- Privacy Notices
- How Your Financial Institution Shares Your Data
- Joint Marketing Agreements
- Service Providers
- Financial Privacy in California
- File a Complaint
The Gramm-Leach-Bliley Act (GLB) (15 U.S.C. §§ 6801-6809) (also known as the Financial Services Modernization Act of 1999) requires your financial institution to provide you with a privacy notice. Financial institutions are generally required to provide customers with an initial notice of these policies, and then provide an annual notice every year that the relationship continues. The privacy notice must describe three things:
- Right to Opt Out: Your financial institution must explain your ability to prevent the sharing of your customer data with third parties.
- Safeguards: Financial institutions are required to develop policies to prevent unauthorized access to confidential financial information. These policies must be disclosed to you.
GLB gives you the right to opt out of certain types of information sharing. The default under the opt-out approach is that your data is shared until and unless you notify the company otherwise by opting out.
When GLB became effective in 1999, several federal financial regulatory agencies enforced the law. In 2011, the Dodd-Frank Act transferred most enforcement authority to the Consumer Financial Protection Bureau (CFPB).
Which financial institutions must provide me with a privacy notice?
You should receive a privacy notice from any companies that offer financial products or services to individuals. This includes your bank, credit card issuers, payday loan companies, mortgage brokers, insurance companies, investment companies and investment advisors.
Will the privacy notice say exactly what information about me can be disclosed?
You will get notice of the categories of information the financial institution collects and the categories of information that may be sold or shared with a third party. The privacy notice must give you specific examples of each category, but this is by no means a complete list of the data that may be disclosed.
My bank's privacy notice does not give me an opt out. Am I missing something?
Do I have only one chance to opt out?
If you are a customer with a continuing relationship with the company, your right to opt out is continuing. If you fail to opt out, your financial institution may sell or share your personal data after a "reasonable" time. If you later decide you want to keep your financial institution from disclosing your personal data, you always have the right to opt out. It goes without saying, however, that information that is disclosed before you opt out is already "out there." You can't bring it back.
Once you opt out, you do not have to respond to any future privacy notices that you may receive for that account. Your opt-out choice remains in effect until you change it.
What about closed accounts?
Financial institutions are not required to send you an opt-out notice if your account is closed. However, if you have an existing account and have already opted out, your opt-out election would continue even after you closed the account.
What are model privacy notices?
Most financial institutions have chosen to use a model privacy notice. The model notice is a two-page disclosure form designed to allow consumers to compare the privacy practices of different financial institutions. Use of the model privacy form is voluntary. A financial institution that properly uses the model privacy notice will be considered to be in compliance with the disclosure requirements for privacy notices under GLB.
Where does a financial institution get its information?
The privacy notice must tell you this. A financial institution may receive information directly from you, for example, when you fill out an application for a new account. Information about you may also be compiled based upon records of your transactions with that company, its affiliates, and other sources. This may include information about how you use your credit card, your account balances, late payments, what you buy, and where you shop.
What kinds of companies can get my personal information?
The privacy notice you receive from financial institutions does not have to tell you the names of any specific companies or organizations that may buy or receive your personal information. Only the categories of companies have to be disclosed to you.
The relationship between your financial institution and the company that receives your information determines whether you have a right to opt out, that is, to stop the information flow. Your financial institution may have relationships with the following categories of companies:
- Third party nonaffiliated (outside) companies
- Affiliated companies
- Joint marketing companies
- Service providers
GLB only gives you the right to opt out when it comes to third-party nonaffiliated (outside) companies.
What is a third party nonaffiliate?
It means a company that is not owned or controlled by the company you're doing business with. For example, your bank's privacy notice may say it shares your personal information with third party nonaffiliates. The notice may go on to identify one such category as "financial services providers." An example could be an insurance company that is not affiliated with your bank.
Other categories of nonaffiliated companies that could receive your information might be identified in the privacy notice as "non-financial service providers" such as retailers, direct marketers, telemarketers, or "other companies" like nonprofit organizations. Remember, if the company sells customer data to third party nonaffiliates, it must give you the right to opt out.
What is an affiliate?
Large companies often have many separate companies that do business under the corporate umbrella. Although each company operates separately, it is still under the control of the parent corporation. Your bank's affiliates, for example, might include other financial companies such as a credit card company, a brokerage firm, a mortgage company, an insurance company, or an automobile financing company. Affiliates may also include nonfinancial companies such as auto parts or repair companies.
Can I stop my financial company from sharing my personal information with its affiliates?
Under GLB, a company can share your personal information with its affiliates. However, the notice you receive is also likely to explain your right to opt out under another law, the federal Fair Credit Reporting Act (FCRA). This law gives you the right to prevent a company from sharing information about your "creditworthiness" with affiliates. This includes information such as the amount and source of your income, your debt level, and your history of paying bills on time.
Your "transaction and experience" information can still be shared with affiliates without your consent. This information encompasses account activity like deposits, withdrawals, debits, and credits. Also included in this category are specifics such as what you buy, where you buy it, and how much you pay. This is valuable information, particularly when a company wants to sell you every variety of its financial products.
When your information is disclosed under a contract between your financial institution and a joint marketer, this is called a "joint marketing agreement." You have no right to know any details about these joint marketing agreements, and you have no say in the information flow under these contracts.
What is a joint marketer?
A joint marketer is a company that contracts with another company to sell you financial services or products. It is standard practice in the financial services industry for companies to enter into marketing agreements with telemarketers or direct mail marketers. Information can be freely shared under such contracts. GLB requires that such contracts be for the purpose of marketing financial products or services. The receiving company must restrict further disclosure of the customer data. The law does not enable you to say "no" to sharing your information under these marketing agreements.
How does joint marketing weaken my right to opt out?
Joint marketing agreements are entered into by third-party, non-related companies. But for GLB's joint marketing loophole, you could stop this data sharing by simply opting out. Consider the expansive definition of a financial "service or product" and companies that fall under the "financial institution" heading. A financial institution is not just companies like banks, brokerage houses, and insurance companies. Payday lenders, mortgage brokers and automobile dealers are also "financial institutions." Joint marketing agreements thus open the door for data sharing among an array of third-party nonaffiliated companies.
Can I stop unwanted solicitations that come from joint marketers?
GLB does not give you the right to stop these offers. A few financial companies now offer to let you opt out of joint marketing solicitations. If so, this choice will be included in the privacy notice you receive.
A "service provider" is a company that contracts with your bank to service your account or process your transactions. Many financial institutions contract with other companies to perform some service, such as printing or mailing statements. GLB gives you no control or right to opt out when your financial institution shares your information with service providers.
Personal data necessary to perform accounting functions, operate customer call centers, and process transactions are now routinely sent offshore. Personal data at stake includes any information you would give your bank. For example, your name, Social Security number, and account numbers are all data items needed to "service" your account.
Will the privacy notice tell me if my bank outsources services?
Very unlikely. But if you are dealing with a large financial corporation, it is a near certainty today that some or all of your personal information will flow offshore.
What can I do if outsourcing results in identity theft?
It is unlikely that you will even be able to trace the source of the fraud. Most victims can't. Even if you can trace the source to a foreign "service provider," you have little recourse. GLB does not give you the right to sue, even an American company, for privacy or data security violations. Even federal financial agencies, with the authority to enforce GLB, will probably not have standing in foreign countries.
California's Financial Information Privacy Act (known as FIPA or SB 1) (Cal. Financial Code §§ 4050-4060) exists specifically to offer privacy protections that GLB lacks. FIPA provides more protection than GLB, but it does not prevent financial institutions from sharing your personal information with affiliates. FIPA originally had a section to provide such a protection but it was struck down in 2008 when a federal court held that the FCRA pre-empts state law when it comes to sharing personal information with affiliates. American Bankers Association v. Lockyer, 541 F.3d 1213 (9th Cir. 2008).
Regardless, FIPA still provides more protection than GLB:
- A financial institution must notify you and obtain your consent to share information with unaffiliated businesses (a business is unaffiliated when it is not under the control of the same company). (Cal. Financial Code § 4052.5)
- You can opt out of information sharing that results from joint-marketing agreements that a financial institution makes with outside companies to market financial products and services. (Cal. Financial Code § 4053(a)(1))
Where to Complain:
To report violations of the federal Gramm-Leach-Bliley Act:
Consumer Financial Protection Bureau
Phone: (855) 411-CFPB (2372)
To report violations of California's Financial Information Privacy Act, contact the appropriate state agency:
- California Department of Insurance regulates the insurance industry in California and enforces both federal and state privacy laws. Phone: 800-927-HELP (927-4357)
- California Department of Financial Institutions regulates banks, savings associations, credit unions, commercial lending companies, issuers of travelers checks, transmitters of money abroad, and others. Phone: 800-622-0620