Credit Union News


On the Road to Implementing the Amended California Consumer Privacy Act

Credit unions subject to the California Consumer Privacy Act of 2018 (CCPA) should be working on expanding their privacy programs as mandated by the California Privacy Rights Act of 2020 (CPRA), which amended the CCPA effective January 1, 2023.  Implementation will be facilitated now that the regulations are in the process of being finalized.  The Board of the California Privacy Protection Agency submitted the final draft of regulations to the Office of Administrative Law for approval in early February.  That approval is expected to be announced around the beginning of April 2023.  Some of the implementation basics are discussed below.

Does the CCPA apply to your credit union?

Some public resources are misleading with their definition of a covered “business” because they focus on the “for-profit” element.  But the complete definition includes much more.  In fact, the CPRA expanded the definition further.

The CCPA will apply generally to credit unions to the extent that the credit union: (1) is a corporation organized for the financial benefit of its members, (2) collects (or a third party collects for the credit union) personal information of a consumer, (3) determines the purposes for, and means of, processing the information, and (4) does business in California. The CPRA expands the definition further, but the new criteria are not generally applicable to credit unions and are beyond the scope of this article.

Also, a covered business must meet one of the following jurisdictional limits:

  1. Has annual gross revenues in excess of $25,000,000 in the preceding calendar year; or
  2. Annually buys, sells, or shares the personal information of 100,000 or more consumers or households (increased from 50,000 per the original CCPA); or
  3. Derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.

Most credit unions that meet the jurisdictional limit do so based on their gross revenues during a calendar year.  Note that the CPRA added a specific definition for “share” or “sharing” as disclosing for “cross-context behavioral advertising purposes”, which is also specifically defined.

What information does the amended CCPA cover?

The CCPA (as amended by the CPRA) expanded the privacy protections to information gathered about consumers (generally defined as residents of California). Now, workforce data and business-to-business information are no longer exempt.  So, the protections extend to employees, applicants, independent contractors, etc., as well as business contacts (the individual consumer who interacts with the credit union on behalf of a business).

What information is exempt?

Credit unions are governed by state and federal privacy laws such as the Gramm-Leach-Bliley Act (GLBA), Fair Credit Reporting Act (FCRA), and California privacy laws such as the California Financial Privacy Act (CalFIPA).  The CCPA is intended to supplement the protections already imposed by these laws. These laws all define “personal information” similarly, but the CCPA defines it very broadly to serve as a “catch-all,” of sorts.

To the extent that the information gathered falls within the scope of these laws (that is, the information gathered meets the definition set forth in those laws), the consumer rights granted by the CCPA will not apply to that information.  Consider personally identifiable information gathered in compliance with GLBA, CalFIPA (SB-1 Opt-in) and FCRA.  This information is exempt from compliance with a consumer’s request rights under CCPA.  However, the CCPA will still require you to disclose to consumers in your privacy policy and notice at collection that this information is being gathered.

If the information collected falls outside the scope of those laws, then the CCPA is triggered and you are required to comply with regard to that information. For example, information collected through webpage tracking, something not covered under GLBA, would be subject to the CCPA.

What disclosures are required now?

The CCPA gives consumers the right to know what information is being gathered about them and the right to control, with certain exceptions, what the credit union does with that information.  The CPRA expanded those rights.  The final regulations describe the form and content of the following disclosures, when they apply, as well as how and when they are to be disclosed:

  • Consumer/Workforce Data Privacy Policy
  • Consumer/Workforce Data Notice at Collection
  • Notice of Right to Opt-Out of Sale/Sharing or the alternative opt-out link (if the credit union “sells” or “shares” personal information)
  • Notice of Right to Limit Sensitive Personal Information or the alternative opt-out link (if the credit union uses or discloses a consumer’s sensitive personal information for purposes other than those specified in the regulations)
  • Notice of Financial Incentive (if the credit union offers a financial incentive or price or service difference)

Separate workforce notices (privacy policy and notice at collection) are not mandatory, but since the business purposes that need to be disclosed to consumers and the workforce are different, it is more practical to separate the two notices.

The CCPA, as amended by the CPRA, is a very complicated law and requires close attention to detail in order to properly comply.  Even with the upcoming approval of the final regulations, proper implementation of your compliance program should include guidance from your legal counsel.

Article by Haydee Garbero Hooten, partner at Moore, Brewer & Wolfe.
