GLB - The Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (“GLB” or the “Act”) was passed by Congress in 1999. Its provisions became effective in 2000, with compliance was required in 2001. The purpose of the privacy provisions of GLB is to protect individual nonpublic financial information held by financial institutions. The Act applies to “financial institutions,” which include not only banks, securities firms and insurance companies, but other companies that provide financial products and services to consumers.

The primary purpose is to protect the privacy of consumer information held by financial institutions or those that are significantly engaged in financial activities. Entities regulated by federal banking agencies, Securities and Exchange Commission, Commodity Futures Trading Commission and state insurance authorities are covered as well. The Federal Trade Commission (FTC) also has authority to enforce the law against entities that are not regulated as these more traditional financial institutions. These include, for example, non-bank mortgage lenders, loan brokers, pay-day lenders, credit counselors, investment advisors, tax preparers, auto dealers, real estate settlement service providers, and debt collectors.

The Act requires protection of information collected about individuals, not from businesses or commercial activities. The Act addresses the rights of consumers and customers. A “consumer” is an individual who obtains a financial product or service from a financial institution for personal, family or household reasons. A “customer” is an individual consumer with a continuing relationship with a financial institution. A customer is always a consumer. A consumer is not always a customer.

This act protects Nonpublic Personal Information (NPI), which is personally identifiable financial information that a financial institution collects about an individual in connection with providing a financial product or service, unless the information is publicly available. The relationship itself is NPI. The Act specifically prohibits disclosure of account numbers. Financial institutions must give customers an initial privacy notice not later than when the relationship is established and annual (at least once every 12 months) privacy notices for the duration of the relationship. A simplified form is allowed if the institution does not share information with affiliates or nonaffiliates outside certain exceptions. The initial privacy notice must also be sent to consumers, prior to disclosure, if the financial institution shares individual information with unaffiliated companies. A short form can be used in lieu of a full notice. Annual notices are not required for consumers who are not customers. The privacy notice must be in writing and be mailed or delivered in person. It is not sufficient to give the notice orally or post the notice on a wall. Under certain circumstances, posting on a website may be reasonable delivery (i.e., the customer has agreed to accept such notice). It must be clear, conspicuous and accurate and should include the following:

a. Categories of the information the company
    collects about its consumers and customers;
b. Categories of information that the company
    discloses;
c. Categories of the parties with whom it
    shares the information;
d. An explanation of the opt-out rights; and
e. How the company protects or safeguards the
    information.