Investment Advisers Urge Federal Preemption on Data Privacy Laws
August 27, 2025
The Honorable French Hill
Chairman
U.S. House Committee on Financial Services
Washington, D.C. 20515
The Honorable Maxine Waters
Ranking Member
U.S. House Committee on Financial Services
Washington, D.C. 20515
The Honorable Andy Barr
Chair
Subcommittee on Financial Institutions
Washington, D.C. 20515
The Honorable Bill Foster
Ranking Member
Subcommittee on Financial Institutions
Washington, D.C. 20515
Re: Request for Harmonization of Financial Data Privacy Standards
Dear Chairman Hill, Ranking Member Waters, Subcommittee Chair Barr, Subcommittee Ranking Member Foster, and Members of the Committee:
The Investment Adviser Association (IAA)[1] appreciates your leadership and continued efforts to modernize our nation’s data privacy laws, including your thoughtful focus on the Gramm-Leach-Bliley Act (GLBA). As the financial services landscape continues to evolve and data security grows more critical, modernizing the GLBA is essential to providing strong, consistent protection for consumers and greater regulatory clarity for financial institutions. We respectfully urge Congress to amend the GLBA to include a robust federal preemption clause that promotes national uniformity in financial privacy regulation.[2]
The current patchwork of state privacy laws – some overlapping, others conflicting – has resulted in a complex and challenging regulatory environment for financial institutions operating across multiple jurisdictions.
This challenge is especially significant for SEC-registered investment advisers, who are already subject to strict federal privacy and data protection requirements under Regulation S-P,[3] adopted pursuant to the GLBA and recently amended by the SEC. The IAA emphasizes that we are not seeking to alter the substance of the GLBA or diminish the strong protections it provides to consumers.
The growing complexity of this regulatory environment underscores the need for greater uniformity. Recognizing these challenges, it is important to revisit the original purpose behind the GLBA, which aimed to establish clear and consistent federal standards for financial privacy.
A. Congress Intended to Create Uniform Standards for the Financial Services Sector
The legislative history of the GLBA demonstrates Congress’s clear intent to establish a uniform national standard for financial privacy regulation. Throughout the development of the GLBA, lawmakers emphasized the importance of regulatory consistency across jurisdictions, recognizing that financial institutions operate on a national scale. A fragmented patchwork of state-level privacy laws was seen as a threat to the effectiveness of federal oversight and the smooth operation of interstate commerce. Both House and Senate records reflect concerns that divergent state requirements would create compliance challenges, impose duplicative or conflicting obligations, and frustrate the goals of comprehensive financial regulation. While the final statute permitted states to enact laws that are not “inconsistent” with the GLBA, the overarching purpose was to create a cohesive federal framework capable of adapting to evolving technologies and protecting consumer data nationwide. In light of the increasingly fractured regulatory environment, it is appropriate – and aligned with Congress’s original intent – to reaffirm the GLBA as the controlling federal standard by adopting a robust preemption provision.
Congress has consistently recognized the value of regulatory uniformity in the financial services space. When Congress enacted the National Securities Markets Improvement Act of 1996 (NSMIA), it broadly preempted state laws that impose substantive regulation on SEC-registered investment advisers, recognizing that such laws would impermissibly create new and different state regulatory obligations not required under federal law. NSMIA reflected the principle that national markets require a coherent federal regulatory regime to ensure efficiency, lower costs, and strengthen investor protection. That same rationale applies with equal force to financial data privacy. By adopting a broad federal preemption provision under the GLBA – modeled on NSMIA – Congress can provide much-needed clarity and consistency for advisers while enhancing investor protection in today’s data-driven financial ecosystem.
B. SEC-Registered Investment Advisers Are Subject to Strict Federal Data Privacy Standards
SEC-registered investment advisers are already subject to robust federal privacy and data security obligations under Regulation S-P. The regulation requires advisers to adopt written policies and procedures to safeguard clients’ nonpublic personal information, ensure the security and confidentiality of that data, and protect against anticipated threats or unauthorized access. In its recent amendments, the SEC further strengthened Regulation S-P by mandating the development and maintenance of comprehensive incident response programs, including obligations to assess, contain, and mitigate data breaches. Advisers must also notify clients whose sensitive data has been compromised – ensuring transparency and consumer protection in the event of a security incident.
C. Inconsistent Data Privacy Laws Create Unnecessary Challenges
Strengthening the GLBA with a clear federal preemption provision would not diminish investor protections – on the contrary, it would enhance them. As noted above, Regulation S-P imposes stringent data protection and breach notification obligations on investment advisers. These requirements are more protective of investors than most state data breach reporting laws and are enforced by the SEC, a highly sophisticated regulator. A uniform national standard would eliminate the need for firms to navigate duplicative or inconsistent state obligations, allowing firms to focus their efforts on meaningful, risk-based compliance, rather than potentially having to divert resources from investor-focused operations.
While the GLBA permits states to enact data privacy laws that are not “inconsistent” with federal standards, the proliferation of divergent state regimes has created a fragmented legal landscape. These state laws often vary in scope, definitions, notice and breach requirements, and enforcement mechanisms – leading to practical inconsistencies that are difficult to reconcile with the uniform standards established under the GLBA. This patchwork imposes significant compliance challenges, particularly for SEC-registered investment advisers, which are already subject to a robust investor-protective federal framework specifically tailored to their fiduciary obligations.
The lack of regulatory harmony not only complicates regulatory compliance but has also resulted in disparities in investor protection based solely on geography. Clients of SEC-registered advisers, who are otherwise subject to uniform fiduciary standards nationwide, should not face different privacy rights simply because of where they live. This inconsistency not only creates confusion for investors but also complicates adviser-client relationships. The SEC itself acknowledged this confusion and inconsistency in its recent amendments to Regulation S-P.[4] A broad preemption clause in the GLBA would restore consistency and ensure all advisory clients receive equal treatment under a single, national privacy framework.
Notably, several states have already acknowledged the strength and comprehensiveness of the GLBA framework by exempting GLBA-covered entities from their state privacy laws.[5] These carve-outs reflect an understanding that the GLBA, along with implementing rules such as Regulation S-P, already imposes extensive privacy and breach response obligations on advisers. By deferring to the federal framework, these states have avoided duplicative regulation and minimized unnecessary compliance burdens, further supporting the rationale for a statutory federal preemption clause. Such a clause would formalize and broadly apply what these several states have accepted in practice – that financial privacy is best regulated through a consistent, sector-specific national standard.
As advisers increasingly adopt emerging technologies to protect client data, the need for a coherent federal privacy framework becomes even more pressing. These innovations offer transformative benefits but also introduce new risks to data privacy. A strong preemption provision within the GLBA would ensure that investor protections evolve alongside these technologies, under a single, clear standard. Rather than forcing firms to adapt compliance programs to dozens of inconsistent state laws – many of which were not designed with these technologies in mind – a national framework would allow for proactive, technology-neutral oversight that keeps pace with innovation while ensuring investors’ personal information remains secure.
D. Amending the GLBA to Broadly Preempt State Law
The IAA respectfully emphasizes that we are not seeking to change the substance of the GLBA or weaken the strong protections it affords consumers. Rather, we urge Congress to modernize the statute by adopting a clear federal preemption provision that would eliminate duplicative and conflicting state privacy requirements. This would preserve the integrity of the existing federal framework while promoting national uniformity and reducing unnecessary compliance burdens for advisers operating across state lines.
To achieve this goal, we recommend revising 15 U.S.C. § 6807 as follows:
15 U.S. Code § 6807 — Relation to State Laws (Revised Version)
(a) Preemption of State Law
This subchapter and the amendments made by this subchapter shall supersede any statute, regulation, order, or interpretation of any State or political subdivision thereof that relates to the privacy, confidentiality, security, or protection of nonpublic personal information by financial institutions, regardless of whether such requirement provides greater, lesser, or equivalent protection.
(b) Preservation of Fraud and Consumer Protection Laws
Nothing in this section shall preempt, annul, or affect the enforcement of State laws of general applicability relating to fraud, misrepresentation, consumer protection, or unfair or deceptive acts or practices, provided that such laws do not impose duplicative, separate or additional requirements regarding the privacy, confidentiality, security, or protection of nonpublic personal information.
(c) Exclusivity of Federal Standards
The requirements of this subchapter shall constitute the exclusive standards governing the privacy, confidentiality, security, and protection of nonpublic personal information by financial institutions, except as preserved in subsection (b).
* * *
We appreciate the opportunity to provide comments on this important issue and look forward to collaborating with you on these and other key reforms to strengthen our capital markets and protect investors. Please do not hesitate to contact the undersigned at (202) 507-7214 if we can be of further assistance.
Respectfully Submitted,
William A. Nelson
Director of Public Policy and Associate General Counsel
cc:
The Honorable Tim Scott, Chair, U.S. Senate Committee on Banking, Housing, and Urban Affairs
The Honorable Elizabeth Warren, Ranking Member, U.S. Senate Committee on Banking, Housing, and Urban Affairs
The Honorable Paul S. Atkins, SEC Chairman
The Honorable Mark T. Uyeda, SEC Commissioner
The Honorable Hester M. Peirce, SEC Commissioner
The Honorable Caroline A. Crenshaw, SEC Commissioner
[1] The IAA is the leading organization dedicated to advancing the interests of fiduciary investment advisers. For more than 85 years, the IAA has been advocating for advisers before Congress and federal, state, and global regulators, promoting best practices and providing education and resources to empower advisers to effectively serve their clients, the capital markets, and the U.S. economy. The IAA’s member firms manage more than $35 trillion in assets for a wide variety of individual and institutional clients, including pension plans, trusts, mutual funds, private funds, endowments, foundations, and corporations. For more information, please visit www.investmentadviser.org.
[2] The IAA has long called for harmonizing federal data privacy and cybersecurity standards. See Letter from Gail C. Bernstein, General Counsel, and William Nelson, Associate General Counsel, Investment Adviser Association, to the SEC re Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, available at https://www.investmentadviser.org/resources/iaa-supports-sec-proposal-on-protection-of-client-information-with-recommended-changes/.
[3] 17 C.F.R. pt. 248.
[4] As the SEC recognized, “states differ in the types of information that, if accessed or used without authorization, may trigger a notification requirement … [and] also differ regarding a firm’s duty to investigate a data breach when determining whether notice is required, deadlines to deliver notice, and the information required to be included in a notice, among other matters.” Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, 88 Fed. Reg. 20616, 20618 (Apr. 6, 2023), available at https://www.govinfo.gov/content/pkg/FR-2023-04-06/pdf/2023-05774.pdf.
[5] While some state privacy laws exclude financial institutions or data already covered by the GLBA, confusion persists because certain state laws expressly exempt both the information governed by the GLBA and the financial institutions subject to it, leading to uncertainty about the scope of preemption.
