Privacy News

Concord Privacy News: 4/2/2026

What a new congressional hearing signals for financial data privacy; thousands selling identities to train AI; White House AI framework calls for preemption of state laws.

Published: Thu Apr 02 2026

What a New Congressional Hearing Signals for Financial Data Privacy

The U.S. House Financial Services Committee convened a hearing examining the current state of financial data privacy in the United States, and the implications could be significant for organizations navigating an increasingly complex regulatory landscape.

A Growing Tension: Federal Framework vs. State Laws

A central theme of the hearing was the growing fragmentation of privacy requirements across the United States. While federal law, particularly the Gramm-Leach-Bliley Act (GLBA), has long governed how financial institutions handle consumer data, lawmakers raised concerns about how newer state privacy laws are evolving.

Historically, most state privacy laws have included exemptions tied to GLBA, either exempting financial institutions outright (entity-level exemptions) or exempting specific categories of financial data (data-level exemptions).

Today, that still largely holds true:

  • As of 2026, roughly 20 states have comprehensive privacy laws in effect.
  • The majority of these laws include some form of GLBA exemption, reflecting the longstanding view that financial data is already regulated at the federal level.

However, the details matter, and they are changing.

A Shift Away from Broad GLBA Exemptions

What's new, and central to the discussion at the committee hearing, is a shift in how states are applying those exemptions.

Traditionally, many states provided broad, entity-level exemptions, meaning that if an organization was subject to GLBA, it was largely outside the scope of state privacy laws. But increasingly:

  • States are moving toward data-level exemptions only, limiting protection to specific categories of GLBA-covered data.
  • Some states (like Connecticut and Montana) are rolling back broad entity-level exemptions altogether.

This creates a more nuanced and burdensome compliance environment. Financial institutions and their partners may now find that only portions of their data processing activities are exempt, while the rest fall under state privacy requirements.

Why This Matters for Privacy Teams

For privacy and compliance leaders, this shift introduces real operational challenges:

  • GLBA is no longer a blanket shield. Compliance with federal law may not exempt your organization from state obligations.
  • Data classification is critical. Teams must distinguish between GLBA-covered and non-covered data at a granular level.
  • Vendor and ecosystem risk is increasing. Non-bank partners, fintechs, and service providers are more likely to fall within scope.

In short, what qualifies as "covered" or "exempt" is becoming less predictable and more dependent on jurisdiction-specific interpretation.

The Bigger Picture: Toward a Federal Standard?

The hearing also underscores a broader policy question: Is the U.S. moving closer to a unified federal privacy framework for financial data?

Industry and advocacy groups are increasingly weighing in:

  • Some argue that weakening GLBA exemptions could undermine existing financial privacy protections if not carefully aligned.
  • Others contend that current frameworks are outdated for today's data ecosystem, particularly given the rise of fintech and third-party data sharing.

At the same time, draft proposals discussed by the committee suggest potential efforts to modernize GLBA and possibly preempt state laws, signaling that federal reform may be on the horizon.

What Organizations Should Do Now

As policymakers continue to debate the future of financial data privacy, organizations should take proactive steps:

  • Reassess your data mapping: Understand exactly which data falls under GLBA and which does not.
  • Evaluate state-level exposure: Don't assume exemptions apply uniformly across jurisdictions.
  • Strengthen vendor governance: Third-party relationships are increasingly in scope.
  • Plan for regulatory change: Both state enforcement and potential federal updates are accelerating.

Other Privacy News of Note

Thousands of People Are Selling Their Identities to Train AI – But at What Cost?

One morning last year, Jacobus Louw set out on his daily neighborhood walk to feed the seagulls he finds along the way. Except this time, he recorded several videos of his feet and the view as he walked on the pavement. The video earned him $14, about 10 times the country's minimum wage, or for Louw, a 27-year-old based in Cape Town, South Africa, half a week's worth of groceries. The video was for an "Urban Navigation" task Louw found on Kled AI, an app that pays contributors for uploading their data, such as videos and photos, to train artificial intelligence models.

White House AI Framework Calls for Preemption of State Laws

On March 20, the White House proposed its framework for a national artificial intelligence policy, pushing for broad preemption of state AI laws and against "open-ended liability" for AI firms. The proposal urges Congress to take some steps to protect kids, energy costs and copyright holders, while also requesting streamlined permitting for data centers, regulatory "sandboxes" to allow exemptions to federal regulations and no new regulatory body to oversee the fast-spreading technology.