What Is the GLBA Privacy Rule

An overview of the data protection requirements of the GLB Act is available online. This guide provides more detailed information than the overview to help you comply with the privacy rule's requirements to protect consumers' financial information. It was written for companies that provide financial products or services to individuals for personal, family or household use. Notices given orally or posted in your office(s) do not comply with the rule. Car dealers who lend, arrange financing or leasing, or provide financial advice must inform customers of the information they collect, with whom they share it, and how they protect it. Do you respect the rules of the road? If you are a financial institution, your obligations vary depending on whether the people you deal with are "customers" or "consumers." In short, the privacy rule requires that you inform all of your "customers" of your privacy practices and, if you share their information in certain ways, also your "consumers." You will also need to give your customers an "annual notice" (a copy of your full privacy policy) for as long as the customer relationship lasts. The notice and opt-out provisions of the Gramm-Leach-Bliley Act complement the obligations of the Fair Credit Reporting Act (FCRA). If the FCRA currently requires you to provide your consumers with clear and conspicuous disclosures regarding the sharing of certain information (e.g., consumer reports and application information) with your affiliates, you must continue to do so. The GLB Act requires that these disclosures be made as part of the privacy notice that you give to your consumers or customers. Learn more about the FCRA and how it applies to your information sharing practices.

The following explains what information is considered NPI (nonpublic personal information) and what information is not. Information that is not NPI is not governed by the financial privacy rule. You must provide your privacy notice to each consumer or customer in writing or, if the consumer or customer agrees, electronically. Your written notices may be delivered by mail or in person. For people who transact with you electronically, you can post your privacy notice on your website and require them to acknowledge receipt of the notice as a necessary step in obtaining a particular product or service. For annual notices, you can reasonably expect your customers to have received your notice when they use your website to access your financial products or services, have agreed to receive notices on your website, and you continuously post the notice clearly and conspicuously on your website. There are a number of exceptions to the notice and opt-out requirements. These exceptions can be found in sections 313.14 ("Section 14 Exceptions") and 313.15 ("Section 15 Exceptions") of the Privacy Rule. If you only share information under these exceptions, you do not have to give your consumers a privacy notice, but you must give your customers a simplified initial privacy notice and, if necessary, an annual privacy notice. Customers and consumers do not have the right to opt out of these disclosures of NPI. The Privacy Rule requires that your privacy notice include an accurate description of your current policies and practices regarding the protection of the confidentiality and security of NPI.

For example, if you restrict access to NPI to employees who need the information to provide products or services to your consumers or customers, say so. The FTC may take enforcement action in the event of a violation of the Privacy Rule. The FTC can sue to enforce the Privacy Rule in federal district court, where it can seek the full scope of injunctive and ancillary relief. The FTC also has the authority, under Section 5 of the FTC Act, to review privacy policies and practices for deception and unfairness. If you are required to provide a privacy notice to your consumers, you may choose to give them an "abridged notice" instead of a full privacy notice. The abridged notice must: If you share NPI with nonaffiliated third parties outside of the three exceptions (see "Exceptions"), you must provide your consumers and customers with an "opt-out notice" that clearly describes their right to opt out of the information sharing. An opt-out notice must be delivered with a privacy notice and may form part of the privacy notice. Alternatively, you may receive NPI from a nonaffiliated financial institution outside the Section 14 or 15 exceptions. For example, you may want to buy a financial institution's customer list to market your own products to those people. In these cases, the originating financial institution may disclose NPI only about consumers or customers who have been notified of this type of disclosure in its privacy notice and who have not opted out after receiving the notice and the opportunity to opt out. Whether or not you share your customers' NPI, you need to give a privacy notice to all your customers. You must provide an "initial notice" at the time of establishing the customer relationship.

If this would significantly delay the customer's transaction, you can provide the notice within a reasonable time after the customer relationship is established, but only if the customer agrees. The FTC, the federal banking agencies (1), other federal regulatory authorities (2) and state insurance authorities enforce the GLB Act. Each agency has adopted essentially similar rules to implement the GLB Act's privacy provisions. States are responsible for adopting regulations and enforcing the law with respect to insurance providers. The FTC has jurisdiction over any financial institution or other person that is not regulated by other government agencies. As mentioned above, customers have the right to opt out of the disclosure of certain PII to nonaffiliated third parties. The right to opt out must be included in the privacy notice. The Gramm-Leach-Bliley Act (GLBA) contains provisions to address concerns about how consumer data is collected, used and shared by financial institutions. Note: Although the GLB Act does not require you to provide an opt-out notice if you only share NPI with affiliates, when you share certain information with your affiliates you may be required to provide an opt-out notice under the Fair Credit Reporting Act. This opt-out notice must be included in your GLB privacy notice (see "Fair Credit Reporting Act").

The FTC has issued a separate rule to address the requirements for safeguarding NPI. See 16 C.F.R. Part 314, 67 Fed. Reg. 36484 (23 May 2002). For more information about this rule and other tips for small businesses on implementing the Safeguards Rule's requirements, visit the FTC website. For another exception, see section 313.13 ("Section 13 Exception") of the Privacy Rule. If you share information under this exception, you must provide your customers, and your consumers when you share their information, with a privacy notice that describes that disclosure. However, your consumers and customers do not have the right to opt out of this information sharing.