As of today, the U.S. government has yet to establish an all-inclusive federal data privacy law. While work towards federal law has been underway since 2018, when the California Consumer Privacy Act was passed, nothing has been enacted. Instead, there is an assortment of industry-specific laws and regulations that cover the privacy and security of various types of consumer data.
In the absence of federal privacy law, some states have moved forward with enacting their own legislation, with others expected to follow. This blog will explore where privacy legislation is today, where it’s likely headed and what obligations the title industry has in light of state-level privacy legislation scheduled to take effect next year.
Title insurers, title agents and settlement service providers have long been accustomed to protecting and securing consumer financial data. Since 1999, the title industry has followed regulations set forth under the Gramm-Leach-Bliley Act (GLBA), a federal law that requires businesses in the financial sector to disclose to consumers policies and practices put in place to protect the security and integrity of consumer personal financial information. Generally, federal law preempts state law only to the extent that compliance with state law is “inconsistent with” the requirements of federal law. By definition, state law that provides greater protection is not considered inconsistent. Therefore, businesses in the financial sector that are subject to GLBA must also comply with state consumer privacy laws, provided they offer greater protection and do not provide a federal exemption, or a GLBA “carve-out” as explained below.
Five states have enacted comprehensive consumer privacy legislation: California, Virginia, Colorado, Utah and Connecticut. The laws have several requirements in common, such as the right to access and delete personal information and to opt out of the sale of personal information, among others. These laws also provide varied carve-outs for the GLBA – some that apply to the business entity and others that apply to the type of data or specific use of data. Let’s take a look at the state legislation and explore the GLBA carve-outs provided.
State Consumer Privacy Laws
California was the first state to establish a comprehensive consumer data privacy law with the passing of the California Consumer Privacy Act of 2018 (CCPA). It was signed into law on June 28, 2018, and it went into effect on January 1, 2020. Later that same year, on November 3, 2020, California voters added clarification and additional regulations known as the California Privacy Rights Act (CPRA), which will become effective on January 1, 2023. The CPRA alters some provisions of the law, including expanding rights offered to employees. It also created the California Privacy Protection Agency (CPPA), a dedicated regulatory agency that will administer and enforce all California privacy regulations.
The CCPA/CPRA does provide a carve-out for personal information collected, processed, sold or disclosed subject to the GLBA. Such information would be exempt from the privacy requirements of CCPA/CPRA, but not necessarily exempt from the limited private right of action (private civil lawsuit) against a business that fails to implement and maintain reasonable security of consumer personal information.
The other states – Virginia, Colorado, Utah and Connecticut – all have more robust GLBA carve-out language, meaning businesses in the financial sector that are subject to the GLBA are fully exempt from complying with the requirements set forth in the legislation:
- Virginia Consumer Data Protection Act (VCDPA), effective January 1, 2023
- Colorado Privacy Act (CPA), effective July 1, 2023
- Connecticut Data Privacy Act (CDPA), effective July 1, 2023
- Utah Consumer Privacy Act (UCPA), effective December 31, 2023
While there is no private right of action offered to consumers under the above-referenced legislation, the State Attorneys General can impose fines against businesses that violate requirements.
Several federal consumer privacy bills have been introduced in the past but failed to gain momentum. In July 2022, that changed when the House Committee on Energy and Commerce voted to advance the American Data Privacy and Protection Act (ADPPA) to the full U.S. House of Representatives. If passed by Congress, the bill will go to the U.S. Senate and the possibility of an enacted comprehensive federal data privacy law could be close to realization.
Like many other privacy laws, the ADPPA would provide individuals certain rights, including the right to access personal information that is collected, processed or transferred; the right to correction or deletion of any covered data; the right to data portability; and the right to opt out of data transfer or targeted advertising. The bill also addresses two highly contested issues: (1) preemption of state privacy law; and (2) private right of action.
Although the ADPPA would generally preempt state privacy laws, it contains a laundry list of exceptions, including CCPA/CPRA’s private right of action for victims of data breaches. The ADPPA would be enforceable by the Federal Trade Commission (FTC) or State Attorneys General, and private rights of action will be prohibited for the first two years after enactment. After those two years, an individual will be required to inform the FTC or their State Attorney General of their intent to file a civil lawsuit under the ADPPA.
The ADPPA takes a hybrid approach to GLBA exemption based on the type of data involved. Businesses that are subject to, and compliant with, the privacy program requirements and cybersecurity standards of the GLBA are deemed compliant with those requirements under the ADPPA.
As lawmakers, regulators and consumer advocates continue to advance both state-level and federal comprehensive privacy legislation, the GLBA remains the title industry’s standard for consumer privacy and security protections. Since 1999, the GLBA has limited the financial sector’s use and sharing of consumer personal information, and required security protocols and comprehensive disclosure practices. In addition to the GLBA, the title industry’s national trade association, American Land Title Association (ALTA), has had best practices in place since 2013. In 2020, the ALTA also developed data privacy principles to establish a national standard for protecting consumer private information.
While current state-level data privacy legislation has GLBA carve-outs, title insurers, title agents and settlement service providers will need to evaluate the details of the carve-outs to ensure they meet compliance obligations. The same is true for future legislation at both the state and federal level.
At Old Republic Title, we make consumer data privacy and security a top priority. We operate through a national network of Company-owned offices, affiliates, authorized title agents and approved attorneys. We will continue to review the developing privacy landscape across the nation and ensure our privacy practices are compliant in meeting consumer data privacy protections.