Financial Institutions have always banked their privacy practices on the requirements under Title V of the Gramm-Leach-Bliley Act (GLBA) and its implementing regulations. That day is now over! The California Consumer Privacy Act (CCPA) is sweeping in and changing the financial privacy landscape. Many had hoped the CCPA would have an all-inclusive exemption for financial instructions already subject to compliance under GLBA; however, the California legislature has made clear that CCPA’s application will apply to portions of data held by financial institutions.
Scope of Financial Institution Exemption
CCPA exempts certain types of information that are subject to GLBA. The impact for financial institutions – all of the personal information collected today that is not subject to GLBA will be subject to CCPA (to the extent the financial institution is subject to CCPA). This includes the following information: personal information collected through general advertising and website marketing; personal information obtained from non-financial institution partners; and personal information obtained for commercial (non-personal or household) purposes.
A financial institution will be subject to CCPA if it does business in California and either (1) has at least $25 million in annual gross revenues; (2) buys, sells, shares or receives information from at least 50,000 California consumers; or (3) derives at least 50% of its annual revenue from selling California personal information.
Financial Institution Data Likely Subject to CCPA
The initial action financial institutions should take is to perform an internal data mapping exercise. Once the financial institution has determined what personal information it collects that is not subject to GLBA, the financial institution can prepare a practical and efficient CCPA compliance plan for all “non-GLBA” information.
As you are formulating a plan to comply with CCPA, our experienced privacy team is ready to partner with you in determining the most practical approach that minimizes disruptions to your already existing GLBA obligations. Here is a link for more information about our team: Privacy Team