USA: State privacy law exemptions for financial institutions
In the US, privacy laws are quickly evolving - especially for financial services companies. A significant number of states are passing or contemplating laws to protect personal information, including consumer financial information. At the same time, U.S. federal regulators are either initiating or updating laws and regulations, including recent changes to the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule and the U.S. Congress considering a federal privacy law. This ever-changing landscape makes it challenging for financial institutions to navigate whether state privacy laws apply to their operations. In this Insight article, Eyvonne Mallet, Of Counsel at Loeb & Loeb LLP, outlines current state privacy law exemptions for financial institutions and suggests best practices for businesses in the financial space.
GLBA: Entity level vs. data level exemption
GLBA regulates financial institutions - defined as any institution or business that engages in activities that are financial in nature, or incidental to such financial activities, as determined under §4(k) of the Bank Holding Company Act of 1956. Financial institutions can include banks, securities brokers and dealers, insurance underwriters and agents, finance companies, mortgage bankers, and travel agents. In Virginia, Connecticut, Utah, Tennessee, Montana, Florida, Texas, Iowa, and Indiana, GLBA-regulated entities can avail themselves of entity-level exemptions, meaning that the entire business, as a regulated entity, is outside the scope of those states' privacy laws. This exemption makes no distinction between financial and non-financial business operations: if the entity is GLBA-regulated, it is fully exempt from the above-mentioned state privacy laws.
However, privacy laws in certain other states, such as California and Oregon, contain only data-level exemptions for consumer financial information that is regulated by GLBA. Although such regulated data maintained by the business will be exempt, the business as an enterprise will still need to comply with the state's privacy law. This includes making mandatory public-facing disclosures regarding the business's data collection practices and allowing consumers to exercise their statutory rights over the personal data that the business maintains.
GLBA: Data level exemption in California and Oregon
As of June 2024, GLBA-regulated companies are outside the scope of all state privacy laws except those of California and Oregon, where only a data-level exemption applies. In every other state, the entity-level exemption means that any data processed by a GLBA-regulated entity is exempt, on the reasoning that the data is already covered by GLBA's Privacy Rule, which requires financial institutions to disclose how nonpublic personal information (NPI) is collected and shared and to give consumers the opportunity to opt out of the sharing of their NPI with nonaffiliated third parties. As such, companies that are subject to GLBA need only consider the California and Oregon state privacy laws.
While the California Consumer Privacy Act (as amended by the California Privacy Rights Act, collectively referred to as the CCPA) includes an exemption for personal information that is subject to GLBA, it is not an entity-level exemption. Under the CCPA, if financial institutions collect personal information that is not subject to GLBA, that personal information may be subject to the CCPA. Additionally, the CCPA does not exempt financial institutions from its private right of action concerning data breaches. Under this provision, California residents can sue businesses when their non-encrypted and non-redacted personal information is subject to unauthorized access, theft, or disclosure as a result of the business's failure to implement and maintain reasonable security procedures and practices.
In Oregon, the Oregon Consumer Privacy Act (OCPA) provides a narrower exemption for financial institutions than the other states' privacy laws. Under the OCPA, only 'financial institutions,' as defined under §706.008 of the Oregon Revised Statutes (ORS), are subject to a full exemption. The definition of 'financial institution' under this statute is narrower than that under GLBA. It applies only to Federal Deposit Insurance Corporation (FDIC) insured institutions, banks organized under the laws of another country, Oregon-chartered credit unions, out-of-state credit unions, and federal credit unions. An affiliate or subsidiary of such a financial institution is also exempt from the OCPA if it meets a certain threshold of 'control' and is 'only and directly engaged in financial activities,' as described in §4(k) of the Bank Holding Company Act. In contrast, GLBA applies to a much broader array of financial institutions, i.e., businesses significantly engaged in financial activities - a broad umbrella. The Oregon legislature's choice to provide a narrower financial institution exemption means that the OCPA will sweep in a wide range of companies, even if those companies are 'financial institutions' under GLBA and exempt from the other states' privacy laws (California aside). Consequently, customer information that would be exempt if it was collected, processed, sold, or disclosed under and in accordance with GLBA may not be exempt under the OCPA.
As a result of the differing state law exemptions, companies must assess their exposure and ensure compliance with the quickly expanding list of state data privacy laws, which apply based on where their customers reside, not only on where the financial institution is located. As more laws take effect, financial institutions need to review and understand how the nuances of each law may affect their operations, policies, and practices, including any exemptions that may apply, given that not all state laws include entity-level GLBA exemptions.
What now? Actions financial institutions should consider in operationalizing privacy law compliance
Although privacy laws are in flux and nuanced, companies in the financial services space can lay the groundwork to operationalize current and future privacy law requirements. Specifically, companies should consider actions such as:
- Establishing privacy as a strategic objective. Companies should treat privacy as a strategic objective rather than merely a matter of compliance. This ensures that the company develops policies, procedures, governance structures, and enterprise-wide communications that focus on protecting the privacy of company and customer information.
- Making data management and governance an enterprise priority. Companies should review and analyze their data management and governance methodologies for data protection and privacy to confirm that these methods comply with privacy laws and customer expectations. This requires a company to assess how it collects, manages, discloses, protects, retains, and disposes of customer information.
- Solidifying board-level accountability. Companies should establish board-level oversight and accountability to ensure that the organizational culture of privacy is a leadership priority.
- Securing organizational buy-in. Companies should focus on creating a culture where there is buy-in to the significance of privacy and data protection from a regulatory and consumer perspective. To develop this culture, the company must provide privacy and data security education and communicate with management and employees to ensure that they are aware of the privacy laws and related internal policies and procedures, as well as any changes.
- Developing scalable and flexible privacy programs. As privacy laws change, a company with a scalable and flexible program will be able to adapt to new privacy law requirements.
The evolution of privacy laws shows no sign of slowing in the near future. Companies must therefore understand privacy law requirements and build internal structures that support compliance: processes, policies, reporting structures, and programs that operationalize current requirements and prepare them to address new or changing privacy laws quickly.
Eyvonne Mallet, Of Counsel
Loeb & Loeb LLP, Washington, DC