The Attorney General provides Consumer Alerts to inform the public of unfair, misleading or deceptive business practices, and to provide information and guidance on other issues of concern. Consumer Alerts are not legal advice, legal authority, or a binding legal opinion from the Department of Attorney General.
The Attorney General's office advises consumers to learn about their right to say "no" to the sharing of their personal information by financial institutions. Perhaps unknown to many consumers, financial institutions are allowed to sell your personal information to unaffiliated companies - but before they do, they must notify you of their information-sharing practices and give you the opportunity to limit some of the trafficking in your personal information. Do not throw out mail from banks, insurance companies, investment brokers, and other financial institutions until you have reviewed it for financial privacy information. If you do not exercise your right to say "no," these companies may begin selling your personal information to outside companies.
Many financial institutions have voluntarily adopted stricter information sharing policies than the law now requires, but many have not. Only by reading the information you receive, and by asking questions of financial institutions, will you know how your institution uses your personal information and be able to decide whether to take your business elsewhere.
As collecting, slicing, dicing, mixing, and manipulating your personal information has become easier and cheaper, there has been a corresponding increase in the reported cases of identity theft, which occurs when a person uses someone else's personal information to fraudulently make purchases or obtain credit in that person's name. Some identity thieves have even generated criminal convictions under an innocent consumer's name. Identity theft can be a nightmare, but consumers can take steps to reduce their risk of becoming victims by limiting others' access to their personal information.
(The information presented in this alert concerns data trading by financial institutions. For more information on identity theft, see the Attorney General’s Consumer Alerts titled “Identity Theft Prevention,” “Identity Theft Recovery,” “Identity Theft: Deceased Victims,” and the Federal Trade Commission’s Identity Theft website.)
In passing the Gramm-Leach-Bliley Act of 1999, Congress repealed long-standing restrictions separating different sectors of the financial services industry. Now, banks, insurance companies and brokerage companies are allowed to merge or become corporate affiliates and to share consumers' personal information. (For example, a brokerage house or bank can now share information about a consumer's transactions with an affiliated insurance company.)
First, the good news: The new federal financial privacy rules require financial institutions to:
Consumers have an opportunity to inform and protect themselves. By being vigilant - and active - consumers can stop the flow of some personal information between corporate databases and nonaffiliated, outside companies, such as information brokers, telemarketers, and junk mailers.
Now, the bad news: While Congress and other federal agencies have given consumers limited ability to protect the privacy of their financial information, the sad fact is that much of the information that financial institutions gather about their customers is not covered by these rules.
Financial institutions generally don't have to offer consumers the right to prevent "publicly available" information about them from being sold to other parties, or to prevent the sharing of even nonpublic personal information with "affiliates" of the financial institution. (An exception, however, is the sharing of non-transactional information, such as "creditworthiness" information, among affiliates under the federal Fair Credit Reporting Act - this information should be included in the notices you receive.)
The cost of preventing the sale or other transfer of nonpublic personal financial information to outside companies rests squarely on the consumers' shoulders - consumers must spend the time and effort to learn what rights they have, to determine how to exercise those rights, and then to invest the additional time and effort completing the opt-out process.
Under the Gramm-Leach-Bliley Act and rules established by the Federal Trade Commission and other federal agencies, financial institutions have an obligation to give their customers notice about the use of their personal information and a limited opportunity to block some information sharing. The questions and answers below cover elements of the FTC's rules.
1. Which "financial institutions" are covered by these laws?
According to the Federal Trade Commission, a "financial institution" includes banks, insurance companies, and investment businesses, as well as any other business "significantly engaged" in financial activities. "Financial institutions" may include:
2. What notice is required?
Institutions must supply consumers with an initial privacy statement. Consumers who have a continuing relationship with a financial institution are entitled to additional statements on a yearly basis. The notice should include:
3. How does the opt-out notice work?
The opt-out notice is separate from the privacy statement. It must contain certain information and must be clear. Specifically, the opt-out notice must:
4. What is "nonpublic personal information?"
The new rules give consumers only a limited right to block sharing of certain information. Consumers have no right to block sharing of information that is "publicly available," which means:
5. What is an "affiliated company?"
Generally, affiliated companies are individual companies that belong to the same corporate family. For example, an insurance company and a bank that are under the control of a third (parent) company would be affiliates, as would the parent company. Thus, neither the bank nor the insurance company would be required to permit you to opt-out of data sharing with the other company under the FTC's rules.
Under the Fair Credit Reporting Act, however, consumers have a limited ability to opt out of some information sharing between affiliates involving non-transactional information, including information about:
Unfortunately, at this time, the Fair Credit Reporting Act does not give consumers the right to prevent affiliates from sharing "transaction and experience" information about a consumer. Such transactional information can include a wide variety of data many consumers would consider very personal, such as credit card charges a consumer makes and checks a consumer writes.
Consumers who would like more information about the Gramm-Leach-Bliley Act can visit the FTC's website that contains various resources related to the Act.
For more information about identity theft prevention, consumers should visit the Attorney General's Consumer Alert entitled "Identity Theft Prevention." Consumers may also call the Federal Trade Commission (FTC) at 877-ID-Theft.
If you have a complaint about a privacy notice or opt-out instructions, you may wish to file a complaint with the FTC.
If you have a complaint, please contact the Attorney General's Consumer Protection Division at:
Consumer Protection Division