With three new state consumer privacy laws set to go into effect in 2023, legal requirements around the collection and management of consumer data are rapidly changing. While new state laws provide certain carve-outs applicable to financial institutions, such entities nonetheless find themselves having to navigate an increasingly complicated landscape of privacy rules—and the changing consumer expectations and regulatory trends that produced the new laws.
Current Landscape
The year 2018 was a game changer in the privacy space. The EU General Data Protection Regulation (“GDPR”) went into effect in May, setting forth detailed rules for how entities operating in the EU or handling personal information of EU residents must manage that information. Specifically, the GDPR requires entities to establish a lawful basis for their activities involving personal information, to provide more transparency into those activities, and to respond to requests from consumers to review, correct, delete, or otherwise restrict their data. The GDPR also contains a slew of requirements related to how entities must manage data internally, including:
- data minimization;
- privacy-by-design;
- data protection assessments;
- measures to protect personal information from unauthorized access;
- data breach notification;
- restrictions on cross-border transfer; and
- detailed contractual requirements for use of third parties to process personal information to perform functions on behalf of the entity.
GDPR was groundbreaking in the scope of its requirements, but also in the penalties for non-compliance; an entity can be fined up to 4% of its global revenue for a violation.
The GDPR does not contain any exception for financial institutions; it also covers the personal information of their workforce members (employees, contractors, etc.) in Europe. The impact of the Regulation has been felt most prominently with regard to advertising activities, where there have been numerous challenges under the law to entities’ collection and use of personal information for targeted advertising activities (including through website cookies). And, while GDPR may not be forcing financial institutions to significantly change internal data use practices, the burden of complying with the Regulation’s complex data management compliance obligations is significant.
A month after GDPR’s implementation date, the first general consumer privacy law in the United States, the California Consumer Privacy Act (CCPA), was signed into law with an effective date of Jan. 1, 2020. The CCPA is largely a consumer protection statute, which gives individuals certain rights to control their data but does not impose the same internal data use and management obligations as the GDPR. It also contains an exemption for “personal information collected, processed, sold, or disclosed subject to the federal Gramm-Leach-Bliley Act” (GLBA). See Cal. Civ. Code 1798.145(e). Importantly, however, CCPA does not exempt information collected by financial institutions that is not covered by GLBA (which may include, for example, information related to marketing activities). The exemption also does not apply to one of the most significant pieces of the legislation: a provision allowing California consumers whose personal information was subject to a data breach to bring a lawsuit against the breached entity, if that entity had failed to exercise reasonable security, and to recover statutory damages, thus overcoming standing challenges that had made consumer lawsuits difficult in the past.
The CCPA as initially passed applied to workforce personal information as well as that of individuals acting in a personal or household context. A last-minute amendment exempted workforce information for a year; however, the language of the exemption still requires entities to provide notice to employees about the data processing practices of the company. Because GLBA does not cover workforce data, financial institutions are currently subject to this requirement.