
OLR Research Report


April 12, 2004

 

2004-R-0372

DISCLOSURE OF FINANCIAL INFORMATION

 

By: Jennifer Gelb, Associate Attorney

You asked about the differences between Vermont’s and Connecticut’s laws allowing consumers to opt in or out of having a financial institution disclose their personal financial information.

SUMMARY

Vermont’s law prohibits financial institutions from disclosing customers’ personal financial information unless the customer “opts in,” that is, takes affirmative action authorizing the institution to do so. Connecticut law prohibits banks and credit unions from disclosing information unless a customer has opted in, but allows all other financial institutions to share customer information to the extent allowed by the federal Gramm-Leach-Bliley Act and its accompanying “opt-out” provisions. The federal act requires financial institutions to inform customers and some consumers of their privacy policies, and to provide them with an opportunity to choose not to have certain information shared.

VERMONT

Opt-In Provisions

Vermont’s laws prohibit a financial institution or its affiliate from disclosing a consumer’s nonpublic personal financial information to a third party unless (1) the institution gives an initial notice of its disclosure practices and policies to consumers before most disclosures and to customers at the beginning of the customer relationship; (2) the institution has provided the customer or consumer with an “opt in notice;” and (3) the customer or consumer has authorized the disclosure in writing or, if the customer or consumer agrees, electronically (Vermont Department of Banking, Insurance, Securities and Health Care Administration (BISHCA) Regulation B-2001-01, §§ 5, 11). Opting in means a customer or consumer affirmatively acts to give the financial institution permission to disclose his nonpublic personal financial information. Vermont law defines “nonpublic personal financial information” as personally identifiable financial information and any list, description, or other grouping of customers or consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available (BISHCA Regulation B-2001-01 § 4).

A financial institution’s opt-in notice must:

1. provide to the customer or consumer a clear and conspicuous written or electronic notice of the categories of nonpublic personal financial information that may be disclosed and the categories of nonaffiliated third parties to whom the financial institution discloses this information,

2. identify the financial products or services subject to the opt-in direction,

3. identify the methods the customer or consumer may use to subsequently revoke the opt-in direction, and

4. clearly and conspicuously request in written or electronic form that the customer or consumer affirmatively authorize disclosure (BISHCA Regulation B-2001-01 § 8).

The opt-in direction is effective until the customer or consumer revokes it electronically or in writing. The opt-in requirements do not apply to a financial institution’s disclosure to a nonaffiliated third party working for or on behalf of the institution if (1) it gave the customer or consumer initial notice of its policies and practices and (2) the contract with the third party prohibits secondary disclosures (BISHCA Regulation B-2001-01 §§ 8, 14).

Financial Institutions Covered

Vermont’s law covers state and national financial institutions, credit unions, financial institution subsidiaries, licensed lenders, mortgage brokers, other state licensees, independent trust companies, money services providers, debt adjusters, and sales finance companies organized or regulated under Vermont, federal, or other states’ laws (8 VSA § 10202 and BISHCA Regulation B-2001-01 § 4).

CONNECTICUT

Banks and Credit Unions

Connecticut is an opt-in state with respect to bank and credit union disclosures, but opt-out for other entities. Connecticut law prohibits a Connecticut or federal bank or credit union or an out-of-state bank or credit union with a Connecticut branch from disclosing a customer’s financial records unless the customer authorizes disclosure. The law defines financial records as (1) documents granting signature authority over a deposit or share account with a financial institution; (2) a statement, ledger card, or other record on a deposit or share account showing each account transaction; (3) any check, draft, or money order drawn on a financial institution or issued and payable by the institution; or (4) any other item, other than an institutional or periodic charge, made pursuant to an agreement between the customer and the institution constituting a debt or credit to the customer’s account.

Connecticut law allows financial institutions to disclose, without a customer’s authorization, information with respect to (1) child support orders; (2) a lawful subpoena, summons, warrant, or court order; (3) interrogatories by a judgment creditor or a demand by a levying officer; (4) certain certificates issued by a medical provider or its attorney; (5) certain certificates signed by the veterans’ affairs commissioner; or (6) the consent of an elderly person or his representative provided to a person, department, agency, or commission in connection with receiving protective services.

Gramm-Leach-Bliley Financial Modernization Act of 1999

Connecticut law does not specifically address consumers’ privacy rights with respect to financial services provided by institutions other than banks and credit unions. These protections come from the federal Gramm-Leach-Bliley Act, a 1999 law requiring financial service providers such as non-bank mortgage lenders, investment advisers, tax preparers, and debt collectors to give notice and an opportunity to opt out to customers and some consumers. Customers, who have a long-term or significant relationship with a financial institution, must automatically receive an annual privacy notice. Consumers, on the other hand, are generally entitled to receive the notice only if the company shares consumers’ information with unaffiliated companies.

The Gramm-Leach-Bliley Act allows consumers and customers to opt out of having their information shared with certain third parties. The privacy notice must inform them of that right and give them an opportunity to opt out. According to the Federal Trade Commission, providing a toll-free telephone number or a detachable form with a pre-printed address is a reasonable way to allow consumers or customers to opt out; requiring someone to write a letter as the only way to opt out is not. The privacy notice must also explain that consumers have a right to object to a financial institution’s sharing of credit report or application information with its affiliates.

The act does not allow an individual to opt out if (1) a financial institution shares the information with outside companies providing essential services, such as data processing or account servicing; (2) the disclosure is legally required; or (3) a financial institution shares customer data with outside service providers marketing the financial company’s products or services (15 USC § 6801 et seq.).
