Fact Sheet 24:
Protecting Financial Privacy:
The Burden Is on You
Send to Printer
Privacy Rights Clearinghouse
The Gramm-Leach-Bliley Act (GLB) financial privacy rule (15 U.S.C. §§ 6801-6809) requires your financial institution to provide you with a privacy notice that describes three things:
- Right to Opt-Out: Your financial institution must explain your ability to prevent the sharing of your customer data with third parties.
- Safeguards: Financial institutions are required to develop policies to prevent unauthorized access to confidential financial information. These policies must be disclosed to you.
GLB gives you the right to opt-out of certain types of information sharing. The default for the opt-out approach is that your data is shared until and unless you notify the company otherwise by opting out.
Financial institutions are generally required to provide an initial notice of these policies, and then an annual notice to customers every year that the relationship continues.
Which financial institutions must provide me with a privacy notice?
You should receive a privacy notice from any companies that offer financial products or services to individuals. This includes your bank, credit card issuers, payday loan companies, collection agencies, mortgage brokers, and insurance companies.
What are model privacy notices?
Most financial institutions use a model privacy notice. The model notice is a two-page disclosure form designed to allow consumers to easily compare the privacy practices of different financial institutions. Use of the model privacy form is voluntary. However, a financial institution must use one of the model privacy notices if it delivers its privacy notice online rather than by postal mail.
A financial institution that properly uses the model privacy notice will be in compliance with the disclosure requirements for privacy notices under the GLB and obtains a "safe harbor" for federal regulatory requirements for privacy notices.
Will the privacy notice say exactly what information about me can be disclosed?
You will get notice of the categories of information the financial institution collects and the categories of information that may be sold or shared with a third party. The privacy notice must give you specific examples of each category, but this is by no means a complete list of the data that may be disclosed.
My bank's privacy notice does not give me an opt-out. Am I missing something?
Do I have only one chance to opt-out?
If you are a customer with a continuing relationship with the company, your right to opt-out is continuing. If you fail to opt-out, your financial institution may sell or share your personal data after a "reasonable" time. If you later decide you want to keep your financial institution from disclosing your personal data, you always have the right to opt-out. It goes without saying, however, that information that is disclosed before you opt-out is already "out there." You can't bring it back.
Once you opt-out, you do not have to respond to any future privacy notices that you may receive for that account. Your opt out choice remains in effect until you change it.
What about closed accounts?
Financial institutions are not required to send you an opt-out notice if your account is closed. However, if you have an existing account and have already opted out, your opt-out election would continue even after you closed the account.
Where does a financial institution get its information?
The privacy notice must tell you this. A financial institution may receive information directly from you, for example, when you fill out an application for a new account. Information about you may also be compiled based upon records of your transactions with that company, its affiliates, and other sources. This may include information about how you use your credit card, your account balances, late payments, what you buy, and where you shop.
What kinds of companies can get my personal information?
The privacy notice you receive from financial institutions does not have to tell you the names of any specific companies or organizations that may buy or receive your personal information. Only the categories of companies have to be disclosed to you.
The relationship between your company and the company that receives your information determines if you have a right to opt-out, that is to stop the information flow. These relationships are: (1) nonaffiliated third party (outside company), (2) affiliated company, or (3) joint marketer or service provider. GLB only gives you the right to opt-out when it comes to third-party, nonaffiliated companies.
When your information is disclosed under a contract between your company and another company to sell you financial products, this is called a "joint marketing agreement." You have no right to know any details about these joint marketing agreements, and you have no say in information flow under these contracts.
What is a third party nonaffiliate?
It means a company that is not owned or controlled by the company you're doing business with. For example, your bank's privacy notice may say it shares your personal information with third party nonaffiliates. The notice may go on to identify one such category as "financial services providers." An example could be an insurance company that is not affiliated with your bank.
Other categories of nonaffiliated companies that could receive your information might be identified in the privacy notice as "non-financial service providers" such as retailers, direct marketers, telemarketers, or "other companies" like nonprofit organizations. Remember, if the company sells customer data to third party nonaffiliates, it must give you the right to opt-out.
What is an affiliate?
Large companies often have many separate companies that do business under the corporate umbrella. Although each company operates separately, it is still under the control of the parent corporation. Your bank's affiliates, for example, might include other financial companies such as a credit card company, a brokerage firm, a mortgage company, an insurance company, or an automobile financing company. Affiliates may also include nonfinancial companies such as auto parts or repair companies.
Can I stop my financial company from sharing my personal information with its affiliates?
Under GLB, a company can share your personal information with its affiliates. However, the notice you receive is also likely to explain your right to opt-out under another law, the federal Fair Credit Reporting Act (FCRA). This law gives you the right to prevent a company from sharing information about your "creditworthiness" with affiliates. This includes information such as the amount and source of your income, your debt level, and your history of paying bills on time.
Your "transaction and experience" information can still be shared with affiliates without your consent. This information encompasses account activity like deposits, withdrawals, debits, and credits. Also included in this category are specifics such as what you buy, where you buy it, and how much you pay. This is valuable information, particularly when a company wants to sell you every variety of its financial products.
Another opportunity to limit information sharing with affiliates is included in the Fair and Accurate Credit Transaction Act (FACTA). The FACTA affiliate sharing opt out provision is discussed in the Federal Trade Commission's Affiliate Marketing Rule, Final Rule. This rule generally prohibits using certain information received from an affiliate to make a solicitation to a consumer about the person’s products or services, unless the consumer is given notice and a reasonable opportunity and a reasonable and simple method to opt out of the making of such solicitations, and the consumer does not opt out.
What is a joint marketer?
A joint marketer is a company that contracts with another company to sell you financial services or products. It is standard practice in the financial services industry for companies to enter into marketing agreements with telemarketers or direct mail marketers. Information can be freely shared under such contracts. GLB requires that such contracts be for the purpose of marketing financial products or services. The receiving company must restrict further disclosure of the customer data. The law does not enable you to say "no" to sharing your information under these marketing agreements.
How does joint marketing weaken my opt-out?
Joint marketing agreements are entered into by third-party, non-related companies. But for GLB's joint marketing loophole, you could stop this data sharing by simply opting out. Consider the expansive definition of a financial "service or product" and companies that fall under the "financial institution" heading. A financial institution is not just companies like banks, brokerage houses, and insurance companies. Payday lenders, mortgage brokers and automobile dealers are also "financial institutions." Joint marketing agreements thus open the door for data sharing among an array of third-party nonaffiliated companies.
Can I stop unwanted solicitations that come from joint marketers?
GLB does not give you the right to stop these offers. A few financial companies now offer to let you opt-out from joint marketing solicitations. If so, this choice should be included in the privacy notice you receive.
GLB gives you no control or right to opt-out when your financial institution shares your information with service providers. A "service provider" is a company that contracts with your bank to service your account or process your transactions. Many financial institutions contract with other companies to perform some service, such as printing or mailing statements.
Personal data necessary to perform accounting functions, operate customer call centers, and process transactions are now routinely sent offshore. Personal data at stake includes any information you would give your bank. For example, your name, Social Security number, and account numbers are all data items needed to "service" your account.
What can I do if outsourcing results in identity theft?
It is unlikely that you will even be able to trace the source of the fraud. Most victims can't. Even if you can trace the source to a foreign "service provider," you have little recourse. GLB does not give you the right to sue, even an American company, for privacy or data security violations. Even federal financial agencies, with the authority to enforce GLB, will probably not have standing in foreign countries.
Will the privacy notice at least tell me if my bank outsources services?
Very unlikely. But, if you are dealing with a large financial corporation it is a near certainty today that some or all of your personal information will flow offshore.
California's Financial Information Privacy Act (known as FIPA or SB 1) (Cal. Financial Code §§ 4050-4060) exists specifically to offer privacy protections that GLB lacks. FIPA provides more protection than GLB, but it does not prevent financial institutions from sharing your personal information with affiliates. FIPA originally had a section to provide such a protection but it was struck down in 2008 when a federal court held that the FCRA pre-empts state law when it comes to sharing personal information with affiliates. American Bankers Association v. Lockyer, 541 F.3d 1213 (9th Cir. 2008).
Regardless, FIPA still provides more protection than GLB:
- A financial institution must notify you and obtain your consent to share information with unaffiliated businesses (a business is unaffiliated when it is not under the control of the same company). (Cal. Financial Code § 4052.5)
- You can opt out of information sharing that results from joint-marketing agreements that a financial institution makes with outside companies to market financial products and services. (Cal. Financial Code § 4053(a)(1))
Where to Complain:
To report violations of the federal Gramm-Leach-Bliley Act:
Consumer Financial Protection Bureau
(855) 411-CFPB (2372)
To report violations of California's Financial Information Privacy Act, contact the appropriate state agency:
- California Department of Insurance regulates the insurance industry in California and enforces both federal and state privacy laws. Phone: 800-927-HELP (927-4357)
- California Department of Financial Institutions regulates banks, savings associations, credit unions, commercial lending companies, issuers of travelers check, transmitters of money abroad and others. Phone: 800-622-0620
- Gramm-Leach-Bliley Act (GLB), 15 U.S.C. §§6801-6810
- Fair Credit Reporting Act (FCRA), 15 U.S.C §1681 et. seq.
- California Financial Information Privacy Act, CA Financial Code §§4050-4060
- The FTC has published numerous guides on GLB for consumers and businesses.
- California residents can read Your Financial Privacy Rights, by the California Department of Justice’s Privacy Enforcement and Protection Unit
Privacy Rights Clearinghouse's Other Financial Privacy Guides
Browse Privacy Topics
Background Checks & Workplace
Banking & Finance
Credit & Credit Reports
Harassment & Stalking
Identity Theft & Data Breaches
Online Privacy & Technology
Privacy When You Shop
Public Records & Info Brokers
Social Security Numbers
Who We Are
We are a nationally recognized consumer education and advocacy nonprofit dedicated to protecting the privacy of American consumers.