House Leaders Seek Stakeholder Input on Federal Data Privacy Law: Spotlight on GLBA Reforms

Amid ongoing debates over national data protection standards, U.S. House officials have issued a Request for Information (RFI) to gather insights on potential federal data privacy legislation. Led by Rep. French Hill (R-Ark.), chair of the House Financial Services Committee, and Rep. Andy Barr (R-Ky.), chair of the Subcommittee on Financial Institutions, the RFI focuses on reviewing and possibly amending the Gramm-Leach-Bliley Act (GLBA)—a cornerstone law for financial data privacy. This comes at a time when the U.S. struggles to enact a comprehensive federal privacy law, leaving a patchwork of state regulations that often conflict and complicate compliance for businesses.

The GLBA, enacted in 1999, requires financial institutions—including banks, insurers, and debt collectors—to safeguard customers’ non-public personal information. Its Safeguards Rule, updated by the Federal Trade Commission (FTC) in 2021 and fully enforced by June 9, 2023, mandates robust security measures like risk assessments and employee training. However, as digital threats evolve and states like California (with CCPA/CPRA) and Virginia push their own frameworks, the RFI aims to explore how GLBA can align with broader data privacy needs or preempt inconsistent state laws.

Despite repeated attempts—such as the American Data Privacy and Protection Act (ADPPA) stalling in Congress—the U.S. lacks a unified federal privacy law like the EU’s GDPR. This void has led to sector-specific approaches like GLBA for finance, HIPAA for health, and COPPA for children, but no overarching framework. The RFI signals a potential path forward, seeking input on harmonizing GLBA with emerging standards, including data-level exemptions and definitions of sensitive information.

Purpose and Scope of the RFI

The RFI invites feedback from industry stakeholders, privacy advocates, and experts on GLBA standards, state privacy frameworks that complement federal rules, and data security enhancements. It particularly scrutinizes Title V, Subtitle A of the GLBA, which outlines privacy protections for financial data. Comments are due by August 28, 2025, and can be submitted via the House Financial Services Committee’s website. This initiative underscores the challenges in bridging federal and state divides, where preemption debates rage on—balancing national uniformity against states’ rights to innovate.

The Questions on Title V, Subtitle A of the GLBA Include:

  • Should we amend the GLBA or consider a broader approach?
  • Should we consider a preemptive federal GLBA standard or maintain the current GLBA federal floor approach?
  • If GLBA is made a preemptive federal standard, how should it address state laws that only provide for a data-level exemption from their general consumer data privacy laws?
  • How should GLBA relate to other federal consumer data privacy laws, both a potential general data privacy law and current sector-specific laws?
  • Should GLBA “financial institutions” be subject to entity-level or data-level exemptions from these laws?
  • How should we define “non-public personal information” within the context of privacy regulations?

Additional queries probe definitions like “personally identifiable financial information” and “financial institution,” as well as effective state privacy models that could inform federal updates.

Key Considerations for a National Data Privacy Framework

Tying into GLBA’s framework, experts highlight several steps for advancing a cohesive national strategy:

  1. Harmonize Definitions: Standardize terms like “non-public personal information” across laws to reduce compliance burdens, drawing from GLBA’s focus on financial data while expanding to general consumer info.
  2. Address Preemption: Decide on federal overrides for state laws, as GLBA’s “floor” approach allows stricter state rules but creates inconsistencies—exemplified by California’s exemptions for GLBA-covered data.
  3. Incorporate Sector-Specific Insights: Build on GLBA’s successes in safeguarding financial privacy, integrating lessons from HIPAA and FERPA to create a modular framework that adapts to industries.
  4. Enhance Enforcement: Bolster FTC oversight, similar to GLBA’s Safeguards Rule, with clearer penalties and resources to match GDPR’s rigor.
  5. Promote Innovation: Encourage privacy-by-design principles, ensuring any federal law doesn’t stifle tech growth while protecting against breaches like those prompting GLBA updates.
  6. Engage Stakeholders: As with this RFI, involve diverse voices to overcome partisan gridlock that has blocked bills like ADPPA, fostering bipartisan support for consumer rights.

The inability to pass a sweeping federal privacy law stems from ideological divides—conservatives wary of overregulation, liberals pushing for stronger consumer protections—and lobbying from tech giants favoring self-regulation. Yet, with rising data breaches and public demand, initiatives like this RFI could catalyze progress. For financial sectors under GLBA, it’s a chance to influence reforms that streamline operations while bolstering trust. Stakeholders should seize this opportunity to submit comments and shape the future of U.S. data privacy.
