We are excited to feature an article on the much-discussed CCPA topic, written by Alexander W. Powell, partner at Kaufman & Canoles Firm in Williamsburg, VA and our retained law firm for our compliance team. We know that CCPA has been a massive source of headache and confusion for the credit union industry and we hope this article provides insight and value to you. And FYI…this article was featured on our monthly compliance newsletter, which is available to our outsourced compliance credit unions. The newsletter is loaded with in-depth, timely articles just like this one. Like what you see? Drop us a line to chat about how we can help you. Now, on to Mr. Powell’s article.
******
by Alexander W. Powell Jr., guest contributor
The California Consumer Privacy Act (“CCPA”) goes into effect January 1, 2020 and will affect businesses collecting or storing data about California residents.
The CCPA applies to any for-profit entity or entity that operates for the financial benefit of its shareholders or other owners that (i) does business in California, (ii) collects personal information of California residents (or has such information collected on its behalf), (iii) determines on its own or jointly with others the purpose and means of processing that information, and (iv) meets any of the following criteria:
(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000).
(B) Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Below is a breakdown of the major requirements relating to applicability of the statute:
The Act does not specifically address whether credit unions are entities to which it is intended to apply. While credit unions are not-for-profit, the general consensus is that a credit union would likely fall within the scope of any entity that “operates for the financial benefit of its shareholders or other owners.” Therefore, credit unions should assume that they are considered “entities” under the CCPA.
The “doing business in California” requirement appears to create the most uncertainty. California has various definitions relating to “doing business” in the state. The California Corporations Code defines doing business as “entering into repeated and successive transactions of its business in this state, other than interstate or foreign commerce.” The California Franchise Tax Board considers a company to be doing business in California if any of the following are true: (i) the company engages in any transaction for the purpose of financial gain within California, (ii) the company is organized or commercially domiciled in California, or (iii) the company’s California sales, property or payroll exceed certain threshold amounts.
The CCPA does not expressly define what constitutes “doing business” in California. It does, however, provide a very narrow safe harbor in instances where “every aspect of that commercial conduct takes place wholly outside of California.” The statute provides that commercial conduct will be considered “wholly outside of California” where: (i) the business collects information while the consumer is outside of California; (ii) no part of the sale of the consumer’s “personal information” occurs in California; and (iii) no “personal information” collected while the consumer is in California is sold. Any conduct outside of this narrow safe harbor would likely be deemed “doing business” in California for purposes of the CCPA.
From a practical perspective, it is unclear how helpful this exception will be for credit unions that do not have a physical presence in California. Under Section 1798.140(e), the term “collection” is defined as “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.”
Essentially, any “business” that has a website or other digital property that is visited by California residents likely will fall under the scope of the CCPA, at least with respect to those individuals. For example, because an IP address is considered “personal information,” cookies and other tracking technologies can be said to be passively collecting personal information from website users even if the user does not actively submit any other personal details.
Thus, to the extent a credit union has members residing in California, it should assume it is “doing business” in California for purposes of the CCPA.
In addition to being an entity that does business in California, there are three threshold requirements. The CCPA will apply if ANY ONE of the three thresholds is met:
(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000).
(B) Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
One final area of confusion is the exemption of information subject to the Gramm-Leach-Bliley Act (“GLBA”). The CCPA exempts certain types of information (but does not exempt the institution itself) that are subject to the GLBA. Specifically, the CCPA does not apply to personal information “collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, and implementing regulations.” That does not, however, mean that a credit union is in compliance with the CCPA if it complies with the GLBA because the CCPA is broader in scope.
What personal data that a financial institution handles would not fall under the GLBA exemption? Hopefully the legislature or attorney general regulations will clarify this. For now, generally speaking, it seems likely that information collected through the following activities would be examples of personal data falling outside the GLBA exemption:
The current business obligations, as generally outlined by the Office of the Attorney General, are as follows:
Additionally, once the CCPA takes effect, any business or third party may seek the opinion of the Attorney General of California for guidance on how to comply with its provisions, and a business in violation of the CCPA will have 30 days after receiving notice of alleged noncompliance to cure the violation before becoming liable for a civil penalty of up to $7,500 per violation.
The contents of this publication are intended for general information only and should not be construed as legal advice or a legal opinion on specific facts and circumstances. Copyright 2019.