2026 Forecast: Consumer Privacy Laws Go Into Effect in 3 States

FRANKFORT, Ky.–With the new year here, new consumer privacy laws that credit unions will need to be paying attention to have gone into effect in Kentucky, Indiana and Rhode Island. In certain cases, credit unions are exempt from the laws.

The net effect, according to TrustArc, is that processors need to move beyond simple “GDPR-lite” compliance checklists and build multijurisdictional privacy processes that provide support for consumer rights and vendor governance across state lines. 

The New Statutes

The new statutes include:

The Kentucky Consumer Data Privacy Act (KCDPA) and the Indiana Consumer Data Protection Act (ICDPA).

Both laws are modeled on laws in California and elsewhere that grant consumers rights to access, correct, request deletion, and opt-out of having their personal data used, for targeted advertising and other activities, or sold or disclosed to a third party, according to TrustArc.

Both the Kentucky and Indiana statutes apply to businesses operating in their respective states that process data from at least 100,000 residents annually, or 25,000 residents if the business derives more than 50% of its revenue from the sale of personal information.

Both state laws also exempt nonprofits, higher education institutions, and entities regulated under HIPAA or GLBA. As in other states, neither law creates a private right of action, relying instead on state privacy agencies and attorneys general for enforcement.

The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

The RIDTPPA creates new transparency requirements around third-party data sales along with new consumer rights similar to those in the Kentucky and Indiana statutes.

Rhode Island sets a lower threshold for the volume of data processed, according to White & Case. The law applies to companies that process data on 35,000 residents, or 25,000 if 20% or more of a business’ revenue comes from selling personal data. The exemption for HIPAA-regulated entities is also narrower, limited to only data explicitly covered by the health information privacy law.

The Rhode Island law, in language similar to the other states, defines “personal information” as any information that is “linked or reasonably linkable to an identified or identifiable individual.”

The implications of the new statutes for different payment processors vary, but in general, consumer-facing applications such as user portals, UXs and consent mechanisms may need to be upgraded to enable consumers to exercise or assert their new rights, TrustArc said.

In addition, vendor contracts may also need tightening; the Rhode Island statute explicitly requires contractual provisions around privacy cooperation and security between controllers and processors, according to White & Case.

Stricter Geofencing May be Needed

Moreover, compliance with the new statutes may require stricter geofencing and data inventory management to identify whether the data being processed crossed state lines or meets the statutory volume thresholds, according to TrustArc. 
