Do financial institutions have to comply with the CCPA with respect to all consumer information?



The CCPA does not apply to “personal information collected, processed, sold or disclosed in accordance with the Gramm-Leach-Bliley Act (GLBA) and its regulations”. The GLBA regulates the privacy and security of financial institutions and applies to much more than banks, including mortgage brokers, non-bank lenders, personal or real estate appraisers, professional tax preparers, car dealerships that grant loans and insurance companies.

The GLBA imposes confidentiality requirements – and would therefore preempt the application of the CCPA – when financial institutions collect “non-public personal information about individuals who obtain financial products or services primarily for personal, family or household purposes”.1 Note that the qualifier “who obtain” is somewhat misleading. Under the GLBA, the term “consumer” includes people who have requested, but not obtained, financial products, including:

  • People who apply for credit, whether the credit is extended or not;
  • Individuals who provide non-public personal information to the financial institution in order to obtain a decision on their eligibility for a loan, whether the loan is extended or not;
  • Individuals who provide non-public personal information in the course of obtaining or seeking financial, investment or economic advisory services, whether or not they are establishing an advisory relationship.

The GLBA does not apply, and therefore would not preempt the application of the CCPA, in the following situations:

  • When financial institutions collect information about people “who obtain financial products or services for business, commerce, or agriculture” – such as information collected during the granting of commercial loans, commercial current accounts or other B2B services;2
  • When financial institutions collect information from a person who is not requesting a financial product or seeking to obtain financial services, such as website data or marketing leads generated by third parties when the person has not requested a product;
  • When financial institutions have personal information about persons who are consumers of another financial institution for which the financial institution acts as an agent or provides processing or for which it provides other services;
  • When the financial institution is appointed by an individual as trustee of a trust;
  • If a person is a participant or beneficiary of a benefit plan sponsored by the financial institution;
  • Personal information on employees of financial institutions (subject to the CCPA as of 2021).

Note that the partial exemption applies to confidentiality requirements under the CCPA only. A financial institution can still be sued, and have to defend itself against claims for actual or statutory damages, under CCPA section 1798.150 if the business fails to implement and maintain reasonable security to protect certain sensitive categories of personal information.
