BID® Daily Newsletter
Apr 14, 2021

BID® Daily Newsletter

Apr 14, 2021

Update: State Online Data Privacy Laws

Summary: Online data collection is becoming an increasingly important issue, further intensified by the pandemic and digital banking. Instead of waiting on the sidelines for the federal government to take action, a number of states have begun passing their own privacy laws. We highlight some of the current laws in existence and what laws are coming.

Did you know that it is illegal to use blasphemy in the state of MI? Or that it is against the law to swear at a sporting event in MA, if you are 16 years or older? And that dance halls are not allowed to be open on Sundays in SC? There is no shortage of laws that are still on the books within individual states past their intended use. Of course, many of these laws are no longer enforced. But while states may now overlook some of these more outdated laws, don’t expect that to be the case when it comes to emerging state data privacy laws regarding online data collection.
Online data collection is becoming an increasingly important issue as countless organizations now store not only birth dates, ID information, contact data, and social security information, but also people’s biometric information, such a fingerprint scans. The importance of privacy was further intensified by the pandemic, as various organizations collect and manage health data in order to test and vaccinate large groups of people.
Instead of waiting on the sidelines for the federal government to take action, a handful of states have begun to follow the lead of the UK’s Data Protection Act 2018 and Europe’s Payment Services Directive 2 (PSD2) by creating their own rules and regulations designed to ensure the safety of consumer data collected electronically. As a result, community financial institutions (CFIs) should be aware of the status of these regulations, based on where they are located and where their customers are. Action at the state level is likely to result in significant inconsistencies between the rules and regulations making their way down the pipeline so make sure you have your regulatory and legal teams involved as well.
So far, data collection laws have already been passed or are in the works in AL, AZ, CA, CT, IL, KY, ME, NV, NY, OK, UT, VT, VA, and WA. Others are sure to follow too.
The gold standard, so far
IL was the first state to take action by implementing its Biometric Information Privacy Act in 2008, which allows the state’s residents to take legal action against organizations that collect an individual’s biometric data without first getting their consent. Later, CA picked up the ball and took things farther with the passage of its California Consumer Privacy Act (CCPA) in 2018 and its subsequent amendment in the form of the California Privacy Rights Act of 2020. The CCPA, largely based on the regulations outlined in the General Data Protection Regulation that Europe passed in 2016, allows people to inquire about any digital data that is collected on them and have the information deleted. The California Privacy Rights Act created the California Privacy Protection Agency, a governing body that people can use to file suit against companies that violate the regulations.
Several new laws expected in 2021
At present, MN, OK, VA, and WA are on track to pass laws of their own this year. Here is what to expect from them. 
  • The Oklahoma Computer Data Privacy Act would require internet technology companies to get permission from people before collecting their data, but it would be limited to companies earning at least 25% of their revenue from the sale of data or those that earn more than $10MM per year. 
  • Virginia’s Consumer Data Protection Act, which also aims for comprehensive protection for the consumer, would apply to businesses that process data of at least 100K people or derive more than 50% of their gross revenue from data sales and process data of at least 25K people. 
  • Though MN’s efforts are fairly similar to CA’s, the state is also expected to provide a greater range of “private right of action.”
  • Meanwhile, WA is currently torn between two different bills — the Washington Data Privacy Act that would allow people to access and correct or delete data collected on them and the People’s Privacy Act, which specifies biometric data rights and requires clear consumer permission before using or sharing data.  
It is not easy to navigate and keep up with all of the state data privacy laws and regulations. So, make sure your regulatory and legal teams are keeping up on these too. 
Subscribe to the BID Daily Newsletter to have it delivered by email daily.

Related Articles:

What CFPB’s Rule Means for Consumer Data and Competition
Even if your institution isn't required to comply with the new Personal Financial Data Rights rule, preparing for open banking is essential. As consumer demand for data sharing grows, adopting secure digital interfaces will help you stay competitive and meet evolving expectations.
PCBB’s President’s Top Predictions for CFIs in 2025
We interviewed PCBB President Mike Dohren about the key trends he anticipates affecting CFIs in 2025, including regulatory changes, mergers and acquisitions, lending trends, and technology.