- GLBA "notice-and-choice" system outdated, EPIC says
- Advocacy groups ask that data aggregators not be added to the GLBA as proposed
The chair of the House Financial Services Committee has promised to modernise the US financial data protection rules but consumer advocates are not convinced the new protections are strong enough.
Last week, Congress examined a discussion draft by House Financial Services Committee chair Patrick McHenry (R-NC), which would amend the 20-year-old federal Gramm-Leach-Bliley Act (GLBA).
The GLBA requires financial institutions to disclose their information-sharing practices to their customers and to safeguard sensitive data.
Members of Congress are now considering updating the law so it can provide protections that are better suited to the digital age.
Key features of the discussion draft circulated by the Republican lawmaker include the expansion of the scope of the GLBA to data aggregators and giving new, GDPR-like rights to consumers.
For instance, under the proposed Financial Data Privacy Bill, consumers would have the right to opt out of data collection and sharing with third parties and request the deletion of their data.
Although there is widespread recognition that an update of the US data protection rules is highly timely and a welcome step, consumer privacy advocacy groups highlight some serious questions about the proposal.
According to the Electronic Privacy Information Center (EPIC), the bill takes an outdated approach to privacy when it proposes to strengthen the GLBA’s “notice and choice” regime.
“This notice-and-choice regime, in which consumers are expected to read extensive privacy policies, makes it impossible for consumers to meaningfully protect their privacy” because, in practice, very few consumers read these notices or exercise their opt-out option, the organisation says.
“Rather than move past this outdated notice-and-choice system, the Financial Data Privacy bill simply adds another layer of notice — notice must now be given at the point of collection rather than just at the point of disclosure.”
Additionally, the draft includes a very broad preemption of state laws. If passed, the GLBA would supersede state privacy laws, even those that provide stronger protections for consumers, such as California’s pioneering data protection laws.
This, combined with the proposal to add data aggregators to the scope of the GLBA, would in practice mean that data aggregators could escape the stricter state regimes.
Currently, five US states have passed comprehensive data privacy laws: California; Colorado; Virginia; Connecticut; and Utah.
Among these states, California grants the narrowest exemption from its data privacy law, exempting only data collected pursuant to the GLBA. The remaining four states exempt entities governed by the GLBA altogether, even for data that is not covered by the federal law.
EPIC argues that once data aggregators are added to the scope of the GLBA, these laws would no longer apply to them.
Concerns over the broad preemption provision were also raised in a congressional hearing by progressive NGO "Americans for Financial Reform" (AFR), which pointed out that Americans’ recourse over state law violations would be significantly curtailed by the amendment.
Currently, Californians can bring businesses to court over any alleged violation of the state privacy law.
As a result of that provision, fintechs such as Plaid were held accountable for practices such as selling consumers’ data without their knowledge. Plaid eventually agreed to pay $58m, change its business practices and delete a vast amount of data.
According to Perkins Coie’s CCPA litigation tracker, there have been more than 270 cases filed at California courts over data privacy violations since 2020, with finance standing out as the sector with the most claims.
But under this draft legislation, which allows Americans to go to court only if they incurred damages resulting from a data breach, many of these companies would have evaded responsibility, AFR’s advocacy and legislative director Renita Marcellin told lawmakers.
Although this legislation expands liability to data aggregators, “the benefit gained by doing so is minimal because they too will be subject to the preemption clause. This, coupled with a very weak federal private right of action for consumers when compared to many states, creates a double whammy for consumers looking for restitution,” Marcellin stressed.
Similarly, EPIC said the committee “should not include data aggregators under GLBA coverage unless the privacy protections in this bill are substantially improved and set a higher standard than existing state laws.”
CFPB: a 'conspicuous omission'
Marcellin also pointed out that the proposed bill “conspicuously omits” the role of the Consumer Financial Protection Bureau (CFPB), the main agency looking after consumers in the financial services sector.
The Financial Data Privacy Bill names the National Credit Union Administration, the Securities and Exchange Commission and the Federal Trade Commission as federal agencies with the authority to issue regulations.
The CFPB is, however, in the process of drafting an open banking framework, which will set rules for how consumers can share their financial data with third parties.
The agency declined to comment when approached by VIXIO PaymentsCompliance.