July 01, 2020

NAFCU reiterates call for GLBA exemption to ULC's data privacy law

data securityNAFCU and several other organizations Tuesday sent additional comments to the Uniform Law Commission (ULC) on its updated draft of the proposed Collection and Use of Personally Identifiable Data Act reiterating that the drafting committee should include an exemption for Gramm-Leach-Bliley Act (GLBA)-covered financial institutions.

The drafting committee, created by the ULC to create a uniform data privacy and security law, released the updated draft at its May meeting. As states consider their own data security and privacy standards, this draft law will serve as an important model to promote a uniform state law. 

"Data privacy and security legislation are critical in an increasingly digital world and, while we recognize the necessity of such legislation, a balance must be struck between consumer protections and workability of the provisions in such bills by business," the groups wrote in the letter sent Tuesday. "It is in the interest of all consumers that laws in this arena are written with a clear understanding of the issues, are forward-thinking with respect to advancing technologies, and are not designed to be punitive for businesses that act in good faith."

The letter explicitly details financial institutions' compliance with the GLBA and why this exemption should be included in the ULC's act, and also calls for an exemption for data covered by the Fair Credit Reporting Act.

In addition, the groups highlight concerns about proposed enforcement, arguing that "enforcement policy must be implemented in a way that accounts for society's interests in privacy and innovation," and about reverting certain already publicly-available data to private information.

NAFCU has continuously advocated for a national privacy and data security standard so credit unions are not subject to multiple privacy frameworks and will continue to monitor the committee's efforts and provide feedback on the drafted laws, both in writing and at meetings, to reflect credit unions' needs on this issue.

NAFCU is a leader in calling for uniform, national data security and privacy standards. The association has a whitepaper that outlines a set of six key data privacy principles.

The association has urged the California attorney general to exempt credit unions from the state's privacy law – which took effect Jan. 1 – as the industry already complies with the GLBA. It also recently reiterated its call for a national data security and privacy standards to Congress.

NAFCU will continue to advocate for uniform federal standards – not a patchwork of state privacy laws.