House Committee Moves Privacy Bill Forward

Privacy is a growing concern in the United States and as we increasingly see consumer private information being obtained and used, both by businesses and cyber criminals, regulation of the collection and disclosure of non-public information and cyber security will likely increase as well. For instance, in early March, the Biden Administration announced a new national cybersecurity strategy that, it said in a statement, was intended “to secure the full benefits of a safe and secure digital ecosystem for all Americans.” https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/. Later in March, Iowa became the sixth state, joining California and Virginia as well as Colorado, Connecticut and Utah (three states whose laws have not yet gone into effect) to enact a comprehensive data privacy law when Governor Kim Reynolds approved Senate File 262, which had been unanimously passed by the Iowa Senate and House. https://www.legis.iowa.gov/legislation/BillBook?ba=SF%20262&ga=90.

New York, of course, also has been active in seeking to regulate businesses’ use of consumer data and to penalize companies for cyber breaches. As just one example, this year, the New York State Department of Financial Services is likely to finalize updates it proposed last November to the comprehensive cybersecurity regulation it first adopted in 2017. https://dfs.ny.gov/reports_and_publications/press_releases/pr20221109221.

Notwithstanding last year’s attempt at an “American Data Privacy and Protection Act,” https://www.congress.gov/bill/117th-congress/house-bill/8152/all-actions, Congress has been notably absent among elected officials and regulators in addressing privacy issues. That makes H.R. 1165, the Data Privacy Act of 2023 (the Act), all the more interesting. https://financialservices.house.gov/uploadedfiles/glb_2023_xml_2.24_934.pdf.

On February 24, Representative Patrick McHenry (R-NC), chair of the House Financial Services Committee, introduced the Act, which is intended to amend the Gramm-Leach-Bliley Act (GLBA), with a stated goal of “moderniz[ing] financial data privacy laws and giv[ing] consumers more control over how their personal information is collected and used.” https://financialservices.house.gov/news/documentsingle.aspx?DocumentID=408613. The GLBA governs the treatment of nonpublic personal information about consumers by financial institutions. As currently written (and subject to certain exceptions), the GLBA prohibits a financial institution from disclosing nonpublic personal information about a consumer to nonaffiliated third parties, unless (i) the institution satisfies various notice and opt-out requirements, and (ii) the consumer has not elected to opt out of the disclosure. The GLBA also requires the financial institution to provide notice of its privacy policies and practices to its customers. https://www.fdic.gov/resources/supervision-and-examinations/consumer-compliance-examination-manual/documents/8/viii-1-1.pdf.

Several days after Representative McHenry introduced the Act, the committee voted 26-21, in a party line vote, to send the Act to the full House. https://www.congress.gov/bill/118th-congress/house-bill/1165/all-actions.

Although it appears that the likelihood of the Act becoming law, at least at this time, is remote, given the divided government, examining its provisions provides a good roadmap to determine what Representative McHenry and other committee members who voted to favorably report the Act to the full House would support in federal privacy legislation.

Highlights

The Act has more than a dozen separate sections. Section 2, the first section of substance in the Act, titled “Protection of Nonpublic Personal Information,” expands the GLBA’s privacy provisions to cover both customers and consumers. The Act further expands the definition of “nonpublic personal information” to include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to, directly or indirectly, with a particular individual.”

This section makes clear that nonpublic personal information, not just “personally identifiable financial information,” is protected whether an individual has a customer relationship or a consumer relationship with the financial institution holding the individual’s data. The section also makes clear that it is unlawful for financial institutions to willfully use nonpublic personal information without the consent of an individual with whom the financial institution maintains a customer or consumer relationship.

Significantly, the Act expands the GLBA’s coverage to now include “data aggregators” (more commonly known as data brokers) in the definition of financial institution. Data aggregator is defined as an entity operating a business for the purpose of accessing, aggregating, collecting, selling, or sharing nonpublic personal information.

Another section of the Act sets forth a financial institution’s obligations with respect to its collection and disclosure of nonpublic personal information. It expands the existing notification obligations of a financial institution to include the nonpublic personal information that is being collected on a customer or consumer. It also provides exceptions that include information necessary to effect, administer, or enforce a transaction requested by the consumer or customer, and information in connection with servicing or processing a request authorized by the consumer or customer. In addition, this section requires financial institutions to notify nonaffiliated third parties when a consumer or customer has terminated sharing of his or her data, and to require the nonaffiliated third party to also cease sharing the individual’s data. Finally, it requires that financial institutions “clearly and conspicuously” notify customers and consumers when their account credentials (defined as nonpublic personal information that an individual uses to access his or her account at a financial institution) are collected and how those credentials will be used or shared, and to give customers and consumers an opportunity to decline to share those credentials.

Current law requires that financial institutions provide a privacy notice when a relationship is established with a customer, and annually thereafter. The Act broadens that obligation, directing financial institutions to disclose information upon the request of a consumer or customer. In addition, it expands the information to be included in a financial institution’s privacy policy disclosure, including but not limited to:

• Nonpublic personal information collected by the financial institution;
• The purpose for which the financial institution collects that nonpublic personal information;
• How that nonpublic personal information will be used;
• The data retention policies of the financial institution;
• A description of any collection of nonpublic personal information that is not necessary to provide the specific product or service the customer or consumer is seeking;
• The right of the customer or consumer to opt out of collection of certain pieces of information;
• The right of a customer or consumer to terminate collection or sharing of his or her nonpublic personal information;
• The right of a customer or consumer to request a list of all nonpublic personal information held by the financial institution; and
• The right of a customer or consumer to direct the deletion of the nonpublic personal information held by a financial institution unless an exception is met.

The Act also has two sections relating to state law. First, it directs state insurance regulators to “issue regulations required by [the Act]” – and requires that, when doing so, they “take into consideration the cost of compliance such rules will impose on small institutions.” A key section of the Act provides that it preempts state law regulating the obligations of a financial institution with respect to the collection or disclosure of personal information; the disclosure of the financial institution’s privacy policy or information about the financial institution’s privacy policies and practices; the access to, deletion of, or other individual privacy rights with respect to personal information; and the international sharing of personal information. This is a significant change from existing GLBA provisions, which permit states to enact rules that go beyond the GLBA’s provisions.

Another section of the Act adds to the regulatory obligations of financial institutions. It makes clear that customers and consumers have the right to both access their nonpublic personal information held by a financial institution and to know the categories of nonaffiliated third parties with whom the financial institution has shared such information, as well as the categories of nonaffiliated third parties from whom the financial institution has received nonpublic personal information about them. This section also provides customers and consumers with the right to request deletion of their nonpublic personal information, with exceptions for law enforcement and other purposes. In addition, this section also requires that financial institutions notify consumers or customers annually of accounts that are inactive (defined as a consumer not using a product or service for one year). Under the Act, consumers and customers generally have the right to delete nonpublic personal information held by a financial institution unless, among other things, it is required by the Fair Credit Reporting Act or other law.

The Act also prohibits a financial institution from sharing nonpublic personal information of a customer or consumer with a foreign government, with exceptions for law enforcement purposes.

Finally, the Act’s effective date is the earlier of one year after completion of the rulemaking required under the Act or two years after the date of its enactment.

Comments

Consumer advocacy organizations and business groups sent comments on the Act to the House committee or otherwise made their views about its provisions quite clear. For example, some groups opposed the Act’s preemption provision, observing that because the GLBA applies to credit bureaus, debt collectors, auto dealers, travel agents, and many other types of businesses in addition to banks and other financial institutions, the preemption provision would override state laws relating to those companies. https://www.nclc.org/consumer-advocates-blast-so-called-data-privacy-bill-for-wiping-out-state-consumer-protection-laws/.

Similarly, the Electronic Privacy Information Center (EPIC), a privacy rights group, opposes the GLBA’s disclosure and opt-out provisions, arguing that, in practice, consumers typically do not rely on those procedures, and that “notice-and-choice” is outdated and “does not meaningfully protect privacy.” https://epic.org/documents/epic-statement-re-data-privacy-act-of-2023/. Consumer Reports agrees. https://advocacy.consumerreports.org/wp-content/uploads/2023/03/Consumer-Reports-Feb-2023-MarkUp-McHenry-Data-Privacy-Bill-Statement.pdf. EPIC further takes issue with the addition of “data aggregators” to the Act, arguing that it allows these entities to evade stricter privacy regulations and is actually worse for consumers.

The American Bankers Association urges “caution” on the Act, noting that it creates new notification requirements, while other provisions limit the data that financial institutions can collect and “impose unnecessary burdens on banks.” https://bankingjournal.aba.com/2023/02/aba-urges-caution-on-data-privacy-bill/.

And although the Independent Community Bankers of America praises various provisions of the Act, such as the “national privacy standard preempting the patchwork of state privacy laws,” it also expresses concern over the provisions in the Act prohibiting a financial institution from using nonpublic information without the consent of the customer or consumer and requiring banks to give consumers the option to have their nonpublic personal information deleted. https://www.icba.org/docs/default-source/icba/advocacy-documents/letters-to-congress/icba-letter-regarding-financial-data-privacy-act.pdf?sfvrsn=8a5b1817_1.

Conclusion

In his remarks accompanying his introduction of the Act, Representative McHenry pointed out that just as advances in technology are bringing greater access to the country’s financial system, “the amount of personal financial information collected on Americans also increases.” Federal and state regulators and state legislators are seeking to fill what they perceive to be a gap in privacy law. However, whether Congress will be able to move legislation such as the Data Privacy Act of 2023 forward to also fill the gap – or even to occupy large portions of it – remains to be seen.

Reprinted with permission from the April 17, 2023, issue of the New York Law Journal^©, ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.