The California Consumer Protection Act (CCPA) goes into effect in January, and although California Attorney General Xavier Becerra has said his office won’t enforce the law until July, lenders should start preparing now, said Michael Benoit, partner at Hudson Cook. One important aspect of that preparation is understanding how exemptions in the Gramm-Leach-Blilley Act (GLBA) overflow into the CCPA.
The GLBA “requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data,” according to the Federal Trade Commission’s website.
Lenders are exempt from the CCPA if the information that is collected, processed, sold or disclosed falls under the GLBA, Benoit said. “For finance companies, you are subject to the Gramm-Leach-Blilley privacy act rule, so there’s a major exemption, but it does not attach in a way that makes [financiers] completely immune to the bill,” he said, noting that lenders can take advantage of the exemption because of their status as financial institutions.
Further, if a lender obtains personal information – as defined in the CCPA – in order to deliver a financial product or service, that data could fall under the GLBA exemption, Benoit said. “If you provide GLBA-regulated data to a third party as GLBA permits, that data is still covered by this exemption.”
The GLBA exemption, however, doesn’t cover data breaches when consumers have the right to sue, Benoit said.