By 1999, the invasion of our “personal spaces” from every direction had reached epidemic proportions in the USA. Americans were seeing their nonpublic personal information gathered and used without restriction or limitation to sell us consumer goods and services of every kind and description. Some early FTC Rules and Regulations were on the books. However, these Rules and Regulations were generally product specific and largely ineffective at protecting consumer privacy.

Congress responded in 1999 with the passage of the Gramm-Leach-Bliley Act (GLBA). The GLBA sets forth restrictions and requirements on consumer lenders and sellers with respect to their use of nonpublic personal information. Nonpublic personal information includes:

  • Personally identifiable financial information that a consumer provides to a creditor to obtain a financial product or service from the creditor; and
  • Any list, description, or other grouping of consumers that is derived using any personally identifiable financial information that is not publicly available.

The GLBA requires that we adopt a Privacy Policy that accurately, clearly and conspicuously describes the information sharing practices of the creditor with its affiliates, its vendors and nonaffiliated third parties. There are different rules for each type of relationship, and there are timing rules associated with delivery of a Privacy Notice to consumers.

Even with the existence of a GLBA model form, compliance with the law is still not so simple. The model form basically spells out the content of the Privacy Notice, and that is extremely helpful. But there are requirements that address the timing of the delivery of the Initial Privacy Notice as well as the Annual Privacy Notice. And then there are the confusing requirements when consumers have “opt-out rights,” depending upon the creditor's sharing practices with affiliates and nonaffiliated third parties.

We are all consumers. So, each of us has a stake in GLBA compliance.

Practice Pointer #1: Review your actual practices to make certain that you do not disclose nonpublic personal information except as permitted by your Privacy Policy.

Practice Pointer #2: Review your Privacy Policy to be certain that it complies with GLBA by addressing:

(i) when and how a consumer should receive a copy of the initial, annual and revised Privacy Notice;

(ii) how to manage consumer opt-out elections;

(iii) how to prevent unlawful disclosure of nonpublic personal information; and

(iv) how to address requests for nonpublic personal information from other entities and persons.