The Gramm-Leach-Bliley Act

Privacy in the Financial Services Sector

GLBA applies to financial institutions and contains provisions aimed at protecting consumer financial privacy.

To Whom Does GLBA Apply?

GLBA applies to all “financial institutions,” defined broadly to include companies that offer financial products or services to individuals, that collect nonpublic personal information from consumers and customers.

GLBA also applies to “nonaffiliated third parties,” defined broadly to include entities not related to financial institutions by way of ownership or control, but which receive nonpublic personal information from financial institutions. Any such entity is restricted in its reuse and redisclosure of that information to the same extent as the financial institution.

What Information Does GLBA Protect?

GLBA protects “nonpublic personal information,” i.e., nonpublic, “personally identifiable financial information” that a financial institution collects about an individual in connection with providing a financial product or service, as well as certain nonpublic information in list form.

What Is the GLBA Privacy Rule?

The Privacy Rule requires financial institutions to send privacy notices informing consumers and customers of their right to opt out of, or say no to, information sharing with nonaffiliated third parties, subject to exceptions.

The Privacy Rule also requires financial institutions to send customers notice of the institution’s privacy practices and policies.

GLBA’s notice and opt-out requirements are in addition to the obligations imposed by the Fair Credit Reporting Act.

Some states afford consumers greater protection when it comes to sharing information with nonaffiliated third parties by requiring opt-in consent.

The Consumer / Customer Distinction

Only customers are required to receive notice about a financial institution’s privacy policies and practices. Here’s a chart explaining the difference between consumers and customers:

A consumer is an individual who obtains or has obtained a financial product or service from a financial institution for non-commercial reasons. Consumers are supposed to receive “opt-out” notices before information is shared with nonaffiliated third parties. Short-form notices may be used.
A customer is a consumer with a continuing relationship with a financial institution. In addition to “opt-out” notices, customers are supposed to receive privacy notices initially upon becoming a customer, as well as annually.

Privacy Notice Drafting Tips

The model privacy form for use under GLBA can be found here.

Guidance from the Federal Trade Commission on writing effective privacy notices can be found here.

What Is the GLBA Safeguard Rule?

The Safeguard Rule requires covered financial institutions to develop and maintain a written information security program describing how they protect individual information.

What Are the Breach Notice Requirements, If Any?

The Safeguard Rule further requires financial institutions to develop and implement a response program designed to address incidents of unauthorized access to sensitive customer information maintained by the financial institution or its service provider. Regulatory guidance requires that an integral part of that response program include giving notice to federal regulators as soon as possible after becoming aware of the breach or suspicious event.

Notice should also be sent to customers if the organization determines that misuse of its information about a customer has occurred or is reasonably possible. The regulatory guidance and final rule can be found here.