Post on 10-Jun-2020
Financial Service Providers and the CCPA:
Analyzing the GLBA Exemption, Avoiding
Damages for Noncompliance
Presenting a live 90-minute webinar with interactive Q&A
THURSDAY, OCTOBER 3, 2019
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Marci V. Kawski, Partner, Husch Blackwell, Madison, Wis.
Tobias Moon, Partner, Husch Blackwell, Dallas
David M. Stauss, Partner, Husch Blackwell, Denver
Analyzing the CCPA’s GLBA Exemption
David M. Stauss, Partner, CIPP/US, CIPT, FIP
Marci Kawski, Partner
Tobias P. Moon, Partner
© 2019 Husch Blackwell LLP
Roadmap
1. Brief CCPA Overview
2. GLBA Exemption
3. Gaps
4. Inter and intra-company transfers
5. GLBA Definition of Personal Information and Implementing Regulations
6. Data breach statutory damages
Brief CCPA Overview
What Entities are Covered by the CCPA?
For Profit Legal Entity
• Have annual gross revenues in excess of $25,000,000; or
• Alone or in combination, annually buy, receive for the business’s commercial purpose, sell, or share for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or
• Derive 50% or more of its annual revenue from selling consumers’ personal information
Or: Entity that controls or is controlled by a business and that shares common branding with the business.
Personal Information
“Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”
• Unique personal identifier
• SSN
• Biometric information
• Medical information
• Online identifier
• Driver’s license #
• Browsing/search history
• Telephone #
• Names
• IP address
• Passport #
• Geolocation data
• Alias
• Email address
• Education information
• Financial information
• Postal address
• Account name
• Purchasing/consuming history
• Credit card/debit card #
• Records of products or services purchased, obtained or considered
• Employment-related information
• Information re: consumer’s interaction w/website, application, or advertisement
• Audio, electronic, visual, thermal, or olfactory information
CCPA Rights
Know
Access
Data Portability
Be Forgotten
Opt Out of Sales
Equal Service
Right to Opt Out of Sales of PI
Overview
• Consumers can direct a business not to “sell” their PI to “third parties”
• Express authorization required to sell thereafter
• Cannot request consumer to re-authorize sales for 12 months
Sale ≠ Sale
• It means transfer of PI to another business or third party for “monetary or other valuable consideration”
• CCPA does not define “other valuable consideration”
• Creates potential issues with inter-company sharing
9.13 Amendments
1. Limited employee exemption
2. Limited business to business exemption
3. Clarification of personal information definition
4. Modified anti-discrimination provision
5. Changes to authentication procedures
Enforcement
California Attorney General
• Statutory damages of $2,500 for each violation or $7,500 for each intentional violation
• Unclear how “violation” will be applied
Private Right of Action
• For data breaches due to a failure to implement and maintain reasonable security procedures and practices
• Statutory damages of between $100 and $750 “per consumer per incident”
GLBA Exemption
AB 375 (June 28, 2018)
“This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, if it is in conflict with that law.”
SB 1121 (Sept. 23, 2018)
“This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150.”
Changes
1. Added CalFIPA Reference
2. Removed “if it is in conflict with that law” language
3. Carved out data breach private right of action section
GLBA Definition of Non-Public Personal Information and Implementing Regulations
Implementing Regulations
• Privacy Rule
▪ CFPB
▪ SEC
▪ CFTC
▪ FTC (motor vehicle dealers)
Nonpublic personal information 12 CFR 1016.3(p)(1)
• Personally identifiable financial information; and
• Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.
• Does not include:
▪ Publicly available information
▪ List, etc. of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information that is not publicly available
Personally Identifiable Financial Information – 12 CFR 1016.3(q)(1)
Any information:
1. A consumer provides to you to obtain a financial product or service from you;
2. About a consumer resulting from any transaction involving a financial product or service between you and a consumer; or
3. You otherwise obtain about a consumer in connection with providing a financial product or service to that consumer
Examples of PII
• Information on an application
• Account balance information
• Payment history
• Overdraft history
• Credit/debit card purchase information
• Fact that individual is/was your customer
• Any information in connection with collecting on, or servicing, a loan or credit account
• Any information that you collect through an internet “cookie”
• Information from a consumer report
Consumer & Customer
• 12 CFR 1016.3
• Consumer – An individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative.
• Examples:
▪ Individual who applies for credit, regardless of whether credit is extended
▪ Individual who applies for a loan, regardless of whether loan is extended
• Customer – A consumer who has a customer relationship with you (i.e., a continuing relationship between a consumer and you under which you provide one or more financial products or services)
Information Not Included
• List of names and addresses of customers of an entity that is not a financial institution
• Information that does not identify a consumer, such as aggregate information or blind data
Information Not Included
• Publicly Available Information: Information that you have a reasonable basis to believe is lawfully made available to the general public from:
▪ Federal, state or local government records;
▪ Widely distributed media; or
▪ Disclosures to the general public that are required to be made by Federal, state, or local law
Gaps
Marketing - Advertising Cookies
▪ This is a “sale” under the CCPA
• Senate Bill 753 would have excluded certain types of advertising cookies from definition of sale
• Failed in Senate
▪ Triggers right to opt-out of sales for “non-consumers” (i.e., those not falling within the GLBA)
Personal Information of Website Visitors
▪ CCPA covers information such as browsing history, geolocation, cookies, IP addresses, etc.
▪ If you are collecting such information of non-consumers, the CCPA will apply
Commercial and Business Purpose Loans
▪ GLBA and Regulation P do not apply
▪ Regulation P applies only to nonpublic personal information about individuals who obtain financial products or services primarily for personal, family, or household purposes
▪ Regulation P does not apply to information about companies or individuals who obtain financial products or services for business, commercial, or agricultural purposes
Personal Guarantees in Commercial Transactions
▪ GLBA and Regulation P do not apply
▪ Regulation P applies to consumers—individuals obtaining financial products and services to be used primarily for personal, family or household purposes
Firm Offers of Credit
▪ GLBA and Regulation P apply
▪ Personally identifiable financial information includes any information you otherwise obtain about a consumer in connection with providing a financial product or service to the consumer
▪ Regulation P states that personally identifiable financial information includes information from a credit report
Marketing Campaigns
▪ Data unrelated to financial product or service (e.g., sweepstakes)
▪ Data obtained from consumers and former customers
▪ Data obtained from someone inquiring into a financial product or service
Marketing – Lead Generators
Is the information obtained by a lead generator subject to the GLBA?
• Lead generator as agent of the financial institution
• Lead generator as a broker
• Lead generator merely collecting and selling information
Employee and Business Information
• September 13 amendments added limited exemptions
• Employees still have right to know what is being collected and how it will be used
• Business to business exemption is helpful but will require analysis; does not apply to opt out
• 1 year sunset provisions
Inter and intra-company transfers
Sharing of NPI under GLBA
Reasons we can share your personal information | Does FI share? | Can you limit this sharing?
For our everyday business purposes— such as to process your transactions, maintain your account(s), respond to court orders and legal investigations, or report to credit bureaus | Yes | No
For our marketing purposes— to offer our products and services to you | Yes | Up to Financial Institution
For joint marketing with other financial companies | Yes | Up to Financial Institution
For our affiliates’ everyday business purposes— information about your transactions and experiences | Yes | Yes
For our affiliates’ everyday business purposes— information about your creditworthiness | Yes | Yes
For our affiliates to market to you | Yes | Yes
For nonaffiliates to market to you | Yes | Yes
Questions? Call 800-GLB-INFO or go to http://www.GLB-INFO.com
CCPA Definition of “Business”
1. For profit legal entities that have (a) annual gross revenues in excess of $25,000,000;
(b) Alone or in combination, annually buy, receive for the business’s commercial purpose, sell, or share for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices, or
(c) Derive 50 percent or more of its annual revenues from selling personal information.
2. Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business.
CCPA Definition of “Business”
1. Difficulty created for entities with corporate structure that contains companies that do not have common branding
2. GLBA exemption appears to cover transfers of personal information from one GLBA entity to another GLBA entity
3. GLBA exemption will not cover transfers of NPI from GLBA entity to non-GLBA entity, unless exception under GLBA applies, a privacy notice is given allowing disclosure of information for FI’s marketing purposes, or consumer has not opted out of sharing to non-affiliated third parties.
Data Breach Statutory Damages
Private Right of Action
• Carved out of GLBA exemption
• Private right of action for data breaches due to a failure to implement and maintain reasonable security procedures and practices
• Statutory damages of between $100 and $750 “per consumer per incident”
• “Personal information” links to data breach statute definition, not CCPA’s
Personal Information
1. First name/initial and last name plus
▪ Social security number;
▪ Driver’s license number;
▪ Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
▪ Medical information; or
▪ Health insurance information.
Assembly Bill 1130
Added following categories:
• Tax ID number
• Passport number
• Military ID number
• Biometric data used to authenticate an individual such as fingerprint, retina, or iris image (does not include a physical or digital photograph, unless used or stored for facial recognition purposes)
Takeaways
1. Inventory and map data
▪ Understand what data is collected and how/from whom, how it flows within corporate structure and transfers to other entities
2. Classify data as GLBA or non-GLBA
3. Information Security
▪ Make sure proper information security controls are in place for any personal information covered by breach notification statute
HB CCPA Data Inventory Tool
• Online client portal
• Question/answer format
• Inventories all CCPA data elements and third party transfers
• Gathers other information necessary to be disclosed by CCPA
• Reasonable flat fee for clients
• Significantly reduces attorney fees and client time
Questions?
Thank You
Marci V. Kawski
marci.kawski@huschblackwell.com
Tobias Moon
tobias.moon@huschblackwell.com
David M. Stauss
david.stauss@huschblackwell.com