November 22, 2022

NAFCU reiterates CUs’ data privacy, security stance to FTC

As the Federal Trade Commission (FTC) seeks public feedback on commercial surveillance and data security issues, NAFCU advised the commission to “abstain from all further data privacy-related rulemaking efforts until Congress passes the comprehensive federal data privacy legislation necessary to meet the challenges of the contemporary data privacy risk environment.”

NAFCU has long advocated for comprehensive federal data privacy standards through its six data privacy principles. Credit unions for decades have complied with robust data privacy and security standards under the Gramm-Leach-Bliley Act (GLBA).

The association wrote the FTC in response to its advance notice of proposed rulemaking (ANPR) on whether the commission should implement new regulations and/or pursue regulatory alternatives that address ways in which companies may unfairly or deceptively collect, use, share, sell, or otherwise monetize consumer data.

In addition to urging the commission to refrain from rulemaking on this issue, NAFCU reiterated its position that the NCUA should be credit unions’ primary data privacy regulator. Though the NCUA oversees federal credit unions’ compliance with the GLBA, the FTC oversees GLBA compliance at state-chartered credit unions that are not federally insured.

The ANPR suggests a rulemaking designed to regulate the collection and use of consumers’ data across the entire economy, and the NAFCU-opposed American Data Privacy and Protection Act (ADPPA) could provide the FTC broad authority to implement and enforce new data privacy and data security standards, including over credit unions.

The association has repeatedly told Congress that any comprehensive legislation must also recognize the robust federal data privacy standards that have been in place for decades, including the GLBA, and should avoid conflicting or duplicative disclosure requirements by incorporating easy-to-understand language consistent with the GLBA’s disclosure requirements.

NAFCU will continue to advocate for a national data security standard that requires fintechs and other companies to follow the same robust data privacy and data security standards as credit unions.