How do the privacy protections in the Gramm-Leach-Bliley Act — the well-known banking law — help consumers? The short answer is that the GLBA does almost nothing to help consumer privacy. Understanding that the GLBA is essentially a privacy fraud is important because exemptions for the GLBA are features of some state and federal privacy bills.

Let’s look at the provisions of the GLBA. The privacy part of the law provides two — and only two — provisions for consumers. First, each financial institution must have a privacy notice. That’s something but not much. We know that consumers don’t read privacy notices, although others — regulators, consumer groups, reporters — do. Notices used to be an annual event, but the banks lobbied Congress to dilute that obligation. In any event, at this stage, law or not, banks would have privacy notices anyway.

Second, the GLBA provides that a financial institution that wants to share personal information with a non-affiliated third party — anyone outside the corporate family — must give consumers the chance to "opt out" under some circumstances. Even if a consumer doesn’t opt out, the law prevents sharing of account and credit card numbers for third-party marketing uses. But the opt-out does not apply to joint marketing agreements with other financial institutions. That means that if one financial institution wants to share consumer information with another financial institution, it can do so through a joint marketing agreement, and consumers have no opt-out rights.

Some financial institutions don’t bother offering opt-outs, choosing not to share information with third parties at all. The minor benefits of data sharing aren’t worth the bother of telling consumers about their opt-out rights and processing the opt-outs.

That’s it for the GLBA and privacy.

There is nothing else in the law for consumer privacy. No limits on data collection. No right of access or amendment. No restrictions on use. Some financial institutions have dozens of lines of business, and they can share consumer data freely with all those affiliated businesses without restriction from the GLBA. The control on disclosure for non-affiliate sharing is not all that meaningful because few consumers read notices and even fewer bother to opt out.

Now, there is a security requirement in the GLBA. But banks need security for their own purposes. Banks have more to lose from security lapses than consumers. A general statutory requirement adds little to the protections. Still, does the security requirement count here? No, because we’re talking here about privacy protections and not security obligations.

In some ways, the GLBA is worse for consumers than nothing. At this late date, it actually harms consumer privacy interests. The California Consumer Privacy Act offers an example. The CCPA does not apply to personal information collected, processed, sold or disclosed pursuant to the GLBA. The CCPA doesn’t just effectively exempt financial institutions; it exempts any information that a financial institution discloses to others. The exemption apparently follows the data.

Let’s try an example: Suppose a bank offers consumers an opt-out of data sharing to third parties. With few exceptions, the usual opt-out rate rarely exceeds a few percentage points. If the bank discloses consumer data to a third party, that data is exempt from the CCPA in the hands of the recipient, as well.

In California, the effect of the GLBA exemption is to deny consumers the rights that they would have with respect to data that banks disclose to third parties, rights that they would have but for the CCPA’s GLBA exemption. In California, the GLBA is effectively a get-out-of-regulation-free law for consumer data originating with financial institutions. It’s an incredibly broad exemption, to say the least.

Not all state law exemptions for federal privacy laws are terrible. The CCPA also exempts credit reports under the federal Fair Credit Reporting Act. That exemption is OK because the FCRA is probably the best federal privacy law, with real limits on the use of credit reports and real rights for consumers.

In privacy battles in Congress and states, banks use the GLBA as a privacy shield. Don’t regulate us, they argue, because we are already regulated federally for privacy. But the federal regulation is so thin that it offers no meaningful privacy protection to consumers. In effect, the only real beneficiaries of the GLBA privacy provisions are the financial institutions themselves. They use it to avoid real privacy regulations.

Consumer privacy would be enhanced by actually repealing the privacy provisions in the GLBA. That is just how perverse the GLBA privacy provisions are now. Banks would have privacy notices anyway, and repeal would make financial institutions fully subject to the CCPA and perhaps other state laws, too.

For the moment, a better result would be for federal and state legislators to not provide a GLBA exemption in their privacy laws. California should repeal its GLBA exemption at the next opportunity. At this time, however, repealing the privacy parts of the GLBA is just a fantasy.

Photo by Sharon McCutcheon on Unsplash