/privacy

GLBA Privacy Rule Compliance

Provides guidance on implementing the GLBA Privacy Rule (16 CFR Part 313) requirements for consumer privacy notices and information sharing.

Arguments

• $1 - Focus area (required: all, initial-notice, annual-notice, opt-out, sharing-practices, exceptions)
• $2 - Delivery method (optional: paper, electronic, website)

Privacy Rule Overview

Authority: 16 CFR Part 313 Effective: July 1, 2001 (with amendments) Purpose: Ensure consumers receive clear privacy notices and control over information sharing Enforced by: FTC, banking regulators, SEC, state regulators

Core Requirements

1. Initial Privacy Notice

Requirement: Provide clear, conspicuous privacy notice before establishing customer relationship

Timing:

• At account opening
• Before disclosing nonpublic personal information
• Not later than when relationship established

Content Requirements:

1. Information Collection:

   • Categories of nonpublic personal information collected
   • Sources of information (customer, transactions, third parties)

2. Information Sharing:

   • Categories shared with affiliates
   • Categories shared with nonaffiliated third parties
   • Purpose of sharing

3. Security Practices:

   • Policies and practices to protect information
   • Safeguards implemented

4. Consumer Rights:

   • Right to opt-out of certain sharing
   • How to exercise opt-out rights

5. Contact Information:

   • How to contact institution
   • Customer service contact details

Format Requirements:

• Clear and conspicuous
• Reasonably understandable
• Plain language
• Separate document or prominent part of document

2. Annual Privacy Notice

Requirement: Provide annual privacy notice to customers at least once in 12-month period

Exception: Annual notice NOT required if:

1. Only share with affiliates
2. Only share under GLBA exceptions (service providers, joint marketing)
3. Have not changed privacy policies

Many institutions now exempt from annual notice requirement due to 2015 FAST Act amendments

When Required:

• Share with nonaffiliated third parties beyond exceptions
• Privacy policies have changed

Delivery Timing:

• At least once in any 12-month period
• No requirement to coordinate with account anniversary

3. Revised Privacy Notice

Requirement: Provide revised notice before implementing material changes to privacy policies

Material Changes:

• New categories of information collected
• New categories of affiliates/third parties to whom info disclosed
• New purposes for disclosure
• Changes to opt-out rights
• Changes to security policies

Timing: Reasonable time before implementing change

Opt-Out: New opt-out right required if change affects previous opt-out

4. Opt-Out Rights

Requirement: Allow consumers to opt-out of information sharing with nonaffiliated third parties

When Opt-Out Required:

• Sharing nonpublic personal information with nonaffiliated third parties
• Sharing beyond GLBA exceptions

When Opt-Out NOT Required (Exceptions):

• Sharing with service providers (processing transactions)
• Joint marketing agreements (with customer authorization)
• Sharing as permitted by law
• Sharing with consumer reporting agencies
• Sharing necessary to effect transaction customer requested

Opt-Out Mechanisms:

• Must provide reasonable means to opt-out
• Examples: Check-off box, reply form, toll-free number, online portal
• Must allow opt-out at any time
• Opt-out effective within reasonable time (30 days standard)

Opt-Out Duration:

• Continues until revoked by consumer
• Revocation must be voluntary and clear
• Institution may require periodic reaffirmation (but not mandatory)

Information Categories

Nonpublic Personal Information (NPI)

Definition: Personally identifiable financial information not publicly available

Examples:

• Name, address, SSN, income
• Account numbers and balances
• Transaction history
• Credit scores and reports
• Information from applications
• Information from consumer reports

NOT NPI:

• Publicly available information (phone book, government records)
• De-identified/aggregated data
• Information customer authorizes to be public

Affiliate vs. Nonaffiliated Third Party

Affiliate:

• Company controlled by, controlling, or under common control
• Example: Parent company, subsidiaries, sister companies
• Rule: Can share with affiliates without opt-out (but annual notice may be required under FCRA)

Nonaffiliated Third Party:

• Any entity not affiliated
• Examples: Marketing companies, data brokers, unrelated financial institutions
• Rule: Must provide opt-out unless exception applies

Privacy Notice Delivery Methods

Paper Delivery

Methods:

• Mailed to customer's address
• Hand-delivered at branch/office
• Included with account statements

Advantages:

• Accessible to all customers
• Creates physical record
• Familiar to customers

Disadvantages:

• Printing and mailing costs
• Delivery delays
• Environmental impact

Electronic Delivery

Methods:

• Email (with PDF attachment or link)
• Website posting (with customer acknowledgment)
• Mobile app notification
• Secure messaging portal

E-SIGN Act Requirements:

1. Consumer Consent: Affirmative consent to electronic delivery
2. Demonstration of Access: Consumer demonstrates ability to access electronic records
3. Hardware/Software Requirements: Disclose technical requirements
4. Right to Paper: Consumer can request paper copy
5. Change Notice: Notify if hardware/software requirements change

Advantages:

• Cost-effective
• Immediate delivery
• Eco-friendly
• Easy to update

Disadvantages:

• Requires customer consent
• Technology barriers
• Spam filters may block
• Accessibility concerns

Website Posting

Continuous Access Method: Post privacy notice on public website

Requirements:

• Prominently placed
• Clearly labeled ("Privacy Policy" or "Privacy Notice")
• Easily accessible (typically footer link)
• Available without login

Note: Website posting alone does NOT satisfy delivery requirement; must also provide notice to customer directly

Sharing Practices

Permissible Sharing (No Opt-Out Required)

1. Service Providers and Joint Marketing:

• Sharing with service providers to perform services for institution
• Examples: Data processors, statement printers, payment processors
• Contract Required: Service provider must maintain confidentiality

Joint Marketing: Marketing by institution and nonaffiliated financial institution together

• Agreement Required: Formal joint marketing agreement

2. Exceptions Under Section 313.14/313.15:

• Sharing to process transactions customer requested
• Sharing to maintain or service account
• Sharing to resolve disputes or inquiries
• Sharing to comply with laws, regulations, legal process
• Sharing to prevent fraud
• Sharing with consumer reporting agencies
• Sharing in connection with sale or merger

Restricted Sharing (Opt-Out Required)

Examples:

• Selling customer lists to marketers
• Sharing for third-party marketing purposes
• Providing information to data brokers
• Cross-selling arrangements with nonaffiliates

Opt-Out Requirement: Must provide clear opt-out mechanism and honor consumer choices

Privacy Notice Templates

Model Privacy Form (Appendix A to Part 313)

FTC Provides: Optional model privacy form (safe harbor)

• Use of model form deemed compliant
• Specific format and content prescribed
• Tables for information categories
• Standard disclosures

Benefits:

• Safe harbor compliance
• Consistent consumer experience
• Reduced legal risk

Customization: Institutions can modify but lose safe harbor if deviate significantly

Custom Privacy Notices

Requirements:

• Must include all required content
• Clear and conspicuous
• Reasonably understandable
• Accurate and not misleading

Best Practices:

• Use plain language
• Avoid legal jargon
• Use tables/charts for clarity
• Highlight key information
• Provide examples
• Make opt-out instructions prominent

State Privacy Laws

State Law Interaction

Preemption: GLBA preempts state laws only to extent they are inconsistent Greater Protection: States can require MORE privacy protection, not less

State-Specific Requirements:

• California: CCPA/CPRA additional requirements
• Vermont: Strict opt-in for data broker sharing
• New York: NYDFS cybersecurity and privacy requirements

Multi-State Compliance: Institutions must comply with GLBA AND applicable state laws

Common Compliance Issues

1. Outdated Privacy Notices:

   • Notice doesn't reflect current practices
   • New sharing practices not disclosed
   • Solution: Annual review and update of privacy notice

2. Improper Delivery:

   • Electronic delivery without proper consent
   • Notice not provided at account opening
   • Solution: Implement delivery controls and verification

3. Confusing Opt-Out Process:

   • Opt-out mechanism not clear
   • Website links broken
   • Phone numbers disconnected
   • Solution: Regular testing of opt-out mechanisms

4. Inadequate Notice Content:

   • Missing required disclosures
   • Vague or misleading language
   • Solution: Use model form or legal review

5. Failure to Honor Opt-Out:

   • Continuing to share after opt-out
   • System errors
   • Solution: Opt-out tracking system, compliance audits

6. Service Provider Oversight:

   • No confidentiality contracts
   • Inadequate vendor monitoring
   • Solution: Standardized service provider agreements with privacy clauses

FTC Enforcement Examples

Recent Actions:

• Credit Karma (2022): $3M penalty for deceptive pre-approved claims and privacy violations
• CafePress (2021): Data breach, inadequate security, misleading privacy claims
• PayPal (2018): Venmo privacy settings misleading
• TaxSlayer (2017): Data breach, inadequate security despite privacy promises

Common Violations:

• Misleading privacy statements
• Failure to implement stated privacy practices
• Inadequate security despite privacy promises
• Deceptive opt-out processes

Privacy and Security Intersection

Privacy Rule + Safeguards Rule:

• Privacy Rule: What you SAY about information practices
• Safeguards Rule: What you DO to protect information
• Consistency Required: Privacy statements must match actual security practices

Example Violations:

• Privacy notice says "we encrypt your data" but encryption not implemented
• Privacy notice says "we limit access" but no access controls in place
• Consequence: FTC deception charges + Safeguards Rule violations

Examples

# Complete Privacy Rule compliance guidance
/glba:privacy all

# Initial privacy notice requirements
/glba:privacy initial-notice

# Annual privacy notice determination
/glba:privacy annual-notice electronic

# Opt-out mechanism implementation
/glba:privacy opt-out

# Information sharing practices review
/glba:privacy sharing-practices

# Exceptions to opt-out requirements
/glba:privacy exceptions

Checklist for Compliance

• Initial privacy notice provided at account opening
• Privacy notice includes all required content elements
• Annual notice provided (if required based on sharing practices)
• Opt-out mechanism available and functional
• Opt-out requests tracked and honored
• Service provider contracts include confidentiality requirements
• Privacy notice reviewed and updated annually
• Electronic delivery has proper E-SIGN consent
• Website privacy policy is current and accessible
• Privacy practices match Safeguards Rule implementation
• State-specific privacy requirements addressed
• Staff trained on privacy requirements
• Privacy compliance audited periodically