Last week, Rep. Blaine Luetkemeyer (R-MO) introduced legislation (H.R. 5817) to limit the obligations of certain financial institutions to provide an annual privacy notice to consumers. Under the Gramm-Leach-Bliley Act (“GLBA”), financial institutions must provide customers an initial privacy notice and, for the duration of a customer relationship, an annual privacy notice that describes the company’s information-sharing practices. While anything is possible in Washington, particularly in a Presidential election year, the expectation is that this bill is unlikely to progress to enactment.
Under H.R. 5817, a financial institution would not be obligated to provide customers with an annual privacy notice so long as the company shares information only in certain limited respects (narrower than those permitted under federal law) and provided that the company has not changed its privacy policies or practices from those disclosed in its most recent privacy notice. Specifically, the carve-out would be available only to those financial institutions that do not share information in either of the following respects:
- with affiliates, even to the extent permissible under the Fair Credit Reporting Act; or
- with unaffiliated third parties, except as authorized under certain “exceptions” to sharing under GLBA, such as those that contemplate disclosures to service providers, law enforcement, or as necessary to fulfill a transaction requested by the customer. In the absence of an available exception, GLBA generally permits financial institutions to share nonpublic personal information with unaffiliated third parties only to the extent that the financial institution has provided the customer with a reasonable opportunity to opt out of the sharing of the information.
Whereas GLBA defines financial institutions subject to its notice obligations broadly, H.R. 5817 also would carve out certain state-licensed financial institutions that are “subject to existing regulation of consumer confidentiality that prohibits disclosure of nonpublic personal information without knowing and express consent of the consumer.” Insurance companies and money transmission services are among the financial institutions that typically are licensed by state authorities.