On August 31, 2018, the California Senate approved a “clean-up” bill that, if signed by the governor, would amend the California Consumer Privacy Act (“CCPA”), California’s sweeping new privacy law enacted in June. The amendments fall short of addressing many of the most significant criticisms of the CCPA, and are, on the whole, relatively minor. Our sister blog, Inside Privacy, has a full rundown of the changes.
However, while these amendments appear modest, they could transform the effect of the CCPA on financial institutions. In particular, the bill clarifies the exemption for personal information that is regulated under the Gramm-Leach-Bliley Act (“GLBA”) and adds an exemption for personal information regulated under the California Financial Information Privacy Act (or “S.B. 1”). These two statutes regulate the privacy of consumer financial information.
Most importantly, the amendments delete the CCPA’s language providing that the GLBA exemption only applies if the CCPA is “in conflict with” GLBA. GLBA contains a similar provision that preempts state laws that conflict with GLBA: under that law, a state law is preempted if it is “inconsistent with” GLBA, and “then only to the extent of inconsistency.” Further, GLBA makes clear that a state law that provides “greater protection” than GLBA is not inconsistent with it.
Because the CCPA arguably provides “greater protection” to consumers than GLBA, the effect of the original GLBA exemption was unclear.
The amended bill clarifies that “personal information collected, processed, sold, or disclosed pursuant to” GLBA or S.B. 1 would not be subject to most provisions of the CCPA. (The provision that creates a private right of action for data breaches would still apply to this data.) While the full breadth of the exemption is not certain, personal information subject to GLBA and S.B. 1 could include nonpublic personal information as defined under those statutes, which consists generally of personally identifiable financial information relating to consumers.