EPIC to House Committee: Notice and Choice Does Not Protect Privacy

In advance of a markup by the House Financial Services Committee, EPIC sent a statement to the Committee regarding the proposed Data Privacy Act of 2023 sponsored by Chairman Patrick McHenry. “This bill’s reliance on an outdated system of notice-and-choice does not meaningfully protect privacy and is out of step with recent developments in privacy legislation,” EPIC said.

The proposed bill unfortunately relies on an outdated system that does little to protect privacy by extending the notice-and-choice provisions of the Gramm-Leach-Bliley Act (GLBA). “The Committee should not advance legislation that purports to be a privacy bill unless it includes a data minimization standard similar to what is set forth in the bipartisan American Data Privacy and Protection Act,” EPIC wrote. 

EPIC also argued that “data aggregators,” more commonly known as data brokers, should not be added to the types of entities covered by GLBA unless the privacy protections are strengthened, as the bill proposes to do. “Adding data brokers to GLBA simply allows them to evade stricter regulations, whether from existing state privacy laws or stronger national standards that may come into effect in the coming years,” EPIC said. This is due to the success that financial institutions has had in lobbying state lawmakers to exempt any GLBA-covered entities from state privacy laws. “The Committee should not include data aggregators under GLBA coverage unless the privacy protections in this bill are substantially improved and set a higher standard than existing state laws,” EPIC told the Committee.