When an entity shares data outside of its organization, the following questions often arise: Does the FCRA or GLBA (or both) apply to the specific type of data sharing? And how do these laws impact a company’s financial privacy notices?
The answer to these questions comes down to the relationship between the Gramm-Leach-Bliley Act and its implementing Regulation P (GLBA) and the Fair Credit Reporting Act and its implementing Regulation V (FCRA), and the common financial privacy notice used to satisfy disclosure and opt-out requirements under both laws. To understand which law governs the particular data sharing at issue, the key questions to ask are: With whom are you sharing the data (affiliates or non-affiliates), and for what purposes?
Data Sharing with Non-Affiliates: GLBA
The GLBA requires that a financial institution provide a privacy notice to consumers: (i) prior to disclosing nonpublic personal information (NPI) about the consumer to any non-affiliated third party (outside of certain exceptions); or (ii) at or before the time that the institution enters into a continuing customer relationship with that consumer. Among other things, the notice must provide the consumer with the right to opt out of the disclosure of NPI to non-affiliated third parties. Stated another way, the GLBA only specifically restricts the sharing of NPI with a non-affiliated third party. In the financial privacy notice model form on the website of the Consumer Financial Protection Bureau (CFPB), certain categories of sharing relate specifically to the GLBA opt-out requirement and its exceptions. Namely, the model form lists these categories that discuss sharing:
- “For our everyday business purposes—such as to process your transactions, maintain your account(s), respond to court orders and legal investigations, or report to credit bureaus;”
- “For our marketing purposes—to offer our products and services to you;”
- “For joint marketing with other financial companies;” and
- “For non-affiliates to market to you.”
The financial institution must describe whether it shares each type of specific information under the above categories and whether the consumer can limit the sharing. The first three categories describe exceptions to the GLBA requirement, which means that a consumer does not have a federal right to limit those types of sharing (although opt-out rights may exist under state laws, and an institution also is free to offer a voluntary opt-out opportunity). Sharing under the fourth category (non-affiliate marketing) is subject to the GLBA opt-out requirement and affirmative opt-in requirements under certain state laws. Properly populating these categories is critical to maintaining GLBA compliance regarding when NPI may be shared with non-affiliates.
Data Sharing with Affiliates: FCRA
In contrast to the GLBA, the FCRA regulates sharing of information between affiliated entities. An “affiliate” is generally any company that controls, is controlled by, or is under common control with another company. Generally, whenever consumer information is shared between affiliates, the FCRA will come into play. However, understanding the type of information shared and for what purposes (i.e., marketing or non-marketing purposes) will determine how the information is disclosed in the notice and whether the consumer has a right to opt out of the sharing and/or use of such information. FCRA affiliate sharing and marketing rules impact the following sections of the financial privacy notice:
- “For our affiliates’ everyday business purposes—information about your transactions and experiences;”
- “For our affiliates’ everyday business purposes—information about your creditworthiness;” and
- “For our affiliates to market to you.”
Therefore, the first question is to assess whether the sharing is for an everyday business purpose or a marketing purpose. In the everyday business purpose context, the entity must next ask whether the sharing relates to “information about transactions and experiences” or “information about creditworthiness.” Both of these categories map to the FCRA’s definition of a “consumer report.”
Specifically, for purposes of “information about transactions and experiences,” a consumer report does not include any:
- report containing information solely as to transactions or experiences between the consumer and the person making the report; [or]
- communication of that information among persons owned by common ownership or affiliated by corporate control.
For purposes of “creditworthiness,” a consumer report does not include:
communication of other information among persons related by common ownership or affiliated by corporate control, if it is clearly and conspicuously disclosed to the consumer that the information may be communicated amongst such persons and the consumer is given the opportunity, before the time that the information is initially communicated, to direct that such information not be communicated among such persons.
Transactions and Experience vs. Creditworthiness
This means that if a financial institution wishes to share “transaction and experience” information with an affiliate, the financial institution must disclose that fact on the financial privacy notice, but does not have to give the consumer an opt-out right. If a financial institution wishes to share “creditworthiness” information with an affiliate in a manner that might otherwise cause the information to be considered a “consumer report” (i.e., for the affiliate’s everyday business purposes), the financial institution must disclose that fact on the financial privacy notice and provide the consumer with an opt-out right; otherwise, the financial institution risks being considered a “consumer reporting agency,” making it subject to a variety of burdensome regulatory requirements.
The FCRA itself does not provide clear guidance as to what constitutes “transaction or experience” information. However, the Federal Trade Commission, the former regulatory agency for the FCRA, explained in a 2011 staff report called “40 Years of Experience with the Fair Credit Reporting Act” (which, by the way, is an excellent FCRA resource) that:
[r]eports limited to transactions or experiences between the consumer and the entity making the report are not consumer reports. An opinion that is based only on transactions or experiences between the consumer and the reporting entity is also within the exception. For example, a creditor’s description of an account as “slow pay” would not be a consumer report if the description was based on the creditor’s own experience and did not come from a [consumer reporting agency].
The FTC also noted that a list provided by a creditor showing customers who have an account balance of $10,000 or more would be transaction or experience information. In contrast, any information beyond the reporting entity’s own first-hand transactions or experiences with a consumer would not qualify as transaction or experience information, and the consumer would be entitled to opt out of such sharing to the extent that the information bears on the consumer’s creditworthiness or other personal characteristics and is being shared in a manner that might otherwise cause the financial institution to be considered a consumer reporting agency. Moreover, application information “supplied by the consumer (including lists of [the consumer’s] assets and liabilities, and lists of the names of companies from whom the customer has purchased insurance and securities) is not the creditor’s ‘transaction or experience’ information because it includes the customer’s transactions with entities other than the creditor.”
Sharing for Marketing Purposes
In addition, if the sharing is for marketing purposes as opposed to everyday business purposes, specific rules under the FCRA will govern the use of such information. The FCRA provides that a regulated person may not use “eligibility information” about a consumer received from an affiliate to make a solicitation for marketing purposes to the consumer, unless:
- it is clearly and conspicuously disclosed to the consumer;
- the consumer is “provided a reasonable opportunity and a reasonable and simple method to ‘opt out’”; and
- the consumer has not opted out.
Under the FCRA, when eligibility information is shared to make solicitations for marketing purposes, the entity must disclose the sharing and provide an opportunity for the consumer to opt out before the information may be used for marketing purposes. Note that this opt-out is separate from the opt-out provided when sharing occurs between affiliates for everyday business purposes.
At a broad level, “eligibility information” is defined to mean any information that would be a “consumer report” under the FCRA, but for the exceptions for “transaction and experience” information and information that is shared under the authority of the affiliate-sharing opt-out. Thus, it generally includes any written, oral, or other communication of any information that bears on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living that is used (or expected to be used) or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for: (A) credit or insurance to be used primarily for personal, family, or household purposes; (B) employment purposes; or (C) any other permissible purpose under the FCRA. However, note that eligibility information does not include “aggregate or blind data that does not contain personal identifiers such as account numbers, names, or addresses.”
Thus, when eligibility information is shared between affiliates for solicitation or marketing purposes, this sharing must be properly disclosed in the “affiliates to market to you” category on the notice, and the consumer must have a right to opt out of the use of such information for marketing purposes.
It can be difficult to grasp the nuances between the GLBA and FCRA and how the different categories of data sharing in the financial privacy notice relate to the requirements under each law. But understanding the interplay between these two laws is critical when sharing any consumer information, no matter who the recipient is.