On June 23, 2022, Congressman Patrick McHenry (NC-10) released a discussion draft (“Discussion Draft”) of new legislation that would amend the Gramm-Leach-Bliley Act (GLBA) with the intent to “modernize GLBA to better align with our evolving technological landscape.” The Discussion Draft was released a few days after the House Subcommittee on Consumer Protection and Commerce heard testimony from consumer advocates and industry representatives on the recently proposed bipartisan American Data Privacy and Protection Act (ADPPA).
The Discussion Draft includes a broadening of the definition of “financial institutions” to include data aggregators and of “nonpublic personal information” (NPI) to include information reasonably associated with an individual (such as inferences). It would also expand the general obligation to provide a GLBA notice to situations where a financial institution “collects” NPI (as opposed to only applying in situations where NPI is shared with third parties). The Discussion Draft further eliminates the distinction between “consumers” and “customers” under the GLBA; if passed, the law would protect both consumers and customers in the same manner.
While not identical to ADPPA or the comprehensive privacy laws that have been passed at the state level, this proposed bill would significantly expand the privacy obligations of financial institutions and would bring more entities under GLBA regulation. Financial institutions subject to the GLBA have previously avoided new privacy obligations for their core business offerings because the comprehensive state laws have generally exempted data processed pursuant to the GLBA. (Such an exemption would also exist under ADPPA.) This proposal shows that Congress is paying attention to this particular issue.
Below are selected highlights from the Discussion Draft:
- Obligations for the collection of data. The GLBA sets obligations regarding the disclosure of nonpublic personal information (“NPI”) by financial institutions. The Discussion Draft requires financial institutions to also disclose to consumers when their NPI is being collected, not just when it is being disclosed to third parties.
- Updates to the definition of a financial institution. Under the GLBA, a financial institution is defined as “any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956.” GLBA §509(3)(A). The Discussion Draft expands the definition of financial institutions to also include data aggregators. A data aggregator is “any person that operates a commercial business for the purpose of accessing, aggregating, collecting, selling or sharing nonpublic personal information about consumer financial accounts or transactions at the direction of a consumer.” Notably, this update provides an exception for service providers acting at the instruction of the financial institution, such as marketers offering the financial institution’s products.
- Broadening the definition of nonpublic information covered. The Discussion Draft broadens personally identifiable financial information to also include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer,” thereby expanding nonpublic personal information to also include inferences.
- Notification of third parties. The Discussion Draft requires that in the event that a financial institution is required to terminate the collection of NPI, such financial institution must notify its nonaffiliated third parties that sharing has been terminated. Such third parties must also terminate sharing of the consumer’s NPI.
- Consumers versus customers. Title V of the GLBA differentiates between customers and consumers. A consumer is an individual who receives or has received a financial product or service from a financial institution. “Customers” are a subcategory of consumers: customers have a continuing relationship with a financial institution. For example, an individual who uses the ATM at a bank where that individual does not have an account is a consumer. Such isolated transactions, no matter how frequent, will not make the individual that bank’s customer. The Discussion Draft eliminates this distinction by striking the use of “customer” altogether. For non-customer consumers, a consumer relationship exists as long as the financial institution is collecting, controlling, possessing, transmitting or maintaining any NPI of the consumer.
- Transparency and Choice. The Discussion Draft requires disclosures in the event that NPI is collected from consumers for a purpose other than to provide a specific product or service. Under such circumstances, the disclosure must include a description of such information; the purpose for which such information is collected; the opportunity to opt out of having such NPI collected or disclosed to a nonaffiliated third party; the manner in which a consumer may make such opt-out election; the data retention policies; the right to terminate the sharing of the NPI; the right of the consumer to request a list of all the NPI collected; and the right to request deletion of such NPI.
- Regulatory Authority. The Federal banking agencies, the National Credit Union Administration, the Securities and Exchange Commission, and the Federal Trade Commission retain rulemaking and enforcement authority under section 505 as necessary. Per the Discussion Draft, the Secretary of the Treasury would no longer be involved in GLBA rulemaking. Further, agencies would no longer be required to consult, as appropriate, with the National Association of Insurance Commissioners.
- Small businesses. In consideration of small financial businesses, the Discussion Draft stipulates that agencies shall consider compliance costs imposed on smaller institutions when promulgating rules.
- Liability for Unauthorized Access. The Discussion Draft adds a new section 505A to the GLBA concerning liability to consumers. Under the Discussion Draft, a financial institution would be fully liable to the consumer in the event that NPI obtained from that financial institution is used to gain unauthorized access to the consumer’s account.
- Preemption. In stark contrast to the GLBA, which permits states to adopt protections that go beyond federal law where appropriate, the Discussion Draft provides for preemption and a national standard that would supersede any state law.
We will continue to provide updates on major developments of federal privacy law and more. To stay updated with our writings on this topic, please subscribe to the WilmerHale Privacy and Cybersecurity Blog.