Owing to various political, economic, and social factors, governments worldwide have begun taking privacy regulations seriously. Within the United States, the Cambridge Analytica fiasco brought users' data privacy into renewed focus, especially since the US lacks a federal data privacy regulation akin to that of the GDPR in the EU or PIPEDA in Canada.
There have long been discussions over a comprehensive federal data privacy regulation. The proposed American Data Privacy and Protection Act (ADPPA) is the most recent example of Congressional attempts to do so.
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, is a federal privacy law that primarily regulates how financial institutions handle their customers' personal information.
Read on to learn more about the specific privacy notification requirements within the GLBA.
What is the Gramm-Leach-Bliley Act?
In the absence of a federal data privacy regulation, several states in the US, including California, Virginia, Utah, Connecticut, Colorado, Iowa, Indiana, Montana, and Tennessee, have enacted their own data privacy regulations, and many other states are expected to follow them.
However, the lack of a similar data privacy regulation at the federal level does not mean there is no enforcement of privacy measures at all. There are several privacy measures for separate segments, most notably Health Insurance Portability and Accountability Act (HIPAA) for healthcare providers and related entities, Fair Credit Reporting Act for consumer reporting agencies, and the Gramm-Leach-Bliley Act (GLBA) for financial institutions.
At its core, the GLBA requires all financial institutions to ensure their customers are adequately informed of the institutions' information sharing (Notice provisions) and to protect any sensitive customer information (Safeguards rule).
Enacted back in November 1999, the law's financial privacy-related provisions are enforced directly by the Federal Trade Commission and several other government agencies responsible for regulating financial institutions.
The law is relatively simple and straightforward in its application. Businesses that are involved in financial activities such as lending, investing, financial advising, debt collecting, and loan servicing are subject to the GLBA.
As for what information is covered by the GLBA, it protects all non-public personally identifiable financial information on customers related to a financial service or product (NPI).
GLBA Privacy Notice Requirements
As mentioned earlier, one of the main requirements of the GLBA is for financial institutions to be transparent about their information-sharing practices to their customers. Additionally, all customers must be appropriately and adequately informed of their right to opt-out of having their information shared with third parties.
Privacy notice requirements under the GLBA depend upon whether the person receiving the notice is a customer of the financial institution providing the notice or merely a consumer and not a customer.
Privacy Notice to a Consumer
For the purposes of GLBA, a consumer is someone, excluding commercial clients, like sole proprietorships, who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that person's legal representative.
The consumers, non-customers that enter into a short financial transaction relationship with the institution, must be provided with a privacy notice, including an opt-out notice, before the financial institution shares their NPI with a non-affiliated third party. The financial institution may choose to provide a shorter version of the notice to a consumer, which should contain information on how the non-customer can access a full notice if required.
Privacy Notice to a Customer
Under the GLBA, customers are a subclass of consumers with a continuing relationship with a financial institution. The nature of the relationship - not how long it lasts - defines whether a person is a customer or a consumer.
In the case of customers, the financial institutions are required to provide a privacy notice, by the time the customer relationship is established, whether they share the NPI of a customer with a non-affiliated third party or not. The financial institution may also provide this notice within a reasonable time after the customer relationship is established if providing notice at the time of the establishment of the customer relationship may lead to a delay in the customer’s transaction.
Further, a financial institution should provide the customers with an opt-out notice if it shares the NPI of a customer with a non-affiliated third party outside of the exception provided under the GLBA.
The financial institution must also provide the customers with an annual privacy notice as long as the customer relationship lasts.
Contents of the Privacy Notice
For the purposes of the GLBA, a financial institution must include the following information in its privacy notice, if applicable:
- Categories of information collected;
- Categories of information disclosed;
- Categories of affiliates and non-affiliated third parties to whom the financial institution discloses the information;
- Categories of information disclosed and to whom under the joint marketing/ service provider exception under the GLBA;
- In case of disclosure of NPI to non-affiliated third parties under the exceptions provided in the GLBA, a statement that the disclosures are made "as permitted by law";
- In case of disclosure of NPI to non-affiliated third parties that does not fall within any exception provided under the GLBA, an explanation of consumers' and customers' right to opt out of such disclosures;
- Any disclosures required by the Fair Credit Reporting Act; and
- The policies and practices of the financial institution with respect to protecting the confidentiality and security of NPI.
Transparency Requirement
Per the GLBA, the privacy notice must be clear and conspicuous, providing users with adequate resources needed to make an informed decision.
Privacy Notice Methods
The notice must be provided in both writing and in electronic form, depending on the customer's preference. The written notices may be delivered by mail or by hand, whereas privacy notices must be posted on the financial institution’s website for consumers or customers who conduct their transactions electronically. The customer must acknowledge the receipt of the notice before obtaining the product or service from the institution unless the customer agrees to forego this requirement as mentioned above.
Here’s How Securiti Can Help
Securiti is a market leader in providing data security, privacy, governance, and compliance solutions.
Securiti Privacy Center is designed to be a consolidated solution that integrates all privacy-related obligations, such as cookie & GPC preferences, DSR requests, Do Not Track signals, and the privacy policy on a single page.
Privacy teams can maximize Privacy Center to automate any major and minor changes depending on the regulation as promptly as possible.
Sign up for Privacy Center today to automate your Privacy Policies and other data privacy obligations.
