{ "legislationId": "119_HR_8398", "lastUpdate": "2026-04-28T11:20:09.018Z", "history": [ { "timestamp": "2026-04-28T11:20:09.018Z", "source_url": "https://www.congress.gov/119/bills/hr8398/BILLS-119hr8398ih.htm", "model": "gemini-flash-lite-latest", "prompt_sent": "\nROLE: Fact Checker.\nZADANIE: Porównaj SOURCE (oryginał) i SUMMARY (streszczenie przygotowane przez inne AI).\n\nTwoim celem jest wykrycie \"ZMYŚLONYCH KONKRETÓW\" (Fabricated Entities) w SUMMARY.\n\nSOURCE:\n[Congressional Bills 119th Congress] [From the U.S. Government Publishing Office] [H.R. 8398 Introduced in House (IH)] 119th CONGRESS 2d Session H. R. 8398 To make improvements to title V of the Gramm-Leach-Bliley Act, and for other purposes. _______________________________________________________________________ IN THE HOUSE OF REPRESENTATIVES April 21, 2026 Mr. Huizenga (for himself, Mr. Barr, Mr. Steil, and Mr. Hill of Arkansas) introduced the following bill; which was referred to the Committee on Financial Services _______________________________________________________________________ A BILL To make improvements to title V of the Gramm-Leach-Bliley Act, and for other purposes. Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. SHORT TITLE; TABLE OF CONTENTS. (a) Short Title.--This Act may be cited as the ``Guidelines for Use, Access, and Responsible Disclosure of Financial Data Act'' or the ``GUARD Financial Data Act''. (b) Table of Contents.--The table of contents for this Act is as follows: Sec. 1. Short title; table of contents. TITLE I--IMPROVEMENTS TO TREATMENT OF CONSUMER FINANCIAL DATA Sec. 101. Subtitle and section heading alterations. Sec. 102. Data minimization. Sec. 103. Continuing consumer opt out right. Sec. 104. Limits on use of consumer access credentials. Sec. 105. Additional information to be included in notices to consumers. Sec. 106. Customer access to privacy and disclosure policies. Sec. 107. Requests for disclosure of or deletion of nonpublic personal information. Sec. 108. Opt in for sensitive nonpublic personal information. TITLE II--REGULATORY CONSIDERATION FOR SMALL FINANCIAL INSTITUTIONS Sec. 201. Regulatory consideration for small financial institutions. TITLE III--RELATION TO OTHER LAWS Sec. 301. Relation to State laws. TITLE IV--ADDITIONS TO DEFINITIONS Sec. 401. Additions to definitions. TITLE I--IMPROVEMENTS TO TREATMENT OF CONSUMER FINANCIAL DATA SEC. 101. SUBTITLE AND SECTION HEADING ALTERATIONS. The Gramm-Leach-Bliley Act is amended-- (1) in title V (15 U.S.C. 6801 et seq.)-- (A) in subtitle A, in the heading of the subtitle, by striking ``Disclosure'' and inserting ``Treatment''; and (B) in section 502, by striking ``disclosures of'' and inserting ``nonpublic''; and (2) in the table of contents for such Act-- (A) in the item relating to subtitle A of title V, by striking ``Disclosure'' and inserting ``Treatment''; and (B) in the item relating to section 502, by striking ``disclosures of'' and inserting ``nonpublic''. SEC. 102. DATA MINIMIZATION. (a) In General.--Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802) is amended-- (1) in subsection (e), by striking ``Subsections (a) and (b)'' and inserting ``Subsections (a), (b), and (f)''; (2) in subsection (e), by inserting ``collection or'' before ``disclosure''; and (3) by adding at the end the following: ``(f) Data Minimization.-- ``(1) In general.--A financial institution shall limit the collection or disclosure of nonpublic personal information to what is adequate, relevant, and reasonably necessary in relation to each purpose for which the nonpublic personal information is collected or disclosed, and if such collection or disclosure is not otherwise prohibited by this subtitle or the amendments made by this subtitle. ``(2) Rule of construction.--Nothing in paragraph (1) shall be construed to prevent a financial institution from disclosing nonpublic personal information-- ``(A) to a nonaffiliated third party pursuant to subsection (b)(2); ``(B) to a nonaffiliated third party as required by section 1033 of the Consumer Financial Protection Act of 2010 (12 U.S.C. 5533); ``(C) to comply with a request from a consumer reporting agency (as defined in section 603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f))) to the extent the consumer reporting agency is engaged in activities subject to the Fair Credit Reporting Act; ``(D) to an agency with regulatory jurisdiction over the financial institution; ``(E) to a self-regulatory organization of which the financial institution is a member; ``(F) as otherwise permitted or required by this subtitle; or ``(G) as otherwise required by law.''. (b) Effective Date.--This section shall take effect 2 years after the date of enactment of this Act. SEC. 103. CONTINUING CONSUMER OPT OUT RIGHT. Section 502(b)(1) of the Gramm-Leach-Bliley Act (15 U.S.C. 6802(b)(1)) is amended-- (1) in subparagraph (B), by inserting after ``initially disclosed'' the following: ``and with that opportunity exercisable by the consumer at any time thereafter''; and (2) in subparagraph (C), by inserting before the period at the end the following: ``before the time that such information is initially disclosed and with that explanation accessible to the consumer at any time thereafter''. SEC. 104. LIMITS ON USE OF CONSUMER ACCESS CREDENTIALS. (a) In General.--Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802), as amended by section 102(3), is further amended by adding at the end the following: ``(g) Limits on Use of Consumer Access Credentials.-- ``(1) Notice and opt out.--A financial data aggregator or nonaffiliated third party may not use the access credentials of a consumer to access an electronic form of the consumer's account at, or otherwise obtain an electronic form of nonpublic personal information of the consumer from, a financial institution unless-- ``(A) before the time that such access credentials are initially collected, the financial data aggregator or nonaffiliated third party provides a clear and conspicuous disclosure to such consumer that includes-- ``(i) how the financial data aggregator or nonaffiliated third party will use such access credentials; ``(ii) whether the financial data aggregator or nonaffiliated third party will disclose such access credentials to a third party not affiliated with the financial data aggregator or nonaffiliated third party; and ``(iii) a notification of-- ``(I) the risks to privacy and security of nonpublic personal information associated with use of access credentials to obtain nonpublic personal information held by a financial institution; and ``(II) the practices of the financial data aggregator or nonaffiliated third party to ensure the privacy and security of nonpublic personal information obtained using access credentials; and ``(B) the consumer is given the opportunity to direct that such access credentials not be used to access the consumer's account at, or otherwise obtain nonpublic personal information of the consumer from, the financial institution. ``(2) Treatment of access credential-based request.--A financial institution may not deny a disclosure request from a financial data aggregator or a nonaffiliated third party using the access credentials of a consumer if the consumer-- ``(A) has received the disclosure described in paragraph (1)(A); and ``(B) has been given the opportunity to direct that such access credentials not be used, as described in paragraph (1)(B). ``(3) Rule of construction.--Notwithstanding paragraphs (1) and (2), when complying with this subsection, a financial institution, financial data aggregator, or nonaffiliated third party shall comply with any requirements of section 1033 of the Consumer Financial Protection Act of 2010 (12 U.S.C. 5533) with respect to the use of the access credentials of a consumer to access an electronic form of the consumer's account at, or otherwise obtain an electronic form of nonpublic personal information of the consumer from, a financial institution.''. (b) Effective Date.--This section shall take effect 1 year after the date of enactment of this Act. SEC. 105. ADDITIONAL INFORMATION TO BE INCLUDED IN NOTICES TO CONSUMERS. (a) In General.--Section 503(c) of the Gramm-Leach-Bliley Act (15 U.S.C. 6803(c)) is amended-- (1) in paragraph (3) by striking ``and'' at the end; (2) by redesignating paragraph (4) as paragraph (11); and (3) by inserting after paragraph (3) the following: ``(4) the categories of purposes for which the financial institution-- ``(A) collects nonpublic personal information; and ``(B) discloses nonpublic personal information to a nonaffiliated third party; ``(5) the categories of practices of the financial institution with respect to the financial institution's retention of nonpublic personal information; ``(6) the categories of practices of the financial institution with respect to the financial institution's use of artificial intelligence in the collection, processing, and utilization of nonpublic personal information; ``(7) whether any nonpublic personal information of the consumer is processed in, retained in, or disclosed to a covered nation; ``(8) an explanation of how a consumer can exercise the option pursuant to section 502(b) to direct that nonpublic personal information not be disclosed to a nonaffiliated third party before the time that such information is initially disclosed and at any time thereafter; ``(9) an explanation of how a customer can exercise the option to request a copy of the disclosure required by subsection (a) pursuant to subsection (g); ``(10) an explanation of how a customer or former customer can exercise the option to request disclosure of nonpublic personal information and how a former customer can exercise the option to request deletion of nonpublic personal information pursuant to section 503A; and''. (b) Update of Model Forms.-- (1) In general.--The agencies referred to in section 504(a)(1) of the Gramm-Leach-Bliley Act (15 U.S.C. 6804(a)(1)) shall, in consultation with the Federal functional regulators, jointly develop updates to the model form mandated by section 503(e) of such Act. (2) Safe harbor.--During the 2-year period beginning on the date the agencies finalize updates to the model form under paragraph (1), a financial institution shall be deemed to be compliant with section 502(a) of the Gramm-Leach-Bliley Act (15 U.S.C. 6802(a)) if the disclosures of the financial institution under section 503 of such Act comply with the model form issued pursuant to section 503(e) in effect on the date of enactment of this Act. SEC. 106. CUSTOMER ACCESS TO PRIVACY AND DISCLOSURE POLICIES. Section 503 of the Gramm-Leach-Bliley Act (15 U.S.C. 6803) is amended by inserting at the end the following: ``(g) Customer Access to Privacy and Disclosure Policies.--A financial institution shall, upon a customer request, provide such customer with a copy of the disclosure required by subsection (a) in writing or in electronic form or other form permitted by the regulations prescribed under section 504.''. SEC. 107. REQUESTS FOR DISCLOSURE OF OR DELETION OF NONPUBLIC PERSONAL INFORMATION. (a) In General.--Title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) is amended by inserting after section 503 the following: ``SEC. 503A. REQUESTS FOR DISCLOSURE OF OR DELETION OF NONPUBLIC PERSONAL INFORMATION. ``(a) Customer or Former Customer Request for Disclosure of Nonpublic Personal Information.-- ``(1) In general.--Upon a request from a customer or former customer of a financial institution, such financial institution shall disclose to the customer or former customer-- ``(A) pursuant to the requirements of section 1033 of the Consumer Financial Protection Act of 2010 (12 U.S.C. 5533), any nonpublic personal information of the customer or former customer in the control or possession of the financial institution; and ``(B) a list of the categories of affiliates and nonaffiliated third parties to whom the financial institution has disclosed nonpublic personal information of the customer or former customer (other than disclosures of nonpublic personal information made to an affiliate or a nonaffiliated third party pursuant to an exception under section 502(e)). ``(2) Exception.--Paragraph (1) shall not apply to the extent that disclosure of nonpublic personal information to a customer or former customer is prohibited under other provisions of law. ``(b) Former Customer Request for Deletion of Nonpublic Personal Information.-- ``(1) In general.--Upon a request from a former customer, a financial institution shall delete any nonpublic personal information of the former customer held by the financial institution. ``(2) Former customer deletion request exceptions.-- Paragraph (1) shall not require deletion of nonpublic personal information of a former customer by a financial institution where-- ``(A) the nonpublic personal information is required to be retained for a continuing purpose pursuant to an exception described under section 502(e); ``(B) the holder of the nonpublic personal information is a consumer reporting agency, as defined in section 603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)), and the nonpublic personal information is held solely to the extent that it is used in activities subject to the Fair Credit Reporting Act; ``(C) the nonpublic personal information is required to be retained to respond to a dispute under the Fair Credit Reporting Act; or ``(D) the nonpublic personal information is required to be retained as otherwise required by law. ``(3) Verification.-- ``(A) In general.--A financial institution shall establish and implement procedures to verify the identity of a former customer submitting a request under paragraph (1) before deleting nonpublic personal information that is the subject of such request. ``(B) Requirements.--The procedures established by a financial institution pursuant to subparagraph (A) shall be designed to-- ``(i) confirm that the individual making the request is the former customer to whom the nonpublic personal information relates; ``(ii) protect against unauthorized deletion of nonpublic personal information resulting from fraudulent requests; and ``(iii) protect against deletion of nonpublic personal information resulting from requests made by a former customer in error. ``(C) Exception.--A financial institution shall not be required to grant a request under paragraph (1) if the financial institution cannot confirm that the identity of the individual making such request is the same as the former customer to whom the nonpublic personal information relates. ``(4) Response period.-- ``(A) In general.--A financial institution shall respond to a former customer submitting a request under paragraph (1) without undue delay, but in all cases within 45 days of receiving such request. ``(B) Extension.--A financial institution may extend the response period in subparagraph (A) once for an additional 45 days when necessary, taking into account the complexity and number of requests by the former customer, but must inform the former customer of such extension and the reason for such extension within the initial 45 day response period under subparagraph (A). ``(5) Apportionment of costs.-- ``(A) Initial requests.--A former customer may submit 2 requests per year free of charge to a financial institution under paragraph (1). ``(B) Subsequent requests.--For any request of a former customer under paragraph (1) subsequent to the requests described in subparagraph (A), a financial institution may-- ``(i) charge the former customer a fee, if the financial institution has notified the former customer of such fee and the former customer has consented to such fee; or ``(ii) decline to act on such request, if the former customer does not consent to the fee described under clause (i). ``(6) Appeal.--Subject to the exceptions in paragraph (2), a financial institution receiving a request under paragraph (1) shall-- ``(A) establish a process for a former customer to appeal a determination by a financial institution to deny a request under paragraph (1); ``(B) make such appeal process under subparagraph (A) clearly and conspicuously disclosed to the former customer in the response required under paragraph (4) if the request under paragraph (1) is to be denied by the financial institution; ``(C) respond to such an appeal request by the former customer-- ``(i) not later than 60 days after the date on which such appeal request is received; and ``(ii) by informing the former customer in writing or in electronic form or other form permitted by the regulations prescribed under section 504 of any action taken in response to the appeal, including an explanation of the reason for each action taken; and ``(D) if such an appeal is denied, provide the former customer with an online mechanism, if available, or other method through which the former customer may contact the appropriate enforcement agency or authority as described in section 505 to submit a complaint.''. (b) Effective Date.--This section shall take effect 2 years after the date of enactment of this Act. (c) Clerical Amendment.--The table of contents in section 1(b) of the Gramm-Leach-Bliley Act is amended by inserting after the item relating to section 503 the following: ``Sec. 503A. Requests for disclosure of or deletion of nonpublic personal information.''. SEC. 108. OPT IN FOR SENSITIVE NONPUBLIC PERSONAL INFORMATION. (a) In General.--Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802), as amended by sections 102(3) and 104, is further amended by adding at the end the following: ``(h) Opt in for Sensitive Nonpublic Personal Information.-- ``(1) In general.--Notwithstanding subsection (b)(1), a financial institution may not collect sensitive nonpublic personal information or disclose sensitive nonpublic personal information to a nonaffiliated third party unless-- ``(A) such financial institution clearly and conspicuously discloses to the consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 504, that such information may be collected or that such information may be disclosed to such third party; ``(B) such financial institution obtains the consent of the consumer to collect such information or to disclose such information to such third party before the time that such information is initially collected or disclosed; and ``(C) the consumer is given an explanation of how the consumer can revoke that consent pursuant to paragraph (2). ``(2) Continuing consumer consent revocation right.--A consumer may revoke their consent under paragraph (1)(B) at any time. ``(3) Rule of construction.--Paragraph (1) shall not be construed to prevent a financial institution from disclosing sensitive nonpublic personal information-- ``(A) pursuant to section 502(e)(3)(A); ``(B) pursuant to section 502(e)(3)(B); ``(C) pursuant to section 502(e)(5); or ``(D) pursuant to section 502(e)(8).''. (b) Effective Date.--This section shall take effect 1 year after the date of enactment of this Act. TITLE II--REGULATORY CONSIDERATION FOR SMALL FINANCIAL INSTITUTIONS SEC. 201. REGULATORY CONSIDERATION FOR SMALL FINANCIAL INSTITUTIONS. Section 504 of the Gramm-Leach-Bliley Act (15 U.S.C. 6804) is amended by adding at the end the following: ``(c) Consideration of Effects on Financial Institutions With $15,000,000,000 or Less in Assets.-- ``(1) In general.--Each of the agencies authorized under subsection (a)(1) to prescribe regulations shall take into account the effects of the regulations on financial institutions with $15,000,000,000 or less in assets, including the resource, technical, and personnel limitations of such financial institutions to comply with the regulations and the regulatory compliance costs relative to the size, complexity, financial activities, revenues, and noncompliance costs of such financial institutions. ``(2) Threshold adjustment.--By April 1, 2031, and the 1st day of each subsequent 5-year period, the agencies authorized under subsection (a)(1) to prescribe regulations shall increase the threshold described in paragraph (1) by the ratio, if greater than 1, of the annual value of current-dollar United States gross domestic product, published by the Department of Commerce, for the calendar year preceding the year in which the adjustment is calculated under this section, to the published annual value of such index for the calendar year preceding April 1, 2026.''. TITLE III--RELATION TO OTHER LAWS SEC. 301. RELATION TO STATE LAWS. Section 507 of the Gramm-Leach-Bliley Act (15 U.S.C. 6807) is amended to read as follows: ``SEC. 507. RELATION TO STATE LAWS. ``(a) In General.--This subtitle and the amendments made by this subtitle shall supersede and preempt the application of any State statute, regulation, order, interpretation, or other law that establishes consumer data privacy or security requirements to nonpublic personal information subject to this subtitle. This subtitle and the amendments made by this subtitle shall supersede and preempt the application of any State statute, regulation, order, interpretation, or other law that establishes consumer data privacy or security requirements to a financial institution subject to this subtitle. ``(b) Regulation and Enforcement by State Insurance Authorities.-- Subsection (a) shall not be construed to alter, affect, or otherwise limit the authority of a State insurance authority to enforce this subtitle pursuant to section 505 or to adopt regulations to carry out this subtitle pursuant to section 504 in a manner consistent and comparable with, and not more restrictive than, the regulations prescribed by the Federal agencies authorized to prescribe regulations under section 504 as required by section 504(a)(2).''. TITLE IV--ADDITIONS TO DEFINITIONS SEC. 401. ADDITIONS TO DEFINITIONS. Section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809) is amended-- (1) in paragraph (3)(A), by inserting before the period at the end the following: ``or a financial data aggregator''; (2) by amending paragraph (4)(A) to read as follows: ``(A) The term `nonpublic personal information' means-- ``(i) personally identifiable financial information-- ``(I) provided by a consumer to a financial institution; ``(II) resulting from any transaction with the consumer or any service performed for the consumer; or ``(III) otherwise obtained by the financial institution; ``(ii) access credentials; and ``(iii) when used by a financial institution while engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k))-- ``(I) biometric data; and ``(II) precise geolocation data.''; (3) in paragraph (11), by striking ``Customer'' and inserting ``Time of establishing a customer''; and (4) by adding at the end the following: ``(12) Access credentials.--The term `access credentials' means personally identifiable nonfinancial information that a consumer uses to access an account of such consumer at a financial institution, including a username, password, personal identification number, access code, answer to a security question, or a substantially similar item of personally identifiable nonfinancial information. ``(13) Artificial intelligence.--The term `artificial intelligence' has the meaning given such term in section 5002 of the National Artificial Intelligence Initiative Act of 2020 (15 U.S.C. 9401). ``(14) Biometric data.--The term `biometric data'-- ``(A) means personally identifiable nonfinancial information of a consumer generated by automatic measurements of biological characteristics, including a fingerprint, voiceprint, eye retinas, eye irises, or other unique biological patterns or characteristics that are used to identify a specific consumer; and ``(B) does not include a physical or digital photograph, a video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under the Health Insurance Portability and Accountability Act or the amendments made by that Act. ``(15) Consent.--The term `consent' means a clear affirmative act by a consumer that-- ``(A) signifies the freely given, specific, informed, and unambiguous agreement by the consumer to an action; and ``(B) is-- ``(i) in writing or in electronic form or other form permitted by the regulations prescribed under section 504; or ``(ii) in any other unambiguous affirmative form. ``(16) Covered nation.--The term `covered nation' has the meaning given such term in section 4872(f) of title 10, United States Code. ``(17) Customer.--The term `customer' means a consumer who has a customer relationship with a financial institution. ``(18) Customer relationship.--The term `customer relationship' means a continuing relationship between a consumer and a financial institution under which the financial institution provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes. ``(19) Financial data aggregator.--The term `financial data aggregator'-- ``(A) means any person that operates a commercial enterprise for the primary business purpose of accessing, aggregating, collecting, processing, selling, or otherwise disclosing nonpublic personal information; and ``(B) does not include-- ``(i) a person that receives, processes, or discloses nonpublic personal information solely to the extent that it performs services for or functions on behalf of a financial institution pursuant to section 502(b)(2) or pursuant to an exception described under section 502(e); ``(ii) a consumer reporting agency, as defined in section 603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)), solely to the extent that it engages in activities subject to the Fair Credit Reporting Act; ``(iii) an attorney, accountant, investment adviser, or other person acting in a fiduciary or representative capacity on behalf of a consumer pursuant to section 502(e)(3)(E); ``(iv) a person-- ``(I) to the extent that such person is not a financial institution; and ``(II) that operates a commercial enterprise that receives, processes, or discloses nonpublic personal information for the purpose of making or receiving payments associated with a sale, purchase, or exchange of goods or services; or ``(v) a self-regulatory organization that receives or processes nonpublic personal information disclosed to it by its members, or that discloses nonpublic personal information to an agency. ``(20) Former customer.--The term `former customer' means a consumer who has previously had a customer relationship with a financial institution and that is no longer a customer of the financial institution because that customer relationship has terminated. ``(21) Precise geolocation data.--The term `precise geolocation data'-- ``(A) means personally identifiable nonfinancial information of a consumer generated by technological means, including global positioning systems, telemetry, telematics, and level, latitude, and longitude coordinates, or other means, that directly identifies the specific location of a consumer with precision and accuracy within a radius of 1,750 feet; and ``(B) does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility. ``(22) Self-regulatory organization.--The term `self- regulatory organization'-- ``(A) has the meaning given that term in section 3(a) of the Securities Exchange Act of 1934 (15 U.S.C. 78c(a)); and ``(B) means-- ``(i) a contract market, derivatives transaction execution facility, registered futures association, or other self-regulatory organization registered with the Commodity Futures Trading Commission; and ``(ii) any other self-regulatory organization registered with an agency authorized under section 504(a)(1) to prescribe regulations or with a Federal functional regulator, as determined by such agency or such Federal functional regulator. ``(23) Sensitive nonpublic personal information.--The term `sensitive nonpublic personal information' means, when used by a financial institution while engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k))-- ``(A) personally identifiable nonfinancial information of a consumer that discloses the consumer's racial or ethnic origin, religious belief, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; ``(B) genetic or biometric data of a consumer that is disclosed for the purpose of uniquely identifying a specific consumer; and ``(C) precise geolocation data. ``(24) State.--The term `State' means each State of the United States, the District of Columbia, each commonwealth, territory, or possession of the United States, and each federally recognized Indian Tribe.''. \n\nSUMMARY TO EVALUATE:\nTitle: GUARD Financial Data Act: Strengthening Your Privacy and Data Control\nSummary: This act gives citizens more control over their financial information by allowing them to request data deletion and limiting collection to what is strictly necessary. Banks must now obtain explicit permission before using sensitive data like location or biometrics.\nKey Points: Right to request the deletion of your personal data after closing a bank account., Explicit 'opt-in' consent required for sensitive data, including biometrics and precise location., Ability to opt out of data sharing with third parties at any time., New requirements for banks to disclose if they use artificial intelligence to process your information.\n\nZASADY OCENY:\n1. Sprawdź wszystkie LICZBY, DATY i KWOTY w SUMMARY. Jeśli którejś brakuje w SOURCE -> is_valid: false.\n2. Sprawdź wszystkie NAZWISKA, ORGANIZACJE i MIEJSCA w SUMMARY. Jeśli którejś brakuje w SOURCE -> is_valid: false.\n3. Sprawdź wszystkie konkretne DZIAŁANIA PRAWNE . Jeśli tego mechanizmu nie ma w SOURCE -> is_valid: false.\n\nWAŻNE: Abstrakcyjne pojęcia (np. \"transparentność\", \"zaufanie\") są dozwolone jako wnioski.\n\nOUTPUT (JSON):\n{\n \"is_valid\": true/false,\n \"issue\": \"fabricated_entity\" / \"contradiction\" / \"none\"\n}\n\nWYMAGANIA FORMATOWANIA:\n1. Odpowiedz WYŁĄCZNIE surowym obiektem JSON.\n2. NIE używaj bloków kodu Markdown.\n3. NIE dodawaj żadnych wstępów ani wyjaśnień przed ani po JSONie.\n4. JSON musi być poprawny i gotowy do parsowania.\n\n", "ai_response_raw": "{\n \"is_valid\": true,\n \"issue\": \"none\"\n}" }, { "timestamp": "2026-04-28T11:12:45.550Z", "source_url": "https://www.congress.gov/119/bills/hr8398/BILLS-119hr8398ih.htm", "model": "gemini-flash-latest", "prompt_sent": "\nJesteś ekspertem od prawa Stanów Zjednoczonych, który ma za zadanie analizować dokumenty ustaw, uchwał oraz innych dokumentów legislacyjnych, a następnie przygotowywać z nich informacje w przystępny sposób dla obywateli. Twoim celem jest przedstawienie informacji tak, aby obywatele mogli sami ocenić wpływ legislacji na ich życie, nawet bez posiadania specjalistycznej wiedzy legislacyjnej. Skup się na faktach i obiektywnych skutkach wprowadzanych zmian, unikając wartościowania i osobistych opinii. Wszelki żargon prawny jest zabroniony. Prezentuj informacje w jasny, zwięzły i angażujący sposób, tak aby były zrozumiałe dla osoby bez wykształcenia prawniczego. Unikaj długich, złożonych zdań. Zamiast pisać \"projekt ma na celu nowelizację kodeksu podatkowego...\", napisz \"Zmiany w podatkach: nowe ulgi i obowiązki dla...\". Kontynuuj swoją pracę, dopóki nie rozwiążesz swojego zadania. Jeśli nie masz pewności co do generowanej treści, przeanalizuj dokument ponownie – nie zgaduj. Rozplanuj dobrze swoje zadanie przed przystąpieniem do niego. W podsumowaniu i kluczowych punktach, jeśli to możliwe i uzasadnione, podkreśl, jakie konkretne korzyści lub skutki (pozytywne lub negatywne) wprowadza ustawa dla życia codziennego obywateli, ich praw i obowiązków, finansów osobistych, bezpieczeństwa i innych ważnych kwestii (np. kategorycznych zakazów i nakazów czy najważniejszych konkretnych alokacji finansowych i terytorialnych).\n\nTwoja odpowiedź MUSI być w formacie JSON - i zawierać następujące klucze.\nZanim zwrócisz odpowiedź, dokładnie zweryfikuj, czy cała struktura JSON jest w 100% poprawna, włącznie ze wszystkimi przecinkami, nawiasami klamrowymi, kwadratowymi oraz cudzysłowami. Błędny JSON jest nieakceptowalny i uniemożliwi przetworzenie Twojej pracy.\n\nPrzeanalizuj dokładnie poniższy tekst dokumentu prawnego. To jest treść, na podstawie której masz wygenerować podsumowanie i kluczowe punkty:\n--- POCZĄTEK DOKUMENTU ---\n[Congressional Bills 119th Congress] [From the U.S. Government Publishing Office] [H.R. 8398 Introduced in House (IH)] 119th CONGRESS 2d Session H. R. 8398 To make improvements to title V of the Gramm-Leach-Bliley Act, and for other purposes. _______________________________________________________________________ IN THE HOUSE OF REPRESENTATIVES April 21, 2026 Mr. Huizenga (for himself, Mr. Barr, Mr. Steil, and Mr. Hill of Arkansas) introduced the following bill; which was referred to the Committee on Financial Services _______________________________________________________________________ A BILL To make improvements to title V of the Gramm-Leach-Bliley Act, and for other purposes. Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. SHORT TITLE; TABLE OF CONTENTS. (a) Short Title.--This Act may be cited as the ``Guidelines for Use, Access, and Responsible Disclosure of Financial Data Act'' or the ``GUARD Financial Data Act''. (b) Table of Contents.--The table of contents for this Act is as follows: Sec. 1. Short title; table of contents. TITLE I--IMPROVEMENTS TO TREATMENT OF CONSUMER FINANCIAL DATA Sec. 101. Subtitle and section heading alterations. Sec. 102. Data minimization. Sec. 103. Continuing consumer opt out right. Sec. 104. Limits on use of consumer access credentials. Sec. 105. Additional information to be included in notices to consumers. Sec. 106. Customer access to privacy and disclosure policies. Sec. 107. Requests for disclosure of or deletion of nonpublic personal information. Sec. 108. Opt in for sensitive nonpublic personal information. TITLE II--REGULATORY CONSIDERATION FOR SMALL FINANCIAL INSTITUTIONS Sec. 201. Regulatory consideration for small financial institutions. TITLE III--RELATION TO OTHER LAWS Sec. 301. Relation to State laws. TITLE IV--ADDITIONS TO DEFINITIONS Sec. 401. Additions to definitions. TITLE I--IMPROVEMENTS TO TREATMENT OF CONSUMER FINANCIAL DATA SEC. 101. SUBTITLE AND SECTION HEADING ALTERATIONS. The Gramm-Leach-Bliley Act is amended-- (1) in title V (15 U.S.C. 6801 et seq.)-- (A) in subtitle A, in the heading of the subtitle, by striking ``Disclosure'' and inserting ``Treatment''; and (B) in section 502, by striking ``disclosures of'' and inserting ``nonpublic''; and (2) in the table of contents for such Act-- (A) in the item relating to subtitle A of title V, by striking ``Disclosure'' and inserting ``Treatment''; and (B) in the item relating to section 502, by striking ``disclosures of'' and inserting ``nonpublic''. SEC. 102. DATA MINIMIZATION. (a) In General.--Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802) is amended-- (1) in subsection (e), by striking ``Subsections (a) and (b)'' and inserting ``Subsections (a), (b), and (f)''; (2) in subsection (e), by inserting ``collection or'' before ``disclosure''; and (3) by adding at the end the following: ``(f) Data Minimization.-- ``(1) In general.--A financial institution shall limit the collection or disclosure of nonpublic personal information to what is adequate, relevant, and reasonably necessary in relation to each purpose for which the nonpublic personal information is collected or disclosed, and if such collection or disclosure is not otherwise prohibited by this subtitle or the amendments made by this subtitle. ``(2) Rule of construction.--Nothing in paragraph (1) shall be construed to prevent a financial institution from disclosing nonpublic personal information-- ``(A) to a nonaffiliated third party pursuant to subsection (b)(2); ``(B) to a nonaffiliated third party as required by section 1033 of the Consumer Financial Protection Act of 2010 (12 U.S.C. 5533); ``(C) to comply with a request from a consumer reporting agency (as defined in section 603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f))) to the extent the consumer reporting agency is engaged in activities subject to the Fair Credit Reporting Act; ``(D) to an agency with regulatory jurisdiction over the financial institution; ``(E) to a self-regulatory organization of which the financial institution is a member; ``(F) as otherwise permitted or required by this subtitle; or ``(G) as otherwise required by law.''. (b) Effective Date.--This section shall take effect 2 years after the date of enactment of this Act. SEC. 103. CONTINUING CONSUMER OPT OUT RIGHT. Section 502(b)(1) of the Gramm-Leach-Bliley Act (15 U.S.C. 6802(b)(1)) is amended-- (1) in subparagraph (B), by inserting after ``initially disclosed'' the following: ``and with that opportunity exercisable by the consumer at any time thereafter''; and (2) in subparagraph (C), by inserting before the period at the end the following: ``before the time that such information is initially disclosed and with that explanation accessible to the consumer at any time thereafter''. SEC. 104. LIMITS ON USE OF CONSUMER ACCESS CREDENTIALS. (a) In General.--Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802), as amended by section 102(3), is further amended by adding at the end the following: ``(g) Limits on Use of Consumer Access Credentials.-- ``(1) Notice and opt out.--A financial data aggregator or nonaffiliated third party may not use the access credentials of a consumer to access an electronic form of the consumer's account at, or otherwise obtain an electronic form of nonpublic personal information of the consumer from, a financial institution unless-- ``(A) before the time that such access credentials are initially collected, the financial data aggregator or nonaffiliated third party provides a clear and conspicuous disclosure to such consumer that includes-- ``(i) how the financial data aggregator or nonaffiliated third party will use such access credentials; ``(ii) whether the financial data aggregator or nonaffiliated third party will disclose such access credentials to a third party not affiliated with the financial data aggregator or nonaffiliated third party; and ``(iii) a notification of-- ``(I) the risks to privacy and security of nonpublic personal information associated with use of access credentials to obtain nonpublic personal information held by a financial institution; and ``(II) the practices of the financial data aggregator or nonaffiliated third party to ensure the privacy and security of nonpublic personal information obtained using access credentials; and ``(B) the consumer is given the opportunity to direct that such access credentials not be used to access the consumer's account at, or otherwise obtain nonpublic personal information of the consumer from, the financial institution. ``(2) Treatment of access credential-based request.--A financial institution may not deny a disclosure request from a financial data aggregator or a nonaffiliated third party using the access credentials of a consumer if the consumer-- ``(A) has received the disclosure described in paragraph (1)(A); and ``(B) has been given the opportunity to direct that such access credentials not be used, as described in paragraph (1)(B). ``(3) Rule of construction.--Notwithstanding paragraphs (1) and (2), when complying with this subsection, a financial institution, financial data aggregator, or nonaffiliated third party shall comply with any requirements of section 1033 of the Consumer Financial Protection Act of 2010 (12 U.S.C. 5533) with respect to the use of the access credentials of a consumer to access an electronic form of the consumer's account at, or otherwise obtain an electronic form of nonpublic personal information of the consumer from, a financial institution.''. (b) Effective Date.--This section shall take effect 1 year after the date of enactment of this Act. SEC. 105. ADDITIONAL INFORMATION TO BE INCLUDED IN NOTICES TO CONSUMERS. (a) In General.--Section 503(c) of the Gramm-Leach-Bliley Act (15 U.S.C. 6803(c)) is amended-- (1) in paragraph (3) by striking ``and'' at the end; (2) by redesignating paragraph (4) as paragraph (11); and (3) by inserting after paragraph (3) the following: ``(4) the categories of purposes for which the financial institution-- ``(A) collects nonpublic personal information; and ``(B) discloses nonpublic personal information to a nonaffiliated third party; ``(5) the categories of practices of the financial institution with respect to the financial institution's retention of nonpublic personal information; ``(6) the categories of practices of the financial institution with respect to the financial institution's use of artificial intelligence in the collection, processing, and utilization of nonpublic personal information; ``(7) whether any nonpublic personal information of the consumer is processed in, retained in, or disclosed to a covered nation; ``(8) an explanation of how a consumer can exercise the option pursuant to section 502(b) to direct that nonpublic personal information not be disclosed to a nonaffiliated third party before the time that such information is initially disclosed and at any time thereafter; ``(9) an explanation of how a customer can exercise the option to request a copy of the disclosure required by subsection (a) pursuant to subsection (g); ``(10) an explanation of how a customer or former customer can exercise the option to request disclosure of nonpublic personal information and how a former customer can exercise the option to request deletion of nonpublic personal information pursuant to section 503A; and''. (b) Update of Model Forms.-- (1) In general.--The agencies referred to in section 504(a)(1) of the Gramm-Leach-Bliley Act (15 U.S.C. 6804(a)(1)) shall, in consultation with the Federal functional regulators, jointly develop updates to the model form mandated by section 503(e) of such Act. (2) Safe harbor.--During the 2-year period beginning on the date the agencies finalize updates to the model form under paragraph (1), a financial institution shall be deemed to be compliant with section 502(a) of the Gramm-Leach-Bliley Act (15 U.S.C. 6802(a)) if the disclosures of the financial institution under section 503 of such Act comply with the model form issued pursuant to section 503(e) in effect on the date of enactment of this Act. SEC. 106. CUSTOMER ACCESS TO PRIVACY AND DISCLOSURE POLICIES. Section 503 of the Gramm-Leach-Bliley Act (15 U.S.C. 6803) is amended by inserting at the end the following: ``(g) Customer Access to Privacy and Disclosure Policies.--A financial institution shall, upon a customer request, provide such customer with a copy of the disclosure required by subsection (a) in writing or in electronic form or other form permitted by the regulations prescribed under section 504.''. SEC. 107. REQUESTS FOR DISCLOSURE OF OR DELETION OF NONPUBLIC PERSONAL INFORMATION. (a) In General.--Title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.) is amended by inserting after section 503 the following: ``SEC. 503A. REQUESTS FOR DISCLOSURE OF OR DELETION OF NONPUBLIC PERSONAL INFORMATION. ``(a) Customer or Former Customer Request for Disclosure of Nonpublic Personal Information.-- ``(1) In general.--Upon a request from a customer or former customer of a financial institution, such financial institution shall disclose to the customer or former customer-- ``(A) pursuant to the requirements of section 1033 of the Consumer Financial Protection Act of 2010 (12 U.S.C. 5533), any nonpublic personal information of the customer or former customer in the control or possession of the financial institution; and ``(B) a list of the categories of affiliates and nonaffiliated third parties to whom the financial institution has disclosed nonpublic personal information of the customer or former customer (other than disclosures of nonpublic personal information made to an affiliate or a nonaffiliated third party pursuant to an exception under section 502(e)). ``(2) Exception.--Paragraph (1) shall not apply to the extent that disclosure of nonpublic personal information to a customer or former customer is prohibited under other provisions of law. ``(b) Former Customer Request for Deletion of Nonpublic Personal Information.-- ``(1) In general.--Upon a request from a former customer, a financial institution shall delete any nonpublic personal information of the former customer held by the financial institution. ``(2) Former customer deletion request exceptions.-- Paragraph (1) shall not require deletion of nonpublic personal information of a former customer by a financial institution where-- ``(A) the nonpublic personal information is required to be retained for a continuing purpose pursuant to an exception described under section 502(e); ``(B) the holder of the nonpublic personal information is a consumer reporting agency, as defined in section 603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)), and the nonpublic personal information is held solely to the extent that it is used in activities subject to the Fair Credit Reporting Act; ``(C) the nonpublic personal information is required to be retained to respond to a dispute under the Fair Credit Reporting Act; or ``(D) the nonpublic personal information is required to be retained as otherwise required by law. ``(3) Verification.-- ``(A) In general.--A financial institution shall establish and implement procedures to verify the identity of a former customer submitting a request under paragraph (1) before deleting nonpublic personal information that is the subject of such request. ``(B) Requirements.--The procedures established by a financial institution pursuant to subparagraph (A) shall be designed to-- ``(i) confirm that the individual making the request is the former customer to whom the nonpublic personal information relates; ``(ii) protect against unauthorized deletion of nonpublic personal information resulting from fraudulent requests; and ``(iii) protect against deletion of nonpublic personal information resulting from requests made by a former customer in error. ``(C) Exception.--A financial institution shall not be required to grant a request under paragraph (1) if the financial institution cannot confirm that the identity of the individual making such request is the same as the former customer to whom the nonpublic personal information relates. ``(4) Response period.-- ``(A) In general.--A financial institution shall respond to a former customer submitting a request under paragraph (1) without undue delay, but in all cases within 45 days of receiving such request. ``(B) Extension.--A financial institution may extend the response period in subparagraph (A) once for an additional 45 days when necessary, taking into account the complexity and number of requests by the former customer, but must inform the former customer of such extension and the reason for such extension within the initial 45 day response period under subparagraph (A). ``(5) Apportionment of costs.-- ``(A) Initial requests.--A former customer may submit 2 requests per year free of charge to a financial institution under paragraph (1). ``(B) Subsequent requests.--For any request of a former customer under paragraph (1) subsequent to the requests described in subparagraph (A), a financial institution may-- ``(i) charge the former customer a fee, if the financial institution has notified the former customer of such fee and the former customer has consented to such fee; or ``(ii) decline to act on such request, if the former customer does not consent to the fee described under clause (i). ``(6) Appeal.--Subject to the exceptions in paragraph (2), a financial institution receiving a request under paragraph (1) shall-- ``(A) establish a process for a former customer to appeal a determination by a financial institution to deny a request under paragraph (1); ``(B) make such appeal process under subparagraph (A) clearly and conspicuously disclosed to the former customer in the response required under paragraph (4) if the request under paragraph (1) is to be denied by the financial institution; ``(C) respond to such an appeal request by the former customer-- ``(i) not later than 60 days after the date on which such appeal request is received; and ``(ii) by informing the former customer in writing or in electronic form or other form permitted by the regulations prescribed under section 504 of any action taken in response to the appeal, including an explanation of the reason for each action taken; and ``(D) if such an appeal is denied, provide the former customer with an online mechanism, if available, or other method through which the former customer may contact the appropriate enforcement agency or authority as described in section 505 to submit a complaint.''. (b) Effective Date.--This section shall take effect 2 years after the date of enactment of this Act. (c) Clerical Amendment.--The table of contents in section 1(b) of the Gramm-Leach-Bliley Act is amended by inserting after the item relating to section 503 the following: ``Sec. 503A. Requests for disclosure of or deletion of nonpublic personal information.''. SEC. 108. OPT IN FOR SENSITIVE NONPUBLIC PERSONAL INFORMATION. (a) In General.--Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802), as amended by sections 102(3) and 104, is further amended by adding at the end the following: ``(h) Opt in for Sensitive Nonpublic Personal Information.-- ``(1) In general.--Notwithstanding subsection (b)(1), a financial institution may not collect sensitive nonpublic personal information or disclose sensitive nonpublic personal information to a nonaffiliated third party unless-- ``(A) such financial institution clearly and conspicuously discloses to the consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 504, that such information may be collected or that such information may be disclosed to such third party; ``(B) such financial institution obtains the consent of the consumer to collect such information or to disclose such information to such third party before the time that such information is initially collected or disclosed; and ``(C) the consumer is given an explanation of how the consumer can revoke that consent pursuant to paragraph (2). ``(2) Continuing consumer consent revocation right.--A consumer may revoke their consent under paragraph (1)(B) at any time. ``(3) Rule of construction.--Paragraph (1) shall not be construed to prevent a financial institution from disclosing sensitive nonpublic personal information-- ``(A) pursuant to section 502(e)(3)(A); ``(B) pursuant to section 502(e)(3)(B); ``(C) pursuant to section 502(e)(5); or ``(D) pursuant to section 502(e)(8).''. (b) Effective Date.--This section shall take effect 1 year after the date of enactment of this Act. TITLE II--REGULATORY CONSIDERATION FOR SMALL FINANCIAL INSTITUTIONS SEC. 201. REGULATORY CONSIDERATION FOR SMALL FINANCIAL INSTITUTIONS. Section 504 of the Gramm-Leach-Bliley Act (15 U.S.C. 6804) is amended by adding at the end the following: ``(c) Consideration of Effects on Financial Institutions With $15,000,000,000 or Less in Assets.-- ``(1) In general.--Each of the agencies authorized under subsection (a)(1) to prescribe regulations shall take into account the effects of the regulations on financial institutions with $15,000,000,000 or less in assets, including the resource, technical, and personnel limitations of such financial institutions to comply with the regulations and the regulatory compliance costs relative to the size, complexity, financial activities, revenues, and noncompliance costs of such financial institutions. ``(2) Threshold adjustment.--By April 1, 2031, and the 1st day of each subsequent 5-year period, the agencies authorized under subsection (a)(1) to prescribe regulations shall increase the threshold described in paragraph (1) by the ratio, if greater than 1, of the annual value of current-dollar United States gross domestic product, published by the Department of Commerce, for the calendar year preceding the year in which the adjustment is calculated under this section, to the published annual value of such index for the calendar year preceding April 1, 2026.''. TITLE III--RELATION TO OTHER LAWS SEC. 301. RELATION TO STATE LAWS. Section 507 of the Gramm-Leach-Bliley Act (15 U.S.C. 6807) is amended to read as follows: ``SEC. 507. RELATION TO STATE LAWS. ``(a) In General.--This subtitle and the amendments made by this subtitle shall supersede and preempt the application of any State statute, regulation, order, interpretation, or other law that establishes consumer data privacy or security requirements to nonpublic personal information subject to this subtitle. This subtitle and the amendments made by this subtitle shall supersede and preempt the application of any State statute, regulation, order, interpretation, or other law that establishes consumer data privacy or security requirements to a financial institution subject to this subtitle. ``(b) Regulation and Enforcement by State Insurance Authorities.-- Subsection (a) shall not be construed to alter, affect, or otherwise limit the authority of a State insurance authority to enforce this subtitle pursuant to section 505 or to adopt regulations to carry out this subtitle pursuant to section 504 in a manner consistent and comparable with, and not more restrictive than, the regulations prescribed by the Federal agencies authorized to prescribe regulations under section 504 as required by section 504(a)(2).''. TITLE IV--ADDITIONS TO DEFINITIONS SEC. 401. ADDITIONS TO DEFINITIONS. Section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809) is amended-- (1) in paragraph (3)(A), by inserting before the period at the end the following: ``or a financial data aggregator''; (2) by amending paragraph (4)(A) to read as follows: ``(A) The term `nonpublic personal information' means-- ``(i) personally identifiable financial information-- ``(I) provided by a consumer to a financial institution; ``(II) resulting from any transaction with the consumer or any service performed for the consumer; or ``(III) otherwise obtained by the financial institution; ``(ii) access credentials; and ``(iii) when used by a financial institution while engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k))-- ``(I) biometric data; and ``(II) precise geolocation data.''; (3) in paragraph (11), by striking ``Customer'' and inserting ``Time of establishing a customer''; and (4) by adding at the end the following: ``(12) Access credentials.--The term `access credentials' means personally identifiable nonfinancial information that a consumer uses to access an account of such consumer at a financial institution, including a username, password, personal identification number, access code, answer to a security question, or a substantially similar item of personally identifiable nonfinancial information. ``(13) Artificial intelligence.--The term `artificial intelligence' has the meaning given such term in section 5002 of the National Artificial Intelligence Initiative Act of 2020 (15 U.S.C. 9401). ``(14) Biometric data.--The term `biometric data'-- ``(A) means personally identifiable nonfinancial information of a consumer generated by automatic measurements of biological characteristics, including a fingerprint, voiceprint, eye retinas, eye irises, or other unique biological patterns or characteristics that are used to identify a specific consumer; and ``(B) does not include a physical or digital photograph, a video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under the Health Insurance Portability and Accountability Act or the amendments made by that Act. ``(15) Consent.--The term `consent' means a clear affirmative act by a consumer that-- ``(A) signifies the freely given, specific, informed, and unambiguous agreement by the consumer to an action; and ``(B) is-- ``(i) in writing or in electronic form or other form permitted by the regulations prescribed under section 504; or ``(ii) in any other unambiguous affirmative form. ``(16) Covered nation.--The term `covered nation' has the meaning given such term in section 4872(f) of title 10, United States Code. ``(17) Customer.--The term `customer' means a consumer who has a customer relationship with a financial institution. ``(18) Customer relationship.--The term `customer relationship' means a continuing relationship between a consumer and a financial institution under which the financial institution provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes. ``(19) Financial data aggregator.--The term `financial data aggregator'-- ``(A) means any person that operates a commercial enterprise for the primary business purpose of accessing, aggregating, collecting, processing, selling, or otherwise disclosing nonpublic personal information; and ``(B) does not include-- ``(i) a person that receives, processes, or discloses nonpublic personal information solely to the extent that it performs services for or functions on behalf of a financial institution pursuant to section 502(b)(2) or pursuant to an exception described under section 502(e); ``(ii) a consumer reporting agency, as defined in section 603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)), solely to the extent that it engages in activities subject to the Fair Credit Reporting Act; ``(iii) an attorney, accountant, investment adviser, or other person acting in a fiduciary or representative capacity on behalf of a consumer pursuant to section 502(e)(3)(E); ``(iv) a person-- ``(I) to the extent that such person is not a financial institution; and ``(II) that operates a commercial enterprise that receives, processes, or discloses nonpublic personal information for the purpose of making or receiving payments associated with a sale, purchase, or exchange of goods or services; or ``(v) a self-regulatory organization that receives or processes nonpublic personal information disclosed to it by its members, or that discloses nonpublic personal information to an agency. ``(20) Former customer.--The term `former customer' means a consumer who has previously had a customer relationship with a financial institution and that is no longer a customer of the financial institution because that customer relationship has terminated. ``(21) Precise geolocation data.--The term `precise geolocation data'-- ``(A) means personally identifiable nonfinancial information of a consumer generated by technological means, including global positioning systems, telemetry, telematics, and level, latitude, and longitude coordinates, or other means, that directly identifies the specific location of a consumer with precision and accuracy within a radius of 1,750 feet; and ``(B) does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility. ``(22) Self-regulatory organization.--The term `self- regulatory organization'-- ``(A) has the meaning given that term in section 3(a) of the Securities Exchange Act of 1934 (15 U.S.C. 78c(a)); and ``(B) means-- ``(i) a contract market, derivatives transaction execution facility, registered futures association, or other self-regulatory organization registered with the Commodity Futures Trading Commission; and ``(ii) any other self-regulatory organization registered with an agency authorized under section 504(a)(1) to prescribe regulations or with a Federal functional regulator, as determined by such agency or such Federal functional regulator. ``(23) Sensitive nonpublic personal information.--The term `sensitive nonpublic personal information' means, when used by a financial institution while engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k))-- ``(A) personally identifiable nonfinancial information of a consumer that discloses the consumer's racial or ethnic origin, religious belief, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; ``(B) genetic or biometric data of a consumer that is disclosed for the purpose of uniquely identifying a specific consumer; and ``(C) precise geolocation data. ``(24) State.--The term `State' means each State of the United States, the District of Columbia, each commonwealth, territory, or possession of the United States, and each federally recognized Indian Tribe.''. \n--- KONIEC DOKUMENTU ---\n\nPAMIĘTAJ: Twoja odpowiedź MUSI być wyłącznie poprawnym obiektem JSON. Nie dodawaj żadnych dodatkowych znaków, komentarzy ani tekstu przed znacznikiem '{' ani po znaczniku '}'. Cała odpowiedź musi być parsowalna jako JSON.\nNa podstawie POWYŻSZEGO dokumentu, wypełnij poniższą strukturę JSON:\nOto struktura JSON, której oczekuję (wypełnij ją treścią):\n{\n \"pl_ai_title\": \"Nowy, krótki tytuł dla aktu prawnego po polsku, oddający sedno wprowadzanych zmian (np. maksymalnie 10-12 słów).\",\n \"pl_summary\": \"2-3 zdania zwięzłego podsumowania treści aktu prawnego po polsku, napisane z perspektywy wpływu na życie codzienne obywateli.\",\n \"pl_key_points\": [\n \"Pierwszy krótki punkt po polsku dotyczący najważniejszych wprowadzanych rozwiązań lub zmian.\",\n \"Drugi krótki punkt po polsku...\"\n ],\n \"eng_ai_title\": \"A new, short title for the legal act in English, capturing the essence of the changes (e.g., max 10-12 words).\",\n \"eng_summary\": \"2-3 sentences summarizing the legal act in English, from the perspective of its impact on citizens' daily lives.\",\n \"eng_key_points\": [\n \"First short bullet point in English regarding the most important solutions or changes being introduced.\",\n \"Second short bullet point in English...\"\n ],\n \"de_ai_title\": \"Ein neuer, kurzer Titel für das Rechtsdokument auf Deutsch, der den Kern der Änderungen erfasst (z.B. max. 10-12 Wörter).\",\n \"de_summary\": \"2-3 Sätze Zusammenfassung des Rechtsdokuments auf Deutsch, aus der Perspektive seiner Auswirkungen auf das tägliche Leben der Bürger.\",\n \"de_key_points\": [\n \"Erster kurzer Stichpunkt auf Deutsch zu den wichtigsten eingeführten Lösungen oder Änderungen.\",\n \"Zweiter kurzer Stichpunkt auf Deutsch...\"\n ],\n \"fr_ai_title\": \"Un nouveau titre court pour l'acte juridique en français, saisissant l'essence des changements (par exemple, 10-12 mots maximum).\",\n \"fr_summary\": \"Résumé de 2-3 phrases de l'acte juridique en français, du point de vue de son impact sur la vie quotidienne des citoyens.\",\n \"fr_key_points\": [\n \"Premier court point en français concernant les solutions ou changements les plus importants introduits.\",\n \"Deuxième court point en français...\"\n ],\n \"es_ai_title\": \"Un nuevo título breve para el acto jurídico en español, que recoja la esencia de los cambios (por ejemplo, máximo 10-12 palabras).\",\n \"es_summary\": \"Resumen de 2-3 frases del acto jurídico en español, desde la perspectiva de su impacto en la vida cotidiana de los ciudadanos.\",\n \"es_key_points\": [\n \"Primer punto breve en español sobre las soluciones o cambios más importantes que se introducen.\",\n \"Segundo punto breve en español...\"\n ],\n \"it_ai_title\": \"Un nuovo titolo breve per l'atto giuridico in italiano, che colga l'essenza delle modifiche (ad es. massimo 10-12 parole).\",\n \"it_summary\": \"Riepilogo di 2-3 frasi dell'atto giuridico in italiano, dal punto di vista del suo impatto sulla vita quotidiana dei cittadini.\",\n \"it_key_points\": [\n \"Primo breve punto in italiano riguardante le soluzioni o le modifiche più importanti introdotte.\",\n \"Secondo breve punto in italiano...\"\n ],\n \"nl_ai_title\": \"Een nieuwe, korte titel voor de rechtshandeling in het Nederlands, die de essentie van de wijzigingen weergeeft (bijv. max. 10-12 woorden).\",\n \"nl_summary\": \"Samenvatting van 2-3 zinnen van de rechtshandeling in het Nederlands, vanuit het perspectief van de impact op het dagelijks leven van burgers.\",\n \"nl_key_points\": [\n \"Eerste korte punt in het Nederlands betreffende de belangrijkste geïntroduceerde oplossingen of wijzigingen.\",\n \"Tweede korte punt in het Nederlands...\"\n ],\n \"pt_ai_title\": \"Um novo título curto para o ato jurídico em português, capturando a essência das mudanças (por exemplo, máx. 10-12 palavras).\",\n \"pt_summary\": \"Resumo de 2-3 frases do ato jurídico em português, na perspetiva do seu impacto na vida quotidiana dos cidadãos.\",\n \"pt_key_points\": [\n \"Primeiro ponto curto em português sobre as soluções ou alterações mais importantes introduzidas.\",\n \"Segundo ponto curto em português...\"\n ],\n \"category\": [\"Categorize the document into one category by default, based on the field it primarily concerns. Choose up to 3 if the document also touches upon SIGNIFICANT issues from other categories. You MUST select categories ONLY from the following list: Health, Education, Family, Taxes, Labor, Security, Environment, Courts and Law, Transport, Benefits, Real Estate, Media and Culture, Local Government, Migration, Agriculture, Public Investments, Informatization, Economy. If the document does not definitively fit any of these, you MUST use \"Other\". If you use \"Other\", it should be the ONLY category selected. Do NOT invent new categories. The response must be an array of strings, e.g., [\"Taxes\", \"Family\"].\"]\n}\n\n", "ai_response_raw": "{\n \"pl_ai_title\": \"Ustawa GUARD: Lepsza ochrona i kontrola nad Twoimi danymi finansowymi\",\n \"pl_summary\": \"Ustawa zwiększa kontrolę obywateli nad ich danymi finansowymi, wprowadzając prawo do ich usuwania oraz ograniczając zbieranie informacji do niezbędnego minimum. Banki będą musiały uzyskać wyraźną zgodę na przetwarzanie wrażliwych danych, takich jak lokalizacja czy biometria.\",\n \"pl_key_points\": [\n \"Prawo do żądania usunięcia swoich danych osobowych po zakończeniu współpracy z bankiem.\",\n \"Wymóg uzyskania wyraźnej zgody (opt-in) na zbieranie danych wrażliwych, w tym biometrii i lokalizacji.\",\n \"Możliwość rezygnacji z udostępniania danych firmom zewnętrznym w dowolnym momencie.\",\n \"Obowiązek informowania klientów o wykorzystywaniu sztucznej inteligencji do przetwarzania ich danych.\"\n ],\n \"eng_ai_title\": \"GUARD Financial Data Act: Strengthening Your Privacy and Data Control\",\n \"eng_summary\": \"This act gives citizens more control over their financial information by allowing them to request data deletion and limiting collection to what is strictly necessary. Banks must now obtain explicit permission before using sensitive data like location or biometrics.\",\n \"eng_key_points\": [\n \"Right to request the deletion of your personal data after closing a bank account.\",\n \"Explicit 'opt-in' consent required for sensitive data, including biometrics and precise location.\",\n \"Ability to opt out of data sharing with third parties at any time.\",\n \"New requirements for banks to disclose if they use artificial intelligence to process your information.\"\n ],\n \"de_ai_title\": \"GUARD Financial Data Act: Mehr Schutz und Kontrolle für Ihre Finanzdaten\",\n \"de_summary\": \"Dieses Gesetz stärkt die Kontrolle der Bürger über ihre Finanzdaten, indem es das Recht auf Löschung einführt und die Datenerhebung auf das Nötigste begrenzt. Banken müssen nun eine ausdrückliche Zustimmung für sensible Informationen wie Standort oder Biometrie einholen.\",\n \"de_key_points\": [\n \"Recht auf Löschung persönlicher Daten nach Beendigung der Kundenbeziehung.\",\n \"Ausdrückliche Zustimmung (Opt-in) für sensible Daten wie Biometrie und Standort erforderlich.\",\n \"Jederzeitiges Recht, der Weitergabe von Daten an Dritte zu widersprechen.\",\n \"Informationspflicht über den Einsatz von Künstlicher Intelligenz bei der Datenverarbeitung.\"\n ],\n \"fr_ai_title\": \"Loi GUARD : Renforcer la protection et le contrôle de vos données financières\",\n \"fr_summary\": \"Cette loi donne aux citoyens plus de contrôle sur leurs informations financières en introduisant un droit de suppression et en limitant la collecte au strict nécessaire. Les banques devront obtenir un consentement explicite pour les données sensibles comme la localisation ou la biométrie.\",\n \"fr_key_points\": [\n \"Droit de demander la suppression de vos données personnelles après la clôture d'un compte.\",\n \"Consentement explicite requis pour les données sensibles, y compris la biométrie et la localisation précise.\",\n \"Possibilité de refuser le partage de données avec des tiers à tout moment.\",\n \"Obligation d'informer sur l'utilisation de l'intelligence artificielle dans le traitement des données.\"\n ],\n \"es_ai_title\": \"Ley GUARD: Mayor protección y control sobre sus datos financieros\",\n \"es_summary\": \"Esta ley otorga a los ciudadanos un mayor control sobre su información financiera al permitirles solicitar la eliminación de datos y limitar su recopilación a lo necesario. Los bancos deberán obtener un consentimiento explícito para usar datos sensibles como la ubicación o la biometría.\",\n \"es_key_points\": [\n \"Derecho a solicitar la eliminación de sus datos personales tras cerrar una cuenta bancaria.\",\n \"Se requiere consentimiento explícito (opt-in) para datos sensibles como biometría y ubicación exacta.\",\n \"Posibilidad de revocar el permiso para compartir datos con terceros en cualquier momento.\",\n \"Obligación de informar sobre el uso de inteligencia artificial en el procesamiento de su información.\"\n ],\n \"it_ai_title\": \"Legge GUARD: Più tutela e controllo sui tuoi dati finanziari\",\n \"it_summary\": \"Questa legge aumenta il controllo dei cittadini sui propri dati finanziari, introducendo il diritto alla cancellazione e limitando la raccolta al minimo necessario. Le banche dovranno ottenere un consenso esplicito per trattare dati sensibili come posizione o biometria.\",\n \"it_key_points\": [\n \"Diritto di richiedere la cancellazione dei propri dati personali dopo la chiusura di un conto.\",\n \"Consenso esplicito obbligatorio per dati sensibili come biometria e geolocalizzazione precisa.\",\n \"Possibilità di negare la condivisione dei dati con terze parti in qualsiasi momento.\",\n \"Obbligo di informare sull'uso dell'intelligenza artificiale nel trattamento delle informazioni.\"\n ],\n \"nl_ai_title\": \"GUARD Financial Data Act: Betere bescherming en controle over uw financiële gegevens\",\n \"nl_summary\": \"Deze wet geeft burgers meer controle over hun financiële informatie door een recht op verwijdering in te voeren en gegevensverzameling tot het noodzakelijke te beperken. Banken moeten expliciete toestemming vragen voor gevoelige gegevens zoals locatie of biometrie.\",\n \"nl_key_points\": [\n \"Recht om verwijdering van uw persoonsgegevens te vragen na het beëindigen van een klantrelatie.\",\n \"Expliciete toestemming (opt-in) vereist voor gevoelige gegevens zoals biometrie en exacte locatie.\",\n \"Mogelijkheid om op elk moment bezwaar te maken tegen het delen van gegevens met derden.\",\n \"Verplichting om te informeren over het gebruik van kunstmatige intelligentie bij gegevensverwerking.\"\n ],\n \"pt_ai_title\": \"Lei GUARD: Maior proteção e controlo sobre os seus dados financeiros\",\n \"pt_summary\": \"Esta lei confere aos cidadãos maior controlo sobre as suas informações financeiras, introduzindo o direito ao apagamento e limitando a recolha ao estritamente necessário. Os bancos passam a exigir consentimento explícito para dados sensíveis, como localização ou biometria.\",\n \"pt_key_points\": [\n \"Direito de solicitar a eliminação dos seus dados pessoais após o encerramento de uma conta bancária.\",\n \"Consentement explícito obrigatório para dados sensíveis, incluindo biometria e localização precisa.\",\n \"Possibilidade de cancelar a partilha de dados com terceiros a qualquer momento.\",\n \"Dever de informar os clientes sobre o uso de inteligência artificial no tratamento dos seus dados.\"\n ],\n \"category\": [\"Economy\", \"Courts and Law\", \"Informatization\"]\n}" } ] }