Lenders beware: Notwithstanding a GLBA exemption, many financial institutions doing business in California will be subject to the new consumer privacy requirements by 2020, California’s recently-enacted version of the General Data Protection Regulation (GDPR). California legislators crafted the California Consumer Protection Act of 2018 (CCPA) in a mere seven days in order to save a more expansive and deeply flawed ballot initiative from reaching California voters in November.
Does the CCPA supplement or supplant the Gramm-Leach-Bliley Act (GLBA)? Not exactly. Although some commentators suggest that GLBA-regulated entities are broadly exempt, that exemption only insofar as they collect personally identifiable information (PI) strictly in connection with a financial product or service. However, many lenders do much more, such as by collecting data associating consumers as customers of a company that is not a financial institution. We discuss this issue in more detail below.
The CCPA is the nation’s strictest consumer privacy and data protection measure. The law will apply to any for-profit entity doing business in California that (1) collects California residents’ PI solely or jointly with others, and (2) either (i) exceeds $25 million in annual gross revenues; (ii) annually transacts in the PI of 50,000 or more consumers, households or devices; or (iii) derives half or more of its annual revenues from PI sales.
Critical for financial services companies, the CCPA exempts PI that is “collected, processed, sold, or disclosed pursuant to the [GLBA]” if compliance with the new provisions are “in conflict” with the GLBA. The CCPA also does not apply to the sale of PI to or from a CRA if such information is used to generate a consumer report as regulated by federal law.
However, given the breadth of nonpublic information regulated by the CCPA, financial services companies will still be subject to the CCPA requirements to the extent they gather or process non-GLBA-regulated information. This may include items such as IP address, commercial information, biometrics, Internet activity, geolocation, employment-related information, education information and “inferences” drawn from any such information to create a profile reflecting consumer characteristics to the extent such information is not tied to financial products or services.
The CCPA will require covered businesses to ensure an assortment of consumer rights and related notices that, in certain respects, resemble those recently codified in the GDPR. The CCPA’s new rights include:
Right of Access. Consumers may request disclosure of the specific PI that a business has collected about the consumer.
Right of Deletion. Consumers may request that a business delete any PI it has collected from the consumer and direct any service providers to do the same, subject to several exceptions, such as when PI is needed to complete requested transactions or services.
Right to Know. Consumers may request disclosure of the categories and specific pieces of PI collected about them, the sources from which the PI was collected, the purpose for such collection, and the categories of third parties the PI is shared with or sold to.
Right to Opt Out or Opt In. Consumers may opt out of any sale of their PI to third parties, and consumers under age 16 must opt in to any such sales.
Right of Equal Service. Covered businesses must not discriminate against consumers exercising any of the above rights, including through pricing and quality of goods or services, unless different treatment is reasonably related to the value provided to the consumer by his or her data. However, businesses may offer reasonable financial incentives related to PI collection, sale or deletion.
Violations of these provisions are actionable by the California attorney general (AG) via the state’s Unfair Competition Law (UCL) after a 30-day cure period has passed. In addition to UCL penalties, the law authorizes civil penalties of up to $7,500 per violation.
The CCPA also provides a limited private right of action for data breaches, defined as any instance in which unencrypted PI is subject to unauthorized access and exfiltrated or otherwise disclosed as a result of a violation of the business’s duty to observe reasonable security procedures and practices. The right of action has two major prerequisites: first, 30 days’ written notice to the business identifying the allegations and an opportunity to cure, and second, notification to the AG within 30 days of filing a complaint requiring the AG’s response within 30 days stating whether the AG will prosecute the matter within six months and potentially whether the consumer is not authorized to proceed. Only once these preconditions are met may the consumer proceed with his or her civil claim for the greater of statutory damages between $100 and $750 per incident or actual damages and injunctive or declaratory relief.
The CCPA’s quick passage represents a significant compromise with Alastair Mactaggart, the lead sponsor of a ballot initiative that would have brought similar proposals to California voters in November. As part of the compromise, Mr. Mactaggart agreed to pull the initiative from the ballot before the June 28 deadline for the initiative’s certification. Though industry groups had been gearing up for an opposition to the ballot initiative, the Internet Association issued a statement saying it would not impede the bill’s enactment.
Why it matters
Though financial services companies are no stranger to privacy and data security regulation, the CCPA introduces extremely burdensome obligations to California businesses, most of which were previously unseen by American companies and several of which bring questions about what implementation even looks like. For example, the CCPA’s extra protections for data sales utilize an expansive definition that includes any dissemination of consumer data for “monetary or other valuable consideration.” In addition, though companies will have an important right to cure alleged data breaches, it remains unstated and untested what might constitute a cure. Given the potentially complicated measures needed to comply with the CCPA, the 2020 effective date is not far off, and financial services companies would be well-advised to begin reviewing their practices and policies for potential exposure now.