Just when you thought California could go no further off the deep end, the governor signed AB 375 (California Consumer Privacy Act of 2018) yesterday. The new law will be effective January 1, 2020.

http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180AB375

We are tracking this as well. Whereas AB 375 originally was drafted to address Internet Service Providers (and was titled the CA Broadband Internet Privacy Act), it has now been recrafted and expanded to apply to a broad range of business doing business with CA consumers (and rebranded as The CA Consumer Privacy Act).

Companies around the world have to comply with this law if they receive personal data from California residents and if they — or their parent company or subsidiary — exceed 1 of 3 thresholds: (a) annual gross revenues of $25 million; (b) obtains personal information of 50,000 or more California residents, households or devices annually; or (c) 50 percent or more annual revenue from selling California residents’ personal information.

Note that these thresholds appear lower than they appear as the standard of $25 million in annual sales may refer to global sales (vague wording in law); and the collection of data may apply to things like the collection of IP addresses on your company website.

Lots to unpack on this one..

We on occasion do loans with CA residents that are moving to Bloomington to either work with the university or they are retiring here.

Will this affect us and will there be a CA Privacy Notice we will have to furnish the customer since at the time of the transaction they are CA residents?

Thankfully we only do this maybe once a year or every other year.

The law uses the definition of "resident" found in 18 CCR § 17014: "The term “resident,” as defined in the law, includes (1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose."

As for the Privacy Notice- so far I'm seeing standards in the law for an online privacy notice that must be published, as well as notices provided to consumers upon request that detail information collection practices for their data.

Thanks.

I suspect you will come under one of the exemptions - but stay tuned!

The new The CA Consumer Privacy Act was amended with SB 1121 on September 23. The exemption that was not in the original bill (AB 375) is now in the amended act. Most depository institutions should be exempted from the Act, except for one section dealing with the breach of unencrypted information.

http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB1121

It would SEEM that financial institutions my be exempted under the new amendment; however, you must determine if your institution collects information outside of what is covered by GLBA.

I'm thinking of the contact us feature that most banks have on their websites.

Its not just GLBA information that is exempted, but also the information that is collected under the California Financial Information Privacy Act (Fin Code 4050-4060). The California code covers a lot more information than GLBA.

http://leginfo.legislature.ca.gov/faces/...r=&article=

True. So have you determined anything that is not covered by GLBA and the FC?

The only concern we have is the use of biometrics to access accounts. We don't currently use it, but as technology advances it could be an issue.

I appreciate the response. Our legal department is very insistent that we get going on this. One of them attended a round table meeting and came back stating that other banks are already deep into the implementation of this. I had not planned to even look at it until January, as I knew that amendments were coming. So, I'm wondering what it is that these other institutions are already working on?

I think other banks/credit unions were working off the requirements of AB 375, before the amendments of SB 1121 were signed into law. We had already put together a preliminary plan of what needed to be done if we did not get some kind of exemption.

It doesn't help that the Attorney General does not needs to provide guidance and implementing regulations until July 1, 2020, even though the Act is effective January 1, 2020.

Hello All,

I was wondering what everyone has been doing to prepare for this New Privacy Law.. Can anyone share a project plan or any other guidelines they are utilizing to prepare for this?

We are moving our business out of California.

One of our consultants said this applies to all California residents and if they buy a property in Arizona, the new disclosure requirement applies to them.

Yes, CCPA does apply to all California residents. However, CCPA only applies to businesses that do business in California is they meet one of these three tests: 1) make more than $25 million in adjusted gross revenue; 2) buy/sell/receives/shares personal information on more than 50,000 consumers; of 3) at least 50% of revenue comes from selling personal information.

The CA Attorney General should be issuing proposed regulations/guidance some time this fall.

Effective date is January 1st. Isn't it nice that they are waiting until the fall?

Actually, only the proposed regulations will be release this fall. Per CCPA, the Attorney General doesn't need to have regulations in place until July 1, 2020, six months after CCPA takes affect.

The definitions within section 1798.140 of the bill define 'consumer' as "a natural person who is a California resident...", so I read that to mean if we do not have 50,000 or more consumers, households, or devices in connection with actual California residents, as a bank who has branches only in Mississippi and Tennessee, we would not be subject to these requirements. Am I reading this wrong?

Delta.....I would like to say you don't need comply.

There is the three prong test - two of which you probably pass easily: the number of CA residents and selling information. The third prong is murky - $25 million in adjust gross revenues - we don't know if this is revenue based on your CA residents or revenue based on all of your business. Only the Attorney General can provide this clarification.

Also, CCPA states "does business in the State California" - does this mean actively soliciting business or does it include your customers that moved to CA from another state? Another question for the Attorney General to answer.

The California Attorney General has published proposed regulations for complying with CCPA. Comments are due 12/6/2019.

https://www.oag.ca.gov/privacy/ccpa

Has anyone found a software solution to help respond to data requests? If so, please PM me. I'm also happy to share what I've been looking at.

Would anyone have a third party training platform they'd recommend specifically for CCPA training? Ideally something where we could just select one CCPA course a la carte for employees?

OK. so GLBA exemption seems to help but GLBA doesn't cover commercial or business transactions. We don't sell any information. Our Privacy Policy is on our web page but not CA specific.
Our business/commercial loans have guarantors so we need to comply with new requirements in my opinion. What if they were already advised of or given the Privacy Policy even though technically GLBA doesn't apply. Does anyone think that would cover permit the Bank to be completely exempt outside of course the data breach section?