

Financial Institutions Caught in the Net of the New Privacy Laws

Rachel Marmor


With three new state consumer privacy laws set to go into effect in 2023, legal requirements around the collection and management of consumer data are rapidly changing. While the new state laws provide certain carve-outs applicable to financial institutions, such entities nonetheless find themselves having to navigate an increasingly complicated landscape of privacy rules—and the changing consumer expectations and regulatory trends that produced the new laws.

Current Landscape

The year 2018 was a game changer in the privacy space. The EU General Data Protection Regulation (“GDPR”) went into effect in May, setting forth detailed rules for how entities operating in the EU or handling personal information of EU residents must manage that information. Specifically, the GDPR requires entities to establish a lawful basis for their activities involving personal information, to provide more transparency into those activities, and to respond to requests from consumers to review, correct, delete, or otherwise restrict their data. The GDPR also contains a slew of requirements related to how entities must manage data internally, including:

  • data minimization;
  • privacy-by-design;
  • data protection assessments;
  • measures to protect personal information from unauthorized access;
  • data breach notification;
  • restrictions on cross-border transfer; and
  • detailed contractual requirements for use of third parties to process personal information to perform functions on behalf of the entity.

GDPR was groundbreaking in the scope of its requirements, but also in the penalties for non-compliance; an entity can be fined up to 4% of its global revenue for a violation.

The GDPR does not contain any exception for financial institutions; it also covers the personal information of their workforce members (employees, contractors, etc.) in Europe. The impact of the Regulation has been felt most prominently with regard to advertising activities, where there have been numerous challenges under the law to entities’ collection and use of personal information for targeted advertising activities (including through website cookies). And, while GDPR may not be forcing financial institutions to significantly change internal data use practices, the burden of complying with the Regulation’s complex data management compliance obligations is significant.

A month after GDPR’s implementation date, the first general consumer privacy law in the United States, the California Consumer Privacy Act (CCPA), was signed into law with an effective date of Jan. 1, 2020. The CCPA is largely a consumer protection statute, which gives individuals certain rights to control their data but does not impose the same internal data use and management obligations as the GDPR. It also contains an exemption for “personal information collected, processed, sold, or disclosed subject to the federal Gramm-Leach-Bliley Act” (GLBA). See Cal. Civ. Code 1798.145(e). Importantly, however, the CCPA does not exempt information collected by financial institutions that is not covered by GLBA (which may include, for example, information related to marketing activities). The exemption also does not apply to one of the most significant pieces of the legislation: a provision allowing California consumers whose personal information was subject to a data breach to bring a lawsuit against the breached entity and recover statutory damages if that entity had failed to exercise reasonable security, thus overcoming the standing challenges that had made consumer lawsuits difficult in the past.

The CCPA as initially passed applied to workforce personal information as well as that of individuals acting in a personal or household context. A last-minute amendment exempted workforce information for a year; however, the language of the exemption still requires entities to provide notice to employees about the data processing practices of the company. Because GLBA does not cover workforce data, financial institutions are currently subject to this requirement.

What’s Happening in 2023

The California Privacy Rights Act (CPRA), which passed as a ballot referendum in 2020, amended the CCPA and will be fully effective January 1, 2023. For any consumer information not subject to GLBA, the CPRA will expand financial institutions’ obligations regarding that data—specifically, entities will now have an obligation to minimize processing of personal information and to make additional disclosures about data retention, and consumers will be able to request that the entity restrict processing of sensitive information about them (such as government identifiers, race, and ethnicity). Financial institutions that have not already mapped which of their data is subject to California privacy law and which is exempt will urgently need to do so in order to determine the contours of their CPRA obligations. At minimum, it is likely that some website cookie data is not covered by GLBA, and therefore financial institutions will have to update their websites and public disclosures to comply with the new requirements (including enabling websites to honor Global Privacy Control browser signals).

The CPRA will also apply to workforce data and will require financial institutions to respond to requests from workforce members to access their personal information, to have it corrected or deleted, to opt out of sale, and to restrict the processing of their sensitive information. The workforce privacy notice will also have to include detailed information about the entity’s retention practices for workforce personal information—practices that may need to be adjusted to comply with data minimization obligations.

Virginia and Colorado also have comprehensive consumer privacy laws that go into effect on January 1 and July 1, 2023, respectively. These laws are narrower than the GDPR and less prescriptive than the CCPA, and don’t apply to workforce data, but they do impose onerous requirements to collect consent for the use of sensitive personal information and to conduct data protection assessments. Virginia and Colorado will exempt financial institutions subject to GLBA—but that doesn’t mean that such institutions will be unaffected.

Directly, the new laws in these states (as well as the CPRA) have extensive requirements for contracts involving data sharing to ensure that privacy protections carry over to the receiving entity. In an industry ecosystem where financial institutions partner frequently with fintechs, consumer data providers, and other (potentially non-regulated) entities, individual institutions will be forced to put more definition around the role they play in data sharing (data controller or processor), and may become subject to certain obligations of these laws via contract—or find their access to information for KYC research curtailed.

Indirectly, the expansion of consumer rights to new states may be a tipping point that pushes entities outside the financial industry to offer access, deletion, and opt-out rights nationally, in part due to ease of administration and in part due to pushback from consumers in other states who don’t understand why they are being treated differently. Consider, for example, that cookie banners became ubiquitous in the US upon the implementation of GDPR, even though they were only required for EU website visitors. As consumers come to expect certain rights from all entities they deal with, they will carry those expectations to their dealings with financial institutions. Moreover, financial institutions are likely to find that internal data management processes cannot be applied on a jurisdictional basis, because services generally collect data the same way nationally (or even globally), and network systems mix data from different jurisdictions. To the extent that compliance with new requirements necessitates a change in organizational culture around data management, the jagged requirements of GDPR, CPRA, and other U.S. state laws, as applicable, are enough to force global change.

But Wait, There’s More

The new state laws are also motivating regulators to broaden the application of existing federal laws to align with these trends and new consumer expectations. For example, the GLBA Safeguards Rule was amended last fall for the first time in 15 years to expand requirements for the protection of consumer information. Federal banking regulators also published new incident reporting requirements for regulated institutions last November, which will require an institution to notify its regulator within 36 hours of an incident that harms the confidentiality, integrity, or availability of an information system or the information in it. The Securities and Exchange Commission released a proposed rule on March 9 which would require public companies to report material cybersecurity incidents on their Form 8-K within 4 days.


One theme that emerges strongly from the new privacy and security requirements is that lawmakers are no longer focused on just notice and consent; they are pushing organizations to improve their practices around the management and protection of data. As financial institutions aim to offer more data-driven products and use data to optimize internal operations, embedding principles of conscious data management becomes critical to the entity’s business operations. Specifically, financial institutions must implement technology, policies, and processes that ensure cross-functional teams work together to document the personal information the entity processes (in a dynamic way that can be updated as practices change), assess how the complex array of legal requirements applies to that information, and then comply with those requirements across the lifecycle of the information.

This article was prepared by the Business Law Section's Banking Law Committee.