Privacy Daily is a service of Warren Communications News.
‘Already Supervised’

Mortgage Bankers Ask Congress to Preempt State Privacy Laws in GLBA

Congress should amend the Gramm-Leach-Bliley Act and preempt all state privacy laws from regulating financial services, the Mortgage Bankers Association (MBA) said in comments to the House Financial Services Committee.

Committee Republicans gathered public comment through Thursday on potential legislative updates to the GLBA, including impacts on privacy laws (see 2507310060).

MBA previously aligned with the American Bankers Association, America’s Credit Unions, Bank Policy Institute, Consumer Bankers Association, Independent Community Bankers of America and Securities Industry and Financial Markets Association in joint comments to House Commerce Committee Republicans on their privacy bill inquiry (see 2504070065). That letter asked the Republican working group to exempt financial institutions from any broad federal privacy bill in the same way Kentucky did in its Consumer Data Protection Act.

Consumer advocates argued against federal preemption and took the opposite stance on many other issues raised by MBA.

“MBA believes that given financial services’ data privacy practices are already supervised, financial institutions should not be subject to inconsistent or duplicative requirements primarily designed to regulate other types of entities,” the organization said in an email Monday.

MBA’s comments to the House Financial Services Committee argue that states have “created a patchwork of data privacy requirements that create compliance challenges to the industry without creating meaningful consumer protections. MBA recommends the legislation make clear and explicit that state data privacy laws should be fully preempted.”

MBA recommended that Congress not require consumer consent under GLBA when lenders collect certain types of data, such as PIN numbers and IP addresses: “Impeding the collection of this necessary data may detrimentally affect the origination process or make it impossible to complete a consumer requested transaction.”

MBA said there would be little benefit in requiring companies to provide consumers with a list of individual third parties receiving their data because GLBA “generally prohibits financial institutions from disclosing financial and other consumer information to third parties without first providing consumers with an opportunity to opt out of such sharing.”

Electronic Privacy Information Center filed comments with National Consumer Law Center, Consumer Federation of America, Public Citizen and dozens of other consumer groups. Their letter recommends Congress require financial institutions to “follow data minimization rules and obtain affirmative, opt-in consent to share consumer data with third parties.” They recommend the committee strengthen the GLBA by adding a private right of action for consumers to sue violators.

The Software & Information Industry Association (SIIA), in separate GLBA comments, urged Congress to “avoid broad expansions of the definition of ‘financial institution,’ preserve the current liability structure for third-party data sharing, and support flexible best practices on data minimization and retention rather than prescriptive mandates.”

SIIA argued that current privacy practices and existing GLBA requirements for third-party data-sharing liability “effectively balance consumer protection with operational realities and established industry expectations.” Determining liability across “multiple interdependent third parties in a complex data breach scenario could become exceedingly difficult and protracted, leading to prolonged legal disputes, increased litigation costs for all involved parties, and significantly higher insurance premiums across the entire industry,” said SIIA. “This would ultimately translate into increased costs for consumers through higher service fees.”

SIIA recommended against establishing new data minimization and retention requirements because that would likely “create operational challenges and increase compliance burdens, particularly for businesses managing dynamic data ecosystems where data flows are fluid, copious, and where diverse data types have varying retention needs and legal mandates.”