Fact Sheet 24a:
Financial Privacy:
How to Read Your "Opt-Out" Notices

Send to PrinterSend to Printer

Copyright © 2001 - 2014
Privacy Rights Clearinghouse
Posted March 2001
Revised October 2013

A federal law gives you some minimal rights to protect your personal financial information. Fact Sheet 24 describes the Financial Services Modernization Act ("Protecting Financial Privacy in the New Millennium: The Burden Is on You," www.privacyrights.org/fs/fs24-finpriv.htm). It outlines the steps you must take if you want to "opt-out," that is limit the sharing of your customer data with other companies.

The law gives you the right to prevent a company you do business with from sharing or selling certain sensitive information to non-affiliated third parties. The term "opt-out" means that unless and until you inform your bank, credit card company, insurance company, or brokerage firm that you do not want them to share or sell your customer data to other companies, they are free to do so.

When this law was debated in Congress, consumer advocates argued unsuccessfully for an "opt-in" provision. This stronger standard would have prevented the sharing or sale of your customer data unless you affirmatively consented. Unfortunately, the opt-in standard did not prevail. That is why we emphasize in Fact Sheet 24 that the burden is on you to protect your financial privacy.

What is the first step I can take to protect my personal financial information?

Banks and other financial services companies must mail privacy notices to their customers. Pay attention to the mail you receive from your bank, insurance company, credit card company, and brokerage firm. Look for words such as "Privacy Notice," "Privacy Policy," and "Opt-Out Notice." You might receive such notices via e-mail or the company's website if that is the way you normally do business with them.

Will the notice explain the law and the rights it gives me?

Not in so many words. Some companies may use the notice as a marketing opportunity. Instead of referring to your rights under the law, you may see statements at the beginning of the notice such as these: "Because we respect your privacy.," or "In order to provide you with the best services..." However, make no mistake: The rights described in the notices are yours under federal law and companies must give you this notice.

Should I assume the notice is about my rights under the Financial Services Modernization Act?

The notices you receive will actually be a combination of your opt-out rights under two federal laws -- the Financial Services Modernization Act (also known as Gramm-Leach-Bliley, or GLB, after the Congressmen who introduced it) and the Fair Credit Reporting Act (FCRA). The notice may not identify either of these laws by name, so you must be able to identify the words and phrases associated with each law.

An important difference is that GLB allows you to opt-out of information-sharing only with non-affiliated third parties and not with a company's affiliates. The FCRA allows you to opt-out or prevent a company from sharing "creditworthiness" information with its affiliates. (To learn more about the your rights under the Fair Credit Reporting Act, read Fact Sheet 6, "How Private Is Your Credit Report?" www.privacyrights.org/fs/fs6-crdt.htm)

The following table may help to explain the differences between the opt-out opportunities in the two laws. The terms used in this table are further explained below.

LAW Information Covered Key Words
and Phrases
(sharing and sales) to
Can You Opt-Out? How to
Financial Services Modernization Act (GLB) Information maintained by a financial institution Personally identifiable financial information, also termed Nonpublic personal information Third-parties Non-Affiliates Yes --Toll-free number
--By mail
      Service providers No  
      Joint marketers No  
      Affiliates No  
    Publicly available information Third-party non-affiliates and/or affiliates No  
Fair Credit Reporting Act (FCRA) Information from consumer reports Transaction and experience information Affiliates No  
    Creditworthiness information Affiliates Yes --Toll-free number
--By mail

I received a privacy notice that said my bank does not sell my information to third-party nonaffiliates. But later in the notice, it says they share information with third-party nonaffiliates "as permitted by law." Can I opt-our or not?

Probably not. The law contains exceptions to your right to opt-out to information sharing with third-party nonaffiliated companies. You cannot opt-out if your company shares information with an outside company that provides services for your company such as check printing. More troubling is the loophole that enables the company to enter into joint marketing agreements with outside companies. Such sharing of information is "permitted by law" and you have no right to opt out.

Will the notice tell me exactly what information the company has about me?

No. The notice need only be general in nature, and an identical notice will be sent to all the company's customers. Do not expect to see anything that applies specifically to you.

You will have to read between the lines. If a notice says that the company collects information from applications you filled out, think about the kinds of information you are required to give on an application for credit or a loan.

Will some information be on all privacy notices?

There are certain key words and phrases that you are likely to see in all notices. You will often see the following words in bold type.

  • Affiliate. Refers to a company that is owned or controlled by the same people or parent company as the one sending the opt-out privacy notice to you. An affiliate is often referred to as a company in the same "corporate family." You cannot opt out of affiliate sharing under GLB. But under the FCRA you can opt-out of having information about your creditworthiness shared with company affiliates. (See Creditworthiness below.)

  • Collect. Tells you what information the company collects about you and where it gets the information.

  • Creditworthiness. Refers to information about how you pay your bills (are you current or overdue?), your credit score, and the risk of giving you credit. You may opt-out of affiliate sharing under the FCRA. (See Affiliate above.)

  • Joint Marketers. Refers to non-affiliated third parties and affiliates that have entered into an agreement with your company to sell you products. An example, would be if your credit card company enters into an agreement with another company to sell you insurance against loss on your credit card account. You cannot opt-out of the sale or sharing of your customer data with Joint Marketers.

  • Non-affiliated Third Party. Refers to all companies, individuals, and organizations that are not affiliates. You can opt-out under GLB.

  • Nonpublic Personal Information. See Personally Identifiable Financial Information.

  • Personally Identifiable Financial Information. Refers to information that may be connected with you and your accounts. For example, information that combines your name with your account balance or income would be personally identifiable information. This phrase comes from GLB and you may choose to opt-out of sharing or sale of this information but only as it pertains to third-party non-affiliates.

  • Publicly Available Information. Refers to information that your financial institution has a reasonable basis to believe is lawfully made available to the general public. For example, your telephone number is public information unless you have an unlisted number. You cannot opt-out.

  • Service Providers. Refers to a company hired to perform a service such as preparing account statements or printing checks for your company. You cannot opt-out.

  • Share, Disclose, or Provide. Tells you what the company does with your personal information. "Share," "disclose," and "provide" will usually be used with the words "affiliate" and/or "non-affiliated third party." When used with the term non-affiliated third party, it is quite likely that your information may be rented, usually on a one-time-use basis. You will seldom see the word "sell" unless the company says it does not sell your information to third party non-affiliates.

  • Transaction and Experience. Refers to information that may include such things as the charges you make on your credit card or the checks you write. This phrase comes from the FCRA. You cannot prevent the company from sharing this information with affiliates under either the FCRA or GLB. However, under GLB you can opt-out of the sharing or sale of this information to a third-party non-affiliate.

    Privacy advocates strongly opposed this loophole in the FCRA because "transaction and experience information" is often highly personal and very sensitive. Think, for example, of the entries in your check register. When you write checks to medical facilities, religious organizations, political candidates, charitable organizations, and so on, you are revealing a great deal of information about yourself. The same can be said of the purchases you make on your credit cards. Your monthly statement can read like a mini-autobiography. Yet, such information can be shared with company affiliates without your permission.

Will the notice tell me what to do if I want to opt-out?

Yes. This is one of the requirements of both GLB and the FCRA. The notice will most likely give you three choices:

  • Send a letter or return an attached form to an address given in the notice.
  • Call a toll-free number given in the notice.
  • Opt-out online if that is the way you normally do business with the company.

My bank's privacy notice gives a toll-free number to call to opt out, but I'd rather send a letter. Is this okay?

Federal regulations explain that you must follow the procedure to opt-out that is provided in the company's privacy notice. So you cannot be guaranteed of successfully opting out if you choose another method of contacting the company. However, if you want to follow the procedure provided by the company, such as calling the toll-free number, and then write a letter in addition, go ahead. In this way, you will have a written record of your request. Some companies may be more willing than others to accept an alternative opt-out procedure.

I received a privacy notice that has a pre-addressed form to tear off and send back in order to opt-out. On the back of the form, I must fill in my name, address, account number and Social Security number. I don't want to send such personal information in the mail for anyone to see. Will my opt-out request be processed if I put the form inside an envelope? What if I provide only the last four digits of my Social Security number?

We agree that consumers should not be required to mail such personal information on a postcard. As we have said many times in other publications, your Social Security number is the key to identity theft if it gets into the wrong hands. Your financial company may honor your opt-out request without a complete Social Security number or if you insert the card into an envelope. But, it's best to check with the company before altering their procedures. Such flexibility would indicate that your company wants to comply with the spirit as well as the letter of the law.

Attached is a sample letter you may use if you want to opt-out by mail. Use this letter if one of the choices the privacy notice gives you is to send a letter to a specific address. Or use the letter if you want to make a written record to follow a toll-free call or an online opt-out request. Note that the sample letter asks the company not to share your information with affiliated companies or with joint marketers. The company is not obligated to comply with these additional requests. However, including such requests lets the company know that you do not approve of its sharing information with affiliates or joint marketers.

What is the easiest and cheapest way for me to opt-out?

Unless you do business online, the easiest and cheapest way to opt-out is to call a toll-free number. Not all companies have provided toll-free numbers, however. And companies are not required to provide prepaid postage for you to return your opt-out instructions by mail.

Can I opt-out under the FCRA and GLB at the same time?

It depends. If the company gives you a toll-free number, the same number will likely appear in two places:

  • In connection with your right under GLB to opt-out of information sharing with third-party non-affiliates.
  • In connection with your right under the FCRA to opt-out of sharing your "creditworthiness" information with affiliates.

If you call the toll-free number, an automated system is likely to give you two opt-out choices. Follow the instructions to opt-out under both GLB (non-affiliated third parties) and the FCRA (creditworthiness).

If you talk to a person at the number, be sure to mention both opt-out laws and the phrases associated with each if that is your choice. You may use the attached letter as a guide on what to say if you want to speak to a representative of the company.

Online, you should be given the same two opt-out choices. If you are familiar with the words that apply to each of the opt-out laws, you should be able to easily follow the online instructions.

Do I have any other opt-out choices?

Although it is not required, the notice may enable you to not receive marketing offers for products or services from that company or its affiliates. Follow the instructions in the notice if you do not want to receive such offers.

In Fact Sheet 24, we noted that a major weakness of GLB is that it does not give you the opportunity to prevent your financial services companies from sharing your data with its affiliated companies. However, there's no stopping you from asking anyway. In the following sample letter, we include language that you may use if you want to request that your bank, credit card company, insurance company, or brokerage firm refrain from sharing your personal data with its affiliates and joint marketing partners.

What is being done to make privacy notices easier to understand? 

Reaction to the first privacy notices delivered in July 2001 was highly negative. GLB and federal rules specify that notices be “clear and conspicuous,” that is, written in plain language. Yet the notices received by millions were filled with legalese and confusing messages. Many consumers simply tossed the privacy notices, seeing them as just another bit of junk mail stuffed in with account statements.

In response to these concerns, in November 2009, eight regulatory agencies (the FDIC, the Board of Governors of the Federal Reserve System, the Commodity Futures Trading Commission, the Federal Trade Commission, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, and the U.S. Securities and Exchange Commission) released model privacy notices. http://www.ftc.gov/privacy/privacyinitiatives/PrivacyModelForm_FR.pdf. 

The model privacy notice is a two-page disclosure form designed to allow consumers to easily compare the privacy practices of different financial institutions.  Use of the model privacy form is voluntary.  A financial institution that properly uses the model privacy notice will be in compliance with the disclosure requirements for privacy notices under the GLB and obtains a "safe harbor" for federal regulatory requirements for privacy notices.   Read more about model notices at http://www.skadden.com/insights/privacy-alert-january-1-2011-%E2%80%93-safe-harbor-conversion-date-under-gramm-leach-bliley.

While financial institutions are free to write their own privacy notices, such notices do not offer the institution "safe harbor" protection.  Therefore, most financial institutions have adopted the regulatory agencies' model privacy notices.

The regulatory agencies have provided an Online Form Builder that financial institutions can download and use to develop and print customized versions of a model consumer privacy notice. http://www.federalreserve.gov/bankinforeg/privacy_notice_instructions.pdf.  The Online Form Builder provides financial institutions with four options depending on the financial institution’s data sharing practices and the opt-out rights it extends to consumers.  Many financial institutions now use these model notices, which are simpler and easier for consumers to understand. 

Financial institutions may not change the content of the form or add any information, except as specifically permitted by the form’s instructions. They may incorporate the form in another document or with other notices, and include additional documents or information provided the form is presented in a clear and conspicuous manner.

Other PRC Financial Privacy Fact Sheets:

Fact Sheet 24. "Financial Privacy in the New Millennium: The Burden Is on You,"

Fact Sheet 24(d). "Frequently Asked Questions About Financial Privacy,"

"Lost in the Fine Print: Readability of Financial Privacy Notices,"
by Mark Hochhauser, readability consultant

Fact Sheet 6. "How Private Is My Credit Report?"

Fact Sheet 24A -- Attachment
Sample Opt-Out Letter

(Use this letter if the company provides you the option of writing a letter. This letter may also be used if you want to follow a toll-free call or an online opt-out with a written request.)


[Your address]


[Name of company]

[Company's address as shown in the privacy notice]

RE: Opt-Out Instructions for Account #______________


Dear [name if given in the privacy notice]:

Following are my instructions with regard to your information sharing and sales policies:

You do not have my permission to share my personally identifiable information with non-affiliated third party companies or individuals. I am asserting my rights under the Financial Services Modernization Act (the Gramm-Leach-Bliley Act) to opt-out of any sharing or sales of my information by your company.

You do not have my permission to share information about my creditworthiness with any affiliate of your company. I am asserting my rights under the Fair Credit Reporting Act to opt-out of any sharing of this information by your company.

[Optional] I do not wish to receive marketing offers from your company or its affiliates. Please delete my name from all marketing lists and databases.

[Optional] Your company's privacy notice states you may otherwise use my information as "permitted by law." I wish to limit other uses of my personal information by your company and its affiliates. In particular:

You do not have my permission to disclose any information about me, including transaction and experience information, to your affiliates.

You do not have my permission to disclose any information about me in connection with joint marketing agreements between your company and another company.

Thank you for respecting my privacy and honoring my choices regarding my customer information.


[Your signature]

[Your name]                                         [Keep a copy of the letter for yourself.]

Copyright © Privacy Rights Clearinghouse. This copyrighted document may be copied and distributed for nonprofit, educational purposes only. For distribution, see our copyright and reprint guidelines. The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse.


Sign In!