By Brian Casey, Theodore Augustinos, and Alex Cox

Four years ago, the California Consumer Privacy Act[1] created a new, rigorous regulatory and data processing environment for businesses processing personal information of California residents.

However, many questions about the implementation of the CCPA, and its amendments through the voter ballot initiative of the California Privacy Rights and Enforcement Act of 2020,[2] still abound.

One of the oft-overlooked consequences of this law is how its exceptions change the received wisdom of various industries, including for extended warranties — known as service contracts in legal parlance — which may have attempted to structure their businesses to avoid the application of data privacy and security regulations like those promulgated pursuant to the Gramm-Leach-Bliley Act where possible.

The CCPA turns this on its head, as through its exemption for information subject to the California Financial Information Privacy Act, or CalFIPA — California’s GLBA regulation — it may be preferable to fall under the GLBA’s data privacy and security rules instead of those in the CCPA.

Extended warranty providers would be well advised to assess their exposure to CCPA and the applicability of the GLBA exemption, to determine how they plan to address the coming wave of omnibus state consumer privacy laws that began in California, but will expand in 2023 to Colorado, Connecticut, Utah and Virginia.

A service contract obligor may, through distributors, sell service contracts covering various types of consumer goods purchased by California residents such as vehicles and everyday electronics, by which the obligor promises to repair or replace the consumer goods beyond a product manufacturer’s customary warranty and thus provide indemnity under certain circumstances.

In these circumstances, the obligor receives basic ‎information about the consumer purchaser, such as name, residential address, telephone ‎number, email address and the type of covered product.

They may also receive other information if a claim is filed under a contract about the claim that would be identifiable to the claimant.

Assuming the obligor otherwise meets the thresholds for CCPA applicability,[3] at first it appears they may need to treat this personal information as protected by the CCPA.

The twist comes when the obligor, which may have historically taken the position that it falls outside of the GLBA, now wants to treat information as subject to the GLBA, and thus exempt the CCPA.

In summary, the GLBA and its supporting statutes and regulations apply to financial institutions and its obligations for the protection and disclosure of nonpublic personal information.[4]

Under CalFIPA, a regulated financial institution is “any institution the business of which is engaging in financial activities as described in Section 1843(k) of Title 12 of the United States Code and doing business in this state.”[5]

An extended warranty obligor is likely engaged in activities that are financial in nature, as defined by Title 12 of the U.S. Code, Section 1843(k), that includes by way of example, “[i]nsuring, guaranteeing, or indemnifying against loss, harm, damage, illness, disability, or death.”[6]

In particular, California defines a consumer electronics service contract to mean, in relevant part, ‎a contract in writing to perform, over a fixed period of ‎time or for a specified duration, services relating to the maintenance, ‎replacement, or repair of consumer goods and may include provisions for ‎incidental payment of indemnity under limited circumstances, including, but not ‎limited to, power surges, food spoilage, or accidental damage from handling‎.[7]

Furthermore, it should be noted that service contracts — where issued by a third party that is not the covered product manufacturer or its affiliate usually would be classified as an insurance product, except for state service contract laws that statutorily deregulate these contracts from treatment as insurance policies — are clearly a financial product or service, although they remain regulated in most states by state insurance departments.

In such circumstances, the obligor appears to be a financial institution under GLBA. This means the nonpublic personal information the obligor collects, is subject to CalFIPA.

Nonpublic personal information is very broadly defined to include any information, other than publicly available information, obtained by a financial institution from a consumer — a purchaser of financial products or services primarily for personal, family or household purposes.[8]

The requirements found in the GLBA’s privacy rule[9] and the safeguards rule[10] are similarly limited and apply in the context of nonpublic personal information.[11]

As described above, the obligor collects information about individuals who obtain financial products or services, which are used primarily for personal, family or household purposes, and therefore is engaged in the collection of nonpublic personal information of California consumers.

Under the CCPA, a business is a sole proprietorship or legal entity engaged in a for-profit business activity in California that collects or processes consumers’ personal information and:

· Has more than $25 million of annual gross revenues;

· Buys, sells, or shares personal information of 100,000 or more consumers or households; or

· Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.[12]

If the obligor is a business, it is subject to the CCPA to the extent that the obligor collects personal information, defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or ‎could reasonably be linked, directly or indirectly, with a particular consumer or household.[13]

Personal information does not include publicly available information or de-identified information. While this definition is extremely broad, importantly, the CCPA carves out information otherwise regulated by CalFIPA and the GLBA.

Thus, to the extent that the data the obligor collects and processes is subject to CalFIPA or the GLBA, this data is exempt from the CCPA and CPRA.[14]

In this case, the data would be collected, used and shared subject to the less stringent data processing environment of CalFIPA or the GLBA to that of the CCPA and its intensive contracting and consumer rights provisions.

The recent updates to the GLBA safeguards rule from the Federal Trade Commission, which will become effective Dec. 9, have placed entities subject to FTC jurisdiction under a cybersecurity regime similar to the New York Department of Financial Services Cybersecurity Regulation, which is a current high bar for the financial products and services industry.

Some organizations will prefer this posture, as strong security protections have business oriented benefits, while providing consumer rights are typically viewed as a cost on the business with little gain beyond customer goodwill.

Brian Casey is a partner and co-leader of the regulatory and transactional insurance practice group at Locke Lord LLP.

Theodore Augustinos is a partner at the firm.

Alex Cox is an associate at the firm.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of their employer, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

[1] Cal. Civ. Code §§ 1798.100 et seq.

[2] Cal. Proposition 24 (Nov. 3, 2020, which amended the California Consumer Privacy Act with an enforcement effective date on July 1, 2023).

[3] https://www.lockelord.com/newsandevents/publications/2021/10/new-privacy-laws.

[4] 5 U.S.C. § 6801 et seq. (1999); Cal. Fin. Code §§ 4050 et seq. (“CalFIPA”) and 16 C.F.R. § 313.1(b) (Privacy Rule); 16 C.F.R. § 314.1(b) (Safeguards Rule).

[5] Cal. Fin. Code § 4052(c).

[6] 12 U.S. Code § 1843(k)(4)(B).

[7] Cal. Bus. & Prof. Code § 9855(a).

[8] See 15 U.S.C. § 6809 (1999) and Cal. Fin. Code § 4052(f) (explaining the definition of “nonpublic information”).

[9] 16 C.F.R. § 313.1 et seq.

[10] 16 C.F.R. § 314.1 et seq.

[11] See 16 C.F.R. § 313.1(b); 16 C.F.R. § 314.1(b); 16 C.F.R. § 314.2(b); 16 C.F.R. § 313.3(n); 16 C.F.R. § 313.3(e) (outlining how the definitions of “nonpublic personal information” in the GLBA’s Privacy and Safeguards Rules are limited to information obtained from consumers who obtain products and services used primarily for personal, family, or household purposes).

[12] Cal. Civ. Code § 1798.140(d).

[13] CCPA § 1798.140(v).

[14] Cal. Civ. Code § 1798.145(e).

Originally published by © 2022, Portfolio Media, Inc