On June 23, 2022, a U.S. Representative on the House Financial Services Committee released a discussion draft of new legislation (“Draft”) to modernize financial data privacy laws and give consumers more control over how their personal information is collected and used. The legislation, if passed, would amend the Gramm-Leach-Bliley Act (“GLBA”) to better align it with the evolution of technology. In this update, we present the purpose and key pillars of the Draft.
Modernizes GLBA using a Technology-Agnostic Approach.
The consumer protection mechanisms contained in the Draft will be adaptable to future innovation and new technologies. Specifically:
- Requires notice of collection activities: the Draft will require financial institutions to notify consumers, and make sure they are aware, that their nonpublic personal information is being collected as well.
- Updates the definition of a financial institution: under the GLBA, a financial institution is defined as “any institution the business of which is engaging in financial activities as described in 4(k) of the Bank Holding Company Act of 1956”. The Draft updates that definition to include data aggregators. This amendment ensures that aggregators will be bound by the same rules as traditional financial institutions.
Consumer Control Over Personal Information.
The Draft recognizes the need for consumers to control how financial institutions and third parties use their personal information. The Draft ensures consumers have the right to opt out of data collection and to request deletion of their personal information at any time. Moreover, the Draft expands the definition of “personally identifiable financial information” to include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer.”
Minimizes Data Collection.
The Draft protects consumers against misuse or overuse of their nonpublic personal information. Specifically:
- Notify consumers of data collection: according to the Draft, financial institutions’ privacy policies must include the following information: the categories of personal information collected; the manner of collection; and the purpose for which the personal information is being collected.
- Empower consumers to opt out: according to the Draft, the privacy policy of a financial institution must allow consumers to opt out of the collection of their personal information.
- Provide consumers access to their personal information: under the Draft, upon an authorized consumer’s request, a financial institution shall disclose the following: (i) the personal information it holds; (ii) the third party with which it is sharing the consumer’s personal information; and (iii) a list of entities from which the financial institution has received the consumer’s nonpublic personal information.
Accessible and Transparent Policies.
According to the Draft, financial institutions’ privacy policies and terms and conditions shall be transparent and easy for consumers to understand. Moreover, consumer disclosures are critical to understanding the type of personal information being collected; how the personal information is collected; the purposes for which the personal information will be used; who has access to the personal information; how the personal information is being used; in which cases the personal information will be shared; retention policies; and consumers’ rights associated with their personal information.
If the Draft is approved, it will provide consistency across the U.S. regarding how financial institutions collect and use personal information. The Draft will create a national standard for data collection, which will provide certainty to both consumers and the financial entities that handle their financial data.
This document is intended to provide only a general background regarding this matter. This document should not be regarded as setting out binding legal advice, but rather as a practical overview that is based on our understanding. APM & Co. is not licensed to practice law outside of Israel.
For more information, we will be happy to assist.
APM Privacy and Cyber Team.