California’s Mini-GDPR and Implications for Northwest Credit Unions


On June 28 the California Legislature passed the California Consumer Privacy Act of 2018 (CCPA). The CCPA changes the privacy requirements within California, giving residents more control over information that is collected on them and imposing new requirements and prohibitions on businesses. Violations of the CCPA could expose businesses to penalties and private actions.

The CCPA goes into effect on January 1, 2020. The legislation was rushed through the California legislature because there had been a ballot initiative that would have been voted on in November and would have gone farther than the CCPA. The CCPA and the ballot initiative mostly targeted technology companies that acquire all sorts of personal information. The legislature intends to pass a fix bill prior to the effective date to correct a few provisions within the CCPA.

Businesses will be required to make disclosures about the information they collect and the purposes for which that information could be used. Consumers may request the disclosed information, and even request that businesses delete their information. In addition, businesses would be prohibited from discriminating against consumers who exercise the right to opt out of the sale of their personal information.

Credit unions have been managing the consumer privacy protections under Gramm-Leach-Bliley for years, but some analysis will be needed to see if the CCPA provides additional protections.

Credit unions in the Northwest have been wondering what the CCPA means for them. While the following analysis should not be considered legal advice, hopefully it will be insightful for credit unions.

As many in compliance departments know, it all comes down to the definitions. Section 1798.140 provides the important definitions.

First, the consumer: (g) “Consumer” means a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier. This means your members who live in Idaho, Oregon, or Washington are not consumers under the CCPA. Nor would anyone who lives in any state other than California. Also, your members who are traveling through California would not be considered consumers, since they do not reside there. These distinctions are important when we look at the definition of a business.

The CCPA defines a business as:

(c) “Business” means:

(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:

(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.

(B) Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.

(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

(2) Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business. “Control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, servicemark, or trademark.

The questions to be answered:

  • Credit unions are not-for-profit financial cooperatives. Does this provide exemption per the “organized or operated for the profit or financial benefit of its shareholders or other owners”?
  • Does “does business in the State of California” mean it only applies to businesses that have a physical location in California, or does it include those who market to consumers within California? Or does it even include those who have consumers living in California, but that do not have a physical location there or even market to those living in California?
  • While “households” is not defined, does the 50,000 or more consumers mean 50,000 or more California residents, since that is how consumers are defined?
  • Most credit unions probably do not derive 50 percent or more of their annual revenue from selling their members’ personal information. And since the CCPA defines consumers only as those residing in California, this may provide exemption for credit unions.
  • If the business has gross revenues in excess of $25,000,000, but does not meet (B) or (C), does this still apply?

This article is not intended as legal advice, but to provide insight and thoughts for credit unions. We will continue to monitor developments as the fix bill goes through the California legislature. Credit unions may wish to consult with their legal counsel to obtain an official legal opinion on the implications of the CCPA before making any changes to their privacy policy and procedures.

Question of the Week

What should we do if a member wants to set up a trust account, and how should we set up this type of account?

First ask whether the members want to set up a trust account (also called a Totten Trust or POD account) or whether they want to set up an account for a pre-existing living trust (other types of trusts exist as well and may possibly be members). The credit union can set up a trust on its account card by listing a beneficiary on the account.

The members usually have trust papers and want to set up an account using those papers, so for our purposes they want to set up an account for a living trust (or simply an account for another type of trust). The credit union can set up an account for a living trust by setting up the account in the name of the living trust.

With an account for a living trust, the member’s attorney will usually tell the member what TIN the dividends for the living trust should be reported under. Set up the account using this number.

Legal Briefs

National Credit Union Administration (NCUA)

The NCUA announced that the $736 million share insurance distribution payments will occur the week of July 23, 2018. Dividend recipients will be mailed statements that indicate the amount they will receive.

Consumer Financial Protection Bureau (CFPB)

The CFPB announced that Acting Director Mick Mulvaney selected Paul Watkins to lead the Bureau’s new Office of Innovation, which is focused on encouraging consumer-friendly innovation.

Federal Reserve Board (FRB)

The FRB released the July 18, 2018 edition of the Beige Book. This edition indicates that economic activity has continued to expand, employment continued to rise at modest rates, and prices increased at a modest to moderate rate.

FRB Chairman Powell delivered testimony to the Senate Committee on Banking, Housing, and Urban Affairs regarding the FRB’s semiannual Monetary Policy Report.

Office of Foreign Assets Control (OFAC)

OFAC has updated the SDN list as of July 19, 2018. The last update prior to this was July 10, 2018.

Questions? Contact the Compliance Hotline: 1.800.546.4465