August 19, 2020

California finalizes consumer privacy regs

The California Department of Justice has finalized regulations to implement the California Consumer Privacy Act (CCPA), which took effect Jan. 1. NAFCU is an advocate for a uniform federal standard – not a patchwork of state privacy laws – and had urged the California attorney general to exempt credit unions from the state's privacy law as the industry already complies with the federal Gramm-Leach-Bliley Act (GLBA) for consumer data security and privacy.

The final regulations do not provide a credit union exemption, but do clarify several provisions. They went into effect immediately.

The final text of regulations can be viewed here; an addendum containing the final statement of reasons is also available.

Prior to the CCPA taking effect, a NAFCU Compliance Blog post detailed what credit unions needed to know; a previous NAFCU Compliance Blog post explained the initial set of proposed CCPA requirements. NAFCU will soon provide another analysis of what the final regulations mean for the credit union industry.

NAFCU President and CEO Dan Berger has asked CFPB Director Kathy Kraninger, who also leads the Federal Financial Institutions Examination Council (FFIEC), to provide interagency guidance related to the GLBA to help credit unions and other financial institutions comply with data privacy laws to ensure credit unions are not unnecessarily burdened by conflicting state laws.

Relatedly, NAFCU will monitor a meeting today for the Uniform Law Commission's Collection and Use of Personally Identifiable Data Drafting Committee, during which the committee is expected to reveal its draft of a uniform privacy law. NAFCU has called for an exemption for GLBA-covered financial institutions, such as credit unions, in its final proposal. The association will keep credit unions updated on developments.