VIII. Privacy — GLBA
Gramm-Leach-Bliley Act
(Privacy of Consumer Financial Information)
Introduction
Title V, Subtitle A of the Gramm-Leach-Bliley Act (“GLBA”)[1] governs the treatment of nonpublic personal information about consumers by financial institutions. Section 502 of the Subtitle, subject to certain exceptions, prohibits a financial institution from disclosing nonpublic personal information about a consumer to nonaffiliated third parties, unless (i) the institution satisfies various notice and opt-out requirements, and (ii) the consumer has not elected to opt out of the disclosure. Section 503 requires the institution to provide notice of its privacy policies and practices to its customers. Section 504 authorizes the issuance of regulations to implement these provisions.
In 2000, the Board of Governors of the Federal Reserve System (“Board”), the Federal Deposit Insurance Corporation (“FDIC”), the National Credit Union Administration (“NCUA”), the Office of the Comptroller of the Currency (“OCC”), and the former Office of Thrift Supervision (“OTS”), published regulations implementing provisions of GLBA governing the treatment of nonpublic personal information about consumers by financial institutions.[2]
Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”)[3] granted rulemaking authority for most provisions of Subtitle A of Title V of GLBA to the Consumer Financial Protection Bureau (“CFPB”) with respect to financial institutions and other entities subject to the CFPB’s jurisdiction, except securities and futures-related companies and certain motor vehicle dealers. The Dodd-Frank Act also granted authority to the CFPB to examine and enforce compliance with these statutory provisions and their implementing regulations with respect to entities under CFPB jurisdiction.[4] In December 2011, the CFPB recodified in Regulation P, 12 CFR Part 1016, the implementing regulations that were previously issued by the Board, the FDIC, the Federal Trade Commission (“FTC”), the NCUA, the OCC, and the former OTS.[5]
[1] 15 U.S.C. Sections 6801-6809.
[2] The NCUA published its final rule in the Federal Register on May 18, 2000 (65 FR 31722). The Board, the FDIC, the OCC, and the former OTS jointly published their final rules on June 1, 2000 (65 FR 35162).
[3] Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, Pub. L. No. 111-203, Title X, 124 Stat. 1983 (2010).
[4] Dodd-Frank Act Sections 1002(12)(J), 1024(b)-(c), and 1025(b)-(c); 12 U.S.C. Sections 5481(12)(J), 5514(b)-(c), and 5515(b)-(c). Section 1002(12)(J) of the Dodd-Frank Act, however, excluded financial institutions’ information security safeguards under GLBA section 501(b) from the CFPB’s rulemaking, examination, and enforcement authority.
The regulation establishes rules governing duties of a financial
institution to provide particular notices and limitations on its
disclosure of nonpublic personal information, as summarized
below.
• A financial institution must provide notice of its privacy policies and practices, and allow the consumer to opt out of the disclosure of the consumer’s nonpublic personal information to a nonaffiliated third party if the disclosure is outside of the exceptions in sections 13, 14, or 15 of the regulation. If the financial institution provides the consumer’s nonpublic personal information to a nonaffiliated third party under the exception in section 13, it must provide notice of its privacy policies and practices to the consumer. Under the exception in section 13, the financial institution must also enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to perform services for the institution or functions on the institution’s behalf, including use under an exception in sections 14 or 15 in the ordinary course of business to carry out those services or functions. If the financial institution complies with these requirements, it is not required to provide an opt-out notice.
• Regardless of whether a financial institution shares nonpublic personal information, the institution must provide notice of its privacy policies and practices to its customers.
• A financial institution generally may not disclose consumer account numbers to any nonaffiliated third party for marketing purposes.
• A financial institution must follow redisclosure and reuse limitations on any nonpublic personal information it receives from a nonaffiliated financial institution.
In general, the privacy notice must describe a financial
institution’s policies and practices with respect to collecting
and disclosing nonpublic personal information about a
consumer to both affiliated and nonaffiliated third parties.
Also, the notice must provide a consumer a reasonable
opportunity to direct the institution generally not to share
nonpublic personal information about the consumer (that is, to
“opt out”) with nonaffiliated third parties other than as
permitted by exceptions under the regulation (for example,
sharing for everyday business purposes, such as processing
transactions and maintaining customers’ accounts, and in
response to properly executed governmental requests). The
[5] 76 FR 79025 (Dec. 21, 2011). Pursuant to GLBA, the FTC retains rulemaking authority over any financial institution that is a person described in 12 U.S.C. Section 5519 (with certain statutory exceptions, the FTC generally retains rulemaking authority for motor vehicle dealers predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both).
FDIC Consumer Compliance Examination Manual — April 2021 VIII–1.1