
Privacy Laws Compliance as a Fintech B2C Startup

By jacobmolland

Updated: May 19, 2023

If you’re a B2C fintech startup this post is for you. If not, carry on living your life.


Early-stage companies are generally not subject to the emerging state privacy statutes (in California, Virginia, Colorado, etc.) because of nexus and materiality thresholds: as of the date of this post, a business must process the personal information (PI) of at least 100,000 state residents (or clear a fairly high revenue bar, $25MM in the case of California) before compliance obligations attach. FN1


This is good news in that these startups don't need to build operationally intensive compliance practices (e.g., internal data mapping, data subject request and response management, and service provider contracting standards) or deal with a lawyer (and the dollar cost) or ChatGPT (and the end-of-humanity AI anxiety) in drafting the mandated consumer disclosures.


The bad news is that fintech startups, at least those that provide services to consumers (rather than to other businesses), are likely still covered by a lesser-known privacy rule arising from the Gramm-Leach-Bliley Act (GLBA), which establishes requirements governing how "banks" may use and disclose consumer PI.


People are less familiar with the GLBA privacy rule largely because the law applies to companies not traditionally considered (by common perception or by law) to be banks. The GLBA definition of "financial institution" includes any business "significantly engaged" in "financial activities," as well as businesses whose services facilitate financial operations on behalf of traditional banks. This scope has been interpreted very broadly, and there is no materiality threshold. A business that provides, or facilitates the provision of, financial products or services to individuals for personal, family, or household use (i.e., not commercial or B2B use) has a good chance of being within GLBA's reach. FN2 Further, while GLBA applies only to nonpublic personal information (financial information that is not publicly available), that category is broader than it may seem, since it encompasses any PI a financial institution collects about an individual in connection with providing a financial product or service.


The disclosure and opt-out requirements of GLBA are too extensive and boring for a brief blog post, but here's something to care about: if a fintech does not share customer PI with nonaffiliated third parties other than as necessary to provide its service or for related administrative needs (such as controlling fraud or complying with law), then it is not required to give customers an opt-out notice or a method of opting out, and it doesn't need to make any specialized disclosures beyond a basic description of its collection practices, a statement that PI is shared with nonaffiliated third parties only as permitted by law, and a brief description of how PI is protected. Detailed FTC compliance guidance is here. FN3


The upshot of the above is that a privacy notice is still required in such cases, in some modest form, but it is nowhere near as complex as the disclosures required by emerging state privacy legislation like the California Consumer Privacy Act. Lawyers like me can help draft (or finalize) these notices, but it isn't a thousand-dollar-plus exercise in billing.


A few additional practical pointers for anyone who has read this far. First, although the GLBA technically has an annual notice requirement that applies to "customers," under the FTC's rule no separate "annual" alert or communication is required where (a) customers use your website to access your financial products or services, (b) they agree to receive notices at your website, and (c) you post your notice continuously, in a clear and conspicuous manner, on that website.


Second, the GLBA has, independent of the disclosure requirements, a requirement (the FTC's Safeguards Rule, 16 CFR Part 314) that a covered "financial institution" develop and maintain, as an operational practice, a written information security program containing specific measures to protect customer information. Relatively sophisticated fintechs often stand up these programs anyway (and/or are required by banking partners to have them), but the point is that rudimentary security safeguards must be in place before consumer PI is processed: assess and control risks, monitor for incidents, train personnel, designate a qualified individual to own the program, and so on. If the company maintains customer information on fewer than 5,000 consumers, some elements of the program (the written risk assessment, continuous monitoring or periodic penetration testing and vulnerability scanning, the written incident response plan, and the annual report to the board) do not apply. The FTC has provided more information on security safeguards here. FN4


FN1. Unless the company's business specifically involves brokering or selling PI.


FN2. In determining whether your company specifically is a "financial institution" within the meaning of GLBA, you should naturally resist any blunt analysis, and I'm not providing legal guidance, etc. etc. The "significant engagement" test requires a fact-based determination in a rapidly evolving industry, and there remains uncertainty about the level of financial activity required for a company to become subject to GLBA.


FN3. Generally, a "financial institution" may not disclose any nonpublic personal information about a consumer to a nonaffiliated third party unless it "(1) has provided the consumer with an initial privacy notice; (2) has provided the consumer with an opt out notice; (3) has given the consumer a reasonable opportunity to opt out of information sharing; and (4) the consumer does not opt out." 16 CFR § 313.10(a)(1).


FN4. This post does not discuss the Fair Credit Reporting Act, in part because it is so uninteresting. But the FCRA applies to circumstances adjacent to those governed by the GLBA. It limits the circumstances under which consumer credit information may be used, and it requires companies to provide consumers with clear and transparent notices and disclosures regarding the collection, use, and sharing of their credit information. It is worthwhile for fintechs to analyze their data collection purposes and practices to determine whether they are subject to the requirements of the FCRA.

This alert was prepared by Jake Molland, a Principal at Bound Legal Strategy P.C. The content of this alert is informational only and does not constitute legal or professional advice. Please note that the law changes frequently and further that the generalized information reflected in this alert may not address the specifics of a given factual situation. Please contact Jake at jake.molland@boundlegal.com if you have specific questions or concerns relating to any of the topics covered in here.

