Data Security & Privacy Laws
Consumer data privacy and data security must be addressed uniformly to avoid a patchwork of confusion.
Overview: Federal laws on consumer data privacy and data security cover various industries and individuals. Financial institutions are governed by the Gramm-Leach-Bliley Act (GLBA). However, there is no federal data breach notification law. In contrast, there are over 50 different non-federal data breach notification laws throughout the United States. MBA member companies cannot separate their information technology infrastructures to comply with varying state requirements, as well as those of the federal government. MBA continues to advocate for federal standards on matters of data privacy and data security and a federal preemptive data breach notification law. Recently, California enacted the California Consumer Privacy Act (CCPA), which takes effect January 1, 2020. Other states have begun introducing privacy bills mirroring the CCPA, many with their own variations. Some of these bills, like the CCPA, contain an exemption for data subject to the GLBA, while others require confusing conflict analysis to determine whether a federal or state requirement is applicable. At a minimum, any state-level data privacy legislation must include a clear and simple GLBA exemption.
Recent MBA Activity Related to Data Security & Privacy Laws
- Letter: MBA to Senate Banking Committee's Request for Comment on Data Privacy and Consumer Protection (March 15, 2019)
- Comment Letter: MBA to CFPB on Data Collections and HMDA (December 21, 2018)
- Letter: MBA to Council of State Governments on the California Consumer Privacy Act (September 13, 2018)
- Comment Letter: MBA and NYMBA to New York State Department of Financial Services regarding Online Lending in New York State (May 17, 2018)
- Comment Letter: MBA to Treasury on FinTech Regulations (March 26, 2018)
- Letter: MBA to U.S. Senate Committee on Transportation, Housing and Urban Development Appropriations Bill for FY 2018 (July 26, 2017)
- Comment Letter: MBA and NYMBA on Cybersecurity Requirements for Financial Services Companies (January 27, 2017)