FTC Seeks to Expand Regulation of Financial Privacy

On February 24, the Federal Trade Commission (“FTC”) announced its proposed trade regulation rule implementing the Gramm-Leach-Bliley Act of 1999 (the “Act”). Comments are due on March 31, and the final rule will take effect in mid-November, 2000.

The Act requires “financial institutions” to: (1) disclose, at the time of establishing a “customer relationship,” their privacy policies and practices with respect to information sharing with both affiliates and nonaffiliated third parties; and (2) provide consumers with a means of opting out of any disclosure of their personal information to nonaffiliated third parties. The Act directs the FTC and other federal agencies with jurisdiction over “financial institutions” to develop rules to implement its requirements.

Broad Definitions of “Financial Institution,” “Personally Identifiable Financial Information” and “Nonpublic Personal Information” Extend Proposed Rule’s Coverage

The FTC’s proposed rule, the full text of which is available at http://www.ftc.gov/os/2000/02/glbrulemaking.pdf, incorporates the Act’s mandates, but takes an expansive approach to protecting consumers’ information, including defining key terms broadly. For example, the Commission defines “financial institution” to include companies that engage in activities that are “closely related to banking.” Accordingly, the FTC envisions regulating retailers (including e-commerce web sites) that issue their own credit, manufacturers of computer hardware and software (the Commission does not elaborate at all on this example), collection agencies, mortgage lenders and other credit grantors, real estate settlement services and payday lenders, among others.

The proposed rule would regulate parties that are not financial institutions by limiting the transfer of nonpublic personal information received from financial institutions. Specifically, the FTC’s proposal would prohibit nonaffiliated third parties from redisclosing nonpublic personal information obtained from financial institutions unless they are otherwise permitted by law to do so, or unless the financial institution would, itself, be permitted to do so, through an exemption to the rule or through notice and failure of the consumer to opt out.

The rule also contains a broad definition of the term “personally identifiable financial information.” Rather than limit the definition to the types of information typically considered “financial” in nature, such as account numbers, balances, transaction summaries and similar information, the Commission defines the term to include all information a financial institution obtains from consumers in connection with providing a financial product or service.

The proposed rule offers alternative definitions for “nonpublic personal information,” which financial institutions would be permitted to share with nonaffiliated third parties only if a consumer has not opted out of such disclosure. The first definition would include all information obtained from consumers that is available from a public source. The second would cover only information actually obtained from a public source.

Important Exemption for Service Providers

The proposed rule contains an exemption from the opt-out requirement for the sharing of personal information (except account information) between financial institutions and nonaffiliated third parties for use by the third party to perform services for the financial institutions, including the marketing of the financial institution’s products or services. However, to qualify for this exemption, the financial institution must provide notice that it will share such information and the parties must enter into an agreement limiting the third party’s further disclosure of the information.

Concerns and Opportunities for Marketers: Issues for Comment

The Commission’s proposal to regulate parties that are not financial institutions, but who receive nonpublic personal information from financial institutions, has the potential to cover a large portion of American businesses. In this age of electronic communications and commerce, many businesses receive information from entities that the FTC would define as “financial institutions.” This aspect of the FTC’s proposal therefore raises the following questions:

  • How would a third party know if a consumer has, at a later time, chosen to opt out? Does this continuing right of the consumer effectively ban nonaffiliated third parties from redisclosing such information?

  • If the Commission adopts a definition of “nonpublic personal information” that includes all information available from public sources, how will third party recipients make such a determination in deciding whether such information may be redisclosed? What if their determination differs from that of the “financial institution”?
  • How does the FTC anticipate that companies will set up systems to recognize when they have received “nonpublic financial information” from a “financial institution” as defined by the FTC? Even if they could do so, how would companies screen for information provided upon consumers’ opting out, which they could transfer to third parties?
  • The Commission’s proposal is unclear with regard to the scope of its coverage of merchants. Does it cover all merchants that offer monthly payments for goods and services? What if the merchant does not issue the credit itself, but merely arranges for the consumer to obtain credit through one or more lenders?
The current draft of the rule also includes numerous examples of types of conduct that would, and would not, be covered by the rule, and that would, and would not, meet the rule’s requirements. The Commission has expressly asked for comment on whether this use of examples is appropriate. For example, the proposed rule provides examples of:

  • What would constitute a “financial institution” (and what would not constitute a “financial institution”); a “customer relationship”; and “nonpublic personal information;”
  • What would constitute “clear and conspicuous” notice of a financial institution’s privacy policy and opt out notices; and
  • What information must be included in initial and annual notices of privacy policies and practices.

This is a great opportunity to ask the Commission to expressly include in the final rule an example that clarifies that the rule does not apply to your company.