In the first part of our series, we covered the basics of GLBA Compliance. In this article, we turn our focus to the GLBA Privacy Rule.
The GLBA Privacy Rule stipulates that, for a company to be considered a GLBA financial institution, it must be "significantly engaged" in financial activities. All circumstances and facts of your corporate operations connected to financial activities must be taken into account to determine whether "significant engagement" is taking place.
FTC ‘Significantly Engaged’ Standard
This standard, created by the FTC, intends to exclude some auxiliary activities that the GLBA Privacy Rule could otherwise cover.
Two factors stand out as distinctly necessary to define "significant engagement" in financial activity, according to the FTC.
- First, it must be established whether there is a formal arrangement. For example, a retail company offering its consumers credit by issuing its own credit card would fall under the GLBA Privacy Rule. Conversely, a store owner who "runs a tab" for customers would not be considered significantly engaged in financial activities.
- Second, it must be determined how often the business engages in financial activities. For instance, a company that regularly transfers money to and from its consumers would be covered by the GLBA Privacy Rule. Conversely, a retailer that lets some consumers pay through an occasional layaway plan would not be significantly engaged.
Customers vs. Consumers
If your company is a financial institution, your responsibilities are directly tied to whether your clients are "consumers" or "customers."
Per the FTC's explanation, a consumer "is someone who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that person's legal representative."
Customers are "a subclass of consumers who have a continuing relationship with a financial institution. It's the nature of the relationship - not how long it lasts - that defines [a company's] customers."
Compliance with the GLBA Privacy Rule
As mentioned before, a privacy notice must be provided when a customer relationship is formed and every year after that. The notice must clearly explain what information is collected, with whom it is shared, how it is used, and what is done to protect it. It must also underline the customer's right to opt out of having that information shared with nonaffiliated third parties.
The GLBA Privacy Rule applies its protective provisions to a consumer's nonpublic personal information ("NPI"). NPI is any "personally identifiable financial information" about an individual that a financial institution collects in connection with providing financial products or services and that is not otherwise publicly available.
On the other hand, NPI does not include any information for which there is a reasonable basis to believe it is "publicly available" in accordance with the law.
The GLBA Privacy Rule mandates that financial institutions provide their consumers with "clear and conspicuous" notices, in writing, regarding privacy policies and practices. These annual privacy notices must be delivered "for as long as the customer relationship lasts." In accordance with the Privacy Rule, the privacy notices must include certain pieces of information including, but not limited to:
- NPI categories the company collects
- NPI categories the company discloses to third parties
- Company's policies for data confidentiality and data security
- Any and all Fair Credit Reporting Act (FCRA)-required disclosures
Financial institutions that share NPI with nonaffiliated third parties are also obliged to provide their consumers with opt-out notices. These opt-out notices must offer "reasonable means" for the consumer to choose not to have their NPI shared. Companies must also allow a "reasonable opportunity" for consumers to exercise this opt-out right; the FTC suggests, for example, a period of 30 days after the opt-out notice is delivered.
Redisclosing and Reusing NPI
In addition to the requirements that apply to NPI obtained directly from consumers, the GLBA Privacy Rule also sets requirements for cases in which a company obtains NPI from nonaffiliated third parties. The FTC notes that a financial institution's ability to redisclose and reuse NPI received in this way is "limited," with the specific limitations determined by "how the information is disclosed." Reach out to InnReg for further GLBA compliance support.
InnReg is a team of over 30 Regulatory Compliance and Innovation Consulting experts that has been helping fintechs succeed in highly regulated markets since 2013. InnReg specializes in mitigating regulatory risk while helping clients launch and grow innovative fintech products and services.