Privacy Notices: Is GLB Compliance Enough?

LeBoeuf, Lamb, Greene & MacRae LLP
Contributor
LeBoeuf, Lamb, Greene & MacRae LLP
United States Tax

As financial institutions get to the specifics of drafting privacy policies, many are coming face-to-face with the fact that GLB and its various implementing regulations are not the only laws that impose obligations concerning the privacy of consumer information. Other statutes, both federal and state, also impose obligations, and these various obligations are not always consistent. Financial service providers in the throes of drafting GLB privacy policy notices need to consider the extent to which it is mandatory or advisable to address all such obligations in one notice.

Two prime examples are the Federal Fair Credit Reporting Act ("FCRA") and state statutes modeled on the 1982 NAIC Insurance Information and Privacy Protection Model Act ("Model Act"). Both have been around for a number of years. FCRA was first enacted in 1970, with substantial amendments in 1996. The Model Act was adopted in 1980 and amended in 1982, and fifteen states have enacted it. Two other states, Kansas and Wisconsin, enacted limited portions of the Model Act, and Hawaii enacted a similar law in 1988, but repealed it in 1993. To date, however, neither FCRA nor the Model Act has been widely utilized as a vehicle for protecting generalized informational privacy concerns. With the current prominence of consumer informational privacy issues and the looming deadline for GLB privacy compliance, however, both are receiving considerable attention from consumers and financial institutions alike.

GLB: Notice And Opt Out

GLB requires, in brief, that financial institutions notify customers of their policies and practices concerning collecting, using, and sharing customer information at the inception of the customer relationship and annually thereafter. Under GLB, financial institutions must provide customers with the opportunity to opt out of information sharing with non-affiliated third parties that is not within one of GLB’s express exceptions ("GLB opt out"). In addition, GLB expressly requires that GLB privacy notices contain certain disclosures if required by FCRA, discussed below.

FCRA: Two Opt Outs

FCRA applies to the circulation by "consumer reporting agencies" of "consumer reports." A consumer reporting agency is, in essence, an entity that assembles or evaluates consumer information for the purpose of furnishing consumer reports to third parties. A consumer report is basically consumer information disclosed by a consumer reporting agency which was collected or used to determine a consumer’s eligibility for credit or insurance, employment, or any other permissible purpose under FCRA. The two definitions are circular and interdependent: a "consumer report" is certain information collected by a consumer reporting agency, and a consumer reporting agency is an entity that collects and circulates consumer report information. Under FCRA, a consumer reporting agency may circulate consumer report information only for specified permissible purposes, and is subject to all of FCRA’s requirements concerning, among other things, consumer access and the right to request correction of individual information. However, significant information is excluded from the definition of consumer report. First, "experience" or "transaction" information is excluded, and thus under FCRA can be shared freely with affiliates and non-affiliates alike. (Note, however, that GLB, which does not recognize an experience/transaction exception, prohibits sharing this information with non-affiliated third parties unless such sharing is within one of GLB’s exceptions or a GLB opt out has been provided.)

Second, as to affiliate sharing, any consumer information is excepted from the definition of consumer report to the extent that the collecting entity notifies its customers that it shares such information with affiliates and gives customers an opportunity to opt out of such sharing ("consumer report opt out"). If a financial institution shares customer information other than its own experience and transaction information with its affiliates, GLB requires that the consumer report opt out be included in the institution’s GLB privacy notice. The consumer report opt out permits consumer information to flow freely among affiliates. Thus, depending on a company’s information sharing practices, it is possible that its GLB privacy notice must contain either or both the GLB opt out from sharing with non-affiliated third parties and the FCRA consumer report opt out from sharing with affiliates. Of course, a company has no obligation to provide either opt out if it does not share.

FCRA contains another notice and opt out requirement. A consumer reporting agency may disclose certain consumer report information in connection with a credit or insurance transaction not initiated by the consumer if the consumer reporting agency has given the consumer the opportunity to opt out and the consumer has not done so ("prescreening opt out"). This provision provides for pre-screening of customer information for marketing purposes. Thus, for example, an insurance company might seek from a bank a list of all its individual customers with bank balances over $100,000 for the purpose of offering them insurance products. The information that may be shared pursuant to the prescreening opt out is limited to name, address, and other information that does not identify the relationship of the consumer with the reporting entity. GLB does not require that this opt out be included in the GLB privacy notice. However, GLB does not modify, amend, or supersede FCRA. Therefore, financial institutions that share information that is within GLB’s joint marketing exception must evaluate the extent to which that information might also be subject to FCRA’s prescreening opt out requirement. If there is overlap, the company should consider whether it would be most efficient to include the prescreening opt out in the GLB notice as well.

Model Act: Opt-In

GLB expressly reserves the rights of states to enact laws relating to consumer informational privacy that are more restrictive than GLB. The Model Act arguably falls within that category. Among other things, the Model Act requires insurance institutions and agents, in connection with insurance applications and policy renewals, to provide all policyholders and applicants with written notice of their information practices, give customers access to the company’s files concerning the customer, and consider customer requests for correction of inaccurate information in those files.

It also prohibits the disclosure of personal or privileged information except in eighteen specified circumstances. Significantly, personal/privileged information can be disclosed if the individual affirmatively agrees, i.e., opts in, to such information disclosure. The Model Act specifically outlines the contents of the opt-in form, and further indicates that opt-ins have a limited life span. Unlike FCRA and GLB, the Model Act does not expressly distinguish between information sharing with affiliates and non-affiliates.

The exceptions to the Model Act’s disclosure prohibition are both broad and numerous, and generally very similar to the GLB exceptions. Nevertheless, the bottom line is that where no exception applies, an insurance institution cannot share personal or privileged customer information unless the individual to whom the information applies affirmatively opts in to such sharing.

The Model Act is applicable in only fifteen states, and applies only to insurance institutions, agents, and insurance support organizations. However, because its requirements are generally more restrictive than GLB, insurers doing business in the states where the Model Act has been enacted must consider carefully whether they are sharing information outside the Act’s exceptions. If they are, an opt in is required by the Model Act, regardless of whether or not a GLB opt out applies to the same information.

Financial service providers must understand precisely what information collecting and sharing they are involved in, in order to make a useful assessment as to whether all, some, or none of the various opt-in and opt-out provisions should be included in their GLB notice or provided to customers separately.
