It is no exaggeration to say that the Financial Services Modernization Act of 1999, the Gramm-Leach-Bliley Act, contains the most comprehensive federal privacy legislation in history. In the words of House Banking Committee Chairman Jim Leach, the statute "provides the greatest consumer privacy protections of any legislation ever considered on (the House) floor."
The privacy title of the statute virtually rewrites the rules on information-sharing by financial institutions with nonaffiliated third parties. The title is noteworthy, however, not simply for how it will change the way institutions do business. It also reflects and will intensify the burgeoning trend toward privacy protection as a separate product characteristic on which consumers will shop for financial products and services and on which banks and other financial institutions will compete for customers.
The privacy title capped a congressional session characterized by an escalating focus on privacy by the media and by federal and state policymakers. In this article we discuss the key definitions and new disclosure requirements, and we provide a general road map through, and the reasons behind, the newest disclosure provisions. Later articles in our series, to appear in the next few weeks, will cover additional substantive provisions and important exceptions, the scope of the statute's mandate for new regulations and related enforcement issues, and the privacy title's relationship both to the Fair Credit Reporting Act and to state laws.
To understand the effects of the privacy title, one must first grasp its key definitions. Though the title applies principally to "financial institutions," that term is defined broadly to mean any entity "the business of which is engaging in financial activities," as described in the Bank Holding Company Act and as amended by this same legislation. This definition could include many entities that traditionally are not considered to be financial institutions, including, for example, a merchant or manufacturer that extends credit or a nonbank that issues stored value cards or sells money orders.
The scope of the privacy title also is determined in large part by the definition of "nonpublic personal information," since it is these data that are covered by the statute's new restrictions.
It means personally identifiable financial information obtained by a financial institution:
From the person (such as application information and other financial data provided by a consumer).
From the institution's own transactions or experiences with the customer.
From any third-party source (such as a demographics firm or a credit bureau).
Thus, unlike the Fair Credit Reporting Act, there is no exemption for disclosing transaction or experience information. The term is limited, however, to information that is "financial" and identified with a consumer. So it does not include nonfinancial demographic data or depersonalized information used by a bank or business for analytical purposes. In addition, "publicly available" information is expressly excluded, so the term should not include information available in a telephone directory, or such publicly recorded data as property sales records, tax liens, or bankruptcy filings, if such data are not combined with nonpublic financial information.
Moreover, the publicly available standard is not a fixed one and inevitably will change. For instance, one must assume that the term would include the rapidly increasing amount of information about people that is readily available over the Internet.
The privacy title's definition of "affiliate" is virtually identical to the corresponding term in the Fair Credit Reporting Act. This fact, and the focus of the new requirements on the sharing of information with nonaffiliated third parties, preserves the existing affiliate-sharing authority of the credit reporting law. It also preserves one of the principal benefits of the modernization bill to consumers and institutions alike -- the enhanced ability of affiliated companies to share information more efficiently and effectively for cross-marketing.
It is important to note that the privacy title governs only nonpublic personal information of consumers and does not cover an institution's business customers. And though the statute does not say so expressly, the only reasonable reading is that the obligations on a financial institution apply only with respect to its own customers -- people who obtain "from (that) financial institution, financial products or services which are to be used primarily for personal, family, or household purposes."
There are no exceptions to this requirement. A financial institution is obliged to give this notice even if it does not disclose information to any nonaffiliated third party. This universality is intended to help people make educated choices among a range of financial institutions with various privacy policies or disclosure practices. The law also provides no specific exclusion for inactive customers, who may present special operational challenges and costs for credit card issuers and other lenders with a large number of inactive accounts.
The privacy notice must include the institution's policies and practices on the disclosure of nonpublic personal information to nonaffiliated third parties and the categories of information that may be disclosed to such parties. To streamline the notice and make it meaningful to consumers, disclosures to agents of the financial institution and disclosure practices that are exempted from the notification and opt-out requirements need not be included. However, the notice must include the institution's policy on disclosing information on former customers as well as categories of data collected.
The notice also must state the institution's procedures for protecting the confidentiality and security of customer information. This statement, however, can and should be in general terms so that these procedures are not put at risk by supplying a key, so to speak, to unscrupulous people who might seek to gain access to protected information.
Finally, the notice must include the affiliate-sharing notice and opt-out opportunity required by the credit reporting law, if applicable. It should be noted that this requirement includes a separate, ambiguous reference to disclosure of policies on affiliate-sharing. In keeping with the amendment's intended focus on third-party sharing, however, the only sensible reading is that this reference is only to the credit reporting law's affiliate-sharing notice. A couple of additional points:
First, the notice must be clear and conspicuous -- the same standard as in the Truth in Lending Act and in the traditional Federal Reserve Board approach to mandated consumer disclosures. Thus, banks should look to the Fed's Regulation Z and its accompanying commentary for guidance.
Second, a colloquy among Reps. Leach, Marge Roukema, and Michael Oxley during House debate on the amendment clarified that the annual notice need not be sent to single-event customers, such as buyers of cashier's checks or money orders who do not have a continuing relationship with the institution.
The rationale for this information-sharing notice is to let market forces regulate the flow of customer information. If American consumers are well informed about financial institutions' sharing policies, they will be better able to choose one with a policy to their liking. This should let institutions rely on the same market forces to address consumers' privacy concerns.
Another key provision gives consumers choice in the sharing of financial information with nonaffiliated third parties. The statute employs the same basic notice and opt-out approach used by the credit reporting law for affiliate information-sharing. An institution must give its customers: clear and conspicuous notice that information about them could be shared with nonaffiliated third parties, an opportunity to opt out of such sharing before it occurs, and an explanation of how the customer can opt out.
A colloquy between Sens. Phil Gramm and Michael Crapo during Senate consideration of the bill confirms that this notice and opt-out opportunity only has to be given once; in other words, it does not have to be provided separately for each disclosure of covered information or for each nonaffiliated entity to which such information may be provided.
The notice requirements of the privacy title take effect Nov. 12, 2000, unless a later date is specified in regulations issued under the statute.