One of the myriad issues arising from the California Consumer Privacy Act (CCPA) is the extent to which financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) must comply with the CCPA’s requirements in light of Section 1798.145(e), which provides that the CCPA “shall not apply to personal information collected, processed, sold, or disclosed pursuant to [the GLBA], and implementing regulations.” Because the CCPA’s definition of “personal information” is broader than the GLBA’s definition of “nonpublic personal information,” financial institutions have been faced with the daunting task of not only mapping their data but also classifying that data based on whether it is subject to the GLBA.
To add to that task, over the last two months, consumer privacy legislation has been proposed in a number of other state legislatures, including Hawaii, Maryland, Massachusetts, New Jersey, New Mexico, Nevada, Rhode Island and Washington. Although that proposed legislation is, of course, subject to change or outright legislative failure, the proposed bills notably do not take a consistent approach with respect to GLBA-regulated financial institutions. This potential for divergent treatment is of particular concern given that many financial institutions are already building their CCPA compliance programs due to the CCPA’s twelve-month look-back period having begun on January 1, 2019.
In the chart below, we analyze how a number of proposed state laws have approached the GLBA carve-out issue (if at all). For proper context, we also identify whether those proposed laws grant consumers the right to access their personal information, the right to be forgotten, and the right to opt out of a business’s transfer of the consumer’s personal information to third parties. Although not discussed in the chart, the definitions of “personal information” or “personal data” in all of the proposed statutes are broad enough to include “nonpublic personal information” as defined in 15 U.S.C. § 6809(4). After the chart, we provide some analysis and takeaways.
| State | Right to Access | Right to be Forgotten | Right to Opt-Out of Transfers of PI to Third Parties | GLBA Carve-Out Language |
|---|---|---|---|---|
| Maryland | Yes. | Yes. | Yes. | “This subtitle does not apply to . . . personal information collected, processed, sold or disclosed under the federal [GLBA] and implementing regulations.” |
| Massachusetts (Bill SD.341) | Yes. | Yes. | Yes. | “This chapter shall not apply to . . . personal information collected, processed, sold, or disclosed pursuant to the federal [GLBA] and implementing regulations.” |
| New Mexico (SB 176) | Yes. | Yes. | Yes. | “The Consumer Information Privacy Act shall not apply to information that is collected or used pursuant to state or federal law if the application is in conflict with that law. The office of the attorney general may promulgate rules to clarify when the application of the Consumer Information Privacy Act is in conflict with state or federal law.” |
| Rhode Island (SB 234) | Yes. | Yes. | Yes. | No. |
| Washington (SB 5376) | Yes. | Yes. | Yes. | “This chapter does not apply to . . . personal data collected, processed, sold, or disclosed pursuant to [GLBA], and implementing regulations, if the collection, processing, sale, or disclosure is in compliance with that law.” |
Perhaps the most notable takeaway is that none of the proposed laws provides a complete carve-out for GLBA-regulated entities. Rather, at most, Maryland, Massachusetts, and Washington are consistent with the CCPA insofar as they carve out personal information that is subject to the GLBA, but not all personal information held by GLBA-regulated entities.
Yet financial institutions will certainly note that the proposed legislation in Hawaii, New Jersey, Nevada and Rhode Island does not currently contain any GLBA carve-out. The lack of a carve-out is less concerning with respect to the New Jersey and Nevada legislation, because those bills would only provide consumers with the right to opt out of the transfer of personal information to third parties.
In contrast, Hawaii and Rhode Island would also grant consumers the right to access their personal information and to have it deleted. Those rights would create an additional compliance burden on financial institutions. For example, a business responding to a California resident’s verifiable request to access her personal information would be able to exclude nonpublic personal information. However, that same business would have to include that information when responding to a Hawaii or Rhode Island resident’s request.
Finally, New Mexico’s approach is reminiscent of the CCPA’s original carve-out language before it was amended. Specifically, the CCPA originally provided that it would not apply “to personal information collected, processed, sold, or disclosed pursuant to the [GLBA], and implementing regulations, if it is in conflict with that law.” The inclusion of the phrase “if it is in conflict with that law” led to widespread confusion, and it was removed when the CCPA was amended by Senate Bill 1121. New Mexico has apparently tried to address this confusion by proposing to charge the New Mexico Attorney General’s office with issuing guidance.
In the end, it is anyone’s guess whether these proposed bills will become law. However, what does appear inevitable is that states other than California will enact consumer privacy legislation. Because of that inevitability, financial institutions should strongly consider building scalable and repeatable compliance programs that can adapt to new state privacy laws. For more information on privacy-related legislation, contact David Stauss or Marci Kawski.