Privacy Rights Clearinghouse
- What laws protect privacy of my financial information?
- Does GLB apply only to my bank and credit union accounts?
- What’s the most important thing I can do to protect my financial information?
- If I go to the trouble to opt out, how can I be assured my company won’t sell or disclose my information anyway?
- I received a privacy notice that doesn’t give me an opt out. Am I missing something?
- I receive privacy notices at least once a year. I opted out last year. Do I have to opt out every time I get a notice?
- I have been tossing the privacy notices. Is it too late to opt out?
- My bank’s privacy notice says I can send a letter to opt-out. What should I say in the letter?
- My bank’s privacy notice says my “creditworthiness” information is shared with the bank’s affiliated companies unless I opt out. What does this mean?
- The privacy notices I receive are impossible to understand. Is anything being done to make the notices easier to read and understand?
- I received a privacy notice that saysid my bank shares my information with third parties as “permitted by law.” What does this mean?
- Can I stop my credit card company from using an overseas customer call center?
- Can a company my bank hires to send out statements sell my information to a third partysomeone else?
- A relative of my ex-spouse works at a bank. I believe this person gave my ex information about my finances. What should I do?
- How do I know if my small company is a “financial institution,” and subject to GLB’s privacy and data security rules?
- Is private information I give to an auto dealer protected by the GLB privacy rule?
- Does my bank have to safeguard all personal information it receives?
- Does my bank have to notify me of a security breach?
- I suspect someone called my bank impersonating me to get my account files. What should I do?
- Can I sue my bank for violating my privacy rights?
- Do state laws allow more privacy protection of my financial information?
- How do I complain about a violation of my financial privacy?
- I strongly object to a company sharing any information about me without my consent. Is there anything I can do?
- Where can I learn more about protecting my financial privacy?
The Financial Services Modernization Act of 1999 is the major federal law that covers privacy for personal financial information. It is more commonly known as the Gramm-Leach-Bliley Act (or GLB), after the sponsors of the legislation.
GLB requires financial institutions to notify customers about how personal information is collected and used. Companies that share or sell customer data to outside companies (third party non-affiliates) must give customers a way to opt out, that is say “no” to having information shared with others. (15 USC, Subchapter 1, Section 6801-6809)
Since July 1, 2001, customers have, at least annually, been receiving written privacy notices. The notices are usually included as an insert with monthly statements and are easily overlooked. GLB only covers data shared with outside companies. However, another federal law, the Fair Credit Reporting Act (FCRA), gives you some rights to stop companies from sharing your personal data with corporate affiliates. Your rights to opt out under the FCRA are usually included in the GLB privacy notice you receive.
No. GLB applies to “financial institutions,” that is companies that offer financial services and products to individuals. This includes not only banks but, among many others, financial advisors, stock and commodities brokers, real estate settlement companies, mortgage brokers, payday lenders, debt collectors, tax preparers and automobile dealers.
Take a few minutes to read the privacy notices you receive. If you are concerned about privacy, follow the instructions given in the notice and take every opt out allowed. Remember, GLB only gives you the right to opt out if the company shares information with outside companies. And, as discussed in Question 1 above, the FCRA provides another opt out for information about your creditworthiness. This means the privacy notice may include one or two opt out choices. Or, the notice may not give any opt out at all. When the privacy notice says your information is neither shared with outside companies nor affiliates, there is no opt out required.
You may even find that the notice gives you more than two choices to opt out. For example, some companies include an opt out to allow you to stop information from being shared with joint marketers. This is a signal that the company offers an “extra” opt out, one that is not required by law.
Unfortunately, GLB does not require that you receive a confirmation when you opt out. Nor will you see your privacy choices on your account statements.
Many types of companies are included in the definition of “financial institution.” Banks, insurance companies, credit unions, and securities and commodities brokers all operate in what is called a “regulated industry.” This means the company’s activities are regulated by a particular government agency called a “functional regulator” in the law.
If a company operates within a “regulated industry,” the government agency that oversees the company’s activities conducts regular audits to assure compliance with regulations. Regular audits may detect company practices that are not in compliance with all regulations, including those governing privacy and data security.
Companies that do not answer to one of the “functional regulators” and are not subject to periodic audits come under the jurisdiction of the Federal Trade Commission, www.ftc.gov .
To the general public, the business of selling, transferring, trading, or leasing personal information remains largely a mystery. Equally unknown to the public are procedures companies adopt to make sure your opt out choices are honored.
Remember, GLB does not give you total control over how your information is shared. The law only gives you the right to opt out if the company shares your information with third-party nonaffiliated companies. Some companies such as banks and credit card companies are also required to offer an FCRA opt out, that is, a choice to stop the company from sharing information about your “creditworthiness” with corporate affiliates. This is sometimes also called “application” information. It includes information you would normally give a potential creditor when applying for a loan -- such things as your income and debt level.
If the company does not share information with outsiders and does not share information with affiliates, no opt out is required.
No. Your opt out choice remains in effect until you change it. However, the opt out only applies to the active account(s) you have at the time you make your choice. If you, for example, close your accounts, open an account with a new bank, but later open a new account with your old bank, you will have to opt out again. In other words, your opt out applies to the account(s) you have at the time you opt out.
The PRC Web site includes a sample letter that you can use to opt out. The letter appears as an attachment to Fact Sheet 24(a). www.privacyrights.org/fs/fs24a-letter.htm 
The sample letter includes the language necessary to opt out, both under GLB and the FCRA. Understand that some of the optional paragraphs we have included in the sample letter need not be honored by your financial institution. A company has no obligation under GLB to stop sharing your information with affiliates or with joint marketers. Rather, GLB applies only to sharing with unaffiliated third parties.
By requesting privacy protections that go beyond what a company is required to do, you are simply saying that you value your privacy and object to having your information used for any purpose other than servicing your account.
The FCRA allows companies to share information with affiliates. For example, banks may have an affiliated brokerage firm, insurance company, or other company that operates under a common corporate umbrella. The FCRA allows sharing of two separate kinds of personal information.
So called “experience and transaction” information encompasses account activity like deposits, withdrawals, debits, and credits. Also included in this category are specifics such as what you buy, where you buy it, and how much you pay. This is valuable information, particularly when a company wants to sell you every variety of its financial products. The FCRA does not allow you to stop this data flow.
The FCRA does, however, give you the right to opt out when it comes to information about your “creditworthiness.” This includes information such as the amount and source of your income, your debt level, and your history of paying bills on time.
Reaction to the first privacy notices delivered in July 2001 was highly negative. Federal law specifies that notices should be “clear and conspicuous,” that is, written in plain language. Yet the notices received by millions were filled with legalese and confusing messages. Many consumers simply tossed the privacy notices, seeing them as just another bit of junk mail stuffed in with account statements.
In response to these concerns, in November 2009, federal regulatory agencies released new model privacy notices. http://www.ftc.gov/privacy/privacyinitiatives/PrivacyModelForm_FR.pdf. 
The model privacy notice is a two-page disclosure form designed to allow consumers to easily compare the privacy practices of different financial institutions. Use of the model privacy form is voluntary. A financial institution that properly uses the model privacy notice will be in compliance with the disclosure requirements for privacy notices under the GLB and obtains a "safe harbor" for federal regulatory requirements for privacy notices. You can read more about these model notices at http://www.skadden.com/insights/privacy-alert-january-1-2011-%E2%80%93-safe-harbor-conversion-date-under-gramm-leach-bliley .
While financial institutions are free to write their own privacy notices, such notices do not offer the institution "safe harbor" protection. Therefore, most financial institutions have adopted the regulatory agencies' model privacy notices which are simpler and easier for consumers to understand. Most importantly, it's now possible to compare notices from different financial institutions, to see how the institutions handle the use and disclosure of your information.
The regulatory agencies have provided an Online Form Builder that financial institutions can download and use to develop and print customized versions of a model consumer privacy notice. http://www.federalreserve.gov/bankinforeg/privacy_notice_instructions.pdf . The Online Form Builder provides financial institutions with four options depending on the financial institution’s data sharing practices and the opt-out rights it extends to consumers.
Financial institutions may not change the content of the form or add any information, except as specifically permitted by the form’s instructions. They may incorporate the form in another document or with other notices, and include additional documents or information provided the form is presented in a clear and conspicuous manner.
Unlike most financial institutions which are regulated by the federal government, insurance companies are regulated by state government agencies. Each state has an insurance commissioner overseeing insurance companies operating in that state. However, GLB, a federal law, covers insurance companies as well. To comply with GLB’s privacy provisions, state insurance commissioners were required to adopt privacy regulations.
To learn more about your state’s privacy regulations for insurance companies, visit your state insurance regulator’s Web site. To find the insurance commissioner in your state, visit the Web site of the National Association of Insurance Commissioners, www.naic.org .
Like most laws that promise some privacy, GLB is riddled with exceptions. The law almost never gives you complete control over how your information is shared. Sometimes it’s to your advantage to have a company share your information. For example, when your credit card company reports your favorable payment history to the credit bureaus, this helps build your credit history and increase your credit score. Even if information is negative, you cannot stop the flow of data from a financial institution to a credit bureau.
Nor does GLB allow you to keep information from being shared with a financial institution’s service provider, that is an outside company that performs services such as preparing account statements, printing checks or customer call centers.
A most troubling opt out exception included in GLB is one that allows your bank or other financial institution to share your personal data for “joint marketing” purposes. This allows a bank, for example, without your permission, to enter into a contract with another company to sell you new financial products or services. Sharing data with credit bureaus, service providers, and joint marketers are examples of disclosures permitted by GLB.
Your information may also be disclosed if required by law. One example of this would be if financial information is ordered by a court or subpoenaed by a party to litigation. The federal Right to Financial Privacy Act (RFPA), 12 USC 3401, also gives some federal government agencies authority to obtain financial records as part of an investigation. For more on the RFPA, visit the webWeb site for the Electronic Privacy Information Center (EPIC), at www.epic.org/privacy/rfpa/  .
No. An offshore call center is an example of a “service provider” under GLB. The law makes no distinction between a domestic and foreign service provider. Recognizing unique privacy implications of foreign-based service providers, federal banking regulators have issued specific guidance for financial institutions that outsource personal data. See for example, FDIC Guidelines, Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks, http://www.fdic.gov/regulations/examinations/offshore/ 
This is a very serious matter. It should not be taken lightly, either by one who makes the claim or by an employee tempted to use private data for personal reasons.
GLB requires banks and other financial institutions to adopt data security procedures. Success of data security programs depends largely on a company’s employees. Most companies conduct background checks and some ask employees to sign an agreement to follow the company policies. An employee who uses access to personal financial data for personal reasons almost certainly violating company policy.
The bank’s branch and regional managers should be notified immediately as well as the company’s corporate headquarters. Reports to several levels should prompt an internal investigation to identify weakness in data security procedures.
The matter should also be reported to the federal government agency that oversees the company. For more on safeguarding customer data, see PRC Fact Sheet 24(e), Is Your Financial Information Safe?, www.privacyrights.org/fs/fs24e-FinInfo.htm#7  At the end of this guide you will find a list of federal agencies with contacts for complaints.
As discussed in Question 2 above, GLB applies to many business types, not just those in regulated financial industries like banking, securities, commodity futures, or insurance. The Federal Trade Commission’s Web site has a great deal of information for businesses that must comply with the privacy and security provisions of GLB. http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act 
According to the FTC, a car dealer must comply with GLB when the dealer:
- Extends credit to someone (for example, through a retail installment contract) in connection with the purchase of a car for personal, family, or household use.
- Arranges for someone to finance or lease a car for personal, family, or household use.
- Provides financial advice or counseling to individuals.
For answers to other questions about GLB and auto dealers, see the FTC’s guide, The FTC’s Privacy Rule and Auto Dealers: Frequently Asked Questions. http://business.ftc.gov/documents/bus64-ftcs-privacy-rule-and-auto-dealers-faqs 
No. The GLB rules on security only apply to data maintained on a company’s “customers.” A “customer” is an individual with an ongoing relationship with the bank. Only accounts opened for personal, family, or household reasons are covered. GLB does not apply to business accounts. Nor do the GLB safeguarding rules apply to “consumers” who use the bank’s service only once or infrequently to cash a check or make an ATM withdrawal.
GLB privacy rules do, however, apply to “consumers,” to a limited extent. For example, you may visit an ATM even though you do not have an ongoing “customer” relationship with that bank. If the bank shares your information with third-parties, you should be given a one-time notice of that fact and an opportunity to opt out.
Most states have laws that require companies, including financial institutions, to give individuals notice about unauthorized access to personal data. The rules vary from state to state. Following is a list on state data breach laws: http://www.perkinscoie.com/statebreachchart/ .
In addition, the federal banking agencies have adopted joint guidelines, requiring banks to adopt “response” procedures. Federal guidelines specify notice to customers if the breach could “result in substantial harm or inconvenience” to the bank’s customers. For more on the federal guidelines, see the banking agencies’ joint press release dated March 23, 2005. www.fdic.gov/news/news/press/2005/pr2605.html 
This is called “pretexting,” and it is illegal. GLB includes a specific section that prohibits fraudulent access to your financial information. www.ftc.gov/privacy/glbact/glbsub2.htm 
The pretexting section applies if someone calls you and tricks you into giving personal information, or calls someone else such as your bank. It also applies if someone uses a forged or stolen document to get your information. (15 USC, Subchapter II, Sec. 6821-6827)
The law includes civil as well as criminal penalties for one who uses false pretenses to get your personal financial information. Incidents should be reported to the bank’s fraud department, the FTC, and criminal authorities such as the FBI or your local District Attorney.
For more on pretexting with tips on how to protect yourself, see PRC Fact Sheet 24(e), Is Your Financial Information Safe?, www.privacyrights.org/fs/fs24e-FinInfo.htm#5  .
GLB does not give you the right to sue a financial institution. However, some state laws may give you the right to file a lawsuit. An attorney can advise you of your rights under state law.
Even though GLB does not allow you to sue, you may complain to the appropriate federal agency. A list of federal agencies that enforce GLB data privacy and security rules can be found in the References Section (Part 7) of PRC Fact Sheet 24(e), Is Your Financial Information Safe? www.privacyrights.org/fs/fs24e-FinInfo.htm#7  . Consumer complaints are a major source of information, and government enforcement actions are often initiated based on consumer complaints.
As discussed above (Question 11), insurance companies are subject to state privacy regulations. To file a privacy-related complaint against an insurance company, contact your state insurance commissioner through the Web site for the National Association of Insurance Commissioners, www.naic.org  .
GLB allows states to adopt stronger privacy protections. (15 USC §6807) . California’s Senate Bill 1(SB1) is perhaps the most widely publicized state law that goes beyond the privacy rights included in GLB. The California Financial Information Privacy Act, added Sections 4050-4060 to the California Financial Code.
As signed by the Governor in 2003, the law gave Californians more control over information sharing among corporate affiliates, data flow governed by the FCRA. Specifically, SB1 allows consumers to opt out for all data sharing among affiliated companies. (See Question 1). The law also expanded GLB’s privacy rights by requiring companies to get consumer consent, an opt in, before sharing information with outside, third-party companies.
The portion of the law allowing consumers to opt out of all data sharing among affiliated companies has been limited by the decision in American Bankers Association v. Lockyer , No. 05-17163, 2008 WL 4070308 (9th Cir. Sept. 4, 2008), The decision preserves consumers’ rights to restrict affiliate data-sharing related to non-consumer report information (i.e., transaction and experience information), but not creditworthiness information.
Write a letter, call, or file a complaint online with the appropriate federal agency. The agencies with authority to enforce GLB privacy and data security rights are listed in Part 10 of PRC Fact Sheet 24, Protecting Financial Privacy in the New Millennium: The Burden is on You, www.privacyrights.org/fs/fs24-finpriv.htm#10  .
If your complaint involves an insurance company, file a complaint with your state insurance commissioner. Contact information for state insurance agencies can be found at the Web site for the National Association of Insurance Commissioners, www.naic.org  .
You can voice your opinion to your representatives in Congress as well as your state legislators. GLB allows states to enact stronger privacy protections. To date, most efforts by states to enact strong privacy protections have been defeated. This is largely due to the strong and well-financed lobby of the financial services industry.
Failure of states to enact stronger privacy legislation is also due to the fact that consumers have not been adequately informed about information-sharing practices. The more consumers become informed, the better they are able to communicate their point of view to state lawmakers.
The same is true for consumers' opinions expressed to federal lawmakers who have it within their power to strengthen GLB. Tell your U.S. Senators and Representative that you want laws to give consumers more control over how their personal information is used. To contact your US Senators visit the Web site www.senate.gov/ and to contact your Representative visit the Web site for the House of Representatives, www.house.gov .
See also these PRC financial privacy guides:
Fact Sheet 6: How Private Is My Credit Report.
Fact Sheet 24: Protecting Financial Privacy in the New Millennium: The Burden Is on You.
Fact Sheet 24a: Financial Privacy: How to Read Your "Opt-Out" Notices.
Sample - Opt-Out Letter.