National Fair Housing Association | TechEquity Collaborative
Privacy, Technology, and Fair Housing - A Case for Corporate and Regulatory Action

Laws compared in this chart, with jurisdiction:

Federal Trade Commission Act (FTC Act) (1914). Jurisdiction: Federal
Gramm-Leach-Bliley Act (GLBA) (1999). Jurisdiction: Federal
Dodd-Frank Act/UDAAP (2010). Jurisdiction: Federal
General Data Protection Regulation (GDPR) (2016). Jurisdiction: European Union
California Consumer Privacy Act (CCPA) (2018)/California Privacy Rights Act (CPRA, 2020 expansion of CCPA)*. Jurisdiction: California
Fair Housing Act (FHA) (1968). Jurisdiction: United States
Fair Credit Reporting Act (FCRA) (1970). Jurisdiction: Federal
Equal Credit Opportunity Act (ECOA) (1974). Jurisdiction: Federal
Home Mortgage Disclosure Act (HMDA) (1975). Jurisdiction: Federal
Does it include a data minimization framework or principles?

FTC Act: N/A. The Act was created to protect consumers against unfair business practices; it did so by creating the Federal Trade Commission and, initially, by enforcing the Sherman Antitrust Act and the Clayton Antitrust Act. It is notable for its role now as the primary enforcer of federal privacy laws and protections, which it does in part by enforcing the other laws in this chart.

GLBA: No. GLBA does not limit the types of data that can be collected or the purposes for which it can be collected. It uses an "opt out" framework for sharing "nonpublic personal information" with third parties that allows entities to transmit data unless and until expressly told not to by data subjects.

Dodd-Frank Act/UDAAP: No. Dodd-Frank and UDAAP have recently been interpreted and updated to give consumers better protection and access to their information, but they protect and monitor the consumer data that financial institutions hold rather than limiting what they can hold in the first place. Section 1033 of Dodd-Frank requires financial service providers to make information about products or services available to consumers. This, however, does not relate to a consumer/data subject's personal data, but rather to information about financial products and services. In October 2022, the CFPB announced rulemaking on personal financial data rights under Section 1033 to require that financial institutions make consumer financial data available to data subjects or third-party entities at the subject's request. At time of publishing, rulemaking had not been finalized.** The Act's UDAAP authority protects against unfair, deceptive, and abusive practices of financial institutions. In August 2022, the CFPB announced that entities that do not adequately protect consumer data could be violating UDAAP.

GDPR: Yes. Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. It must only be kept for as long as the data is necessary for the processing purposes.

CCPA/CPRA: No. CCPA/CPRA uses an opt-out framework: rather than limiting what businesses can collect in the first place or ensuring privacy by right, it places the responsibility on individual data subjects to withdraw their consent from businesses for the sale and sharing of their personal information, or to request that businesses limit their use of the subject's sensitive information.

Fair Housing Act: N/A. The FHA does not require or entail data collection.

FCRA: FCRA states that people requesting consumers' information must have a valid need to do so, but it does not limit consumer reporting agencies to collecting only specific information. Instead it requires certain accuracy, fairness, and privacy standards for the information contained in consumer reports.

ECOA: Regulation B of ECOA contains limited data collection requirements for mortgage loans not covered by HMDA.

HMDA: The CFPB modifies the HMDA data it makes public to protect applicant and borrower privacy, but it does not begin from a minimization framework as outlined in this paper.
What are its privacy & security protocols?

FTC Act: N/A. The Act was created to protect consumers against unfair business practices; it did so by creating the Federal Trade Commission and, initially, by enforcing the Sherman Antitrust Act and the Clayton Antitrust Act. It is notable for its role now as the primary enforcer of federal privacy laws and protections, which it does in part by enforcing the other laws in this chart. The FTC Act's UDAP provisions can apply to privacy violations.

GLBA: GLBA requires that financial institutions implement security safeguards for consumer information that encompass administrative, technical, and physical protections. Technical safeguards include certain cryptographic and encryption standards.

Dodd-Frank Act/UDAAP: No. Dodd-Frank uses opt-out frameworks, which do not guarantee privacy by right. The Act's UDAAP authority has been interpreted to mean that failing to safeguard data could violate the prohibition on unfair practices; the CFPB's guidance outlines certain technical security measures that can mitigate the risk of violating UDAAP: multi-factor authentication, password management, and regular software updates. While these show certain technical security standards, they do not align with the data standards outlined in this paper.

GDPR: Yes. GDPR explicitly requires appropriate technical measures, such as pseudonymisation and encryption, and other data protection principles that safeguard data during the data processing stages.

CCPA/CPRA: No. CCPA/CPRA use typical notice-and-consent opt-out frameworks, which enable data subjects to reclaim their data but do not guarantee ownership of the data by default. CPRA requires businesses whose processing of personal information presents significant security risks to perform annual cybersecurity audits. At time of publishing, businesses did not need to be assessed against privacy-preserving methodologies.

Fair Housing Act: N/A.

FCRA: FCRA gives consumers certain rights related to the data held by consumer reporting agencies, but it does not give consumers a say over whether those agencies have the information at all. Anyone with a designated valid need (landlords, employers, financial institutions, etc.) can access a consumer's information. In the case of employers, FCRA stipulates that consumers must give express written consent for access to their information. Consumers may request all information about themselves contained in consumer reports, and agencies must delete inaccurate or unverifiable information about consumers. The FCRA framework leaves agencies in charge of consumer data, with consumers/data subjects given discrete rights over how it is used, rather than giving consumers primacy in the use and distribution of their information.

ECOA: N/A.

HMDA: Under HMDA, institutions disclose loan application details including date, loan type, property type, amount, location, applicant demographics, income, and approval information for each loan application. The data that is made publicly available is aggregated by banking institution to exclude application date, property address, and applicant credit score and ethnicity.
Does it require notice & explanation?

FTC Act: N/A. The Act was created to protect consumers against unfair business practices; it did so by creating the Federal Trade Commission and, initially, by enforcing the Sherman Antitrust Act and the Clayton Antitrust Act. It is notable for its role now as the primary enforcer of federal privacy laws and protections, which it does in part by enforcing the other laws in this chart.

GLBA: Requires financial institutions to give customers and consumers a privacy notice that describes the institution's collection, disclosure, and protection practices, including the categories of data collected, the categories of data disclosed, and which third parties information is shared with.

Dodd-Frank Act/UDAAP: No. Rulemaking on Section 1033 at time of publishing proposes requiring that financial institutions make personal consumer financial data available to data subjects or third-party entities at the subject's request, but consumers currently do not have clear rights to their data under Dodd-Frank.

GDPR: Yes. Data subjects must receive transparent information on the purposes and processing of their collected data, as well as information on the data storage period, how to access and delete one's data, how to submit a complaint, and the existence of automated decision-making. Data must be collected for "specified, explicit, and legitimate" purposes.

CCPA/CPRA: CCPA/CPRA ensures the right to know, delete, correct, limit, and opt out of businesses' data practices. The right to know also includes the right to know how one's personal data is used.

Fair Housing Act: N/A.

FCRA: The Act outlines when information can be shared (and with whom) and when consumers must be notified that an adverse action has been taken because of one of these consumer reports.

ECOA: Requires notice and explanation of adverse action (12 CFR 1002.9).

HMDA: HMDA data is submitted by financial institutions about applicants. Applicants can self-report their ethnicity, race, and sex; in lieu of self-reported data, institutions must report demographic information based on visual observation or surname. Besides the option to self-identify, there is no discretion or notice given to applicants about how their data will be submitted, and no opportunity to change the information.
Is there an explicit non-discrimination provision?

FTC Act: The Act created the Federal Trade Commission and prohibits unfair competition and deceptive commerce practices. These protections are now commonly upheld through enforcement authorities given to the Commission in laws such as ECOA and UDAP. The UDAP provisions can apply to privacy violations.

GLBA: The Federal Trade Commission may bring enforcement actions for Privacy Rule violations either through federal court or by examining stated privacy policies for deception or unfairness. The Consumer Financial Protection Bureau also has certain Regulation P enforcement authority under GLBA.

Dodd-Frank Act/UDAAP: Dodd-Frank created the Consumer Financial Protection Bureau and gave it authority to protect against discriminatory lending and to enforce federal fair lending laws. It also changed the disclosure requirements under HMDA to better monitor for discriminatory lending patterns.

GDPR: Yes. The protections do not neatly fit into common U.S. protected classes, but GDPR prohibits the processing of data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as biometric data, health data, and data concerning a person's sex life or sexual orientation.

CCPA/CPRA: The CCPA/CPRA right to non-discrimination protects individuals from adverse action on the basis of exercising their rights under CCPA, but it does not create additional discrimination protections specific to privacy rights.

Fair Housing Act: Yes. The Fair Housing Act prohibits discrimination in housing on the bases of race, color, national origin, religion, sex and gender, familial status, and/or disability.

FCRA: FCRA does not directly protect consumers against the discriminatory use of their data. Discriminatory uses of consumer data would be addressed by other laws, such as the Fair Housing Act in the case of housing discrimination.

ECOA: Protects consumers from being discriminated against by lenders on the basis of race, color, religion, national origin, sex and gender, marital status, age, receipt of public assistance income, and exercising one's rights under other consumer protection laws.

HMDA: HMDA was enacted in 1975 in part so that lending data could be reviewed to identify potentially discriminatory lending patterns. HMDA is effectively an accountability and supervisory tool supporting non-discrimination under the FHA and ECOA.
How does it handle enforcement?

FTC Act: The Act created the Federal Trade Commission, the primary enforcement entity for federal privacy laws and protections.

GLBA: The Federal Trade Commission may bring enforcement actions for Privacy Rule violations either through federal court or by examining stated privacy policies for deception or unfairness. The federal financial regulators also have authority to enforce against the entities they regulate.

Dodd-Frank Act/UDAAP: Dodd-Frank created new financial standards and authorized several agencies to enforce them. The Consumer Financial Protection Bureau has authority to enforce against unfair, deceptive, or abusive acts related to a consumer financial product or service. UDAAP enforcement largely relies on a consumer complaint and investigation process. The federal financial regulators also have authority to enforce against the entities they regulate.

GDPR: GDPR is an international regulation covering countries in the European Union and entities operating in those countries, enforced by authorities in each country known as Data Protection Authorities (DPAs). Violations are fined.

CCPA/CPRA: The California Attorney General enforces the CCPA and CPRA, with the California Privacy Protection Agency holding administrative and jurisdictional power to implement and enforce them. Enforcement of CPRA will not begin until July 2023. CCPA violations carry a right-to-cure period and civil penalties of up to $7,500 for each intentional violation.

Fair Housing Act: The FHA has a private right of action and is enforced by various agencies, including HUD and DOJ.

FCRA: The Federal Trade Commission and the Consumer Financial Protection Bureau have primary enforcement authority for FCRA, which they exercise through legal action against consumer reporting agencies.

ECOA: There is a private right of action under ECOA. The CFPB supervises lending and credit institutions for discrimination and can take public enforcement action against covered entities. The FTC can enforce ECOA against entities not covered by the CFPB.

HMDA: Institutions that do not submit HMDA disclosures are subject to civil monetary penalties. That said, HMDA is a transparency measure that publicizes potentially discriminatory patterns; it is up to the public to assess the data for those patterns to ensure that the data collected is being applied effectively. The CFPB supervises and enforces for non-compliance.
Landscape of Existing Privacy Regulation/Policy