By July 1, 2001, financial institutions must send privacy notices to all current customers who obtain financial products or services primarily for personal, family or household purposes. The new Federal Trade Commission ("FTC") rules are broad, and Internet and other technology companies that deal directly with consumers may be covered if they furnish or process financial, banking or economic information for individual consumers.
The notices are required by federal financial privacy rules issued under the 1999 "Gramm-Leach-Bliley" financial services modernization law (the "GLB Act"). The GLB Act implements the familiar privacy principles of notice, access, choice and security, as discussed in our May 2, 2000 Internet Alert, with respect to nonpublic personal information obtained by financial institutions. The law applies to a broadly-defined class of "financial institutions" that extends far beyond traditional financial service providers.
The FTC and several other federal regulatory agencies have issued privacy rules under the GLB Act. The FTC rules cover businesses that are not subject to the jurisdiction of another federal financial regulatory agency, and apply to any such business that is "significantly engaged" in providing individual consumers with products or services that are considered "financial" under federal banking law. This includes activities such as extending credit; credit reporting; providing economic or investment advice or planning; tax preparation; debt collection; and real estate leasing, appraisal and settlement services.
While many businesses may qualify as financial institutions, only those that have "consumers" or "customer relationships" are required to comply with the new disclosure requirements. An individual is considered a "consumer" when he or she fills out an application to obtain a financial service, regardless of whether the application is accepted and the service is rendered.
Privacy Notices. The required privacy notices must state what nonpublic personally-identifiable information is collected, what information is disclosed to affiliated or nonaffiliated third parties, how a consumer may prevent disclosures to nonaffiliated third parties, and how the information is kept secure and confidential. There are three types of required notices:
- Initial notice to customers. Consumers who currently have a continuing relationship with a financial institution must be sent privacy notices by July 1, 2001. After July 1, new customers must generally receive this privacy notice when the customer relationship begins.
- Initial notice to non-customer consumers. Consumers who do not have a continuing customer relationship must receive a privacy notice before nonpublic personal information is disclosed to a nonaffiliated third party, such as an outside marketing firm.
- Annual notice to customers. Privacy notices, updated as appropriate, must be sent annually for as long as a continuing customer relationship exists.
Privacy notices may be issued electronically if the recipient conducts transactions electronically and the consumer is required to acknowledge receipt of the notice. Annual notices may be posted on a web site for customers who agree to view notices at the site.
Consumer Choice. Nonpublic personal information generally may not be provided to nonaffiliated third parties unless the notice contains an "opt-out" provision enabling a consumer to block information sharing. There are significant exceptions to this opt-out requirement:
- Information may be disclosed as necessary to conduct a transaction requested or authorized by a consumer, and for certain other purposes such as fraud prevention, dispute resolution and regulatory compliance.
- Information may be disclosed under joint marketing agreements or under contracts with service providers who agree to use the data for a specific limited purpose.
Violations of the FTC rules may constitute "unfair" or "deceptive" commercial practices and subject the offender to compliance orders and fines of up to $10,000 per violation. Businesses regulated by other federal agencies, such as the Securities and Exchange Commission, Federal Reserve Board or Federal Deposit Insurance Corporation, are subject to comparable GLB Act privacy rules issued by those agencies. Individual states may also implement their own privacy requirements, and the federal rules will not preempt state laws that provide greater protection to their consumers.
The GLB Act illustrates the continuation of the federal government's "sectoral" approach toward personal data privacy. Like the Children's Online Privacy Protection Act (discussed in our February 11, 2000 Internet Alert) and the recently-adopted health data privacy standards (discussed in our May 31, 2001 Internet Alert), the GLB Act rules will require an entire industry sector to adopt mandatory notice-and-consent procedures for protecting personal privacy. On the other hand, the GLB Act rules do not actually prohibit any current data practice, as long as sufficient notice and choice are provided in the required privacy statement. It remains to be seen whether and how these federal standards will affect the public's perception of privacy and its acceptance of commercial uses of personal information.