Yes, the California Attorney General may be able to enforce the CCPA’s notice rules against your bank, depending on the following factors. Also, a California resident or a class of California residents conceivably could sue your bank for violations of the CCPA, even though it does not have a physical presence in that state.
The CCPA applies to businesses that collect consumers’ personal information, do business in California and meet at least one of the following thresholds: (1) they have adjusted gross annual revenues exceeding $25 million, (2) they buy, sell, receive, or share the personal information of at least 50,000 consumers, households, or devices for commercial purposes, or (3) they derive 50% or more of their annual revenues from selling consumers’ personal information. Notably, the CCPA defines “consumers” as natural persons who are California residents, but it does not define what “doing business in California” means.
Consequently, even if your bank has no branches in California, it is conceivable that your bank must comply with the CCPA, at least with respect to customers residing in California — and the CCPA authorizes California’s Attorney General to bring enforcement actions for violations of the law beginning July 1, 2020, in addition to authorizing individuals to sue your bank directly for certain violations of the law.
For resources related to our guidance, please see:
- California Consumer Privacy Act of 2018, Cal Civ. Code § 1798.100(b) (“A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.”)
- Proposed CCPA Regulations, § 999.304, page 4 (updated March 11, 2020) (“Overview of Required Notices
(a) Every business that must comply with the CCPA and these regulations shall provide a privacy policy in accordance with the CCPA and these regulations, including section 999.308.
(b) A business that collects personal information from a consumer shall provide a notice at collection in accordance with the CCPA and these regulations, including section 999.305.
(c) A business that sells personal information shall provide a notice of right to opt-out in accordance with the CCPA and these regulations, including section 999.306.
(d) A business that offers a financial incentive or price or service difference shall provide a notice of financial incentive in accordance with the CCPA and these regulations, including section 999.307.”)
- California Consumer Privacy Act of 2018, Cal Civ. Code § 1798.140(c) (“‘Business’ means:
(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that collects consumers’ personal information or on the behalf of which that information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
- (A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
- (B) Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
- (C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
(2) Any entity that controls or is controlled by a business as defined in paragraph (1) and that shares common branding with the business. ‘Control’ or ‘controlled’ means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. ‘Common branding’ means a shared name, servicemark, or trademark.”)
- California Consumer Privacy Act of 2018, Cal Civ. Code § 1798.140(c) (“‘Consumer’ means a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier.”)
- California Consumer Privacy Act of 2018, Cal Civ. Code § 1798.145(e) (“This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm–Leach–Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150.”)
- California Consumer Privacy Act of 2018, Cal Civ. Code § 1798.185(c) (“The Attorney General shall not bring an enforcement action under this title until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.”)
- California Consumer Privacy Act of 2018, Cal Civ. Code § 1798.150(a)(1) (“Any consumer whose nonencrypted and nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following: (A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater. (B) Injunctive or declaratory relief. (C) Any other relief the court deems proper.”)