Introduction  

On August 21, 2020, the California legislature enacted the California Consumer Financial Protection Law (CCFPL), which is to take effect on January 1, 2021.[1]  The law renames the “Department of Business Oversight” (DBO) the “California Department of Financial Protection and Innovation (DFPI)” and, among other things, empowers the department to regulate the offering and provision of consumer financial products or services under California consumer financial laws.[2]  The California legislature noted that the CCFPL strengthens “consumer protections by expanding the ability of the department to improve accountability and transparency in the California financial system and promote nondiscriminatory access to responsible, affordable credit, among other purposes.”[3]  In this blog post, we examine the DFPI’s possible authority over California’s principal privacy laws.  Covington will monitor how active the DFPI is in promulgating and enforcing privacy rules as the contours of the DFPI’s authority become apparent over time.

Regulated Entities

The CCFPL applies to “covered persons,” and broadly defines that term to include:

  (1) Any person that engages in offering or providing a consumer financial product or service to a resident of California.
  (2) Any affiliate of a person described in (1) if the affiliate acts as a service provider to the person.
  (3) Any service provider to the extent that the person engages in the offering or provision of its own consumer financial product or service.

The law exempts certain entities from its reach, including licensed finance lenders, brokers, program administrators, or mortgage loan administrators; licensed broker-dealers or investment advisors; federally or state-chartered banks and bank holding companies; and insurance companies.[4]

DFPI Enforcement Authority for Privacy Laws

The CCFPL gives the DFPI broad authorities, including the ability to “regulate the offering and provision of consumer financial products or services under California consumer financial laws and [to] exercise nonexclusive oversight and enforcement authority under California consumer financial law.”[5]  “Consumer financial law” includes a California law that “directly and specifically regulates the manner, content, or terms and conditions of any financial transaction, or any account, product, or service related thereto, with respect to a consumer.”[6]  Given this broad definition of “consumer financial law” and the absence of an enumerated list of laws transferred to the DFPI, there is some ambiguity as to which specific California privacy laws fall within the DFPI’s authority.

The DFPI will inherit authority over the California Financial Information Privacy Act (CFIPA), California’s counterpart to the privacy provisions of the federal Gramm-Leach-Bliley Act (GLBA), from the DBO.  The CFIPA, enacted in 2003, requires financial institutions to provide California consumers notice about how their nonpublic personal information is shared and to obtain a consumer’s written consent or opt-in prior to sharing a consumer’s information with a nonaffiliated third party.[7]  It also requires a financial institution to provide the consumer with the opportunity to “opt-out” of having the consumer’s information shared with an affiliated party,[8] although this provision is preempted, in part, by the Fair Credit Reporting Act per the Ninth Circuit’s decision in ABA v. Lockyer.[9]  As the law was originally enacted, the CFIPA may be enforced by the California Attorney General or the “functional regulator with jurisdiction over regulation of the financial institution,” which is (1) the Department of Business Oversight, Division of Financial Institutions for state banks, savings associations, credit unions, commercial lending companies, and bank holding companies, (2) the Department of Insurance for persons engaged in the business of insurance, and (3) the Department of Business Oversight, Division of Corporations for investment brokers or dealers, investment companies, investment advisers, or residential mortgage lenders or finance lenders.[10]  Because the DFPI is the successor to the DBO, the DFPI acquires the DBO’s enforcement authority over the CFIPA.

It is less clear whether or to what extent the California Consumer Privacy Act (CCPA), which took effect this year, could be considered a “consumer financial law.”  The CCPA places an obligation on businesses to disclose, at or before collection, the categories of personal information they collect and the purposes for which the personal information will be used.  Because the CCPA expressly exempts information collected, processed, sold, or disclosed pursuant to the GLBA or CFIPA, the CCPA would only apply in limited circumstances to a consumer’s financial information.[11]  Because the law could be considered a “consumer financial law” in these limited circumstances, it arguably may fall within the DFPI’s enforcement authority.  However, the DFPI is unlikely to assert broad authority for enforcing the law because the CCPA delegates enforcement authority exclusively to the California Attorney General,[12] and the CCFPL does not amend that provision of the CCPA.

DFPI Examination and Rulemaking Authority with Respect to Privacy Laws

The CCFPL provides that the DFPI “may require reports and conduct examinations on a periodic basis . . . for purposes of . . . assessing compliance with the requirements of consumer financial laws.”[13]  Thus, to the extent the CCPA and CFIPA are considered consumer financial laws, the DFPI could assert examination authority over covered entities with respect to those laws.

The CCFPL grants the DFPI general authority to “prescribe rules applicable to any covered person or service provider identifying as unlawful, unfair, deceptive, or abusive acts or practices in connection with any transaction with a consumer for a consumer financial product or service, or the offering of a consumer financial product or service.”[14]  The DFPI may also “prescribe rules applicable to . . . ensure that the features of any consumer financial product or service . . . are . . . disclosed to consumers.”[15]  The current DBO does not have such broad rulemaking authority.

There is some ambiguity as to whether the DFPI could assert rulemaking authority regarding the CCPA in accordance with the new rulemaking authority provision.  While the Attorney General of California has the authority to promulgate regulations under the CCPA, the statute itself does not give the Attorney General the exclusive authority to do so.  If the DFPI were to conclude that the CCPA relates to the offering of a consumer financial product or service, it could, in theory, promulgate rules under the CCPA.  Note that the CCFPL provides that if the DFPI “and another agency have joint authority, the department shall consult with that agency before promulgating regulations under such laws.”[16]  In contrast, the CFIPA does not have a rulemaking provision.  However, as with the CCPA, if the DFPI were to conclude that the CFIPA relates to the offering of a consumer financial product or service, it is possible that it could promulgate rules under this statute as well.

[1] Cal. Fin. Code § 90000.

[2] AB-1864, Sect. 7, proposed to be codified at Cal. Fin. Code § 90006.  The CCFPL also provides the DFPI with a new registration authority, UDAAP authority, and expanded enforcement authority.  AB-1864, Sect. 1, proposed to be codified at Cal. Fin. Code § 300(a).

[3] AB-1864.

[4] AB-1864, Sect. 7, proposed to be codified at Cal. Fin. Code § 90002.

[5] AB-1864, Sect. 7, proposed to be codified at Cal. Fin. Code § 90006.  The CCFPL also gives the DFPI the authority to exercise nonexclusive oversight and enforcement authority under federal consumer financial laws.  We note that the federal Consumer Financial Protection Act of 2010, 12 U.S.C. § 5552, provides that a state attorney general or its equivalent may enforce federal consumer protection laws against state-chartered or licensed entities.

[6] AB-1864, Sect. 7, proposed to be codified at Cal. Fin. Code § 90005.

[7] Cal. Fin. Code §§ 4051 and 4053(a)(1).

[8] Cal. Fin. Code § 4051.5(a)(3).

[9] American Bankers Ass’n. v. Lockyer, 541 F.3d 1214, 1218 (9th Cir. 2008).

[10] Cal. Fin. Code § 4057(e).

[11] Cal. Civ. Code § 1798.145(e).  The CCPA also does not apply to information collected, maintained, disclosed, sold, communicated, or used by a consumer reporting agency under the FCRA.  Cal. Civ. Code § 1798.145(d).

[12] “The civil penalties provided for in this section shall be exclusively assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.”  Cal. Civ. Code § 1798.155.

[13] AB-1864, Sect. 7, proposed to be codified at Cal. Fin. Code § 90010(b).

[14] AB-1864, Sect. 7, proposed to be codified at Cal. Fin. Code § 90009(c) (emphasis added).

[15] AB-1864, Sect. 7, proposed to be codified at Cal. Fin. Code § 90009(d).

[16] AB-1864, Sect. 7, proposed to be codified at Cal. Fin. Code § 90009(g).

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Mike Nonaka

Michael Nonaka is a partner in the firm’s Financial Institutions practice group. He represents banks and other financial institutions on a wide variety of bank regulatory, enforcement, legislative and policy issues.  Mr. Nonaka also is co-chair of the firm’s Fintech Initiative and works with a number of banks, lending companies, money transmitters, payments firms, technology companies, and service providers on innovative technologies such as big data, blockchain and related technologies, bitcoin and other virtual currencies, same day payments, and online lending.

David Stein

David Stein advises clients on credit reporting, financial privacy, financial technology, payments, retail financial services, and fair lending issues. He assists a broad range of financial services firms, consumer reporting agencies, financial technology companies, and their vendors with regulatory, compliance, supervision, enforcement, and transactional matters.

Mr. Stein has significant experience advising clients on compliance with the FCRA, GLBA, ECOA, EFTA, E-Sign Act, TILA, TISA, FDCPA, Dodd-Frank Wall Street Reform and Consumer Protection Act, and FTC Act, as well as state financial privacy laws. Mr. Stein is a member of the firm’s fintech and artificial intelligence initiatives and works with clients on issues related to cutting edge technologies, such as blockchain, virtual currencies, big data and data analytics, artificial intelligence, online lending, and payments technology.

Mr. Stein previously served in senior regulatory, policy-making, and management positions at the Consumer Financial Protection Bureau (CFPB) and the Federal Reserve Board (FRB). He played a significant role in developing regulations and policy on credit reporting, financial privacy, retail payments systems, consumer credit, fair lending, overdraft services, debit interchange, unfair or deceptive acts or practices, and mortgage origination and servicing. Mr. Stein draws upon his government experience in representing clients before the CFPB, the FRB, and other regulatory agencies and leverages his insights into the regulatory process to provide clients with practical, actionable advice.