Banks and credit unions could wind up caught in the middle as state legislators seek to regulate what companies do with consumer information in the absence of federal standards. 

Last year, California passed the nation’s first comprehensive consumer data privacy law, and state Sen. Cynthia Creem has introduced a bill on Beacon Hill to bring similar regulations here. With technology now integral to the banking industry’s products and services, the proposed legislation will have an impact beyond the tech companies whose behavior dominates the data privacy debate.

The Joint Committee on Consumer Protection and Professional Licensure is scheduled to hold a hearing on several consumer-related proposals on Monday, Oct. 7, including Creem’s bill, S.120. The bill is cosponsored by Sen. Jamie Eldridge (D-Acton) and Sen. Michael Moore (D-Millbury). Rep. Tommy Vitolo (D-Brookline) is carrying its counterpart in the House of Representatives. 

Modeled after the California Consumer Privacy Act, which was passed in 2018 and goes into effect in January, S.120 would require companies to notify customers what types of data have been collected, the business purposes for using the data, the categories of third parties that will receive the data and the business purposes for disclosing data to third parties.  

Consumers will have the right to ask what data has been collected, request that their data be deleted and opt out of having data disclosed to third parties. If consumers think a company has violated their rights under the law, even if no losses were suffered, they will have a “right of action.” Lawsuits could result in the consumer receiving compensation, the greater of $750 or the amount of actual damages.

Consumer Choice a Key Principle

Creem’s own experience as a consumer helped motivate her to file the bill. She said consumers should have a choice about how companies use their data.  

“The companies that we rely on are tracking our every move, and they want to learn about us and then sell that information without our permission,” Creem said. “I ought to be able to have a say in how that information is used or opt out of the system completely.” 

Without national laws governing how companies, including banks, use consumer data, state legislatures like Massachusetts’ are stepping into the breach to satisfy voters’ demands for regulation.

The proposed legislation would apply to companies with revenue of $10 million or more. This is different from the California law, which set the revenue threshold at $25 million. Creem said she would prefer to see all organizations adhere to the law, regardless of size, but added that threshold could change as testimony is heard and the bill moves through committee. 

The bill covers the collection of biometric data, including fingerprints, voice recordings, and facial recognition data used in security measures.

Industry Concerned About Details 

Creem’s bill exempts data collected through federal statutes, including the Gramm-Leach-Bliley Act, which regulates financial services firms. Massachusetts Bankers Association Executive Vice President Jon Skarin said the organization was pleased to see this provision in the bill but has decided not to take a formal position on S.120. 

Skarin said the MBA would prefer a national standard over individual state laws, adding that he does not expect Congress to pass anything in the near future. 

During an appearance at Boston FinTech Week in September, Rep. Trey Hollingsworth (R-Indiana), a member of the House Committee on Financial Services, described ongoing discussions about federal data privacy legislation as being only in their early stages. 

The MBA has two key concerns about all consumer data privacy legislation, Skarin said. One is to make sure the language in the bill is not too specific when referring to the ever-changing world of technology.

“They should make it as flexible as possible about what information is allowed to be shared and what’s not,” Skarin said. “If they don’t, they will be in a situation where they have to keep coming back and making changes to the law.”

Skarin also noted that banks often end up dealing with data security breaches even when a merchant or other entity is responsible. He would like to see legislation that requires the entity responsible for violations to bear cost burdens. 

Businesses Often Back Data Laws 

Melanie Conroy, an attorney at Pierce Atwood LLP in Boston and an expert on data privacy, said most data privacy legislation is supported by both businesses that would be regulated and consumer advocates. 

“You have actually seen a great deal of advocacy for comprehensive consumer protection to be enacted on behalf of the business community,” Conroy said. “I think that it strongly demonstrates the need for certainty and clarity in this space and also for a very careful legislative process.”

Conroy, whose clients include financial institutions, said that internet-based services and products, as well as multi-state relationships, create complexities that aren’t easily solved.

“The concern here is the lack of clarity or potential haste in finalizing or implementing these laws could create significant business risk,” Conroy said. “You want to ensure that what is enacted is thoughtfully done with appropriate input from the affected entities to ensure that there aren’t unintended consequences that result.”

More clarity is needed around the Gramm-Leach-Bliley Act exemption, Conroy said, and how it affects financial institutions collecting data through fintech services not covered by the act. She said California is currently dealing with this issue, as well. 

Despite the questions and concerns raised by potential privacy laws, Conroy does see demand for data privacy legislation.

“I think in light of the momentum where you have so many different groups urging legislators at federal, state and local levels – depending on who you’re talking to – urging them to adopt a comprehensive privacy law, I would be surprised if that momentum does not lead somewhere,” Conroy said. “Now, where it leads is the question.”

Massachusetts Data Privacy Bill Would Affect Banks

by Diane McLaughlin