Why California’s Privacy Law doesn’t apply to your Credit Union

January 31, 2020 at 10:31 am Leave a comment

I’m more than a little surprised by how many credit unions outside of the great state of California are concerned that they have to comply with the California Consumer Privacy Act (CCPA). As states such as New York and California move to more aggressively assert their jurisdiction, and even international actors such as the European Union seek to expand the applicability of their laws, it’s important that credit unions look beyond the specific statute they are dealing with and understand the total legal framework in which they operate.

The CCPA is landmark legislation, which aims to give consumers control of their on-line information by, among other things, giving them the ability to make sure information is deleted and giving them greater control over which third parties have access to their data. It’s modeled after Europe’s GDPR. It’s a big deal for those businesses that have to comply with its mandates. But the reality is that the vast majority of credit unions outside of the great state of California are not subject to its requirements. This is not a question governed by California Law but by Article 14 of the U.S. Constitution.

For some background, §1798.140 of the CCPA provides that the law applies to entities that are “doing business” in California provided they meet certain thresholds. There is also an exemption for not-for-profit businesses but the way that term is defined it’s possible that these exemptions will not apply to credit unions when the regulations are finalized by the California Attorney General. Both CUNA and NAFCU have understandably asked for clarification as to how exactly California is going to define these terms.

But keep in mind that no matter how California seeks to interpret its own regulations, it is constrained in its ability to impose these far reaching requirements on out-of-state entities. As none other than RBG explained for the Supreme Court

A state court’s assertion of jurisdiction exposes defendants to the State’s coercive power, and is therefore subject to review for compatibility with the Fourteenth Amendment’s Due Process Clause. *919 International Shoe Co. v. Washington, 326 U.S. 310, 316, 66 S.Ct. 154, 90 L.Ed. 95 (1945) (assertion of jurisdiction over out-of-state corporation must comply with **2851 “ ‘traditional notions of fair play and substantial justice’ Goodyear Dunlop Tires Operations, S.A. v. Brown, 564 U.S. 915, 918–19, 131 S. Ct. 2846, 2850–51, 180 L. Ed. 2d 796 (2011)

This is not controversial. It is a bedrock legal principal embraced across the legal spectrum. This is why California Law stipulates that its state courts may exercise jurisdiction “on any basis not inconsistent with the constitution”. (Cal. Civ. Proc. Code § 410.10)

So how will you know if your credit union is doing business in California? This is a term of art, which means it will ultimately depend on the unique circumstances of each credit union’s operations. But as the Supreme Court has made clear, to establish that a company is doing business more has to be proven than the occasional, incidental and isolated contact with the state. This means that for your average credit union with specific fields of membership and concentrated almost exclusively within New York and maybe some neighboring states, California law will not apply. This will be true even if some of your members end up doing banking on the West Coast. The situation changes of course if your credit union actively engages in California. For example, if you have a field of membership that includes television actors, there is a good chance that your credit union engages in the type of continuous conduct from which a court could reasonably conclude that your credit union is doing business in the state.

Here is my suggestion; before your credit union starts complying with the CCPA, ask an attorney to do an analysis as to whether or not it actually does business in the state. Chances are this will be money well spent.

Entry filed under: Compliance, Legal Watch, technology. Tags: , , , , , .

Why Robocall Crackdown Is Hurting Your Credit Union Taxi Task Force to NCUA: It’s Time To Get Involved

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Trackback this post  |  Subscribe to the comments via RSS Feed


Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advise from retained counsel.

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 653 other followers

Archives