May 07, 2021
Policy Pulse: The State of Privacy
Ben White & Kat Cloud
Privacy is a top priority for policymakers across the world. COVID-19 raised the issue even higher, with people moving more of their lives online. In this version of the Policy Pulse, we review recent developments in the privacy world, and share our thoughts on how digital finance companies can adapt to the changing privacy landscape.
Federal: Today the U.S. lacks a comprehensive federal privacy law. Instead it has sectoral laws, like HIPAA in healthcare and GLBA in financial services. But that could change soon. Momentum for a comprehensive federal privacy law started building under the Trump administration, with several proposals brought forward. But these bills were blocked from passage when Congress couldn’t agree on two issues: Democrats wanted state laws to be able to supersede the federal law and for individuals to be able to sue companies over violations; Republicans wanted neither.
Despite their failure, these proposals had major elements in common, including:
Consumer rights and protections
Additional powers for the Federal Trade Commission
Notice and consent requirements for data collection
Security requirements for companies touching consumer data
In March 2021 the Information Transparency and Personal Data Control Act became the first federal privacy bill introduced under the Biden administration, drawing on many of the themes above. Similar proposals are expected to follow. With potential incoming commissioners at the Federal Trade Commission and a potential incoming director at the Consumer Financial Protection Bureau, these proposals are likely to have strong support from the regulators tasked with carrying them out. Current FTC Chair Rebecca Slaughter may have given a preview of the agency’s approach to data in a recent speech, saying “we should require violators to disgorge not only the ill-gotten data, but also the benefits—here, the algorithms—generated from that data.”
State: In the absence of a federal privacy law, states have jumped into action. California passed its California Consumer Privacy Act in 2018, giving consumers rights to know, delete, opt out, and avoid discrimination for choosing not to share their data. Several dozen states have since followed suit, with Virginia being the second state to pass a comprehensive law in early 2021. Consumer Reports, an advocacy group, released a Model State Privacy Act, adding even more momentum to states’ efforts.
(Source: International Association of Privacy Professionals)
Our take: More privacy laws are coming, whether state-by-state or at the federal level. State laws are likely to come out faster, leading to a patchwork of laws that would create complexity for private companies. Federal laws could address some of that patchwork, but will take time. This dynamic between state and federal laws will require flexibility from industry participants.
The United Kingdom’s Open Banking framework builds on the Second Payment Services Directive (PSD2) to give consumers rights to their financial information. Now regulators are looking to expand that access to open finance. In February the UK’s Financial Conduct Authority (FCA) published its long-awaited open finance feedback statement. The FCA agreed that industry has a key role to play in the development of open finance, and that open finance will provide significant benefits to consumers. However, the FCA also highlighted risks associated with data misuse, privacy, and security. Regulators are expected to review and update privacy regulations to ensure consumer protection.
The FCA noted that appropriate regulation is essential to manage these risks and that a legislative framework is needed for open finance to develop. Going forward, they will work with other government departments on the design and implementation of regulations and legislation, while also reviewing the relevant privacy and security regulations to ensure they are fit for purpose for an open finance ecosystem.
Our take: Open Finance is the future in the UK, but privacy rule updates could bring more burden to third-party providers. TPPs should engage with regulators to provide their input, as the ecosystem aligns around its next phase.
Canada is looking to update its 20+ year-old federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), with a comprehensive new bill called the Consumer Privacy Protection Act (CPPA). The CPPA, which is still being considered, takes a two-sided approach to privacy, including strong privacy protections and actionable consumer data rights like data mobility.
CPPA is part of a broader set of efforts under Canada's Digital Charter aimed at bolstering its digital economy. Canada’s recent consultations around open banking are one example of how its government wants to spur innovation.
Our take: Data mobility rights are a core feature of open banking. Industry participants should advocate for privacy laws that include giving people rights to their data. Canada’s fintech ecosystem could see a boom if data mobility were enshrined in law.
How our ecosystem should prepare
Fintech is a highly interconnected ecosystem, so privacy will always be a collaborative effort. Financial institutions and fintech companies should find ways to partner to advance common goals. Our industry's emphasis on transparency and control is part of a broader effort to ensure consumers can benefit from innovation while also keeping their information safe and secure. We’re excited to work together with you on this journey.
Ben White and Kat Cloud are on Plaid's Policy Team based in the US and UK, respectively. They advocate for a future where consumers are empowered by their financial data.