GLBA Privacy Notice Requirements
As mentioned earlier, one of the main requirements of the GLBA is for financial institutions to be transparent about their information-sharing practices to their customers. Additionally, all customers must be appropriately and adequately informed of their right to opt-out of having their information shared with third parties.
Privacy notice requirements under the GLBA depend upon whether the person receiving the notice is a customer of the financial institution providing the notice or merely a consumer and not a customer.
Privacy Notice to a Consumer
For the purposes of GLBA, a consumer is someone, excluding commercial clients, like sole proprietorships, who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that person's legal representative.
The consumers, non-customers that enter into a short financial transaction relationship with the institution, must be provided with a privacy notice, including an opt-out notice, before the financial institution shares their NPI with a non-affiliated third party. The financial institution may choose to provide a shorter version of the notice to a consumer, which should contain information on how the non-customer can access a full notice if required.
Privacy Notice to a Customer
Under the GLBA, customers are a subclass of consumers with a continuing relationship with a financial institution. The nature of the relationship - not how long it lasts - defines whether a person is a customer or a consumer.
In the case of customers, the financial institutions are required to provide a privacy notice, by the time the customer relationship is established, whether they share the NPI of a customer with a non-affiliated third party or not. The financial institution may also provide this notice within a reasonable time after the customer relationship is established if providing notice at the time of the establishment of the customer relationship may lead to a delay in the customer’s transaction.
Further, a financial institution should provide the customers with an opt-out notice if it shares the NPI of a customer with a non-affiliated third party outside of the exception provided under the GLBA.
The financial institution must also provide the customers with an annual privacy notice as long as the customer relationship lasts.
Contents of the Privacy Notice
For the purposes of the GLBA, a financial institution must include the following information in its privacy notice, if applicable:
- Categories of information collected;
- Categories of information disclosed;
- Categories of affiliates and non-affiliated third parties to whom the financial institution discloses the information;
- Categories of information disclosed and to whom under the joint marketing/ service provider exception under the GLBA;
- In case of disclosure of NPI to non-affiliated third parties under the exceptions provided in the GLBA, a statement that the disclosures are made "as permitted by law";
- In case of disclosure of NPI to non-affiliated third parties that does not fall within any exception provided under the GLBA, an explanation of consumers' and customers' right to opt out of such disclosures;
- Any disclosures required by the Fair Credit Reporting Act; and
- The policies and practices of the financial institution with respect to protecting the confidentiality and security of NPI.
Transparency Requirement
Per the GLBA, the privacy notice must be clear and conspicuous, providing users with adequate resources needed to make an informed decision.
Privacy Notice Methods
The notice must be provided in both writing and in electronic form, depending on the customer's preference. The written notices may be delivered by mail or by hand, whereas privacy notices must be posted on the financial institution’s website for consumers or customers who conduct their transactions electronically. The customer must acknowledge the receipt of the notice before obtaining the product or service from the institution unless the customer agrees to forego this requirement as mentioned above.
Here’s How Securiti Can Help
Securiti is a market leader in providing data security, privacy, governance, and compliance solutions.
Securiti Privacy Center is designed to be a consolidated solution that integrates all privacy-related obligations, such as cookie & GPC preferences, DSR requests, Do Not Track signals, and the privacy policy on a single page.
Privacy teams can maximize Privacy Center to automate any major and minor changes depending on the regulation as promptly as possible.
Sign up for Privacy Center today to automate your Privacy Policies and other data privacy obligations.
