ARTICLE
18 May 2026

GLBA Modernization Legislation: Key Implications For Financial Institutions’ Data Practices

Ballard Spahr LLP

The House Financial Services Committee recently advanced legislation to modernize the Gramm-Leach-Bliley Act (GLBA), reflecting a continued shift toward more prescriptive data governance obligations for financial institutions. The proposal, titled the GUARD Financial Data Act, is paired with the SECURE Data Act and is intended to establish a national framework for consumer data privacy while updating GLBA’s longstanding notice-and-opt-out regime.

While the path forward for the legislation remains uncertain, the proposal provides a useful window into how policymakers are approaching financial data privacy, and where expectations for institutions’ data practices may be headed.

Below are several of the most consequential elements.

A Shift Toward Data Minimization and Purpose-Based Constraints

At the center of the bill is a new data minimization requirement that would limit financial institutions’ collection and disclosure of nonpublic personal information (NPI) to what is “adequate, relevant, and reasonably necessary” for a specified purpose.

This represents a notable evolution from the current GLBA framework, which is primarily disclosure-driven. In practice, this requirement would push institutions toward:

  • Defined, documented purposes for data use;
  • Enterprise data mapping and inventorying; and
  • Alignment of retention and sharing practices with those purposes.

The construct closely tracks “purpose limitation” concepts found in comprehensive state privacy laws and the GDPR, suggesting continued convergence between financial privacy regulation and broader data protection regimes.

Importantly, the bill retains GLBA’s existing exceptions and expressly permits disclosures required under Section 1033 of the Dodd-Frank Act and other established frameworks.

New Data Access and Deletion Rights

The legislation would introduce new consumer rights, including:

  • A right to access nonpublic personal information (NPI) held by a financial institution; and
  • A right for former customers to request deletion of their data.

The deletion right, while narrower than some state privacy laws given its focus on former customers and the breadth of GLBA exceptions, would nonetheless require institutions to operationalize:

  • Identity verification procedures;
  • Request intake and response workflows (generally within 45 days); and
  • Appeals processes for denied requests.

These requirements move GLBA closer to the rights-based model seen in state comprehensive privacy statutes, even if the scope is more tailored to the financial services context.

Expanded Transparency and Governance Expectations

The bill would significantly expand privacy notice requirements, requiring disclosures regarding:

  • Categories of purposes for data collection and disclosure;
  • Data retention practices;
  • Use of artificial intelligence; and
  • Whether data is processed in certain foreign jurisdictions.

These additions reinforce the expectation that privacy disclosures reflect underlying governance practices, increasing the need for coordination among legal, compliance, and data management functions.

Limits on Use of Consumer Access Credentials—With Important Caveats

The proposal addresses the use of consumer access credentials (e.g., usernames and passwords) by data aggregators and third parties.

It would require:

  • Clear disclosures regarding how credentials are used and shared;
  • Notice of associated risks; and
  • An opportunity for consumers to opt out of credential-based access.

However, the bill does not prohibit credential-based access. If a consumer receives the required disclosures and does not opt out, a financial institution may not deny the resulting data access request.

As a result, while the provision introduces greater transparency and consumer control, it could allow screen scraping practices to persist alongside API-based data sharing.

Interplay with Section 1033—and Tension with API-Based Data Access

The legislation explicitly incorporates Section 1033 of the Dodd-Frank Act, preserving disclosures required under that provision and requiring compliance with Section 1033 in connection with credential-based access.

This alignment signals that Congress intends GLBA modernization to operate alongside the emerging open banking framework. At the same time, the bill introduces a potential tension with how that framework is currently developing in practice.

In particular, Section 1033 rulemaking has been moving the market toward more secure, standardized, API-based data access – an approach broadly supported by banks, data aggregators, and fintechs as a replacement for credential-based “screen scraping.” APIs are generally viewed as more secure, auditable, and controllable, enabling institutions to limit data sharing to defined data elements.

By contrast, the GLBA modernization bill preserves the viability of credential-based access so long as disclosure and opt-out requirements are satisfied—and, critically, prohibits financial institutions from denying such access in those circumstances.
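The contrast the article draws between credential-based access and API-based access is easiest to see in code. The following is an added illustration, not part of this article and not code from any institution, aggregator or regulator. It models both pathways against one constructed account record: with shared credentials the aggregator logs in as the consumer and sees every element the consumer can see; with a scoped, signed consent grant the institution can limit the response to defined data elements, enforce expiry, and write an audit entry for every request, including denied ones. The record, credentials, signing key and grant format are all constructed for the example.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Assumption: an institution-side HMAC key used to sign consent grants (constructed).
SECRET = b"constructed-demo-signing-key"

# Constructed sample record: everything the consumer sees once logged in.
ACCOUNT_RECORD = {
    "customer_id": "C-1001",
    "balance": 2450.17,
    "transactions": [{"date": "2026-05-01", "amount": -42.10, "memo": "grocery"}],
    "ssn_last4": "1234",
    "security_questions": ["mother's maiden name"],
}

# Constructed login credentials; kept in plaintext only so the demo is self-contained.
CREDENTIALS = {"jane": "hunter2"}


def credential_based_access(username, password):
    """Screen-scraping pathway: the aggregator authenticates *as* the consumer.

    The institution cannot tell the aggregator from the consumer, so it cannot
    restrict which elements are returned: the whole record is exposed.
    """
    if CREDENTIALS.get(username) != password:
        raise PermissionError("bad credentials")
    return dict(ACCOUNT_RECORD)


@dataclass(frozen=True)
class ConsentGrant:
    """What the consumer authorised a named aggregator to receive, and until when."""
    aggregator: str
    customer_id: str
    allowed_elements: frozenset
    expires_at: float  # Unix timestamp


def issue_token(grant, secret=SECRET):
    """Serialise a grant and sign it so the institution can verify it later."""
    payload = json.dumps(
        {
            "aggregator": grant.aggregator,
            "customer_id": grant.customer_id,
            "allowed_elements": sorted(grant.allowed_elements),
            "expires_at": grant.expires_at,
        },
        sort_keys=True,
    )
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def api_access(token, requested_elements, audit_log, secret=SECRET, now=None):
    """API pathway: verify the grant, release only in-scope elements, log everything.

    Every call appends an audit entry (who, for whom, what was released, what was
    refused) before any data leaves, so denied requests are visible to review too.
    """
    payload, _, mac = token.rpartition(".")  # JSON payload contains '.', so split from the right
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise PermissionError("invalid or tampered token")
    grant = json.loads(payload)

    now = time.time() if now is None else now
    if now > grant["expires_at"]:
        raise PermissionError("consent grant expired")

    requested = set(requested_elements)
    denied = sorted(requested - set(grant["allowed_elements"]))
    released = sorted(requested) if not denied else []
    audit_log.append(
        {
            "ts": now,
            "aggregator": grant["aggregator"],
            "customer_id": grant["customer_id"],
            "released": released,
            "denied": denied,
        }
    )
    if denied:
        raise PermissionError(f"out of scope: {denied}")
    return {k: ACCOUNT_RECORD[k] for k in released}
```

Running the two pathways side by side shows the difference the article describes: `credential_based_access("jane", "hunter2")` returns the full record including `ssn_last4` and the security questions, whereas a grant limited to `balance` and `transactions` releases only those elements, refuses anything else with an audit trail, and stops working once it expires or is altered.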

This creates a structural inconsistency:

  • On one hand, Section 1033 implementation is pushing the ecosystem toward APIs as the preferred (and in some cases required) method of data access;
  • On the other hand, the proposed GLBA amendments would effectively entrench a pathway for continued credential-based access.

The result may be a hybrid environment in which:

  • API-based access expands, particularly where bilateral agreements and technical standards are in place; but
  • Credential-based access remains available as a fallback, potentially slowing full migration away from screen scraping.

For financial institutions, this dynamic could complicate data access strategies, vendor management, and risk controls, particularly where institutions are seeking to phase out credential-based access in favor of more secure alternatives.

Federal Preemption and Comparison to State Privacy Laws

A central feature of the bill is its establishment of a national standard for financial data privacy, coupled with preemption of state laws as applied to GLBA-covered financial institutions and data.

This approach would represent a significant shift from the current landscape, where financial institutions must navigate:

  • GLBA requirements;
  • Sector-specific rules (e.g., FCRA); and
  • A growing patchwork of state comprehensive privacy laws (such as those in California, Colorado, and others).

Unlike those state laws, which generally apply across sectors and include broader consumer rights, such as correction rights, broader deletion rights, and opt-outs of targeted advertising, the proposed framework is more tailored to financial services but would displace those state regimes with respect to GLBA-covered entities and data.

From an industry perspective, this could reduce compliance fragmentation. At the same time, it would replace a more flexible, disclosure-based federal regime with a more prescriptive framework that incorporates elements of those same state laws, including data minimization and expanded individual rights.

Broader Takeaways

Regardless of the ultimate legislative outcome, the proposal highlights several clear trends:

  • Movement toward substantive regulation of data practices. Data minimization and purpose-based use limitations are gaining traction.
  • Rising expectations for operational privacy infrastructure. Data mapping, retention controls, and consumer rights workflows are becoming core compliance capabilities.
  • Continued convergence across privacy regimes. The bill reflects increasing alignment between GLBA, 1033, state privacy laws, and global frameworks.

Taken together, these developments point toward a future in which financial institutions face more rigorous and granular expectations around the full data lifecycle, from collection through retention and deletion.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
