With the exponential increase in the use of the Internet in the financial services industry, the need to protect personally identifiable information transmitted through electronic transactions has become critically important. As part of a response to the concern for online privacy of consumer information and following the Children's Online Privacy Protection Act (and its implementing regulations), the Federal Trade Commission ("FTC") recently published a final Rule (the "Rule"; 16 CFR Part 313) on the protection of consumers' financial information. The Rule provides guidelines for the implementation of the provisions of the Gramm-Leach-Bliley Act (the "Act") governing the privacy of consumers' financial information. The Rule is effective as of November 13, 2000, and full compliance is required by July 1, 2001.
The Rule specifically applies to "financial institutions" as defined in the Act. The Act uses an over-inclusive definition of financial institution: an entity that engages in any activity that the Federal Reserve Board has determined to be a "financial activity." Entities that qualify as financial institutions include, but are not limited to, online mortgage brokers, real estate brokers, tax preparers, mortgage lenders, "pay day" lenders, finance companies, account services, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors, other financial advisors, non-federally insured credit unions, and investment advisors that are not required to register with the Securities and Exchange Commission.
In addition, the Rule applies to third parties that are not financial institutions, but that receive nonpublic personal information (personally identifiable financial information) from financial institutions with whom they are not affiliated.
The breadth of the definition is such that even entities not immediately perceived to be in the financial space may be affected by the Rule. For example, institutions of higher education that offer forms of financial aid may fall within the definition of a "financial institution." When the Rule was finalized, the FTC recognized that the broad definition might technically or formally include in its scope some entities for which the Rule was not intended and to which it will not apply. Specifically, the FTC stated that "Many entities that come within the broad definition of financial institution will likely not be subject to the disclosure requirements of the rule because not all financial institutions have 'consumers' or establish 'customer relationships.'" [65 Fed. Reg. 11174, 11177 (Mar. 1, 2000)]
There may also be further modification or interpretation for the benefit of entities subject to more than one legislative act with respect to the privacy of personally identifiable information. The apparent intent of the Act was not to be overly burdensome or necessarily overlap with other rules. In its current incarnation, the Rule in some instances may depart from this intent. There are carve-outs already embodied in the Rule for entities that fall under multiple jurisdictions allowing the entities to be deemed in compliance with the Rule if they are in compliance with the regulations of other Acts providing for the protection of privacy of personally identifiable consumer data. For instance, health care entities deemed to be financial institutions that also fall under the auspices of the Health Insurance Portability and Accountability Act (HIPPA), universities and institutions of higher learning that fall under the auspices of the Federal Educational Rights and Privacy Act (FERPA; 20 U.S.C. 1232g), and some consumer credit entities that fall under the auspices of the Truth in Lending Act (TILA; 15 U.S.C. 1601 et seq.) and Regulation Z (12 CFR Part 226) all may be able to avoid compliance with this Rule by complying with the perquisite rules in their business sectors.
For those entities to which the Rule applies, the Rule imposes the following general requirements:
1. A financial institution must provide initial notice to consumers and its customers about its privacy policies and practices.
2. A financial institution must provide its customers with annual notices of its privacy policies and practices.
3. Notices must be clear, conspicuous, and accurate and must describe the conditions under which a financial institution may disclose nonpublic personal information about consumers to affiliates and nonaffiliated third parties.
4. A financial institution must provide a method by which consumers can prevent a financial institution from disclosing that information to nonaffiliated third parties by allowing consumers a reasonable opportunity to "opt out."
The initial, annual, and any revised notices must include particular information that must be presented in a clear and conspicuous manner. Financial institutions with Internet sites may comply with the Rule by using text or visual cues to encourage scrolling down the page if necessary to view the entire notice and ensure that other elements on the web site do not distract attention from the notice. The FTC gives examples of using a dialog box that pops up to provide the disclosure before a consumer provides information to the institution or a clearly labeled graphic hypertext link or hotlink in close proximity to the financial institution's logo. In addition, a financial institution should place either a notice or conspicuous link on a page frequently accessed by consumers, such as a page on which transactions are conducted. The notice should include the following:
1) the categories of nonpublic personal information the financial institution collects (information from the consumer and information about the consumer's transactions with the financial institution or its affiliates);
2) the categories of nonpublic personal information the financial institution discloses;
3) the categories of affiliates and nonaffiliated third parties to whom the financial institution discloses nonpublic personal information;
4) the categories of nonpublic personal information about former customers that the financial institution discloses, and the categories of affiliates and nonaffiliated third parties to whom the financial institution discloses nonpublic personal information about former customers;
5) a separate statement of the categories of information disclosed and the categories of third parties with whom the financial institution has contracted if nonpublic personal information is disclosed to a nonaffiliated third party;
6) an explanation of the consumer's right to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the method(s) by which the consumer may opt out;
7) any disclosures made under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (ie., notices regarding the ability to opt out of disclosures of information among affiliates); and
8) the financial institution's policies and practices with respect to protecting the confidentiality and security of nonpublic personal information.
Initial notice will not be required if:
1) nonpublic personal information is not disclosed to any affiliated third party;
2) the financial institution does not have a customer relationship with the consumer; or
3) the disclosed aggregate information or blind data that does not contain personal identifiers such as account numbers, names, or addresses is not deemed to be personally identifiable information.
Privacy of personally identifiable information in financial transactions has become an important issue with the growth and widespread acceptance of electronic transaction processing, data storage and commerce. It is an issue frequently in the press and often debated. Speaking on privacy in the information age a few years ago, Chairman of the Federal Reserve Alan Greenspan said:
The central dilemma in [discussions on privacy] almost always involves fundamental choices about how to strike prudent balances among the needs of individuals for privacy in their financial and commercial transactions, as well as their personal communications; the needs of commerce to bring us new products and new means to communicate; and the needs of the authorities to provide for the effective administration of government and to ensure the public safety. These are not easy choices #8230; we need to be aware that the balances we strike in one era may need to be reexamined as technology and circumstances change. (Remarks by Chairman Alan Greenspan at the Conference on Privacy in the Information Age, Salt Lake City, Utah, March 7, 1997).
Given the broad definition of financial institution currently enumerated in the Rule, it is probable that in the spirit of Mr. Greenspan's comments, the Rule will receive additional scrutiny and possibly be subject to interpretive rulings and statements. Because of these ambiguities and questions regarding the applicability of the Rule, it is highly recommended that expert opinion be consulted in determining whether an entity is a financial institution and must comply with the Rule.
Teresa Hu drafted this article while working as a Summer Associate at Gray, Cary, Ware & Freidenrich, LLP.