GLBA and the California Consumer Privacy Act: Analyzing SB 1121's Change to the Financial Institution Carve-Out Provision
Less than three months after California passed the California Consumer Privacy Act of 2018 (CCPA), Governor Jerry Brown signed SB 1121 this week, making a number of technical and substantive changes to the law.
Of particular note: SB 1121 modifies the financial institution carve-out language in CCPA section 1798.145(e). While the change is a welcome development for entities subject to regulation under the Gramm-Leach-Bliley Act (GLBA), it does not grant a full exemption from the CCPA. Therefore, GLBA-regulated entities that collect information online will still need to analyze the CCPA's requirements and how they apply to their specific business.
The original carve-out language provided that:
"This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, if it is in conflict with that law."
As we have previously discussed, that language raised a number of issues, such as what would constitute a "conflict" between the GLBA and the CCPA, and whether the language was even consistent with the GLBA insofar as personal information is not collected, processed, sold, or disclosed pursuant to the GLBA. The provision also failed to address the relationship between the CCPA and California's Financial Information Privacy Act.
The new language tries to resolve some of those issues, stating:
"This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act … . This subdivision shall not apply to Section 1798.150."
The new language removes the phrase "if it is in conflict with that law," incorporates the California Financial Information Privacy Act, and adds a sentence providing that financial institutions are still subject to Section 1798.150. The preamble explains those changes as follows:
"The bill would also prohibit application of the act to personal information collected, processed, sold, or disclosed pursuant to a specified federal law relating to banks, brokerages, insurance companies, and credit reporting agencies, among others, and would also except application of the act to that information pursuant to the California Financial Information Privacy Act."
While the revised language is no doubt welcomed by GLBA-regulated entities, it should not be interpreted as a full exemption. Rather, GLBA entities will remain subject to the provisions and requirements of the CCPA if they engage in activities falling outside of the GLBA—which they almost certainly do.
By way of explanation, the GLBA regulates financial institutions' management of nonpublic personal information, which is defined in 15 U.S.C. § 6809 as personally identifiable financial information: 1) provided by a consumer to a financial institution; 2) resulting from any transaction with the consumer or any service performed for the consumer; or 3) otherwise obtained by the financial institution.
The CCPA defines "personal information" much more broadly to include "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." The CCPA identifies numerous examples such as online identifiers, Internet Protocol addresses, email addresses, browsing history, search history, geolocation data, and information regarding a consumer's interaction with a website or online application or advertisement. Notably, the CCPA's definition also includes any "inferences drawn" from any personal information that is used "to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes."
Therefore, to the extent that GLBA-regulated entities are using targeted online advertising, tracking web page visitors, and/or collecting geolocation data—to name a few examples—either through their web pages or apps, they will need to analyze the CCPA's requirements.
As for the new statutory language providing that "[t]his subdivision shall not apply to Section 1798.150," the impact of that sentence cannot be overstated.
Section 1798.150 sets forth a private right of action for consumers to seek statutory damages of not less than $100 and not greater than $750 "per consumer per incident or actual damages, whichever is greater" if the consumer's information "is subject to an unauthorized access, exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices." In other words, GLBA-regulated entities will still be subject to millions of dollars of potential damages if they experience a data breach.