AUX Blog

Special Report: Applicability of the California Consumer Privacy Act (CCPA)

January 23, 2020

We are excited to feature an article on the much-discussed CCPA topic, written by Alexander W. Powell, partner at Kaufman & Canoles Firm in Williamsburg, VA and our retained law firm for our compliance team. We know that CCPA has been a massive source of headache and confusion for the credit union industry and we hope this article provides insight and value to you. And FYI, this article was featured in our monthly compliance newsletter, which is available to our outsourced compliance credit unions. The newsletter is loaded with in-depth, timely articles just like this one. Like what you see? Drop us a line to chat about how we can help you. Now, on to Mr. Powell’s article.

******

Applicability of the California Consumer Privacy Act (CCPA)

by Alexander W. Powell Jr., guest contributor

The California Consumer Privacy Act (“CCPA”) goes into effect January 1, 2020 and will affect businesses collecting or storing data about California residents.

The CCPA applies to any for-profit entity or entity that operates for the financial benefit of its shareholders or other owners that (i) does business in California, (ii) collects personal information of California residents (or has such information collected on its behalf), (iii) determines on its own or jointly with others the purpose and means of processing that information, and (iv) meets any of the following criteria:

(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000).

(B) Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.

(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

Below is a breakdown of the major requirements relating to applicability of the statute:

1. Any For-Profit Entity or Entity That Operates For The Financial Benefit of its Shareholders or Other Owners

The Act does not specifically address whether credit unions are entities to which the act is intended to apply. While credit unions are not for profit, the general consensus is that a credit union would likely fall within the scope of any entity that “operates for the financial benefit of its shareholders or other owners.” Therefore, credit unions should assume that they are considered “entities” under the CCPA.

2. Doing Business in California

The “doing business in California” requirement appears to create the most uncertainty. California has various definitions relating to “doing business” in the state. The California Corporations Code defines doing business as “entering into repeated and successive transactions of its business in this state, other than interstate or foreign commerce.” The California Franchise Tax Board considers a company to be doing business in California if any of the following are true: (i) the company engages in any transaction for the purpose of financial gain within California, (ii) the company is organized or commercially domiciled in California, or (iii) the company’s California sales, property or payroll exceed certain threshold amounts.

The CCPA does not expressly define what constitutes “doing business” in California. It does, however, provide a very narrow safe harbor in instances where “every aspect of that commercial conduct takes place wholly outside of California.” The statute provides that commercial conduct will be considered “wholly outside of California” where: (i) the business collects information while the consumer is outside of California; (ii) no part of the sale of the consumer’s “personal information” occurs in California; and (iii) no “personal information” collected while the consumer is in California is sold. Any conduct outside of this narrow safe harbor would likely be deemed “doing business” in California for purposes of the CCPA.

From a practical perspective, it is unclear how helpful this exception will be for credit unions that do not have a physical presence in California. Under Section 1798.140(e), the term “collection” is defined as “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.”

Essentially, any “business” that has a website or other digital property that is visited by California residents likely will fall under the scope of the CCPA, at least with respect to those individuals. For example, because an IP address is considered “personal information,” cookies and other tracking technologies can be said to be passively collecting personal information from website users even if the user does not actively submit any other personal details.

Thus, to the extent a credit union has members residing in California, it should assume it is “doing business” in California for purposes of the CCPA.

3. Threshold Requirements

In addition to being an entity that does business in California, there are three threshold requirements. The CCPA will apply if ANY ONE of the three thresholds is met:

(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000).

(B) Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.

(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

4. GLBA Exemption

One final area of confusion is the exemption of information subject to the Gramm-Leach-Bliley Act (“GLBA”). The CCPA exempts certain types of information (but does not exempt the institution itself) that are subject to the GLBA. Specifically, the CCPA does not apply to personal information “collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, and implementing regulations.” That does not, however, mean that a credit union is in compliance with the CCPA if it complies with the GLBA, because the CCPA is broader in scope.

Which personal data handled by a financial institution would not fall under the GLBA exemption? Hopefully the legislature or attorney general regulations will clarify this. For now, generally speaking, it seems likely that information collected through the following activities would be examples of personal data falling outside the GLBA exemption:

  • A sole proprietor opening a business checking account.
  • Personal details of representatives from corporate clients, third-party vendors, or non-account holder visitors to a physical facility.
  • Data gathered from a visitor to a financial institution’s website or mobile application, when the visit is outside the context of account opening or service.
  • Marketing or analytics data.
  • Subject to the pending amendment mentioned above—the data of job applicants, contractors, and employees currently is covered by the CCPA.

5. General Obligations

The current business obligations, as generally outlined by the Office of the Attorney General, are as follows:

  • Provide notice to consumers at or before data collection (regarding what types of personal information are being collected and for what purposes they will be used), upon receipt of a consumer’s request for such disclosure
  • Create procedures to respond to requests from consumers to opt-out, know, and delete any personal information that is collected
    • For requests to opt-out, businesses must provide a “Do Not Sell My Info” link on their website or mobile app
  • Respond to requests from consumers to know, delete, and opt-out within specific timeframes
    • As proposed by the draft regulations, businesses must treat user-enabled privacy settings that signal a consumer’s choice to opt-out as a validly submitted opt-out request
  • Verify the identity of consumers who make requests to know and to delete, whether or not the consumer maintains a password-protected account with the business
    • As proposed by the draft regulations, if a business is unable to verify a request, it may deny the request, but must comply to the greatest extent it can
    • For example, it must treat a request to delete as a request to opt-out
  • As proposed by the draft regulations, businesses must disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information and explain how they calculate the value of the personal information
    • Businesses must also explain how the incentive is permitted under the CCPA
  • As proposed by the draft regulations, businesses must maintain records of requests and how they responded for 24 months in order to demonstrate their compliance
    • In addition, businesses that collect, buy, or sell the personal information of more than 4 million consumers have additional record-keeping and training obligations

Additionally, upon taking effect, any business or third party may seek the opinion of the Attorney General of California for guidance on how to comply with the provisions of the CCPA, and a business in violation of the CCPA will have 30 days upon receiving notice of alleged noncompliance before being liable for a civil penalty of up to $7,500 per violation.

The contents of this publication are intended for general information only and should not be construed as legal advice or a legal opinion on specific facts and circumstances. Copyright 2019.
