[Congressional Bills 107th Congress]
[From the U.S. Government Publishing Office]
[S. 30 Introduced in Senate (IS)]







107th CONGRESS
  1st Session
                                 S. 30

To strengthen control by consumers over the use and disclosure of their 
 personal financial and health information by financial institutions, 
                        and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                            January 22, 2001

 Mr. Sarbanes (for himself, Mr. Leahy, Mr. Dodd, Mr. Reed, Mr. Kerry, 
 Mr. Harkin, and Mr. Edwards) introduced the following bill; which was 
read twice and referred to the Committee on Banking, Housing, and Urban 
                                Affairs

_______________________________________________________________________

                                 A BILL


 
To strengthen control by consumers over the use and disclosure of their 
 personal financial and health information by financial institutions, 
                        and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE AND TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Financial 
Information Privacy Protection Act of 2001''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Opt-out requirement for disclosure to affiliates and 
                            nonaffiliated third parties.
Sec. 3. Restricting the transfer of information about personal spending 
                            habits.
Sec. 4. Restricting the use of health information in making credit and 
                            other financial decisions.
Sec. 5. Limits on redisclosure and reuse of information.
Sec. 6. Consumer rights to access and correct information.
Sec. 7. Improved enforcement authority.
Sec. 8. Enhanced disclosure of privacy policies.
Sec. 9. Limit on disclosure of account numbers.
Sec. 10. General exceptions.
Sec. 11. Definitions.
Sec. 12. Issuance of implementing regulations.
Sec. 13. FTC rulemaking authority under the Fair Credit Reporting Act.

SEC. 2. OPT-OUT REQUIREMENT FOR DISCLOSURE TO AFFILIATES AND 
              NONAFFILIATED THIRD PARTIES.

    Section 502(a) of the Gramm-Leach-Bliley Act (15 U.S.C. 6802(a)) is 
amended to read as follows:
    ``(a) Disclosure of Nonpublic Personal Information.--Except as 
otherwise provided in this subtitle, a financial institution may not 
disclose any nonpublic personal information to an affiliate or a 
nonaffiliated third party unless the financial institution--
            ``(1) has provided to the consumer a clear and conspicuous 
        notice, in writing or electronic form or other form permitted 
        by the regulations implementing this subtitle, of the 
        categories of information that may be disclosed to the--
                    ``(A) affiliate; or
                    ``(B) nonaffiliated third party;
            ``(2) has given the consumer an opportunity, before the 
        time that such information is initially disclosed, to direct 
        that such information not be disclosed to such--
                    ``(A) affiliate; or
                    ``(B) nonaffiliated third party; and
            ``(3) has given the consumer the ability to exercise the 
        nondisclosure option described in paragraph (2) through the 
        same method of communication by which the consumer received the 
        notice described in paragraph (1) or another method at least as 
        convenient to the consumer, and an explanation of how the 
        consumer can exercise such option.''.

SEC. 3. RESTRICTING THE TRANSFER OF INFORMATION ABOUT PERSONAL SPENDING 
              HABITS.

    Section 502(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6802(b)) is 
amended to read as follows:
    ``(b) Restriction on the Transfer of Information About Personal 
Spending Habits.--
            ``(1) In general.--Notwithstanding subsection (a), if a 
        financial institution provides a service to a consumer through 
        which the consumer makes or receives payments or transfers by 
        check, debit card, credit card, or other similar instrument, 
        the financial institution shall not transfer to an affiliate or 
        a nonaffiliated third party--
                    ``(A) an individualized list of that consumer's 
                transactions or an individualized description of that 
                consumer's interests, preferences, or other 
                characteristics; or
                    ``(B) any such list or description constructed in 
                response to an inquiry about a specific, named 
                individual;
        if the list or description is derived from information 
        collected in the course of providing that service.
            ``(2) Restriction on transfer of aggregate lists containing 
        certain health information.--Notwithstanding subsection (a), a 
        financial institution shall not transfer to an affiliate or a 
        nonaffiliated third party any aggregate list of consumers 
        containing or derived from individually identifiable health 
        information.
            ``(3) Exceptions.--
                    ``(A) In general.--The financial institution may 
                disclose the information described in paragraph (1) or 
                (2) to an affiliate or a nonaffiliated third party if 
                such financial institution--
                            ``(i) has clearly and conspicuously 
                        requested in writing or in electronic form or 
                        other form permitted by the regulations 
                        implementing this subtitle, that the consumer 
                        affirmatively consent to such disclosure; and
                            ``(ii) has obtained from the consumer such 
                        affirmative consent and such consent has not 
                        been withdrawn.
                    ``(B) Rule of construction.--This subsection shall 
                not be construed as preventing a financial institution 
                from transferring the information described in 
                paragraph (1) or (2) to an affiliate or a nonaffiliated 
                third party for the purposes described in paragraph 
                (1), (2), (3), (5), (7), (8), (9), or (10) of 
                subsection (f).
                    ``(C) Scope of application.--Paragraph (1) shall 
                not apply to the transfer of aggregate lists of 
                consumers.''.

SEC. 4. RESTRICTING THE USE OF HEALTH INFORMATION IN MAKING CREDIT AND 
              OTHER FINANCIAL DECISIONS.

    (a) Restriction on Use of Consumer Health Information.--Section 
502(c) of the Gramm-Leach-Bliley Act (15 U.S.C. 6802(c)) is amended to 
read as follows:
    ``(c) Use of Consumer Health Information Available From Affiliates 
and Nonaffiliated Third Parties.--In deciding whether, or on what 
terms, to offer, provide, or continue to provide a financial product or 
service to a consumer, a financial institution shall not obtain or 
receive individually identifiable health information about the consumer 
from an affiliate or nonaffiliated third party, or evaluate or 
otherwise consider any such information, unless the financial 
institution--
            ``(1) has clearly and conspicuously requested in writing or 
        in electronic form or other form permitted by the regulations 
        implementing this subtitle, that the consumer affirmatively 
        consent to the transfer and use of that information with 
        respect to a particular financial product or service;
            ``(2) has obtained from the consumer such affirmative 
        consent and such consent has not been withdrawn; and
            ``(3) requires the same health information about all 
        consumers as a condition for receiving the financial product or 
        service.''.
    (b) Existing Protections for Health Information Not Affected.--
Subtitle A of title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et 
seq.) is amended--
            (1) by redesignating section 510 as section 512; and
            (2) by inserting after section 509 the following new 
        section:

``SEC. 510. RELATION TO STANDARDS ESTABLISHED UNDER THE HEALTH 
              INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996.

    ``Nothing in this subtitle shall be construed as--
            ``(1) modifying, limiting, or superseding standards 
        governing the privacy and security of individually identifiable 
        health information promulgated by the Secretary of Health and 
        Human Services under sections 262(a) and 264 of the Health 
        Insurance Portability and Accountability Act of 1996; or
            ``(2) authorizing the use or disclosure of individually 
        identifiable health information in a manner other than as 
        permitted by other applicable law.''.
    (c) Definition of Individually Identifiable Health Information.--
Section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809) is amended 
by adding at the end the following new paragraph:
            ``(12) Individually identifiable health information.--The 
        term `individually identifiable health information' means any 
        information, including demographic information obtained from or 
        about an individual, that is described in section 1171(6)(B) of 
        the Social Security Act.''.
    (d) Technical and Conforming Amendment.--Section 505(a)(6) of the 
Gramm-Leach-Bliley Act (15 U.S.C. 6805(a)(6)) is amended by inserting 
before the period at the end ``to the extent that the provisions of 
such section are not inconsistent with the provisions of this 
subtitle''.

SEC. 5. LIMITS ON REDISCLOSURE AND REUSE OF INFORMATION.

    Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802) is 
amended--
            (1) by redesignating subsections (d) and (e) as subsections 
        (e) and (f), respectively; and
            (2) by inserting after subsection (c) the following new 
        subsection:
    ``(d) Limits on Redisclosure and Reuse of Information.--
            ``(1) In general.--An affiliate or a nonaffiliated third 
        party that receives nonpublic personal information from a 
        financial institution shall not disclose such information to 
        any other person unless such disclosure would be lawful if made 
        directly to such other person by the financial institution.
            ``(2) Disclosure under a general exception.--
        Notwithstanding paragraph (1), any person that receives 
        nonpublic personal information from a financial institution in 
        accordance with one of the general exceptions in subsection (f) 
        may use or disclose such information only--
                    ``(A) as permitted under that general exception; or
                    ``(B) under another general exception in subsection 
                (f), if necessary to carry out the purpose for which 
                the information was disclosed by the financial 
                institution.''.

SEC. 6. CONSUMER RIGHTS TO ACCESS AND CORRECT
              INFORMATION.

    Subtitle A of title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 
et seq.) is amended by inserting after section 510 (as added by section 
4(b) of this Act), the following new section:

``SEC. 511. ACCESS TO AND CORRECTION OF INFORMATION.

    ``(a) Access.--
            ``(1) In general.--Upon the request of a consumer, a 
        financial institution shall make available to the consumer 
        information about the consumer that is under the control of, 
        and reasonably available to, the financial institution.
            ``(2) Exceptions.--Notwithstanding paragraph (1), a 
        financial institution--
                    ``(A) shall not be required to disclose to a 
                consumer any confidential commercial information, such 
                as an algorithm used to derive credit scores or other 
                risk scores or predictors;
                    ``(B) shall not be required to create new records 
                in order to comply with the consumer's request;
                    ``(C) shall not be required to disclose to a 
                consumer any information assembled by the financial 
                institution, in a particular matter, as part of the 
                financial institution's efforts to comply with laws 
                preventing fraud, money laundering, or other unlawful 
                conduct; and
                    ``(D) shall not disclose any information required 
                to be kept confidential by any other Federal law.
    ``(b) Correction.--A financial institution shall provide a consumer 
the opportunity to dispute the accuracy of any information disclosed to 
the consumer pursuant to subsection (a), and to present evidence 
thereon. A financial institution shall correct or delete material 
information identified by a consumer that is materially incomplete or 
inaccurate.
    ``(c) Coordination and Consultation.--In prescribing regulations 
implementing this section, the Federal agencies specified in section 
504(a) shall consult with one another to ensure that the rules--
            ``(1) impose consistent requirements on the financial 
        institutions under their respective jurisdictions;
            ``(2) take into account conditions under which financial 
        institutions do business both in the United States and in other 
        countries; and
            ``(3) are consistent with the principle of technology 
        neutrality.
    ``(d) Charges for Disclosures.--A financial institution may impose 
a reasonable charge for making a disclosure under this section, which 
charge must be disclosed to the consumer before making the 
disclosure.''.

SEC. 7. IMPROVED ENFORCEMENT AUTHORITY.

    (a) Compliance With Privacy Policy.--Section 503 of the Gramm-
Leach-Bliley Act (15 U.S.C. 6803) is amended by adding at the end the 
following new subsection:
    ``(c) Compliance With Privacy Policy.--A financial institution's 
failure to comply with any of its policies or practices disclosed to a 
consumer under this section constitutes a violation of the requirements 
of this section.''.
    (b) Unfair and Deceptive Trade Practice.--Section 505(a)(7) of the 
Gramm-Leach-Bliley Act (15 U.S.C. 6805(a)(7)) is amended by adding at 
the end the following new sentence: ``A violation of any requirement of 
this subtitle, or the regulations of the Federal Trade Commission 
prescribed under this subtitle, by a financial institution or other 
person described in this paragraph shall constitute an unfair or 
deceptive act or practice in commerce in violation of section 5(a) of 
the Federal Trade Commission Act.''.
    (c) Supplemental State Enforcement for FTC Regulated Entities.--
Section 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6805) is amended 
by adding at the end the following new subsection:
    ``(e) State Action for Violations.--
            ``(1) Authority of the states.--In addition to such other 
        remedies as are provided under State law, if the attorney 
        general of a State, or an officer authorized by the State, has 
        reason to believe that any financial institution or other 
        person described in section 505(a)(7) has violated or is 
        violating this subtitle or the regulations prescribed 
        thereunder by the Federal Trade Commission, the State may--
                    ``(A) bring an action on behalf of the residents of 
                the State to enjoin such violation in any appropriate 
                United States district court or in any other court of 
                competent jurisdiction; and
                    ``(B) bring an action on behalf of the residents of 
                the State to enforce compliance with this subtitle and 
                the regulations prescribed thereunder by the Federal 
                Trade Commission, to obtain damages, restitution, or 
                other compensation on behalf of the residents of such 
                State, or to obtain such further and other relief as 
                the court may deem appropriate.
            ``(2) Rights of the federal trade commission.--The State 
        shall serve prior written notice of any action under paragraph 
        (1) upon the Federal Trade Commission and shall provide the 
        Commission with a copy of its complaint; provided that, if such 
        prior notice is not feasible, the State shall serve such notice 
        immediately upon instituting such action. The Federal Trade 
        Commission shall have the right--
                    ``(A) to move to stay the action, pending the final 
                disposition of a pending Federal matter as described in 
                paragraph (4);
                    ``(B) to intervene in an action under paragraph 
                (1);
                    ``(C) upon so intervening, to be heard on all 
                matters arising therein;
                    ``(D) to remove the action to the appropriate 
                United States district court; and
                    ``(E) to file petitions for appeal.
            ``(3) Investigatory powers.--For purposes of bringing any 
        action under this subsection, nothing in this subsection shall 
        prevent the attorney general, or officers of such State who are 
        authorized by such State to bring such actions, from exercising 
        the powers conferred on the attorney general or such officers 
        by the laws of such State to conduct investigations or to 
        administer oaths or affirmations or to compel the attendance of 
        witnesses or the production of documentary and other evidence.
            ``(4) Limitation on state action while federal action is 
        pending.--If the Federal Trade Commission has instituted an 
        action for a violation of this subtitle, no State may, during 
        the pendency of such action, bring an action under this section 
        against any defendant named in the complaint of the Commission 
        for any violation of this subtitle that is alleged in that 
        complaint.''.
    (d) State Action for Violations of Ban on Pretext Calling.--Section 
522 of the Gramm-Leach-Bliley Act (15 U.S.C. 6822) is amended by adding 
at the end the following new subsection:
    ``(c) State Action for Violations.--
            ``(1) Authority of the states.--In addition to such other 
        remedies as are provided under State law, if the attorney 
        general of a State, or an officer authorized by the State, has 
        reason to believe that any person (other than a person 
        described in subsection (b)(1)) has violated or is violating 
        this subtitle, the State may--
                    ``(A) bring an action on behalf of the residents of 
                the State to enjoin such violation in any appropriate 
                United States district court or in any other court of 
                competent jurisdiction; and
                    ``(B) bring an action on behalf of the residents of 
                the State to enforce compliance with this subtitle, to 
                obtain damages, restitution, or other compensation on 
                behalf of the residents of such State, or to obtain 
                such further and other relief as the court may deem 
                appropriate.
            ``(2) Rights of federal agencies.--The State shall serve 
        prior written notice of any action commenced under paragraph 
        (1) upon the Attorney General and the Federal Trade Commission, 
        and shall provide the Attorney General and the Commission with 
        a copy of the complaint; provided that, if such prior notice is 
        not feasible, the State shall serve such notice immediately 
        upon instituting such action. The Attorney General and the 
        Federal Trade Commission shall have the right--
                    ``(A) to move to stay the action, pending the final 
                disposition of a pending Federal matter as described in 
                paragraph (4);
                    ``(B) to intervene in an action under paragraph 
                (1);
                    ``(C) upon so intervening, to be heard on all 
                matters arising therein;
                    ``(D) to remove the action to the appropriate 
                United States district court; and
                    ``(E) to file petitions for appeal.
            ``(3) Investigatory powers.--For purposes of bringing any 
        action under this subsection, nothing in this subsection shall 
        prevent the attorney general, or officers of such State who are 
        authorized by such State to bring such actions, from exercising 
        the powers conferred on the attorney general or such officers 
        by the laws of such State to conduct investigations or to 
        administer oaths or affirmations or to compel the attendance of 
        witnesses or the production of documentary and other evidence.
            ``(4) Limitation on state action while federal action is 
        pending.--If the Attorney General has instituted a criminal 
        proceeding or the Federal Trade Commission has instituted a 
        civil action for a violation of this subtitle, no State may, 
        during the pendency of such proceeding or action, bring an 
        action under this section against any defendant named in the 
        criminal proceeding or civil action for any violation of this 
        subtitle that is alleged in that proceeding or action.''.

SEC. 8. ENHANCED DISCLOSURE OF PRIVACY POLICIES.

    (a) Timing of Notice to Consumers.--Section 503(a) of the Gramm-
Leach-Bliley Act (15 U.S.C. 6803(a)) is amended to read as follows:
    ``(a) Disclosure Required.--
            ``(1) Time of disclosure.--A financial institution shall 
        provide a disclosure that complies with paragraph (2)--
                    ``(A) to an individual upon the individual's 
                request;
                    ``(B) as part of an application for a financial 
                product or service from the financial institution; and
                    ``(C) to a consumer, prior to establishing a 
                customer relationship with the consumer and not less 
                frequently than annually during the continuation of 
                such relationship.
            ``(2) Disclosure format.--The disclosure required by 
        paragraph (1) shall be a clear and conspicuous notice, in 
        writing or in electronic form or other form permitted by the 
        regulations implementing this subtitle, of such financial 
        institution's policies and practices with respect to--
                    ``(A) disclosing nonpublic personal information to 
                affiliates and nonaffiliated third parties, consistent 
                with section 502, including the categories of 
                information that may be disclosed;
                    ``(B) disclosing nonpublic personal information of 
                persons who have ceased to be customers of the 
                financial institution; and
                    ``(C) protecting the nonpublic personal information 
                of consumers.
        Such disclosure shall be made in accordance with the 
        regulations implementing this subtitle.''.
    (b) Notice of Rights to Access and Correct Information.--Section 
503(b)(2) of the Gramm-Leach-Bliley Act (15 U.S.C. 6803(b)(2)) is 
amended by inserting ``, and a statement of the consumer's right to 
access and correct such information, consistent with section 511'' 
after ``institution''.
    (c) Technical and Conforming Amendment.--Section 503(b)(1)(A) of 
the Gramm-Leach-Bliley Act (15 U.S.C. 6803(b)(1)(A)) is amended by 
striking ``502(e)'' and inserting ``502(f)''.

SEC. 9. LIMIT ON DISCLOSURE OF ACCOUNT NUMBERS.

    Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802) is 
amended in subsection (e) (as so redesignated by section 5) by 
inserting ``affiliate or'' before ``nonaffiliated third party''.

SEC. 10. GENERAL EXCEPTIONS.

    Section 502(f) of the Gramm-Leach-Bliley Act (15 U.S.C. 6802(f)) (as 
so redesignated by section 5 of this Act) is amended--
            (1) in the matter preceding paragraph (1), by striking 
        ``Subsections (a) and (b)'' and inserting ``Subsection (a)'';
            (2) in paragraph (1)--
                    (A) by striking ``or'' at the end of subparagraph 
                (B);
                    (B) by inserting ``or'' after the semicolon at the 
                end of subparagraph (C); and
                    (C) by inserting after subparagraph (C) the 
                following new subparagraph:
                    ``(D) performing services for or functions solely 
                on behalf of the financial institution with respect to 
                the financial institution's own customers, including 
                marketing of the financial institution's own products 
                or services to the financial institution's 
                customers;'';
            (3) in paragraph (4), by striking ``, and the institution's 
        attorneys, accountants, and auditors'';
            (4) in paragraph (5), by inserting ``section 21 of the 
        Federal Deposit Insurance Act,'' after ``title 31, United 
        States Code,'';
            (5) in paragraph (7), by striking ``or'' at the end;
            (6) in paragraph (8), by striking the period and inserting 
        a semicolon; and
            (7) by adding at the end the following new paragraphs:
            ``(9) in order to facilitate customer service, such as 
        maintenance and operation of consolidated customer call centers 
        or the use of consolidated customer account statements; or
            ``(10) to the institution's attorneys, accountants, and 
        auditors.''.

SEC. 11. DEFINITIONS.

    Section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809) is 
amended--
            (1) in paragraph (3)--
                    (A) by striking ``(3) Financial institution'' and 
                all that follows through ``The term `financial 
institution''' and inserting ``(3) Financial institution.--The term 
`financial institution'''; and
                    (B) by striking subparagraphs (B), (C), and (D);
            (2) by amending paragraph (4) to read as follows:
            ``(4) Nonpublic personal information.--The term `nonpublic 
        personal information' means--
                    ``(A) any personally identifiable information, 
                including a Social Security number--
                            ``(i) provided by a consumer to a financial 
                        institution, in an application or otherwise, to 
                        obtain a financial product or service from the 
                        financial institution;
                            ``(ii) resulting from any transaction 
                        between a financial institution and a consumer 
                        involving a financial product or service; or
                            ``(iii) obtained by the financial 
                        institution about a consumer in connection with 
                        providing a financial product or service to 
                        that consumer, other than publicly available 
                        information, as such term is defined by the 
                        regulations prescribed under section 504; and
                    ``(B) any list, description or other grouping of 
                one or more consumers of the financial institution and 
                publicly available information pertaining to them.''; 
                and
            (3) in paragraph (9), by inserting ``applies for or'' 
        before ``obtains''.

SEC. 12. ISSUANCE OF IMPLEMENTING REGULATIONS.

    (a) In General.--The Federal agencies specified in section 504(a) 
of the Gramm-Leach-Bliley Act (15 U.S.C. 6804(a)) shall prescribe 
regulations implementing the amendments to subtitle A of title V of the 
Gramm-Leach-Bliley Act made by this Act, and shall include such 
requirements determined to be appropriate to prevent their 
circumvention or evasion.
    (b) Coordination, Consistency, and Comparability.--The regulations 
issued under subsection (a) shall be issued in accordance with the 
requirements of section 504(a) of the Gramm-Leach-Bliley Act (15 U.S.C. 
6804(a)), except that the deadline in section 504(a)(3) shall not 
apply.

SEC. 13. FTC RULEMAKING AUTHORITY UNDER THE FAIR CREDIT REPORTING ACT.

    Section 621(e) of the Fair Credit Reporting Act (15 U.S.C. 
1681s(e)) is amended by adding at the end the following new paragraph:
            ``(3) Regulations.--The Federal Trade Commission shall 
        prescribe such regulations as necessary to carry out the 
        provisions of this title with respect to any persons identified 
        under paragraph (1) of subsection (a). Prior to prescribing 
        such regulations, the Federal Trade Commission shall consult 
        with the Federal banking agencies referred to in paragraph (1) 
        of this subsection in order to ensure, to the extent possible, 
        comparability and consistency with the regulations issued by 
        the Federal banking agencies under that paragraph.''.