In November 1999, Congress passed the Gramm-Leach-Bliley Act (GLB Act), also known as the Financial Services Modernization Act. This was a long-awaited regulatory modernization bill for the financial services industry. Title V of the GLB Act sets forth a stringent set of guidelines that restrict the use of consumer information by financial institutions.
The GLB Act added new regulations in four main areas: disclosure of privacy policies; "opt-out" of information disclosures to non-affiliated third parties; non-disclosure of account information; and standards to protect security and confidentiality of consumers' non-public information.
First, the GLB Act requires institutions to annually disclose their privacy policies to consumers. This disclosure must be prominent and must be made to all customers either when the customer begins his or her relationship with the institution or on an annual basis to existing customers.
The disclosure must also contain the institution's policy regarding the categories of non-public personal information it collects, its policy on disclosing non-public personal information to third parties and affiliates, and the categories of entities that receive the information.
Second, the GLB Act gives consumers the right to "opt out" of allowing the institution to send non-public personal information to non-affiliated third parties. Even if the consumer does not opt out, third parties may not re-disclose this information.
There are exceptions, however, to this opt-out rule, and for good reason. This provision does not apply to the sharing of information with third parties to process statements or service customer accounts. Opt-out is also unnecessary when information is transferred to complete transactions authorized by the customer, disclosed to a credit bureau, provided to comply with a regulatory investigation by state or federal authorities, or shared to protect against fraud.
Opt-outs are also not required for institutions that want to share information with affiliates — companies that are closely related through ownership by a parent company. This rule applies to all companies, not just financial institutions.
Third, the GLB Act flatly prohibits institutions from sharing account numbers or other similar identification numbers or codes with non-affiliated parties for the purposes of telemarketing, direct mail marketing, and marketing through e-mail solicitations.
Finally, the GLB Act requires financial institution regulators to establish standards to ensure the confidentiality and security of consumer records, protect against threats to the security of those records, and protect against unauthorized access to those records that could result in substantial harm or inconvenience to the consumer.
The GLB Act's sweeping definition of "financial institution" means any regulated financial company or business that engages in financial activities. It includes banks, bank holding companies, securities firms, insurance companies, insurance agencies, thrifts, credit unions, mortgage brokers, finance companies, and check cashers. In addition, because of the way GLB defines "financial activities," these protections will extend to travel agencies and may even apply to real estate brokers.
The GLB Act gave rulemaking and enforcement authority to the National Credit Union Administration, federal banking agencies, the Securities and Exchange Commission (SEC), the Treasury Department, and the Federal Trade Commission (FTC). Each of these entities was to issue implementing regulations by May 12, 2000, and they would be effective in November 2000, but they have been delayed. To date, these additional privacy regulations are over 100 pages long.
Under G-L-B Web page, PrivacyHeadquarters.com