Title V of the GLBA: What applies under the CPRA?
Title V of the GLBA governs the treatment of non-public personal information about consumers by financial institutions. The CCPA and the CPRA exempt personal information that is collected, processed, sold or disclosed subject to Title V, but that exemption reaches only as far as Title V itself does. In the situations outlined in this section, Title V does not apply, so the exemption falls away and the CPRA governs the information.
Collecting information from website visitors
When a financial institution collects CPRA-covered personal information from “persons that do not obtain a financial product or service from a financial institution and is merely browsing the website,” the GLBA does not cover that processing. In this instance, the organization might collect personal information from web visitors to improve site performance or to deliver targeted advertising. Under the CPRA, this personal information is subject to the privacy protections of the law and must be included in responses to consumer rights requests. Financial institutions will therefore need mechanisms to facilitate consumer opt-out requests, including those sent via the Global Privacy Control (GPC), a universal opt-out preference signal that the CPRA requires businesses to honor.
Personal information collected in the context of B2B products and services
The GLBA applies only to nonpublic personal information about individuals who obtain financial products or services primarily for personal, family, or household purposes. It “does not apply to information about companies or individuals who obtain financial products or services for business, commercial or agricultural purposes” (12 C.F.R. 216.1(b)). For example, the CPRA will apply when a financial institution collects and processes personal information from representatives of businesses who are California residents, where that personal information is used to process commercial loans, commercial checking accounts, or other B2B services.
Consequently, the GLBA does not govern the collection of personal information when a financial institution collects, and shares with third parties, personal information about representatives of companies or about individuals who obtain financial products or services for the above-mentioned purposes. In these scenarios, the requirements for facilitating an opt-out of sharing data with third parties are in scope for the CPRA, and organizations need to establish mechanisms to communicate opt-out signals such as the GPC downstream to the vendors and partners with whom the information is shared.
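The two passages above (website visitors, and B2B records shared with third parties) both turn on the same mechanism: detecting the GPC signal on an incoming request and carrying the resulting opt-out through to everything that happens with the data afterwards. The following is an added example, not code from the original article. The only facts it relies on are from the GPC specification: the browser sends the request header `Sec-GPC: 1` (and exposes `navigator.globalPrivacyControl` to page scripts), and a site can publish `/.well-known/gpc.json` to state that it honors the signal. The header object, the B2B record, the vendor list and the purpose names are constructed for illustration.

```javascript
// Added example (not from the original article): server-side handling of the
// Global Privacy Control (GPC) opt-out signal.
// Spec facts used: the user agent sends "Sec-GPC: 1"; the only opt-out value is
// the string "1"; a site may serve /.well-known/gpc.json with { gpc, lastUpdate }.
// Everything else (record shape, vendor list, purpose names) is illustrative.

// Case-insensitive header lookup. Node's http module lowercases header names,
// but proxies and raw header maps may not, so normalise before comparing.
function hasGpcOptOut(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      // Exactly one opt-out value is defined: "1". Anything else ("0", "",
      // "true", a malformed value) is NOT an opt-out signal.
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Decide what a web visit may be used for. First-party performance analytics
// is not a "sale or sharing" and stays allowed; cross-context behavioural
// advertising and sharing with ad partners must stop when GPC is present.
function allowedPurposes(headers) {
  const optOut = hasGpcOptOut(headers);
  return {
    gpcOptOut: optOut,
    performanceAnalytics: true,
    targetedAdvertising: !optOut,
    shareWithAdPartners: !optOut,
  };
}

// Propagate the opt-out downstream. For B2B records (commercial loan, business
// checking) the GLBA exemption does not apply, so each vendor payload carries
// the preference, and advertising vendors receive nothing when opted out.
function buildVendorPayloads(record, headers, vendors) {
  const optOut = hasGpcOptOut(headers);
  return vendors.map((vendor) => {
    if (vendor.purpose === "advertising" && optOut) {
      return { vendor: vendor.name, shared: false, reason: "gpc_opt_out" };
    }
    return {
      vendor: vendor.name,
      shared: true,
      // The signal travels with the data so the recipient can honour it too.
      data: { ...record, gpcOptOut: optOut },
    };
  });
}

// Response body for GET /.well-known/gpc.json, announcing that GPC is honoured.
function wellKnownGpc(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Constructed sample inputs (not captured traffic).
const SAMPLE_GPC_REQUEST = { "Sec-GPC": "1", "User-Agent": "ExampleBrowser/1.0" };
const SAMPLE_PLAIN_REQUEST = { "user-agent": "ExampleBrowser/1.0" };
const SAMPLE_B2B_RECORD = {
  contactName: "A. Representative",      // California resident acting for a company
  company: "Example Commercial Co.",
  product: "commercial-loan",            // business purpose: outside GLBA Title V
};
const SAMPLE_VENDORS = [
  { name: "ad-network", purpose: "advertising" },
  { name: "loan-servicer", purpose: "service" },
];

console.log(allowedPurposes(SAMPLE_GPC_REQUEST));
console.log(buildVendorPayloads(SAMPLE_B2B_RECORD, SAMPLE_GPC_REQUEST, SAMPLE_VENDORS));
console.log(wellKnownGpc("2023-01-01"));
```

The strict comparison against `"1"` is deliberate: treating any non-empty header as an opt-out would over-block, while treating `"0"` or a missing header as an opt-out would misreport what the consumer actually signalled. Whatever decision is made at the edge should also be recorded with the request so that the same preference can be shown in the response to a later right-to-know request.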
Another area that the GLBA does not govern is the collection of information about a business’s own employees. When the CPRA takes effect on January 1, 2023, the exclusion of employees as covered individuals will expire, and financial institutions will be required to extend to employees, contractors, job applicants, and former employees a set of privacy rights similar to those afforded to consumers.
As seen with employee data subject rights under the GDPR, extending the right to know to this population poses new challenges for organizations. These include providing a different intake and verification method, and locating personal information held in systems that consumer-facing processes never touch. Employee data is also more heavily unstructured, so there is a greater opportunity for one person’s personal information to be co-mingled with the sensitive personal information of others or with proprietary business information. Businesses will therefore need mechanisms to capture requests from current and former employees, applicants, and contractors, and processes to narrow the scope of what to include in the response without creating an undue burden on the requestor.