
In the payments world, commentators note Illinois’ recent Interchange Fee Prohibition Act, which prohibits charging interchange fees on the tax or tip portions of processed transactions.
Key portions of the law take effect July 1.
By its terms, the Interchange Fee Prohibition Act also contains a general privacy rule restricting the use of payments transactional data:
(b) An entity, other than the merchant, involved in facilitating or processing an electronic payment transaction, including, but not limited to, an issuer, a payment card network, an acquirer bank, a processor, or other designated entity, may not distribute, exchange, transfer, disseminate, or use the electronic payment transaction data except to facilitate or process the electronic payment transaction or as required by law. A violation of this subsection constitutes a violation of the Consumer Fraud and Deceptive Business Practices Act.
The existence and wording of this prohibition suggest an increasing sophistication on the part of legislators about payment processing and the data flows inherent in it.
With this Illinois example in mind, then, I consider below how payment and related fintech companies might generally be impacted if privacy regulators and enforcement authorities, like Illinois, took a keener interest in their industry. These are the issues that payments service providers should be paying attention to under state comprehensive privacy laws in any case, assuming that payments transaction data relating to an individual qualifies as regulated “personal data.”
Applicability / Financial Exemptions. Many state comprehensive privacy laws exempt “financial institutions” regulated under the federal Gramm-Leach-Bliley Act from their requirements. Payment service providers should consider their status under these exemptions. The issue is double-edged: designation as a “financial institution” may reduce the applicability of state comprehensive privacy laws, but that same designation brings the company within Gramm-Leach-Bliley and other federal privacy regimes (such as the Affiliate Marketing Rule). Note also that the exemptions are not uniform: some states exempt the financial institution as an entity, while others (California among them) exempt only the data that is itself subject to Gramm-Leach-Bliley, leaving other personal data the company holds within the state law’s reach.
At least some payment service providers will want to avoid designation as a regulated “financial institution,” and will have good arguments for doing so. For these payment service providers, the full complement of state comprehensive privacy laws will presumptively apply, at least where the provider meets the data volume or other threshold requirements. And note: data volume thresholds are easily met by any company that regularly sees or processes transaction data at scale.
The rest of this piece examines specific requirements payment service providers need to consider assuming comprehensive privacy laws apply to them.
Controller/Processor Positions. All state comprehensive privacy laws have adopted some form of the data “controller” / “processor” distinction first seen in European law. In general: processors receive and use data on behalf of another; controllers receive and use data on their own behalf for their own purposes. Distinct obligations attach to each status, although data “controllers” generally bear the most direct obligations under comprehensive privacy laws.
Payment service providers should consider their positions carefully. With respect to some data uses, the service provider may act as a processor, while other activities (fraud modeling across merchants, analytics, marketing) require a different analysis. An inquiring privacy enforcement authority will want to know the company’s basic positions, and either position, controller or processor, requires some form of compliance activity. A company that has not assessed its basic controller/processor positions has little practical chance of ensuring actual compliance with the applicable state law.
Contracts. Most state comprehensive privacy laws include mandatory provisions for inclusion in contracts with service providers, whether those service providers sit “upstream” or “downstream” in the payments processing ecosystem. These requirements are detailed and specific; depending on the law, controllers or processors may be required to pass privacy-protective terms along, such as terms limiting the use or combination of data. Failure to include these required contract terms can mean that a personal data transfer qualifies as a data “sale,” whether or not payments industry convention would regard it as one. If a transfer is a sale, many laws require further specific consumer disclosures and opt-outs.
Data Brokering. Payment service providers that sell personal data but have no direct relationship with the consumers concerned may be deemed “data brokers.” Data brokers may be subject to independent registration requirements, may be obligated to make additional notices and honor opt-out rights, and may be subject to mass opt-outs submitted through a centralized mechanism.
Notices. Data controllers, in particular, must provide comprehensive privacy notices disclosing data collection, use, and sharing. These notices must also describe the rights the laws grant consumers, including opt-out rights and rights to access, delete, port, or restrict processing of their data. The inclusion of these rights means privacy notices are no longer a mere paper exercise: each notice presupposes an operational process for receiving, verifying, and responding to substantive exercises of rights by individuals. Payment service providers, many of which hold transaction data without any direct consumer relationship, should consider how they would identify the relevant data and respond to such requests.
Other Data Use Restrictions. In at least one state (Maryland), the comprehensive privacy law requires that: “A controller shall limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains”. (Emphasis added.) Many payment service providers do not interact directly with consumers. These companies will need to consider how their operations satisfy a requirement to limit collection to what is necessary for a product or service specifically “requested by the consumer,” when the consumer has requested a purchase from a merchant, not a service from the processor.
Cyber Audits. Under regulations in effect this year, California requires businesses whose processing presents significant risk to consumers’ security to conduct a rigorous, independent, comprehensive, annual, evidence-based audit of their cybersecurity program, with certification of the audit’s completion by a member of executive management under penalty of perjury. The threshold is defined by revenue and processing volume, and the first audits are phased in over several years, but payment service providers handling transaction data at scale should assume they may be in scope.
Risk Assessments / Data Protection Impact Assessments. Companies must conduct risk or data protection impact assessments in certain circumstances. As explained in another recent piece, these circumstances can include:
- processing of “sensitive” financial information,
- the provision of risk scoring or assessments that impact the provision or denial of financial services,
- certain consumer profiling,
- and/or the “sale” of data.
Payment service providers should consider whether their services may fall within the scope of these requirements for risk assessments.
To summarize, I speculate that many payments processing companies have heretofore avoided significant privacy enforcement in part because privacy regulators do not understand their arcane industry and the data transfers inherent between entities in the payment ecosystem. The attention from Illinois’ legislature indicates that this regulatory veil of ignorance may be lifting. If it does, payment service providers will want to pay attention to the substantial requirements of privacy laws. They should pay attention to these requirements in any case: these laws are in effect now. Regulation is here. Enforcement is coming. The question for a forward-thinking payment services provider is: how well positioned is your company under these requirements?
We will continue to monitor updates. For more information on data privacy and security regulations and other data privacy questions, please visit Taft’s Privacy & Data Security Insights blog.