Banks must brace for renewed privacy fight
Since the passage of the Gramm-Leach-Bliley Act in 1999, financial institutions have relied on the law’s exclusive application to financial institutions, along with the Fair Credit Reporting Act and other sector-specific legislation, to wall them off from changes to privacy laws. They have relied on the demonstrable success of these statutes to show that the gathering and use of data by banks should not be subject to rules that apply to health information, advertising or other data.
However, with the passage of the California Consumer Privacy Act this summer, that wall has been breached: The new state law, which will establish a number of new privacy rights for California residents, such as the right to request, restrict use of and delete personal information starting on January 1, 2020, does not include a blanket exception for financial institutions generally or for entities that comply with the 1999 law, as had been the case for previous privacy legislation.
Specifically, while the new law carves out some activities under GLB and the FCRA, it does not provide a complete blanket exception for those laws; the carve-out applies only to activities undertaken pursuant to them.
This breach of the heretofore sacrosanct protection of GLB is dangerous to financial institutions for several reasons. First, the changes to the law may force financial institutions to change how they gather and use consumer information, which could adversely impact credit underwriting and other consumer lending. Second, there is a strong bipartisan push for privacy legislation at the federal and state levels, and California’s new law is going to spur on the discussions. Those that are principally engaged, such as the tech community and the House and Senate Commerce committees, are not necessarily as aware of — or respectful of — the need for specific financial services privacy legislation, and they may be more inclined to “cut a deal” that harms consumer lending without being aware of the full consequences of the changes that they are making.
In other words, before CCPA, banks could simply request that they be fully carved out of any privacy legislation. Now that that wall has been breached, however, financial institutions potentially face a slippery slope that will erode the special privacy protections that they have enjoyed since the enactment of the FCRA and GLB. At the end of the road could lie legislation which could end up applying the same privacy restrictions to financial institutions that apply to other entities.
Because of that fundamental change, banks will need to pay close attention and engage with federal and state privacy legislation negotiations going forward. Specifically, the historical reliance on Gramm-Leach-Bliley and other laws as a blanket carve-out for financial institutions is probably over.
In other words, as deals are cut and legislation advances, the financial services sector must get more engaged to ensure that their interests are not ignored.
The ground is only going to get more treacherous in 2019. One of the reasons that financial institutions have been successful in stopping state-based privacy legislation is that they have had the ability to argue that if a state enacts a law that is substantially outside the “mainstream,” it will make it more expensive and difficult for banks to do business there, risking higher rates and fewer services for consumers and companies in that state. However, with the passage of the new California law, not only are states more likely to play “copycat” to the California legislation, though perhaps with even stricter requirements, but the argument that states are “outliers” is also easily debunked. Now states can credibly argue that they are simply imposing the same requirements as California. And few, if any, financial institutions are going to simply not do business with California residents.
At the federal level, industries that are looking for legislation to preempt California face challenges. For example, some industries might see enacting a single, uniform standard — one that ignores the bank carve-out of Gramm-Leach-Bliley — as a worthwhile compromise. Banks could be hard pressed to back that deal out once it is already made.
As industry groups from a wide range of sectors, consumer groups, states and Congress wrestle with consumer privacy, the financial sector needs a strong voice to ensure that those who are drafting potential provisions are aware of the existence and function of the sector-specific data privacy protections for banks that are already on the books, and why it is important to continue to wall off their data collection activities from broader privacy legislation.