House Data Privacy Bill Would Preempt State Law

After holding a hearing on the subject earlier this month, House Financial Services Committee Chairman Patrick McHenry (R-NC) is set to bring his bill, the Data Privacy Act of 2023, to the full committee for a markup tomorrow, Tuesday, February 28.

The bill seeks to revise existing federal standards created by the 1999 Gramm-Leach-Bliley Act (GLBA) that protect consumer data by expanding the requirements imposed on “financial institutions,” including independent insurance agencies, that collect and retain consumer data as part of their normal business operation. Chairman McHenry has indicated that his goal is to create a uniform national standard that would govern all financial institutions’ use of consumers’ nonpublic personal information (NPI).

Of course, PIA supports the scrupulous protection of insurance consumers’ data and applauds all 50 states for their prompt regulatory response to GLBA after it was passed. Because all 50 states currently have a GLBA-responsive regulatory regime in place, we oppose the development of a prescriptive federal legislative regime that attempts to impose redundancy on the insurance industry’s existing, robust protection of consumer data.

PIA appreciates the Committee’s attention to the evolving issues around protecting consumer data; however, we have had concerns about this legislation for months, and the current draft has not alleviated those concerns. In advance of the hearing, PIA engaged with the committee on the bill and highlighted the redundancy that it would create, the challenges that it would pose for independent insurance agencies, and the existential threat it represents to the state insurance regulatory system.

Some of PIA’s concerns have been addressed in the draft being considered at this week’s committee markup. Specifically, we are pleased that the strict liability and private right of action provisions have been eliminated, and we appreciate that the existing enforcement section was largely retained.

However, PIA continues to have concerns about this legislation and cannot support it in its current form for three primary reasons: 1) the bill would impose potentially unworkable requirements on insurance agencies, 2) this bill would effectively fully preempt state insurance regulation in the context of GLBA, and 3) it would require state insurance regulatory systems to enforce inappropriate federal regulations against state insurance licensees.

The bill would effectively preempt state law governing insurance in all meaningful ways but would require state insurance regulators to enforce federal regulations that are ill-suited to their licensees and that are not meant to operate against state insurance licensees.

PIA will continue to work with policymakers to ensure that consumer data is protected while also ensuring the primacy of state oversight of insurance, which can best be achieved through the use of the successful existing state insurance regulatory system.