An Update on State Data Privacy Laws
Are These Laws Preempted?
As credit unions know, federal law often preempts state law. So, does the GLBA and Regulation P preempt these new state privacy laws? Generally, no they do not preempt the state laws. Section 1016.17 of Regulation P provides that “[t]his part shall not be construed as superseding, altering, or affecting any statute, regulation, order, or interpretation in effect in any state, except to the extent that such state statute, regulation, order, or interpretation is inconsistent with the provisions of this part, and then only to the extent of the inconsistency.”
As noted in the section, a state law is only preempted to the extent that it is inconsistent with the GLBA and Regulation P. The section further states that a state law providing greater protection is not inconsistent with Regulation P. This means that, generally, most state laws are unlikely to be preempted by the GLBA and Regulation P. However, credit unions may want to note that some state privacy laws exclude financial institutions or information that are already covered by the GLBA.
Does Your Credit Union have to Comply?
State privacy laws are usually concerned about their own citizens and their privacy laws won’t affect a credit union’s transactions with citizens of another state. As such, credit unions may want to review whether they have members residing in states that have passed a data privacy law. Credit unions should also be careful of their CUSOs. Under California’s privacy law, a credit union can be dragged into California’s sphere of influence if their CUSO does business in California. Further, as noted above, some laws exclude financial institutions.
What States Have Enacted Data Privacy Laws?
As of October 11th, twelve states have enacted data privacy laws. These are:
· Utah; and
Of the above, only four of the twelve states laws are currently in effect. The first, California, has two separate Acts. The first is the California Consumer Privacy Act, which became effective in 2020. The second, which amended the CCPA, is the California Privacy Rights Act which became effective on January 1, 2023. The second state with an active law is Virginia. Virginia’s law, the Virginia Consumer Data Protection Act became effective on January 1, 2023. The third and fourth, Colorado and Connecticut’s laws became effective on July 1, 2023.
For the other states, Delaware’s law becomes effective on January 1, 2025, Indiana’s on January 1, 2026, Iowa’s on January 1, 2025, Montana’s on October 1, 2024, Oregon’s on July 1, 2024, Tennessee’s on July 1, 2025, Texas’ on July 1, 2024, and Utah’s on December 31, 2023.
Beyond the above twelve states, credit unions should note that states continue to pass data privacy laws and the legal landscape is in constant flux. Credit unions that would like to keep track of state data privacy laws, should review IAPP’s state privacy legislation tracker for more up to date information.
🚀 Secure Your Spot Now! NAFCU’s 2024 Regulatory Compliance School is Open for Enrollment
This conference was a rapid sell-out in 2023! Don't miss the chance to join industry peers in Arlington, VA from March 18 - 22, 2024, for a comprehensive dive into CU compliance from A to Z. Earn your NAFCU Certified Compliance Officer (NCCO) credential upon passing optional exams.
🎯 Online Compliance Training Subscriptions: For just one price, your entire credit union receives access to over 40 hot-topic compliance webinars per year, so your team can master challenges like BSA, data security, risk management, loss prevention, and more. Learn more.
About the Author
Keith Schostag joined NAFCU as regulatory compliance counsel in February 2021. In this role, Keith assists credit unions with a variety of compliance issues.