How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act
July 2002
The Federal Trade Commission (“FTC”) guide explains how to comply with the Privacy of Consumer Financial Information Rule under the Gramm-Leach-Bliley Act (“GLBA”), which was enacted in 1999 to enhance consumer financial privacy. The Act requires financial institutions to notify customers about their information-sharing practices and gives consumers the right to opt out of certain disclosures. The FTC enforces the Privacy Rule, which applies to a wide range of entities engaged in financial activities, even if they are not traditional financial institutions.
The guide outlines who is covered by the Privacy Rule, distinguishing between "customers" and "consumers." It explains that a "consumer" is anyone obtaining financial products or services for personal use, while "customers" have ongoing relationships with financial institutions. The text clarifies the definition of nonpublic personal information (“NPI”), which includes any personally identifiable financial information collected during the provision of financial services, excluding publicly available information.
Furthermore, the guide emphasizes that businesses receiving NPI from nonaffiliated financial institutions must also adhere to restrictions on its reuse and redisclosure. Overall, the guide aims to provide businesses with detailed guidance on complying with privacy requirements established by the GLBA.
The guide also details the obligations financial institutions have under the Privacy Rule of the GLBA regarding consumer privacy notices. Institutions must provide "clear and conspicuous" written privacy notices to their customers and, in certain cases, to consumers before sharing their NPI with nonaffiliated third parties.
Customers must receive an initial privacy notice upon establishing a relationship, and an annual notice as long as the relationship lasts. If a financial institution shares NPI outside of specific exceptions, it must also provide an opt-out notice, allowing customers the opportunity to refuse such disclosures. For non-customers, a privacy notice is required only if NPI will be shared; a shorter version of the notice can be used in some cases.
The contents of the privacy notice must include detailed descriptions of the types of information collected, the categories of disclosures made, the parties involved, and the institution's policies on protecting NPI. The notice should be designed to be easily understandable and prominent, whether delivered in print or online.
Furthermore, the guide addresses the safeguarding of NPI, directing institutions to comply with the FTC's separate safeguards rule. Notices must be delivered in writing or electronically if consent is obtained, with oral or posted notices deemed insufficient.
An opt-out notice must accompany privacy notices if NPI is shared outside of the specified exceptions, and institutions must provide reasonable means for consumers to opt out. This right to opt out remains in effect even after a customer relationship ends, unless revoked by the consumer.
Several exceptions to the notice and opt-out requirements are outlined, including those for information sharing necessary for processing transactions or complying with laws, where notices may not be required. Additionally, specific provisions exist for sharing information with service providers under joint marketing agreements. Overall, the guide emphasizes the importance of transparency and consumer control over personal financial information.
The guide outlines the limits on the reuse and redisclosure of NPI under the GLBA. When a financial institution receives NPI from a nonaffiliated financial institution, its ability to reuse or redisclose that information is restricted based on how it was received:
Under Section 14 or 15 Exceptions. If NPI is received under these exceptions, the institution may only use the information in the ordinary course of business for the purpose it was received. This includes sharing with other parties as necessary to fulfill that purpose, such as responding to a subpoena. Redisclosures to affiliates are permitted, but affiliates must follow the same restrictions.
Outside Section 14 or 15 Exceptions. If NPI is received outside these exceptions (for example, through a purchased customer list), the originating institution must have informed consumers of this type of disclosure in its privacy notice, and consumers must not have opted out. The receiving institution can use the information internally and may redisclose it only according to the originating institution's privacy policy. This means that the receiving institution can only disclose NPI to the same types of entities as allowed by the originating institution’s privacy policy.
The GLB Act prohibits financial institutions from sharing account numbers or similar access codes for marketing purposes, even if a consumer has not opted out. This prohibition extends to any nonaffiliated third party for uses such as telemarketing or direct mail marketing. However, sharing encrypted account numbers is allowed, provided the receiving party cannot decode them.
There are exceptions for disclosures to agents or service providers for marketing a financial institution's own products, as long as the recipient cannot initiate charges to the account. Importantly, the exceptions in the privacy rule do not apply to account number disclosures for marketing purposes.
The guide also highlights that the GLBA’s requirements are in addition to those of the Fair Credit Reporting Act (“FCRA”). Institutions must continue to provide clear disclosures about information sharing with affiliates as mandated by the FCRA.
Enforcement of the GLB Act is carried out by the FTC, federal banking agencies, and state insurance authorities. The FTC has the authority to bring actions for violations of the Privacy Rule in federal court and can seek comprehensive injunctive and equitable relief. Additionally, it can examine privacy policies for issues of deception and unfairness under Section 5 of the FTC Act.
Overall, the guide emphasizes the importance of safeguarding consumer privacy and the specific restrictions on handling sensitive information, ensuring compliance with both the GLBA and other applicable regulations.
For more information, see here: https://www.ftc.gov/tips-advice/business-center/guidance/how-comply-privacy-consumer-financial-information-rule-gramm
These materials were obtained directly from the Federal Government public websites and are posted here for your review and reference only. No Claim to Original U.S. Government Works. These may not be the most recent versions. The U.S. Government may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.