Data Sharing: Which privacy laws apply?

When a lender shares data outside of its organization, the question often arises of what laws apply to the sharing. What is an organization allowed to share and with whom, and how do these laws impact my company’s financial privacy notice? 

At the federal level, the answer to these questions relates to the relationship between the Gramm-Leach-Bliley Act (GLBA, along with its implementing Regulation P), the Fair Credit Reporting Act (FCRA, implementing Regulation V) and the common financial privacy notice used to satisfy disclosure and opt-out requirements under both laws.  

To understand which law governs the sharing at issue, it is key to ask: Who are you sharing the data with (affiliates or non-affiliates), and for what purposes? 

Data sharing with non-affiliates 

The GLBA requires that a lender provide a privacy notice to consumers either prior to disclosing nonpublic personal information (NPI) about the consumer to any non-affiliated third party, (outside of certain exceptions) or before or when the institution enters into a continuing customer relationship with that consumer.  

The notice must provide the consumer with the right to opt-out of the disclosure of NPI to non-affiliated third parties. Stated another way, the GLBA only specifically restricts the sharing of NPI with a non-affiliated third party.  

In the financial privacy notice model form provided by the Consumer Financial Protection Bureau (CFPB), certain categories of data sharing relate specifically to the GLBA opt-out requirement and its exceptions, namely the categories that discuss sharing:  

• “(i) For our everyday business purposes — such as to process your transactions, maintain your account(s), respond to court orders and legal investigations, or report to credit bureaus;  
• (ii) For our marketing purposes — to offer our products and services to you;  
• (iii) For joint marketing with other financial companies; and  
• (iv) For non-affiliates to market to you.”  

The financial institution must describe whether it shares each type of specific information under the above categories and whether the consumer can limit the sharing. The first three categories describe exceptions to the GLBA requirement, which means that a consumer does not have a federal right to limit those types of sharing. However, although opt-out rights may exist under state laws, an institution also is free to offer a voluntary opt-out opportunity.  

Sharing under the fourth category is subject to the GLBA opt-out requirement and affirmative opt-in requirements under certain state laws. Properly populating these categories is critical to maintaining GLBA compliance regarding when NPI may be shared with non-affiliates. 

Data sharing with affiliates 

In contrast to the GLBA, the FCRA regulates sharing of information between affiliated entities. An “affiliate” is generally any company that controls, is controlled by or is under common control with another company. Generally, when consumer information is shared between affiliates, the FCRA will come into play.  

However, understanding the type of information shared and for what purposes — marketing or non-marketing — will determine how the information is disclosed in the notice, and whether the consumer has a right to opt-out of the sharing and/or use of such information.  

FCRA affiliate sharing and marketing rules impact the following sections of the financial privacy notice that address information about transactions and experiences as well as creditworthiness for affiliates’ everyday business purposes as well as affiliates’ marketing purposes. 

Transactions and experience vs. creditworthiness 

The first question is to assess whether the sharing is for an “everyday business purpose” or a marketing purpose. In the everyday business purpose context, the entity must next ask whether the sharing relates to “information about transactions and experiences” or “information about creditworthiness.” Both categories map to the FCRA’s definition of a “consumer report.”  

Specifically, for purpose of “information about transactions and experiences,” a consumer report does not include: 

• “(i) a report containing information solely as to transactions or experiences between the consumer and the person making the report; or 
• (ii) communication of that information among persons owned by common ownership or affiliated by corporate control.” 

For purpose of “creditworthiness” a consumer report does not include: 

• “(i) communication of other information among persons related by common ownership or affiliated by corporate control, if it is clearly and conspicuously disclosed to the consumer that the information may be communicated amongst such persons and the consumer is given the opportunity, before the time that the information is initially communicated, to direct that such information not be communicated among such person.”  

This means that if a financial institution wishes to share “transaction and experience” information with an affiliate, the financial institution must disclose that fact on the financial privacy notice but does not have to give the consumer an opt-out right.  

If a financial institution wishes to disclose “creditworthiness” information with an affiliate in a manner that might otherwise cause the information to be considered a “consumer report” (i.e., for the affiliate’s everyday business purposes), the financial institution must disclose that fact on the financial privacy notice and provide the consumer with an opt-out right; otherwise, the financial institution risks being considered a “consumer reporting agency,” making it subject to a variety of burdensome regulatory requirements. 

Sharing for marketing purposes 

If the sharing is for marketing purposes as opposed to everyday business purposes, specific rules under the FCRA will govern the use of such information. The FCRA provides that a regulated person may not use “eligibility information” about a consumer received from an affiliate to make a solicitation for marketing purposes to the consumer, unless:  

• “(i) It is clearly and conspicuously disclosed to the consumer; 
• (ii) The consumer is provided a reasonable opportunity and a reasonable and simple method to ‘opt out; and 
• (iii) The consumer has not opted out.” 

Under the FCRA, when eligibility information is shared to make solicitations for marketing purposes, the entity must disclose the sharing and provide an opportunity for the consumer to opt-out before the information may be used for marketing purposes. Note that this opt-out is separate from the opt-out provided when sharing occurs between affiliates for everyday business purposes. 

Thus, when eligibility information is shared between affiliates for solicitation or marketing purposes, this sharing must be properly disclosed in the “affiliates to market to you” category and the consumer must have a right to opt-out of the use of such information for marketing purposes. 

Overall, it can be difficult to grasp the nuances between the GLBA and FCRA and how the different categories of data sharing in the financial privacy notice relate to the requirements under each law. Understanding the interplay between these two laws is critical when sharing any consumer information, no matter who the recipient is. 

Paul Lysobey is an associate at McGlinchey. He advises clients on compliance with the Truth in Lending Act (TILA), Fair Debt Collection Practices Act (FDCPA), Servicemember Civil Relief Act (SCRA), Fair Credit Reporting Act (FCRA) and the Equal Credit Opportunity Act (ECOA). 

David Tallman is a member (partner) at McGlinchey. He advises clients on obligations under federal and state consumer credit laws, including data privacy, cybersecurity and payments processing requirements.