State Data Protection Issues

Share to

MBA is providing this resource center to its member companies, state and local real estate finance associations, and partner trade groups to help engage with state policymakers working to strengthen their consumer data protection laws. As part of this debate, it is important to recognize not just the necessity of sharing and validating data in real estate finance, but to also appreciate that this system is already subject to robust federal consumer protection laws and rules. State data protection bills must not unintentionally impede homeownership. To help inform the policy discussion on these issues, MBA provides suggested legislative language for consideration in state bills and other support materials and information.

Please read MBA's Data Protection Principles and MBA's Model Data Protection Amendment

Recent MBA Activity Related to Data Protection Issues


  • June 13, 2024: Vermont Governor Philip Scott vetoed the Vermont Data Privacy Act, H121, citing "unnecessary and avoidable level of risk" in his veto letter.
  • May 24, 2024: Minnesota Governor Tim Walz signs large omnibus package, HF 4757, which includes the Minnesota Consumer Data Privacy Act (starting in Article 5, line 155.17).  This privacy legislation includes a GLBA data exemption, a depository exemption, and some narrow activities based exemptions and will take effect July 31, 2025. 
  • May 10, 2024: Vermont Legislature passes the Vermont Data Privacy Act, which includes a GLBA data exemption, a depository exemption, and some activities based exemptions (e.g. FCRA credit reporting). If signed, this law will take effect July 1, 2025. 
  • May 9, 2024: Maryland Governor Wes Moore signed the Maryland Online Data Privacy Act of 2024, which includes an entity level GLBA exemption in Section 14-4603. The new law becomes effective on October 1, 2025.
  • April 17, 2024: Nebraska Governor Jim Pillen signed the Data Privacy Act, another comprehensive data privacy bill that included the entity, affiliate and data level exemptions for GLBA. 
  • April 4, 2024: Kentucky Governor Andy Beshear signed the Kentucky Consumer Data Protection Act, HB 55, which takes effect January 1, 2026 and exempts Financial Institutions, affiliates and data subject to GLBA.
  • March 6, 2024: New Hampshire Governor Chris Sununu signed SB 255, a comprehensive data privacy law that includes an entity- and data-level exemption for companies subject to the GLBA. The law becomes effective on January 1, 2025.
  • January 16, 2024: New Jersey Governor Murphy signs SB 332, a broad data privacy bill, which contains a GLBA entity and affiliate exemption. Majority of this act takes effect January 15, 2025.
  • July 18, 2023: Oregon Governor Kotek signs the Oregon Consumer Privacy Act, which contains a GLBA data exemption along with additional varying exemptions for industry dependent on state chapter definitions within ORS 706 and ORS 725. The majority of this act will take effect July 1, 2024.
  • June 30, 2023: Delaware legislature passes HB 154, the Delaware Data Privacy Act. This bill awaits Governor Carney's action. The bill includes an entity exemption for financial institutions and their affiliates to the extent these entities are subject to GLBA.
  • June 18, 2023: Texas Governor Abbott signs the Texas Data Privacy and Security Act, which contains GLBA exemptions for financial institutions and data subject to GLBA. The majority of this act will take effect July 1, 2024.
  • May 19,2023: Governor Gianforte signed the Montana Consumer Data Privacy Act, which contains GLBA exemptions for financial institutions, affiliates of financial institutions, and data subject to federal GLBA. 
  • May 11, 2023: Governor Bill Lee signed the Tennessee Information Protection Act, which contains GLBA exemptions financial institutions and affiliates, or data subject to federal GLBA.
  • May 1, 2023: Indiana Consumer Data Privacy Act enacted. The new law is effective January 1, 2026, and contains exemptions for any financial institutions and affiliates, or data subject to federal GLBA.
  • April 21, 2023: Montana legislature passes data protection legislation (SB-384) with exemptions for a financial institution or an affiliate of a financial institution governed by, or personal data collected, processed, sold, or disclosed in accordance with, Title V of the Gramm-Leach-Bliley Act. It will take effect on October 1, 2024 if signed.
  • March 28, 2023: Iowa Governor Kim Reynolds signs consumer data protection bill into law. Legislation includes Gramm-Leach-Bliley (GLBA) exemption for financial institutions and data. 
  • January 9, 2023: MBA and NYMBA submit a joint comment letter in response to NYDFS releasing proposed amendments to New York's Cybersecurity Regulation (23 NYCRR 500).
  • August 23, 2022: MBA and CMBA submit a comment letter in response to California Privacy Protection Agency's proposed rules to implement the California Privacy Rights Acts. 
  • May 10, 2022: Connecticut Governor Ned Lamont signs into law the Connecticut Data Privacy Act ( SB 6). Connecticut is fifth state to enact comprehensive data privacy legislation.
  • March 24, 2022: Utah Governor Spencer Cox signs the Utah Consumer Privacy Act ( SB 227) to overhaul state data privacy law, which includes Gramm-Leach-Bliley (GLBA) exemption for financial institutions and data.
  • July 8, 2021: Colorado Governor Jared Polis signs Colorado Privacy Act into Law (SB 190). Comprehensive data privacy legislation that is consistent with Virginia.
  • March 21, 2021: Virginia enacts comprehensive data privacy legislation (HB 2307). Exemptions financial institutions are consistent with the federal Gramm-Leach-Bliley Act (GLBA).
MAA Social Media Graphic