Financial Privacy Laws Affecting Sharing of Customer Information Among Affiliated Institutions

CRS Report for Congress
Financial Privacy Laws Affecting
Sharing of Customer Information
Among Affiliated Institutions
M. Maureen Murphy
Legislative Attorney
American Law Division
The privacy provisions of the Gramm-Leach-Bliley Act of 1999 (P.L. 106-102) do
not permit customers to preclude financial institutions from sharing nonpublic personal
information with affiliated companies; they merely require companies to notify their
customers of their practices of information sharing with affiliates. Until the Fair Credit
Reporting Act (FCRA) was amended in 1996, sharing of such information with affiliates
might have subjected a company to being regulated as a credit reporting agency. Under
provisions added in 1996, 15 U.S.C. §§ 1681a(d)(2)(A)(ii) and (iii), which preempt
inconsistent state law, companies have been permitted to share among their corporate
family a broad range of data they have collected on their customers provided they have
given the customers the opportunity to preclude, i.e., opt out of, the information sharing.
P.L. 108-159 makes these FCRA preemptions permanent and provides a limited opt-out
from affiliate sharing of consumer information for the purpose of marketing
solicitations. This report will be updated to reflect action on major legislation. For
related information see CRS Report RL31758, Financial Privacy: The Economics of
Opt-In vs Opt-Out; CRS Report RL31847, The Role of Information in Lending: The
Cost of Privacy Restrictions; CRS Report RS21449, Fair Credit Reporting Act:
Preemption of State Law; and CRS Report RL32535, Implementation of the Fair and
Accurate Transactions (FACT) Act of 2003.
Background. Although confidentiality standards for businesses dealing in
consumer information have traditionally been a matter of state law, both the Fair Credit
Reporting Act of 1970 (FCRA)1 and the privacy title of the Gramm-Leach-Bliley Act of

1999 (GLBA)2 have meant that federal law generally controls the dissemination of

1 P.L. 91-508, tit. VI, §§ 601 et seq.; 88 Stat. 1521;15 U.S.C. §§ 1681 - 1681u.
2 P.L. 106-102, 113 Stat. 1338 (1999).
Congressional Research Service ˜ The Library of Congress

consumer credit information and governs the disclosing and safeguarding of nonpublic
personal information held by a wide array of financial institutions.3
GLBA generally prohibits the disclosure of nonpublic personal information on a
customer or consumer by financial institutions unless the consumer is given an
opportunity to prevent disclosure, i.e., opt-out; but it contains no prohibition on sharing
of customer information among affiliates. It requires each financial institution to notify
customers of its privacy policies and practices including those related to information
sharing with affiliates.4 FCRA prescribes standards that address information collected by
businesses that provide information used to determine eligibility of consumers for credit,
insurance, or employment. It imposes requirements for accuracy, limits purposes for
which such information may be disseminated, allows certain rights for consumer access,
and includes civil and criminal penalties for its violation. It generally defines “consumer
reports” and limits the purposes and conditions under which “consumer reports” may be
furnished by entities that it refers to and regulates as “consumer reporting agencies.”5
Apparently, in response to concern that information sharing among affiliated
companies might be interpreted as providing consumer reports, thereby subjecting banks,
insurance companies, and securities firms to all of the obligations imposed upon
consumer reporting agencies under the FCRA,6 the FCRA was amended by the Consumer
Credit Reporting Reform Act of 1996.7 Under these amendments,8 the FCRA’s definition
of “consumer report” was amended to exclude communication of transaction and
experience information among corporate affiliates and, — provided the consumer was
afforded an opportunity to prevent it, i.e., opt out — communication of other information

3 “Financial institution” is defined to mean “any institution the business of which is engaging
in financial activities as defined under section 103 of GLBA, § 4k [12 U.S.C. §1843(k)] of the
Bank Holding Company Act of 1956.” Essentially, these include banking, securities, and
insurance activities as enumerated in GLBA and other activities found by the Board of Governors
of the Federal Reserve Board, with the concurrence of the Secretary of the Treasury, either (1)
to be financial in nature or (2) not posing a risk to the safety or soundness of depository
institutions or the financial system generally and complementary to a financial activity. There
are, however, exceptions for persons subject to regulation by the Commodity Futures Trading
Commission under the Commodity Exchange Act, entities chartered under the Farm Credit Act
of 1971, and entities engaged in secondary market operations as long as they do not transfer
nonpublic personal information to a nonaffiliated third party.
4 15 U.S.C. § 6803.
5 15 U.S.C. § 1681b. See generally, CRS Report RL31666, Fair Credit Reporting Act: Rights
and Responsibilities.
6 See, e.g., Joseph L. Seidel, “The Consumer Credit Reporting Reform Act: Information Sharing
and Preemption,” 2 North Carolina Banking Institute78, 82-83 (1998) (hereinafter, “Seidel”).
L. Richard Fischer, Michel F. McEneney, and Clarke D. Camper, “Fair Credit Reporting Act
Amendments: Compliance Issues for Banks,” 18 ABA Bank Compliance 7 (1997) ( available in
LEXIS, BANKNG Library, ARCNWS file).
7 P.L. 104-208, Div. A, Tit. II, Subtitle D, Ch. 1, § §2401 2422,2419, 110 Stat. 3009, 3009-396
to 3009 - 454.
8 P.L. 104-208, Div. A, Tit. II, Subtitle D, Ch. 1, § 2419, 110 Stat. 3009-452, adding 15 U.S.C.§


concerning the consumer among affiliates.9 Essentially, these provisions permit
companies to share with their affiliates certain customer information respecting their
transactions and experience with a customer without any notification requirements.10
Other information about their customers, such as credit reports and application
information, may not be shared with other companies in the corporate family unless the
customers are given “clear and conspicuous” notice about the sharing and an opportunity
to direct that the information not be shared.11
FCRA and GLBA Preemption Language. The FCRA preemption of state law
regarding affiliate sharing of information, as amended by P.L. 108-159, the Fair and
Accurate Credit Transactions Act of 2003 (FACT), is stated in terms of an exception to
the rule12 that the FCRA preempts state law only to the extent of the inconsistency. It
No requirement or prohibition may be imposed under the laws of any State...(2) with
respect to the exchange of information among persons affiliated by common
ownership or common corporate control, except that this paragraph shall not apply
with respect to subsection (a) or (c)(1) of section 2480e of title 9, Vermont Statutes13
Annotated (as in effect on September 30, 1999)....
Under the 1996 amendments, the preemptive effect was to last until January 1, 2004,
when states would have been able to override the FCRA authorization for interaffiliate14
sharing of customer information. The legislative history shows a Congressional intent
to establish a national standard for interaffiliate sharing of information pertinent to the
consumer credit industry in the interest of “operational efficiency for industry ... and
competitive prices for consumers” in the credit reporting and credit granting [industries

9 15 U.S.C. § 1681a(d)(2)(A).
10 15 U.S.C. § 1681a(d)(2)(A)(ii). Notice is required under GLBA, 15 U.S.C. § 6803, which
requires disclosure when the customer relationship is formed and annually thereafter of a
financial institution’s privacy policies and practices, including those relating disclosures to
11 15 U.S.C. § 1681a(d)(2) (A)(iii).
12 The FCRA’s general preemption clause reads:
Except as provided in subsections (b) and (c) of this section, this subchapter does not
annul, alter, affect, or exempt any person subject to the provisions of this subchapter
from complying with the laws of any State with respect to the collection, distribution,
or use of any information on consumers, except to the extent that those laws are
inconsistent with any provision of this subchapter, and then only to the extent of the
inconsistency. 15 U.S.C. § 1681t(a).
13 15 U.S.C. § 1681t(2). The Vermont statute prohibits anyone from obtaining a consumer’s
credit report without consent or a court order.
14 15 U.S.C. § 1681t(d)(2). This specifies that the general exceptions (including that relating to
sharing of information among affiliates) to the rule on preemption “do not apply to any provision
of State law (including any provision of a State constitution) that — (A) is enacted after January
1, 2004; (B) states explicitly that the provision is intended to supplement this subchapter [15
U.S.C. §§ 1681 - 1671u, i.e., the FCRA]; and (C) gives greater protection to consumers than is
provided under this subchapter.”

that] are, in many aspects, national in scope.”15 The 2003 legislation made the
preemptive effect permanent. It also provided that, subject to certain exceptions,
affiliated companies may not share customer information for purposes of marketing
unless the consumer is provided clear and conspicuous notification that the information
may be exchanged for such purposes and an opportunity and a simple method to opt-out.
Among the exceptions are solicitations based on: pre-existing business relationships;
current employer’s employee benefit plan; a consumer’s request or authorization; and,
state unfair discrimination insurance law requirements. The 2003 amendments require
the agencies to conduct regular joint studies of information sharing practices of affiliated
companies and make reports to the Congress every three years, with the first report due
no later than December 4, 2006.
GLBA’s prohibitions deal only with sharing of nonpublic personal information by
financial institutions with nonaffiliated third parties. There is no direct authorization of
sharing such information among affiliated financial institutions. In essence, therefore,
GLBA indirectly authorizes interaffiliate sharing of information by a provision
disavowing an intent to supercede the FCRA.16 It, therefore, preserves the conditions
placed upon interaffiliate sharing of information in the FCRA: (1) that information other
than experience or transaction information may be shared only upon providing customers
an opportunity to opt-out; and (2) state laws may not preempt. This preservation of the
FCRA runs counter to GLBA’s general preemption provision under which GLBA
preempts state laws only to the extent that they provide less protection than GLBA.17
Whether or not a state law provides more protection than GLBA and is not preempted,
however, must be determined by the Federal Trade Commission (FTC).18
Generally, state laws that provide more protection than GLBA, e.g., that require a
specific form of notice respecting an institution’s privacy policy, for example, would not
automatically be enforceable, without an FTC determination as required under GLBA19
State Laws. Since enactment of GLBA, there has been considerable activity in
state legislatures on financial privacy issues, particularly in terms of making reference to
the changes wrought by GLBA. Some states have laws that are more protective of20
consumer privacy. The California Financial Information Privacy Act of 2003 is one of
these. It is the subject of litigation.21 At least six other states, Alaska,22 Connecticut,23

15 See S.Rept. 104-185, 104th Cong., 1st Sess. (1995), reporting on S. 650 in the 104th Congress,
the immediate predecessor of the legislation enacted in 1996. The time limitation derived from
a manager’s amendment offered by Sen. Bryan in an earlier Congress. 140 Cong. Rec. S5027
(May 3, 1993 daily ed.).
16 15 U.S.C. § 6806.
17 15 U.S.C. § 6807.
18 15 U.S.C. § 6807(b).
19 15 U.S.C. § 6807(b).
20 Cal. Fin. Code §§ 4050-4060.
21 See CRS Report RL32626, American Bankers Association v. Lockyer: Whether California’s
Financial Information Privacy Law Has Been Preempted by the Fair and Accurate Credit

Illinois,24 Maryland,25 North Dakota,26 and Vermont,27 have current laws that would
require an opt-in or in some way hamper the sharing of customer information among
affiliates. None of these would, of course, operate to override the FCRA authorization of
interaffiliate information sharing. In other states, since GLBA, there have been
provisions enacted modifying stringent financial privacy laws to accommodate GLBA.28
Legislative Issues. Although P.L. 108-159 has resolved various issues related
to the consumer credit industry and to the problem of identity theft, there are other topics
that may be confronted in future sessions of Congress. Privacy advocates favor
modifying GLBA to provide more protection for sensitive information; industry
representatives are likely to be in favor of federal preemption under GLBA similar to that
enacted for FCRA so that there is no prospect of having to comply with an array of state
laws when information is shared with non-affiliated third parties.
In the 109th Congress, S. 116 (Feinstein) generally requires businesses to provide
notice and an opt-out to a consumer before selling or marketing personally identifiable
information to affiliates; affirmative consent is in the case of non-affiliated third parties
It also includes a prohibition and civil and criminal sanctions for the display, sale, or
purchase of social security numbers without consent. It also contains provisions aimed
at curtailing the sale of individually identifiable health information and a section on
driver’s license privacy.

21 (...continued)
Transactions (FACT) Act, by M. Maureen Murphy.
22 Alaska Stat. § 6.01.028 generally requires customer consent for a financial institution to
disclose customer information, with no blanket exception or authorization for sharing information
among affiliated companies, although there is permission for sharing with marketing partners.
23 Connecticut Gen. Stat. Anno. §§ 36a-41 to 36a-44 require consent for disclosure by financial
institutions, authorize disclosures in various circumstances, but contain no blanket exception for
sharing of information among affiliates and place restrictions on sharing of information with
24 205 Ill. Comp. Stat. 5/48.1, et seq.
25 Md. Code Ann. [Financial Institutions] §§ 1-301, et seq.
26 N.D. Cent. Code §§ 6.08.1-01 to 6-08.1-08 require customer written consent for sharing of
information among affiliates.
27 Vermont Stat. Anno. §§ 10201 - 10205 prohibit disclosure of customer financial information
by financial institutions except as provided in a list of exceptions, none of which appear to permit
interaffiliate sharing of customer information.
28 See, e.g., Florida Stat. §655.059(2)(b). (Amended to that effect in 2001). This states that
“nothing...[in the financial privacy statute] shall prohibit a financial institution from disclosing
financial information permitted by [GLBA].”