The House Financial Services Committee is seeking public feedback on current federal consumer financial data privacy law and potential legislative proposals to account for changes in the financial services sector, according to a notice posted yesterday.
The Gramm-Leach-Bliley Act (GLBA) established standards for the collection of data by banks and other institutions. Among other things, the committee is asking whether lawmakers should amend the GLBA “or consider a broader approach?”
Other questions the committee is seeking comments on:
- Should lawmakers consider a preemptive federal GLBA standard or maintain the current GLBA federal floor approach?
- If GLBA is made a preemptive federal standard, how should it address state laws that only provide for a data-level exemption from their general consumer data privacy laws?
- How should GLBA relate to other federal consumer data privacy laws, both a potential general data privacy law and current sector-specific laws? Should GLBA “financial institutions” be subject to entity-level or data-level exemptions from these laws?
- How should lawmakers define “non-public personal information” within the context of privacy regulations? Does the term “personally identifiable financial information” in GLBA require modification?
- Do the definitions of “consumer” and “customer relationship” in GLBA require modification?
- Does the current definition of “financial institution” sufficiently cover entities that should be subject to GLBA Title V requirements, such as data aggregators?
- Are there states that have developed effective privacy frameworks? Which specific elements from these state-level frameworks could potentially be adapted for federal implementation?
- Should lawmakers consider requiring consent to be obtained before collecting certain types of data, such as PIN Numbers and IP addresses?
- Should lawmakers consider mandating the deletion of data for accounts that have been inactive for over a year, provided the customer is notified and no response is received?
- Should lawmakers consider requiring consumers be provided with a list of entities receiving their data?
- Should lawmakers consider changing the structure by which a financial institution is held liable if data it collects or holds is shared with a third-party, and that third-party is breached?
- Should lawmakers consider changes to require or encourage financial institutions, third parties and other holders of consumer financial data to minimize data collection to only collection that is needed to effectuate a consumer transaction and place limits on the time-period for data retention?
Comments and answers to the questions should be emailed to [email protected] by Aug. 28.
