NASCUS Summary on the House Financial Services Committee Request for Feedback on Current Federal Consumer Financial Data Privacy Law and Potential Legislative Proposals
July 31, 2025
The House Committee on Financial Services issued a request for feedback from the public on current federal consumer financial data privacy law and potential legislative proposals to account for changes in the consumer financial services sector.
Comments and answers to the questions below must be received by August 29, 2025.
- Comments should be emailed to [email protected].
- The request for feedback can be found here.
Questions Posed
The committee is requesting feedback to the following questions as well as any additional comments members of the public wish to share.
- Should we amend the Gramm-Leach-Bliley Act (GLBA) or consider a broader approach?
- Should we consider a preemptive federal GLBA standard or maintain the current GLBA federal floor approach?
- If GLBA is made a preemptive federal standard, how should it address state laws that only provide for a data-level exemption from their general consumer data privacy laws?
- How should GLBA relate to other federal consumer data privacy laws, both a potential general data privacy law and current sector-specific laws?
- Should GLBA “financial institutions” be subject to entity-level or data-level exemptions from these laws?
- How should we define “non-public personal information” within the context of privacy regulations?
- Does the term “personally identifiable financial information” in GLBA require modification?
- Do the definitions of “consumer” and “customer relationship” in GLBA require modification?
- Does the current definition of “financial institution” sufficiently cover entities that should be subject to GLBA Title V requirements, such as data aggregators?
- Are there states that have developed effective privacy frameworks?
- Which specific elements from these state-level frameworks could potentially be adapted for federal implementation?
- Should we consider requiring consent to be obtained before collecting certain types of data, such as PIN numbers and IP addresses?
- Should we consider mandating the deletion of data for accounts that have been inactive for over a year, provided the customer is notified and no response is received?
- Should we consider requiring customers be provided with a list of entities receiving their data?
- Should we consider changing the structure by which a financial institution is held liable if data it collects or holds is shared with a third party, and that third party is breached?
- Should we consider changes to require or encourage financial institutions, third parties, and other holders of consumer financial data to minimize data collection to only what is needed to effectuate a consumer transaction, and to place limits on the time period for data retention?