The Gramm-Leach-Bliley Act (GLBA) includes provisions designed to address concerns over how consumer data would be collected, used, and shared among financial institutions. The GLBA’s privacy provisions mandate privacy notices and place limitations on the sharing of nonpublic personal information (NPI), defined as “personally identifiable financial information (i) provided by a consumer to a financial institution, (ii) resulting from a transaction or any service performed for the consumer, or (iii) otherwise obtained by the financial institution.”1 The financial institutions subject to the GLBA encompass any entities that are significantly engaged in financial activities, including banks, insurance providers, securities firms, mortgage lenders, and others.2 The GLBA’s privacy protections generally apply to consumers, i.e., individuals who obtain financial products or services from a financial institution primarily for personal, family, or household purposes, while some requirements apply to customers, i.e., consumers with whom the organization has an ongoing relationship.3
The GLBA privacy rules, as enforced by the various regulators, generally require:
- Clear and conspicuous notice of the financial institution’s information-sharing policies and practices, including what information it collects and with whom it shares the information. Covered institutions may use a model privacy form published by regulators as a safe harbor. The privacy notice must be provided when a customer relationship is established, and annually thereafter unless the financial institution does not engage in any sharing for which customers have the opportunity to opt out and there have been no changes in policy or practice since the previous privacy notice.4
- Providing customers the right to opt out of having their nonpublic personal information shared with nonaffiliated third parties, subject to a number of significant exceptions, including for joint marketing, processing consumer transactions, and service providers. Financial institutions must process opt-outs within 30 days.5
- Refraining from disclosing account numbers or similar forms of access codes to any nonaffiliated third parties for marketing purposes, with certain narrow exceptions, such as for joint marketing arrangements.6
1 15 USC § 6809(4).
2 Id. § 6809(3).
3 Id. § 6809(9).
4 Id. § 6803.
5 Id. § 6802; see also 17 CFR § 248.124.
6 15 USC § 6802(d).