Congress Seeks GLBA Input; ACU Responds
- Roy Urrico
- Sep 3
- 4 min read

On July 31, 2025, the U.S. House Financial Services Committee issued a request for public comment on a series of key questions that could drive the first major overhaul of the Gramm-Leach-Bliley Act (GLBA), the nation’s primary financial privacy law, in more than 25 years.
On August 29, 2025, America’s Credit Unions (ACU) shared its position with the House Financial Services Committee that data security is a high priority and concern for credit unions, and the GLBA should remain the model for credit union compliance with any future federal data security and privacy standard.
On January 1, 2024, the Credit Union National Association (CUNA) and the National Association of Federally-Insured Credit Unions (NAFCU) merged to form America’s Credit Unions, which was created to offer “exceptional services to credit unions so they can help Americans achieve and afford their best financial lives.”
GLBA: 25 Years and Counting?
Passed in 1999, the GLBA is the foundation of federal law governing the privacy and security of consumer financial information. “At the time it was enacted, it was a monumental shift in the obligations for financial institutions with respect to how those entities handled personal information,” said the committee’s invitation. The law’s definition of “financial institution” reaches well beyond banks: it includes car dealerships, payday lenders, debt collectors, some retailers, tax preparers, travel agents, and more.
The review comes as fintech development, state-by-state privacy patchworks, and new technologies like artificial intelligence (AI) are challenging whether the GLBA still supplies the protections promised. What do stakeholders, industry leaders, and the general public need to know before sharing their views on the future of federal consumer financial data privacy?
Some of the key questions the committee poses include:
Whether the GLBA should take a broader approach, such as a preemptive federal standard, and how it should address state laws.
How to define “non-public personal information,” “consumer,” “customer relationship,” and “financial institution.”
Which states have effective privacy frameworks.
Whether consent should be obtained before collecting certain types of data, such as PINs and IP addresses.
Whether to mandate the deletion of data for inactive accounts.
Whether consumers should receive a list of the entities receiving their data.
Whether a financial institution should be liable for data collected by a third party.
Whether to require or encourage financial institutions, third parties, and other holders of consumer financial data to minimize data collection.
Future Data Privacy Laws
ACU’s submitted comments urge Congress to prioritize the following features in a future data privacy framework:
A recognition of GLBA standards and accompanying regulations in place for financial institutions through the adoption of an entity-level exemption.
Strong federal preemption from the myriad state laws for those in compliance with national privacy and GLBA standards.
Protection from frivolous lawsuits created by a private right of action.
The organization also encourages the House Financial Services Committee to collaborate closely with the House Energy and Commerce Committee to “ensure that any federal privacy legislation builds upon and strengthens the GLBA while firmly preempting state laws.” Additionally, ACU supports expanding the definition of “financial institution” to include fintechs, data aggregators, and decentralized finance companies that handle nonpublic personal information. The letter also notes that the Kentucky Consumer Data Privacy Act, enacted on April 4, 2024, “provides a clear and concise entity-level GLBA exemption that should serve as the model for federal legislation.”
ACU formally submitted the following comments to the House Financial Services Committee:
“America’s Credit Unions is the voice of consumers’ best option for financial services: credit unions. As not-for-profit, member-owned financial cooperatives, credit unions play a vital role in the financial well-being of individuals, families, and small businesses across the country. We advocate for policies that allow credit unions to effectively meet the needs of their over 142 million members nationwide.”
“Credit unions are already subject to the security and privacy protection requirements under the GLBA, and the technical safeguards rules adopted by the National Credit Union Administration. Not only are credit unions subject to these laws, but they are regularly examined and supervised for compliance. Given the robust oversight already applicable to credit unions, we urge any potential data privacy framework to avoid regulatory overlap or conflict.”
“The current patchwork of state laws perpetuates a regulatory environment littered with idiosyncratic rules and inconsistently defined data elements, leaving entities and consumers on unequal footing. All state privacy laws should be fully preempted with respect to financial institutions already subject to the GLBA.”
“For credit unions, strong federal preemption of state banking privacy laws is critical. Without it, credit unions risk facing inadvertent restrictions on core member services and conflicting rules around joint marketing.”
“The Dodd-Frank Act does not provide a definition for customer; however, the GLBA delegates interpretation of the term ‘customer relationship’ to various agencies and does define a customer relationship with respect to the credit activities of financial institutions. In general, Congress should be mindful of how the terms customer and consumer are used when paired with data privacy laws that create affirmative breach notification duties.”
“For more sensitive information, such as a PIN, Congress should consider ways to limit sharing of this data. In general, financial institutions do not share sensitive security credentials, except in narrow instances where law enforcement may be involved. In fact, credit unions advise their members not to share sensitive information, login credentials, or PIN numbers.”
“Credit unions have no control over the third-party companies with which their members choose to engage, such as data aggregators, and those companies often pass information along to additional downstream entities.”
“Financial institutions have long relied on fraud and underwriting models to protect consumers and the safety and soundness of the payments and banking system, and the collection of critical data is one way to ensure that safety and soundness.”
“The FFIEC (Federal Financial Institutions Examination Council) has advised its regulated financial institutions to ‘restrict and monitor data extraction’ and limit the ability to view or modify data to only what is necessary to carry out job responsibilities and automated functions—principles of access control that help achieve the goal of data minimization.”