Fact Sheet 24:
Protecting Financial Privacy:
The Burden Is on You

Copyright © 2000 - 2014
Privacy Rights Clearinghouse
Posted December 2000
Revised October 2013

  1. Introduction
  2. Financial Privacy 101
  3. More About Privacy Notices
  4. Information Flow - How Data Comes and Goes
  5. Outsourcing - The "Service Provider" Loophole
  6. Joint Marketing Agreements - Watering Down Your Opt-Out
  7. Affiliate Sharing - Can You Stop It?
  8. Financial Privacy - California Style
  9. What You Can Do to Protect Your Privacy
  10. File a Complaint
  11. Resources

1. Introduction

Used to be, your bank handled your checking and savings accounts. You visited your insurance agent for life, auto, or homeowner's insurance. And, if you wanted to "play the market," you called your stock broker. Federal legislation changed all that.

The Financial Services Modernization Act allows banks, insurance companies, and brokerage firms to operate as one. The law was implemented in 2001 and is also known as the Gramm-Leach-Bliley Act or GLB. The combined companies have been aptly dubbed "financial supermarkets." They may promise you such benefits as consolidated account statements and lower fees. But at the same time, the ability of these companies to merge customer data from several sources and even sell it to third parties represents a real risk to your privacy.

Information about you kept in the files of financial institutions is now, and always has been, some of the most sensitive, personal information imaginable. Surprisingly, before GLB there were few restrictions on a financial institution's ability to share, rent or sell your personal information. Most companies share your information by renting or leasing customer data to third parties for a one-time use. Even though financial companies are likely to be renting customer data, we use the word "sell" to indicate that customer data changes hands for a fee.

Title V of GLB (15 U.S.C. §§ 6801-6810) gives you some minimal rights to protect your financial privacy. Privacy notices started appearing in your mailbox in 2001. Since then, efforts have been made to make the notices easier to understand. However, no matter how short or clearly written, the message is still the same: the burden is on you to assert your rights.

2. Financial Privacy 101

Does GLB give me control of my financial information?

Not much. GLB only gives you the right to opt-out. "Opt-out" is contrary to the "opt-in" approach preferred by most consumer and privacy advocates. Opt-in prohibits a financial institution from sharing or selling your data if you do not give your affirmative consent. With opt-out, you give your implied consent by failing to return the privacy notice sent to you by your financial company. So, if you say nothing, it means "yes, you can share my data." The default for the opt-out approach is that your data is shared until and unless you notify the company otherwise.

Your right to control your personal financial information is further diluted by GLB's "joint marketing" exception. This means your company can share your information with outside companies by entering into an agreement to sell you a financial service or product. You cannot opt-out when it comes to joint marketing. For more on joint marketing agreements, see Part 6 of this guide.

What privacy rights do I have under GLB?

GLB requires that your financial institution give you notice of three things:

  •  Privacy Policy: Your financial institution must tell you the kinds of information it collects about you and how it uses that information.
  •  Right to Opt-Out: Your financial institution must explain your ability to prevent the sale of your customer data to third parties.
  •  Safeguards: Financial institutions are required to develop policies to prevent unauthorized access to confidential financial information. These policies must be disclosed to you.

Will the privacy notice come from my bank?

Yes. And if you have active accounts with a brokerage house, credit card company, or insurance company, you will receive a privacy notice once a year from these institutions as well. In addition, the term "financial institution" includes companies you might not consider to be financial institutions such as payday loan companies, collection agencies, and travel agents. For this reason, it is particularly important to carefully review all notices you receive in the mail.

As a small business owner, how do I know if I have to send a privacy notice to my clients?

Some small business owners are every bit as confused as consumers about how GLB applies. In short, any company that deals in "financial services or products" is a "financial institution" and must provide its customers with an annual privacy notice. This broad definition means that small companies that provide real estate settlement services or collect debts for other companies may be required to send an annual privacy notice. It is the kind, not size, of your business that determines whether you are required to send a privacy notice. The Federal Trade Commission's Financial Privacy: Business Guidance provides online guidance for small business owners on this topic.

The FTC's web site also includes specific guidance for automobile dealers and mortgage brokers. Accountants no longer have to send an annual privacy notice. Tax preparers that are also certified public accountants are exempt from GLB compliance by a 2006 law, the Financial Services Regulatory Relief Act (FSRRA), Pub. L. 109-351 (2006).

For a full summary of the FSRRA Sections, see the Congressional Research Service Summary of FSRRA of 2006.

3. More About Privacy Notices

July 1, 2001 was the deadline for companies to send out initial privacy notices. After that, financial institutions had to send such notices annually. But the annual notices don't necessarily arrive around July 1 of each year. Companies now can pick any twelve consecutive months, as long as they are consistent.

Will I receive a notice for every account?

If you have more than one account with any company, you will probably not receive a notice for each account. Or, if you do business with one of the "financial supermarkets," you may receive a single privacy notice that lists all the companies that are covered by the notice -- insurance, brokerage, banking, and so on.

You may receive notices from companies where you were not even aware that you had an existing relationship. And, you could receive a notice from a company even though the account has been closed for years. The American Bankers' Association initially estimated that the average household will receive about 18 notices each year.

Will I receive a written notice in the mail?

You will receive a written notice in the mail, or by electronic mail if you normally do business online. Use caution when responding to any electronic mail, especially if you are being asked to supply personal information like account numbers. Since GLB went into effect in 2001, there has been a rash of fraudulent e-mails sent by identity thieves and other fraudsters. The e-mails can look deceivingly authentic. Most official websites tell you that they do not request personal information via e-mail.  For more on this scam, known as "phishing," see the US Government website, OnGuardOnline: Phishing.

How will I recognize the privacy notice?

The notice must be "clear and conspicuous." For example, an Internet notice should prompt you to scroll down the page. Or, a drop-down menu should draw your attention to the privacy notice. To be effective, you must agree to receive the notice by electronic means and must acknowledge having received it. Verbal notice alone is not enough. Nor is it enough for a company to post a notice at its office.

Will the privacy notice be separate from other notices?

GLB does not require that you receive a separate notice of your company's privacy policy, your right to opt-out, or the policy regarding safeguarding confidential information. Nor does GLB require a standard form, so the notice may come in a variety of ways. The exact format is left to the company. The law requires only that the notice be "clear and conspicuous" and "designed to call attention to the nature and significance of the information contained" in the notice.

GLB notices may, for example, be mailed along with your account statements. Your privacy notice may also be included with other notices you are required to receive, for instance, in a mutual fund prospectus. Remember: If you do not want your financial institution to share or sell your confidential information, the burden is on you to recognize the notice and follow the opt-out instructions.

Can I shop around for a privacy policy before opening an account?

You may certainly ask a financial institution you're thinking of doing business with for a copy of its privacy policy. However, you are only entitled to the notice if you are either an existing customer or at the time you establish a "customer relationship" with a financial institution. After that, you will get a notice annually.

A "customer relationship" means a continuing relationship. You have only a "consumer relationship" if you have a one-time transaction with a financial institution. An example would be an ATM withdrawal. As a "consumer" you only get a notice if the bank says it intends to disclose information to nonaffiliated third parties.

It's uncommon to find your bank's privacy notice displayed in the branch office alongside the many brochures offering credit cards, identity theft protection, and other services. However, if you're "shopping" for privacy you may get more information about the company's privacy policies on its web site.

What privacy factors should I look for in opening a new account?

  • Does the company sell your information?
  • Does the company make it easy to opt-out?
  • Does the company give other opt-out choices, such as an opt-out for all affiliate sharing?
  • Does the company tell you how it treats medical information?
  • Does the company use legalese or straight talk?
  • Does the company offer to send you a privacy notice in your own language?
  • Does the company invite you to correct inaccurate information?

A 2013 study found large variations in data-sharing practices, even among banks of the same class. While thousands of financial institutions share personal information without providing the opportunity for consumers to opt out, some institutions' practices are more consumer-friendly. (L.F. Cranor, K. Idouchi, P.G. Leon, M. Sleeper, B. Ur, "Are They Actually Any Different? Comparing Thousands of Financial Institutions' Privacy Practices.")

My bank's privacy notice gives a toll-free number to opt-out, but no address. Can I send a letter to the company's corporate headquarters?

You must follow the procedure for opting out established by the company and as stated in its privacy notice. If the notice gives you a toll-free number, you should use that method to opt-out. However, there is nothing wrong with using the toll-free number and writing to your company expressing your views on its privacy policy. After all, financial companies survive by pleasing their customers. Your views on privacy should count.

I have a joint account with a spouse/friend. Do we both have to "opt-out"?

To be safe, probably yes, if you both want to opt-out. A financial institution cannot require that you both opt-out. If only one decides to opt-out, you should ask for separate notices. Then, only information that relates to the one who did not opt-out can be disclosed. The company's policy regarding joint accounts should be included in its privacy notice.

What about closed accounts?

Initial and annual notices must inform you about sharing policies for closed accounts. Financial institutions are not required to send you an opt-out notice if your account is closed. However, if you have an existing account and opt-out, that is, return the notice saying you do not want your information disclosed, your opt-out election continues even after you close the account. If at a later time you decide to open another account with that bank or other company, you will receive another initial privacy notice which will apply only to data about your new account. You may choose to opt-out of the second account, but your decision on the first account will not change unless you change it.

How long do I have to opt-out?

You are entitled to a "reasonable" time to respond before your personal data can be disclosed. Generally 30 days is considered "reasonable." If the privacy notice says you have 30 days to respond, you must return the notice so that it reaches the company within 30 days after it was sent to you. When you agree to accept notice via the Internet, you must respond to the notice within 30 days after you acknowledge you received it, if 30 days is the response time stated.

If you have an isolated transaction, which means you have only a "consumer relationship" with a financial institution, you may be required to opt-out or not on the spot. For example, if an ATM screen posts a privacy policy and opt-out notice, you must elect at that time whether you want to opt-out. Failure to do so would mean that the financial institution could share or sell your personal data any time after that.

Do I have only one chance to opt-out?

No, not if you are a customer and have a continuing relationship with the company. Your right to opt-out is continuing. If you fail to return the initial opt-out notice or an annual opt-out notice, your financial institution may sell or share your personal data after a "reasonable" time, usually 30 days. If you later decide you want to keep your financial institution from disclosing your personal data, you always have the right to opt-out. It goes without saying, however, that information that is disclosed before you opt-out is already "out there." You can't bring it back. Once you opt-out, you do not have to respond to any future privacy notices for that account.

Do I have to write a letter for every account?

No. Your financial institution is required to give you a "reasonable" means to exercise your opt-out rights. Requiring you to write individual letters is not considered "reasonable" if that is the only way you can opt-out. A formal response may be included with the notice such as a form with check-off boxes or a simple reply form. However, financial institutions are not required to provide pre-paid postage. An email or web site form may be used if your request is processed via the Internet. A toll-free telephone number may also be used for customers to call and opt-out.

Can I opt-out by verbally telling my broker or banker?

No. You must opt-out using the procedure your bank or other financial company establishes, as long as it is reasonable. Again, the burden is on you to follow the procedures set out by your financial institution. Failure to do so could result in information being disclosed that you would not tell your best friend.

Will I get a confirmation number or a way to verify that I opted out?

No. When you call or write to opt-out, make a point to ask, but GLB does not require it.

My bank's privacy notice does not give me an opt-out. Am I missing something?

Perhaps the bank's privacy policy says it does not share information with third-party companies. If that's the case, you do not get an opt-out under GLB. Usually you would still see an opt-out for some sharing among affiliate companies, a right given by the Fair Credit Reporting Act. See Part 7 of this guide for more on affiliate sharing.

Some small financial institutions like local credit unions may not have affiliates. In that case, the FCRA opt-out would not apply. If a company does not share your information with third parties or if the company does not have affiliates, the privacy notice should explain this.

Will the privacy notice say exactly what information about me can be disclosed?

The law and regulations require only that you get notice of the categories of information the financial institution collects and the categories of information that may be sold or shared with a third party. Notice must give you specific examples of each category, but this is by no means a complete list of the data that may be disclosed.

Privacy notices may tell you that your financial institution collects and may disclose information from account applications such as your name, address, Social Security number, assets and income. Assume such a statement means that any other application data could be collected and disclosed. An application might also include former addresses, debt level, mortgage payments, income other than salary such as child support payments, and much more.

Is there any kind of information that cannot be disclosed?

GLB and federal regulations only prevent disclosure of your account number or access code to a third-party nonaffiliated company for use in telemarketing or direct mail marketing. This means that a financial institution can sell your personal data to a telemarketer, for example, but it cannot sell the means by which your account can be accessed.

But, like much of GLB, there are exceptions to the rule. For example, your account number may be disclosed when companies market products and services via joint marketing agreements. Your account number may then be disclosed in encrypted (coded) format as long as the key to the code is not disclosed.

Can my medical information be disclosed?

GLB gives no special treatment for medical information that may be included in the files of your bank or other financial company. Unless you opt-out, sensitive information such as details about your health and treatments may be disclosed to a third-party nonaffiliate. Again, you will not receive notice of exactly what data can be released -- only the category.

You have only minimal control over whether medical information captured by financial institutions is shared with an affiliate company. For example, if you have paid XYZ Oncology Clinic by credit card or check, that information will be recorded and perhaps shared within the individual companies that make up the financial "supermarket." GLB gives you no right to opt-out when it comes to affiliates -- even for sensitive medical information. What's worse, if you are given an opt-out and don't use it, medical information can be disclosed to any outside company as well.

Although GLB doesn't require it, some companies' privacy policies promise not to disclose medical information without your prior consent. Practices like this that go beyond the legal requirement are worth considering as you "shop" for financial privacy.

You may have greater rights to protect health information under the laws of your state. For example, California passed a law that makes it a crime for an insurance company to sell information to a financial institution for the purpose of granting credit (California Civil Code 56.26). The information flow in this case is only restricted one way. This law does not cover information that flows from a financial institution to an insurance company. State regulations about insurance may also give you more rights to medical privacy.

Has anything been done to improve privacy notices?

Reaction to the first privacy notices delivered in July 2001 was highly negative. GLB and federal rules specified that notices be “clear and conspicuous,” that is, written in plain language. Yet the notices received by millions were filled with legalese and confusing messages. Many consumers simply tossed the privacy notices, seeing them as just another bit of junk mail stuffed in with account statements.

In response to these concerns, in November 2009, eight regulatory agencies (the FDIC, the Board of Governors of the Federal Reserve System, the Commodity Futures Trading Commission, the Federal Trade Commission, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, and the U.S. Securities and Exchange Commission) released new model privacy notices (http://www.ftc.gov/privacy/privacyinitiatives/PrivacyModelForm_FR.pdf).

The model privacy notice is a two-page disclosure form designed to allow consumers to easily compare the privacy practices of different financial institutions. Use of the model privacy form is voluntary. A financial institution that properly uses the model privacy notice will be in compliance with the disclosure requirements for privacy notices under the GLB and obtains a "safe harbor" for federal regulatory requirements for privacy notices. Read more about model notices at http://www.skadden.com/insights/privacy-alert-january-1-2011-%E2%80%93-safe-harbor-conversion-date-under-gramm-leach-bliley.

While financial institutions are free to write their own privacy notices, such notices do not offer the institution "safe harbor" protection. Therefore, most financial institutions have adopted the regulatory agencies' model privacy notices, which are simpler and easier for consumers to understand. Most importantly, it's now possible to compare notices from different financial institutions, to see how the institutions handle the use and disclosure of your information.

The regulatory agencies have provided an Online Form Builder that financial institutions can download and use to develop and print customized versions of a model consumer privacy notice (http://www.federalreserve.gov/bankinforeg/privacy_notice_instructions.pdf). The Online Form Builder provides financial institutions with four options depending on the financial institution's data sharing practices and the opt-out rights it extends to consumers.

Financial institutions may not change the content of the form or add any information, except as specifically permitted by the form’s instructions. They may incorporate the form in another document or with other notices, and include additional documents or information provided the form is presented in a clear and conspicuous manner.

4. Information Flow - How Data Comes and Goes

Where does a financial institution get its information?

The privacy notice must tell you this. A financial institution may receive information directly from you, for example, when you fill out an application for a new account. Information about you may also be compiled based upon records of your transactions with that company or its affiliates. This may include information about how you use your credit card, your account balances, late payments, what you buy, and where you shop.

Information may also be collected from nonaffiliated third parties, consumer reporting agencies, or public records. Some financial institutions also "enhance" their files about you with information purchased from companies that collect data from consumer surveys, product registration cards, public records, and Census tracts. Such data is used to market products and services to you that the company believes are compatible with your interests.

Consider the amount and kinds of information you supply just to a financial institution that may sell insurance, bank products, and securities. Combine this with the information available from other sources, and virtually any detail of your financial affairs, health status, spending habits, lifestyle purchases, political affiliations, religious contributions, and more can be collected by your financial institution. Unless you formally object, it can be shared, sold, rented, or otherwise disclosed with few exceptions.

Keep in mind, a company may routinely purchase direct marketing mailing lists in order to get new customers. However, unless you actually are a customer or consumer of the company, you have no rights to notice, to opt-out, or any other means to control how such information is used.

What kinds of companies can get my personal information?

The privacy notice you receive from financial institutions does not have to tell you the names of any specific companies or organizations that may buy or receive your personal information. Only the categories of companies have to be disclosed to you. The relationship between your company and the company that receives your information determines if you have a right to opt-out, that is to stop the information flow. These relationships are: (1) nonaffiliated third party (outside company), (2) affiliated company, or (3) joint marketer or service provider.

GLB only gives you the right to opt-out when it comes to third-party, nonaffiliated companies. Parts 5 and 6 of this guide explain more about the joint marketer and service provider exceptions. Part 7 discusses data sharing among corporate affiliates.

Categories of outside companies (third-party nonaffiliates) as well as affiliated companies must be described. When your information is disclosed under a contract between your company and another company to sell you financial products, this is called a "joint marketing agreement." You have no right to know any details about these joint marketing agreements, and you have no say in information flow under these contracts.

What is a third party nonaffiliated?

It means a company that is not owned or controlled by the company you're doing business with. For example, your bank's privacy notice may say it shares your personal information with third party nonaffiliates. The notice may go on to identify one such category as "financial services providers." An example could be an insurance company that is not affiliated with your bank. Other categories of nonaffiliated companies that could receive your information might be identified in the privacy notice as "non-financial service providers" such as retailers, direct marketers, telemarketers, or "other companies" like nonprofit organizations. Remember, if the company sells customer data to third party nonaffiliates, it must give you the right to opt-out.

5. Outsourcing - The "Service Provider" Loophole

GLB gives you no control or right to opt-out when your financial institution shares your information with service providers. A "service provider" is a company that contracts with your bank to service your account or process your transactions.

Since GLB's effective date in 2001, outsourcing, also called offshoring, has exploded as a privacy and data security issue. Fueled by ease of electronic data transfers and efforts to cut costs, many financial companies now employ low-wage, foreign workers to service accounts.

Personal data necessary to perform accounting functions, operate customer call centers, and process transactions are now routinely sent offshore. Personal data at stake includes any information you would give your bank. For example, your name, Social Security number, and account numbers are all data items needed to "service" your account. The privacy and security implications are significant, and all the more troubling because nothing prevents a foreign "service provider" from hiring subcontractors.

What can I do if outsourcing results in identity theft?

It is unlikely that you will even be able to trace the source of the fraud. Most victims can't. Even if you can trace the source to a foreign "service provider," you have little recourse. GLB does not give you the right to sue, even an American company, for privacy or data security violations. Even federal financial agencies, with the authority to enforce GLB, will probably not have standing in foreign countries.

Will the privacy notice at least tell me if my bank outsources services?

Very unlikely. But, if you are dealing with a large financial corporation it is a near certainty today that some or all of your personal information will flow offshore.

Is there anything I can do about outsourcing?

Some efforts have been made in state legislatures and Congress to, as a minimum, give notice and get your consent to outsourcing personal data. However, as of this writing, notice and consent are not required. If you are concerned about outsourcing, let your state and federal lawmakers know.

For more about the privacy and data security risks of outsourcing, see:

6. Joint Marketing Agreements - Watering Down Your Opt-Out

What is a "joint marketer"?

A "joint marketer" is a company that contracts with another company to sell you financial services or products. It is standard practice in the financial services industry for companies to enter into marketing agreements with telemarketers or direct mail marketers. Information can be freely shared under such contracts. GLB requires that such contracts be for the purpose of marketing financial products or services. The receiving company must restrict further disclosure of the customer data. The law does not enable you to say "no" to sharing your information under these marketing agreements.

How does joint marketing weaken my opt-out?

Joint marketing agreements are entered into by third-party, non-related companies. But for GLB's joint marketing loophole, you could stop this data sharing by simply opting out. Consider the expansive definition of a financial "service or product" and companies that fall under the "financial institution" heading. As we discussed in Part 2 of this guide, a financial institution is not just companies like banks, brokerage houses, and insurance companies. Travel agents, payday lenders, mortgage brokers and automobile dealers are also "financial institutions." Joint marketing agreements thus open the door for data sharing among an array of third-party nonaffiliated companies.

Can I stop unwanted solicitations that come from joint marketers?

GLB does not give you the right to stop these offers. A few financial companies now offer to let you opt-out from joint marketing solicitations. If so, this choice should be included in the annual privacy notice you receive. PRC Fact Sheet 1(a), Privacy Basics and Opt-Out Strategies, also provides some tips on reducing unwanted solicitations.

7. Affiliate Sharing - Can You Stop It?

What is an "affiliate"?

Large companies often have many separate companies that do business under the corporate "umbrella." Although each company operates separately, it is still under the control of the parent corporation. Your bank's affiliates, for example, might include other financial companies such as a credit card company, a brokerage firm, a mortgage company, an insurance company, or an automobile financing company. Affiliates may also include nonfinancial companies such as auto parts or repair companies. Under GLB, you have no right to opt-out of affiliate sharing no matter what the nature of the affiliate's business is.

If I opt-out, will that give me total control over how my bank (insurance company, broker, etc.) uses my information?

No. Your opt-out will only prevent disclosure to third party nonaffiliates described in Part 4 above. As you can see from the above discussion, your information can still be disclosed in other ways. Nonetheless, exercising even this limited opt-out can stop the flow of your personal information to an unlimited number of marketing databases.

Can I stop my financial company from sharing my personal information with its affiliates?

Under GLB, a company can share your personal information with its affiliates. However, the notice you receive is also likely to explain your right to opt-out under another law, the federal Fair Credit Reporting Act (FCRA). This law gives you the right to prevent a company from sharing information about your "credit worthiness" with affiliates. Your "transaction and experience" information can still be shared with affiliates without your consent, according to the FCRA. As explained above with the example about health-related payments, transaction information can be highly sensitive.

Another opportunity to limit information sharing with affiliates is included in the Fair and Accurate Credit Transactions Act (FACTA), a law that amended the FCRA in 2003. The FACTA affiliate sharing opt-out provision is discussed in Part 10 of PRC Fact Sheet 6a: Facts on FACTA and the Federal Trade Commission's Affiliate Marketing Rule, Final Rule issued in October 2007.

8. Financial Privacy - California Style

California's Financial Information Privacy Act (known as FIPA or SB 1) exists specifically to offer privacy protections that GLB lacks.  (Cal. Financial Code §§ 4050-4060)  FIPA provides more protection than GLB, but it does not prevent financial institutions from sharing your personal information with affiliates.  FIPA originally had a section to provide such a protection but it was struck down in 2008 when a federal court held that the FCRA pre-empts state law when it comes to sharing personal information with affiliates.  American Bankers Association v. Lockyer, 541 F.3d 1213 (9th Cir. 2008).  You can read more about this decision at http://privacylaw.proskauer.com/2008/09/articles/direct-marketing/californias-financial-information-privacy-act-affiliate-sharing-provisions-narrowly-survive-complete-preemption/.

Regardless, FIPA still provides more protection than GLB in several important ways:

  • A financial institution must notify you and obtain your consent to share information with unaffiliated businesses (a business is unaffiliated when it is not under the control of the same company). (Cal. Financial Code § 4052.5)

  • You can opt out of information sharing that results from joint-marketing agreements that a financial institution makes with outside companies to market financial products and services. (Cal. Financial Code § 4053(a)(1))

    There are many types of joint marketing arrangements, but quite often they are with telemarketers or direct-mail marketers. An example of this might be a life or auto insurance company that enters into a joint-marketing agreement with a third-party company to sell long-term care insurance. If you are a customer of the life or auto insurance company, it could share your contact information with the third party and also with a direct-mail marketer to pitch the long term care policy. FIPA lets you opt out of this, but GLB does not.
  • You must receive a standardized, single-page notice from every financial company with which you have a customer relationship. Envelopes that contain privacy notices must be flagged, so you don't discard them as junk mail and lose your opt-out opportunities. (Cal. Financial Code §§ 4051.5(a)(3) and 4053, generally)

    The California-compliant FIPA notice has a check box for affirming that you do not want your information shared with affiliates. However, the notice does not explain the difference between creditworthiness information (also called "consumer report information"), which may not be shared, and "transaction and experience" information, which may be.

    Creditworthiness (consumer report) information may be based on whether you pay your bills on time, how long you have had credit, and the level of debt you can comfortably carry. It may also be based on character, general reputation, personal characteristics, or mode of living. Transactional (and experience) information, in the broadest sense, is data based on your interactions or transactions with businesses, organizations, and websites that create a record of those events, such as a payment record.

If you do not exercise the opt-out rights that GLB and FIPA give you, you relinquish the already limited control you have over personal information collected by financial institutions.  Once the financial institution shares your information, you lose all practical control over where it goes and how it is used.

If you change your mind later, you can call the financial institutions you deal with directly and ask for an 800 number or website where you can declare your opt-out preferences.  Such financial institutions may include banks, brokers, credit card companies, insurers, and less obvious ones like automobile dealers, payday loan companies, collection agencies, and travel agents.

Information that a financial institution has already shared is out of your control.  Even though the burden is on you to opt out, once you do it, you never have to do it again.  Your choice is effective until you cancel it in writing.

9. What You Can Do to Protect Your Privacy

May I sue my financial institution for violating my GLB privacy rights?

GLB does not contain what is called a private right of action. So you cannot go to court and sue for violations of your privacy rights under that statute. However, under some state laws you might be able to claim that the company's violation of GLB violated other rights you have.

You can complain to one of the federal agencies with authority to enforce GLB. These agencies are identified in Part 10 below, along with a description of the financial institutions each oversees. Each agency has enforcement authority under GLB for the financial services it regulates. Enforcement authority means that you can complain to the agency, the agency may investigate your complaint, and it may bring a court action or administrative case against the company. The agency cannot represent you and cannot give you legal advice on your particular complaint.

What are the most important things I can do to protect my financial privacy?

The single most important thing you can do to protect your financial privacy is to carefully read all information that comes from a financial institution. Study the institution's privacy policy. If it causes you concern, return the opt-out notice within the specified time.

Remember, you have only limited ability to prevent a financial services company from sharing your customer data with its affiliated companies and no ability to opt-out of information shared through joint marketing agreements. The privacy provisions of GLB only pertain to unaffiliated third parties. You would not, for example, be able to prevent your bank from sharing your customer data with its affiliated insurance company or brokerage firm.

So, if you are concerned about affiliate sharing and the ability of these "financial supermarkets" to compile extensive dossiers about you, you must take extra care to conduct your banking with one corporation, keep your insurance accounts with another unaffiliated corporation, and your investments with yet another. The same holds true if you are concerned about your information being shared as part of marketing contracts.

In this privacy-conscious marketplace, some financial institutions might differentiate themselves by becoming more "privacy-friendly." Watch for companies that advertise that they do not share your customer data with either affiliates or third parties. And look for companies that give you the choice to take yourself out of marketing programs.

State legislatures and Congress might attempt to strengthen the privacy provisions of the federal GLB Act in the coming years. If you favor stronger financial privacy rights, be sure to contact your state and federal legislators.

Why should I opt-out?

If you are like the many people who have responded to polls, you are concerned about your privacy. Opting out gives you some control over how your personal information is used. Banks and other financial companies may revise and strengthen their privacy policies if enough people show their concern for privacy by opting out.

Where can I go to complain about my financial institution's privacy policy?

As far as we can determine, no federal agency has a specific address for consumers to file privacy complaints. Information about the federal agencies that enforce the privacy and security provisions of GLB is listed in Part 10 below.

10. File a Complaint

Where to Complain - Federal Agencies

Federal Deposit Insurance Corporation (FDIC). The FDIC insures consumer deposits made in banks and savings associations. To ensure financial soundness and compliance with consumer protection rules, the FDIC, often in coordination with other federal banking agencies, conducts examinations of the institutions included within its jurisdiction.

Board of Governors of the Federal Reserve (Federal Reserve). The Federal Reserve is the nation's central bank. It sets monetary policy, regulates bank institutions, and provides financial services to the government and the public.

Office of Comptroller of the Currency (OCC). The OCC is an agency of the U.S. Department of Treasury. This agency charters, regulates and supervises all national banks and federal savings associations, as well as the federal branches of foreign banks.

National Credit Union Administration (NCUA). The NCUA regulates and conducts examinations of federal credit unions, which are nonprofit, cooperative financial institutions owned and run by members.

Securities and Exchange Commission (SEC). The SEC oversees the nation's equity markets. This includes stock exchanges, broker-dealers, associated persons of broker-dealers, and investment advisors.

Commodity Futures Trading Commission (CFTC). The CFTC oversees the nation's commodity futures markets. This includes futures exchanges and the registered companies and individuals engaged in futures and commodity option trading.

Federal Trade Commission (FTC). The FTC investigates consumer protection and consumer fraud matters that are not specifically within the jurisdiction of another federal agency such as the SEC. The FTC's consumer protection jurisdiction includes debt collection, credit reports, lending, telemarketing, credit repair services and much more. To file a complaint with the FTC's Office of Consumer Protection, write, call, or contact the agency online:

To find the address and telephone number of the Insurance Commissioner in your state, write, call, or connect online with the National Association of Insurance Commissioners:

  • NAIC
    2301 McGee Street, Ste 800
    Kansas City, MO 64108-2604
    (816) 842-3600

To report violations of California's Financial Information Privacy Act, contact the appropriate state agency:

  • California Department of Insurance: Regulates the insurance industry in California and enforces both federal and state privacy laws.

    California Department of Insurance
    Consumer Communications Bureau
    300 So. Spring St.
    Los Angeles, CA 90013
    800-927-HELP (927-4357)
    e-mail: 927HELP@insurance.ca.gov

  • California Department of Financial Institutions: Regulates banks, savings associations, credit unions, commercial lending companies, issuers of travelers checks, transmitters of money abroad, and others.

    California Department of Financial Institutions
    Consumer Services
    1810 13th Street
    Sacramento, CA 95814

  • California Department of Corporations: Regulates investment brokers and dealers, investment companies, investment advisors, residential mortgage lenders, and finance lenders.

    California Department of Corporations
    Consumer Services Office
    1515 K Street, Suite 200
    Sacramento, CA 95814
    866-ASK-CORP (275-2677)

  • California Attorney General: Enforces privacy laws on financial service companies not regulated by the state financial regulators.

    California Attorney General's Office
    California Department of Justice
    Attn: Public Inquiry Unit
    P.O. Box 944255
    Sacramento, CA 94244-2550

11. Resources

GLB Privacy Regulations

Government Publications

Privacy Rights Clearinghouse's Financial Privacy Guides


Copyright © Privacy Rights Clearinghouse. This copyrighted document may be copied and distributed for nonprofit, educational purposes only. For distribution, see our copyright and reprint guidelines. The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse.