SW&M Comments on Proposed CCPA Regulation
By Styskal, Wiese & Melchione
December 9, 2019
To: Privacy Regulations Coordinator (Office of the California Attorney General)
On behalf of Styskal, Wiese & Melchione (“SW&M”), a law firm that provides comprehensive legal services to small and medium-sized financial institutions in the transactional, regulatory, compliance and governance practice areas, we have the following comments, questions and requests for clarification on the California Consumer Privacy Act of 2018 (“CCPA”):
1) Does the Federal Gramm-Leach-Bliley Act (“GLBA”) or the California Financial Information Privacy Act (“FIPA”) exemption apply to financial institutions regulated under these sectoral privacy laws, or does it only apply to personal information collected, processed, sold or disclosed under GLBA or FIPA?
The CCPA provides an exemption for “personal information collected, processed, sold, or disclosed under the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code).” The GLBA and FIPA are sectoral privacy laws that govern financial institutions subject to these laws, which includes banks and credit unions, and much of their collection, processing or disclosure of “personal information” (as defined in the CCPA) is already covered under the GLBA and FIPA.
Two interpretations may be taken from the wording of the exemption. The first interpretation is that the exemption only applies if the personal information is collected, processed, sold, or disclosed under the GLBA and FIPA. Under this interpretation, the full scope of the CCPA would apply to financial institutions only in the context of their collection, processing, sale, or disclosure of personal information outside of the GLBA or FIPA framework. For collection, processing, selling, or disclosure of personal information made under GLBA and FIPA, the CCPA would apply only for Section 1798.150 of the CCPA, and none of the other CCPA consumer rights would apply in this context.
The second interpretation is that this exemption is intended to apply to the financial institutions that are regulated under the GLBA and FIPA since financial institutions are already governed by both state and federal sectoral privacy laws and regulations. A CCPA-related bill (Assembly Bill No. 1202) regarding data brokers used much clearer verbiage to carve out an exception for the financial industry: “A financial institution to the extent that it is covered by the Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations.”
Many financial institutions that we represent would like clarification about the GLBA/FIPA exemption. Does it exempt the financial industry or just the type of data they collect, process, sell or disclose under GLBA or FIPA?
2) Does the CCPA apply to credit unions?
SW&M is counsel for state and federal credit unions of all sizes throughout the country. Credit unions are a special type of financial institution. As opposed to banks, which are for-profit institutions, credit unions are, in essence, non-profit or not-for-profit financial cooperatives that are owned by their “members.” Members benefit from their credit union membership through lower interest rates on loans and dividends on their shares, among other benefits of credit union membership. Credit unions, like banks, accept deposits and make loans and provide a wide array of other financial services. However, unlike banks, credit unions seek to serve their members as a primary objective rather than seeking to earn profits.
Federally chartered credit unions are tax-exempt under Section 501(c)(1) of the Internal Revenue Code (“IRC”). California state-chartered credit unions are tax-exempt under Section 501(c)(14)(A). Also, California state-chartered credit unions are formed under the Corporations Code as non-profit mutual benefit corporations.
On page 21 of the Initial Statement of Reasons (ISOR), under the discussion on service providers, the following statement was made: “This unintended and undesired consequence will lead to significant disruption in the functioning of those non-profits and governmental entities and is not in furtherance of the purposes of the CCPA, which clearly excluded non-profits and other government entities from being subject to the CCPA.” We are requesting the Attorney General to clarify this statement in the context of the following definition of “Business” under the CCPA:
“‘Business’ means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners….”
Non-profits are not expressly referenced or excluded in the definition of “business” in the CCPA. Furthermore, the Proposed Regulations do not mention any non-profit exception. We respectfully request the Attorney General to clarify its position regarding whether non-profit organizations are exempt from the CCPA in its Final Regulations and whether the Attorney General believes credit unions are exempt by their special status as a not-for-profit or non-profit mutual benefit corporation. This clarification is needed because the phrase “or financial benefit” in the above definition of a “business” may be interpreted broadly to capture all sorts of nonprofit mutual benefit corporations, where their members or owners directly or indirectly benefit financially through membership, not just credit unions.
Additionally, concerning federal credit unions chartered under the Federal Credit Union Act, are they exempt by being an instrumentality of the United States? See Section 501(c)(1) of the IRC; See also Section 1614 of the California Code of Regulations (“Examples of incorporated federal instrumentalities exempt from tax are federal reserve banks, federal credit unions, federal land banks, and federal home loan banks”).
3) If the definitions of “Business Purpose” and “Commercial Purpose” are intended to be mutually exclusive, please provide a method to differentiate between the two definitions, particularly in the advertising and marketing context, in the Final Regulations.
The definitions of “Business Purpose” and “Commercial Purpose” in the CCPA are challenging to differentiate in a variety of applications, particularly advertising and marketing. If the Attorney General considers these definitions mutually exclusive, then please provide a method to differentiate between the two definitions, such as a factor-based analysis. Both definitions seem to apply equally to advertising and marketing contexts.
“Business Purpose” is defined as the “use of personal information for the business’s or service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected. Business purposes are: … (5) [p]erforming services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising and marketing services, providing analytical services, or providing similar services on behalf of the business or service provider.”
“Commercial Purposes” is defined as “[advancing] a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction….”
It is essential to differentiate between the two definitions in the advertising and marketing context because the definition of “sale” under the CCPA expressly excludes “[using] and [sharing] with a service provider personal information of a consumer that is necessary to perform a business purpose….” “Commercial Purpose” is not included in this exclusion. Thus, if a service provider is engaged to provide a business an advertising and marketing service, and such service is considered a “business purpose,” then the transfer of personal information to the servicer in this context will not be a “sale.” However, if the service is deemed to be for a “commercial purpose,” then the transfer may arguably be considered a “sale” of personal information.
4) Please provide a factor-based method to determine whether “valuable consideration” is provided to establish “sale” under the CCPA.
The CCPA defines “sell,” “selling,” “sale,” or “sold,” as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” Presuming that the term “consideration” in this definition is the same standard used to determine the validity of contracts, consideration is generally considered to have some economic value, which is necessary for a contract to be enforceable. California Civil Code section 1605 defines consideration as “[a]ny benefit conferred, or agreed to be conferred, upon the promisor, by any other person, to which the promisor is not lawfully entitled, or any prejudice suffered, or agreed to be suffered, by such person, other than such as he is at the time of consent lawfully bound to suffer, as an inducement to the promisor, is good consideration for a promise.” Any benefit one confers on another is enough to establish consideration to form a contract; the value of such consideration does not matter. Thus, the term “valuable” is even more ambiguous and subjective in the context of the definition of “sale” if it is used to qualify the term “consideration.”
Please consider a factor-based analysis to provide some objective framework to analyze “valuable consideration.” Furthermore, please consider placing a determinative factor in this analysis whereby if a business is paying a service provider to provide a service which requires a transfer of personal information from the business to the service provider (which is presumptively “valuable” for the business; otherwise the business would not be paying for it), then the business should not be deemed to be “selling” personal information to the service provider. The business is paying the service provider, not the other way around, and the mere fact that the service provider’s services to the business may be “valuable” for the business should not constitute a “sale” under the CCPA.
5) Please provide guidance on “audio” information.
The definition of “personal information” in the CCPA expressly includes “audio” if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household. Consumers may leave “audio” information in a variety of interactions with financial institutions, for instance, from voicemail messages left with employees to live-recorded calls with their call centers. The Proposed Regulations did not provide any guidance on handling audio information. How are notices at or before collection supposed to be provided to such consumers with all of the minimum information required by Section 999.305(a)(2) of the Proposed Regulations? If the Attorney General requires a notice at or before collecting audio information from consumers, we suggest providing an abbreviated notice that directs consumers to the business’s privacy policy on its website.
Furthermore, are businesses expected to operationalize voicemail messages left with employees for CCPA purposes? In other words, will voicemail messages left with employees constitute a collection of personal information under the CCPA by the business? For instance, you have an individual leave a voicemail with an employee, which includes the person’s name and other identifiers that satisfy the definition of “personal information” under the CCPA. Are such employees expected to save the voicemail and/or make a record of such messages for purposes of being able to disclose the business collected that information and to provide consumers the right to know categories and specific pieces of information collected and the right to delete such information? If so, this will put an extraordinary burden on businesses to screen and record all of their calls, including employee voicemail information, which could potentially trespass into the privacy rights of employees.
Arguably, a business should not be considered to be “collecting” or “processing” (let alone “sharing” or “selling”) audio information if a consumer calls and leaves a voicemail message if the business does not retain that information for an extended period of time. We suggest that the Attorney General’s Final Regulations address this issue and state that a business should not be considered to be collecting, processing, sharing or selling personal information if the voicemail message is left with an employee and if the business deletes the voicemail message within a certain number of days (e.g., 30 days).
6) Please clarify the reference to Civil Code section 1798.105(d) in Section 999.313(d)(5) of the Proposed Regulations.
Section 999.313(d)(5) of the Proposed Regulations states, “[i]n responding to a request to delete, a business shall disclose that it will maintain a record of the request pursuant to Civil Code section 1798.105(d).” Section 1798.105(d) only lists the exceptions for a business or service provider’s obligation to respond to a consumer’s deletion request. It is neither the operative section for making the request to delete, which is covered under Civil Code section 1798.105(a), nor the operative section for maintaining a record of the data, which is addressed in Section 999.317 of the Proposed Regulations. Therefore, the reference to Civil Code section 1798.105(d) in Section 999.313(d)(5) of the Proposed Regulations appears to be a mistake.
7) The Attorney General should stay the disclosure required under Section 999.317(g) until January 1, 2021.
Section 999.317(g) provides that a business that, alone or in combination, annually buys, receives for the business’s commercial purposes, sells or shares for commercial purposes, the personal information of 4,000,000 or more consumers, shall:
(1) Compile the following metrics for the previous calendar year: (a) The number of requests to know that the business received, complied with in whole or in part, and denied; (b) The number of requests to delete that the business received, complied with in whole or in part, and denied; (c) The number of requests to opt-out that the business received, complied with in whole or in part, and denied; (d) The median number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt-out.
(2) Disclose the information compiled in subsection (g)(1) within their privacy policy or posted on their website and accessible from a link included in their privacy policy….
For all intents and purposes, even if a business has met the 4,000,000 threshold for the calendar year 2019, its Privacy Policy posted on January 1, 2020, when the CCPA takes effect, will have zero as the response to all of the metrics because consumers could not have exercised their CCPA right to information, deletion and opt-out before the CCPA took effect. It makes sense to require businesses to collect the analytical information in 2020 and post it in their Privacy Policies as of January 1, 2021.
We respectfully request the Office of the Attorney General to clarify and respond to the above-referenced questions and suggestions in its Final Regulations. As provided in the CCPA, the Attorney General may adopt additional regulations as necessary to further the purposes of the CCPA. As representatives of financial institutions, SW&M respectfully requests clarification on all of the issues above, particularly the issues about the scope and application of the CCPA on banks and credit unions.