Congress Wants to Kill State Privacy Laws for Banks. Here's What the GLBA Overhaul Means for Your Compliance Program.
TL;DR:
- A House Financial Services Committee discussion draft released March 17 would gut-renovate GLBA Title V — adding data minimization, consumer deletion rights, AI disclosure requirements, and broad federal preemption of state privacy laws for financial institutions.
- If passed, compliance teams managing 20+ state privacy regimes could see that collapse into a single federal standard — but the new GLBA requirements would be significantly more demanding than the current notice-and-opt-out baseline.
- Don’t wait for final legislation. The direction of travel is clear: map your data flows now, inventory your AI use in data processing, and build deletion-request infrastructure before you’re forced to.
Two days ago, Representative Bill Huizenga dropped a discussion draft that would rewrite the rules on financial data privacy in America. The bill would transform GLBA Title V from a 1999-era notice-and-opt-out regime into something that looks a lot more like the CCPA — data minimization obligations, consumer deletion rights, AI transparency requirements — while simultaneously preempting the patchwork of state privacy laws that compliance teams have spent years building programs around.
The timing isn’t accidental. Twenty states now have comprehensive privacy laws in effect. Indiana, Kentucky, and Rhode Island kicked in on January 1. Connecticut and Arkansas amendments land July 1. California just expanded data broker requirements and mandatory risk assessments. For a mid-size bank operating across 15 states, the compliance burden has become genuinely unmanageable — and Congress knows it.
Here’s what’s actually in the bill, what it means for your program, and what to do about it right now.
What the GLBA Overhaul Actually Changes
The current GLBA Title V is almost quaint by modern standards. It requires financial institutions to send privacy notices, give consumers an opt-out for third-party sharing, and implement reasonable safeguards. That’s essentially it. The Huizenga draft replaces that framework with something far more muscular.
Data Minimization Becomes a Legal Obligation
The draft imposes a statutory data-minimization requirement: financial institutions can only collect, use, retain, and disclose nonpublic personal information (NPI) that is “necessary for legitimate business, legal, or regulatory purposes.” That’s a fundamental shift from the current approach, which places no limits on collection as long as you disclose what you’re doing.
What this looks like in practice:
| Current GLBA | Proposed GLBA |
|---|---|
| Collect whatever you want, disclose in privacy notice | Collect only what’s necessary for legitimate purposes |
| No retention limits | Retention must be justified by business/legal need |
| Opt-out before sharing with third parties | Opt-out strengthened — consumers can refuse at any time, including before initial disclosure |
| Privacy notice covers basics | Notice must detail purposes, retention, AI use, deletion rights |
For compliance teams, data minimization means conducting purpose-limitation assessments for every data element you collect. Not “we might need this someday” — a documented, defensible business reason. That’s a significant undertaking if your institution has been operating under the old collect-and-disclose model for 25 years.
Consumer Deletion Rights Hit Financial Services
The draft creates a new Section 503A codifying consumer rights to:
- Obtain their nonpublic personal information and a list of recipient categories
- Request deletion of data after the customer relationship ends
The deletion right comes with exceptions for legal, regulatory, and Fair Credit Reporting Act obligations — which is critical, because financial institutions can’t just delete everything a customer asks them to. BSA/AML record retention, tax reporting requirements, FCRA obligations, and litigation holds all create legitimate reasons to retain data beyond the customer relationship.
The practical challenge: building a deletion-request workflow that can evaluate each request against your retention schedule, identify what can actually be deleted, and document the justification for anything retained. If you’ve dealt with CCPA deletion requests, you know this isn’t trivial. Financial services data is intertwined across core banking systems, CRM platforms, loan origination systems, fraud detection models, and analytics pipelines. A single customer’s data might touch 30 systems.
AI Disclosure Requirements
Here’s where it gets interesting for 2026. The draft requires privacy notices to describe “the use of artificial intelligence in collecting, processing, and utilizing” NPI. That’s broad — it could cover everything from AI-powered fraud detection to chatbot interactions to underwriting models that process personal data.
What qualifies as AI use in data processing? The bill doesn’t define it precisely, which means regulators will fill that gap. But at minimum, expect to disclose:
- Whether AI models process customer NPI
- What categories of NPI feed into AI systems
- What decisions or outputs those AI systems produce
This dovetails with the California Privacy Protection Agency’s automated decision-making regulations taking effect in 2027, and the broader trend toward AI transparency in financial services (see the FS AI RMF’s emphasis on consumer-facing AI disclosure).
Expanded Definition of NPI
The draft broadens what counts as nonpublic personal information to include:
- Access credentials (usernames, passwords, security questions)
- Biometric data (fingerprints, facial recognition, voiceprints)
- Geolocation data (precise location information)
This matters because many financial institutions already collect biometric data (mobile banking facial recognition, voice authentication for call centers) and geolocation data (fraud prevention, branch proximity marketing) without treating them as NPI subject to GLBA protections. Under the new definitions, those data elements would need full GLBA treatment — purpose limitation, minimization, notice, opt-out rights, and deletion capabilities.
The Preemption Bomb: 20 State Privacy Laws, One Federal Override
The headline provision for compliance teams: the draft would expressly preempt state privacy and security laws as they apply to financial institutions handling NPI subject to Title V.
That’s a big deal. Here’s the current landscape of state comprehensive privacy laws in effect as of 2026:
| Effective Date | States |
|---|---|
| Already in effect (pre-2026) | California (CCPA/CPRA), Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Delaware, New Hampshire, New Jersey, Nebraska, Maryland |
| January 1, 2026 | Indiana (amendments), Kentucky, Rhode Island |
| July 1, 2026 | Connecticut (amendments), Arkansas, Utah (amendments) |
That’s 20 states with active comprehensive privacy laws — each with different applicability thresholds, different definitions of sensitive data, different consumer rights, and different enforcement mechanisms. Rhode Island’s law, for example, kicks in at just 35,000 consumers (or 10,000 if you derive more than 20% of revenue from data sales). Kentucky just amended its law to add “automatic content recognition” as sensitive data before it even took effect.
If you’re a regional bank operating in 12 states, you’re currently mapping against a dozen different privacy frameworks on top of GLBA. The preemption provision would collapse that into one federal standard.
What Preemption Would and Wouldn’t Do
Would preempt:
- State comprehensive privacy laws (CCPA, Virginia CDPA, Colorado CPA, etc.) as applied to financial institutions handling NPI
- State data security requirements for NPI (to the extent covered by GLBA Safeguards Rule)
Would NOT preempt:
- State insurance privacy regulations (state insurance authorities retain enforcement power)
- State laws that aren’t specifically about privacy/security of NPI (e.g., state data breach notification laws likely survive)
- FCRA, which operates independently
- State consumer protection statutes not specifically targeting financial data privacy
The catch: federal preemption only helps if the new GLBA requirements are actually finalized. If the bill stalls — which is entirely possible for a discussion draft — you’re still stuck with the 20-state patchwork. And even if it passes, the one-year safe harbor for updating privacy notices means a transition period where both old and new requirements could arguably apply.
Who Owns This at Your Institution
At most mid-size banks (assets between $10B and $50B), data privacy compliance sits with the Chief Compliance Officer or a dedicated Privacy Officer reporting into Legal or Compliance. At community banks, it’s often the BSA/Compliance Officer wearing another hat. At fintechs, ownership typically falls to the Head of Legal or General Counsel, with operational support from Engineering.
Regardless of org structure, the GLBA overhaul touches multiple teams:
| Function | What Changes |
|---|---|
| Compliance/Privacy | New notice requirements, consumer rights workflows, data minimization policies |
| IT/Data Engineering | Data inventory, deletion infrastructure, retention automation |
| Legal | Preemption analysis, retention schedule updates, AI disclosure review |
| Risk Management | Privacy risk assessments, third-party data sharing reviews |
| Marketing | Geolocation and behavioral data collection practices |
| AI/Model Risk | Inventory of AI systems processing NPI, disclosure language |
The coordination challenge is real. A data minimization assessment requires input from business lines (why do we collect this?), IT (where does it live?), Legal (what are we required to retain?), and Compliance (does our collection align with stated purposes?). That’s a cross-functional effort that needs executive sponsorship to move.
What to Do Right Now (Even Though This Is Just a Draft)
Discussion drafts die in committee all the time. But the direction of travel — stronger federal financial privacy, data minimization, consumer rights, AI transparency — is clear regardless of whether this specific bill passes. Here’s a 90-day action plan:
Days 1-30: Inventory and Assess
- Complete a data inventory. If you don’t have one, start. Map every category of NPI you collect, which systems store it, who has access, how long you retain it, and who you share it with. This is table stakes for any modern privacy program and you’ll need it regardless of which law applies.
- Catalog AI touchpoints. Identify every system that uses AI/ML to process customer NPI. Include fraud detection, underwriting models, chatbots, marketing personalization, and credit decisioning. For each, document what NPI feeds in and what decisions or outputs result.
- Assess deletion capability. Can you actually delete a customer’s data across all systems when asked? Most financial institutions can’t — data is replicated, archived, embedded in analytics, and subject to multiple retention requirements. Map the gaps.
Days 31-60: Build the Framework
- Draft data minimization policies. For each data element, document the legitimate business purpose for collection. Flag anything collected “just in case” or for purposes that could be served with less data.
- Design deletion-request workflows. Build a process that receives deletion requests, checks against retention schedules and legal holds, identifies deletable data across systems, executes deletion, and confirms completion. Automate where possible — manual deletion across 30 systems isn’t sustainable.
- Update privacy notice templates. Draft expanded notices that cover purpose of collection, retention practices, AI use, and deletion rights. Even if the GLBA bill doesn’t pass, California’s CPRA regulations already require much of this.
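The deletion-request evaluation step above (and the retention exceptions discussed under consumer deletion rights) as an added example that is not part of the original post: a small Python routine that checks every inventoried data element for a departed customer against a retention schedule and legal-hold flags, and records the justification for anything retained. The schedule, retention periods, categories and system names are constructed placeholders for illustration, not statutory values.

```python
from dataclasses import dataclass
from datetime import date
# Constructed schedule: category -> (retention basis, years after relationship end); periods are placeholders
RETENTION_SCHEDULE = {
    "transaction_history": ("BSA/AML recordkeeping", 5),
    "tax_forms": ("Tax reporting", 7),
    "credit_dispute_file": ("FCRA obligations", 2),
    "marketing_preferences": (None, 0),   # no retention basis: deletable
    "voiceprint": (None, 0),              # biometric NPI under the expanded definition
}

@dataclass
class DataElement:
    system: str          # where the copy lives (core banking, CRM, analytics, ...)
    category: str        # inventory category, keyed to RETENTION_SCHEDULE
    legal_hold: bool = False
def evaluate_deletion_request(elements, relationship_end, request_date):
    """Return (system, category, action, justification) per element; action is delete/retain/review."""
    plan = []
    for el in elements:
        basis, years = RETENTION_SCHEDULE.get(el.category, ("unclassified", None))
        if el.legal_hold:
            action, why = "retain", "Litigation hold in place"
        elif years is None:
            # Unclassified data cannot be deleted or retained by rule: route it to a human reviewer
            action, why = "review", "Category missing from retention schedule"
        elif basis is None:
            action, why = "delete", "No retention requirement"
        else:
            # Retention clock runs from the end of the customer relationship (assumes no Feb 29 end date)
            expiry = relationship_end.replace(year=relationship_end.year + years)
            if request_date >= expiry:
                action, why = "delete", f"{basis} period expired {expiry}"
            else:
                action, why = "retain", f"{basis} requires retention until {expiry}"
        plan.append((el.system, el.category, action, why))
    return plan

def sample_plan():
    """Constructed request: relationship ended 2022-03-01, deletion requested 2026-03-19."""
    inventory = [
        DataElement("core_banking", "transaction_history"),
        DataElement("tax_reporting", "tax_forms"),
        DataElement("loan_origination", "credit_dispute_file", legal_hold=True),
        DataElement("crm", "marketing_preferences"),
        DataElement("mobile_app", "voiceprint"),
        DataElement("analytics_lake", "clickstream"),   # never mapped to the schedule
    ]
    return evaluate_deletion_request(inventory, date(2022, 3, 1), date(2026, 3, 19))
```

The returned plan doubles as the audit record: every retained element carries the rule and date that justify keeping it, and anything not in the inventory surfaces as a review item instead of being silently kept or dropped.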
Days 61-90: Operationalize
- Run a preemption impact assessment. Map your current state-by-state privacy obligations. Identify which would be eliminated by federal preemption and which would survive. This tells you the cost savings if preemption passes — useful for business-case justifications.
- Train front-line teams. Customer-facing staff need to know how to handle deletion requests and AI-related privacy inquiries. Build scripts and escalation paths.
- Brief the board or senior management. Package the regulatory trajectory (GLBA overhaul + state law proliferation + AI transparency requirements) into a 10-minute executive summary. Include resource asks for the data inventory and deletion infrastructure buildout.
The Bigger Picture: Why This Matters Even If the Bill Dies
Even if the Huizenga draft never becomes law, it signals where federal financial privacy regulation is heading. The themes are consistent across every recent regulatory action:
- Data minimization is coming. Whether through GLBA reform, CFPB rulemaking, or state law convergence, the era of unlimited data collection is ending for financial services.
- Consumer deletion rights are expanding. CCPA started it. State laws are spreading it. Federal law will eventually codify it.
- AI transparency is non-negotiable. Between the FS AI RMF, state AI laws (Texas’s Responsible AI Governance Act took effect January 1), and the EU AI Act’s extraterritorial reach, disclosing how AI processes consumer data is becoming a baseline expectation.
- The state patchwork is unsustainable. Twenty state laws and counting. Congress will eventually act — the question is when and how, not whether.
Compliance teams that build data minimization, deletion capability, and AI transparency into their programs now aren’t just preparing for this bill. They’re building infrastructure that every plausible future regulatory scenario requires. That’s not speculation — it’s risk management.
So What?
The GLBA overhaul is a discussion draft, not a done deal. But the compliance capabilities it requires — data inventory, purpose limitation, deletion infrastructure, AI disclosure — are things every financial institution should be building anyway. The state privacy law landscape is already demanding most of this. Federal preemption would simplify the jurisdictional math, but the underlying work is the same.
Don’t wait for final legislation to start. The institutions that mapped their data flows and built deletion workflows two years ago aren’t scrambling right now. Be that institution.
If you’re building a data privacy compliance program from scratch or updating an existing one, the Data Privacy Compliance Kit includes data inventory templates, privacy notice frameworks, and assessment tools designed for financial services teams.
FAQ
Does the GLBA overhaul preempt the CCPA for banks?
If passed as drafted, yes — for nonpublic personal information subject to GLBA Title V. The draft expressly supersedes state privacy and security laws as applied to financial institutions handling NPI. However, CCPA obligations related to data that falls outside GLBA’s NPI definition (like employee data or B2B contact data) would likely survive. The bill is a discussion draft and hasn’t been introduced as formal legislation yet.
When would the new GLBA requirements take effect?
The draft doesn’t specify an effective date yet — it’s still a discussion draft released for the March 17, 2026 House Financial Services Committee hearing. Even in an optimistic scenario, finalization would take 12-18 months. The draft includes a one-year safe harbor for privacy notice updates after new model forms are issued, giving institutions time to transition.
Do financial institutions need to comply with state privacy laws right now?
Yes. Until and unless federal preemption passes, state comprehensive privacy laws apply based on each state’s jurisdictional thresholds. As of March 2026, 20 states have active comprehensive privacy laws with varying applicability triggers, consumer rights, and enforcement mechanisms. State privacy laws also treat GLBA-covered institutions differently: some exempt GLBA-covered entities entirely, others exempt only data already subject to GLBA, and some provide no exemption at all. Map your exposure state by state.
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.