Guidelines for Use, Access, and Responsible Disclosure of Financial Data Act
- Bill Number
- H.R. 8398
- Origin Chamber
- House
- Congress
- 119th Congress, Session 2
- Policy Area
- Finance and Financial Sector
- Status
- Introduced
- Latest Action
- 2026-04-21: Referred to the House Committee on Financial Services.
- Last Updated
- 2026-05-13T08:06:30Z
AI-Generated Summary
Purpose
The GUARD Financial Data Act (H.R. 8398) amends Title V of the Gramm-Leach-Bliley Act (GLBA), a 1999 law on financial privacy, to strengthen protections for consumers' nonpublic personal information (private financial details like account numbers or transaction history). It promotes responsible data handling by financial institutions through minimization, opt-outs/opt-ins, deletion rights, and limits on sharing credentials, while considering small banks' burdens and preempting conflicting state laws.
Key Provisions
- Data Handling Rules (Title I):
- Data minimization: Institutions must collect or share only necessary data (effective 2 years after enactment). Exceptions include required disclosures (e.g., to regulators or credit agencies).
- Ongoing opt-out: Consumers can opt out of sharing with nonaffiliated third parties (unrelated companies) anytime, not just initially.
- Access credentials limits (e.g., usernames/passwords): Data aggregators (companies compiling financial data, like fintech apps) must warn consumers of risks and offer opt-out before using credentials (effective 1 year). Institutions cannot block valid consumer-directed requests.
- Enhanced privacy notices: Must detail data purposes, retention practices, AI use (artificial intelligence: automated systems for decisions), sharing with "covered nations" (foreign adversaries like China), and opt-out/deletion instructions. Agencies to update model forms.
- Policy access: Customers can request copies of privacy policies.
- Disclosure and deletion rights: Customers/former customers can request their data and recipient lists. Former customers can demand deletion (with exceptions like legal retention needs), including verification, 45-day response (extendable), free initial requests (2/year), fees/declines for extras, and appeals.
- Sensitive data opt-in: Affirmative consent (clear agreement) required for collecting/sharing sensitive info (e.g., race/ethnicity, biometrics like fingerprints, precise location within 1,750 feet). Revocable anytime (effective 1 year).
- Small Institutions (Title II): Regulators must weigh impacts on banks/credit unions with ≤$15 billion in assets (threshold rises with GDP every 5 years).
- State Law Preemption (Title III): Federal rules override state privacy/security laws for financial data/institutions, but state insurance regulators retain enforcement powers if aligned with federal rules.
- New Definitions (Title IV): Clarifies terms like financial data aggregator, access credentials, biometric data, precise geolocation data, sensitive nonpublic personal information, consent, covered nation, and former customer.
Significant Changes to Existing Law
- Shifts GLBA focus from mere "disclosure" to broader "treatment" of data.
- Adds data minimization, deletion rights (new for former customers), credential protections, and sensitive data opt-ins—absent before.
- Makes opt-outs perpetual and notices more detailed.
- Explicitly preempts state privacy laws (previously allowed if not conflicting).
- Ties into CFPB's Section 1033 (open banking: consumer-directed data sharing).
- Expands "nonpublic personal information" to include credentials, biometrics, and geolocation in financial contexts.
Potential Impacts
- Consumers: More control (opt-outs/ins, deletions, notices), reduced risks from credential sharing or foreign data flows.
- Financial Institutions: Higher compliance costs (e.g., handling requests, notices), but small ones get tailored rulemaking; must verify identities and appeal denials.
- Data Aggregators/Fintechs: Restricted credential use; must disclose risks.
- Regulators: Need to issue rules, model forms; balance small-bank burdens.
- States: Limited ability to impose stricter financial privacy rules.
- No direct international impacts, but curbs data to covered nations.
Main Stakeholders
- Consumers/customers (current/former).
- Financial institutions (especially ≤$15B assets).
- Financial data aggregators and nonaffiliated third parties.
- Federal regulators (e.g., FTC, CFPB, banking agencies).
- State insurance authorities.
Notable Legal, Constitutional, or Political Implications
- Legal: Creates uniform federal standard, avoiding state-by-state rules; integrates with existing laws (e.g., Fair Credit Reporting Act, CFPB open banking).
- Constitutional: Relies on Commerce Clause for financial regulation; preemption valid under Supremacy Clause (federal law trumps states).
- Political: Enhances privacy amid rising data breaches/AI concerns; supports small banks; bipartisan sponsors signal industry-consumer balance.
This summary was generated by AI and may contain inaccuracies. Refer to the official source document for the authoritative text.
Sponsor
Cosponsors (6)
Rep. Barr, Andy [R-KY-6], Rep. Steil, Bryan [R-WI-1], Rep. Hill, J. French [R-AR-2], Rep. Meuser, Daniel [R-PA-9], Rep. Haridopolos, Mike [R-FL-8], Rep. Lawler, Michael [R-NY-17]
Recent Actions
- 2026-04-21: Referred to the House Committee on Financial Services.
- 2026-04-21: Introduced in House
- 2026-04-21: Introduced in House
Bill Versions
- Guidelines for Use, Access, and Responsible Disclosure of Financial Data Act — issued 2026-04-21 — PDF (29 pages)