What responsibilities, if any, do we have under the California Consumer Privacy Act to our customers who live in California, when we have branches only in Illinois?

Whether your bank has any responsibilities under the California Consumer Privacy Act (CCPA) depends on several factors, including whether you do business in California and whether you collect any personal information about your California customers that is not already covered by the Gramm–Leach–Bliley Act (GLBA).

The CCPA, which takes effect on January 1, 2020, creates new consumer rights for California residents relating to the access to, deletion of, and sharing of personal information collected by businesses. It applies to all for-profit businesses that collect consumers’ personal information, do business in California, and meet at least one of the following thresholds:

(1) have adjusted gross annual revenues exceeding $25 million,

(2) buy, sell, receive, or share the personal information of at least 50,000 consumers, households, or devices for commercial purposes, or

(3) derive 50% or more of their annual revenues from selling consumers’ personal information.

The CCPA defines “consumers” as natural persons who are California residents. However, the CCPA lacks several other definitions, such as what “doing business in California” means, and unfortunately, the California Attorney General’s recently proposed rules under the CCPA provide little clarification on how out-of-state businesses are covered by the law.

For example, the CCPA applies to businesses with gross annual revenues over $25 million, and it is unclear whether those revenues must be derived from activities in California. Additionally, the law applies to businesses that receive (or buy, sell or share) the personal information of at least 50,000 consumers, households, or devices annually. While the term “consumer” is limited to California residents, “household” and “device” are not limited to California households or devices. As noted in the California Attorney General’s regulatory impact assessment for its proposed rules, a website collecting information from as few as 137 unique visitors per month could be subject to the law due to this 50,000 threshold. Consequently, although your bank has no branches in California, it is unclear whether your bank will be exempt from the CCPA.

Also, we note that while the applicability of the CCPA to out-of-state businesses has not yet been tested in the courts, the Ninth Circuit has applied the Illinois Biometric Privacy Act (BIPA) to a California corporation (Facebook), finding that although the BIPA did not address whether a violation is deemed to occur where the person whose privacy rights are impacted is located, or where their personal information is maintained, “it is reasonable to infer that the [Illinois] General Assembly contemplated BIPA's application to individuals who are located in Illinois, even if some relevant activities occur outside the state.” Similarly, courts may infer that the CCPA applies when a California resident’s privacy rights are impacted, even if certain relevant activities occur outside of California.

A separate law, the California Corporate Code, defines “transact intrastate business” to exclude a foreign corporation’s “creating evidences of debt or mortgages, liens or security interests on real or personal property” in California. It also excludes a foreign banking corporation’s acquisition or modification of loans (if these activities are carried on by the bank outside of California) or enforcement of any loans or the acquisition of title to any real or personal property by trustee’s sale, judicial sale, foreclosure, or deed in lieu of foreclosure. However, the CCPA and the proposed regulations unfortunately do not reference these definitions.

The CCPA has a limited exception for personal information “collected, processed, sold, or disclosed pursuant to” the GLBA — but this exception does not apply for purposes of the CCPA’s private right of action. Additionally, the CCPA defines personal information broadly to include “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Thus the CCPA’s definition may include information not covered by the GLBA, as implemented by Regulation P, such as biometric information, geolocation data, and information regarding a consumer’s interaction with a website, unless such information is obtained in connection with collecting on or servicing a loan or credit account or is collected through an internet “cookie.”

Due to the CCPA’s complexity and ambiguity, we recommend reviewing the extent of your dealings with California residents and the personal information that you collect, process, sell, or disclose related to these customers — and consulting legal counsel if necessary — to determine the extent to which you may be subject to its requirements.

For resources related to our guidance, please see:

California Consumer Privacy Act of 2018, Cal Civ. Code § 1798.100 (effective January 1, 2020) (“(a) A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected. . . .”)

California Consumer Privacy Act of 2018, Cal Civ. Code § 1798.105 (effective January 1, 2020) (“(a) A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer. . . .”)

California Consumer Privacy Act of 2018, Cal Civ. Code § 1798.120 (effective January 1, 2020) (“(a) A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt-out. . . .”)

California Consumer Privacy Act of 2018, Cal Civ. Code § 1798.140(c) (effective January 1, 2020) (“‘Business’ means:

(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that collects consumers’ personal information or on the behalf of which that information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:

(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.

(B) Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.

(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

(2) Any entity that controls or is controlled by a business as defined in paragraph (1) and that shares common branding with the business. ‘Control’ or ‘controlled’ means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. ‘Common branding’ means a shared name, servicemark, or trademark.”)

California Attorney General, Standardized Regulatory Impact Assessment: California Consumer Privacy Act of 2018 Regulations, page 2 (“‘Household’ means a person or group of people occupying a single dwelling.”)

California Attorney General, Proposed CCPA Regulations, page 20 (“[[i][/i]I]t is likely that the 50,000 PI requirement and the 50% annual revenue requirement will apply to many businesses with annual revenues less than $25 million. For example, any firm that collects personal information from more than 137 consumers or devices a day will meet the 50,000 threshold.”)

California Consumer Privacy Act of 2018, Cal Civ. Code § 1798.140(c) (Effective January 1, 2020) (“‘Consumer’ means a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier.”)

California Consumer Privacy Act of 2018, Cal Civ. Code § 1798.145(e) (effective January 1, 2020) (“This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm–Leach–Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150.”)

Patel v. Facebook, Inc., 932 F.3d 1264, 1275 (9th Cir. 2019) (“Facebook insists that the Illinois legislature did not intend for the BIPA to have extraterritorial effect, and in the absence of such an intent, a court would have to consider whether the relevant events at issue took place inside or outside Illinois. Facebook argues that its collection of biometric data and creation of a face template occurred on its servers outside of Illinois, and therefore the necessary elements of any violation occurred extraterritorially.”)

Patel v. Facebook, Inc., 932 F.3d 1264, 1276 (9th Cir. 2019) (“The parties' dispute regarding extraterritoriality requires a decision as to where the essential elements of a BIPA violation take place. The statute does not clarify whether a private entity's collection, use, and storage of face templates without first obtaining a release, or a private entity's failure to implement a compliant retention policy, is deemed to occur where the person whose privacy rights are impacted uses Facebook, where Facebook scans photographs and stores the face templates, or in some other place or combination of places. Given the General Assembly's finding that ‘[m]ajor national corporations have selected the City of Chicago and other locations in this State as pilot testing sites for new applications of biometric-facilitated financial transactions,’ 740 Ill. Comp. Stat. 14/5, it is reasonable to infer that the General Assembly contemplated BIPA's application to individuals who are located in Illinois, even if some relevant activities occur outside the state.”)

Cal Corp. Code § 191(c) (“Without excluding other activities that may not constitute transacting intrastate business, a foreign corporation shall not be considered to be transacting intrastate business within the meaning of subdivision (a) solely by reason of carrying on in this state any one or more of the following activities: . . . (7) Creating evidences of debt or mortgages, liens or security interests on real or personal property. . . .”)

Cal Corp. Code § 191(d) (“Without excluding other activities that may not constitute transacting intrastate business, any foreign lending institution, including, but not limited to: any foreign banking corporation . . . whether organized under the laws of the United States or of any other state . . . shall not be considered to be doing, transacting, or engaging in business in this state solely by reason of engaging in any or all of the following activities either on its own behalf or as a trustee of a pension plan, employee profit sharing or retirement plan, testamentary or inter vivos trust, or in any other fiduciary capacity: . . .

(1) The acquisition . . . of loans, secured or unsecured, or any interest therein, if those activities are carried on from outside this state by the lending institution.

* * * * *

(3) The ownership of any loans and the enforcement of any loans by trustee’s sale, judicial process or deed in lieu of foreclosure or otherwise.

(4) The modification, renewal, extension, transfer or sale of loans . . . if the activities are carried on from outside this state by the lending institution. . .

* * * * *

(6) The acquisition of title to the real or personal property covered by any mortgage, deed of trust or other security instrument by trustee’s sale, judicial sale, foreclosure or deed in lieu of foreclosure . . .”)

California Consumer Privacy Act of 2018, Cal Civ. Code § 1798.140(o) (effective January 1, 2020) “(1) ‘Personal information’ means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:

(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

(B) Any categories of personal information described in subdivision (e) of Section 1798.80.

(C) Characteristics of protected classifications under California or federal law.

(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

(E) Biometric information.

(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.

(G) Geolocation data.

(H) Audio, electronic, visual, thermal, olfactory, or similar information.

(I) Professional or employment-related information.

(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).

(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

(2) ‘Personal information’ does not include publicly available information. . . .”)

Regulation P, 12 CFR 1016.3(p)(1)(i) (“Nonpublic personal information means . . . Personally identifiable financial information . . . .”)

Regulation P, 12 CFR 1016.3(q)(2)(i)(C) (“Personally identifiable financial information includes:

(A) Information a consumer provides to you on an application to obtain a loan, a credit card, a credit union membership, or other financial product or service;

(B) Account balance information, payment history, overdraft history, and credit or debit card purchase information;

(C) The fact that an individual is or has been one of your customers or has obtained a financial product or service from you;

(D) Any information about your consumer if it is disclosed in a manner that indicates that the individual is or has been your consumer;

(E) Any information that a consumer provides to you or that you or your agent otherwise obtain in connection with collecting on, or servicing, a loan or a credit account;

(F) Any information you collect through an internet ‘cookie’ (an information collecting device from a Web server); and

(G) Information from a consumer report.”)