June 23, 2022

The Honorable Janice Schakowsky
Chairwoman
Subcommittee on Consumer Protection & Commerce
U.S. House of Representatives
Washington, D.C. 20515

The Honorable Gus Bilirakis
Ranking Member
Subcommittee on Consumer Protection & Commerce
U.S. House of Representatives
Washington, D.C. 20515

Dear Chairwoman Schakowsky and Ranking Member Bilirakis:

On behalf of the financial services trade associations listed above, we are pleased to submit these comments regarding the American Data Privacy and Protection Act (ADPPA)(H.R. 8152).

Our members are strong proponents of protecting consumer data and privacy and have done so for a very long time because protecting consumer financial data is a cornerstone of their business. Our members have been subject to extensive federal privacy and data protection laws and regulations for several decades. While we support privacy and security protections for consumer data for all companies, especially technology and other firms that are increasingly moving into financial services, we have serious concerns about several provisions included in the ADPPA, as well as the overly rushed pace that this legislation is proceeding through the Committee process which will not allow for adequate input from stakeholders. We urge the Committee to carefully consider these concerns before proceeding further with this legislation.

GLBA and Data Privacy

The primary privacy and data security consumer protection law for consumer financial data is Title V of the Gramm-Leach Bliley Act (GLBA). With the GLBA, Congress carefully constructed a privacy and data security regime to provide an effective and successful balance between strong consumer protections and ensuring that consumer financial transactions take place in a safe and secure environment. In particular, the current regime has been carefully structured to ensure compliance with existing laws and regulations, adherence to judicial process, and protection from fraud, illicit finance, money laundering and terrorist financing. Further, GLBA grants federal financial regulators with broad authority to adopt necessary regulations to enact these standards, thus allowing the regulatory regime to adapt over time as privacy concerns evolve.

Notably, the GLBA requires that financial institutions provide consumers with notice of their privacy practices and generally prohibits such institutions from disclosing financial and other consumer information to third parties without first providing consumers with an opportunity to opt out of such sharing.

It is clear that Congress has long recognized the importance of privacy for financial institutions and has put in place several meaningful frameworks that include strong privacy and data security protections that have been carefully balanced with commonsense exceptions to minimize disruptions to financial markets. While the financial services trade associations support legislation to put in place a national privacy standard, that standard must recognize the strong privacy and data security standards that are already in place for the financial sector under the GLBA and other financial privacy laws and avoid provisions that duplicate or are inconsistent with those laws.

As currently framed, the ADPPA does not include unambiguous language for financial institutions to understand their exemption from the requirements of the bill. This will lead to duplicative and conflicting requirements for financial institutions already subject to oversight by GLBA regulation. This framework will be disruptive to the financial system, consumers, and the economy. The ADPPA should be amended to broaden the provision to exempt all GLBA regulated institutions to avoid such disruption.