NAFCU Journal, July–August 2023

COMPLIANCE CENTRAL: AN UPDATE ON STATE DATA PRIVACY LAWS
By Keith Schostag, NAFCU Senior Regulatory Compliance Counsel

In 1999, the Gramm-Leach-Bliley Act (GLBA) created a federal data privacy rule. This rule, implemented by Regulation P, governs how financial institutions may share a consumer’s information. Specifically, Regulation P requires a financial institution to disclose its privacy policy and, with some exceptions, to give consumers the ability to opt out of the institution sharing their nonpublic personal information. For years, the GLBA and Regulation P were the only game in town. However, this has begun to change. Recently, states have passed their own data privacy laws to further protect their own citizens.

Are These Laws Preempted?

As credit unions know, federal law often preempts state law. So, do the GLBA and Regulation P preempt these new state privacy laws? Generally, no, they do not. Section 1016.17 of Regulation P provides that “[t]his part shall not be construed as superseding, altering, or affecting any statute, regulation, order, or interpretation in effect in any state, except to the extent that such state statute, regulation, order, or interpretation is inconsistent with the provisions of this part, and then only to the extent of the inconsistency.” In other words, a state law is preempted only to the extent that it is inconsistent with the GLBA and Regulation P, and the section further explains that a state law providing greater protection is not inconsistent with Regulation P. This means that most state privacy laws are unlikely to be preempted by the GLBA and Regulation P. However, credit unions should note that some state privacy laws exclude financial institutions, or information, already covered by the GLBA. Whether a given state exempts the institution as a whole or only the GLBA-covered data makes a practical difference, since in the latter case member data that falls outside the GLBA may still be subject to the state law.

Does Your Credit Union Have to Comply?

State privacy laws are generally concerned with the privacy of the state’s own residents, so a state’s law will not usually reach a credit union’s transactions with residents of another state. As such, credit unions may want to review whether they have members residing in states that have passed a data privacy law. Credit unions should also be mindful of their Credit Union Service Organizations (CUSOs). Under California’s privacy law, a credit union can be drawn into California’s sphere of influence if its CUSO does business in California.

What States Have Enacted Data Privacy Laws?

As of early May, seven states have enacted data privacy laws. These are:

■ California;
■ Colorado;
■ Connecticut;
■ Indiana;
■ Iowa;
■ Virginia; and
■ Utah.

Of the above seven, only two states’ laws are currently in effect. The first, California, has two separate acts. The first is the California Consumer Privacy Act (CCPA), which became effective in 2020. The second, which amended the CCPA, is the California Privacy Rights Act, which became effective January 1, 2023. The second state with an active law is Virginia. Virginia’s law, the Virginia Consumer Data Protection Act, became effective January 1, 2023. For the other states, three become effective this year: the Colorado Privacy Act and the Connecticut Data Privacy Act on July 1, and the Utah Consumer Privacy Act on December 31. The Iowa Consumer Data Protection Act becomes effective January 1, 2025, and, finally, Indiana’s Data Privacy Act takes effect January 1, 2026.

Beyond the above seven states, credit unions should note that states continue to pass data privacy laws and the legal landscape is in constant flux. Credit unions that would like to keep track of state data privacy laws should review IAPP’s state privacy legislation tracker for more up-to-date information.
