US FS Committee Introduces Data Privacy Act of 2023

The Data Privacy Act of 2023 would amend the Gramm-Leach-Bliley Act, or GLBA, to modernize the financial data privacy laws and give consumers more control over the way their personal information is collected and used. The provisions in the Act would supersede preempt state privacy rules and establish provisions that would require companies to provide more disclosures to consumers and give individuals the ability to request that their records be deleted. The Act is expected to:

• modernize the Gramm-Leach-Bliley Act to better align with evolving technologies. The consumer protection contained in the Bill will apply seamlessly to future innovation and new technologies.
• putting control bank in the hands of the consumer by empowering consumers to understand how their data is collected and used by a service provider when they agree to the provider’s privacy policy. It also ensures consumers have the right to terminate the collection of their data and/or request deletion of their data at any time.
• protect against the misuse or overuse of consumer nonpublic personal information. Under the Bill, entities are directed to disclose to consumers why they are collecting certain pieces of data and only use data for its stated purpose. Covered entities must provide consumers with an opportunity to opt out of the data collection if it is not necessary to provide the product or service offered by the entity. It also requires financial institutions to notify nonaffiliated third parties when a consumer or customer has terminated sharing of his or her data, and to require the nonaffiliated third party to also cease sharing of the individual’s data.
• empowers consumers by requiring privacy terms and conditions to be transparent and easily understandable. Consumer disclosures are critical to understanding what data is collected; the manner in which the
  data is collected; the purposes for which the data will be used; who has access to the data; how an entity is using the data; where the data will be shared; data retention policies of the entity; and the rights associated with that data for uses inconsistent with stated purpose. 
• provide consistency across the country with respect to understanding how downstream entities are collecting and using personal information. A national standard will reduce compliance burden and provide certainty to both consumers and entities that handle their financial data.

The Bill states that "this subtitle and the amendments made by this subtitle supersede any statute or rule of a State or political subdivision thereof that regulates the obligations of a financial institution with respect to the collection or disclosure of personal information; the disclosure of the financial institution’s privacy policy or information about the financial institution’s privacy policies and practices; and the access to, deletion of, or other individual privacy rights with respect to personal information; or the international sharing of personal information. However, the Bill is expected to face challenges in the House in the form of Democratic opposition." The Bill also directs that the Comptroller General of the United States shall, not later than one year after the date of the enactment of this Act, submit to the Congress a report that assesses the effectiveness of this Act.

Related Links

• Press Release on Data Privacy Act of 2023
• Text of Bill H. R. 1165