GLBA Exemption in California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) provides an exemption for personal information that is covered by the federal privacy law governing financial institutions, the Gramm-Leach-Bliley Act (GLB Act or GLBA). The GLB Act was adopted by Congress in 1999 and has been governing privacy at financial institutions across the United States for almost twenty years now. The California legislature, which passed the CCPA in June 2018 and amended it in August 2018, recognized that there may be conflicts between the laws and created the GLBA exemption.
As a result of the GLBA exemption, personal information that California businesses collect, process, sell or disclose pursuant to that federal privacy law will not be covered by the CCPA.
The GLB Act is a federal law passed to regulate how financial institutions handle the personal information of their customers and prospective customers. The federal privacy law covers all businesses that are significantly engaged in providing financial products or services. This includes check-cashing businesses, payday lenders, mortgage brokers, nonbank lenders, real estate appraisers, professional tax preparers and others. An associated regulation, the Safeguards Rule, applies to credit reporting agencies and ATM operators.
However, the GLBA exemption does not completely remove financial institutions from the scope of the new California privacy law. Information that is collected by financial institutions that does not fall within the GLB Act will still be covered by the CCPA.
What obligations will not apply?
Because the GLBA already governs collection of consent for the sharing of personal information, the primary effect for financial institutions is a more limited scope for the data subject access requests required by the law. Individuals will not automatically have the right to access or delete their personal information in the same way that California consumers will at other organizations.
Insofar as financial institutions will need to comply with the law for information that is not covered by GLBA, they will need to make a strategic decision about the extent to which they will voluntarily comply with the law’s terms. For example, it may be difficult to explain to a California customer who submits a right to access request under CCPA that they are entitled only to select information and not data collected by the bank.
SB-1121 on Financial Institutions
SB-1121 amended the section of the CCPA discussing GLBA. As a result, the California Consumer Privacy Act (except for the private cause of action as discussed below) does not apply to personal information collected, processed, sold, or disclosed pursuant to the GLB Act and implementing regulations.
The amendments also added an exclusion for personal information covered by the California Financial Information Privacy Act. The CFIPA (or SB-1 as it is usually referenced) requires a financial institution to obtain a consumer’s written consent prior to sharing consumer information with a nonaffiliated third-party. It also requires a financial institution (as defined by the law) to provide the ability to opt-out of sharing consumer information with an affiliated party.
The one area of the California privacy law that the amendments excluded from the GLBA exemption is the private cause of action. California consumers will be able to sue financial institutions covered by the GLBA or SB-1 if their personal information is subject to unauthorized access and exfiltration, theft or disclosure as a result of a violation of the duty to implement and maintain reasonable security procedures and practices.
AB-375 on GLBA
The original bill, AB-375, provided an exemption for personal information collected, processed, sold or disclosed pursuant to the GLB Act or its implementing regulations only if the CCPA was in conflict with the federal law. In other words, if the federal financial privacy law did not speak to the question being regulated in the California Consumer Privacy Act, then the exemption did not apply and the CCPA would govern the conduct.
We will be closely following the California legislature to see if there are any other changes before the law goes into effect in 2020.