Privacy Guide | June 5, 2026 | 9 min read

Understanding the GUARD Financial Data Act: What It Means for Your Financial Privacy


By Sarah Chen

Head of Privacy Research


On April 22, 2026, lawmakers introduced the Guidelines for Use, Access, and Responsible Disclosure of Financial Data Act — better known as the GUARD Financial Data Act (HR 8398). The bill represents the most significant proposed update to financial privacy law in over two decades, modernizing Title V of the Gramm-Leach-Bliley Act (GLBA) with data minimization requirements, new consumer rights, AI disclosure mandates, and strengthened enforcement. Here is what the GUARD Financial Data Act does, what it means for you, and what steps you can take now to protect your financial privacy.

What Is the GUARD Financial Data Act?

The GUARD Financial Data Act (HR 8398) is a federal bill that updates the financial privacy provisions originally established by the Gramm-Leach-Bliley Act of 1999. GLBA has long required banks, credit unions, insurance companies, and other financial institutions to explain their information-sharing practices and protect sensitive customer data. However, the original law was written before smartphones, cloud computing, and artificial intelligence transformed how financial data is collected, processed, and shared.

HR 8398 is designed as a companion to the SECURE Data Act, and together the two bills aim to bring U.S. financial privacy rules in line with the realities of modern data handling. The GUARD Act focuses specifically on how financial institutions collect, use, disclose, and retain your nonpublic personal information (NPI).

What Is Nonpublic Personal Information (NPI)?

Under the Gramm-Leach-Bliley Act, nonpublic personal information — or NPI — is any personally identifiable financial information that is not publicly available. This includes:

  • Account numbers and balances
  • Transaction and payment history
  • Social Security numbers provided to financial institutions
  • Credit and income information
  • Information collected through cookies or account usage tracking
  • Any data gathered in connection with providing a financial product or service

The GUARD Act does not change the definition of NPI, but it significantly changes what financial institutions are allowed to do with it and what they must tell you about how it is used.

Key Provisions of the GUARD Financial Data Act

1. Data Minimization

One of the most consequential provisions is a new data minimization standard. Under the GUARD Act, financial institutions would only be permitted to collect, use, and disclose NPI that is "adequate, relevant, and reasonably necessary" for the purpose at hand. This is a major shift from the status quo, where financial companies have broad latitude to collect and share customer data as long as they disclose the practice in their privacy policies.

In practical terms, data minimization means your bank could not collect or share more of your personal data than it actually needs to provide the service you signed up for. Excess data collection — gathering information "just in case" or for secondary marketing purposes — would face new legal constraints.

2. New Consumer Rights Under Section 503A

The GUARD Act creates an entirely new section of GLBA — Section 503A — that grants consumers specific rights over their financial data:

  • Right to know: Financial institutions must disclose the NPI they hold about you upon request.
  • Right to see who received your data: Institutions must list the categories of affiliates and third parties who have received your NPI.
  • Right to deletion: Former customers gain the right to request deletion of their NPI.

A Right to Deletion for Former Customers

The deletion right under the GUARD Act applies specifically to former customers. If you close a bank account, cancel an insurance policy, or end a relationship with a financial institution, you would have the right to request that your nonpublic personal information be deleted. This addresses a longstanding gap where companies could retain your data indefinitely after you stopped doing business with them.

3. Enhanced Transparency and AI Disclosure

The GUARD Act expands the existing disclosure requirements under Section 503(c) of GLBA. Financial institutions would need to provide clear information about:

  • Why NPI is collected and shared: Institutions must explain the specific purposes behind data collection and sharing.
  • Retention practices: Consumers must be told how long their data is kept and under what policies.
  • AI use: If artificial intelligence or automated decision-making systems are used to handle your NPI, the institution must disclose this.
  • Covered nation disclosure: Institutions must reveal whether your NPI has been processed or disclosed to a "covered nation" — a designation for countries identified as posing national security or data-security concerns.

The AI disclosure requirement is particularly notable. As banks and financial companies increasingly use machine learning for credit decisions, fraud detection, customer profiling, and marketing, the GUARD Act would ensure consumers know when their personal financial data is being fed into automated systems.

No Private Right of Action

The GUARD Financial Data Act does not include a private right of action. This means you cannot personally sue a financial institution for violating the law. Enforcement is left to the FTC and state attorneys general. While this limits individual recourse, the inclusion of state AG authority provides an additional enforcement layer beyond federal regulators alone.

4. Enforcement Mechanisms

The bill establishes two enforcement channels and a right to cure:

  • FTC enforcement: Violations of the GUARD Act would be treated as unfair or deceptive practices under FTC authority, opening the door to investigations, consent orders, and civil penalties.
  • State attorney general authority: State attorneys general gain parens patriae authority to bring enforcement actions on behalf of their state's residents, giving the law teeth at the state level.
  • Right to cure: Financial institutions are given a right to cure violations before enforcement actions proceed, which means companies have an opportunity to fix problems before facing penalties.

How the GUARD Act Affects Consumers

If passed, the GUARD Financial Data Act would give everyday consumers more visibility into and control over how banks, insurers, and other financial companies handle their personal data. Specifically:

  • You could ask your bank exactly what personal information it holds about you.
  • You could find out which affiliates and third parties received your data.
  • If you close an account, you could request deletion of your data.
  • You would know whether AI is being used to make decisions based on your financial information.
  • You would know whether your data has been sent to a foreign country flagged for security concerns.

These rights would put financial privacy closer to what consumers in Europe already have under GDPR, though with important differences — particularly the lack of a private right of action.

Limitations to Understand

While the GUARD Act is a meaningful step forward, there are limitations worth noting:

  • No private right of action: You cannot sue on your own if a financial institution mishandles your data. You would need to rely on the FTC or your state attorney general to take action.
  • Right to cure may weaken enforcement: Critics argue that giving companies a chance to fix violations before penalties apply could reduce the deterrent effect of the law.
  • It must still pass: As of June 2026, the GUARD Act is a bill, not a law. It still needs to move through committee, pass both chambers of Congress, and be signed by the president.
  • Does not cover data brokers directly: The GUARD Act targets financial institutions under GLBA. Data brokers, people-search sites, and other companies that trade in personal information are not directly covered unless they fall under GLBA's definition of a financial institution.

What You Can Do Right Now

Regardless of whether the GUARD Act passes, there are steps you can take today to protect your financial privacy:

  1. Review your current institution's privacy notices: Most banks already provide annual privacy disclosures under existing GLBA rules. Read them and opt out of information sharing where permitted.
  2. Opt out of marketing data sharing: Under current law, you can often opt out of your financial institution sharing data with non-affiliated third parties for marketing.
  3. Monitor your credit: Use free credit monitoring to detect unauthorized accounts or inquiries.
  4. Remove your data from people-search sites and data brokers: Even if the GUARD Act does not cover data brokers directly, removing your information from these sites reduces your overall exposure.
  5. Use strong, unique passwords and enable two-factor authentication on all financial accounts.

How PrivacyOn Helps Protect Your Financial Privacy

The GUARD Financial Data Act addresses how financial institutions handle your data, but it does not touch the hundreds of data brokers and people-search sites that expose your personal information to anyone who searches for it. PrivacyOn fills that gap by removing your data from 100+ data broker sites, monitoring the dark web for your exposed information, and providing 24/7 continuous monitoring to catch reappearances. With family plans covering up to 5 people starting at just $8.33/month, PrivacyOn gives you the comprehensive privacy protection that no single law can provide on its own.

Sarah Chen

Head of Privacy Research

CIPP/US Certified, IAPP Member, B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
