CCPA Exemptions: The California Consumer Privacy Act and the Gramm-Leach-Bliley Act

Published February 13, 2020 by 4 min read

A change is coming for privacy protection. Are you ready? For the past twenty years, most financial services businesses fell under the requirements of the Gramm-Leach-Bliley Act (GLB Act or GLBA). This law federally governed the collection and disclosure of customers’ personal financial information.

However, on January 1st, 2020, a new privacy rule—the California Consumer Privacy Act (CCPA)—is going into effect. Although a state law, it may significantly enhance data protection requirements in the U.S.

Does your business fall under this new Rule? Compliance with the GLBA does not mean your business won’t have to adhere to the CCPA. The CCPA does not exempt financial institutions or companies that provide financial services, but there are limited exemptions for certain types of information that are subject to the GLBA. As stated in the California Code [CCPA § 1798.145(e)], the CCPA does not apply to personal information that is collected, processed, sold, or disclosed under the Gramm-Leach-Bliley Act, and implementing regulations, if it conflicts with that law.

To understand if your company must comply with the CCPA, review the GLBA and the fundamental elements of each law.

What is the GLBA?

The GLBA (also known as the Financial Services Modernization Act of 1999) impacts financial institutions, as well as businesses that aren’t typically defined as financial institutions. It includes businesses that are “significantly engaged” in providing financial services or products and receive that type of financial information. For example, non-bank lenders, real estate appraisers, payday lenders, professional tax preparers, and check-cashing businesses, fall under the GLBA’s definition of “financial institutions.”

The three main components of the GLBA intended to protect the privacy of consumers’ financial information are:

  • The Financial Privacy Rule
  • The Safeguards Rule
  • The Pretexting Protection

Under the Safeguards Rule of the GLBA, companies that meet the definition of financial service institutions must have a written information security plan. Among other requirements, the written plan must describe the methods used to protect customer’s information, and it must incorporate risk assessments, evaluations of the program, and monitoring. The Safeguards Rule also requires financial institutions to ensure contracted service providers are following appropriate data protection if they are handling customer information.

The Financial Privacy Rule applies to the collection and disclosure of personal financial information. Entities that fall under the GLBA Privacy Rule must inform customers about their information-sharing practices. And further, the business must explain customers’ right to opt out if they do not want that information shared with third parties.

The Pretexting Protection provision of the GLBA prohibits access to customer’s financial data under false pretenses, such as fraudulently seeking private information.

Data covered by the GLBA includes non-public personal information or personally identifiable information, such as names, addresses, and phone numbers, bank and credit card account numbers, income and credit histories, and Social Security numbers of customers.

What is the CCPA?

The purpose of the CCPA is to offer broader privacy protections and greater personal control of data collected by businesses. 

Various consumer rights are guaranteed by the CCPA, including:

  • The right to know all data collected by a business, including categories of data prior to its collection
  • The right to be informed of any changes to data collection 
  • The right to know categories of third parties with whom the consumer data is shared
  • The right to refuse the sale of personal information
  • The right to pursue litigation against companies who were negligent with personal data
  • The right to know the business or commercial purpose for collecting consumer data

Under this rule, if consumers request the deletion of data they have posted, the business must comply. Additionally, consumers also have the right to be treated without discrimination if they request the deletion of data. For adult consumers, there is an opt out for data collection, but a mandatory opt in for the sale of minors’ data is included in the CCPA protections.

Companies impacted by the CCPA include those entities thatwho do business in California, as well as those who sell services or goods to California residents, even if the entity is not physically located in California.

And the main course on this buffet of data privacy protection is that the CCPA has different definitions for personal information, which directly impacts most financial service companies.

What About CCPA Exemptions?

The CCPA defines personal information as any data that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

In short, information collected which builds a profile of a consumer, or the household of the consumer will likely fall under the CCPA requirements. By contrast, the GLBA is only applicable to personally identifiable financial information, such as information that a consumer provides to obtain a loan or financial product or information that results from a consumer transaction. 

Likely exemptions are data that is directly generated from consumer transactions or experience information with a financial service business. Additionally, exemptions may also include information that is collected by a financial service business and transferred to another financial service business for the purpose of providing joint financial products, such as a loan or credit card provided by another financial service to the same consumer.

Website or mobile app information from consumer access or in providing a financial product, such as cookies or data that consumers use to access accounts, would be exempt, as this personal information falls under the GLBA provisions.

Credit reports, from a consumer reporting agency, would also fall under exemptions. As would publicly available information, provided it is used in a manner consistent with the purpose of the public information.

It is important to remember that while the information gathered, collected, stored or used above may fall under the GLBA exemptions, passive information or information used for advertising or marketing, and most third-party information would fall under the requirements of the CCPA.

The context of data and the applications of that data determines whether the information falls under the CCPA or is exempt. Reviews of databases and examination of data elements should be performed by financial service businesses to ensure compliance with the CCPA.

Learn how we can fit into your business.

Schedule a demo to learn how we can help guide your organization to confidence in infosec risk and compliance.

Help us get to know you.

Get a demo