By 1999, the invasion of our “personal spaces” from every direction had reached epidemic proportions in the USA. Americans were seeing their nonpublic personal information gathered and used without restriction or limitation to sell us consumer goods and services of every kind and description. Some early FTC Rules and Regulations were on the books. However, these Rules and Regulations were generally product-specific and largely ineffective at protecting consumer privacy.
Congress responded in 1999 with the passage of the Gramm-Leach-Bliley Act (GLBA). The GLBA sets forth restrictions and requirements on consumer lenders and sellers with respect to their use of nonpublic personal information. Nonpublic personal information includes:
- Personally identifiable financial information that a consumer provides to a creditor to obtain a financial product or service from the creditor; and
- Any list, description, or other grouping of consumers that is derived using any personally identifiable financial information that is not publicly available.
Even with a GLBA model form, compliance with the law is still not simple. The model form spells out the content of the Privacy Notice, which is extremely helpful. But there are also requirements that address the timing of the delivery of the Initial Privacy Notice as well as the Annual Privacy Notice. And then there are the confusing requirements that apply when consumers have “opt-out rights,” depending upon the creditor's sharing practices with affiliates and nonaffiliated third parties.
We are all consumers. So, each of us has a stake in GLBA compliance.
(i) when and how a consumer should receive a copy of the initial, annual and revised Privacy Notice;
(ii) how to manage consumer opt-out elections;
(iii) how to prevent unlawful disclosure of nonpublic personal information; and
(iv) how to address requests for nonpublic personal information from other entities and persons.