Bill Proposed to Congress to Expand Privacy Obligations of Financial Institutions | Wilmer Hale
On June 23, 2022, Congressman Patrick McHenry (NC-10) released a Discussion Draft (“Discussion Draft”) of new legislation to amend the Gramm-Leach-Bliley Act (GLBA) in order to “modernize the GLBA to better align with our evolving technology landscape.” The Discussion Draft was released days after the House Subcommittee on Consumer Protection and Commerce heard testimony from consumer advocates and industry representatives on the recently proposed bipartisan American Data Privacy and Protection Act (ADPPA).
The Discussion Draft expands the definition of “financial institution” to include data aggregators, and expands the definition of “non-public personal information” (NPI) to include information reasonably associated with an individual (such as inferences). It would also extend the general obligation to provide a GLBA notice to situations where a financial institution “collects” NPI (rather than applying only where NPI is shared with third parties). The Discussion Draft further eliminates the distinction between “consumers” and “customers” under the GLBA; if enacted, the law would protect consumers and customers alike.
While not identical to the ADPPA or to the comprehensive privacy laws passed at the state level, this bill would significantly expand the privacy obligations of financial institutions and would bring more entities under GLBA regulation. Financial institutions subject to the GLBA have so far avoided new privacy obligations for their core business offerings because the comprehensive state laws have generally exempted data processed under the GLBA. (Such an exemption would also exist under the ADPPA.) This proposal shows that Congress is paying attention to that gap.
Along with the discussion draft, Congressman McHenry also circulated a one-page summary and a section-by-section summary.
Below is a selection of highlights from the Discussion Draft:
- Data Collection Obligations. The GLBA establishes obligations regarding the disclosure of non-public personal information (“NPI”) by financial institutions. The Discussion Draft requires financial institutions to also notify consumers when their NPI is collected, not only when it is disclosed to third parties.
- Updated Definition of Financial Institution. Under the GLBA, a financial institution is “any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956.” GLBA §509(3)(A). The Discussion Draft expands the definition to also include data aggregators. A data aggregator is “anyone who operates a commercial enterprise for the purpose of accessing, aggregating, collecting, selling or sharing non-public personal information about the financial accounts or transactions of consumers under the direction of a consumer.” Notably, this update carves out service providers acting on the instruction of the financial institution, such as marketers offering the financial institution’s products.
- Broadened Definition of Covered Non-Public Personal Information. The Discussion Draft expands personally identifiable financial information to also include “information that identifies, relates to, describes, is reasonably likely to be associated with, or could reasonably be linked, directly or indirectly, to a particular consumer,” thereby expanding NPI to also include inferences.
- Third Party Notification. The Discussion Draft requires that, when a financial institution is required to terminate collection of a consumer’s NPI, it notify its unaffiliated third parties that sharing has been terminated. Those third parties must in turn stop sharing the consumer’s NPI.
- Consumers versus Customers. GLBA Title V distinguishes between customers and consumers. A consumer is an individual who obtains or has obtained a financial product or service from a financial institution. “Customers” are a subcategory of consumers: those with an ongoing relationship with the financial institution. For example, a person using the ATM of a bank where that person holds no account is a consumer; isolated transactions, regardless of their frequency, do not make the individual a customer of that bank. The Discussion Draft eliminates this distinction by removing the term “customer” entirely. For consumers who are not customers, a consumer relationship exists for as long as the financial institution collects, controls, possesses, transmits or maintains any NPI of the consumer.
- Transparency and Choice. The Discussion Draft requires disclosures whenever NPI is collected from consumers for purposes other than providing a specific product or service. In such circumstances, the disclosure must include a description of the information; the purpose for which it is collected; the ability to opt out of having the NPI collected or disclosed to an unaffiliated third party; how a consumer can exercise that opt-out; data retention policies; the right to terminate sharing of the NPI; the consumer’s right to request a list of all NPI collected; and the right to request deletion of that NPI.
- Regulatory Authority. The federal banking agencies, the National Credit Union Administration, the Securities and Exchange Commission, and the Federal Trade Commission retain regulatory and enforcement authority under Section 505, as applicable. Under the Discussion Draft, the Secretary of the Treasury would no longer be involved in developing GLBA rules, and agencies would no longer be required to consult with the National Association of Insurance Commissioners.
- Small Enterprises. With respect to small financial institutions, the Discussion Draft directs agencies to consider the compliance costs imposed on small institutions when issuing rules.
- Liability for Unauthorized Access. The Discussion Draft adds a new GLBA Section 505A on liability to consumers. Under the Discussion Draft, a financial institution would be fully liable to the consumer if NPI obtained from that financial institution is used to gain unauthorized access to the consumer’s account.
- Preemption. Unlike the GLBA, which permits states to enact protections beyond those of federal law, the Discussion Draft provides for preemption and a single national standard that would supersede state law.
We will continue to provide updates on major developments in federal privacy law and more.