The California Attorney General recently released its proposed regulation to the California Consumer Protection Act (CCPA). The CCPA, a privacy statute, was enacted in 2018 and takes effect on January 1, 2020. Text of the CCPA can be found here, and text of the proposed regulation can be found here. Comment is due by December 6, 2019.
There are two items to note regarding the law and the proposed regulation. First, if your institution meets the coverage criteria below, the law’s exemption for financial institutions is not a blanket exemption. Second, the proposed regulation imposes a substantial burden regarding website disclosures on those that are covered under the law.
The CCPA applies to each business that collects personal information about consumers. A “business” is defined as follows:
“Personal information” includes “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household…” such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, Internet browsing history, geolocation data, and employment-related information.
The CCPA exempts the collection, processing, selling or disclosure of a consumer’s personal information pursuant to a specified federal law relating to “banks, brokerages, insurance companies…,” which would be covered under the Gramm-Leach-Bliley Act (GLBA). However, the GLBA only protects nonpublic personal information of consumers and customers used for “personal, family or household use,” and you will note the CCPA definition is more expansive.
What does this mean? Institutions covered by the CCPA would remain covered for personal information collected from sole proprietors, prospective employees, independent contractors, and (potentially) website visitors.
CCPA Proposed Disclosure Requirement
The proposed CCPA regulation would require privacy notices to be “accessible to consumers with disabilities. At a minimum, provide information on how a consumer with a disability may access the notice in an alternative format.” These notices must be seen before a business collects the information, so if the website is the first point of contact with a consumer, the website would be required to provide accommodations.
What the proposed regulation fails to provide is a definition of “disabilities,” or any guidance on what the minimum requirements would be. Taking into account the various forms of disability, compliance with this requirement would be quite burdensome.
Many financial institutions will not be required to comply with the CCPA. However, it is still worth reviewing, as fourteen other state legislatures have introduced bills to provide greater privacy protections than the GLBA provides. The International Association of Privacy Professionals (IAPP) maintains an updated state privacy law comparison chart, which can be found here. In the event additional states pass such laws, the CCPA could well be the model used to draft them.
PLEASE NOTE: The information and opinions provided on this blog are not intended to be legal advice. No attorney-client relationship is formed, nor should any such relationship be implied. Nothing on this blog is intended to substitute for the advice of an attorney that is licensed in your jurisdiction. No article may be republished without the express written permission of ESTEE Compliance, LLC © 2019