On June 28, 2018, the California governor signed into law AB 375, which will come into force as the California Consumer Privacy Act of 2018 (CCPA) on January 1, 2020. The CCPA was passed by the California legislature in exchange for the withdrawal of a ballot initiative that had proposed a different consumer privacy law that was viewed as more onerous by many in the industry. The CCPA will cover companies doing business in California that collect personal information from California residents and meet certain thresholds related to company revenue or amount of data. For companies subject to the CCPA, the law is likely to compel significant changes in business practices at a time when many are still grappling with the impact of the EU General Data Protection Regulation. Among other significant elements, the CCPA applies to a broad range of information that relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The CCPA creates new rights for consumers with respect to this data, including rights related to data access, data deletion, and opting out of the sharing or selling of personal information to third parties. The new law will be enforced by the California Attorney General, as well as through a private right of action when personal information is subject to unauthorized access and exfiltration, theft, or disclosure.
One exception to the CCPA relevant to the financial services industry is that the CCPA will not apply to the sale of personal information to or from a consumer reporting agency if the information will be reported in, or used to generate, a consumer report to be used in accordance with the Fair Credit Reporting Act. Additionally, the CCPA will not apply to personal information that is collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act ("GLBA") if the CCPA is in conflict with the GLBA. Please contact us for more information.