CCPA clarity needed for credit unions to properly comply

December 6, 2019

CUNA seeks clarity on the California Consumer Privacy Act (CCPA) rules so credit unions can properly comply. The law’s definition of “business” needs further clarification, CUNA wrote, as the definition in the bill does not address not-for-profit status.

CUNA also seeks additional guidance on the “doing business in California” requirements, as the vast majority of credit unions are outside of California and likely do not seek to serve California residents.

“Some businesses with few customers in California may elect not to serve customers who live in the state, but credit unions cannot easily do this as they, by law, cannot close member share accounts without a vote of the membership of the credit union – a process that is involved and impractical for this purpose,” the letter reads. “A company should be allowed to serve a de minimis number of California residents without meeting the “doing business in California” requirements to allow for isolated instances where a business, such as a credit union, must provide services to California residents by law, yet does not seek to market itself in California or open accounts for California residents.”

Other CUNA recommendations include:

  • Clarification on the exemption for personal information collected, processed, sold or disclosed pursuant to the federal Gramm-Leach-Bliley Act (GLBA) or the California Financial Information Privacy Act, which use terms inconsistent with one another;
  • The California Attorney General should propose model notices that satisfy the notice requirements of the CCPA and proposed regulations;
  • The requirement that businesses directly notify the consumer of a new use and obtain “explicit consent” to use information for this new purpose does not require an opt-out. CUNA recommends replacing this requirement with a new notice to the consumer along with a 30-day opt-out;
  • Changing the requirement that additional information be provided in a privacy policy that isn’t required by statute;
  • Replacing the current unnecessary and complex two-step process for responses to a “request to delete” and “requests to opt in after opting out” with a simpler one-step process;
  • The proposed “request to know” and “requests to delete” sections in the regulation are not necessary and not required by statute;
  • CUNA requests that the business request to opt out regulations follow the GLBA; and
  • The effective date of the CCPA should be delayed two years to Jan. 1, 2022, and the date when enforcement by the attorney general is allowed (six months after the effective date) should also be delayed by two years.