Do financial institutions need to comply with the CCPA with respect to all consumer information?

Bryan Cave Leighton Paisner

No, with a caveat.

The CCPA does not apply to “personal information collected, processed, sold, or disclosed pursuant to the Gramm Leach Bliley Act (GLBA) and implementing regulations.” The GLBA regulates privacy and security for financial institutions and applies to more than just banks, including mortgage brokers, non-bank lenders, personal property or real estate appraisers, professional tax preparers, auto-dealers that extend credit, and insurance companies.

The GLBA imposes privacy requirements – and therefore would preempt application of the CCPA – when financial institutions collect “nonpublic personal information about individuals who obtain financial products or services primarily for personal, family, or household purposes.”1 Note that the qualifier “who obtain” is somewhat misleading. Under the GLBA, “consumer” includes individuals who applied for, but did not obtain, financial products, including:

  • Individuals who apply for credit, regardless of whether the credit is extended;
  • Individuals who provide non-public personal information to the financial institution in order to obtain a determination about whether they may qualify for a loan, regardless of whether the loan is extended;
  • Individuals who provide non-public personal information in connection with obtaining or seeking to obtain financial, investment, or economic advisory services, regardless of whether they establish an advisory relationship.

GLBA does not apply, and therefore would not preempt application of the CCPA, to the following situations:

  • When financial institutions collect information about individuals “who obtain financial products or services for business, commercial, or agricultural purposes” – such as information collected when providing commercial loans, commercial checking accounts or other B2B services;2
  • When financial institutions collect information from an individual who is not applying for a financial product or seeking to obtain financial services, such as website data or marketing leads generated by third parties where the individual hasn’t applied for a product; 
  • When financial institutions possess personal information about individuals who are consumers of another financial institution for which the financial institution is acting as an agent or providing processing or for which it is providing other services;
  • When the financial institution is designated by an individual as the trustee for a trust;
  • If an individual is a participant or beneficiary of an employee benefit plan sponsored by the financial institution;
  • Personal information about financial institution employees (subject to the CCPA beginning in 2021).

Note that the partial exemption applies to privacy requirements under the CCPA only. A financial institution can still be sued, and may have to defend against actual or statutory damages, under Section 1798.150 of the CCPA if it fails to implement and maintain reasonable security to protect certain sensitive categories of personal information.

For more information and resources about the CCPA visit

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bryan Cave Leighton Paisner | Attorney Advertising
