OPINION

A view from DC: The federal plan to modernize — and preempt — financial privacy rules

A U.S. House discussion draft would update the Gramm-Leach-Bliley Act with more modern privacy protections, while preempting state privacy and security laws.


Contributors:

Cobun Zweifel-Keegan

CIPP/US, CIPM

Managing Director, D.C.

IAPP

Editor's note

The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

Weeks before a discussion draft from the privacy working group of the U.S. House Committee on Energy and Commerce was rumored to be circulating among the committee's Republicans, a separate but potentially compatible draft had already been released and debated in another committee.

On 17 March, the House Committee on Financial Services hosted a hearing titled "Updating America's Financial Privacy Framework for the 21st Century." The update in question would be an overhaul to the Gramm-Leach-Bliley Act, which serves as the primary privacy law for much of the U.S. financial sector.

As originally designed, the GLBA was focused on the banking sector. But the modern financial landscape has evolved into a sprawling, interconnected set of institutions, including data aggregators, payment platforms and modern hybridized services. Only some of these organizations are subject to the privacy requirements of the GLBA. Though the Consumer Financial Protection Bureau attempted to unify some of the rules around the modern data-fueled financial industry, the resulting open banking rule is currently enjoined. Last year, the CFPB began the process of adjusting its rule. Whether and how these reforms will ultimately take shape remains uncertain. 

Gaps in coverage are not the only complaint from stakeholders about the GLBA. Overall, it is an opt-out focused law that does not fully reflect the current state of privacy practice in the broader consumer context. The discussion draft under consideration by the financial services committee includes some tweaks that bring the law more in line with other modern privacy laws, including a basic data minimization provision and updated definitions for sensitive data coverage to include geolocation and biometrics. 

The draft even has a transparency tweak for the age of artificial intelligence. Specifically, it would include a duty to disclose "the policies and practices of the financial institution with respect to the financial institution's use of artificial intelligence in the collection, processing, and utilization of nonpublic personal information."

More controversially, the draft would also change the GLBA from a federal floor for financial privacy and security rules to a ceiling. Supporting this change, remarks from the committee leadership and witnesses focused on economic efficiency, arguing that the current state-level patchwork creates barriers to entry for smaller firms and increases costs that are ultimately passed down to consumers. The preemptive approach is presented as a modern unification of a fragmented market.

Preemptive intent

As the IAPP's most recent U.S. state report explains, most state comprehensive consumer privacy laws exempt financial institutions covered by GLBA entirely from coverage under their laws. Others take a more granular, data-level approach, exempting only the specific datasets governed by GLBA, that is, nonpublic personal information collected in the context of a financial service. This means data collected and used for purposes outside of the historically banking-focused context of the GLBA, including more modern financial services and, in California, employee data, remains subject to the updated requirements of state privacy laws.

Taking recent amendments into account, there are now five states with consumer privacy laws that do not fully exempt GLBA-covered institutions, instead providing only the narrow data-level carveout. These include California, Connecticut, Minnesota, Montana and Oregon.

These laws, as applied to GLBA entities, appear to be the implicit targets of the updated preemption clause, which explicitly supersedes any state "privacy or security requirements for nonpublic personal information subject to this subtitle."

Also notable here is the inclusion of security requirements, which could have a broad impact on the cybersecurity legal landscape for GLBA entities. Most state breach laws include a form of safe harbor for entities that comply with the Federal Trade Commission's Safeguards Rule, or the Interagency Guidance on Response Programs for banks. 

Even so, just as in the privacy context, gaps are continuing to widen as state breach laws apply to data types not covered by GLBA and, under the FTC's most recent update to the Safeguards Rule, many entities must now report their incidents to the FTC within 30 days of discovery (for notification events affecting 500 or more consumers), a shorter timeline than they enjoyed under some state rules.

Data-level preemption would significantly simplify this landscape.

The advocate's lens

Among the witnesses at March's financial services hearing was Laura MacCleery, representing UnidosUS, a Latino civil rights and advocacy organization. Her written testimony provides an important counterpoint about the potential shortcomings of the proposed GLBA update.

Acknowledging the "modest gains" in the proposal, MacCleery claims they are outweighed by the decision to extend GLBA's coverage to data aggregators while maintaining an opt-out model. As she explains, "Under an opt-out, the default is that consumer data is shared unless the individual acts to stop it, so the path of least resistance is the path of least protection."

MacCleery also calls attention to permissive consumer choice language in the draft, which does not require consent but would instead allow for data collection and disclosure when a financial institution obtains "evidence of such individual's authorization." She warns this exception would allow dark patterns to continue to proliferate in the financial sector.

Point by point, MacCleery's testimony also takes issue with the specific language of the updates to many of the other GLBA modernization clauses in the draft bill, including the data minimization provision and the access and deletion rights.

Finally, as ever, preemption emerges as a major battleground. Echoing concerns shared by Democrats on the committee, MacCleery takes issue with the fundamental preemption shift in the draft. Pointing to the existing enhancements in state laws, she and others argue that federal preemption would freeze the law in place and eliminate the potential for states to provide their citizens with protections that respond to new technologies and services.

For example, though the expansion to data aggregators would close a much-maligned loophole, it would also bring those aggregators under the preemptive shield against state-law claims. MacCleery cites the success of class-action settlements against such companies under state law, an outcome that would be impossible under a preemptive regime.

Many steps remain to take a discussion draft to a final piece of legislation, but this work in the financial services committee has begun to set the table for a Republican vision of an updated privacy framework across sectors. The extent to which it is compatible with the Energy and Commerce committee vision will likely become apparent in the coming weeks.

Please send feedback, updates and hybridized services to cobun@iapp.org.

This article originally appeared in The Daily Dashboard and U.S. Privacy Digest, free weekly IAPP newsletters. Subscriptions to this and other IAPP newsletters can be found here.


Tags: Law and regulation, Finance and banking, Privacy