No single law provides a framework for regulating data privacy and protection in the United States. Instead, several laws cover different industries, and numerous laws cover aspects of cybersecurity for the financial system. For the financial industry, the Gramm-Leach-Bliley Act of 1999 (GLBA; P.L. 106-102) is the most comprehensive of these laws, directing financial regulators and other agencies to implement disclosure requirements and requiring security measures to safeguard private information. This Insight provides a brief overview of the GLBA Title V provisions and summarizes recent legislative efforts to amend this framework.
GLBA applies to a broad range of financial institutions. A financial institution is defined in statute as any institution that engages in activities that are "financial in nature." (12 U.S.C. ยง1843(k)(4) enumerates types of companies that may be covered, including those lending, exchanging, or safeguarding money; insuring against loss; providing investment services; and underwriting, as well as other activities the Federal Reserve identifies.) GLBA provides a framework built on two pillars: (1) privacy standards that impose disclosure requirements and limit disclosure of certain consumers' information and (2) security standards that require institutions to implement certain practices to safeguard the information from unauthorized access, use, and disclosure. The two major rules for implementing this framework are known as the Privacy Rule (Regulation P) and the Safeguards Rule, respectively. Each rule is summarized in Table 1.
|
Privacy Rule |
Safeguards Rule |
|
|
Source: CRS analysis of relevant provisions of the Gramm-Leach-Bliley Act (P.L. 106-102).
These rules are promulgated by several government agencies, and the regulators generally have supervisory and enforcement authority over the entities in their jurisdiction. Authorities vary among the financial regulators for rulemaking, supervision, and enforcement for each rule, and the agencies responsible for Privacy and Safeguards rulemaking are sometimes not the same agencies responsible for implementing these rules for a particular entity. For example, rulemaking authority to implement the Privacy Rule through Regulation P is vested in four agencies. The Federal Trade Commission (FTC) has the rulemaking authority for the Safeguards Rule. Further, most of the financial regulators have some supervisory or enforcement authority to ensure that the institutions in their respective jurisdictions comply with the Privacy and Safeguards Rules.
GLBA was enacted more than 25 years ago. Although the language in the bill is technology neutral, financial services have evolved to rely much more on data, data processors, and technology in recent years. One example of this is how consumers interact with data aggregators and what kinds of data are used versus what are collected. Congress has debated whether and, if so, how to "modernize" GLBA by addressing the types of information and institutions that are covered by the framework, as well as by addressing the way consumers access and control their data. For example, in March 2026, the House Committee on Financial Services held a hearing on these issues.
In the 119th Congress, House Committee on Financial Services leadership announced a joint effort with the House Committee on Energy and Commerce to advance two data privacy bills that would endeavor to "create a uniform national framework" for data protection and privacy across the financial industry and the broader economy. H.R. 8398, currently titled the Guidelines for Use, Access, and Responsible Disclosure (GUARD) Financial Data Act is focused on financial markets. Generally, the bill would attempt to amend the existing GLBA framework by requiring financial institutions to minimize the amount of data they collect to what is "adequate, relevant, and reasonably necessary for the purpose of the product or service." Further, it would require data aggregators and third parties to provide notice and give consumers the right to opt out before entering their log-on credentials to access accounts at a financial institution.
In previous Congresses, a number of bills about aspects of data privacy received committee action. One example from the 118th Congress is H.R. 1165, which was reported out of committee. The bill would have provided controls for individuals to limit collection of their data and would have established nationwide standards for data privacy. Regarding personal information, the bill would have expanded protections for customers (people whose relationship with their financial institution is ongoing) so they would also apply to consumers (people whose relationship with a financial institution is more limited, such as those who apply but are not approved for loans). Another key feature of the bill was a requirement for financial institutions to notify individuals about the purpose of the institutions' data usage and establish an individual's right to have their data deleted. Finally, the bill would have prohibited states from enacting privacy protections different from federal privacy protections. Under current law, states are allowed to establish stricter privacy protections.