Data Sharing: Which Privacy Laws Apply?
When lenders share data outside their organization, the question often arises as to what laws apply to the sharing. What is my organization allowed to share with whom, and how do these laws affect my company’s financial privacy notice?
At the federal level, the answers to these questions turn on the relationship between the Gramm-Leach-Bliley Act (GLBA, and its implementing Regulation P), the Fair Credit Reporting Act (FCRA, and its implementing Regulation V), and the common financial privacy notice used to satisfy the disclosure and opt-out requirements under both laws.
To understand the laws governing the sharing at issue, it is important to ask the following questions: With whom (affiliate or non-affiliate) do you share your data and for what purpose do you share it?
Data sharing with non-affiliates
Under GLBA, a financial institution that discloses nonpublic personal information (NPI) about a consumer to a nonaffiliated third party (subject to certain exceptions) must provide the consumer with a privacy notice, and it must do so before or at the time it establishes a continuing customer relationship with that consumer.
The notice must give consumers the right to opt out of the disclosure of NPI to nonaffiliated third parties. In other words, GLBA expressly restricts the sharing of NPI only with nonaffiliated third parties.
In the model financial privacy notice form provided by the Consumer Financial Protection Bureau (CFPB), particular categories of data sharing relate specifically to the GLBA opt-out requirement and its exceptions. Specifically, these are the categories that describe sharing:
- “(i) for our routine business purposes, such as processing your transactions, maintaining your account, responding to court orders and legal investigations, or reporting to credit bureaus;
- (ii) for our marketing purposes, to offer our products and services to you;
- (iii) for joint marketing with other financial companies; and
- (iv) for non-affiliates to market to you.”
Under each of the categories above, financial institutions must state whether they share that type of information and whether consumers can limit the sharing. The first three categories represent exceptions to the GLBA opt-out requirement, which means consumers have no federal right to restrict those types of sharing. However, opt-out rights may exist under state law, and institutions are also free to offer voluntary opt-out opportunities.
Sharing under the fourth category is subject to GLBA’s opt-out requirement and, under certain state laws, to affirmative opt-in requirements. Filling out these categories correctly is critical to maintaining GLBA compliance as to when NPI may be shared with non-affiliates.
Data sharing with affiliates
In contrast to GLBA, the FCRA regulates information sharing between affiliated entities. “Affiliate” generally refers to a company that controls, is controlled by, or is under common control with another company. In general, the FCRA comes into play when consumer information is shared between affiliates.
However, the type of information shared and the purpose for which it is shared (marketing or non-marketing) determine how the sharing is disclosed in the notice and whether consumers have the right to opt out of the sharing and/or use of that information.
The FCRA’s affiliate-sharing and affiliate-marketing rules affect the sections of the financial privacy notice that deal with sharing for affiliates’ day-to-day business purposes (information about transactions and experiences, and information about creditworthiness) and with affiliates marketing to the consumer.
Transactions and experiences versus creditworthiness
The first question is whether the sharing is for day-to-day business purposes or for marketing purposes. If it is for day-to-day business purposes, the entity should then ask whether the sharing involves “information about transactions and experiences” or “information about creditworthiness.” Both categories relate to the FCRA’s definition of a “consumer report.”
Specifically, for purposes of “transaction and experience information,” the term “consumer report” does not include:
- “(i) any report containing information solely as to transactions or experiences between the consumer and the person making the report; and
- (ii) communication of that information among persons related by common ownership or affiliated by corporate control.”
For purposes of “creditworthiness” information, the term “consumer report” also does not include:
- “(iii) communication of other information among persons related by common ownership or affiliated by corporate control, if it is clearly and conspicuously disclosed to the consumer that the information may be communicated among such persons and the consumer is given the opportunity, before the time that the information is initially communicated, to direct that such information not be communicated among such persons.”
This means that if a financial institution wishes to share “transactions and experiences” information with affiliates, it must disclose that fact in its financial privacy notice, but it does not have to give consumers an opt-out right.
If a financial institution wishes to share “creditworthiness” information with an affiliate in a way that could make the information a “consumer report” (i.e., for the affiliate’s day-to-day business purposes), it must disclose that fact in its financial privacy notice and give consumers an opt-out right. Otherwise, the financial institution risks being considered a “consumer reporting agency” and becoming subject to a variety of onerous regulatory requirements.
Sharing for Marketing Purposes
If the sharing is for marketing purposes rather than for day-to-day business purposes, the FCRA’s specific affiliate-marketing rules govern that use of the information. The FCRA provides that a person may not use consumer “eligibility information” received from an affiliate to make solicitations to the consumer for marketing purposes unless:
- “(i) the sharing is clearly and conspicuously disclosed to the consumer;
- (ii) the consumer is provided a reasonable opportunity and a reasonable and simple method to ‘opt out’; and
- (iii) the consumer has not opted out.”
Under the FCRA, if eligibility information is shared to make solicitations for marketing purposes, the entity must disclose the sharing and give consumers an opportunity to opt out before the information is used for marketing. Note that this opt-out is separate from the opt-out provided when the sharing between affiliates is for day-to-day business purposes.
Therefore, if eligibility information is shared between affiliates for solicitation or marketing purposes, the sharing must be properly disclosed under the “affiliates marketing to you” category, and consumers must be given the right to opt out of any use of their information for that purpose.
Overall, it can be difficult to grasp the nuances between GLBA and FCRA, and how the different categories of data sharing in financial privacy notices relate to the requirements of each law. Understanding the interplay of these two laws is important when sharing consumer information, regardless of who the recipient is.
Paul Lithovay is an associate at McGlinchey. He advises clients on compliance with the Truth in Lending Act (TILA), the Fair Debt Collection Practices Act (FDCPA), the Servicemembers Civil Relief Act (SCRA), the Fair Credit Reporting Act (FCRA), and the Equal Credit Opportunity Act (ECOA).
David Tolman is a member (partner) of McGlinchey. He advises clients on their obligations under federal and state consumer credit laws, including data privacy, cybersecurity, and payment processing requirements.
https://www.autofinancenews.net/allposts/auto-finance-excellence/compliance/data-sharing-which-privacy-laws-apply/