Are Banks and Other Lenders Subject to the CCPA?

Cybersecurity and Privacy   |   August 29, 2019

California’s new privacy statute imposes a number of new requirements on businesses that touch the personal information of California consumers. Its reach includes banks and financial services companies.

But the California Consumer Privacy Act of 2018 (CCPA) recognizes what financial institutions know all too well — those institutions are already regulated at the federal level. In recognition of this, the CCPA exempts certain types of personal financial information that is subject to federal regulation. However, because the exemption is designed for types of data, not types of companies, financial institutions are not fully exempt from the law and should attend to its details.

The key federal law is the Gramm-Leach-Bliley Act (GLBA) and its implementing regulations, which impose substantial requirements on financial institutions to protect customer data. 15 U.S.C. § 6801–6809; 16 C.F.R. § 314.1–5. In general, “financial institutions” are companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance. 15 U.S.C. § 6801(a), 6809(3); 12 U.S.C. § 1843(k). This definition covers most banks, securities brokers, and insurance companies.

The GLBA requires these companies to assess and implement controls for risks to customer information, with a focus on areas that are particularly important to information security, including: (1) employee training and management; (2) information systems (including network and software design and information processing and storage); and (3) detecting, preventing, and responding to attacks and system failures. 16 C.F.R. § 314.4(b). These are meaningful obligations; noncompliance can lead to enforcement action by the SEC, the FTC, or state regulators, and companies and consumers alike have litigated its provisions for years.

Into this regime comes the CCPA, which becomes effective January 1, 2020, and in many respects upends the default state data breach notification and privacy protection laws, as we have discussed in several other places. Critically for financial institutions, the CCPA exempts “personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, and implementing regulations. …” Cal. Civ. Code § 1798.145(e).

The key question is the extent of the exemption. The exemption does not do much for financial institutions as a category, as it would have had it exempted all “financial institutions” under the GLBA. Instead, it exempts the information that the GLBA covers. In effect, the CCPA declares that it begins where the GLBA ends.

The trouble is that the CCPA covers a wider range of information than does the GLBA, and financial institutions are likely to possess such data. The CCPA covers “personal information” through an open-ended, default definition that focuses not on how the information was gathered but on its ability to identify its subject: “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Cal. Civ. Code § 1798.140(o)(1).

By contrast, the GLBA, when coupled with its implementing regulations, applies to the narrower category of “personally identifiable financial information.” That term is defined as “any information”:

  • (i) A consumer provides to you to obtain a financial product or service from you;
  • (ii) About a consumer resulting from any transaction involving a financial product or service between you and a consumer; or
  • (iii) You otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.

12 C.F.R. § 1016.3(q)(1). Examples include information on a loan application, account balance information, and information from an internet “cookie.” Id. § 1016.3(q)(2)(i).

Accordingly, because it is covered by the GLBA, the CCPA likely exempts transaction or account information, as well as information collected to provide a customer with financial products or services. Such information can include IP addresses when they are obtained in connection with the provision of a financial product or service. The CCPA likely does not exempt personal information, including an IP address, that is collected from marketing activities or a financial institution’s website, when the collection is not connected to the actual provision of a product or service. Likewise, because the GLBA does not apply to information shared with an institution’s affiliate when that affiliate is not providing a joint product or service with the institution, the CCPA is unlikely to exempt such data.

It will be a complex task to sort through, on any given set of facts, which information is gathered in a way that brings it under the GLBA and which information held by a financial institution would otherwise be subject to the default CCPA definition.

The upshot is that financial institutions should review their data inventories and reassess their privacy practices to account for this interaction between the GLBA and the CCPA. Depending on how and why a data element is collected, the same element, such as an IP address, could receive different treatment in different instances. If it had been collected in connection with the provision of a financial service, it would likely be exempt from the CCPA, but if it had been collected through general marketing efforts that never led to the provision of any service, it would likely be covered by the CCPA. Financial institutions will have to get in the weeds and make fine distinctions.

©2023 Carlton Fields, P.A.
