What are your Obligations under the Privacy Rule in the Gramm-Leach-Bliley Act?
Privacy Notices.
Financial institutions must give their customers - and in some cases their consumers - a "clear and conspicuous" written notice describing their privacy policies and practices. When you provide the notice and what you say depend on what you do with the information.
Who Gets a Privacy Notice?
Customers
Whether or not you share customer NPI, you must give all your customers a privacy notice. You must provide an "initial notice" by the time the customer relationship is established. If this would substantially delay the customer's transaction, you may provide the notice within a reasonable time after the customer relationship is established, but only if the customer agrees.
If you share NPI with nonaffiliated third parties outside of the exceptions described within (see "Exceptions"), you also must give your customers:
- an "opt-out" notice explaining the individual's right to direct you not to share her NPI with a nonaffiliated third party;
- a reasonable way to opt out; and
- a reasonable amount of time to opt out before you disclose her NPI.
You must also give your customers an "annual notice" - a copy of your full privacy notice - for as long as the customer relationship lasts.
Consumers Who Are Not Customers
Before you share NPI with nonaffiliated third parties outside of the exceptions described within (see "Exceptions"), you must give your non-customer consumers a privacy notice, including an opt-out notice. If you don't share information with nonaffiliated third parties, or if you only share within the exceptions, you do not have to give a privacy notice to your consumers.
If you are required to provide a privacy notice to your consumers, you may choose to give them a "short-form notice" instead of a full privacy notice. The short-form notice must:
- explain that your full privacy notice is available on request;
- describe a reasonable way consumers may get the full privacy notice; and
- include an opt-out notice.
The Contents of the Privacy Notice
Your notice must accurately describe how you collect, disclose, and protect NPI about consumers and customers, including former customers. Your notice must include, where it applies to you, the following information:
- Categories of information collected. For example, nonpublic personal information obtained from an application or a third party such as a consumer reporting agency.
- Categories of information disclosed. For example, information from an application, such as name, address, and phone number; Social Security number; account information; and account balances.
- Categories of affiliates and nonaffiliated third parties to whom you disclose the information. For example, financial services providers, such as mortgage brokers and insurance companies; or non-financial companies, such as magazine publishers, retailers, direct marketers, and nonprofit organizations. You also may describe categories of other nonaffiliated parties to whom you may disclose NPI in the future.
- Categories of information disclosed and to whom under the joint marketing/service provider exception in section 313.13 of the Privacy Rule (see "Exceptions").
- If you are disclosing NPI to nonaffiliated third parties under the exceptions in sections 313.14 (exceptions for processing or administering a financial transaction) and 313.15 (exceptions, including fraud prevention or complying with federal or state law and others) of the Privacy Rule (see "Exceptions"), a statement that the disclosures are made "as permitted by law."
- If you are disclosing NPI to nonaffiliated third parties, and that disclosure does not fall within any of the exceptions in sections 313.14 and 313.15, an explanation of consumers' and customers' right to opt out of these disclosures (see "Opt-Out Notices").
- Any disclosures required by the Fair Credit Reporting Act (see "Fair Credit Reporting Act").
- Your policies and practices with respect to protecting the confidentiality and security of NPI (see "Safeguarding NPI").
You only need to address those items listed above that apply to you. For example, if you don't share NPI with affiliates or nonaffiliated third parties except as permitted under sections 313.14 and 313.15, you can provide a simplified notice that: (1) describes your collection of NPI; (2) states that you only disclose NPI to nonaffiliated third parties "as permitted by law;" and (3) explains how you protect the confidentiality and security of NPI.
The Appearance of the Privacy Notice
The privacy notice must be "clear and conspicuous," whether it is on paper or on a website. It must be reasonably understandable, and designed to call attention to the nature and significance of the information. The notice should use plain language, be easy to read, and be distinctive in appearance. A notice on a website should be placed on a page that consumers use often, or it should be hyperlinked directly from a page where transactions are conducted.
Safeguarding NPI
The FTC has issued a separate rule to address the requirements for safeguarding NPI. See 16 C.F.R. Part 314, 67 Fed. Reg. 36484 (May 23, 2002). You should consult the FTC's website for more information about this rule and further guidance for small businesses in implementing the Safeguards Rule requirements.
The Privacy Rule requires that your privacy notice provide an accurate description of your current policies and practices with respect to protecting the confidentiality and security of NPI. For example, if you restrict access to NPI to employees who need the information to provide products or services to your consumers or customers, say so.
Delivering Privacy Notices
You must deliver your privacy notices to each consumer or customer in writing, or, if the consumer or customer agrees, electronically. Your written notices may be delivered by mail or by hand. For individuals who conduct transactions with you electronically, you may post your privacy notice on your website and require them to acknowledge receiving the notice as a necessary part of obtaining a particular product or service. For annual notices, you may reasonably expect that your customers have received your notice if they use your website to access your financial products or services and agree to receive notices at your website, and you post your notice continuously in a clear and conspicuous manner on your website.
Notices given orally or posted in your office(s) don't comply with the rule.
Opt-Out Notices
General Obligations
If you share their NPI with nonaffiliated third parties outside of the three exceptions (see "Exceptions"), you must give your consumers and customers an "opt-out notice" that clearly and conspicuously describes their right to opt out of the information being shared. An opt-out notice must be delivered with a privacy notice, and it can be part of the privacy notice.
The opt-out notice must describe a "reasonable means" for consumers and customers to opt out. They must receive the notice and have a reasonable opportunity to opt out before you can disclose their NPI to these nonaffiliated third parties. Acceptable "reasonable means" to opt out include a toll-free telephone number or a detachable form with a check-off box and mailing information. Requiring the consumer or customer to write a letter as the only option is not a "reasonable means" to opt out.
Note: While the GLB Act does not require you to provide an opt-out notice if you only disclose NPI to affiliates, if you share certain information with your affiliates, you may have an obligation to provide an opt-out notice under the Fair Credit Reporting Act. That opt-out notice must be included in your GLB privacy notice (see "Fair Credit Reporting Act").
Exercising the Opt-Out Right
You must give consumers and customers a "reasonable opportunity" to exercise their right to opt out (for example, 30 days after you send the initial notice, whether online or offline) before you can share their information with nonaffiliated third parties outside the exceptions. For an isolated consumer transaction, like buying a money order, you may require your consumers to make their opt-out decision before completing the transaction.
Consumers and customers who have the right to opt out may do so at any time. Once you receive an opt-out direction from your existing consumers or customers, you must comply with it as soon as is reasonably possible.
The Shelf Life of an Opt-Out Direction
An opt-out direction by a consumer or customer is effective - even after the customer relationship is terminated - until canceled in writing, or, if the consumer agrees, electronically. However, if a former customer establishes a new customer relationship with you and you are required to provide an opt-out notice, the customer must make a new opt-out direction that will apply only to the new relationship.
SUMMARY OF NOTICE REQUIREMENTS
Exceptions
Exceptions to the Notice and Opt-Out Requirements
There are a number of exceptions to the notice and opt-out requirements. These exceptions are located in sections 313.14 ("section 14 exceptions") and 313.15 ("section 15 exceptions") of the Privacy Rule. If you share information only under these sets of exceptions, you don't need to give your consumers a privacy notice, but you will need to give your customers a simplified initial and, if applicable, an annual privacy notice. Customers and consumers have no right to opt out of these disclosures of NPI.
The section 14 exceptions apply to various types of information-sharing that are necessary for processing or administering a financial transaction requested or authorized by a consumer. This includes, for example, disclosing NPI to service providers who help mail account statements and perform other administrative activities for a consumer's account. It also includes disclosures to and by creditors listed by a consumer on a credit application to perform a credit check.
The section 15 exceptions apply to certain types of information-sharing, including disclosures for purposes of preventing fraud, responding to judicial process or a subpoena, or complying with federal, state, or local laws. Examples of appropriate information disclosures under this exception include those made to technical service providers who maintain the security of your records; your attorneys or auditors; a purchaser of a portfolio of consumer loans you own; and a consumer reporting agency, consistent with the Fair Credit Reporting Act (see "Fair Credit Reporting Act").
Exception to the Opt-Out Requirement: Service Providers and Joint Marketing
Another exception can be found in section 313.13 ("section 13 exception") of the Privacy Rule. If you share information under this exception, you must give your customers - and your consumers if you share their information - a privacy notice that describes this disclosure. However, your consumers and customers do not have a right to opt out of this information sharing.
The section 13 exception covers disclosures to certain service providers and for certain marketing activities. It covers disclosures to third-party service providers whose services for you do not fall within the section 14 exceptions. For example, if you hire a nonaffiliated third party to provide services in connection with marketing your products, to market financial products jointly for you and another financial institution, or to do a general analysis of your customer transactions, your disclosure of NPI for these purposes does not fall under the section 14 exceptions. Therefore, you can use the section 13 exception for these types of service providers.
The section 13 exception also applies to marketing financial products or services offered through a "joint agreement" with one or more other financial institutions. The "joint agreement" requirement means that you have entered into a written contract with one or more financial institutions about your joint offering, endorsement, or sponsorship of a financial product or service. This does not apply to any kind of joint marketing you do, but only joint marketing with other financial institutions and only the marketing of financial products or services.
To take advantage of the section 13 exception, you must enter into a contract with those nonaffiliated third parties with whom you share NPI. The agreement must guarantee the confidentiality of the information by prohibiting the third party or parties from using or disclosing the information for any purpose other than the one for which it was received. Contracts with nonaffiliated service providers that were effective before July 1, 2000 and don't have the required confidentiality provision must be amended to include such a provision by July 1, 2002.
For more information, see here: https://www.ftc.gov/tips-advice/business-center/guidance/how-comply-privacy-consumer-financial-information-rule-gramm
These materials were obtained directly from the Federal Government public websites and are posted here for your review and reference only. No Claim to Original U.S. Government Works. This may not be the most recent version. The U.S. Government may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.