On Jan. 1, California’s Consumer Privacy Act (“CCPA”) went into effect, activating the most onerous privacy regime in the nation. Broadly speaking, CCPA grants consumers the right to know what personal information is being collected from them; know how that information is being used, shared or sold; and request that such information be deleted or opt out of its sale. Consumers also gained the right not to be discriminated against for exercising those rights. Particularly concerning, CCPA authorizes the California Attorney General to bring enforcement actions for non-compliance, and consumers to sue for data breaches. CCPA has generated praise from consumers and confusion and concern among businesses. But do Alabama banks need to worry about what happens in the Golden State, or can they simply watch from the sidelines? Thanks to broad statutory language, the answer lies somewhere in between.
While CCPA only applies to for-profit entities that collect or sell personal information of California residents, the term “resident” is less restrictive or obvious than it seems. For example, a consumer domiciled in Alabama may be considered a California resident if they spend more than 6 months a year in California. Conversely, a consumer remains a California resident even if he or she happens to be temporarily outside California at the time that a business collects his or her personal information. Similarly, consumers who originally resided in Alabama at the time of data collection may have moved to California, bringing them within the purview of CCPA. Given our increasingly connected world where California is much closer than geography implies, whether an Alabama bank serves California residents for CCPA purposes may require greater analysis.
Similarly, CCPA’s application to entities that “do business in California” is not limited to California-organized banks, or even banks that have a physical presence in California. Banks with an Internet presence that require or even allow California residents to input personal information may be within the scope of CCPA. Notably, CCPA also applies to entities that share common branding, further extending the web of potentially affected businesses.
This said, CCPA does have limiting criteria, applying only to banks that generate annual gross revenue in excess of $25 million; derive at least half their annual revenue from selling personal information; or buy, receive, sell or share personal information of more than 50,000 California residents, households or devices annually. These criteria are somewhat deceptive, though, as “personal information” extends to information beyond what is generally considered sensitive, including, for example, identifiers such as names, postal or e-mail addresses, IP addresses, account names, browsing and search histories, or any inferences drawn from such information to create a profile about a consumer’s preferences. In light of this definition, it only takes approximately 135 California residents, households or devices to access a website per day (assuming the site actively or passively collects personal information) to meet the 50,000 resident threshold.
Notably for banks, though, CCPA exempts certain categories of information from its scope, including personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (“GLBA”). Importantly, this exemption is imperfect as CCPA has a much more expansive definition of “personal information” than what is covered by GLBA. For example, non-customer data gathered from a bank’s website or through marketing efforts is not “nonpublic personal information” subject to GLBA, but is “personal information” subject to CCPA. To the extent banks collect this data, they are not exempt from CCPA coverage.
In short, CCPA represents a potential minefield of trip wires that may unexpectedly impact Alabama banks. Banks that fail to appreciate its scope and impact may do so at their own peril.
Dhruv Sharma is a partner in McGlinchey Stafford’s Commercial Litigation practice group. Based in the firm’s Irvine office, Dhruv primarily represents banking and other financial institutions in consumer financial services litigation. He can be reached at firstname.lastname@example.org.