Exceptions to the Notice and Opt-Out Requirements, Exception to the Opt-Out Requirement: Service Providers and Joint Marketing. Thus, in 2012, the Commission announced it was retaining the implementing regulations governing privacy notices for motor vehicle dealers at 16 CFR part 313. The Commission also proposed amending the rule to allow motor vehicle dealers to notify their customers that a privacy notice is available online, under circumstances identical to those that had been adopted by the CFPB. (iii) (2) Special rule for loans. If you share information under this exception, you must give your customers - and your consumers if you share their information - a privacy notice that describes this disclosure. NADA argued motor vehicle dealers generally do not engage in these activities, and while it is theoretically possible that a dealer somewhere may offer, under unique circumstances, to cash a check for a customer, [NADA] is not aware of that service being offered by dealers and the possibility is attenuated at best.[32] You must provide an "initial notice" by the time the customer relationship is established. 21. NADA (comment 9), at 4. Classification System Codes, 13 CFR 121.201 (available at: 40. However, under section 1029 of the Dodd-Frank Act, the Commission retained rulemaking authority for certain motor vehicle dealers. 5519. Second, if you receive "nonpublic personal information" from a financial institution with which you are not affiliated, you may be limited in your use of that information. Examples of establishing a customer relationship. If you were not required to provide a revised privacy notice under 313.8, you must provide an annual privacy notice by July 9 of year 1. Accordingly, the final rule retains the references to mortgage loans in these provisions. 5519.
An opt-out notice must be delivered with a privacy notice, and it can be part of the privacy notice. The Commission notes that while the term loan may not be applicable to all motor vehicle dealers' transactions with their customers, most extensions of credit or the arranging of credit will play the same role as loans for purposes of this amendment, and dealers may generally apply these examples accordingly. Final Rule, 79 FR 64057 (Oct. 28, 2014) available at 7. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. First, most of the changes effectuate statutory changes from the Dodd-Frank Act and the FAST Act. This part applies to those financial institutions over which the Federal Trade Commission (Commission) has rulemaking authority pursuant to section 504(a)(1)(C) of the Gramm-Leach-Bliley Act. First, section 603(d)(2)(A)(iii) of the FCRA allows the sharing of a consumer's information among affiliates, but only if the consumer is notified of such sharing and is given an opportunity to opt out. (ii) Have not changed your policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under 313.6(a)(2) through (5) and (9) in the most recent privacy notice provided pursuant to this part. For example, a list is not NPI if it is drawn entirely from publicly available information, such as a list of a lender's mortgage customers in a jurisdiction that requires that information to be publicly recorded. In general Categories of information collected.
Chapter 21 (Financial Recordkeeping), a State insurance authority, with respect to any person domiciled in that insurance authority's State that is engaged in providing insurance, and the Federal Trade Commission), self-regulatory organizations, or for an investigation on a matter related to public safety; 1. The Commission proposed modifying the definition of financial institution to harmonize the Privacy Rule with other agencies' rules. Second, the removal of certain examples provided in the rule that are not applicable to motor vehicle dealers will have no impact on existing information collection requirements. 1843(k), which incorporates activities enumerated by the Federal Reserve Board in 12 CFR 225.28 and 225.86. In 2009, all those agencies jointly adopted a model form financial institutions could use to provide the required initial and annual privacy disclosures. means a continuing relationship between a consumer and you under which you provide one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes. 5519. For an isolated consumer transaction, like buying a money order, you may require your consumers to make their opt-out decision before completing the transaction. If you receive NPI from a nonaffiliated financial institution, your ability to reuse and redisclose that information is limited. transferred the majority of GLBA's privacy rulemaking authority from the Fed, NCUA, OCC, OTS, FDIC, and the Commission (in part) to the Consumer Financial Protection Bureau (CFPB). 27.
The Commission believes, however, while informal understandings may be unusual for motor vehicle dealers, it is possible some dealers may engage in such practices and the example should continue to make clear that such arrangements create continuing relationships. Significant Issues Raised in Public Comments in Response to the IRFA, 3. https://www.federalregister.gov/documents/2001/04/27/01-10398/privacy-of-consumer-financial-information. [17] The proposed amendment to 313.1(b) narrowed the description of the scope of the Privacy Rule to those entities set forth in the Dodd-Frank Act:[26] The Commission anticipates the amendments will reduce the burden for many covered entities associated with the Privacy Rule annual notice. 16 CFR 313.2, 16 CFR 313.4 through 313.9. In addition, as discussed above, the Commission declines to change the language of examples retained in the final rule. Nevertheless, the Commission is modifying the definition for purposes of consistency with Regulation P and the Safeguards Rule. 12 U.S.C. The Commission received two comments on these proposed changes. 77 FR 22201. Final Model Privacy Form Under the Gramm-Leach-Bliley Act A notice on a website should be placed on a page that consumers use often, or it should be hyperlinked directly from a page where transactions are conducted. 29. Second, the Commission does not expect the amendment to impose costs on small motor vehicle dealers because the amendments are primarily for clarification purposes and should not result in any increased burden on any motor vehicle dealer. The CFPB then restated the implementing regulations in Regulation P, 12 CFR part 1016, in late 2011 (Regulation P). No substantial delay of customer's transaction. See 16 C.F.R. There are a number of exceptions to the notice and opt-out requirements.
(e) Changes preceded by a revised privacy notice. Joint Final Rule, 65 FR 35162 (June 1, 2000) available at Table of Small Bus. The GLBA was enacted in 1999. Read on to learn more about the specific privacy notification requirements within the GLBA. Restrictions on Reuse and Redisclosure if NPI is Received Outside the Section 14 or 15 Exceptions. This amendment modifies 16 CFR part 313. Consumers and customers who have the right to opt out may do so at any time. The Commission received no comments that suggested such entities exist. The FTC has issued a separate rule to address the requirements for safeguarding NPI. Each year, the Ombudsman evaluates the conduct of these activities and rates each agency's responsiveness to small businesses. [1] You must deliver your privacy notices to each consumer or customer in writing, or, if the consumer or customer agrees, electronically. [43] Under the existing clearance, the FTC has attributed to itself the estimated burden regarding all motor vehicle dealers and shares equally the remaining estimated PRA burden with the CFPB for other types of financial institutions for which both agencies have enforcement authority regarding the GLBA Privacy Rule.[44] To file a complaint or to get free information on consumer issues, visit ftc.gov or call toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261. 1681s-3. The limits depend on how the information is disclosed to you.
setting forth amendments to the Privacy Rule (the Proposed Amendments) proposing three types of changes to the Privacy Rule: (1) Technical changes to the rule to correspond to the reduced scope of the rule due to Dodd-Frank Act changes, which primarily consist of removing references that do not apply to motor vehicle dealers; (2) modifications to the annual privacy notice requirements to reflect the changes made to the GLBA by the FAST Act; and (3) a modification to the scope and definition of financial institution to include entities engaged in activities incidental to financial activities, which would bring the rule into accord with the CFPB's Regulation P. The Commission received four comments related to the proposed amendments, to which it responds below.[25] YOUR OBLIGATIONS UNDER THE PRIVACY RULE, III. As explained in the IRFA, however, determining a precise estimate of the number of small entities, including newly covered entities under the modified definition of financial institution, is not readily feasible. If you share their NPI with nonaffiliated third parties outside of three exceptions (see "Exceptions"), you must give your consumers and customers an "opt-out notice" that clearly and conspicuously describes their right to opt out of the information being shared. The Gramm-Leach-Bliley Act's notice and opt out provisions are in addition to the obligations imposed by the Fair Credit Reporting Act (FCRA). 5 U.S.C. The amendment was . A Rule by the Federal Trade Commission on 12/09/2021. 30. Yes. The Commission believes, however, negative examples are useful to clarify the definition and, therefore, the final rule retains this example. However, it does not apply when you disclose an account number to your agent or service provider just to market your own products or services, as long as the party receiving the information can't directly initiate charges to the account.
[4], As originally promulgated, the FTC's Privacy Rule covered a broad range of non-bank financial institutions such as payday lenders, mortgage brokers, check cashers, debt collectors, real estate appraisers, certain motor vehicle dealers, and remittance transfer providers. A consumer does not, however, have a continuing relationship with you if: (A) The consumer obtains a financial product or service from you only in isolated transactions, such as cashing a check with you or making a wire transfer through you; (B) You sell the consumer's loan and do not retain the rights to service that loan; or. 15 U.S.C. The GLBA privacy rules, as enforced by the various regulators, generally require: Clear and conspicuous notice of the financial institution's information-sharing policies and practices, including what information it collects and with whom it shares the information. In 313.3(i)(2)(i)(A) and 313.5(b)(2)(ii), references to mortgage loans were removed. enforcement agencies (including the Consumer Financial Protection Bureau, a federal functional regulator, the Secretary of the Treasury, with respect to 31 U.S.C. GLBA Meaning. This subsection The Federal Reserve Board, the Office of Thrift Supervision, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation. Financial institutions must notify their customers about their information-sharing practices and tell consumers of their right to "opt-out" if they don't want their information shared with certain nonaffiliated third parties. https://www.federalregister.gov/documents/2000/06/29/00-16269/privacy-of-consumer-financial-information-regulation-s-p;; In these situations, you may only disclose and use the information in the ordinary course of business to carry out the purpose for which it was received.
(e) Exception to annual privacy notice requirement (1) When exception available. The FTC may bring enforcement actions for violations of the Privacy Rule. In this situation, you may use the information internally for your own purposes. 17. When you provide the notice and what you say depend on what you do with the information. As discussed above, the Commission's Privacy Rule applies only to motor vehicle dealers and so would apply only to finders that are also motor vehicle dealers. information that is in widely distributed media like telephone books, newspapers, and websites that are available to the general public on an unrestricted basis, even if the site requires a password or fee for access. Under the Privacy Rule, only an institution that is "significantly engaged" in financial activities is considered a financial institution. In addition, the Commission decided activities determined to be financial in nature after the enactment of the GLBA would not be automatically included in its Privacy Rule; rather, the Commission would have to take additional action to include them. Those predominantly engaged in the sale and servicing of motor vehicles or the leasing and servicing of motor vehicles, excluding those dealers that directly extend credit to consumers and do not routinely assign the extensions of credit to an unaffiliated third party. Another exception can be found in section 313.13 ("section 13 exception") of the Privacy Rule.
Financial institution In contrast, a business that regularly wires money to and from consumers is significantly engaged in a financial activity. 2. 36484 (May 23, 2002). Therefore, the Commission does not believe the amendments substantially or materially modify any collections of information as defined by the PRA. You may also disclose the information to your affiliates, who are limited in their reuse and redisclosure of the information in the same way as you are, and to affiliates of the originating financial institution. The Commission also proposed changing the Privacy Rule provisions governing how motor vehicle dealers should deliver annual privacy notices. The FTC enters consumer complaints into the Consumer Sentinel Network, a secure online database and investigative tool used by hundreds of civil and criminal law enforcement agencies in the U.S. and abroad. NADA suggested the term loan be replaced with financing, or finance or lease contract.[29] The final rules implement these requirements of the Gramm-Leach-Bliley Act with respect to investment advisers registered with the Commission, brokers, dealers, and investment companies, which are the financial institutions subject to the Commission's jurisdiction under that Act. Id. You may also disclose the information to your affiliates, whose redisclosure is limited in the same way as you, and to affiliates of the originating financial institution. [10] Are there exceptions to the GLBA privacy notice requirements? changing the language of an example, as opposed to completely removing it, could be read as a change to the substance of the rule.
Specifically, it requires covered entities to provide an initial notice of these policies,[13] providing real estate settlement services. et seq., Examples of exceptions [15] The Gramm-Leach-Bliley Act (GLBA) is a federal law that establishes various legal requirements for companies that qualify as "financial institutions" under the Act. 34. https://www.federalregister.gov/documents/2017/10/16/2017-22334/agency-information-collection-activities-submission-for-omb-review-comment-request. 6802; 16 CFR 313.6(a)(6). Examples of Nonpublic Personal Information (in list form). The FTC has jurisdiction over any financial institution or other person not regulated by other government agencies. (5) The Securities and Exchange Commission. A retailer that lets some consumers make payments through an occasional lay-away plan is not "significantly engaged" in a financial activity. On December 4, 2015, Congress amended the GLBA as part of the FAST Act. Changes to the Annual Privacy Notice Delivery Requirement A financial institution establishes a customer relationship with an individual when it originates a loan. PRA Notice, 82 FR 48081 (Oct. 16, 2017) available at The "joint agreement" requirement means that you have entered into a written contract with one or more financial institutions about your joint offering, endorsement, or sponsorship of a financial product or service. Estimate of Number of Small Entities To Which the Final Rule Will Apply, 4. This includes, for example, disclosing NPI to service providers who help mail account statements and perform other administrative activities for a consumer's account. 1681a(d)(2)(A)(iii). Public Law 111-203, 124 Stat.
Amend 313.15 by revising paragraph (a)(4) to read as follows: (4) To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 U.S.C. Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley Act DISCLOSURE OF ACCOUNT NUMBERS IS PROHIBITED. Once you receive an opt-out direction from your existing consumers or customers, you must comply with it as soon as is reasonably possible. The notice should use plain language, be easy to read, and be distinctive in appearance. 15 U.S.C. It must be reasonably understandable, and designed to call attention to the nature and significance of the information. David Lincicum (202-326-2773), Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. 1312, 1787 (2015). Examples of appropriate information disclosures under this exception include those made to technical service providers who maintain the security of your records; your attorneys or auditors; a purchaser of a portfolio of consumer loans you own; and a consumer reporting agency, consistent with the Fair Credit Reporting Act (see "Exceptions"). (A) You change your policies and practices in such a way that you no longer meet the requirements of paragraph (e)(1) of this section effective April 1 of year 1.