Pub. 11 2021-2022 Issue 3

September • October 2021

• If it controls, or is controlled by, a business which meets the threshold requirements and shares branding with such business

Note, however, that obligations under California’s privacy laws would apply only with respect to personal information relating to a California resident or household.

How does the GLBA exemption work under CCPA?

The GLBA exemption under CCPA (and the forthcoming CPRA) applies with respect to personal information collected, processed, sold, or disclosed pursuant to … GLBA. Given that most personal information collected by banks and financial institutions meets this threshold, the majority of personal information processed by such organizations will be out of scope for purposes of the CCPA.

However, the exemption does not apply to all personal information. For example, personal information collected from an individual visiting a bank’s website, or applying for a job with the bank, would not be collected, processed, sold, or disclosed pursuant to GLBA, and therefore would not fall within the exemption.

The flowchart below provides a helpful graphic for understanding when the GLBA exemption may apply:

Examples of consumers whose personal information is protected by GLBA include:

• Bank customers;
• Individuals applying for a financial product or service (whether in person or online), regardless of whether application is accepted;
• A list of a third-party financial institution’s customers provided to the bank or financial institution (e.g., as part of a joint offering); and
• A legal representative (parent or guardian, for example) of an individual who is otherwise a GLBA consumer.
Examples of consumers whose personal information is not protected by GLBA (and therefore is subject to CCPA) include:

• Employees;
• An individual who opens a financial account for their sole proprietorship or on behalf of another business entity;
• Website visitors;
• Individuals on marketing lists obtained by a third-party vendor, that is not a financial institution, and sold to the bank or financial institution; and
• Individuals on general marketing lists developed or obtained by the bank or financial institution (e.g., list of attendees at a marketing event sponsored by the bank or financial institution), but who have not obtained a financial product or service from the bank or financial institution.

Examples of personal information that would not be covered by GLBA (and therefore subject to CCPA) include:

• Names and email addresses of attendees of a conference sponsored by the bank or financial institution;
• Personnel records;
• Contact information for volunteers of a charity event hosted by the bank or financial institution;
• Contact information obtained by a vendor that is not a financial institution and sold to the bank or financial institution; and
• Information obtained from an Internet cookie of an unregistered visitor who browses parts of the bank or financial institution’s website that is open to the public.

What obligations do banks and financial institutions have under CCPA?

CCPA places broad obligations on organizations that meet its threshold requirements, including:

• Duty of transparency – businesses must provide consumers with clear

continued on page 28
