Congress Proposes Major GLBA Update: Preemption Possible?
On April 22, two House committees made a coordinated move to reshape U.S. data privacy law. The House Energy & Commerce Committee introduced the SECURE Data Act, a comprehensive federal consumer privacy framework designed to replace the existing state-by-state patchwork. Simultaneously, the House Financial Services Committee introduced the GUARD Financial Data Act, which would modernize Title V of the Gramm-Leach-Bliley Act (GLBA)—the federal law that has governed financial institution data privacy since 1999.
The bills are designed as companion legislation, dividing the regulatory universe cleanly: the SECURE Data Act covers non-financial firms, while the GUARD Act covers GLBA-regulated financial institutions. For mortgage companies, GUARD is the bill to watch.
What the GUARD Act Means for the Mortgage Industry
GLBA's privacy framework is over 25 years old, and GUARD, as currently contemplated, would significantly alter requirements. Mortgage companies should pay close attention, including to the following:
Data Minimization. GUARD requires financial institutions to limit collection and disclosure of nonpublic personal information (NPI) to what is adequate, relevant, and reasonably necessary for each disclosed purpose. Financial institutions that have treated data minimization as a best practice would now face a statutory mandate.
New Consumer Rights. Current and former customers gain expanded rights. Current customers could request access to their NPI and a list of third parties to whom it has been disclosed. Former customers - think paid-off borrowers - could gain a right to request deletion of their data, subject to legal retention requirements. Mortgage servicers, who often hold borrower data for years after loan payoff, would need to stand up processes to handle these requests.
Opt-In for Sensitive Data. Financial institutions would need to obtain affirmative consumer consent before collecting or disclosing sensitive NPI, defined to include health information, biometric data, precise geolocation data, and certain demographic information. The existing opt-out framework would not be enough for these categories.
Limits on Data Aggregators. Before using a consumer's login credentials to access their financial account, financial data aggregators and third parties would need to provide specific disclosures and give consumers an opportunity to opt out. This provision could directly affect the fintech integrations that are increasingly common in mortgage origination.
Modified Privacy Notices. Notices to consumers would include information on AI use in data processing, data retention practices, and whether NPI is shared with China, Iran, North Korea or Russia.
National Preemption: A Potential Compliance Win
GUARD would preempt state consumer data privacy and security laws as applied to GLBA-covered financial institutions and their NPI. For mortgage companies operating in multiple states - already navigating CCPA, various state privacy laws, and a growing number of state-specific requirements - a single federal standard could meaningfully reduce compliance overhead.
The Road Ahead
Neither bill is law yet, and the road through Congress is never short. But when two significant committees move together on legislation of this scope, it is worth paying attention.
Keep an Eye Out for Updates
Mortgage companies should closely monitor for updates and stay involved with their trade associations. Questions about how? Contact troy@garrishorn.com.