Credit unions subject to the California Consumer Privacy Act of 2018 (CCPA) should be working on expanding their privacy programs as mandated by the California Privacy Rights Act of 2020 (CPRA), which amended the CCPA effective January 1, 2023. Implementation will be facilitated now that the regulations are in the process of being finalized. The Board of the California Privacy Protection Agency submitted the final draft of regulations to the Office of Administrative Law for approval in early February. That approval is expected to be announced around the beginning of April 2023. Some of the implementation basics are discussed below.
Does the CCPA apply to your credit union?
Some public resources are misleading with their definition of a covered “business” because they focus on the “for-profit” element. But the complete definition includes much more. In fact, the CPRA expanded the definition further.
The CCPA will apply generally to credit unions to the extent that the credit union: (1) is a corporation organized for the financial benefit of its members, (2) collects (or a third party collects for the credit union) personal information of a consumer, (3) determines the purposes for, and means of, processing the information, and (4) does business in California. The CPRA expands the definition further, but the new criteria are not generally applicable to credit unions and are beyond the scope of this article.
Also, a covered business must meet one of the following jurisdictional limits:
Most credit unions that meet the jurisdictional limit do so based on their gross revenues during a calendar year. Note that the CPRA added a specific definition for “share” or “sharing” as disclosing for “cross-context behavioral advertising purposes,” which is also specifically defined.
What information does the amended CCPA cover?
The CCPA (as amended by the CPRA) expanded the privacy protections to information gathered about consumers (generally defined as residents of California). Now, workforce data and business-to-business information are no longer exempt. So, the protections extend to employees, applicants, independent contractors, etc., as well as business contacts (the individual consumer acting on behalf of the business that the credit union interacts with).
What information is exempt?
Credit unions are governed by state and federal privacy laws such as the Gramm-Leach-Bliley Act (GLBA), Fair Credit Reporting Act (FCRA), and California privacy laws such as the California Financial Privacy Act (CalFIPA). The CCPA is intended to supplement the protections already imposed by these laws. These laws all define “personal information” similarly, but the CCPA defines it very broadly to serve as a “catch-all,” of sorts.
If the information collected falls outside the scope of those laws, then the CCPA is triggered and you are required to comply with regard to that information. For example, information collected through webpage tracking, something not covered under GLBA, would be subject to the CCPA.
What disclosures are required now?
The CCPA gives consumers the right to know what information is being gathered about them and the right to control, with certain exceptions, what the credit union does with that information. The CPRA expanded those rights. The final regulations describe the form and content of the following disclosures, when they apply, as well as how and when they are to be disclosed:
The CCPA, as amended by the CPRA, is a very complicated law and requires close attention to detail in order to properly comply. Even with the upcoming approval of the final regulations, proper implementation of your compliance program should include guidance from your legal counsel.
Article by Haydee Garbero Hooten, partner at Moore, Brewer & Wolfe.