CIPP/US Study Guide
Chapter 9: Financial Privacy

The GLBA Privacy Rule

The Privacy Rule requires initial and annual privacy notices and processing of opt-outs within 30 days. Institutions may freely share with affiliates and joint marketing partners; sharing with nonaffiliated third parties generally needs notice plus opt-out. Sharing account numbers with nonaffiliated telemarketers is prohibited even if the consumer has not opted out.

  • Notices must state what information is collected, with whom it is shared, how it is protected, and how to opt out.
  • Provide notices when the customer relationship is established and annually thereafter; process opt-outs within 30 days.
  • Sharing with affiliates and joint marketing partners is permitted under the notice standard.
  • Sharing with nonaffiliated companies generally requires notice and an opt-out opportunity.

Account-number ban

GLBA prohibits disclosing account numbers to nonaffiliated companies for telemarketing or direct-mail/email marketing even if the consumer has not opted out. No-opt-out situations also include sharing for essential services, legally required disclosures, and marketing the institution's own products.

Key terms - quick answers

What is “Joint marketing partner”?
Another financial institution with which an entity jointly markets a financial product or service, with whom information may be shared under GLBA.