The New State Battleground: Privacy & Security

On January 1, 2020, the California Consumer Privacy Act (CCPA) took effect, a warning shot across the bow of every real estate finance company in America.

To prepare for what appears to be an impending wave of similar state bills and regulations, the Mortgage Bankers Association has created two documents: a set of Data Protection Principles that should be considered in the development of public policy, and proposed amendment language for pending state legislation that reflects the unique needs of real estate finance transactions and the federal regulatory requirements that already govern them.

“We expect more states to consider data protection bills during the 2020 state legislative season. In fact, many bills have already been introduced, and we wanted to provide these documents for our state and local association partners,” said William Kooper, MBA Vice President of State Government Affairs and Industry Relations.

The CCPA, also known as AB 375, allows any California consumer to request the personal information a business has collected about them, including the categories of third parties with which that information has been shared, and to ask that it be deleted or not sold. The law also gives consumers a private right of action, with statutory damages, when certain unencrypted personal information is exposed in a breach that results from a business’s failure to maintain reasonable security; other violations are enforced by the state Attorney General. The law affects all companies that do business with California residents and have at least $25 million in annual revenue. Additionally, companies of any size that buy, receive, sell or share the personal information of at least 50,000 consumers, households or devices, or that derive half or more of their revenues from the sale of personal information, also fall under the law, whether or not they are based in California or even in the United States.

The California law started as a ballot initiative, a 25-30 page measure headed for the 2018 ballot and financed by a wealthy real estate developer. “That got it on the ballot,” Kooper said. “But it was a much broader based bill and its language raised concerns across the economy, including real estate finance. There were only two ways to derail it: either at the ballot box or by persuading the sponsor to remove it. Ultimately, he offered to withdraw it if the State Legislature passed, and the Governor signed, a substantially similar bill. And somehow this got done within about a week.”

Kooper said the CCPA represents the “second wave” of a legislative/regulatory push by governments worldwide. The “first wave” took place in 2016, when the European Union adopted the General Data Protection Regulation, a sweeping regulation (applied from May 2018) that requires businesses to protect the personal data and privacy of individuals in the 28 EU member states, wherever the business itself is located.

Now, Kooper said, even as the cement is still drying on the California law, the “third wave” is imminent at the state level, because federal action is not expected in the near term.

“What we expect is that legislatures across the country are going to engage in a cut-and-paste of the California law,” Kooper said. “And a lot of political groups are going to get involved as well, endorsing some sort of model legislation. We expect it to happen much more quickly than other bills, particularly in politically blue/purple states. And it’s also an election year, and politicians are eager to run on this issue. You can also expect consumer groups to get behind it as well.”

The “third wave” will have a “lot of momentum,” Kooper said. “What we can talk about is how to help our members and state and local association partners as their states consider these measures.”

The first MBA resource is a set of Data Protection Principles, focusing on both privacy and security. Principles include:

–National standards are critical.

–Data breach notifications should be standardized.

–Any designated framework must be technology neutral.

–State legislation should adopt a clear Gramm-Leach-Bliley exemption.

–There should be defined channels for opt-outs and industry-specific disclosures and delivery methods.

–Those that follow the rules should have a defined safe harbor.

During a conference call with state and local associations to discuss these new documents, Justin Wiseman, MBA Associate Vice President and Managing Regulatory Counsel, said “We believe national standards are critical. These issues are often international, so a federal response would make more sense. Additionally, the internet is not limited to a single state. So it makes sense that data protection should be regulated by a single entity, to prevent a patchwork of different laws and regulations that can make compliance difficult.”

The second resource includes MBA-proposed language for any state privacy bills, focusing on exempting financial institutions, and their affiliates, that are already subject to Gramm-Leach-Bliley Act provisions.

Wiseman added that MBA “recognizes and appreciates” that consumers deserve strong and effective state laws that protect their data from unauthorized use and disclosure. He noted the Gramm-Leach-Bliley Act already requires financial institutions to provide just these sorts of protections on a nationwide basis, subject to the oversight of federal regulatory agencies.

“By including this language for financial institutions that already comply with GLBA, a state will continue to protect its citizens without creating unnecessary barriers to companies that intend to offer products and services to the state’s consumers,” Wiseman said.