Quick take: New comprehensive federal privacy bills aim to supersede state privacy laws

On April 22, the U.S. House of Representatives Financial Services Committee and the Energy and Commerce Committee introduced two privacy bills that would preempt related state laws and present a major attempt to establish comprehensive consumer privacy rules in the United States. These include the Guidelines for Use, Access, and Responsible Disclosure of Financial Data Act (the GUARD Financial Data Act), and the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act (the Secure Data Act).

The GUARD Financial Data Act

The GUARD Financial Data Act aims to strengthen Title V of the Gramm‑Leach‑Bliley Act (GLBA) by updating financial institutions’ obligations for how they handle consumer financial data.

Key provisions:

  • Data minimization: The Act would introduce a statutory data minimization requirement that would require financial institutions to limit the collection and disclosure of nonpublic personal information (NPI) to what is “adequate, relevant, and reasonably necessary” for each stated purpose for which the NPI is collected or disclosed, subject to existing exceptions under GLBA.
  • Continuing consumer opt-out rights: The Act would codify consumers’ right to opt out of disclosures of NPI to nonaffiliates at any time by amending § 502(b)(1) of the Gramm-Leach-Bliley Act.
  • Data access and deletion rights: The Act would allow a former or current customer of a financial institution to request access to their NPI, and to receive a list of the categories of nonaffiliated third parties to whom NPI has been disclosed. Further, the Act would allow a former customer to request the deletion of NPI at an institution with whom they no longer have a relationship.
  • Additional information to be included in consumer privacy notices: The Act would require financial institutions to provide more detailed notices to consumers before disclosing a consumer’s NPI to a nonaffiliated third party. The additional information would include:

- The purposes for which NPI is collected and disclosed, and retention practices;

- The financial institution’s use of AI with respect to NPI;

- Whether NPI is processed or retained in, or disclosed to, China, Iran, North Korea, or Russia;

- An explanation of how consumers can exercise their continuing opt-out rights;

- An explanation of how consumers can access copies of the financial institution’s privacy disclosures; and

- An explanation of how a consumer can request the disclosure or deletion of their NPI.

  • Preemption of state law: The bill’s amendment to GLBA Title V would supersede and preempt state laws that establish consumer data privacy or security requirements for NPI or for financial institutions subject to GLBA.

The Secure Data Act

The Secure Data Act aims to establish a national privacy framework that would preempt related state laws. The bill includes consumer rights such as the right to know, access, correct, and delete personal data; the right to obtain a portable copy of personal data; and the right to opt out of data processing activities, such as targeted advertising and data sales.

The Act would apply to entities that conduct business in the United States, offer products or services to U.S. residents, or process or sell personal data of U.S. residents, and that meet certain thresholds of data processing volume. However, the Act would include exemptions for financial institutions subject to Title V of the Gramm‑Leach‑Bliley Act, HIPAA-covered entities and business associates, certain nonprofit organizations, and institutions of higher education.

Key provisions:

  • Data minimization: The Act seeks to impose data minimization requirements similar to those of state laws that limit data collection to what is adequate, relevant, and reasonably necessary to the disclosed purpose.
  • Data access and deletion rights: The Act would provide consumers with the right to access a copy of their personal data, unless the access would require the controller to reveal a trade secret. Similarly, the Act would provide consumers with the right to delete such data provided by or obtained about the consumer.
  • Teen data: The Act would establish a parental consent standard for personal data collected from teenagers.
  • Consent for processing of sensitive data: The Act seeks to require affirmative consent before processing sensitive data. Sensitive data is defined to include the following:

- Personal data that discloses racial or ethnic origin, religious belief, mental or physical health diagnoses, sexual orientation, or citizenship or immigration status;

- Genetic or biometric data that is processed for the purpose of uniquely identifying a specific individual;

- Personal data collected from a child or teen; and

- Precise geolocation data.

  • National Data Broker Registry: The Act would establish a national data broker registry with the FTC and require data brokers to register and publicly disclose their data practices. The bill defines a “data broker” as a controller that collects and processes personal data concerning a consumer who is neither:

- A customer or a client of the controller; nor

- A user, reader, or subscriber of a product or service provided by the controller;

and that derives 50 percent or more of its gross revenue from the sale of such personal data.

  • Regulatory enforcement powers: The Act would grant enforcement power to the FTC through its powers and duties under the FTC Act, and also to state attorneys general. Violations of the Act may be subject to penalties by the FTC. However, the bill does include an opportunity to cure no later than 180 days after the date on which the controller or processor receives written notice of the violation.

What’s next?

These bills are a joint effort by the House Financial Services Committee and the House Energy & Commerce Committee to provide consumers with more control over their personal data and to create a uniform national framework for privacy, which the United States has lacked thus far.

If you have questions about the latest legislative updates, how to keep your organization in compliance, or if you would like to discuss proactive measures to protect against cyber threats, please reach out to a member of our national data privacy and cybersecurity team.
