data privacyThose who have spent time critically thinking about the California Consumer Privacy Act (CCPA), can undoubtedly identify a number of ambiguities and uncertainties. Some of those may be resolved through the current legislative amendment process or the forthcoming Attorney General interpretive regulations. However, notwithstanding those efforts, there likely will be many unresolved issues when the CCPA becomes effective.

This post analyzes one such ambiguity – namely, whether the CCPA applies to credit unions. As discussed below, this uncertainty appears to have arisen out of the premise that the CCPA does not apply to non-profits. However, based on an analysis of the CCPA’s definition of “business” in the context of the unique nature of credit unions as well as industry guidance, the CCPA likely does apply to credit unions.

For those interested in a further discussion of the CCPA, Husch Blackwell’s privacy and data security practice group will be hosting a webinar on the CCPA on June 5. Click here for more information and to register.

Background

Credit unions are not-for-profit organizations that, like banks, accept deposits, make loans and provide other financial services. As explained by the World Council of Credit Unions, Inc., a “credit union is a customer/member owned financial cooperative, democratically controlled by its members, and operated for the purpose of maximizing the economic benefit of its members by providing financial services at competitive and fair rates.”

In turn, the CCPA applies to “businesses,” which is defined in § 1798.140(c) as a “sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California,” and that: (1) has annual gross revenues in excess of $25,000,000; (2) alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices or (3) derives 50 percent or more of its annual revenues from selling consumers’ personal information.

Because credit unions are not-for-profits there is a line of thinking that they do not qualify as businesses. However, that interpretation does not take into account the unique nature of credit unions and the fact that they are operated “for the profit or financial benefits of [their] owners.”

Industry Guidance – The California Credit Union League

The California Credit Union League (CCUL) is the trade association for more than 265 California credit unions. Notably, the CCUL was actively involved in lobbying for passage of the CCPA’s revised GLBA carve-out language, which the California legislature did through passage of SB 1121 (the now-current version of the CCPA). This year, the CCUL has pushed for passage of AB 1416, which would specify that the CCPA does not prevent a business from using personal information to protect or prevent illegal or malicious activity. (See also here.)

We contacted the CCUL and confirmed that the CCUL’s understanding is that the CCPA does cover credit unions based on the phrase “operated for the profit or financial benefit of its shareholders or owners” in the CCPA’s definition of business.

Amendment/Regulatory Process

Although the CCPA is subject to further amendment and interpretative regulations, our review of the proposed amendments and guidance published by the Attorney General’s office does not lead us to believe that this issue will be addressed in that process. In particular, none of the proposed bills that we have reviewed to date would modify the CCPA’s definition of business. Likewise, the Attorney General’s list of rulemaking topics does not identify the CCPA’s definition of business as a topic for regulations.

The GLBA Carve-Out

Assuming that the CCPA does apply to credit unions, such entities will be able to take advantage of the GLBA carve-out language in § 1798.145(e), which provides:

This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150.

However, it must be emphasized that that language does not provide a full exemption. Rather, GLBA-regulated entities will remain subject to the provisions and requirements of the CCPA if they engage in activities falling outside of the GLBA—which credit unions almost certainly do.

 

Print:
EmailTweetLikeLinkedIn
Photo of Gina Carter Gina Carter

Gina heads Husch Blackwell’s Credit Union team. Her credit union practice centers on all legal matters of interest to credit unions including vendor contracting, consumer finance, credit union mergers and governance. Gina also represents for-profit credit union service organizations (CUSOs) in areas including…

Gina heads Husch Blackwell’s Credit Union team. Her credit union practice centers on all legal matters of interest to credit unions including vendor contracting, consumer finance, credit union mergers and governance. Gina also represents for-profit credit union service organizations (CUSOs) in areas including corporate structure, IP, data protection and privacy.

Photo of Marci Kawski Marci Kawski

Marci represents installment lenders, auto finance companies, payday and short-term lenders, online lenders, credit unions, and banks when faced with regulatory issues. She provides practical advice to clients to ensure they comply with the myriad laws governing their businesses. Marci’s skills extend to…

Marci represents installment lenders, auto finance companies, payday and short-term lenders, online lenders, credit unions, and banks when faced with regulatory issues. She provides practical advice to clients to ensure they comply with the myriad laws governing their businesses. Marci’s skills extend to all aspects of consumer finance litigation: discovery, dispositive motion practice, mediation, negotiation of settlement agreements, trial and appeal. Her litigation experience informs her counsel to clients hoping to avoid regulatory issues. Credit unions and other financial institutions also turn to Marci to prepare and review third-party and vendor contracts.

Photo of David Stauss David Stauss

 

David is co-leader of Husch Blackwell’s national privacy and cybersecurity practice group. He routinely counsels clients on responding to data breaches, complying with privacy laws such as GDPR and the California Consumer Privacy Act, and complying with information security statutes. He also …

 

David is co-leader of Husch Blackwell’s national privacy and cybersecurity practice group. He routinely counsels clients on responding to data breaches, complying with privacy laws such as GDPR and the California Consumer Privacy Act, and complying with information security statutes. He also represents clients in data security-related litigation. David is certified by the International Association of Privacy Professionals as a Certified Information Privacy Professional (US), Certified Information Privacy Technologist, and Fellow of Information Privacy.