DMA: Data and Marketing Association

Gramm Leach Bliley Act

Do The Privacy Notice Requirements Of The Gramm-Leach-Bliley (GLB) Act Apply To Your Company?

The short answer is YES, if you are considered a “financial institution” under the Gramm-Leach-Bliley Act of 2000 (GLB). Such institutions are required to send GLB-compliant privacy policies to their customers initially and once a year thereafter.

What is a “financial institution” under GLB?

Under GLB, a “financial institution” includes traditional institutions such as banks, credit unions, and securities brokers. It also covers other entities such as real estate appraisers, insurance companies, automobile leasing companies, companies that operate as travel agencies in connection with financial services, and retailers that issue their own credit cards directly to consumers.

What must a Gramm-Leach-Bliley privacy policy notice include?

If your company is considered a “financial institution” as defined above, then you need to send your customers an initial – and then annual – notice regarding your company’s policies. In your notice, you must explain how you collect and share information, and provide a way for customers to opt out of such information exchanges. Specifically, you must include:

  • Types of information your company collects;
  • Types of information your company shares;
  • Types of affiliates, non-affiliates and joint marketers with whom your company shares information; [Note: You need not offer an opt-out for information shared with affiliates, joint marketers, and non-affiliates that are performing functions on your company’s behalf. However, you must still describe your information-sharing practices.]
  • How a customer can opt out of information exchanges, as well as a method for doing so. You must also include a means for opting out of information exchanges among affiliates as required by the Fair Credit Reporting Act (FCRA);
  • Assurance that information policies and practices are in place for security and confidentiality of data; and
  • Description of the types of information your company discloses about former customers and to whom you disclose such information.

Contact Information

Data & Marketing Association
Corporate & Social Responsibility (CSR) Department and Government Affairs
225 Reinekers Lane
Suite 325
Alexandria, VA 22314