The GLBA only applies to individuals who obtain financial products or services primarily for personal, family, or household purposes, and does not apply to companies or individuals who obtain financial products or services for business, commercial, or agricultural purposes.

On November 12, 1999, the Gramm-Leach-Bliley Act (GLBA) became law, bringing important changes to the regulation of consumer privacy protection in the financial services industry. Title V of the Act requires all financial institutions to disclose their privacy policies regarding the sharing of non-public personal information (NPI) with affiliates and third parties. Clear disclosure of privacy policies must be given to customers initially when the customer relationship is established and at least annually thereafter. Such policies must allow customers to “opt-out” of the financial institution’s information sharing arrangements. (The regulations created to enforce the GLBA distinguish between customers and consumers, and the notice requirements for each.) Furthermore, a non-affiliated third party that receives NPI from a financial institution may only re-use such information if such further disclosure could legally have been made directly by the financial institution.

Importantly, the privacy provisions of the GLBA and corresponding regulations only apply to NPI about individuals who obtain financial products or services primarily for personal, family, or household purposes, and do not apply to information about companies or individuals who obtain financial products or services for business, commercial, or agricultural purposes.

The GLBA defines financial institutions broadly.

The GLBA is broad in scope, defining as a “financial institution” any business engaging in a financial activity described in Section 4(k) of the Bank Holding Company Act of 1956, which incorporates by reference a list of activities enumerated by the Federal Reserve Board in the Code of Federal Regulations (12 CFR 211.5(d) and 12 CFR 225.28). Certain businesses not traditionally thought of as financial institutions fall within the parameters of the GLBA. Financial institutions include, among others,

  • a retailer that extends credit by issuing its own credit card directly to consumers;
  • a personal property or real estate appraiser;
  • a check-cashing business;
  • an accountant or other tax preparation service that is in the business of preparing income tax returns; and
  • an automobile dealership that, as a usual part of its business, leases automobiles on a non-operating basis for longer than 90 days.

Determining what constitutes NPI is a less arduous task. NPI is personally identifiable financial information or any list of consumers that is derived using information not publicly available. Personally identifiable financial information is any information that a consumer provides to a financial institution in order to obtain a financial product or service, or that a financial institution gains resulting from a transaction involving the consumer. Personally identifiable financial information includes, for example,

  • information a consumer provides in an application to obtain a loan, credit card, or other financial product or service;
  • account balance information, payment history, overdraft history, and credit or debit card purchase information;
  • information collected by the financial institution using an Internet information collecting device (a “cookie”); and
  • information from a consumer report.

All Financial Institutions must be in full compliance with the GLBA by July 31, 2001.

Note that financial institutions may release publicly available information, such as information that could be obtained from government records, widely distributed media, or disclosures to the general public that are required by law.

Although the relevant provisions of Title V take effect on November 30, 2000, the agencies charged with enforcement have agreed to extend the mandatory date for compliance until July 1, 2001. The agencies expect financial institutions to begin compliance efforts promptly and to use the period before June 30, 2001 to implement and test their systems and to be in full compliance by July 31, 2001. In preparing for compliance, companies ought to assess their current practices regarding disclosure of NPI and their plans for future disclosure. A company should also determine who its customers are, who its affiliates are and, where appropriate, from whom it receives NPI. The company should then devise a system of compliance, including sufficient training for employees, and develop a system to ensure the continued accuracy of the disclosures following changes in products and services or the formation of new business alliances.