Protecting Financial Privacy in the New Millennium

Used to be, your bank handled your checking and savings accounts. You visited your insurance agent for life, auto, or homeowner's insurance. And, if you wanted to "play the market," you called your stock broker. Recent federal legislation has changed all that.

The Financial Services Modernization Act (also known as the Gramm-Leach-Bliley Act or GLB) now allows banks, insurance companies, and brokerage firms to operate as one. The combined companies have been aptly dubbed "financial supermarkets." They may promise you such benefits as consolidated account statements and lower fees. But at the same time, the ability of these companies to merge customer data from several sources and even sell it to third parties represents a real risk to your privacy.

Information about you kept in the files of financial institutions is now, and always has been, some of the most sensitive, personal information imaginable. Surprisingly, until now, there were few restrictions on a financial institution's ability to share or even sell* your personal information. Title V of GLB (15 U.S.C. §§ 6801-6810) gives you some minimal rights to protect your financial privacy. But the burden is on you to assert your rights.

[*Note regarding the word "sell." Most companies actually rent or lease customer data to third parties for a one-time use. Even though financial companies are likely to be renting customer data, we use the word "sell" in this guide to indicate that customer data exchanges hands for a fee.]

What privacy rights do I have under GLB?
GLB requires that your financial institution give you notice of three things:

Privacy Policy: Your financial institution must tell you the kinds of information it collects about you and how it uses that information.

Right to Opt-Out: Your financial institution must explain your ability to prevent the sale of your customer data to third parties.

Safeguards: Financial institutions are required to develop policies to prevent fraudulent access to confidential financial information. These policies must be disclosed to you.

"Opt-out" is contrary to the "opt-in" approach preferred by most consumer and privacy advocates. Opt-in would prohibit a financial institution from sharing or selling your data if you did not give your affirmative consent. With opt-out, you give your implied consent by failing to return the notice. The default for the opt-out approach is that your data is shared until and unless you notify the company otherwise.

Will the privacy notice come from my bank?
Yes. And if you have active accounts with a brokerage house, credit card company, or insurance company, you will receive a privacy notice from these institutions as well. In addition, the term "financial institution" includes companies you might not consider to be financial institutions such as payday loan companies, collection agencies, and travel agents. For this reason, it is particularly important to carefully review all preprinted notices you receive in the mail or via a company's web site or electronic mail messages.

When will I receive the privacy notices?
By July 1, 2001, you should have received a privacy notice from every financial institution where you have an ongoing customer relationship. If you have more than one account with any company, you will probably not receive a notice for each account. You may receive notices from companies where you were not even aware that you had an existing relationship. The American Bankers' Association has estimated that the average household will receive about 18 notices.

Will I receive a written notice in the mail?
You will receive a written notice in the mail or by electronic mail if you normally do business online. The notice, whether received in the mail or online, must be "clear and conspicuous." For example, an Internet notice should prompt you to scroll down the page in order to view the entire notice or provide you a drop-down menu that draws your attention to the privacy notice. In order for it to be effective, you must agree to receive the notice by electronic means and must acknowledge having received it. Verbal notice alone is not enough. Nor is it enough for a company to post a notice at its office.

Will the privacy notice be separate from other notices?
The law does not require that you receive a separate notice of the privacy policy, your right to opt-out, or the policy regarding safeguarding confidential information. There is no standard form, so the notice may come in a variety of ways. The exact format is left to the discretion of the company. The law requires only that the notice be "clear and conspicuous" and "designed to call attention to the nature and significance of the information contained" in the notice.

Notices may, for example, be mailed along with your account statements. Your privacy notice may also be included with other notices you are required to receive, for instance, in a mutual fund prospectus. Remember: If you do not want your financial institution to share or sell your confidential information, the burden is on you to recognize the notice and follow the opt-out instructions.

Can I shop around for a privacy policy I like before opening an account?
You may certainly ask a financial institution you're thinking of doing business with for a copy of its privacy policy. However, you are entitled to the notice only if you are an existing customer or at the time you establish a "customer relationship" with a financial institution. After that, you are entitled to receive a notice annually.

A "customer relationship" means a continuing relationship. You have only a "consumer relationship" if you have an isolated transaction with a financial institution. One example would be an ATM withdrawal. A "consumer" is entitled to notice of the financial institution's privacy policy only if it intends to disclose information to nonaffiliated third parties.

I have a joint account with a spouse/friend. Do both of us have to "opt-out" to prevent information from being shared or sold?
To be safe, probably yes, if both of you want to opt-out. A financial institution cannot require that you both opt-out. If only one of you decides to opt-out, you should ask for separate notices. Then, only information that relates to the one who did not opt-out can be disclosed. The company’s policy regarding joint accounts should be included in its privacy notice to you.

What about closed accounts?
Initial and annual notices must inform you of the policies regarding disclosures of information from closed accounts. Financial institutions are not required to send you an "opt-out" notice if your account is closed. However, if you have an existing account and "opt-out" (that is, return the notice saying you do not want your information disclosed), your opt-out election would continue even after you closed the account. If at a later time you decide to open another account with that bank or other company, you will receive another initial "opt-out" notice which will apply only to data about your new account. You may choose to "opt-out" of the second account, but your decision with regard to the first account will not change unless you change it.

How long do I have to opt-out?
You are entitled to a "reasonable" time to respond before your personal data can be disclosed. Generally 30 days is considered "reasonable." If the privacy notice says you have 30 days to respond, you must return the notice so that it reaches the company within 30 days after it was sent to you. When you agree to accept notice via the Internet, you must respond to the notice within 30 days after you acknowledge you received it, if 30 days is the amount of time you are given to respond.

If you have an isolated transaction, which means you have only a "consumer relationship" with a financial institution, you may be required to decide whether to opt-out at the time of the transaction. For example, if an ATM screen posts a privacy policy and opt-out notice, you must elect at that time whether you want to opt-out. Failure to do so would mean that the financial institution could share or sell your personal data any time after that.

Do I have only one chance to opt-out?
No. Your right to opt-out is continuing. If you fail to return the initial opt-out notice or an annual opt-out notice, your financial institution may sell or share your personal data after a "reasonable" time, usually 30 days. If you later decide you want to keep your financial institution from disclosing your personal data, you always have the right to opt-out. It goes without saying, however, that information that is disclosed before you opt-out is already "out there."

Do I have to write a letter for every account?
No. Your financial institution is required to give you a "reasonable" means to exercise your opt-out rights. Requiring you to write individual letters is not considered "reasonable" if that is the only way you can opt-out. A formal response may be included with the notice such as a form with check-off boxes or a simple reply form. However, financial institutions are not required to provide pre-paid postage. An e-mail or web site form may be used if your request is processed via the Internet. A toll-free telephone number may also be used for customers to call and opt-out.

Can I opt-out by verbally telling my broker or banker?
No. You must opt-out using the procedure your bank or other financial company establishes, as long as it is reasonable. Again, the burden is on you to follow the procedures set out by your financial institution. Failure to do so could result in disclosure of information you would not tell your best friend.

Will the privacy notice say exactly what information about me can be disclosed?
The law and regulations require only that you get notice of the categories of information the financial institution collects and the categories of information that may be sold or shared with a third party. The notice must give you specific examples of the kinds of information included in each category, but this is by no means a complete list of the data that may be disclosed.

The privacy notice may tell you that your financial institution collects and may disclose information obtained from you from account applications and give examples such as your name, address, Social Security number, assets and income. You should assume from such a statement that any other information you provide on an account application could be collected and disclosed. Depending on the nature of the application, other information might include former addresses, debt level, mortgage payments, income other than salary such as child support payments, and much more.

Is there any kind of information that can't be disclosed?
GLB and federal regulations only keep financial institutions from disclosing your account number or access code to a third-party nonaffiliated company to use in telemarketing or direct mail marketing. This means that a financial institution can sell your personal data to a telemarketer, for example, but it cannot sell the means by which your account can be accessed.

Can my medical information be disclosed?
Unless you opt-out, sensitive information, such as details about your health and treatments, may be disclosed to a third-party nonaffiliate. Again, you will not receive notice of exactly what can be released -- only the category.

You may have heard that the federal Department of Health and Human Services (HHS) has adopted rules to protect your medical privacy. The HHS rules, however, only apply to records kept by health-related institutions. You have no control over whether medical information captured by financial institutions is shared with an affiliate company. For example, if you have paid XYZ Oncology Clinic by credit card or check, that information will be recorded and perhaps shared with third parties.

The status of these medical privacy rules is now in flux. The Bush Administration has delayed implementation of the rules, which were developed during the Clinton Administration, pending additional study. (See www.healthprivacy.org for more information.)

You may have greater rights to protect health information under the laws of your state. For example, California recently passed a law that makes it a crime for an insurance company to sell information to a financial institution for the purpose of granting credit (AB 2797 in the 2000 legislative session, California Civil Code 56.26). The information flow in this case is only restricted one way. This law does not cover information that flows from a financial institution to an insurance company. State regulations about insurance may also give you more rights to medical privacy.

Where does a financial institution get its information?
This is one of the things the notice must tell you. A financial institution may receive information directly from you, for example, when you fill out an application for a new account. Information about you may also be compiled based upon records of your transactions with that company or its affiliates. This may include information about how you use your credit card, your account balances, late payments, what you buy, and where you shop.

Information may also be collected from nonaffiliated third parties, consumer reporting agencies, or public records. Some financial institutions, for example, "enhance" their files about you with information purchased from companies that collect data from consumer surveys, product registration cards, public records, and Census tracts. Such data is used to market products and services to you that the company believes are compatible with your interests.

Consider the amount and kinds of information you supply just to a financial institution that may sell insurance, bank products, and securities. Combine this with the information available from other sources, and virtually any detail of your financial affairs, health status, spending habits, lifestyle purchases, political affiliations, religious contributions, and more can be collected by your financial institution. Unless you formally object, it can be shared, sold, rented, or otherwise disclosed with few exceptions.

What kinds of companies can get my personal information?
The privacy notice you receive from financial institutions does not have to tell you the names of any specific companies or organizations that may buy or receive your personal information. Again, only the categories of companies have to be disclosed to you. Your bank may sell your personal information to financial services providers, one example of which could be an insurance company that is not affiliated with your bank. Other categories of nonaffiliated companies that could receive your information might be non-financial service providers such as retailers, direct marketers, or nonprofit organizations. A company that is an affiliate of your bank may include a credit card company, a brokerage company, a mortgage company, an insurance company and an automobile financing company.

Can I stop my financial institution from sharing my personal information with its affiliates?
Under GLB, a company can share your personal information with its affiliates. However, the notice you receive is also likely to explain your right to opt-out under the Fair Credit Reporting Act (FCRA). This law gives you the right to prevent a company from sharing information about your credit worthiness and information from your applications with an affiliate. Your "transaction and experience" information can still be shared with affiliates without your consent, according to the FCRA. As explained above with the example about health-related payments, transaction information can be highly sensitive.

Under federal rules, a credit reporting agency (CRA) cannot sell so-called "credit header" information to third parties (your name, address, phone number, age and Social Security number) unless your bank has given you the right to opt-out. Credit reporting agencies have filed lawsuits over this issue, claiming they should not be restricted in selling such data. The CRAs are Equifax, Experian, and Trans Union.

Despite the weaknesses in both the GLB and FCRA laws, you are free to tell the company that you object to any use of your personal information even if it is permitted by law. If you object to having your information shared with third parties or affiliates, you may use the sample letter included in Fact Sheet 24a to object. (See "How to Read Your Opt-Out Notice," www.privacyrights.org/fs/fs24a-optout.htm) For more information about your ability to opt-out under the FCRA, see PRC Fact Sheet 6, "How Private is My Credit Report," at www.privacyrights.org/fs/fs6-crdt.htm.

May I sue my financial institution for violating my GLB privacy rights?
GLB does not contain what is called a private right of action. So you cannot go to court and sue for violations of your privacy rights just under that statute. However, under some state laws you might be able to claim that the company’s violation of GLB violated other rights you have.

You can complain to one of the seven federal agencies that have jurisdiction over financial institutions under GLB. These agencies are identified below along with a description of the kinds of financial institution each oversees. Each agency has enforcement authority under GLB for the area of financial services it regulates. Enforcement authority means that you can complain to the agency, the agency may investigate your complaint, and may bring a court action or administrative case against the company. The agency cannot represent you and cannot give you legal advice on your particular complaint.

What are the most important things I can do to protect my financial privacy?
The single most important thing you can do to protect your financial privacy is to carefully read all information that comes from a financial institution. Study the institution's privacy policy. If it causes you concern, return the opt-out notice within the specified time.

Remember, you have very little ability to prevent a financial services company from sharing your customer data with its affiliated companies. The privacy provisions of GLB only pertain to unaffiliated third parties. You would not, for example, be able to prevent your bank from sharing your customer data with its affiliated insurance company or brokerage firm.

So, if you are concerned about affiliate sharing and the ability of these "financial supermarkets" to compile extensive dossiers about you, you must take extra care to conduct your banking with one corporation, keep your insurance accounts with another unaffiliated corporation, and your investments with yet another.

In this privacy-conscious marketplace, some financial institutions might differentiate themselves by becoming more "privacy-friendly." Watch for companies that advertise that they do not share your customer data with either affiliates or third parties.

State legislatures and Congress might attempt to strengthen the privacy provisions of the federal GLB Act in the coming years. If you favor stronger financial privacy rights, be sure to communicate that to your state and federal legislators.

Why should I opt-out?
If you are like the many people who have responded to polls, you are concerned about your privacy. Opt-out gives you some control over how your personal information is used. Banks and other financial companies may revise and strengthen their privacy policies if enough people show their concern for privacy by opting-out.

Where can I go to complain about my financial institution's privacy policy?
As far as we can determine, no federal agency has a specific address for consumers to file privacy complaints. Information about the seven federal agencies that enforce the privacy provisions of the GLB is listed below:

Federal Deposit Insurance Corporation (FDIC). The FDIC insures consumer deposits made in banks and savings associations. To ensure financial soundness and compliance with consumer protection rules, the FDIC, often in coordination with other federal banking agencies, conducts examinations of the institutions included within its jurisdiction.

FDIC
Compliance & Consumer Affairs
550 17th Street, N.W.
Washington, D.C. 20429

(800) 925-4618
www.fdic.gov/consumers/questions/customer/

Board of Governors of the Federal Reserve (Federal Reserve). The Federal Reserve is the nation's central bank. It sets monetary policy, regulates bank institutions, and provides financial services to the government and the public.

Federal Reserve
Consumer & Community Affairs
20th & C Streets, N.W. Stop 801
Washington, D.C. 20551

(202) 452-3693
www.federalreserve.gov/pubs/complaints

Office of Thrift Supervision (OTS). The OTS is an agency of the U.S. Department of Treasury. OTS regulates state-chartered thrift institutions such as savings banks and savings and loan associations.

OTS, Consumer Complaints
1700 G. Street, N.W.
Washington, D.C. 20552

(202) 906-6000
www.ots.treas.gov/contacts.html

Office of Comptroller of the Currency (OCC). The OCC is an agency of the U.S. Department of Treasury. This agency charters, regulates and supervises all national banks as well as the federal branches of foreign banks.

OCC
Customer Assistance Group
1301 McKinnley St., Suite 3710
Houston, TX 77010

(800) 613-6743
www.occ.treas.gov/customer.htm

National Credit Union Administration (NCUA). The NCUA regulates and conducts examinations of federal credit unions, which are nonprofit, cooperative financial institutions owned and run by members.

NCUA
1775 Duke Street
Alexandria, VA 22314

(703) 518-6330
www.ncua.gov/talk2ncua/talk2ncua.html

Securities and Exchange Commission (SEC). The SEC oversees the nation's equity markets which include stock exchanges, broker-dealers, associated persons of broker-dealers, and investment advisors.

SEC
Investor Education & Assistance
450 Fifth St., N.W.
Washington, D.C. 20549

(202) 942-7040
www.sec.gov/consumer/compform.htm

Federal Trade Commission (FTC). The FTC investigates consumer protection and consumer fraud matters that are not specifically within the jurisdiction of another federal agency such as the SEC. The FTC's consumer protection jurisdiction includes debt collection, credit reports, lending, telemarketing, credit repair services and much more. To file a complaint with the FTC's Office of Consumer Protection, write, call, or contact the agency online:

Federal Trade Commission
CRC-240
Washington, D.C. 20580

(877) FTC-HELP (877-382-4357)
www.ftc.gov/privacy/

To find the address and telephone number of the Insurance Commissioner in your state, write, call, or connect online with the National Association of Insurance Commissioners:

NAIC
2301 McGee Street, Ste 800
Kansas City, MO 64108-2604

(816) 842-3600
www.naic.org

Laws

Financial Services Modernization Act (GLB), 15 U.S.C. §§6801-6810
www.ftc.gov/privacy/glbact/glbsub1.htm

Fair Credit Reporting Act (FCRA), 15 U.S.C. §1681 et seq.
www.ftc.gov/dcp/conline/edcams/fcra/

GLB Privacy Regulations

FTC: Privacy of Consumer Financial Information; 16 C.F.R. Part 313; 65 Federal Register 33645 (May 24, 2000), http://www.ftc.gov/privacy/glbact/index.html

SEC: Privacy of Consumer Financial Information (Regulation S-P). 17 C.F.R. Part 248; 65 Federal Register 40333 (June 29, 2000), www.sec.gov/rules/final/34-42974.htm

OCC; FDIC; Federal Reserve; OTS (Joint Regulations): Privacy of Consumer Financial Information; 12 C.F.R. Part 40; 65 Federal Register 35161 (June 1, 2000), www.occ.treas.gov/fr/cfr.htm

NCUA: Privacy of Consumer Financial Information; 12 C.F.R. Parts 716 and 741; 65 Federal Register 31722 (May 18, 2000), www.ncua.gov/ref/rules_and_regs/rules_and_regs.html (See change 5)

Related PRC Publications on Financial Privacy:
Fact Sheet 24. “Financial Privacy in the New Millennium: The Burden Is on You.”
www.privacyrights.org/fs/fs24-finpriv.htm

Fact Sheet 24(a). “Financial Privacy: How to Read Your ‘Opt-Out’ Notices.”
www.privacyrights.org/fs/fs24a-optout.htm

Fact Sheet 24(b). "Take the Cloze Test: Readability of a Financial Privacy Notice."
www.privacyrights.org/fs/fs24b-ClozeFinancial.htm

Fact Sheet 24(c). "How to Shop for Financial Privacy"
www.privacyrights.org/fs/24c-ShopFin.htm

Financial Privacy Notices: Do They Really Want You to Know What They’re Saying?
www.privacyrights.org/ar/GLB-CodeOpEd.htm

“Lost in the Fine Print: Readability of Financial Privacy Notices.”
www.privacyrights.org/ar/GLB-Reading.htm

 