Fact Sheet 24(d)
Frequently Asked Questions about Financial Privacy
1. What laws protect privacy of my financial information?
2. Does GLB apply only to my bank and credit union accounts?
3. What’s the most important thing I can do to protect my financial information?
4. If I go to the trouble to opt out, how can I be assured my company won’t sell or disclose my information anyway?
5. I received a privacy notice that doesn’t give me an opt out. Am I missing something?
6. I receive privacy notices at least once a year. I opted out last year. Do I have to opt out every time I get a notice?
7. I have been tossing the privacy notices. Is it too late to opt out?
8. My bank’s privacy notice says I can send a letter to opt out. What should I say in the letter?
9. My bank’s privacy notice says my “creditworthiness” information is shared with the bank’s affiliated companies unless I opt out. What does this mean?
10. The privacy notices I receive are impossible to understand. Is anything being done to make the notices easier to read and understand?
11. Why did I receive a privacy policy from my insurance company?
12. I received a privacy notice that says my bank shares my information with third parties as “permitted by law.” What does this mean?
13. Can I stop my credit card company from using an overseas customer call center?
14. Can a company my bank hires to send out statements sell my information to someone else?
15. A relative of my ex-spouse works at a bank. I believe this person gave my ex information about my finances. What should I do?
16. How do I know if my small company is a “financial institution,” and subject to GLB’s privacy and data security rules?
17. Is private information I give to an auto dealer protected by the GLB privacy rule?
18. Does my bank have to safeguard all personal information it receives?
19. Does my bank have to notify me of a security breach?
20. I suspect someone called my bank impersonating me to get my account files. What should I do?
21. Can I sue my bank for violating my privacy rights?
22. Do state laws allow more privacy protection of my financial information?
23. How do I complain about a violation of my financial privacy?
24. I strongly object to a company sharing any information about me without my consent. Is there anything I can do?
25. Where can I learn more about protecting my financial privacy?
1. What laws protect privacy of my financial information?
The Financial Services Modernization Act
of 1999 is the major federal law that covers privacy for personal financial
information. It is more commonly known as the Gramm-Leach-Bliley Act (or
GLB), after the sponsors of the legislation.
GLB requires financial institutions to notify customers about how personal
information is collected and used. Companies that share or sell customer
data to outside companies (third-party non-affiliates) must give customers
a way to opt out, that is, to say “no” to having information shared
with others. (15 USC, Subchapter 1, Section 6801-6809)
Since July 1, 2001, customers have, at least annually, been receiving
written privacy notices. The notices are usually included as an insert
with monthly statements and are easily overlooked. GLB only covers data
shared with outside companies. However, another federal law, the Fair
Credit Reporting Act (FCRA), gives you some rights to stop companies from
sharing your personal data with corporate affiliates. Your rights to opt
out under the FCRA are usually included in the GLB privacy notice you
receive.
2. Does GLB apply only to my bank and credit union accounts?
No. GLB applies to “financial institutions,”
that is companies that offer financial services and products to individuals.
This includes not only banks but, among many others, financial advisors,
stock and commodities brokers, real estate settlement companies, mortgage
brokers, payday lenders, debt collectors, tax preparers and automobile
dealers.
3. What’s the most important thing I can do to protect my financial information?
Take a few minutes to read the privacy notices
you receive. If you are concerned about privacy, follow the instructions
given in the notice and take every opt out allowed. Remember, GLB only
gives you the right to opt out if the company shares information with
outside companies. And, as discussed in Question 1 above, the FCRA provides
another opt out for information about your creditworthiness. This means
the privacy notice may include one or two opt out choices. Or, the notice
may not give any opt out at all. When the privacy notice says your information
is neither shared with outside companies nor affiliates, there is no opt
out required.
You may even find that the notice gives you more than two choices to opt
out. For example, some companies include an opt out to allow you to stop
information from being shared with joint marketers. This is a signal that
the company offers an “extra” opt out, one that is not required
by law. For more on the “extra” privacy a company can provide,
see PRC Fact Sheet 24(c), How to Shop for Financial Privacy, www.privacyrights.org/fs/fs24c-ShopFin.htm.
4. If I go to the trouble to opt out, how can I be assured my company won’t sell or disclose my information anyway?
Unfortunately, GLB does not require that you
receive a confirmation when you opt out. Nor will you see your privacy
choices on your account statements.
Many types of companies are included in the definition of “financial
institution.” Banks, insurance companies, credit unions, and securities
and commodities brokers all operate in what is called a “regulated
industry.” This means the company’s activities are regulated
by a particular government agency called a “functional regulator”
in the law.
If a company operates within a “regulated industry,” the government
agency that oversees the company’s activities conducts regular audits
to assure compliance with regulations. Regular audits may detect company
practices that are not in compliance with all regulations, including those
governing privacy and data security.
Companies that do not answer to one of the “functional regulators”
and are not subject to periodic audits come under the jurisdiction of
the Federal Trade Commission, www.ftc.gov.
To the general public, the business of selling, transferring, trading,
or leasing personal information remains largely a mystery. Equally unknown
to the public are procedures companies adopt to make sure your opt out
choices are honored.
5. I received a privacy notice that doesn’t give me an opt out. Am I missing something?
Remember, GLB does not give you total control
over how your information is shared. The law only gives you the right
to opt out if the company shares your information with third-party nonaffiliated
companies. Some companies such as banks and credit card companies are
also required to offer an FCRA opt out, that is, a choice to stop the
company from sharing information about your “creditworthiness”
with corporate affiliates. This is sometimes also called “application”
information. It includes information you would normally give a potential
creditor when applying for a loan -- such things as your income and debt
level.
If the company does not share information with outsiders and does not
share information with affiliates, no opt out is required.
6. I receive privacy notices at least once a year. I opted out last year. Do I have to opt out every time I get a notice?
No. Your opt out choice remains in effect until you change it. However,
the opt out only applies to the active account(s) you have at the time
you make your choice. If you, for example, close your accounts, open an
account with a new bank, but later open a new account with your old bank,
you will have to opt out again. In other words, your opt out applies to
the account(s) you have at the time you opt out.
7. I have been tossing the privacy notices. Is it too late to opt out?
Your right to opt out is continuing. This means you can always opt out.
However, you must follow the procedure for opting out that the notice
gives you. Many companies have established special addresses and/or toll-free
telephone numbers just for opting out. If you don’t have the privacy
notice but want to opt out, it is best to ask your financial institution
for a copy of the most recent privacy policy. Your desire to opt out may
not be properly recorded unless you follow the procedure given in the
notice.
8. My bank’s privacy notice says I can send a letter to opt out. What should I say in the letter?
The PRC Web site includes sample letters that
you can use to opt out. The letters appear as an attachment to Fact Sheet
24(a), www.privacyrights.org/fs/fs24a-letter.htm.
The sample letters include the language necessary to opt out, both under
GLB and the FCRA. The sample letters include other opt-out choices as
well. Understand that some of the optional paragraphs we have included
in the sample letter need not be honored by your financial institution.
A company has no obligation under GLB to stop sharing your information
with affiliates or with joint marketers. Rather, GLB applies only to sharing
with unaffiliated third parties.
By requesting privacy protections that go beyond what a company is required
to do, you are simply saying that you value your privacy and object to
having your information used for any purpose other than servicing your
account.
9. My bank’s privacy notice says my “creditworthiness” information is shared with the bank’s affiliated companies unless I opt out. What does this mean?
The FCRA allows companies to share information with affiliates. For example,
banks may have an affiliated brokerage firm, insurance company, or other
company that operates under a common corporate umbrella. The FCRA allows
sharing of two separate kinds of personal information.
So-called “experience and transaction” information encompasses
account activity like deposits, withdrawals, debits, and credits. Also
included in this category are specifics such as what you buy, where you
buy it, and how much you pay. This is valuable information, particularly
when a company wants to sell you every variety of its financial products.
The FCRA does not allow you to stop this data flow.
The FCRA does, however, give you the right to opt out when it comes to
information about your “creditworthiness.” This includes information
such as the amount and source of your income, your debt level, and your
history of paying bills on time.
10. The privacy notices I receive are impossible to understand. Is anything being done to make the notices easier to read and understand?
Reaction to the first privacy notices delivered in July 2001 was highly
negative. GLB and federal rules specify that notices be “clear and
conspicuous,” that is, written in plain language. Yet the notices
received by millions were filled with legalese and confusing messages.
Many consumers simply tossed the privacy notices, seeing them as just
another bit of junk mail stuffed in with account statements.
The Federal Trade Commission, responding to criticism from consumers,
privacy advocates, readability experts, members of Congress, and the financial
services industry itself, hosted a workshop in December 2001, aimed at
creating more effective GLB notices. www.ftc.gov/bcp/workshops/glb/index.html
The PRC presented findings based on contact with approximately 2,500 consumers.
See PRC’s report to the FTC, How Consumers Responded to Financial
Privacy Notices, December 2001, www.privacyrights.org/ar/fp-glb-ftc.htm.
Efforts to improve the notices continue. Some companies have voluntarily
improved on their notices, and some are now giving customers opt outs
that are not required by law. Federal GLB agencies contracted with a research
firm, and a report on the first phase of the project was issued in March
2006. www.ftc.gov/opa/2006/03/jointprprivacy.htm
The report examined consumer reaction to various sample privacy notices
and concluded that it is possible to design an understandable short-form
privacy notice. The second phase of the study will encompass a larger
focus group.
11. Why did I receive a privacy policy from my insurance company?
Unlike most financial institutions, which are regulated by the federal
government, insurance companies are regulated by state government agencies.
Each state has an insurance commissioner overseeing insurance companies
operating in that state. However, GLB, a federal law, covers insurance
companies as well. To comply with GLB’s privacy provisions, state
insurance commissioners were required to adopt privacy regulations.
To learn more about your state’s privacy regulations for insurance
companies, visit your state insurance regulator’s Web site. To find
the insurance commissioner in your state, visit the Web site of the National
Association of Insurance Commissioners, www.naic.org.
12. I received a privacy notice that says my bank shares my information with third parties as “permitted by law.” What does this mean?
Like most laws that promise some privacy, GLB is riddled with exceptions.
The law almost never gives you complete control over how your information
is shared. Sometimes it’s to your advantage to have a company share
your information. For example, when your credit card company reports your
favorable payment history to the credit bureaus, this helps build your
credit history and increase your credit score. Even if information is
negative, you cannot stop the flow of data from a financial institution
to a credit bureau.
Nor does GLB allow you to keep information from being shared with a financial
institution’s service provider, that is, an outside company that
performs services such as preparing account statements, printing checks,
or running customer call centers.
A most troubling opt out exception included in GLB is one that allows
your bank or other financial institution to share your personal data for
“joint marketing” purposes. This allows a bank, for example,
without your permission, to enter into a contract with another company
to sell you new financial products or services. Sharing data with credit
bureaus, service providers, and joint marketers are examples of disclosures
permitted by GLB.
Your information may also be disclosed if required by law. One example
of this would be if financial information is ordered by a court or subpoenaed
by a party to litigation. The federal Right to Financial Privacy Act (RFPA),
12 USC 3401, also gives some federal government agencies authority to
obtain financial records as part of an investigation. For more on the
RFPA, visit the Web site for the Electronic Privacy Information Center
(EPIC), at www.epic.org/privacy/rfpa/.
13. Can I stop my credit card company from using an overseas customer call center?
No. An offshore call center is an example of a “service provider”
under GLB. The law makes no distinction between a domestic and foreign
service provider. Recognizing the unique privacy implications of foreign-based
service providers, federal banking regulators have issued specific guidance
for financial institutions that outsource personal data. See, for example,
FDIC Guidelines, Offshore Outsourcing of Data Services by Insured Institutions
and Associated Consumer Privacy Risks, www.fdic.gov/regulations/examinations/offshore/supervisory.html.
14. Can a company my bank hires to send out statements sell my information to someone else?
Maybe. Most financial institutions contract with other companies to perform
some service, such as printing or mailing statements. GLB calls such companies
“service providers.” You cannot stop sharing with service
providers. If your bank’s privacy policy says your information can
be shared with third-party companies, the bank must give you an opportunity
to opt out. If you do not opt out, the bank can share your information
and so can the bank’s service provider.
Here’s an example: Your bank’s privacy policy says it may
share your information with third parties. The bank must then give you
a means to opt out to stop this sharing. If you take the opt out, neither
the bank nor its outside service provider should further share your information.
Conversely, if you do not take the bank’s opt out, both the bank
and its service provider could share your information as described in
the bank’s notice of privacy policy.
15. A relative of my ex-spouse works at a bank. I believe this person gave my ex information about my finances. What should I do?
This is a very serious matter. It should not be taken lightly, either
by one who makes the claim or by an employee tempted to use private data
for personal reasons.
GLB requires banks and other financial institutions to adopt data security
procedures. Success of data security programs depends largely on a company’s
employees. Most companies conduct background checks and some ask employees
to sign an agreement to follow the company policies. An employee who uses
access to personal financial data for personal reasons is almost certainly
violating company policy.
The bank’s branch and regional managers should be notified immediately
as well as the company’s corporate headquarters. Reports to several
levels should prompt an internal investigation to identify weakness in
data security procedures.
The matter should also be reported to the federal government agency that
oversees the company. For more on safeguarding customer data, see PRC
Fact Sheet 24(e), Is Your Financial Information Safe?, www.privacyrights.org/fs/fs24e-FinInfo.htm#7
At the end of this guide you will find a list of federal agencies with
contacts for complaints.
16. How do I know if my small company is a “financial institution” subject to GLB’s privacy and data security rules?
As discussed in Question 2 above, GLB applies to many business types,
not just those in regulated financial industries like banking, securities,
commodity futures, or insurance. The Federal Trade Commission’s
Web site has a great deal of information for businesses that must comply
with the privacy and security provisions of GLB. www.ftc.gov/privacy/privacyinitiatives/financial_rule_bus.html
The FTC has also developed a guide for small businesses.
www.ftc.gov/bcp/conline/pubs/buspubs/getnoticed.htm
17. Is private information I give to an auto dealer protected by the GLB privacy rule?
According to the FTC, a car dealer must comply with GLB when the dealer:
Extends credit to someone (for example, through a retail installment contract) in connection with the purchase of a car for personal, family, or household use.
Arranges for someone to finance or lease a car for personal, family, or household use.
Provides financial advice or counseling to individuals.
For answers to other questions about GLB and
auto dealers, see the FTC’s guide, The FTC’s Privacy Rule
and Auto Dealers: Frequently Asked Questions.
www.ftc.gov/bcp/conline/pubs/buspubs/autoglb.htm
18. Does a bank have to safeguard all personal information it receives?
No. The GLB rules on security only apply
to data maintained on a company’s “customers.” A “customer”
is an individual with an ongoing relationship with the bank. Only accounts
opened for personal, family, or household reasons are covered. GLB does
not apply to business accounts. Nor do the GLB safeguarding rules apply
to “consumers” who use the bank’s service only once
or infrequently to cash a check or make an ATM withdrawal.
GLB privacy rules do, however, apply to “consumers,” to
a limited extent. For example, you may visit an ATM even though you
do not have an ongoing “customer” relationship with that
bank. If the bank shares your information with third parties, you should
be given a one-time notice of that fact and an opportunity to opt out.
19. Does my bank have to notify me of a security breach?
Many states now have laws that require companies,
including financial institutions, to give individuals notice about unauthorized
access to personal data. The rules vary from state to state. Following
is a list of state data breach laws published by Consumers Union:
www.consumersunion.org/campaigns/Breach_laws_May05.pdf.
In addition, the federal banking agencies have adopted joint guidelines,
requiring banks to adopt “response” procedures. Federal
guidelines specify notice to customers if the breach could “result
in substantial harm or inconvenience” to the bank’s customers.
For more on the federal guidelines, see the banking agencies’
joint press release dated March 23, 2005. www.fdic.gov/news/news/press/2005/pr2605.html
20. I suspect someone called my bank impersonating me to get my account files. What should I do?
This is called “pretexting,”
and it is illegal. GLB includes a specific section that prohibits fraudulent
access to your financial information. www.ftc.gov/privacy/glbact/glbsub2.htm
The pretexting section applies if someone calls you and tricks you into
giving personal information, or calls someone else such as your bank.
It also applies if someone uses a forged or stolen document to get your
information. (15 USC, Subchapter II, Sec. 6821-6827)
The law includes civil as well as criminal penalties for one who uses
false pretenses to get your personal financial information. Incidents
should be reported to the bank’s fraud department, the FTC, and
criminal authorities such as the FBI or your local District Attorney.
For more on pretexting with tips on how to protect yourself, see PRC
Fact Sheet 24(e), Is Your Financial Information Safe?, www.privacyrights.org/fs/fs24e-FinInfo.htm#5.
21. Can I sue my bank for violating my privacy rights?
GLB does not give you the right to sue a
financial institution. However, some state laws may give you the right
to file a lawsuit. An attorney can advise you of your rights under state
law.
Even though GLB does not allow you to sue, you may complain to the appropriate
federal agency. A list of federal agencies that enforce GLB data privacy
and security rules can be found in the References Section (Part 7) of
PRC Fact Sheet 24(e), Is Your Financial Information Safe?, www.privacyrights.org/fs/fs24e-FinInfo.htm#7.
Consumer complaints are a major source of information, and government
enforcement actions are often initiated based on consumer complaints.
As discussed above (Question 11), insurance companies are subject to
state privacy regulations. To file a privacy-related complaint against
an insurance company, contact your state insurance commissioner through
the Web site for the National Association of Insurance Commissioners,
www.naic.org.
22. Do state laws allow more privacy protection of my financial information?
GLB allows states to adopt stronger privacy
protections (15 USC §6807). California’s Senate Bill 1 (SB1)
is perhaps the most widely publicized state law that goes beyond the
privacy rights included in GLB. The California Financial Information
Privacy Act added Sections 4050-4060 to the California Financial Code.
As signed by the Governor in 2003, the law gives Californians more control
over information sharing among corporate affiliates, data flow governed
by the FCRA. Specifically, SB1 allows consumers to opt out of all data
sharing among affiliated companies. (See Question 1.) The law also expanded
GLB’s privacy rights by requiring companies to get consumer consent,
an opt in, before sharing information with outside, third-party companies.
A court challenge by the financial services industry was eventually
heard by the United States Court of Appeals for the Ninth Circuit,
www.ca9.uscourts.gov (see American Bankers Assn v. Lockyer, 04-16334,
June 20, 2005). After further hearings before the lower district court,
the FCRA affiliate-sharing section of the California law was overturned.
However, the GLB section that requires an opt in before information
can be shared with outsiders is still valid. This means financial companies
doing business in California must obtain consumer consent before sharing
data with nonaffiliated companies. The privacy notices Californians
receive annually should reflect this.
For further information about the history of SB1 and subsequent court
challenges, see the Web site of the Electronic Privacy Information Center
(EPIC). www.epic.org/privacy/preemption/abavlockyer.html
23. How do I complain about a violation of my financial privacy?
Write a letter, call, or file a complaint
online with the appropriate federal agency. The eight agencies with
authority to enforce GLB privacy and data security rights are listed
in Part 10 of PRC Fact Sheet 24, Protecting Financial Privacy in the
New Millennium: The Burden Is on You, www.privacyrights.org/fs/fs24-finpriv.htm#10.
If your complaint involves an insurance company, file a complaint with
your state insurance commissioner. Contact information for state insurance
agencies can be found at the Web site for the National Association of
Insurance Commissioners, www.naic.org.
24. I strongly object to a company sharing any information about me without my consent. Is there anything I can do?
You can voice your opinion to your representatives
in Congress as well as your state legislators. GLB allows states to
enact stronger privacy protections. To date, most efforts by states
to enact strong privacy protections have been defeated. This is largely
due to the strong and well-financed lobby of the financial services
industry.
However, the experience in California shows that persistence has its
reward. Over the last few years, numerous bills were introduced in the
California legislature but were ultimately defeated by industry opposition.
Finally, SB1 was signed by the Governor in 2003. Although a portion
of SB1, the FCRA affiliate sharing choice, was rejected by the courts,
Californians still have the right to consent to sharing information
with outside companies.
Failure of states to enact stronger privacy legislation is also due
to the fact that consumers have not been adequately informed about information-sharing
practices. The more consumers become informed, the better they are able
to communicate their point of view to state lawmakers.
The same is true for consumers' opinions expressed to federal lawmakers
who have it within their power to strengthen GLB. Tell your U.S. Senators
and Representative that you want laws to give consumers more control
over how their personal information is used. To contact your US Senators
visit the Web site www.senate.gov/ and to contact your Representative
visit the Web site for the House of Representatives, www.house.gov.
25. Where can I learn more about protecting my financial privacy?
See also these PRC financial privacy guides:
Fact Sheet 6: How Private Is My Credit Report.
www.privacyrights.org/fs/fs6-crdt.htm
Fact Sheet 24: Protecting Financial Privacy in the New Millennium: The Burden Is on You.
www.privacyrights.org/fs/fs24-finpriv.htm
Fact Sheet 24a: Financial Privacy: How to Read Your "Opt-Out" Notices.
www.privacyrights.org/fs/fs24a-optout.htm
Sample Opt-Out Letters.
www.privacyrights.org/fs/fs24a-letter.htm
Fact Sheet 24b: Take the Cloze Test: Readability of a Financial Privacy Policy.
www.privacyrights.org/fs/fs24b-ClozeFinancial.htm
Fact Sheet 24c: How to Shop for Financial Privacy.
www.privacyrights.org/fs/fs24c-ShopFin.htm