The Gramm-Leach-Bliley Act Privacy Rule: Requirements and Compliance
In 1999 the United States Congress passed the Gramm-Leach-Bliley Act (GLBA). Among other things, this act set forth requirements for financial institutions relating to the use and sharing of consumers’ personal information. Since its passage through Congress, the provisions stipulated in the bill have been enforced by a number of government agencies, including the Consumer Financial Protection Bureau (CFPB), as part of their regulations.
Table of Contents
- 1 A Brief History of the Gramm-Leach-Bliley Act
- 2 What Is Privacy of Consumer Financial Information (The Privacy Rule)?
- 3 Gramm-Leach-Bliley Act Requirements
- 4 GLBA Compliance Checklist
A Brief History of the Gramm-Leach-Bliley Act
In 1999 Congress passed the Gramm-Leach-Bliley Act. The primary purpose of this act was to repeal certain aspects of the Glass–Steagall Act of 1933. This was a form of deregulation of the financial industry, as it allowed financial institutions that offered a variety of financial services to consolidate themselves into a single institution.
However, the act also created new regulations for financial institutions. In response to concerns about consumer privacy and the internet — which was just starting to gain popularity at the time — the Gramm-Leach-Bliley Act included Title V, which is the basis for the Privacy Rule in financial regulations.
What Is Privacy of Consumer Financial Information (The Privacy Rule)?
The Privacy Rule (also known as “Regulation P” as a part of the Code of Federal Regulations) is a government regulation designed to limit what financial institutions can do with a consumer’s personal information. Today, following the passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act, this is enforced by the CFPB. However, the law behind the regulation comes from Title V of the GLBA, which was passed in 1999, before the CFPB existed.
The Privacy Rule restricts the occasions in which a financial institution can disclose a consumer’s nonpublic personal information to third parties. It also gives consumers the tools that they need to fight back against improper disclosure of information.
Definition of Nonpublic Personal Information (NPPI)
Nonpublic personal information includes any financial information given by a consumer to a financial institution for the purpose of obtaining a financial product, as long as that information has not been made available by the consumer or another party through legal means. The definition of nonpublic personal information requires that financial institutions assume all information about a consumer is nonpublic unless the institution has good reason to believe otherwise. In other words, financial institutions must assume that any information about you, as a consumer, is nonpublic unless they know for a fact that it is publicly available.
Nonpublic Personal Information Examples
Some examples of nonpublic personal information include:
- If you own an item — such as a car — that you are using as collateral for a loan, the value of that item would be nonpublic personal information as long as its value was not a matter of public knowledge.
- The balance of your bank account or credit card is an example of nonpublic personal information, as long as you haven’t shared that information in a publicly accessible forum, such as the internet.
- Your payment history on credit cards or other forms of debt is an example of nonpublic personal information. Once again, it becomes public if you’ve shared it publicly.
Gramm-Leach-Bliley Act Requirements
Regulation P imposes several requirements related to the handling of nonpublic personal information.
First, Regulation P requires that financial institutions issue an initial privacy notice to consumers as soon as they become customers of that financial institution. Essentially, this means that a bank or other financial institution must issue a privacy notice to you as soon as you enter a customer relationship with them. We’ll talk about the contents of privacy notices below.
On top of this initial notice, Regulation P also requires financial institutions to provide their customers with a copy of the privacy notice at least once a year. Financial institutions must continue providing copies until you cease to be their customer.
In their privacy notices, financial institutions are required to include the following:
- A notice about the kinds of information that the financial institution can collect, including the sources from which they get that information, for example, information from your credit report or transaction information from the use of your credit or debit card.
- A notice about the kinds of information that the financial institution can disclose to third parties, including examples of situations under which they might disclose information.
- A notice about the kinds of institutions or parties to which they can disclose the above information.
- The institution’s policies on disclosing nonpublic personal information about former customers, who have since ceased their customer relationship with that institution.
- That the institution has a right to disclose customer information to third parties who provide a service, such as marketing companies, or who partner with the institution in offering financial services.
- That you, as a consumer, have the right to opt out of certain parts of the privacy notice.
Reasonable Opportunity to Opt Out
The Privacy Rule requires that financial institutions give their customers a reasonable opportunity to opt out in the event that their information is about to be shared with an unaffiliated third party. 30 days’ notice is usually taken as enough time for a customer to opt out. However, there is no hard time limit written into the rule, and what a “reasonable opportunity” consists of is left open to interpretation.
GLBA Compliance Checklist
If you are starting a small business in the financial industry or you’ve already been working in the industry for many years, it’s important to make sure that you are in compliance with Regulation P. Otherwise, the CFPB may pursue legal action against you, as they have done in the past with other alleged regulation-breakers, such as in the case of the ongoing Navient lawsuit.
In order to ensure that you are in compliance with Regulation P, make sure that:
- You are not disclosing a consumer’s nonpublic personal information to non-exempt third parties, unless you have compelling reason to believe that the information is, in fact, publicly available.
- You are sending privacy notices to new customers and that your existing customers are receiving yearly copies of that privacy notice.
- Your privacy notice contains all of the necessary elements, as required by the CFPB.
The Privacy Rule under Title V of the Gramm-Leach-Bliley Act is complicated. If you are a consumer and you believe that your privacy rights are being violated by a financial institution, you can submit a complaint to be added to the CFPB’s complaint database. If you are a financial institution and you want to be sure that you are following the rules, the CFPB has a number of compliance resources available.
Nick Cesare is a writer from Boise, ID. In his free time he enjoys rock climbing and making avocado toast.
This post was updated February 28, 2019. It was originally published November 16, 2018.