[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[H.R. 1165 Reported in House (RH)]
Union Calendar No. 673
118th CONGRESS
2d Session
H. R. 1165
[Report No. 118-822]
To amend the Gramm-Leach-Bliley Act to modernize the protection of the
nonpublic personal information of individuals with whom financial
institutions have customer or consumer relationship, and for other
purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
February 24, 2023
Mr. McHenry introduced the following bill; which was referred to the
Committee on Financial Services
December 5, 2024
Reported with an amendment, committed to the Committee of the Whole
House on the State of the Union, and ordered to be printed
[Strike out all after the enacting clause and insert the part printed
in italic]
[For text of introduced bill, see copy of bill as introduced on
February 24, 2023]
_______________________________________________________________________
A BILL
To amend the Gramm-Leach-Bliley Act to modernize the protection of the
nonpublic personal information of individuals with whom financial
institutions have customer or consumer relationship, and for other
purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Data Privacy Act
of 2023''.
(b) Table of Contents.--The table of contents for this Act is as
follows:
Sec. 1. Short title; table of contents.
Sec. 2. Protection of nonpublic personal information.
Sec. 3. Obligations with respect to the collection and disclosure of
nonpublic personal information.
Sec. 4. Disclosure of institution privacy policy.
Sec. 5. Rulemaking.
Sec. 6. Relation to State laws.
Sec. 7. Obligations with respect to access and deletion of nonpublic
personal information.
Sec. 8. Obligations with respect to the international sharing of
nonpublic personal information.
Sec. 9. Definitions.
Sec. 10. Repeal of expired provisions.
Sec. 11. GAO Report.
Sec. 12. Sense of Congress.
Sec. 13. Effective date.
SEC. 2. PROTECTION OF NONPUBLIC PERSONAL INFORMATION.
Section 501 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801) is
amended--
(1) in subsection (a)--
(A) by striking ``of its customers'' and inserting
``of individuals with whom such financial institution
has a customer or consumer relationship''; and
(B) by striking ``those customers' nonpublic
personal information'' and inserting ``those
individuals' nonpublic personal information''; and
(2) by adding at the end the following:
``(c) Use of Nonpublic Personal Information.--Unless otherwise
permitted under section 502(e), it shall be unlawful for a financial
institution to willfully use nonpublic personal information without the
consent of an individual with whom the financial institution has a
customer or consumer relationship.''.
SEC. 3. OBLIGATIONS WITH RESPECT TO THE COLLECTION AND DISCLOSURE OF
NONPUBLIC PERSONAL INFORMATION.
(a) In General.--Section 502 of the Gramm-Leach-Bliley Act (15
U.S.C. 6802) is amended--
(1) in the heading, by striking ``disclosures of'' and
inserting ``the collection and disclosure of nonpublic'';
(2) in subsection (a)--
(A) by inserting before ``disclose'' the following:
``collect nonpublic personal information from an
individual with whom such financial institution has a
customer or consumer relationship or''; and
(B) by striking ``has provided to the consumer''
and inserting ``has provided to such individual''; and
(3) in subsection (b), by amending paragraph (1) to read as
follows:
``(1) In general.--A financial institution may not collect
nonpublic personal information from an individual with whom
such financial institution has a customer or consumer
relationship or disclose nonpublic personal information to a
nonaffiliated third party unless the individual with whom such
financial institution has a consumer or customer relationship
is given the opportunity, before the time that such information
is initially collected or disclosed, to direct that such
information not be collected or disclosed to such third
party.'';
(4) in subsection (d)--
(A) by striking ``of a consumer'' and inserting
``of an individual with whom such financial institution
has a customer or consumer relationship''; and
(B) by striking ``telemarketing, direct mail
marketing, or other marketing through electronic mail
to the consumer'' and inserting ``marketing to the
individual with whom such financial institution has a
customer or consumer relationship, regardless of
medium'';
(5) in subsection (e)--
(A) in the heading, by striking ``General'';
(B) by striking ``Subsections (a) and (b) shall not
prohibit the disclosure of nonpublic personal
information'' and inserting ``The general collection
and disclosure procedures provided in subsections (a)
and (b) shall not prohibit or otherwise limit the
collection or disclosure of nonpublic personal
information'';
(C) by striking paragraphs (1) and (2) and
inserting the following:
``(1) if the collection or disclosure is--
``(A) necessary to effect, administer, or enforce a
transaction requested or authorized by the individual
with whom the financial institution has a customer or
consumer relationship;
``(B) in connection with servicing or processing a
financial product or service requested or authorized by
the individual with whom the financial institution has
a customer or consumer relationship;
``(C) with the consent or at the direction of the
individual with whom the financial institution has a
customer or consumer relationship, and the financial
institution obtains, from such individual, evidence of
such individual's authorization for such collection or
disclosure; or
``(D) in connection with--
``(i) maintaining or servicing the account,
with such financial institution or with another
entity as part of a private label or co-brand
credit card program or an extension of credit
on behalf of such entity, of an individual with
whom such financial institution or entity has a
customer or consumer relationship; or
``(ii) a proposed or actual securitization,
secondary market sale (including sales of
servicing rights), or similar transaction
related to an account or a transaction of the
individual with whom such entity or financial
institution has a customer or consumer
relationship; or
``(2) to a nonaffiliated third party to perform services
for, or functions on behalf of, the financial institution,
including marketing of the financial institution's own products
or services, or financial products or services offered pursuant
to joint agreements between two or more financial institutions
that comply with the requirements imposed by the regulations
prescribed under section 504, if the financial institution
fully discloses the providing of such information and enters
into a contractual agreement with the third party that requires
the third party to maintain the confidentiality of such
information;'';
(D) in paragraph (3)--
(i) in subparagraph (A)--
(I) by striking ``or security'' and
inserting ``, security, or integrity'';
(II) by striking ``pertaining to
the consumer'' and inserting
``pertaining to the individual with
whom the financial institution has a
customer or consumer relationship'';
(III) by inserting before the
semicolon the following: ``, as well as
the systems, processes, and services
that handle such records'';
(ii) in subparagraph (B), by inserting
after ``fraud,'' the following: ``identity
theft,'';
(iii) in subparagraph (C), by striking
``for resolving customer disputes or
inquiries'' and inserting ``for resolving
disputes or inquiries relating to individuals
with whom the financial institution has a
customer or consumer relationship'';
(iv) in subparagraph (D), by striking
``relating to the consumer'' and inserting
``relating to the individual with whom the
financial institution has a customer or
consumer relationship''; and
(v) in subparagraph (E), by striking
``behalf of the consumer'' and inserting
``behalf of the individual with whom the
financial institution has a customer or
consumer relationship''; and
(E) in paragraph (7)--
(i) by striking ``or exchange'' and
inserting ``exchange, or similar transaction'';
(ii) by striking ``consumers of such
business or unit'' and inserting ``individuals
with whom such business or unit have a customer
or consumer relationship''; and
(iii) by inserting ``collection or'' before
``disclosure'';
(6) by adding at the end the following:
``(f) Notification to Nonaffiliates When Sharing Is Terminated.--
``(1) In general.--If a financial institution is required
to terminate sharing nonpublic personal information, of an
individual with whom such financial institution has a customer
or consumer relationship, with a nonaffiliated third party--
``(A) the financial institution shall notify the
nonaffiliated third party that the sharing has been
terminated and that such nonaffiliated third party may
not share any nonpublic information of the individual
already received from the financial institution; and
``(B) upon receipt of a notice described under
subparagraph (A), the nonaffiliated third party may not
share any nonpublic information of such individual
already received from the financial institution.
``(2) Rulemaking.--The agencies referred to in section 504
shall issue rules to establish the requirements for notices
under paragraph (1), including the form of such notices, taking
into account any privacy risks posed by such notices.
``(g) Requirements With Respect to the Collection of Account
Credentials.--A financial institution may not collect from an
individual with whom such financial institution has a customer or
consumer relationship account credentials such individual uses to
access an account at a nonaffiliated third party that is a financial
institution unless, prior to collecting the account credentials--
``(1) the financial institution clearly and conspicuously
discloses to the individual, in a form permitted by the
regulations prescribed under section 504--
``(A) that the financial institution is collecting
such account credentials;
``(B) how such credentials will be used by the
financial institution; and
``(C) whether such credentials may be disclosed to
a nonaffiliated third party; and
``(2) such individual is given an opportunity to direct
that such credentials not be collected or to direct that such
credentials not be disclosed to any nonaffiliated third
party.''.
(b) Conforming Amendment.--Section 509(3)(D) of the Gramm-Leach-
Bliley Act (15 U.S.C. 6809(3)(D)) is amended by striking ``section
502(e)(1)(C)'' and inserting ``section 502(e)(1)(D)(ii)''.
SEC. 4. DISCLOSURE OF INSTITUTION PRIVACY POLICY.
Section 503 of the Gramm-Leach-Bliley Act (15 U.S.C. 6803) is
amended--
(1) in subsection (a)--
(A) by striking ``customer relationship with a
consumer'' and inserting ``customer or consumer
relationship'';
(B) by striking ``clear and conspicuous disclosure
to such consumer'' and inserting ``clear and
conspicuous disclosure to such individual with whom
such financial institution has a customer or consumer
relationship'';
(C) by redesignating paragraphs (1), (2), and (3)
as paragraphs (2), (3), and (4), respectively;
(D) by inserting before paragraph (2), as so
redesignated, the following:
``(1) collecting nonpublic personal information;'';
(E) in paragraph (3), as so redesignated, by
striking ``have ceased to be customers of'' and
inserting ``have ceased to have a customer or consumer
relationship with''; and
(F) in paragraph (4), as so redesignated, by
striking ``personal information of consumers'' and
inserting ``personal information of individuals with
whom such financial institution has a customer or
consumer relationship'';
(2) by redesignating subsections (b) through (f) as
subsections (c) through (g), respectively;
(3) by inserting after subsection (a) the following:
``(b) Disclosure Upon Request.--Upon the request of an individual
with whom a financial institution has a customer or consumer
relationship, a financial institution shall provide such individual
with a copy of the disclosures required by subsection (a) in writing or
in electronic or other form as permitted by the regulations prescribed
under section 504.''; and
(4) in subsection (d), as so redesignated--
(A) in paragraph (1)--
(i) by inserting ``collecting or'' before
``disclosing nonpublic''; and
(ii) by striking subparagraph (B) and
inserting the following:
``(B) the purpose for which the financial
institution collects the nonpublic personal information
of individuals with whom the financial institution has
a customer or consumer relationship, as well as how the
information will be used;'';
(B) in paragraph (2), by inserting before the
semicolon the following: ``, provided in a manner that
provides individuals with whom the financial
institution has a customer or consumer relationship a
meaningful understanding of the information that is
collected'';
(C) in paragraph (3), by striking ``and'' at the
end;
(D) in paragraph (4), by striking the period at the
end and inserting a semicolon; and
(E) by adding at the end the following:
``(5) if the financial institution collects nonpublic
personal information for any purpose other than to provide a
specific product or service such an individual is seeking--
``(A) a description of such information;
``(B) the purpose for which such information is
collected; and
``(C) the right of such individual to opt out of
having such nonpublic personal information collected or
disclosed to a nonaffiliated third party, and the
manner in which such individual may make such opt out
election;
``(6) the data retention policies of the financial
institution, including--
``(A) the period of time for which the financial
institution retains the nonpublic personal information
relating to such individual; or
``(B) the criteria used by the financial
institution to determine the period of time for which
such information is retained;
``(7) the right of such individual to direct the financial
institution to terminate the sharing of nonpublic personal
information with a nonaffiliated third party, and the manner in
which such individual may make such direction;
``(8) the right of such individual to request that the
financial institution provide the individual with a list of all
nonpublic personal information relating to the individual held
by the financial institution, and the manner in which the
individual may make such request; and
``(9) the right of such individual to direct the financial
institution to delete nonpublic personal information of the
individual held by the financial institution (subject to the
exceptions provided under section 502A(b)(3)), and the manner
in which the individual may make such direction.'';
(5) in subsection (f), as so redesignated--
(A) in paragraph (2)(A), by striking ``to
consumers'' and inserting ``to individuals with whom a
financial institution has a customer or consumer
relationship''; and
(B) in paragraph (2)(C), by striking ``enable
consumers'' and inserting ``enable individuals with
whom a financial institution has a customer or consumer
relationship''; and
(6) in subsection (g), as so redesignated, by striking
``sent to consumers'' and inserting ``sent to individuals with
whom a financial institution has a customer or consumer
relationship''.
SEC. 5. RULEMAKING.
Section 504 of the Gramm-Leach-Bliley Act (15 U.S.C. 6804) is
amended--
(1) in subsection (a)(1)--
(A) by striking subparagraph (D) and inserting the
following:
``(D) Insurance.--
``(i) In general.--With respect to any
person engaged in providing insurance, the
applicable State insurance authority of the
State in which the person is domiciled shall
issue regulations as may be necessary to carry
out the purposes of this subtitle, subject to
section 505(c).
``(ii) Limitation.--Regulations issued by a
State insurance authority under this
subparagraph may be no more restrictive for a
person engaged in providing insurance than
those regulations issued by the agencies
coordinating for consistency and comparability
under paragraph (2).''; and
(2) by adding at the end the following:
``(c) Consideration of Compliance Costs.--When prescribing rules
under this subtitle, agencies shall take into account the compliance
cost such rules will impose on small institutions.''.
SEC. 6. RELATION TO STATE LAWS.
Section 507 of the Gramm-Leach-Bliley Act (15 U.S.C. 6807) is
amended to read as follows:
``SEC. 507. RELATION TO STATE LAWS.
``This subtitle and the amendments made by this subtitle supersede
any statute or rule of a State or political subdivision thereof that
regulates the obligations of a financial institution with respect to--
``(1) the collection or disclosure of personal information;
``(2) the disclosure of the financial institution's privacy
policy or information about the financial institution's privacy
policies and practices;
``(3) the access to, deletion of, or other individual
privacy rights with respect to personal information; or
``(4) the international sharing of personal information.''.
SEC. 7. OBLIGATIONS WITH RESPECT TO ACCESS AND DELETION OF NONPUBLIC
PERSONAL INFORMATION.
(a) In General.--Title V of the Gramm-Leach-Bliley Act (15 U.S.C.
6801 et seq.) is amended by inserting after section 502 the following:
``SEC. 502A. OBLIGATIONS WITH RESPECT TO ACCESS AND DELETION OF
NONPUBLIC PERSONAL INFORMATION.
``(a) Access to Information.--
``(1) In general.--Upon an authorized request from an
individual with whom a financial institution has a customer or
consumer relationship, a financial institution shall disclose--
``(A) any nonpublic personal information relating
to such individual held by the financial institution;
``(B) the list of categories of nonaffiliated third
parties with whom the financial institution shares
nonpublic personal information relating to such
individual; and
``(C) the list of categories of nonaffiliated third
parties from whom the financial institution has
received nonpublic personal information relating to
such individual.
``(2) Format.--Disclosures described under paragraph (1)
shall be in a structured, commonly used, and machine-readable
format.
``(3) Exception.--For purposes of subparagraphs (B) and (C)
of paragraph (1), a financial institution is not required to
disclose a nonaffiliated third party with whom the financial
institution shares or receives nonpublic personal information
relating to such individual pursuant to an exception described
under any of paragraphs (3) through (8) of section 502(e).
``(b) Deletion of Information.--
``(1) In general.--Upon an authorized request from an
individual with whom a financial institution has a customer or
consumer relationship, a financial institution shall delete any
nonpublic personal information relating to such individual held
by the financial institution.
``(2) Certain inactive accounts.--If such individual has
not used a product or service provided by a financial
institution for 1 year, the financial institution shall--
``(A) notify such individual that such individual
has the right to request the deletion of any nonpublic
personal information relating to such individual held
by the financial institution, and provide such
individual with clear instructions on how to make such
request; and
``(B) for each additional 1-year period with
respect to which such person continues to not use a
product or service of the financial institution, resend
the notice described under subparagraph (A).
``(3) Exception.--
``(A) In general.--This subsection shall not
require a financial institution to delete nonpublic
personal information if--
``(i) the financial institution is
otherwise required by law to retain the
nonpublic personal information;
``(ii) the nonpublic personal information
may be necessary to respond to a dispute under
the Fair Credit Reporting Act; or
``(iii) the nonpublic personal information
may be necessary to retain for a purpose
described in an exception under section 502(e).
``(B) Limitation on retained nonpublic personal
information.--With respect to nonpublic personal
information that a financial institution would be
required to delete under this subsection but for the
application of this paragraph, the financial
institution may only use such nonpublic personal
information for the applicable purpose described under
subparagraph (A).
``(c) Timing.--A financial institution that receives an authorized
request, under this section, from an individual with whom such
financial institution has a customer or consumer relationship, shall
respond within 45 business days.
``(d) Rulemaking.--Not later than the end of the 1-year period
beginning on the date of enactment of this section, each agency or
authority described in section 504 shall issue rules to carry out this
section with respect to the financial institutions subject to its
jurisdiction.''.
(b) Clerical Amendment.--The table of contents in section 1(b) of
the Gramm-Leach-Bliley Act is amended by inserting after the item
relating to section 502 the following:
``Sec. 502A. Obligations with respect to access and deletion of
nonpublic personal information.''.
SEC. 8. OBLIGATIONS WITH RESPECT TO THE INTERNATIONAL SHARING OF
NONPUBLIC PERSONAL INFORMATION.
(a) In General.--Title V of the Gramm-Leach-Bliley Act (15 U.S.C.
6801 et seq.), as amended by section 10, is further amended by
inserting after section 502A the following:
``SEC. 502B. OBLIGATIONS WITH RESPECT TO THE INTERNATIONAL SHARING OF
NONPUBLIC PERSONAL INFORMATION.
``(a) In General.--A financial institution may not share with a
foreign government nonpublic personal information relating to an
individual with whom such financial institution has a customer or
consumer relationship.
``(b) Law Enforcement Exception.--Subsection (a) shall not apply to
the sharing of the nonpublic personal information relating to such an
individual with a foreign government authority if such sharing is--
``(1) done for legitimate law enforcement purposes; or
``(2) to a foreign government authority having jurisdiction
over the financial institution for examination, compliance, or
other purposes as authorized by law.''.
(b) Clerical Amendment.--The table of contents in section 1(b) of
the Gramm-Leach-Bliley Act, as amended by section 10, is further
amended by inserting after the item relating to section 502A the
following:
``Sec. 502B. Obligations with respect to the international sharing of
nonpublic personal information''.
SEC. 9. DEFINITIONS.
Section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809) is
amended--
(1) in paragraph (3)(A), by inserting before the period at
the end the following: ``and includes a data aggregator'';
(2) in paragraph (4), by striking ``personally identifiable
financial information'' and inserting ``information that
identifies, relates to, describes, is reasonably capable of
being associated with, or could reasonably be linked, directly
or indirectly, with a particular individual and is'';
(3) in paragraph (7), by inserting ``collection or'' before
``disclosure'' each place such term appears;
(4) by striking paragraph (9);
(5) by amending paragraph (11) to read as follows:
``(11) Customer or consumer relationship.--
``(A) In general.--The term `customer or consumer
relationship' means a customer relationship or a
consumer relationship.
``(B) Customer relationship.--The term `customer
relationship' shall have the meaning given the term in
rules issued pursuant to section 504.
``(C) Consumer relationship.--The term `consumer
relationship' shall have the meaning given the term in
rules issued pursuant to section 504 and such meaning
shall--
``(i) include situations in which a
financial institution obtains nonpublic
information from an individual with whom the
financial institution does not have a customer
relationship; and
``(ii) deem a financial institution to no
longer be in a consumer relationship with an
individual at such time as the financial
institution no longer collects, controls,
possesses, transmits, or maintains any
nonpublic personal information of such
individual.
``(D) Treatment of certain transactions.--When the
terms `customer relationship' and `consumer
relationship' are defined by rule, it shall be
specified that the following transactions do not, by
themselves, establish a customer relationship or a
consumer relationship:
``(i) The use of an automated teller
machine.
``(ii) The use of a credit card or debit
card to make a purchase.
``(iii) Such other similar transactions as
the agencies determine appropriate.''; and
(6) by adding at the end the following:
``(12) Account credentials.--The term `account credentials'
means nonpublic personal information that an individual with
whom a financial institution has a customer or consumer
relationship uses to access an account of the individual at
such financial institution, including a username, password, or
an answer to a security question.
``(13) Data aggregator.--The term `data aggregator'--
``(A) means any person that operates a commercial
business or enterprise for the business purpose of
accessing, aggregating, collecting, selling, or sharing
nonpublic personal information about financial accounts
or transactions relating to an individual; and
``(B) does not include--
``(i) a service provider acting at the
express instruction of a financial institution
that accesses, aggregates, collects, or shares
nonpublic personal information about an
individual with whom such financial institution
has a customer or consumer relationship in
accordance with paragraphs (1), (2), (3)(A),
(3)(B), (3)(C), (3)(D), or (6) of section
502(e); or
``(ii) an attorney or accountant acting on
behalf of an individual with whom such attorney
or accountant has a customer or consumer
relationship, in accordance with section
502(e)(3)(E).
``(14) Person engaged in providing insurance.--The term
`person engaged in providing insurance' means a person that
engages in the business of insurance, as that term is defined
in section 1002 of the Dodd-Frank Wall Street Reform and
Consumer Protection Act (12 U.S.C. 5481).''.
SEC. 10. REPEAL OF EXPIRED PROVISIONS.
The Gramm-Leach-Bliley Act is amended--
(1) by striking section 508 (15 U.S.C. 6808); and
(2) in the table of contents in section 1(b), by striking
the item relating to section 508.
SEC. 11. GAO REPORT.
(a) In General.--The Comptroller General of the United States
shall, not later than 1 year after the date of the enactment of this
Act, submit to the Congress a report that assesses--
(1) whether the safeguard standards promulgated pursuant to
section 501 of the Gramm-Leach-Bliley Act, including protecting
against unauthorized disclosure, are effective in protecting
individuals with whom financial institutions have a customer or
consumer relationship; and
(2) whether the enforcement regime with respect to those
standards is effective in protecting customers and consumers,
and whether additional remedies are necessary.
(b) Definitions.--In this section, the terms ``customer or consumer
relationship'' and ``financial institution'' have the meaning given
those terms, respectively, under section 509 of the Gramm-Leach-Bliley
Act (15 U.S.C. 6809), as amended by section 9.
SEC. 12. SENSE OF CONGRESS.
It is the sense of the Congress that the Federal agencies
implementing the Gramm-Leach-Bliley Act should implement such Act, to
the extent possible, in a technology-agnostic manner so as to ensure it
can adapt to different business models and technologies.
SEC. 13. EFFECTIVE DATE.
The amendments made by this Act shall take effect on the date that
is the earlier of--
(1) the date that is one year after the date on which all
rulemaking required under this Act is complete; or
(2) the date that is 2 years after the date of the
enactment of this Act.