On February 27, 2023, the Chairman of the House Financial Services Committee Patrick McHenry (NC-10) introduced the Data Privacy Act of 2023 (the Bill), which would amend the Gramm-Leach-Bliley Act (GLBA) to “modernize financial data privacy laws and give consumers more control over how their personal information is collected and used[.]” This is an update to a Discussion Draft of the Bill that Rep. McHenry released in June 2022. The Bill is substantially similar to the Discussion Draft with some minor changes, which are pointed out below.
The proposed legislation is significant because while a number of states have either passed or proposed comprehensive privacy legislation, those state bills tend to have carveouts for entities and information governed by other federal laws like the GLBA. The same was true of the last proposed version of the American Data Privacy and Protection Act (ADPPA). These carveouts have meant that financial service entities have continued to be governed by the GLBA—which was enacted in 1999 and where the governing privacy rules largely have not changed since they were first developed—as entities in other sectors have had to comply with stronger, more recent state or federal privacy laws. The Bill, which importantly would preempt all relevant state laws in the field, is intended to update the GLBA to account for some of the protections that are now routine in modern privacy law.
The timing of the bill is also significant because it is being proposed at the same time when Congress is reconsidering ADPPA. ADPPA may dominate the privacy discussion in Congress and put the Bill on the backburner. However, if ADPPA fails to get any additional traction, the Bill may be a way for Congress to show some progress on privacy issues during this legislative session. There is also a distinct possibility that this Bill is incorporated into ADPPA, which has provoked its own discussions about the extent to which federal privacy laws should preempt state laws. The Bill could thus become an important part of the national conversation about comprehensive federal privacy law in 2023.
Below are selected highlights from the proposed Bill:
- Applies to both consumers and customers. Title V of the GLBA differentiates between customers and consumers. A consumer is an individual who receives or has received a financial product or service from a financial institution. “Customers” are a subcategory of consumers. Customers have a continuing relationship with a financial institution. The Bill applies the GLBA’s privacy provisions to both categories by replacing “customers” and “consumers” with the phrase “individuals with whom such financial institution has a customer or consumer relationship[.]” This is a slightly different approach than the Discussion Draft of the Bill, which would have eliminated the general distinction between consumers and customers.
- Consent to use nonpublic personal information. The Bill explicitly states that it is unlawful for financial institutions to willfully use nonpublic personal information (“NPI”) without the consent of an individual with whom the financial institution maintains a customer or consumer relationship.
- Obligations for the collection and disclosure of data. The GLBA sets obligations regarding the disclosure of NPI by financial institutions. The Bill requires financial institutions to also disclose to individuals when their NPI is being collected, not just when it is being disclosed to third parties. Additionally, financial institutions must notify nonaffiliated third parties when a consumer or customer has ceased sharing of their data, and the nonaffiliated third parties must also cease sharing of the individual’s data. Financial institutions must notify customers and consumers when their account credentials are collected, explain how those credentials will be used or shared, and give the customers and consumers a chance to decline to share the credentials.
  - NPI collected by the financial institution;
  - The purpose for which the financial institution collects that NPI;
  - How that NPI will be used;
  - The data retention policies of the financial institution;
  - Any collection of NPI that is not necessary to provide the specific product or service the customer or consumer is seeking;
  - The right of the customer or consumer to opt out of collection of certain pieces of information;
  - The right of a customer or consumer to request a list of all NPI held by the financial institution; and
  - The right of a customer or consumer to direct the deletion of the NPI held by a financial institution unless an exception is met.
- State insurance authority rulemaking. In a provision that was not included in the Discussion Draft, the Bill directs state insurance authorities to issue regulations with respect to persons engaged in providing insurance, as necessary to carry out the Bill, while considering the cost of compliance on small businesses. Those regulations cannot be more restrictive for persons engaged in providing insurance than regulations issued by the relevant federal agencies.
- Preemption. In stark contrast to the GLBA, which empowers states to expand protections beyond federal law where appropriate, the Bill requires preemption and sets a national standard that would supersede any state law in the field.
- Updates to the definition of a financial institution. Under the GLBA, a financial institution is defined as “any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956.” GLBA §509(3)(A). The Bill expands the definition of financial institutions to also include data aggregators. A data aggregator is any person that operates a commercial business for the purpose of “accessing, aggregating, collecting, selling or sharing nonpublic personal information about financial accounts or transactions” relating to an individual. Notably, this update provides an exception for service providers acting at the instruction of the financial institution, as well as for attorneys and accountants.
- Updates to the definition of NPI. The Bill broadens the definition of NPI by replacing “personally identifiable financial information” with “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual[,]” thereby expanding NPI to also include inferences.
- Clarification of how certain transactions are defined. The Bill specifies that the following transactions are insufficient by themselves to establish a consumer relationship: the use of an ATM; the use of a credit or debit card to make a purchase; and other similar transactions as the agencies find appropriate. This provision was not included in the 2022 Discussion Draft.
- Obligations to allow access to and deletion of NPI. The Bill provides a series of rights to customers and consumers including: the right to access NPI held by the financial institution; the right to know the categories of nonaffiliated third parties from whom the financial institution has received NPI about the individual (a change from the Discussion Draft, which would have required a list of the third parties themselves rather than just the categories); the right to request deletion of NPI, with exceptions for law enforcement and other purposes; and an obligation for financial institutions to notify individuals annually of “inactive” accounts (i.e. accounts that have not been used for a year). The Bill sets a response period of 45 business days within which a financial institution must respond to an authorized request for the above, a time period which had not yet been decided in the Discussion Draft.
- Partial prohibition on sharing NPI with foreign governments. Financial institutions are prohibited from sharing the NPI of customers or consumers with foreign governments, except for legitimate law enforcement purposes or to a foreign government authority with jurisdiction over the institution for examination, compliance, or other legal purpose. The latter exception was not included in the Discussion Draft.
- Absence of an “Enforcement” section. While the Discussion Draft contained an “Enforcement” section without any draft text, the Bill itself does not contain an “Enforcement” section.
- Absence of “Liability for Unauthorized Access” section. The Discussion Draft contained a section making financial institutions liable to individuals for the full amount of damages resulting from unauthorized access to an individual’s account in the case of data breaches or otherwise. That section was not included in the newly proposed Bill.
- Required Government Accountability Office report. Perhaps in preparation for future amendments to include sections on liability and enforcement, the Bill directs the Government Accountability Office to issue a report on the efficacy of the existing GLBA standards to safeguard NPI from unauthorized access and disclosure and the existing enforcement regime.
- Delayed effective date. If enacted, the Bill would be effective two years after the date of enactment or one year after the date on which all rulemaking required under the Act is complete, whichever is earlier.
We will continue to provide updates on major developments of federal privacy law and more. To stay updated with our writings on this topic, please subscribe to the WilmerHale Privacy and Cybersecurity Blog.