On June 23, 2022, Congressman Patrick McHenry (NC-10) released
a discussion draft (“Discussion
Draft”) of new legislation set to amend the Gramm-Leach-Bliley Act (GLBA) with the
intent to “modernize GLBA to better align with our evolving
technological landscape.” The Discussion Draft was released a
few days after the House Subcommittee on Consumer Protection and
Commerce heard testimony from consumer advocates and industry
representatives on the recently proposed bipartisan American Data Privacy
and Protection Act (ADPPA).

The Discussion Draft includes a broadening of the definition of
“financial institutions” to include data aggregators
and of “nonpublic personal information” (NPI) to
include information reasonably associated with an individual (such
as inferences). It would also expand the general obligation to
provide a GLBA notice to situations where a financial institution
“collects” NPI (as opposed to only applying in
situations where NPI is shared with third parties). The Discussion
Draft further eliminates the distinction between
“consumers” and “customers” under the GLBA;
if passed, the law would protect both consumers and customers in
the same manner.

While not identical to ADPPA or the comprehensive privacy laws
that have been passed at the state level, this proposed bill would
significantly expand the privacy obligations of financial
institutions and would bring more entities under
regulation by the GLBA. Financial institutions subject to the
GLBA have previously avoided new privacy obligations for their core
business offerings because the comprehensive state laws have
generally exempted data processed pursuant to the GLBA. (Such an
exemption would also exist under ADPPA.) This proposal shows that
Congress is paying attention to this particular issue.

Along with the Discussion Draft, Congressman McHenry also
circulated a one-page summary and a section by section summary.

Below are selected highlights from the Discussion Draft:
- Obligations for the collection of data. The GLBA sets obligations regarding the disclosure of nonpublic personal information (“NPI”) by financial institutions. The Discussion Draft requires financial institutions to also disclose to consumers when their NPI is being collected, not just when it is being disclosed to third parties.
- Updates to the definition of a financial institution. Under the GLBA, a financial institution is defined as “any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956.” GLBA §509(3)(A). The Discussion Draft expands the definition of financial institutions to also include data aggregators. A data aggregator is “any person that operates a commercial business for the purpose of accessing, aggregating, collecting, selling or sharing nonpublic personal information about consumer financial accounts or transactions at the direction of a consumer.” Notably, this update provides for an exception for service providers acting at the instruction of the financial institution, such as marketeers offering the financial institution’s products.
- Broadening the definition of nonpublic information covered. The Discussion Draft broadens personally identifiable financial information to also include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer,” thereby expanding nonpublic personal information to also include inferences.
- Notification of third parties. The Discussion Draft requires that in the event that a financial institution is required to terminate the collection of NPI, such financial institution must notify its nonaffiliated third parties that sharing has been terminated. Such third parties must also terminate sharing of the consumer’s NPI.
- Consumers versus customers. Title V of the GLBA differentiates between customers and consumers. A consumer is an individual who receives or has received a financial product or service from a financial institution. “Customers” are a subcategory of consumers. Customers have a continuing relationship with a financial institution. For example, an individual using the ATM at a bank where such individual does not have an account is a consumer. The isolated transactions, no matter how frequent, will not make the individual that bank’s customer. The Discussion Draft eliminates this distinction by striking the use of “customer” altogether. For non-customer consumers, a consumer relationship exists as long as the financial institution is collecting, controlling, possessing, transmitting or maintaining any NPI of the consumer.
- Transparency and Choice. The Discussion Draft requires disclosures in the event that NPI is collected from consumers for a purpose other than to provide a specific product or service. Under such circumstances, the disclosure must include a description of such information; the purpose for which such information is collected; the opportunity to opt out of having such NPI collected or disclosed to a nonaffiliated third party; the manner in which a consumer may make such opt out election; the data retention policies; the right to terminate the sharing of the NPI; the right of the consumer to request a list of all the NPI collected; and the right to request deletion of such NPI.
- Regulatory Authority. The Federal banking agencies, the National Credit Union Administration, the Securities and Exchange Commission, and the Federal Trade Commission maintain rulemaking authority and enforcement under section 505 as necessary. Per the Discussion Draft, the Secretary of the Treasury will no longer be involved in rulemaking of the GLBA. Further, agencies are not required to consult as appropriate with the National Association of Insurance Commissioners.
- Small businesses. In consideration of small financial businesses, the Discussion Draft stipulates that agencies shall consider compliance costs imposed on smaller institutions when promulgating rules.
- Liability for Unauthorized Access. The Discussion Draft includes a new section 505A to the GLBA concerning liability to consumers. Under the Discussion Draft, a financial institution will be fully liable to the consumer in the event that the NPI attained from such financial institution is used to make unauthorized access to the consumer’s account.
- Preemption. In stark contrast to the GLBA that empowers states to expand protections over federal law, if appropriate, the Discussion Draft requires preemption and a national standard that is set to supersede any state law.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.