Those who have spent time critically thinking about the California Consumer Privacy Act (CCPA), can undoubtedly identify a number of ambiguities and uncertainties. Some of those may be resolved through the current legislative amendment process or the forthcoming Attorney General interpretive regulations. However, notwithstanding those efforts, there likely will be many unresolved issues when the CCPA becomes effective.
This post analyzes one such ambiguity – namely, whether the CCPA applies to credit unions. As discussed below, this uncertainty appears to have arisen out of the premise that the CCPA does not apply to non-profits. However, based on an analysis of the CCPA’s definition of “business” in the context of the unique nature of credit unions as well as industry guidance, the CCPA likely does apply to credit unions.
For those interested in a further discussion of the CCPA, Husch Blackwell’s privacy and data security practice group will be hosting a webinar on the CCPA on June 5. Click here for more information and to register.
Background
Credit unions are not-for-profit organizations that, like banks, accept deposits, make loans and provide other financial services. As explained by the World Council of Credit Unions, Inc., a “credit union is a customer/member owned financial cooperative, democratically controlled by its members, and operated for the purpose of maximizing the economic benefit of its members by providing financial services at competitive and fair rates.”
In turn, the CCPA applies to “businesses,” which is defined in § 1798.140(c) as a “sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California,” and that: (1) has annual gross revenues in excess of $25,000,000; (2) alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices or (3) derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Because credit unions are not-for-profits there is a line of thinking that they do not qualify as businesses. However, that interpretation does not take into account the unique nature of credit unions and the fact that they are operated “for the profit or financial benefits of [their] owners.”
Industry Guidance – The California Credit Union League
The California Credit Union League (CCUL) is the trade association for more than 265 California credit unions. Notably, the CCUL was actively involved in lobbying for passage of the CCPA’s revised GLBA carve-out language, which the California legislature did through passage of SB 1121 (the now-current version of the CCPA). This year, the CCUL has pushed for passage of AB 1416, which would specify that the CCPA does not prevent a business from using personal information to protect or prevent illegal or malicious activity. (See also here.)
We contacted the CCUL and confirmed that the CCUL’s understanding is that the CCPA does cover credit unions based on the phrase “operated for the profit or financial benefit of its shareholders or owners” in the CCPA’s definition of business.
Amendment/Regulatory Process
Although the CCPA is subject to further amendment and interpretative regulations, our review of the proposed amendments and guidance published by the Attorney General’s office does not lead us to believe that this issue will be addressed in that process. In particular, none of the proposed bills that we have reviewed to date would modify the CCPA’s definition of business. Likewise, the Attorney General’s list of rulemaking topics does not identify the CCPA’s definition of business as a topic for regulations.
The GLBA Carve-Out
Assuming that the CCPA does apply to credit unions, such entities will be able to take advantage of the GLBA carve-out language in § 1798.145(e), which provides:
This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150.
However, it must be emphasized that that language does not provide a full exemption. Rather, GLBA-regulated entities will remain subject to the provisions and requirements of the CCPA if they engage in activities falling outside of the GLBA—which credit unions almost certainly do.