States are showing increasing interest in supplementing federal protection of consumer data privacy rights. Since 2018, three states have enacted consumer data privacy statutes. The current statutes appear to be of limited concern for community banks, but bankers should be vigilant as statutes are proposed in the states where they do business. This article will briefly discuss the state privacy trend, application, bank exemptions, and what to watch for in emerging legislation.
The Growing Trend of State Consumer Privacy Regulation
In 2018, California adopted the California Consumer Privacy Act (CCPA) to extend substantial data privacy protections to California consumers and impose significant compliance obligations on certain businesses collecting, processing, or selling consumer data. There appears to be growing interest in other states to follow California’s lead. The CCPA was supplemented by the California Privacy Rights Act (CPRA) in 2020.
Recently, Virginia and Colorado enacted privacy laws that broadly protect their citizens. Other state legislatures have proposed similar laws, including House Bill 3159 introduced in the West Virginia House of Delegates during the 2021 legislative session. These new state privacy laws expand the rights of consumers concerning their data and personal information, including: the right to know whether an entity is processing their personal information; the right to access, correct, delete, and transfer this personal information; and the right to opt out of targeted advertising and the sale of personal data. The new state privacy laws are generally based on a common set of international fair information practices.
Many of the new and proposed state privacy laws appear to be patterned after the CCPA. They provide protections for data beyond the types of personal nonpublic information covered by the Gramm-Leach-Bliley Act (GLBA). The additional customer information that the GLBA does not cover includes personal information collected for non-financial products or services like publications and from web cookies when a potential customer visits a financial institution’s website.
The CCPA and CPRA only apply to businesses that do business in California. Virginia’s Consumer Data Protection Act (the VCDPA) and Colorado’s Colorado Privacy Act (the CPA) expand this in-state conduct requirement to also include persons that produce commercial products or services that are targeted to their respective residents.
Each statute sets minimum activity requirements that need to be met for it to apply to a business, including annual gross revenues (the CCPA and CPRA), the number of consumers whose data is processed (the CCPA, CPRA, VCDPA, and CPA), or the number of consumers whose data is processed in conjunction with deriving revenue or receiving a discount from the sale of that data (the CCPA, CPRA, VCDPA, and CPA). The four existing state data privacy acts appear to be targeted at relatively large data firms. Because of these multiple requirements, each state’s privacy law should be analyzed to determine whether a non-exempt financial institution is subject to it.
Exemptions for Financial Institutions
Federally insured financial institutions have long been charged with protecting customer privacy rights under regulations relating to the Gramm-Leach-Bliley Act. While the GLBA provides limited preemption of state laws, it does not preempt state laws that provide greater privacy protections than provided under the GLBA.
All of the currently enacted statutes have included some exemption for insured financial institutions. The VCDPA and the CPA appear to broadly exempt both financial institutions and data subject to the GLBA. However, the CCPA and the CPRA appear to only exempt data subject to the GLBA, not financial institutions subject to the GLBA. Thus, under the CCPA, banks could be subject to state regulatory requirements for personal information separate from the information covered by the GLBA. Interestingly, House Bill 3159 did not contain any exemptions for financial institutions or data subject to the GLBA.
What to Watch For
Most community banks should not be significantly impacted by the currently enacted state consumer data privacy laws. Community banks have proven trustworthy stewards of their customers’ information. The time to limit the risk of substantial additional and unnecessary regulatory burdens is before the bank is impacted by new legislative initiatives.
Bankers should pay attention to state data privacy initiatives. Do not assume that GLBA compliance and preemption will provide protection. Work to ensure that any new legislation includes the broadest possible exemption for financial institutions. Evaluate the level of data collection and activity by the bank, its affiliates, and its vendors. Work to ensure that legislation applies only to businesses engaging in activity levels far exceeding those of the bank.
Given the constantly evolving privacy landscape, all businesses, including financial institutions, need to be on alert for state privacy legislation in their jurisdictions to determine what privacy obligations, if any, apply to them.
Matthew Chase is an Associate Attorney with Jackson Kelly PLLC. His experience includes helping clients with real estate, energy, and privacy issues, focusing on transactional matters, due diligence, and closings. Contact Matthew at 304-284-4145 or email@example.com.
Mark Mangano is Counsel with Jackson Kelly PLLC. Mark is a former community bank CEO and owner. He focuses his practice on assisting clients with strategic planning, corporate governance, banking regulation, and mergers and acquisitions. Contact Mark at 304-670-0441 or firstname.lastname@example.org.