Federal: AFC Letter to House Financial Services Committee on Current Federal Consumer Financial Data Privacy Law and Potential Legislative Proposals

August 28, 2025
The Honorable French Hill
Chairman
Committee on Financial Services
United States House of Representatives
Washington, D.C. 20515

The Honorable Maxine Waters|
Ranking Member
Committee on Financial Services
United States House of Representatives
Washington, D.C. 20515

Re: Request for Feedback on Current Federal Consumer Financial Data Privacy Law and Potential Legislative Proposals

Dear Chairman Hill and Ranking Member Waters:

On behalf of the American Fintech Council (AFC),  I am submitting this comment letter in response to the House Committee on Financial Services’ (the Committee) Request for Feedback on Current Federal Consumer Financial Data Privacy Law and Potential Legislative Proposals (Request for Feedback).

AFC is the premier trade association representing the largest financial technology (Fintech) companies and innovative banks who power them. Our mission is to promote a transparent, inclusive, and customer-centric financial system by supporting responsible innovation in financial services and encouraging sound public policy. AFC members foster competition in consumer finance and pioneer products to better serve underserved consumer segments and geographies. Our members are lowering the cost of financial transactions, allowing them to help meet demand for high-quality, affordable products.

As financial services become increasingly digital and interconnected, Congress has an important opportunity to modernize federal data privacy law. The Gramm-Leach-Bliley Act (GLBA) has long served as the foundation for federal consumer financial data privacy, setting baseline protections for non-public personal information while allowing financial institutions to responsibly collect, share, and use data to provide essential services. GLBA’s framework has enabled innovation and competition by ensuring flexibility to deliver modern financial products and partnerships, particularly between fintech companies and banks, while also ensuring strong safeguards for consumers. However, data and its movement, both inside and outside of the financial services industry has grown and developed significantly in the years since GLBA’s passage. This growth and development in the data ecosystem necessitates a more modern, harmonized approach for the data ecosystem. Modernizing GLBA through the passage of a comprehensive federal data privacy bill offers an opportunity for Congress to preserve these benefits, address the challenges posed by evolving technology, providing clarity for both consumers and institutions in a rapidly changing data ecosystem both inside and outside of the financial services industry.

AFC has consistently supported developing a unified approach to regulation that creates strong consumer protections while ensuring that fintech companies and their innovative bank partners can responsibly collect, share, and use data in ways that improve financial inclusion, competition, and affordability. Given the questions raised by the Committee, AFC respectfully submits the following three key recommendations:

I. AFC Recommends Pursuing a Comprehensive Data Privacy Bill that Establishes a Strong Federal Privacy Standard with Preemption

In past correspondences with the Committee, AFC has consistently advocated for clear and consistent “rules of the road” for industry participants to use when developing innovative products and services or engaging in a responsible bank-fintech partnership as well as a unified approach to regulating the financial services industry.  This approach ensures that consumers are not only protected, but also empowered with greater choice, lower costs, and more equitable access to financial services. Ultimately, a federal data privacy law should advance both consumer protection and economic opportunity, principles that are core to AFC’s mission. To that end, AFC believes that pursuing a comprehensive federal data privacy bill would be instrumental in meeting these principles and would ensure that the U.S. data privacy framework effectively recognizes the needs of the 21st century data ecosystem.

As evidenced by previously passed federal data privacy laws and data’s lack of geographic constraints, the issue ensuring prudent data privacy practices holds an intrinsic federal quality. This intrinsic federal quality has been further amplified by the rapid growth and development of the data ecosystem in the U.S. Data privacy and consumers’ financial information are not bound by state lines, information flows across geographies in real time, making uniform federal standards the critical forum for consistent protection and operational efficiency. Without federal action, the burden of conflicting rules will continue to grow, stifling innovation and ultimately undermining consumer trust. For several years, Congress has called for and, at times, considered a comprehensive federal data privacy bill.  Further, since 2013, the U.S. Government Accountability Office has called on Congress to “consider strengthening the current consumer privacy framework to reflect the effects of changes in technology and the marketplace—particularly in relation to consumer data used for marketing purposes—while also ensuring that any limitations on data collection and sharing do not unduly inhibit the economic and other benefits to industry and consumers that data sharing can accord”.  While AFC recognizes the difficulty with passing a comprehensive federal data privacy bill, the current policy and industry environments on this issue necessitates Congressional action.

Currently, 20 states have passed data privacy laws, with some states pursuing a comprehensive framework, while others opted for a narrow framework.  The varied nature of these state laws and their provisions has given rise to inconsistent state regulations that create significant challenges for responsible financial services companies seeking to comply with the myriad and nuanced requirements found within state laws. For example, California's recent Delete Request and Opt-Out Platform (DROP) Act highlights the challenges of a fragmented regulatory landscape. The proposed rule, which establishes a centralized Delete Request and Opt-Out Platform, would expand the definition of “data broker” in a way that would incorrectly categorize companies that collect information directly from consumers to provide requested services. In our public comment letter to the state regulator, AFC emphasizes that this approach contradicts the legislative intent of the California State Assembly and could force compliant providers to make operational changes that confuse consumers and increase regulatory burdens without improving consumer protection. Additionally, the proposed rule lacked the necessary verification processes that would ensure consumers are accessing financial services in a safe and sound manner.

Also, without federal leadership, inconsistent state regulations, as well as non-U.S. laws have become the de facto law of the land. Extraterritorial jurisdiction within data privacy has already started to occur in absence of a comprehensive federal data privacy law. The European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have caused responsible companies both inside and outside of financial services to modify their data practices in an effort to comply with these laws. Though some of the provisions offered in these statutes may align with AFC’s views of prudent data privacy practices, these laws technically leave a legal gap that allows nefarious actors to pursue data practices that, while disallowed by the statutes, may not be enforceable against the nefarious actor due to their limited jurisdiction. Thus, overreliance on these statutes in lieu of a comprehensive federal data privacy law may disadvantage responsible companies both inside and outside of the financial services industry and harm consumers.

As noted above, GLBA has helped encourage innovation in the financial services industry. Specifically, AFC members, including responsible fintech companies, utilize the existing GLBA exemptions to ensure they can collect and share data the same way traditional financial institutions do to deliver services. However, AFC and our member companies have also seen that the current “federal floor” approach has enabled a patchwork of regulatory requirements to arise across the states. These overlapping and sometimes contradictory requirements are ill suited to the modern financial services ecosystem, leading many states to compete in adopting increasing restrictive frameworks, often to the detriment of consumer access. These high burdens lead to increases in costs, preventing operational efficiencies from being developed. These issues underscore the need for a unified federal approach. Importantly, a preemptive federal standard would do away with this tangled patchwork, reduce compliance costs, and allow institutions to operate efficiently while maintaining robust consumer protections. As the Committee and Congress consider updating and modernizing GLBA, it is essential that these protections are retained.

Furtherance of the state-by-state patchwork approach to data privacy laws, extraterritorial data privacy landscape in the financial services industry, and limitations of the current GLBA “federal floor” approach have the strong potential to hinder innovation and harm consumers. Therefore, AFC respectfully recommends that the Committee consider pursuing a comprehensive federal data privacy bill built upon the principles of GLBA that offers strong federal preemption to state data privacy laws. Pursuing a comprehensive federal data privacy bill of this type would harmonize the existing data privacy legislative and regulatory landscape and effectively recognize the needs of the 21st century data ecosystem.

II. AFC Recommends Leveraging GLBA as the Foundation for Modern Data Privacy

As many of the Committee’s questions relating to Title V, Subtitle A of the GLBA also contend with definitional modernization, AFC is of the view that these definitions be precise and reflect a modern understanding of the financial services ecosystem. Clear and precise definitions will ensure consistent application of protections across institutions and services, reduce ambiguity, and facilitate compliance. As noted above, the existing GLBA framework has been helpful in encouraging innovation in the financial services industry. These principles should inform any data privacy modernization effort pursued by the Committee. Equally important, any legislative reform should preserve existing GLBA exemptions that allow institutions to responsibly collect and share data necessary for core services, such as identity verification, transaction processing, and regulatory compliance. Maintaining this operational flexibility ensures that institutions can continue delivering essential financial services while safeguarding consumers’ data and privacy.

AFC also believes that any reforms to GLBA should work to harmonize its provisions with other existing data privacy laws in a manner that does not cause harm to innovative banks and fintech companies delivering responsible products to consumers. As demonstrated above, AFC advocates for harmonization of both federal and state laws. This is especially important on cross-sectoral issues, such as data privacy. Ensuring consumer data remains protected both within and outside of the financial services industry is also important because consumers do not necessarily distinguish their expectations for protection, use, and conveyance of data between types of data or which entity holds the data.

Further, to avoid the furtherance of the patchwork of state data privacy regime that we described above, a modernized GLBA should provide an entity-level and data-level exemption to state laws. This reform would ensure that the entire supply chain of banking has a harmonized data privacy regime. The current definition of “financial institution” used in GLBA does not fully contemplate services such as data aggregation. To ensure there is a comprehensive quality associated with any GLBA reforms, including the development of a comprehensive data privacy act, the Committee should seek to ensure that the “financial institution” definition also encompasses the conveyance or movement of financial data. Modernizing GLBA in this way will ensure consumers receive both strong protections and meaningful disclosures. At the same time, Congress should recognize that privacy safeguards must be balanced with compliance efficiency and data minimization, which brings us to the importance of aligning privacy with modernization of customer identification and data access requirements.

III. AFC Recommends Codifying Consumer Data Rights while Ensuring Responsible Innovation can Flourish

AFC consistently advocates for pragmatic regulation that recognizes the nuances present and the need to balance privacy, operational needs, regulatory compliance, and financial inclusion. Ensuring consumers can access, correct, and delete their data should they choose to do so will help ensure that the modern data ecosystem protects consumers effectively. Further, giving consumers greater control over their data can expand choice and lower costs. Further, through the continued development of application program interfaces (APIs) and regtech tools, financial institutions can ensure data is transmitted securely and that regulatory requirements related to key areas such as fraud detection, anti-money laundering efforts, and customer identification, are met. Data remains a crucial component to the efficacy of these tools and, in turn, the safety and soundness of the financial services industry. Therefore, as the Committee considers modernizing the U.S. data privacy statutory framework, it should also ensure that existing exemptions that have allowed these important, innovative tools to flourish remain intact.

The Committee and Congress have an opportunity to ensure that federal privacy law can further support the innovative bank-fintech partnerships that improve affordability, expand access, and foster competition, particularly for underserved consumers and geographies. Through these responsible industry uses of modern data collection and usage practices, customers are offered significant benefits, such as the ability to access affordable loans and other banking services not previously available to them. Innovative banks and their fintech partners can offer these products responsibly to consumers by leveraging the consumer-permissioned data collected on the fintech company’s platform. As evidenced in multiple government, industry, and academic reports these activities have provided significant consumer benefits to consumers, particularly those in traditionally underserved areas, such as low- and moderate-income communities.

The responsible, consumer-permissioned secondary use of their data has been instrumental in increasing the availability and use of innovative financial products and services, particularly to those communities that have been historically underserved by the financial services industry. Innovative banks and their fintech partners have been able to leverage the consumer data provided to notify consumers about loans, savings accounts, and other services that would improve their financial health.

As the Committee considers legislative efforts to modernize the federal approach to data privacy, it should ensure that consumers receive adequate disclosures regarding the use of their data and that financial services companies are able to use that data to effectively serve current and future consumers. Further, in the event of a data breach, AFC believes that any modern data privacy law should limit the liability to the entity whose systems were breached and ensure that this liability does not extend beyond that entity insofar as the other institutions in the “supply chain” of the data have proper data protection and risk management practices in place.

* * *

AFC appreciates the opportunity to submit comments on current federal consumer financial data privacy law and potential legislative proposals to account for changes in the consumer financial services sector. It is our sincere hope that the Committee will use the perspectives provided within this letter to craft a pragmatic and effective federal consumer data privacy framework that both protects consumers and fosters innovation.

AFC welcomes continued engagement with the Committee and Congress on these important reforms.

Sincerely,

Ian P. Moloney
SVP, Head of Policy and Regulatory Affairs
American Fintech Council

[1] AFC’s membership spans technology platforms, non-bank lenders, banks, payments providers, loan servicers, credit bureaus, and personal financial management companies.
[2] American Fintech Council, “Request for Feedback on “Make Community Banking Great Again ”Principles and Slate of Bills (Mar. 31, 2025), https://www.fintechcouncil.org/advocacy/federal-afc-letter-to-house-financial-services-committee-on-principles-to-make-community-banking-great-again

[3] H.R.8152- 117th Congress (2021-2022): American Data Privacy and Protection Act,H.R.8152, 117th Cong. (2022), available at https://www.congress.gov/bill/117th-congress/house-bill/8152. and H.R.8818 - 118th Congress (2023-2024):American Privacy Rights Act of 2024, H.R.8818, 118th Cong. (2024), available at https://www.congress.gov/bill/118th-congress/house-bill/8818/text.
41] U.S.Government Accountability Office, Consumer Privacy Framework Needs toReflect Changes in Technology and the Marketplace, GAO-13-663, (Sept. 25,2013), available at https://www.gao.gov/products/gao-13-663
[5] Bloomberg Law, Which States Have Consumer Data Privacy Laws? (April 7, 2025), Available at https://pro.bloomberglaw.com/insights/privacy/state-privacy-legislation-tracker/#map-of-state-privacy-laws
[6] American Fintech Council “AFC Comment Letter on CPPA's Accessible Deletion Mechanism Regulation” (June 10, 2025), https://www.fintechcouncil.org/advocacy/ca-afc-comment-letter-on-cppas-accessible-deletion-mechanism-regulation
[7] See Federal Reserve Bank of St. Louis, “Unsecured Personal Loans Get a Boost from Fintech Lenders” (2019), available at https://www.stlouisfed.org/publications/regional-economist/second-quarter-2019/unsecuredpersonal-loans-fintech, Federal Reserve Bank of San Francisco, “Community Development Innovation Review, Fintech, Racial Equity, and an Inclusive Financial System” (2021), available at https://www.frbsf.org/wp-content/uploads/sites/3/fintech-racialequity-inclusive-financial-system.pdf. See also U.S. Department of the Treasury, “Report to the White House Competition Council, Assessing the Impact of New Entrant Non-Bank Firms on Competition in Consumer Finance Markets” at 75-79(2022), available at https://home.treasury.gov/news/press-releases/jy1105, and Dolson and Jagtiani (2023).