Do financial institutions need to comply with the CCPA with respect to all consumer information?

No, with a caveat.

The CCPA does not apply to “personal information collected, processed, sold, or disclosed pursuant to the Gramm Leach Bliley Act (GLBA) and implementing regulations.” The GLBA regulates privacy and security for financial institutions and applies to more than just banks; it also covers mortgage brokers, non-bank lenders, personal property or real estate appraisers, professional tax preparers, auto-dealers that extend credit, and insurance companies.

The GLBA imposes privacy requirements – and therefore would preempt application of the CCPA – when financial institutions collect “nonpublic personal information about individuals who obtain financial products or services primarily for personal, family, or household purposes.”1 Note that the qualifier “who obtain” is somewhat misleading. Under the GLBA, “consumer” includes individuals who applied for, but did not obtain, financial products, including:

  • Individuals who apply for credit, regardless of whether the credit is extended;
  • Individuals who provide non-public personal information to the financial institution in order to obtain a determination about whether they may qualify for a loan, regardless of whether the loan is extended;
  • Individuals who provide non-public personal information in connection with obtaining or seeking to obtain financial, investment, or economic advisory services, regardless of whether they establish an advisory relationship.

GLBA does not apply, and therefore would not preempt application of the CCPA, to the following situations:

  • When financial institutions collect information about individuals “who obtain financial products or services for business, commercial, or agricultural purposes” – such as information collected when providing commercial loans, commercial checking accounts or other B2B services;2
  • When financial institutions collect information from an individual who is not applying for a financial product or seeking to obtain financial services, such as website data or marketing leads generated by third parties where the individual hasn’t applied for a product;
  • When financial institutions possess personal information about individuals who are consumers of another financial institution for which they are acting as an agent, providing processing, or providing other services;
  • When the financial institution is designated by an individual as the trustee for a trust;
  • If an individual is a participant or beneficiary of an employee benefit plan sponsored by the financial institution;
  • Personal information about financial institution employees (subject to the CCPA beginning in 2021).

Note that the partial exemption applies to privacy requirements under the CCPA only. A financial institution can still be sued, and have to defend against claims for actual or statutory damages, under Section 1798.150 of the CCPA if it fails to implement and maintain reasonable security to protect certain sensitive categories of personal information.