Summary of Privacy Rules in the United States




Last update: Friday, 20 June 2003


 

Federal & State Privacy Rules (by type of information)    

The original table compares three types of information: Credit Information (Application Information), Other Financial Information (Experience Information), and Health & Medical Information. Each row below gives the rule for those three types in that order.

Gramm-Leach-Bliley Act, GLBA, Title V (Fair Credit Reporting Act, FCRA, endorsed)

  • Affiliates
      • Credit information: Opt-out (by FCRA)
      • Other financial information: Sharing is allowed (by GLBA)
      • Health & medical information: Silent *1
  • Third party (with joint program)
      • Credit information: Generally prohibited (by FCRA) *2
      • Other financial information: Sharing is allowed (by GLBA)
      • Health & medical information: Silent *1
  • Third party (unrelated)
      • Credit information: Generally prohibited (by FCRA) *2
      • Other financial information: Opt-out (by GLBA)
      • Health & medical information: Silent *1

Relation To State Privacy Laws *3

  • Affiliates
      • Credit information: Preempted until January 1, 2004 (by FCRA). *4 Afterwards, state laws with greater protection, if any, as determined by the FTC are not automatically preempted by Title V (by GLBA). *5
      • Other financial information: Preempted until January 1, 2004 (by FCRA). *4 Afterwards, state laws with greater protection, if any, as determined by the FTC are not automatically preempted by Title V (by GLBA). *5
      • Health & medical information: State laws which require depository institutions to allow customers to opt in regarding the use of medical information other than for insurance underwriting are not preempted by federal law (one of the 13 safe harbors, by GLBA). Otherwise, preempted until January 1, 2004. *4 Afterwards, silent. *1
  • Third party
      • Credit information: State laws with greater protection, if any, as determined by the FTC are not automatically preempted by Title V (by GLBA). *5
      • Other financial information: State laws which require depository institutions to allow customers to opt in regarding insurance information are not preempted by federal law (one of the 13 safe harbors, by GLBA). Otherwise, state laws with greater protection, if any, as determined by the FTC are not automatically preempted by Title V (by GLBA). *5
      • Health & medical information: State laws which require depository institutions to allow customers to opt in regarding the use of medical information other than for insurance underwriting are not preempted by federal law. Otherwise, state laws with greater protection, if any, as determined by the FTC are not automatically preempted by Title V (by GLBA). *5
    *1 It is noted that the final rules issued by the federal regulators treat health & medical information as "financial" information, despite the legislative intention to exclude it. HHS is working on privacy regulations for health, disability & LTC insurance (not life insurance).

    *2 Otherwise subject to the substantial regulations that apply to consumer reporting agencies.

    *3 It is noted that the insurance regulator of the state of "domicile" is responsible for the implementation of Title V (Subtitle I), while market conduct is generally regulated by the state of residence or licensure. (This may raise an interesting basic issue: preemption by the state of domicile over the state of residence or licensure.) It is also noted that a state that fails to implement Title V, Subtitle I, is not eligible to override consumer protection regulations prescribed by the federal banking agencies regarding bank-insurance matters (not limited to privacy issues).

    *4 FCRA was revised in 1996, inserting a provision that preempts any state law restricting the free flow of information within the same corporate group (affiliates), while allowing opt-out for affiliate sharing.

    *5 Any state law inconsistent with Title V is preempted. Section 507 says that a state law with greater protection, as determined by the FTC, is not inconsistent with the Act in this regard. It is to be noted that greater protection under state law is a necessary condition, but it is not certain whether it is a sufficient condition, to avoid federal preemption.

    Note: I am not an attorney and this is not legal advice. I advise you to consult your attorneys for more information.

     

    Privacy Provisions in the Financial Reform Bills    

    The original table compares four versions of the bill: S900 (as signed by the President on November 12, 1999); H.R.10 (as approved by the House on July 1, 1999); H.R.10 (as approved by the House Commerce Committee on June 10, 1999); and S900 (as approved by the Senate on May 4, 1999). The provisions of each version are listed below.

    S900 (as signed by the President on November 12, 1999)

  • Obtaining private customer financial information through fraudulent or deceptive means such as "pretext calling" is a federal crime, punishable by up to five years in prison.
  • All financial institutions have an "affirmative and continuing obligation" to respect the privacy of customers and to protect the security and confidentiality of customers' nonpublic personal information.
  • Financial institutions may share consumer information with affiliated insurers or securities companies, or with legitimate joint ventures.
  • Consumers have the right to opt out, for the first time, of the sharing of their private information with unaffiliated third parties, with exceptions for customer transactions, consumer reporting, compliance, etc.
  • A financial institution may share information with companies performing functions on its behalf, or for joint marketing of financial services, as long as the institution discloses this to consumers and requires the third party to keep the information confidential.
  • Financial institutions are barred, with certain exceptions, from disclosing customer account numbers or access codes to unaffiliated third parties for telemarketing or other direct marketing purposes.
  • A study of current information sharing among affiliates and unaffiliated third parties is required.
  • The privacy policy and the institution's information-disclosure practices must be disclosed annually.
  • Federal and state regulators are required to establish comprehensive standards for ensuring the security and confidentiality of consumers' personal information.
  • The Fair Credit Reporting Act is protected. The federal banking agencies and the NCUA are authorized to prescribe joint regulations, and the FRB is given authority to prescribe FCRA regulations for BHCs and their affiliates.
  • Federal banking regulators cannot preempt state opt-in health privacy laws (one of the 13 safe harbor areas). More generally, state laws with greater privacy protection are granted supremacy over the provisions of this bill.

    H.R.10 (as approved by the House on July 1, 1999)

  • Obtaining private customer financial information from financial institutions by false means such as "pretext calling" is prohibited, and criminal penalties may be provided.
  • All financial institutions have an "affirmative and continuing obligation" to respect the privacy of customers and to protect the security and confidentiality of customers' nonpublic personal information.
  • Financial institutions may share consumer information with affiliated insurers or securities companies, or with legitimate joint ventures.
  • Consumers have the right to opt out of the disclosure of their private information to unaffiliated third parties, with limited exceptions for the handling of consumer-initiated transactions, consumer reporting, compliance, etc.
  • A study of current information sharing among affiliates and unaffiliated third parties is required.
  • Regulations are required to implement privacy protection and security standards. Regulatory authority to detect and enforce violations of consumer privacy requirements is enhanced.
  • Insurance companies could not share consumers' medical and health information with their affiliates, subsidiaries or third parties, with certain exceptions broader than those in the Commerce bill, unless the consumers consent ("opt in").
  • Federal banking regulators cannot preempt state opt-in health privacy laws (one of the 13 safe harbor areas).

    H.R.10 (as approved by the House Commerce Committee on June 10, 1999)

  • Obtaining private customer financial information from financial institutions by false means such as "pretext calling" is prohibited, and criminal penalties may be provided.
  • Consumers have the right to opt out of the disclosure of their private information to affiliated companies and third parties.
  • Insurance companies could not share consumers' medical and health information with their affiliates, subsidiaries or third parties, with certain exceptions, unless the consumers consent ("opt in").
  • Federal banking regulators cannot preempt state opt-in health privacy laws (one of the 13 safe harbor areas).

    S900 (as approved by the Senate on May 4, 1999)

  • Obtaining private customer financial information from financial institutions by false means such as "pretext calling" is prohibited, and criminal penalties may be provided.
  • Federal banking regulators are required to establish a consumer grievance process to deal with privacy violations.
  • The GAO is required to prepare a report on the effectiveness of remedies for pretext calling.
  • Federal banking regulators cannot preempt state opt-in health privacy laws (one of the 13 safe harbor areas).

