Reg. P (Privacy)

GENERAL PRIVACY

Question: We have a bank club newsletter in which we regularly publish birthdays and anniversary dates of club members. In addition, we’ll feature photographs of club members attending events hosted by the bank club. We have been advised to obtain permission from club members to include such information in the newsletter, for without the permission we may be violating the privacy provisions of the Gramm-Leach-Bliley Act (GLBA). Do you agree that this type of information sharing would violate the privacy provisions of Gramm-Leach-Bliley? What do you suggest?

Answer: Although a consumer’s birth date and/or wedding anniversary date are public records, the mere fact that a consumer is your customer is protected information under the privacy provisions of the GLBA. By including a club member’s birthday or anniversary announcement in your newsletter, you have provided to nonaffiliated third parties the information that a particular consumer is your customer (a member of your bank club). The bank must respect the rights of club members who do not provide permission, or who opt out of information sharing, and make sure that information about those members is not shared in the club newsletters. In order to comply with the privacy provisions of GLBA, the bank can do one of two things:

1) Include in your privacy notice the fact that you share nonpublic personal information with nonaffiliated third parties (describe the categories of information that are shared) and allow the customer to opt out of such information sharing; or
2) Obtain each club member’s express permission to include such information in the club newsletter. A suggested format for this permission reads:

WAIVER AND AUTHORIZATION
The undersigned understands that State and Federal laws, including but not limited to the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act, restrict the bank’s ability to disseminate certain information about its customers to affiliates and nonaffiliated third parties.

The undersigned hereby waives his or her rights under law to the extent that the bank is authorized to publish and disseminate certain information about the undersigned (such as the age, birthday, anniversary dates, or photographs of club events featuring the undersigned) to other members of [name of bank club].

The undersigned customer may revoke this authorization at any time by contacting [bank] at [telephone number].
______________________________________          ______________
Customer’s signature                            Date

Question: Our bank is considering starting a “refer-a-friend” marketing program. For example, I submit a friend’s name to the bank to contact. If my friend opens an account, I receive a cash or other reward. Does this program violate privacy rules, as the referring person now knows that his friend opened an account at the bank? Also, if a bank representative calls the referred friend, does the bank need to check the Do Not Call list? Can the bank mail an account opening packet and marketing materials?

Answer: If the bank’s payment to the current customer making the referral verifies an account has been opened by their friend, it can be deemed to violate the privacy regulations. Remember, the mere fact someone is a bank customer is protected under the privacy rules. It may be possible for the bank to proceed with the promotion and be in compliance with privacy rules. In most instances, the current customer provides the new prospective customer with a referral slip or coupon. This “refer-a-friend” coupon could contain a disclosure/waiver in which the new customer expressly agrees to sharing the fact they have opened an account with the referrer, such as: “Delivery of this item to the bank with a concurrent account opening will allow the bank to pay the referrer $25 in the form of a prepaid card. This also serves as a one-time waiver of my privacy rights as detailed in the bank privacy policy in that the referrer will be aware of this account opening.”

If the bank is given the name of a prospective customer and cold calls them, the Do Not Call laws apply, so the Do Not Call list needs to be checked before the call is made. There are no restrictions at this point on sending out account information and marketing materials via the mail unless the recipients’ names were produced from a prescreened list from a credit reporting agency.


PRIVACY NOTICE

Question: We are working on updating and reformatting our bank’s website and are debating whether or not we need to continue to provide our Privacy Notice on a designated page. With the recent amendments to Regulation P can we eliminate the notice from our website?

Answer: Yes, the alternative delivery method of providing an annual privacy notice allowed by the 2014 Regulation P amendment was removed from the rule on August 9, 2018. However, financial institutions can still choose to include their privacy notice on their website with no effect on their eligibility for the annual notice exception. So while it can be removed, your bank may decide to continue posting its privacy notice for ease in referring consumers to its privacy practices. The September 2018 Disclosure included a highlight article summarizing the finalization of the annual privacy notice exemption.

For additional information refer to the Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley Act (Regulation P) Final Rule. (January 2019)


JOINT MARKETING AGREEMENTS

Question: Under the privacy regulation, is a notice of a joint marketing arrangement required for certain “club” accounts, credit card third-party referrals (such as programs with the bank’s name on the card), and other nonaffiliated arrangements where nonpublic personal information is only given to the nonaffiliate at the request of the lender? Other examples are arrangements with Iowa Student Loan and Sallie Mae to hand out student loan applications, where the bank receives a small referral fee for the student loan account.

Answer: According to the Privacy FAQs, issued in December 2001, a joint marketing arrangement exists between one or more financial institutions in which the institutions jointly offer, endorse, or sponsor a financial product or service. You may disclose your consumer customers’ names and other nonpublic personal information only when you and the other financial institution(s) have entered into a written agreement that restricts re-disclosure or use of the customers’ nonpublic personal financial information for any purpose other than as stipulated in the agreement. Further, you must describe joint marketing arrangements in your privacy notice.

However, in situations as you describe, where you do not directly disclose nonpublic personal information about your customers to unaffiliated third parties, you do not have a joint marketing arrangement. Even though you may provide applications for financial products or services available from unaffiliated third parties, there is no disclosure or sharing of your customers’ nonpublic personal information until such time as the consumer makes such disclosure by completing the application. However, you must be careful not to facilitate your customer’s unwitting disclosure of his or her nonpublic personal information to the vendor by virtue of a response to the marketing materials. For example, the third party may have printed a reference code on its marketing materials that indicates that the offer for that product was sent to your customers who share certain financial characteristics. From this code, the third party would be able to determine that the individual who responds to the marketing materials that you delivered is your customer or holds certain kinds of assets. In that case, you would have disclosed nonpublic personal information about the customer to the vendor. Under these circumstances, you must both describe these types of marketing arrangements in your initial, annual, or revised privacy notice, and provide your customer with a reasonable opportunity to opt out or obtain your customer’s specific consent to such arrangements. Alternatively, you may structure the marketing materials so your customer knows that by responding he or she would be disclosing certain categories of nonpublic personal information about himself or herself.

Question: Our information sharing practices are changing, as we have decided to begin sharing nonpublic personal information with a nonaffiliated third party for marketing purposes. Are we required to mail our revised Privacy Notice to all customers before we begin sharing the nonpublic personal information?

Answer: The change you describe triggers the opt-out right for consumers and therefore requires a revised privacy notice as described in Regulation P § 1016.8. Delivering the revised privacy notice can be done by mail to the last known address of a consumer or by handing a printed copy to the consumer. Additionally, for consumers who conduct transactions electronically, follow § 1016.9(b)(1)(iii) by posting the notice electronically and requiring the consumer to acknowledge receipt. Since the change you are making requires an opt-out, § 1016.7 requires that the bank provide a reasonable opportunity for the consumer to opt out prior to disclosing their information to the nonaffiliated third party. (January 2019)


CCPA

Question: Recently I have noticed lots of “chatter” on the compliance blogs about the California Consumer Privacy Act (CCPA). At first I disregarded it entirely because we do not have a branch location in California, but recently I have seen posts indicating out-of-state banks could be covered by the rule if they have customers who are California residents. Do we need to conduct a search of our customer database and determine if we have customers who live in California and, if so, create a program that meets the requirements of the CCPA?

Answer: The CCPA was enacted in June 2018 and was effective on Jan. 1, 2020. The CCPA provides several new privacy rights to “consumers,” defined simply as California residents. Those new rights include:

  • The right to opt out of a business’ sale of their personal information (PI).
  • The right to know what PI a business has collected about them and what has been sold to others.
  • The right to have a business delete their PI.
  • The right to exercise their CCPA rights without discrimination by businesses in the price and/or quality of goods and services.

PI is defined broadly, including not only social security numbers and “nonpublic personal information” protected by the GLBA, but also a consumer’s browsing history, geolocation, and purchasing activity. Key terms such as “sale” and “collection” are also expansively defined; for example, “collection” includes passively receiving PI about a consumer.

“Businesses” are responsible for compliance with the CCPA. A business is defined in the CCPA as a for-profit entity doing business in California that collects consumers’ PI, directs or controls the processing of the PI, and meets one or more of the following three criteria:

  • Gross annual revenues exceeding $25 million.
  • Buys, sells or receives the PI of at least 50,000 consumers, households or devices.
  • Derives at least 50% of annual revenue from selling consumers’ PI.

It’s unlikely a community bank in Iowa meets either of the last two criteria to be considered a “covered business,” but if the bank’s gross annual revenues exceeded $25 million, it could be covered and should run a query to determine if it has customers who are California residents.

More information on the CCPA is available on the California AG website. An ABA Banking Journal article on the impact of the CCPA on banks is also available. (December 2019)