
In February 2023, the chairman of House Financial Services, Patrick McHenry (R-NC), introduced H.R. 1165, the Data Privacy Act of 2023. As noted in a press release, “this legislation modernizes financial data privacy laws and gives consumers more control over how their personal information is collected and used—without stifling innovation in the United States.”

On February 28, 2023, the Committee held a markup. For the markup, Chairman McHenry released an Amendment in the Nature of a Substitute. In connection with this markup, CDIA submitted a letter to the committee.

In June 2023, McHenry filed an amendment (no. 60) to the NDAA (H.R. 2670). His amendment would incorporate his Data Privacy Act of 2023. The amendment’s most serious problem is an opt-in for consumers where there is no “customer or consumer relationship.”

Resources:

  • One-page summary of the bill (Feb. 24, 2023)
  • Section-by-section summary (Feb. 24, 2023)
  • CBO score (June 13, 2023)

. . .

In early 2023, the committee released Key Pillars of the Data Privacy Act. The chairman’s office provided the following key pillars:

Modernizes the Gramm-Leach-Bliley Act (GLBA) Using a Technology-Agnostic Approach

  • The Data Privacy Act modernizes GLBA to better align with our evolving technological landscape. Advances in technology have innovated the financial system and the way in which consumers interact with financial institutions, including nonbank institutions. The consumer protections contained in the bill will apply seamlessly to future innovation and new technologies.

Puts Control Back in the Hands of the Consumer

  • The Data Privacy Act ensures consumers control how their personal information will be used beyond financial institutions. The bill empowers consumers to understand how their data is being collected and used by a service provider when they agree to the provider’s privacy policy. In addition, the bill ensures consumers have the right to terminate collection of their data, and/or request deletion of their data, at any time.

Data Minimization

  • The Data Privacy Act protects against the misuse or overuse of consumer nonpublic personal information. Under the bill, entities are directed to disclose to consumers why they are collecting certain pieces of data, and only use data for its stated purpose. Covered entities must provide consumers with an opportunity to opt out of the data collection if it is not necessary to provide the product or service offered by the entity.

Informed Choice and Transparency

  • The Data Privacy Act empowers consumers by requiring privacy terms and conditions to be transparent and easily understandable. Consumer disclosures are critical to understanding what data is collected; the manner in which the data is collected; the purposes for which the data will be used; who has access to the data; how an entity is using the data; where the data will be shared; data retention policies of the entity; and the rights associated with that data for uses inconsistent with stated purpose.

Preemption

  • The Data Privacy Act provides consistency across the country with respect to understanding how downstream entities are collecting and using personal information. A national standard will reduce compliance burden and provide certainty to both consumers and entities that handle their financial data.