The California Consumer Privacy Act (“CCPA”) becomes effective in less than a year and businesses – especially those in highly regulated sectors – should consider assessing their privacy programs now to identify covered processing activities and to allow timely compliance with the new law. For financial services businesses, this exercise can pose quite a challenge due to a lack of guidance regarding the law’s application to the use of personal information by entities regulated by the Gramm-Leach-Bliley Act (“GLBA”) and CCPA language that still remains vague regarding some important exemptions. This is particularly true with regard to financial services entities’ sales and marketing activities, where personal information may not be covered by the CCPA’s GLBA exemption.
Applicability of the CCPA’s GLBA Exemption
The CCPA generally exempts from its requirements personal information processed pursuant to the GLBA. More specifically, this means that where a financial institution processes personal information for providing core consumer financial services it is exempt from CCPA requirements. The CCPA does not, however, provide a blanket exemption for financial institutions. There will be instances in which a financial institution must assess whether its collection and use of personal information falls outside the scope of the exemption, and particular attention should be focused on the sales and marketing functions.
Identifying In-Scope Personal Information
The definitions of “consumer” and “personal information” differ between the CCPA and the GLBA, and these differences must be understood in order to determine the breadth of the applicability of the exemption. The CCPA provides very broad definitions of these terms and an extensive list of examples of how they apply. The GLBA, however, defines the terms more narrowly, tailored to private individuals, and requires a direct link to the provision of financial products or services.
The differences in the definitions indicate that financial institutions are only exempt from the CCPA requirements with regard to personal information that refers to private individuals and which is processed specifically for the provision of financial services or products. The FDIC’s GLBA guidance provides that “a ‘financial service’ includes, among other things, a financial institution’s evaluation or brokerage of information that the institution collects in connection with a request or an application from a consumer for a financial product or service.” A financial service under this guidance includes a lender’s evaluation of an application for a consumer loan or for opening an account even if the application is ultimately rejected or withdrawn.
These definitions and guidance provide excellent direction to processing activities by financial services companies that do not fall under the GLBA and to which the CCPA will apply. Such processing of personal information may include, for example:
- Targeting California residents with online advertising or tracking web page visitors who are not yet financial product or services customers. Personal information processed in such initiatives may include online identifiers, IP address, browsing history and search history;
- Processing personal information of California resident prospects and leads, for example, by obtaining a list of leads for marketing activities, or collecting information about individuals interested in obtaining a product or service, but who have not reached the threshold of becoming a GLBA consumer;
- Personal information collected from California commercial clients, including sole proprietorships or individuals seeking a product or service for a business purpose;
- Processing personal information about California employees or applicants; and
- Processing personal information about California business contacts, such as employees of vendors or other business partners.
While all of these processing activities need to be assessed with regard to CCPA planning, a financial institution’s data-driven sales and marketing initiatives require special attention from a compliance risk perspective.
Where does the In-Scope Personal Information Reside?
A key challenge for financial institutions planning for CCPA compliance will be locating covered personal information – specifically personal information of individuals who have not crossed the hurdle of obtaining or even requesting or applying for a “financial product or service”. This is essential, as once the Act goes into effect, organizations must be able to respond to subject right requests (i.e., access, deletion, opt-out) which requires a clear view of where personal information resides.
While relevant datasets may be discovered in any number of processing activities, they are likely to be found in the institution’s sales and marketing systems, as well as with third parties who support those efforts. Mapping personal information through specific identified processing activities is key to understanding the collection points, storage and transfer of such information and is a necessary step to achieve CCPA compliance.
CCPA Compliance Measures for Sales and Marketing Activities
Website Notice Requirements
Many financial institutions operate websites or applications on which they collect and analyze user data to gather insights into consumer preferences and behavior. In many instances this again falls under the realm of the sales and marketing functions. Under the CCPA, consumers whose personal information (which includes IP addresses and online identifiers) is collected must be notified, at or before the point of collection, “of the categories of personal information collected and the purposes for which that information will be used.” Financial institutions should therefore ascertain exactly what categories of consumer personal information are being collected by their websites for analytic and other purposes, review their website privacy notices and add additional language if necessary. While this exercise is necessary in order to meet CCPA compliance obligations, it may not require extensive effort given existing GLBA and California Online Privacy Protection Act (“CalOPPA”) notice requirements.
Notice Requirements for Indirectly Collected Information
A more significant CCPA compliance challenge will be posed by instances in which financial institutions collect consumer personal information indirectly (e.g., from third parties). This requirement will apply, for example, to financial services companies that acquire third-party lists of potential customers for marketing purposes. Effectively operationalizing the notice requirement in such instances may be difficult given the lack of direct interaction with consumers and the fact that the CCPA does not define how consumers should be “informed.” While no legal guidance has been published yet by California regulators or the State Attorney General, practical solutions that will likely meet CCPA requirements include providing information regarding the indirect collection in the financial institution’s website privacy notice or attaching an updated privacy notice to the first communication with the consumer – if that takes place within a reasonably short timeframe following the collection of his/her personal information.
Consumer Choice Requirements
The CCPA requires businesses to offer consumers the opportunity to opt-out of the sale of their personal information. Under the CCPA a “sale” means “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” The term “valuable consideration” is widely interpreted to include broadly any benefit to which an organization is not legally entitled absent an agreement. The opt-out rules for selling personal information do not apply if businesses share personal information with “service providers” for performing “business purposes”, a business provides notice of such sharing, and contracts exist with the service providers to restrict them from using the information for any incompatible subsequent purposes.
Financial institutions regularly obtain marketing lists and re-share personal information included in them with other financial institutions or third parties. For example, personal information may be shared with advertising agencies that provide marketing services for financial institutions, third-party partners for cross-promotional activities, or may be sold outright for use by the third party for its own purposes. Given the CCPA’s opt-out requirements, it becomes crucial for financial institutions to review existing third-party relationships and determine which entities are purely service providers and which use the shared information for their own business purposes. For service providers, financial institutions may need to renegotiate existing data sharing agreements to explicitly restrict incompatible personal information processing activities and facilitate the fulfillment of subject right requests (e.g., right to access and delete). For sales of California resident personal information to third parties who are not service providers, financial institutions must implement technical and operational measures to respect consumer sale preferences (e.g., maintaining internal do-not-sell lists to effectuate the right to opt-out).
In cases where financial institutions obtain third-party marketing lists and use the personal information contained in them for their own business purposes, they should ensure the implementation of technical and organizational measures to respect consumer opt-out or subject right requests. This may be accomplished in part by developing detailed process workflows for responding to each type of request. Such workflows, to be effective, should include detailed depictions of where in-scope data may reside (e.g., marketing or CRM databases) and specific actions that need to be taken to effectuate requests, such as verifying the identity of the requester and effectively tagging the personal information so that there is no risk of it being transferred for value.
Although non-public personal financial information falls outside of the scope of the CCPA, financial institutions should not underestimate compliance efforts that will be necessary where personal information is processed, particularly for sales and marketing purposes. Financial services entities should consider the following compliance activities in anticipation of the CCPA becoming effective in 2020:
- Mapping out in-scope data sets, data flows and third-party recipients of personal information,
- Assessing notice requirements,
- Creating process flows and implementing technical and operational measures to respect consumer sale preferences as well as other individual right requests, and
- Reviewing and renegotiating existing data sharing agreements with service providers.
Undertaking these activities in advance of the CCPA’s effective date will provide financial services companies with the opportunity to work through some of the still vague CCPA language and establish effective processes to address business risks associated with the Act, in particular those risks associated with sales and marketing initiatives targeting consumers that have not yet obtained a financial product or service.