Final Rule: Privacy of Consumer Financial Information
The Office of the Comptroller of the Currency, the Federal Reserve Board, the Federal Deposit Insurance Corporation and the Office of Thrift Supervision have issued an interagency final regulation (final rule) to implement provisions of the Gramm-Leach-Bliley Act (GLBA) that protect the privacy of consumers’ nonpublic personal information. The final rule is the product of an interagency working group and similar final rules are being issued by the Federal Trade Commission, Securities and Exchange Commission, and the NCUA.
A. Nonpublic personal information
The final rule implements the requirements of the GLBA that banks (and other types of "financial institutions," including securities firms, insurance agents and insurance underwriters) notify consumers about their privacy policies and provide consumers with an opportunity to opt out of information sharing between the bank and certain nonaffiliated third parties.
The notice requirement and opt out right pertain to "nonpublic personal information" about consumers. Nonpublic personal information is, generally speaking, "personally identifiable financial information" that is not "publicly available."
The final rule treats any information as "personally identifiable financial information" if the information is provided by a consumer in order to obtain a financial product or service, results from a transaction with a bank involving a financial product or service, or is otherwise obtained by the bank in connection with providing a financial product or service to the consumer.
The final rule excludes from the definition of "nonpublic personal information" information that is "publicly available." Information will be treated as publicly available if a bank has a "reasonable basis" to believe that the information is lawfully made available to the general public from government records, widely distributed media, or disclosures required by law. A bank may not assume that a consumer’s information is publicly available, but must determine that the information is of the type that is available to the general public and whether an individual can direct that the information not be publicly available (for example, an unlisted telephone number). If an individual can take steps to prevent information from being made publicly available, a bank must determine whether the consumer has done so.
Under the final rule, information obtained over the Internet will be considered publicly available if it is lawfully made available on a site that is accessible to the general public on an unrestricted basis. A Web site is not restricted merely because an Internet service provider or a Web site operator requires a fee or a password so long as access is available to the general public. A site, such as a "look up" service, that makes available personal information (that may combine publicly available and confidential information on a particular individual) compiled in response to a specific request, is not available to the general public on an unrestricted basis.
Publicly available information is, however, treated as "nonpublic personal information" when the information is included on a list, description, or other grouping of consumers that is derived from personally identifiable financial information that is not publicly available. For example, if a bank provides a list of its depositors, the final rule would cover all the information on the list (including publicly available information such as names and addresses) because the list and information would be derived from account numbers or the existence of the customer relationship, both of which are personally identifiable financial information that is not publicly available.
B. Distinction between "consumer" and "customer"
Under the GLBA, all customers are consumers, but not all consumers are customers. A bank must give to a customer, at the time of establishing the customer relationship and annually thereafter, a notice informing the customer of the bank’s privacy policies and practices. The bank must also give the privacy notice to a consumer along with a notice of the right to opt out of sharing nonpublic personal information with non-affiliates (opt out notice), before the bank discloses the information to a nonaffiliated third party. In other words, consumers who are not customers get the privacy and opt out notices only if their bank wants to share their nonpublic personal information with certain nonaffiliated third parties.
A consumer is anyone who obtains from a bank any financial product or service that is to be used primarily for personal, family, or household purposes. A financial service includes a bank’s evaluation of an application for a financial product or service from the bank. Thus, an individual who submits an application will be considered a consumer even if the application is denied.
A customer, by contrast, is defined as any consumer who has a "customer relationship" with the bank. A "customer relationship," in turn, is defined as a continuing relationship between a bank and a consumer for the purpose of providing a financial product or service to the consumer. This would include a deposit, credit, or investment account. A one-time transaction may come within the definition, such as the purchase of an insurance policy, because of the ongoing nature of the product. On the other hand, use (including repeated use) of an automated teller machine of a bank at which a consumer has no account would not create a "customer relationship."
C. Time of establishing a customer relationship
The final rule provides that a customer relationship is established at the time a bank and a consumer enter into a continuing relationship. This allows a bank to provide the privacy notice at the same time it is required to give other notices, such as those required under the Truth-in-Lending Act.
In general, for customer relationships that are contractual in nature, a customer relationship is established when a consumer executes the contract that is necessary to conduct the transaction in question. For transactions that do not involve contracts, a customer relationship is established when the consumer pays or agrees to pay a fee or commission for the product or service.
D. Time by which the privacy notices must be provided
1. Initial privacy notice
The GLBA provides that the initial privacy notice must be provided "at the time of establishing a customer relationship." The final rule requires a bank to provide the initial privacy notice not later than when the bank and a consumer establish a customer relationship, e.g., before a consumer enters into a binding contract. In the case of a mortgage loan, for instance, the relationship would be established at the time a consumer executes the loan documents. For credit card accounts, the relationship is established at the time the consumer opens the account.
The final rule also requires a bank to provide the initial privacy notice to a consumer prior to sharing nonpublic personal information about the consumer with nonaffiliated third parties. For example, if a bank wants to disclose information it collects about an individual who uses the bank’s ATM but otherwise has no relationship with the bank, the bank would have to provide the initial privacy notice as part of the ATM transaction.
2. Annual notices
The final rule requires a bank to provide its customers with a copy of the privacy notice at least once during any twelve-month period. The obligation ceases when a customer no longer has a continuing relationship with the bank. The final rule provides several examples of how a customer relationship may terminate, such as when there has been no communication between the bank and the customer for twelve months.
3. Opt out notices
A bank must provide an opt out notice to a consumer before sharing nonpublic personal information about the consumer with nonaffiliated third parties. The notice must inform the consumer that the bank may disclose this information and that the consumer has the right to direct that the information not be shared with nonaffiliated third parties. The notice must either provide a reasonable means of opting out (such as a detachable reply form or a toll-free telephone number), or inform the consumer of some other reasonable means of opting out (such as designating an electronic mail address if the consumer agrees to electronic delivery of the notice). It would not be a reasonable means of opting out, on the other hand, if the customer must write his or her own letter to opt out, or if the only means of opting out is a check-off box that was only provided with the initial privacy notice received by the customer.
The bank need not provide opt out notices if the bank does not intend to share nonpublic personal information with nonaffiliated third parties.
E. Content of disclosures
1. Initial and annual privacy notices
The final rule requires the following specific types of information to be set out in a bank’s initial and annual privacy notices. However, a bank may provide to consumers who are not customers a "short form" initial notice together with an opt out notice stating that the bank’s privacy notice is available upon request and explaining a reasonable means for the consumer to obtain it.
Categories of information a bank may collect. A bank’s notice must disclose the categories of nonpublic personal information that it collects. This requirement may be satisfied if the bank categorizes the information according to the sources of the information, such as information from consumers, transaction information, and credit report information.
Categories of information a bank may disclose. The bank’s notice also must identify the categories of nonpublic personal information that a bank may disclose -- either to affiliates or nonaffiliated third parties. A bank may categorize this information according to its source and provide illustrative examples of the content of the information. For example, a bank’s notice may state that it discloses application information (such as name, address, social security number, assets and income), transaction information (such as account balance, payment history, parties to transactions, and credit card usage), and information from a consumer reporting agency (such as creditworthiness and credit history). If the bank does not intend to make any disclosures, or only disclosures that are exempt, it may simply state that.
Categories of parties to whom a bank may disclose. The notice also must disclose the categories of parties -- both affiliated and nonaffiliated -- to whom the bank discloses or intends to disclose nonpublic personal information about consumers. The bank may satisfy this requirement if it identifies the types of businesses in which those affiliates and non-affiliates engage. For example, a bank could state that it discloses information to a company offering financial products or services and then provide illustrative examples of the types of business of those companies.
Information about former customers. The bank’s initial and annual privacy notices must indicate the bank’s policies with respect to disclosing nonpublic personal information about persons who have ceased to be customers of the bank.
Information disclosed to service providers and joint marketers. The GLBA permits a bank to disclose nonpublic personal information about a consumer to a nonaffiliated third party for the purpose of the third party performing services for the bank, including marketing the bank’s own products or those offered jointly by the bank and another financial institution. The consumer has no right to opt out of this type of disclosure, but the bank must inform consumers that it will be disclosing this type of information. The rule requires that if a bank discloses nonpublic personal information to a nonaffiliated third party pursuant to this exception, the bank must include in its privacy notices a separate description of the categories of information that are disclosed and the categories of third parties providing the services.
Right to opt out. The bank’s initial and annual privacy notices must inform the bank’s customers of their right to opt out and explain the methods by which they can opt out. The notices may either provide the full set of opt out disclosures, or refer the customer to the bank’s opt out notice.
Disclosures required under the Fair Credit Reporting Act. A bank’s initial and annual notices also must include the opt out disclosures required under the Fair Credit Reporting Act, with respect to certain information proposed to be shared with affiliates of the bank.
Disclosures regarding confidentiality and security of information. The bank’s privacy notices also must disclose its policies with respect to protecting the confidentiality and security of nonpublic personal information. The information need not be technical in nature, but should address who has access to the information, and whether the bank has security practices and procedures in place to maintain the confidentiality of consumer information.
2. Opt out notices
A bank must inform a consumer if the bank intends to disclose nonpublic personal information about the consumer to certain nonaffiliated third parties. The final rule provides that an opt out notice would be adequate if it identifies all of the categories of nonpublic personal information that the bank discloses to nonaffiliated third parties as described in the bank’s initial and annual privacy notices, and states that the consumer can opt out of the disclosure of the information.
F. Standards governing delivery and clarity of notices
The final rule requires privacy and opt out notices to be reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice. The final rule also requires that the notices accurately reflect the bank’s privacy practices. This requirement that disclosures be accurate enables the banking agencies to evaluate whether a bank is actually complying with its stated privacy policies, and take appropriate action if it is not.
Notices must be provided so that each recipient can reasonably be expected to receive actual notice. Notices may be delivered in writing, or if the consumer agrees, electronically. A consumer must have the ability to retain an electronic notice or access it at a later time. Examples of acceptable delivery include mailing a copy to the consumer’s last known address, or sending it via electronic mail to a consumer who obtains a financial product or service from the bank electronically. It is not sufficient for a bank to post a copy of its privacy notices in a lobby, nor is it sufficient to provide an initial privacy notice only on a Web page unless the consumer is required to acknowledge receipt of the notice as a necessary step to obtaining the product or service in question. A bank may satisfy the annual notice requirement by posting the privacy notice on a transaction page on its Web site for customers who use the bank’s Web site to access financial products or services and who agree to receive notices at the site.
G. Reasonable opportunity to opt out
The final rule requires that a consumer have a reasonable opportunity to opt out before a bank discloses nonpublic personal information to nonaffiliated third parties. An example of a reasonable opportunity to opt out is 30 days from the date a notice is mailed to a consumer. The final rule does not, however, mandate a specific waiting period before a bank may disclose nonpublic personal information to third parties. Instead, the examples in the rule indicate that "reasonableness" depends on the circumstances. Regardless of the length of time a bank waits before sharing that information, a consumer may always opt out of the information sharing at any time.
H. Limits on re-disclosure and reuse of information
The final rule limits a nonaffiliated third party’s use and disclosure of the nonpublic personal information it receives from a financial institution. When a nonaffiliated third party receives information under an exception (discussed below under the heading "Section 502(e) exceptions"), the third party may only use the information and disclose it to carry out the
1. Service providers and joint marketers
As previously noted, the GLBA permits a bank to disclose nonpublic personal information about a consumer to a nonaffiliated third party for the purpose of the third party performing services for the bank, including marketing products offered jointly by the bank and another financial institution. A consumer has no right to opt out of this disclosure, but the bank must satisfy certain requirements in order to qualify for this exception. First, before the information is shared, the bank must disclose to the consumer that it will provide this information to the nonaffiliated third party. Second, the bank must enter into a contract with the third party that requires the third party to maintain the confidentiality of the information.
The final rule requires that the contract generally prohibit the third party from disclosing or using the information other than to carry out the purposes for which the information was disclosed. The final rule does not impose additional conditions for the availability of this exception beyond those indicated in the statute.
2. "Section 502(e) exceptions"
Section 502(e) of GLBA lists several exceptions to the requirements that would otherwise apply in connection with disclosure of nonpublic personal information to nonaffiliated third parties. These exceptions are generally intended to permit a bank to continue sharing information as needed to conduct routine business transactions, such as disclosures made in connection with administration, processing, servicing, or sale of a consumer’s account. When a bank shares information under any of these "502(e) exceptions," it need not provide a consumer a privacy notice or opportunity to opt out of the information sharing.
3. Disclosures of account numbers for marketing purposes
The final rule restates the statutory prohibition against a bank disclosing, other than to a consumer reporting agency, an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account of a consumer, to any nonaffiliated party for use in telemarketing, direct mail marketing, or other marketing to the consumer through electronic mail.
The final rule provides two exceptions to this prohibition and further clarifies its scope. A bank may provide an account number to an agent or service provider to market solely the bank’s own products or services, provided the bank does not authorize the agent or service provider to initiate charges to a consumer’s account. A bank may also disclose a consumer’s account number to a participant in a private label credit card program or an affinity program where the participants are identified to the consumer.
An account number that is encrypted, where the bank does not provide the key to decode the number, is not considered an account number for purposes of the prohibition. The final rule also provides that a transaction account does not include an account to which third parties cannot initiate charges.
J. Effective date and transition rule
The final rule provides for an effective date of November 13, 2000, and states that the time for compliance is extended until July 1, 2001. Thus, by July 1, 2001, banks must have provided an initial privacy notice to existing customers as well as an opportunity for them to opt out, and must have established a system for providing initial notices to new customers.
K. Effect of State laws
Consistent with the GLBA, the final rule provides that the regulation does not preempt State laws that provide greater consumer protection than is provided under the GLBA privacy provisions. Determinations of whether a particular State law provides greater protection are made by the Federal Trade Commission. (It should be noted, however, that the Fair Credit Reporting Act preempts State laws pertaining to information sharing among affiliated parties, until 2004.)