Joint Financial Services Trades Letter on the American Data Privacy and Protection Act (ADPPA)(H.R. 8152)

Dear Chairwoman Schakowsky and Ranking Member Bilirakis:

On behalf of the financial services trade associations listed above, we are pleased to submit these comments regarding the American Data Privacy and Protection Act (ADPPA)(H.R. 8152).

Our members are strong proponents of protecting consumer data and privacy and have done so for a very long time because protecting consumer financial data is a cornerstone of their business. Our members have been subject to extensive federal privacy and data protection laws and regulations for several decades. While we support privacy and security protections for consumer data for all companies, especially technology and other firms that are increasingly moving into financial services, we have serious concerns about several provisions included in the ADPPA, as well as the overly rushed pace that this legislation is proceeding through the Committee process which will not allow for adequate input from stakeholders. We urge the Committee to carefully consider these concerns before proceeding further with this legislation.
 

GLBA and Data Privacy

The primary privacy and data security consumer protection law for consumer financial data is Title V of the Gramm-Leach Bliley Act (GLBA). With the GLBA, Congress carefully constructed a privacy and data security regime to provide an effective and successful balance between strong consumer protections and ensuring that consumer financial transactions take place in a safe and secure environment. In particular, the current regime has been carefully structured to ensure compliance with existing laws and regulations, adherence to judicial process, and protection from
fraud, illicit finance, money laundering and terrorist financing. Further, GLBA grants federal financial regulators with broad authority to adopt necessary regulations to enact these standards, thus allowing the regulatory regime to adapt over time as privacy concerns evolve.

Notably, the GLBA requires that financial institutions provide consumers with notice of their privacy practices and generally prohibits such institutions from disclosing financial and other consumer information to third parties without first providing consumers with an opportunity to opt out of such sharing.

It is clear that Congress has long recognized the importance of privacy for financial institutions and has put in place several meaningful frameworks that include strong privacy and data security protections that have been carefully balanced with commonsense exceptions to minimize disruptions to financial markets. While the financial services trade associations support legislation to put in place a national privacy standard, that standard must recognize the strong privacy and data security standards that are already in place for the financial sector under the GLBA and other financial privacy laws and avoid provisions that duplicate or are inconsistent with those laws.

As currently framed, the ADPPA does not include unambiguous language for financial institutions to understand their exemption from the requirements of the bill. This will lead to duplicative and conflicting requirements for financial institutions already subject to oversight by GLBA regulation. This framework will be disruptive to the financial system, consumers, and the economy. The ADPPA should be amended to broaden the provision to exempt all GLBA regulated institutions to avoid such disruption.

Enforcement

One of the most important elements that must be included in any federal privacy legislation is assurance that the legislation will be consistent from state-to-state. A uniform national standard is the foundation for adopting federal privacy legislation. By allowing enforcement by private rights of action, however, it will only be a short matter of time before different judicial interpretations of the law mean that different states have different interpretations of the law, and a consumer in Nebraska will have different privacy protections than someone in Alabama. Another disadvantage is that these state-by-state variations inhibit national training and consumer understanding of privacy rights.

Further, a private right of action in this context will only serve to encourage frivolous litigation from plaintiffs’ attorneys and will further encourage class actions even for minor compliance infractions. As in many class action suits, companies are forced to settle to avoid outrageous litigation costs even if the firm is not at fault. This type of legislation leaves open many opportunities for such actions and should be amended to remove such provisions.

As such, our members do not support provisions in the ADPPA that would authorize private rights of action. Instead, federal privacy law must include preserving GLBA’s existing regulatory enforcement structure for financial institutions.

To read full comment letter, click here.