Financial institutions in the United States are no strangers to privacy regulations, particularly given the obligations imposed by the federal Gramm-Leach-Bliley Act (“GLBA”) and the California Financial Information Privacy Act (“SB1”). More recently, financial institutions have been focused on whether and/or the extent to which the EU’s GDPR may apply to their U.S. operations. Many financial institutions, however, have yet to consider an equally important U.S. privacy development—the California Consumer Privacy Act (“Act”), a ballot initiative likely to appear on the November ballot.
If approved by voters, the Act would impose notice obligations on covered businesses to disclose the categories of personal information (“PI”) they collect, sell, and share about California consumers, and give those consumers a right to say “no” to the “sale” of their information. We discussed the Act and its potential requirements and related risks, including litigation arising from alleged violations of the Act, in greater detail in an earlier alert.
Here, we highlight certain considerations that are unique to financial institutions and evaluate the potential impact of the Act on financial institutions, particularly given their existing privacy obligations under the GLBA and SB1. Below are six key considerations for financial institutions to keep in mind as they navigate the interplay between the Act, the GLBA, and SB1.
Read our client alert.