[Congressional Record Volume 147, Number 7 (Monday, January 22, 2001)]
[Senate]
[Pages S303-S307]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. SARBANES (for himself, Mr. Leahy, Mr. Dodd, Mr. Reed, Mr. 
        Kerry, Mr. Harkin, and Mr. Edwards):
  S. 30. A bill to strengthen control by consumers over the use and 
disclosure of their personal financial and health information by 
financial institutions, and for other purposes; to the Committee on 
Banking, Housing, and Urban Affairs.


              FINANCIAL INFORMATION PRIVACY PROTECTION ACT

  Mr. SARBANES.
  Mr. President, I rise today to address a very important issue: the 
protection of every American's personal, sensitive, financial 
information that is held by their financial institutions.
  Few Americans understand that, under Federal law, a financial 
institution could take information it obtains about a customer through 
his or her transactions, and sell or transfer that information to an 
affiliated company without the customer being able to object. And the 
customer has no right to get access to or correct that information.
  The amount of information that could be disclosed is enormous. It 
includes: savings and checking account balances; certificate of deposit 
maturity dates and balances; any check an individual writes; any check 
that is deposited into a customer's account; stock and mutual fund 
purchases and sales; and life insurance payouts.
  In considering this issue, I start with the threshold question: whose 
information is it? Is it the individual's or the institution's? I 
believe this information belongs to the individual.
  To help alleviate the concerns of American consumers, I am 
introducing legislation that would give customers the right to choose 
whether their financial institutions should be allowed to transfer this 
data for unintended uses. I am pleased that Senators Leahy, Dodd, Reed, 
Kerry, Harkin and Edwards are joining me in co-sponsoring the Financial 
Information Privacy Protection Act of 2001. I want to particularly 
recognize Senator Leahy, chairman of the Democratic Privacy Caucus, for 
his strong leadership on the privacy issue over the years.
  This bill seeks to protect a fundamental right of privacy for every 
American who entrusts his or her highly sensitive and confidential 
financial information to a financial institution. Every American should 
at least have the opportunity to say ``no'' if he or she does not want 
that nonpublic information disclosed. Every American should have the 
right to have especially sensitive information held by his or her 
financial institution kept confidential unless consent is given. Every 
American should be allowed to make certain that the information is 
accurate and, if it is not, have it corrected. And, put quite simply, 
these rights should be enforced.
  The Financial Information Privacy Protection Act of 2001 would 
accomplish these objectives.
  Today's technology makes it easier, faster, and less costly than ever 
for institutions to have immediate access to large amounts of customer 
information; to analyze that data; and to send that data to others. 
With the passage of financial services modernization legislation in 
1999, banks, securities firms and insurance firms are now allowed to 
affiliate and offer their multiple products to each other's customers. 
As a result, many financial institutions are warehousing large amounts 
of sensitive information and sharing it throughout the affiliate 
structure without the customer being fully informed of what financial 
information is being disclosed or the purposes for which it will be 
used. While cross-marketing can bring new and beneficial products to 
receptive consumers, it can also result in unwanted invasions of 
personal privacy.
  Surveys have consistently shown that the public is widely concerned 
about its privacy. For example, a recent AARP survey found that 96% of 
respondents were unwilling to let a company freely share their 
financial information with other financial companies. The survey also 
asked, ``[w]ho owns financial information provided in a business 
transaction?'' and 93% of respondents answered that the information 
belongs to the ``customer'' while only 4% answered that it belongs to 
the ``business'' (and 3% said they did not know).
  Congress has already protected citizens' privacy on prior occasions. 
In response to public concerns, Congress passed privacy laws 
restricting companies' disclosure of customer information without 
customer consent, such as in the Cable Communications Policy Act and 
the Video Privacy Protection Act. Yet while video rentals and cable 
television selections are prohibited by law from being disclosed, 
millions of Americans cannot object to disclosure of their financial 
transactions to their financial institutions' affiliates and certain 
other financial companies for purposes inconsistent with those for 
which they gave their data.
  Other important privacy concerns, such as the privacy of bankruptcy 
court records, fall outside of this bill. Last week, the Clinton 
administration published a study ``Financial Privacy in Bankruptcy'' 
with important recommendations that should be carefully considered. I 
commend the Administration for its many efforts to protect individuals' 
right to privacy.
  Along with medical records, financial records rank among the kinds of 
personal data Americans most expect will be kept confidential. However, 
the privacy of even highly sensitive financial information has been 
increasingly put at risk with the move to an economy in which the 
selling or sharing of consumers' personal information is highly 
profitable--and legal.
  The Financial Information Privacy Protection Act of 2001 contains key 
financial privacy protections that are consistent with the expectations 
of Americans and good business practices.
  The Act would provide consumers with:
  An ``opt out'' for affiliate sharing, allowing customers to object to 
financial institutions sharing their financial data with all affiliated 
firms.

[[Page S304]]

  An ``opt in'' for sharing some types of sensitive financial or 
medical information. A financial institution would need to have a 
consumer's affirmative consent before releasing his or her medical 
information or personal spending habits (e.g., credit card charges, 
check payees) to either an affiliate or an unaffiliated third party.
  Rights of access and correction. A consumer would be able to see the 
information to be released and correct material errors. To preclude 
abuse of this protection, the bill allows the institution to charge for 
access to this information.
  The Gramm-Leach-Bliley Act, enacted in November 1999, contains some 
limited Federal financial privacy protections for consumers. While an 
important beginning, these protections fail to meet the expectations of 
Americans. It does not contain the important protections that I have 
just referred to. Many groups have criticized the current law as 
inadequate. I agree.
  This bill would not affect Section 507 of the Gramm-Leach-Bliley Act, 
which I authored, which provides that these Federal privacy protections 
do not pre-empt stronger State privacy laws. States with citizens who 
want stronger privacy protections than contained in Federal law would 
still be able to enact such laws.
  A number of consumer groups, including Consumers Union, Consumer 
Federation of America, Consumer Action, Privacy Times, United Auto 
Workers and U.S. Public Interest Research Group, have stated their 
support of this bill. Mr. President, I would ask that their letter of 
endorsement be included at the end of my remarks. Professor Peter 
Swire, Professor of Law at Ohio State University and formerly the 
Clinton Administration's Chief Counselor for Privacy, has said: ``The 
bill is carefully crafted to provide the greatest protections for the 
most sensitive financial information. At the same time, the bill helps 
create an efficient financial system by allowing the use of information 
in situations where the risk to privacy is minimal.''
  The issue of financial privacy cuts across philosophical lines.
  For example, Mrs. Phyllis Schlafly and the Eagle Forum have spoken 
out for financial privacy protections even stronger than those 
contained in this bill. She has written, ``Some banks shamelessly admit 
they profile their customers so the bank can advise telemarketers which 
products a customer might like. But why should banks be able to make 
secret profits off of customers' personal information such as deposits, 
checks, phone numbers or credit card numbers? Many of us don't want to 
be solicited by any telemarketers.''
  Columnist William Safire has written frequently about the need for 
stronger privacy protections. For instance, in an editorial in the New 
York Times of October 30, 2000, Mr. Safire pointed out that many people 
are concerned about financial records, and other records, ``being 
passed around by conglomerated banks, insurance companies and H.M.O.'s. 
Personal freedom is diminished when the most intimate secrets can be 
monitored by employers and merchants.''
  As we proceed in an age of technological advances and cross-industry 
marketing of financial services, we need to be mindful of the privacy 
concerns of the American public. Consumers who wish to keep their 
sensitive financial information private should be given a right to do 
so. The passage of the Financial Information Privacy Protection Act of 
2001 would be a major step toward that goal. Congress can and should 
provide that privacy protection by giving consumers, at a minimum, the 
rights of consent and access.
  I ask unanimous consent that the bill and a letter be printed in the 
Record.
  There being no objection, the material was ordered to be printed in 
the Record, as follows:

                                 S. 30

         Be it enacted by the Senate and House of Representatives 
     of the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE AND TABLE OF CONTENTS.

       (a) Short Title.--This Act may be cited as the ``Financial 
     Information Privacy Protection Act of 2001''.
       (b) Table of Contents.--The table of contents for this Act 
     is as follows:

Sec. 1. Short title; table of contents.
Sec. 2. Opt-out requirement for disclosure to affiliates and 
              nonaffiliated third parties.
Sec. 3. Restricting the transfer of information about personal spending 
              habits.
Sec. 4. Restricting the use of health information in making credit and 
              other financial decisions.
Sec. 5. Limits on redisclosure and reuse of information.
Sec. 6. Consumer rights to access and correct information.
Sec. 7. Improved enforcement authority.
Sec. 8. Enhanced disclosure of privacy policies.
Sec. 9. Limit on disclosure of account numbers.
Sec. 10. General exceptions.
Sec. 11. Definitions.
Sec. 12. Issuance of implementing regulations.
Sec. 13. FTC rulemaking authority under the Fair Credit Reporting Act.

     SEC. 2. OPT-OUT REQUIREMENT FOR DISCLOSURE TO AFFILIATES AND 
                   NONAFFILIATED THIRD PARTIES.

       Section 502(a) of the Gramm-Leach-Bliley Act (15 U.S.C. 
     6802(a)) is amended to read as follows:
       ``(a) Disclosure of Nonpublic Personal Information.--Except 
     as otherwise provided in this subtitle, a financial 
     institution may not disclose any nonpublic personal 
     information to an affiliate or a nonaffiliated third party 
     unless the financial institution--
       ``(1) has provided to the consumer a clear and conspicuous 
     notice, in writing or electronic form or other form permitted 
     by the regulations implementing this subtitle, of the 
     categories of information that may be disclosed to the--
       ``(A) affiliate; or
       ``(B) nonaffiliated third party;
       ``(2) has given the consumer an opportunity, before the 
     time that such information is initially disclosed, to direct 
     that such information not be disclosed to such--
       ``(A) affiliate; or
       ``(B) nonaffiliated third party; and
       ``(3) has given the consumer the ability to exercise the 
     nondisclosure option described in paragraph (2) through the 
     same method of communication by which the consumer received 
     the notice described in paragraph (1) or another method at 
     least as convenient to the consumer, and an explanation of 
     how the consumer can exercise such option.''.

     SEC. 3. RESTRICTING THE TRANSFER OF INFORMATION ABOUT 
                   PERSONAL SPENDING HABITS.

       Section 502(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 
     6802(b)) is amended to read as follows:
       ``(b) Restriction on the Transfer of Information About 
     Personal Spending Habits.--
       ``(1) In general.--Notwithstanding subsection (a), if a 
     financial institution provides a service to a consumer 
     through which the consumer makes or receives payments or 
     transfers by check, debit card, credit card, or other similar 
     instrument, the financial institution shall not transfer to 
     an affiliate or a nonaffiliated third party--
       ``(A) an individualized list of that consumer's 
     transactions or an individualized description of that 
     consumer's interests, preferences, or other characteristics; 
     or
       ``(B) any such list or description constructed in response 
     to an inquiry about a specific, named individual;
     if the list or description is derived from information 
     collected in the course of providing that service.
       ``(2) Restriction on transfer of aggregate lists containing 
     certain health information.--Notwithstanding subsection (a), 
     a financial institution shall not transfer to an affiliate or 
     a nonaffiliated third party any aggregate list of consumers 
     containing or derived from individually identifiable health 
     information.
       ``(3) Exceptions.--
       ``(A) In general.--The financial institution may disclose 
     the information described in paragraph (1) or (2) to an 
     affiliate or a nonaffiliated third party if such financial 
     institution--
       ``(i) has clearly and conspicuously requested in writing or 
     in electronic form or other form permitted by the regulations 
     implementing this subtitle, that the consumer affirmatively 
     consent to such disclosure; and
       ``(ii) has obtained from the consumer such affirmative 
     consent and such consent has not been withdrawn.
       ``(B) Rule of construction.--This subsection shall not be 
     construed as preventing a financial institution from 
     transferring the information described in paragraph (1) or 
     (2) to an affiliate or a nonaffiliated third party for the 
     purposes described in paragraph (1), (2), (3), (5), (7), (8), 
     (9), or (10) of subsection (f).
       ``(C) Scope of application.--Paragraph (1) shall not apply 
     to the transfer of aggregate lists of consumers.''.

     SEC. 4. RESTRICTING THE USE OF HEALTH INFORMATION IN MAKING 
                   CREDIT AND OTHER FINANCIAL DECISIONS.

       (a) Restriction on Use of Consumer Health Information.--
     Section 502(c) of the Gramm-Leach-Bliley Act (15 U.S.C. 
     6802(c)) is amended to read as follows:
       ``(c) Use of Consumer Health Information Available From 
     Affiliates and Nonaffiliated Third Parties.--In deciding 
     whether, or on what terms, to offer, provide, or continue to 
     provide a financial product or service to a consumer, a 
     financial institution shall not obtain or receive 
     individually identifiable health information about the 
     consumer from an affiliate or nonaffiliated third

[[Page S305]]

     party, or evaluate or otherwise consider any such 
     information, unless the financial institution--
       ``(1) has clearly and conspicuously requested in writing or 
     in electronic form or other form permitted by the regulations 
     implementing this subtitle, that the consumer affirmatively 
     consent to the transfer and use of that information with 
     respect to a particular financial product or service;
       ``(2) has obtained from the consumer such affirmative 
     consent and such consent has not been withdrawn; and
       ``(3) requires the same health information about all 
     consumers as a condition for receiving the financial product 
     or service.''.
       (b) Existing Protections for Health Information Not 
     Affected.--Subtitle A of title V of the Gramm-Leach-Bliley 
     Act (15 U.S.C. 6801 et seq.) is amended--
       (1) by redesignating section 510 as section 512; and
       (2) by inserting after section 509 the following new 
     section:

     ``SEC. 510. RELATION TO STANDARDS ESTABLISHED UNDER THE 
                   HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY 
                   ACT OF 1996.

       ``Nothing in this subtitle shall be construed as--
       ``(1) modifying, limiting, or superseding standards 
     governing the privacy and security of individually 
     identifiable health information promulgated by the Secretary 
     of Health and Human Services under sections 262(a) and 264 of 
     the Health Insurance Portability and Accountability Act of 
     1996; or
       ``(2) authorizing the use or disclosure of individually 
     identifiable health information in a manner other than as 
     permitted by other applicable law.''.
       (c) Definition of Individually Identifiable Health 
     Information.--Section 509 of the Gramm-Leach-Bliley Act (15 
     U.S.C. 6809) is amended by adding at the end the following 
     new paragraph:
       ``(12) Individually identifiable health information.--The 
     term `individually identifiable health information' means any 
     information, including demographic information obtained from 
     or about an individual, that is described in section 
     1171(6)(B) of the Social Security Act.''.
       (d) Technical and Conforming Amendment.--Section 505(a)(6) 
     of the Gramm-Leach-Bliley Act (15 U.S.C. 6805(a)(6)) is 
     amended by inserting before the period at the end ``to the 
     extent that the provisions of such section are not 
     inconsistent with the provisions of this subtitle''.

     SEC. 5. LIMITS ON REDISCLOSURE AND REUSE OF INFORMATION.

       Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802) 
     is amended--
       (1) by redesignating subsections (d) and (e) as subsections 
     (e) and (f), respectively; and
       (2) by inserting after subsection (c) the following new 
     subsection:
       ``(d) Limits on Redisclosure and Reuse of Information.--
       ``(1) In general.--An affiliate or a nonaffiliated third 
     party that receives nonpublic personal information from a 
     financial institution shall not disclose such information to 
     any other person unless such disclosure would be lawful if 
     made directly to such other person by the financial 
     institution.
       ``(2) Disclosure under a general exception.--
     Notwithstanding paragraph (1), any person that receives 
     nonpublic personal information from a financial institution 
     in accordance with one of the general exceptions in 
     subsection (f) may use or disclose such information only--
       ``(A) as permitted under that general exception; or
       ``(B) under another general exception in subsection (f), if 
     necessary to carry out the purpose for which the information 
     was disclosed by the financial institution.''.

     SEC. 6. CONSUMER RIGHTS TO ACCESS AND CORRECT
                   INFORMATION.

       Subtitle A of title V of the Gramm-Leach-Bliley Act (15 
     U.S.C. 6801 et seq.) is amended by inserting after section 
     510 (as added by section 4(b) of this Act), the following new 
     section:

     ``SEC. 511. ACCESS TO AND CORRECTION OF INFORMATION.

       ``(a) Access.--
       ``(1) In general.--Upon the request of a consumer, a 
     financial institution shall make available to the consumer 
     information about the consumer that is under the control of, 
     and reasonably available to, the financial institution.
       ``(2) Exceptions.--Notwithstanding paragraph (1), a 
     financial institution--
       ``(A) shall not be required to disclose to a consumer any 
     confidential commercial information, such as an algorithm 
     used to derive credit scores or other risk scores or 
     predictors;
       ``(B) shall not be required to create new records in order 
     to comply with the consumer's request;
       ``(C) shall not be required to disclose to a consumer any 
     information assembled by the financial institution, in a 
     particular matter, as part of the financial institution's 
     efforts to comply with laws preventing fraud, money 
     laundering, or other unlawful conduct; and
       ``(D) shall not disclose any information required to be 
     kept confidential by any other Federal law.
       ``(b) Correction.--A financial institution shall provide a 
     consumer the opportunity to dispute the accuracy of any 
     information disclosed to the consumer pursuant to subsection 
     (a), and to present evidence thereon. A financial institution 
     shall correct or delete material information identified by a 
     consumer that is materially incomplete or inaccurate.
       ``(c) Coordination and Consultation.--In prescribing 
     regulations implementing this section, the Federal agencies 
     specified in section 504(a) shall consult with one another to 
     ensure that the rules--
       ``(1) impose consistent requirements on the financial 
     institutions under their respective jurisdictions;
       ``(2) take into account conditions under which financial 
     institutions do business both in the United States and in 
     other countries; and
       ``(3) are consistent with the principle of technology 
     neutrality.
       ``(d) Charges for Disclosures.--A financial institution may 
     impose a reasonable charge for making a disclosure under this 
     section, which charge must be disclosed to the consumer 
     before making the disclosure.''.

     SEC. 7. IMPROVED ENFORCEMENT AUTHORITY.

       (a) Compliance With Privacy Policy.--Section 503 of the 
     Gramm-Leach-Bliley Act (15 U.S.C. 6803) is amended by adding 
     at the end the following new subsection:
       ``(c) Compliance With Privacy Policy.--A financial 
     institution's failure to comply with any of its policies or 
     practices disclosed to a consumer under this section 
     constitutes a violation of the requirements of this 
     section.''.
       (b) Unfair and Deceptive Trade Practice.--Section 505(a)(7) 
     of the Gramm-Leach-Bliley Act (15 U.S.C. 6805(a)(7)) is 
     amended by adding at the end the following new sentence: ``A 
     violation of any requirement of this subtitle, or the 
     regulations of the Federal Trade Commission prescribed under 
     this subtitle, by a financial institution or other person 
     described in this paragraph shall constitute an unfair or 
     deceptive act or practice in commerce in violation of section 
     5(a) of the Federal Trade Commission Act.''.
       (c) Supplemental State Enforcement for FTC Regulated 
     Entities.--Section 505 of the Gramm-Leach-Bliley Act (15 
     U.S.C. 6805) is amended by adding at the end the following 
     new subsection:
       ``(e) State Action for Violations.--
       ``(1) Authority of the states.--In addition to such other 
     remedies as are provided under State law, if the attorney 
     general of a State, or an officer authorized by the State, 
     has reason to believe that any financial institution or other 
     person described in section 505(a)(7) has violated or is 
     violating this subtitle or the regulations prescribed 
     thereunder by the Federal Trade Commission, the State may--
       ``(A) bring an action on behalf of the residents of the 
     State to enjoin such violation in any appropriate United 
     States district court or in any other court of competent 
     jurisdiction; and
       ``(B) bring an action on behalf of the residents of the 
     State to enforce compliance with this subtitle and the 
     regulations prescribed thereunder by the Federal Trade 
     Commission, to obtain damages, restitution, or other 
     compensation on behalf of the residents of such State, or to 
     obtain such further and other relief as the court may deem 
     appropriate.
       ``(2) Rights of the federal trade commission.--The State 
     shall serve prior written notice of any action under 
     paragraph (1) upon the Federal Trade Commission and shall 
     provide the Commission with a copy of its complaint; provided 
     that, if such prior notice is not feasible, the State shall 
     serve such notice immediately upon instituting such action. 
     The Federal Trade Commission shall have the right--
       ``(A) to move to stay the action, pending the final 
     disposition of a pending Federal matter as described in 
     paragraph (4);
       ``(B) to intervene in an action under paragraph (1);
       ``(C) upon so intervening, to be heard on all matters 
     arising therein;
       ``(D) to remove the action to the appropriate United States 
     district court; and
       ``(E) to file petitions for appeal.
       ``(3) Investigatory powers.--For purposes of bringing any 
     action under this subsection, nothing in this subsection 
     shall prevent the attorney general, or officers of such State 
     who are authorized by such State to bring such actions, from 
     exercising the powers conferred on the attorney general or 
     such officers by the laws of such State to conduct 
     investigations or to administer oaths or affirmations or to 
     compel the attendance of witnesses or the production of 
     documentary and other evidence.
       ``(4) Limitation on state action while federal action is 
     pending.--If the Federal Trade Commission has instituted an 
     action for a violation of this subtitle, no State may, during 
     the pendency of such action, bring an action under this 
     section against any defendant named in the complaint of the 
     Commission for any violation of this subtitle that is alleged 
     in that complaint.''.
       (d) State Action for Violations of Ban on Pretext 
     Calling.--Section 522 of the Gramm-Leach-Bliley Act (15 
     U.S.C. 6822) is amended by adding at the end the following 
     new subsection:
       ``(c) State Action for Violations.--
       ``(1) Authority of the states.--In addition to such other 
     remedies as are provided under State law, if the attorney 
     general of a State, or an officer authorized by the State, 
     has reason to believe that any person (other than a person 
     described in subsection (b)(1)) has violated or is violating 
     this subtitle, the State may--

[[Page S306]]

       ``(A) bring an action on behalf of the residents of the 
     State to enjoin such violation in any appropriate United 
     States district court or in any other court of competent 
     jurisdiction; and
       ``(B) bring an action on behalf of the residents of the 
     State to enforce compliance with this subtitle, to obtain 
     damages, restitution, or other compensation on behalf of the 
     residents of such State, or to obtain such further and other 
     relief as the court may deem appropriate.
       ``(2) Rights of federal agencies.--The State shall serve 
     prior written notice of any action commenced under paragraph 
     (1) upon the Attorney General and the Federal Trade 
     Commission, and shall provide the Attorney General and the 
     Commission with a copy of the complaint; provided that, if 
     such prior notice is not feasible, the State shall serve such 
     notice immediately upon instituting such action. The 
     Attorney General and the Federal Trade Commission shall 
     have the right--
       ``(A) to move to stay the action, pending the final 
     disposition of a pending Federal matter as described in 
     paragraph (4);
       ``(B) to intervene in an action under paragraph (1);
       ``(C) upon so intervening, to be heard on all matters 
     arising therein;
       ``(D) to remove the action to the appropriate United States 
     district court; and
       ``(E) to file petitions for appeal.
       ``(3) Investigatory powers.--For purposes of bringing any 
     action under this subsection, nothing in this subsection 
     shall prevent the attorney general, or officers of such State 
     who are authorized by such State to bring such actions, from 
     exercising the powers conferred on the attorney general or 
     such officers by the laws of such State to conduct 
     investigations or to administer oaths or affirmations or to 
     compel the attendance of witnesses or the production of 
     documentary and other evidence.
       ``(4) Limitation on state action while federal action is 
     pending.--If the Attorney General has instituted a criminal 
     proceeding or the Federal Trade Commission has instituted a 
     civil action for a violation of this subtitle, no State may, 
     during the pendency of such proceeding or action, bring an 
     action under this section against any defendant named in the 
     criminal proceeding or civil action for any violation of this 
     subtitle that is alleged in that proceeding or action.''.

     SEC. 8. ENHANCED DISCLOSURE OF PRIVACY POLICIES.

       (a) Timing of Notice to Consumers.--Section 503(a) of the 
     Gramm-Leach-Bliley Act (15 U.S.C. 6803(a)) is amended to read 
     as follows:
       ``(a) Disclosure Required.--
       ``(1) Time of disclosure.--A financial institution shall 
     provide a disclosure that complies with paragraph (2)--
       ``(A) to an individual upon the individual's request;
       ``(B) as part of an application for a financial product or 
     service from the financial institution; and
       ``(C) to a consumer, prior to establishing a customer 
     relationship with the consumer and not less frequently than 
     annually during the continuation of such relationship.
       ``(2) Disclosure format.--The disclosure required by 
     paragraph (1) shall be a clear and conspicuous notice, in 
     writing or in electronic form or other form permitted by the 
     regulations implementing this subtitle, of such financial 
     institution's policies and practices with respect to--
       ``(A) disclosing nonpublic personal information to 
     affiliates and nonaffiliated third parties, consistent with 
     section 502, including the categories of information that may 
     be disclosed;
       ``(B) disclosing nonpublic personal information of persons 
     who have ceased to be customers of the financial institution; 
     and
       ``(C) protecting the nonpublic personal information of 
     consumers.
     Such disclosure shall be made in accordance with the 
     regulations implementing this subtitle.''.
       (b) Notice of Rights to Access and Correct Information.--
     Section 503(b)(2) of the Gramm-Leach-Bliley Act (15 U.S.C. 
     6803(b)(2)) is amended by inserting ``, and a statement of 
     the consumer's right to access and correct such information, 
     consistent with section 511'' after ``institution''.
       (c) Technical and Conforming Amendment.--Section 
     503(b)(1)(A) of the Gramm-Leach-Bliley Act (15 U.S.C. 
     6803(b)(1)(A)) is amended by striking ``502(e)'' and 
     inserting ``502(f)''.

     SEC. 9. LIMIT ON DISCLOSURE OF ACCOUNT NUMBERS.

       Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802) 
     is amended in subsection (e) (as so redesignated by section 
     5) by inserting ``affiliate or'' before ``nonaffiliated third 
     party''.

     SEC. 10. GENERAL EXCEPTIONS.

       Section 502(f) of the Gramm-Leach-Bliley Act (15 U.S.C. 
     6802) (as so redesignated by section 5 of this Act) is 
     amended--
       (1) in the matter preceding paragraph (1), by striking 
     ``Subsections (a) and (b)'' and inserting ``Subsection (a)'';
       (2) in paragraph (1)--
       (A) by striking ``or'' at the end of subparagraph (B);
       (B) by inserting ``or'' after the semicolon at the end of 
     subparagraph (C); and
       (C) by inserting after subparagraph (C) the following new 
     subparagraph:
       ``(D) performing services for or functions solely on behalf 
     of the financial institution with respect to the financial 
     institution's own customers, including marketing of the 
     financial institution's own products or services to the 
     financial institution's customers;'';
       (3) in paragraph (4), by striking ``, and the institution's 
     attorneys, accountants, and auditors'';
       (4) in paragraph (5), by inserting ``section 21 of the 
     Federal Deposit Insurance Act,'' after ``title 31, United 
     States Code,'';
       (5) in paragraph (7), by striking ``or'' at the end;
       (6) in paragraph (8), by striking the period and inserting 
     a semicolon; and
       (7) by adding at the end the following new paragraphs:
       ``(9) in order to facilitate customer service, such as 
     maintenance and operation of consolidated customer call 
     centers or the use of consolidated customer account 
     statements; or
       ``(10) to the institution's attorneys, accountants, and 
     auditors.''.

     SEC. 11. DEFINITIONS.

       Section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809) 
     is amended--
       (1) in paragraph (3)--
       (A) by striking ``(3) Financial institution'' and all that 
     follows through ``The term `financial institution' '' and 
     inserting ``(3) Financial institution.--The term 
     `financial institution' ''; and
       (B) by striking subparagraphs (B), (C), and (D);
       (2) by amending paragraph (4) to read as follows:
       ``(4) Nonpublic personal information.--The term `nonpublic 
     personal information' means--
       ``(A) any personally identifiable information, including a 
     Social Security number--
       ``(i) provided by a consumer to a financial institution, in 
     an application or otherwise, to obtain a financial product or 
     service from the financial institution;
       ``(ii) resulting from any transaction between a financial 
     institution and a consumer involving a financial product or 
     service; or
       ``(iii) obtained by the financial institution about a 
     consumer in connection with providing a financial product or 
     service to that consumer, other than publicly available 
     information, as such term is defined by the regulations 
     prescribed under section 504; and
       ``(B) any list, description or other grouping of one or 
     more consumers of the financial institution and publicly 
     available information pertaining to them.''; and
       (3) in paragraph (9), by inserting ``applies for or'' 
     before ``obtains''.

     SEC. 12. ISSUANCE OF IMPLEMENTING REGULATIONS.

       (a) In General.--The Federal agencies specified in section 
     504(a) of the Gramm-Leach-Bliley Act (15 U.S.C. 6804(a)) 
     shall prescribe regulations implementing the amendments to 
     subtitle A of title V of the Gramm-Leach-Bliley Act made by 
     this Act, and shall include such requirements determined to 
     be appropriate to prevent their circumvention or evasion.
       (b) Coordination, Consistency, and Comparability.--The 
     regulations issued under subsection (a) shall be issued in 
     accordance with the requirements of section 504(a) of the 
     Gramm-Leach-Bliley Act (15 U.S.C. 6804(a)), except that the 
     deadline in section 504(a)(3) shall not apply.

     SEC. 13. FTC RULEMAKING AUTHORITY UNDER THE FAIR CREDIT 
                   REPORTING ACT.

       Section 621(e) of the Fair Credit Reporting Act (15 U.S.C. 
     1681s(e)) is amended by adding at the end the following new 
     paragraph:
       ``(3) Regulations.--The Federal Trade Commission shall 
     prescribe such regulations as necessary to carry out the 
     provisions of this title with respect to any persons 
     identified under paragraph (1) of subsection (a). Prior to 
     prescribing such regulations, the Federal Trade Commission 
     shall consult with the Federal banking agencies referred to 
     in paragraph (1) of this subsection in order to ensure, to 
     the extent possible, comparability and consistency with the 
     regulations issued by the Federal banking agencies under that 
     paragraph.''.
                                  ____

                                                 January 22, 2001.
       Dear Senator Sarbanes: We are writing in support of the 
     introduction of the Financial Information Privacy Act of 
     2001. If passed, this legislation will correct many of the 
     shortcomings of the Gramm-Leach-Bliley Act. The Financial 
     Privacy Act will be a significant improvement for consumers 
     by requiring financial institutions to obtain a consumer's 
     consent before sensitive financial and medical data is 
     shared, extending privacy protections to the sharing of 
     information among affiliated companies, and allowing 
     consumers to have access to the information about them that 
     is held by financial institutions.
       The GLB's privacy provisions are grossly inadequate. Mere 
     notice that data is being collected with a limited ability of 
     consumers to prevent the sharing of personal data--one that 
     is riddled with loopholes--fails to provide the privacy 
     protections that American consumers want and deserve. Instead 
     of protecting personal privacy, GLB protects the ability of 
     the financial services industry to collect and use personal 
     information about their customers with virtually no 
     restrictions.
       As personal privacy continues to erode, it is vital that 
     consumers be given strong privacy protections. The current 
     trend of favoring the appetite of business interests over the 
     privacy of individuals must be reversed.
     If a financial institution cannot convince its customers that 
     the sharing of their personal information will be safe and 
     beneficial to them, then the financial institution should not 
     be allowed to share that information.
       The Financial Privacy Act is a step in advancing some of 
     the Fair Information Principles supported by our 
     organizations in the context of financial services. We will 
     continue to seek the strongest possible privacy safeguards 
     for Americans, including expanded medical privacy 
     protections, limitations on initial collection practices, and 
     increased enforcement mechanisms. Those protections may even 
     go beyond those in this bill.
       We appreciate your introducing this important legislation 
     and look forward to working with you on future legislative 
     efforts to protect the privacy of all Americans.
         Ken McEldowney, Consumer Action.
         Travis Plunkett, Consumer Federation of America.
         Frank Torres, Consumers Union.
         Jason Catlett, Junkbusters.
         Evan Hendricks, Privacy Times.
         Mary Rouleau, United Auto Workers.
         Edmund Mierzwinski, US Public Interest Research Group.

  Mr. LEAHY. Mr. President, I am pleased today to be an original 
cosponsor of the Financial Information Privacy Protection Act of 2001. 
I am delighted to join Senator Sarbanes, the ranking member of the 
Senate Banking Committee, who is a real leader in the Senate on 
protecting personal financial information.
  In November 1999, President Clinton signed into law the landmark 
Financial Modernization Act, which updated our financial laws and opened 
up the financial services industry to become more competitive, both at 
home and abroad. Many of my colleagues and I supported that legislation 
because we believe it will benefit businesses and consumers. It is 
already making it easier for banking, securities, and insurance firms 
to consolidate their services, cut expenses and offer more products at 
a lower cost to all. But this consolidation also raises new concerns 
about our financial privacy.
  New conglomerates in the financial services industry are offering a 
widening variety of services, each of which may require a customer to 
provide financial, medical or other personal information. Nothing in 
the new law prevents these new subsidiaries or affiliates of financial 
conglomerates from sharing this information for uses beyond those for 
which the customer thought he or she was providing it. For example, the new law 
has no requirement for the consumer to control whether these new 
financial subsidiaries or affiliates sell, share, or publish 
information on savings account balances, certificates of deposit 
maturity dates and balances, stock and mutual fund purchases and sales, 
life insurance payouts or health insurance claims. That is wrong.
  I believe the Financial Information Privacy Protection Act of 2001 
should serve as the foundation for model financial privacy legislation 
that Congress enacts into law this year. This bill is a common sense 
approach that can attract both consumers and the industry.
  Privacy is one of our most vulnerable rights in the information age. 
Digitalization of information offers tremendous benefits but also new 
threats. Some in Congress are content to punt the privacy issue down 
the field for another year. The public disagrees. People know that the 
longer we dawdle, the harder it will be to halt the erosion of privacy. 
A year is an eternity in the digital age.
  The right of privacy is a personal and fundamental right protected by 
the Constitution of the United States. But today, the American people 
are growing more and more concerned over encroachments on their 
personal privacy. To return personal financial privacy to the control 
of the consumer, this legislation would create the following rights in 
Federal law.
  New Right To Opt-out of Information Sharing By Affiliates. The new 
financial modernization law permits consumers to say no to information 
sharing, selling or publishing among third parties in many cases, but 
not among affiliated firms. The Financial Information Privacy Act of 
2001 would require financial conglomerates, which will only grow under 
the new modernization law, to expand this protection to give consumers 
the right to notify them (opt-out) to stop all information sharing, 
selling or publishing of personal financial information among all third 
parties and affiliates.
  New Right For Consumers To Opt-In For Sharing of Medical Information 
and Personal Spending Habits. The Financial Information Privacy 
Protection Act of 2001 would require financial firms to get the 
affirmative consent (opt-in) of consumers before a firm could gain 
access to medical information within a financial conglomerate or share 
detailed information about a consumer's personal spending habits.
  New Right To Access and Correct Financial Information. The Financial 
Information Privacy Protection Act of 2001 would give consumers the 
right to review and correct their financial records, just like 
consumers today may review and correct their credit reports.
  New Right To Privacy Policy Up Front. The Financial Information 
Privacy Protection Act of 2001 would require financial firms to provide 
their privacy policies to consumers before committing to a customer 
relationship, not after. In addition, the bill's new rights would be 
enforced by federal banking regulators, the Federal Trade Commission 
and state attorneys general.
  Unfortunately, if you have a checking account, you may have a 
financial privacy problem. Your bank may sell or share with business 
allies information about who you are writing checks to, when, and for 
how much. And even if you tell your bank to stop, it can ignore you 
under current law. This legislation returns to consumers the power to 
stop the selling or sharing of personal financial information.
  Americans ought to be able to enjoy the exciting innovations of this 
burgeoning information era without losing control over the use of their 
financial information. The Financial Information Privacy Protection Act 
of 2001 updates United States privacy laws to provide these 
fundamental protections of personal financial information in the 
evolving financial services industry. I urge my colleagues to support 
it.
                                 ______