Fact Sheet 24d:
Financial Privacy FAQ




Copyright © 2001 - 2014
Privacy Rights Clearinghouse
Posted August 2001
Revised April 2013

  1. What laws protect privacy of my financial information?
  2. Does GLB apply only to my bank and credit union accounts?
  3. What’s the most important thing I can do to protect my financial information?
  4. If I go to the trouble to opt out, how can I be assured my company won’t sell or disclose my information anyway?
  5. I received a privacy notice that doesn’t give me an opt out. Am I missing something?
  6. I receive privacy notices at least once a year. I opted out last year. Do I have to opt out every time I get a notice?
  7. I have been tossing the privacy notices. Is it too late to opt out?
  8. My bank’s privacy notice says I can send a letter to opt-out. What should I say in the letter?
  9. My bank’s privacy notice says my “creditworthiness” information is shared with the bank’s affiliated companies unless I opt out. What does this mean?
  10. The privacy notices I receive are impossible to understand. Is anything being done to make the notices easier to read and understand?
  11. Why did I receive a privacy policy from my insurance company?
  12. I received a privacy notice that says my bank shares my information with third parties as “permitted by law.” What does this mean?
  13. Can I stop my credit card company from using an overseas customer call center?
  14. Can a company my bank hires to send out statements sell my information to someone else?
  15. A relative of my ex-spouse works at a bank. I believe this person gave my ex information about my finances. What should I do?
  16. How do I know if my small company is a “financial institution,” and subject to GLB’s privacy and data security rules?
  17. Is private information I give to an auto dealer protected by the GLB privacy rule?
  18. Does my bank have to safeguard all personal information it receives?
  19. Does my bank have to notify me of a security breach?
  20. I suspect someone called my bank impersonating me to get my account files. What should I do?
  21. Can I sue my bank for violating my privacy rights?
  22. Do state laws allow more privacy protection of my financial information?
  23. How do I complain about a violation of my financial privacy?
  24. I strongly object to a company sharing any information about me without my consent. Is there anything I can do?
  25. Where can I learn more about protecting my financial privacy?

1. What laws protect privacy of my financial information?

The Financial Services Modernization Act of 1999 is the major federal law that covers privacy for personal financial information. It is more commonly known as the Gramm-Leach-Bliley Act (or GLB), after the sponsors of the legislation.

GLB requires financial institutions to notify customers about how personal information is collected and used. Companies that share or sell customer data to outside companies (third-party non-affiliates) must give customers a way to opt out, that is, to say “no” to having their information shared with others. (15 USC, Subchapter I, Sections 6801-6809)

Since July 1, 2001, customers have, at least annually, been receiving written privacy notices. The notices are usually included as an insert with monthly statements and are easily overlooked. GLB only covers data shared with outside companies. However, another federal law, the Fair Credit Reporting Act (FCRA), gives you some rights to stop companies from sharing your personal data with corporate affiliates. Your rights to opt out under the FCRA are usually included in the GLB privacy notice you receive.

2. Does GLB apply only to my bank and credit union accounts?

No. GLB applies to “financial institutions,” that is companies that offer financial services and products to individuals. This includes not only banks but, among many others, financial advisors, stock and commodities brokers, real estate settlement companies, mortgage brokers, payday lenders, debt collectors, tax preparers and automobile dealers.

3. What’s the most important thing I can do to protect my financial information?

Take a few minutes to read the privacy notices you receive. If you are concerned about privacy, follow the instructions given in the notice and take every opt out allowed. Remember, GLB only gives you the right to opt out if the company shares information with outside companies. And, as discussed in Question 1 above, the FCRA provides another opt out for information about your creditworthiness. This means the privacy notice may include one or two opt out choices. Or, the notice may not give any opt out at all. When the privacy notice says your information is neither shared with outside companies nor affiliates, there is no opt out required.

You may even find that the notice gives you more than two choices to opt out. For example, some companies include an opt out to allow you to stop information from being shared with joint marketers. This is a signal that the company offers an “extra” opt out, one that is not required by law.

4. If I go to the trouble to opt out, how can I be assured my company won’t sell or disclose my information anyway?

Unfortunately, GLB does not require that you receive a confirmation when you opt out. Nor will you see your privacy choices on your account statements.

Many types of companies are included in the definition of “financial institution.” Banks, insurance companies, credit unions, and securities and commodities brokers all operate in what is called a “regulated industry.” This means the company’s activities are regulated by a particular government agency called a “functional regulator” in the law.

If a company operates within a “regulated industry,” the government agency that oversees the company’s activities conducts regular audits to assure compliance with regulations. Regular audits may detect company practices that are not in compliance with all regulations, including those governing privacy and data security.

Companies that do not answer to one of the “functional regulators” and are not subject to periodic audits come under the jurisdiction of the Federal Trade Commission, www.ftc.gov.

To the general public, the business of selling, transferring, trading, or leasing personal information remains largely a mystery. Equally unknown to the public are procedures companies adopt to make sure your opt out choices are honored.

5. I received a privacy notice that doesn’t give me an opt-out. Am I missing something?

Remember, GLB does not give you total control over how your information is shared. The law only gives you the right to opt out if the company shares your information with third-party nonaffiliated companies. Some companies such as banks and credit card companies are also required to offer an FCRA opt out, that is, a choice to stop the company from sharing information about your “creditworthiness” with corporate affiliates. This is sometimes also called “application” information. It includes information you would normally give a potential creditor when applying for a loan -- such things as your income and debt level.

If the company does not share information with outsiders and does not share information with affiliates, no opt out is required.

6. I receive privacy notices at least once a year. I opted out last year. Do I have to opt out every time I get a notice?

No. Your opt out choice remains in effect until you change it. However, the opt out only applies to the active account(s) you have at the time you make your choice. If you, for example, close your accounts, open an account with a new bank, but later open a new account with your old bank, you will have to opt out again. In other words, your opt out applies to the account(s) you have at the time you opt out.

7. I have been tossing the privacy notices. Is it too late to opt-out?

Your right to opt out is continuing. This means you can always opt out. However, you must follow the procedure for opting out that the notice gives you. Many companies have established special addresses and/or toll-free telephone numbers just for opting out. If you don’t have the privacy notice but want to opt out, it is best to ask your financial institution for a copy of the most recent privacy policy. Your desire to opt out may not be properly recorded unless you follow the procedure given in the notice.

8. My bank’s privacy notice says I can send a letter to opt out. What should I say in the letter?

The PRC Web site includes a sample letter that you can use to opt out. The letter appears as an attachment to Fact Sheet 24(a). www.privacyrights.org/fs/fs24a-letter.htm

The sample letter includes the language necessary to opt out, both under GLB and the FCRA. Understand that some of the optional paragraphs we have included in the sample letter need not be honored by your financial institution. A company has no obligation under GLB to stop sharing your information with affiliates or with joint marketers. Rather, GLB applies only to sharing with unaffiliated third parties.

By requesting privacy protections that go beyond what a company is required to do, you are simply saying that you value your privacy and object to having your information used for any purpose other than servicing your account.

9. My bank’s privacy notice says my “creditworthiness” information is shared with the bank’s affiliated companies unless I opt out. What does this mean?

The FCRA allows companies to share information with affiliates. For example, banks may have an affiliated brokerage firm, insurance company, or other company that operates under a common corporate umbrella. The FCRA allows sharing of two separate kinds of personal information.

So-called “experience and transaction” information encompasses account activity like deposits, withdrawals, debits, and credits. Also included in this category are specifics such as what you buy, where you buy it, and how much you pay. This is valuable information, particularly when a company wants to sell you every variety of its financial products. The FCRA does not allow you to stop this data flow.

The FCRA does, however, give you the right to opt out when it comes to information about your “creditworthiness.” This includes information such as the amount and source of your income, your debt level, and your history of paying bills on time.

10. The privacy notices I receive are impossible to understand. Is anything being done to make the notices easier to read and understand?

Reaction to the first privacy notices delivered in July 2001 was highly negative. Federal law specifies that notices should be “clear and conspicuous,” that is, written in plain language. Yet the notices received by millions were filled with legalese and confusing messages. Many consumers simply tossed the privacy notices, seeing them as just another bit of junk mail stuffed in with account statements.

In response to these concerns, in November 2009, federal regulatory agencies released new model privacy notices. http://www.ftc.gov/privacy/privacyinitiatives/PrivacyModelForm_FR.pdf

The model privacy notice is a two-page disclosure form designed to allow consumers to easily compare the privacy practices of different financial institutions. Use of the model privacy form is voluntary. A financial institution that properly uses the model privacy notice will be in compliance with the disclosure requirements for privacy notices under GLB and obtains a "safe harbor" for federal regulatory requirements for privacy notices. You can read more about these model notices at http://www.skadden.com/insights/privacy-alert-january-1-2011-%E2%80%93-safe-harbor-conversion-date-under-gramm-leach-bliley.

While financial institutions are free to write their own privacy notices, such notices do not offer the institution "safe harbor" protection. Therefore, most financial institutions have adopted the regulatory agencies' model privacy notices, which are simpler and easier for consumers to understand. Most importantly, it's now possible to compare notices from different financial institutions, to see how the institutions handle the use and disclosure of your information.

The regulatory agencies have provided an Online Form Builder that financial institutions can download and use to develop and print customized versions of a model consumer privacy notice. http://www.federalreserve.gov/bankinforeg/privacy_notice_instructions.pdf The Online Form Builder provides financial institutions with four options depending on the financial institution’s data sharing practices and the opt-out rights it extends to consumers.

Financial institutions may not change the content of the form or add any information, except as specifically permitted by the form’s instructions. They may incorporate the form in another document or with other notices, and include additional documents or information provided the form is presented in a clear and conspicuous manner.

11. Why did I receive a privacy policy from my insurance company?

Unlike most financial institutions which are regulated by the federal government, insurance companies are regulated by state government agencies. Each state has an insurance commissioner overseeing insurance companies operating in that state. However, GLB, a federal law, covers insurance companies as well. To comply with GLB’s privacy provisions, state insurance commissioners were required to adopt privacy regulations.

To learn more about your state’s privacy regulations for insurance companies, visit your state insurance regulator’s Web site. To find the insurance commissioner in your state, visit the Web site of the National Association of Insurance Commissioners, www.naic.org.

12. I received a privacy notice that says my bank shares my information with third parties as “permitted by law.” What does this mean?

Like most laws that promise some privacy, GLB is riddled with exceptions. The law almost never gives you complete control over how your information is shared. Sometimes it’s to your advantage to have a company share your information. For example, when your credit card company reports your favorable payment history to the credit bureaus, this helps build your credit history and increase your credit score. Even if information is negative, you cannot stop the flow of data from a financial institution to a credit bureau.

Nor does GLB allow you to keep information from being shared with a financial institution’s service provider, that is, an outside company that performs services such as preparing account statements, printing checks, or running customer call centers.

A most troubling opt out exception included in GLB is one that allows your bank or other financial institution to share your personal data for “joint marketing” purposes. This allows a bank, for example, without your permission, to enter into a contract with another company to sell you new financial products or services. Disclosures to credit bureaus, service providers, and joint marketers are all examples of sharing permitted by GLB.

Your information may also be disclosed if required by law. One example of this would be if financial information is ordered by a court or subpoenaed by a party to litigation. The federal Right to Financial Privacy Act (RFPA), 12 USC 3401, also gives some federal government agencies authority to obtain financial records as part of an investigation. For more on the RFPA, visit the Web site for the Electronic Privacy Information Center (EPIC), at www.epic.org/privacy/rfpa/.

13. Can I stop my credit card company from using an overseas customer call center?

No. An offshore call center is an example of a “service provider” under GLB. The law makes no distinction between a domestic and foreign service provider. Recognizing unique privacy implications of foreign-based service providers, federal banking regulators have issued specific guidance for financial institutions that outsource personal data. See for example, FDIC Guidelines, Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks, http://www.fdic.gov/regulations/examinations/offshore/

14. Can a company my bank hires to send out statements sell my information to someone else?

Maybe. Most financial institutions contract with other companies to perform some service, such as printing or mailing statements. GLB calls such companies “service providers.” You cannot stop sharing with service providers. If your bank’s privacy policy says your information can be shared with third-party companies, the bank must give you an opportunity to opt out. If you do not opt out, the bank can share your information and so can the bank’s service provider.

Here’s an example: Your bank’s privacy policy says it may share your information with third parties. The bank must then give you a means to opt out to stop this sharing. If you take the opt-out, neither the bank nor its outside service provider should further share your information. Conversely, if you do not take the bank’s opt-out, both the bank and its service provider could share your information as described in the bank’s notice of privacy policy.

15. A relative of my ex-spouse works at a bank. I believe this person gave my ex information about my finances. What should I do?

This is a very serious matter. It should not be taken lightly, either by one who makes the claim or by an employee tempted to use private data for personal reasons.

GLB requires banks and other financial institutions to adopt data security procedures. Success of data security programs depends largely on a company’s employees. Most companies conduct background checks and some ask employees to sign an agreement to follow the company policies. An employee who uses access to personal financial data for personal reasons is almost certainly violating company policy.

The bank’s branch and regional managers should be notified immediately, as well as the company’s corporate headquarters. Reports to several levels should prompt an internal investigation to identify weaknesses in data security procedures.

The matter should also be reported to the federal government agency that oversees the company. For more on safeguarding customer data, see PRC Fact Sheet 24(e), Is Your Financial Information Safe?, www.privacyrights.org/fs/fs24e-FinInfo.htm#7. At the end of this guide you will find a list of federal agencies with contacts for complaints.

16. How do I know if my small company is a “financial institution” subject to GLB’s privacy and data security rules?

As discussed in Question 2 above, GLB applies to many business types, not just those in regulated financial industries like banking, securities, commodity futures, or insurance. The Federal Trade Commission’s Web site has a great deal of information for businesses that must comply with the privacy and security provisions of GLB. http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act

17. Is private information I give to an auto dealer protected by the GLB privacy rule?

According to the FTC, a car dealer must comply with GLB when the dealer:

  • Extends credit to someone (for example, through a retail installment contract) in connection with the purchase of a car for personal, family, or household use.
  • Arranges for someone to finance or lease a car for personal, family, or household use.
  • Provides financial advice or counseling to individuals.

For answers to other questions about GLB and auto dealers, see the FTC’s guide, The FTC’s Privacy Rule and Auto Dealers: Frequently Asked Questions. http://business.ftc.gov/documents/bus64-ftcs-privacy-rule-and-auto-dealers-faqs

18. Does a bank have to safeguard all personal information it receives?

No. The GLB rules on security only apply to data maintained on a company’s “customers.” A “customer” is an individual with an ongoing relationship with the bank. Only accounts opened for personal, family, or household reasons are covered. GLB does not apply to business accounts. Nor do the GLB safeguarding rules apply to “consumers” who use the bank’s service only once or infrequently to cash a check or make an ATM withdrawal.

GLB privacy rules do, however, apply to “consumers,” to a limited extent. For example, you may visit an ATM even though you do not have an ongoing “customer” relationship with that bank. If the bank shares your information with third parties, you should be given a one-time notice of that fact and an opportunity to opt out.

19. Does my bank have to notify me of a security breach?

Most states have laws that require companies, including financial institutions, to give individuals notice about unauthorized access to personal data. The rules vary from state to state. Following is a list of state data breach laws: http://www.perkinscoie.com/statebreachchart/.

In addition, the federal banking agencies have adopted joint guidelines, requiring banks to adopt “response” procedures. Federal guidelines specify notice to customers if the breach could “result in substantial harm or inconvenience” to the bank’s customers. For more on the federal guidelines, see the banking agencies’ joint press release dated March 23, 2005. www.fdic.gov/news/news/press/2005/pr2605.html

20. I suspect someone called my bank impersonating me to get my account files. What should I do?

This is called “pretexting,” and it is illegal. GLB includes a specific section that prohibits fraudulent access to your financial information. www.ftc.gov/privacy/glbact/glbsub2.htm

The pretexting section applies if someone calls you and tricks you into giving personal information, or calls someone else such as your bank. It also applies if someone uses a forged or stolen document to get your information. (15 USC, Subchapter II, Sec. 6821-6827)

The law includes civil as well as criminal penalties for one who uses false pretenses to get your personal financial information. Incidents should be reported to the bank’s fraud department, the FTC, and criminal authorities such as the FBI or your local District Attorney.

For more on pretexting, with tips on how to protect yourself, see PRC Fact Sheet 24(e), Is Your Financial Information Safe?, www.privacyrights.org/fs/fs24e-FinInfo.htm#5.

21. Can I sue my bank for violating my privacy rights?

GLB does not give you the right to sue a financial institution. However, some state laws may give you the right to file a lawsuit. An attorney can advise you of your rights under state law.

Even though GLB does not allow you to sue, you may complain to the appropriate federal agency. A list of federal agencies that enforce GLB data privacy and security rules can be found in the References Section (Part 7) of PRC Fact Sheet 24(e), Is Your Financial Information Safe?, www.privacyrights.org/fs/fs24e-FinInfo.htm#7. Consumer complaints are a major source of information, and government enforcement actions are often initiated based on consumer complaints.

As discussed above (Question 11), insurance companies are subject to state privacy regulations. To file a privacy-related complaint against an insurance company, contact your state insurance commissioner through the Web site for the National Association of Insurance Commissioners, www.naic.org.

22. Do state laws allow more privacy protection of my financial information?

GLB allows states to adopt stronger privacy protections (15 USC §6807). California’s Senate Bill 1 (SB 1) is perhaps the most widely publicized state law that goes beyond the privacy rights included in GLB. The California Financial Information Privacy Act added Sections 4050-4060 to the California Financial Code.

As signed by the Governor in 2003, the law gave Californians more control over information sharing among corporate affiliates, the data flow governed by the FCRA. Specifically, SB 1 allows consumers to opt out of all data sharing among affiliated companies. (See Question 1.) The law also expanded GLB’s privacy rights by requiring companies to get consumer consent, an opt in, before sharing information with outside, third-party companies.

The portion of the law allowing consumers to opt out of all data sharing among affiliated companies has been limited by the decision in American Bankers Association v. Lockyer, No. 05-17163, 2008 WL 4070308 (9th Cir. Sept. 4, 2008). The decision preserves consumers’ rights to restrict affiliate data sharing related to non-consumer report information (i.e., transaction and experience information), but not creditworthiness information.

23. How do I complain about a violation of my financial privacy?

Write a letter, call, or file a complaint online with the appropriate federal agency. The agencies with authority to enforce GLB privacy and data security rights are listed in Part 10 of PRC Fact Sheet 24, Protecting Financial Privacy in the New Millennium: The Burden is on You, www.privacyrights.org/fs/fs24-finpriv.htm#10.

If your complaint involves an insurance company, file a complaint with your state insurance commissioner. Contact information for state insurance agencies can be found at the Web site for the National Association of Insurance Commissioners, www.naic.org.

24. I strongly object to a company sharing any information about me without my consent. Is there anything I can do?

You can voice your opinion to your representatives in Congress as well as your state legislators. GLB allows states to enact stronger privacy protections. To date, most efforts by states to enact strong privacy protections have been defeated. This is largely due to the strong and well-financed lobby of the financial services industry.

Failure of states to enact stronger privacy legislation is also due to the fact that consumers have not been adequately informed about information-sharing practices. The more consumers become informed, the better they are able to communicate their point of view to state lawmakers.

The same is true for consumers' opinions expressed to federal lawmakers who have it within their power to strengthen GLB. Tell your U.S. Senators and Representative that you want laws to give consumers more control over how their personal information is used. To contact your US Senators visit the Web site www.senate.gov/ and to contact your Representative visit the Web site for the House of Representatives, www.house.gov.

25. Where can I learn more about protecting my financial privacy?

See also these PRC financial privacy guides:

Fact Sheet 6: How Private Is My Credit Report.
www.privacyrights.org/fs/fs6-crdt.htm

Fact Sheet 24: Protecting Financial Privacy in the New Millennium: The Burden Is on You.
www.privacyrights.org/fs/fs24-finpriv.htm

Fact Sheet 24a: Financial Privacy: How to Read Your "Opt-Out" Notices.
www.privacyrights.org/fs/fs24a-optout.htm

Sample - Opt-Out Letter.
www.privacyrights.org/fs/fs24a-letter.htm


Copyright © Privacy Rights Clearinghouse. This copyrighted document may be copied and distributed for nonprofit, educational purposes only. For distribution, see our copyright and reprint guidelines. The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse.
