The Gramm-Leach-Bliley Act (the “Act”), also referred to as the Financial Services Modernization Act of 1999, is a federal law that regulates how financial institutions collect, use, and disclose individuals’ nonpublic personal financial information. Under the Act, financial institutions must comply with a set of requirements designed to protect consumers’ privacy. A “financial institution” is any company that is significantly engaged in offering financial products or services to individuals; this includes lenders, firms offering financial or investment advice, and insurance providers, not only banks. Enforcement is divided among regulators: banks, credit unions, securities firms, and insurers are overseen by their respective federal and state regulators, while the Federal Trade Commission (“FTC”) has jurisdiction over financial institutions that are not subject to another agency’s oversight, again provided they are “significantly” engaged in financial activities. The Act is enforced by these agencies and grants no explicit private right of action for violations. However, many state privacy laws and other federal regulations do provide a private right of action that may be relevant in the event of an unpermitted disclosure of private financial information.
The Act is made up of three components: the Financial Privacy Rule, the Safeguards Rule, and the pretexting provisions. The Financial Privacy Rule governs financial institutions’ collection, use, and disclosure of individuals’ nonpublic personal information, while the Safeguards Rule requires these institutions to implement administrative, technical, and physical measures to protect that information. The pretexting provisions prohibit any person, not only financial institutions, from obtaining customer information from a financial institution under false pretenses, for example by impersonating the customer. Financial institutions must also provide their customers with notices describing the institution’s information-sharing practices and the measures it uses to protect individuals’ private financial information.
Under the Act, there is an important difference between a “consumer” and a “customer”, and the distinction turns on the nature of the relationship between the individual and the financial institution. A consumer is an individual who obtains a financial product or service from the institution for personal, family, or household purposes, even on a one-time basis, such as cashing a check or applying for a loan that is not granted. A customer is a consumer who has a continuing relationship with the institution, such as a deposit account or an outstanding loan. Customers are entitled to a privacy notice when the relationship is established and to annual notices thereafter (subject to the exception, added by the FAST Act of 2015, for institutions that share only under the statutory exceptions and have not changed their policies). Consumers who are not customers receive a privacy notice, together with an opportunity to opt out, only if the institution intends to share their nonpublic personal information with a non-affiliated third party outside the Act’s exceptions, and the notice must be given before that sharing takes place.
The Act requires financial institutions to provide individuals with a notice that is a clear, conspicuous, and accurate reflection of the institution’s privacy practices. These notices apply only to “nonpublic personal information”, meaning personally identifiable financial information that the institution obtains in the course of providing a financial product or service and that is not otherwise publicly available. The notices must include relevant details such as the categories of information collected about the individual, the categories of affiliated and non-affiliated parties with whom it is shared, the individual’s right to opt out of sharing with non-affiliated third parties where that right applies, and the policies and practices in place to protect the confidentiality and security of the individual’s information.