It’s no secret that states are focused on implementing consumer privacy laws given the ubiquity of personal data that is gathered, processed, stored and shared for commercial activities, including those involving financial institutions. Since California passed the California Consumer Privacy Act (CCPA) in 2018, a host of states have followed with their own consumer privacy laws. Since 2024, consumer privacy laws have gone into effect in 10 states, and are expected in four more by the end of 2026.
Each of these laws provides exemptions for financial institutions, reflecting that protections for customers of financial institutions are already in place under provisions of the Gramm-Leach-Bliley Act (GLBA). However, the scope of the exemptions differs from state to state. States have adopted different approaches as to whether their exemptions apply to entities or to specific types of data. Data-level exemptions are particularly important to assess, because such exemptions do not cover data collected by financial institutions that falls outside GLBA. There is no discernible pattern as to why certain states choose entity-level exemptions versus data-level exemptions, or even both.
Given the ever-increasing importance of protecting customer data and ensuring compliance with cybersecurity standards, bank executives should ensure that their institutions are prepared to respond to this maze of state law.
Executives should consider:
1. How their institution’s commercial footprint interplays with its data footprint. Certain financial institutions may be relieved to find that they have little to no obligations under newly adopted state consumer protection laws. This could be the case, for example, if an institution operates within a single state that has provided an entity-level exemption. However, some institutions will need to be very attentive to how each state they operate in treats the data they collect, particularly if they collect data on customers within states that have adopted a data-level exemption. In such states, banks must determine the extent to which the data they collect and process is covered by the GLBA. Not every bank will have the same answer to that question. Given the variety of products and vendors banks use today, it is possible that certain institutions — particularly those that offer a large platform of digital products — will face greater exposure to new state privacy regulations than others.
2. Not missing the forest for the trees. The importance of understanding a bank’s state-by-state footprint cannot be overstated. However, banks should be prepared to face competitive pressures regardless of where they operate. As new laws are implemented, consumer preferences could shift with respect to what is expected from banks in handling and communicating about personal data. Even exempt banks may adopt certain practices that are not required as a matter of law but are necessary to respond to competitive pressures. Moreover, the continued rise of fintech products, alternative payment solutions and digital asset services only makes the regulatory landscape surrounding consumer data more dynamic and important.
3. Keeping an eye on the courts, if their bank is nationally chartered. The give-and-take between state and federal law, and the extent to which state consumer laws are preempted by the National Bank Act, has long been fertile ground for litigation. In 2024, the Supreme Court’s ruling in Cantero v. Bank of America clarified the current rule regarding preemption in the GLBA (see 12 U.S.C. § 25b(b)(1)), which provides that a state law is preempted by the National Bank Act only if:
- Application of a state consumer law would have a discriminatory effect on national banks in comparison with the effect of the law on a bank chartered by that state.
- The state consumer law “prevents or significantly interferes with the exercise by the national bank of its powers.”
- The state consumer law is preempted by a provision of federal law.
Given the increasing importance of gathering and handling personal data when providing financial products and services, and the increasing number of state laws that are inconsistent with respect to exemptions, one might expect that if compliance became exceedingly complicated, national banks could challenge the enforcement of certain state consumer privacy laws as an improper encroachment on their deposit-taking powers under the National Bank Act. It should be noted that the Office of the Comptroller of the Currency (OCC) recently reaffirmed the legality of its preemption regulations in response to a request by the Conference of State Bank Supervisors to comply with Executive Orders 14129 and 14267 by reversing its regulations governing national bank preemption. This response by the OCC could embolden challenges to new state consumer privacy laws. At the very least, it indicates that, at least as far as OCC regulations are concerned, the current administration’s general effort to deregulate will not lead to a reversal on preemption of state consumer laws.