December 19, 2022
Looking back on 2022, there has been a considerable shift in the data privacy law landscape, from new data breach notification requirements to new comprehensive data privacy laws.
As new laws and regulations continue to develop, lawmakers and regulators are signaling that these laws are here to stay, and BIG changes are on the horizon. When it comes to processing consumer personal information, companies, financial institutions, and their service providers are expected to provide transparency and be accountable, and the law will continue to develop to reflect these expectations.
Generally, there are three main groups of data privacy laws and regulations that dominated the legislative cycle during 2022: (1) state data privacy laws, (2) federal data privacy laws, and (3) actions by regulatory agencies. This white paper will discuss each in turn.
At Baldini Lang LLC, we monitor and report on the ever-changing federal and state data privacy law landscape. If you are interested in our monthly data privacy law tracker, tracking the developing federal and state data privacy laws in the United States, contact us for more information.
State Data Privacy Laws
At the start of 2022, just three states had passed comprehensive data privacy laws: California, Colorado, and Virginia. While these laws share many elements, as industry leaders have analyzed at length, each takes a different approach to consumer data protection, and the scope and legal requirements of each law vary. In 2022, this confusing web of overlapping state data privacy requirements nearly doubled, with Connecticut and Utah adding laws to the mix. Nonetheless, these were not the only states making headlines, as the legislatures of 29 states and the District of Columbia considered data privacy proposals in 2022.
So, what does this mean for 2023? Only time will tell, but it’s a safe bet that we will see renewed efforts to pass legislation in the 27+ states that failed to do so during 2022. Until a federal law is passed that preempts these state laws, this web of data privacy laws and requirements will continue to expand. Companies, financial institutions, and their service providers should continue monitoring and implementing best practices from these state data privacy laws.
Federal Data Privacy Laws
The development of federal data privacy law has been much slower than that of state proposals. Very few bills have been introduced on the matter, and most of these proposals have been unable to gain enough traction to progress through Congress. However, with the introduction of the American Data Privacy and Protection Act (ADPPA) in the House on June 21, 2022, the tide appears to be changing. With bipartisan support, the ADPPA quickly advanced through subcommittee and committee markups early in the summer. Many believed this momentum might carry the bill across the finish line before the end of the year. While efforts to pass the ADPPA were ultimately unsuccessful, its impact and influence on the direction of data privacy law are here to stay. We will likely see the ADPPA and ADPPA-based bills return in Congress and in the state legislatures in 2023.
This may leave you wondering: What is the ADPPA? And how does it compare to other privacy laws? In short, the ADPPA is a massive proposal (over 100 pages long) for a comprehensive data privacy framework for businesses in the United States that would preempt existing state laws. The ADPPA contains many familiar concepts found in state laws and proposals, including individual rights to access, to know, to correct, to delete, and to data portability. It also provides a limited private right of action. But although the ADPPA shares components with many existing state laws, it also introduces many new concepts that state legislation has not yet explored and that will likely inspire new proposals among state legislatures. Nonetheless, if the ADPPA or any state copycat proposal is ever passed, there is a good chance that it will materially differ from the current draft of the ADPPA.
Actions by Regulatory Agencies
Although often overshadowed by the various legislative proposals for a comprehensive data privacy framework, without a doubt, the most significant data privacy news of 2022 came from the regulatory agencies. The Federal Deposit Insurance Corporation (FDIC) (and other major federal banking regulators), the National Credit Union Administration (NCUA), the Consumer Financial Protection Bureau (CFPB), and the Federal Trade Commission (FTC) have all made enormous strides in expanding their oversight of consumer data protections, and this is a trend that is likely to continue. Some of the significant actions by regulatory agencies during 2022 include the following:
- Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers. In November of 2021, the FDIC, the Office of the Comptroller of the Currency, and the Federal Reserve System issued a final rule that imposed new computer-security incident notification requirements on “banking organizations.” The rule requires banking organizations to notify their primary regulators within 36 hours in the event a “computer security incident” rises to the level of a “notification incident.” Notably, this rule also places direct obligations on service providers to notify banking organizations in the event of certain computer security incidents. The rule provided an effective date of April 1, 2022, and a mandatory compliance date of May 1, 2022.
- Cyber Incident Notification Requirements for Federally Insured Credit Unions. On July 21, 2022, the NCUA followed suit with the banking regulators and introduced a proposed rule with similar computer-security incident notification requirements for federally insured credit unions (FICUs). As currently drafted, the rule would require FICUs to notify the NCUA within 72 hours in the event a “cyber incident” rises to the level of a “reportable incident.”
- CFPB Invokes Dormant Authority to Examine Nonbank Companies Posing Risks to Consumers. In April of 2022, the CFPB announced that it is invoking its authority to supervise “fintechs” and other nonbank financial companies that may pose risks to consumers. The implications of this CFPB authority to regulate nonbanks are very broad, and the CFPB may easily use it to examine and regulate the data privacy controls and procedures of service providers for financial institutions, particularly those service providers that process personal information of consumers.
- Consumer Financial Protection Circular 2022-04: Insufficient data protection or security for sensitive consumer information. On August 11, 2022, the CFPB published a circular stating that financial companies, including “fintechs” and other nonbank companies, are at risk of violating the Consumer Financial Protection Act’s prohibition on “unfair acts or practices,” 12 U.S.C. 5536(a)(1)(B), if the company maintains inadequate security for sensitive consumer information. The circular thereby signals that the federal prohibition on unfair, deceptive, or abusive acts or practices (UDAAP) applies to the data privacy practices of companies generally.
- FTC Commercial Surveillance and Data Security Rulemaking. Also on August 11, 2022, the FTC issued an advance notice of proposed rulemaking (ANPR) requesting public comment on the “lax data security” and surveillance practices of commercial entities and the potential harm to consumers.
With these actions, the CFPB and other major banking regulators have left little doubt about the scope of their powers and their intent to directly supervise and examine the data practices of service providers of financial institutions. Similarly, the FTC’s ANPR strongly signals its intent to establish federal data security requirements for businesses that handle personal information. In 2023, we will likely see these federal regulatory agencies build on these actions and continue expanding their oversight and regulation of data security of financial institutions, their service providers, and all other companies that may process consumers’ personal information.
Contact us for more information.
Baldini Lang LLC has extensive experience working with data privacy laws and assisting clients in mapping out the steps they must take to comply with minimum requirements to best practice standards. We also monitor and report on the ever-changing federal and state data privacy law landscape. Contact us for more information.
© 2024 Baldini Lang LLC. This material is a general update from Baldini Lang LLC and is not intended as, nor should be considered, legal advice. To obtain legal advice from Baldini Lang LLC, you must first establish an attorney-client relationship with the firm in writing. This material may not be used by any party in any manner without the express written permission of Baldini Lang LLC, PO Box 270746, West Hartford, Connecticut 06127.