On January 28, 2019, Senator Mike Crapo (R.-Id.), Chair of the Senate Committee on Banking, Housing, and Urban Affairs, published a column signaling his support for data privacy and security legislation in the 116th Congress.
In his column, Senator Crapo emphasizes what he sees as the “incredibly positive” developments associated with the development of technology, including increasing consumer choice, inclusion, and economic prosperity. However, he also highlights the increasing prevalence of data breach incidents and the lack of transparency associated with “big data analytics, data aggregation, and other technologies that make use of consumer data.”
He concludes that “[i]n order to fully embrace the immense benefits that can result from technological innovation, we must ensure proper safeguards are in place and consumers are fully informed.” Because of this, “[d]ata privacy and data security legislation will remain a priority in the 116th Congress,” and the Senate Banking Committee in particular will explore solutions to “give consumers more control over and enhance the protection of consumer financial data.”
Senator Crapo’s column comes on the heels of several bills that have recently been introduced in the Senate to address data protection issues, from both Democrats and Republicans. In particular, Senator Marco Rubio (R.-Fla.) introduced a privacy bill in January, and Senators Amy Klobuchar (D.-Minn.) and John Kennedy (R-La.) reintroduced their bipartisan bill in this Congress. Senators Brian Schatz (D-Hawaii) and Ron Wyden (D.-Ore.) introduced proposals last session.
The outlines of a possible compromise are still coming into view, but a key issue in the debates over data protection legislation is likely to be whether the law would preempt California’s new California Consumer Privacy Act (“CCPA”). As we have previously discussed, amendments to the CCPA exempted broad categories of consumer financial data under an exemption for data collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act, making the CCPA much less onerous for financial services companies. However, the full breadth of that exemption has not yet been defined, and certain financial data will fall outside the exemption.
Legislators will likely also debate whether a federal law should include rights to data access, data correction, data deletion, and data mobility (i.e., the right to transfer personal information to another business), and, if so, what forms those rights should take.
Senator Crapo’s column underscores both that data protection legislation will be a major focus of this Congress, and also the important implications such legislation could have for financial services companies, including banks, credit reporting agencies, and other nonbank financial institutions.