The California Consumer Privacy Act is Now in Effect. What Does That Mean for Banks?

Every year or two, California reviews and updates its consumer privacy policies, imposing a number of new requirements on businesses that use personal customer information. This year is no different as the state has recently released new requirements that impact banks and other financial services companies.

But since these companies and banks are already regulated at the federal level, the California Consumer Privacy Act (CCPA) exempts certain types of personal financial information. However, regulation points to types of data, not types of companies or industries. With this in mind, it’s important for banks to know where they stand on exemption and how they can operate within regulatory guidelines and not overstep in sensitive areas that deal with consumer information.


According to the Gramm-Leach-Bliley Act (GLBA), banks and financial institutions are required to assess and implement controls for risks to certain customer data. There is also a push for protection and sensitivity around employee training and management, information systems, and detecting, preventing, and responding to failures.

Any non-compliance to these items can lead to major fines and enforcement headed up by the SEC, the FTC, or state regulators. Having certain protections and resources in place, such as cyber liability insurance for banks to protect against the fallout of a major cyberattack where sensitive customer information has been lost or stolen, is important. But working within regulations is just as vital.

Bolstering Consumer Protections

Taking effect on January 1, the CCPA upends the default state data breach notification and privacy protection laws already in place in California. For banks and financial institutions in the state, the CCPA exempts personal information that has been collected, processed, sold, or disclosed to the GLBA.

What banks and financial services companies are asking, though, is what is the true extent of this exemption ruling? The exemption does not help banks or financial institutions as a category, as mentioned above, like it would under the GLBA. Instead, the CCPA exempts the data and consumer information the GLBA covers.

The CCPA protects a wide range of information, more so than the GLBA in reality, and financial institutions are likely to have a lot of sensitive data. The CCPA covers personal information and data through a default definition that focuses more on its ability to identify its subject. Specifically, this points to information that is related to or associated with a specific consumer or household.

The GLBA, on the other hand, focuses more on a narrow category of personally identifiable financial information. The CCPA likely exempts account information or any data related to transactions, as well as information collected in order to provide consumers with products or services through a bank.

Financial services companies and banks should be sure to review their data inventories and review their current privacy practices in order to account for the differences between GLBA and CCPA.

About Financial Guaranty Insurance Brokers

Since 1983, Financial Guaranty Insurance Brokers has distinguished itself as a provider of Professional Liability, Cyber Liability, and Crime insurance products for entities of all types. To receive timely, personalized service from a knowledgeable and experienced staff, call us today at (626) 793-3330 to speak with one of our professionals.