With the close of California legislative session on Sep. 13, we now know with relative certainty what the California Consumer Privacy Act (CCPA) will look like when it goes into effect on Jan. 1, 2020, as the last five amendments went to Gov. Gavin Newsom’s desk for signature. So did the amendments change anything for financial institutions? To address that, let’s lay out what financial institutions already knew before these amendments, what the amendments changed, and also, what they did not change as some had hoped.

Almost undoubtedly, the CCPA exclusion most pertinent for financial institutions is the Gramm-Leach-Bliley Act exclusion, stating that any personal information collected, processed, sold and disclosed pursuant to the federal Gramm-Leach-Bliley Act (GLBA) is exempt from CCPA coverage. Generally speaking, this means that any data collected in connection with issuance of a financial product is outside of scope of CCPA, rationale being that the CCPA protections are not necessary for data already covered by a different privacy regulation. It is worth noting that the GLBA only applies in the context of consumer financial products, which means that information about individuals obtained in the context of business financial products does not fall under the GLBA and therefore falls under the CCPA, provided no other exemption applies.