What started as a simple question-and-answer session among chief privacy officers from major U.S. banks quickly fell down a compliance rabbit hole at the IAPP's Privacy. Security. Risk. conference in Las Vegas, Nevada. As has been the case with many U.S. privacy compliance discussions, the culprit of the unforeseen trip was the California Consumer Privacy Act, or more specifically, an exemption to the law.

The CCPA carve-out that unexpectedly seized the session was related to the Gramm-Leach-Bliley Act. The GLBA, also known as the Financial Modernization Act, regulates how a financial organization deals with individuals' private information. The mere mention of the GLBA within an answer to how the CPOs balance CCPA compliance versus other regulatory compliance made the exemption a recurring theme.

"In some cases you don't have to provide data back [to a consumer]. You may have a legal exemption," SunTrust Senior Vice President and CPO Ron Whitworth, CIPP/C, CIPP/E, CIPP/US, CIPM, FIP, said. "For example, the data they may be asking for is covered by the GLBA exemption, so we do not have to give it to you. That's where we are deeply engaged with our client experience teams because at the end of the day, we all have a strong interest in making our clients happy and giving them what they want but do it in a responsible manner."

The GLBA conundrum comes down to its definitions for protected personal information cutting into the CCPA's broader definitions. The exemption states personally identifiable financial information is consumer information provided for a product or a service. According to the exemption, any GLBA-defined information that is "collected, processed, sold, or disclosed" in accordance with the GLBA does not fall under the CCPA. 

Whitworth said he and his industry colleagues are constantly in discussion on how to best tackle the balancing act of multiple compliance efforts, including those of the CCPA against the GLBA. However, he said there have been tough conversations within industry forums on general interpretation of regulations and aligning approaches appropriately to create a standard for best practice among all banks.

The role of the GLBA exemption in CCPA compliance came up again in discussions about data requests related to portability and the CCPA's requiring organizations to post "Do Not Sell My Personal Information" on their websites to allow for consumer opt-outs. Both scenarios spawn transparency issues that U.S. Bank CPO and Associate General Counsel Tim Nagle, CIPP/US, said vary depending on the size of a financial institution. However, Nagle suggested that the friction between the two laws is avoidable so long as there is clear and proper disclosure of information.

"We share all the time with vendors and partners. Sharing isn't a bad thing, and I'd argue selling isn't a bad thing, under California law so long as you're disclosing," Nagle said. "It's not even an opt-in but an opt-out. They just want people to know and understand how data is being used and distributed. I'm for that so long as we figure out how to do it properly." 

The concept of over-compliance was suggested, at which point Nagle explained that deference to the federal regulatory scheme, which in this case is the GLBA, comes before any state law. Nagle also mentioned banks shouldn't view over-compliance in a bad light despite the potential of extra work and resources.

"To me it makes sense," Nagle said. "We're financial institutions. CCPA isn't because of something we did, but we like everyone else are required to comply. We do have a long history of being regulated. So are we overexposing or over-complying? Maybe, but it's sort of just pointing out the fact that we're prepared to take on whatever comes next."