“To make improvements to title V of the Gramm-Leach-Bliley Act, and for other purposes.”
No CRS summary available for this bill.
This section establishes the short title of the Act as the “Guidelines for Use, Access, and Responsible Disclosure of Financial Data Act” (or the “GUARD Financial Data Act”) and sets forth the table of contents.
This section revises the heading of subtitle A of title V of the Gramm-Leach-Bliley Act from “Disclosure” to “Treatment”; revises the heading of section 502 from “DISCLOSURES OF” to “NONPUBLIC”; and makes conforming changes to the table of contents.
This section amends Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802), which limits financial institutions' disclosure of consumers' nonpublic personal information (NPI), as follows: (1) extends the scope of subsection (e) to cover collection or disclosure under subsections (a), (b), and new subsection (f); and (2) adds subsection (f) requiring financial institutions to limit collection or disclosure of NPI to what is adequate, relevant, and reasonably necessary for each purpose (i.e., data minimization), subject to exceptions such as disclosures required by law, to regulators, or to consumer reporting agencies. The amendments take effect two years after enactment.
This section modifies the Gramm-Leach-Bliley Act consumer privacy protections (i.e., requiring financial institutions to provide notice and an opt-out right before sharing nonpublic personal information with nonaffiliated third parties) by (1) allowing the opt-out opportunity to be exercisable at any time after initial disclosure (previously limited to the time of initial disclosure), and (2) requiring the opt-out explanation to remain accessible at any time thereafter (previously provided only before initial disclosure).
This section establishes limits under the Gramm-Leach-Bliley Act on financial data aggregators and nonaffiliated third parties using consumer access credentials (i.e., login information such as usernames and passwords) to access consumer accounts or nonpublic personal information at financial institutions. It requires such entities to provide clear and conspicuous disclosures—covering intended use, potential sharing with unaffiliated parties, privacy and security risks, and protective practices—along with an opt-out opportunity before initial credential collection. Financial institutions must honor compliant requests using such credentials and may not deny them. (All parties must also comply with Consumer Financial Protection Act §1033 consumer access requirements.) The section takes effect one year after enactment.
This section amends Section 503(c) of the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to provide consumers with annual privacy notices describing their nonpublic personal information practices, to require those notices to include the following additional information: (1) categories of purposes for which the institution collects and discloses such information to nonaffiliated third parties; (2) categories of retention practices for such information; (3) categories of practices regarding use of artificial intelligence in the collection, processing, and utilization of such information; (4) whether any such information of the consumer is processed in, retained in, or disclosed to a covered nation; (5) an explanation of how a consumer may opt out of disclosures to nonaffiliated third parties under GLBA Section 502(b); (6) an explanation of how a customer may request a copy of the privacy notice under GLBA Section 503(g); and (7) an explanation of how a customer or former customer may request disclosure or deletion of such information under new GLBA Section 503A. It further directs the GLBA agencies (in consultation with federal functional regulators) to update the model privacy form and provides a two-year safe harbor, beginning on the date of finalization, during which financial institutions using the model form in effect on enactment comply with GLBA disclosure requirements.
This section requires a financial institution, upon customer request, to provide a copy of the privacy notice required under Section 503(a) of the Gramm-Leach-Bliley Act (i.e., notice of the institution's information-sharing practices) in writing, electronic form, or other form permitted by regulations under Section 504.
This section amends Title V of the Gramm-Leach-Bliley Act (GLBA), which governs privacy protections for nonpublic personal information held by financial institutions, to establish requirements for financial institutions to disclose and delete such information upon customer or former customer requests, effective two years after enactment. Specifically, the section requires a financial institution, upon request from a customer or former customer, to (1) disclose the individual's nonpublic personal information (pursuant to Consumer Financial Protection Bureau rules under 12 U.S.C. 5533) and (2) provide a list of affiliates and nonaffiliated third parties to whom it disclosed such information (excluding certain exceptions under GLBA section 502(e)), unless prohibited by other law. For former customers, the section further requires deletion of nonpublic personal information upon request (subject to exceptions for required retention, consumer reporting agency activities under the Fair Credit Reporting Act, disputes, or other legal mandates); identity verification procedures; response within 45 days (extendable once by 45 days with notice); two free requests per year, after which the institution may charge a fee if the customer consents to it or decline the request; and an appeal process with response within 60 days.
This section establishes an opt-in requirement—overriding the Gramm-Leach-Bliley Act's general opt-out notice for nonpublic personal information—for financial institutions to collect or disclose sensitive nonpublic personal information to nonaffiliated third parties. It requires clear and conspicuous disclosure of the practice, affirmative consumer consent obtained prior to initial collection or disclosure, and an explanation of revocation rights; consumers may revoke consent at any time, and certain statutory exceptions to privacy protections remain applicable. The requirements take effect one year after enactment.
This section requires agencies authorized to prescribe financial privacy regulations under the Gramm-Leach-Bliley Act to consider the effects of such regulations on financial institutions with $15 billion or less in assets, including their resource, technical, and personnel limitations and compliance costs relative to size, complexity, activities, revenues, and noncompliance costs. It further directs those agencies to increase the asset threshold every five years beginning April 1, 2031, by the ratio of U.S. gross domestic product for the preceding calendar year to its value for the calendar year preceding April 1, 2026, if greater than 1.
This section revises the relation-to-state-laws provision of the Gramm-Leach-Bliley Act financial privacy subtitle (i.e., Subtitle A of Title V, 15 U.S.C. 6801 et seq., which limits financial institutions' collection, use, disclosure, and safeguarding of consumers' nonpublic personal information) to preempt any state statute, regulation, order, interpretation, or other law establishing consumer data privacy or security requirements applicable to such information or to financial institutions subject to the subtitle. It preserves state insurance authorities' authority to enforce the subtitle and adopt regulations to implement it, provided such regulations are consistent and comparable with federal regulations and not more restrictive.
This section amends the definitions in §509 of the Gramm-Leach-Bliley Act (GLBA), which supports Title V privacy protections limiting financial institutions' sharing of consumers' nonpublic personal information, as follows: (1) expands the definition of financial institution to include a financial data aggregator; (2) revises the definition of nonpublic personal information to explicitly encompass access credentials and, when used by a financial institution in financial activities under §4(k) of the Bank Holding Company Act of 1956, biometric data and precise geolocation data (i.e., location data identifying a consumer within a 1,750-foot radius); (3) revises the heading of paragraph (11) from “Customer” to “Time of establishing a customer”; and (4) adds definitions for 11 new terms, including access credentials (e.g., username, password), artificial intelligence (as defined in the National Artificial Intelligence Initiative Act of 2020), biometric data (e.g., fingerprint, voiceprint, excluding certain photographs, videos, or HIPAA-protected health data), consent (clear affirmative act), covered nation (as defined in 10 U.S.C. §4872(f)), customer (consumer with ongoing customer relationship), customer relationship (continuing provision of personal financial products or services), financial data aggregator (person primarily accessing, aggregating, or selling nonpublic personal information, with specified exclusions), former customer, precise geolocation data, and self-regulatory organization (e.g., under the Securities Exchange Act of 1934 or CFTC-registered entities).