We are not aware of a list or 50-state survey for which states have more restrictive privacy laws than the federal law, and unfortunately, we cannot comment on state laws outside of Illinois.
However, a Data Privacy Primer published by the Sedona Conference in 2018 identifies California as requiring “explicit prior consent” from consumers before sharing their nonpublic personal information with both nonaffiliated third parties and affiliated parties in certain circumstances, as well as requiring data collectors to provide annual notices to their consumer customers of their disclosure policies. The Data Privacy Primer also identifies Alaska and Vermont as having adopted an “opt-in” requirement for sharing nonpublic personal information with both affiliates and nonaffiliated third parties. As to those states, as well as other states, we recommend consulting with your bank counsel regarding whether these and other states provide annual privacy notice exceptions for financial institutions that do not share nonpublic personal information with either nonaffiliated third parties or affiliates.
For resources related to our guidance, please see:
- Regulation P, 12 CFR 1016.5(e)(1) (“You are not required to deliver an annual privacy notice if you:
(i) Provide nonpublic personal information to nonaffiliated third parties only in accordance with the provisions of §1016.13, §1016.14, or §1016.15; and
(ii) Have not changed your policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under §1016.6(a)(2) through (5) and (9) in the most recent privacy notice provided pursuant to this part.”)
- Regulation P, 12 CFR 1016.17(a) (“This part shall not be construed as superseding, altering, or affecting any statute, regulation, order, or interpretation in effect in any state, except to the extent that such state statute, regulation, order, or interpretation is inconsistent with the provisions of this part, and then only to the extent of the inconsistency.”)
- Regulation P, 12 CFR 1016.17(b) (“Greater protection under state law. For purposes of this section, a state statute, regulation, order, or interpretation is not inconsistent with the provisions of this part if the protection such statute, regulation, order, or interpretation affords any consumer is greater than the protection provided under this part, as determined by the Bureau, on its own motion or upon the petition of any interested party, after consultation with the agency or authority with jurisdiction under section 505(a) of the GLB Act (15 U.S.C. 6805(a)) over either the person that initiated the complaint or that is the subject of the complaint.”)
- The Sedona Conference, Data Privacy Primer (January 2018) (“In fact, to the extent that related state laws afford an individual more protection than is outlined in the GLBA, it states that such additional protections are not to be construed as ‘inconsistent.’ The authority to determine whether a state’s financial privacy regulations are inconsistent with the GLBA currently rests with the Bureau of Consumer Financial Protection (CFPB) under the GLBA. As a result, some states have taken it upon themselves to enact stricter data privacy regulations for the protection of consumer nonpublic personal information.”)
- The Sedona Conference, Data Privacy Primer (January 2018) p. 402 (“Effective July 1, 2004, the California Financial Information Privacy Act (also known as ‘SB1’ or ‘FIPA’) was put in place by the state legislature because ‘[t]he policies intended to protect financial privacy imposed by the Gramm-Leach-Bliley Act are inadequate to meet the privacy concerns of California residents.’ Notably, SB1 does not distinguish between customers who have a continuing relationship with financial institutions and consumers who may have less frequent touch points, opting instead to universally identify ‘consumers’ as parties protected by its provisions. Further, while, like the GLBA, SB1 requires a financial institution obtain ‘explicit prior consent’ from a consumer when sharing the consumer’s nonpublic personal information with a nonaffiliated third party, it also requires the institution annually ‘clearly and conspicuously’ notify consumers and obtain their consent to disclose nonpublic personal information with affiliates in certain circumstances.”)
- The Sedona Conference, Data Privacy Primer (January 2018) p. 403 (“Other states have adopted an ‘opt-in’ posture for sharing nonpublic personal information with both affiliates and nonaffiliated third parties. Under Title 6 of the Alaska Statutes, the ‘records of financial institutions relating to their depositors and customers and the information in the records,’ are to be kept confidential, and the financial institution is required, if possible, to notify a consumer prior to disclosing such information. Vermont’s Financial Privacy Act likewise has similar restrictions in place. Still other states have chosen to more closely align with the GLBA standard of providing notification in the context of data sharing with nonaffiliated third parties. Because of the fluctuating nature of state data protection regulations, it is advisable to refer to the current text of a state’s statutes for the most up-to-date requirements for that given state or territory.”)