S 2513 IS
106th CONGRESS
2d Session
S. 2513
To strengthen control by consumers over the use and disclosure of
their personal financial and health information by financial institutions, and
for other purposes.
IN THE SENATE OF THE UNITED STATES
May 4, 2000
Mr. LEAHY (for himself, Mr. SARBANES, Mr. ROBB, Mr. DODD, Mr. KERRY, Mr.
BRYAN, Mr. EDWARDS, Mr. DURBIN, Mr. HARKIN, and Mrs. FEINSTEIN) introduced the
following bill; which was read twice and referred to the Committee on Banking,
Housing, and Urban Affairs
A BILL
To strengthen control by consumers over the use and disclosure of
their personal financial and health information by financial institutions, and
for other purposes.
Be it enacted by the Senate and House of Representatives of the United
States of America in Congress assembled,
SECTION 1. SHORT TITLE AND TABLE OF CONTENTS.
(a) SHORT TITLE- This Act may be cited as the `Financial Information
Privacy Protection Act of 2000'.
(b) TABLE OF CONTENTS- The table of contents for this Act is as
follows:
Sec. 1. Short title; table of contents.
Sec. 2. Opt-out requirement for disclosure to affiliates and
nonaffiliated third parties.
Sec. 3. Restricting the transfer of information about personal spending
habits.
Sec. 4. Restricting the use of health information in making credit and
other financial decisions.
Sec. 5. Limits on redisclosure and reuse of information.
Sec. 6. Consumer rights to access and correct information.
Sec. 7. Improved enforcement authority.
Sec. 8. Enhanced disclosure of privacy policies.
Sec. 9. Limit on disclosure of account numbers.
Sec. 10. General exceptions.
Sec. 11. Definitions.
Sec. 12. Issuance of implementing regulations.
Sec. 13. FTC rulemaking authority under the Fair Credit Reporting
Act.
SEC. 2. OPT-OUT REQUIREMENT FOR DISCLOSURE TO AFFILIATES AND NONAFFILIATED
THIRD PARTIES.
Section 502(a) of the Gramm-Leach-Bliley Act (15 U.S.C. 6802(a)) is
amended to read as follows:
`(a) DISCLOSURE OF NONPUBLIC PERSONAL INFORMATION- Except as otherwise
provided in this subtitle, a financial institution may not disclose any
nonpublic personal information to an affiliate or a nonaffiliated third party
unless such financial institution--
`(1) has provided to the consumer a clear and conspicuous notice, in
writing or electronic form or other form permitted by the regulations
implementing this subtitle, of the categories of information that may be
disclosed to the--
`(B) nonaffiliated third party;
`(2) has given the consumer an opportunity, before the time that such
information is initially disclosed, to direct that such information not be
disclosed to such--
`(B) nonaffiliated third party; and
`(3) has given the consumer the ability to exercise that nondisclosure
option through the same method of communication by which the consumer
received the notice described in paragraph (1) or another method at least as
convenient to the consumer, and an explanation of how the consumer can
exercise such option.'.
SEC. 3. RESTRICTING THE TRANSFER OF INFORMATION ABOUT PERSONAL SPENDING
HABITS.
Section 502(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6802(b)) is
amended to read as follows:
`(b) RESTRICTION ON THE TRANSFER OF INFORMATION ABOUT PERSONAL SPENDING
HABITS-
`(1) IN GENERAL- Notwithstanding subsection (a), if a financial
institution provides a service to a consumer through which the consumer
makes or receives payments or transfers by check, debit card, credit card,
or other similar instrument, the financial institution shall not transfer to
an affiliate or a nonaffiliated third party--
`(A) an individualized list of that consumer's transactions or an
individualized description of that consumer's interests, preferences, or
other characteristics; or
`(B) any such list or description constructed in response to an
inquiry about a specific, named individual;
if the list or description is derived from information collected in the
course of providing that service.
`(2) RESTRICTION ON TRANSFER OF AGGREGATE LISTS CONTAINING CERTAIN
HEALTH INFORMATION- Notwithstanding subsection (a), a financial institution
shall not transfer to an affiliate or a nonaffiliated third party any
aggregate list of consumers containing or derived from individually
identifiable health information.
`(A) IN GENERAL- The financial institution may disclose the
information described in paragraph (1) or (2) to an affiliate or a
nonaffiliated third party if such financial institution--
`(i) has clearly and conspicuously requested in writing or in
electronic form or other form permitted by the regulations implementing
this subtitle, that the consumer affirmatively consent to such
disclosure; and
`(ii) has obtained from the consumer such affirmative consent and
such consent has not been withdrawn.
`(B) RULE OF CONSTRUCTION- This subsection shall not be construed as
preventing a financial institution from transferring the information
described in paragraph (1) or (2) to an affiliate or a nonaffiliated third
party for the purposes described in paragraph (1), (2), (3), (5), (7),
(8), (9), or (10) of subsection (f).
`(C) SCOPE OF APPLICATION- Paragraph (1) shall not apply to the
transfer of aggregate lists of consumers.'.
SEC. 4. RESTRICTING THE USE OF HEALTH INFORMATION IN MAKING CREDIT AND OTHER
FINANCIAL DECISIONS.
(a) RESTRICTION ON USE OF CONSUMER HEALTH INFORMATION- Section 502(c) of
the Gramm-Leach-Bliley Act (15 U.S.C. 6802(c)) is amended to read as
follows:
`(c) USE OF CONSUMER HEALTH INFORMATION AVAILABLE FROM AFFILIATES AND
NONAFFILIATED THIRD PARTIES- In deciding whether, or on what terms, to offer,
provide, or continue to provide a financial product or service to a consumer,
a financial institution shall not obtain or receive individually identifiable
health information about the consumer from an affiliate or nonaffiliated third
party, or evaluate or otherwise consider any such information, unless the
financial institution--
`(1) has clearly and conspicuously requested in writing or in electronic
form or other form permitted by the regulations implementing this subtitle,
that the consumer affirmatively consent to the transfer and use of that
information with respect to a particular financial product or service;
`(2) has obtained from the consumer such affirmative consent and such
consent has not been withdrawn; and
`(3) requires the same health information about all consumers as a
condition for receiving the financial product or service.'.
(b) EXISTING PROTECTIONS FOR HEALTH INFORMATION NOT AFFECTED- Title V of
the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) is amended by adding after
section 510 the following new section:
`SEC. 511. RELATION TO STANDARDS ESTABLISHED UNDER THE HEALTH INSURANCE
PORTABILITY AND ACCOUNTABILITY ACT OF 1996.
`Nothing in this subtitle shall be construed as--
`(1) modifying, limiting, or superseding standards governing the privacy
and security of individually identifiable health information promulgated by
the Secretary of Health and Human Services under sections 262(a) and 264 of
the Health Insurance Portability and Accountability Act of 1996; or
`(2) authorizing the use or disclosure of individually identifiable
health information in a manner other than as permitted by other applicable
law.'.
(c) DEFINITION OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION- Section
509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809) is amended by adding at the
end the following new paragraph:
`(12) INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION- The term
`individually identifiable health information' means any information,
including demographic information obtained from or about an individual, that
is described in section 1171(6)(B) of the Social Security Act.'.
(d) TECHNICAL AND CONFORMING AMENDMENT- Section 505(a)(6) of the
Gramm-Leach-Bliley Act (15 U.S.C. 6805(a)(6)) is amended by inserting before
the period at the end `to the extent the provisions of such section are not
inconsistent with the provisions of this subtitle'.
SEC. 5. LIMITS ON REDISCLOSURE AND REUSE OF INFORMATION.
Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802) is amended--
(1) by redesignating subsections (d) and (e) as subsections (e) and (f),
respectively; and
(2) by inserting after subsection (c) the following new
subsection:
`(d) LIMITS ON REDISCLOSURE AND REUSE OF INFORMATION-
`(1) IN GENERAL- An affiliate or a nonaffiliated third party that
receives nonpublic personal information from a financial institution shall
not disclose such information to any other person unless such disclosure
would be lawful if made directly to such other person by the financial
institution.
`(2) DISCLOSURE UNDER A GENERAL EXCEPTION- Notwithstanding paragraph
(1), any person that receives nonpublic personal information from a
financial institution in accordance with one of the general exceptions in
subsection (f) may use or disclose such information only--
`(A) as permitted under that general exception; or
`(B) under another general exception in subsection (f), if necessary
to carry out the purpose for which the information was disclosed by the
financial institution.'.
SEC. 6. CONSUMER RIGHTS TO ACCESS AND CORRECT INFORMATION.
Title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) is amended
by adding after section 511 (as added by section 4(b) of this Act), the
following new section:
`SEC. 512. ACCESS TO AND CORRECTION OF INFORMATION.
`(1) IN GENERAL- Upon the request of a consumer, a financial institution
shall make available to the consumer information about the consumer that is
under the control of, and reasonably available to, the financial
institution.
`(2) EXCEPTIONS- Notwithstanding paragraph (1), a financial
institution--
`(A) shall not be required to disclose to a consumer any confidential
commercial information, such as an algorithm used to derive credit scores
or other risk scores or predictors;
`(B) shall not be required to create new records in order to comply
with the consumer's request;
`(C) shall not be required to disclose to a consumer any information
assembled by the financial institution, in a particular matter, as part of
the financial institution's efforts to comply with laws preventing fraud,
money laundering, or other unlawful conduct; and
`(D) shall not disclose any information required to be kept
confidential by any other Federal law.
`(b) CORRECTION- A financial institution shall provide a consumer the
opportunity to dispute the accuracy of any information disclosed to the
consumer pursuant to subsection (a), and to present evidence thereon. A
financial institution shall correct or delete material information identified
by a consumer that is materially incomplete or inaccurate.
`(c) COORDINATION AND CONSULTATION- In prescribing regulations
implementing this section, the Federal agencies specified in section 504(a)
shall consult with one another to ensure that the rules--
`(1) impose consistent requirements on the financial institutions under
their respective jurisdictions;
`(2) take into account conditions under which financial institutions do
business both in the United States and in other countries; and
`(3) are consistent with the principle of technology neutrality.
`(d) CHARGES FOR DISCLOSURES- A financial institution may impose a
reasonable charge for making a disclosure under this section, which charge
must be disclosed to the consumer before making the disclosure.'.
SEC. 7. IMPROVED ENFORCEMENT AUTHORITY.
(a) COMPLIANCE WITH PRIVACY POLICY- Section 503 of the Gramm-Leach-Bliley
Act (15 U.S.C. 6803) is amended by adding at the end the following new
subsection:
`(c) COMPLIANCE WITH PRIVACY POLICY- A financial institution's failure to
comply with any of its policies or practices disclosed to a consumer under
this section constitutes a violation of the requirements of this section.'.
(b) UNFAIR AND DECEPTIVE TRADE PRACTICE- Section 505(a)(7) of the
Gramm-Leach-Bliley Act (15 U.S.C. 6805(a)(7)) is amended by adding at the end
the following new sentence: `A violation of any requirement of this subtitle,
or the regulations of the Federal Trade Commission prescribed under this
subtitle, by a financial institution or other person described in this
paragraph shall constitute an unfair or deceptive act or practice in commerce
in violation of section 5(a) of the Federal Trade Commission Act.'.
(c) SUPPLEMENTAL STATE ENFORCEMENT FOR FTC REGULATED ENTITIES- Section 505
of the Gramm-Leach-Bliley Act (15 U.S.C. 6805) is amended by adding at the end
the following new subsection:
`(e) STATE ACTION FOR VIOLATIONS-
`(1) AUTHORITY OF THE STATES- In addition to such other remedies as are
provided under State law, if the attorney general of a State, or an officer
authorized by the State, has reason to believe that any financial
institution or other person described in section 505(a)(7) has violated or
is violating this subtitle or the regulations prescribed thereunder by the
Federal Trade Commission, the State may--
`(A) bring an action on behalf of the residents of the State to enjoin
such violation in any appropriate United States district court or in any
other court of competent jurisdiction; and
`(B) bring an action on behalf of the residents of the State to
enforce compliance with this subtitle and the regulations prescribed
thereunder by the Federal Trade Commission, to obtain damages,
restitution, or other compensation on behalf of the residents of such
State, or to obtain such further and other relief as the court may deem
appropriate.
`(2) RIGHTS OF THE FEDERAL TRADE COMMISSION- The State shall serve prior
written notice of any action under paragraph (1) upon the Federal Trade
Commission and shall provide the Commission with a copy of its complaint;
provided that, if such prior notice is not feasible, the State shall serve
such notice immediately upon instituting such action. The Federal Trade
Commission shall have the right--
`(A) to move to stay the action, pending the final disposition of a
pending Federal matter as described in paragraph (4);
`(B) to intervene in an action under paragraph (1);
`(C) upon so intervening, to be heard on all matters arising
therein;
`(D) to remove the action to the appropriate United States district
court; and
`(E) to file petitions for appeal.
`(3) INVESTIGATORY POWERS- For purposes of bringing any action under
this subsection, nothing in this subsection shall prevent the attorney
general, or officers of such State who are authorized by such State to bring
such actions, from exercising the powers conferred on the attorney general
or such officers by the laws of such State to conduct investigations or to
administer oaths or affirmations or to compel the attendance of witnesses or
the production of documentary and other evidence.
`(4) LIMITATION ON STATE ACTION WHILE FEDERAL ACTION IS PENDING- If the
Federal Trade Commission has instituted an action for a violation of this
subtitle, no State may, during the pendency of such action, bring an action
under this section against any defendant named in the complaint of the
Commission for any violation of this subtitle that is alleged in that
complaint.'.
(d) STATE ACTION FOR VIOLATIONS OF BAN ON PRETEXT CALLING- Section 522 of
the Gramm-Leach-Bliley Act (15 U.S.C. 6822) is amended by adding at the end
the following new subsection:
`(c) STATE ACTION FOR VIOLATIONS-
`(1) AUTHORITY OF THE STATES- In addition to such other remedies as are
provided under State law, if the attorney general of a State, or an officer
authorized by the State, has reason to believe that any person (other than a
person described in subsection (b)(1)) has violated or is violating this
subtitle, the State may--
`(A) bring an action on behalf of the residents of the State to enjoin
such violation in any appropriate United States district court or in any
other court of competent jurisdiction; and
`(B) bring an action on behalf of the residents of the State to
enforce compliance with this subtitle, to obtain damages, restitution, or
other compensation on behalf of the residents of such State, or to obtain
such further and other relief as the court may deem appropriate.
`(2) RIGHTS OF FEDERAL AGENCIES- The State shall serve prior written
notice of any action commenced under paragraph (1) upon the Attorney General
and the Federal Trade Commission, and shall provide the Attorney General and
the Commission with a copy of the complaint; provided that, if such prior
notice is not feasible, the State shall serve
such notice immediately upon instituting such action. The Attorney General
and the Federal Trade Commission shall have the right--
`(A) to move to stay the action, pending the final disposition of a
pending Federal matter as described in paragraph (4);
`(B) to intervene in an action under paragraph (1);
`(C) upon so intervening, to be heard on all matters arising
therein;
`(D) to remove the action to the appropriate United States district
court; and
`(E) to file petitions for appeal.
`(3) INVESTIGATORY POWERS- For purposes of bringing any action under
this subsection, nothing in this subsection shall prevent the attorney
general, or officers of such State who are authorized by such State to bring
such actions, from exercising the powers conferred on the attorney general
or such officers by the laws of such State to conduct investigations or to
administer oaths or affirmations or to compel the attendance of witnesses or
the production of documentary and other evidence.
`(4) LIMITATION ON STATE ACTION WHILE FEDERAL ACTION IS PENDING- If the
Attorney General has instituted a criminal proceeding or the Federal Trade
Commission has instituted a civil action for a violation of this subtitle,
no State may, during the pendency of such proceeding or action, bring an
action under this section against any defendant named in the criminal
proceeding or civil action for any violation of this subtitle that is
alleged in that proceeding or action.'.
SEC. 8. ENHANCED DISCLOSURE OF PRIVACY POLICIES.
(a) TIMING OF NOTICE TO CONSUMERS- Section 503(a) of the
Gramm-Leach-Bliley Act (15 U.S.C. 6803(a)) is amended to read as follows:
`(a) DISCLOSURE REQUIRED-
`(1) TIME OF DISCLOSURE- A financial institution shall provide a
disclosure that complies with paragraph (2)--
`(A) to an individual upon the individual's request;
`(B) as part of an application for a financial product or service from
the financial institution; and
`(C) to a consumer, prior to establishing a customer relationship with
the consumer and not less frequently than annually during the continuation
of such relationship.
`(2) DISCLOSURE FORMAT- The disclosure required by paragraph (1) shall
be a clear and conspicuous notice, in writing or in electronic form or other
form permitted by the regulations implementing this subtitle, of such
financial institution's policies and practices with respect to--
`(A) disclosing nonpublic personal information to affiliates and
nonaffiliated third parties, consistent with section 502, including the
categories of information that may be disclosed;
`(B) disclosing nonpublic personal information of persons who have
ceased to be customers of the financial institution; and
`(C) protecting the nonpublic personal information of
consumers.
Such disclosure shall be made in accordance with the regulations
implementing this subtitle.'.
(b) NOTICE OF RIGHTS TO ACCESS AND CORRECT INFORMATION- Section 503(b)(2)
of the Gramm-Leach-Bliley Act (15 U.S.C. 6803(b)(2)) is amended by inserting
`, and a statement of the consumer's right to access and correct such
information, consistent with section 512' after `institution'.
(c) TECHNICAL AND CONFORMING AMENDMENT- Section 503(b)(1)(A) of the
Gramm-Leach-Bliley Act (15 U.S.C. 6803(b)(1)(A)) is amended by striking
`502(e)' and inserting `502(f)'.
SEC. 9. LIMIT ON DISCLOSURE OF ACCOUNT NUMBERS.
Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802) is amended in
subsection (e) (as so redesignated by section 5) by inserting `affiliate or'
before `nonaffiliated third party'.
SEC. 10. GENERAL EXCEPTIONS.
Section 502(f) of the Gramm-Leach-Bliley Act (15 U.S.C. 6802) (as so
redesignated by section 5 of this Act) is amended--
(1) in the matter preceding paragraph (1), by striking `Subsections (a)
and (b)' and inserting `Subsection (a)';
(A) by striking `or' at the end of subparagraph (B);
(B) by inserting `or' after the semicolon at the end of subparagraph
(C); and
(C) by inserting after subparagraph (C) the following new
subparagraph:
`(D) performing services for or functions solely on behalf of the
financial institution with respect to the financial institution's own
customers, including marketing of the financial institution's own products
or services to the financial institution's customers;';
(3) in paragraph (4), by striking `, and the institution's attorneys,
accountants, and auditors';
(4) in paragraph (5), by inserting `section 21 of the Federal Deposit
Insurance Act,' after `title 31, United States Code,';
(5) in paragraph (7), by striking `or' at the end;
(6) in paragraph (8), by striking the period and inserting a semicolon;
and
(7) by adding at the end the following new paragraphs:
`(9) in order to facilitate customer service, such as maintenance and
operation of consolidated customer call centers or the use of consolidated
customer account statements; or
`(10) to the institution's attorneys, accountants, and auditors.'.
SEC. 11. DEFINITIONS.
Section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809) is amended--
(A) by striking `(3) FINANCIAL INSTITUTION' and all that follows
through `The term `financial institution' and inserting `(3) FINANCIAL
INSTITUTION- The term `financial institution'; and
(B) by striking subparagraphs (B), (C), and (D);
(2) by amending paragraph (4) to read as follows:
`(4) NONPUBLIC PERSONAL INFORMATION- The term `nonpublic personal
information' means--
`(A) any personally identifiable information, including a Social
Security number--
`(i) provided by a consumer to a financial institution, in an
application or otherwise, to obtain a financial product or service from
the financial institution;
`(ii) resulting from any transaction between a financial institution
and a consumer involving a financial product or service; or
`(iii) obtained by the financial institution about a consumer in
connection with providing a financial product or service to that
consumer, other than publicly available information, as such term is
defined by the regulations prescribed under section 504; and
`(B) any list, description or other grouping of one or more consumers
of the financial institution and publicly available information pertaining
to them.'; and
(3) in paragraph (9), by inserting `applies for or' before
`obtains'.
SEC. 12. ISSUANCE OF IMPLEMENTING REGULATIONS.
(a) IN GENERAL- The Federal agencies specified in section 504(a) of the
Gramm-Leach-Bliley Act (15 U.S.C. 6804(a)) shall prescribe regulations
implementing the amendments to subtitle A of title V of the Gramm-Leach-Bliley
Act made by this Act, and shall include such requirements determined to be
appropriate to prevent their circumvention or evasion.
(b) COORDINATION, CONSISTENCY, AND COMPARABILITY- The regulations issued
under subsection (a) shall be issued in accordance with the requirements of
section 504(a) of the Gramm-Leach-Bliley Act (15 U.S.C. 6804(a)), except that
the deadline in section 504(a)(3) shall not apply.
SEC. 13. FTC RULEMAKING AUTHORITY UNDER THE FAIR CREDIT REPORTING ACT.
Section 621(e) of the Fair Credit Reporting Act (15 U.S.C. 1681s(e)) is
amended by adding at the end the following new paragraph:
`(3) REGULATIONS- The Federal Trade Commission shall prescribe such
regulations as necessary to carry out the provisions of this title with
respect to any persons identified under paragraph (1) of subsection (a).
Prior to prescribing such regulations, the Federal Trade Commission shall
consult with the Federal banking agencies referred to in paragraph (1) of
this subsection in order to ensure, to the extent possible, comparability
and consistency with the regulations issued by the Federal banking agencies
under that paragraph.'.