Gramm-Leach-Bliley Act and Financial Privacy


If you're like many Americans, you have a checking account, insurance policies, and have applied for some type of loan, like one to buy a car or a house. Did you know that your personal information was (and is still) collected and stored by the various companies or entities that handle your accounts or loans? Such information includes your address, telephone number, social security number, and credit card numbers.

What keeps these entities from giving your personal financial information to others?

The Gramm-Leach-Bliley Act of 1999 requires "financial institutions" to tell you about their policies regarding the privacy of your personal financial information, and it helps to make sure that your information is not shared with other companies or entities. Under the GLBA, the term "financial institutions" covers many kinds of businesses, such as:

  • Banks
  • Credit unions
  • Insurance companies, and
  • Stock brokerage firms

The GLBA has three major rules or provisions that are aimed at protecting your personal information:

  • The Financial Privacy Rule
  • The Safeguarding Rule, and
  • The Pretexting Provisions

If financial institutions comply with the GLBA's requirements, and if you do your part, you can help safeguard your personal financial information from being shared inappropriately.


The Financial Privacy Rule

Under the "financial privacy rule," financial institutions must tell you the kinds of information they collect and the types of businesses or companies with which they intend to share your information. This is called a "privacy notice" or "privacy disclosure."

You should have received a privacy notice from any institution you were doing business with when the GLBA went into effect in 2001. Also, you should receive a notice once a year from any financial institution you do business with.

In general, a financial institution can share your information with its "affiliates," that is, companies or businesses that belong to the institution's "corporate family." Also, the institution can share your information with certain third-party businesses that are not affiliated with the institution ("non-affiliated third parties") if, for example, the information is necessary for ordinary business. For example, your bank can give your personal information to the non-affiliated company that prints your checks or your bank statements.

Sometimes, however, a financial institution will share your information with a non-affiliated company that has nothing to do with your business dealings with the institution, such as telemarketers and retailers, who use the information to "drum up" business. This is where the GLBA has a critical impact on your privacy: the privacy notice must tell you how you can "opt out" or say "no" to the institution's disclosure of your personal information to certain non-affiliated entities.

It's up to you to stop the disclosure of your information. Read your privacy notices carefully to find out with whom your financial institutions will share your information and how you can stop it.

The Safeguard Rule

Under this rule, all financial institutions are required to set up and maintain safeguards to protect your personal financial information. Usually, financial institutions use computer "firewalls" and encryption schemes to keep your information safe. In addition, most institutions have rules and procedures for safely destroying information, such as through the use of shredders and specially designed trash containers.

Pretexting Provisions

The last primary part of the GLBA is aimed at stopping third parties - either companies or individuals - from getting your personal information through "false pretenses" - that is, fraud or "trickery." Under the GLBA, a person or company can't:

  • Use false or fraudulent statements, or forged, lost, or stolen documents, to get your personal information from a financial institution or from you personally, or
  • Ask another individual or company to get your personal information by using false or fraudulent statements, or forged, lost, or stolen documents

Penalties for Violating the GLBA

The penalties for violating the GLBA are quite severe:

  • A financial institution can be fined up to $100,000 for each violation
  • The officers and directors of the financial institution can be fined up to $10,000 for each violation
  • Criminal penalties include imprisonment for up to 5 years, a fine, or both
  • If the GLBA is violated at the same time that another federal law is violated, or if the GLBA is violated as part of a pattern of any illegal activity involving more than $100,000 within a 12-month period, the violator's fine will be doubled and he or she will be imprisoned for up to 10 years

Questions for Your Attorney

  • I think my GLBA privacy rights were violated by my credit card company. What should I do?
  • As a bank, what are some steps I should take to protect my customers' financial information?
  • Do I have to "opt out" every time I receive a privacy notice from my financial institutions?