Fact Sheet 24:
Protecting Financial Privacy:
The Burden Is on You

Copyright © 2000-2016
Privacy Rights Clearinghouse
Posted December 2000
Revised July 2016
  1. Introduction
  2. Privacy Notices
  3. How Your Financial Institution Shares Your Data
  4. Affiliate Sharing
  5. Joint Marketing Agreements - Watering Down Your Opt-Out
  6. Outsourcing and Service Providers
  7. Financial Privacy in California
  8. What You Can Do to Protect Your Privacy
  9. File a Complaint
  10. Resources

1. Introduction

The Gramm-Leach-Bliley Act (GLB) (also known as the Financial Services Modernization Act) provides you with some rights to protect your financial privacy. However, the burden is on you to assert your rights.

GLB's financial privacy rule (15 U.S.C. §§ 6801-6809) requires your financial institution to provide you with a privacy notice that describes three things:

  •  Privacy Policy:  Your financial institution must tell you the kinds of information it collects about you and how it uses that information.
  •  Right to Opt-Out: Your financial institution must explain your ability to prevent the sharing of your customer data with third parties.
  •  Safeguards: Financial institutions are required to develop policies to prevent unauthorized access to confidential financial information. These policies must be disclosed to you.

GLB gives you the right to opt-out of certain types of information sharing. With opt-out, you give your implied consent by failing to respond to the privacy notice sent to you by your financial company. So, if you say nothing, it means "yes, you can share my data." The default for the opt-out approach is that your data is shared until and unless you notify the company otherwise.

2. Privacy Notices

What information is contained in privacy notices?

Privacy notices describe whether and how the financial institution shares consumers’ nonpublic personal information, including personally identifiable financial information with other entities. The notices also may explain how consumers can opt out of certain types of sharing. They also briefly describe how financial institutions protect the personal information they collect and maintain.  Financial institutions are generally required to provide an initial notice of these policies, and then an annual notice to customers every year that the relationship continues. 

What are model privacy notices?

The model privacy notice is a two-page disclosure form designed to allow consumers to easily compare the privacy practices of different financial institutions.  Use of the model privacy form is voluntary.  However, a financial institution must use one of the model privacy notices if it delivers its privacy notice online rather than by postal mail.

A financial institution that properly uses the model privacy notice will be in compliance with the disclosure requirements for privacy notices under the GLB and obtains a "safe harbor" for federal regulatory requirements for privacy notices.  

Financial institutions may not change the content of the form or add any information, except as specifically permitted by the form’s instructions. They may incorporate the form in another document or with other notices, and include additional documents or information provided the form is presented in a clear and conspicuous manner.

Which financial institutions must provide me with a privacy notice?

You should receive a privacy notice from any companies that offer financial products or services to individuals. This includes your bank, credit card issuers, payday loan companies, collection agencies, mortgage brokers, and insurance companies.

Will I receive a privacy notice for every account?

If you have more than one account with any company, you will probably not receive a notice for each account. Or, if you do business with one of the "financial supermarkets," you may receive a single privacy notice that lists all the companies that are covered by the notice -- insurance, brokerage, banking, and so on.

Can I shop around for a privacy policy before opening an account?

You may certainly ask a financial institution you're thinking of doing business with for a copy of its privacy policy. However, you are only entitled to the notice if you are an existing customer or at the time you establish a "customer relationship" with a financial institution.

A "customer relationship" means a continuing relationship. You have only a "consumer relationship" if you have a one-time transaction with a financial institution. An example would be an ATM withdrawal. As a "consumer" you only get a notice if the bank says it intends to disclose information to nonaffiliated third parties.

Carnegie Mellon University has a database of bank privacy policies that allows you to search by bank name, zip code, or privacy characteristics.  You can use it to help you find the most "privacy friendly" banks.

What privacy factors should I look for in opening a new account?

  • Does the company sell your information?
  • Does the company make it easy to opt-out?
  • Does the company give other opt-out choices, such as an opt-out for all affiliate sharing?
  • Does the company tell you how it treats medical information?
  • Does the company use legalese or straight talk?
  • Does the company offer to send you a privacy notice in your own language?
  • Does the company invite you to correct inaccurate information?

Do I have only one chance to opt-out?

No. If you are a customer and have a continuing relationship with the company, your right to opt-out is continuing. If you fail to return the notice, your financial institution may sell or share your personal data after a "reasonable" time, usually 30 days. If you later decide you want to keep your financial institution from disclosing your personal data, you always have the right to opt-out. It goes without saying, however, that information that is disclosed before you opt-out is already "out there." You can't bring it back. Once you opt-out, you do not have to respond to any future privacy notices for that account.

I receive privacy notices at least once a year. I opted out last year. Do I have to opt out every time I get a notice?

No. Your opt out choice remains in effect until you change it. However, the opt out only applies to the active account(s) you have at the time you make your choice. If you, for example, close your accounts, open an account with a new bank, but later open a new account with your old bank, you will have to opt out again. In other words, your opt out applies to the account(s) you have at the time you opt out.

My bank's privacy notice gives a toll-free number to opt-out, but no address. Can I send a letter to the company's corporate headquarters?

You must follow the procedure for opting out established by the company and as stated in its privacy notice. If the notice gives you a toll-free number, you should use that method to opt-out.

Can I opt-out by verbally telling my broker or banker?

No. You must opt-out using the procedure your bank or other financial company establishes, as long as it is reasonable. The burden is on you to follow the procedures set out by your financial institution. Failure to do so could result in information being disclosed.

Will I get a confirmation number or a way to verify that I opted out?

No. When you call or write to opt-out, make a point to ask, but GLB does not require it.

My bank's privacy notice does not give me an opt-out. Am I missing something?

Perhaps the bank's privacy policy says it does not share information with third-party companies.  If a company does not share your information with third parties or if the company does not have affiliates, the privacy notice should explain this.

Will the privacy notice say exactly what information about me can be disclosed?

The law and regulations require only that you get notice of the categories of information the financial institution collects and the categories of information that may be sold or shared with a third party. The notice must give you specific examples of each category, but this is by no means a complete list of the data that may be disclosed.

Privacy notices may tell you that your financial institution collects and may disclose information from account applications such as your name, address, Social Security number, assets and income. Assume such a statement means that any other application data could be collected and disclosed. An application might also include former addresses, debt level, mortgage payments, income other than salary such as child support payments, and much more.

What about closed accounts?

Financial institutions are not required to send you an opt-out notice if your account is closed. However, if you have an existing account and opt-out, that is, return the notice saying you do not want your information disclosed, your opt-out election would continue even after you closed the account. If at a later time you decide to open another account with that bank or other company, you will receive another initial privacy notice which will apply only to data about your new account. You may choose to opt-out of the second account, but your decision on the first account will not change unless you change it.

Is there any kind of information that cannot be disclosed?

GLB and federal regulations only prevent disclosure of your account number or access code to a third-party nonaffiliated company for use in telemarketing or direct mail marketing. This means that a financial institution can sell your personal data to a telemarketer, for example, but it cannot sell the means by which your account can be accessed.

But, like much of GLB, there are exceptions to the rule. For example, your account number may be disclosed when companies market products and services via joint marketing agreements. Your account number may then be disclosed in encrypted format as long as the key to the code is not disclosed.

Can my medical information be disclosed?

You have only minimal control over whether medical information captured by financial institutions is shared with an affiliate company. For example, if you have paid XYZ Oncology Clinic by credit card or check, that information will be recorded and perhaps shared within the individual companies that make up the financial "supermarket." GLB gives you no right to opt-out when it comes to affiliates -- even for sensitive medical information. What's worse, if you are given an opt-out and don't use it, medical information can be disclosed to any outside company as well.

3. How Your Financial Institution Shares Your Data

Where does a financial institution get its information?

The privacy notice must tell you this. A financial institution may receive information directly from you, for example, when you fill out an application for a new account. Information about you may also be compiled based upon records of your transactions with that company or its affiliates. This may include information about how you use your credit card, your account balances, late payments, what you buy, and where you shop.

Information may also be collected from nonaffiliated third parties, consumer reporting agencies, or public records. Some financial institutions also "enhance" their files about you with information purchased from data brokers and other companies that collect data from consumer surveys, product registration cards, public records, and Census tracts. Such data is used to market products and services to you that the company believes are compatible with your interests.

Consider the amount and kinds of information you supply just to a financial institution that may sell insurance, bank products, and securities. Combine this with the information available from other sources, and virtually any detail of your financial affairs, health status, spending habits, lifestyle purchases, political affiliations, religious contributions, and more can be collected by your financial institution. Unless you formally object, it can be shared, sold, rented, or otherwise disclosed with few exceptions.

What kinds of companies can get my personal information?

The privacy notice you receive from financial institutions does not have to tell you the names of any specific companies or organizations that may buy or receive your personal information. Only the categories of companies have to be disclosed to you. The relationship between your company and the company that receives your information determines if you have a right to opt-out, that is to stop the information flow. These relationships are: (1) nonaffiliated third party (outside company), (2) affiliated company, or (3) joint marketer or service provider.

GLB only gives you the right to opt-out when it comes to third-party, nonaffiliated companies.  Categories of outside companies (third-party nonaffiliates) as well as affiliated companies must be described.

When your information is disclosed under a contract between your company and another company to sell you financial products, this is called a "joint marketing agreement." You have no right to know any details about these joint marketing agreements, and you have no say in information flow under these contracts.

What is a third party nonaffiliate?

It means a company that is not owned or controlled by the company you're doing business with. For example, your bank's privacy notice may say it shares your personal information with third party nonaffiliates. The notice may go on to identify one such category as "financial services providers." An example could be an insurance company that is not affiliated with your bank.

Other categories of nonaffiliated companies that could receive your information might be identified in the privacy notice as "non-financial service providers" such as retailers, direct marketers, telemarketers, or "other companies" like nonprofit organizations. Remember, if the company sells customer data to third party nonaffiliates, it must give you the right to opt-out.

4. Affiliate Sharing

What is an "affiliate"?

Large companies often have many separate companies that do business under the corporate "umbrella." Although each company operates separately, it is still under the control of the parent corporation. Your bank's affiliates, for example, might include other financial companies such as a credit card company, a brokerage firm, a mortgage company, an insurance company, or an automobile financing company. Affiliates may also include nonfinancial companies such as auto parts or repair companies.  

Can I stop my financial company from sharing my personal information with its affiliates?

Under GLB, a company can share your personal information with its affiliates. However, the notice you receive is also likely to explain your right to opt-out under another law, the federal Fair Credit Reporting Act (FCRA). This law gives you the right to prevent a company from sharing information about your "creditworthiness" with affiliates. This includes information such as the amount and source of your income, your debt level, and your history of paying bills on time.

Your "transaction and experience" information can still be shared with affiliates without your consent.  This information encompasses account activity like deposits, withdrawals, debits, and credits. Also included in this category are specifics such as what you buy, where you buy it, and how much you pay. This is valuable information, particularly when a company wants to sell you every variety of its financial products. 

Another opportunity to limit information sharing with affiliates is included in the Fair and Accurate Credit Transaction Act (FACTA).  The FACTA affiliate sharing opt out provision is discussed in the Federal Trade Commission's Affiliate Marketing Rule, Final Rule.  This rule generally prohibits using certain information received from an affiliate to make a solicitation to a consumer about the person’s products or services, unless the consumer is given notice and a reasonable opportunity and a reasonable and simple method to opt out of the making of such solicitations, and the consumer does not opt out.

5. Joint Marketing Agreements - Watering Down Your Opt-Out

What is a "joint marketer"?

A "joint marketer" is a company that contracts with another company to sell you financial services or products. It is standard practice in the financial services industry for companies to enter into marketing agreements with telemarketers or direct mail marketers. Information can be freely shared under such contracts. GLB requires that such contracts be for the purpose of marketing financial products or services. The receiving company must restrict further disclosure of the customer data. The law does not enable you to say "no" to sharing your information under these marketing agreements.

How does joint marketing weaken my opt-out?

Joint marketing agreements are entered into by third-party, non-related companies. But for GLB's joint marketing loophole, you could stop this data sharing by simply opting out. Consider the expansive definition of a financial "service or product" and companies that fall under the "financial institution" heading. A financial institution is not just companies like banks, brokerage houses, and insurance companies. Payday lenders, mortgage brokers and automobile dealers are also "financial institutions." Joint marketing agreements thus open the door for data sharing among an array of third-party nonaffiliated companies.

Can I stop unwanted solicitations that come from joint marketers?

GLB does not give you the right to stop these offers. A few financial companies now offer to let you opt-out from joint marketing solicitations. If so, this choice should be included in the privacy notice you receive. 

6. Outsourcing and Service Providers

GLB gives you no control or right to opt-out when your financial institution shares your information with service providers. A "service provider" is a company that contracts with your bank to service your account or process your transactions. Many financial institutions contract with other companies to perform some service, such as printing or mailing statements.

A form of outsourcing called offshoring has exploded as a privacy and data security issue. Fueled by the ease of electronic data transfers and efforts to cut costs, many financial companies now employ low-wage foreign workers to service accounts.

Personal data necessary to perform accounting functions, operate customer call centers, and process transactions are now routinely sent offshore. Personal data at stake includes any information you would give your bank. For example, your name, Social Security number, and account numbers are all data items needed to "service" your account. The privacy and security implications are significant, and all the more troubling because nothing prevents a foreign "service provider" from hiring subcontractors.

What can I do if outsourcing results in identity theft?

It is unlikely that you will even be able to trace the source of the fraud. Most victims can't. Even if you can trace the source to a foreign "service provider," you have little recourse. GLB does not give you the right to sue, even an American company, for privacy or data security violations. Even federal financial agencies, with the authority to enforce GLB, will probably not have standing in foreign countries.

Will the privacy notice at least tell me if my bank outsources services?

Very unlikely. But, if you are dealing with a large financial corporation it is a near certainty today that some or all of your personal information will flow offshore.

7. Financial Privacy in California

California's Financial Information Privacy Act (known as FIPA or SB 1) (Cal. Financial Code §§ 4050-4060) exists specifically to offer privacy protections that GLB lacks. FIPA provides more protection than GLB, but it does not prevent financial institutions from sharing your personal information with affiliates. FIPA originally had a section to provide such a protection, but it was struck down in 2008 when a federal court held that the FCRA pre-empts state law when it comes to sharing personal information with affiliates. American Bankers Association v. Lockyer, 541 F.3d 1213 (9th Cir. 2008).

Regardless, FIPA still provides more protection than GLB in several important ways:

  • A financial institution must notify you and obtain your consent to share information with unaffiliated businesses (a business is unaffiliated when it is not under the control of the same company). (Cal. Financial Code § 4052.5)

  • You can opt out of information sharing that results from joint-marketing agreements that a financial institution makes with outside companies to market financial products and services. (Cal. Financial Code § 4053(a)(1))

    There are many types of joint marketing arrangements, but quite often they are with telemarketers or direct-mail marketers. An example of this might be a life or auto insurance company that enters into a joint-marketing agreement with a third-party company to sell long-term care insurance. If you are a customer of the life or auto insurance company, it could share your contact information with the third party and also with a direct-mail marketer to pitch the long term care policy. FIPA lets you opt out of this, but GLB does not.
  • You must receive a standardized, single-page notice from every financial company with which you have a customer relationship.  Envelopes that contain privacy notices must be flagged, so you don't discard them as junk mail and lose your opt-out opportunities. (Cal. Financial Code §§ 4051.5(a)(3) and 4053)

8. What You Can Do to Protect Your Privacy

What are the most important things I can do to protect my financial privacy?

The single most important thing you can do to protect your financial privacy is to carefully read all information that comes from a financial institution. Study the institution's privacy policy.

Remember, you have only limited ability to prevent a financial services company from sharing your customer data with its affiliated companies and no ability to opt-out of information shared through joint marketing agreements. The privacy provisions of GLB only pertain to unaffiliated third parties. You would not, for example, be able to prevent your bank from sharing your customer data with its affiliated insurance company or brokerage firm.

May I sue my financial institution for violating my GLB privacy rights?

GLB does not contain what is called a private right of action. So you cannot go to court and sue for violations of your privacy rights under that statute. However, under some state laws you might be able to claim that the company's violation of GLB violated other rights you have.

Why should I opt-out?

Opting out gives you some control over how your personal information is used. Banks and other financial companies may revise and strengthen their privacy policies if enough people show their concern for privacy by opting out.

9. File a Complaint

Where to Complain:

Consumer Financial Protection Bureau
(855) 411-CFPB (2372)

To report violations of California's Financial Information Privacy Act, contact the appropriate state agency:

10. Resources

Government Publications

  • The FTC has published numerous guides on GLB for consumers and businesses.
  • California residents can read Your Financial Privacy Rights, by the California Department of Justice’s Privacy Enforcement and Protection Unit

Privacy Rights Clearinghouse's Other Financial Privacy Guides

Copyright © Privacy Rights Clearinghouse. This copyrighted document may be copied and distributed for nonprofit, educational purposes only. For distribution, see our copyright and reprint guidelines. The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse.