
Financial Outsourcing Solutions

FOS Blog

28 May
2021

The Evolution of Privacy – Changing Again!

“Privacy” became a topic of discussion around the turn of the century (2000). The concern then was that customer information was being shared with service providers who in turn used it for their own purposes. Additionally, credit bureaus were “selling” lists of customer attributes as a source of revenue. Through the Gramm-Leach-Bliley Act (GLBA) of 1999, privacy protection for financial customers was born. GLBA required financial institutions to disclose how customer information was collected, used, and shared, and it began a commitment to protecting the rights of individuals in that process.

It wasn’t long until other privacy protection controls followed – Vendor Management, Fair Credit Reporting Act, technology security controls, user access controls, confidentiality clauses in contracts, malware controls, remote access controls, disposition of customer information, and disposition of the machines that process and hold customer information.  “Cybersecurity” has grown into a whole new industry.

One of the more recent concerns has been GDPR (2018). Nearly 20 years after GLBA, the European Union’s “General Data Protection Regulation” is widely considered the world’s toughest privacy and security law. If you process the personal data of people in the EU, or you offer goods or services to such people, then GDPR applies to you even if you’re not in the EU. This includes American organizations. Data controllers must be able to demonstrate that they are GDPR compliant. The most visible control is consent from the data subject, the individual the “consumer information” is about, although GDPR also recognizes other lawful bases for processing, such as performance of a contract, a legal obligation, or the controller’s legitimate interests. Where consent is the basis, it must be “freely given” and “clearly distinguishable from other matters.” Some of the data subject’s privacy rights include the right to be informed, the right to access and correct information, the right to erase information, the right to restrict processing, and the right to object to use of information.

So, how has that affected “privacy” in the United States? We have no national law that is as strong as GDPR. As individual states have examined their privacy laws in light of GDPR, they’ve come to realize that their consumer protections are too “light.” California was the first to act, with the California Consumer Privacy Act (CCPA) in 2018. In November 2020 California voters then approved the CPRA (California Privacy Rights Act), which takes effect on January 1, 2023. Its requirements are greater than those of the original CCPA and more closely aligned with GDPR standards. If you’ve started to comply with CCPA, you’ve started the journey to complying with CPRA. The CPRA also created a new “California Privacy Protection Agency,” which will be issuing new regulations between now and 2023.

Other states are not far behind. Virginia signed its Consumer Data Protection Act into law on March 2, 2021, with an effective date of January 1, 2023. Washington and Florida have laws pending. Colorado, Maryland, and Massachusetts have introduced legislation, and another half dozen states have proposals in committee. Most will require additional disclosures at origination and allow consumers to opt out of information sharing.

So, how is a bank to manage all this information?

  • Begin a Data Protection Risk Assessment. Determine what states are represented in your customer database.
  • Review the definition for “personal information” in each applicable state’s regulation to see if any can be excluded from consideration.
  • Review internal practices relating to collection, retention, and sharing of personal information.
  • Evaluate whether transfers of personal information are considered “sharing” and whether opt-outs are required.
  • Evaluate all uses of “sensitive personal information” as defined in each state’s regulation.
    • Limit data collection to only what’s necessary.
    • Use and share information proportionately to the purpose intended.
  • Update notices and opt-out options.
  • Update contracts with third parties, service providers, and contractors.
  • Update individual rights procedures (correction, requests to know, etc.).
  • Continue to monitor as more states enact privacy protection laws. Follow public resources such as a US State Privacy Law Tracker or State Privacy Law Map to keep your compliance program current.

Information Security and Privacy are increasingly crucial practices. We cannot drop our guard on our legal responsibilities or our social duty to our customers.

For additional information contact the author at edehmey@fosaudit.com.