THE CCPA AND PREPARING FOR STATE PRIVACY LEGISLATION
Nathan Taylor, Morrison & Foerster LLP

Federal Financial Privacy Law
Fair Credit Reporting Act
  o Regulates the disclosure and use of consumer reports
  o Functionally limits sharing with affiliates
  o Limits marketing based on information received from affiliates
Title V of the Gramm-Leach-Bliley Act (GLBA)
  o Privacy notice obligation
  o Limits sharing with nonaffiliated third parties
Right to Financial Privacy Act
  o Limits sharing with the federal government
HOW WE GOT HERE

The California Consumer Privacy Act
Arguably the most significant U.S. privacy development ever
Replaced a controversial privacy ballot initiative
Fast-tracked from introduction to enactment in June 2018 (but amended by SB 1121 in September 2018)
AG rulemaking expected in fall 2019 (but legislative lobbying efforts continue)
Operative on January 1, 2020; AG enforcement to begin no later than July 1, 2020
SCOPE

Who Will Be Required to Comply?
Any business that:
  o Collects personal information (PI) relating to California residents
  o Determines (alone or jointly) the purposes and means of the processing of the PI
  o Does business in California
  o Meets one of the following thresholds:
    Has annual gross revenues in excess of $25 million;
    Annually buys, receives for commercial purposes, sells, or shares for commercial purposes the PI of 50,000 or more California residents, households, or devices; or
    Derives 50% or more of its annual revenues from selling PI relating to California residents
Also covered: a business that controls or is controlled by, and shares common branding with, a covered business described above

Consumer Means Californian
A natural person who is a CA resident
  o A resident includes any individual who is:
    In CA for other than a temporary or transitory purpose; or
    Domiciled in CA, but outside of CA for a temporary or transitory purpose
No customer-type nexus needed
  o Includes employees, individuals associated with commercial customers, vendors and business partners, independent contractors, and visitors to company premises
Banks will need to decide whether to limit these rights to CA residents or extend them beyond CA

Personal Information
Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked with a particular consumer or household
Includes information in 11 enumerated categories (e.g., identifiers, commercial information, and employment-related information)
OVERVIEW OF INDIVIDUAL RIGHTS

Individual Rights
Right to know/access
Right to deletion
Right to opt out of sale
Right to be free from discrimination
Right to sue (for certain data security events)
THE GLBA EXCEPTION

The GLBA Exception
Statutory text (as amended): "This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act... This subdivision shall not apply to Section 1798.150."
Amended in September 2018 (SB 1121) to remove the original "if it is in conflict with that law" limitation and to add the California Financial Information Privacy Act (SB 1) to the exception
But the amendment also preserved the consumer right to sue for security incidents (Section 1798.150)
STRATEGIES OUTSIDE OF CALIFORNIA

The CCPA: A Trickle or a Tsunami?
California is undisputedly a state leader
Sometimes California is the model
  o Data breach notification: within 15 years, every state had a law
Sometimes it's not
  o Online privacy protection: only several states have followed in 15 years
  o California "Shine the Light" law
  
CCPA-Like Bills
Connecticut: S.B. 1108
Hawaii: S.B. 418
Illinois: H.B. 2736; S.B. 2149
Maine: S.P. 275
Maryland: H.B. 901 / S.B. 613
Massachusetts: S. 120
Minnesota: H.F. 1030; S.F. 1553
Montana: H.B. 457
Nevada: S.B. 220
New Jersey: A. 4902 / S. 2834; A. 4640 / S. 3153
New Mexico: S.B. 176
New York: A.B. 6531 / S.B. 4411; A.B. 3739 / S.B. 224; A.B. 3818 / S.B. 2323
North Dakota: H.B. 1485
Rhode Island: S. 234
Texas: H.B. 4390; H.B. 4518
Washington: S.B. 5376 / H.B. 1854
State Lobbying Strategies
GLBA exceptions are a (perhaps the) prominent state lobbying strategy for the financial industry
  o The industry is on an island when not aligned with other industries
  o Legislatures often do not understand the GLBA
  o But there are numerous examples of state GLBA exceptions in privacy laws (e.g., biometric laws) and security laws (e.g., breach notification)
  o Consider adding HIPAA to the mix?
Most other lobbying efforts align with other industries
  o Limiting scope (e.g., the definition of consumer)
  o Limiting controversial rights (e.g., access/portability and deletion)

Understanding GLBA Privacy
As more states consider consumer privacy laws, it is essential to understand what the GLBA requires and why a GLBA exception makes sense
Title V of the GLBA
  o Part of the 1999 financial reform law repealing the Glass-Steagall Act provisions separating commercial and investment banking
  o Privacy protections added to improve transparency and require notice regarding a financial institution's privacy practices
  o Limits disclosure of customer information to third parties
Financial institutions must provide notice and an opt-out opportunity
  o Before disclosing information to nonaffiliated third parties
  o Covers personally identifiable information relating to both current and former customers
So financial institution customers have been protected for nearly 20 years!
Understanding GLBA Privacy
Many important exceptions to GLBA disclosure limitations, including:
  o Consent of the consumer
  o To complete a transaction requested by the consumer
  o Fraud prevention and institutional risk control
  o Disclosure to private label and co-brand card partners
  o Disclosures to and from consumer reporting agencies
  o To enforce legal rights and for law enforcement purposes
But disclosure to third parties for marketing is usually not permitted
  o Unless notice is given with an opportunity to opt out
GLBA reuse/redisclosure restrictions
  o Information received from a financial institution under an exception may only be reused or redisclosed under an exception
  o This impacts both the financial institution and the recipient

Banking Agency Oversight of the GLBA
Within banking, financial institutions are subject to comprehensive oversight, examinations, and enforcement by both the CFPB and the prudential regulators (e.g., the OCC and FDIC)
The FFIEC member agencies examine service providers for GLBA compliance, particularly data security
Due to the completeness of this federal oversight scheme, many state laws already exempt financial institutions subject to the GLBA
And the CCPA exempts information subject to the GLBA
State recognition of this comprehensive federal oversight structure will be critical when states consider the adoption of privacy laws
The focus of any state privacy legislation should be on companies that attempt to monetize consumer information, not on banks that have been subject to privacy rules for 20 years
The Many Forms of GLBA Exceptions
State GLBA exceptions come in many forms that are far from equal
Examples:
  o The law does not apply to a person who is a financial institution as defined in the GLBA
  o The law does not apply to a person who is subject to the GLBA
  o The law does not apply to a person who is subject to, and complies with, the GLBA
  o The law does not apply to information subject to the GLBA / collected pursuant to the GLBA
  o The law does not apply to the extent that it is in conflict with the GLBA

Importance of Consumer Definition
If not done correctly, a state statute can sweep in information related to employees, small businesses and even commercial banking clients, and vendors
The definition should reflect, to the extent possible, the customer definition in the GLBA:
  "A natural person who is a resident of [STATE] [acting in a personal, family or household context [OR] who obtains a product or service used primarily for personal, family or household purposes]"