Today, the Chairman of the House Financial Services Committee, Patrick McHenry (NC-10), introduced the Data Privacy Act of 2023. This legislation modernizes financial data privacy laws and gives consumers more control over how their personal information is collected and used—without stifling innovation in the United States.
“Republicans are putting American consumers back in control of their financial data,” said Chairman McHenry. “As advances in technology bring greater access to our financial system, the amount of personal financial information collected on Americans also increases. The financial services sector is already highly regulated when it comes to consumer data. However, it’s critical that we bring our privacy guardrails into the 21st century to match the widespread adoption of financial technology. I’m proud to introduce this legislation to secure Americans’ private financial data, without strangling innovation.”
Key Pillars of the Data Privacy Act:
Modernizes the Gramm-Leach-Bliley Act (GLBA) Using a Technology-Agnostic Approach
- The Data Privacy Act modernizes GLBA to better align with our evolving technological landscape. Advances in technology have changed the financial system and the way consumers interact with financial institutions, including nonbank institutions. The consumer protections contained in the bill will apply seamlessly to future innovation and new technologies.
Puts Control Back in the Hands of the Consumer
- The Data Privacy Act ensures consumers control how their personal information will be used beyond financial institutions. The bill empowers consumers to understand how their data is being collected and used by a service provider when they agree to the provider’s privacy policy. In addition, the bill ensures consumers have the right to terminate collection of their data, and/or request deletion of their data, at any time.
Data Minimization
- The Data Privacy Act protects against the misuse or overuse of consumer nonpublic personal information. Under the bill, entities are directed to disclose to consumers why they are collecting certain pieces of data, and only use data for its stated purpose. Covered entities must provide consumers with an opportunity to opt out of the data collection if it is not necessary to provide the product or service offered by the entity.
Informed Choice and Transparency
- The Data Privacy Act empowers consumers by requiring privacy terms and conditions to be transparent and easily understandable. Consumer disclosures are critical to understanding what data is collected; the manner in which the data is collected; the purposes for which the data will be used; who has access to the data; how an entity is using the data; where the data will be shared; the data retention policies of the entity; and the rights associated with that data for uses inconsistent with the stated purpose.
Preemption
- The Data Privacy Act provides consistency across the country with respect to understanding how downstream entities are collecting and using personal information. A national standard will reduce the compliance burden and provide certainty to both consumers and entities that handle their financial data.