The Gramm-Leach-Bliley Act (GLBA) includes provisions designed to address concerns over how consumer data would be collected, used, and shared among financial institutions. The GLBA’s privacy provisions mandate privacy notices and place limitations on the sharing of nonpublic personal information (NPI), defined as “personally identifiable financial information (i) provided by a consumer to a financial institution, (ii) resulting from a transaction or any service performed for the consumer, or (iii) otherwise obtained by the financial institution.”1 The financial institutions subject to the GLBA encompass any entities that are “significantly engaged” in financial activities, including banks, insurance providers, securities firms, mortgage lenders, and others.2 The GLBA’s privacy protections generally apply to consumers, i.e., individuals who obtain financial products or services from a financial institution primarily for personal, family, or household purposes, while some requirements apply to customers, i.e., consumers with whom the organization has an ongoing relationship.3
The GLBA privacy rules, as enforced by the various regulators, generally require:
- Clear and conspicuous notice of the financial institution’s information-sharing policies and practices, including what information it collects and with whom it shares the information. Covered institutions may use a model privacy form published by regulators as a safe harbor. The privacy notice must be provided when a customer relationship is established, and annually thereafter unless the financial institution does not engage in any sharing for which customers have the opportunity to opt out and there have been no changes in policy or practice since the previous privacy notice.4
- Providing customers the right to opt out of having their nonpublic personal information shared with nonaffiliated third parties, subject to a number of significant exceptions, including for joint marketing, processing consumer transactions, and service providers. Financial institutions must process opt-outs within 30 days.5
- Refraining from disclosing account numbers or similar forms of access codes to any nonaffiliated third parties for marketing purposes, with certain narrow exceptions, such as for joint marketing arrangements.6
1 15 USC § 6809(4).
2 Id. § 6809(3).
3 Id. § 6809(9).
4 Id. § 6803.
5 Id. § 6802; see also 17 CFR § 248.124.
6 15 USC § 6802(d).