ABA urges caution on data privacy bill

In a memo to the House Financial Services Committee today, the American Bankers Association spelled out its concerns about a bill to modernize nationwide standards for financial data privacy. Among other things, ABA highlighted issues related to proposed consumer notification requirements, limits on how data can be collected and used, and the possibility that the legislation’s opt-out standard for obtaining consumer approval could be changed into an “opt-in” requirement.

The Data Privacy Act (H.R. 1165), sponsored by committee Chairman Patrick McHenry (R-N.C.) would amend the Gramm-Leach-Bliley Act to create new standards for how financial institutions collect and use customer data. In its comments, ABA said it supported several aspects of the bill, such as a provision to ensure that the GLBA preempts state data privacy laws, and the fact it leaves enforcement to the prudential regulatory agencies rather than state attorneys general or private rights of action. However, the association noted that the bill would also create new notification requirements, including two new annual notices, while other provisions would limit what data financial institutions can collect and establish a definition of “consumer relationship” so broad it would impose unnecessary burdens on banks.

ABA cautioned against any amendments establishing an opt-in requirement, which usually requires businesses to obtain their customers’ affirmative consent before collecting personal data. The association also raised concerns that the bill would clash with data access standards in Section 1033 of the Dodd-Frank Act, which the CFPB is currently in the process of writing regulations to implement. “In order to avoid confusion among financial institutions as well as regulators, the information in scope under Section 1033 should be expressly carved out from any right of access created under the bill’s amendments to the GLBA,” ABA said.