What is the Gramm Leach Bliley Act (GLBA)?

The Gramm-Leach-Bliley Act was passed in 1999 and addresses various issues and concerns related to consumer financial privacy. Its provisions limit when a financial institution may disclose a consumer’s “nonpublic personal information” to “nonaffiliated” third parties. The GLBA covers a wide range of financial institutions within the United States, including many businesses and companies that would not be considered financial institutions in a traditional sense, due to certain financial activities that these businesses engage in. Under the GLBA, financial activities can include any of the following:

• Debt collection
• Brokering loans
• Servicing loans
• Lending, exchanging, transferring, investing for other people, or safeguarding securities or money. This includes services offered by check cashers, lenders, sellers of money orders, and wire transfer services
• Providing investment, financial, or economic advisory services. This includes services offered by credit counselors, tax preparers, investment advisors, financial planners, and accountants
• Career counseling for those seeking employment within the financial services industry
• Providing real estate settlement services
• Other financial activities as defined by the section 4K of the Bank Holding Company Act

Under the GLBA, only businesses that are “significantly engaged” in financial services or activities are considered to be financial institutions. There are two factors that are important in determining whether or not a business is significantly engaged in financial services. The first is whether or not a business operates under a formal arrangement. To give an example, A store owner who runs a tab for customers in their local neighborhood would not be considered to be significantly engaged in financial services, while a retailer who offers direct credit in the form of credit cards would be considered to be significantly engaged in financial services.

Despite the fact that both of these scenarios involve business transactions, the formal agreement involved with the offering of credit cards to consumers constitutes significant engagement in financial services under the GLBA. The second factor is how often a particular business engages in financial activities. To give another example, a clothing store that occasionally offers layaway plans to customers would not be significantly engaged in financial services, as such plans would be used infrequently outside of day-to-day operations. Alternatively, a small business that regularly accepts payments through cash, wire transfers, and checks would be considered as engaging in significant financial activities, due to the frequency of these transactions.

What types of personal information are covered by the GLBA?

The GLBA is geared towards protecting a consumer’s “nonpublic private information” or NPI. NPI is defined as any form of personally identifiable information that may be collected by a financial institution in regard to products or services. This information includes:

• Any information a consumer gives in relation to a financial product or service including names, addresses, social security numbers, income, or other forms of identification that may be required in an application
• Any information related to transactions involving financial products or services such as an account number, payment history, deposit or loan balances, credit or debit card purchases, etc.
• Any further information that may be used in relation to financial services or products such as a consumer report or court record

Conversely, NPI does not include information that is made lawfully available to the public. For example, while many telephone numbers may be listed in a phone directory for public consumption, an individual can elect to have an unlisted number. As such, this individual’s phone number would not be considered publicly available information.

What are the fines and penalties for non-compliance under the GLBA?

Once a GLBA compliance allegation has been proven, there are a variety of fines and penalties that can be levied against the business in question. Financial institutions found in violation of the GLBA can face a fine of up to $100,000 for each violation. What’s more, individuals found in violation, such as managers or directors of business operations, can also face a fine of up to $10,000 for each violation. Finally, individuals found in violation of the GLBA can also face a prison term of up to 5 years. All of these fines and penalties are handed down by the Federal Trade Commission.

To give a recent example of a business that was proven to be in violation of the GLBA, California mortgage broker Solutions FCS was fined $120,000 for non-compliance in 2020. This violation was issued in response to personally identifiable information that was released by Solutions FV in response to negative reviews that consumers left on the business’s yelp page. In responding to these negative reviews, Solutions FCS divulged sensitive personal information relating to their customers including sources of income, credit and payment histories, taxes, family history, and details pertaining to personal health. In addition to paying a fine, Solutions FCS must also implement a comprehensive data protection program to prevent future violations from occurring.

The GLBA was passed with the aim of providing U.S. consumers with the means to protect the personal information they disclose to financial institutions. While this information was largely restricted to paper and in-person transactions in the 1990s, the rise of internet communication and social media has changed the ways in which consumers go about engaging in financial services. The case of Solutions FCS is a great example of this change in communication, as there are now channels of communication that did not exist 20 years ago. As such, it is important that businesses and consumers alike do everything possible to avoid personally identifiable information from being released to the public.