GLBA Privacy Amendments: What Mortgage Lenders Need to Know

A new discussion draft released on March 17, 2026, could fundamentally change how mortgage lenders handle consumer data. Representative Bill Huizenga's proposed amendments to the Gramm-Leach-Bliley Act (GLBA) aim to modernize privacy protections for the digital age—and mortgage professionals need to understand what's coming.

What's Changing?

The current GLBA framework, established in 1999, focuses primarily on disclosure—telling consumers how their data is used. The proposed amendments shift to comprehensive data treatment, introducing requirements that mirror modern privacy expectations:

Data Minimization Requirements

Lenders would need to limit collection, use, retention, and disclosure of nonpublic personal information (NPI) to what's necessary for legitimate business, legal, or regulatory purposes. This means auditing current data practices and potentially streamlining what information you collect during the mortgage application process.

Enhanced Consumer Control

The draft introduces new consumer rights under a proposed Section 503A, including:

• The right to access their NPI and see who it's been shared with
• The right to request deletion after the business relationship ends (with exceptions for legal and FCRA obligations)
• Strengthened opt-out rights for third-party data sharing

Expanded Privacy Notices

Privacy notices would need to detail data retention practices, AI usage, and the new access and deletion rights. The draft includes a temporary safe harbor for using prior model forms, giving lenders time to transition.

What This Means for Mortgage Professionals

For lenders, these changes could require significant operational adjustments. The data minimization principle might affect how long you retain application data, what information you collect from borrowers who don't close, and how you structure data-sharing agreements with third-party service providers.

The good news? The draft addresses the compliance burden on smaller institutions, requiring agencies to consider the impact on organizations under $15 billion in assets when implementing rules.

Federal Preemption: A Simpler Path Forward?

One of the most significant aspects of the proposed amendments is strengthened federal preemption. The draft would supersede state privacy and security laws for GLBA-covered data, creating a single national standard instead of the current patchwork of state requirements.

This could actually simplify compliance for multi-state lenders, who currently navigate varying requirements from California to Indiana. A unified federal framework means consistent policies, training, and procedures across all markets.

Timeline and Next Steps

It's crucial to note that this is still a discussion draft, not enacted law. The proposal emerged from a March 17-18 House Financial Services Committee hearing titled "Updating America's Financial Privacy Framework for the 21st Century."

Industry groups including the American Bankers Association and credit unions have voiced support for GLBA modernization, emphasizing the need for uniform protections that don't create unnecessary burdens. However, the path from draft to final legislation can be long.

What to Do Now

While these amendments aren't law yet, forward-thinking lenders can prepare:

1. Review current data practices – Identify what consumer information you collect and why
2. Audit retention policies – Ensure you're not holding data longer than necessary
3. Document your legitimate purposes – Be ready to justify each data element you collect
4. Evaluate third-party relationships – Understand where consumer data flows and why

The proposed GLBA amendments reflect where consumer expectations and technology have moved since 1999. Whether this specific draft becomes law or not, the trend toward enhanced privacy protections, data minimization, and consumer control is clear. Mortgage lenders who adapt proactively will be better positioned for whatever regulatory changes lie ahead.