State Data Protection Issues

Share to

MBA is providing this resource center to its member companies, state and local real estate finance associations, and partner trade groups to help engage with state policymakers working to strengthen their consumer data protection laws. As part of this debate, it is important to recognize not just the necessity of sharing and validating data in real estate finance, but to also appreciate that this system is already subject to robust federal consumer protection laws and rules. State data protection bills must not unintentionally impede homeownership. To help inform the policy discussion on these issues, MBA provides suggested legislative language for consideration in state bills and other support materials and information.

Please read MBA's Data Protection Principles and MBA's Model Data Protection Amendment

Recent MBA Activity Related to Data Protection Issues

 

  • January 16, 2024: New Jersey Governor Murphy signs SB 332, a broad data privacy bill, which contains a GLBA entity and affiliate exemption. Majority of this act takes effect January 15, 2025.
  • July 18, 2023: Oregon Governor Kotek signs the Oregon Consumer Privacy Act, which contains a GLBA data exemption along with additional varying exemptions for industry dependent on state chapter definitions within ORS 706 and ORS 725. The majority of this act will take effect July 1, 2024.
  • June 30, 2023: Delaware legislature passes HB 154, the Delaware Data Privacy Act. This bill awaits Governor Carney's action. The bill includes an entity exemption for financial institutions and their affiliates to the extent these entities are subject to GLBA.
  • June 18, 2023: Texas Governor Abbott signs the Texas Data Privacy and Security Act, which contains GLBA exemptions for financial institutions and data subject to GLBA. The majority of this act will take effect July 1, 2024.
  • May 19,2023: Governor Gianforte signed the Montana Consumer Data Privacy Act, which contains GLBA exemptions for financial institutions, affiliates of financial institutions, and data subject to federal GLBA. 
  • May 11, 2023: Governor Bill Lee signed the Tennessee Information Protection Act, which contains GLBA exemptions financial institutions and affiliates, or data subject to federal GLBA.
  • May 5, 2023: Texas Legislature approves the HB-4, which includes GLBA exemption. The bill is now in conference committee.
  • May 1, 2023: Indiana Consumer Data Privacy Act enacted. The new law is effective January 1, 2026, and contains exemptions for any financial institutions and affiliates, or data subject to federal GLBA.
  • April 21, 2023: Montana legislature passes data protection legislation (SB-384) with exemptions for a financial institution or an affiliate of a financial institution governed by, or personal data collected, processed, sold, or disclosed in accordance with, Title V of the Gramm-Leach-Bliley Act. It will take effect on October 1, 2024 if signed.
  • March 28, 2023: Iowa Governor Kim Reynolds signs consumer data protection bill into law. Legislation includes Gramm-Leach-Bliley (GLBA) exemption for financial institutions and data. 
  • January 9, 2023: MBA and NYMBA submit a joint comment letter in response to NYDFS releasing proposed amendments to New York's Cybersecurity Regulation (23 NYCRR 500).
  • August 23, 2022: MBA and CMBA submit a comment letter in response to California Privacy Protection Agency's proposed rules to implement the California Privacy Rights Acts. 
  • May 10, 2022: Connecticut Governor Ned Lamont signs into law the Connecticut Data Privacy Act ( SB 6). Connecticut is fifth state to enact comprehensive data privacy legislation.
  • March 24, 2022: Utah Governor Spencer Cox signs the Utah Consumer Privacy Act ( SB 227) to overhaul state data privacy law, which includes Gramm-Leach-Bliley (GLBA) exemption for financial institutions and data.
  • July 8, 2021: Colorado Governor Jared Polis signs Colorado Privacy Act into Law (SB 190). Comprehensive data privacy legislation that is consistent with Virginia.
  • March 21, 2021: Virginia enacts comprehensive data privacy legislation (HB 2307). Exemptions financial institutions are consistent with the federal Gramm-Leach-Bliley Act (GLBA).
MAA Social Media Graphic