In 1999, the United States Congress passed the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, which protects the financial privacy of consumers.
The GLBA directed the Federal Trade Commission (FTC) and six other federal agencies to implement regulations requiring financial institutions to provide financial privacy notices to their customers.
The FTC proposed the regulations in March 2000, and issued them in their final form in May 2000, The GLBA took effect in November 2000 and required organizations to be in full compliance by July 2001.
The FTC, federal banking agencies, other federal regulatory authorities, and state insurance oversight agencies enforce the GLBA.
The GLBA consists of three key sections:
Financial Privacy Rule
The GLBA mandates that financial institutions, organizations that offer financial services or financial products, such as financial or investment advice, loans, or insurance, provide every customer with a financial privacy notice. This must happen when the consumer relationship is established and every subsequent year.
In their financial privacy notices, financial institutions must explain their information-sharing practices to their customers. That means that financial institutions have to tell consumers what information they are collecting about them, where they’re sharing that information, and how they’re using and protecting customers’ nonpublic personal information.
Financial institutions are also required to tell customers that they have the right to opt-out of the information-sharing practices. They must also safeguard the private financial information of consumers.
In addition, the GLBA restricts when a financial institution is allowed to disclose a consumers’ private information to non-affiliated third-party organizations. And any organization that receives consumers’ nonpublic personal information from a financial institution can be limited in how it reuses and rediscloses that information.
The GLBA requires financial institutions to develop written information security plans describing the processes and procedures they use to protect consumers’ nonpublic personal information. The financial institutions have to develop comprehensive risk analyses on each department that handles customers’ nonpublic personal information.
Additionally, they have to develop, monitor, and test programs to safeguard customer information. Financial institutions are required to update these safeguards if they change how they collect, store, or use customer information. Financial institutions must also ensure that business partners and third-party service providers secure customers’ nonpublic personal information.
Pretexting is when a person attempts to access consumers’ nonpublic personal information under false pretenses. For example, an unauthorized user may impersonate an authority figure, such as a law enforcement agent, social worker, manager, potential employer, to get customer information via mail, phone, email, or phishing.
The GLBA requires financial institutions to develop procedures to prevent pretexting, including training their employees, as part of their information security plans.
The California Consumer Privacy Act (CCPA), established to protect the privacy and data of consumers, provides an exemption for personal information covered by the GLBA.
The California legislature, which passed the CCPA in June 2018 and amended it in August 2018, realized that there might be conflicts between the CCPA and the GLBA and created the exemption, one of a number of CCPA exemptions. The effective date of the CCPA is January 1, 2020.
As a result of the exemption, the CCPA doesn’t cover personal information that California businesses collect, process, sell, or disclose pursuant to GLBA.
However, the CCPA exemption does not completely remove financial institutions from the scope of the new California privacy law. The CCPA will still cover information that is collected by financial institutions, but that does not fall within the GLBA.