Consumer Privacy Regulations Information Pack

In a recent survey of over 1400 financial service professionals, only 17% felt they would be in compliance with the Gramm-Leach-Bliley Act (GLBA) by the mandatory deadline of July 1, 2001.

Is your organization one of the 83% that will be out of compliance and exposed to risk?

APFT can assist your company with Gramm-Leach-Bliley Act (GLBA) Consumer Privacy Compliance. We provide complete audits and identify non-compliance risks throughout your organization. Contact Us today.

Consumer Privacy Regulations
This document serves as a preliminary information pack for the Gramm-Leach-Bliley Act (GLBA) Consumer Privacy Regulations, as signed by President Clinton on November 12, 1999. The law has an effective date of November 13, 2000, and full compliance is required by July 1, 2001.

Overview: Consumer privacy regulation is an extremely hot topic and has increasingly been brought to the forefront as a growing number of businesses interact via new mediums, including but not limited to the Internet and e-commerce. With more and more traditional brick-and-mortar businesses, financial institutions, insurance providers, health care organizations, and e-commerce companies collecting, utilizing, and often selling vast amounts of data about "consumers" and "customers", legislators have begun to regulate the use of such data with the goal of protecting consumer privacy. Implementation of and compliance with state privacy laws and the GLBA will continue to make headlines as the July 1, 2001 compliance deadline quickly approaches.

March 14, 2001 – The OCC announced that Federal banking agencies have stated that any final Fair Credit Reporting Act rule will not require depository institutions to revise Gramm-Leach-Bliley Act privacy notices prepared in reliance on existing FCRA law and delivered to consumers before next January. http://www.occ.treas.gov/ftp/release/2001-30.txt

March 14, 2001 - The Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision have jointly approved and issued guidelines establishing standards for safeguarding customer information as required by the Gramm-Leach-Bliley Act (GLBA). Press Release: http://www.fdic.gov/news/news/financial/2001/fil0122.html Guidelines: http://www.fdic.gov/news/news/financial/2001/fil0122a.html

Privacy regulations will become mainstream for all industries. Businesses will need to ensure that all business policies, practices, and procedures, including their business model, will be in compliance with both state privacy regulations and the GLBA.

Privacy Protections for Information Collected by Financial Services

Main Issue: What privacy protections should exist for consumers and customers who divulge certain "nonpublic personal information" to financial service entities, including insurance companies?

IT IS IMPORTANT BECAUSE: Title V of the Gramm-Leach-Bliley (GLB) Act (Public Act 106-102) states that each financial institution (the definition includes insurers) has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of the "nonpublic personal information" of such customers. It is important that the regulations for the different financial institutions be uniform so that a level playing field for the sale and marketing of all financial services products can be preserved. As part of its obligation to consumers and its customers under Title V, each financial institution must:

  • Protect and safeguard confidential consumer and customer information and records.
  • Adopt a privacy policy for consumers and customers.
  • Disclose its policy to customers on an annual basis.
  • Provide an "opt-out" notice before sharing consumer and customer information with any non-affiliated third parties.
  • Comply with new rules to be issued in 2000.

Title V requires federal banking regulators and state insurance regulators to finalize the necessary regulations by May 2000, so the law can be implemented by November 2000. The GLB Act also states that any Title V regulations cannot supersede or preempt any state laws that offer greater privacy protection. This has prompted some states to introduce legislation this year that expands privacy definitions to include "publicly available information" such as a consumer's name, address and telephone number. In addition, Members of Congress have introduced legislation to expand the privacy protections beyond those in the GLB Act.

    Proposed Legislation to expand the GLBA of Nov 12, 2000:

    Uniform Regulations: The regulations should be uniform in their interpretation of such definitions as "nonpublic personal information" and in how specific requirements are to be enforced. While uniformity should be the watchword, slight differences should be duly noted for certain business practices and terminology that are unique to banks, securities firms and insurers.

    Initial Notices: Title V requires a financial institution to provide an initial notice of its privacy policy and practices to customers prior to establishing a customer relationship and to consumers at the time of or prior to, providing them with a financial product or service. Regulators should develop specific and practical guidelines for when the privacy notices should be given to customers and consumers. Without such specificity, the administrative costs and burden of complying with this requirement could be enormous.

    Manner of Providing Notice: Regulators should provide examples of how privacy notices are given to customers and consumers, but the regulations should allow the financial institutions some flexibility on how to comply with a given provision. Sending a notice to a consumer or customer should suffice as meeting the notice requirement. The regulation should not require that the notice be sent by certified mail or require an acknowledgement from the customer or consumer.

    Annual Notice: The law requires privacy notices to be sent to customers at least once annually. Notices should not be provided where the financial institution and customer no longer have a continuing relationship. The regulations should provide specific examples of what constitutes a continuing relationship.

    Content of Notices: Certain elements are required in the initial and annual privacy notices. They include the categories of "nonpublic personal information" the financial institution collects and discloses; the financial institution's policy for disclosing this information to affiliates and nonaffiliated third parties; and the instructions on how consumers or customers can opt-out of any disclosure to a nonaffiliated third party. Given the short timeline for this regulation, NAMIC believes the regulation should have "model" notices to help insurers comply with the regulation by November 2000.

    Opt-Out Provisions: The obligation to provide an opt-out notice applies to all consumers, even if no customer relationship is established and generally applies to all nonpublic personal information, regardless of whether the financial institution collected it before or after the consumer's opt-out direction. This is a particularly onerous requirement, and NAMIC believes the final regulations should limit the opt-out provision to those situations where only a customer relationship is established. The timeframe for a consumer to respond to an opt-out notice should be 30 days.

    What has happened so far? Federal banking regulators issued "draft" regulations in January and February and are currently reviewing comments from interested parties, including NAMIC.

    The National Association of Insurance Commissioners (NAIC), meanwhile, appointed a committee in December, co-chaired by Commissioners Glenn Pomeroy of North Dakota and Kathleen Sebelius of Kansas, to determine how insurance regulators should address Title V. In January, the committee solicited comments from interested parties on the elements that should be considered in insurance privacy regulation. In March, the NAIC held a public hearing in Chicago where several speakers, including representatives from NAMIC, urged regulators to become more engaged in the federal regulation drafting process and to draft their own privacy regulation that was uniform among states and consistent with federal regulations. At this writing, the committee was still trying to decide whether to pursue its own regulation now, or to wait for the final federal regulations.

    One other complication is Sec. 507(b) of Title V. It allows a state to enact a privacy statute that exceeds Title V. At least 20 states, at the urging of their state attorneys general, have introduced legislation this year to broaden the GLB privacy provisions.

    IMPLEMENTING THE GRAMM-LEACH-BLILEY ACT (GLBA) CONSUMER PRIVACY ACT

    As of this writing, it appears that each type of entity, including but not limited to the Federal Trade Commission, the Securities and Exchange Commission, state governments, the FRB, FDIC, OCC and OTS, is adopting its own policies and rules. Each organization is in the process of implementing the GLBA with the following regulations:

    FDIC FINAL RULING:

    FTC FINAL RULING:

    FRB, FDIC, OCC, OTS JOINT FINAL RULING:

    BANK RULES CHART

    LAW FIRM & OTHER REPORTS ON GLBA IMPLEMENTATION:

    LLGM contains Executive Summary HIGHLY RECOMMENDED READING
    LLGM contains state-by-state proposed legislation HIGHLY RECOMMENDED READING
    Schenck, Price, LLP

    Additionally, most agencies have a "request for comment" sent out to most banks and financial institutions. Some of these "comment" letters are linked in the charts below:


    Laws, Legislation & Regulations on Privacy

    LAWS & LEGISLATION ON PRIVACY REGULATIONS AND OTHER RULES ON PRIVACY

  • H.R.4585 Medical Financial Privacy Protection Act (Introduced in the House, 6/6/2000)

  • H.R.4380 Consumer Financial Privacy Act (Introduced in the House, 5/4/2000)
  • H.R.4332 Financial Consumers' Bill of Rights Act (Introduced in the House, 4/13/2000)

  • S.2360 Freedom From Behavioral Profiling Act of 2000 (Introduced in the Senate, 4/5/2000)

  • H.R.4059 Online Privacy and Disclosure Act of 2000 (Introduced in the House, 3/22/2000)

  • H.R.4049 Privacy Commission Act (Introduced in the House, 3/21/2000)

  • H.R.3560 Online Privacy Protection Act of 2000 (Introduced in the House, 1/31/2000)

  • H.R.3320: A bill to amend the privacy provisions of the Gramm-Leach-Bliley Act. (A related bill, as introduced by Rep. Markey in the House on November 10, 1999)
  • S.1903: A bill to amend the privacy provisions of the Gramm-Leach-Bliley Act. (A related bill, as introduced by Sen. Shelby in the Senate on November 10, 1999)

  • S900: Gramm-Leach-Bliley Act of 1999, TITLE V Privacy (as signed by the President on November 12, 1999)

  • EPIC Bill Track - 106th Congress Privacy and Cyber-Liberties Legislation

  • Fair Credit Reporting Act (FCRA, U.S.C. Title 15, Section 1681)
  • Fair Credit Reporting Act (FCRA), FTC

  • State Statutes (check privacy provisions in your state)

  • The Right to Financial Privacy Act (RFPA, U.S.C. Title 12, Chapter 35)
  • PRIVACY OF CONSUMER FINANCIAL AND HEALTH INFORMATION REGULATION (Adopted by the NAIC Privacy Issues Working Group on September 12, 2000, Word97) (pdf)

  • NAIC MODEL INTERIM REGULATION PRIVACY OF CONSUMER FINANCIAL AND HEALTH INFORMATION (Draft, 7/28/2000, Word97) (pdf)

  • NCUA Privacy of Consumer Financial Information; Requirements for Insurance (Final Rules, 12 CFR Parts 716 and 741), 5/8/2000

  • SEC Privacy of Consumer Financial Information (Regulation S-P), 3/2/2000

  • FTC: Final Privacy Rule
  • FTC Seeks Public Comment on Proposed Financial Privacy Rule, 2/14/2000

  • FRB, FDIC, OCC, OTS Joint Final Rule - Privacy of Consumer Financial Information, 5/9/2000
  • FRB, FDIC, OCC, OTS Joint Press Release: Privacy of Consumer Financial Information, 5/10/2000

  • FDIC: Proposed Rule - Privacy of Consumer Financial Information

  • OTS Proposes Privacy Rule to Implement Financial Modernization Legislation

  • FRB: Approval of a request for comment on a new regulation required by the Gramm-Leach-Bliley Act on 2/3/2000
  • OCC Proposes Rules to Implement Gramm-Leach-Bliley Act Privacy Provisions, 2/3/2000

  • Request for Public Comments on Implementing the Consumer Privacy Provisions of the Gramm-Leach-Bliley Act, NAIC, 1/14/2000

  • Draft Privacy Regulation, dated 12/21/99, via ABA

  • Standards for Privacy of Individually Identifiable Health Information (Published November 3, 1999; Comment period ends January 3, 2000), U.S. Department of Health and Human Services

  • FCRA, Staff Opinion Letters, FTC

  • Office of the Comptroller of the Currency (OCC): Advisory Letter on Fair Credit Reporting Act (AL 99-3)
  • Information Resources on Privacy Rules

    COMMENT LETTERS, ARTICLES & TESTIMONIES ON PRIVACY

  • Privacy Proposals Find Broad Industry Support : February 7, 2000, Best Week (Life & Health)

  • Will Financial Services Reform Turn You into a Peeping Tom? By Russ Banham, March, Independent Agent Magazine

    **** Comment Letters *****

  • NAIC's final comment letters regarding Federal consumer privacy regulations issued under the Gramm-Leach-Bliley Act (to FDIC, Federal Reserve Board, FTC, NCUA, OCC, OTS, and SEC, respectively)

  • NAIC's Standards for Privacy of Individually Identifiable Health Information Comments (to HHS)

    **** Public Hearing *****

  • FINANCIAL INSTITUTIONS SUBCOMMITTEE HEARING ON FINANCIAL PRIVACY JULY 20, 1999

  • FINANCIAL INSTITUTIONS SUBCOMMITTEE HEARING ON FINANCIAL PRIVACY JULY 21, 1999

    OTHER INFORMATION ON PRIVACY

  • White House: Clinton-Gore plan to enhance consumers' financial privacy: Protecting core values in the information age, April 30, 2000

  • ACLI News Release: ACLI Would Back Prohibitions To Keep Medical Info From Marketers, Loan Officers, May 1, 2000

  • ABA: Privacy of Customer Information

  • ICBA: Public Policy: Privacy Issues

  • CBA: Privacy Principles

  • ACB: Financial Privacy/Know Your Customer

  • AIA: United States Insurance Information Practices and Available Legal Protections, June 22, 1998

  • SIA: Privacy Protection In The United States Securities Industry

  • ICI: Protection of Data Privacy in the Investment Company Industry

  • National Retail Federation (NRF): Privacy Resources

  • Federal Trade Commission: About Privacy

  • Fair Isaac Inc.: FICO Scores (a lot of information on credit scoring and insurance scoring)

  • U.S. Department of Commerce: National Telecommunications and Information Administration (NTIA) : Privacy Issues

  • Privacy Regulation Report

  • PrivacyChoices: your resource for online privacy information (by DoubleClick)

  • Privacy Rights Clearinghouse

  • Electronic Privacy Information Center

  • Online Privacy Alliance (OPA)

  • Privacy and American Business

  • TRUSTe: Building a Web You Can Believe In

  • Privacy & Databases of Personal Information (@ Computer Ethics)

  • Tech Law Journal, Privacy Stories

  • Internet Cookies, March 12, 1998, US Department of Energy Computer Incident Advisory Capability (CIAC)

    INTERNATIONAL PRIVACY RULES

  • European Union: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

  • France: Commission Nationale de l'Informatique et des Libertés (CNIL)
  • Transposition of the European Directive of 24 October 1995 (10/26/2000, France)

  • Germany: Der Bundesbeauftragte für den Datenschutz (BfD)

  • United Kingdom: The Data Protection Commissioner
  • Data Protection Act 1998 (1998 Chapter 29, United Kingdom)

  • Australia: The Australian Privacy Commissioner
  • Privacy Amendment (Private Sector) Bill 2000 (Australia)
  • Federal Privacy Commissioner's submission to inquiry into the Privacy Amendment (Private Sector) Bill 2000 by the House of Representatives Standing Committee on Legal and Constitutional Affairs (25/5/2000) (Australia)
  • Privacy Act and other laws (Australia)

  • Canada: Privacy Commissioner of Canada
  • THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (Private sector, received Royal Assent on April 13, 2000 and comes into force on January 1, 2001, Canada)
  • The Privacy Act (Public sector, effective since 1983, Canada)
  • Privacy and Financial Services in Canada, Richard Owens (Task Force Research Reports, Canada)

  • Japan: Financial Information System Center (FISC, in Japanese)
  • About personal data protection in the life insurance business, The Life Insurance Association of Japan (Japan, in Japanese)
  • The working group on personal information protection (Prime Minister's Official Residence, Japan, in Japanese)

  • Organization for Economic Cooperation and Development (OECD) : Privacy Guidelines

  • Privacy Laws & Business: Data Protection & Privacy Information Worldwide (Privacylaws.co.uk)
  • Worldwide Privacy Links via Privacylaws.co.uk

  • Privacy International



    The information and materials presented throughout this website and its links are for information purposes only and are not legal advice.

    For more information regarding our services, please contact APFT, Inc:


    APFT Inc.
    2808 Bear Island Pointe
    Winter Park, FL 32792
    (407) 671-8904
    (407) 671-9518 Fax

    EMAIL: info@appliedprofit.com
