Is One of Your Members a California Resident?
Do any of your members take the 405 to Santa Monica and then, when they see the Jack in the Box, take a left onto Lincoln in order to get to Bay Cities Italian Deli and Bakery? If so, they might be a…Californian.
On January 1, 2023, the amendments to the California Consumer Privacy Act (CCPA) created by the California Privacy Rights Act (CPRA) went into effect. To be clear, the CPRA is not a replacement for the CCPA, but rather amends the CCPA.
Who does the CCPA apply to?
Generally, the CCPA governs how businesses collect and use the personal information of California residents. As of January 1, 2023, the CCPA defines business as:
“A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
(A) As of January 1 of the calendar year, had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year, as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households.
(C) Derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.”
Credit unions may want to review the above to determine whether they would be considered a business. However, if you have already done some research, you may have noticed that according to this California Privacy Protection Agency (CPPA) FAQ, the CCPA does not “generally apply to nonprofits” (Emphasis added). Credit unions should note that the CPPA does not adamantly state that all nonprofits are exempted. This is likely due to the fact that neither the CCPA nor its regulations specifically exempt nonprofits. As such, credit unions may want to rely on the text of the statute to determine whether they are a “business” rather than a wishy-washy FAQ.
Credit unions may also want to be careful if they have CUSOs, as a business may also be:
“(2) Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business and with whom the business shares consumers’ personal information. “Control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, servicemark, or trademark that the average consumer would understand that two or more entities are commonly owned.”
Based on the above, it is possible that a credit union could be considered a business due to a relationship with its CUSO if the CUSO does business in California.
What is protected?
The CCPA protects consumers’ personal information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The CCPA provides several examples of personal information, such as biometric information or geolocation data. However, credit unions should note that the CCPA excepts several types of information from the definition of personal information. Chief among the exceptions for credit unions is “personal information collected, processed, sold, or disclosed subject to the federal Gramm-Leach-Bliley Act.” There is other information that is excepted, and credit unions may want to review the statute to understand what is and is not protected under the CCPA.
Who is protected?
The CCPA is designed to protect a consumer’s personal information. The CCPA defines a consumer as “a natural person who is a California resident” (Emphasis added). Based on this, it appears that all a credit union has to do is check to see if they serve any California residents. However, it is not so simple. Prior to 2023, the CCPA had exceptions for employees and business-to-business transactions. The CPRA removed those exceptions, and credit unions may want to be aware that the CCPA now fully protects a credit union’s employees and the employees of businesses that the credit union transacts with. With the increase in the number of remote employees, it is more and more likely that a business will have a California employee, even if they are located out of state.
Based on these new changes to the CCPA and the commencement of enforcement actions by the California Attorney General, credit unions may want to step back and review whether the CCPA applies to them. Credit unions that are worried may want to speak to counsel familiar with the law.
About the Author
Keith Schostag joined NAFCU as regulatory compliance counsel in February 2021. In this role, Keith assists credit unions with a variety of compliance issues.