Emerging privacy laws in the US are leading to increasingly complex compliance obligations for banks and other financial institutions. Colorado recently joined ranks with California (with its CCPA and upcoming CPRA privacy laws) and Virginia (with its VCDPA) by adopting its own comprehensive privacy law, the Colorado Privacy Act (CPA). The CPA comes into force on Jan. 1, 2023, and will regulate how personal information of Colorado residents is collected, used, stored, and shared.
Which organizations are subject to the CPA?
The CPA applies to organizations that conduct business in Colorado or that target their products or services to Colorado residents or households (“consumers”) and:
- Control or process the personal data of at least 100,000 Colorado consumers per year; or
- Sell personal data and process or control the personal data of 25,000 or more Colorado consumers.
To what extent does the CPA apply to banks and other financial institutions?
The good news for Colorado-based banks and financial institutions is that they are subject to a blanket exemption under the CPA on the basis that they are governed by the Gramm-Leach-Bliley Act (GLBA). The GLBA imposes privacy requirements on financial institutions’ collection of nonpublic personal information about individuals who obtain financial products or services primarily for personal, family, or household purposes.
Does this mean that Colorado-based banks and financial institutions don’t have to worry about State privacy laws at all?
No. Although Colorado (like Virginia) applies a blanket exemption to financial institutions (and their affiliates) that are subject to GLBA, other State privacy laws take a different approach. Notably, California’s CCPA (and forthcoming CPRA) contains a narrower exclusion, which applies only to personal information collected, processed, sold, or disclosed pursuant to GLBA. In other words, the exemption applies to certain information, rather than the organization as a whole. To the extent Colorado-based banks and financial institutions are subject to the CCPA, certain personal information that they process will still be subject to the requirements of California’s privacy law.
A Colorado-based bank could be subject to CCPA in a number of ways:
- If it targets products or services to California residents or households and (a) has annual revenues in excess of $25 million, (b) processes the personal information of 50,000 or more California residents, households, or devices, or (c) derives 50% or more of its revenues from the sale of California residents’ personal information; or
- If it controls, or is controlled by, a business which meets the threshold requirements and shares branding with such business
Note, however, that obligations under California’s privacy laws would apply only with respect to personal information relating to a California resident or household.
How does the GLBA exemption work under CCPA?
The GLBA exemption under CCPA (and the forthcoming CPRA) applies with respect to personal information collected, processed, sold, or disclosed pursuant to … GLBA. Given that most personal information collected by banks and financial institutions meets this threshold, the majority of personal information processed by such organizations will be out of scope for purposes of the CCPA. However, the exemption does not apply to all personal information. For example, personal information collected from an individual visiting a bank’s website, or applying for a job with the bank, would not be collected, processed, sold, or disclosed pursuant to GLBA, and therefore would not fall within the exemption.
The flowchart below provides a helpful graphic for understanding when the GLBA exemption may apply:
Examples of consumers whose personal information is protected by GLBA include:
- Bank customers;
- Individuals applying for a financial product or service (whether in person or online), regardless of whether the application is accepted;
- A list of a third-party financial institution’s customers provided to the bank or financial institution (e.g., as part of a joint offering); and
- A legal representative (parent or guardian, for example) of an individual who is otherwise a GLBA consumer.
Examples of consumers whose personal information is not protected by GLBA (and therefore is subject to CCPA) include:
- Employees;
- An individual who opens a financial account for their sole proprietorship or on behalf of another business entity;
- Website visitors;
- Individuals on marketing lists obtained by a third-party vendor that is not a financial institution and sold to the bank or financial institution; and
- Individuals on general marketing lists developed or obtained by the bank or financial institution (e.g., list of attendees at a marketing event sponsored by the bank or financial institution), but who have not obtained a financial product or service from the bank or financial institution.
Examples of personal information that would not be covered by GLBA (and therefore subject to CCPA) include:
- Names and email addresses of attendees of a conference sponsored by the bank or financial institution;
- Personnel records;
- Contact information for volunteers of a charity event hosted by the bank or financial institution;
- Contact information obtained by a vendor that is not a financial institution and sold to the bank or financial institution; and
- Information obtained from an Internet cookie of an unregistered visitor who browses parts of the bank or financial institution’s website that are open to the public.
What obligations do banks and financial institutions have under CCPA?
CCPA places broad obligations on organizations that meet its threshold requirements, including:
- Duty of transparency – businesses must provide consumers with clear and transparent notice of the data they collect, what they use it for, and who they share it with.
- Right of access, deletion, correction and portability. In addition, consumers have the right to opt out of the sale of their personal information.
- Requirement to enter into contracts with third-party service providers who may process personal information on the business’s behalf.
- Requirement to implement reasonable security measures to protect against unauthorized use or disclosure of personal information.
In addition to their obligations under GLBA, banks and financial institutions meeting the thresholds discussed above have direct obligations under CCPA, regardless of whether they are physically located in California or not. Violation of state privacy laws could lead to regulatory investigations, fines and class action litigation.
CCPA also includes a private right of action for individuals in the event certain sensitive personal information (for example, social security number, account information, password and passport number) is subject to a data breach. The GLBA exemption does not apply with respect to an individual’s right to bring an action against a bank or financial institution in the event such organization fails to implement appropriate security protections. The private right of action under CCPA is one of the biggest areas of concern for organizations, as it enables impacted consumers to claim statutory damages in an amount between $100 and $750 per incident.
What should Colorado banks and financial institutions be doing now?
Regardless of where the bank or financial institution is located, it should consider implementing the following:
- Post a clear and transparent privacy notice, explaining what personal information is collected, what it is used for, to whom it is disclosed, and for how long it is retained.
- Analyze and understand which personal information is in scope for purposes of GLBA and is thus exempted from CCPA requirements, and which is not. This is particularly important when it comes to analyzing whether or not a consumer request (for example, for access to, or deletion of, personal information) needs to be complied with under CCPA.
- Confirm that agreements with third-party vendors include adequate privacy and security obligations, and other relevant protections.
- Review security and access controls.
In addition, banks and financial institutions should consider whether to adopt CCPA standards at an enterprise level, or just with respect to individuals who are resident in California. Given the variances in existing State laws, and the likely implementation of new State laws in the absence of a Federal privacy law, there is logic to applying a consistent standard to all personal information regardless of which State the individual is actually resident in.