The California Consumer Privacy Act (CCPA) is scheduled to take effect on January 1, 2020, and many credit unions around the country are wondering what CCPA means for them. CCPA is a new data privacy law that applies to most businesses that have customers located in California, even if the business is based in another state. As member-owned financial cooperatives, credit unions likely meet the CCPA’s definition of a “business” under California Code section 1798.140 because credit unions operate for the “financial benefit of its shareholders or other owners”. The Federal Credit Union Act, for example, defines a “federal credit union” as “a cooperative association organized in accordance with the provisions of this chapter for the purpose of promoting thrift among its members and creating a source of credit for provident or productive purposes . . .” and state credit union acts use similar definitions. So what do the looming CCPA compliance requirements mean for my credit union?
The good news for credit unions and other financial institutions is that CCPA has a carve-out for data that is subject to the privacy requirements of the Gramm-Leach-Bliley Act. This means that consumer information covered by the Gramm-Leach-Bliley Act and the Consumer Financial Protection Bureau’s Regulation P is likely exempt from the CCPA. In general, the Gramm-Leach-Bliley Act applies to data and personal information that a credit union or other financial institution collects for the purpose of providing a financial product or service. This Gramm-Leach-Bliley Act exemption is only a partial exemption, however, and many parts of CCPA still apply to any credit union that has members who live in California.
CCPA’s disclosure requirements, consumer right to data access provisions, “reasonable” data security requirements and private right of action provision are not covered by the Gramm-Leach-Bliley exemption. This means that CCPA may become fertile ground for multi-million-dollar class-action lawsuits against credit unions that do not prepare for CCPA compliance now, much as Americans with Disabilities Act litigation has been recently. CCPA also applies to consumer data, or uses of data, that the Gramm-Leach-Bliley Act does not cover. For example, CCPA likely applies to data on small business owners or data that an institution collects for marketing purposes.
CCPA’s data privacy, data protection and disclosure requirements are also in many ways similar to the European Union’s General Data Protection Regulation (GDPR), a consumer data privacy law that applies to businesses based anywhere in the world that have customers who live in Europe. I lobbied the European Commission and European Parliament regarding credit union GDPR compliance when I worked for the World Council of Credit Unions, and I have assisted a number of American credit unions to adopt policies to reduce their GDPR-related compliance risk. If you have already tried to establish a GDPR compliance program at your credit union, CCPA compliance will be easier; however, the two laws are different in many respects even though they try to achieve the same goal of giving consumers more privacy and control over their data.
CCPA takes effect in less than a month, even though the comment period on the California Attorney General’s proposed CCPA regulations only ended on December 6, 2019 and the final rules are not yet published. I do not expect the final version of the regulations to change significantly from the proposal, at least not in ways that are significant to credit unions, so now is a great time to assess your institution’s CCPA readiness as well as its GDPR compliance in order to reduce your compliance and litigation risk for the New Year. Feel free to call or email me if you have questions or would like help adopting CCPA-compliant policies for your credit union.