On February 24, 2023, Representative Patrick T. McHenry of North Carolina introduced a bill proposing the creation of the Data Privacy Act of 2023. The bill proposes to amend the Gramm-Leach-Bliley Act (“GLBA”) by making the following changes:
- Financial institutions would need to notify “consumers” (in addition to customers) that their nonpublic personal information (“NPI”) is being collected;
- The definition of GLBA-covered “financial institution” would be updated to include “data aggregators”;
- The definition of NPI would be broadened to align it with the definition of “personal information” under the California Consumer Privacy Act. In particular, NPI would include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer”;
- The privacy notice required by GLBA would be expanded to include additional required content;
- Consumers would have the right to request access to and delete their NPI;
- Financial institutions would be required to notify relevant third parties when a consumer opts out of data sharing with those parties, thus also requiring the third parties to terminate such sharing; and
- Financial institutions would be required to provide an opportunity to opt out of data collection (in addition to data sharing with non-affiliated third parties) if the collection is not necessary to provide the product or service offered by the entity. Financial institutions also would be required to specify in their privacy notice a description of any NPI collected for purposes that extend beyond providing the particular financial product or service.