U.S. state data privacy laws pose compliance headaches for banks
10 Mar 2021

States are stepping up their efforts to protect the privacy of consumer data, and the trend is adding to banks’ compliance challenges as stewards of vast amounts of personal information.

Virginia passed a data privacy law on March 2, while California strengthened its existing data privacy law on Nov. 3. These new rules only partially affect banks, raising plenty of questions and concerns for bank employees responsible for handling consumer data. Vendors and partners may be subject to the new laws, too. And these new laws are just the beginning: Other states, including Washington, are writing their own data privacy legislation and a national data privacy law may be coming.

“The reality for the financial services industry is that this is going to be somewhat of a national exercise one way or the other within the next few years,” said Ron Whitworth, chief privacy officer at Truist Financial in Charlotte, N.C.

These state actions are part of a broader trend of increasing consumer awareness of data privacy.

“Customers care about how you’re handling their personal data anyway,” said Jill Reber, general manager of the data privacy practice at Logic20/20, a business and technology consulting company based in Seattle. “Your end game is to keep your customer loyalty. And so if you’re mishandling their personal data because you aren’t worried about these data privacy regulations, that’s going to create a new issue for you.”

Here are answers to key questions surrounding the new Virginia law and updated California law.

When do the new laws take effect?

Both are effective Jan. 1, 2023. However, the California Privacy Rights Act of 2020 has a 12-month look-back period. This means that when consumers make a request for access to their personal information, companies are required to provide records covering the year preceding the date of the request.

“Banks are going to have to have their business processes and technical systems in place to manage the data as of January 2022,” Reber said.

To what extent does each law apply to banks?

The Virginia law exempts financial institutions that are subject to the privacy-protection provisions of the federal Gramm-Leach-Bliley Act of 1999. But banks could still be on the hook.

“If you’re a bank, the Virginia law may not apply to you directly, but absolutely could apply to some of the vendors and third parties that you do business with,” Whitworth said. “There’s also a debate within the industry about how far the exemption will carry. There is a GLBA entity exemption, but it remains to be seen how far that exemption will carry. Does it cover all activities or just banking activities? These are some of the questions that a lot of the industry benchmarking forums are already working on as they wrestle with the Virginia and California laws.”

The California law exempts data that banks already protect under Gramm-Leach-Bliley. But banks must comply with the California rules for any data that is not covered by the federal law.

Gramm-Leach-Bliley covers all personal data on people who use a bank’s products and services, including their browser history. It does not cover data gathered from people who are not customers. So if someone goes to a bank’s website and applies for a financial education newsletter, the information that consumer enters into that form is not covered by Gramm-Leach-Bliley and could be subject to the California law. Marketing data on prospects who are not yet customers may be subject to California’s rules. Once an individual starts applying for a bank product, such as a mortgage or brokerage account, the information becomes subject to Gramm-Leach-Bliley.

Banks can take two approaches to this data distinction, Reber said. Some banks are going to ignore the Gramm-Leach-Bliley exemption in California and follow the state’s more stringent rules for all consumer data, she said, because that route is easier and safer than trying to categorize and label all data. Others will draw a line between Gramm-Leach-Bliley data and other data and apply the California protections only to the latter.

It’s important for financial institutions to understand what information is subject to the California law and what is not, said Boris Segalis, partner at and co-chair of the data, privacy and cybersecurity group at the New York law firm Goodwin. “And that line usually is: A consumer visits a website and signs up for a newsletter — that data is subject to the California law. Once they start submitting their information to apply for a financial product or inquire about a product or service, that’s covered by GLBA. Even if a consumer abandons that application, that abandoned application is probably still subject to GLBA.”

What are the requirements of the new laws?

The two laws are a little different, but both generally follow some of the same principles of the European Union’s General Data Protection Regulation in giving consumers more rights around their data, such as the right to know how their data is being used, the right to access that data and the right to have their data deleted.

Virginia’s law provides consumers with the right to access any personal data a company has gathered about them; to correct that data or make the company delete it; to obtain a copy of the personal data the company has collected about them in a readily usable format that the consumer can transmit to another company (a process known as data portability); and to opt out of the use of their data for purposes like advertising, sales or profiling.

And businesses must comply with these requests within 45 days. If they don’t, consumers can appeal to the state attorney general.

Like the California law and the EU regulation before it, Virginia’s law limits the collection of data to that which is “adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed.”

Once the data has been collected, the statute mandates a business “not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.” Furthermore, the act prohibits companies from processing sensitive personal information without obtaining consumer consent.

Virginia’s law requires companies to have data privacy policies.

Under both laws, consumers can request all data a company has on them and ask to have all their data deleted.

The updated California law requires companies to tell consumers why they’re collecting and using their personal data, and then not use it for a different purpose.

“There are no secondary uses allowed without additional notice and then consent,” Reber said. This means covered businesses need internal processes and systems that flag any use of consumer data that was not anticipated at the time of collection.

Companies have to tell consumers how long they’re going to keep their personal information and then not keep it any longer than that. They cannot collect more information than they need to meet the purpose for which they’re gathering the data.

For all consumer data not subject to Gramm-Leach-Bliley, banks have to make sure they are providing privacy notices about how they collect, use and share the information that consumers provide, Segalis said.

By Penny Crosman, American Banker, 8 March 2021

Photo: Visitor7 [CC BY 3.0] via wikimedia