

A compliance challenge for Regulated Businesses: FinTech and Health Care


Navigating Entity-Level and Data-Level Exemptions

Businesses operating in regulated sectors, particularly financial services and healthcare, face a complex web of state-specific privacy laws. These laws carry varying exemptions, and those differences can produce significantly divergent compliance obligations for a regulated business depending on the state in which it operates.

Entity-Level Exemptions in a Changing Landscape

The majority of new and emerging privacy laws in the United States introduce entity-level exemptions for financial services entities governed by the Gramm-Leach-Bliley Act (GLBA) and for healthcare or medical services-related entities regulated under the Health Insurance Portability and Accountability Act (HIPAA). Notably, in several states, including Virginia, Connecticut, Utah, Tennessee, Montana, Florida, Texas, Iowa, and Indiana, entities regulated by both GLBA and HIPAA can avail themselves of entity-level exemptions. This means that, in these states, the entire business, as a regulated entity, falls outside the scope of those states’ privacy laws.

Data-Level Exemptions: A Different Scenario

However, in certain other states, privacy laws only contain data-level exemptions for consumer financial information regulated by GLBA and/or for protected health information (PHI) covered by HIPAA. This implies that while the regulated data maintained by the business may be exempt, the business as an enterprise still needs to comply with the privacy law. This includes making mandatory public-facing disclosures regarding the business’s data collection practices and allowing consumers to exercise their statutory rights concerning their personal data held by the business.

The California Challenge

Businesses in regulated industries have already grappled with exemptions under California’s comprehensive privacy law, the California Consumer Privacy Act (CCPA). HIPAA-covered entities benefit from a wholesale entity-level exemption under the CCPA, but financial services entities subject to GLBA can only take advantage of the CCPA’s data-level exemption for GLBA-covered consumer financial information. Moreover, recent changes, such as the California Privacy Rights Act (CPRA), have heightened privacy compliance hurdles in the state.

The CPRA, which came into effect in 2023, removed the CCPA's exceptions for HR-related information and business-to-business information. This means that California businesses must now provide employees, job applicants, former employees, and B2B contacts with the same scope of rights as traditional consumers under the CCPA.

Expanding Privacy Laws

For financial services entities, compliance challenges are compounded with the introduction of Oregon’s Consumer Privacy Act (OCPA). The OCPA, set to take effect on July 1, 2024, offers only a data-level exemption for GLBA-regulated information. However, it does provide entity-level exemptions for financial institutions regulated by Oregon’s Bank Act and the federal Bank Holding Company Act. While many banks may still benefit from entity-level exemptions, other GLBA-regulated entities, including alternative lenders and financing companies, will have to comply.

The good news is that, unlike the CCPA, Oregon’s OCPA contains an exemption for business-to-business information and employment-related information.

HIPAA Compliance Challenges

HIPAA-regulated businesses also face complexities with state privacy laws. The Colorado Consumer Privacy Act (CPA), effective as of July 1, 2023, provides only a data-level exemption for PHI. Oregon’s OCPA similarly contains a data-level exemption for PHI, necessitating careful consideration for businesses subject to HIPAA.

Looking Ahead

Delaware’s Personal Data Privacy Act (PDPA), signed into law on September 11, 2023, introduces a data-level exemption for PHI when it goes into effect on January 1, 2025. However, GLBA-regulated businesses can avail themselves of wholesale entity-level exemptions under both the CPA and PDPA.

In this evolving landscape of state privacy laws, staying informed and consulting with legal experts is crucial for businesses operating in regulated sectors. Compliance obligations can vary significantly from one state to another, making proactive measures a necessity for those subject to these regulations. Additionally, the CCPA is a cautionary example of how amendments can significantly change the compliance requirements of a privacy program.

Clarip’s Data Privacy Governance Platform ensures compliance with all consumer privacy regulations, including the “Do Not Sell/Do Not Share My Personal Information” solution. Allow customers to submit, revoke and update granular consent with Clarip’s Universal Consent Management. Clarip takes enterprise privacy governance to the next level and helps organizations reduce risks, engage better, and gain customers’ trust! Contact us at www.clarip.com or call Clarip at 1-888-252-5653 for a demo.

Email Now:

Mike Mango, VP of Sales
mmango@clarip.com
