Editing Gramm–Leach–Bliley Act (section)

===Financial Privacy Rule===
(Subtitle A: Disclosure of Nonpublic Personal Information, codified at {{usc|15|6801|6809}})

The Financial Privacy Rule requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter. The privacy notice must explain the information collected about the consumer, where that information is shared, how that information is used, and how that information is protected. The notice must also identify the consumer's right to opt out of the information being shared with unaffiliated parties pursuant to the provisions of the [[Fair Credit Reporting Act]]. Should the privacy policy change at any point in time, the consumer must be notified again for acceptance. Each time the privacy notice is reestablished, the consumer has the right to opt out again. The unaffiliated parties receiving the nonpublic information are held to the acceptance terms of the consumer under the original relationship agreement. In summary, the financial privacy rule provides for a [[privacy policy]] agreement between the company and the consumer pertaining to the protection of the consumer's personal nonpublic information.

On November 17, 2009, eight federal regulatory agencies released the final version of a [https://www.sec.gov/news/press/2009/2009-248.htm model privacy notice form] to make it easier for consumers to understand how financial institutions collect and share information about consumers.

====Financial institutions====
GLBA defines financial institutions as: "companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance". The [[Federal Trade Commission]] (FTC) has jurisdiction over financial institutions similar to, and including, these:
* Non-bank mortgage lenders,
* Real estate appraisers,
* Loan brokers,
* Some financial or investment advisers,
* Debt collectors,
* Tax return preparers,
* Banks, and
* Real estate settlement service providers.

These companies must also be considered significantly engaged in the financial service or production that defines them as a "financial institution".

Insurance has jurisdiction first by the state, provided the state law at minimum complies with the GLB. State law can require greater compliance, but not less than what is otherwise required by the GLB.

====Consumer vs. customer defined====
The ''Gramm–Leach–Bliley Act'' defines a "consumer" as
:"an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes, and also means the legal representative of such an individual." (See {{usc|15|6809(9)}}.)

A customer is a consumer that has developed a relationship with privacy rights protected under the ''GLB''. A customer is not someone using an automated teller machine (ATM) or having a check cashed at a cash advance business. These are not ongoing relationships like a customer might have—i.e., a [[mortgage loan]], tax advising, or credit financing. A business is not an individual with personal nonpublic information, so a business cannot be a customer under the ''GLB''. A business, however, may be liable for compliance to the ''GLB'' depending upon the type of business and the activities utilizing individual's personal nonpublic information.

{{blockquote|Definition: A "consumer" is an individual who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that individual's legal representative.

Examples of consumer relationships:
* Applying for a loan
* Obtaining cash from a foreign ATM, even if it occurs on a regular basis
* Cashing a check with a check-cashing company
* Arranging for a wire transfer<ref name=ftcoutline>{{cite web|title=The Gramm–Leach–Bliley Act Privacy of Consumer Financial Information|url=http://www.ftc.gov/privacy/glbact/glboutline.htm|work=Federal Trade Commission Bureau of Consumer Protection Division of Financial Practices|publisher=FTC|access-date=25 October 2011|author=FTC|author-link=Federal Trade Commission|date=June 18, 2001|url-status=live|archive-url=https://web.archive.org/web/20111031133633/http://www.ftc.gov/privacy/glbact/glboutline.htm|archive-date=31 October 2011}}</ref>}}

{{blockquote|Definition: A "customer" is a consumer who has a "customer relationship" with a financial institution. A "customer relationship" is a continuing relationship with a consumer.

Examples of establishing a customer relationship:
* Opening a credit card account with a financial institution
* Entering into an automobile lease (on a non-operating basis for an initial lease term of at least 90 days) with an automobile dealer
* Providing personally identifiable financial information to a broker in order to obtain a mortgage loan
* Obtaining a loan from a mortgage lender
* Agreeing to obtain tax preparation or credit counseling services

"Special Rule" for Loans: The customer relationship travels with ownership of the servicing rights.<ref name=ftcoutline/>}}

====Consumer/client privacy rights====
Under the ''GLB'', financial institutions must provide their clients a privacy notice that explains what information the company gathers about the client, where this information is shared, and how the company safeguards that information. This privacy notice must be given to the client prior to entering into an agreement to do business. There are exceptions to this when the client accepts a delayed receipt of the notice in order to complete a transaction on a timely basis. This has been somewhat mitigated due to online acknowledgement agreements requiring the client to read or scroll through the notice and check a box to accept terms.

The privacy notice must also explain to the customer the opportunity to 'opt out'. Opting out means that the client can say "no" to allowing their information to be shared with nonaffiliated third parties. The ''[[Fair Credit Reporting Act]]'' is responsible for the 'opt-out' opportunity, but the privacy notice must inform the customer of this right under the GLB. The client cannot opt out of:
* Information shared with those providing priority service to the financial institution
* Marketing of products or services for the financial institution
* When the information is deemed legally required.
* When entering into a financial transaction, the institution providing said transaction must provide the customer a secure room with the ability to close in order to better protect the clients personal information.

====Receipt of GLBA notices by consumers====
===== ¶ Service of notice requirements =====
Notice requirements may vary. In most cases, service of a GLBA notice is not necessary unless the entity serving the notice intends to "share" customer information, which the FTC defines as, "non-public personal information (NPI)", of customers required to be protected under ''GLBA''.<ref>[https://www.ftc.gov/tips-advice/business-center/guidance/how-comply-privacy-consumer-financial-information-rule-gramm **How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act**], FTC</ref><ref>[https://files.consumerfinance.gov/f/201410_cfpb_final-rule_annual-privacy-notice.pdf Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley], (US) Bureau of Consumer Financial Protection, modifying a requirement for financial institutions to provide an annual GLBA disclosure (.pdf)</ref><ref>[https://www.dlapiper.com/en/us/insights/publications/2016/01/annual-privacy-notice-requirement/ Annual privacy notice requirement eliminated for certain financial institutions] - explanation of rule change from DLA Piper law firm</ref>

=====¶ Response to receipt of a GLBA notice=====
A consumer may react to service of a ''GLBA'' notice by:

* Not responding
* Indicating, on an acknowledgment form that notice was not provided (typically for in-person signed documents) 
* Responding according to format suggested in the GLBA Notice
* Responding with a prepared letter (alone or in addition to the form)

====Synergy between GLBA and GDPR====
The [[European Union|European Union's]] [[General Data Protection Regulation|General Data Protection Regulation (GDPR)]] became enforceable on 25 May 2018. As applies to consumers, the [[General Data Protection Regulation|GDPR]] includes provision on scope of data collection, but also includes [[General Data Protection Regulation#Right of access|right of access]], [[General Data Protection Regulation#Right to erasure|right to erasure]], right to restriction of processing and right to data portability. Due to the multinational nature of some transactions, including data and internet transactions, and the possible implementation of corresponding regulations in some US states, it is likely that business and other entities will comply with the [[General Data Protection Regulation|GDPR]] as well as US ''GLBA'' requirements.

Individualized requests for privacy under the ''GLBA'' are likely to include provisions guaranteed by the [[European Union]]'s [[General Data Protection Regulation|GDPR]].