While the focus of each state has a unique flavor with varying eligibility thresholds, banks should consider some common threads.
By Jake Frazier
Coast to coast, state lawmakers are responding to public outcry for stronger data privacy and data protection rules. While the concept of data privacy as a fundamental right and value has long eluded the U.S. legal system, a sea change is underway in the states.
This year, five state-based data privacy laws are coming into force in California, Colorado, Connecticut, Utah and Virginia. While each state’s law carries varying data privacy requirements and principles, they generally follow the lead of the California Consumer Privacy Act, which took effect in January 2020.
Worth noting is that many state laws do offer exemptions and/or certain data exceptions for financial organizations and banks governed under the Gramm-Leach-Bliley Act. The ADPPA has been drafted with Gramm-Leach-Bliley Act exceptions as well.
Below is an overview of the current landscape of state-based privacy regulations and the key considerations that banks subject to these laws will need to address as they take effect.
California
The CCPA provides broad privacy protections for California residents, many of which emulate the protections provided under the European Union’s General Data Protection Regulation, which is widely considered the world’s most stringent data privacy law. Shortly after the enactment of CCPA, the California Privacy Rights Act was introduced and passed to further align CCPA to the standards of GDPR.
CCPA applies to for-profit businesses in California and meet any of the following parameters: have a gross annual revenue exceeding $25 million; buy, receive or sell the personal information of 100,000 or more California residents, households or devices; or derive 50 percent or more of annual revenue from selling California residents’ personal information. Any company currently obligated under CCPA will be likewise impacted by CPRA. Generally, the law provides expanded data subject rights, including the right to correct, opt out of sharing and profiling and limiting the processing of sensitive personal information; stricter definitions around what constitutes the sale of data; and the establishment of the California Privacy Protection Agency.
Colorado
The Colorado Privacy Act (CPA) will be effective in July 2023, applicable to organizations either operating in Colorado or targeting products or services to Colorado residents, though financial organizations and banks governed by the Gramm-Leach-Bliley Act are currently exempt.
However, bank customers in the state will be affected, as additional eligibility thresholds include that covered organizations either control or process personal data of 100,000 residents or more; or derive revenue from the sale of personal data and control or process the personal data of 25,000 or more Colorado residents. Because the threshold focuses on the number of residents, rather than revenue figures like many other laws, it may apply to a larger set of small and mid-sized businesses. CPA provides data subject rights—individual privacy rights of data subjects, including the right to opt out of targeted advertising, the sale of their personal data and certain types of profiling—as well as consent requirements and rules for covered businesses to follow regarding the completion of data protection assessments prior to engaging in certain data processing activities.
Connecticut
Like the Colorado Privacy Act, the Connecticut Data Privacy Act (CTDPA) will also take effect in July and does not include a revenue threshold. Rather, thresholds are based on number of impacted Connecticut residents and/or percentage of revenue derived from the sale of personal data belonging to state residents. It also includes entity-level and data-based exemptions for banks and information already covered under the Gramm-Leach-Bliley Act and/or Fair Credit Reporting Act, among others. CTDPA includes data protection assessment requirements and provides numerous data subject rights, including the right to opt out of the “sale of their personal data, the processing of personal data for the purposes of targeted advertising, and profiling that may have a legal or other significant impact.”
Utah
The Utah Consumer Privacy Act is somewhat less stringent than other state laws and ncludes exemption for entities covered under the Gramm-Leach-Bliley Act. It offers fewer data subject rights than Colorado and Connecticut—for example, opt-out rights are more limited and data subjects are not given the right to rectification, such as the right to have companies complete, correct, or supplement their personal data without undue delay. It requires that covered businesses provide transparent privacy notices and certain opt-out options, but does not include consent requirements, which are present in most other laws. The law’s annual revenue threshold for applicability is $25 million, and in addition to meeting that figure, covered businesses must also either control or process personal data of 100,000 or more Utah consumers during a calendar year; or derive more than 50 percent of gross revenue from the sale of personal data and control or process the personal data of 25,000 or more Utah consumers.
Virginia
As of January, the Virginia Consumer Data Protection Act imposed obligations on businesses located in Virginia or those that served Virginia residents if the businesses. Notably, financial organizations and banks governed by the Gramm-Leach-Bliley Act are currently exempt from Virginia’s CDPA requirements.
Additional state activity
In 2022, five states—Georgia, Indiana, Maine, Michigan and Vermont—considered comprehensive data privacy legislation for the first time. Some of these bills failed during sessions in 2022, while others are still pending amendments and decisions. Michigan, New Jersey, Ohio and Pennsylvania are the latest states to either introduce or have in committee comprehensive consumer privacy laws. Dozens of others, including Arizona, Massachusetts and Rhode Island, have inactive comprehensive privacy bills or proposals at various stages of the legislative process.
While each state law has a unique flavor with varying eligibility thresholds, and exemptions and carve-outs for certain industries and organizations, there are some common threads that banks should consider. These fundamentals provide a guide for best practices banks can follow across operations in every state and jurisdiction.
One such fundamental is that transparent privacy notices are universally required, even though not every privacy law requires data controllers to obtain consent for processing. Thus, banks should prioritize the creation and implementation of notices that are transparent and clearly define the ways in which customers’ personal data is collected, stored and used.
Another common thread is that most laws provide some degree of data subject rights. Privacy programs should address the specific workflows and technologies needed to ensure the organization is equipped to respond to and remediate data subject requests in a timely manner, without undue burden to the business or the data subject.
Compliance alongside change
In this landscape of rapidly changing state-based data privacy requirements, flexibility and scalability are key to success. Banks must continually evaluate the state and federal laws as they change, and ensure new obligations are addressed either as the laws come into force, or as the business expands into new, regulated regions.
Legal and compliance teams should focus on establishing a set of policies and repeatable processes that default to the highest standard of requirements under which the business is regulated. A standardized and holistic approach will enable ongoing reinforcement of a flexible data privacy program that can adapt to new requirements as they arise.
Jake Frazier is a senior managing director at FTI Consulting and heads the information governance, privacy and security practice within the technology segment.
