Posts tagged ‘California’

Why California’s Privacy Law doesn’t apply to your Credit Union

I’m more than a little surprised by how many credit unions outside of the great state of California are concerned that they have to comply with the California Consumer Privacy Act (CCPA). As states such as New York and California move to more aggressively assert their jurisdiction, and even international actors such as the European Union seek to expand the applicability of their laws, it’s important that credit unions look beyond the specific statute they are dealing with and understand the total legal framework in which they operate.

The CCPA is landmark legislation, which aims to give consumers control of their on-line information by, among other things, giving them the ability to make sure information is deleted and giving them greater control over which third parties have access to their data. It’s modeled after Europe’s GDPR. It’s a big deal for those businesses that have to comply with its mandates. But the reality is that the vast majority of credit unions outside of the great state of California are not subject to its requirements. This is not a question governed by California Law but by Article 14 of the U.S. Constitution.

For some background, §1798.140 of the CCPA provides that the law applies to entities that are “doing business” in California provided they meet certain thresholds. There is also an exemption for not-for-profit businesses but, given the way that term is defined, it’s possible that these exemptions will not apply to credit unions when the regulations are finalized by the California Attorney General. Both CUNA and NAFCU have understandably asked for clarification as to how exactly California is going to define these terms.

But keep in mind that no matter how California seeks to interpret its own regulations, it is constrained in its ability to impose these far-reaching requirements on out-of-state entities. As none other than RBG explained for the Supreme Court:

A state court’s assertion of jurisdiction exposes defendants to the State’s coercive power, and is therefore subject to review for compatibility with the Fourteenth Amendment’s Due Process Clause. International Shoe Co. v. Washington, 326 U.S. 310, 316, 66 S.Ct. 154, 90 L.Ed. 95 (1945) (assertion of jurisdiction over out-of-state corporation must comply with “ ‘traditional notions of fair play and substantial justice’ ”). Goodyear Dunlop Tires Operations, S.A. v. Brown, 564 U.S. 915, 918–19, 131 S. Ct. 2846, 2850–51, 180 L. Ed. 2d 796 (2011)

This is not controversial. It is a bedrock legal principle embraced across the legal spectrum. This is why California Law stipulates that its state courts may exercise jurisdiction “on any basis not inconsistent with the constitution”. (Cal. Civ. Proc. Code § 410.10)

So how will you know if your credit union is doing business in California? This is a term of art, which means it will ultimately depend on the unique circumstances of each credit union’s operations. But as the Supreme Court has made clear, to establish that a company is doing business, more has to be proven than the occasional, incidental and isolated contact with the state. This means that for your average credit union with specific fields of membership and concentrated almost exclusively within New York and maybe some neighboring states, California law will not apply. This will be true even if some of your members end up doing banking on the West Coast. The situation changes, of course, if your credit union actively engages in California. For example, if you have a field of membership that includes television actors, there is a good chance that your credit union engages in the type of continuous conduct from which a court could reasonably conclude that your credit union is doing business in the state.

Here is my suggestion: before your credit union starts complying with the CCPA, ask an attorney to do an analysis as to whether or not it actually does business in the state. Chances are this will be money well spent.

January 31, 2020 at 10:31 am

California Dreaming? Why and What You Should Know About CA’s Privacy Law and Regulations

The most important regulation that is out for comment right now is not being promulgated by the federal government or New York State. Instead, they are regulations proposed by California to implement the California Consumer Privacy Act of 2018 (CCPA).

To be clear, assuming you are not a California credit union or dealing with California consumers, you can go about your day happy with the fact that there is actually a state that imposes even more onerous mandates on its businesses than New York. That being said, there isn’t a compliance person, IT professional or lawyer working with businesses or financial institutions today that shouldn’t be aware of the steps California has taken to give consumers greater control of their personal online data. We are all going to have to comply with similar frameworks sometime in the future, and my guess is that future is coming sooner rather than later.

So what is the CCPA? It is a comprehensive statute which gives California residents the right to know what private information of theirs is being collected by businesses, as well as the right to forbid businesses from selling this information to third parties. It also gives consumers the right to demand that their information be deleted, although there are exceptions to this requirement. The statute was inspired by the European Union’s GDPR framework and was a reaction to Facebook’s mishandling of account information, and the ease with which it gave this private information to vendors including political operatives who helped target voters in the 2016 election.

Why is this such a big deal? From a public policy standpoint, it codifies the principle that peoples’ personal information is theirs to control and use as they see fit. This includes a right to internet privacy. From a technical standpoint, the legislation has necessitated a fundamental shift in how information is collected, stored and organized.

For example, in New York, affected businesses worked themselves into a low-level frenzy when the Department of Financial Services established baseline requirements for the encryption of personally identifiable information. In contrast, effective January 1, 2020, California consumers will have the right to know about the specific pieces of personal information that a business has collected about them; a breakdown by category of the personal information that it has collected or sold; the purpose for which it collected or sold this information; and the categories of third parties to whom this information has been sold.

The definition of personal information is broader than what we’ve gotten used to. Specifically, this “means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The key to understanding the definition is that it captures big data uses by including information which can be used to identify a specific individual, such as an individual’s “browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.”

In recognition of the difficulty and cost of implementing this radical mandate, the law does not apply to all businesses. Instead, it applies to businesses that have at least 25 million dollars in gross revenues; that buy, receive or sell personal information of 50,000 or more consumers or households; or derive 50% or more of their annual income from selling personal information.

There is much more I could talk about, but there’s only so much I can test your patience when it comes to describing California law. Nevertheless, what California is doing will catch on. I would be asking my IT person or department what resources they would need to comply with this kind of requirement, and to start moving in the direction of being able to segregate personal information by member. The more time you give yourself to integrate this approach into your IT and compliance framework, the more cost-effective it will be.

October 16, 2019 at 9:24 am

Did The GDPR Just Land On The West Coast?

That is the question I was thinking about this morning after reading California Bill AB-375, which imposes European-like restrictions on companies doing business in California that buy and sell large amounts of personal information.

As readers of this blog may recall, I have been unapologetically equivocal when it comes to expressing my opinion as to how much credit unions should really be concerned about the General Data Protection Regulation (GDPR). After all, there are several jurisdictional hurdles that European regulators would have to overcome before imposing penalties on a credit union which has no branches on the continent, does not actively seek out European citizens for membership and only incidentally has some members who qualify for the GDPR protection. That being said, a commitment to giving consumers control over their personal data is the direction in which things are headed.

The California law passed a few days ago shows that things are moving even quicker than anticipated. Most importantly, it gives consumers the right to request that a business that collects personal information disclose to the consumer “the categories and specific pieces of personal information” that the business has collected. This requirement only applies to a consumer who has worked with the business more than once and requests such information.

Similar to the GDPR, the statute also gives consumers the right to be forgotten. Specifically, it empowers them to request that a business “delete any personal information” about the consumer which the business has collected. Finally, a consumer has the right to know if its information has been sold to third-parties. The consumer shall have the right to opt out of allowing its information to be sold by third-parties.

California likes to do things first and this statute certainly fits the bill. Now I want to stress that this bill does not apply to your credit union, unless of course it is based in California. That being said, you should be generally aware of what it mandates because California does tend to establish trends that other states like to follow and, on a practical level, because so many vendor contracts are interpreted pursuant to California law, you are likely to see increased data protection obligations imposed under some of your agreements.

Have a great July 4th! It appears that many of you are taking the week off so yours truly will be returning with a new blog on Monday. See you then.

July 3, 2018 at 8:30 am

Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.