Privacy for Customer Contact Personnel

Select your form, based on the following:

(1) Whether you provide an opt out, (2) Whether you include affiliate marketing, and (3) Whether you use a mail-back form:

GDPR - General Data Protection Regulation - Defines "personal data" as:

1. Anything that could identify an individual - referred to as a "data subject" by the regulation - either on its own or when combined with other pieces of data. IP addresses, social media handles and many other pieces of information that an organization might collect fall under the scope of the rule.
2. The individual should have control over their data, such as the right to erasure—aka the 'right to be forgotten.'
3. Individual right to data portability, which refers to a data subject's right to request their data from a company and have that data transmitted to another data controller.
4. Grants individuals the right to access their data in a free, electronic format, and expands the notion of "privacy-by-design," which calls for companies to include data protection measures when designing their systems.

Privacy Related Laws FCRA - Fair Credit Reporting Act - Regulation V

1. Effective in 1971. Amended in 2003 by the Fair and Accurate Credit Transactions Act (FACTA).
2. Stipulates the rights consumers have regarding sharing their personal information between affiliated entities, for example a bank-owned insurance agency and a bank-owned mortgage company.
3. It does not prohibit sharing but allows a consumer to direct what type of information may be shared and for what purpose.
4. Stipulates the disclosures required to inform consumers of the sharing of information between affiliated entities for advertising and other purposes.
5. Whether a consumer's information may be shared with an affiliate, and whether or not the consumer has a right to "opt out" of such sharing.

Which Federal Laws have been enacted to help safeguard the privacy of personal financial information?

1. FCRA - Fair Credit Reporting Act
2. RFPA - Right to Financial Privacy Act
3. HIPAA - Health Insurance Portability and Accountability Act
4. COPPA - Children's Online Privacy Protection Act
5. GDPR - General Data Protection Regulation
6. GLBA - Gramm-Leach-Bliley Act

Privacy Related Laws HIPAA - Health Insurance Portability and Accountability Act

1. HIPAA became effective on August 21, 1996.
2. The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information.
3. HIPAA applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.
4. Banks have a special relationship with HIPAA: their mandate to comply depends entirely on what they do with information rather than on what information they receive, disclose, use or maintain.
5. The law is particular about the specific scope of activities that financial institutions can engage in and still enjoy the exemption from the HIPAA rules.

There are many activities that most banks, merchant service providers, and other financial institutions engage in to which HIPAA does not apply. HIPAA does apply, however, in cases such as the following:

1. If a bank processes "protected health information" (PHI) from a non-standard format into a standard electronic format for purposes of billing and claims payment, the bank is acting as a health care clearinghouse under HIPAA.
2. Banks can be considered "business associates" of covered entities—businesses such as financial institutions that perform services on behalf of covered entities are subject to HIPAA through contracts with covered entities.

How can an institution manage the practice of Privacy when defined as the term used to describe the issue of financial institutions selling customer information to other companies so that they may use that information for marketing?

1. Laws prohibit sharing of customer information unless specific conditions are met.
2. Laws allow sharing as long as the customer is given a choice whether the bank shares information, how much is shared, and with whom.
3. The Gramm-Leach-Bliley Act and its regulations apply to the sharing of information between bank affiliates and with the federal government.

GLBA - Gramm-Leach-Bliley Act or Financial Services Modernization Act.

1. Passed by Congress on November 12, 1999, it became effective in 2000. Title V of the GLBA requires financial institutions to safeguard the security and confidentiality of customers' nonpublic personal information.
2. All financial institutions must provide initial disclosures to their customers describing policies for collecting and disclosing nonpublic customer information. Annual notices must be provided unless certain conditions are met.
3. Safeguarding customer information is one of the hallmarks of banking and goes back centuries. Federal laws have been in place for decades to ensure the accuracy and prevent the misuse of personal financial information.

Privacy Related Laws RFPA - The Right to Financial Privacy Act

1. Passed in 1978, it protects the financial records of individuals from unwarranted access by the federal government.
2. RFPA applies to requests for bank records made by the federal government for individuals or partnerships of five or fewer individuals.
3. The Act only governs disclosures to the federal government, its officers, agents, agencies, and departments. It does not apply to private businesses or state or local governments.
4. Corporations, trusts, estates, unincorporated associations such as unions, and large partnerships are not subject to the protections of the RFPA.
5. Financial institutions may not release customer information to a federal government agency unless certain requirements are met, such as authorization from the customer, a subpoena, or a search warrant.

Privacy Related Laws COPPA - Children's Online Privacy Protection Act

1. Passed in 1998, COPPA took effect in April 2000. COPPA was created to protect the privacy of children under 13 and to address the rapid growth in the 1990s of websites (which may include banks) targeting children and collecting their personal data without parental knowledge or consent.
2. COPPA is managed by the Federal Trade Commission (FTC). It requires that site operators allow parents to review any information collected from their children, providing full access to all user records, profiles and log-in when requested. Parents may delete but not alter certain information.

Information Sharing - Opting out

A "reasonable means" by which the consumer can opt out includes, for example:
• A toll-free telephone number
• A detachable form with mailing information
• If the consumer has agreed to receive notices electronically, an electronic means such as a form that can be sent via e-mail or through the financial institution's website

Privacy Notice Rules 2

A Model Notice that banks can use was issued by the bank regulatory agencies on January 1, 2011. Although use of the Model is not mandatory, its use has become more important due to the revised annual notice requirements finalized in 2014. The Model replaces the Sample Clauses that were used when the Privacy Rule was first adopted. It is based on consumer testing, and banks that use it are granted certain protection, sometimes called a "safe harbor." In order to be eligible for that safe harbor, the Model Notice must be of a specific font and paper size, and must be formatted to comply with the Model standards. The privacy notice must be in a clear and conspicuous format.

When is a bank considered a business associate?

A bank or financial institution performing collection services, or any other type of services for a covered entity involving the transmission of protected health information, is a business associate and must comply with certain HIPAA requirements.

GDPR - General Data Protection Regulation. According to the European Commission, the GDPR applies to:

• A company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed;
• A company established outside the EU offering goods/services (paid for or for free) or monitoring the behavior of individuals in the EU.

Customer

A consumer with whom a financial institution has a continuing relationship.

Opt out

A consumer's right to deny a financial institution the ability to disclose any nonpublic personal information to certain nonaffiliated third parties.

COPPA

A law created to protect the privacy of children under 13

1. As required by the GLBA, the privacy notice must be given to individual customers at which two important times during the customer relationship?
A. At account opening and annually unless certain conditions are met
B. At account opening and with each loan application
C. Twice a year and when the customer requests online access
D. Monthly with each periodic statement or quarterly if a monthly statement is not provided

A. At account opening and annually unless certain conditions are met

2. Both GLBA and FCRA contain provisions that give a customer the right to opt out of sharing some information. Which statement concerning opt outs is true?
A. The customer only has one opportunity to exercise his or her opt out rights
B. If the customer does not opt out—either for Privacy Rules or for FCRA information sharing or marketing rules—the bank may share information
C. Under the GLBA, a customer's decision to opt out lasts for 3 years
D. Under the GLBA opt out, the opt out lasts indefinitely. If, on the other hand, a customer opts out from information sharing with affiliates under FCRA, that opt out is only good for two years (the bank may extend the two years as a matter of policy)

A. At account opening and annually unless certain conditions are met

Privacy and the GLBA

Alternative Delivery Mechanism

In 2014, the Consumer Financial Protection Bureau issued an amendment to the regulations that allowed a financial institution to post its privacy disclosure notice on its website provided a series of conditions were satisfied. That alternative delivery mechanism is still in place but is separate and apart from the provisions in the statute recently adopted by Congress through the FAST Act. Under the FAST Act, if the two conditions are met, no notice at all must be delivered. Essentially, the FAST Act has made the Bureau's alternative delivery mechanism no longer necessary.

FCRA section 624 allows:

An affiliate to use the information it has obtained from another affiliate within the corporate family for marketing purposes only if the customer has been provided with a clear, conspicuous, and concise notice and an opportunity to opt out from the sharing. Once a customer has elected against information sharing for marketing purposes, that election must be honored for five years.

Consumer

An individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes. It also means the legal representative of such an individual.

Privacy Rule

Annually means at least once in any period of 12 consecutive months during which that relationship exists. A bank may define the 12-consecutive-month period, but it must be applied on a consistent basis.

Glossary - Affiliate

Any company that controls, is controlled by, or is under common control with another company.

Nonaffiliated third parties

Any entity that is not an affiliate of, related by common ownership to, or affiliated by corporate control with, the financial institution; does not include a joint employee of such institution.

Public information

Any information for which there is a reasonable basis to believe it is lawfully made available to the general public from widely distributed media or from federal, state, or local government records.

Regulation V

Applies to banks that are members of the Federal Reserve. Implements the Fair Credit Reporting Act (FCRA) to promote fairness and accuracy and to protect the privacy of consumers with regard to information collected by credit reporting agencies. That information is used to determine a consumer's eligibility to receive certain products, such as credit to fund the purchase of a vehicle or home, or services, or even to assess employment candidacy.

Disclosure of information authorized by the customer such as providing a verification of deposit (VOE) form to a mortgage company

At the customer's request

In order for a bank to forego sending the annual privacy notice, which two requirements must a bank meet?
A) It must not have any affiliates
B) Has not changed its privacy notice since its most recent privacy notice to customers
C) Send a notice weekly to remind customers to review the notice
D) Not share customer information in a manner that provides the customer with opt-out rights

B and D are correct. A is incorrect because having affiliates does not impact the ability to take advantage of the annual notice exception. C is incorrect because the bank may forego the notice if it meets the statutory requirements.

Which statement is true concerning the availability of the privacy notice?

B) It must be in a form the customer can keep

What is a Business Associate?

Business associates are defined as entities performing a service on behalf of a covered entity. Some examples set forth in the federal regulations are claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; and billing.

Opt out exceptions

Consumers must be given the right to "opt out" of, or prevent, a financial institution from disclosing nonpublic personal information about them to a nonaffiliated third party, unless an exception to that right applies

GLBA - Gramm-Leach-Bliley Act

Consumers must provide their confidential personal information to businesses, such as banks, to obtain financial products and services. Privacy rules regulate how financial companies may share the personal information they receive, and federal law requires financial entities to tell customers how their information is collected, shared, and protected. Basically, though, these codify good banking practices.

Why is the difference between customers and consumers so important?

Customers

Only customers receive a financial institution's privacy notice automatically. Customers must receive the notice when the customer establishes a relationship with the bank and every year thereafter for as long as the customer relationship lasts.

Consumers

Consumers, on the other hand, are only entitled to receive your notice if your bank shares consumer information with unaffiliated third parties.

Other exceptions to meet legal or regulatory requirements

Disclosure of information such as reporting interest to the IRS or responding to a subpoena or court order

GSA - Glass-Steagall Act

Since many regulations have been instituted since the 1930s to protect bank depositors, GLBA was created to allow these financial industry participants to offer more services.

Due to the remarkable losses incurred as a result of 1929's Black Tuesday and Thursday, the Glass-Steagall Act was originally created to protect bank depositors from additional exposure to risk associated with stock market volatility. As a result, for many years, commercial banks were not legally allowed to act as brokers.

Communicating Benefits to Customers

Educating customers

Sometimes it is appropriate for financial institutions to share personal financial information among affiliates as well as with certain third parties. Part of your job is to understand how and why consumer information is shared so you can educate your customers and address any concerns they may have.

Privacy Related Laws GDPR - General Data Protection Regulation

Effective May 25, 2018, it is the European Union's (EU) regulation governing the use of personal data. It remains unclear what effect the rule will have on U.S. based banks offering banking products and services to European customers through internet banking websites; U.S. regulators have not yet issued any formal guidance on the GDPR for banks based in the U.S.

HIPAA

Establishes national standards to protect individuals' medical records and other personal health information

Since the FCRA notice on affiliate sharing is not subject to an annual requirement, the question is whether the most recent privacy notice section on affiliate sharing would be sufficient. It appears that it would since it meets all current expectations.

Even so, since the notice requirements of the two statutes are now separate, policies and procedures should be reviewed to be certain that the standards for meeting the notice and opt-out for affiliates are still in compliance. This would include a mechanism to ensure notice and an opportunity to opt out is provided to customers if and when information sharing with affiliates should change.

Which act requires a bank to allow customers to opt out of the sharing of their personal information with affiliates when that information is to be used for advertising purposes?

Fair Credit Reporting Act

What is Financial Privacy

Financial privacy is a blanket term for a multitude of privacy laws and issues:
1. There is no single law that governs privacy and security;
2. There is a collection of federal laws and regulations governing specific industries and practices as well as a variety of state laws.

What benefit of information sharing helps to address a customer's concern about identity theft?

Fraud detection. "We use customer information to recognize unusual behavior that may signal unauthorized use of your account. By helping to spot and prevent fraud, we help you protect yourself against identity theft."

GLBA (Gramm-Leach-Bliley Act)

GLBA was passed on the heels of commercial bank Citicorp's merger with the insurance firm Travelers Group. This led to the formation of the conglomerate Citigroup, which offered not only commercial banking and insurance services, but also lines of business related to securities. Its brands at this stage included Citibank, Smith Barney, Primerica, and Travelers. Citicorp's merger was a violation of the then-existing Glass-Steagall Act, as well as the Bank Holding Company Act of 1956. To allow the merger to take place, the U.S. Federal Reserve gave Citigroup a temporary waiver in September 1998—a precursor to Congress's passage of GLBA. Moving forward, other similar mergers would be fully legal. Repealing Glass-Steagall also removed the ban of "simultaneous service by any officer, director, or employee of a securities firm as an officer, director, or employee of any member bank."

Which act requires financial institutions to safeguard the security and confidentiality of customers' nonpublic personal information?

Gramm-Leach-Bliley Act

Privacy Rule

If a customer requests the notice by telephone, the bank must provide it within ten days of the request. As a general rule, banks must provide this notice not less than annually during the continuation of the relationship.

Not opting out

If the customer does not opt out—either for Privacy Rule or for FCRA information sharing or marketing rules—the bank may share nonpublic personal information with third parties and affiliates. The customer, however, may opt out at any time and that choice must be honored once it is made

Opting out and joint relationships

If two or more consumers jointly obtain a financial product or service from a bank, the bank may provide a single opt out notice. Any of the joint consumers may exercise the right to opt out

Select your form, based on the following 2:

If you provide an opt out and you want to include affiliate marketing, use Form 1.
If you provide an opt out and you do not want to include affiliate marketing, use Form 2.
If you do not provide an opt out and you want to include affiliate marketing, use Form 3.
If you do not provide an opt out and you do not want to include affiliate marketing, use Form 4.
If you provide an opt out, you want to include affiliate marketing, and you have a mail-back form, use Form 5.
If you provide an opt out, you do not want to include affiliate marketing, and you have a mail-back form, use Form 6.

FACTA - Fair & Accurate Credit Transactions Act

It is a law that protects the use and accuracy of consumer credit information.

How does GLBA define a financial institution?

It is defined as a company that offers financial products or services to individuals such as loans, checking accounts, safe deposit boxes, insurance, and investments. Banks are examined for compliance with this law by their federal regulators. The Privacy Rule applies to consumers and protects information collected about individuals; it does not protect information collected about business entities.

How do you define privacy?

It is often used as a short-hand reference to customer information and when that information may be shared with others. Although banks and other financial institutions are mindful of protecting the privacy and confidentiality of their customers' financial information, most privacy laws are really information sharing laws, regulating with whom and how a financial institution may share a customer's information.

How do banks determine if the GDPR applies?

Larger, internationally active global banks already know that this applies to them, but smaller U.S. based institutions may not realize it applies. For banks that are uncertain, a good first step is to conduct a privacy risk assessment to review the data they have for their customers, determine how many customers are in the EU, and whether they regularly do business or marketing with them. Community banks may find additional clarity from the EU's dedicated GDPR website: https://eugdpr.org/ To assist domestic U.S. banks with their assessment of whether GDPR may apply, ABA has developed a GDPR checklist that ABA member banks may access: https://www.aba.com/Tools/Function/RiskMgmt/Pages/gdpr.aspx

Privacy and the GLBA

NOTE: As of December 2015, current regulations have not yet been amended and nothing has been issued by the regulatory agencies. If a financial institution satisfies the two conditions in the FAST Act and has not changed its information sharing policies and procedures since the last notice AND only shares information under one of the existing statutory or regulatory exceptions, it can elect not to send the annual notice. Technically, this will not comply with current regulations but it is difficult to imagine an examiner citing the bank for a regulatory violation when the reg is inconsistent with the law.

Privacy and the GLBA

No Annual Privacy Notice Required. If a financial institution has not changed its policies and practices with respect to the disclosure of nonpublic personal information since its most recent privacy notice to customers and the financial institution only shares information under one of the existing statutory or regulatory exceptions for sharing information, it will no longer be required to send the annual privacy notice to consumers. (These exceptions are discussed later in this course.)

Regulation P Terminology

Nonpublic personal information: Personally identifiable financial information provided by a consumer to a financial institution or obtained by a financial institution.
Opt out: A consumer's right to deny a financial institution the ability to disclose any nonpublic personal information to certain nonaffiliated third parties.
Affiliate: Any company that controls, is controlled by, or is under common control with another company.
Nonaffiliated third party: Any entity that is not an affiliate of, or related by common ownership to, or affiliated by corporate control with, the financial institution; does not include a joint employee of such institution.

Privacy and the GLBA

On December 4, 2015, President Obama signed the Fixing America's Surface Transportation Act (FAST Act). Included in the legislation, now Public Law No. 114-94, is Title 75, which creates a new exception to the annual privacy notice requirement under the Gramm-Leach-Bliley Act of 1999. The change took effect December 4, 2015.

Processing and servicing transactions

Outside companies that provide essential services to the bank, such as processing transactions or ordering checks

Nonpublic personal information

Personally identifiable financial information, including account balances, payment history, and debit card purchases, that is:
• Provided by a consumer to a financial institution
• Resulting from any transaction with the consumer or any service performed for the consumer
• Obtained by the financial institution through any other means

Gramm-Leach-Bliley Act (GLBA) - 2000

Preserving the privacy of customer information is a core directive of Title V of the Gramm-Leach-Bliley Act (GLBA). Financial service providers need, and customers expect, strong privacy programs. This is essential to keeping a customer's trust and to complying with privacy and information security laws and regulations.

GDPR

Primary law regulating how companies protect EU citizens' personal data

Privacy for Customer Contact Personnel - Privacy Policy Notice Q & A

Q: I just received a privacy policy from my bank, stockbroker, insurance company, or other financial institution. What is this?
A: Title V of the Gramm-Leach-Bliley Financial Services Modernization Act requires that all financial institutions provide detailed annual disclosures to their customers describing their policies for collecting and disclosing nonpublic customer information.

Q: What information must be disclosed under the law?
A: Financial institutions are required to disclose the categories of nonpublic personal information that they collect and that might be shared. They must also disclose how information might be shared with affiliates or unrelated third parties. The notice also must give consumers specific details about how they can prevent having their information disclosed in certain circumstances.

Q: What is the difference between public and nonpublic personal information?
A: Public information means any information that is reasonable to believe is lawfully available to the general public from widely distributed media or from federal, state, or local government records. Nonpublic information includes a consumer's personally identifiable financial information, such as account balance information, payment history, or debit card purchase information.

Q: Do consumers receive disclosures from each financial institution with which they do business?
A: Yes. The act requires that all financial service companies disclose their privacy policies to each consumer. Consumers with relationships in multiple financial service companies will receive disclosures from each financial service company with which they do business. The law also requires that privacy disclosures be made annually.

Q: Do small business and commercial customers receive these disclosures?
A: The law applies only to individual consumers for their personal, family, and household accounts. It does not require that disclosures be made to business customers.

Q: How can consumers reduce the amount of direct mail they receive?
A: Consumers can write to the following agencies.
For advertising received by mail, write to: Mail Preferences Service, C/O Direct Marketing Association, P. O. Box 9008, Farmingdale, NY 11735-9008
For advertising received via telephone, write to: Telephone Preference Service, C/O Direct Marketing Association, P. O. Box 9014, Farmingdale, NY 11735-9014
If consumers wish to have their name taken off all pre-approved credit solicitations, they can write to the following credit reporting bureaus or call 1-888-5OPTOUT (888-567-8688) and include their full name, current address, social security number, and telephone number:
• Experian, Consumer Opt-Out, P. O. Box 919, Allen, TX 75013
• Equifax, Inc., Options, P. O. Box 740123, Lincoln, NE 68521
• Trans Union Corporation, Name Removal Option, P. O. Box 97328, Jackson, MS 39288-7328

ABA course content does not provide, nor is it intended to substitute for, professional legal advice. © 5/2019 American Bankers Association

Example

Really Safe Bank provides its privacy notice annually and has defined its 12-month period as a calendar year. If a customer opens an account on any day of year one, the bank must provide an annual notice to that customer by Dec 31 of year two.

GLBA

Requires financial institutions to safeguard the security and confidentiality of customers' nonpublic personal information

Communicating Benefits to Customers

Research shows that the more consumers know about the benefits of information sharing, the more accepting they are of the practice. How you communicate your institution's privacy policies will affect your customers' comfort level. Consumers may be more receptive to sharing when you use the phrase "family of companies" rather than the term "affiliates."

Service providers that perform services for the financial institution or function on its behalf, including marketing the institution's own products or services

Service providers and joint marketing

Privacy notice - Special notice

Special rule for loans: You establish a customer relationship with a consumer when you originate or acquire the servicing rights to a loan to the consumer for personal, family, or household purposes. If you subsequently transfer the servicing rights to that loan to another financial institution, the customer relationship transfers with the servicing rights.

FCRA

Stipulates disclosures required to inform consumers regarding the sharing of information between affiliated entities for advertising and other purposes

Glass-Steagall Act

The 1933 Glass-Steagall Act drew a distinct line between the banking industry and the investment industry, forbidding a financial institution to be both a bank and a brokerage, in effect.

The rules pertaining to the sharing of information with affiliates, and the use of that information by affiliates for marketing purposes, fall under which act?

The Fair Credit Reporting Act and not the GLBA privacy rules. However, the privacy regulations require that this information be included in the privacy notice.

Opt out exceptions

The GLB Act provides specific exceptions under which a financial institution may share customer information with a third party and the consumer may not opt out. When Congress adopted the Gramm-Leach-Bliley Act, it understood that there are times when information must be shared. Because of this, the law ensures banks can share NPPI about consumers and customers even though they have opted out.

The Gramm-Leach-Bliley Act (GLBA) is more than a consumer privacy law. For instance, the primary goal of the statute was to let banks, securities brokerages, and insurance companies combine as one company.

The GLBA was an attempt to update and modernize the financial industry. The GLBA is best known for repealing the Glass-Steagall Act of 1933, which stated that commercial banks were not allowed to offer financial services, like investments and insurance-related services, as part of normal operations.

Privacy notice - Annual notice

The Gramm-Leach-Bliley Act (GLBA) generally requires that financial institutions send annual privacy notices to customers. These notices must describe whether and how the financial institution shares consumers' nonpublic personal information. If the institution does share this information with an unaffiliated third party, it typically must notify consumers. Banks found that the cost of mailing a privacy notice each year was very expensive and caused information overload for consumers.

Opting out and joint relationships

The bank may either: (i) Treat an opt out direction by a joint consumer as applying to all of the associated joint consumers; or (ii) Permit each joint consumer to opt out separately. If the bank permits joint consumers to opt out separately, the bank must permit one of the joint consumers to opt out on behalf of all of the joint consumers. A bank may not require all joint consumers to opt out before the bank implements any opt out direction.

The Privacy Rule requires financial institutions to disclose the institution's policies and practices with respect to the following information:

• The categories of nonpublic personal information the bank collects
• The categories of nonpublic personal information the bank discloses
• The categories of affiliates and nonaffiliated third parties to whom the bank discloses information (there are some exceptions that do not have to be included)
• Under what circumstances and how a consumer can limit sharing of information (opt out)
• How the bank protects nonpublic personal information

Privacy Notice Rules

The privacy notice must be given to individual customers or consumers at two important times during the customer relationship. It must be provided at account opening, and it must be provided annually as long as the individual is a customer of the bank and if certain conditions are met. (It also must be provided upon request.)

Defining Privacy

The term "privacy" is often used as a short-hand reference to customer information and when that information may be shared with others. While banks and other financial institutions are mindful of protecting the privacy and confidentiality of their customers' financial information, most privacy laws are really information sharing laws, regulating with whom and how a financial institution may share a customer's information.

Relation to state laws

There are some states that have passed privacy laws that are more protective than the federal law. Customers and consumers living in those states are protected by the applicable state law when it provides better protection. For example, some states enacted an "opt-in" standard, which requires affirmative customer consent for sharing customer data in certain instances. The state laws impacting customers in those states must be disclosed in the "other important information" section on page 2 of the Model notice. One such example is the California Consumer Privacy Act (CCPA), enacted in 2018. The CCPA was enacted very quickly and without adequate discussion or time to fully understand the consequences. This law is very broad and will be subject to interpretation in implementing regulations; therefore, its full impact is uncertain. In addition, other states are already considering adopting privacy laws similar to—if not modeled on—the CCPA, and this will exacerbate the existing patchwork of different, and often inconsistent, state privacy and data breach laws.

Sharing information with affiliates

There are three types of information sharing. The first two, which you learned about in Module 1, involve the ability of the customer to opt out of sharing nonpublic personal information with affiliates for marketing purposes and the sharing of third party information with affiliates. If the bank shares or wishes to share under either of these circumstances, the bank must give the customer the right to opt out of such sharing.

Not opting out

Under the GLBA, a customer's decision to opt out lasts indefinitely or until it is revoked by the customer. If, on the other hand, a customer opts out from information sharing with affiliates under FCRA, that opt out is only good for five years (the bank may extend the five years as a matter of policy).

Privacy notice - Initial notice

When an existing customer obtains a new financial product or service from you that is to be used primarily for personal, family, or household purposes, you may provide a revised privacy notice that covers the customer's new financial product or service. Alternatively, if the initial, revised, or annual notice that you most recently provided to that customer was accurate with respect to the new financial product or service, you do not need to provide a new privacy notice.

Sharing information with affiliates

When the privacy rule was initially adopted in June 2000, it included an opt out right for certain information sharing under GLBA. At the same time, for convenience, the federal banking agencies determined that it made sense to include the notice and opt out rights for information sharing with affiliates, which is governed by FCRA, even though the FCRA notice and opt out does not require annual notice. In updating the privacy rule, the Bureau has determined that information sharing under FCRA does not impact the ability of the bank to take advantage of the exception from sending annual privacy notices.

Sharing information with affiliates

While the law changes the annual notice requirement under GLBA, the FAST Act did not change the provisions that apply to information sharing with affiliates. However, FCRA does not require an annual notice.

Dec31_calendar

You are not required to provide an annual notice to a former customer. If a customer closes an account or the bank sells a loan and the servicing rights to another entity, that individual is no longer a customer of the bank for the purposes of receiving the annual privacy notice. (However, the information the bank obtained during the customer relationship must continue to be protected in accordance with your privacy policy.)

FCRA section 603 allows a financial institution to share:

a customer's transaction and experience information with an affiliate in any instance, and the customer does not have the right to opt out from that information sharing. Section 603 also allows an affiliate to share other customer information, including information about creditworthiness, with another affiliate, but only if the consumer is given notice and an opportunity to opt out.

How does the GLBA define customer and consumer?

A customer is a consumer with a continuing relationship with a financial institution. Generally, if the relationship between the financial institution and the individual is significant and/or long-term, the individual is a customer of the institution. The difference is important because it tells us which rules apply. A consumer is an individual who obtains or has obtained a financial product or service from a financial institution for personal, family, or household reasons.

Sharing information with affiliates

The GLBA Privacy Rule does not address the sharing of information with affiliates—this notice and the opt-out are required by the Fair Credit Reporting Act (FCRA). The Model Notice now used by many banks includes this information as part of the model. The FCRA opt out is generally provided as part of the Model Notice, but it can be given separately if a bank does not use the Model.

While COPPA does not specifically define how website operators should obtain parental consent, the FTC has established guidelines to help website operators ensure compliance:

• Clear display of downloadable consent forms that may be mailed or faxed to the operator
• Require that a parent use a credit card authenticating age and identity
• Require that a parent call a toll-free phone number
• Acceptance of email from a parent including a digital signature

Title V of the GLBA - Title V, the Privacy Rule, requires banks to take the following actions:

• Have a written privacy policy
• Ensure that the bank's privacy policy is communicated throughout the organization
• Give customers a written notice of the bank's privacy policy both when the customer establishes a relationship with the bank, and annually thereafter unless certain conditions are met
• Give customers the right to prevent a financial institution from disclosing nonpublic personal information about them to nonaffiliated third parties by opting out from that disclosure after notice and a reasonable opportunity to exercise the option

Privacy for Customer Contact Personnel

• Provided by a consumer to a financial institution
• Resulting from any transaction with the consumer or any service performed for the consumer
• Obtained by the financial institution through any other means
