The financial technology (“Fintech”) industry has boomed over the past decade, from the rise of mobile payment apps, robo-advisors, lending platforms and consumer-friendly brokerages to cryptocurrency trading platforms. By their very nature, many Fintech companies handle highly sensitive personal and financial information for consumers and, as a result, face a range of privacy issues and legal obligations. In the United States, rather than a single federal set of regulations governing all personal information, there are several different laws and regulations that impose different privacy and data security requirements on different sectors or jurisdictions. In addition to these federal laws, Fintechs must also be aware of the requirements under the ever-growing patchwork of state data protection laws. This article provides an overview of US state data protection laws and the exceptions for federally regulated data that may apply to Fintechs.
We have included a brief overview of the Gramm-Leach-Bliley Act (“GLBA”) and the Fair Credit Reporting Act (“FCRA”) below. For a fuller discussion of Fintechs’ obligations under these federal laws, see our article on “What Fintech companies need to know about key federal privacy requirements”.
GLBA regulates all collection, use and disclosure of personal financial information. GLBA’s financial privacy provisions apply to financial institutions, which are defined as businesses that are “significantly engaged” in “financial activities”, as well as businesses whose services facilitate financial operations on behalf of financial institutions. What constitutes a financial activity has been widely interpreted; therefore, many Fintechs are likely to be subject to the GLBA.
The GLBA preempts state laws only to the extent that compliance with a state law would be “inconsistent with” the requirements of the GLBA. A state law is not considered “inconsistent” if it provides consumers with “greater protection” than that provided under the GLBA. Therefore, Fintechs subject to the GLBA must comply with state data protection laws as long as the state law provides greater protection and does not expressly provide an exception. Such exceptions in specific state data protection laws are discussed below.
The FCRA limits the circumstances under which consumer credit information can be used and gives consumers the right to know what information is used and when it adversely affects them. The FCRA is very broad and covers a multitude of data types used to make eligibility decisions about consumers. Some Fintechs, such as lead generators, data aggregators and debt collectors, as well as those that use algorithms to make a decision about consumers, may also be subject to the FCRA if their services are used to facilitate decision-making about consumers’ eligibility for credit, housing, employment and other qualification purposes.
Exemption from state law
State data protection laws in the United States (so far, California, Virginia, Colorado, Utah, Connecticut, and Nevada) provide carve-outs for the GLBA and FCRA. However, these exceptions work in different ways: some apply to types of entities, others to types of data, and others to specific uses of certain types of data. Fintechs need to understand the intricacies of these carve-outs to determine which laws apply and in which contexts.
Unlike the other four state laws, California’s CCPA/CPRA does not contain any institutional or entity-level exemptions, exempting only specific information subject to the GLBA and FCRA. The data protection laws enacted by other states (Virginia, Colorado, Utah, Connecticut, and Nevada) include entity-level exemptions for institutions subject to the GLBA, but only data-level exemptions for specific information subject to the FCRA. A Fintech that determines that it is subject to the GLBA will therefore not need to conduct a separate scoping exercise to determine its obligations under these state laws. However, if a Fintech is not subject to the GLBA and maintains data under the FCRA, it may have to comply with all other requirements of those state laws, as only the specific data processed under the FCRA (not the institution) is exempt. These exceptions are discussed in detail below.
Note that there may be cases where an exception only partially applies to information that is collected and processed. For example, where a Fintech collects information from a person who is not applying for a financial product or financial service (e.g., website visitors or contest entrants), such information may fall outside the scope of the GLBA exemption under the CCPA/CPRA and thus fall back within the scope of the CCPA/CPRA’s generally applicable provisions. Furthermore, the GLBA and FCRA do not govern the collection of information from, or about, an enterprise’s employees and business-to-business (“B2B”) contacts, which is within the scope of the CPRA.
Importantly, the CCPA/CPRA is the only state data protection law that currently includes a private right of action. With potential statutory damages ranging from $100 to $750 per consumer per incident and breaches often involving hundreds of thousands or millions of users, the private right of action can lead to massive financial and reputational consequences for Fintechs that fail to protect their customers’ data.
California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”)
The CCPA is currently the only comprehensive consumer data protection law in the United States. The CPRA (effective January 1, 2023) significantly amends and strengthens the requirements of the CCPA.
Specifically, beginning January 1, 2023, the CPRA will cover personal information about employees (including job applicants, controlling owners, directors, officers, medical staff, and independent contractors) and B2B contacts (i.e., information that reflects a communication or transaction between a covered business and the employees of a third-party entity).
The CCPA contains a partial exemption for information collected by financial institutions where the specific data is collected “pursuant to” the GLBA, while the CPRA revises the exemption for financial information to apply to personal information “subject to” rather than collected under the GLBA. Such information is exempt from the privacy requirements of the CCPA/CPRA, except for the private right of action for a data breach, which still applies. However, information collected by financial institutions that is not “subject to” the GLBA will still be subject to the requirements under the CCPA/CPRA.
The CCPA/CPRA exempts the “sale of personal information to or from a consumer reporting agency” if this information is to be reported in, or used to generate, a consumer report and the use of the information is restricted by the FCRA. Again, this is not an entity-level exemption; it applies only to the extent that the personal data is subject to the FCRA and is used as authorized by the FCRA. As with the GLBA exemption, the CCPA/CPRA makes clear that any activity governed by the FCRA is exempt from all obligations and restrictions set forth in the CCPA/CPRA except for the private right of action for data breaches, meaning that consumers can still sue businesses for a cybersecurity breach caused by the business’s failure to implement and maintain reasonable security procedures.
See Orrick’s CCPA and CPRA compliance tips here.
Virginia Consumer Data Protection Act (“VCDPA”)
Virginia became the second US state to enact comprehensive data protection legislation when it enacted the VCDPA in March 2021. The law takes effect on January 1, 2023.
Like the CCPA/CPRA, the VCDPA exempts specific data processed under the FCRA. However, instead of only exempting the personal information subject to the GLBA, the VCDPA also exempts financial institutions and their affiliates subject to the GLBA. See Orrick’s general VCDPA compliance tips here.
Colorado Privacy Act (“CPA”)
Colorado became the third US state to enact comprehensive data protection legislation with the passage of the CPA, which takes effect on July 1, 2023. The CPA mirrors the VCDPA and contains an exemption that not only covers data governed by the GLBA, but also financial institutions and their affiliates subject to and in compliance with GLBA. The CPA also exempts specific “activities” regulated by the Fair Credit Reporting Act. See Orrick’s general tips for CPA compliance here.
Utah Consumer Privacy Act (“UCPA”)
Utah became the fourth state to enact comprehensive data protection legislation with the passage of the UCPA in March 2022. The UCPA takes effect on December 31, 2023. Like the VCDPA and the CPA, the UCPA contains an exemption covering both financial institutions and their affiliates subject to the GLBA as well as specific personal information collected pursuant to the GLBA. The UCPA also exempts specific personal information subject to the FCRA.
Connecticut Data Privacy Act (“CTDPA”)
On May 10, 2022, Connecticut became the fifth US state with comprehensive data protection legislation with the passage of the CTDPA. The CTDPA takes effect on July 1, 2023. The CTDPA similarly exempts financial institutions and data covered by the GLBA, while exempting only specific personal information subject to the FCRA.
Nevada Privacy Law (“NPL”)
In 2021, Nevada passed an amendment to significantly expand the scope of its existing online privacy law, the NPL. These changes went into effect on October 1, 2021. The NPL governs the collection of personal information by websites and includes a carve-out for both the GLBA and the FCRA. The NPL exempts personally identifiable information regulated by the FCRA, while it exempts all financial institutions and their affiliates subject to the GLBA, as well as “any personally identifiable information regulated by” the GLBA. See Orrick’s general tips for NPL compliance here.
What will be next?
Fintechs may collect and process data outside the scope of the GLBA and FCRA alongside other non-exempt data, including personal information about employees and B2B contacts as well as personal information related to browsing data, geolocation, data collected as part of marketing activities, or data collected when an investor downloads an annual report. Since many Fintechs are likely to be subject to the GLBA and FCRA, these companies may be at least partially exempt from the requirements of the US state data protection laws discussed above. However, such companies will likely have to comply with certain parts of state data protection laws, such as notice, disclosure and opt-out obligations. In particular, the GLBA and FCRA exceptions do not apply to CCPA/CPRA private actions for damages arising from data breaches. This reinforces the need to adequately protect personal and financial information, given the potentially huge legal and financial consequences that can result from a data breach.
Regardless, Fintechs should carefully consider whether they are a regulated entity under the GLBA and FCRA and then determine the extent to which they (or the data they process) may be subject to the exemptions under state data protection laws. With new state data protection laws coming into effect in 2023, and regulations under those laws that may affect the relevant exemptions still to come, now is the time to assess requirements under both federal and state law and develop an effective compliance program that is scalable and flexible in light of the ever-changing US privacy landscape. Building compliance efforts into products through Privacy-By-Design and across organizational policies will enable Fintechs to better serve customers and avoid costly regulatory actions.
The authors wish to extend special thanks to summer associate Vertis McMillan of Fordham University School of Law ’23 for contributing to this work.