Although there is no general federal legislation for data and metadata protection and privacy, there are a number of federal data protection laws that are sector-specific or focus on particular types of data. In addition to the Federal regulations, there are some state laws that are also applicable.
Table 1 summarizes the number of U.S. Laws and Regulations covering Privacy Considerations. The total (16) indicates the complexity of the Privacy landscape that confronts the CBDC just within the U.S. The more Laws and Regulations there are, the more effort is required to coordinate the CBDC efforts and to work with the Legislative and Executive Branches to keep the Laws and Regulations current with CBDC efforts.
| U.S. Privacy Consideration | No. of Laws and Regulations |
|---|---|
| U.S. Federal Laws and Regulations | 10 |
| U.S. State Laws and Regulations | 6 |
| Total | 16 |
There is no single U.S. law or regulation covering Privacy, but a whole set of laws. Table 2 outlines most of the laws as determined by the OMG DIDO-RA. There are roughly 10 Laws and Regulations in the U.S. covering Privacy.
U.S. Federal Laws

| Kind | Law / Regulation | Description |
|---|---|---|
| Privacy | Driver's Privacy Protection Act of 1994 (DPPA) | DPPA governs the privacy and disclosure of personal information gathered by state Departments of Motor Vehicles, including photographs, Social Security Number (SSN), Driver Identification Number (DID), name, address (but not the five-digit ZIP code), telephone number, medical information and disability information. |
| Privacy | Video Privacy Protection Act (VPPA) | VPPA restricts the disclosure of rental or sale records of videos or similar audio-visual materials, including online streaming. |
| Privacy | Cable Subscriber Protection | Cable Subscriber Protection gives subscribers access to all Personal Identifiable Information (PII) about them that is collected and maintained by a cable operator. |
| Privacy | Right to Financial Privacy Act of 1978 (RFPA) | The RFPA was put in place to limit the government's ability to freely access nonpublic financial records. The RFPA defines financial institutions as any institution that engages in activities regarding banking, credit cards, and consumer finance. It also defines financial records as any documentation of a consumer's relationship with a financial institution. |
| Privacy | Gramm-Leach-Bliley Act (GLBA) | The GLBA promotes consumer privacy; it includes regulations that limit the ways in which companies handle and share financial data. |
| Privacy | Fair Credit Reporting Act (FCRA) | The FCRA regulates credit agencies and promotes fair and secure handling of consumer information. The FCRA attempts to limit the dissemination of information through five main rules: |
| Privacy | Fair and Accurate Credit Transactions Act (FACTA) | FACTA amended the FCRA with stricter regulations that need to be enforced first. State laws regarding credit scores, credit reports, and insurance were to remain in effect as a result of the amendments. FACTA gave consumers more rights to explanations of their credit scores and the right to a free credit report each year. It also includes two rules: |
| Privacy | Credit and Debit Card Receipt Clarification Act | The Credit and Debit Card Receipt Clarification Act requires that account numbers printed on receipts be shortened to five digits in order to protect consumer privacy. |
| Privacy | Fair Debt Collection Practices Act (FDCPA) | Under the FDCPA, collectors are not allowed to publish a consumer's name and address on a bad debt list or reveal any information regarding the debt to unaffiliated third parties except the consumer's partner or attorney. |
| Privacy | Electronic Funds Transfer Act | The act implemented requirements so that banks have to notify their customers of any policies regarding the electronic transfer of funds. Banks are also held liable in the event that information is disclosed over the telephone without consent. Banks would also be held responsible for any damages that result from unauthorized access to a consumer's information. |
Each U.S. State can have its own laws or regulations covering Privacy, again as a whole set of laws rather than a single statute. Table 3 outlines most of the U.S. State laws as determined by the OMG DIDO-RA. There are roughly 6 major U.S. State Laws and Regulations covering Privacy.
State Laws

| Kind | Law / Regulation | Description |
|---|---|---|
| Privacy | California Privacy Act | The California Privacy Act is a state-level privacy act that provides protection of consumer information. The act is described as a stricter version of the Gramm-Leach-Bliley Act. |
| Privacy | California Consumer Privacy Act (CCPA) | The CCPA gives consumers more control over the personal information that businesses collect about them, and the CCPA regulations provide guidance on how to implement the law. |
| Privacy | California Consumer Credit Reporting Agencies Act (CCCRA) | The CCCRA regulates consumer credit reporting agencies as well as any users of credit reports. The act also provides a narrower definition of "consumer credit report", as any information that falls within credit reports is protected by the act. |
| Privacy | California Right to Financial Privacy Act | California's Right to Financial Privacy Act regulates the state's government agencies' ability to access nonpublic consumer information. As a result of the act, California's government agencies are not authorized to access financial records unless the consumer gives consent or a subpoena or search warrant is issued for the information. |
| Privacy | California Song-Beverly Credit Card Act | Under the California Song-Beverly Credit Card Act, companies may not collect personally identifiable information from consumers who purchase goods or services using credit cards. Companies cannot set conditions under which consumers must consent to share their information in order to use their credit cards for a transaction. However, consumer information can be requested in order to complete a credit card transaction as long as the information is never recorded. The act also sets a redundant state-level requirement that companies must shorten a consumer's credit and debit card information on receipts. |
| Privacy | Vermont Privacy of Consumer Financial and Health Information | The law defines the purpose, scope, application, compliance, and exceptions to the law. The purpose of the Vermont Privacy of Consumer Financial and Health Information is to govern the treatment of nonpublic personal information about consumers by financial institutions. |
The following user scenario is meant as an exemplar of the importance of Data Strategy and Data Governance for a U.S.-based CBDC.
The following is a theoretical problem used to highlight some major issues with privacy.
Two U.S. citizens go into a U.S. clinic: John Doe and Jane White.
Both show up at a medical facility that treats mental health and substance abuse. The diagnosis and treatment for John and Jane are identical, with the same prognosis, and the outcomes are expected to be the same. On a personal level, this is a tragedy for both John and Jane, their families, and their friends.
Both John and Jane would like to keep their visit to the medical facility quiet. John has a better chance of keeping his visit secret, especially since there is no real economic incentive to divulge the secret. However, if it is known that Jane has visited this clinic, the collateral impact on her company, its employees, the investors, and even those investing in competing companies can be wide-reaching and significant.
Regardless of whether the data and metadata are about John or Jane, both of them have a reasonable expectation that the data and metadata about their transaction with the medical facility are secure and remain private.
A theoretical solution is for the CBDC to develop a rigorous and comprehensive Data Strategy that guarantees the security and privacy of the transactional data associated with the CBDC. The CBDC and the Federal Reserve do not need to develop their own Security and Privacy framework but can rely on the existing framework laid out by the U.S. Federal Government.
The OMG DIDO Reference Architecture (DIDO-RA) provides a discussion on what a U.S. Federal Data Strategy is.
The following is from the U.S. Federal Government on Data Strategy:
The DIDO-RA summarizes the areas required for a U.S. Federal Data Strategy as follows:
1. Principles
2. Practices
3. Actions
The "desirements" specified in the White Paper and identified by the OMG's CBDC WG White Paper Analysis as Privacy Issues are listed in Table 4.

| Category | Desirements |
|---|---|
| Benefits | B0004, B0022 |
| Policies and Considerations | P0004 |
| Risks | R0014 |
| Design | D0012 |

B = Benefit, P = Policy, R = Requirement, D = Design.

Table 5 provides discussion points for each of the "desirements" identified by the OMG's CBDC WG White Paper Analysis.
| Desirement No. | Desirement Text | Comment |
|---|---|---|
| B0004 | Protect consumer privacy | Consumer privacy is information privacy as it relates to the consumers of products and services. A variety of social, legal and political issues arise from the interaction of the public's potential expectation of privacy and the collection and dissemination of data by businesses or merchants. |
| B0022 | Provide a CBDC that is: | Privacy-Protected means that it is critical for the Central Bank Digital Currency (CBDC) to protect consumer privacy. Any CBDC would need to strike an appropriate balance, however, between safeguarding the privacy rights of consumers and affording the transparency necessary to deter criminal activity. |
| P0004 | Protect consumer privacy | See B0004. |
| R0014 | Risk of not achieving an appropriate balance between safeguarding the privacy rights of consumers and affording the transparency necessary to deter criminal activity | |
| D0012 | Design should address privacy concerns by leveraging existing tools already in use by intermediaries | Intermediaries means commercial banks and regulated nonbank financial service providers that would operate in an open market for CBDC services. |

B = Benefit Considerations, P = Policy Considerations, R = Risk Considerations, D = Design Considerations.