Greenberg Traurig Alert
Federal Banking Agencies Release Final Consumer Privacy Rule
By Carlos E. Loumiet, Gilbert L. Rudolph and Carl
View or download the PDF version of this Alert here.
On June 1, 2000, the Federal Deposit Insurance Corporation, the Office of the
Comptroller of the Currency, the Office of Thrift Supervision, and the Federal Reserve
(collectively, the "Federal Banking Agencies") published their long-awaited
joint final rule (the "Rule") implementing the financial privacy provisions of
the Gramm-Leach-Bliley Act signed into law by President Clinton in November 1999.
Separately, on May 24, 2000, the Federal Trade Commission (the "FTC") issued a
final rule substantially similar to the Rule published by the Federal Banking Agencies.
The Federal Banking Agencies Rule generally applies to national banks, state banks,
federal and state thrifts, and credit unions. The FTC rule, on the other hand, generally
applies to non-bank lenders, loan brokers, collection agencies, financial advisers, and
The Rules main objectives are to limit the circumstances under which a financial
institution may disclose "nonpublic personal information" about one of its
customers to non-affiliated third parties and to allow consumers to prohibit a financial
institution from divulging nonpublic personal information to most non-affiliated third
parties. The Rule culminates a rulemaking proceeding that began in March during which the
agencies received approximately 8,000 comment letters. The Rule becomes effective November
13, 2000. Compliance with the Rule, however, will remain voluntary until July 1, 2001, at
which time compliance becomes mandatory.
The Rule, among other things, requires a financial institution to fulfill three
(1) provide consumers with notice about the institutions privacy policies and
practices; (2) describe the conditions under which the financial institution may disclose
nonpublic personal information about consumers to non-affiliated third parties; and (3)
permit consumers to "opt out" of disclosure, thereby preventing an institution
from sharing the consumers nonpublic personal information with certain
non-affiliated third parties.
A summary of the Rules major provisions follows.
1. Relevant Terms. The new Rule provides the following terms:
- A financial institution is any institution whose business engages, directly or
indirectly, in financial activities as described in Section 4(k) of the Bank Holding
Company Act of 1956 (e.g., banks, bank holding companies, lenders, collection
agencies, loan brokers, financial advisors, real estate settlement services, property
appraisers, and the like).
- Nonpublic personal information consists of personally identifiable information
and any list, description, or grouping of consumers that is a by-product of personally
identifiable information that is not "publicly available." In other words, the
disclosure of a financial institution customers publicly available information is
not restricted by the Rule.
- Publicly available information is any information that the institution has a
reasonable basis to believe is lawfully available to the general public from specific
public sources outlined in the Rule.
2. Initial Privacy Notice. Under the Rule, a financial
institution must present a consumer with a clear and conspicuous notice that outlines the
institutions privacy policies and practices no later than when a customer
relationship is established. Consequently, once a continuing relationship is established
with a consumer, the consumer becomes a customer and the institution must issue the
customer a privacy notice. The institution, however, may provide a "short-form"
initial notice to a consumer that does not become a customer, as long as the initial
notice states that a privacy notice is available upon request and sets forth a reasonably
convenient manner in which to obtain the privacy notice.
3. Revised Privacy Notices. Before a financial institution
discloses the nonpublic personal information of an existing customer, it must be certain
that the privacy notice issued to that customer is accurate and up-to-date. If the
policies or practices of the institution have changed, then prior to any disclosure to a
third party the institution must provide the customer with a revised privacy notice. The
Rule, however, creates an exception for disclosures made to a new non-affiliated third
party that the institution adequately described in its prior privacy notice. Additionally,
the Rule does not require the issuance of a revised notice when providing an existing
customer with a new financial service or product as long as the initial notice requirement
was satisfied and the notice accurately reflected the situation with regard to the new
service or product.
4. Joint Account Holders. A single privacy notice may be issued
to joint account holders - unless otherwise requested by any other account holder in a
joint account - with the understanding that an election to opt out by any account holder
will be representative of the decision of all account holders.
5. Annual Privacy Notice. At least once during any twelve-month
consecutive period, a financial institution is required to provide the customer a privacy
notice that accurately reflects the institutions policies and practices. For
purposes of issuing this notice, the institution may define the twelve-month period in
question, so long as the customer is furnished at least one privacy notice in each
calendar year (i.e., by December 31st) following the calendar year in which the
initial notice was provided. Further, an institution is not obligated to provide an annual
notice to a former customer.
6. Elements of a Privacy Notice. The initial, annual, and
revised privacy notices must include, among other things, the following information:
- the categories of nonpublic personal information that the institution collects;
- the categories of nonpublic personal information that the institution discloses;
- the categories of affiliated and nonaffiliated third parties to
whom the institution discloses nonpublic personal information, subject to exceptions;
- an explanation of the consumers right to opt out of the disclosure; and
- the institutions policies and practices concerning the protection of
confidentiality and the security of nonpublic personal information.
7. Delivery of Privacy and Opt Out Notices. Any privacy, opt
out, or short-form notice must be issued in a manner that the institution reasonably
expects the consumer to receive actual notice in writing or, if the consumer consents,
electronically (e.g., by e-mail).
8. Limits On Disclosures. Before a financial institution may
disclose a consumers nonpublic personal information to a non-affiliated third party,
it must have satisfied the following key conditions:
- Provided the customer an initial privacy notice;
- Provided the customer an "opt out" notice;
- Given the customer a reasonable opportunity to opt out of the disclosure; and
- Made certain the customer did not opt out.
9. Application of Rule to Affiliated Third Parties. The Rule
generally applies only to non-affiliated third parties. Thus, a financial
institution may disclose nonpublic personal information to its affiliates, but its
affiliates may only disclose and use the information to the extent already permitted by
the Fair Credit Reporting Act of 1970, as amended.
10. Effective Date. The Rule is effective November 13, 2000.
However, in order to give financial institutions sufficient time to create and implement
policies and procedures that comply with the Rule, the Federal Banking Agencies made
compliance voluntary until July 1, 2001. Moreover, if prior to the issuance of the Rule a
financial institution has entered into a contract with a non-affiliated third party where
the third party is a service provider or joint marketer, then the institution need not
satisfy the opt out requirements until July 1, 2002. The preceding exemption applies to
institutions even if the contract between the institution and the non-affiliated third
party does not include a clause safeguarding the confidentiality of nonpublic personal
© 2000 Greenberg Traurig
This GT ALERT is issued for informational purposes only and is not intended
to be construed or used as general legal advice. Greenberg Traurig attorneys provide
practical, result-oriented strategies and solutions tailored to meet our clients’
individual legal needs.
This GT ALERT was drafted with the assistance of Mark A. Lopez.