Full Committee Examines the Current U.S. Financial Data Privacy Framework
Washington, March 18, 2026
Yesterday, the House Financial Services Committee, led by Chairman French Hill (AR-02), explored potential changes to modernize Title V of the Gramm-Leach-Bliley Act (GLBA) to ensure consistent and effective financial data privacy protections for all Americans.

On Consumer Privacy Laws:

Chairman Hill said, “Most state consumer privacy laws exempt either GLBA compliant institutions or GLBA compliant data. And this is important because that's one of the great strengths of Gramm Leach is it extends all those authorities and protections out to anyone in that ecosystem connected to a compliant financial institution. But a lot of the states seem to be moving toward adopting a data level only sort of exemption. That doesn't sound in keeping with Gramm-Leach-(Bliley).”

Rep. Marlin Stutzman (IN-03) said, “As we know, GLBA sets a Federal floor. States can then enact additional data privacy laws should they choose to do so. The result is a patchwork framework in which businesses in different states can face different financial data privacy standards. For example, in Indiana, if a business is classified as a financial institution under GLBA, like a bank or credit union, it is typically exempt from the state's data privacy law. However, in California, those same GLBA compliant businesses are held to the additional heightened standards of California's financial privacy laws.”

Rep. Mike Haridopolos (FL-08) said, “As a nation, we value our federalism, and we try to let states regulate when appropriate. Yet, the founders recognize the supremacy of the Congress in matters of interstate commerce. Sometimes we need a predictable standard to avoid impairing commerce among the states.”

On the Need to Update GLBA:

Subcommittee on Financial Institutions Chairman Andy Barr (KY-06) said, “Because of GLBA’s current framework, and because it functions as a Federal floor above which states can enact stricter laws and regulations, it has created a nationwide patchwork of standards. This, as you testified, increases compliance costs and creates barriers to entry into certain states for new firms. Those increased compliance costs and competition killing barriers to entry result in consumers paying higher prices and having less choice.”

Task Force on Monetary Policy, Treasury Market Resilience, and Economic Prosperity Chairman Frank Lucas asked witnesses about what GLBA provisions need to be updated, to which Ms. Clara Kim, Senior Vice President, Bank Policy Institute responded: “We believe that GLBA is a simple but effective framework for privacy and information security. So, any changes that we would recommend include things, as I mentioned in my testimony, a strong fully preemptive GLBA to ensure predictable standards across the board. Secondly, we definitely advocate for maintaining its technology neutrality and principles based standards because we believe that is what has made it so relevant today.”

Subcommittee on Capital Markets Chairman Ann Wagner (MO-02) said, “At the time of its enactment, Gramm-Leach-Bliley was an important step towards modernizing the rules that govern our financial services industry and providing guidance on how customers’ data was to be handled. However, it has now been more than 25 years since its passage, and while the basic framework has held strong, we've seen countless changes take place in the financial services sector and obviously the time is ripe for Congress to make much needed updates.”

Witnesses Echoed the Work of the Committee:

Mr. Nathan Taylor, Partner, Morrison Foerster said, “That said, in recognition of the evolution of privacy law since 1999, I do think certain updates to the GLBA would be appropriate. First, I believe that it would be reasonable to provide a consumer with the right to request a copy of (or “access” to) “nonpublic personal information” relating to the individual that is maintained at a financial institution. Nonetheless, I believe that it is critical that the right be limited by exceptions for certain information that would be inappropriate to share with a consumer or that could create security or other risks to financial institutions.”

Ms. Kim said, “Any entity that handles sensitive personal and financial data about consumers, including fintechs, data aggregators and crypto, should have to meet the same rigorous standards and duties as banks to protect that information. Banks operate under stringent information security requirements set by federal regulators, who routinely examine how banks collect, use and retain data and enforce robust safeguards. By contrast, many nonbank providers holding comparable data are not subject to equivalent security standards or ongoing supervision, leaving critical gaps in protection.”

Mr. Steve Boms, Executive Director, Financial Data and Technology Association said, “As the committee considers legislation to modernize financial data privacy, I strongly urge you to carefully consider the interrelationship between data privacy and the ability of a consumer or small business to elect to share elements of their financial data with third-party financial tools as an important consideration of any new federal privacy legislation.”

Mr. Jordan Crenshaw, Senior Vice President, Technology Engagement Center, U.S. Chamber of Commerce said, “The U.S. Chamber of Commerce urges Congress to modernize GLBA in a manner that provides regulatory certainty and to adopt broader comprehensive privacy legislation. Both efforts should: include a strong federal preemption to eliminate the patchwork for state laws and provide a uniform standard for businesses and consumers; vest enforcement authority with appropriate Federal and state agencies while avoiding private rights of action that lead to abusive litigation and inconsistent enforcement; and strike a balance on data minimization to protect privacy while enabling the beneficial uses of data that drive innovation and address societal challenges.”