House Financial Services Committee Discussion Draft to Amend GLBA and Preempt State Regimes

March 16, 2026 8:35 pm

A key House Republican on House Financial Services (McHenry in the 118th; now Hill/Barr in the 119th) has been using a GLBA “modernization” discussion draft as the vehicle to test support for turning GLBA into a fully preemptive federal financial-privacy regime that would displace much of the current state patchwork.

What the discussion draft does on GLBA scope

The McHenry discussion draft (118th Congress) is the clearest public marker of the policy architecture the Committee is still circling around for GLBA modernization:

  • Expands the “financial institution” definition to explicitly capture data aggregators and other fintech data handlers, bringing them under GLBA instead of leaving them solely under general state privacy regimes.

  • Broadens “nonpublic personal information” to sweep in data “reasonably associated” with an individual, including inferences, not just traditional account information.

  • Eliminates the consumer/customer distinction, applying the same protections across both, which is a functional tightening of coverage.

  • Shifts notice/consent obligations to cover collection of NPI, not only sharing, pulling front-end data collection practices into clearer GLBA privacy controls.

Committee hearings and the March 17, 2026 “Updating America’s Financial Privacy Framework for the 21st Century” session are explicitly framed around this kind of GLBA “modernization” template, with witnesses drawn from large banks, fintech/data aggregators, and privacy advocates to debate how far to push these expansions.

Preemption concept: moving from floor to ceiling

The defining move in the discussion draft is to invert GLBA’s traditional “federal floor / state ceiling” structure and instead create a national ceiling that preempts broader or conflicting state privacy regimes for GLBA-covered activity.

  • Today, GLBA allows states to adopt stronger protections; this is the classic §507 “relation to State laws” framework.

  • The draft and surrounding business feedback push for explicit language that GLBA supersedes any state statute or rule that regulates a financial institution’s collection, disclosure, privacy notices, data breach notification, and individual rights (access, deletion, etc.) with respect to GLBA data.

  • Industry commenters explicitly cite prior McHenry “Data Privacy Act” language as a model, under which GLBA becomes the operative standard for GLBA activity, displacing state privacy laws like the CCPA to the extent they reach GLBA-covered processing.

In parallel, large trade groups (U.S. Chamber, fintech coalitions) are urging the Committee to pair GLBA modernization with a general federal privacy law that (1) fully preempts state consumer data privacy law, and (2) exempts GLBA activity from that general law, leaving GLBA as the exclusive regime for financial data.

Privacy and consumer groups are pressing in the opposite direction, urging the Committee to modernize GLBA without “nullifying” stronger state laws, and to preserve state authority to adopt and enforce more protective rules.

How preemption would interact with state regimes

The debate in the Committee’s 2025–26 RFI and hearings is focused less on whether to preempt and more on how broad the preemption clause should be and how to treat partial state exemptions for financial data.

Key issues being tested in the discussion draft and stakeholder letters:

  • CCPA/CPRA and similar laws

    • Many state comprehensive privacy statutes have data-level or entity-level GLBA exemptions, which typically carve out GLBA-covered data or GLBA-covered entities from the state law’s scope.

    • Business groups are asking for GLBA amendments that treat GLBA as fully preemptive for any activity falling within GLBA, regardless of how a state structures its exemption, to avoid “end runs” where states regulate at the margins of those exemptions.

    • Consumer/advocacy groups argue the opposite: that any GLBA rewrite should not preempt stronger state privacy or consumer protection laws, including those targeting data brokers, data sales, or AI uses that sit adjacent to core GLBA activity.

  • “Data-level exemption” problem

    • The Committee’s RFI specifically calls out states that only exempt certain data fields processed under GLBA from their general privacy laws, leaving other financial-data use cases partially subject to state rules.

    • Industry commenters respond that if Congress creates a fully preemptive GLBA standard, state provisions in this area should be preempted across the board; states that want an exemption would need to meet a federal benchmark, ideally an entity- and affiliate-level carve-out.

  • Sectoral overlap and other federal laws

    • There is ongoing discussion about how a preemptive GLBA would relate to FCRA, sectoral privacy rules, and any eventual comprehensive federal privacy statute.

    • Privacy advocates emphasize that GLBA-covered entities should not be carved out of other federal privacy laws (for example, by treating GLBA compliance as a safe harbor from FCRA or a general privacy act), warning that this would create large regulatory blind spots.

In short, the emerging preemption model is: for “GLBA activity” (as expanded by the draft to include aggregators, inferences, and collection), federal law would aim to be exclusive, with state financial privacy provisions displaced unless they fall clearly outside that activity.

Where the Committee is procedurally

Procedurally, the Committee is still in the fact-finding and coalition-building phase around this approach, rather than having a marked-up bill ready for floor action.

  • June 2025: The Financial Institutions Subcommittee begins a series of hearings reviewing consumer financial data privacy and open banking, setting up the modernization conversation.

  • July–August 2025: Chairman French Hill and Rep. Andy Barr issue a formal Request for Feedback on GLBA and “potential legislative proposals,” explicitly asking whether Congress should amend GLBA to create a preemptive federal standard and how to handle state laws with data-level exemptions.

  • Mid-late 2025: Trade associations (U.S. Chamber, American Fintech Council and others) and coalitions of advocacy groups file detailed comment letters staking out positions on preemption, private rights of action, opt-in vs opt-out, and data minimization requirements.

  • March 17, 2026: The full Committee holds “Updating America’s Financial Privacy Framework for the 21st Century,” with witnesses like large bank representatives, data/tech industry leaders, and privacy experts, expected to discuss draft text or staff-level concept language that builds on the earlier McHenry proposal.

So far there is no publicly posted, numbered bill in the 119th Congress that codifies the updated GLBA preemption structure; what we have is the prior McHenry discussion draft and an explicit RFI that suggests staff are drafting language that would move GLBA toward that model.

© Copyright 2026 Credit and Collection News