Supporting Consumer Privacy That Works
The American Financial Services Association has long supported a federal privacy law that is durable and protects American consumers. However, AFSA has significant concerns with H.R. 8152- the American Data Privacy and Protection Act (ADPPA), will affect the ability of financial institutions to best serve their customers.
First, regulated financial institutions are already subject to privacy and data security consumer protection requirements under Title V of the Gramm-Leach Bliley Act (GLBA). The GLBA established stringent data security requirements that financial institutions must comply with in order to safeguard the confidentiality and privacy of their customers. The ADPPA should be amended to include a provision which clearly exempts all GLBA regulated institutions. This will avoid unnecessary and conflicting requirements, which could lead to an interruption in the consumer data practices which are already in place.
Secondly, the ADPPA’s proposed enforcement system will lead to an increase in frivolous lawsuits and a myriad of interpretations of the law. The private right of action included in the ADPPA covers both compensatory damages and attorneys’ fees. This will only encourage an increase in trivial lawsuits or time-consuming class action suits. Furthermore, the private right of action enforcement allows for varied judicial review. Under private right of action, however, states will eventually have different privacy protections based on their judicial interpretations. To avoid further fracturing national privacy laws and encouraging time-consuming, inconsequential lawsuits, the enforcement provision of ADPPA should be amended.
Finally, AFSA is concerned that the ADPPA’s preemption exemptions would dilute the purpose of a federal standard for data security. While the ADPPA includes preemptions for many state laws, the numerous exemptions also included will only serve to further entrench the current patchwork system. AFSA recommends that the ADPPA be amended to include this direct preemption in order to finally clarify the current unorganized and often confusing data privacy system.
July 19th, 2022 by Dan Bucherer