States are stepping up their efforts to protect the privacy of consumer data, and the trend is adding to banks' compliance challenges as stewards of vast amounts of personal information.
Virginia passed a data privacy law on March 2, while California strengthened its existing data privacy law on Nov. 3. These new rules only partially affect banks, raising plenty of questions and concerns for bank employees responsible for handling consumer data. Vendors and partners may be subject to the new laws, too. And these new laws are just the beginning: Other states, including Washington, are writing their own data privacy legislation and a national data privacy law may be coming.
“The reality for the financial services industry is that this is going to be somewhat of a national exercise one way or the other within the next few years,” said Ron Whitworth, chief privacy officer at Truist Financial in Charlotte, N.C.
These state actions are part of a broader trend of increasing consumer awareness of data privacy.
“Customers care about how you're handling their personal data anyway,” said Jill Reber, general manager of the data privacy practice at Logic20/20, a business and technology consulting company based in Seattle. “Your end game is to keep your customer loyalty. And so if you're mishandling their personal data because you aren't worried about these data privacy regulations, that's going to create a new issue for you.”
Here are answers to key questions surrounding the new Virginia law and updated California law.
When do the new laws take effect?
Both are effective Jan. 1, 2023. However, the California Privacy Rights Act of 2020 has a 12-month look-back period. This means that when consumers make a request for access to their personal information, companies are required to provide records covering the year preceding the date of the request.
“Banks are going to have to have their business processes and technical systems in place to manage the data as of January 2022,” Reber said.
To what extent does each law apply to banks?
The Virginia law exempts financial institutions that are subject to the privacy-protection provisions of the federal Gramm-Leach-Bliley Act of 1999. But banks could still be on the hook.
“If you're a bank, the Virginia law may not apply to you directly, but absolutely could apply to some of the vendors and third parties that you do business with,” Whitworth said. “There's also a debate within the industry about how far the exemption will carry. There is a GLBA entity exemption, but it remains to be seen how far that exemption will carry. Does it cover all activities or just banking activities? These are some of the questions that a lot of the industry benchmarking forums are already working on as they wrestle with the Virginia and California laws.”
The California law exempts data that banks already protect under Gramm-Leach-Bliley. But banks must comply with the California rules for any data that is not covered by the federal law.
Gramm-Leach-Bliley covers all personal data on people who use a bank’s products and services, including their browser history. It does not cover data gathered from people who are not customers. So if someone goes to a bank’s website and applies for a financial education newsletter, the information that consumer enters into that form is not covered by Gramm-Leach-Bliley and could be subject to the California law. Marketing data on prospects who are not yet customers may be subject to California's rules. Once an individual starts applying for a bank product, such as a mortgage or brokerage account, the information becomes subject Gramm-Leach-Bliley.
Banks can take two approaches to this data distinction, Reber said. Some banks are going to ignore the Gramm-Leach-Bliley exemption in California and follow the state’s more stringent rules for all consumer data, she said, because that route is easier and safer than trying to categorize and label all data. Others will draw a line between Gramm-Leach-Bliley data and other data and apply the California protections only to the latter.
It’s important for financial institutions to understand what information is subject to the California law and what is not, said Boris Segalis, partner in and co-chair of the data, privacy and cybersecurity group at the New York law firm Goodwin. “And that line usually is: A consumer visits a website and signs up for a newsletter — that data is subject to the California law. Once they start submitting their information to apply for a financial product or inquire about a product or service, that’s covered by GLBA. Even if a consumer abandons that application, that abandoned application is probably still subject to GLBA.”
What are the requirements of the new laws?
The two laws are a little different, but both generally follow some of the same principles of the European Union's General Data Protection Regulation in giving consumers more rights around their data, such as the right to know how their data is being used, the right to access that data and the right to have their data deleted.
Virginia’s law provides consumers with the right to access any personal data a company has gathered about them; to correct that data or make the company delete it; to obtain a copy of the personal data the company has collected about them in a readily usable format that the consumer can transmit to another company (a process known as data portability); and to opt out of the use of their data for purposes like advertising, sales or profiling.
And businesses must comply with these requests within 45 days. If they don’t, consumers can appeal to the state attorney general.
Like the California law and the EU regulator before it, Virginia’s law limits the collection of data to that which is "adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed."
Once the data has been collected, the statute mandates a business "not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent." Furthermore, the act prohibits companies from processing sensitive personal information without obtaining consumer consent.
Virginia’s law requires companies to have data privacy policies.
Under both laws, consumers can request all data a company has on them and ask to have all their data deleted.
The updated California law requires companies to tell consumers why they're collecting and using their personal data, and then not use it for a different purpose.
“There are no secondary uses allowed without additional notice and then consent,” Reber said. This means covered businesses need to have internal processes and systems that alert any use of consumer data that was not anticipated at the time of collection.
Companies have to tell consumers how long they’re going to keep their personal information and then not keep it any longer than that. They cannot collect more information than they need to meet the purpose for which they’re gathering the data.
For all consumer data not subject to Gramm-Leach-Bliley, banks have to make sure that they're providing privacy notices about how they collect, use and share the information that they provide, Segalis said.
If a bank has non-Gramm-Leach-Bliley data on a lot of California residents (basically, where the bank has gathered information from individuals who are not the bank’s customers), and gets many requests under the California law to access or delete their data, this may become hard to handle manually.
“They have to figure out what volume of requests under [the California law] the bank is likely to receive,” Segalis said. “They have to have a process to respond to these requests. If they have one a day, maybe they can handle it manually. But if the bank expects to have 100 requests a day, they can't handle it manually. They will need to implement technology to allow individuals access to the information that the bank keeps about them and delete that information.”
The California law addresses modern digital practices of monitoring and manipulating data.
“It recognizes a greater need for regulation around technological advances in machine learning and [artificial intelligence] and the data that can be collected along with that leading to potential biases and profiling practices,” Reber said. “So it gives you the right to say, don't track me across different devices, different websites, different unrelated businesses.” This means companies have to be careful using algorithms that combine multiple data sets to create customer profiles.
California's law also addresses the new concept of "dark patterns," or user interfaces that are designed or manipulated with the effect of impairing user autonomy.
“If a bank has a user interface that leads somebody into purchasing something because they're doing targeted advertising to them, that could be a dark pattern,” Reber said. “Any consent that's obtained through use of a dark pattern interface is not valid.”
The California law prevents banks from collecting geolocation data on prospective customers, or analyzing their data without first obtaining consent.
“Precise geolocation is in the new category of sensitive personal data that's regulated,” Reber said.
Banks have to set up opt-out links and specific-purpose limitations for anything that's considered sensitive information, including financial account login information, credit card numbers and precise geolocation.
Banks tend to have complex legacy systems and information architectures that were created for siloed lines of business.
“Having to follow the data trail in an environment that was architected in a siloed fashion without those data subject rights in mind presents a challenge,” Reber said. “When you have siloed organizations, when one line of business might be an access point for that personal data, banks need to understand where it's flowing through the organization and how the organization is using it.”
Data that comes in through the website, goes to marketing and then is put through an algorithm that predicts what bank products a person might need would be an example.
“The data and system mapping that was done originally didn't have to worry about those kinds of secondary uses,” Reber said. “That's where I see the biggest thing that [the California law] imposes: It's kind of forcing you to break down the silos.”
There are data privacy software companies that address some aspects of this need, but they have limitations.
“Capturing the purpose for gathering and using the data isn't something that a software program can accurately pick up,” Reber said. “You really need folks interviewing the lines of business individuals who are actually handling the data and not just send out surveys, the way some of the software companies do.”
What software companies help automate compliance with data privacy laws?
OneTrust, Collibra, WireWheel and Trunomi are a few.
How quickly will banks try to conform to the new rules?
Ron Raether, partner at Troutman Pepper, expects states and banks to follow a bell curve of adoption of these new rules, the way they did with data-breach statutes.
“You had the California law, and then you had a few early adopters, and then you had a mass of followers, and then you had a few late adopters,” Raether said. “I think we're going to see that experience with the state privacy rules.”
Many U.S. banks are currently trying to think through their data governance and how it needs to change under the new laws, Whitworth said.
“We have to think through, what tools, technologies, people and processes do we have that are dedicated to understanding our data: what do we have, where is it, can we access it? Can we control it?” he said. “If we're required to deliver data to a client, how are we going to do that? Can we identify, is it tagged properly? Under the [California law] coming in 2023, for instance, certain types of data are considered sensitive. Are they tagged that way? They’ll have to be at some point.”
What are bankers most worried about with regard to privacy laws?
“One of the biggest concerns is that if we see a patchwork of state laws that are inconsistent with one another, how do we reconcile these things?” Whitworth said. “How are you going to stand up your controls to manage all of this properly? I think you'll see a lot of the banks will heavily lobby for a single standard, whether it's a federal law or just clarity such that financial institutions will understand what parameters they're operating under. If you have inconsistent laws, it becomes impossible to comply.”