National Retail Federation opposes expansion of Gramm-Leach-Bliley data security rules

The NRF says increased FTC oversight of the retail industry would be a “poor fit”

For more than 15 years, the Gramm-Leach-Bliley Act (GLBA) has governed data security in the banking industry. But should those guidelines, and the Federal Trade Commission’s (FTC) application of them, be expanded to retailers as well? Some lawmakers say yes, but the National Retail Federation (NRF) adamantly says no.

The NRF released a statement on March 16 in response to a number of proposals before Congress looking to expand the FTC’s authority to retailers and other businesses, similar to its current obligations for the financial industry under Gramm-Leach-Bliley. The law requires financial institutions to explain their information-sharing practices to customers and safeguard certain types of data.

However, the NRF says that this expansion would be a “poor fit.” The federation cites three key reasons for its opposition:

  • The FTC’s role as a law enforcement agency rather than an oversight regulator;
  • Overly burdensome obligations on nonbank businesses that have little or no authority to implement changes to payment cards; and
  • The FTC’s own objections to expanding GLBA requirements to retailers.





“When it issued consumer information privacy and safeguards rules under the Gramm-Leach-Bliley Act, the FTC considered applying the rules to retailers that accept bank credit or debit cards and declined to do so,” write Joel Winston and Anne Fortney, both former FTC Bureau of Consumer Protection officials. “We believe that determination remains equally justified today.”

The writers further argued that the FTC would not be able to effectively cover all retailers, saying, “The FTC lacks supervisory examination authority and lacks the resources to provide the specific guidance and ongoing oversight that would be necessary to effectuate guidelines-type rules covering the huge diversity of nonbank entities.”

Although the NRF is against expanding FTC authority, it is in favor of a national data security law that would replace the current patchwork of 47 state laws.

The NRF isn’t the only non-financial industry body opposing expanded FTC oversight of data security. Notably, Wyndham Worldwide continues to fight the agency’s jurisdiction over privacy matters following the FTC’s 2012 lawsuit against the hotel chain.

Assistant Editor


Zach Warren

Zach Warren is Assistant Editor of InsideCounsel magazine, where he oversees online content submissions and administers InsideCounsel's enewsletters. Zach specializes in new media and multimedia...
