
House Financial Services Committee Requests Feedback on Current Federal Consumer Financial Data Privacy Law and Potential Legislative Proposals

Today, House Committee on Financial Services Chairman French Hill (AR-02) and Subcommittee on Financial Institutions Chairman Andy Barr (KY-06) issued a request for feedback from the public on current federal consumer financial data privacy law and potential legislative proposals to account for changes in the consumer financial services sector.

Interested members of the public may send their comments and answers to the questions below by August 28, 2025, to fsc119@mail.house.gov.

Questions on Title V, Subtitle A of the Gramm-Leach-Bliley Act (GLBA)

1.    Should we amend the Gramm-Leach-Bliley Act (GLBA) or consider a broader approach?

2.    Should we consider a preemptive federal GLBA standard or maintain the current GLBA federal floor approach?

3.    If GLBA is made a preemptive federal standard, how should it address state laws that only provide for a data-level exemption from their general consumer data privacy laws?

4.    How should GLBA relate to other federal consumer data privacy laws, both a potential general data privacy law and current sector-specific laws?

a.    Should GLBA “financial institutions” be subject to entity-level or data-level exemptions from these laws?

5.    How should we define “non-public personal information” within the context of privacy regulations?  

a.    Does the term “personally identifiable financial information” in GLBA require modification?

6.    Do the definitions of “consumer” and “customer relationship” in GLBA require modification?

7.    Does the current definition of “financial institution” sufficiently cover entities that should be subject to GLBA Title V requirements, such as data aggregators? 

8.    Are there states that have developed effective privacy frameworks?  

a.    Which specific elements from these state-level frameworks could potentially be adapted for federal implementation? 

9.    Should we consider requiring consent to be obtained before collecting certain types of data, such as PIN numbers and IP addresses?

10. Should we consider mandating the deletion of data for accounts that have been inactive for over a year, provided the customer is notified and no response is received?

11. Should we consider requiring consumers be provided with a list of entities receiving their data? 

12. Should we consider changing the structure by which a financial institution is held liable if data it collects or holds is shared with a third party, and that third party is breached?

13. Should we consider changes to require or encourage financial institutions, third parties, and other holders of consumer financial data to minimize data collection to only collection that is needed to effectuate a consumer transaction and place limits on the time period for data retention?
