- 1798.100 – Consumer's right to receive information on privacy practices and to access information
- 1798.105 – Consumer's right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumer's right to receive information about onward disclosures
- 1798.120 – Consumer's right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
Does the CCPA apply to the personal information of employees?
Yes.
The CCPA applies to personal information held about “consumers” – a term which is defined as referring to any resident of California.1 As a result, if a business is governed by the CCPA, the rights conferred by the statute apply to the business’s employees.
While the CCPA applies to data collected about employees, the California legislature passed an amendment in 2019 (Senate Bill 25) that effectively phased in the rights afforded to employees over the course of 2020. Pursuant to the amendment, those provisions of the CCPA found within Sections 100(b) and 150 applied immediately to employees.2 These included the obligation that a business inform an employee “at or before the point of collection” of the personal information to be collected and the purposes for which the information will be used.3 They also included the ability of an employee to bring suit if an employer failed to adequately protect sensitive category information.5 Employees’ personal information was exempted from other provisions of the CCPA until January 1, 2021 (e.g., access rights, deletion rights, sale rights, etc.).5
Do financial institutions need to comply with the CCPA with respect to all consumer information?
No, with a caveat.
The CCPA does not apply to “personal information collected, processed, sold, or disclosed pursuant to the Gramm Leach Bliley Act (GLBA) and implementing regulations.” The GLBA regulates privacy and security for financial institutions and applies to more than just banks, including mortgage brokers, non-bank lenders, personal property or real estate appraisers, professional tax preparers, auto-dealers that extend credit, and insurance companies.
The GLBA imposes privacy requirements – and therefore would preempt application of the CCPA – when financial institutions collect “nonpublic personal information about individuals who obtain financial products or services primarily for personal, family, or household purposes.”1 Note that the qualifier “who obtain” is somewhat misleading. Under the GLBA, “consumer” includes individuals who applied for, but did not obtain, financial products, including:
- Individuals who apply for credit, regardless of whether the credit is extended;
- Individuals who provide non-public personal information to the financial institution in order to obtain a determination about whether they may qualify for a loan, regardless of whether the loan is extended;
- Individuals who provide non-public personal information in connection with obtaining or seeking to obtain financial, investment, or economic advisory services, regardless of whether they establish an advisory relationship.
GLBA does not apply, and therefore would not preempt application of the CCPA, to the following situations:
- When financial institutions collect information about individuals “who obtain financial products or services for business, commercial, or agricultural purposes” – such as information collected when providing commercial loans, commercial checking accounts or other B2B services;2
- When financial institutions collect information from an individual who is not applying for a financial product or seeking to obtain financial services, such as website data or marketing leads generated by third parties where the individual hasn’t applied for a product;
- When financial institutions possess personal information about individuals who are consumers of another financial institution for which the financial institution is acting as an agent, or for which it is providing processing or other services;
- When the financial institution is designated by an individual as the trustee for a trust;
- If an individual is a participant or beneficiary of an employee benefit plan sponsored by the financial institution;
- Personal information about financial institution employees (subject to the CCPA beginning in 2021).
Note that the partial exemption applies to privacy requirements under the CCPA only. A financial institution is still subject to being sued and defending against actual or statutory damages under Section 1798.150 of the CCPA if it fails to implement and maintain reasonable security to protect certain sensitive categories of personal information.
What does a Human Resources Director need to know about the CCPA?
- Privacy notices. Under the CCPA, employers are required to provide California employees with privacy notices that, among other things, itemize the categories of personal information collected, shared, and sold about the employee.1
- Access rights. Under the CCPA, California employees are permitted to request access to the personal information that the employer has collected about the employee.2
- Deletion rights. Under the CCPA, California employees are permitted to request the deletion of the personal information that the employer has collected from the employee.3 Note that the CCPA does not require that employers grant such requests in all situations.
- HR benefits providers. Under the CCPA, an employer must take steps to verify that by providing personal information about California employees to benefits providers it is not “selling” personal information as that term is defined in the statute. If a sale does occur, the employer must disclose the sale to the employee and offer them the ability to opt-out of the sale through a “Do Not Sell” mechanism.
- Data security breach. Under the CCPA, if the sensitive information of a California employee (e.g., Social Security Number) is breached as a result of the employer’s inadequate data security, an employee may be able to initiate suit to recover statutory liquidated damages.4
In response to an access request, does a company have to produce its internal notes relating to an individual?
Maybe.
The CCPA requires a business to respond to an access request by disclosing all information that it has “collected” about a consumer in the previous 12 months.1 Unlike the CCPA’s treatment of a business’s obligation to delete information, the Act provides very few exceptions to a business’s obligation to provide access to information.
Although the “access” obligation is undoubtedly broad, it is somewhat limited by how the CCPA interacts with other statutes, rights, and other obligations. Under the CCPA:
- The rights of one consumer “shall not adversely affect the rights…of other consumers,”2 and
- Individuals whose information has been subject to “an unauthorized access…or disclosure” can recover statutory damages.3
A business’s response to an access request must take these provisions into consideration. For example, a business may not be able to provide access to internal documents regarding a consumer (e.g., internal notes about a customer service representative’s experience with the consumer) as it could be construed as an unauthorized disclosure of the document creator’s personal information.
A case could also be made that the right of “access” is somewhat limited by the term “collect.” Under the CCPA, “collect” means:
[B]uying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.4
Arguably, this definition does not include information that is “created” internally, even if it relates to the consumer. At face value, all of the terms describing “collect” refer to information that already exists, so information that is “created” by the business may not need to be disclosed. Internally developed or created information may include:
- Inferences about a consumer
- Background responses (e.g., internal responses to consumer requests and/or consumer activity)
- Internal notes about a consumer
For example, if a consumer contacts a retailer to request a purchase return, some information relating to the return is “collected” and some is not. The information given to the retailer during the request phase – such as the consumer’s name, phone number, mailing address, and the request made – is certainly “collected” under the CCPA and would need to be disclosed pursuant to an access request. Other information generated after the request is made – such as internal return protocols, the refund date, the retailer’s response to the consumer, fraud detection protocols, internal notes, and inferences made about the consumer’s purchasing behavior – is arguably not “collected” under the CCPA and would not need to be disclosed pursuant to an access request.
In response to an access request, does a company have to produce information about its transactions and experiences with an individual?
The CCPA requires a business to respond to an access request by disclosing all information that it has “collected” about a consumer in the previous 12 months.1 Unlike the CCPA’s treatment of a business’s obligation to delete information, the Act provides very few exceptions to a business’s obligation to provide access to information.
Although the “access” obligation is undoubtedly broad, it is somewhat limited by how the CCPA interacts with other statutes, rights, and other obligations. Under the CCPA:
- The rights of one consumer “shall not adversely affect the rights…of other consumers,”2 and
- Individuals whose information has been subject to “an unauthorized access…or disclosure” can recover statutory damages.3
A business’s response to an access request must take these provisions into consideration. For example, a business may not be able to provide access to internal documents regarding a consumer (e.g., internal notes about a customer service representative’s experience with the consumer) as it could be construed as an unauthorized disclosure of the document creator’s personal information.
A case could also be made that the right of “access” is somewhat limited by the term “collect.” Under the CCPA, “collect” means:
[B]uying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.4
Arguably, this definition does not include information that is “created” internally, even if it relates to the consumer. At face value, all of the terms describing “collect” refer to information that already exists, so information that is “created” by the business may not need to be disclosed. Internally developed or created information may include:
- Inferences about a consumer
- Background responses (e.g., internal responses to consumer requests and/or consumer activity)
- Internal notes about a consumer
For example, if a consumer contacts a retailer to request a purchase return, some information relating to the return is “collected” and some is not. The information given to the retailer during the request phase – such as the consumer’s name, phone number, mailing address, and the request made – is certainly “collected” under the CCPA and would need to be disclosed pursuant to an access request. Other information generated after the request is made – such as internal return protocols, the refund date, the retailer’s response to the consumer, fraud detection protocols, internal notes, and inferences made about the consumer’s purchasing behavior – is arguably not “collected” under the CCPA and would not need to be disclosed pursuant to an access request.
For more information and resources about the CCPA visit http://www.CCPA-info.com.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1. 1798.100(b).
2. 1798.145(j).
3. 1798.150(a).
4. 1798.140(e).
In response to an access request, does a company have to produce its own work product?
Maybe.
The CCPA requires a business to respond to an access request by disclosing all information that it has “collected” about a consumer in the previous 12 months.1 Unlike the CCPA’s treatment of a business’s obligation to delete information, the Act provides very few exceptions to a business’s obligation to provide access to information.
Although the “access” obligation is undoubtedly broad, it is somewhat limited by how the CCPA interacts with other statutes, rights, and other obligations. Under the CCPA:
- The rights of one consumer “shall not adversely affect the rights…of other consumers,”2 and
- Individuals whose information has been subject to “an unauthorized access…or disclosure” can recover statutory damages.3
A business’s response to an access request must take these provisions into consideration. For example, a business may not be able to provide access to internal documents regarding a consumer as it could be construed as an unauthorized disclosure of the document creator’s personal information.
A case could also be made that the right of “access” is somewhat limited by the term “collect.” Under the CCPA, “collect” means:
[B]uying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.4
Arguably, this definition does not include information that is “created” internally, even if it relates to the consumer. At face value, all of the terms describing “collect” refer to information that already exists, so information that is “created” by the business may not need to be disclosed. Internally developed or created information may include:
- Inferences about a consumer
- Background programming
- Background responses (e.g., internal responses to consumer requests and/or consumer activity)
- Internal information unrelated to the consumer (e.g., background data describing a web page that the consumer navigated to)
- Internal notes about a consumer
For example, if a consumer contacts a retailer to request a purchase return, some information relating to the return is “collected” and some is not. The information given to the retailer during the request phase – such as the consumer’s name, phone number, mailing address, and the request made – is certainly “collected” under the CCPA and would need to be disclosed pursuant to an access request. Other information generated after the request is made – such as internal return protocols, the refund date, the retailer’s response to the consumer, fraud detection protocols, internal notes, and inferences made about the consumer’s purchasing behavior – is arguably not “collected” under the CCPA and would not need to be disclosed pursuant to an access request.
In response to an access request, does a company have to produce all of the information that it has about an individual?
Maybe.
The CCPA requires a business to respond to an access request by disclosing all information that it has “collected” about a consumer in the previous 12 months.1 Unlike the CCPA’s treatment of a business’s obligation to delete information, the Act provides very few exceptions to a business’s obligation to provide access to information.
Although the “access” obligation is undoubtedly broad, it is somewhat limited by how the CCPA interacts with other statutes, rights, and other obligations. Under the CCPA:
- The rights of one consumer “shall not adversely affect the rights…of other consumers,”2 and
- Individuals whose information has been subject to “an unauthorized access…or disclosure” can recover statutory damages.3
A business’s response to an access request must take these provisions into consideration. For example, a business may not be able to provide access to CCTV footage if there is a third party in the video, as this would infringe upon the third party’s privacy rights. Similarly, a business may not be able to provide access to internal documents regarding a consumer as it could be construed as an unauthorized disclosure of the document creator’s personal information.
A case could also be made that the right of “access” is somewhat limited by the term “collect.” Under the CCPA, “collect” means:
[B]uying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.4
Arguably, this definition does not include information that is “created” internally, even if it relates to the consumer. At face value, all of the terms describing “collect” refer to information that already exists, so information that is “created” by the business may not need to be disclosed. Internally developed or created information may include:
- Inferences about a consumer
- Background programming
- Background responses (e.g., internal responses to consumer requests and/or consumer activity)
- Internal information unrelated to the consumer (e.g., background data describing a web page that the consumer navigated to)
- Internal notes about a consumer
For example, if a consumer contacts a retailer to request a purchase return, some information relating to the return is “collected” and some is not. The information given to the retailer during the request phase – such as the consumer’s name, phone number, mailing address, and the request made – is certainly “collected” under the CCPA and would need to be disclosed pursuant to an access request. Other information generated after the request is made – such as internal return protocols, the refund date, the retailer’s response to the consumer, fraud detection protocols, internal notes, and inferences made about the consumer’s purchasing behavior – is arguably not “collected” under the CCPA and would not need to be disclosed pursuant to an access request.
Is encrypted data out of the scope of the CCPA?
In some cases yes, and in other cases no.
The CCPA defines “personal information” as information that, among other things, “is capable of being associated with” a particular consumer.1 Conversely, the CCPA refers to information as “deidentified” if it “cannot reasonably” be “associated with” a particular consumer.2
In situations in which a company encrypts personal information, but maintains the means to decrypt the information (e.g., a password or an encryption key), an argument exists that while the encrypted information remains in the possession of the business, it is “capable” of being associated with a consumer. In such a situation, most of the requirements of the CCPA would apply with one important exception. The private right of action conferred by the CCPA to bring suit following a data breach only applies in the context of “nonencrypted” information that has been disclosed.3 As a result, if the business accidentally disclosed the encrypted information (or if the encrypted information were accessed by a malicious third party), the business should not be liable for the statutory liquidated damages identified in the Act.
In situations in which a company receives, stores, or transmits encrypted information, but does not have the means to decrypt it (e.g., acts simply as a transmission conduit), a strong argument exists that the information “cannot reasonably” be associated with a particular consumer and, as a result, is not personal information subject to the CCPA.
In comparison to the CCPA, the European GDPR recognizes encryption as a security technique that may help keep personal data safe, but the GDPR does not state that encrypted data is no longer personal data; nor does the GDPR state that encrypted data is not governed by the Regulation.4 To the contrary, the Article 29 Working Party5 held the opinion that encryption does not “per se lend[ ] itself to the goal of making a data subject unidentifiable” and “it does not necessarily result in anonymisation.”6
Can companies use arbitration clauses and class-action waiver provisions to mitigate the risk of CCPA-related class actions?
More than likely.
The CCPA states that consumers may seek, on “an individual or class-wide” basis, actual damages, statutory damages, or injunctive or declaratory relief following certain types of data security breaches.1 The CCPA further states that “[a]ny provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer’s rights under [the CCPA], including, but not limited to, any right to a remedy or means of enforcement” is “void and unenforceable.”2 The reference to contract provisions limiting consumer rights as being void and unenforceable has led some plaintiffs’ attorneys to suggest that the California legislature intended to invalidate the use of arbitration and class action waiver clauses in contracts as those provisions might prevent consumers from proceeding on a “class-wide” basis.
Despite the language in the CCPA, the United States Supreme Court has consistently affirmed the strong federal policy favoring arbitration and the enforceability of class action waivers in arbitration agreements. In the landmark case of AT&T Mobility LLC v. Concepcion, 563 U.S. 333 (2011), the Supreme Court explained that the Federal Arbitration Act (“FAA”) was specifically designed to preempt state laws that undermine the goal of the FAA to promote arbitration. Furthermore, in Sanchez v. Valencia Holding Co., 61 Cal. 4th 899 (2015), the California Supreme Court determined that class action waiver provisions within contracts are enforceable even if a state law appears to provide for class action type recovery.
As a result, and based upon the holdings in Concepcion and Sanchez, there is a strong argument that the CCPA will not be interpreted as preventing consumers from entering into arbitration agreements or from agreeing to waive their ability to proceed in class actions.
CCPA Privacy FAQs: So what is with the CCPA’s deadline? Is it, or is it not, going into force on January 1, 2020?
There is a good deal of confusion about when the CCPA actually “becomes law.” The confusion is due, in large part, to a lack of drafting clarity presumably caused by the hasty drafting of the Act.1
The CCPA includes the following references to deadlines:
| Issue | Description | Date |
| --- | --- | --- |
| Enacted | Date that the law was enacted. | June 28, 2018 |
| Operative | Date that the law becomes “operative.”2 | January 1, 2020 |
| Enforceable by private suit | Date that individuals can bring suit for an alleged violation of the data security provisions.3 | January 1, 2020 |
| Attorney General Mandatory Regulations | Date by which the Attorney General must “adopt” regulations on mandatory topics.4 | On, or before, July 1, 2020 |
| Attorney General Discretionary Regulations | Date by which the Attorney General can adopt additional regulations on other topics that may “further the purposes” of the CCPA. | No deadline |
| Attorney General Enforcement Actions | Date by which the Attorney General can bring an enforcement action under the CCPA.5 | July 1, 2020 (unless final regulations are published sooner) |
In summary, although the statute becomes “operative” on January 1, 2020, the only enforcement of the statute as of that date relates to suits involving data security breaches. A company cannot be a defendant in a civil action for the privacy-oriented provisions of the CCPA until July of 2020 – at which time the Attorney General can bring enforcement actions premised on any provision of the CCPA (regardless of whether such a provision relates to privacy or security, or one of the Attorney General’s regulations).
The timeline created by the California legislature has raised questions about whether the Attorney General is prohibited from initiating an enforcement action until July 1, 2020 (i.e., prohibited from filing a lawsuit until that date), or whether the Attorney General is prohibited from bringing an enforcement action for conduct that occurs prior to July 1, 2020. In other words, the CCPA is ambiguous about whether companies that violate the privacy provisions of the Act on January 1, 2020 are immune from liability, or could be subject to an enforcement action initiated on July 1, 2020, as the January conduct would fall within the scope of the four-year statute of limitations that applies to an Attorney General initiated suit.6

While the text of the Act is ambiguous, a strong argument could be made that the intent of the legislature in building a delayed enforcement period into the statute was to provide businesses with time – between when the statutorily mandated interpretative guidance is first proposed and when it is approved as a final rule – to process that guidance and take steps to come into compliance. In addition, the Attorney General has not given any indication to date that he intends to bring enforcement actions premised on conduct that occurs between January 1, 2020 and the final publication of regulations. The net result is that while the Attorney General might theoretically attempt to bring a suit under the CCPA on July 1, 2020 for conduct that occurred before July 1, 2020, as a practical matter, it is highly unlikely that he will attempt to do so, and dubious that such an attempt, if made, would be successful.