The CPRA’s GLBA information exemption is not the blanket entity exemption found under other US state privacy laws. Now, certain personal information not covered by GLBA falls under the CPRA’s scope. Here's what you need to know
Robb Hiscock
Content Marketing Specialist | CIPP/E, CIPM
November 29, 2022
On January 1, 2023, the California Privacy Rights Act (CPRA) is set to go into effect, expanding upon the rights afforded to consumers established under the California Consumer Privacy Act (CCPA). The California legislature amended the CCPA in August 2018, recognizing the conflict between the CCPA and sectoral frameworks such as the Gramm-Leach-Bliley Act (GLBA). This resulted in an exemption for personal information covered by the requirements of the GLBA being written into the CCPA.
In contrast, privacy laws passed by other states including Consumer Data Protection Act (CDPA) in Virginia, Colorado Privacy Act (CPA) in Colorado, Utah Consumer Privacy Act (UCPA) in Utah, and Connecticut Data Privacy Act (CTDPA) in Connecticut include broader entity-level exemptions for financial institutions subject to the GLBA. This means, unlike Virginia, Colorado, Utah, and Connecticut, financial institutions operating in California or collecting personal information on California residents may still be subject to the CCPA and CPRA when collecting and processing personal information in certain instances. Therefore, it is still critical for financial institutions to understand where the CCPA and CPRA apply. The main two stipulations laid out by the GLBA are explained below.
Title V of the GLBA governs the treatment of non-public personal information about consumers by financial institutions. Regulations within Title V do not apply to organizations covered by the CCPA and the CPRA in the situations outlined in this section.
When a financial institution collects CPRA-covered personal information from “persons that do not obtain a financial product or service from a financial institution and is merely browsing the website,” the GLBA does not cover such processing. In this instance, the organization might collect personal information from web visitors to improve site performance or deliver targeted advertising. In the context of the CPRA, this personal information would be subject to the privacy protections of the law and would need to be included in consumer rights requests. Financial institutions will therefore need to consider mechanisms to facilitate consumer opt-out requests, including those sent via the Global Privacy Control (GPC) – a universal opt-out signal that the CPRA requires businesses to honor.
The scope of the GLBA only applies to nonpublic personal information about individuals who obtain financial products or services primarily for personal, family, or household purposes. Furthermore, it “does not apply to information about companies or individuals who obtain financial products or services for business, commercial or agricultural purposes” (12 C.F.R. 216.1(b)) For example CPRA will apply in situations when a financial institution collects and processes personal information from representatives of businesses who are California residents when such personal information is used to process commercial loans, commercial checking accounts, or other B2B services.
Consequently, GLBA does not govern the collection of personal information in situations when a financial institution collects and shares with third parties, personal information about representatives of companies or individuals who obtain financial products or services for the above-mentioned purposes. In these scenarios, the requirements for facilitating the opt-out of sharing data with third parties is in-scope for CPRA, and organizations need to establish mechanisms to communicate consent signals downstream, such as the GPC, to vendors and partners with whom the information is shared.
Another area that the GLBA does not govern is the collection of information about a business’s employees. When the CPRA takes effect on January 1, 2023, the exclusion of employees as covered individuals will expire and financial institutions will be required to extend a set of privacy rights to employees, contractors, job applicants, and former employees, similar to those afforded to consumers.
As seen under the employee inclusion under GDPR, the extension of the right to know will pose new and unique challenges for organizations that includes providing a different intake and verification method, as well as finding personal information held in different systems. This also introduces more unstructured data and a greater opportunity for personal information to be co-mingled with sensitive personal information of others or proprietary business information. Again, businesses will need to consider mechanisms to capture requests from current and former employees, applicants, and contractors, and establish processes to narrow the scope of what to include in the response without creating an undue burden on the requestor.
OneTrust helps financial intuitions to close the compliance gap between GLBA and CPRA and create trusted experiences with customers and employees. The OneTrust Privacy & Data Governance Cloud enables businesses to build holistic privacy programs that encompass cross-regulation frameworks and best practices to future-proof organizations against a continuously evolving US privacy landscape.
OneTrust’s automated tools can help financial institutions cover the three areas where the CPRA applies in absence of GLBA requirements including:
Talk to an expert today and request a demo to see how the OneTrust Privacy & Data Governance Cloud can help your organizations fulfill its obligations under the GLBA and CPRA.
Webinar
Join us for a deep dive tour of our suite of technology solutions for operationalizing and automating CPRA requirements across Do Not Share, Consumer Rights and privacy governance operations.
Webinar
Join us for an in-depth webinar on "Going Beyond CCPA," where we will explore the intricacies of privacy laws, compare major regulations, and provide guidance on enhancing your privacy policy.
Webinar
Join us for an insightful webinar on "The Evolution of CCPA" where we will delve into the latest amendments, understand their impact, and explore the new requirements and implications for businesses.
Webinar
Mastering Data Privacy: Expert Guidance on CCPA, CPRA, GDPR Compliance, Privacy Policy Best Practices, and Live Demo Insights
Webinar
Join us for an interactive webinar we dive into the CPRA, which will go into force on March 29th.
Webinar
Attend OneTrust DataGuidance’s webinar to learn from experts about the CCPA, as amended, and its most pressing compliance questions.
Webinar
Join industry experts at OneTrust & Protiviti for an operational deep dive and interactive Q&A on the upcoming US State laws set to go into effect in 2023.
Checklist
Download this checklist to make sure your organization follows the right steps to implement processes that achieve California Privacy Rights Act compliance.
Webinar
Watch this on-demand webinar to get an overview of the CPRA including new obligations for businesses and exemptions for select organizations.
Webinar
In this webinar, you will learn what challenges the new CPRA employee rights will introduce, which CCPA learnings apply as you prepare for CPRA, and more.
Webinar
Join this webinar to learn about the rights request fulfillment complexities introduced by the end of the employee exclusion in the CPRA.
eBook
Download this guide to learn how you can comply with the CCPA's opt-out requirements to get on the right track to CCPA compliance.
Webinar
In this webinar, Odia Kagan explained what is new in the draft CPRA regulations and the American Data Privacy and Protection Act (ADPPA).
White Paper
This guide to California privacy law compliance helps your organization understand the requirements under the CCPA and CPRA.
eBook
Download this eBook and explore the key areas of US state privacy laws and how they compare.
Webinar
In this webinar we cover how data discover and mapping helps you streamline compliance with US privacy laws such as the CPRA, the CDPA, and Colorado's Privacy Act.
Webinar
Watch this webinar and prepare for compliance with the CPRA's employee rights requirements.
Webinar
Watch this webinar and start doing these 5 things to help you prepare for the California Privacy Rights Act (CPRA).
Webinar
Watch this webinar to learn more about California's employee privacy rights requirements and how to comply.
Webinar
Watch our webinar on US privacy laws and gain insight on effective personal information managment strategies.
Checklist
The CPRA's effective date is on the horizon and with it comes several new requirements. Download this checklist and work towards CPRA compliance.
Webinar
Join us for an overview of US privacy laws and strategies for dealing with compliance.
Webinar
Watch this free webinar and see how the CCPA and CPRA compare with the GDPR.
Webinar
In the first part of our US Privacy Series, we discuss US privacy laws such as the CPRA and best practices towards compliance.
Infographic
Download our infographic on employee rights under the CPRA to help prepare for the law's expansion in CPRA.
Webinar
Watch this webinar to learn about Global Privacy Control (GPC), how it centralizes user opt-out preferences, and streamlines compliance with CCPA and CPRA.
Webinar
Join us for a webinar as our legal experts discuss the key differences between the CPRA vs the CCPA.