I believe it was eight years too late and I was in the 10th grade when I first read George Orwell’s dystopian classic, 1984. Maybe it was because the dreaded year had already come and gone when I was seven years old, or maybe it was because I was still so naïve about all things, including Pete Rose’s innocence. Or maybe it was because the 1992 world around me in small-town Mississippi was so much more optimistic and quaint than what I read in the novel. Whatever the reason, Mr. Orwell’s story seemed to be nothing more than a bad dream, not unlike others I’d had following a mistimed chili dog right before bed. However, three years later, as I was enrolling at Mississippi State and typing “www” for the first time, my whole world rapidly began to change. At first, I realized nothing but upside when a lifetime’s worth of information was suddenly accessible to me in less than 10 minutes. Over the course of the next 25 years, I would slowly start to realize that this also meant the information about my life was instantaneously accessible to everyone else.
Others are coming to this realization as well, which has generated a recent push for privacy legislation all the way from Europe—where government leaders recently passed the General Data Protection Regulation limiting the collection and use of information belonging to EU citizens—to California, where that state’s Consumer Privacy Act, passed in 2018, aims to do largely the same thing for its citizens. In the latter case, the implementation of such protections in the United States, and the compliance with those regulations by businesses outside of California, can be complicated by the internet itself. After all, if I run a business in Mississippi, how am I supposed to keep track of whether or not a California customer requiring different treatment has shown interest in my online offerings? And why should I care if my state’s expectations of my business are so much lower than California’s? It is for this very reason that Congress is in the middle of a debate over whether federal privacy legislation is necessary and how such legislation should be crafted with respect to the preemption of state law.
To be clear, federal preemption is not a new battleground, and in the area of banking law in which I practice, it is a story almost as old as our country itself. (See McCulloch v. Maryland, 17 US [4 Wheat.] 316 [1819], with apologies to my fellow attorneys for the constitutional law flashback.) However, technology is about to give this story a brand-new chapter, especially in the banking world.
For its part, the Trump administration evidently considers this brave new world a positive development, or at least a necessary one for the US to continue as a political and economic leader in the world, and this administration seems intent on doing everything it can to make sure that local concerns about privacy or states’ rights don’t get in the way. In July 2018, the Office of the Comptroller of the Currency (OCC) began accepting applications for national bank charters from non-depository fintech companies engaged in the business of banking, despite the fact that such companies would not meet the traditional, regulatory definition of a bank because of their lack of insured deposits. The OCC’s resolve remains steely despite determined legal challenges from the Conference of State Bank Supervisors and the New York Department of Financial Services—challenges that were originally dismissed for not being ripe before the application invitation was formally issued last summer, but that were refiled in October following the official request for applications.
Then, in December, Uncle Sam’s newest consumer cop—that champion of business-friendly policies named the Consumer Financial Protection Bureau (CFPB)—showed that it has gotten with the program, when it issued a proposed Policy on No-Action Letters and the BCFP Product Sandbox. The proposal included a revision to the CFPB’s 2016 Policy on No-Action Letters that provides for (1) the issuance of no-action letters to technologically advanced companies, protecting them from certain regulatory actions if they play by certain rules, and (2) the creation of a regulatory sandbox that would not only include no-action relief but also exempt participants from both state and federal consumer laws if they agree to maintain close contact with the CFPB. As you might imagine, this generous offer resulted in a backlash from 22 Democratic state attorneys general who sent a letter to the CFPB in February, informing the agency that they did not believe the CFPB could give such a blanket safe harbor to sandbox participants because it protects them from enforcement by state authorities, especially since the policy was not issued as a more formal rulemaking subject to a notice and comment period.
These preemption skirmishes are just the beginning of this war. As a matter of fact, President Trump issued an executive order in February that called on federal agencies to develop rules for integrating artificial intelligence into the private sector, reinforcing that the administration is determined for the federal government to take the lead on encouraging technologically friendly government policy. It is evident that Uncle Sam is not going to let this little turf battle get in the way of “progress,” and states determined to protect their residents from the looming threat of Big Brother have many battles yet to fight. I’m sure Mr. Orwell would be very interested to see how this turns out.