Financial services companies subject to the Gramm-Leach-Bliley Act (GLBA) are treated somewhat differently under the CCPA. However, the CCPA does apply to some personal information that financial institutions handle. Kristen Mathews and Adam Fleisher, attorneys in Morrison & Foerster’s Privacy + Data Security Group, authored an article for Bloomberg Law that covers the compliance burdens that even financial institutions have under the California Consumer Privacy Act, and evaluates whether, how, and how fast, these burdens can be met.
“In general, it appears that the CCPA will apply to financial institutions with respect to information that is not collected for a GLBA purpose (i.e., not in the context of the provision of financial services primarily used for personal, family, or household purposes) and therefore is not collected ‘pursuant to’ the GLBA,” Kristen and Adam write. “One way to conceptualize how the CCPA could apply to a financial institution, therefore, is by considering people, activities, and information that could fall outside of the GLBA and therefore be subject to the CCPA.”
Kristen and Adam also advise that: “if they haven’t already, financial services companies that have personal information of individuals who reside in California should consider evaluating the personal information they collect that may be subject to the CCPA, the types of ‘consumers’ they interact with as defined under the CCPA as a result, and what they need to do to be ready for the law when it becomes operative.”