As of today, the U.S. government has yet to establish an all-inclusive federal data privacy law. While work towards federal law has been underway since 2018, when the California Consumer Privacy Protection Act was passed, nothing has been enacted. Instead, there is an assortment of industry-specific laws and regulations that cover the privacy and security of various types of consumer data.
In the absence of federal privacy law, some states have moved forward with enacting their own legislation, with others expected to follow. This blog will explore where privacy legislation is today, where it’s likely headed and what obligations the title industry has in light of various state-level privacy laws.
Title insurers, title agents and settlement service providers have long been accustomed to protecting and securing consumer financial data. Since 1999, the title industry has followed regulations set forth under the Gramm-Leach-Bliley Act (GLBA), a federal law that requires businesses in the financial sector to disclose to consumers policies and practices put in place to protect the security and integrity of consumer personal financial information.
Generally, federal law preempts state law only to the extent that compliance with state law is “inconsistent with” the requirements of federal law. By definition, state law that provides greater protection is not considered inconsistent. Therefore, businesses in the financial sector that are subject to GLBA must comply with the state consumer privacy laws, provided that state law offers greater protection and does not provide a federal exemption or a GLBA “carve-out.”
Eighteen states have enacted comprehensive consumer privacy legislation:
· California |
· Iowa |
· New Jersey |
· Colorado |
· Kentucky |
· Oregon |
· Connecticut |
· Maryland |
· Tennessee |
· Delaware |
· Montana |
· Texas |
· Florida |
· Nebraska |
· Utah |
· Indiana |
· New Hampshire |
· Virginia |
At the time of this writing, Vermont has passed its respective comprehensive Privacy Bill. It is pending the governor’s signature. If signed, the bill will become the second strongest Privacy law behind California. It has a limited Private Right of Action and will become operative July 1, 2025.
The laws have several requirements in common, such as the right to access and delete personal information and to opt-out of the sale of personal information, among others. These laws also provide various carve-outs for the GLBA – some that apply to the entire entity and others that apply to the type of data or specific use of data. Let’s take a look at the state legislation and explore the GLBA carve-outs provided.
State Consumer Privacy Laws
California was the first state to establish a comprehensive consumer data privacy law with the passing of the California Privacy Act of 2018 (CCPA). It was signed into law on June 28, 2018 and went into effect on January 1, 2020. Later that year, on November 3, 2020, California voters added clarification and additional regulations known as the California Privacy Rights Act (CPRA), which became effective on January 1, 2023. The CPRA alters some provisions of the law, including expanding rights offered to employees. It also created the California Privacy Protection Agency (CPPA), a dedicated regulatory agency that administers and enforces all California privacy regulations.
The CCPA/CPRA does provide a carve-out for personal information collected, processed, sold or disclosed subject to the GLBA. Such information would be exempt from the privacy requirements of CCPA/CPRA, but not necessarily exempt from the limited private right of action (private civil lawsuit) against a business that fails to implement and maintain reasonable security of consumer personal information.
The other states all have more robust GLBA carve-out language, meaning businesses in the financial sector that are subject to the GLBA are fully exempt from complying with the requirements set forth in the legislation:
- Virginia Consumer Data Protection Act (VCDPA), effective January 1, 2023
- Iowa Act Relating to Consumer Data Protection (ICDPA), effective January 1, 2023
- Colorado Privacy Act (CPA), effective July 1, 2023
- Connecticut Data Privacy Act (CTDPA), effective July 1, 2023
- Utah Consumer Privacy Act (UCPA), effective December 31, 2023
- Florida Digital Bill of Rights (FCBR), effective July 1, 2024
- Oregon Consumer Privacy Act (OCPA), effective July 1, 2024
- Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024
- Montana Consumer Privacy Act, effective October 1, 2024
- Delaware Personal Data Privacy Act (DPDPA), effective January 1, 2025
- New Hampshire Privacy Act (NHPA), effective January 1, 2025
- Nebraska Data Privacy Act (NDPA), effective January 1, 2025
- New Jersey Data Privacy Act (NJDPA), effective January 16, 2025
- Tennessee Information Protection Act (TIPA), effective July 1, 2025
- Maryland Online Data Privacy Act, effective October 1, 2025
- Indiana Consumer Data Protection Act, effective January 1, 2026
- Kentucky Consumer Data Protection Act, effective January 1, 2026
While there is no private right of action offered to consumers under the above referenced legislation, the State Attorneys General can impose fines against businesses that violate requirements.
Federal Update
Several federal consumer privacy bills have been introduced in the past but failed to gain momentum. In July of 2022, there was a shift in traction when the House Committee on Energy Commission voted to advance the American Data Privacy and Protection Act (ADPPA) to the full U.S. House of Representatives. While this bill was bi-partisan and seemed to have a path forward, it too failed.
In April of this year, a new bill was introduced known as the American Privacy Rights Act (APRA). Like many other privacy laws, the APRA would provide individuals certain rights, such as the right to access personal information that is collected, processed or transferred; the right to correction or deletion of any covered data; the right to data portability and the right to opt out of data transfer or targeted advertising. The bill introduces two highly contested issues: (1) preemption of state privacy law; and (2) private right of action.
Although APRA would generally preempt state privacy laws, it contains a list of exceptions that includes a GLBA exemption.
Outlook
As lawmakers, regulators and consumer advocates continue to seek implementation of both state-level and federal comprehensive privacy legislation, the GLBA remains the title industry’s standard for consumer privacy and security protections.
Since 1999, the GLBA has limited the financial sectors’ use and sharing of consumer personal information and required security protocols and comprehensive disclosure practices. In addition to the GLBA, the title industry’s national trade association, American Land Title Association, has had best practices in place since 2013. In 2020, it also developed data privacy principles to establish a national standard for protecting consumer private information.
While current state-level data privacy legislation has GLBA carve-outs, title insurers, title agents and settlement service providers will need to evaluate the details of the carve-outs to ensure they meet compliance obligations. The same is true for future legislation at both the state and federal level.
At Old Republic Title, we make consumer data privacy and security a top priority. We operate through a national network of Company-owned offices, affiliates, authorized title agents and approved attorneys. We will continue to review the developing privacy landscape across the nation and ensure our privacy practices are compliant in meeting consumer data privacy protections.