Don't Throw Away Your Right to Financial Privacy

Don't throw away your right to financial privacy:

Read your mail from financial institutions and decide whether to say "No!" to information trafficking.

The Attorney General's office advises consumers to learn about their right to say "no" to the sharing of their personal information by financial institutions. Perhaps unknown to many consumers, financial institutions are allowed to sell your personal information to unaffiliated companies - but before they do, they must notify you of their information-sharing practices and give you the opportunity to limit some of the trafficking in your personal information. Do not throw out mail from banks, insurance companies, investment brokers, and other financial institutions until you have reviewed it for financial privacy information. If you do not exercise your right to say "no," these companies may begin selling your personal information to outside companies.

Many financial institutions have voluntarily adopted stricter information sharing policies than the law now requires, but many have not. Only by reading the information you receive, and by asking questions of financial institutions, will you know how your institution uses your personal information and be able to decide whether to take your business elsewhere.

As collecting, slicing, dicing, mixing, and manipulating your personal information has become easier and cheaper, there has been a corresponding increase in the reported cases of identity theft, which occurs when a person uses someone else's personal information to fraudulently make purchases or obtain credit in that person's name. Some identity thieves have even generated criminal convictions under an innocent consumer's name. Identity theft can be a nightmare, but consumers can take steps to reduce their risk of becoming victims by limiting others' access to their personal information.

(The information presented in this alert concerns data trading by financial institutions. For more information on identity theft, see the Attorney General’s Consumer Alerts titled “Identity Theft Prevention,” “Identity Theft Recovery,” “Identity Theft: Deceased Victims,” and the Federal Trade Commission’s Identity Theft website.)

The Financial Privacy Laws - Good News and Bad for Consumers

In passing the Gramm-Leach-Bliley Act of 1999, Congress repealed long-standing restrictions separating different sectors of the financial services industry. Now, banks, insurance companies and brokerage companies are allowed to merge or become corporate affiliates and to share consumers' personal information. (For example, a brokerage house or bank can now share information about a consumer's transactions with an affiliated insurance company.)

First, the good news: The new federal financial privacy rules require financial institutions to:

  • give consumers some limited information about how their personal information is being shared;
  • offer consumers a limited opportunity to block some trafficking in their personal information before the institutions may begin trading in that information; and
  • maintain the confidentiality of account numbers and not sell them to nonaffiliated companies for use in telemarketing, direct mail, or commercial e-mail.

Consumers have an opportunity to inform and protect themselves. By being vigilant - and active - consumers can stop the flow of some personal information between corporate databases and nonaffiliated, outside companies, such as information brokers, telemarketers, and junk mailers.

Now, the bad news: While Congress and other federal agencies have given consumers limited ability to protect the privacy of their financial information, the sad fact is that much of the information that financial institutions gather about their customers is not covered by these rules.

Financial institutions generally don't have to offer consumers the right to prevent "publicly available" information about them from being sold to other parties, or to prevent the sharing of even nonpublic personal information with "affiliates" of the financial institution. (An exception, however, is the sharing of non-transactional information, such as "creditworthiness" information, among affiliates under the federal Fair Credit Reporting Act - this information should be included in the notices you receive.)

The cost of preventing the sale or other transfer of nonpublic personal financial information to outside companies rests squarely on consumers' shoulders - consumers must spend the time and effort to learn what rights they have, to determine how to exercise those rights, and then to invest the additional time and effort completing the opt-out process.

Frequently Asked Questions About Your Right to Opt Out of Certain Trafficking in Your Personal Information

Under the Gramm-Leach-Bliley Act and rules established by the Federal Trade Commission and other federal agencies, financial institutions have an obligation to give their customers notice about the use of their personal information and a limited opportunity to block some information sharing. The questions and answers below cover elements of the FTC's rules.

1. Which "financial institutions" are covered by these laws?

According to the Federal Trade Commission, a "financial institution" includes banks, insurance companies, and investment businesses, as well as any other business "significantly engaged" in financial activities. "Financial institutions" may include:

  • Retailers that issue their own credit cards;
  • Banks;
  • Insurance companies;
  • Mortgage brokers;
  • Investment advisors;
  • Securities dealers;
  • Accountants and tax preparation services;
  • Lawyers and law firms (confidential client communications remain protected);
  • Car dealerships that lease cars on a "non-operating basis" for more than 90 days;
  • Businesses that print and sell checks for consumers;
  • Check cashing businesses; or
  • Businesses that operate travel agencies in connection with financial services.

2. What Notice is Required?

Institutions must supply consumers with an initial privacy statement. Consumers who have a continuing relationship with a financial institution are entitled to additional statements on a yearly basis. The notice should include:

  • An explanation of the consumers' right to opt out of disclosures to nonaffiliated third parties and how consumers may exercise their right;
  • Categories of personal information the financial institution collects;
  • Categories of personal information the financial institution discloses;
  • Categories of affiliates and nonaffiliated third parties to whom the financial institution discloses the information;
  • An explanation regarding disclosures of nonpublic personal information about former customers by the financial institution;
  • A description of the financial institution's disclosures to nonaffiliated parties that fall within certain exceptions to the consumers' right to opt out;
  • An explanation of consumers' ability to opt out of disclosures of certain types of information among affiliates under the federal Fair Credit Reporting Act (FCRA); and
  • A statement of the financial institution's confidentiality and security policies and practices regarding nonpublic personal information.

3. How does the opt-out notice work?

The opt-out notice is separate from the privacy statement. It must contain certain information and must be clear. Specifically, the opt-out notice must:

  • State that the institution will disclose, or reserves the right to disclose, nonpublic personal information about you to outside companies, if this is the institution's policy;
  • Tell consumers that they have a right to opt out of such information sharing; and
  • Provide consumers with a reasonable means for opting out.

4. What is "nonpublic personal information?"

The new rules give consumers only a limited right to block sharing of certain information. Consumers have no right to block sharing of information that is "publicly available," which means:

  • Information the institution believes can be legally obtained from government records;
  • Information the institution believes is available to the general public through telephone books, newspapers, websites, and other "widely distributed media"; and 
  • Information from disclosures required by law to be made public.

5. What is an "affiliated company?"

Generally, affiliated companies are individual companies that belong to the same corporate family. For example, an insurance company and a bank that are under the control of a third (parent) company would be affiliates, as would the parent company. Thus, neither the bank nor the insurance company would be required to permit you to opt out of data sharing with the other company under the FTC's rules.

Under the Fair Credit Reporting Act, however, consumers have a limited ability to opt out of some information sharing between affiliates involving non-transactional information, including information about:

  • Your alleged creditworthiness, credit capacity, and credit standing;
  • Your alleged character;
  • Your alleged general reputation;
  • Your alleged personal information; and
  • Your alleged "mode of living."

Unfortunately, at this time, the Fair Credit Reporting Act does not give consumers the right to prevent affiliates from sharing "transaction and experience" information about a consumer. Such transactional information can include a wide variety of data many consumers would consider very personal, such as credit card charges a consumer makes and checks a consumer writes.

What Can You Do to Limit Trading in Your Personal Information by a Financial Institution?

  • Read information you receive, or have received recently, from financial institutions and look for notices or statements containing phrases like "Opt Out," "Your Options," or "Your rights regarding personal information." These statements may not be in a separate mailing or even on a separate piece of paper. The privacy statement should not only tell you how your information is being used and how you can opt out of information-sharing between outside companies, but it should also inform you of your right to block certain non-transactional information, including "creditworthiness" and "character" information, from being shared between affiliated organizations.
  • Exercise your right to opt out of information sharing. Notices from financial institutions should have clear and simple instructions for mailing in opt-out requests or calling a toll-free customer service number.
  • Check with your financial institution to make sure your "opt-out" decision has been received and recorded.
  • Learn more about your rights if you are concerned about how your financial information is used. (More information and links to websites are provided below.)
  • Contact any companies with which you have an existing relationship that you believe fall within the definition of a "financial institution." Ask them any questions you have about their privacy practices, and ask for instructions on how to opt out of information sharing.
  • Consider taking your business to a company that offers greater privacy protection if you are dissatisfied with how your financial institution is using your information.

For More Information:

Consumers who would like more information about the Gramm-Leach-Bliley Act can visit the FTC's website that contains various resources related to the Act.

For more information about identity theft prevention, consumers should visit the Attorney General's Consumer Alert entitled "Identity Theft Prevention." Consumers may also call the Federal Trade Commission (FTC) at 877-ID-Theft.

If you have a complaint about a privacy notice or opt-out instructions, you may wish to file a complaint with the FTC.

Contact the Attorney General if you have a complaint

If you have a complaint, please contact the Attorney General's Consumer Protection Team at:

Consumer Protection Team
P.O. Box 30213
Lansing, MI 48909
517-335-7599
Fax: 517-241-3771
Toll-free: 877-765-8388
Online complaint form