Pub. 12 2021 I Issue 3 Fall 29 West Virginia Banker

privacy acts appear to be targeted at relatively large data firms. Because of these multiple requirements, each state’s privacy law should be analyzed to determine whether a non-exempt financial institution is subject to it.

Exemptions for Financial Institutions

Federally insured financial institutions have long been charged with protecting customer privacy rights under regulations relating to the Gramm-Leach-Bliley Act. While the GLBA provides limited preemption of state laws, it does not preempt state laws that provide greater privacy protections than provided under the GLBA. All of the currently enacted statutes have included some exemption for insured financial institutions. The VCDPA and the CPA appear to broadly exempt both financial institutions and data subject to the GLBA. However, the CCPA and the CPRA appear to only exempt data subject to the GLBA, not financial institutions subject to the GLBA. Thus, under the CCPA, banks could be subject to state regulatory requirements for personal information separate from the information covered by the GLBA. Interestingly, House Bill 3159 did not contain any exemptions for financial institutions or data subject to the GLBA.

What to Watch For

Most community banks should not be significantly impacted by the currently enacted state consumer data privacy laws. Community banks have proven trustworthy stewards of their customers’ information. The time to limit the risk of substantial additional and unnecessary regulatory burdens is before the bank is impacted by new legislative initiatives.

Bankers should pay attention to state data privacy initiatives. Do not assume that GLBA compliance and preemption will provide protection. Work to ensure that any new legislation includes the broadest possible exemption for financial institutions. Evaluate the level of data collection and activity by the bank, its affiliates, and its vendors.
Work to ensure that legislation applies only to businesses engaging in activity levels far exceeding those of the bank.

Given the constantly evolving privacy landscape, all businesses, including financial institutions, need to be on alert for state privacy legislation in their jurisdictions to determine what privacy obligations, if any, apply to them.

Matthew Chase is an Associate Attorney with Jackson Kelly PLLC. His experience includes helping clients with real estate, energy, and privacy issues, focusing on transactional matters, due diligence, and closings. Contact Matthew at 304-284-4145 or firstname.lastname@example.org.

Mark Mangano is Counsel with Jackson Kelly PLLC. Mark is a former community bank CEO and owner. He focuses his practice on assisting clients with strategic planning, corporate governance, banking regulation, and mergers and acquisitions. Contact Mark at 304-670-0441 or email@example.com.