Introduction
On August 21, 2020, the California legislature enacted the California Consumer Financial Protection Law (CCFPL), which is to take effect on January 1, 2021.[1] The law renames the “Department of Business Oversight” (DBO) the “California Department of Financial Protection and Innovation (DFPI)” and, among other things, empowers the department to regulate the offering and provision of consumer financial products or services under California consumer financial laws.[2] The California legislature noted that the CCFPL strengthens “consumer protections by expanding the ability of the department to improve accountability and transparency in the California financial system and promote nondiscriminatory access to responsible, affordable credit, among other purposes.”[3] In this blog post, we examine the DFPI’s possible authority over California’s principal privacy laws. Covington will monitor how active the DFPI is in promulgating and enforcing privacy rules as the contours of the DFPI’s authority become apparent over time.
Regulated Entities
The CCFPL applies to “covered persons,” and broadly defines that term to include:
1. Any person that engages in offering or providing a consumer financial product or service to a resident of California.
2. Any affiliate of a person described in (1) if the affiliate acts as a service provider to the person.
3. Any service provider to the extent that the person engages in the offering or provision of its own consumer financial product or service.
The law exempts certain entities from its reach, including licensed finance lenders, brokers, program administrators, or mortgage loan administrators; licensed broker-dealers or investment advisors; federally or state-chartered banks and bank holding companies; and insurance companies.[4]
DFPI Enforcement Authority for Privacy Laws
The CCFPL gives the DFPI broad authorities, including the ability to “regulate the offering and provision of consumer financial products or services under California consumer financial laws and [to] exercise nonexclusive oversight and enforcement authority under California consumer financial law.”[5] “Consumer financial law” includes a California law that “directly and specifically regulates the manner, content, or terms and conditions of any financial transaction, or any account, product, or service related thereto, with respect to a consumer.”[6] Given this broad definition of “consumer financial law” and the absence of an enumerated list of laws transferred to the DFPI, there is some ambiguity as to which specific California privacy laws fall within the DFPI’s authority.
The DFPI will inherit authority over the California Financial Information Privacy Act (CFIPA), California’s counterpart to the privacy provisions of the federal Gramm-Leach-Bliley Act (GLBA), from the DBO. The CFIPA, enacted in 2003, requires financial institutions to provide California consumers notice about how their nonpublic personal information is shared and to obtain a consumer’s written consent or opt-in prior to sharing a consumer’s information with a nonaffiliated third party.[7] It also requires a financial institution to provide the consumer with the opportunity to “opt-out” of having the consumer’s information shared with an affiliated party,[8] although this provision is preempted, in part, by the Fair Credit Reporting Act per the Ninth Circuit’s decision in ABA v. Lockyer.[9] As the law was originally enacted, the CFIPA may be enforced by the California Attorney General or the “functional regulator with jurisdiction over regulation of the financial institution,” which is (1) the Department of Business Oversight, Division of Financial Institutions for state banks, savings associations, credit unions, commercial lending companies, and bank holding companies; (2) the Department of Insurance for persons engaged in the business of insurance; and (3) the Department of Business Oversight, Division of Corporations for investment brokers or dealers, investment companies, investment advisers, or residential mortgage lenders or finance lenders.[10] Because the DFPI is the successor to the DBO, the DFPI acquires the DBO’s enforcement authority over the CFIPA.
It is less clear whether or to what extent the California Consumer Privacy Act (CCPA), which took effect this year, could be considered a “consumer financial law.” The CCPA places an obligation on businesses to disclose, at or before collection, the categories of personal information they collect and the purposes for which the personal information will be used. Because the CCPA expressly exempts information collected, processed, sold, or disclosed pursuant to the GLBA or CFIPA, the CCPA would only apply in limited circumstances to a consumer’s financial information.[11] Because the law could be considered a “consumer financial law” in these limited circumstances, it arguably may fall within the DFPI’s enforcement authority. However, the DFPI is unlikely to assert broad authority for enforcing the law because the CCPA delegates enforcement authority exclusively to the California Attorney General,[12] and the CCFPL does not amend that provision of the CCPA.
DFPI Examination and Rulemaking Authority with Respect to Privacy Laws
The CCFPL provides that the DFPI “may require reports and conduct examinations on a periodic basis . . . for purposes of . . . assessing compliance with the requirements of consumer financial laws.”[13] Thus, to the extent the CCPA and CFIPA are considered consumer financial laws, the DFPI could assert examination authority over covered entities with respect to those laws.
The CCFPL grants the DFPI general authority to “prescribe rules applicable to any covered person or service provider identifying as unlawful, unfair, deceptive, or abusive acts or practices in connection with any transaction with a consumer for a consumer financial product or service, or the offering of a consumer financial product or service.”[14] The DFPI may also “prescribe rules applicable to . . . ensure that the features of any consumer financial product or service . . . are . . . disclosed to consumers.”[15] The current DBO does not have such broad rulemaking authority.
There is some ambiguity as to whether the DFPI could assert rulemaking authority regarding the CCPA in accordance with the new rulemaking authority provision. While the Attorney General of California has the authority to promulgate regulations under the CCPA, the statute itself does not give the Attorney General the exclusive authority to do so. If the DFPI were to conclude that the CCPA relates to the offering of a consumer financial product or service, it could, in theory, promulgate rules under the CCPA. Note that the CCFPL provides that if the DFPI “and another agency have joint authority, the department shall consult with that agency before promulgating regulations under such laws.”[16] In contrast, the CFIPA does not have a rulemaking provision. However, as with the CCPA, if the DFPI were to conclude that the CFIPA relates to the offering of a consumer financial product or service, it is possible that it could promulgate rules under this statute as well.
[1] Cal. Fin. Code § 90000.
[2] AB-1864, Sect. 7, proposed to be codified at Cal. Fin. Code § 90006. The CCFPL also provides the DFPI with a new registration authority, UDAAP authority, and expanded enforcement authority. AB-1864, Sect. 1, proposed to be codified at Cal. Fin. Code § 300(a).
[3] AB-1864.
[4] AB-1864, Sect. 7, proposed to be codified at Cal. Fin. Code § 90002.
[5] AB-1864, Sect. 7, proposed to be codified at Cal. Fin. Code § 90006. The CCFPL also gives the DFPI the authority to exercise nonexclusive oversight and enforcement authority under federal consumer financial laws. We note that the federal Consumer Financial Protection Act of 2010, 12 U.S.C. § 5552, provides that a state attorney general or its equivalent may enforce federal consumer protection laws against state-chartered or licensed entities.
[6] AB-1864, Sect. 7, proposed to be codified at Cal. Fin. Code § 90005.
[7] Cal. Fin. Code §§ 4051 and 4053(a)(1).
[8] Cal. Fin. Code § 4051.5(a)(3).
[9] American Bankers Ass’n v. Lockyer, 541 F.3d 1214, 1218 (9th Cir. 2008).
[10] Cal. Fin. Code § 4057(e).
[11] Cal. Civ. Code § 1798.145(e). The CCPA also does not apply to information collected, maintained, disclosed, sold, communicated, or used by a consumer reporting agency under the FCRA. Cal. Civ. Code § 1798.145(d).
[12] “The civil penalties provided for in this section shall be exclusively assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.” Cal. Civ. Code § 1798.155.
[13] AB-1864, Sect. 7, proposed to be codified at Cal. Fin. Code § 90010(b).
[14] AB-1864, Sect. 7, proposed to be codified at Cal. Fin. Code § 90009(c) (emphasis added).
[15] AB-1864, Sect. 7, proposed to be codified at Cal. Fin. Code § 90009(d).
[16] AB-1864, Sect. 7, proposed to be codified at Cal. Fin. Code § 90009(g).