Financial Service Providers and the CCPA: Analyzing the GLBA Exemption, Avoiding Damages for Noncompliance

Presenting a live 90-minute webinar with interactive Q&A

THURSDAY, OCTOBER 3, 2019

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:

Marci V. Kawski, Partner, Husch Blackwell, Madison, Wis.

Tobias Moon, Partner, Husch Blackwell, Dallas

David M. Stauss, Partner, Husch Blackwell, Denver

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 1.



Analyzing the CCPA’s GLBA Exemption

David M. Stauss, Partner, CIPP/US, CIPT, FIP

Marci Kawski, Partner

Tobias P. Moon, Partner


© 2019 Husch Blackwell LLP

Roadmap

1. Brief CCPA Overview

2. GLBA Exemption

3. Gaps

4. Inter and intra-company transfers

5. GLBA Definition of Personal Information and Implementing Regulations

6. Data breach statutory damages


Brief CCPA Overview


What Entities are Covered by the CCPA?

For Profit Legal Entity that meets one of the following:

• Have annual gross revenues in excess of $25,000,000; or

• Alone or in combination, annually buy, receive for the business’s commercial purpose, sell, or share for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or

• Derive 50% or more of its annual revenue from selling consumers’ personal information

Or: Entity that controls or is controlled by a business and that shares common branding with the business.


Personal Information

“Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”

• Unique personal identifier

• SSN

• Biometric information

• Medical information

• Online identifier

• Driver’s license #

• Browsing/search history

• Telephone #

• Names

• IP address

• Passport #

• Geolocation data

• Alias

• Email address

• Education information

• Financial information

• Postal address

• Account name

• Purchasing/consuming history

• Credit card/debit card #

• Records of products or services purchased, obtained or considered

• Employment-related information

• Information re: consumer’s interaction w/website, application, or advertisement

• Audio, electronic, visual, thermal, or olfactory information


CCPA Rights

Know

Access

Data Portability

Be Forgotten

Opt Out of Sales

Equal Service


Right to Opt Out of Sales of PI

Overview

• Consumers can direct a business not to “sell” their PI to “third parties”

• Express authorization required to sell thereafter

• Cannot request consumer to re-authorize sales for 12 months

Sale ≠ Sale

• It means transfer of PI to another business or third party for “monetary or other valuable consideration”

• CCPA does not define “other valuable consideration”

• Creates potential issues with inter-company sharing


9.13 Amendments

1. Limited employee exemption

2. Limited business to business exemption

3. Clarification of personal information definition

4. Modified anti-discrimination provision

5. Changes to authentication procedures


Enforcement

California Attorney General

• Statutory damages of $2,500 for each violation or $7,500 for each intentional violation

• Unclear how “violation” will be applied

Private Right of Action

• For data breaches due to a failure to implement and maintain reasonable security procedures and practices

• Statutory damages of between $100 and $750 “per consumer per incident”


GLBA Exemption


AB 375 (June 28, 2018)

“This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, if it is in conflict with that law.”


SB 1121 (Sept. 23, 2018)

“This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150.”


Changes

1. Added CalFIPA Reference

2. Removed “if it is in conflict with that law” language

3. Carved out data breach private right of action section


GLBA Definition of Non-Public Personal Information and Implementing Regulations


Implementing Regulations

• Privacy Rule

▪ CFPB

▪ SEC

▪ CFTC

▪ FTC (motor vehicle dealers)


Nonpublic personal information 12 CFR 1016.3(p)(1)

• Personally identifiable financial information; and

• Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.

• Does not include:

▪ Publicly available information

▪ List, etc. of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information that is not publicly available


Personally Identifiable Financial Information – 12 CFR 1016.3(q)(1)

Any information:

1. A consumer provides to you to obtain a financial product or service from you;

2. About a consumer resulting from any transaction involving a financial product or service between you and a consumer; or

3. You otherwise obtain about a consumer in connection with providing a financial product or service to that consumer


Examples of PII

• Information on an application

• Account balance information

• Payment history

• Overdraft history

• Credit/debit card purchase information

• Fact that individual is/was your customer

• Any information in connection with collecting on, or servicing, a loan or credit account

• Any information that you collect through an internet “cookie”

• Information from a consumer report


Consumer & Customer

• 12 CFR 1016.3

• Consumer – An individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative.

• Examples:

▪ Individual who applies for credit, regardless of whether credit is extended

▪ Individual who applies for a loan, regardless of whether loan is extended

• Customer – A consumer who has a customer relationship with you (i.e., a continuing relationship between a consumer and you under which you provide one or more financial products or services)


Information Not Included

• List of names and addresses of customers of an entity that is not a financial institution

• Information that does not identify a consumer, such as aggregate information or blind data


Information Not Included

• Publicly Available Information: Information that you have a reasonable basis to believe is lawfully made available to the general public from:

▪ Federal, state or local government records;

▪ Widely distributed media; or

▪ Disclosures to the general public that are required to be made by Federal, state, or local law


Gaps


Marketing - Advertising Cookies

▪ This is a “sale” under the CCPA

• Senate Bill 753 would have excluded certain types of advertising cookies from definition of sale

• Failed in Senate

▪ Triggers right to opt-out of sales for “non-consumers” (i.e., those not falling within the GLBA)


Personal Information of Website Visitors

▪ CCPA covers information such as browsing history, geolocation, cookies, IP addresses, etc.

▪ If you are collecting such information of non-consumers, the CCPA will apply


Commercial and Business Purpose Loans

▪ GLBA and Regulation P do not apply

▪ Regulation P applies only to nonpublic personal information about individuals who obtain financial products or services primarily for personal, family, or household purposes

▪ Regulation P does not apply to information about companies or individuals who obtain financial products or services for business, commercial, or agricultural purposes


Personal Guarantees in Commercial Transactions

▪ GLBA and Regulation P do not apply

▪ Regulation P applies to consumers—individuals obtaining financial products and services to be used primarily for personal, family or household purposes


Firm Offers of Credit

▪ GLBA and Regulation P apply

▪ Personally identifiable financial information includes any information you otherwise obtain about a consumer in connection with providing a financial product or service to the consumer

▪ Regulation P states that personally identifiable financial information includes information from a credit report


Marketing Campaigns

▪ Data unrelated to financial product or service (e.g., sweepstakes)

▪ Data obtained from consumers and former customers

▪ Data obtained from someone inquiring into a financial product or service


Marketing – Lead Generators

Is the information obtained by a lead generator subject to the GLBA?

• Lead generator as agent of the financial institution

• Lead generator as a broker

• Lead generator merely collecting and selling information


Employee and Business Information

• September 13 amendments added limited exemptions

• Employees still have the right to know what is being collected and how it will be used

• Business to business exemption is helpful but will require analysis; does not apply to opt out

• 1 year sunset provisions


Inter and intra-company transfers


Sharing of NPI under GLBA

| Reasons we can share your personal information | Does FI share? | Can you limit this sharing? |
|---|---|---|
| For our everyday business purposes— such as to process your transactions, maintain your account(s), respond to court orders and legal investigations, or report to credit bureaus | Yes | No |
| For our marketing purposes— to offer our products and services to you | Yes | Up to Financial Institution |
| For joint marketing with other financial companies | Yes | Up to Financial Institution |
| For our affiliates’ everyday business purposes— information about your transactions and experiences | Yes | Yes |
| For our affiliates’ everyday business purposes— information about your creditworthiness | Yes | Yes |
| For our affiliates to market to you | Yes | Yes |
| For nonaffiliates to market to you | Yes | Yes |

Questions? Call 800-GLB-INFO or go to http://www.GLB-INFO.com


CCPA Definition of “Business”

1. For profit legal entities that have (a) annual gross revenues in excess of $25,000,000;

(b) Alone or in combination, annually buy, receive for the business’s commercial purpose, sell, or share for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices, or

(c) Derive 50 percent or more of its annual revenues from selling personal information.

2. Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business.


CCPA Definition of “Business”

1. Difficulty created for entities with corporate structure that contains companies that do not have common branding

2. GLBA exemption appears to cover transfers of personal information from one GLBA entity to another GLBA entity

3. GLBA exemption will not cover transfers of NPI from GLBA entity to non-GLBA entity, unless exception under GLBA applies, a privacy notice is given allowing disclosure of information for FI’s marketing purposes, or consumer has not opted out of sharing to non-affiliated third parties.


Data Breach Statutory Damages


Private Right of Action

• Carved out of GLBA exemption

• Private right of action for data breaches due to a failure to implement and maintain reasonable security procedures and practices

• Statutory damages of between $100 and $750 “per consumer per incident”

• “Personal information” links to data breach statute definition, not CCPA’s


Personal Information

1. First name/initial and last name plus

▪ Social security number;

▪ Driver’s license number;

▪ Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;

▪ Medical information; or

▪ Health insurance information.


Assembly Bill 1130

Added following categories:

• Tax ID number

• Passport number

• Military ID number

• Biometric data used to authenticate an individual such as fingerprint, retina, or iris image (does not include a physical or digital photograph, unless used or stored for facial recognition purposes)


Takeaways

1. Inventory and map data

▪ Understand what data is collected and how/from whom, how it flows within corporate structure and transfers to other entities

2. Classify data as GLBA or non-GLBA

3. Information Security

▪ Make sure proper information security controls are in place for any personal information covered by breach notification statute


HB CCPA Data Inventory Tool

• Online client portal

• Question/answer format

• Inventories all CCPA data elements and third party transfers

• Gathers other information necessary to be disclosed by CCPA

• Reasonable flat fee for clients

• Significantly reduces attorney fees and client time


www.bytebacklaw.com

Subscribe to our blog…


Questions?


Thank You

Marci V. Kawski


Tobias Moon


David M. Stauss
