Order Code RS21427
Updated February 27, 2003
CRS Report for Congress
Received through the CRS Web
Financial Privacy Laws Affecting Sharing of Customer Information Among Affiliated Institutions
M. Maureen Murphy
Legislative Attorney
American Law Division
Summary
The privacy provisions of the Gramm-Leach-Bliley Act of 1999 (P.L. 106-102) do
not permit customers to preclude financial institutions from sharing nonpublic personal
information with affiliated companies; they merely require companies to notify their
customers of their practices of information sharing with affiliates. Until the Fair Credit
Reporting Act (FCRA) was amended in 1996, sharing of such information with affiliates
might have subjected a company to being regulated as a credit reporting agency. Under
provisions added in 1996, 15 U.S.C. §§ 1681a(d)(2)(A)(ii) and (iii), which preempt
inconsistent state law until January 1, 2004, companies have been permitted to share
among their corporate family a broad range of data they have collected on their
customers provided they have given the customers the opportunity to preclude, i.e., opt
out of, the information sharing. After January 1, 2004, states may act to override this
FCRA provision. While information sharing among affiliates would, thus, not
automatically become impermissible on January 1, 2004, the possibility of enactment
of state overrides on a piecemeal and inconsistent basis raises concerns among large
nationwide conglomerates. This report provides an analysis of the current federal law
and a brief description of state laws that appear to provide more consumer protection
with respect to the issue of information sharing among affiliates. It will be updated to
reflect action on major legislation. For an economic perspective on financial privacy,
see CRS Report RL31758.
Background. Although confidentiality standards for businesses dealing in
consumer information have traditionally been a matter of state law, both the Fair Credit
Reporting Act of 1970 (FCRA)1 and the privacy title of the Gramm-Leach-Bliley Act of
1999 (GLBA)2 have meant that federal law generally controls the dissemination of
1 P.L. 91-508, tit. VI, §§ 601 et seq.; 88 Stat. 1521; 15 U.S.C. §§ 1681 - 1681u.
2 P.L. 106-102, 113 Stat. 1338 (1999).
Congressional Research Service · The Library of Congress
consumer credit information and governs the disclosing and safeguarding of nonpublic
personal information held by a wide array of financial institutions.3
GLBA generally prohibits the disclosure of nonpublic personal information on a
customer or consumer by financial institutions unless the consumer is given an
opportunity to prevent disclosure, i.e., opt-out; but it contains no prohibition on sharing
of customer information among affiliates. It requires each financial institution to notify
customers of its privacy policies and practices including those related to information
sharing with affiliates.4 FCRA prescribes standards that address information collected by
businesses that provide information used to determine eligibility of consumers for credit,
insurance, or employment. It imposes requirements for accuracy, limits purposes for
which such information may be disseminated, allows certain rights for consumer access,
and includes civil and criminal penalties for its violation. It generally defines “consumer
reports” and limits the purposes and conditions under which “consumer reports” may be
furnished by entities that it refers to and regulates as “consumer reporting agencies.”5
Apparently, in response to concern that information sharing among affiliated
companies might be interpreted as providing consumer reports, thereby subjecting banks,
insurance companies, and securities firms to all of the obligations imposed upon
consumer reporting agencies under the FCRA,6 the FCRA was amended by the Consumer
Credit Reporting Reform Act of 1996.7 Under these amendments,8 the FCRA’s definition
of “consumer report” was amended to exclude communication of transaction and
experience information among corporate affiliates and, provided the consumer was
afforded an opportunity to prevent it, i.e., opt out, communication of other information
3 “Financial institution” is defined to mean “any institution the business of which is engaging
in financial activities as defined under section 103 of GLBA, § 4k [12 U.S.C. §1843(k)] of the
Bank Holding Company Act of 1956.” Essentially, these include banking, securities, and
insurance activities as enumerated in GLBA and other activities found by the Board of Governors
of the Federal Reserve Board, with the concurrence of the Secretary of the Treasury, either (1)
to be financial in nature or (2) not posing a risk to the safety or soundness of depository
institutions or the financial system generally and complementary to a financial activity. There
are, however, exceptions for persons subject to regulation by the Commodity Futures Trading
Commission under the Commodity Exchange Act, entities chartered under the Farm Credit Act
of 1971, and entities engaged in secondary market operations as long as they do not transfer
nonpublic personal information to a nonaffiliated third party.
4 15 U.S.C. § 6803.
5 15 U.S.C. § 1681b. See generally, CRS Report RL31666, Fair Credit Reporting Act: Rights
and Responsibilities.
6 See, e.g., Joseph L. Seidel, “The Consumer Credit Reporting Reform Act: Information Sharing
and Preemption,” 2 North Carolina Banking Institute 78, 82-83 (1998) (hereinafter, “Seidel”).
L. Richard Fischer, Michel F. McEneney, and Clarke D. Camper, “Fair Credit Reporting Act
Amendments: Compliance Issues for Banks,” 18 ABA Bank Compliance 7 (1997) (available in
LEXIS, BANKNG Library, ARCNWS file).
7 P.L. 104-208, Div. A, Tit. II, Subtitle D, Ch. 1, §§ 2401-2422, 2419, 110 Stat. 3009, 3009-396
to 3009-454.
8 P.L. 104-208, Div. A, Tit. II, Subtitle D, Ch. 1, § 2419, 110 Stat. 3009-452, adding 15 U.S.C. §
1681t(b)(2).
concerning the consumer among affiliates.9 Essentially, these provisions permit
companies to share with their affiliates certain customer information respecting their
transactions and experience with a customer without any notification requirements.10
Other information about their customers, such as credit reports and application
information, may not be shared with other companies in the corporate family unless the
customers are given “clear and conspicuous” notice about the sharing and an opportunity
to direct that the information not be shared.11
FCRA and GLBA Preemption Language. The FCRA preemption of state law
regarding affiliate sharing of information is stated in terms of an exception to the rule12
that the FCRA preempts state law only to the extent of the inconsistency. It reads:
No requirement or prohibition may be imposed under the laws of any State...(2)
with respect to the exchange of information among persons affiliated by common
ownership or common corporate control, except that this paragraph shall not apply
with respect to subsection (a) or (c)(1) of section 2480e of title 9, Vermont Statutes
Annotated (as in effect on September 30, 1999)....14
After January 1, 2004, states may override the FCRA authorization for interaffiliate
sharing of customer information by enacting a provision of state law or of the state’s
constitution that states explicitly that it is intended to supplement the FCRA provision
and that provides greater protection to consumers than the FCRA provision provides.15
The legislative history of these amendments indicates a Congressional intent to establish
a national standard for interaffiliate sharing of information pertinent to the consumer
9 15 U.S.C. § 1681a(d)(2)(A).
10 15 U.S.C. § 1681a(d)(2)(A)(ii). Notice is required under GLBA, 15 U.S.C. § 6803, which
requires disclosure when the customer relationship is formed and annually thereafter of a
financial institution’s privacy policies and practices, including those relating to disclosures to
affiliates.
11 15 U.S.C. § 1681a(d)(2)(A)(iii).
12 The FCRA’s general preemption clause reads:
Except as provided in subsections (b) and (c) of this section, this subchapter
does not annul, alter, affect, or exempt any person subject to the provisions of this
subchapter from complying with the laws of any State with respect to the collection,
distribution, or use of any information on consumers, except to the extent that those
laws are inconsistent with any provision of this subchapter, and then only to the extent
of the inconsistency.
15 U.S.C. § 1681t(a).
14 15 U.S.C. § 1681t(2). The Vermont statute prohibits anyone from obtaining a consumer’s
credit report without consent or a court order.
15 15 U.S.C. § 1681t(d)(2). This specifies that the general exceptions (including that relating to
sharing of information among affiliates) to the rule on preemption “do not apply to any provision
of State law (including any provision of a State constitution) that–(A) is enacted after January
1, 2004; (B) states explicitly that the provision is intended to supplement this subchapter [15
U.S.C. §§ 1681 - 1681u, i.e., the FCRA]; and (C) gives greater protection to consumers than is
provided under this subchapter.”
credit industry in the interest of “operational efficiency for industry ... and competitive
prices for consumers” in the credit reporting and credit granting [industries that] are, in
many aspects, national in scope.”16
GLBA’s prohibitions deal only with sharing of nonpublic personal information by
financial institutions with nonaffiliated third parties. There is no direct authorization of
sharing such information among affiliated financial institutions. In essence, therefore,
GLBA indirectly authorizes interaffiliate sharing of information by a provision
disavowing an intent to supersede the FCRA.17 It, therefore, preserves the conditions
placed upon interaffiliate sharing of information in the FCRA: (1) that information other
than experience or transaction information may be shared only upon providing customers
an opportunity to opt-out; and (2) state laws may not preempt until January 1, 2004, and,
then, only upon specified conditions. This preservation of the FCRA runs counter to
GLBA’s general preemption provision under which GLBA preempts state laws only to
the extent that they provide less protection than GLBA.18 Whether or not a state law
provides more protection than GLBA and is not preempted, however, must be determined
by the Federal Trade Commission (FTC).19
Generally, state laws that provide more protection than GLBA, e.g., laws that require a
specific form of notice respecting an institution’s privacy policy, would not
automatically be enforceable without an FTC determination as required under GLBA.20
That would not appear to be true for a state law limiting interaffiliate information sharing,
provided that it is enacted after January 1, 2004, and otherwise meets requirements
specified in the FCRA.21 Such state laws would appear to be covered by the GLBA
provision specifying that “nothing [subject to unrelated exceptions] in this chapter shall
be construed to modify, limit or supersede the operation of the Fair Credit Reporting
Act.”22
Current State Laws and Legislative Activity. Since enactment of GLBA,
there has been considerable activity in state legislatures on financial privacy issues,
particularly in terms of making reference to the changes wrought by GLBA. Some states
have laws that are more protective of consumer privacy. For example, at least four states,
Alaska,23
16 See S. Rep. 104-185, 104th Cong., 1st Sess. (1995), reporting on S. 650 in the 104th Congress,
the immediate predecessor of the legislation enacted in 1996. The time limitation derived from
a manager’s amendment offered by Senator Bryan in an earlier Congress. 140 Cong. Rec. S5027
(May 3, 1993 daily ed.).
17 15 U.S.C. § 6806.
18 15 U.S.C. § 6807.
19 15 U.S.C. § 6807(b).
20 15 U.S.C. § 6807(b).
21 15 U.S.C. § 1681t(d)(2). See n. 15 supra.
22 15 U.S.C. § 6806.
23 Alaska Stat. § 6.01.028 generally requires customer consent for a financial institution to
disclose customer information, with no blanket exception or authorization for sharing information
Connecticut,24 North Dakota,25 and Vermont,26 have current laws that would require
an opt-in or in some way hamper the sharing of customer information among affiliates.
None of these would, of course, operate to override the FCRA authorization of
interaffiliate information sharing without further legislative action. In other states, since
GLBA, there have been provisions enacted modifying stringent financial privacy laws to
accommodate GLBA.27 In the only state holding a referendum on such a statute, North
Dakota, the voters by a 73% majority, voted to repeal the new law.28 In the 2003
legislative session, the legislatures of at least two states, California29 and New Jersey,30 are
considering enacting laws that would appear to be directed at limiting the ability of
financial institutions to share customer information should the FCRA preemption
provision not be renewed. Another, New York,31 is considering legislation to require
affirmative consent for disclosing nonpublic personal information to nonaffiliated third
parties.
Legislative Issues. The issue of whether or not and under what circumstances
to renew the FCRA preemption of state restrictions on affiliate sharing of customer
information is likely to be joined with issues relating to other FCRA provisions also
23 (...continued)
among affiliated companies, although there is permission for sharing with marketing partners.
24 Connecticut Gen. Stat. Anno. §§ 36a-41 to 36a-44 require consent for disclosure by financial
institutions, authorize disclosures in various circumstances, but contain no blanket exception for
sharing of information among affiliates and place restrictions on sharing of information with
broker-dealers.
25 N.D. Cent. Code §§ 6-08.1-01 to 6-08.1-08 require customer written consent for sharing of
information among affiliates.
26 Vermont Stat. Anno. §§ 10201 - 10205 prohibit disclosure of customer financial information
by financial institutions except as provided in a list of exceptions, none of which appear to permit
interaffiliate sharing of customer information.
27 See, e.g., Florida Stat. §655.059(2)(b). (Amended to that effect in 2001). This states that
“nothing...[in the financial privacy statute] shall prohibit a financial institution from disclosing
financial information ...as permitted by [GLBA].”
28 See Mark Wolski, “North Dakota Voters Trounce Bid to Let Banks Use ‘Opt-Out’ on Financial
Privacy,” 78 BNA’s Banking Report 1051 (June 17, 2002).
29 California Senate Bill 1, introduced December 2, 2002, would provide a customer opt-out for
information sharing among affiliates and an affirmative opt-in for sharing with nonaffiliated third
parties. A previous version of the measure had been vetoed by Governor Davis. See Laura
Mahoney, “California Senate Kicks off New Session by Bringing Back Financial Privacy
Measure,” 79 BNA’s Banking Report 926 (December 9, 2002).
30 New Jersey Senate Bill No. 2245, introduced January 16, 2003, would prohibit financial
institutions from requiring more information than reasonably necessary and prohibits disclosure
of confidential consumer information to affiliates or unaffiliated third parties without obtaining
affirmative consent and specifying the types of information that will be disclosed and the
conditions under which it will be disclosed. The bill would also provide consumer access to
information and opportunity to dispute the accuracy of the information.
31 New York Assembly Bill 869, introduced January 8, 2003. This legislation would also
provide greater protection than GLBA in other ways, such as providing a private right of action.
subject to the January 1, 2004, expiration date.32 Consideration of these topics may
engender debate on other consumer credit issues–such as preempting state predatory
lending laws or state laws restricting insurance companies’ use of credit scoring.33 It may
also provoke questions as to whether or not to alter GLBA’s privacy provisions. Some
of the policy issues that might be considered are: (1) Should GLBA require opt-out for
information sharing among affiliates, similar to the FCRA provisions? (2) Should GLBA
be modified to require opt-in for sharing with nonaffiliated third parties? (3) Should
GLBA be modified to require opt-ins for sharing of sensitive information? (4) If so, how
should such sensitive information be defined? and (5) Should the same standards apply
to sharing of information among affiliates and to sharing pursuant to joint ventures or
marketing agreements–as is the case under GLBA? Underlying these policy issues, of
course, are questions that are more general – such as what is to be gained by these privacy
laws in terms of effectiveness in preventing unauthorized access or dissemination of
personal data, deterring identity theft, and meeting justifiable public expectations of
privacy.34 There are also practical matters – such as the relative cost of compliance both
to the industry and to its customers. Some of these issues have been addressed in
Congressional hearings in the 107th Congress35 and may resurface in hearings as
legislation is developed in the 108th Congress.
32 Without extension of the preemptions, “states could individually determine when a loan would
be deemed delinquent, what borrower information a lender could report to credit bureaus, and
what fines could be imposed for providing inaccurate information.” Rob Blackwell, “Greenspan
Is 1st Regulator to Endorse FCRA Extension,” American Banker 1 (February 13, 2003).
(Available in LEXIS, News Library, Curnws file.) Other provisions that are subject to the same
conditions for state overrides after January 1, 2004, are provisions relating to: furnishing credit
reports in connection with preapproved unsolicited offers of insurance; timing in connection with
disputed accuracy of credit reports; certain duties in connection with adverse actions taken on
the basis of a credit report; duties in connection with unsolicited, preapproved credit card or
insurance offers; certain specifications as to what may and may not be included in consumer
reports; and duties of persons furnishing information to credit reporting agencies. 15 U.S.C.
§§ 1681t(b) and (c).
33 See, e.g., “Expiring Info Sharing Pre-Emption May Spark Fight,” National Journal’s Congress
Daily (January 23, 2003).
34 See CRS Report RS21163, “Remedies Available to Victims of Identity Theft,” and CRS
Report RS21803, “Identity Theft and the Fair Credit Reporting Act: An Analysis of TRW v.
Andrews and Current Legislation.”
35 See U.S. Senate Comm. on Banking, Housing, and Urban Affairs, “Hearing on ‘Financial
Privacy and Consumer Protection,’” [http://banking.senate.gov/hrg02.htm#sep02]; The House
Committee on Energy and Commerce held hearings covering a wide variety of topics.
[http://energycommerce.house.gov/107/action/action.htm]. Included are: EU Data Protection
Directive; privacy in the commercial world, and existing federal statutes addressing information
privacy.