Background
Data Privacy
Depository institutions have been subject to a national standard on data privacy and security since the passage of the Gramm-Leach-Bliley Act (GLBA) over two decades ago. The GLBA includes both a Financial Privacy Rule, implemented by the Bureau’s Regulation P, and a Safeguards Rule, implemented for credit unions in NCUA’s Part 748. In combination, these two regulations establishes robust protections for the privacy and safety of members’ financial information. However, other entities who handle consumer financial data do not have similarly-enforced standards. This gap in legal and regulatory requirements, enforcement and examination has resulted in real harm to credit unions and consumers.
In the absence of comprehensive privacy protection laws, the discovery of some data sharing business practices, such as those uncovered in the Facebook-Cambridge Analytica scandal, have highlighted the need for consistent protections surrounding the sale and use of consumer’s personal information. Other nations have passed comprehensive privacy laws, for example, the European Union (EU) passed the General Data Protection Regulation (GDPR). The GDPR, which took effect in May 2018, was designed to protect the privacy of EU residents but applies to all companies processing or controlling the personal information of EU residents, regardless of the business’s location. In the absence of similar federal action in the U.S., states have moved to implement their own privacy laws. In particular, the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. The CCPA applies to certain businesses serving residents of California. The CCPA generally offers California consumers new statutory rights to learn what personal information businesses have collected, opportunities to opt-out of the sale of their personal information, and protection from “discrimination” in the form of reduced service. While the CCPA exempts information collected pursuant to the GLBA, it does not exempt GLBA-covered entities, raising complex questions regarding the coverage of these laws.
In 2021, Virginia and Colorado enacted state data privacy laws. The Virginia law prevents the processing of sensitive data without opt-in consent from adults as well as children, allows individuals to opt out of the sale of their personal data, and gives individuals the right to have data collected from them deleted. Credit unions and other financial institutions subject to the GLBA are exempt from the Virginia law. Like the Virginia law, the Colorado law provides that individuals may opt out of the sale of their personal data and have their collected data deleted. The Colorado law similarly exempts credit unions and other financial institutions subject to the GLBA. Unlike the CCPA and CPRA, the Virginia and Colorado laws rely on consumer thresholds rather than revenue thresholds, and neither the Virginia nor the Colorado law provides consumers a private right of action. The Virginia Consumer Data Protection Act takes effect on January 1, 2023, and the Colorado Privacy Act takes effect on July 1, 2023. Other states continue to consider their own privacy legislation, further confusing credit unions on compliance requirements. Credit unions seeking to manage data privacy obligations across multiple jurisdictions face enormous operational challenges.
Further, ongoing cyberattacks and frequent data breaches, and the cost of dealing with these issues has hindered credit unions’ ability to serve their members. Credit bureaus, such as Equifax, handle millions of consumer financial records and are subject to the GLBA, but they remain unexamined for compliance with security standards and the Federal Trade Commission's implementing regulations for credit reporting bureaus are less stringent than those applicable to credit unions and banks. Other entities, such as retailers, merchants and fintech companies who regularly handle large volumes of financial data, are not legally subject to security requirements at all, let alone regularly examined for the sufficiency of their practices. When one of these organizations suffers a breach, it is the credit union which ultimately bears the cost of reissuing debit and credit cards and the losses associated with resulting identity theft and fraud.
NAFCU is leading the charge against a patchwork of state privacy laws to protect credit unions from the burden of compliance with multiple privacy frameworks and continues to work with Congress to establish consistent protection of consumer financial data and hold all entities accountable.