Bloomberg News
Financial technology companies want lawmakers to preempt state privacy laws by amending the Gramm-Leach-Bliley Act, which prohibits the disclosure of information to any third party unless the consumer is provided notice and an opportunity to opt out.
On Tuesday, the American Fintech Council sent a comment letter to the House Financial Services Committee and the Subcommittee on Financial Institutions. In July, lawmakers requested public comment on potential changes to the Gramm-Leach-Bliley Act of 1999. The deadline for submitting comments was August 28.
The American Fintech Council is lobbying for lawmakers to preempt state privacy laws with both entity-level and data-level exemptions to state laws as well as liability for data breaches. The trade group does not want any restrictions on the secondary use of data, which is fundamental to the business models of most fintechs.
Both banks and fintechs are already subject to the privacy requirements of GLBA. An entity- level exemption means any financial institution subject to the requirements of GLBA would be exempt from the new law, while data-level means financial data governed by GLBA would also be exempt from state rules.
“Data and its movement, both inside and outside of the financial services industry has grown and developed significantly in the years since GLBA’s passage,” wrote Ian P. Moloney, a senior vice president and head of policy and regulatory affairs at the fintech trade group. “As the Committee considers legislative efforts to modernize the federal approach to data privacy, it should ensure that consumers receive adequate disclosures regarding the use of their data and that financial services companies are able to use that data to effectively serve current and future consumers.”
Maloney also said that “any modern data privacy law should limit the liability to the entity whose systems were breached.”
Currently, 20 states have passed data privacy laws. The fintech trade group is lobbying for Congress to make changes that would preempt the European Union’s General Data Protection Regulation and the California Consumer Privacy Act, which the trade group claims “have caused responsible companies both inside and outside of financial services to modify their data practices in an effort to comply with these laws.”
The trade group specifically highlighted California’s Delete Request and Opt-Out Platform, or DROP, Act that passed in 2023, and goes into effect next year. The law expands the definition of “data broker,” to include companies that collect information directly from consumers to provide requested services. The law requires the California Privacy Protection Agency to create a platform that allows consumers to request that data brokers delete their information through a single request. The so-called DROP platform is expected to launch by January 1, 2026, with data brokers obligated to comply by August 1, 2026.
