December 06, 2019

NAFCU on CCPA: Law shouldn't apply to CUs as it creates confusion, compliance burdens


In a letter to California Attorney General Xavier Becerra, NAFCU's Mahlet Makonnen outlined a number of concerns the association and its member credit unions have related to the California Consumer Privacy Act (CCPA), which is set to take effect Jan. 1, 2020. NAFCU is an advocate for a uniform federal standard – not a patchwork of state privacy laws – and this week unveiled principles for a national data privacy standard.

Makonnen, NAFCU's regulatory compliance counsel, reiterated NAFCU's position that the CCPA should not apply to credit unions and recommended California lawmakers implement regulations to clarify:

  • requirements of the CCPA and its implementing regulations do not apply to organizations that solely collect Gramm-Leach-Bliley Act (GLBA)-covered information; and
  • organizations subject to the GLBA that collect CCPA-covered information should be able to comply through a regulatory regime that works in tandem with the GLBA, rather than an entirely separate, parallel framework that increases confusion and compliance burdens.

"State data privacy requirements, including the CCPA, are already creating confusion and leading to daunting compliance considerations for credit unions," wrote Makonnen. "In particular, the proposed CCPA regulations create challenging and expensive new obligations and varying standards that will undoubtedly present unnecessary burdens for credit unions and could, in turn, increase costs for consumers.

"Credit unions already comply with privacy requirements under the GLBA, yet the Proposed Regulations add overlapping and confusing requirements that would result in substantial additional compliance costs," Makonnen added.

Makonnen's letter is in response to proposed regulations released in January; she specifically provides recommendations related to:

  • exemptions under the CCPA;
  • notification of a consumer's rights and disclosure requirements;
  • handling consumer requests;
  • non-discrimination requirements; and
  • extension of the moratorium on enforcement of CCPA requirements.

NAFCU previously joined with the U.S. Chamber of Commerce and other organizations representing every sector of the American economy to urge California leaders to delay the effective date of the CCPA by two years.

The association has a recent Compliance Blog post available that highlights the requirements and proposed regulations of the CCPA, as well as a webinar on CCPA and the future of privacy laws available on-demand.