A new discussion draft from Representative Bill Huizenga (R-MI) would significantly update Title V of the Gramm‑Leach‑Bliley Act (GLBA) to reflect how financial data is collected, shared, and monetized in today’s market. Released in connection with the March 17, 2026 House Financial Services Committee (Committee) hearing, “Updating America’s Financial Privacy Framework for the 21st Century,” the draft purports to give consumers greater control over their financial data, impose new limits on financial institutions and data aggregators, and create a more uniform national privacy regime for consumer financial information.
Background
GLBA Title V has long served as the federal baseline for financial privacy, focusing primarily on notice and opt‑out requirements for sharing nonpublic personal information. In the years since its enactment, however, state-level privacy laws and sectoral rules have proliferated, while new industry participants, such as financial data aggregators and fintech platforms, have emerged to facilitate broad data flows well beyond traditional banks. The Committee’s memorandum describes the current regime as a “patchwork” and frames the draft bill as an effort to modernize GLBA for a data‑driven financial services ecosystem, while promoting consumer protection, innovation, and competitive markets under a clearer and more uniform legal framework.
Key Points
Substantively, the draft shifts the focus of Title V from disclosure to overall “treatment” of consumer financial information. It would impose a statutory data‑minimization obligation, limiting collection, use, retention, and disclosure of nonpublic personal information to what is necessary for legitimate business, legal, or regulatory purposes. Consumers’ opt‑out rights would be strengthened by clarifying that they may direct a financial institution not to share nonpublic personal information with nonaffiliated third parties prior to initial disclosure as well as at any time thereafter. The draft also directly targets financial data aggregators and other nonaffiliated third parties that use consumer credentials to access accounts, requiring clear, upfront disclosures about how credentials will be used and shared, the associated privacy and security risks, and an opportunity for consumers to refuse such access.
The bill would significantly expand what must be included in GLBA privacy notices. Financial institutions would need to describe the purposes for which they collect, use, retain, and disclose nonpublic personal information; their data retention practices; and their use of artificial intelligence in collecting, processing, and utilizing such data. Notices would also have to explain how consumers may request copies of a financial institution’s privacy disclosures and access to or deletion of their nonpublic personal information. Regulators would be required to update the model form, but the bill would provide a temporary safe harbor for one year for financial institutions that continue to use the prior model form following such update. A new § 503A would codify consumer rights to obtain their nonpublic personal information and a list of categories of recipients, as well as to request deletion of data held by a financial institution after the customer relationship ends, subject to exceptions for legal, regulatory, and Fair Credit Reporting Act (FCRA) obligations. The draft would also broaden GLBA’s definitions to capture access credentials, biometric data, and geolocation data as nonpublic personal information, and it formally defines “financial data aggregator” as a covered entity, while carving out service providers, consumer reporting agencies acting subject to the FCRA, and certain professional advisors.
From a regulatory and federalism standpoint, the bill would require agencies to consider the resource and compliance constraints of financial institutions with $15 billion or less in assets when issuing Title V regulations. At the same time, it would substantially revise GLBA’s preemption provision, expressly superseding state statutes and regulations that establish privacy or security requirements for nonpublic personal information subject to Title V and clarifying that state consumer data privacy and security laws do not apply to financial institutions with respect to that data. While state insurance authorities would retain their ability to enforce GLBA duties and issue consistent, comparable regulations, the overall effect of the bill, if enacted, would be to centralize financial privacy and security standards for nonpublic personal information at the federal level.
Next Steps
The Huizenga discussion draft is at an early stage, but it is clearly intended as a starting point for a comprehensive refresh of the federal financial privacy framework. The March 17 hearing will give lawmakers an opportunity to probe industry, aggregator, and consumer advocates on key issues such as the scope of data minimization, the feasibility of access and deletion rights in a heavily regulated environment, and the consequences of broad federal preemption for existing state privacy laws.
