IDC Names Securiti a Worldwide Leader in Data PrivacyView
Owing to various political, economic, and social factors, governments worldwide have begun taking privacy regulations seriously. Within the United States, the Cambridge Analytica fiasco brought users' data privacy into renewed focus, especially since the US lacks a federal data privacy regulation akin to that of the GDPR in the EU or PIPEDA in Canada.
There have long been discussions over a comprehensive federal data privacy regulation. The proposed American Data Privacy and Protection Act (ADPPA) is the most recent example of Congressional attempts to do so.
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, is a federal privacy law that primarily regulates how financial institutions handle their customers' personal information.
Read on to learn more about the specific privacy notification requirements within the GLBA.
In the absence of a federal data privacy regulation, several states in the US, including California, Virginia, Utah, Connecticut, Colorado, Iowa, Indiana, Montana, and Tennessee, have enacted their own data privacy regulations, and many other states are expected to follow them.
However, the lack of a similar data privacy regulation at the federal level does not mean there is no enforcement of privacy measures at all. There are several privacy measures for separate segments, most notably Health Insurance Portability and Accountability Act (HIPAA) for healthcare providers and related entities, Fair Credit Reporting Act for consumer reporting agencies, and the Gramm-Leach-Bliley Act (GLBA) for financial institutions.
At its core, the GLBA requires all financial institutions to ensure their customers are adequately informed of the institutions' information sharing (Notice provisions) and to protect any sensitive customer information (Safeguards rule).
Enacted back in November 1999, the law's financial privacy-related provisions are enforced directly by the Federal Trade Commission and several other government agencies responsible for regulating financial institutions.
The law is relatively simple and straightforward in its application. Businesses that are involved in financial activities such as lending, investing, financial advising, debt collecting, and loan servicing are subject to the GLBA.
As for what information is covered by the GLBA, it protects all non-public personally identifiable financial information on customers related to a financial service or product (NPI).
As mentioned earlier, one of the main requirements of the GLBA is for financial institutions to be transparent about their information-sharing practices to their customers. Additionally, all customers must be appropriately and adequately informed of their right to opt-out of having their information shared with third parties.
Privacy notice requirements under the GLBA depend upon whether the person receiving the notice is a customer of the financial institution providing the notice or merely a consumer and not a customer.
For the purposes of GLBA, a consumer is someone, excluding commercial clients, like sole proprietorships, who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that person's legal representative.
The consumers, non-customers that enter into a short financial transaction relationship with the institution, must be provided with a privacy notice, including an opt-out notice, before the financial institution shares their NPI with a non-affiliated third party. The financial institution may choose to provide a shorter version of the notice to a consumer, which should contain information on how the non-customer can access a full notice if required.
Under the GLBA, customers are a subclass of consumers with a continuing relationship with a financial institution. The nature of the relationship - not how long it lasts - defines whether a person is a customer or a consumer.
In the case of customers, the financial institutions are required to provide a privacy notice, by the time the customer relationship is established, whether they share the NPI of a customer with a non-affiliated third party or not. The financial institution may also provide this notice within a reasonable time after the customer relationship is established if providing notice at the time of the establishment of the customer relationship may lead to a delay in the customer’s transaction.
Further, a financial institution should provide the customers with an opt-out notice if it shares the NPI of a customer with a non-affiliated third party outside of the exception provided under the GLBA.
The financial institution must also provide the customers with an annual privacy notice as long as the customer relationship lasts.
For the purposes of the GLBA, a financial institution must include the following information in its privacy notice, if applicable:
Per the GLBA, the privacy notice must be clear and conspicuous, providing users with adequate resources needed to make an informed decision.
The notice must be provided in both writing and in electronic form, depending on the customer's preference. The written notices may be delivered by mail or by hand, whereas privacy notices must be posted on the financial institution’s website for consumers or customers who conduct their transactions electronically. The customer must acknowledge the receipt of the notice before obtaining the product or service from the institution unless the customer agrees to forego this requirement as mentioned above.
Securiti is a market leader in providing data security, privacy, governance, and compliance solutions.
Privacy teams can maximize Privacy Center to automate any major and minor changes depending on the regulation as promptly as possible.
Sign up for Privacy Center today to automate your Privacy Policies and other data privacy obligations.
At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.
300 Santana Row
San Jose, CA 95128