Privacy Policies at Banks: The Gramm-Leach-Bliley Act
There has been a lot of discussion in the United States of privacy policies following the Cambridge Analytica scandal and GDPR. Bills have been proposed in Congress to substantially alter the way businesses currently handle privacy online in the United States. States may also impose their own requirements on businesses, as would happen if California voters adopt the California Consumer Privacy Act in November. We thought today that we would take an in-depth look at the Gramm-Leach-Bliley Act (“GLBA”) to see what the federal government has already done on privacy in an area that is obviously important: sensitive financial information.
Although most enforcement of privacy law in the United States is done under the Federal Trade Commission's Section 5 powers under the FTC Act, Congress has already required privacy measures in certain business segments, such as HIPAA for health providers, the Fair Credit Reporting Act for consumer reporting agencies, and the GLBA for financial institutions.
The Gramm-Leach-Bliley Act requires financial institutions to explain their information-sharing practices to customers (the Notice provisions, often called the “Privacy Rule”) and to protect sensitive customer information (the “Safeguards Rule”). The law was enacted on November 12, 1999 to reform the financial services industry. The financial privacy provisions are enforced by the Federal Trade Commission and by the other government agencies that regulate financial institutions (for example, the federal banking regulators, the SEC and the CFPB for the institutions within their jurisdiction).
The law applies broadly to businesses that are significantly engaged in financial activities, including lending, investing, financial advising, debt collecting, loan servicing and other enumerated activities. It governs their interaction with consumers and with customers (a subset of consumers who have a continuing relationship with the financial institution). It also governs the use and disclosure of the information by businesses that are not financial institutions if they receive covered information from a nonaffiliated financial institution.
The Gramm-Leach-Bliley Act protects nonpublic personal information, defined as personally identifiable financial information collected about an individual in connection with a financial product or service. Information that is generally publicly available is not covered by the law.
Notice Requirements
The law requires banks and other financial institutions to notify individuals of their information-sharing practices and to disclose to consumers their right to opt out of information sharing with nonaffiliated third parties. This written notice must be clear and conspicuous. All customers must get an initial notice before the customer relationship is established, or within a reasonable time afterward if the customer agrees and providing the notice beforehand would substantially delay the transaction. The law allows certain non-customer consumers to receive a short-form privacy notice instead, which must include the opt-out, an explanation that the full notice is available, and how to obtain it.
The privacy notice must be accurate and describe the categories of information collected and disclosed, the categories of third parties to whom the bank discloses information, any use of the joint marketing / service provider exception, disclosures required by the Fair Credit Reporting Act, the institution's security and confidentiality practices, and other enumerated information as applicable.
There are certain requirements for the delivery of these GLBA privacy notices, including that the notice be provided in writing, or electronically if the individual agrees. For customers who obtain a product or service electronically, the regulations treat requiring the customer to acknowledge receipt of the notice as a necessary step in the transaction as one way to show the notice was actually received. There is also an annual requirement to deliver the notice at least once in any period of 12 consecutive months for the duration of a customer relationship (the FAST Act of 2015 added an exception to the annual notice for institutions that have not changed their policies and share information only under the statutory exceptions).
In 2009, the FTC and the other agencies responsible for GLBA published a two-page model privacy form that financial institutions may voluntarily use. Entities that use the model form consistent with its instructions satisfy the GLBA notice content requirements and obtain a “safe harbor”.
There are exceptions to the notice and opt-out requirements. There is also certain information (such as account numbers and access codes) that may not be shared with nonaffiliated third parties for marketing purposes regardless of whether an individual has opted out of information sharing. As with any privacy law, it is complex. Businesses covered by the law may also be covered by other laws protecting privacy, such as the Fair Credit Reporting Act.
Safeguards Rule
This portion of the GLBA requires financial institutions to develop, implement and maintain a written information security program to protect customer information. The company must designate one or more employees to coordinate the information security program, identify and assess the risks to customer information in each relevant area of its operations, design and implement safeguards to control those risks, regularly monitor and test the effectiveness of the safeguards, oversee the service providers that handle customer information (including by contract), and evaluate and adjust the program as circumstances change.
How Will New Legislation Handle Financial Information?
The new laws under consideration by Congress establish sensitive financial information as one of the categories of personal information that should be protected online. If one of them passes and becomes law, it will extend privacy protections beyond the GLBA's limited scope (financial institutions) to all (or most) website and app operators. For example, the Social Media Privacy and Consumer Rights Act of 2018 borrows the definition of nonpublic personal information from section 509 of the GLBA.
Discover the Benefits of Privacy Management Software with Clarip
The Clarip data privacy software and team are available to help improve privacy and trust at your organization. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If you are working towards GDPR compliance, try our modular GDPR software. Start with our automated GDPR data mapping software, enhance your privacy program with DPIA software, and meet ePrivacy requirements with the cookie consent manager.
If CCPA compliance in 2020 is on your radar, ask us about our California Consumer Privacy Act software. Improve efficiency of responses to data subject access requests with our DSAR Portal, or provide the right to opt out of the sale of personal information with our consent software.