Blog

Show Me the Money: How the CCPA Applies to GLBA-Regulated Entities

This post is authored by Kacey Jennings, a second-year law student at Villanova University’s Charles Widger School of Law. Ms. Jennings is a legal-intern with the XPAN Law Group.

At first blush, the language in the most comprehensive piece of data privacy legislation in any US state to date — the California Consumer Privacy Act — seems to provide a sweeping exception for financial institutions. Can you hear Goldman Sachs and Wells Fargo breathing a sigh of relief? Not so fast, guys.

In its original form, the CCPA provided a carve-out for entities regulated by the Gramm-Leach-Bliley Act (Public Law 106-102). The exemption stated,

“This title shall not apply to personal information collected, processed, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, and implementing regulations, if it is in conflict with that law.”

(Emphasis added). However, commentators rendered “in conflict with” vague and called for a change.”

In an amendment signed into law on September 23, 2018, legislators removed the phrase: “in conflict with.” The provision now reads:

“This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150.”

Cal. Civ. Code § 1798.145(C)(1)(e).

While much of the CCPA will not apply to GLBA-regulated entities, there are two major ways they will be impacted. First, the CCPA applies to activities which fall outside the scope of the GLBA. Second, consumers can initiate private actions for damages against GLBA-regulated entities in the event of a breach of information regardless of which act regulated the collection, processing, sale and disclosure of the information. This begs two questions: what does it mean for an activity to fall outside the scope of the GLBA? And what about a little thing called the Supremacy Clause?

The GLBA provides that the federal law preempts any state law which is inconsistent with its provisions. However, if a state law provides “greater protection,” it is not inconsistent with the GLBA. 15 USC 6807 § 507. The CCPA provides greater protection than the GLBA because of a broader definition and protection of personal information, thus presumably surviving the preemption of the federal law.

The GLBA regulates how financial institutions manage “nonpublic personal information,” defined as personally identifiable financial information which was:

  • Provided by a consumer to a financial institution
  • Resulting from any transaction with the consumer or any service performed for the consumer; or
  • Otherwise obtained by the financial institution.

15 USC 6807 § 509(4)(a).

Although this definition seems broad, the FTC has provided guidance that nonpublic personal information under the GLBA refers only to information collected about an individual in connection with providing a financial product or service.

On the other hand, the CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Cal. Civ. Code § 1798.140 (o)(1). It includes IP addresses, email addresses, internet and network activity information, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application or advertisement. It also includes inferences drawn from any information collected about consumers’ preferences. Cal. Civ. Code § 1798.140(o)(1)(K).

The CCPA defines personal information broader than the GLBA because it is not limited to information collected regarding financial products or services. The result is that in practice, if the GLBA-regulated entity collects information outside of providing a financial service or product to a consumer, the CCPA will apply (at least, this is the inference that can be drawn as it is currently drafted). Some examples include tracking website visitors, collecting geolocation data, or using targeted online advertising through their web pages or apps. It may be practical for businesses to distinguish between which of their data is federally-regulated and state-regulated in order to easily prove which data is exempt from the CCPA.

Additionally, GLBA-regulated entities will be subject to Section 1798.150 of the CCPA which provides a private right of action for consumers whose information is subject to “an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices . . . .” Cal. Civ. Code § 1798.150 (a)(1) This section allows consumers to “recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.” GLBA-regulated entities will be subject to damages for consumers when their information is breached, regardless of which law regulated the collection.

Even though the CCPA is still subject to changes and variations, the deadline for determining the impact of the CCPA on your company is fast approaching. And, although the majority of the CCPA will not apply to GLBA-regulated entities, there are still major implications financial institutions must consider before it comes into effect in 2020. The first step is to conduct an inventory of the data collected, to determine which data falls outside the scope of the GLBA, which data will be regulated by the CCPA, and revamping security to avoid breaches which could result in costly damages brought by California citizens.

*****

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.