California's New Privacy Rule Will Impact Financial Institutions
The CCPA came into force on Jan 1, and while it exempts some consumer data from its scope, firms that have business data on state residents will be pulled in.
Financial institutions are not exempt from California’s landmark new data privacy regulation just because they already have data controls in place under federal law.
The California Consumer Privacy Act (CCPA) went live on the first day of 2020. The law gives California’s residents unprecedented controls over their personal data, including the right to tell companies to delete their data.
Under the Gramm-Leach-Bliley Act (GLBA) of 1999, financial firms that offer products and services, such as loans and investment advice, already face stringent requirements to safeguard the user data they hold. The CCPA recognizes this and exempts GLBA-covered data from its scope. However, GLBA applies only to consumer data, not business data.
“There are exemptions [in the CCPA] for information that is covered by the GLBA. This is consumer information used by FIs, including broker-dealers. But there is not a broad exemption that just takes out the entirety of data maintained by capital markets firms. The GLBA applies to a bank or broker-dealer that is providing a financial product or service to a consumer, and the consumer has to be using that product or service for personal, family, or household purposes,” says Mike Nonaka, co-chair of the financial services group at Covington law firm.
Nonaka explains that if an individual were to apply for a credit card online with a bank, the data generated by that interaction is for personal purposes and is covered by GLBA. However, if that same person went to the same bank to take out a loan in order to start a small business, the GLBA exemption would not apply, and that data would be covered by the CCPA.
Under the CCPA, residents of California can now demand that companies disclose what information they have on them. They can demand that the company delete that data (subject to some exemptions). And they can opt-out of the sale of their data to third parties. The definitions in the regulation are broad and prescriptive, Nonaka says. The definition of what constitutes personal data under the CCPA includes names, social security numbers, geolocation data, biometric data, and IP addresses.
The complexities begin for FIs in figuring out exactly what data they have on individuals and then determining whether it falls into the scope of CCPA. They will have to understand for what purpose the data was obtained. They will also have to be able to find and delete that information if the consumer demands it.
“You have this waterfall you have to do in order to determine that financial data in an institution’s hands is subject to the CCPA; you apply the different exemptions to the CCPA overall, and then there are exceptions to the different specific rights in the CCPA. So it becomes a very layered analysis,” Nonaka says.
The CCPA applies to all companies that do business with residents of California and that exceed certain thresholds (such as making over $25 billion in revenue). It applies to companies outside of the state and even outside the US—they just have to be doing business with Californians. The reality of enforcing the statute has been debated, but the state attorney general has existing powers to pursue violations.
The law has drawn comparisons with Europe’s ground-breaking General Data Protection Regulation (GDPR), and Nonaka says it will set a precedent, as GDPR has done.
“This is a very significant development, both in terms of the specific requirements and for what it signals about what other states may do in future. It is a very prescriptive privacy framework, similar in some ways to GDPR, and it is prescriptive in a way that most US companies haven’t had to deal with,” Nonaka says.
He says other states will probably follow suit—which will compound the complexity for large organizations.
“If you think what California has done in enacting its own regime is complicated, just imagine what it would be like if 15, 25, or even 35 states move forward and enact their own version of the CCPA, and how complicated that would make privacy regulation in the US with all these competing regimes. And it just so happens to be in the most populous state in the US, so it covers a ton of people [and] it covers a ton of companies. The CCPA has become a benchmark of sorts on its own, even though it only applies to California residents.”