The financial technology (“Fintech”) industry has boomed over the last decade, from mobile payment apps, robo-advisers, lending platforms and consumer-friendly brokerages to cryptocurrency trading platforms. By their nature, many Fintech companies deal with highly sensitive consumer personal and financial information and face a host of privacy concerns and legal obligations that flow therefrom. In the United States, instead of a single federal regulatory framework governing all personal information, there are several different laws and regulations that impose various privacy and data security requirements on different sectors or jurisdictions. In addition to these federal laws, Fintechs must also remain aware of requirements under the ever-expanding patchwork of state data protection laws. This article provides an overview of U.S. state data protection laws and the carve-outs for federal laws that may be applicable to Fintechs.
We’ve included a brief overview of the Gramm-Leach-Bliley Act (the “GLBA”) and the Fair Credit Reporting Act (the “FCRA”) below. For a more complete discussion of Fintechs’ obligations under these federal laws, see our article on “What Fintech Companies Need to Know About Key Federal Privacy Requirements”.
The GLBA regulates all collection, usage, and disclosures of personal financial information. The GLBA’s financial privacy provisions apply to financial institutions, which are defined as businesses that are “significantly engaged” in “financial activities,” as well as businesses whose services facilitate financial operations on behalf of financial institutions. What constitutes a financial activity has been construed broadly; therefore, many Fintechs are likely subject to the GLBA.
The GLBA preempts state laws only to the extent that compliance with a state law would be “inconsistent with” the requirements of the GLBA. A state law is not considered “inconsistent” if it provides consumers with “greater protection” than that provided under the GLBA. Thus, Fintechs subject to the GLBA must comply with state data protection laws so long as the state law provides greater protection and does not expressly provide an exemption. Such exemptions in specific state data protection laws are discussed below.
The FCRA limits the circumstances under which consumer credit information may be used, and grants consumers the right to know what information is being used and when it impacts them negatively. The FCRA is very broad and covers a plethora of data types used to make eligibility decisions about consumers. Some Fintechs, such as lead generators, data aggregators, and debt collectors, as well as those that use algorithms to make a decision about consumers, may also be subject to the FCRA if their services are used to facilitate decision-making about consumers’ eligibility for credit, housing, employment, and other eligibility purposes.
U.S. state data protection laws (thus far, California, Virginia, Colorado, Utah, Connecticut, and Nevada) provide carve-outs for the GLBA and FCRA. However, these exemptions function in different ways, some applying to types of entities, others to types of data, others to specific uses of certain types of data. Fintechs need to understand the intricacies of these carve-outs to understand which laws apply and in which contexts.
Unlike the other state laws discussed here, California’s CCPA/CPRA does not contain any institutional or entity-level exemptions, exempting only specific information subject to the GLBA and FCRA. The data protection laws passed by other states (Virginia, Colorado, Utah, Connecticut, and Nevada) include entity-level exemptions for institutions subject to the GLBA, but only data-level exemptions for specific information subject to the FCRA. Thus, a Fintech that determines it is subject to the GLBA will not need to undertake a separate scoping exercise to assess any requirements under these state laws. However, if a Fintech is not subject to the GLBA and maintains data pursuant to the FCRA, it may need to comply with all other requirements in these state laws, as only the specific data processed pursuant to the FCRA (not the institution) is exempted. These exemptions are discussed in detail below.
Note that there may be instances where an exemption only partially applies to information collected and processed. For example, where a Fintech collects information from an individual who is not applying for a financial product or service (e.g., website visitors or sweepstakes participants), such information may fall outside the scope of the GLBA exemption under the CCPA/CPRA and so fall back into the scope of the CCPA/CPRA’s generally applicable provisions. Further, the GLBA and FCRA don’t govern the collection of information from, or about, a business’s employees and business-to-business (“B2B”) contacts, which are in scope for the CPRA.
Importantly, the CCPA/CPRA is the only state data protection law that currently includes a private right of action. With potential statutory damages ranging from $100 to $750 per consumer per incident and breaches often involving hundreds of thousands or millions of users, the private right of action could lead to massive financial and reputational consequences for Fintechs who fail to protect their customers’ data.
The CCPA is currently the only comprehensive consumer data protection law in effect in the United States. The CPRA (effective on January 1, 2023) substantially amends and amplifies the requirements of the CCPA.
Notably, as of January 1, 2023, CPRA will include in its scope personal information of employees (including job applicants, controlling owners, directors, officers, medical staff members, and independent contractors) and B2B contacts (i.e., information reflecting a communication or transaction between a covered business and the employees of a third-party entity).
The CCPA contains a partial exemption for information collected by financial institutions where the specific data is collected “pursuant to” the GLBA, whereas the CPRA revises the financial information exception to apply to personal information “subject to,” rather than collected pursuant to, the GLBA. Such information is exempt from the privacy requirements of the CCPA/CPRA except the private right of action for a data breach, which still applies. However, information collected by financial institutions that is not “subject to” the GLBA remains subject to the requirements of the CCPA/CPRA.
The CCPA/CPRA exempts “the sale of personal information to or from a consumer reporting agency” if that information is to be reported in, or used to generate, a consumer report and the use of the information is limited by the FCRA. Like the GLBA exemption, this is not an entity-level exemption: it applies only to the extent that the personal information is subject to the FCRA and is used as authorized by the FCRA. Also as with the GLBA exemption, the CCPA/CPRA makes clear that all activity governed by the FCRA is exempt from all obligations and restrictions set forth in the CCPA/CPRA except the data breach private right of action, meaning that consumers can still sue businesses for a cybersecurity breach caused by the business’s failure to implement and maintain reasonable security procedures.
See Orrick’s tips for compliance with the CCPA and CPRA here.
Virginia became the second U.S. state to enact comprehensive data protection legislation when it passed the VCDPA in March 2021. The law will become effective on January 1, 2023.
Like the CCPA/CPRA, the VCDPA exempts specific data processed pursuant to the FCRA. However, instead of only exempting the personal information subject to the GLBA, the VCDPA also fully exempts financial institutions and their affiliates that are subject to the GLBA. See Orrick’s general tips for compliance with the VCDPA here.
Colorado became the third U.S. state to enact comprehensive data protection legislation with the passage of the CPA, which will go into effect on July 1, 2023. The CPA mirrors the VCDPA and contains an exemption that covers not only data governed by the GLBA but also financial institutions and their affiliates subject to and in compliance with the GLBA. The CPA also exempts specific “activities” regulated by the FCRA. See Orrick’s general tips for compliance with the CPA here.
Utah became the fourth state to enact comprehensive data protection legislation with the passage of the UCPA in March 2022. The UCPA will take effect on December 31, 2023. The UCPA, like the VCDPA and CPA, contains an exemption that covers both financial institutions and their affiliates subject to the GLBA as well as specific personal information collected pursuant to the GLBA. The UCPA also exempts specific personal information subject to the FCRA.
On May 10, 2022, Connecticut became the fifth U.S. state with comprehensive data protection legislation with the passage of the CTDPA. The CTDPA will go into effect on July 1, 2023. The CTDPA similarly exempts financial institutions and data covered by the GLBA while only exempting specific personal information subject to the FCRA.
In 2021, Nevada enacted an amendment to significantly expand the scope of its existing online privacy law, the NPL. These amendments became effective on October 1, 2021. The NPL governs the collection of personal information by websites and includes a carve-out for both the GLBA and the FCRA. The NPL exempts personally identifiable information regulated by the FCRA while fully exempting all financial institutions and their affiliates who are subject to the GLBA as well as “any personally identifiable information regulated by” the GLBA. See Orrick’s general tips for compliance with the NPL here.
Fintechs may collect and process data outside the scope of the GLBA and FCRA in conjunction with other nonexempt data, including personal information of employees and B2B contacts as well as personal information related to website browsing data, geolocation, data collected as part of marketing activities, or data collected when an investor downloads an annual report. Since many Fintechs are likely subject to the GLBA and FCRA, these companies may be at least partially exempt from the requirements of the U.S. state data protection laws discussed above. However, such companies will likely need to comply with certain portions of state data protection laws such as notice, disclosure, and opt-out obligations. Notably, the GLBA and FCRA exemptions do not apply to the CCPA/CPRA’s private right of action for damages arising from data breaches. This amplifies the need to adequately protect personal and financial information due to the possibility of enormous legal and financial consequences that could result from a data breach.
Regardless, Fintechs should carefully evaluate if they are a regulated entity under the GLBA and FCRA and then determine the degree to which they (or the data they process) may be subject to the exemptions under state data protection laws. With new state data protection laws going into effect in 2023 and regulations under these laws that may impact the relevant exemptions forthcoming, the time is now to assess requirements under both federal and state law and to develop an effective compliance program that is scalable and flexible in light of the ever-changing U.S. privacy landscape. Building compliance efforts into products through Privacy-By-Design and across organizational policies will allow Fintechs to better serve clients and avoid costly regulatory actions.
The authors wish to give special thanks to summer associate Vertis McMillan of Fordham University School of Law ’23 for contributing to this piece.