Current privacy baseline for CUs
- Credit unions are already subject to the Gramm‑Leach‑Bliley Act (GLBA) and Regulation P, which govern disclosure of nonpublic personal information to non‑affiliated third parties and require clear initial and annual privacy notices.
- NCUA’s security guidelines require administrative, technical, and physical safeguards and flow‑down of those protections to service providers with access to member data.
What the new legislation is aiming to do
- House and other federal data privacy efforts are looking at a broader national data privacy and security framework that would apply across sectors, not just traditional financial institutions.
- Draft federal data privacy bills include concepts like data minimization requirements, enhanced consumer notice, and more consistent standards for all entities that collect or hold sensitive personal data.
How credit union groups want members protected
- America’s Credit Unions is urging lawmakers to recognize that GLBA already provides strong privacy protections for credit union members and to treat compliant institutions as effectively meeting the federal standard.
- They are advocating for: (1) robust federal preemption of conflicting state privacy laws for GLBA‑compliant CUs, (2) a strong exemption from new, duplicative requirements, and (3) protection from expansive private rights of action that could invite litigation rather than improve member privacy.
Interaction with CFPB data‑access rules
- Separately, the CFPB’s finalized personal financial data rights rule under Dodd‑Frank 1033 will give consumers greater control over accessing and sharing their account data, with phased compliance dates and an exemption for certain small banks and credit unions.
- Credit union trade groups see potential competition benefits from data portability but have raised concerns about implementation costs and the allocation of liability when third parties mishandle shared data.
Key policy tension
- The CFPB has warned that broad GLBA‑based exemptions in state privacy laws can leave financial data under‑protected given how old GLBA and FCRA are relative to today’s digital environment.
- So, Congress is effectively balancing two views: using GLBA as the “model” for financial‑sector privacy versus updating or supplementing it to close perceived gaps, especially around non‑traditional data holders and modern data uses.





