Data Privacy & Regulatory Factors in the Land Title Insurance Industry
The discussion of title insurance, data privacy, and other subjects in this article is intended only for informational purposes. It should not be construed as representing the position of the author’s employer or as legal advice.
Even in the midst of a global pandemic, consumer privacy continues to get significant attention from lawmakers, regulators, and consumer advocates. In the early days of the coronavirus, as stay-at-home orders and quarantines brought meetings and gatherings online, video conferencing platform Zoom was the target of much reporting on perceived flaws in its data privacy and security practices. This led to scrutiny from the New York attorney general, an investor lawsuit, and multiple class actions based on allegations that Zoom failed to maintain adequate privacy and security protections within the videoconferencing platform and mobile app.
Zoom took measures to improve its privacy practices to the satisfaction of the New York Attorney General, leading to settlement of the state’s inquiry. Nonetheless, critics would say that the fixes were too little, too late, and the episode reignited cries for comprehensive privacy laws that would have protected consumers from Zoom’s shortcomings in the first place.
A comprehensive privacy law is not a new concept for the land title industry. Title insurers, agents, and settlement service providers have been subject to the federal Gramm-Leach-Bliley Act’s (GLBA) privacy and security requirements for two decades. New York’s Regulation 169, the state’s GLBA counterpart for insurers, was enacted in 2001, imposing strict limitations on use and sharing of customers’ personal information and requiring consumer-facing privacy disclosures. The American Land Title Association’s privacy best practices have been in place since 2013. Adherence to a privacy compliance regime has been the norm for our industry for quite some time.
As lawmakers and regulators look to implement comprehensive privacy legislation, it is important that we remind them that one size does not fit all when it comes to data privacy. GLBA has been a time-tested and effective comprehensive privacy framework for the financial services industry. A patchwork of additional state and federal privacy laws casting a wide net to catch unregulated industries can have the broad and unintended effect of adding compliance costs and reducing efficiency for financial services companies, without any meaningful change in privacy protections for customers. We should continue to advocate for GLBA remaining the standard for consumer privacy protections for our industry at both the federal and state levels.
The first GLBA exemption in a comprehensive privacy law appeared in the California Consumer Privacy Act (“CCPA”), enacted in 2018 and effective in January 2020. CCPA’s protections extend to an expansive definition of personal information, including any data that relates to, describes, could be reasonably linked, or is capable of being associated with an individual or household. Consumer privacy rights under the CCPA include the right to know what personal information is collected by businesses, the right to know whether consumer information is sold or disclosed, the right to say no to the sale of personal information, the right to access personal information, and the right to request deletion of personal information.
CCPA exempts any “personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act.” CCPA’s exception for personal information subject to GLBA – rather than entities subject to GLBA – poses a challenge for financial services companies. The broader definition of personal information within CCPA means that financial services companies can collect information that is subject to the CCPA but not GLBA. Those companies, if a CCPA “business,” must build CCPA compliance programs for their non-GLBA data sets. With the California Attorney General citing total compliance costs for entities subject to CCPA of $55 billion, building these compliance programs is not without added cost for any business.
Fresh on the heels of the California Consumer Privacy Act (CCPA), many states across the country introduced similar comprehensive consumer privacy and data security laws in their 2019 legislative sessions. Full entity GLBA carve-outs were present in some, though others contained no carve-out and others were limited.
The majority of these state privacy bills failed to cross the legislative finish line – a trend we are seeing repeated in 2020. New York had a somewhat prolific 2019 on the subject of data privacy. The New York Shield Act, now law, amended the state’s data breach notification law to expand the definition of “private information” protected under the law and imposed data security requirements for all businesses collecting personal information of New York residents.
The New York Privacy Act (NYPA) was also introduced in 2019. After failing to pass, it was reintroduced in the 2020 legislative session. If enacted, NYPA would be the most expansive and consumer protective privacy law introduced to date. The NYPA would apply to entities conducting business in New York, or producing products or services targeted to residents of New York (a scope similar to the EU’s General Data Protection Regulation, or GDPR). Unlike the CCPA, which applies only to businesses making more than $25 million in annual gross revenue, the NYPA applies to businesses of any size. Among other consumer privacy protections, NYPA would obligate businesses to make disclosures regarding their privacy practices and would require businesses to obtain affirmative consent from consumers before processing, sharing or selling personal information.
The most novel provision of the NYPA is its concept of a “data fiduciary.” The idea behind the data fiduciary concept is that businesses should be barred from using consumer personal information in a way that enriches or benefits the business to the detriment of the consumer. NYPA obligates businesses to protect consumer information with “the duty of care, loyalty and confidentiality,” and to “act in the best interests of the consumer,” without regard for the business’s own interests and as determined by a “reasonable consumer under the circumstances.”
Because these fiduciary duties are to trump all other loyalties of the business, including fiduciary responsibilities to shareholders, the law’s data fiduciary concept has been the subject of much criticism. Where the interests of shareholders and customers diverge, corporations subject to shareholder fiduciary laws like Delaware’s would risk violating one law to comply with the other. Additionally, the idea that the measure of these subjective standards is a “reasonable consumer” begs the question of what a reasonable consumer is for purposes of deciding what is in a user or consumer’s best interests.
Another criticism of NYPA has been against the law’s overly broad definition of “privacy risks” the fiduciary obligations must protect against. “Privacy risks” include direct or indirect financial loss, physical harm, psychological harm, significant inconvenience or time expenditure, adverse employment outcomes, stigmatization or reputational harm, disruption and intrusion from unwanted commercial communication, price discrimination and others.
Any alleged violation of NYPA puts much at stake, as the bill includes a private right of action for consumers who believe their NYPA privacy rights are violated.
Like CCPA, the NYPA currently contains a GLBA information exclusion. The NYPA definition of “personal data” is similarly broader than GLBA. “Personal data” extends beyond specific identifiers and financial information to include online activity information, geolocation data, or other information about an individual’s preferences or behavior. Thus, similar to CCPA, financial services companies could be in the unenviable position of having to comply with two comprehensive privacy compliance schemes if NYPA becomes law and the GLBA exemption isn’t amended to be an entity exemption.
As if that weren’t enough for data privacy legislation, both the Uniform Law Commission and National Association of Insurance Commissioners are working on model data privacy legislation. The GLBA exemption has been a subject of both groups’ discussions and will continue to be. With all of this activity at the state level, and federal-level privacy law discussions happening as well, our industry’s voice in these conversations and the others around the country on the subject of data privacy is an important one.
About the Author
Elizabeth Reilly is the Senior Privacy Counsel for the FNF Family of Companies and Co-Chair of the ALTA Data Privacy Executive Committee and Taskforce.