New Privacy Act May Affect Some Cemeteries and Funeral Homes
by David W. Thompson, guest columnist
For more than a year, federal agencies such as the FTC and the Federal Reserve Board have been wrestling with a new consumer disclosure law known as the Gramm-Leach-Bliley Act (GLBA). Although the GLBA applies to traditional financial institutions like banks and insurance companies, the act's definition of a "financial institution" is so broad that many retailers -- including cemeteries and funeral homes -- that extend credit or offer insurance to consumers will be affected. Effective July 1, financial institutions must give existing and new customers a written notice describing the institution's information collection and sharing practices, even if the financial institution will only share the customers' information as permitted by law. In some cases, financial institutions must also allow consumers to "opt-out" of the institution's plans to share nonpublic personal information with nonaffiliated third parties. This article provides a brief overview of the GLBA.
Who Is a "Financial Institution"?
Funeral homes, cemeteries and other merchants ("retailers") may become financial institutions for GLBA purposes if they regularly offer a product or service to consumers that a financial holding company could also offer by engaging in a "financial activity" authorized by the Federal Reserve Board, such as extending credit, servicing credit and offering a third party's insurance products.
Retailers should carefully evaluate whether they extend credit to determine if they are "financial institutions" for GLBA purposes. A retailer may offer a "financial product or service" that makes it a GLBA "financial institution" if it regularly sells goods and services to customers on credit under retail installment contracts initially payable to the retailer (a "retail contract").
A retailer does not offer a "financial product or service" as a GLBA "financial institution" when it sells merchandise to customers paying with cash, checks, or credit cards issued by another institution, or if the retailer's only means of extending credit are occasional "lay away" and deferred payment plans. Any finance company or bank to which a retailer sells and assigns a retail contract is itself a GLBA "financial institution."
Retailers should also consider whether they are offering other "financial products or services," such as insurance products, that would make the retailer a GLBA "financial institution."
Who Is Protected as a "Consumer" or "Customer" Under GLBA?
GLBA protects the privacy rights of everyone who is or was a consumer of a financial product or service they obtained from a financial institution (including current and former credit applicants and current or former customers). Consumers with whom a financial institution currently has a "continuing relationship" (i.e., customers) are entitled to receive GLBA privacy notices at different times than persons who are simply consumers. Customers are a subset of the broader category of consumers protected by GLBA. For example, a retailer who allows a consumer to finance their purchase of goods and services establishes a continuing relationship that makes the consumer a customer at least while payments are due the retailer under the retail contract.
For consumers such as credit applicants and former customers, a GLBA financial institution must provide a GLBA privacy and opt-out notice only before the institution may share the consumer's "nonpublic personal information" with nonaffiliated third parties.
However, each consumer who establishes a "customer relationship" with the financial institution (each "customer") must receive a financial institution's privacy notice both (a) at the time the customer relationship is established (e.g., when a retail contract is signed) and (b) annually thereafter while the customer relationship continues (e.g., until the retailer sells and assigns its rights in the retail contract to a sales finance company, when the retail contract is charged off, or when the customer completes his payment obligations under the retail contract).
The financial institution must provide GLBA privacy notices to all of its "customers," even if the institution will not share any of the customer's nonpublic personal information. The chart on page 12 illustrates the differences between the various GLBA notices that might be required.
What Kind of Information Is Protected?
GLBA allows consumers and customers to protect their "nonpublic personal information" (which means any "personally identifiable financial information" about the consumer that is not "publicly available information"). Information about a consumer is not publicly available information unless the financial institution reasonably believes the information has been made publicly available by lawful means (e.g., listed numbers in a telephone book). Personally identifiable financial information includes any information a financial institution collects about a consumer in conjunction with providing a financial product or service (e.g., the consumer's name, address and telephone number, their credit history with the institution and others). Even a list or database consisting only of names and addresses identifying persons who are "consumers" or "customers" of a financial institution contains protected "nonpublic personal information" about those persons.
Overview of GLBA Privacy Requirements
The GLBA privacy rule governs when and how financial institutions may share nonpublic personal information about consumers with nonaffiliated third parties. All financial institutions must develop and provide customers with initial and annual privacy notices, even if the financial institution will not share nonpublic personal information about consumers with nonaffiliated third parties or will only share such information with a nonaffiliated third party as permitted under an exception in the GLBA privacy rule. The GLBA privacy notices must describe in general terms the financial institution's information sharing practices.
A financial institution's initial, annual, and revised notices must disclose, as applicable: (1) Categories of information the financial institution collects; (2) Categories of information the financial institution may disclose; (3) Categories of affiliates and nonaffiliates to whom the financial institution discloses nonpublic personal information; (4) Information sharing practices about former customers; (5) Categories of information disclosed under the service provider/joint marketing exception; (6) Consumer's right to opt-out; (7) Disclosures made under the Fair Credit Reporting Act; and (8) Disclosures about confidentiality and security of information.
Financial institutions that share nonpublic personal information about consumers with nonaffiliated third parties (outside of specific opt-out exceptions contained in the privacy rule) must provide consumers with an opt-out notice and a reasonable period of time in which consumers may exercise their opt-out rights. Please note that consumers cannot opt out of all information sharing, and an opt-out notice and opt-out opportunity may not necessarily be required under GLBA. First, the GLBA privacy rule primarily targets a financial institution's ability to share information with nonaffiliated parties. Second, the rule contains a number of exceptions that allow financial institutions to transfer nonpublic personal information to nonaffiliated parties to process and service a consumer's transaction, to comply with legal or regulatory requirements, and to facilitate other normal business transactions. If an opt-out notice is required, a financial institution may include its opt-out notice in its initial, annual and revised privacy notices.
Getting Ready for July 1
All existing customers of a financial institution must receive an initial privacy notice no later than July 1, 2001, and all consumers who establish a customer relationship with a financial institution on and after July 1, 2001 must receive an initial privacy notice from the financial institution. In addition, financial institutions may need to provide an initial privacy notice and an opt-out opportunity to former customers and other persons who are simply "consumers," if the financial institution will share nonpublic personal information about those persons with nonaffiliated third parties outside the exceptions on and after July 1, 2001. All GLBA "financial institutions" should take a comprehensive inventory of their information collection and information sharing practices, to ensure that they properly disclose those practices in their privacy notices. Financial institutions must also carefully identify which consumers and customers are entitled to receive the initial and opt-out notices. Some financial institutions may need to coordinate several databases and work with a variety of vendors and internal departments to identify everyone who is entitled to receive a notice.
David W. Thompson is an attorney with the compliance and litigation sections of McGlinchey Stafford, PLLC's consumer financial services practice group, based in the Cleveland office. He focuses his practice on consumer financial services compliance and litigation. Mr. Thompson received his B.A. from Transylvania University, his J.D. from the University of Kentucky, and his LL.M. in banking law from Boston University. Mr. Thompson is a member of the Committee on Consumer Financial Services of the Section of Business Law of the American Bar Association. He has written articles and is a frequent speaker on consumer finance-related topics. He is admitted to practice in Ohio, Kentucky and Massachusetts.