The California Consumer Privacy Act (CCPA) is an expansive privacy law covering businesses, including financial institutions, both in and out of the state of California. There is a common misconception that financial institutions are not subject to the CCPA; however, that is not the case. Only certain types of data collected by financial institutions are exempt from the CCPA; the financial institution itself, and some of the data it may collect, are not exempt.
Does the CCPA apply to financial institutions?
Yes, if a financial institution meets certain requirements, the CCPA applies. The CCPA applies to for-profit businesses that:
- Collect information about California consumers or households;
- Have control of the information, either individually or jointly with others;
- Do business in California (this is a very broad standard); and
- Meet any one of the following criteria:
  - Have an annual gross revenue in excess of $25 million;
  - Annually process personal information of 50,000 or more California consumers, devices or households; or
  - Derive 50% or more of its revenue by selling California consumers’ personal data.
What is exempt from the CCPA?
While a financial institution itself may be subject to the CCPA, certain data that a financial institution collects may be exempt. The CCPA does not generally apply to personal information collected, processed, sold or disclosed pursuant to the federal Gramm-Leach-Bliley Act (GLBA) or its implementing regulations. Thus, it is likely that personal information collected by financial institutions for the purpose of providing consumer financial products or services is not subject to the CCPA.
Even though data regulated by the GLBA is not generally subject to the CCPA, the CCPA still applies to this data with respect to an individual’s private right of action. Specifically, the CCPA allows California residents to sue an institution if certain elements of the unencrypted or non-redacted personal information held by the institution were subject to a data breach as a result of the institution’s failure to implement appropriate and reasonable security practices and procedures. Therefore, if a financial institution suffers a breach, California residents may sue the financial institution under the CCPA if their unencrypted or non-redacted personal information was involved, regardless of whether that data is subject to the GLBA.
What information is subject to the CCPA?
Any personal information relating to California consumers that is not exempt under the GLBA exception is likely covered by the CCPA. Personal information collected by financial institutions that is subject to the CCPA generally can be broken down into two broad categories:
- Personal information not covered by the GLBA:
The GLBA applies to “nonpublic personal information,” which is personally identifiable financial information: (i) provided by a consumer to a financial institution; (ii) resulting from any transaction with the consumer or any service performed for the consumer; or (iii) otherwise obtained by the financial institution in connection with the provision of financial products or services to that consumer.
If the personal information of a California resident is collected for any purpose other than described above, it may not be subject to the GLBA and therefore may be covered by the CCPA. For example, if personal information is collected for general marketing purposes, it would likely be subject to the CCPA. Additionally, IP addresses, geolocation data, cookies and other personal information not collected specifically for the provision of consumer financial products or services likely are covered by the CCPA. Thus, the data collected from California visitors to a financial institution’s website is likely subject to the CCPA.
- Personal information of California residents who are not seeking or obtaining a financial product or service:
The GLBA only applies to the personal information of those seeking or obtaining a financial product or service, while the CCPA broadly applies to personal information of any California resident. As such, if a financial institution is collecting personal information about a California resident who is not applying for or obtaining a financial product or service, that personal information is potentially covered by the CCPA. This may include individuals who obtain financial products or services for non-consumer purposes (e.g., commercial, business or agricultural purposes), financial institution employees or contractors, service providers and others.
Note, the CCPA provides other exclusions and exemptions, so even if data is not exempt under the GLBA exception, it may be exempt under other CCPA provisions, either permanently or temporarily.
What are the risks if a financial institution does not comply?
The California attorney general is authorized to enforce penalties of up to $2,500 per violation of the CCPA. Additionally, consumers whose unencrypted or non-redacted data of certain types (such as Social Security numbers, driver’s license numbers, health information and biometric information) is the subject of a data breach can sue for between $100 and $750 per incident if the business failed to implement reasonable security procedures.
What should a financial institution be doing about the CCPA?
Many non-California financial institutions have data potentially covered by the CCPA. To determine whether the CCPA applies, the first step is to have a thorough understanding of what personal information you are collecting, how you are collecting it and why. The answers to these questions will help you determine your CCPA compliance activities.
For more details on the CCPA, please review our previous posts on CCPA compliance linked below and contact Norbert Kugele, Rodney Martin, Kelly Hollingsworth, Alexandra Chitwood, Lexi Woods or your Warner privacy attorney if you have any questions.