The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted and plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding its requirements, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation ("GDPR").
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
The Gramm Leach Bliley Act (“GLBA”) and its implementing regulations impose privacy requirements when financial institutions collect “nonpublic personal information about individuals who obtain financial products or services primarily for personal, family, or household purposes.”1 GLBA does not apply, however, when a financial institution collects information about individuals “who obtain financial products or services for business, commercial, or agricultural purposes” – such as information collected when providing commercial loans, commercial checking accounts or other B2B services.2 GLBA also does not apply when a financial institution collects information from an individual that is not applying for a financial product. For example, GLBA would not govern the collection by a financial institution of information from, or about, visitors to the institution’s website who do not have (or are not seeking) a relationship with the institution;3 nor would GLBA govern the collection by a financial institution of information from, or about, its employees. GLBA preempts state laws only to the extent that compliance with a state law would be “inconsistent with” the requirements of the GLBA.4 A state law is not considered to be “inconsistent” if it provides a person with “protection” that “is greater than the protection provided” under the GLBA.5 Nonetheless, some states have deferred to federal regulation of financial institutions by voluntarily exempting from the scope of their privacy statutes financial institutions that are subject to GLBA regulation.
The CCPA does not provide a blanket exemption for financial institutions, but it does contain a partial exemption for information collected by financial institutions that is subject to the GLBA (e.g., information about individuals who have obtained personal financial products from the institution). Such information is exempt from the privacy requirements of the Act, but is not exempt from the private right of action conferred if a business fails to implement and maintain reasonable security to protect certain sensitive categories of information. The relatively narrow scope of the exemption contrasts with broader exemptions provided by other states. For example, the following compares the financial institution exemption provided in the CCPA with the broader exemption provided in Nevada’s online privacy statute:
CCPA: Statute does not apply to "personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations . . . . This subdivision shall not apply to Section 1798.150 [of the CCPA]."6
Nevada Online Privacy Notice Statute: Statute does not apply to "A financial institution or an affiliate of a financial institution that is subject to the provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et seq., and the regulations adopted pursuant thereto."7
1. 12 C.F.R. 216.1(b).
2. 12 C.F.R. 216.1(b).
3. Federal Reserve, Regulation P: Privacy of Consumer Financial Information Frequently Asked Questions, at B.5 (Dec. 2001).
4. 15 U.S.C. 6807(a).
5. 15 U.S.C. 6807(b).
6. CCPA, § 1798.145(e).
7. Nevada Senate Bill 220 (Enacted May 29, 2019).