[co-author: Austin Smith]
California enacted the nation’s most extensive consumer privacy law after only a week of legislative debate. The California Consumer Privacy Act of 2018 (“CCPA”) creates detailed notice, opt-out/opt-in, access, and erasure rights for consumers vis-à-vis businesses that collect their personal information, as well as a private right of action in the event of a data breach.
The CCPA is likely to place a significant burden on the Financial Services Provider industry, where companies collect, aggregate, analyze, and move the consumer data at the heart of the law.
New FinTechs could meet the threshold of data collection from 50,000 consumers, households, or devices annually within their first few weeks of operations. Companies that start doing business in California will need to devote a significant part of their start-up budget to prepare for compliance;
Opt-out rights are more extensive than what is required under the Gramm–Leach–Bliley Privacy Rule, 12 C.F.R. Part 1016 (the GLBA Rule), and other financial privacy laws. And for at least 12 months, financial services providers cannot solicit consumers that opt out to opt back in;
Although the CCPA provides exemptions for some data that is subject to the GLBA Rule and the Fair Credit Reporting Act, 15 U.S.C. §§ 1681 et seq. (the FCRA), much of the consumer information collected routinely by financial services providers is still subject to the CCPA;
Financial services providers will face increased risk of liability in the event of a data breach, as the new law creates a private right of action for the unauthorized access and exfiltration, theft, or disclosure of information covered by California’s data breach law, Cal. Civ. Code §§ 1798.80–.84, which includes financial data. The private right of action also allows plaintiffs to recover statutory damages, meaning they do not have to establish that they were actually harmed by the breach.
Here is what financial services providers need to know about the CCPA—and why businesses need to start preparing now for the January 1, 2020, effective date.
All “Personal Information”—Not Just Financial Information—Is Covered
The CCPA has been described in news reports as a regulation of “online privacy.” In reality, it applies to all personal information (“PI”), regardless of the means of collection, and across businesses, regardless of industry. The definition of PI contained in the CCPA is the broadest formulation of protected information in U.S. law. It applies to all information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” including name, email address, biometric information, IP address, device identifiers, and browser-derived information (such as information stored in cookies, web beacons, and web pixels). CCPA § 1798.140(o)(1). Personally identifiable financial information is just a small subset of the information that the CCPA seeks to protect.
Also notable is the inclusion of information related to “households” in addition to that of individuals. The term “household” is not defined in the law, but this language appears to draw in information aggregated at the address or household level and requires that such information be treated in the same way as information that is capable of being associated with an individual. As a result, financial services providers need to take a fresh look at all of the consumer-derived information they collect to determine their obligations under the new law.
Financial Services Providers Are Not Exempt from the CCPA (Even Though Some of Their Data May Be)
The CCPA exempts certain information that is subject to the GLBA Rule or the FCRA from its reach, but financial services providers are still largely subject to the law’s provisions for two reasons. First, these exemptions apply to the data, not the organization that holds it. The CCPA clearly applies to financial institutions and financial services providers. Second, in the CCPA, exemptions apply only to data that is actually subject to those laws. Information collected by a financial services provider for marketing purposes—such as merchant-provided consumer lists or website browsing histories—is not protected by the GLBA Rule or the FCRA but is subject to CCPA requirements.
GLBA Rule Exemption
The CCPA does not apply to personal information “collected, processed, sold, or disclosed pursuant to the federal Gramm–Leach–Bliley Act, and implementing regulations . . .” CCPA § 1798.145(e). As noted above, the CCPA defines personal information to include any data that relates to or is capable of being associated with an individual or household. CCPA § 1798.140(o)(1). The GLBA, in contrast, applies only to “personally identifiable financial information” (“PIFI”)—i.e., information that a consumer provides to obtain a financial product or service, that results from a consumer transaction, or that is otherwise obtained in connection with providing a financial product or service. GLBA Rule, 12 C.F.R. § 1016.3(q)(1). This means that a significant amount of data held by financial services providers will fall outside this exception for PIFI regulated by the GLBA Rule. In addition to household-level data, any behavioral advertising data, web-based analytics, and third-party marketing profiles would remain subject to the CCPA, as would biometric and geolocation data. Personal Information that a financial services company maintains on individuals other than customers and potential customers also is not subject to the GLBA Rule and therefore is not exempt from the CCPA, such as information regarding California resident business contacts.
Similarly, the CCPA exempts certain information that is subject to the FCRA. Specifically, the CCPA does “not apply to the sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report” and the information is regulated by the FCRA. CCPA § 1798.145(d). So information qualifying for this exemption from the CCPA must be: (1) PI “sold” to or from a consumer reporting agency; (2) used to generate a consumer report; and (3) protected under the FCRA.
The CCPA defines a “sale” of personal information as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” CCPA § 1798.140(t)(1) (emphasis added). Thus, “sales” do not need to involve money; two businesses agreeing to exchange the PI they each have about consumers, for example, would likely constitute a “sale” under the CCPA because the exchange of PI has value.
Reading these statutory definitions together, the following types of personal information are likely to not meet the CCPA’s exemption for FCRA-protected information:
PI that is shared with, but not “sold” to, a credit reporting agency, e.g., any information reported to or received from a credit reporting agency for which no value is received in return. (But note, this same information may still be exempt if it is subject to the GLBA Rule);
PI that is “sold” to a credit reporting agency but is not used to generate a consumer report (as that term is defined under the FCRA); and
PI that is “sold” to a credit reporting agency but is not protected by the FCRA—one example of this is consumer-identifying information contained in consumer reports (sometimes called “header information”).
The CCPA Covers Employee Data
Another type of information collected by financial services providers that is subject to the CCPA includes information about California resident employees. A business’s employees have the same rights as any other California resident in relation to their personal information under the CCPA, even though they are not customers of the business or directly engaged in any type of personal, family, or household transaction with the business outside of the employment relationship.
Time to Act
Financial services providers of all varieties need to reevaluate the data they collect and share in light of the CCPA’s cross-cutting application. Many prior judgments regarding the types of information that are subject to privacy protections will no longer be applicable once the CCPA goes into effect. The key decisions regarding which information collected by a financial services provider will be and will not be subject to the CCPA must be examined closely to ensure full compliance with the statute by January 1, 2020.