Consumer & Customer Privacy Laws: The Gramm-Leach-Bliley Act

While many consumers today assume they know the laws governing direct marketing, they are usually unaware of where the lines are drawn, and the rules can be hazy even for marketers. For instance, a telephone survey interviewer may call numbers on the National Do-Not-Call Registry, but a telemarketer may not. A financial institution can disclose account numbers to non-affiliated parties that will market the institution’s own products or services, but not to non-affiliated parties that would use the information to market their own.

In the last few years, the Federal Trade Commission has put rules in place to help protect the privacy of consumers. In 2001, the Gramm-Leach-Bliley Act took effect to protect the privacy of consumers’ and customers’ financial information. In 2004, new rules governing spam took effect, and the National Do-Not-Call Registry appeared in 2005. These laws do not mean that direct marketers have no control over the limitations that govern them. To keep you in control of your direct marketing campaigns, American Name Services would like to offer some do’s and don’ts of the privacy laws that have affected direct marketers this century.


Issuing Privacy Policy notices under the Gramm-Leach-Bliley Act

In a recent poll, privacy ranked as the number one worry among customers and consumers alike. Because it is a concern for them, it should be a concern for you as well. If you are considering sharing your customer and consumer information with a third party, remember that the law treats consumers and customers differently. The Gramm-Leach-Bliley Act of 2000 (GLB Act) defines a consumer as “someone who has only a brief relationship with your company, such as applying for a loan but not taking it out.” A customer, on the other hand, is someone who “has an on-going relationship, such as establishing an account or actually taking out a loan.”

Under GLB, a “financial institution” includes traditional institutions such as banks, credit unions, and securities brokers. It also covers other entities such as real estate appraisers, insurance companies, automobile leasing companies, companies that operate as travel agencies in connection with financial services, and retailers that issue their own credit cards directly to consumers. If your business falls under the category of a “financial institution,” then the GLB Act applies to you. The rules also apply to companies such as marketers, data processors, and consumer reporting agencies that sell personal information, if they receive that information from financial institutions with whom they are not affiliated.

The Gramm-Leach-Bliley Act states that your consumers must receive one upfront notice if you plan to share their non-public personal information (NPPI) with an unaffiliated third party. Your customers must receive a notice once a relationship has been established and once a year thereafter. Although the GLB Act has been in force since July 2001, you may not be aware of everything that belongs in the privacy policy or notice you are required to distribute. For instance, to whom may you give private information? How are you supposed to deliver the notice? What exceptions does the Act include?

Your privacy policy notice should explain how you collect and share information and provide a way for customers to opt out of such information sharing. Specifically, you must include:

  • Types of information your company collects;
  • Types of information your company shares;
  • Types of affiliates, non-affiliates and joint marketers with whom your company shares information; [Note: You need not offer an opt-out for information shared with affiliates, joint marketers, and non-affiliates that perform functions on your company’s behalf. However, you must still describe your information-sharing practices.]
  • How a customer can opt out of information sharing, together with a method for doing so. You must also include a means for opting out of information sharing among affiliates, as required by the Fair Credit Reporting Act (FCRA);
  • Assurance that information policies and practices are in place for security and confidentiality of data; and
  • Description of the types of information your company discloses about former customers and to whom you disclose such information.

As your company writes up its privacy policy describing what it will use clients’ NPPI for, you should also consider when and how the notice must be delivered under the GLB Act:

  • You must send an initial notice to consumers before you disclose their information to a non-affiliated third party. Customers must receive their notice when you first establish the customer relationship, and annual notices thereafter. (An affiliate is a company that is controlled by, or controls, another company. Control is defined as the power to vote 25 percent or more of the stock; the ability to control the election of a majority of the company’s directors; or the power to exercise a controlling influence over the management or policies of the company.)
  • Notices must be sent in writing or, if the consumer agrees, electronically. Oral explanations, in person or over the telephone, do not count as sufficient notice. You can hand a printed copy of the notice to the consumer or mail it by either First-Class or Standard (A) mail. If you mail the notice, you must give the consumer a reasonable amount of time to opt out, which is at least 30 days after the notice has been sent.
  • The notice may be sent via e-mail or posted to your Web site, as long as it is a “clear and conspicuous” posting and consumers are required to acknowledge receipt of the notice before you provide them with any financial product or service. “Clear and conspicuous” means you must design your Web site so that the notice, or a clear link to it, cannot be overlooked.
  • The notice may be delivered together with other documents, provided that it remains “clear and conspicuous” through the use of different fonts, shading, etc.
  • Provide a revised notice to consumers and customers whenever you make changes to your practices that were not described in the original notice they received.

After you have done everything required to inform consumers and customers of your privacy policy, you must give them an opportunity to opt out. It is unacceptable to require that they write you a letter. Acceptable methods under the GLB Act include the following:

  • Designate check-off boxes in a prominent position on the relevant forms with the opt-out notice;
  • Include a reply form that provides the address to which the form should be mailed;
  • Provide an electronic means to opt out, such as a form that can be sent via e-mail or an opt-out procedure at your Web site;
  • Provide a toll-free number that consumers can call. For example, your notice could state that “if you prefer that we not disclose personal information about you to third parties, you may call the following toll-free number: 800-_________________.”

Many of these requirements are simple, but they do involve some hassle. Although the Act was put in place to protect consumers and customers, it contains exemptions that benefit “financial institutions” too. For instance, account numbers can be disclosed under certain conditions. If a customer chooses to participate in a private label credit card program (such as a Wal-Mart Visa), the merchant and the financial institution can share the consumer’s account number, provided the consumer is told upfront who the participants in the private label credit card program are.

The rules also allow disclosures of account numbers to agents or service providers (such as telemarketing firms) for the purpose of marketing the financial institution’s own products or services, as long as the agent or service provider is not allowed to debit the consumer’s account without the consumer’s consent.

There are also other exemptions for opt-out requirements. You do not need to offer an opt-out when you are sharing information with companies that run marketing campaigns for you or companies with whom you have joint marketing agreements. However, you must notify the customer that you are making the disclosures, and you must have a contract with the other company that requires it to maintain the confidentiality of the information, using it only to carry out the marketing campaign for which you supplied the information.

Notice and opt-out are not required before sharing personal information with nonaffiliated third parties in the following situations:

  • where the disclosure is necessary to process or service a transaction;
  • to protect record security and confidentiality;
  • to provide information to legal counsel and to prove that the company is complying with industry standards;
  • to respond to requests from regulators, self-regulatory organizations, and law enforcement;
  • to report a customer’s activities to a credit bureau;
  • to protect against fraud;
  • to individuals or businesses with a legal interest relating to the consumer;
  • in connection with a proposed or actual merger or acquisition;
  • to comply with laws and legal process.

Just as there are regulations for financial institutions that distribute consumer and customer information, there are also regulations on the reuse and re-disclosure of personal information by third parties. Under the GLB Act, if a third party receives personal information from a financial institution under one of the above exceptions, the recipient may reuse or re-disclose that information only as necessary to carry out the activity covered by the exception under which it was received.

If the third party receives the personal information from a financial institution outside of one of the exceptions, the recipient “steps into the shoes” of the financial institution and may reuse or re-disclose the information only in accordance with the privacy policies and consumer opt-out choices of the company from which the information was obtained.

As previously mentioned, the Gramm-Leach-Bliley Act has been in effect since July 2001. It is enforced by the various Federal government agencies that have jurisdiction over financial institutions, such as the Federal Trade Commission. If you fall into any of the financial institution categories discussed, you must be in compliance.

We thought it might be helpful to walk you through the process of creating a privacy policy that meets the notice and opt-out requirements of GLB. You may go directly to the DMA generator and fill out the questions. They will send you a customized page you can post to your Web site and mail to your customers.