For the last 18 years, most financial services businesses could sum up their privacy practices with just four letters: G-L-B-A, also known as Title V of the Gramm-Leach-Bliley Act, Public Law 106-102, and its implementing regulations (“GLBA”). With the compliance date for California’s sweeping new privacy law quickly approaching, however, the financial privacy landscape is becoming much more complex. Here are some fast facts to keep financial services businesses on track with privacy compliance:
Aren’t Financial Institutions Subject to the GLBA Exempt from the CCPA?
In a word, no. The CCPA does not exempt businesses that are financial institutions or that provide financial products or services as defined by the GLBA (“financial services businesses”). The CCPA does exempt, however, certain types of information that are subject to the GLBA. Specifically, the CCPA does not apply to personal information “collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, and implementing regulations . . . .” CCPA § 1798.145(e).
The difficulty with this construct is that the CCPA’s protections apply to a much broader set of personal information than is covered by the GLBA—and financial services companies typically collect a good deal of information that is not subject to the GLBA but will now be subject to the CCPA. The CCPA defines personal information to include any data that relates to, describes, could be reasonably linked, or is capable of being associated with an individual or household. CCPA § 1798.140(o). This is the most expansive designation of protected information under any privacy or data security law, ever. The GLBA, in contrast, only applies to “personally identifiable financial information”—i.e., information that a consumer provides to obtain a financial product or service, that results from a consumer transaction, or is otherwise obtained in connection with providing a financial product or service. GLBA 12 C.F.R. §1016.3(q)(1).
Isn’t all of the data collected by a financial services business “otherwise obtained” under GLBA?
That depends on the type of information the financial services business is collecting. For example, the GLBA definition of personally identifiable financial information would not encompass information collected prior to a consumer’s application for a financial product or service, such as that collected through marketing campaigns and promotions, because such information is obtained while promoting, not providing, a financial product or service.
What CCPA personal information IS exempt under the GLBA provision?
The answer to this question depends on how and why the information was collected. Here are some examples of information that likely is exempt:
- Transaction and experience information: Information generated from consumer accounts and transactions with a financial services business likely is exempt from the CCPA for that business.
- Joint products or services: Information collected by a financial services business and transferred to a second financial services business in the course of providing joint financial products or services likely is exempt for both financial services businesses, because both are engaged in providing a financial product or service to the same consumer.
- Account website information: The GLBA explicitly applies to IP addresses and information collected through cookies when such information is obtained in connection with providing a financial product or service. GLBA 12 C.F.R. §1016.3(q)(2). Accordingly, such information collected through webpages or mobile apps that allow consumers to access their accounts or use financial products or services is exempt.
What CCPA personal information IS NOT exempt under the GLBA provision?
Again, this depends in large measure on how and why the information is collected. Here are some things to think about:
- General advertising and website marketing: The CCPA applies to personal information that a business collects passively, such as IP addresses. Such information is not subject to the GLBA when it is collected outside of the context of applying for or providing a financial product or service. Accordingly, personal information collected by a financial services provider’s general webpages or through marketing promotions is not exempt from the CCPA.
- Information obtained from non-financial institution partners: Generally, information obtained from third parties that are not subject to the GLBA, including marketing lists and profiles, is not personally identifiable financial information under the GLBA. The exception to this is consumer reports obtained from a consumer reporting agency, because that information is obtained when a consumer applies for, or already has, a financial product or service provided by the financial services business.
- Information shared with, or obtained from, an affiliate: The GLBA does not apply to information that is shared with an affiliate. Thus, when a financial services business receives personal information from an affiliated financial services business (outside the context of providing a joint product or service), the GLBA does not apply to the shared data set. But note that this information may be exempt under California’s financial privacy law (also known as SB 1). CCPA § 1798.145(e).
The bottom line
As with most privacy and financial services regulations, application of the CCPA depends on the context in which the information is collected and shared. Financial services businesses should review their data inventories carefully and make determinations as to what information is subject to CCPA at the data flow and data element level. As demonstrated above, the same data elements—such as name, email address, and IP address—may be exempt in one situation and not in another.
Coming Soon! Exempt or Not Exempt Part 2: The CCPA and the Fair Credit Reporting Act.