Pub. 11 2021-2022 Issue 3

coloradobankers.org

Colorado Banks and Financial Institutions – State Privacy Law Compliance Obligations

By Elizabeth Harding, Shareholder in the Tech Transactions & Data Privacy Practice Group at Polsinelli

Emerging privacy laws in the US are leading to increasingly complex compliance obligations for banks and other financial institutions. Colorado recently joined ranks with California (with its CCPA and upcoming CPRA privacy laws) and Virginia (with its VCDPA) by adopting its own comprehensive privacy law, the Colorado Privacy Act (CPA). The CPA comes into force on Jan. 1, 2023, and will regulate how personal information of Colorado residents is collected, used, stored, and shared.

Which organizations are subject to the CPA?

The CPA applies to organizations that conduct business in Colorado or that target their products or services to Colorado residents or households (“consumers”) and:

• Control or process the personal data of at least 100,000 Colorado consumers per year; or
• Sell personal data and process or control the personal data of 25,000 or more Colorado consumers.

To what extent does the CPA apply to banks and other financial institutions?

The good news for Colorado-based banks and financial institutions is that they are subject to a blanket exemption under the CPA on the basis that they are governed by the Gramm-Leach-Bliley Act (GLBA). The GLBA imposes privacy requirements on financial institutions’ collection of nonpublic personal information about individuals who obtain financial products or services primarily for personal, family, or household purposes.

Does this mean that Colorado-based banks and financial institutions don’t have to worry about State privacy laws at all?

No. Although Colorado (like Virginia) applies a blanket exemption to financial institutions (and their affiliates) that are subject to GLBA, other State privacy laws take a different approach.
Notably, California’s CCPA (and forthcoming CPRA) contains a narrower exclusion, which applies only to personal information collected, processed, sold, or disclosed pursuant to GLBA. In other words, the exemption applies to certain information, rather than the organization as a whole. To the extent Colorado-based banks and financial institutions are subject to the CCPA, certain personal information that they process will still be subject to the requirements of California’s privacy law.

A Colorado-based bank could be subject to CCPA in a number of ways:

• If it targets products or services to California residents or households and (a) has annual revenues in excess of $25 million, or (b) processes the personal information of 50,000 or more California residents, households, or devices, or (c) derives 50% or more of its revenues from the sale of California residents’ personal information
