<enum>I</enum><header>Improvements to Treatment of Consumer Financial Data</header> <section id="H121026EE5C8748ABA37A2D196C00D7F4"><enum>101.</enum><header>Subtitle and section heading alterations</header><text display-inline="no-display-inline">The Gramm-Leach-Bliley Act is amended—</text> <paragraph id="HD6EDB1E76352425A81DC8BA5A344A55F"><enum>(1)</enum><text display-inline="yes-display-inline">in title V (<external-xref legal-doc="usc" parsable-cite="usc/15/6801">15 U.S.C. 6801 et seq.</external-xref>)—</text> <subparagraph id="H5172A74EF6D849A2AED9C56AB34E9DBB"><enum>(A)</enum><text display-inline="yes-display-inline">in subtitle A, in the heading of the subtitle, by striking <quote><header-in-text level="subtitle" style="OLC">Disclosure</header-in-text></quote> and inserting <quote><header-in-text level="subtitle" style="OLC">Treatment</header-in-text></quote>; and</text></subparagraph> <subparagraph id="H7D4986501F8F441297A2C81F808AEBED"><enum>(B)</enum><text display-inline="yes-display-inline">in section 502, by striking <quote><header-in-text level="section" style="OLC">DISCLOSURES OF</header-in-text></quote> and inserting <quote><header-in-text level="section" style="OLC">NONPUBLIC</header-in-text></quote>; and</text></subparagraph></paragraph> <paragraph id="HDD700F0CD6DF41CBA3876F469816C3EE"><enum>(2)</enum><text>in the table of contents for such Act—</text> <subparagraph id="HA2597E3EDD46459798CFDF87AFB5DA03"><enum>(A)</enum><text>in the item relating to subtitle A of title V, by striking <quote>Disclosure</quote> and inserting <quote>Treatment</quote>; and</text></subparagraph> <subparagraph id="H2BF243123E9E49BEAA09764078885180"><enum>(B)</enum><text>in the item relating to section 502, by striking <quote>disclosures of</quote> and inserting <quote>nonpublic</quote>.</text></subparagraph></paragraph></section> <section id="H5141D218F3BC4E8C9528193058B96001"><enum>102.</enum><header>Data minimization</header> <subsection id="HEECB45FEA6E149EFB6BF4C3CDB022B6E"><enum>(a)</enum><header>In general</header><text display-inline="yes-display-inline">Section 502 of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6802">15 U.S.C. 6802</external-xref>) is amended—</text> <paragraph id="HFA851C23AEF047E39A7598A7A72813B9"><enum>(1)</enum><text>in subsection (e), by striking <quote>Subsections (a) and (b)</quote> and inserting <quote>Subsections (a), (b), and (f)</quote>;</text></paragraph> <paragraph id="HA7D5C91F08DC4D648E71F69B6CCAE3FC"><enum>(2)</enum><text display-inline="yes-display-inline">in subsection (e), by inserting <quote>collection or</quote> before <quote>disclosure</quote>; and</text></paragraph> <paragraph id="H163B51DC31D14DE2A1EE06F2229BA262"><enum>(3)</enum><text>by adding at the end the following:</text> <quoted-block style="OLC" id="H3A08534D1A4343D5B5302186145E51D3" display-inline="no-display-inline"> <subsection id="H218BF988899F427285FC8BC58511353C"><enum>(f)</enum><header>Data minimization</header> <paragraph id="HD27FB18D72D44A01AB564E90DB21D48C"><enum>(1)</enum><header>In general</header><text display-inline="yes-display-inline">A financial institution shall limit the collection or disclosure of nonpublic personal information to what is adequate, relevant, and reasonably necessary in relation to each purpose for which the nonpublic personal information is collected or disclosed, and if such collection or disclosure is not otherwise prohibited by this subtitle or the amendments made by this subtitle.</text></paragraph> <paragraph id="H1E88344B567E4F70A912A3C654AEC6BE"><enum>(2)</enum><header>Rule of construction</header><text display-inline="yes-display-inline">Nothing in paragraph (1) shall be construed to prevent a financial institution from disclosing nonpublic personal information—</text> <subparagraph id="HCFD355473F5C42C99E0960F457DE478D"><enum>(A)</enum><text>to a nonaffiliated third party pursuant to subsection (b)(2);</text></subparagraph> <subparagraph id="H6431DDF034054879B8931B816639A8B7"><enum>(B)</enum><text display-inline="yes-display-inline">to a nonaffiliated third party as required by section 1033 of the Consumer Financial Protection Act of 2010 (<external-xref legal-doc="usc" parsable-cite="usc/12/5533">12 U.S.C. 5533</external-xref>);</text></subparagraph> <subparagraph id="H20E5D67E1E9F4E94AD1E34EAF36168FB"><enum>(C)</enum><text>to comply with a request from a consumer reporting agency (as defined in section 603(f) of the Fair Credit Reporting Act (<external-xref legal-doc="usc" parsable-cite="usc/15/1681a">15 U.S.C. 1681a(f)</external-xref>)) to the extent the consumer reporting agency is engaged in activities subject to the Fair Credit Reporting Act;</text></subparagraph> <subparagraph id="H3F6EFABF901A4491BE26E08CCF5CCCB8"><enum>(D)</enum><text>to an agency with regulatory jurisdiction over the financial institution; </text></subparagraph> <subparagraph id="H1789CC20C2C34B678A45CBA4F494A3C4"><enum>(E)</enum><text>to a self-regulatory organization of which the financial institution is a member;</text></subparagraph> <subparagraph id="H0BB50B99781040A1877A10E09872BDE1"><enum>(F)</enum><text>as otherwise permitted or required by this subtitle; or</text></subparagraph> <subparagraph id="H9E96DEF4F90D4C3B8F60AF0EE268205E"><enum>(G)</enum><text>as otherwise required by law.</text></subparagraph></paragraph></subsection><after-quoted-block>.</after-quoted-block></quoted-block></paragraph></subsection> <subsection id="H6D6C3A05E14D432B948AF68370050137"><enum>(b)</enum><header>Effective date</header><text display-inline="yes-display-inline">This section shall take effect 2 years after the date of enactment of this Act.</text></subsection></section> <section id="HB7677994B44942FBBA7A43193F8B1642"><enum>103.</enum><header>Continuing consumer opt out right</header><text display-inline="no-display-inline">Section 502(b)(1) of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6802">15 U.S.C. 6802(b)(1)</external-xref>) is amended—</text> <paragraph id="H7ACF954C3C4E4B53A4D502C7A80868E7"><enum>(1)</enum><text display-inline="yes-display-inline">in subparagraph (B), by inserting after <quote>initially disclosed</quote> the following: <quote>and with that opportunity exercisable by the consumer at any time thereafter</quote>; and</text></paragraph> <paragraph id="HEEC2AF186A014FB88469A4FCD9AEB550"><enum>(2)</enum><text display-inline="yes-display-inline">in subparagraph (C), by inserting before the period at the end the following: <quote>before the time that such information is initially disclosed and with that explanation accessible to the consumer at any time thereafter</quote>.</text></paragraph></section> <section id="H35AA337FD95E4D118EF75F9216E05431"><enum>104.</enum><header>Limits on use of consumer access credentials</header> <subsection id="H61A3EC94170942428CADF6426870D294"><enum>(a)</enum><header>In general</header><text display-inline="yes-display-inline">Section 502 of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6802">15 U.S.C. 6802</external-xref>), as amended by section 102(3), is further amended by adding at the end the following:</text> <quoted-block style="OLC" id="H33C18D1D996C4E2FA45362F139A5EB71" display-inline="no-display-inline"> <subsection id="H3DAD1C42D0D04A0E9338ADEFDF3DAF54"><enum>(g)</enum><header>Limits on use of consumer access credentials</header> <paragraph id="H4C796E71B579409F904938A239152BB3"><enum>(1)</enum><header>Notice and opt out</header><text display-inline="yes-display-inline">A financial data aggregator or nonaffiliated third party may not use the access credentials of a consumer to access an electronic form of the consumer’s account at, or otherwise obtain an electronic form of nonpublic personal information of the consumer from, a financial institution unless—</text> <subparagraph id="HBBEC6B58B3EB464692D1B0DB60B59F99"><enum>(A)</enum><text display-inline="yes-display-inline">before the time that such access credentials are initially collected, the financial data aggregator or nonaffiliated third party provides a clear and conspicuous disclosure to such consumer that includes—</text> <clause id="H12B0044557624C51A5BD3BD2CFA1C60A"><enum>(i)</enum><text display-inline="yes-display-inline">how the financial data aggregator or nonaffiliated third party will use such access credentials;</text></clause> <clause id="HB82E1B212584481CAA115153F42AEA1F"><enum>(ii)</enum><text display-inline="yes-display-inline">whether the financial data aggregator or nonaffiliated third party will disclose such access credentials to a third party not affiliated with the financial data aggregator or nonaffiliated third party; and</text></clause> <clause id="HD23DA6969B114DF18FDFE7A565F410A3"><enum>(iii)</enum><text>a notification of—</text> <subclause id="H97ADBF0B08F245D2837D61822F0B929C"><enum>(I)</enum><text>the risks to privacy and security of nonpublic personal information associated with use of access credentials to obtain nonpublic personal information held by a financial institution; and</text></subclause> <subclause id="H41647FAA903748DEB67FA7D64274185F"><enum>(II)</enum><text display-inline="yes-display-inline">the practices of the financial data aggregator or nonaffiliated third party to ensure the privacy and security of nonpublic personal information obtained using access credentials; and</text></subclause></clause></subparagraph> <subparagraph id="HBA60085BDF254D9F8BD951CD213BE333"><enum>(B)</enum><text display-inline="yes-display-inline">the consumer is given the opportunity to direct that such access credentials not be used to access the consumer’s account at, or otherwise obtain nonpublic personal information of the consumer from, the financial institution.</text></subparagraph></paragraph> <paragraph id="H5C59AC0C6FD646C889449601C04C6AC2"><enum>(2)</enum><header>Treatment of access credential-based request</header><text display-inline="yes-display-inline">A financial institution may not deny a disclosure request from a financial data aggregator or a nonaffiliated third party using the access credentials of a consumer if the consumer—</text> <subparagraph id="H8127FD7F5AE44CE6A38FD4D78925D0A3"><enum>(A)</enum><text>has received the disclosure described in paragraph (1)(A); and</text></subparagraph> <subparagraph id="H38864CA81C96454ABD5B538CC08D6D94"><enum>(B)</enum><text>has been given the opportunity to direct that such access credentials not be used, as described in paragraph (1)(B).</text></subparagraph></paragraph> <paragraph id="H964D7E25CC964C5681C892EAB4991511"><enum>(3)</enum><header>Rule of construction</header><text display-inline="yes-display-inline">Notwithstanding paragraphs (1) and (2), when complying with this subsection, a financial institution, financial data aggregator, or nonaffiliated third party shall comply with any requirements of section 1033 of the Consumer Financial Protection Act of 2010 (<external-xref legal-doc="usc" parsable-cite="usc/12/5533">12 U.S.C. 5533</external-xref>) with respect to the use of the access credentials of a consumer to access an electronic form of the consumer’s account at, or otherwise obtain an electronic form of nonpublic personal information of the consumer from, a financial institution.</text></paragraph> </subsection><after-quoted-block>.</after-quoted-block></quoted-block></subsection> <subsection id="HC344DF9996FB43A297380C70D339B32B"><enum>(b)</enum><header>Effective date</header><text display-inline="yes-display-inline">This section shall take effect 1 year after the date of enactment of this Act.</text></subsection></section> <section id="H55D22E367B55481F84B156C76B196BBE"><enum>105.</enum><header>Additional information to be included in notices to consumers</header> <subsection id="H699DD1E3E8A248F3A2AF37E23D9C3E81"><enum>(a)</enum><header>In general</header><text display-inline="yes-display-inline">Section 503(c) of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6803">15 U.S.C. 6803(c)</external-xref>) is amended—</text> <paragraph id="HC7424248F85648F8ABB20F3F738378D8"><enum>(1)</enum><text>in paragraph (3) by striking <quote>and</quote> at the end;</text></paragraph> <paragraph id="H6DFA399FD4B34B999E67D807F30A7084"><enum>(2)</enum><text>by redesignating paragraph (4) as paragraph (11); and</text></paragraph> <paragraph id="H6AA2E83A64C54F17BBA83B27B057D9D6"><enum>(3)</enum><text>by inserting after paragraph (3) the following:</text> <quoted-block id="HED63D1BEEDC04320A8C59C5822EF4DED" style="OLC"> <paragraph id="HB4F8226D79AB4041BF300F134121C922"><enum>(4)</enum><text display-inline="yes-display-inline">the categories of purposes for which the financial institution—</text> <subparagraph id="HB3A890575E444D3490C846608FE5D355"><enum>(A)</enum><text>collects nonpublic personal information; and</text></subparagraph> <subparagraph id="HCA79978F0AD54D46B5A43F91A079EDA7"><enum>(B)</enum><text>discloses nonpublic personal information to a nonaffiliated third party;</text></subparagraph></paragraph> <paragraph id="H2B47A517828D4403BFDA5EB1F827D771"><enum>(5)</enum><text display-inline="yes-display-inline">the categories of practices of the financial institution with respect to the financial institution’s retention of nonpublic personal information;</text></paragraph> <paragraph id="HB73D397B367641F4B15ACFBA60974EA3"><enum>(6)</enum><text display-inline="yes-display-inline">the categories of practices of the financial institution with respect to the financial institution’s use of artificial intelligence in the collection, processing, and utilization of nonpublic personal information;</text></paragraph> <paragraph id="H0879E143677F49AF861E899E29A51B92"><enum>(7)</enum><text display-inline="yes-display-inline">whether any nonpublic personal information of the consumer is processed in, retained in, or disclosed to a covered nation;</text></paragraph> <paragraph id="H0DD159DCD2A845219CAE3FA495E119A4"><enum>(8)</enum><text>an explanation of how a consumer can exercise the option pursuant to section 502(b) to direct that nonpublic personal information not be disclosed to a nonaffiliated third party before the time that such information is initially disclosed and at any time thereafter;</text></paragraph> <paragraph id="H643BA2C57A6A4F729CCE336554AB5DF9"><enum>(9)</enum><text>an explanation of how a customer can exercise the option to request a copy of the disclosure required by subsection (a) pursuant to subsection (g);</text></paragraph> <paragraph id="H7EB2ED38AE6146B1A4E482F613C287F3"><enum>(10)</enum><text display-inline="yes-display-inline">an explanation of how a customer or former customer can exercise the option to request disclosure of nonpublic personal information and how a former customer can exercise the option to request deletion of nonpublic personal information pursuant to section 503A; and</text></paragraph><after-quoted-block>.</after-quoted-block></quoted-block></paragraph></subsection> <subsection id="H166AC54643034E64B1932054BEEDDB40"><enum>(b)</enum><header>Update of model forms</header> <paragraph id="HAF1FA1C2180447DB9B8FB695D992C27C"><enum>(1)</enum><header>In general</header><text display-inline="yes-display-inline">The agencies referred to in section 504(a)(1) of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6804">15 U.S.C. 6804(a)(1)</external-xref>) shall, in consultation with the Federal functional regulators, jointly develop updates to the model form mandated by section 503(e) of such Act.</text> </paragraph> <paragraph id="HC5F79C5DA7A149C7AF2B5EAEBA38C207"><enum>(2)</enum><header>Safe harbor</header><text display-inline="yes-display-inline">During the 2-year period beginning on the date the agencies finalize updates to the model form under paragraph (1), a financial institution shall be deemed to be compliant with section 502(a) of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6802">15 U.S.C. 6802(a)</external-xref>) if the disclosures of the financial institution under section 503 of such Act comply with the model form issued pursuant to section 503(e) in effect on the date of enactment of this Act.</text></paragraph></subsection></section> <section id="H05ED56AFDEDA4FC2B6FD31828CE9F665"><enum>106.</enum><header>Customer access to privacy and disclosure policies</header><text display-inline="no-display-inline">Section 503 of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6803">15 U.S.C. 6803</external-xref>) is amended by inserting at the end the following:</text> <quoted-block style="OLC" id="H646EA8B1919B48729FD4E93563F40662" display-inline="no-display-inline"> <subsection id="H4F4972C8DE494BF5A54389ABACE8EA01"><enum>(g)</enum><header>Customer access to privacy and disclosure policies</header><text>A financial institution shall, upon a customer request, provide such customer with a copy of the disclosure required by subsection (a) in writing or in electronic form or other form permitted by the regulations prescribed under section 504.</text></subsection><after-quoted-block>.</after-quoted-block></quoted-block></section> <section id="H6F44755D700C4B378A4EDAA41935BB4C"><enum>107.</enum><header>Requests for disclosure of or deletion of nonpublic personal information</header> <subsection id="HB3EC0F46897A428A9B0E182DFD40385A"><enum>(a)</enum><header>In general</header><text display-inline="yes-display-inline">Title V of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6801">15 U.S.C. 6801 et seq.</external-xref>) is amended by inserting after section 503 the following:</text> <quoted-block id="H28188C4DC62A4CED9245BAC7E1809F26" style="OLC"> <section id="H34BA17B6CD144E669DA1BA79366AE0AA"><enum>503A.</enum><header>Requests for disclosure of or deletion of nonpublic personal information</header> <subsection id="H0FB6EBEFB3BF4378A53733ACF50E8CF2"><enum>(a)</enum><header>Customer or former customer request for disclosure of nonpublic personal information</header> <paragraph id="H611343D1F692471AB0C0BF6021A99606"><enum>(1)</enum><header>In general</header><text display-inline="yes-display-inline">Upon a request from a customer or former customer of a financial institution, such financial institution shall disclose to the customer or former customer—</text> <subparagraph id="H2DDA0EA6FD514883AFF6A053384C5BCA"><enum>(A)</enum><text display-inline="yes-display-inline">pursuant to the requirements of section 1033 of the Consumer Financial Protection Act of 2010 (<external-xref legal-doc="usc" parsable-cite="usc/12/5533">12 U.S.C. 5533</external-xref>), any nonpublic personal information of the customer or former customer in the control or possession of the financial institution; and</text></subparagraph> <subparagraph id="H8D81682E130041979B544F844E79422A"><enum>(B)</enum><text display-inline="yes-display-inline">a list of the categories of affiliates and nonaffiliated third parties to whom the financial institution has disclosed nonpublic personal information of the customer or former customer (other than disclosures of nonpublic personal information made to an affiliate or a nonaffiliated third party pursuant to an exception under section 502(e)).</text></subparagraph></paragraph> <paragraph id="H061069C2ECB04EA58F603C95E6BE4F72"><enum>(2)</enum><header>Exception</header><text display-inline="yes-display-inline">Paragraph (1) shall not apply to the extent that disclosure of nonpublic personal information to a customer or former customer is prohibited under other provisions of law.</text></paragraph> </subsection> <subsection id="HADFB7BA68F094DF39FDC7F8DC5A8ED0B"><enum>(b)</enum><header>Former customer request for deletion of nonpublic personal information</header> <paragraph id="H32B4C9E480BB45F281A347206B125C77"><enum>(1)</enum><header>In general</header><text>Upon a request from a former customer, a financial institution shall delete any nonpublic personal information of the former customer held by the financial institution.</text> </paragraph> <paragraph id="H6F0CE0DA3BC845438E0D528CC8713FD2"><enum>(2)</enum><header>Former customer deletion request exceptions</header><text>Paragraph (1) shall not require deletion of nonpublic personal information of a former customer by a financial institution where—</text> <subparagraph id="H5C246CFEC47541E3B4B4C5FDE336A33D"><enum>(A)</enum><text>the nonpublic personal information is required to be retained for a continuing purpose pursuant to an exception described under section 502(e);</text></subparagraph> <subparagraph id="HDB40DEA92F034BED8EE988589E27918F"><enum>(B)</enum><text>the holder of the nonpublic personal information is a consumer reporting agency, as defined in section 603(f) of the Fair Credit Reporting Act (<external-xref legal-doc="usc" parsable-cite="usc/15/1681a">15 U.S.C. 1681a(f)</external-xref>), and the nonpublic personal information is held solely to the extent that it is used in activities subject to the Fair Credit Reporting Act;</text></subparagraph> <subparagraph id="H4C78833BA4D54A64A77730A6371ED33E"><enum>(C)</enum><text display-inline="yes-display-inline">the nonpublic personal information is required to be retained to respond to a dispute under the Fair Credit Reporting Act; or</text></subparagraph> <subparagraph id="HF541F368D6704651B566B4737C9149FE"><enum>(D)</enum><text display-inline="yes-display-inline">the nonpublic personal information is required to be retained as otherwise required by law.</text></subparagraph></paragraph> <paragraph id="H2A85D971C9E64FD0A15CCD4D0D989757"><enum>(3)</enum><header>Verification</header> <subparagraph id="HAE56D120878E4B37AF4F62FBB7BC27AE"><enum>(A)</enum><header>In general</header><text>A financial institution shall establish and implement procedures to verify the identity of a former customer submitting a request under paragraph (1) before deleting nonpublic personal information that is the subject of such request.</text></subparagraph> <subparagraph id="H9442A7667F424ADF9183BC23CE1EBD3A"><enum>(B)</enum><header>Requirements</header><text>The procedures established by a financial institution pursuant to subparagraph (A) shall be designed to—</text> <clause id="H94731F62B42945DAB8B9EAE5E69D86DE"><enum>(i)</enum><text>confirm that the individual making the request is the former customer to whom the nonpublic personal information relates;</text></clause> <clause id="HD5A4D3950E404003AC890DAC599303A4"><enum>(ii)</enum><text>protect against unauthorized deletion of nonpublic personal information resulting from fraudulent requests; and</text></clause> <clause id="HE8926F554A05412EA9CB1CE01AE4CB7E"><enum>(iii)</enum><text display-inline="yes-display-inline">protect against deletion of nonpublic personal information resulting from requests made by a former customer in error.</text></clause></subparagraph> <subparagraph id="H3BE4522C61624C5096823A367797B3FE"><enum>(C)</enum><header>Exception</header><text display-inline="yes-display-inline">A financial institution shall not be required to grant a request under paragraph (1) if the financial institution cannot confirm that the identity of the individual making such request is the same as the former customer to whom the nonpublic personal information relates.</text></subparagraph></paragraph> <paragraph id="H0847A7F731974D1F9031F4D6849C5C7C"><enum>(4)</enum><header>Response period</header> <subparagraph id="H6BA9F9845954430F96A7D38EA8FF6565"><enum>(A)</enum><header>In general</header><text display-inline="yes-display-inline">A financial institution shall respond to a former customer submitting a request under paragraph (1) without undue delay, but in all cases within 45 days of receiving such request.</text></subparagraph> <subparagraph id="H4296825DA5074DF8BE9BA24AA3176CAA"><enum>(B)</enum><header>Extension</header><text display-inline="yes-display-inline">A financial institution may extend the response period in subparagraph (A) once for an additional 45 days when necessary, taking into account the complexity and number of requests by the former customer, but must inform the former customer of such extension and the reason for such extension within the initial 45 day response period under subparagraph (A).</text></subparagraph></paragraph> <paragraph id="H1DE6351743E4449AA38D504D71C4AAD3"><enum>(5)</enum><header>Apportionment of costs</header> <subparagraph id="H7A6ACD83947F4EBAA60844DFC833193B"><enum>(A)</enum><header>Initial requests</header><text display-inline="yes-display-inline">A former customer may submit 2 requests per year free of charge to a financial institution under paragraph (1).</text></subparagraph> <subparagraph id="H9EC1E44B086B4151AC35088AFE7DC7E2"><enum>(B)</enum><header>Subsequent requests</header><text>For any request of a former customer under paragraph (1) subsequent to the requests described in subparagraph (A), a financial institution may—</text> <clause id="H900F9151208742EB8CFFD2B7959EB096"><enum>(i)</enum><text>charge the former customer a fee, if the financial institution has notified the former customer of such fee and the former customer has consented to such fee; or</text></clause> <clause id="HD395EA46B60E4F40AC0C43540ACB13E2"><enum>(ii)</enum><text>decline to act on such request, if the former customer does not consent to the fee described under clause (i).</text></clause></subparagraph></paragraph> <paragraph id="H116CD7583AAB4D4085E1834F5D0395FB"><enum>(6)</enum><header>Appeal</header><text>Subject to the exceptions in paragraph (2), a financial institution receiving a request under paragraph (1) shall—</text> <subparagraph id="HE2377CEA84ED4A42AADC3E40E04C817B"><enum>(A)</enum><text>establish a process for a former customer to appeal a determination by a financial institution to deny a request under paragraph (1);</text></subparagraph> <subparagraph id="H9B5F84905FA64D2EA4D867028E3F285E"><enum>(B)</enum><text>make such appeal process under subparagraph (A) clearly and conspicuously disclosed to the former customer in the response required under paragraph (4) if the request under paragraph (1) is to be denied by the financial institution;</text></subparagraph> <subparagraph id="H3DAD3D61BB1B484CB2C3915A7D02B3D6"><enum>(C)</enum><text>respond to such an appeal request by the former customer—</text> <clause id="HDC77147BB9644CC99682153CF3B98375"><enum>(i)</enum><text>not later than 60 days after the date on which such appeal request is received; and</text></clause> <clause id="H6B2ED96C0AFD4AA28B22973212F37885"><enum>(ii)</enum><text>by informing the former customer in writing or in electronic form or other form permitted by the regulations prescribed under section 504 of any action taken in response to the appeal, including an explanation of the reason for each action taken; and</text></clause></subparagraph> <subparagraph id="H69AE7707031544BD98D8A311B67B825C"><enum>(D)</enum><text display-inline="yes-display-inline">if such an appeal is denied, provide the former customer with an online mechanism, if available, or other method through which the former customer may contact the appropriate enforcement agency or authority as described in section 505 to submit a complaint.</text></subparagraph></paragraph></subsection> </section><after-quoted-block>.</after-quoted-block></quoted-block></subsection> <subsection id="H66C68BECF9D64EA1857DDCD29850E9CE"><enum>(b)</enum><header>Effective date</header><text>This section shall take effect 2 years after the date of enactment of this Act.</text></subsection> <subsection id="H39BFE0F55F6045748FD413E9673F62B3"><enum>(c)</enum><header>Clerical amendment</header><text display-inline="yes-display-inline">The table of contents in section 1(b) of the Gramm-Leach-Bliley Act is amended by inserting after the item relating to section 503 the following:</text> <quoted-block style="OLC" id="H5B993D9670BA45BD841712C9A9A7100A" display-inline="no-display-inline"> <toc regeneration="no-regeneration"> <toc-entry level="section">Sec. 503A. Requests for disclosure of or deletion of nonpublic personal information.</toc-entry></toc><after-quoted-block>.</after-quoted-block></quoted-block></subsection></section> <section id="HB6FB6074099D4237986AE7D8F65DF042" commented="no"><enum>108.</enum><header>Opt in for sensitive nonpublic personal information</header> <subsection id="H8FBE2E040239472CA74580E1CC2CE446"><enum>(a)</enum><header>In general</header><text display-inline="yes-display-inline">Section 502 of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6802">15 U.S.C. 6802</external-xref>), as amended by sections 102(3) and 104, is further amended by adding at the end the following:</text> <quoted-block id="HA5A8CDBE6AF844AEB7EACF67AD7FD3BC" style="OLC"> <subsection id="H0319550F3EE847FE85DE7AF14C29603C" commented="no"><enum>(h)</enum><header>Opt in for sensitive nonpublic personal information</header> <paragraph id="HD15BA4598C764076B0B4A1DC4552AC27" commented="no"><enum>(1)</enum><header>In general</header><text display-inline="yes-display-inline">Notwithstanding subsection (b)(1), a financial institution may not collect sensitive nonpublic personal information or disclose sensitive nonpublic personal information to a nonaffiliated third party unless—</text> <subparagraph id="HC541FB60B84D4A8EBEE8810D6BE67C35" commented="no"><enum>(A)</enum><text display-inline="yes-display-inline">such financial institution clearly and conspicuously discloses to the consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 504, that such information may be collected or that such information may be disclosed to such third party;</text></subparagraph> <subparagraph id="H61C8D5A547C743008EB537466E5A9B06" commented="no"><enum>(B)</enum><text display-inline="yes-display-inline">such financial institution obtains the consent of the consumer to collect such information or to disclose such information to such third party before the time that such information is initially collected or disclosed; and</text></subparagraph> <subparagraph id="H37ABC2A399654313A718E5B1597F5C01" commented="no"><enum>(C)</enum><text>the consumer is given an explanation of how the consumer can revoke that consent pursuant to paragraph (2).</text></subparagraph></paragraph> <paragraph id="HC19E82E27D4F4B369633685724286189" commented="no"><enum>(2)</enum><header>Continuing consumer consent revocation right</header><text>A consumer may revoke their consent under paragraph (1)(B) at any time.</text></paragraph> <paragraph id="H24A8DA5C066640D3BC130F8BF6D008B0" commented="no"><enum>(3)</enum><header>Rule of construction</header><text>Paragraph (1) shall not be construed to prevent a financial institution from disclosing sensitive nonpublic personal information—</text> <subparagraph id="HA7F0FE9D34DC4812B1BB21B0F4B57EE2" commented="no"><enum>(A)</enum><text>pursuant to section 502(e)(3)(A);</text></subparagraph> <subparagraph id="H5009246A496A4743A11E5B666FF96D53" commented="no"><enum>(B)</enum><text>pursuant to section 502(e)(3)(B);</text></subparagraph> <subparagraph id="HB089FDE46458480BB5E39407D0321BF5" commented="no"><enum>(C)</enum><text>pursuant to section 502(e)(5); or</text></subparagraph> <subparagraph id="HBD991A0A17BA4FE084EEDAF0ABECADB7" commented="no"><enum>(D)</enum><text>pursuant to section 502(e)(8).</text></subparagraph></paragraph> </subsection><after-quoted-block>.</after-quoted-block></quoted-block></subsection> <subsection id="H1467F530271E4A4890325861A0366C81"><enum>(b)</enum><header>Effective date</header><text display-inline="yes-display-inline">This section shall take effect 1 year after the date of enactment of this Act.</text></subsection></section>

119 HR 8398 IH: GUARD Financial Data Act U.S. House of Representatives 2026-04-21 text/xml EN Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.

Short title; table of contents

(a)

Short title

This Act may be cited as the

Guidelines for Use, Access, and Responsible Disclosure of Financial Data Act

or the GUARD Financial Data Act. (b)

Table of contents

The table of contents for this Act is as follows:

Sec. 1. Short title; table of contents.

Title I—Improvements to Treatment of Consumer Financial Data

Sec. 101. Subtitle and section heading alterations.

Sec. 102. Data minimization.

Sec. 103. Continuing consumer opt out right.

Sec. 104. Limits on use of consumer access credentials.

Sec. 105. Additional information to be included in notices to consumers.

Sec. 106. Customer access to privacy and disclosure policies.

Sec. 107. Requests for disclosure of or deletion of nonpublic personal information.

Sec. 108. Opt in for sensitive nonpublic personal information.

Title II—Regulatory Consideration for Small Financial Institutions

Sec. 201. Regulatory consideration for small financial institutions.

Title III—Relation to Other Laws

Sec. 301. Relation to State laws.

Title IV—Additions to Definitions

Sec. 401. Additions to definitions.

<enum>I</enum><header>Improvements to Treatment of Consumer Financial Data</header> <section id="H121026EE5C8748ABA37A2D196C00D7F4"><enum>101.</enum><header>Subtitle and section heading alterations</header><text display-inline="no-display-inline">The Gramm-Leach-Bliley Act is amended—</text> <paragraph id="HD6EDB1E76352425A81DC8BA5A344A55F"><enum>(1)</enum><text display-inline="yes-display-inline">in title V (<external-xref legal-doc="usc" parsable-cite="usc/15/6801">15 U.S.C. 6801 et seq.</external-xref>)—</text> <subparagraph id="H5172A74EF6D849A2AED9C56AB34E9DBB"><enum>(A)</enum><text display-inline="yes-display-inline">in subtitle A, in the heading of the subtitle, by striking <quote><header-in-text level="subtitle" style="OLC">Disclosure</header-in-text></quote> and inserting <quote><header-in-text level="subtitle" style="OLC">Treatment</header-in-text></quote>; and</text></subparagraph> <subparagraph id="H7D4986501F8F441297A2C81F808AEBED"><enum>(B)</enum><text display-inline="yes-display-inline">in section 502, by striking <quote><header-in-text level="section" style="OLC">DISCLOSURES OF</header-in-text></quote> and inserting <quote><header-in-text level="section" style="OLC">NONPUBLIC</header-in-text></quote>; and</text></subparagraph></paragraph> <paragraph id="HDD700F0CD6DF41CBA3876F469816C3EE"><enum>(2)</enum><text>in the table of contents for such Act—</text> <subparagraph id="HA2597E3EDD46459798CFDF87AFB5DA03"><enum>(A)</enum><text>in the item relating to subtitle A of title V, by striking <quote>Disclosure</quote> and inserting <quote>Treatment</quote>; and</text></subparagraph> <subparagraph id="H2BF243123E9E49BEAA09764078885180"><enum>(B)</enum><text>in the item relating to section 502, by striking <quote>disclosures of</quote> and inserting <quote>nonpublic</quote>.</text></subparagraph></paragraph></section> <section id="H5141D218F3BC4E8C9528193058B96001"><enum>102.</enum><header>Data minimization</header> <subsection id="HEECB45FEA6E149EFB6BF4C3CDB022B6E"><enum>(a)</enum><header>In general</header><text display-inline="yes-display-inline">Section 502 of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6802">15 U.S.C. 6802</external-xref>) is amended—</text> <paragraph id="HFA851C23AEF047E39A7598A7A72813B9"><enum>(1)</enum><text>in subsection (e), by striking <quote>Subsections (a) and (b)</quote> and inserting <quote>Subsections (a), (b), and (f)</quote>;</text></paragraph> <paragraph id="HA7D5C91F08DC4D648E71F69B6CCAE3FC"><enum>(2)</enum><text display-inline="yes-display-inline">in subsection (e), by inserting <quote>collection or</quote> before <quote>disclosure</quote>; and</text></paragraph> <paragraph id="H163B51DC31D14DE2A1EE06F2229BA262"><enum>(3)</enum><text>by adding at the end the following:</text> <quoted-block style="OLC" id="H3A08534D1A4343D5B5302186145E51D3" display-inline="no-display-inline"> <subsection id="H218BF988899F427285FC8BC58511353C"><enum>(f)</enum><header>Data minimization</header> <paragraph id="HD27FB18D72D44A01AB564E90DB21D48C"><enum>(1)</enum><header>In general</header><text display-inline="yes-display-inline">A financial institution shall limit the collection or disclosure of nonpublic personal information to what is adequate, relevant, and reasonably necessary in relation to each purpose for which the nonpublic personal information is collected or disclosed, and if such collection or disclosure is not otherwise prohibited by this subtitle or the amendments made by this subtitle.</text></paragraph> <paragraph id="H1E88344B567E4F70A912A3C654AEC6BE"><enum>(2)</enum><header>Rule of construction</header><text display-inline="yes-display-inline">Nothing in paragraph (1) shall be construed to prevent a financial institution from disclosing nonpublic personal information—</text> <subparagraph id="HCFD355473F5C42C99E0960F457DE478D"><enum>(A)</enum><text>to a nonaffiliated third party pursuant to subsection (b)(2);</text></subparagraph> <subparagraph id="H6431DDF034054879B8931B816639A8B7"><enum>(B)</enum><text display-inline="yes-display-inline">to a nonaffiliated third party as required by section 1033 of the Consumer Financial Protection Act of 2010 (<external-xref legal-doc="usc" parsable-cite="usc/12/5533">12 U.S.C. 5533</external-xref>);</text></subparagraph> <subparagraph id="H20E5D67E1E9F4E94AD1E34EAF36168FB"><enum>(C)</enum><text>to comply with a request from a consumer reporting agency (as defined in section 603(f) of the Fair Credit Reporting Act (<external-xref legal-doc="usc" parsable-cite="usc/15/1681a">15 U.S.C. 1681a(f)</external-xref>)) to the extent the consumer reporting agency is engaged in activities subject to the Fair Credit Reporting Act;</text></subparagraph> <subparagraph id="H3F6EFABF901A4491BE26E08CCF5CCCB8"><enum>(D)</enum><text>to an agency with regulatory jurisdiction over the financial institution; </text></subparagraph> <subparagraph id="H1789CC20C2C34B678A45CBA4F494A3C4"><enum>(E)</enum><text>to a self-regulatory organization of which the financial institution is a member;</text></subparagraph> <subparagraph id="H0BB50B99781040A1877A10E09872BDE1"><enum>(F)</enum><text>as otherwise permitted or required by this subtitle; or</text></subparagraph> <subparagraph id="H9E96DEF4F90D4C3B8F60AF0EE268205E"><enum>(G)</enum><text>as otherwise required by law.</text></subparagraph></paragraph></subsection><after-quoted-block>.</after-quoted-block></quoted-block></paragraph></subsection> <subsection id="H6D6C3A05E14D432B948AF68370050137"><enum>(b)</enum><header>Effective date</header><text display-inline="yes-display-inline">This section shall take effect 2 years after the date of enactment of this Act.</text></subsection></section> <section id="HB7677994B44942FBBA7A43193F8B1642"><enum>103.</enum><header>Continuing consumer opt out right</header><text display-inline="no-display-inline">Section 502(b)(1) of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6802">15 U.S.C. 6802(b)(1)</external-xref>) is amended—</text> <paragraph id="H7ACF954C3C4E4B53A4D502C7A80868E7"><enum>(1)</enum><text display-inline="yes-display-inline">in subparagraph (B), by inserting after <quote>initially disclosed</quote> the following: <quote>and with that opportunity exercisable by the consumer at any time thereafter</quote>; and</text></paragraph> <paragraph id="HEEC2AF186A014FB88469A4FCD9AEB550"><enum>(2)</enum><text display-inline="yes-display-inline">in subparagraph (C), by inserting before the period at the end the following: <quote>before the time that such information is initially disclosed and with that explanation accessible to the consumer at any time thereafter</quote>.</text></paragraph></section> <section id="H35AA337FD95E4D118EF75F9216E05431"><enum>104.</enum><header>Limits on use of consumer access credentials</header> <subsection id="H61A3EC94170942428CADF6426870D294"><enum>(a)</enum><header>In general</header><text display-inline="yes-display-inline">Section 502 of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6802">15 U.S.C. 6802</external-xref>), as amended by section 102(3), is further amended by adding at the end the following:</text> <quoted-block style="OLC" id="H33C18D1D996C4E2FA45362F139A5EB71" display-inline="no-display-inline"> <subsection id="H3DAD1C42D0D04A0E9338ADEFDF3DAF54"><enum>(g)</enum><header>Limits on use of consumer access credentials</header> <paragraph id="H4C796E71B579409F904938A239152BB3"><enum>(1)</enum><header>Notice and opt out</header><text display-inline="yes-display-inline">A financial data aggregator or nonaffiliated third party may not use the access credentials of a consumer to access an electronic form of the consumer’s account at, or otherwise obtain an electronic form of nonpublic personal information of the consumer from, a financial institution unless—</text> <subparagraph id="HBBEC6B58B3EB464692D1B0DB60B59F99"><enum>(A)</enum><text display-inline="yes-display-inline">before the time that such access credentials are initially collected, the financial data aggregator or nonaffiliated third party provides a clear and conspicuous disclosure to such consumer that includes—</text> <clause id="H12B0044557624C51A5BD3BD2CFA1C60A"><enum>(i)</enum><text display-inline="yes-display-inline">how the financial data aggregator or nonaffiliated third party will use such access credentials;</text></clause> <clause id="HB82E1B212584481CAA115153F42AEA1F"><enum>(ii)</enum><text display-inline="yes-display-inline">whether the financial data aggregator or nonaffiliated third party will disclose such access credentials to a third party not affiliated with the financial data aggregator or nonaffiliated third party; and</text></clause> <clause id="HD23DA6969B114DF18FDFE7A565F410A3"><enum>(iii)</enum><text>a notification of—</text> <subclause id="H97ADBF0B08F245D2837D61822F0B929C"><enum>(I)</enum><text>the risks to privacy and security of nonpublic personal information associated with use of access credentials to obtain nonpublic personal information held by a financial institution; and</text></subclause> <subclause id="H41647FAA903748DEB67FA7D64274185F"><enum>(II)</enum><text display-inline="yes-display-inline">the practices of the financial data aggregator or nonaffiliated third party to ensure the privacy and security of nonpublic personal information obtained using access credentials; and</text></subclause></clause></subparagraph> <subparagraph id="HBA60085BDF254D9F8BD951CD213BE333"><enum>(B)</enum><text display-inline="yes-display-inline">the consumer is given the opportunity to direct that such access credentials not be used to access the consumer’s account at, or otherwise obtain nonpublic personal information of the consumer from, the financial institution.</text></subparagraph></paragraph> <paragraph id="H5C59AC0C6FD646C889449601C04C6AC2"><enum>(2)</enum><header>Treatment of access credential-based request</header><text display-inline="yes-display-inline">A financial institution may not deny a disclosure request from a financial data aggregator or a nonaffiliated third party using the access credentials of a consumer if the consumer—</text> <subparagraph id="H8127FD7F5AE44CE6A38FD4D78925D0A3"><enum>(A)</enum><text>has received the disclosure described in paragraph (1)(A); and</text></subparagraph> <subparagraph id="H38864CA81C96454ABD5B538CC08D6D94"><enum>(B)</enum><text>has been given the opportunity to direct that such access credentials not be used, as described in paragraph (1)(B).</text></subparagraph></paragraph> <paragraph id="H964D7E25CC964C5681C892EAB4991511"><enum>(3)</enum><header>Rule of construction</header><text display-inline="yes-display-inline">Notwithstanding paragraphs (1) and (2), when complying with this subsection, a financial institution, financial data aggregator, or nonaffiliated third party shall comply with any requirements of section 1033 of the Consumer Financial Protection Act of 2010 (<external-xref legal-doc="usc" parsable-cite="usc/12/5533">12 U.S.C. 5533</external-xref>) with respect to the use of the access credentials of a consumer to access an electronic form of the consumer’s account at, or otherwise obtain an electronic form of nonpublic personal information of the consumer from, a financial institution.</text></paragraph> </subsection><after-quoted-block>.</after-quoted-block></quoted-block></subsection> <subsection id="HC344DF9996FB43A297380C70D339B32B"><enum>(b)</enum><header>Effective date</header><text display-inline="yes-display-inline">This section shall take effect 1 year after the date of enactment of this Act.</text></subsection></section> <section id="H55D22E367B55481F84B156C76B196BBE"><enum>105.</enum><header>Additional information to be included in notices to consumers</header> <subsection id="H699DD1E3E8A248F3A2AF37E23D9C3E81"><enum>(a)</enum><header>In general</header><text display-inline="yes-display-inline">Section 503(c) of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6803">15 U.S.C. 6803(c)</external-xref>) is amended—</text> <paragraph id="HC7424248F85648F8ABB20F3F738378D8"><enum>(1)</enum><text>in paragraph (3) by striking <quote>and</quote> at the end;</text></paragraph> <paragraph id="H6DFA399FD4B34B999E67D807F30A7084"><enum>(2)</enum><text>by redesignating paragraph (4) as paragraph (11); and</text></paragraph> <paragraph id="H6AA2E83A64C54F17BBA83B27B057D9D6"><enum>(3)</enum><text>by inserting after paragraph (3) the following:</text> <quoted-block id="HED63D1BEEDC04320A8C59C5822EF4DED" style="OLC"> <paragraph id="HB4F8226D79AB4041BF300F134121C922"><enum>(4)</enum><text display-inline="yes-display-inline">the categories of purposes for which the financial institution—</text> <subparagraph id="HB3A890575E444D3490C846608FE5D355"><enum>(A)</enum><text>collects nonpublic personal information; and</text></subparagraph> <subparagraph id="HCA79978F0AD54D46B5A43F91A079EDA7"><enum>(B)</enum><text>discloses nonpublic personal information to a nonaffiliated third party;</text></subparagraph></paragraph> <paragraph id="H2B47A517828D4403BFDA5EB1F827D771"><enum>(5)</enum><text display-inline="yes-display-inline">the categories of practices of the financial institution with respect to the financial institution’s retention of nonpublic personal information;</text></paragraph> <paragraph id="HB73D397B367641F4B15ACFBA60974EA3"><enum>(6)</enum><text display-inline="yes-display-inline">the categories of practices of the financial institution with respect to the financial institution’s use of artificial intelligence in the collection, processing, and utilization of nonpublic personal information;</text></paragraph> <paragraph id="H0879E143677F49AF861E899E29A51B92"><enum>(7)</enum><text display-inline="yes-display-inline">whether any nonpublic personal information of the consumer is processed in, retained in, or disclosed to a covered nation;</text></paragraph> <paragraph id="H0DD159DCD2A845219CAE3FA495E119A4"><enum>(8)</enum><text>an explanation of how a consumer can exercise the option pursuant to section 502(b) to direct that nonpublic personal information not be disclosed to a nonaffiliated third party before the time that such information is initially disclosed and at any time thereafter;</text></paragraph> <paragraph id="H643BA2C57A6A4F729CCE336554AB5DF9"><enum>(9)</enum><text>an explanation of how a customer can exercise the option to request a copy of the disclosure required by subsection (a) pursuant to subsection (g);</text></paragraph> <paragraph id="H7EB2ED38AE6146B1A4E482F613C287F3"><enum>(10)</enum><text display-inline="yes-display-inline">an explanation of how a customer or former customer can exercise the option to request disclosure of nonpublic personal information and how a former customer can exercise the option to request deletion of nonpublic personal information pursuant to section 503A; and</text></paragraph><after-quoted-block>.</after-quoted-block></quoted-block></paragraph></subsection> <subsection id="H166AC54643034E64B1932054BEEDDB40"><enum>(b)</enum><header>Update of model forms</header> <paragraph id="HAF1FA1C2180447DB9B8FB695D992C27C"><enum>(1)</enum><header>In general</header><text display-inline="yes-display-inline">The agencies referred to in section 504(a)(1) of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6804">15 U.S.C. 6804(a)(1)</external-xref>) shall, in consultation with the Federal functional regulators, jointly develop updates to the model form mandated by section 503(e) of such Act.</text> </paragraph> <paragraph id="HC5F79C5DA7A149C7AF2B5EAEBA38C207"><enum>(2)</enum><header>Safe harbor</header><text display-inline="yes-display-inline">During the 2-year period beginning on the date the agencies finalize updates to the model form under paragraph (1), a financial institution shall be deemed to be compliant with section 502(a) of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6802">15 U.S.C. 6802(a)</external-xref>) if the disclosures of the financial institution under section 503 of such Act comply with the model form issued pursuant to section 503(e) in effect on the date of enactment of this Act.</text></paragraph></subsection></section> <section id="H05ED56AFDEDA4FC2B6FD31828CE9F665"><enum>106.</enum><header>Customer access to privacy and disclosure policies</header><text display-inline="no-display-inline">Section 503 of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6803">15 U.S.C. 6803</external-xref>) is amended by inserting at the end the following:</text> <quoted-block style="OLC" id="H646EA8B1919B48729FD4E93563F40662" display-inline="no-display-inline"> <subsection id="H4F4972C8DE494BF5A54389ABACE8EA01"><enum>(g)</enum><header>Customer access to privacy and disclosure policies</header><text>A financial institution shall, upon a customer request, provide such customer with a copy of the disclosure required by subsection (a) in writing or in electronic form or other form permitted by the regulations prescribed under section 504.</text></subsection><after-quoted-block>.</after-quoted-block></quoted-block></section> <section id="H6F44755D700C4B378A4EDAA41935BB4C"><enum>107.</enum><header>Requests for disclosure of or deletion of nonpublic personal information</header> <subsection id="HB3EC0F46897A428A9B0E182DFD40385A"><enum>(a)</enum><header>In general</header><text display-inline="yes-display-inline">Title V of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6801">15 U.S.C. 6801 et seq.</external-xref>) is amended by inserting after section 503 the following:</text> <quoted-block id="H28188C4DC62A4CED9245BAC7E1809F26" style="OLC"> <section id="H34BA17B6CD144E669DA1BA79366AE0AA"><enum>503A.</enum><header>Requests for disclosure of or deletion of nonpublic personal information</header> <subsection id="H0FB6EBEFB3BF4378A53733ACF50E8CF2"><enum>(a)</enum><header>Customer or former customer request for disclosure of nonpublic personal information</header> <paragraph id="H611343D1F692471AB0C0BF6021A99606"><enum>(1)</enum><header>In general</header><text display-inline="yes-display-inline">Upon a request from a customer or former customer of a financial institution, such financial institution shall disclose to the customer or former customer—</text> <subparagraph id="H2DDA0EA6FD514883AFF6A053384C5BCA"><enum>(A)</enum><text display-inline="yes-display-inline">pursuant to the requirements of section 1033 of the Consumer Financial Protection Act of 2010 (<external-xref legal-doc="usc" parsable-cite="usc/12/5533">12 U.S.C. 5533</external-xref>), any nonpublic personal information of the customer or former customer in the control or possession of the financial institution; and</text></subparagraph> <subparagraph id="H8D81682E130041979B544F844E79422A"><enum>(B)</enum><text display-inline="yes-display-inline">a list of the categories of affiliates and nonaffiliated third parties to whom the financial institution has disclosed nonpublic personal information of the customer or former customer (other than disclosures of nonpublic personal information made to an affiliate or a nonaffiliated third party pursuant to an exception under section 502(e)).</text></subparagraph></paragraph> <paragraph id="H061069C2ECB04EA58F603C95E6BE4F72"><enum>(2)</enum><header>Exception</header><text display-inline="yes-display-inline">Paragraph (1) shall not apply to the extent that disclosure of nonpublic personal information to a customer or former customer is prohibited under other provisions of law.</text></paragraph> </subsection> <subsection id="HADFB7BA68F094DF39FDC7F8DC5A8ED0B"><enum>(b)</enum><header>Former customer request for deletion of nonpublic personal information</header> <paragraph id="H32B4C9E480BB45F281A347206B125C77"><enum>(1)</enum><header>In general</header><text>Upon a request from a former customer, a financial institution shall delete any nonpublic personal information of the former customer held by the financial institution.</text> </paragraph> <paragraph id="H6F0CE0DA3BC845438E0D528CC8713FD2"><enum>(2)</enum><header>Former customer deletion request exceptions</header><text>Paragraph (1) shall not require deletion of nonpublic personal information of a former customer by a financial institution where—</text> <subparagraph id="H5C246CFEC47541E3B4B4C5FDE336A33D"><enum>(A)</enum><text>the nonpublic personal information is required to be retained for a continuing purpose pursuant to an exception described under section 502(e);</text></subparagraph> <subparagraph id="HDB40DEA92F034BED8EE988589E27918F"><enum>(B)</enum><text>the holder of the nonpublic personal information is a consumer reporting agency, as defined in section 603(f) of the Fair Credit Reporting Act (<external-xref legal-doc="usc" parsable-cite="usc/15/1681a">15 U.S.C. 1681a(f)</external-xref>), and the nonpublic personal information is held solely to the extent that it is used in activities subject to the Fair Credit Reporting Act;</text></subparagraph> <subparagraph id="H4C78833BA4D54A64A77730A6371ED33E"><enum>(C)</enum><text display-inline="yes-display-inline">the nonpublic personal information is required to be retained to respond to a dispute under the Fair Credit Reporting Act; or</text></subparagraph> <subparagraph id="HF541F368D6704651B566B4737C9149FE"><enum>(D)</enum><text display-inline="yes-display-inline">the nonpublic personal information is required to be retained as otherwise required by law.</text></subparagraph></paragraph> <paragraph id="H2A85D971C9E64FD0A15CCD4D0D989757"><enum>(3)</enum><header>Verification</header> <subparagraph id="HAE56D120878E4B37AF4F62FBB7BC27AE"><enum>(A)</enum><header>In general</header><text>A financial institution shall establish and implement procedures to verify the identity of a former customer submitting a request under paragraph (1) before deleting nonpublic personal information that is the subject of such request.</text></subparagraph> <subparagraph id="H9442A7667F424ADF9183BC23CE1EBD3A"><enum>(B)</enum><header>Requirements</header><text>The procedures established by a financial institution pursuant to subparagraph (A) shall be designed to—</text> <clause id="H94731F62B42945DAB8B9EAE5E69D86DE"><enum>(i)</enum><text>confirm that the individual making the request is the former customer to whom the nonpublic personal information relates;</text></clause> <clause id="HD5A4D3950E404003AC890DAC599303A4"><enum>(ii)</enum><text>protect against unauthorized deletion of nonpublic personal information resulting from fraudulent requests; and</text></clause> <clause id="HE8926F554A05412EA9CB1CE01AE4CB7E"><enum>(iii)</enum><text display-inline="yes-display-inline">protect against deletion of nonpublic personal information resulting from requests made by a former customer in error.</text></clause></subparagraph> <subparagraph id="H3BE4522C61624C5096823A367797B3FE"><enum>(C)</enum><header>Exception</header><text display-inline="yes-display-inline">A financial institution shall not be required to grant a request under paragraph (1) if the financial institution cannot confirm that the identity of the individual making such request is the same as the former customer to whom the nonpublic personal information relates.</text></subparagraph></paragraph> <paragraph id="H0847A7F731974D1F9031F4D6849C5C7C"><enum>(4)</enum><header>Response period</header> <subparagraph id="H6BA9F9845954430F96A7D38EA8FF6565"><enum>(A)</enum><header>In general</header><text display-inline="yes-display-inline">A financial institution shall respond to a former customer submitting a request under paragraph (1) without undue delay, but in all cases within 45 days of receiving such request.</text></subparagraph> <subparagraph id="H4296825DA5074DF8BE9BA24AA3176CAA"><enum>(B)</enum><header>Extension</header><text display-inline="yes-display-inline">A financial institution may extend the response period in subparagraph (A) once for an additional 45 days when necessary, taking into account the complexity and number of requests by the former customer, but must inform the former customer of such extension and the reason for such extension within the initial 45 day response period under subparagraph (A).</text></subparagraph></paragraph> <paragraph id="H1DE6351743E4449AA38D504D71C4AAD3"><enum>(5)</enum><header>Apportionment of costs</header> <subparagraph id="H7A6ACD83947F4EBAA60844DFC833193B"><enum>(A)</enum><header>Initial requests</header><text display-inline="yes-display-inline">A former customer may submit 2 requests per year free of charge to a financial institution under paragraph (1).</text></subparagraph> <subparagraph id="H9EC1E44B086B4151AC35088AFE7DC7E2"><enum>(B)</enum><header>Subsequent requests</header><text>For any request of a former customer under paragraph (1) subsequent to the requests described in subparagraph (A), a financial institution may—</text> <clause id="H900F9151208742EB8CFFD2B7959EB096"><enum>(i)</enum><text>charge the former customer a fee, if the financial institution has notified the former customer of such fee and the former customer has consented to such fee; or</text></clause> <clause id="HD395EA46B60E4F40AC0C43540ACB13E2"><enum>(ii)</enum><text>decline to act on such request, if the former customer does not consent to the fee described under clause (i).</text></clause></subparagraph></paragraph> <paragraph id="H116CD7583AAB4D4085E1834F5D0395FB"><enum>(6)</enum><header>Appeal</header><text>Subject to the exceptions in paragraph (2), a financial institution receiving a request under paragraph (1) shall—</text> <subparagraph id="HE2377CEA84ED4A42AADC3E40E04C817B"><enum>(A)</enum><text>establish a process for a former customer to appeal a determination by a financial institution to deny a request under paragraph (1);</text></subparagraph> <subparagraph id="H9B5F84905FA64D2EA4D867028E3F285E"><enum>(B)</enum><text>make such appeal process under subparagraph (A) clearly and conspicuously disclosed to the former customer in the response required under paragraph (4) if the request under paragraph (1) is to be denied by the financial institution;</text></subparagraph> <subparagraph id="H3DAD3D61BB1B484CB2C3915A7D02B3D6"><enum>(C)</enum><text>respond to such an appeal request by the former customer—</text> <clause id="HDC77147BB9644CC99682153CF3B98375"><enum>(i)</enum><text>not later than 60 days after the date on which such appeal request is received; and</text></clause> <clause id="H6B2ED96C0AFD4AA28B22973212F37885"><enum>(ii)</enum><text>by informing the former customer in writing or in electronic form or other form permitted by the regulations prescribed under section 504 of any action taken in response to the appeal, including an explanation of the reason for each action taken; and</text></clause></subparagraph> <subparagraph id="H69AE7707031544BD98D8A311B67B825C"><enum>(D)</enum><text display-inline="yes-display-inline">if such an appeal is denied, provide the former customer with an online mechanism, if available, or other method through which the former customer may contact the appropriate enforcement agency or authority as described in section 505 to submit a complaint.</text></subparagraph></paragraph></subsection> </section><after-quoted-block>.</after-quoted-block></quoted-block></subsection> <subsection id="H66C68BECF9D64EA1857DDCD29850E9CE"><enum>(b)</enum><header>Effective date</header><text>This section shall take effect 2 years after the date of enactment of this Act.</text></subsection> <subsection id="H39BFE0F55F6045748FD413E9673F62B3"><enum>(c)</enum><header>Clerical amendment</header><text display-inline="yes-display-inline">The table of contents in section 1(b) of the Gramm-Leach-Bliley Act is amended by inserting after the item relating to section 503 the following:</text> <quoted-block style="OLC" id="H5B993D9670BA45BD841712C9A9A7100A" display-inline="no-display-inline"> <toc regeneration="no-regeneration"> <toc-entry level="section">Sec. 503A. Requests for disclosure of or deletion of nonpublic personal information.</toc-entry></toc><after-quoted-block>.</after-quoted-block></quoted-block></subsection></section> <section id="HB6FB6074099D4237986AE7D8F65DF042" commented="no"><enum>108.</enum><header>Opt in for sensitive nonpublic personal information</header> <subsection id="H8FBE2E040239472CA74580E1CC2CE446"><enum>(a)</enum><header>In general</header><text display-inline="yes-display-inline">Section 502 of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6802">15 U.S.C. 6802</external-xref>), as amended by sections 102(3) and 104, is further amended by adding at the end the following:</text> <quoted-block id="HA5A8CDBE6AF844AEB7EACF67AD7FD3BC" style="OLC"> <subsection id="H0319550F3EE847FE85DE7AF14C29603C" commented="no"><enum>(h)</enum><header>Opt in for sensitive nonpublic personal information</header> <paragraph id="HD15BA4598C764076B0B4A1DC4552AC27" commented="no"><enum>(1)</enum><header>In general</header><text display-inline="yes-display-inline">Notwithstanding subsection (b)(1), a financial institution may not collect sensitive nonpublic personal information or disclose sensitive nonpublic personal information to a nonaffiliated third party unless—</text> <subparagraph id="HC541FB60B84D4A8EBEE8810D6BE67C35" commented="no"><enum>(A)</enum><text display-inline="yes-display-inline">such financial institution clearly and conspicuously discloses to the consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 504, that such information may be collected or that such information may be disclosed to such third party;</text></subparagraph> <subparagraph id="H61C8D5A547C743008EB537466E5A9B06" commented="no"><enum>(B)</enum><text display-inline="yes-display-inline">such financial institution obtains the consent of the consumer to collect such information or to disclose such information to such third party before the time that such information is initially collected or disclosed; and</text></subparagraph> <subparagraph id="H37ABC2A399654313A718E5B1597F5C01" commented="no"><enum>(C)</enum><text>the consumer is given an explanation of how the consumer can revoke that consent pursuant to paragraph (2).</text></subparagraph></paragraph> <paragraph id="HC19E82E27D4F4B369633685724286189" commented="no"><enum>(2)</enum><header>Continuing consumer consent revocation right</header><text>A consumer may revoke their consent under paragraph (1)(B) at any time.</text></paragraph> <paragraph id="H24A8DA5C066640D3BC130F8BF6D008B0" commented="no"><enum>(3)</enum><header>Rule of construction</header><text>Paragraph (1) shall not be construed to prevent a financial institution from disclosing sensitive nonpublic personal information—</text> <subparagraph id="HA7F0FE9D34DC4812B1BB21B0F4B57EE2" commented="no"><enum>(A)</enum><text>pursuant to section 502(e)(3)(A);</text></subparagraph> <subparagraph id="H5009246A496A4743A11E5B666FF96D53" commented="no"><enum>(B)</enum><text>pursuant to section 502(e)(3)(B);</text></subparagraph> <subparagraph id="HB089FDE46458480BB5E39407D0321BF5" commented="no"><enum>(C)</enum><text>pursuant to section 502(e)(5); or</text></subparagraph> <subparagraph id="HBD991A0A17BA4FE084EEDAF0ABECADB7" commented="no"><enum>(D)</enum><text>pursuant to section 502(e)(8).</text></subparagraph></paragraph> </subsection><after-quoted-block>.</after-quoted-block></quoted-block></subsection> <subsection id="H1467F530271E4A4890325861A0366C81"><enum>(b)</enum><header>Effective date</header><text display-inline="yes-display-inline">This section shall take effect 1 year after the date of enactment of this Act.</text></subsection></section> <enum>II</enum><header>Regulatory Consideration for Small Financial Institutions</header> <section id="H9948A36BACF94E6AAB42283C6518D874"><enum>201.</enum><header>Regulatory consideration for small financial institutions</header><text display-inline="no-display-inline">Section 504 of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6804">15 U.S.C. 6804</external-xref>) is amended by adding at the end the following:</text> <quoted-block style="OLC" id="H23FE0FF6A1DC46868AD49D8185AC624C" display-inline="no-display-inline"> <subsection id="H439A3306ED2A4038BD13E4B1C73D9462"><enum>(c)</enum><header>Consideration of effects on financial institutions with $15,000,000,000 or less in assets</header> <paragraph id="H45722898AD484CBDA299C6C57415F560"><enum>(1)</enum><header>In general</header><text>Each of the agencies authorized under subsection (a)(1) to prescribe regulations shall take into account the effects of the regulations on financial institutions with $15,000,000,000 or less in assets, including the resource, technical, and personnel limitations of such financial institutions to comply with the regulations and the regulatory compliance costs relative to the size, complexity, financial activities, revenues, and noncompliance costs of such financial institutions.</text></paragraph> <paragraph id="HB329361C9E60441CBAED9E1CDC150DA7"><enum>(2)</enum><header>Threshold adjustment</header><text display-inline="yes-display-inline">By April 1, 2031, and the 1st day of each subsequent 5-year period, the agencies authorized under subsection (a)(1) to prescribe regulations shall increase the threshold described in paragraph (1) by the ratio, if greater than 1, of the annual value of current-dollar United States gross domestic product, published by the Department of Commerce, for the calendar year preceding the year in which the adjustment is calculated under this section, to the published annual value of such index for the calendar year preceding April 1, 2026.</text></paragraph></subsection><after-quoted-block>.</after-quoted-block></quoted-block></section> <enum>III</enum><header>Relation to Other Laws</header> <section id="H4D020939D91B4591AE82325EAC590C06"><enum>301.</enum><header>Relation to State laws</header><text display-inline="no-display-inline">Section 507 of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6807">15 U.S.C. 6807</external-xref>) is amended to read as follows:</text> <quoted-block style="OLC" id="HB155632792E043C59F5E6441BE5DB112" display-inline="no-display-inline"> <section id="H469EDDC3921844C190F7DD18A4B87D64" commented="no"><enum>507.</enum><header>Relation to State laws</header> <subsection id="H883E0B77C6664F0391F0002ABB23856F"><enum>(a)</enum><header>In general</header><text display-inline="yes-display-inline">This subtitle and the amendments made by this subtitle shall supersede and preempt the application of any State statute, regulation, order, interpretation, or other law that establishes consumer data privacy or security requirements to nonpublic personal information subject to this subtitle. This subtitle and the amendments made by this subtitle shall supersede and preempt the application of any State statute, regulation, order, interpretation, or other law that establishes consumer data privacy or security requirements to a financial institution subject to this subtitle.</text></subsection> <subsection id="H078E74D7DFDC4315B34C251AD51FF271"><enum>(b)</enum><header>Regulation and enforcement by State insurance authorities</header><text display-inline="yes-display-inline">Subsection (a) shall not be construed to alter, affect, or otherwise limit the authority of a State insurance authority to enforce this subtitle pursuant to section 505 or to adopt regulations to carry out this subtitle pursuant to section 504 in a manner consistent and comparable with, and not more restrictive than, the regulations prescribed by the Federal agencies authorized to prescribe regulations under section 504 as required by section 504(a)(2).</text></subsection></section><after-quoted-block>.</after-quoted-block></quoted-block></section> <enum>IV</enum><header>Additions to Definitions</header> <section id="H2B9E2C5DD9C34E618CFCF6B9D192BBB2"><enum>401.</enum><header>Additions to definitions</header><text display-inline="no-display-inline">Section 509 of the Gramm-Leach-Bliley Act (<external-xref legal-doc="usc" parsable-cite="usc/15/6809">15 U.S.C. 6809</external-xref>) is amended—</text> <paragraph id="HA1876FBFAA3C43DF952569B188D20676"><enum>(1)</enum><text>in paragraph (3)(A), by inserting before the period at the end the following: <quote>or a financial data aggregator</quote>;</text></paragraph> <paragraph id="HB8C8DEE2E51C4FE1A16CCDB3E202D42D"><enum>(2)</enum><text>by amending paragraph (4)(A) to read as follows:</text> <quoted-block style="OLC" id="HF07E782A665543C4B9795A9A99182D2B" display-inline="no-display-inline"> <subparagraph id="H37B4B388CE074F208616132AAA269ABE"><enum>(A)</enum><text display-inline="yes-display-inline">The term <term>nonpublic personal information</term> means—</text> <clause id="H7D925C693DEA4CA2899EFCABD85522F6"><enum>(i)</enum><text>personally identifiable financial information—</text> <subclause id="H0325F4E9132846BA8C5E627DDC31EC92"><enum>(I)</enum><text>provided by a consumer to a financial institution;</text></subclause> <subclause id="H400F1A671644469287CB69437934BF10"><enum>(II)</enum><text>resulting from any transaction with the consumer or any service performed for the consumer; or</text></subclause> <subclause id="H22E6DEAE7B204BA3ADD0C672FCBC134D"><enum>(III)</enum><text>otherwise obtained by the financial institution;</text></subclause></clause> <clause id="H4ECD93FA520F4BD8ABCB7BCA6CBB96A8"><enum>(ii)</enum><text display-inline="yes-display-inline">access credentials; and</text></clause> <clause id="HD6E73D7DE22043219F0D5DF0EFF1D25A"><enum>(iii)</enum><text display-inline="yes-display-inline">when used by a financial institution while engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (<external-xref legal-doc="usc" parsable-cite="usc/12/1843">12 U.S.C. 1843(k)</external-xref>)—</text> <subclause id="H86D2958C09AE470AA76A792F61155C0F"><enum>(I)</enum><text>biometric data; and</text></subclause> <subclause id="H18F8365D3FB349D48C1A4AB0531A3C3B"><enum>(II)</enum><text>precise geolocation data.</text> </subclause></clause> </subparagraph><after-quoted-block>;</after-quoted-block></quoted-block></paragraph> <paragraph id="H9B30FE499753427583ACEBC0B230255E"><enum>(3)</enum><text>in paragraph (11), by striking <quote><header-in-text level="paragraph" style="OLC">Customer</header-in-text></quote> and inserting <quote><header-in-text level="paragraph" style="OLC">Time of establishing a customer</header-in-text></quote>; and</text></paragraph> <paragraph id="HF5B3056CD4C446869AB7990C0A433A2C"><enum>(4)</enum><text display-inline="yes-display-inline">by adding at the end the following:</text> <quoted-block id="HD8CCB072431046C3A08222EFDC0256F8" style="OLC"> <paragraph id="H4057543DD75B41EFA226CBF97832F017"><enum>(12)</enum><header>Access credentials</header><text display-inline="yes-display-inline">The term <term>access credentials</term> means personally identifiable nonfinancial information that a consumer uses to access an account of such consumer at a financial institution, including a username, password, personal identification number, access code, answer to a security question, or a substantially similar item of personally identifiable nonfinancial information.</text></paragraph> <paragraph id="HF23DA8BB63E44D7DAC4485EDD27D9B02"><enum>(13)</enum><header>Artificial intelligence</header><text>The term <term>artificial intelligence</term> has the meaning given such term in section 5002 of the National Artificial Intelligence Initiative Act of 2020 (<external-xref legal-doc="usc" parsable-cite="usc/15/9401">15 U.S.C. 9401</external-xref>).</text></paragraph> <paragraph id="H0E1327C74C0C43C1B7907D65AE00DB80"><enum>(14)</enum><header>Biometric data</header><text display-inline="yes-display-inline">The term <term>biometric data</term>—</text> <subparagraph id="H1E9F5FECD3974BE491A923B82B5ACC5E"><enum>(A)</enum><text>means personally identifiable nonfinancial information of a consumer generated by automatic measurements of biological characteristics, including a fingerprint, voiceprint, eye retinas, eye irises, or other unique biological patterns or characteristics that are used to identify a specific consumer; and</text></subparagraph> <subparagraph id="HE015833220404D24A497217BBDDEF461"><enum>(B)</enum><text>does not include a physical or digital photograph, a video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under the Health Insurance Portability and Accountability Act or the amendments made by that Act.</text></subparagraph></paragraph> <paragraph id="HA2065482C95E452FBEE50153583C2E0A" commented="no" display-inline="no-display-inline"><enum>(15)</enum><header>Consent</header><text display-inline="yes-display-inline">The term <term>consent</term> means a clear affirmative act by a consumer that—</text> <subparagraph id="H6CBF4D84C3B44AF2A18FC1BE2205C01D" commented="no"><enum>(A)</enum><text>signifies the freely given, specific, informed, and unambiguous agreement by the consumer to an action; and</text></subparagraph> <subparagraph id="HCE65C751A7984D2E9DD770C7517C7809" commented="no"><enum>(B)</enum><text>is—</text> <clause id="H7888EF5E8415472D81EECA28F536BFD4" commented="no"><enum>(i)</enum><text display-inline="yes-display-inline">in writing or in electronic form or other form permitted by the regulations prescribed under section 504; or</text></clause> <clause id="HFC4E138BD5944C9FA90687B39EC95C68" commented="no"><enum>(ii)</enum><text>in any other unambiguous affirmative form.</text></clause></subparagraph></paragraph> <paragraph id="H81C645C073414B40832D58C13CBA797A"><enum>(16)</enum><header>Covered nation</header><text display-inline="yes-display-inline">The term <term>covered nation</term> has the meaning given such term in section 4872(f) of title 10, United States Code.</text></paragraph> <paragraph id="H3C3AF686A7CF4695A2E86819CDD952B0"><enum>(17)</enum><header>Customer</header><text>The term <term>customer</term> means a consumer who has a customer relationship with a financial institution.</text></paragraph> <paragraph id="HCF0F15E1FB3C48AC9A00970B6F507892"><enum>(18)</enum><header>Customer relationship</header><text display-inline="yes-display-inline">The term <term>customer relationship</term> means a continuing relationship between a consumer and a financial institution under which the financial institution provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.</text></paragraph> <paragraph id="H461D71A7377A4227AD94EEA70B6C8465"><enum>(19)</enum><header>Financial data aggregator</header><text>The term <term>financial data aggregator</term>—</text> <subparagraph id="HCC77ACBEA2654A5FA8C1CD82FE793065"><enum>(A)</enum><text>means any person that operates a commercial enterprise for the primary business purpose of accessing, aggregating, collecting, processing, selling, or otherwise disclosing nonpublic personal information; and</text></subparagraph> <subparagraph id="HB1CBB0BCDE1844849ADE66E7A19ECAF1"><enum>(B)</enum><text>does not include—</text> <clause id="H66BF141F44C6414DB674A5977E2E8431"><enum>(i)</enum><text display-inline="yes-display-inline">a person that receives, processes, or discloses nonpublic personal information solely to the extent that it performs services for or functions on behalf of a financial institution pursuant to section 502(b)(2) or pursuant to an exception described under section 502(e);</text></clause> <clause id="HF9111F13D6E9409E95379ED0D43965C8"><enum>(ii)</enum><text>a consumer reporting agency, as defined in section 603(f) of the Fair Credit Reporting Act (<external-xref legal-doc="usc" parsable-cite="usc/15/1681a">15 U.S.C. 1681a(f)</external-xref>), solely to the extent that it engages in activities subject to the Fair Credit Reporting Act;</text></clause> <clause id="HCEA9C53D12AA4AB28B7CBCA525F06BD0"><enum>(iii)</enum><text display-inline="yes-display-inline">an attorney, accountant, investment adviser, or other person acting in a fiduciary or representative capacity on behalf of a consumer pursuant to section 502(e)(3)(E);</text></clause> <clause id="H0F9ED508DE08452BAEC61AEF6D8F40E6"><enum>(iv)</enum><text display-inline="yes-display-inline">a person—</text> <subclause id="H7157E9ACC1814E7EAF8E9447BEBDEB67"><enum>(I)</enum><text>to the extent that such person is not a financial institution; and</text></subclause> <subclause id="HA0D143B06B4649A29D10A621D9D9B504"><enum>(II)</enum><text>that operates a commercial enterprise that receives, processes, or discloses nonpublic personal information for the purpose of making or receiving payments associated with a sale, purchase, or exchange of goods or services; or</text></subclause></clause> <clause id="H44964BEDE629419AB7D7FAF6B6BEA586"><enum>(v)</enum><text display-inline="yes-display-inline">a self-regulatory organization that receives or processes nonpublic personal information disclosed to it by its members, or that discloses nonpublic personal information to an agency.</text></clause></subparagraph></paragraph> <paragraph id="H3D5AB24A3B624BC6AFBCFA536AE54795"><enum>(20)</enum><header>Former customer</header><text>The term <term>former customer</term> means a consumer who has previously had a customer relationship with a financial institution and that is no longer a customer of the financial institution because that customer relationship has terminated.</text></paragraph> <paragraph id="HF892E1935CDB4CD9A929C0EC3054D326"><enum>(21)</enum><header>Precise geolocation data</header><text display-inline="yes-display-inline">The term <term>precise geolocation data</term>—</text> <subparagraph id="H54BA8D0263214DAE9959E80518387DEC"><enum>(A)</enum><text>means personally identifiable nonfinancial information of a consumer generated by technological means, including global positioning systems, telemetry, telematics, and level, latitude, and longitude coordinates, or other means, that directly identifies the specific location of a consumer with precision and accuracy within a radius of 1,750 feet; and</text></subparagraph> <subparagraph id="H52C1F965E880495DA9E458538FA931F5"><enum>(B)</enum><text>does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.</text></subparagraph></paragraph> <paragraph id="HE0FB4E6413C8440585A117643A865441"><enum>(22)</enum><header>Self-regulatory organization</header><text>The term <term>self-regulatory organization</term>—</text> <subparagraph id="HCDDB638D48D341E8B021B21BCEF5BB87"><enum>(A)</enum><text display-inline="yes-display-inline">has the meaning given that term in section 3(a) of the Securities Exchange Act of 1934 (<external-xref legal-doc="usc" parsable-cite="usc/15/78c">15 U.S.C. 78c(a)</external-xref>); and</text></subparagraph> <subparagraph id="H1D3CDABF7CD44EA6851BC42E0605067D"><enum>(B)</enum><text display-inline="yes-display-inline">means—</text> <clause id="HBFDD40C5DCA44EB88A2881822A6FC694"><enum>(i)</enum><text>a contract market, derivatives transaction execution facility, registered futures association, or other self-regulatory organization registered with the Commodity Futures Trading Commission; and</text></clause> <clause id="HE8383ED57CC1407AA57846054559E049"><enum>(ii)</enum><text display-inline="yes-display-inline">any other self-regulatory organization registered with an agency authorized under section 504(a)(1) to prescribe regulations or with a Federal functional regulator, as determined by such agency or such Federal functional regulator.</text></clause></subparagraph></paragraph> <paragraph id="HD9D392624B5C4272BD3ECC1C55A907B5" commented="no"><enum>(23)</enum><header>Sensitive nonpublic personal information</header><text display-inline="yes-display-inline">The term <term>sensitive nonpublic personal information</term> means, when used by a financial institution while engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (<external-xref legal-doc="usc" parsable-cite="usc/12/1843">12 U.S.C. 1843(k)</external-xref>)—</text> <subparagraph id="H2E30502A2DF541709DFF0F3E6B4B9F29" commented="no"><enum>(A)</enum><text>personally identifiable nonfinancial information of a consumer that discloses the consumer’s racial or ethnic origin, religious belief, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;</text></subparagraph> <subparagraph id="H941A8C90D8F5457DBACAC2209645FB4B" commented="no"><enum>(B)</enum><text>genetic or biometric data of a consumer that is disclosed for the purpose of uniquely identifying a specific consumer; and</text></subparagraph> <subparagraph id="H3959CFFA27BC43C1B261136AB54ABB94" commented="no"><enum>(C)</enum><text>precise geolocation data.</text></subparagraph></paragraph> <paragraph id="H29A0273E151144468C55246D8CBBF1B3"><enum>(24)</enum><header>State</header><text display-inline="yes-display-inline">The term <term>State</term> means each State of the United States, the District of Columbia, each commonwealth, territory, or possession of the United States, and each federally recognized Indian Tribe.</text></paragraph><after-quoted-block>.</after-quoted-block></quoted-block></paragraph></section>