
A BILL

To strengthen consumers’ control over the use and disclosure of their personal financial and health information by financial institutions, and for other purposes. 

Be it enacted in the Senate and House of Representatives of the United States of America in Congress assembled,

Section 1. SHORT TITLE; TABLE OF CONTENTS.

(a) Short Title.--This Act may be cited as the "Consumer Financial Privacy Act".

(b) Table of Contents.--The table of contents for this Act is as follows:

Sec. 1. Short title; table of contents.

Sec. 2. Opt-out requirement for disclosure to affiliates and nonaffiliated third parties.

Sec. 3. Restricting the transfer of information about personal spending habits.

Sec. 4. Restricting the use of health information in making credit and other financial decisions.

Sec. 5. Limits on redisclosure and reuse of information.

Sec. 6. Consumer rights to access and correct information.

Sec. 7. Improved enforcement authority.

Sec. 8. Enhanced disclosure of privacy policies.

Sec. 9. Limitation on disclosure of account numbers.

Sec. 10. General exceptions.

Sec. 11. Definitions.

Sec. 12. Issuance of implementing regulations.

Sec. 13. FTC rulemaking authority under the Fair Credit Reporting Act.

SEC. 2. OPT-OUT REQUIREMENT FOR DISCLOSURE TO AFFILIATES AND NONAFFILIATED THIRD PARTIES.

Section 502(a) of the Gramm-Leach-Bliley Act (15 U.S.C. 6802(a)) is amended to read as follows:

"(a) Disclosure of nonpublic personal information.--Except as otherwise provided in this subtitle, a financial institution may not disclose any nonpublic personal information to an affiliate or a nonaffiliated third party unless such financial institution--

"(1) has provided to the consumer a clear and conspicuous notice, in writing or electronic form or other form permitted by the regulations implementing this subtitle, of the categories of information that may be disclosed to the--
"(A) affiliate; or

"(B) nonaffiliated third party;

"(2) has given the consumer an opportunity, before the time that such information is initially disclosed, to direct that such information not be disclosed to such--

"(A) affiliate; or

"(B) nonaffiliated third party; and

"(3) has given the consumer the ability to exercise that nondisclosure option through the same method of communication by which the consumer received the notice described in paragraph (1) or another method at least as convenient to the consumer, and an explanation of how the consumer can exercise such option.". 

SEC. 3. RESTRICTING THE TRANSFER OF INFORMATION ABOUT PERSONAL SPENDING HABITS.

Section 502(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6802(b)) is amended to read as follows:

"(b) Restriction on the Transfer of Information about Personal Spending Habits.--

"(1) In general.--Notwithstanding subsection (a), if a financial institution provides a service to a consumer through which the consumer makes or receives payments or transfers by check, debit card, credit card, or other similar instrument, the financial institution shall not transfer to an affiliate or a nonaffiliated third party--
"(A) an individualized list of that consumer’s transactions or an individualized description of that consumer’s interests, preferences, or other characteristics; or

"(B) any such list or description constructed in response to an inquiry about a specific, named individual;

if the list or description is derived from information collected in the course of providing that service.

"(2) Restriction on transfer of aggregate lists containing certain health information.--Notwithstanding subsection (a), a financial institution shall not transfer to an affiliate or a nonaffiliated third party any aggregate list of consumers containing or derived from individually identifiable health information.

"(3) Exceptions.--

"(A) The financial institution may disclose the information described in paragraph (1) or (2) to an affiliate or a nonaffiliated third party if such financial institution --
"(i) has clearly and conspicuously requested in writing or in electronic form or other form permitted by the regulations implementing this subtitle, that the consumer affirmatively consent to such disclosure; and

"(ii) has obtained from the consumer such affirmative consent and such consent has not been withdrawn.

"(B) Rule of construction.--This subsection shall not prevent a financial institution from transferring the information described in paragraph (1) or (2) to an affiliate or a nonaffiliated third party for the purposes described in paragraphs (1), (2), (3), (5), (7), (8), (9), or (10) of subsection (f).

"(C) Scope of application.--Paragraph (1) shall not apply to the transfer of aggregate lists of consumers.". 

SEC. 4. RESTRICTING THE USE OF HEALTH INFORMATION IN MAKING CREDIT AND OTHER FINANCIAL DECISIONS.

(a) Restriction on Use of Consumer Health Information.--Section 502(c) of the Gramm-Leach-Bliley Act (15 U.S.C. 6802(c)) is amended to read as follows:

"(c) Use of Consumer Health Information Available from Affiliates and nonaffiliated third parties.--In deciding whether, or on what terms, to offer, provide, or continue to provide a financial product or service to a consumer, a financial institution shall not obtain, receive, evaluate, or otherwise consider individually identifiable health information about the consumer from an affiliate or a nonaffiliated third party, unless the financial institution--

"(1) has clearly and conspicuously requested in writing or in electronic form or other form permitted by the regulations implementing this subtitle, that the consumer affirmatively consent to the transfer and use of that information with respect to a particular financial product or service;

"(2) has obtained from the consumer such affirmative consent and such consent has not been withdrawn; and

"(3) requires the same health information about all consumers as a condition for receiving the financial product or service.".

(b) Existing Protections for Health Information Not Affected.--Title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) is amended by adding after section 510 the following new section:

"SECTION 511. RELATION TO STANDARDS ESTABLISHED UNDER THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996.

"Nothing in this subtitle shall be construed to--

"(1) modify, limit, or supersede standards governing the privacy and security of individually identifiable health information promulgated by the Secretary of Health and Human Services under sections 262(a) and 264 of the Health Insurance Portability and Accountability Act of 1996; or

"(2) authorize the use or disclosure of individually identifiable health information in a manner other than as permitted by other applicable law.".

(c) Definition of Individually Identifiable Health Information.--Section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809) is amended by adding at the end the following new paragraph:

"(12) Individually identifiable health information.--The term "individually identifiable health information" means any information, including demographic information, obtained from, or about, an individual that is described in section 1171(6)(B) of the Social Security Act.".

(d) Technical and Conforming Amendment.--Section 505(a)(6) of the Gramm-Leach-Bliley Act (15 U.S.C. 6805(a)(6)) is amended by inserting before the period at the end "to the extent that the provisions of such section are not inconsistent with the provisions of this subtitle".

SEC. 5. LIMITS ON REDISCLOSURE AND REUSE OF INFORMATION.

Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802) is amended-- 

(1) by redesignating subsections (d) and (e) as subsections (e) and (f), respectively; and

(2) by inserting after subsection (c) the following new subsection:

"(d) Limits on Redisclosure and Reuse of Information.--

"(1) In general.--An affiliate or a nonaffiliated third party that receives nonpublic personal information from a financial institution shall not disclose such information to any other person unless such disclosure would be lawful if made directly to such other person by the financial institution.

"(2) Disclosure under a general exception.--Notwithstanding paragraph (1), any person that receives nonpublic personal information from a financial institution in accordance with one of the general exceptions in subsection (f) may use or disclose such information only--

"(A) as permitted under that general exception; or

"(B) under another general exception in subsection (f), if necessary to carry out the purpose for which the information was disclosed by the financial institution.". 

SEC. 6. CONSUMER RIGHTS TO ACCESS AND CORRECT INFORMATION.

Title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) is amended by adding after section 511 (as added by subsection 103(b)), the following new section:

"SECTION 512. ACCESS TO AND CORRECTION OF INFORMATION.

"(a) Access.--(1) In general.--Upon the request of a consumer, a financial institution shall make available to the consumer information about the consumer that is under the control of, and reasonably available to, the financial institution.

"(2) Exceptions.--Notwithstanding paragraph (1), a financial institution--
"(A) shall not be required to disclose to a consumer any confidential commercial information, such as an algorithm used to derive credit scores or other risk scores or predictors;

"(B) shall not be required to create new records in order to comply with the consumer’s request;

"(C) shall not be required to disclose to a consumer any information assembled by the financial institution, in a particular matter, as part of the financial institution’s efforts to comply with laws preventing fraud, money laundering, or other unlawful conduct; and

"(D) shall not disclose any information required to be kept confidential by any other federal law.

"(b) Correction.--A financial institution shall provide a consumer the opportunity to dispute the accuracy of any information disclosed to the consumer pursuant to subsection (a), and to present evidence thereon. A financial institution shall correct or delete material information identified by a consumer that is materially incomplete or inaccurate.

"(c) Coordination and consultation.--In promulgating rules implementing this section, the federal agencies specified in section 504(a) shall consult with one another to ensure that the rules--

"(1) impose consistent requirements on the financial institutions under their respective jurisdictions;

"(2) take into account conditions under which financial institutions do business both in the United States and in other countries; and

"(3) are consistent with the principle of technology neutrality.

"(d) Charges For Disclosures.--A financial institution may impose a reasonable charge for making a disclosure under this section, which charge must be disclosed to the consumer before making the disclosure.".

SEC. 7. IMPROVED ENFORCEMENT AUTHORITY.

(a) Compliance with Privacy Policy.--Section 503 of the Gramm-Leach-Bliley Act (15 U.S.C. 6803) is amended by adding at the end the following new subsection:

"(c) Compliance with Privacy Policy.--A financial institution’s failure to comply with any of its policies or practices disclosed to a consumer under this section constitutes a violation of the requirements of this section.".

(b) Unfair and Deceptive Trade Practice.--Section 505(a)(7) of the Gramm-Leach-Bliley Act (15 U.S.C. 6805(a)(7)) is amended by adding at the end the following new sentence:

"A violation of any requirement of this subtitle, or the regulations of the Federal Trade Commission prescribed under this subtitle, by a financial institution or other person described in this paragraph shall constitute an unfair or deceptive act or practice in commerce in violation of section 5(a) of the Federal Trade Commission Act.".

(c) Supplemental State Enforcement For FTC Regulated Entities.--Section 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6805) is amended by adding at the end the following new subsection:

"(e) State Action for Violations.--

"(1) Authority of the states.--In addition to such other remedies as are provided under State law, if the attorney general of a State, or an officer authorized by the State, has reason to believe that any financial institution or other person described in section 505(a)(7) has violated or is violating this subtitle or the regulations prescribed thereunder by the Federal Trade Commission, the State may--
"(A) bring an action on behalf of the residents of the State to enjoin such violation in any appropriate United States district court or in any other court of competent jurisdiction; and

"(B) bring an action on behalf of the residents of the State to enforce compliance with this subtitle and the regulations prescribed thereunder by the Federal Trade Commission, to obtain damages, restitution, or other compensation on behalf of the residents of such State, or to obtain such further and other relief as the court may deem appropriate.

"(2) Rights of the Federal Trade Commission.--The State shall serve prior written notice of any action under paragraph (1) upon the Federal Trade Commission and shall provide the Commission with a copy of its complaint; provided that, if such prior notice is not feasible, the State shall serve such notice immediately upon instituting such action. The Federal Trade Commission shall have the right--

"(A) to move to stay the action, pending the final disposition of a pending federal matter as described in paragraph (4);

"(B) to intervene in an action under paragraph (1);

"(C) upon so intervening, to be heard on all matters arising therein;

"(D) to remove the action to the appropriate United States district court; and

"(E) to file petitions for appeal.

"(3) Investigatory powers.--For purposes of bringing any action under this subsection, nothing in this subsection shall prevent the attorney general, or officers of such State who are authorized by such State to bring such actions, from exercising the powers conferred on the attorney general or such officers by the laws of such State to conduct investigations or to administer oaths or affirmations or to compel the attendance of witnesses or the production of documentary and other evidence.

"(4) Limitation on state action while federal action pending.--If the Federal Trade Commission has instituted an action for a violation of this subtitle, no State may, during the pendency of such action, bring an action under this section against any defendant named in the complaint of the Commission for any violation of this subtitle that is alleged in that complaint.".

(d) State Action for Violations of Ban on Pretext Calling.--Section 522 of the Gramm-Leach-Bliley Act (15 U.S.C. 6822) is amended by adding at the end the following new subsection:

"(c) State Action for Violations.--

"(1) Authority of the states.--In addition to such other remedies as are provided under State law, if the attorney general of a State, or an officer authorized by the State, has reason to believe that any person (other than a person described in subsection (b)(1)) has violated or is violating this subtitle, the State may--
"(A) bring an action on behalf of the residents of the State to enjoin such violation in any appropriate United States district court or in any other court of competent jurisdiction; and

"(B) bring an action on behalf of the residents of the State to enforce compliance with this subtitle, to obtain damages, restitution, or other compensation on behalf of the residents of such State, or to obtain such further and other relief as the court may deem appropriate.

"(2) Rights of Federal agencies.--The State shall serve prior written notice of any action commenced under paragraph (1) upon the Attorney General and the Federal Trade Commission, and shall provide the Attorney General and the Commission with a copy of the complaint; provided that, if such prior notice is not feasible, the State shall serve such notice immediately upon instituting such action. The Attorney General and the Federal Trade Commission shall have the right--

"(A) to move to stay the action, pending the final disposition of a pending federal matter as described in paragraph (4);

"(B) to intervene in an action under paragraph (1);

"(C) upon so intervening, to be heard on all matters arising therein;

"(D) to remove the action to the appropriate United States district court; and

"(E) to file petitions for appeal.

"(3) Investigatory powers.--For purposes of bringing any action under this subsection, nothing in this subsection shall prevent the attorney general, or officers of such State who are authorized by such State to bring such actions, from exercising the powers conferred on the attorney general or such officers by the laws of such State to conduct investigations or to administer oaths or affirmations or to compel the attendance of witnesses or the production of documentary and other evidence.

"(4) Limitation on state action while federal action pending.--If the Attorney General has instituted a criminal proceeding or the Federal Trade Commission has instituted a civil action for a violation of this subtitle, no State may, during the pendency of such proceeding or action, bring an action under this section against any defendant named in the criminal proceeding or civil action for any violation of this subtitle that is alleged in that proceeding or action.".

SEC. 8. ENHANCED DISCLOSURE OF PRIVACY POLICIES.

(a) Timing of Notice to Consumers.--Section 503(a) of the Gramm-Leach-Bliley Act (15 U.S.C. 6803(a)) is amended to read as follows:

"(a) Disclosure Required.--

"(1) Time of disclosure.--A financial institution shall provide a disclosure that complies with paragraph (2)--
"(A) to an individual upon the individual’s request;

"(B) as part of an application for a financial product or service from the financial institution; and

"(C) to a consumer, prior to establishing a customer relationship with the consumer and not less frequently than annually during the continuation of such relationship.

"(2) Disclosure format.--The disclosure required by paragraph (1) shall be a clear and conspicuous notice, in writing or in electronic form or other form permitted by the regulations implementing this subtitle, of such financial institution's policies and practices with respect to--

"(A) disclosing nonpublic personal information to affiliates and nonaffiliated third parties, consistent with section 502, including the categories of information that may be disclosed;

"(B) disclosing nonpublic personal information of persons who have ceased to be customers of the financial institution; and

"(C) protecting the nonpublic personal information of consumers.

Such disclosures shall be made in accordance with the regulations implementing this subtitle.".

(b) Notice Of Rights To Access and Correct Information.--Section 503(b)(2) of the Gramm-Leach-Bliley Act (15 U.S.C. 6803(b)(2)) is amended by inserting ", and a statement of the consumer’s right to access and correct such information, consistent with section 512" after "institution".

(c) Conforming Amendment.--Section 503(b)(1)(A) of the Gramm-Leach-Bliley Act (15 U.S.C. 6803(b)(1)(A)) is amended by striking "502(e)" and inserting "502(f)".

SEC. 9. LIMIT ON DISCLOSURE OF ACCOUNT NUMBERS.

Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802) is amended in subsection (e) (as so redesignated by section 5) by inserting "affiliate or" before "nonaffiliated third party".

SEC. 10. GENERAL EXCEPTIONS.

Section 502(f) of the Gramm-Leach-Bliley Act (15 U.S.C. 6802) (as so redesignated by section 5 of this Act) is amended--

(1) in the matter preceding paragraph (1), by striking "Subsections (a) and (b)" and inserting "Subsection (a)";

(2) in paragraph (1)--

(A) by striking "or" at the end of subparagraph (B);

(B) by inserting "or" after the semicolon at the end of subparagraph (C); and

(C) by inserting after subparagraph (C) the following new subparagraph:

"(D) performing services for or functions solely on behalf of the financial institution with respect to the financial institution’s own customers, including marketing of the financial institution’s own products or services to the financial institution’s customers;";

(3) in paragraph (4), by striking ", and the institution’s attorneys, accountants, and auditors";

(4) in paragraph (5), by inserting "section 21 of the Federal Deposit Insurance Act" after "title 31, United States Code,";

(5) in paragraph (7) by striking "or" at the end;

(6) in paragraph (8) by striking the period and inserting a semicolon; and

(7) by adding at the end the following new paragraphs:

"(9) in order to facilitate customer service, such as maintenance and operation of consolidated customer call centers or the use of consolidated customer account statements; or

"(10) to the institution’s attorneys, accountants, and auditors.".

SEC. 11. DEFINITIONS.

Section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809) is amended--

(1) in paragraph (3)--

(A) by striking "(A) Financial Institution" and all that follows through "The term ‘financial institution’" and inserting "(3) Financial Institution.--The term ‘financial institution’"; and

(B) by striking paragraphs (B), (C), and (D);

(2) by amending paragraph (4) to read as follows:

"(4) Nonpublic personal information.--The term "nonpublic personal information" means--

"(A) any personally identifiable information, including a Social Security number--
"(i) provided by a consumer to a financial institution, in an application or otherwise, to obtain a financial product or service from the financial institution;

"(ii) resulting from any transaction between a financial institution and a consumer involving a financial product or service; or

"(iii) obtained by the financial institution about a consumer in connection with providing a financial product or service to that consumer, other than publicly available information, as such term is defined by the regulations prescribed under section 504; and

"(B) any list, description or other grouping of one or more consumers of the financial institution and publicly available information pertaining to them"; and

(3) in paragraph (9) by inserting "applies for or" before "obtains".

SEC. 12. ISSUANCE OF IMPLEMENTING REGULATIONS.

(a) In General.--The federal agencies specified in section 504(a) of the Gramm-Leach-Bliley Act (15 U.S.C. 6804(a)) shall prescribe regulations implementing the amendments to subtitle A of title 5 of the Gramm-Leach-Bliley Act made by this Act, and shall include such requirements determined to be appropriate to prevent their circumvention or evasion.

(b) Coordination, Consistency, and Comparability.--The regulations issued under subsection (a) shall be issued in accordance with the requirements of section 504(a) of the Gramm-Leach-Bliley Act (15 U.S.C. 6804(a)), except that the deadline in section 504(a)(3) shall not apply.

SEC. 13. FTC RULEMAKING AUTHORITY UNDER THE FAIR CREDIT REPORTING ACT.

Section 621(e) of the Fair Credit Reporting Act (15 U.S.C. 1681s(e)) is amended by adding at the end the following new paragraph:

"(3) The Federal Trade Commission shall prescribe such regulations as necessary to carry out the provisions of this Act with respect to any persons identified under paragraph (1) of subsection (a). Prior to prescribing such regulations, the Federal Trade Commission shall consult with the Federal banking agencies referred to in paragraph (1) of this subsection in order to ensure, to the extent possible, comparability and consistency with the regulations issued by the Federal banking agencies under that paragraph.".