New consumer privacy laws go into effect Thursday (Jan. 1) in Kentucky, Indiana and Rhode Island, each holding implications for banks, FinTechs and merchants. Together, they add to the growing patchwork of state-level privacy regimes payment processors must navigate, imposing new burdens on compliance departments.
The net effect, according to TrustArc, is that processors need to move beyond simple “GDPR-lite” compliance checklists and build multijurisdictional privacy processes that provide support for consumer rights and vendor governance across state lines.
Here is what banks, FinTechs and merchants need to know about the new statutes:
- The Kentucky Consumer Data Privacy Act (KCDPA) and the Indiana Consumer Data Protection Act (ICDPA) are modeled on laws in California and elsewhere that grant consumers the rights to access, correct and request deletion of their personal data, and to opt out of having that data used for targeted advertising and other activities, or sold or disclosed to a third party.
- Both the Kentucky and Indiana statutes apply to businesses operating in their respective states that process data from at least 100,000 residents annually, or 25,000 residents if the business derives more than 50% of its revenue from the sale of personal information, according to an overview from Cozen O’Connor.
- Both state laws also exempt nonprofits, higher education institutions, and entities regulated under HIPAA or GLBA, as in other states, and neither law creates a private right of action, relying instead on state privacy agencies and attorneys general for enforcement.
- The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) creates new transparency requirements around third-party data sales along with new consumer rights similar to the Kentucky and Indiana statutes.
- Rhode Island sets a lower threshold for the volume of data processed, according to White & Case. The law applies to companies that process data on 35,000 residents, or 25,000 if 20% or more of a business's revenue comes from selling personal data. The exemption for HIPAA-regulated entities is also narrower, limited to only data explicitly covered by the health information privacy law.
- The Rhode Island law, in language similar to the other states, defines “personal information” as any information that is “linked or reasonably linkable to an identified or identifiable individual.”
The implications of the new statutes for different payment processors vary, but in general, consumer-facing applications such as user portals, user experiences and consent mechanisms may need to be upgraded to enable consumers to exercise or assert their new rights. Vendor contracts may also need tightening; the Rhode Island statute explicitly requires contractual provisions around privacy cooperation and security between controllers and processors, according to White & Case…