State Financial Privacy: California (CFIPA) and New York (NYDFS)
Because GLBA does not preempt stricter state law, California's CFIPA (SB-1) adds opt-in consent for sharing with nonaffiliated third parties, and New York's NYDFS cybersecurity regulation (2017) imposes stricter, NIST-aligned mandates, including designating a CISO and maintaining incident response capability. CCPA/CPRA exempt only GLBA/CFIPA-covered datasets, not whole institutions.
CFIPA requires written opt-in consent before sharing personal information with nonaffiliated third parties, on a form titled "Important Privacy Choices for Consumers," and lets consumers opt out of sharing with affiliates in a different line of business. Negligent violations carry statutory damages of $2,500 per consumer up to a $500,000 cap; willful violations have no cap.
The NYDFS cybersecurity regulation (2017) was the first state regulation to go well beyond GLBA, defining nonpublic information more broadly and adding requirements GLBA lacked on personnel, reporting, documentation and third-party providers. NYDFS also regulates virtual currencies via the BitLicense (2015) and maintains a "Greenlist" of approved coins.
The CCPA/CPRA exemption applies dataset by dataset, not to the whole organization. Only data specifically covered by GLBA or CFIPA is exempt, so institutions must review each dataset individually to determine whether CCPA/CPRA obligations still apply to it.