Arrow Icon
blog header pale blue image blog header abstract shape

Heart of Advice

Insights and best practices for successful financial planning engagement

left arrow Back to All Articles

United States Privacy Laws: A Legal Evolution

Sarah Miller September 3, 2021

United States Privacy Laws

Your name. Your date of birth. Your IP addresses. The video your neighbor took of you winning the hot dog eating contest last Labor Day.

Just kidding about that last one. Kind of.

As technology evolves, more data becomes available, and more potential harm results from data breaches that expose personal information. Privacy legislation is the response to that harm, and it has evolved dramatically over the last few years. Here is a snapshot of that progression.

Global Shift Toward Privacy

In 1999 the United States federal government implemented the Gramm-Leach-Bliely Act (GLBA) with the intention of modernizing the financial industry in everything from security policies to privacy. The GLBA’s primary privacy outcome was that certain financial institutions became required to tell their customers about their information-sharing practices and provide an “opt-out” of sharing customer information with third parties.

Regulations didn’t become privacy-specific until three years ago when the EU General Data Protection Regulation (GDPR) took effect to protect individuals inside the EU. The GDPR is known as the most important change in data privacy regulations in 20 years because it impacted businesses across the world by basing its applicability on the relationship between the business and EU consumers. But, because the law is centered around EU consumers, it does not apply to many U.S. companies that don’t do business in or market to the EU.

Despite the GDPR’s inapplicability to some U.S. companies, many correctly saw the consumer rights and operational business requirements contained within the GDPR as indicators of United States privacy trends to come.

California Knows How to Privacy

On January 1, 2020, the California Consumer Privacy Act (“CCPA“) became the first impactful US privacy regulation to resemble the GDPR most closely by giving much broader privacy rights to California consumers (including prospects and employees). If a consumer lives in California and asks a business to reveal, potentially delete, provide an extract of, and/or stop selling an individual’s data, businesses must comply if the request isn’t covered by an exemption.

According to the law CA individuals can also sue a business if they are harmed by a company’s security or data breach if they can prove that the business failed to maintain reasonable security practices and procedures. In California and in many other states consumers already had the right to bring suit under data breach law. However, the CCPA’s private right of action provision makes it easier by providing for statutory damages and eliminating the need to prove actual damages in court.

CPRA

While U.S.-based businesses scrambled to prepare for the CCPA, California wasn’t done yet. The state took privacy to the next level through the California Privacy Rights Act of 2020 (“CPRA“), a ballot initiative that becomes operative Jan. 1, 2023, with a yearlong “look back” requiring businesses to include data starting Jan.1, 2022. It expands the scope of the CCPA by giving consumers additional rights (rectification, restriction against automated decision making), and adds additional business obligations such as requiring risk assessments and prohibiting discrimination. More notably, the CPRA funds a California agency that will make privacy rules, enforce them, and provide residents with related education and guidance (as opposed to the current regime where the state Attorney General is charged with interpreting and enforcing the law).

Virginia Is for Lawyers and Rocky Mountain PII

The same day that businesses must comply with the CPRA, Virginia’s Consumer Data Protection Act (“VCDPA“) becomes effective, followed by the Colorado Privacy Act (“CPA“) in July of 2023. Both Virginia and Colorado laws create similar consumer rights as California, although Virginia doesn’t go quite as far, aligning more closely with the CCPA than the CPRA (of course, with distinctions). In addition, federal law exemptions for GLBA and Health Insurance Portability and Accountability Act of 1996 (“HIPAA“) that are set to expire in California continue in perpetuity in Virginia making the law not applicable to certain businesses. In Colorado, the GLBA exemption also continues in perpetuity, but the HIPAA exemption is absent, and the scope of impacted businesses is broader.

Subtleties aside, if a financial institution is prepared for the CCPA and CPRA ,it is largely ready for (or exempt from) Virginia and Colorado regulations aside from any state specific disclosure requirements and other technicalities.

Preparing for New Privacy Laws

While the practical implications of managing state laws are manageable so far, it is becoming onerous. There are five additional state privacy bills containing equally nuanced language and implications. Luckily, the driver of federal legislation is often conflicting state legislation. Privacy laws are no different. Federal proposals were rolled out by both Republicans and Democrats in 2019 but were stalled until recently when Republicans submitted a largely reintroduced bill this summer. If and when a federal law is passed, it will likely supersede less restrictive state legislation. But the proposals from both parties so far have not been as comprehensive as states like California with more restrictive legislation.

In the meantime, businesses must be prepared to comply with each state’s law unless they are covered by an exemption. Companies should seek counsel on specific use cases and applicability and be forward-thinking in their privacy approach.

Follow the foundational tenets that the state privacy laws intend and implement them into internal policies and procedures. That way, as more state laws evolve, you will already be prepared to comply. Then take a deep breath and keep taking things one state at a time.

DISCLAIMER: The eMoney Advisor Blog is meant as an educational and informative resource for financial professionals and individuals alike. It is not meant to be, and should not be taken as financial, legal, tax or other professional advice. Those seeking professional advice may do so by consulting with a professional advisor. eMoney Advisor will not be liable for any actions you may take based on the content of this blog.

Image of Sarah Miller
About the Author

As Associate General Counsel, Data Governance and Protection, Sarah oversees the data and privacy legal organization including legal data strategy, data agreements, data governance, and everything privacy related.

You may also be interested in...

Woman at computer in server room

Understanding Dodd-Frank Section 1033: What You and Your Clients Need to Know

Section 1033 of the Dodd-Frank Act is designed to empower consumers by giving them the right to access and share… Read More

A financial professional talks to an AI chatbot.

The Intelligent Technology Landscape: Shaping the Future of Wealth Management

Artificial intelligence (AI) is transforming industries–including the wealth management industry. At the 2024 eMoney Summit, we delved into generative AI… Read More

Three Keys to Building Stronger Relationships with Today’s Clients

According to Fidelity’s 2024 Investor Insights Study, a significant majority of Millennials (Gen Y) and Gen Z (61 percent) and… Read More

eBook: Candid Conversations - Suddenly Single

Download our latest eBook for thoughtful guidance on how to serve clients who have recently lost a spouse or divorced.

Download Now

Sign up to have the most popular Heart of Advice posts delivered to your inbox monthly.

Heart of Advice by eMoney Advisors

Welcome to
Heart of Advice

a new source of expert insights for
financial professionals.

Get Started

Tips specific to the eMoney platform can be found in
the eMoney
application, under Help, eMoney Advisor Blog.