October 16, 2018


GLBA and the California Privacy Act: Analyzing SB 1121's Change to the Financial Institution Carve-Out Provision

Less than three months after California passed the California Consumer Privacy Act of 2018 (CCPA), Governor Jerry Brown signed SB 1121 this week, making a number of technical and substantive changes to the law.

Of particular note: SB 1121 modifies the financial institution carve-out language in CCPA section 1798.145(e). While the change is a welcome development for entities subject to regulation under the Gramm-Leach-Bliley Act (GLBA), it does not grant a full exemption from the CCPA. GLBA-regulated entities that collect information online will therefore still need to analyze the CCPA’s requirements and how those requirements apply to their particular business operations.

The original carve-out language provided that:

“This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, if it is in conflict with that law.”

As we have previously discussed, that language raised a number of issues, such as what would constitute a “conflict” between the GLBA and the CCPA and whether the language was even consistent with the GLBA insofar as personal information is not collected, processed, sold, or disclosed pursuant to the GLBA. The provision also failed to address the relationship between the CCPA and California’s Financial Information Privacy Act.

The new language tries to resolve some of those issues, stating:

“This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act … . This subdivision shall not apply to Section 1798.150.”

The new language removes the phrase “if it is in conflict with that law,” incorporates the California Financial Information Privacy Act, and adds a sentence providing that financial institutions are still subject to Section 1798.150. The preamble explains those changes as follows:

“The bill would also prohibit application of the act to personal information collected, processed, sold, or disclosed pursuant to a specified federal law relating to banks, brokerages, insurance companies, and credit reporting agencies, among others, and would also except application of the act to that information pursuant to the California Financial Information Privacy Act.”

While the revised language is no doubt welcomed by GLBA-regulated entities, it should not be interpreted as a full exemption. Rather, GLBA entities will remain subject to the provisions and requirements of the CCPA if they engage in activities falling outside of the GLBA—which they almost certainly do.

By way of explanation, the GLBA regulates financial institutions’ management of nonpublic personal information, which is defined in 15 U.S.C. § 6809 as personally identifiable financial information: 1) provided by a consumer to a financial institution; 2) resulting from any transaction with the consumer or any service performed for the consumer; or 3) otherwise obtained by the financial institution.

The CCPA defines “personal information” much more broadly to include “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The CCPA identifies numerous examples, such as online identifiers, Internet Protocol addresses, email addresses, browsing history, search history, geolocation data, and information regarding a consumer’s interaction with a website or online application or advertisement. Notably, the CCPA’s definition also includes any “inferences drawn” from any personal information that is used “to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”

Therefore, to the extent that GLBA-regulated entities are using targeted online advertising, tracking web page visitors, and/or collecting geolocation data—to name a few examples—either through their web pages or apps, they will need to analyze the CCPA’s requirements.

As for the new statutory language providing that “[t]his subdivision shall not apply to Section 1798.150,” the impact of that sentence cannot be overstated.

Section 1798.150 sets forth a private right of action for consumers to seek statutory damages of not less than $100 and not greater than $750 “per consumer per incident or actual damages, whichever is greater” if the consumer’s information “is subject to an unauthorized access, exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.” In other words, GLBA-regulated entities remain exposed to potentially millions of dollars in statutory damages if they experience a data breach that results from a failure to implement and maintain reasonable security procedures and practices.

Copyright © by Ballard Spahr LLP


About this Author

David Stauss, Ballard Spahr Law Firm, Denver, Privacy and Litigation Attorney
Partner

David M. Stauss focuses on complex business and commercial litigation in state and federal courts. He handles all aspects of litigation on a wide range of substantive matters for clients, including product liability, landowner liability, and commercial lending.

Mr. Stauss is head of the Denver office's privacy and cybersecurity practice group. He advises clients on regulatory and statutory compliance issues, third-party vendor management policies and contractual provisions, cyber liability insurance retention and coverage analysis, information...

303-299-7363
Kristen Poetzel, Ballard Spahr Law Firm, Philadelphia, Finance and Cybersecurity Law Attorney
Associate

Kristen Poetzel is an associate in the firm's Privacy and Data Security Group who concentrates on data privacy and cybersecurity matters, including breach response and investigation, risk assessment, proactive breach planning, regulatory investigation and compliance, and privacy litigation defense. Kristen's cybersecurity clients include financial institutions, corporations from various industries, health care entities, municipalities, and educational institutions. She uses her technical knowledge of ransomware, phishing, hacking, malware, Trojans, botnets, and DDoS attacks to provide counsel on data protection strategies and has represented clients in working in cooperation with federal, state, and local law enforcement agencies on investigations.

Kristen advises clients on regulatory compliance with federal and state laws, including HIPAA, HITECH, Gramm-Leach-Bliley, and securities laws. Her experience also includes advising clients on business acquisitions, real estate transactions, labor and employment agreements, contract disputes, and tax matters.

During law school, Kristen worked as a student attorney and certified mediator at the Mediation Clinic at the University of Maryland School of Law. She also worked in a competitively selected intern program at the U.S. Securities and Exchange Commission (SEC), where she investigated SEC employee and whistleblower complaints and advised on compliance with federal laws and regulations.

215-864-8660
Malia Rogers, Ballard Spahr Law Firm, Denver, Finance Law Attorney
Associate

Malia K. Rogers is an associate in the firm's Public Finance Department. In addition to her focus in public finance, Malia has experience with privacy and cybersecurity matters.

Before entering the legal profession, Malia was a marketing and business development professional, including at eBay Enterprise.

303-299-7356