Criticisms

Criticism has been directed at the written approval. The act never specifies if the customer is responsible for submitting the approval directly to the financial institution or if the government is responsible for only providing proof that a written approval has been submitted to them.^[3]

Safeguards Rule

The Safeguards Rule was implemented into GLBA by the Federal Trade Commission (FTC) to set standards that financial institutions must follow when protecting financial information.^[8] The rule required that financial institutions create and implement a security program that is appropriate to the size of the institutions' operations. The program must keep information safe from any unauthorized access of information, unauthorized use of information, and threats to the safety of the information. Information systems that processes, stores, transmits, and destroys information must be used in the security program.^[8] The rule also states that institutions must dedicate employees to the development, implementation, and maintenance of the security program. There must be people trained to identity and respond to any security threats or data breaches.^[8]

Criticisms

The Gramm-Leach-Bliley Act has been the subject of much criticism as experts claim that the act provides weak protection due to its broad language. Without clear explanation and better defined language, the act is open to interpretation which will ultimately work against consumers.^[6] The privacy policies required by the act are also unhelpful, as many of the policies written by financial institutions are intentionally complex to prevent customer comprehension.^[6] There is also a lack of rules that punish financial institutions for any noncompliance.^[6] Criticism has also been targeted at the opt-out rule in the act. Former president of the Federal Reserve Bank of Richmond, Jeffrey M. Lacker argues that the opt-out option, provided by banks in their policies to customers, is ineffective due to a weak marketplace for financial information. Sharing financial information is not profitable enough to motivate financial institutions to pay for customer consent, so opt-out notifications are rarely distributed. In situations where customers are notified, only an estimated 5% respond. The low response rate is evidence that consumers do not seem to care about their financial privacy. With unconcerned customers and a weak market, the opt-out option is rendered ineffective.^[9]

Criticisms

The Fair Credit Reporting Act faced criticism over the strength of its regulations as the act only limits the distribution of information instead of the collection of it.^[11] The act is also written with broad language which invites open interpretation that may lead to loopholes.^[11] Some criticism has also been directly aimed at the vagueness in defining "accuracy." In the context of the act, "accuracy" can be interpreted as a credit report that is either correct or incomplete.^[14]

The Disposal Rule

The Disposal Rule set requirements under FACTA for how public and nonpublic entities have to destroy consumer reports in order to prevent unauthorized access to nonpublic consumer information.^[12] Under the act, disposal of physical information can be done through the burning, pulverization, and shredding of documents. Digital information can be disposed of by simply erasing electronic files. Information can also be destroyed by hiring contractors. Due diligence must be performed on documents to identify consumer information before they can be submitted to contractors for disposal.^[12] Any disposal of information must be done so in way that the documents cannot be reconstructed and read.^[12]

The Red Flags Rule

The Red Flags Rule was a rule set under FACTA that requires financial institutions and creditors to develop and implement programs to identify and prevent any identity theft threats.^[12][13]

California Consumer Privacy Act

The California Consumer Privacy Act was passed in 2018 to protect any and all California residents' nonpublic information.^[17]

The act set requirements that regulates and attempts to limit the sale of personal information. However, companies can justify their sale of information through contracts with business partners. Those contracts would be taken into consideration when a company is reviewed for compliance to the act.^[17]

If a company is unable to comply with provisions regarding the sale of information without disrupting their business, then they must receive consent through the opt-in option from minors under 16 years old or parental consent if the minor is under 13 years old.^[17] Companies must also give all other consumers the ability to opt-out of any disclosure of information through a webpage link that clearly and specifically says "Do Not Sell My Personal Information."^[17] In the event that a consumer does opt out, the company cannot approach the consumer with the option to opt in again until a year has passed since the consumer opted out.^[17]

Under the act, companies must notify consumers of their new rights regarding data access, disposal, and portability.^[17] The company must also provide a way for consumers to exercise their new rights and a way to verify any consumer requests to exercise their rights.^[17] Privacy policies must also be updated to reflect newly required information disclosures.^[17]

Companies can deny a consumer's request to erase personal information under 9 conditions:

1. The information is needed to complete a transaction^[17]
2. The information is needed to identify and protect from fraudulent activity as well as prosecute those responsible for such attacks^[17]
3. The information is needed to identify and fix problems with functionality^[17]
4. The information is needed to exercise free speech^[17]
5. The information is needed to stay compliant with the California Communications Privacy Act^[17]
6. The information is needed to conduct statistical research of public interest^[17]
7. The information is needed to meet obligations with the consumer in question^[17]
8. The information is needed to meet legal obligations^[17]
9. The information is needed to meet the requirements in which the consumer initially provided the information^[17]

The act also regulates any employer-employee relationships regarding personal information.^[17] Under the act, employers must provide a way for their employees to exercise their rights outlined in the act. Employees also have the ability to opt out of any sale of information. A clear link that specifically says "Do Not Sell My Personal Information" must also be provided to employees under the employers' website to help facilitate any opt-out requests.^[17] Under the act, employees can request the disclosure of certain categories of information.^[17] If employers plan to collect information concerning their employees, then they must notify their employees of what information was collected, why it was collected, and under what conditions would the information be used. If the employers were to gather additional data, then another notification must be sent out to employees with the same aforementioned details.^[17] Employees have the ability to request that the employers erase their information. However, employers also have the right to deny the request if maintaining the information is necessary to meet certain obligations.^[17] Employees must also be notified if their employers are selling their information under the California Civic Code's definition of "business purposes."^[17]

Companies that conduct business with California consumers must comply with the act if the company satisfies one of the three conditions stated under the act:

1. If the company has annual gross revenues of $25 million or more^[17]
2. If the company holds personal information of 50,000 or more California residents, households, and devices^[17]
3. If the company generates greater than or equal to 50% of their revenue by selling California residents' information^[17]

Companies that are not physically located within California and conduct all of their business outside of the state may be exempt from the act.^[17] However, if such companies enter California or begin engaging in transactions with California residents online, then they would be expected to comply with the act.^[17]

California Privacy Act

The California Privacy Act is a state level privacy act that provides protection of consumer information. The act is described as a stricter version of the Gramm-Leach-Bliley Act.^[18] The California Privacy Act provides narrower definitions of some language found in the Gramm-Leach-Bliley Act. For example, financial institutions that are regulated under the act only include institutions that are "significantly engaged in financial activities."^[18] The act also provides an opt-in rule instead of opt-out which allows consumers more control over the situations in which financial institutions can handle information without consent.^[18] Financial information is also required to stay within one financial entity which means other institutions are not allowed access based on affiliation.

Punishment is also outlined in the act to deal with any institution that fails to comply. Violations to the act may result in a maximum penalty of $500,000. However, the fine can double in situations concerning identity theft.^[18]

Despite providing more stringent rules, the act also includes exceptions. Those who entered into contracts before the act was passed may still have their information shared if they do not manually opt out. Institutions that share the same regulator are allowed to exchange consumer information without notifying the customer. Customers also do not need to be notified that their information has been given out if the information is used for any legal proceedings.^[18]

California Consumer Credit Reporting Agencies Act

The California Consumer Credit Reporting Agencies Act (CCCRA) was passed in 1975 as the state's version of the federal Fair Credit Reporting Act.^[16] The act regulates consumer credit reporting agencies as well as any users of credit reports. The act also provides a narrower definition of "consumer credit report" as any information that falls within credit reports is protected by the act.^[16]

The CCCRA allows consumers to request a copy of their credit file with a thorough explanation of any codes used, credit score with related information, records of any third party requests made for the consumer's files, and the identifiable information of any party third party that has received the consumer's file.^[16] Any information requested by the consumer must be made available by a person, by mail, or by phone with a trained person who is able provide a comprehensive explanation of the information.^[16] Credit reports can be disclosed to third parties without notifying the consumer if the information is related to the party requesting the information, if it is to complete a court order, or if the party requesting it has legitimate use for the information.^[16]

Right to Financial Privacy Act

California passed its own Right to Financial Privacy Act two years before the federal government passed an act of the same name in 1976.^[16] The act regulated the state's government agencies' abilities to access nonpublic consumer information. As a result of the act, California's government agencies are not authorized to access financial records unless the consumer gives consent or if a subpoena or a search warrant is issued for the information.^[16]

As long as government agencies show proof of customer consent, a subpoena, or a search warrant, financial institutions are obligated to disclose the requested financial information.^[16] With proof, financial institutions do not have to verify that all laws were followed before handing over information.^[16]

Song-Beverly Credit Card Act

The Song-Beverly Credit Card Act of California was passed in 1971 to protect consumer information in credit card transactions.^[16] Under the act, companies may not collect personally identifiable information from consumers who purchase goods or services using credit cards. Companies cannot set conditions in which consumers must consent to sharing their information in order to use their credit cards for a transaction. However, consumer information can be requested in order to complete a credit card transactions as long as the information is never recorded. The act also set a redundant state level requirement that companies must shorten a consumer's credit and debit card information on receipts.^[16]

There are exceptions to the act as companies are still able to collect information from consumer who pay using debit card of cash.^[16] Under the act, companies can still collect consumer data if a credit card is being used to collect money in situations similar to damages and defaults. In the event of a consumer return or refund, companies are allowed to collect information to protect against fraud.^[16] Gas stations are also allowed to only collect a consumer's zip code information to protect themselves from fraud.^[16]

Regulation B-2018-01: Privacy of Consumer Financial and Health Information

Regulation B-2018-01: Privacy of Consumer Financial and Health Information was passed in Vermont to protect privacy of financial information. Financial privacy is defined by the first four articles in the regulation.^[19]

Article I

The first article in the regulation is used define what the regulation is in general. As stated in the article, the purpose of the regulation is regulate the handling of any private information connected to financial institutions.^[19]

The regulation defines financial institutions through nine conditions:

1. Financial institutions defined by the Vermont statues^[19]
2. Licensed or registered individuals engaging in financial activities defined by the Bank Holding Company Act of 1956^[19]
3. Mortgage brokers, mortgage loan originators, lenders, and sales finance companies^[19]
4. Independent trust companies^[19]
5. Money service providers^[19]
6. Debt adjusters^[19]
7. Loan service providers^[19]
8. Foreign financial institutions^[19]
9. Subsidiaries of any of the above^[19]

Article II

• Financial institutions are required to inform customers of their privacy policy with an understandable notification.^[19]
• Customers must be notified every 12 months of the financial institution's privacy policy.^[19]
• Privacy notifications must include the nine points of information outlined by the regulation:
  1. What information the financial institution collects^[19]
  2. What information the financial institution chooses to share^[19]
  3. Categories which affiliated and nonaffiliated parties the financial institutions disclose information to fall into^[19]
  4. The categories of information regarding former customers that the financial institution has shared, and to which parties the information has been shared with^[19]
  5. Whether a financial institution has shared information with a nonaffiliated third party under an exception^[19]
  6. A outline of the methods in which a customer can exercise their right to opt-in^[19]
  7. If any private financial information has been shared under the Fair Credit Reporting Act, federal implementing regulations, and the Vermont Fair Credit Reporting Act^[19]
  8. The financial institution's policies regarding protecting consumer financial information^[19]
  9. If any information has been shared using exceptions authorized under the regulation^[19]
• If a financial institution chooses to revise its privacy policy, it must still abide by the initial notice it sent to customers until customers are notified of the changes or if the customers gives consent since the changes^[19]
• Notifications must be delivered to customers in writing unless the customer has given consent to receiving the notifications electronically^[19]

Article III

• Consumers have the ability to partially opt-in, which means that they can pick and choose what information they give consent to the financial institution to share^[19]
• If a financial institution receives information from another, unaffiliated party, the institution is allowed to re-disclose the information if it is to parties affiliated to the unaffiliated party they received the information from, if it is to their own affiliated parties, of if they receive permission from the consumer^[19]
• Unless the financial institution is disclosing information to a consumer reporting agency, the institution is not allowed to share account information to parties that would use the information for marketing purposes^[19]

Article IV

• Financial institutions can share their customers' financial information with unaffiliated third parties if the third parties are using the information to carry out services for the institution or if the third parities are acting on behalf of the institution^[19]
• Financial institutions can disclose a customer information if it is in the interest of enforcing a transaction that the customer authorized or is in connection to^[19]