An update on state data privacy laws

In 1999, the Gramm-Leach-Bliley Act (GLBA) created a federal data privacy rule. This rule, implemented by Regulation P, governs how financial institutions can share a consumer’s information. Specifically, Regulation P requires that a financial institution disclose its privacy policy and, with some exceptions, gives a consumer the ability to opt out of the institution’s sharing of their nonpublic personal information. For years, the GLBA and Regulation P were the only game in town. However, this has begun to change. Recently, states have been passing their own data privacy laws to further protect their own citizens.

Are these laws preempted?

As credit unions know, federal law often preempts state law. So, do the GLBA and Regulation P preempt these new state privacy laws? Generally, no, they do not. Section 1016.17 of Regulation P provides that “[t]his part shall not be construed as superseding, altering, or affecting any statute, regulation, order, or interpretation in effect in any state, except to the extent that such state statute, regulation, order, or interpretation is inconsistent with the provisions of this part, and then only to the extent of the inconsistency.”

As noted in the section, a state law is only preempted to the extent that it is inconsistent with the GLBA and Regulation P. The section further states that a state law providing greater protection is not inconsistent with Regulation P. This means that, generally, most state laws are unlikely to be preempted by the GLBA and Regulation P. However, credit unions may want to note that some state privacy laws exclude financial institutions or information that is already covered by the GLBA.

