Greenberg Traurig Alert
Federal Banking Agencies Release Final Consumer Privacy Rule
June 2000
By Carlos E. Loumiet, Gilbert L. Rudolph and Carl
A. Fornaris
On June 1, 2000, the Federal Deposit Insurance Corporation, the Office of the
Comptroller of the Currency, the Office of Thrift Supervision, and the Federal Reserve
(collectively, the "Federal Banking Agencies") published their long-awaited
joint final rule (the "Rule") implementing the financial privacy provisions of
the Gramm-Leach-Bliley Act signed into law by President Clinton in November 1999.
Separately, on May 24, 2000, the Federal Trade Commission (the "FTC") issued a
final rule substantially similar to the Rule published by the Federal Banking Agencies.
The Federal Banking Agencies Rule generally applies to national banks, state banks,
federal and state thrifts, and credit unions. The FTC rule, on the other hand, generally
applies to non-bank lenders, loan brokers, collection agencies, financial advisers, and
property appraisers.
The Rule's main objectives are to limit the circumstances under which a financial
institution may disclose "nonpublic personal information" about one of its
customers to non-affiliated third parties and to allow consumers to prohibit a financial
institution from divulging nonpublic personal information to most non-affiliated third
parties. The Rule culminates a rulemaking proceeding that began in March during which the
agencies received approximately 8,000 comment letters. The Rule becomes effective November
13, 2000. Compliance with the Rule, however, will remain voluntary until July 1, 2001, at
which time compliance becomes mandatory.
The Rule, among other things, requires a financial institution to fulfill three
requirements:
(1) provide consumers with notice about the institution's privacy policies and
practices; (2) describe the conditions under which the financial institution may disclose
nonpublic personal information about consumers to non-affiliated third parties; and (3)
permit consumers to "opt out" of disclosure, thereby preventing an institution
from sharing the consumer's nonpublic personal information with certain
non-affiliated third parties.
A summary of the Rule's major provisions follows.
1. Relevant Terms. The new Rule defines the following terms:
- A financial institution is any institution whose business engages, directly or
indirectly, in financial activities as described in Section 4(k) of the Bank Holding
Company Act of 1956 (e.g., banks, bank holding companies, lenders, collection
agencies, loan brokers, financial advisors, real estate settlement services, property
appraisers, and the like).
- Nonpublic personal information consists of personally identifiable information
and any list, description, or grouping of consumers that is a by-product of personally
identifiable information that is not "publicly available." In other words, the
disclosure of a financial institution customer's publicly available information is
not restricted by the Rule.
- Publicly available information is any information that the institution has a
reasonable basis to believe is lawfully available to the general public from specific
public sources outlined in the Rule.
2. Initial Privacy Notice. Under the Rule, a financial
institution must present a consumer with a clear and conspicuous notice that outlines the
institution's privacy policies and practices no later than when a customer
relationship is established. Consequently, once a continuing relationship is established
with a consumer, the consumer becomes a customer and the institution must issue the
customer a privacy notice. The institution, however, may provide a "short-form"
initial notice to a consumer that does not become a customer, as long as the initial
notice states that a privacy notice is available upon request and sets forth a reasonably
convenient manner in which to obtain the privacy notice.
3. Revised Privacy Notices. Before a financial institution
discloses the nonpublic personal information of an existing customer, it must be certain
that the privacy notice issued to that customer is accurate and up-to-date. If the
policies or practices of the institution have changed, then prior to any disclosure to a
third party the institution must provide the customer with a revised privacy notice. The
Rule, however, creates an exception for disclosures made to a new non-affiliated third
party that the institution adequately described in its prior privacy notice. Additionally,
the Rule does not require the issuance of a revised notice when providing an existing
customer with a new financial service or product as long as the initial notice requirement
was satisfied and the notice accurately reflected the situation with regard to the new
service or product.
4. Joint Account Holders. A single privacy notice may be issued
to joint account holders - unless otherwise requested by any other account holder in a
joint account - with the understanding that an election to opt out by any account holder
will be representative of the decision of all account holders.
5. Annual Privacy Notice. At least once during any twelve-month
consecutive period, a financial institution is required to provide the customer a privacy
notice that accurately reflects the institution's policies and practices. For
purposes of issuing this notice, the institution may define the twelve-month period in
question, so long as the customer is furnished at least one privacy notice in each
calendar year (i.e., by December 31st) following the calendar year in which the
initial notice was provided. Further, an institution is not obligated to provide an annual
notice to a former customer.
6. Elements of a Privacy Notice. The initial, annual, and
revised privacy notices must include, among other things, the following information:
- the categories of nonpublic personal information that the institution collects;
- the categories of nonpublic personal information that the institution discloses;
- the categories of affiliated and nonaffiliated third parties to
whom the institution discloses nonpublic personal information, subject to exceptions;
- an explanation of the consumer's right to opt out of the disclosure; and
- the institution's policies and practices concerning the protection of
confidentiality and the security of nonpublic personal information.
7. Delivery of Privacy and Opt Out Notices. Any privacy, opt
out, or short-form notice must be issued in a manner that the institution reasonably
expects the consumer to receive actual notice in writing or, if the consumer consents,
electronically (e.g., by e-mail).
8. Limits On Disclosures. Before a financial institution may
disclose a consumer's nonpublic personal information to a non-affiliated third party,
it must have satisfied the following key conditions:
- Provided the customer an initial privacy notice;
- Provided the customer an "opt out" notice;
- Given the customer a reasonable opportunity to opt out of the disclosure; and
- Made certain the customer did not opt out.
9. Application of Rule to Affiliated Third Parties. The Rule
generally applies only to non-affiliated third parties. Thus, a financial
institution may disclose nonpublic personal information to its affiliates, but its
affiliates may only disclose and use the information to the extent already permitted by
the Fair Credit Reporting Act of 1970, as amended.
10. Effective Date. The Rule is effective November 13, 2000.
However, in order to give financial institutions sufficient time to create and implement
policies and procedures that comply with the Rule, the Federal Banking Agencies made
compliance voluntary until July 1, 2001. Moreover, if prior to the issuance of the Rule a
financial institution has entered into a contract with a non-affiliated third party where
the third party is a service provider or joint marketer, then the institution need not
satisfy the opt out requirements until July 1, 2002. The preceding exemption applies to
institutions even if the contract between the institution and the non-affiliated third
party does not include a clause safeguarding the confidentiality of nonpublic personal
information.
© 2000 Greenberg Traurig
This GT ALERT is issued for informational purposes only and is not intended
to be construed or used as general legal advice. Greenberg Traurig attorneys provide
practical, result-oriented strategies and solutions tailored to meet our clients’
individual legal needs.
This GT ALERT was drafted with the assistance of Mark A. Lopez.