Industry and Regulators Disagree on Federal Consumer Privacy Legislation
Industry participants and state regulators disagree as to whether proposed federal legislation to standardize privacy and security protections for consumer data should preempt state law.
In comments submitted to the House Subcommittee on Energy and Commerce, ten state Attorneys General urged Congress to "adopt legislation that sets a federal floor, not a ceiling, for critical privacy rights and respects the important work already undertaken by states to provide strong privacy protections for our residents." They expressed concern that the proposed American Data Privacy Protection Act does not sufficiently protect consumer data and may override existing state-level privacy laws.
Comments from the industry, including a joint comment letter from SIFMA, the American Bankers Association, the Consumer Bankers Association, the Financial Services Institute and the National Association of Federally-Insured Credit Unions, however, strongly favored federal preemption of state law. They nonetheless expressed concerns about the proposed framework, including:
- disruptive, ambiguous language that may lead to conflicting requirements for financial institutions already subject to oversight by existing regulation; and
- allowing enforcement by private rights of action, which may cause conflicting interpretations of the law and make it harder for consumers to understand the law.
Commentary
Taken together, the two letters reflect the consequences of Congressional inaction on comprehensive federal privacy laws over the last twenty years. On the one hand, the void left by the absence of a comprehensive federal regulation has been filled by state laws vesting consumers with broad rights over their personal information and state attorneys general with a mandate to enforce such laws. The state attorneys general have expressed their concern that preemption will vitiate consumer rights granted in their states and weaken the states’ ability to investigate privacy violations. On the other hand, the financial services industry has long been subject to sector-specific consumer privacy and protection laws, including under the Gramm-Leach-Bliley Act (“GLBA”), and, not surprisingly, seeks an end to the ever-expanding patchwork of state privacy and data breach laws through a request for total preemption of state laws and an explicit carve-out for financial institutions from the ADPPA.
On the surface, carving financial institutions out from the ADPPA would appear to be an easy solution to the preemption question. However, anything short of a total carve-out of financial institutions (not simply certain data processed by those institutions, as the ADPPA currently contemplates) would simply preserve the patchwork status quo without total preemption of state law. That would do nothing to ease existing compliance burdens caused by the partial and/or possible applicability of state and local laws to non-GLBA covered personal information processed by financial institutions.