Improvements Needed for CUs in Data Privacy Legislation

America’s Credit Unions asks lawmakers for adjustments to a proposed data privacy law.

Ten days after bipartisan legislation was unveiled to address data privacy, officials with America’s Credit Unions filed a letter expressing their general approval of the legislation but highlighting areas of concern for the credit union industry.

The American Privacy Rights Act (APRA) was introduced by Rep. Cathy McMorris Rodgers (R-Wash.) and Sen. Maria Cantwell (D-Wash.) on April 7 and would establish national consumer data privacy rights and set standards for data security. According to the draft legislation, the bill “would require covered entities to be transparent about how they use consumer data and give consumers the right to access, correct, delete and export their data, as well as opt out of targeted advertising and data transfers.”

In a joint statement, Rep. Rodgers and Sen. Cantwell said, “This bipartisan, bicameral draft legislation is the best opportunity we’ve had in decades to establish a national data privacy and security standard that gives people the right to control their personal information.”

In a letter sent to lawmakers on Wednesday ahead of a House Energy and Commerce subcommittee meeting, America’s Credit Unions President/CEO Jim Nussle supported “the idea of a national data security and data privacy regime that includes robust security standards that apply to all who collect or hold personal data and is preemptive of state laws.”

Nussle also said the legislation falls short and suggested three areas he hoped could be addressed to better help credit unions. Those areas included the following:

Gramm-Leach-Bliley Act (GLBA) Exemption

Nussle wrote, “We are concerned that the bill does not have an entity-level exemption for those in compliance with the GLBA, but instead creates a data-level GLBA exemption. While this would provide some exemption for credit unions from a number of the bill’s provisions, it may not address certain new requirements that lack any comparable analogue in either the GLBA or the Fair Credit Reporting Act (FCRA), such as data portability. The data-level exemption in the bill, unlike an entity-level exemption, will only apply to the extent the GLBA addresses certain uses of data.

“This is concerning, as the language of the APRA could be construed as capturing both federal and state-chartered credit unions, as well as credit union service organizations (CUSOs) under its current language, creating significant new burdens on the credit union industry. We would urge changes to strengthen the GLBA exemption to an entity level to include all credit unions before moving forward.”

Federal Preemption

According to Nussle, the APRA “would generally preempt state privacy and data security laws,” but he said there is concern about some exemptions that exist in current state laws.

“By far the most problematic of these exceptions to preemption are state laws addressing unfair or unconscionable practices — a catchall that could be used to erode the entire purpose of a uniform federal standard and preemption through incremental expansions of state authority over practices deemed unfair to consumers,” he wrote.

Private Right of Action

America’s Credit Unions sees a broad private right of action covering most of the APRA, and Nussle said this could expose credit unions to frivolous lawsuits. “Individuals could be awarded actual damages, injunctive relief, declaratory relief, and reasonable attorney fees and litigation costs,” Nussle wrote. “While a covered entity would have the opportunity to cure actions or violations in response to a claim for injunctive relief with 30-days’ notice, the notice requirement would be waived in cases involving substantial harm (which could be overly broad). We are concerned that this could still lead to frivolous legal action given the exceptions.”