Privacy Rights Clearinghouse
The Gramm-Leach-Bliley Act (GLB) (also known as the Financial Services Modernization Act) provides you some minimal rights to protect your financial privacy. However, the burden is on you to assert your rights. In order to assert your rights, you must understand how to read an a privacy notice and the steps you must take to "opt-out," that is limit the sharing of your customer data with other companies.
The law gives you the right to prevent a company you do business with from sharing or selling certain sensitive information to non-affiliated third parties. The term "opt-out" means that unless and until you inform your bank, credit card company, insurance company, or brokerage firm that you do not want them to share or sell your customer data to other companies, they are free to do so.
What is the first step I can take to protect my personal financial information?
Will the notice explain the law and the rights it gives me?
Not in so many words. Some companies may use the notice as a marketing opportunity. Instead of referring to your rights under the law, you may see statements at the beginning of the notice such as these: "Because we respect your privacy.," or "In order to provide you with the best services..." However, make no mistake: The rights described in the notices are yours under federal law and companies must give you this notice.
Should I assume the notice is about my rights under GLB?
The notices you receive will actually be a combination of your opt-out rights under two federal laws -- GLB and the Fair Credit Reporting Act (FCRA). The notice may not identify either of these laws by name, so you must be able to identify the words and phrases associated with each law.
An important difference is that GLB allows you to opt-out of information-sharing only with non-affiliated third parties and not with a company's affiliates. The FCRA allows you to opt-out or prevent a company from sharing "creditworthiness" information with its affiliates.
The following table may help to explain the differences between the opt-out opportunities in the two laws. The terms used in this table are further explained below.
|LAW||Information Covered||Key Words
(sharing and sales) to
|Can You Opt-Out?||How to
|Gramm-Leach-Bliley Act (GLB)||Information maintained by a financial institution||Personally identifiable financial information, also termed Nonpublic personal information||Third-parties Non-Affiliates||Yes||--Toll-free number
|Publicly available information||Third-party non-affiliates and/or affiliates||No|
|Fair Credit Reporting Act (FCRA)||Information from consumer reports||Transaction and experience information||Affiliates||No|
|Creditworthiness information||Affiliates||Yes||--Toll-free number
I received a privacy notice that said my bank does not sell my information to third-party nonaffiliates. But later in the notice, it says they share information with third-party nonaffiliates "as permitted by law." Can I opt-our or not?
Probably not. The law contains exceptions to your right to opt-out to information sharing with third-party nonaffiliated companies. You cannot opt-out if your company shares information with an outside company that provides services for your company such as check printing. More troubling is the loophole that enables the company to enter into joint marketing agreements with outside companies. Such sharing of information is "permitted by law" and you have no right to opt out.
Will the notice tell me exactly what information the company has about me?
No. The notice need only be general in nature, and an identical notice will be sent to all the company's customers. Do not expect to see anything that applies specifically to you.
You will have to read between the lines. If a notice says that the company collects information from applications you filled out, think about the kinds of information you are required to give on an application for credit or a loan.
Will some information be on all privacy notices?
There are certain key words and phrases that you are likely to see in all notices. You will often see the following words in bold type.
- Affiliate. Refers to a company that is owned or controlled by the same people or parent company as the one sending the opt-out privacy notice to you. An affiliate is often referred to as a company in the same "corporate family." You cannot opt out of affiliate sharing under GLB. But under the FCRA you can opt-out of having information about your creditworthiness shared with company affiliates. (See Creditworthiness below.)
- Collect. Tells you what information the company collects about you and where it gets the information.
- Creditworthiness. Refers to information about how you pay your bills (are you current or overdue?), your credit score, and the risk of giving you credit. You may opt-out of affiliate sharing under the FCRA. (See Affiliate above.)
- Joint Marketers. Refers to non-affiliated third parties and affiliates that have entered into an agreement with your company to sell you products. An example, would be if your credit card company enters into an agreement with another company to sell you insurance against loss on your credit card account. You cannot opt-out of the sale or sharing of your customer data with Joint Marketers.
- Non-affiliated Third Party. Refers to all companies, individuals, and organizations that are not affiliates. You can opt-out under GLB.
- Nonpublic Personal Information. See Personally Identifiable Financial Information.
- Personally Identifiable Financial Information. Refers to information that may be connected with you and your accounts. For example, information that combines your name with your account balance or income would be personally identifiable information. This phrase comes from GLB and you may choose to opt-out of sharing or sale of this information but only as it pertains to third-party non-affiliates.
- Publicly Available Information. Refers to information that your financial institution has a reasonable basis to believe is lawfully made available to the general public. For example, your telephone number is public information unless you have an unlisted number. You cannot opt-out.
- Service Providers. Refers to a company hired to perform a service such as preparing account statements or printing checks for your company. You cannot opt-out.
- Share, Disclose, or Provide. Tells you what the company does with your personal information. "Share," "disclose," and "provide" will usually be used with the words "affiliate" and/or "non-affiliated third party." When used with the term non-affiliated third party, it is quite likely that your information may be rented, usually on a one-time-use basis. You will seldom see the word "sell" unless the company says it does not sell your information to third party non-affiliates.
- Transaction and Experience. Refers to information that may include such things as the charges you make on your credit card or the checks you write. This phrase comes from the FCRA. You cannot prevent the company from sharing this information with affiliates under either the FCRA or GLB. However, under GLB you can opt-out of the sharing or sale of this information to a third-party non-affiliate.
Privacy advocates strongly opposed this loophole in the FCRA because "transaction and experience information" is often highly personal and very sensitive. Think, for example, of the entries in your check register. When you write checks to medical facilities, religious organizations, political candidates, charitable organizations, and so on, you are revealing a great deal of information about yourself. The same can be said of the purchases you make on your credit cards. Your monthly statement can read like a mini-autobiography. Yet, such information can be shared with company affiliates without your permission.
Will the notice tell me what to do if I want to opt-out?
Yes. This is one of the requirements of both GLB and the FCRA. The notice will most likely give you three choices:
- Send a letter or return an attached form to an address given in the notice.
- Call a toll-free number given in the notice.
- Opt-out online if that is the way you normally do business with the company.
Can I opt-out under the FCRA and GLB at the same time?
It depends. If the company gives you a toll-free number, the same number will likely appear in two places:
- In connection with your right under GLB to opt-out of information sharing with third-party non-affiliates.
- In connection with your right under the FCRA to opt-out of sharing your "creditworthiness" information with affiliates.
If you call the toll-free number, an automated system is likely to give you two opt-out choices. Follow the instructions to opt-out under both GLB (non-affiliated third parties) and the FCRA (creditworthiness).
Online, you should be given the same two opt-out choices. If you are familiar with the words that apply to each of the opt-out laws, you should be able to easily follow the online instructions.
Do I have any other opt-out choices?
Although it is not required, the notice may enable you to not receive marketing offers for products or services from that company or its affiliates. Follow the instructions in the notice if you do not want to receive such offers.
Other PRC Financial Privacy Guides:
Fact Sheet 24A -- Attachment
Sample Opt-Out Letter
(Use this letter if the company provides you the option of writing a letter. This letter may also be used if you want to follow a toll-free call or an online opt-out with a written request.)
[Name of company]
[Company's address as shown in the privacy notice]
RE: Opt-Out Instructions for Account #______________
Dear [name if given in the privacy notice]:
Following are my instructions with regard to your information sharing and sales policies:
You do not have my permission to share my personally identifiable information with non-affiliated third party companies or individuals. I am asserting my rights under the Financial Services Modernization Act (the Gramm-Leach-Bliley Act) to opt-out of any sharing or sales of my information by your company.
You do not have my permission to share information about my creditworthiness with any affiliate of your company. I am asserting my rights under the Fair Credit Reporting Act to opt-out of any sharing of this information by your company.
[Optional] I do not wish to receive marketing offers from your company or its affiliates. Please delete my name from all marketing lists and databases.
[Optional] Your company's privacy notice states you may otherwise use my information as "permitted by law." I wish to limit other uses of my personal information by your company and its affiliates. In particular:
You do not have my permission to disclose any information about me, including transaction and experience information, to your affiliates.
You do not have my permission to disclose any information about me in connection with joint marketing agreements between your company and another company.
Thank you for respecting my privacy and honoring my choices regarding my customer information.
[Your name] [Keep a copy of the letter for yourself.]