Proven bank privacy laws should apply to tech firms, too

Twenty years ago, conventional wisdom was that one could learn more about a person from his or her financial transactional history than any other way.

Today, that notion seems quaint, as a tech company monitoring someone’s browsing history knows far more about them than their bank ever will. And whether it’s their browsing history or online friendships, Americans have become acutely aware that their personal information is constantly being gathered and sold.

Numerous proposals have been floated at both the federal and state level on how to grant consumers greater control over their private information. But a good and proven model is hiding in plain sight.

Five years before Facebook was created, Congress enacted a comprehensive federal framework — Title V of the Gramm-Leach-Bliley Act of 1999 — to govern how banks manage their customers’ data and allows consumers to control sharing of that information. The law and its implementing regulations established fundamental practices for governing customer data that today appear prescient.

In particular, the law requires a bank to maintain robust internal and external protections on all customer data; inform consumers about how their data is collected and shared; and give them the right to opt out of sharing information outside the company. There is also a requirement to adopt fraud protection standards for customers in the event of a data breach.

To ensure that they protect customer information, banks use a wide range of physical and technical safeguards, including physical access restrictions, firewalls, intrusion protection and threat monitoring tools, and encryption technologies. Moreover, if data is compromised in some manner despite these best efforts, there are standards for how customers are to be notified.

By any measure, this law has been a success. The majority of consumers trust banks with their data. Indeed, they are three times more likely to trust banks and financial institutions than they are technology companies, according to a recent Morning Consult voter poll conducted on behalf of BPI.

Likely recognizing this sentiment, the recently adopted California Consumer Privacy Act specifically allows banks to continue operating under this federal legal framework, providing that “[t]his title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, and implementing regulations.”

Experience with the Gramm-Leach-Bliley Act has demonstrated that Congress can and should balance the benefits of using that data with the privacy concerns raised by that use. A similar effort seems warranted for the tech industry, with existing law as a useful guide.