Long ago, when I worked as a lawyer at a large bank, we were generally able to rely on new state consumer protection laws being pre-empted by Federal financial regulations. This was a positive thing, because our bank, like many other big national consumer-facing companies, would usually wrap a new obligation into our general package of consumer protections, whether it applied to everyone, or only applied in South Carolina.
Federal pre-emption prevented us from the nightmare of our daily operations being subject to every little whim of state legislatures.
State consumer laws are now appearing as privacy protections and banking lawyers are hoping the same dynamic will apply here. I have often heard the comment, “Hey, we have great consumer privacy hygiene and our regulators enforce this. Why would we need new state consumer privacy laws to apply to us?”
The short answer is “Marketing.” And this also goes for HIPAA regulated health care entities holding patient information.
While both HIPAA and the Federal consumer privacy regulations surrounding the Gramm-Leach-Bliley Act require regulated entities to protect data and to be careful in not publicizing the health conditions or financial facts about the consumers they service, the CCPA and new breed of privacy laws being considered by other states are aimed at modern marketing practices. They grant consumers new rights to remove their information from sharing programs that tend to revolve around learning details about the customer that companies can use for targeted marketing.
The CCPA allows California consumers to request a record of the categories of data that a company holds about them including how that data is used for business purposes or shared with third parties, to request erasure of their data within a company and to opt out of the sale of their data. While the Federal privacy regulations do allow individual data subjects to check and correct the accuracy of data held about them, the rest of the rights described are primarily useful for stopping the early stages of data collection and sharing that underlies targeted marketing campaigns.
Intellectually, these rules are cribbed from foreign protections of individual privacy like PEPIDA in Canada and the GDPR in Europe, which directly aim to reduce targeted marketing of consumers, account holders and patients. The people passing these laws comment on the ways that individuals are being manipulated by industry who not only collects deep wells of facts about potential customers, but uses sophisticated analytics programs to gain greater insights into consumer behavior based on all of the collected facts.
So, while the Federally regulated industries may push for state pre-emption from the coming onslaught of US state consumer privacy protection laws, it is likely that legislatures will want everyone to share in these new protections. In other words, Level 1 data protection requirements are not likely to protect financial institutions and health care providers from Level 2 data obligations.