.svg)
US privacy regulations are becoming a complex web of federal and state laws, with new rules at both levels set to be adopted this year as the country moves towards open banking.
With the growing popularity of online services and mobile payment apps in the US, users’ data passes through the hands of a growing number of third-party service providers, raising concerns about access to sensitive financial information.
Five states enacted comprehensive privacy laws in 2023, three more come into effect this year and another five will apply over the next two years. These all vary in their scope and the enforcement methods, involving state attorney general offices, consumer protection agencies or individual private action.
The state laws passed so far include:
- California Privacy Rights Act (CPRA), which came into force on July 1, 2023 and amends the California Consumer Privacy Act (CCPA) of 2020.
- Virginia Consumer Data Protection Act (VDPA), effective from January 1, 2023.
- Colorado Privacy Act (CPA), effective from July 1, 2023
- Connecticut Data Privacy Act (CDPA), effective from July 1, 2023.
- Utah Consumer Privacy Act (UCPA), effective from December 31, 2023.
This year, three more laws will come into effect:
- Oregon Consumer Privacy Act from July 1.
- Texas Data Privacy and Security Act from July 1.
- Montana Consumer Data Privacy Act from October 1.
Additionally, 17 states have one or more bills currently working through the legislative process, data shows.
The state regulations focus on introducing requirements for the processing of consumer data, such as biometrics and financial data, and the way data is handled for certain uses, including artificial intelligence (AI), data broking or targeted advertising.
Although not all will make it to passage, it is clear that more states will codify data protection requirements that will affect businesses collecting data from US consumer payments.
In addition to privacy legislation, states are increasingly enforcing cybersecurity regulations to protect consumers’ financial data. Last year, the New York State Department of Financial Services (NYDFS) revised its cybersecurity regulations, and the Federal Trade Commission (FTC) updated its Safeguards Rule.
Enforcement is expected to grow in 2024, given a rise in financial data breaches. For instance, New York's Attorney General Letitia James is suing Citibank “for failing to protect and reimburse victims of electronic fraud”.
Meanwhile, at the federal level, the Consumer Financial Protection Bureau (CFPB) is working to enact a proposal it issued in October 2023 to regulate the handling of personal financial data.
The proposed rule would require “depository and nondepository entities to make available to consumers and authorised third parties certain data relating to consumers’ transactions and accounts; establish obligations for third parties accessing a consumer’s data, including important privacy protections for that data; provide basic standards for data access; and promote fair, open, and inclusive industry standards”.
The CFPB aims to lay the groundwork for a more decentralised market structure and the development of an open banking ecosystem in the US to give consumers more control, director Rohit Chopra said in a speech last year. The agency aims to finalise the rule by the autumn.
“For firms operating globally, it also aligns with many of the guidelines in place or under consideration in other major jurisdictions around the world,” Chopra said.
US attempts to balance light touch with data protection
The US approach has so far been in contrast with Europe’s General Data Protection Regulation (GDPR), effective since May 2018, which provides one of the most comprehensive data privacy frameworks worldwide.
US state laws tend to be narrower in scope than the GDPR, and each has differences in the provisions. The US has traditionally taken more of a hands-off approach than Europe to data privacy that favours businesses.
But the passage of new legislation in recent years reflects an acknowledgement that the transition to digitalisation and accompanying rise in data breaches, including in financial services, necessitates regulation to protect individuals and meet their expectations for how their data should be used.
US privacy laws are increasingly aligning with the European approach, with several state laws borrowing from the GDPR and California's CCPA, which is the US regulation that is most comparable to the GDPR.
In some cases, businesses that comply with GDPR compliance will be well-positioned to meet US state regulations. However, there are significant differences with the GDPR and between states that businesses will need to navigate, and they may require further compliance work to comply with the new rules.
One of the main differences applies to businesses that engage in targeted digital advertising because of complex policies on the sale and sharing of personal information. Europe typically imposes an opt-in model, while US rules tend to permit opt-out models.
There are other differences in how US regulations and the GDPR approach exemption of organisations, the handling of personal data and sensitive information, transparency, data processing terms and enforcement.
The GDPR is enforced by EU members’ national data protection authorities, which can fine violators up to 4 percent of global annual turnover. US state laws are typically enforced by state attorneys general or privacy protection agencies, with potential fines ranging from $2,500 under the CCPA to $20,000 per violation under Colorado's CPA.
This US system is likely to remain fragmented, creating challenges for payments firms to navigate the requirements.
“We do not foresee any comprehensive federal privacy law being enacted in the near future because of the ongoing dispute regarding whether the federal law will preempt the various state laws, and as many states have significantly increased their enforcement staff over the last few years,” law firm Hinshaw & Culbertson states.
When it comes to using customer data, payments firms will need to ensure they manage compliance with these various rules when a data partner requests information, such as when analysing customer behaviour trends for insights into how to improve products and services and develop new offerings.
They also have implications for data sharing to comply with financial crime investigations, know your customer (KYC) and anti-money laundering (AML) requirements.
