Springing Privacy Obligations for Highly Regulated Organizations
Smart Summary
Although many are very familiar with this concept, recent regulatory activity warrants a reminder that:
- GLBA and related exemptions under the CCPA apply only to specific types of information, not to the institution as a whole.
- The CFPB clarified that the FCRA and GLBA do not override more protective state laws.
- Institutions must design processes to ensure compliance with the CCPA for non-exempt personal information, which may include email addresses and device identifiers.
- Personal information collected for employment purposes, and personal information collected from website visitors for personalized advertising purposes may not be exempt from CCPA requirements.
Insurance businesses, credit unions, and other financial institutions should pay close attention to the information-level exemption under the CCPA and prepare accordingly.
The concepts contained in the California regulations and the November 12, 2024 report from the CFPB – which clarify that the Fair Credit Reporting Act (FCRA) and Gramm-Leach-Bliley Act (GLBA) do not preempt state laws that are more protective of the individual – deserve thoughtful strategic evaluation.
This article highlights a few common examples where the CCPA requirements may apply due to the details of business operations and potential information level exemptions.
Is My Information Exempt from CCPA Requirements?
While highly regulated organizations may be exempt from certain CCPA requirements, those exemptions generally apply only at the level of the specific exempted information (for example, the CCPA does not apply to personal information collected, processed, sold, or disclosed pursuant to the federal GLBA and its implementing regulations). To say it another way:
A financial institution that meets the definition of “business” under the CCPA is required to comply with the CCPA for any personal information that is not exempted.
Operational processes and controls should be designed and implemented with an understanding that – depending on the circumstances – the same categories of information (e.g., email addresses, marketing and other device identifiers, or IP addresses) may or may not be exempt from the CCPA’s requirements. The exemption turns on the context in which the information was collected and used, not on the category of data or the type of institution.
So, When Is Information NOT Exempt?
Example 1 (Pre-Product/Service):
A financial institution collects an email address, device ID, or other personal information from visitors to its website who have not applied for any insurance product or other financial product or service from the business. The information is used to tailor personalized advertisements across different business websites.
- In this instance, the business must comply with the CCPA, including by providing consumers the right to opt out of the sale/sharing of their personal information and by honoring opt-out preference signals, because the personal information collected from the website browsing is not related to an application for, or the provision of, an insurance transaction or other financial product or service, and so does not fall within the GLBA exemption.
Example 2 (Employees + Job Applicants):
A financial institution collects personal information from its employees or job applicants for employment purposes.
- In this instance, the business must comply with the CCPA with regard to employee and applicant information, including by providing a Notice at Collection to employees and job applicants at or before the time their personal information is collected, and by complying with applicable automated decision-making technology obligations. This is because personal information collected for employment purposes is not covered by the GLBA exemption and is therefore not exempt.
For further clarification on how these regulations impact your business, contact David Wilson at dwilson@keglerbrown.com.
