[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[H.R. 8398 Introduced in House (IH)]

119th CONGRESS
  2d Session
                                H. R. 8398

To make improvements to title V of the Gramm-Leach-Bliley Act, and for 
                            other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             April 21, 2026

    Mr. Huizenga (for himself, Mr. Barr, Mr. Steil, and Mr. Hill of 
  Arkansas) introduced the following bill; which was referred to the 
                    Committee on Financial Services

_______________________________________________________________________

                                 A BILL


 
To make improvements to title V of the Gramm-Leach-Bliley Act, and for 
                            other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Guidelines for 
Use, Access, and Responsible Disclosure of Financial Data Act'' or the 
``GUARD Financial Data Act''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
     TITLE I--IMPROVEMENTS TO TREATMENT OF CONSUMER FINANCIAL DATA

Sec. 101. Subtitle and section heading alterations.
Sec. 102. Data minimization.
Sec. 103. Continuing consumer opt out right.
Sec. 104. Limits on use of consumer access credentials.
Sec. 105. Additional information to be included in notices to 
                            consumers.
Sec. 106. Customer access to privacy and disclosure policies.
Sec. 107. Requests for disclosure of or deletion of nonpublic personal 
                            information.
Sec. 108. Opt in for sensitive nonpublic personal information.
  TITLE II--REGULATORY CONSIDERATION FOR SMALL FINANCIAL INSTITUTIONS

Sec. 201. Regulatory consideration for small financial institutions.
                   TITLE III--RELATION TO OTHER LAWS

Sec. 301. Relation to State laws.
                   TITLE IV--ADDITIONS TO DEFINITIONS

Sec. 401. Additions to definitions.

     TITLE I--IMPROVEMENTS TO TREATMENT OF CONSUMER FINANCIAL DATA

SEC. 101. SUBTITLE AND SECTION HEADING ALTERATIONS.

    The Gramm-Leach-Bliley Act is amended--
            (1) in title V (15 U.S.C. 6801 et seq.)--
                    (A) in subtitle A, in the heading of the subtitle, 
                by striking ``Disclosure'' and inserting ``Treatment''; 
                and
                    (B) in section 502, by striking ``disclosures of'' 
                and inserting ``nonpublic''; and
            (2) in the table of contents for such Act--
                    (A) in the item relating to subtitle A of title V, 
                by striking ``Disclosure'' and inserting ``Treatment''; 
                and
                    (B) in the item relating to section 502, by 
                striking ``disclosures of'' and inserting 
                ``nonpublic''.

SEC. 102. DATA MINIMIZATION.

    (a) In General.--Section 502 of the Gramm-Leach-Bliley Act (15 
U.S.C. 6802) is amended--
            (1) in subsection (e), by striking ``Subsections (a) and 
        (b)'' and inserting ``Subsections (a), (b), and (f)'';
            (2) in subsection (e), by inserting ``collection or'' 
        before ``disclosure''; and
            (3) by adding at the end the following:
    ``(f) Data Minimization.--
            ``(1) In general.--A financial institution shall limit the 
        collection or disclosure of nonpublic personal information to 
        what is adequate, relevant, and reasonably necessary in 
        relation to each purpose for which the nonpublic personal 
        information is collected or disclosed, and if such collection 
        or disclosure is not otherwise prohibited by this subtitle or 
        the amendments made by this subtitle.
            ``(2) Rule of construction.--Nothing in paragraph (1) shall 
        be construed to prevent a financial institution from disclosing 
        nonpublic personal information--
                    ``(A) to a nonaffiliated third party pursuant to 
                subsection (b)(2);
                    ``(B) to a nonaffiliated third party as required by 
                section 1033 of the Consumer Financial Protection Act 
                of 2010 (12 U.S.C. 5533);
                    ``(C) to comply with a request from a consumer 
                reporting agency (as defined in section 603(f) of the 
                Fair Credit Reporting Act (15 U.S.C. 1681a(f))) to the 
                extent the consumer reporting agency is engaged in 
                activities subject to the Fair Credit Reporting Act;
                    ``(D) to an agency with regulatory jurisdiction 
                over the financial institution;
                    ``(E) to a self-regulatory organization of which 
                the financial institution is a member;
                    ``(F) as otherwise permitted or required by this 
                subtitle; or
                    ``(G) as otherwise required by law.''.
    (b) Effective Date.--This section shall take effect 2 years after 
the date of enactment of this Act.

SEC. 103. CONTINUING CONSUMER OPT OUT RIGHT.

    Section 502(b)(1) of the Gramm-Leach-Bliley Act (15 U.S.C. 
6802(b)(1)) is amended--
            (1) in subparagraph (B), by inserting after ``initially 
        disclosed'' the following: ``and with that opportunity 
        exercisable by the consumer at any time thereafter''; and
            (2) in subparagraph (C), by inserting before the period at 
        the end the following: ``before the time that such information 
        is initially disclosed and with that explanation accessible to 
        the consumer at any time thereafter''.

SEC. 104. LIMITS ON USE OF CONSUMER ACCESS CREDENTIALS.

    (a) In General.--Section 502 of the Gramm-Leach-Bliley Act (15 
U.S.C. 6802), as amended by section 102(3), is further amended by 
adding at the end the following:
    ``(g) Limits on Use of Consumer Access Credentials.--
            ``(1) Notice and opt out.--A financial data aggregator or 
        nonaffiliated third party may not use the access credentials of 
        a consumer to access an electronic form of the consumer's 
        account at, or otherwise obtain an electronic form of nonpublic 
        personal information of the consumer from, a financial 
        institution unless--
                    ``(A) before the time that such access credentials 
                are initially collected, the financial data aggregator 
                or nonaffiliated third party provides a clear and 
                conspicuous disclosure to such consumer that includes--
                            ``(i) how the financial data aggregator or 
                        nonaffiliated third party will use such access 
                        credentials;
                            ``(ii) whether the financial data 
                        aggregator or nonaffiliated third party will 
                        disclose such access credentials to a third 
                        party not affiliated with the financial data 
                        aggregator or nonaffiliated third party; and
                            ``(iii) a notification of--
                                    ``(I) the risks to privacy and 
                                security of nonpublic personal 
                                information associated with use of 
                                access credentials to obtain nonpublic 
                                personal information held by a 
                                financial institution; and
                                    ``(II) the practices of the 
                                financial data aggregator or 
                                nonaffiliated third party to ensure the 
                                privacy and security of nonpublic 
                                personal information obtained using 
                                access credentials; and
                    ``(B) the consumer is given the opportunity to 
                direct that such access credentials not be used to 
                access the consumer's account at, or otherwise obtain 
                nonpublic personal information of the consumer from, 
                the financial institution.
            ``(2) Treatment of access credential-based request.--A 
        financial institution may not deny a disclosure request from a 
        financial data aggregator or a nonaffiliated third party using 
        the access credentials of a consumer if the consumer--
                    ``(A) has received the disclosure described in 
                paragraph (1)(A); and
                    ``(B) has been given the opportunity to direct that 
                such access credentials not be used, as described in 
                paragraph (1)(B).
            ``(3) Rule of construction.--Notwithstanding paragraphs (1) 
        and (2), when complying with this subsection, a financial 
        institution, financial data aggregator, or nonaffiliated third 
        party shall comply with any requirements of section 1033 of the 
        Consumer Financial Protection Act of 2010 (12 U.S.C. 5533) with 
        respect to the use of the access credentials of a consumer to 
        access an electronic form of the consumer's account at, or 
        otherwise obtain an electronic form of nonpublic personal 
        information of the consumer from, a financial institution.''.
    (b) Effective Date.--This section shall take effect 1 year after 
the date of enactment of this Act.

SEC. 105. ADDITIONAL INFORMATION TO BE INCLUDED IN NOTICES TO 
              CONSUMERS.

    (a) In General.--Section 503(c) of the Gramm-Leach-Bliley Act (15 
U.S.C. 6803(c)) is amended--
            (1) in paragraph (3) by striking ``and'' at the end;
            (2) by redesignating paragraph (4) as paragraph (11); and
            (3) by inserting after paragraph (3) the following:
            ``(4) the categories of purposes for which the financial 
        institution--
                    ``(A) collects nonpublic personal information; and
                    ``(B) discloses nonpublic personal information to a 
                nonaffiliated third party;
            ``(5) the categories of practices of the financial 
        institution with respect to the financial institution's 
        retention of nonpublic personal information;
            ``(6) the categories of practices of the financial 
        institution with respect to the financial institution's use of 
        artificial intelligence in the collection, processing, and 
        utilization of nonpublic personal information;
            ``(7) whether any nonpublic personal information of the 
        consumer is processed in, retained in, or disclosed to a 
        covered nation;
            ``(8) an explanation of how a consumer can exercise the 
        option pursuant to section 502(b) to direct that nonpublic 
        personal information not be disclosed to a nonaffiliated third 
        party before the time that such information is initially 
        disclosed and at any time thereafter;
            ``(9) an explanation of how a customer can exercise the 
        option to request a copy of the disclosure required by 
        subsection (a) pursuant to subsection (g);
            ``(10) an explanation of how a customer or former customer 
        can exercise the option to request disclosure of nonpublic 
        personal information and how a former customer can exercise the 
        option to request deletion of nonpublic personal information 
        pursuant to section 503A; and''.
    (b) Update of Model Forms.--
            (1) In general.--The agencies referred to in section 
        504(a)(1) of the Gramm-Leach-Bliley Act (15 U.S.C. 6804(a)(1)) 
        shall, in consultation with the Federal functional regulators, 
        jointly develop updates to the model form mandated by section 
        503(e) of such Act.
            (2) Safe harbor.--During the 2-year period beginning on the 
        date the agencies finalize updates to the model form under 
        paragraph (1), a financial institution shall be deemed to be 
        compliant with section 502(a) of the Gramm-Leach-Bliley Act (15 
        U.S.C. 6802(a)) if the disclosures of the financial institution 
        under section 503 of such Act comply with the model form issued 
        pursuant to section 503(e) in effect on the date of enactment 
        of this Act.

SEC. 106. CUSTOMER ACCESS TO PRIVACY AND DISCLOSURE POLICIES.

    Section 503 of the Gramm-Leach-Bliley Act (15 U.S.C. 6803) is 
amended by inserting at the end the following:
    ``(g) Customer Access to Privacy and Disclosure Policies.--A 
financial institution shall, upon a customer request, provide such 
customer with a copy of the disclosure required by subsection (a) in 
writing or in electronic form or other form permitted by the 
regulations prescribed under section 504.''.

SEC. 107. REQUESTS FOR DISCLOSURE OF OR DELETION OF NONPUBLIC PERSONAL 
              INFORMATION.

    (a) In General.--Title V of the Gramm-Leach-Bliley Act (15 U.S.C. 
6801 et seq.) is amended by inserting after section 503 the following:

``SEC. 503A. REQUESTS FOR DISCLOSURE OF OR DELETION OF NONPUBLIC 
              PERSONAL INFORMATION.

    ``(a) Customer or Former Customer Request for Disclosure of 
Nonpublic Personal Information.--
            ``(1) In general.--Upon a request from a customer or former 
        customer of a financial institution, such financial institution 
        shall disclose to the customer or former customer--
                    ``(A) pursuant to the requirements of section 1033 
                of the Consumer Financial Protection Act of 2010 (12 
                U.S.C. 5533), any nonpublic personal information of the 
                customer or former customer in the control or 
                possession of the financial institution; and
                    ``(B) a list of the categories of affiliates and 
                nonaffiliated third parties to whom the financial 
                institution has disclosed nonpublic personal 
                information of the customer or former customer (other 
                than disclosures of nonpublic personal information made 
                to an affiliate or a nonaffiliated third party pursuant 
                to an exception under section 502(e)).
            ``(2) Exception.--Paragraph (1) shall not apply to the 
        extent that disclosure of nonpublic personal information to a 
        customer or former customer is prohibited under other 
        provisions of law.
    ``(b) Former Customer Request for Deletion of Nonpublic Personal 
Information.--
            ``(1) In general.--Upon a request from a former customer, a 
        financial institution shall delete any nonpublic personal 
        information of the former customer held by the financial 
        institution.
            ``(2) Former customer deletion request exceptions.--
        Paragraph (1) shall not require deletion of nonpublic personal 
        information of a former customer by a financial institution 
        where--
                    ``(A) the nonpublic personal information is 
                required to be retained for a continuing purpose 
                pursuant to an exception described under section 
                502(e);
                    ``(B) the holder of the nonpublic personal 
                information is a consumer reporting agency, as defined 
                in section 603(f) of the Fair Credit Reporting Act (15 
                U.S.C. 1681a(f)), and the nonpublic personal 
                information is held solely to the extent that it is 
                used in activities subject to the Fair Credit Reporting 
                Act;
                    ``(C) the nonpublic personal information is 
                required to be retained to respond to a dispute under 
                the Fair Credit Reporting Act; or
                    ``(D) the nonpublic personal information is 
                required to be retained as otherwise required by law.
            ``(3) Verification.--
                    ``(A) In general.--A financial institution shall 
                establish and implement procedures to verify the 
                identity of a former customer submitting a request 
                under paragraph (1) before deleting nonpublic personal 
                information that is the subject of such request.
                    ``(B) Requirements.--The procedures established by 
                a financial institution pursuant to subparagraph (A) 
                shall be designed to--
                            ``(i) confirm that the individual making 
                        the request is the former customer to whom the 
                        nonpublic personal information relates;
                            ``(ii) protect against unauthorized 
                        deletion of nonpublic personal information 
                        resulting from fraudulent requests; and
                            ``(iii) protect against deletion of 
                        nonpublic personal information resulting from 
                        requests made by a former customer in error.
                    ``(C) Exception.--A financial institution shall not 
                be required to grant a request under paragraph (1) if 
                the financial institution cannot confirm that the 
                identity of the individual making such request is the 
                same as the former customer to whom the nonpublic 
                personal information relates.
            ``(4) Response period.--
                    ``(A) In general.--A financial institution shall 
                respond to a former customer submitting a request under 
                paragraph (1) without undue delay, but in all cases 
                within 45 days of receiving such request.
                    ``(B) Extension.--A financial institution may 
                extend the response period in subparagraph (A) once for 
                an additional 45 days when necessary, taking into 
                account the complexity and number of requests by the 
                former customer, but must inform the former customer of 
                such extension and the reason for such extension within 
                the initial 45 day response period under subparagraph 
                (A).
            ``(5) Apportionment of costs.--
                    ``(A) Initial requests.--A former customer may 
                submit 2 requests per year free of charge to a 
                financial institution under paragraph (1).
                    ``(B) Subsequent requests.--For any request of a 
                former customer under paragraph (1) subsequent to the 
                requests described in subparagraph (A), a financial 
                institution may--
                            ``(i) charge the former customer a fee, if 
                        the financial institution has notified the 
                        former customer of such fee and the former 
                        customer has consented to such fee; or
                            ``(ii) decline to act on such request, if 
                        the former customer does not consent to the fee 
                        described under clause (i).
            ``(6) Appeal.--Subject to the exceptions in paragraph (2), 
        a financial institution receiving a request under paragraph (1) 
        shall--
                    ``(A) establish a process for a former customer to 
                appeal a determination by a financial institution to 
                deny a request under paragraph (1);
                    ``(B) make such appeal process under subparagraph 
                (A) clearly and conspicuously disclosed to the former 
                customer in the response required under paragraph (4) 
                if the request under paragraph (1) is to be denied by 
                the financial institution;
                    ``(C) respond to such an appeal request by the 
                former customer--
                            ``(i) not later than 60 days after the date 
                        on which such appeal request is received; and
                            ``(ii) by informing the former customer in 
                        writing or in electronic form or other form 
                        permitted by the regulations prescribed under 
                        section 504 of any action taken in response to 
                        the appeal, including an explanation of the 
                        reason for each action taken; and
                    ``(D) if such an appeal is denied, provide the 
                former customer with an online mechanism, if available, 
                or other method through which the former customer may 
                contact the appropriate enforcement agency or authority 
                as described in section 505 to submit a complaint.''.
    (b) Effective Date.--This section shall take effect 2 years after 
the date of enactment of this Act.
    (c) Clerical Amendment.--The table of contents in section 1(b) of 
the Gramm-Leach-Bliley Act is amended by inserting after the item 
relating to section 503 the following:

``Sec. 503A. Requests for disclosure of or deletion of nonpublic 
                            personal information.''.

SEC. 108. OPT IN FOR SENSITIVE NONPUBLIC PERSONAL INFORMATION.

    (a) In General.--Section 502 of the Gramm-Leach-Bliley Act (15 
U.S.C. 6802), as amended by sections 102(3) and 104, is further amended 
by adding at the end the following:
    ``(h) Opt in for Sensitive Nonpublic Personal Information.--
            ``(1) In general.--Notwithstanding subsection (b)(1), a 
        financial institution may not collect sensitive nonpublic 
        personal information or disclose sensitive nonpublic personal 
        information to a nonaffiliated third party unless--
                    ``(A) such financial institution clearly and 
                conspicuously discloses to the consumer, in writing or 
                in electronic form or other form permitted by the 
                regulations prescribed under section 504, that such 
                information may be collected or that such information 
                may be disclosed to such third party;
                    ``(B) such financial institution obtains the 
                consent of the consumer to collect such information or 
                to disclose such information to such third party before 
                the time that such information is initially collected 
                or disclosed; and
                    ``(C) the consumer is given an explanation of how 
                the consumer can revoke that consent pursuant to 
                paragraph (2).
            ``(2) Continuing consumer consent revocation right.--A 
        consumer may revoke their consent under paragraph (1)(B) at any 
        time.
            ``(3) Rule of construction.--Paragraph (1) shall not be 
        construed to prevent a financial institution from disclosing 
        sensitive nonpublic personal information--
                    ``(A) pursuant to section 502(e)(3)(A);
                    ``(B) pursuant to section 502(e)(3)(B);
                    ``(C) pursuant to section 502(e)(5); or
                    ``(D) pursuant to section 502(e)(8).''.
    (b) Effective Date.--This section shall take effect 1 year after 
the date of enactment of this Act.

  TITLE II--REGULATORY CONSIDERATION FOR SMALL FINANCIAL INSTITUTIONS

SEC. 201. REGULATORY CONSIDERATION FOR SMALL FINANCIAL INSTITUTIONS.

    Section 504 of the Gramm-Leach-Bliley Act (15 U.S.C. 6804) is 
amended by adding at the end the following:
    ``(c) Consideration of Effects on Financial Institutions With 
$15,000,000,000 or Less in Assets.--
            ``(1) In general.--Each of the agencies authorized under 
        subsection (a)(1) to prescribe regulations shall take into 
        account the effects of the regulations on financial 
        institutions with $15,000,000,000 or less in assets, including 
        the resource, technical, and personnel limitations of such 
        financial institutions to comply with the regulations and the 
        regulatory compliance costs relative to the size, complexity, 
        financial activities, revenues, and noncompliance costs of such 
        financial institutions.
            ``(2) Threshold adjustment.--By April 1, 2031, and the 1st 
        day of each subsequent 5-year period, the agencies authorized 
        under subsection (a)(1) to prescribe regulations shall increase 
        the threshold described in paragraph (1) by the ratio, if 
        greater than 1, of the annual value of current-dollar United 
        States gross domestic product, published by the Department of 
        Commerce, for the calendar year preceding the year in which the 
        adjustment is calculated under this section, to the published 
        annual value of such index for the calendar year preceding 
        April 1, 2026.''.

                   TITLE III--RELATION TO OTHER LAWS

SEC. 301. RELATION TO STATE LAWS.

    Section 507 of the Gramm-Leach-Bliley Act (15 U.S.C. 6807) is 
amended to read as follows:

``SEC. 507. RELATION TO STATE LAWS.

    ``(a) In General.--This subtitle and the amendments made by this 
subtitle shall supersede and preempt the application of any State 
statute, regulation, order, interpretation, or other law that 
establishes consumer data privacy or security requirements to nonpublic 
personal information subject to this subtitle. This subtitle and the 
amendments made by this subtitle shall supersede and preempt the 
application of any State statute, regulation, order, interpretation, or 
other law that establishes consumer data privacy or security 
requirements to a financial institution subject to this subtitle.
    ``(b) Regulation and Enforcement by State Insurance Authorities.--
Subsection (a) shall not be construed to alter, affect, or otherwise 
limit the authority of a State insurance authority to enforce this 
subtitle pursuant to section 505 or to adopt regulations to carry out 
this subtitle pursuant to section 504 in a manner consistent and 
comparable with, and not more restrictive than, the regulations 
prescribed by the Federal agencies authorized to prescribe regulations 
under section 504 as required by section 504(a)(2).''.

                   TITLE IV--ADDITIONS TO DEFINITIONS

SEC. 401. ADDITIONS TO DEFINITIONS.

    Section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809) is 
amended--
            (1) in paragraph (3)(A), by inserting before the period at 
        the end the following: ``or a financial data aggregator'';
            (2) by amending paragraph (4)(A) to read as follows:
                    ``(A) The term `nonpublic personal information' 
                means--
                            ``(i) personally identifiable financial 
                        information--
                                    ``(I) provided by a consumer to a 
                                financial institution;
                                    ``(II) resulting from any 
                                transaction with the consumer or any 
                                service performed for the consumer; or
                                    ``(III) otherwise obtained by the 
                                financial institution;
                            ``(ii) access credentials; and
                            ``(iii) when used by a financial 
                        institution while engaging in financial 
                        activities as described in section 4(k) of the 
                        Bank Holding Company Act of 1956 (12 U.S.C. 
                        1843(k))--
                                    ``(I) biometric data; and
                                    ``(II) precise geolocation data.'';
            (3) in paragraph (11), by striking ``Customer'' and 
        inserting ``Time of establishing a customer''; and
            (4) by adding at the end the following:
            ``(12) Access credentials.--The term `access credentials' 
        means personally identifiable nonfinancial information that a 
        consumer uses to access an account of such consumer at a 
        financial institution, including a username, password, personal 
        identification number, access code, answer to a security 
        question, or a substantially similar item of personally 
        identifiable nonfinancial information.
            ``(13) Artificial intelligence.--The term `artificial 
        intelligence' has the meaning given such term in section 5002 
        of the National Artificial Intelligence Initiative Act of 2020 
        (15 U.S.C. 9401).
            ``(14) Biometric data.--The term `biometric data'--
                    ``(A) means personally identifiable nonfinancial 
                information of a consumer generated by automatic 
                measurements of biological characteristics, including a 
                fingerprint, voiceprint, eye retinas, eye irises, or 
                other unique biological patterns or characteristics 
                that are used to identify a specific consumer; and
                    ``(B) does not include a physical or digital 
                photograph, a video or audio recording or data 
                generated therefrom, or information collected, used, or 
                stored for health care treatment, payment, or 
                operations under the Health Insurance Portability and 
                Accountability Act or the amendments made by that Act.
            ``(15) Consent.--The term `consent' means a clear 
        affirmative act by a consumer that--
                    ``(A) signifies the freely given, specific, 
                informed, and unambiguous agreement by the consumer to 
                an action; and
                    ``(B) is--
                            ``(i) in writing or in electronic form or 
                        other form permitted by the regulations 
                        prescribed under section 504; or
                            ``(ii) in any other unambiguous affirmative 
                        form.
            ``(16) Covered nation.--The term `covered nation' has the 
        meaning given such term in section 4872(f) of title 10, United 
        States Code.
            ``(17) Customer.--The term `customer' means a consumer who 
        has a customer relationship with a financial institution.
            ``(18) Customer relationship.--The term `customer 
        relationship' means a continuing relationship between a 
        consumer and a financial institution under which the financial 
        institution provides one or more financial products or services 
        to the consumer that are to be used primarily for personal, 
        family, or household purposes.
            ``(19) Financial data aggregator.--The term `financial data 
        aggregator'--
                    ``(A) means any person that operates a commercial 
                enterprise for the primary business purpose of 
                accessing, aggregating, collecting, processing, 
                selling, or otherwise disclosing nonpublic personal 
                information; and
                    ``(B) does not include--
                            ``(i) a person that receives, processes, or 
                        discloses nonpublic personal information solely 
                        to the extent that it performs services for or 
                        functions on behalf of a financial institution 
                        pursuant to section 502(b)(2) or pursuant to an 
                        exception described under section 502(e);
                            ``(ii) a consumer reporting agency, as 
                        defined in section 603(f) of the Fair Credit 
                        Reporting Act (15 U.S.C. 1681a(f)), solely to 
                        the extent that it engages in activities 
                        subject to the Fair Credit Reporting Act;
                            ``(iii) an attorney, accountant, investment 
                        adviser, or other person acting in a fiduciary 
                        or representative capacity on behalf of a 
                        consumer pursuant to section 502(e)(3)(E);
                            ``(iv) a person--
                                    ``(I) to the extent that such 
                                person is not a financial institution; 
                                and
                                    ``(II) that operates a commercial 
                                enterprise that receives, processes, or 
                                discloses nonpublic personal 
                                information for the purpose of making 
                                or receiving payments associated with a 
                                sale, purchase, or exchange of goods or 
                                services; or
                            ``(v) a self-regulatory organization that 
                        receives or processes nonpublic personal 
                        information disclosed to it by its members, or 
                        that discloses nonpublic personal information 
                        to an agency.
            ``(20) Former customer.--The term `former customer' means a 
        consumer who has previously had a customer relationship with a 
        financial institution and that is no longer a customer of the 
        financial institution because that customer relationship has 
        terminated.
            ``(21) Precise geolocation data.--The term `precise 
        geolocation data'--
                    ``(A) means personally identifiable nonfinancial 
                information of a consumer generated by technological 
                means, including global positioning systems, telemetry, 
                telematics, and level, latitude, and longitude 
                coordinates, or other means, that directly identifies 
                the specific location of a consumer with precision and 
                accuracy within a radius of 1,750 feet; and
                    ``(B) does not include the content of 
                communications or any data generated by or connected to 
                advanced utility metering infrastructure systems or 
                equipment for use by a utility.
            ``(22) Self-regulatory organization.--The term `self-
        regulatory organization'--
                    ``(A) has the meaning given that term in section 
                3(a) of the Securities Exchange Act of 1934 (15 U.S.C. 
                78c(a)); and
                    ``(B) means--
                            ``(i) a contract market, derivatives 
                        transaction execution facility, registered 
                        futures association, or other self-regulatory 
                        organization registered with the Commodity 
                        Futures Trading Commission; and
                            ``(ii) any other self-regulatory 
                        organization registered with an agency 
                        authorized under section 504(a)(1) to prescribe 
                        regulations or with a Federal functional 
                        regulator, as determined by such agency or such 
                        Federal functional regulator.
            ``(23) Sensitive nonpublic personal information.--The term 
        `sensitive nonpublic personal information' means, when used by 
        a financial institution while engaging in financial activities 
        as described in section 4(k) of the Bank Holding Company Act of 
        1956 (12 U.S.C. 1843(k))--
                    ``(A) personally identifiable nonfinancial 
                information of a consumer that discloses the consumer's 
                racial or ethnic origin, religious belief, mental or 
                physical health diagnosis, sexual orientation, or 
                citizenship or immigration status;
                    ``(B) genetic or biometric data of a consumer that 
                is disclosed for the purpose of uniquely identifying a 
                specific consumer; and
                    ``(C) precise geolocation data.
            ``(24) State.--The term `State' means each State of the 
        United States, the District of Columbia, each commonwealth, 
        territory, or possession of the United States, and each 
        federally recognized Indian Tribe.''.
                                 <all>