Compliance Blog

On Wednesday, the California Consumer Privacy Act (CCPA) goes into effect. Cal. Civ. Code §1798.198. Even though the law will go into effect and its legal requirements will be in place, the actual regulatory requirements detailing how to comply with the law are not yet finalized. We blogged about the proposed regulations earlier this year, and NAFCU filed its comments with the California DOJ. Final implementing regulations are expected to be released by the California DOJ no earlier than April.

The CCPA specifies that the California Attorney General shall not bring any enforcement actions under the CCPA until the earlier of six months after the publication of final implementing regulations or July 1, 2020. Cal. Civ. Code §1798.185(c). Given that the final regulations are not expected until April, it is likely the July 1, 2020 date will be the applicable timeline that enforcement could begin.

The CCPA applies to the personal information of a consumer who is a California resident. The CCPA does not care about the context during which the information is collected. An individual’s personal information could be collected in connection with the opening of a consumer account or loan, but it could also be collected in connection with the individual serving as a beneficial owner of a member business, an authorized signor for a corporate account, or as an employee of the credit union. Because the personal information of an individual California resident would be collected in these situations, the rights and requirements of the CCPA would apply under the current law. Amendments to the CCPA did delay its applicability to these situations.

Delay for Employee and Director Information

Prior to the closure of the California legislature’s 2019 session, a flurry of amendments to the CCPA were passed. One of these amendments to the CCPA was AB-25, which established an exception where a credit union collects a consumer’s personal information in a human resources context.

The CCPA specifies that if a consumer’s personal information is collected in the context of obtaining emergency contact information of, administering benefits to, or otherwise within the context of a consumer acting as a job applicant, employee, director, officer or contractor of the credit union, the delayed effective date would apply. The delay only applies to the extent that the information is used in those contexts – in other words if employment information was used to perform marketing, the delay date would not apply because the information was used in a marketing context.

For information that meets this exception, the effective date of most of the CCPA requirements will be delayed until January 1, 2021.  The requirement for an initial notice prior to collection under section 1798.100(b) and the personal right of action in connection with a breach under section 1798.150 will still go into effect on January 1, 2020.

Delay for Business-to-Business Transaction Information

Another last-minute amendment to the CCPA was AB-1355. This amendment established a delay of implementation for consumer’s personal information collected in the context of a business to business transaction for specific requirements of the CCPA.

Specifically, the CCPA states that if the consumer is acting as an employee, owner, director, officer, or contractor of a company (or partnership, sole proprietorship, nonprofit, or government agency), and the consumer’s personal information is collected or shared solely in the context of conducting due diligence or providing or receiving a product or service, many of the CCPA provisions are delayed until January 1, 2021.

The delayed provisions include the disclosure and notice requirements and the requirements to respond to requests to know or requests to delete. Notably, section 1798.125’s anti-discrimination provision and the personal right of action in connection with a breach under section 1798.150 still go into effect on January 1, 2020.

A Problem Delayed

While the delays of the CCPA applicability to employment information and business-to-business transaction information are somewhat helpful in lowering the initial compliance burden of the CCPA, they only delay the inevitable pain points credit unions will experience.

As NAFCU recently discussed in its Principles for a Federal Data Privacy Standard whitepaper, it is likely that additional state privacy laws will be passed in 2020 and 2021. The privacy law landscape is set to become tremendously more complicated for credit unions operating in multiple states. The need for a single, federal privacy law standard is clear, and credit unions concerned about this issue can share the white paper with their state and federal representatives to educate them on the issue. Also, this one-page statement of NAFCU’s recommendations for a single, federal privacy standard may be helpful for discussing a potential fix to this situation.