UPDATE: US Financial Data Privacy Law Introduced In Congress

February 28, 2023
Patrick McHenry (R-NC), the chairman of the House Financial Services Committee, has formally introduced a bill that seeks to modernise the 20+ year-old federal privacy law.

The Data Privacy Act of 2023 would amend the Gramm-Leach-Bliley Act (GLBA) to allow consumers the right to opt out of the collection of certain pieces of information, terminate the collection and sharing of their non-public personal data and request the erasure of their data.

It also imposes further disclosure obligations on financial institutions, in addition to the ones already required under the GLBA.

For instance, firms in scope must disclose the purpose of data collection, whether they collect any information that is not necessary for the provision of their services and how long they keep the collected data.

The bill is intended to provide consistency across the country concerning financial data collection by proposing to preempt state laws.

Provisions of the proposed legislation were discussed in early February in Congress where consumer advocacy groups raised concerns about the broad preemptive measures which establish that the federal law supersedes state rules.

These measures, combined with the fact that the bill brings data aggregators into scope, could practically enable firms such as Plaid to evade potentially stricter state rules, for instance, regarding enforcement.

McHenry said the legislative changes will put “American consumers back in control of their financial data”.

“It’s critical that we bring our privacy guardrails into the 21st century to match the widespread adoption of financial technology. I’m proud to introduce this legislation to secure Americans’ private financial data, without strangling innovation.”

Meanwhile, privacy advocacy group EPIC reiterated its previous concerns stating that the bill still relies on an “outdated notice-and-choice regime that does little to protect privacy”.

“Unfortunately, the updated draft does not address any of our concerns,” the group told VIXIO.

Updating the US federal financial data protection rules was named among McHenry’s top priorities when he took over the leadership of the committee following last year’s midterm elections.

Original story: US Congress Mulls Financial Data Protection Law Update (February 15, 2023)

The chair of the House Financial Services Committee has promised to modernise the US financial data protection rules, but consumer advocates are not convinced the new protections are strong enough.

Last week, Congress examined a discussion draft by House Financial Services Committee chair Patrick McHenry (R-NC), which intends to amend the 20-year-old federal Gramm-Leach-Bliley Act (GLBA).

The GLBA requires financial institutions to disclose their information-sharing practices to their customers and to safeguard sensitive data.

Members of Congress are now considering updating the law so it can provide protections that are better suited to the digital age.

Key features of the discussion draft circulated by the Republican lawmaker include the expansion of the scope of the GLBA to data aggregators and giving new, GDPR-like rights to consumers.

For instance, under the proposed Financial Data Privacy Bill, consumers would have the right to opt out of data collection and sharing with third parties and request the deletion of their data.

Although there is widespread recognition that an update of the US data protection rules is highly timely and a welcome step, consumer privacy advocacy groups highlight some serious questions about the proposal.

According to the Electronic Privacy Information Center (EPIC), the bill takes an outdated approach to privacy when it proposes to strengthen the GLBA’s “notice and choice” regime.

“This notice-and-choice regime, in which consumers are expected to read extensive privacy policies, makes it impossible for consumers to meaningfully protect their privacy” because, in practice, very few consumers read these notices or exercise their opt-out option, the organisation says.

“Rather than move past this outdated notice-and-choice system, the Financial Data Privacy bill simply adds another layer of notice — notice must now be given at the point of collection rather than just at the point of disclosure.”

Additionally, the draft includes very broad preemptions of state laws. It means that, if passed, the GLBA would supersede all state privacy laws, even those that provide stronger protections for consumers, such as California’s pioneer data protection laws.

This, combined with the proposal to add data aggregators to the scope of the GLBA, would practically mean that data aggregators could evade stricter regulations.

Currently, five US states have passed comprehensive data privacy laws: California; Colorado; Virginia; Connecticut; and Utah.

Among these states, California allows for the least degree of exemption from its data privacy laws, exempting only data collected pursuant to the GLBA. The remaining four states exempt entities governed by the GLBA, even for data that is not covered by the federal law.

EPIC argues that once data aggregators are added to the scope of the GLBA, these laws would no longer apply to them.

Concerns over the broad preemption provision were also raised in a congressional hearing by progressive NGO "Americans for Financial Reform" (AFR), which pointed out that Americans’ recourse over state law violations would be significantly curtailed by the amendment.

Currently, Californians can bring businesses to court over any alleged violation of the state privacy law.

As a result of that provision, fintechs such as Plaid were held accountable for practices such as selling consumers’ data without their knowledge. Plaid eventually agreed to pay $58m, change its business practices and delete a vast amount of data.

According to Perkins Coie’s CCPA litigation tracker, there have been more than 270 cases filed at California courts over data privacy violations since 2020, with finance standing out as the sector with the most claims.

But under this draft legislation, which allows Americans to go to court only if they incurred damages resulting from a data breach, many of these companies would have evaded responsibility, AFR’s advocacy and legislative director Renita Marcellin told lawmakers.

Although this legislation expands liability to data aggregators, “the benefit gained by doing so is minimal because they too will be subject to the preemption clause. This coupled with a very weak federal private right of action for consumers when compared to many states create a double whammy for consumers looking for restitution,” Marcellin stressed.

Similarly, EPIC said the committee “should not include data aggregators under GLBA coverage unless the privacy protections in this bill are substantially improved and set a higher standard than existing state laws.”

CFPB: a 'conspicuous omission'

Marcellin also pointed out that the proposed bill “conspicuously omits” the role of the Consumer Financial Protection Bureau (CFPB), the main agency looking after consumers in the financial services sector.

The Financial Data Privacy Bill names the National Credit Union Administration, the Securities and Exchange Commission and the Federal Trade Commission as federal agencies with the authority to issue regulations.

The CFPB is, however, in the process of drafting an open banking framework, which will set rules for how consumers can share their financial data with third parties.

The agency declined to comment when approached by VIXIO PaymentsCompliance.
