Synopsis: While certain industries have been able to navigate the explosion of privacy laws in recent times through express statutory exemptions or exceptions (often due to other regulatory regimes being in place, such as the GLBA for financial services institutions or HIPAA for certain health care companies), their vendors’ reliance on those exemptions or exceptions when providing services to the regulated entity may be in question now.
It is not news that industries of all types rely on vendors to provide technology services, applications, and hardware. The financial services and health care industries are no exception. An obvious example is the significant migration to cloud technologies to improve everything from the bottom line to customer experiences. While certain industries have been able to navigate the explosion of privacy laws in recent times through express statutory exemptions or exceptions (often due to other regulatory regimes being in place, such as the GLBA for financial services institutions or HIPAA for certain health care companies), their vendors’ reliance on those exemptions or exceptions when providing services to the regulated entity is now in question. In short, whether you are the regulated entity relying on the statutory exemption or exception or the vendor providing services, you need to pay attention to the evolution of how courts are interpreting privacy laws and the obligations and risks you may have.
On February 14, a judge in the U.S. District Court for the Northern District of Illinois upheld claims against a vendor providing identity verification services to a financial services company for alleged violations of Illinois’s Biometric Information Privacy Act. BIPA, for those not familiar with it, requires (among other things) organizations to provide notice to, and secure written consent from, Illinois residents before handling their biometric information, and contains a private right of action and statutory damages of $5,000 per violation. For that reason, BIPA claims have been popular class action fodder in recent times.
Do vendors fall within statutory exemptions in privacy statutes? In the ND IL case, the plaintiff claimed that the vendor violated the notice and consent requirements of Illinois’s Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1 et seq., when it collected his biometric information while verifying his identity for a crypto exchange. The vendor allegedly employs facial recognition software to provide identity verification services to businesses seeking to confirm the identities of customers making transactions — here, the vendor’s verification technology was used for account access through web and mobile applications, as alleged. One of the questions addressed by the court is whether the vendor falls within BIPA’s express exemption that BIPA does not regulate “in any manner … [a] financial institution or an affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated thereunder.” 740 ILCS 14/25(c). While the court clearly wrestles with the statutory language and what “in any manner” means in the instant case, it explains:
Examining the plain language of the phrase “in any manner,” it is difficult to see how requiring [the vendor] to comply with BIPA’s notice and consent provisions leads to BIPA being applied in any manner to [the alleged financial institution]. If this Court were to order [the vendor] to comply with BIPA’s requirements, [the vendor] might have to modify the software that it provides to [the alleged financial institution] to allow for notice and consent obligations; [the alleged financial institution], however, would not have any affirmative obligation under BIPA to change the [alleged financial institution’s] App. … Without further information regarding how the [alleged financial institution’s application] functions and how [the vendor’s] identity-verification software is integrated into the [application], the Court cannot determine the extent to which requiring [the vendor] to comply with BIPA would necessitate changes to how [the alleged financial institution] does business, such that BIPA might be considered as applying “in any manner” to [the alleged financial institution]. That is a determination more appropriately made with the benefit of discovery at the summary judgment stage of the proceedings.
Why this matters: BIPA contains a broad exemption for financial institutions and their affiliates subject to the GLBA, and financial institutions generally have taken the view that data regulated under the GLBA that is handled by a financial institution or its service providers is exempted from the state privacy laws.
- By requiring financial institution vendors to comply with BIPA or other state privacy laws, this decision could impose additional compliance obligations on financial institutions themselves.
- At minimum, regulated entities relying on express statutory exemptions in privacy laws (e.g., financial institutions and health care companies) must be wary of contractual protections needed and oversight obligations they may or may not want related to vendors handling biometric information (or any other protected data, for that matter).
- Going forward, that regulated entity may be required to ensure its service providers comply with laws to which the entity itself is not subject and for which it does not have an organizational risk management structure in place to analyze.
Other state privacy laws adopted to date typically contain exemptions for financial institutions or GLBA-regulated data, even though the federal privacy and security framework under the GLBA can differ greatly from what is in the state laws. Depending upon the wording of the laws’ exemptions, this could greatly complicate compliance efforts.
- For example, for laws wholly exempting financial institutions regulated by the GLBA, such as Virginia’s Consumer Data Privacy Act, this ruling could require the financial institution to effectively comply anyway to ensure its service providers are in compliance.
- Or for laws that exempt data regulated by the GLBA, such as California’s CCPA, once the GLBA-regulated data passes from the financial institution to a third-party service provider’s control, the logic of this ruling could effectively require those third-party service providers to treat the data as both GLBA-regulated (under contracts with the financial institution) and directly regulated by state law.
We are still in the early days of U.S. state privacy laws and understanding how they intersect with the federal sectoral privacy laws for the financial services, health care, and education sectors, and the extent to which those federal laws fully preempt state laws. Decisions such as this will complicate compliance efforts, and the use of cloud-based vendors may accelerate the burden of those efforts.
If you have any questions or would like to learn more, please contact Scott Lashway and Matthew Stein.