ABA Banking Journal

Keeping on Top of Changes in U.S. Privacy Laws

October 31, 2019

By Paul Breitbarth

The privacy regulatory environment in the U.S. continues to be a complex sea to navigate, changing on an almost daily basis: new privacy bills, amended bills, bills not making it out of committee, bills in debate in state legislatures. Of course, that doesn’t even take into account the discussion happening at the federal level. All of this is creating anxiety among privacy professionals, who are struggling to stay on top of ongoing legislation updates.

Currently, all eyes continue to be on the California Consumer Privacy Act and its amendments (and amendments to amendments). Vermont Attorney General T.J. Donovan observed that California’s policy could directly influence the behavior of other state privacy officials, saying, “As California goes, so goes the nation. Watching how the rules in California are going to be developed is going to be critical.”

In many ways, CCPA is paving the way for a period of major change to the privacy compliance landscape in the U.S. At the time of publishing, Nevada and Maine have passed their own new privacy laws relating to consumer rights (Maine’s law applies to internet service providers only), and an additional 11 laws are in various stages of debate and amendment in state governments including Louisiana, Texas, Vermont, New Jersey and Washington.

Nevada’s new privacy law went into effect on Oct. 1, three months before the CCPA will. However, unlike the CCPA, it applies only to operators of online commercial services, requiring these companies or individuals to seek permission to sell a consumer’s personal data.

In the Evergreen State, the Washington Privacy Act was introduced in January and passed in the state Senate only two months later, but the bill did not make it to the House of Representatives. However, the prevailing sentiment is that this bill will be brought back in future sessions.

The bill in Louisiana focuses on protecting consumers online while they’re using the Internet and social media. While this may seem narrowly focused on ISPs, one of the definitions of the law seems to cover anybody operating a commercial website in the state of Louisiana, which would have significant implications for a large number of organizations.

Staying on top of it all

In a recent Nymity survey of privacy professionals in North America, almost half of respondents (47 percent) ranked building a privacy program as their top priority. How is your financial institution prepared to execute a data subject access request and demonstrate completion? How will you track, honor, reply and inform on a request for a right of access? How do you future-proof your organization for new and changing legislation? Some companies have taken the approach of addressing compliance one law at a time. However, with the volume of amendments and new legislation in the U.S. (and around the world), this approach clearly won’t scale.

Under the European Union’s General Data Protection Regulation, “accountability” is enshrined as a legal obligation. Banks must be able to demonstrate compliance under the law. While the word “accountability” is not present in the legislation from California and Nevada (and in other states), it is a useful compliance concept.

An accountability approach to compliance means that financial institutions implement and embed relevant policies, procedures and other measures throughout the organization, and assign responsibility for the completion of these activities. Ideally, the activities are also reviewed on a regular basis (for example, quarterly or annually). As a result, documentation such as minutes of meetings, memos preparing decisions, the actual policies and procedures and log files are produced and can serve as evidence to demonstrate compliance to regulators and other stakeholders.

When my company began helping organizations prepare for GDPR, we mapped the text of the regulation to the Nymity privacy management accountability framework and identified 39 articles requiring evidence of a technical or organizational measure in order to demonstrate compliance. Those 39 articles mapped to 55 privacy management activities (technical and organizational measures) that, if implemented, would produce documentation to demonstrate compliance with the requirements. For the CCPA, we have identified nine of the 23 provisions, so far, requiring evidence of a technical or organizational measure in order to demonstrate compliance.

Structuring an organizational measure to demonstrate compliance

With clarification from lawmakers on various elements of the CCPA still pending, financial institutions may not have a sense of urgency when it comes to getting their compliance programs ready. However, we learned from our survey that the privacy office is often faced with competing priorities, with CCPA compliance activities (35 percent) and continued GDPR compliance activities (26 percent) still figuring strongly, so it is critical to get started as early as possible for each regulation.

Banks can employ a three-step approach to building privacy compliance programs that can address multiple privacy laws:

  • First, identify which of the mandatory privacy management activities apply to the law you have based your privacy program on. Then make sure that they are embedded in your organization, including in the policies and procedures you have implemented to ensure compliance. Compare them to the new law you are dealing with and verify that all elements that are embedded in the new law’s legal provisions are also part of your internal policies and procedures.
  • Second, review the privacy management activities that are considered mandatory for the new law you are working on, but are not part of your existing data protection compliance program. It may be that you have implemented these activities in your organization, for example as part of your security program. If so, you can repeat the check described above. If you have not implemented those activities, then you will likely have to implement new policies and procedures to address the gaps.
  • Third, as the regulatory environment has become more complex and the business impact of non-compliance has become more significant, our survey showed that over 70 percent of privacy professionals feel privacy has evolved into an integral part of the overall strategy and planning for their businesses. Financial institutions may be required to re-prioritize the team’s infrastructure and grow the headcount for the teams handling the compliance program.

GDPR has set the stage for new or enhanced privacy legislation from jurisdictions around the world. The introduction of a new law, or changing requirements of an existing law, will always require some effort to ensure ongoing compliance. While it may seem increasingly challenging to navigate the sea of privacy regulations, taking an accountability approach to compliance enables organizations to use existing mechanisms to meet revised compliance goals.

Paul Breitbarth is director of EU operations and strategy at Nymity, a privacy compliance software provider.

© 2025 American Bankers Association. All rights reserved.
