Fact Sheet 24:
Protecting Financial Privacy:
The Burden Is on You
Send to Printer
Privacy Rights Clearinghouse
- Annual Privacy Notices
- Information Flow - How Data Comes and Goes
- Outsourcing - The "Service Provider" Loophole
- Joint Marketing Agreements - Watering Down Your Opt-Out
- Affiliate Sharing - Can You Stop It?
- Financial Privacy in California
- What You Can Do to Protect Your Privacy
- File a Complaint
The Gramm-Leach-Bliley Act (GLB) (also known as the Financial Services Modernization Act) provides you some minimal rights to protect your financial privacy. However, the burden is on you to assert your rights.
GLB's financial privacy rule (15 U.S.C.§§ 6801-6809) requires your financial institution to provide you with an annual privacy notice that describes three things:
- Right to Opt-Out: Your financial institution must explain your ability to prevent the sale of your customer data to third parties.
- Safeguards: Financial institutions are required to develop policies to prevent unauthorized access to confidential financial information. These policies must be disclosed to you.
GLB does not give you a great deal of control over your financial privacy. It only gives you the right to opt-out of certain types of information sharing. "Opt-out" is contrary to the "opt-in" approach preferred by most consumer and privacy advocates. With opt-out, you give your implied consent by failing to respond to the privacy notice sent to you by your financial company. So, if you say nothing, it means "yes, you can share my data." The default for the opt-out approach is that your data is shared until and unless you notify the company otherwise.
When will I receive a privacy notice?
GLB's financial privacy rule requires that financial institutions provide consumers with privacy notices describing their privacy policies. Financial institutions are generally required to provide an initial notice of these policies, and then an annual notice to customers every year that the relationship continues. These notices describe whether and how the financial institution shares consumers’ nonpublic personal information,including personally identifiable financial information with other entities. The notices also may explain how consumers can opt out of certain types of sharing. They also briefly describe how financial institutions protect the personal information they collect and maintain.
How will I receive my annual privacy notice from a financial institution?
Financial institutions typically use U.S. postal mail to send initial and annual privacy notices to consumers. However, under Consumer Financial Protection Bureau (CFPB) rules, your annual privacy notice can be provided online if your financial institution:
- Does not share your information in a way that would trigger your right to opt-out
- Has not changed its privacy notice since you received the previous notice
- Continuously posts the annual privacy notice in a clear and conspicuous manner on its website
- Mails annual notices to customers who request them by telephone, within ten days of the request.
- Provides a clear and conspicuous statement at least once per year on an account statement, coupon book, or notice that informs customers that the annual privacy notice is available on the financial institution’s website, and
- Uses the model privacy notice developed by federal regulatory agencies
What are model privacy notices?
The model privacy notice is a two-page disclosure form designed to allow consumers to easily compare the privacy practices of different financial institutions. Use of the model privacy form is voluntary. However, a financial institution must use one of the model privacy notices if it delivers its annual privacy notice online rather than by postal mail.
A financial institution that properly uses the model privacy notice will be in compliance with the disclosure requirements for privacy notices under the GLB and obtains a "safe harbor" for federal regulatory requirements for privacy notices.
Financial institutions may not change the content of the form or add any information, except as specifically permitted by the form’s instructions. They may incorporate the form in another document or with other notices, and include additional documents or information provided the form is presented in a clear and conspicuous manner.
Which financial institutions must provide me with a privacy notice?
You should receive an annual privacy notice from any companies that offer financial products or services to individuals,. This includes your bank, credit card issuers, payday loan companies, collection agencies, mortgage brokers, check cashers, debt collectors, insurance companies, and remittance transfer providers as well as certain other businesses that do not offer or provide consumer financial products or services.
Will I receive a privacy notice for every account?
If you have more than one account with any company, you will probably not receive a notice for each account. Or, if you do business with one of the "financial supermarkets," you may receive a single privacy notice that lists all the companies that are covered by the notice -- insurance, brokerage, banking, and so on.
A "customer relationship" means a continuing relationship. You have only a "consumer relationship" if you have a one-time transaction with a financial institution. An example would be an ATM withdrawal. As a "consumer" you only get a notice if the bank says it intends to disclose information to nonaffiliated third parties.
Carnegie Mellon University has a database of bank privacy policies that allows you to search by bank name, zip code, or privacy characteristics. You can use it to help you find the most "privacy friendly" banks.
What privacy factors should I look for in opening a new account?
- Does the company sell your information?
- Does the company make it easy to opt-out?
- Does the company give other opt-out choices, such as an opt-out for all affiliate sharing?
- Does the company tell you how it treats medical information?
- Does the company use legalese or straight talk?
- Does the company offer to send you a privacy notice in your own language?
- Does the company invite you to correct inaccurate information?
How long do I have to opt-out?
You are entitled to a "reasonable" time to respond before your personal data can be disclosed. Generally 30 days is considered "reasonable."
Do I have only one chance to opt-out?
No, not if you are a customer and have a continuing relationship with the company. Your right to opt-out is continuing. If you fail to return the initial opt-out notice or an annual opt-out notice, your financial institution may sell or share your personal data after a "reasonable" time, usually 30 days. If you later decide you want to keep your financial institution from disclosing your personal data, you always have the right to opt-out. It goes without saying, however, that information that is disclosed before you opt-out is already "out there." You can't bring it back. Once you opt-out, you do not have to respond to any future privacy notices for that account.
My bank's privacy notice gives a toll-free number to opt-out, but no address. Can I send a letter to the company's corporate headquarters?
You must follow the procedure for opting out established by the company and as stated in its privacy notice. If the notice gives you a toll-free number, you should use that method to opt-out.
Can I opt-out by verbally telling my broker or banker?
No. You must opt-out using the procedure your bank or other financial company establishes, as long as it is reasonable. The burden is on you to follow the procedures set out by your financial institution. Failure to do so could result in information being disclosed.
Will I get a confirmation number or a way to verify that I opted out?
No. When you call or write to opt-out, make a point to ask, but GLB does not require it.
My bank's privacy notice does not give me an opt-out. Am I missing something?
Will the privacy notice say exactly what information about me can be disclosed?
The law and regulations require only that you get notice of the categories of information the financial institution collects and the categories of information that may be sold or shared with a third party. Notice must give you specific examples of each category, but this is by no means a complete list of the data that may be disclosed.
Privacy notices may tell you that your financial institution collects and may disclose information from account applications such as your name, address, Social Security number, assets and income. Assume such a statement means that any other application data could be collected and disclosed. An application might also include former addresses, debt level, mortgage payments, income other than salary such as child support payments, and much more.
What about closed accounts?
Initial and annual notices must inform you about sharing policies for closed accounts. Financial institutions are not required to send you an opt-out notice if your account is closed. However, if you have an existing account and opt-out, that is return the notice saying you do not want your information disclosed, your opt-out election would continue even after you closed the account. If at a later time you decide to open another account with that bank or other company, you will receive another initial privacy notice which will apply only to data about your new account. You may choose to opt-out of the second account, but your decision on the first account will not change unless you change it.
Is there any kind of information that cannot be disclosed?
GLB and federal regulations only prevent disclosure your account number or access code to a third-party nonaffiliated company to use in telemarketing or direct mail marketing. This means that a financial institution can sell your personal data to a telemarketer, for example, but it cannot sell the means by which your account can be accessed.
But, like much of GLB, there are exceptions to the rule. For example, your account number may be disclosed when companies market products and services via joint marketing agreements. Your account number may then be disclosed in encrypted format as long as the key to the code is not disclosed.
Can my medical information be disclosed?
GLB gives no special treatment for medical information that may be included in the files of your bank or other financial company. Unless you opt-out, sensitive information such as details about your health and treatments may be disclosed to a third-party nonaffiliate.
You have only minimal control over whether medical information captured by financial institutions is shared with an affiliate company. For example, if you have paid XYZ Oncology Clinic by credit card or check, that information will be recorded and perhaps shared within the individual companies that make up the financial "supermarket." GLB gives you no right to opt-out when it comes to affiliates -- even for sensitive medical information. What's worse, if you are given an opt-out and don't use it, medical information can be disclosed to any outside company as well.
You may have greater rights to protect health information under the laws of your state. For example, California passed a law that makes it a crime for an insurance company to sell information to a financial institution for the purpose of granting credit (California Civil Code 56.26). The information flow in this case is only restricted one way. This law does not cover information that flows from a financial institution to an insurance company. State regulations about insurance may also give you more rights to medical privacy.
As a small business owner, how do I know if I have to send a privacy notice to my clients?
Any company that deals in "financial services or products" is a "financial institution" and must provide its customers with an annual privacy notice. This broad definition means that small companies that provide real estate settlement services or collect debts for other companies may be required to send an annual privacy notice. It is the kind, not size, of your business that determines whether you are required to send a privacy notice. The Federal Trade Commission's Gramm-Leach-Bliley Act page provides guidance for small business owners on this topic.
The FTC's web site also includes specific guidance for automobile dealers. Tax preparers that are also certified public accountants are exempt from GLB compliance by the Financial Services Regulatory Relief Act (FSRRA), Pub L. 109-351 (2006).
Where does a financial institution get its information?
The privacy notice must tell you this. A financial institution may receive information directly from you, for example, when you fill out an application for a new account. Information about you may also be compiled based upon records of your transactions with that company or its affiliates. This may include information about how you use your credit card, your account balances, late payments, what you buy, and where you shop.
Information may also be collected from nonaffiliated third parties, consumer reporting agencies, or public records. Some financial institutions also "enhance" their files about you with information purchased from companies that collect data from consumer surveys, product registration cards, public records, and Census tracts. Such data is used to market products and services to you that the company believes are compatible with your interests.
Consider the amount and kinds of information you supply just to a financial institution that may sell insurance, bank products, and securities. Combine this with the information available from other sources, and virtually any detail of your financial affairs, health status, spending habits, lifestyle purchases, political affiliations, religious contributions, and more can be collected by your financial institution. Unless you formally object, it can be shared, sold, rented, or otherwise disclosed with few exceptions.
What kinds of companies can get my personal information?
The privacy notice you receive from financial institutions does not have to tell you the names of any specific companies or organizations that may buy or receive your personal information. Only the categories of companies have to be disclosed to you. The relationship between your company and the company that receives your information determines if you have a right to opt-out, that is to stop the information flow. These relationships are: (1) nonaffiliated third party (outside company), (2) affiliated company, or (3) joint marketer or service provider.
GLB only gives you the right to opt-out when it comes to third-party, nonaffiliated companies. Categories of outside companies (third-party nonaffiliates) as well as affiliated companies must be described.
When your information is disclosed under a contract between your company and another company to sell you financial products, this is called a "joint marketing agreement." You have no right to know any details about these joint marketing agreements, and you have no say in information flow under these contracts.
What is a third party nonaffiliate?
It means a company that is not owned or controlled by the company you're doing business with. For example, your bank's privacy notice may say it shares your personal information with third party nonaffiliates. The notice may go on to identify one such category as "financial services providers." An example could be an insurance company that is not affiliated with your bank.
Other categories of nonaffiliated companies that could receive your information might be identified in the privacy notice as "non-financial service providers" such as retailers, direct marketers, telemarketers, or "other companies" like nonprofit organizations. Remember, if the company sells customer data to third party nonaffiliates, it must give you the right to opt-out.
GLB gives you no control or right to opt-out when your financial institution shares your information with service providers. A "service provider" is a company that contracts with your bank to service your account or process your transactions.
A form of outsourcing called offshoring has exploded as a privacy and data security issue. Fueled by ease of electronic data transfers and efforts to cut costs, many financial companies now employ low-wage, foreign workers to service accounts.
Personal data necessary to perform accounting functions, operate customer call centers, and process transactions are now routinely sent offshore. Personal data at stake includes any information you would give your bank. For example, your name, Social Security number, and account numbers are all data items needed to "service" your account. The privacy and security implications are significant, and all the more troubling because nothing prevents a foreign "service provider" from hiring subcontractors.
What can I do if outsourcing results in identity theft?
It is unlikely that you will even be able to trace the source of the fraud. Most victims can't. Even if you can trace the source to a foreign "service provider," you have little recourse. GLB does not give you the right to sue, even an American company, for privacy or data security violations. Even federal financial agencies, with the authority to enforce GLB, will probably not have standing in foreign countries.
Will the privacy notice at least tell me if my bank outsources services?
Very unlikely. But, if you are dealing with a large financial corporation it is a near certainty today that some or all of your personal information will flow offshore.
For more about the privacy and data security risks of outsourcing, see:
- PRC Statement on Outsourcing and Privacy, testimony before the California Business and Professions Committee.
- FDIC Study, Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks.
What is a "joint marketer"?
A "joint marketer" is a company that contracts with another company to sell you financial services or products. It is standard practice in the financial services industry for companies to enter into marketing agreements with telemarketers or direct mail marketers. Information can be freely shared under such contracts. GLB requires that such contracts be for the purpose of marketing financial products or services. The receiving company must restrict further disclosure of the customer data. The law does not enable you to say "no" to sharing your information under these marketing agreements.
How does joint marketing weaken my opt-out?
Joint marketing agreements are entered into by third-party, non-related companies. But for GLB's joint marketing loophole, you could stop this data sharing by simply opting out. Consider the expansive definition of a financial "service or product" and companies that fall under the "financial institution" heading. A financial institution is not just companies like banks, brokerage houses, and insurance companies. Payday lenders, mortgage brokers and automobile dealers are also "financial institutions." Joint marketing agreements thus open the door for data sharing among an array of third-party nonaffiliated companies.
Can I stop unwanted solicitations that come from joint marketers?
GLB does not give you the right to stop these offers. A few financial companies now offer to let you opt-out from joint marketing solicitations. If so, this choice should be included in the annual privacy notice you receive. PRC's Privacy Survival Guide: Take Control of Your Personal Information also provides some tips on reducing unwanted solicitations.
What is an "affiliate"?
Large companies often have many separate companies that do business under the corporate "umbrella." Although each company operates separately, it is still under the control of the parent corporation. Your bank's affiliates, for example, might include other financial companies such as a credit card company, a brokerage firm, a mortgage company, an insurance company, or an automobile financing company. Affiliates may also include nonfinancial companies such as auto parts or repair companies. Under GLB, you have no right to opt-out of affiliate sharing no matter what the nature of the affiliate's business is.
If I opt-out, will that give me total control over how my bank (insurance company, broker, etc.) uses my information?
No. Your opt-out will only prevent disclosure to third party nonaffiliates. As you can see from the above discussion, your information can still be disclosed in other ways. Nonetheless, exercising even this limited opt-out can stop the flow of your personal information to an unlimited number of marketing databases.
Can I stop my financial company from sharing my personal information with its affiliates?
Under GLB, a company can share your personal information with its affiliates. However, the notice you receive is also likely to explain your right to opt-out under another law, the federal Fair Credit Reporting Act (FCRA). This law gives you the right to prevent a company from sharing information about your "credit worthiness" with affiliates. Your "transaction and experience" information can still be shared with affiliates without your consent, according to the FCRA. As explained above with the example about health-related payments, transaction information can be highly sensitive.
Another opportunity to limit information sharing with affiliates is included in the Fair and Accurate Credit Transaction Act (FACTA), a law that amended the FCRA in 2003. The FACTA affiliate sharing opt out provision is discussed in Part 10 of PRC Fact Sheet 6a: Facts on FACTA and the Federal Trade Commission's Affiliate Marketing Rule, Final Rule.
California's Financial Information Privacy Act (known as FIPA or SB 1) (Cal. Financial Code §§ 4050-4060) exists specifically to offer privacy protections that GLB lacks. FIPA provides more protection than GLB, but it does not prevent financial institutions from sharing your personal information with affiliates. FIPA originally had a section to provide such a protection but it was struck down in 2008 when a federal court held that the FCRA pre-empts state law when it comes to sharing personal information with affiliates. American Bankers Association v. Lockyer, 541 F.3d 1213 (9th Cir. 2008).
Regardless, FIPA still provides more protection than GLB in several important ways:
- A financial institution must notify you and obtain your consent to share information with unaffiliated businesses (a business is unaffiliated when it is not under the control of the same company). (Cal. Financial Code § 4052.5)
can opt out of information sharing that results from joint-marketing agreements
that a financial institution makes with outside companies to market financial
products and services. (Cal. Financial Code § 4053(a)(1))
There are many types of joint marketing arrangements, but quite often they are with telemarketers or direct-mail marketers. An example of this might be a life or auto insurance company that enters into a joint-marketing agreement with a third-party company to sell long-term care insurance. If you are a customer of the life or auto insurance company, it could share your contact information with the third party and also with a direct-mail marketer to pitch the long term care policy. FIPA lets you opt out of this, but GLB does not.
must receive a standardized, single-page notice, like this one from every financial
company with which you have a customer relationship. Envelopes that contain privacy notices must
be flagged, so you don't discard them as junk mail and lose your opt-out
opportunities. (Cal. Financial Code §§ 4051.5(a)(3) and 4053, generally)
The California-compliant FIPA notice has a check box for affirming that you do not want your information shared with affiliates. However, the notice does not explain the difference between creditworthiness information (also called "consumer report information") which may not be shared, and "transaction and experience" information, which may be.
Creditworthiness may be based on information about whether you pay your bills on time, how long you have had credit, and the level of debt you can comfortably carry. It may also be based on character, general reputation, personal characteristics, or mode of living. Transactional (and experience) information, in the broadest sense, is data based on your interactions or transactions with businesses, organizations, and websites that create a record of those events, such as a payment record.
If you do not exercise the opt-out rights that GLB and FIPA give you, you relinquish the already limited control you have over personal information collected by financial institutions. Once the financial institution shares your information, you lose all practical control over where it goes and how it is used.
What are the most important things I can do to protect my financial privacy?
Remember, you have only limited ability to prevent a financial services company from sharing your customer data with its affiliated companies and no ability to opt-out of information shared through joint marketing agreements. The privacy provisions of GLB only pertain to unaffiliated third parties. You would not, for example, be able to prevent your bank from sharing your customer data with its affiliated insurance company or brokerage firm.
So, if you are concerned about affiliate sharing and the ability of these "financial supermarkets" to compile extensive dossiers about you, you must take extra care to conduct your banking with one corporation, keep your insurance accounts with another unaffiliated corporation, and your investments with yet another. The same holds true if you are concerned about your information being shared as part of marketing contracts.
In this privacy-conscious marketplace, some financial institutions might differentiate themselves by becoming more "privacy-friendly." Watch for companies that advertise that they do not share your customer data with either affiliates or third parties. And look for companies that give you the choice to take yourself out of marketing programs.
May I sue my financial institution for violating my GLB privacy rights?
GLB does not contain what is called a private right of action. So you cannot go to court and sue for violations of your privacy rights under that statute. However, under some state laws you might be able to claim that the company's violation of GLB violated other rights you have.
Why should I opt-out?
If you are like the many people who have responded to polls, you are concerned about your privacy. Opting out gives you some control over how your personal information is used. Banks and other financial companies may revise and strengthen their privacy policies if enough people show their concern for privacy by opting out.
Where to Complain - Federal
Consumer Financial Protection Bureau
P.O. Box 4503
Iowa City, Iowa 52244
(855) 411-CFPB (2372)
To report violations of California's Financial Information Privacy Act, contact the appropriate state agency:
- California Department of Insurance: Regulates the insurance industry in California and enforces both federal and state privacy laws.
- California Department of Financial Institutions: Regulates banks, savings associations, credit unions, commercial lending companies, issuers of travelers check, transmitters of money abroad and others.
California Department of Financial Institutions
1810 13th Street
Sacramento, CA 95814
- California Department of Corporations: Regulates investment brokers and dealers, investment companies, investment advisors, residential mortgage lenders, and finance lenders.
California Department of Corporations
Consumer Services Office
1515 K Street, Suite 200
Sacramento, CA 95814
- California Attorney General: Enforces privacy laws on financial service companies not regulated by the state financial regulators.
California Attorney General's Office
California Department of Justice
Attn: Public Inquiry Unit
P.O. Box 944255
Sacramento, CA 94244-2550
- Financial Services Modernization Act (GLB), 15 U.S.C. §§6801-6810
- Fair Credit Reporting Act (FCRA)as amended by FACTA), 15 U.S.C §1681 et. seq.
- Fair and Accurate Credit Transactions Act (FACTA)
- California Financial Information Privacy Act, CA Financial Code §§4050-4060
- Financial Services Regulatory Relief Act, Pub L No 109-351 (2006),
- The FTC has published numerous guides on GLB for consumers and businesses.
- California residents can read Your Financial Privacy Rights, by the California Department of Justice’s Privacy Enforcement and Protection Unit
Privacy Rights Clearinghouse's Other Financial Privacy Guides
- Frequently Asked Questions About Financial Privacy. Answers to many of the questions received by the PRC about GLB and related issues.
- Is Your Financial Information Safe?. A guide to GLB's data security rules.
- Credit Reporting Basics: How Private Is My Credit Report?. An explanation of your rights under the federal Fair Credit Reporting Act
- FACTA: The Fair and Accurate Credit Transactions Act: Consumers Win Some, Lose Some
Browse Privacy Topics
Background Checks & Workplace
Banking & Finance
Credit & Credit Reports
Harassment & Stalking
Identity Theft & Data Breaches
Online Privacy & Technology
Privacy When You Shop
Public Records & Info Brokers
Social Security Numbers
Who We Are
We are a nationally recognized consumer education and advocacy nonprofit dedicated to protecting the privacy of American consumers.