FTC Privacy Rule: Consumer Financial Information

Primary Focus

Information sharing and disclosure

Information security

Different compliance programs required

Core Requirement

Provide privacy notices, opt-out rights, limit sharing

Implement comprehensive information security program

Privacy = disclosure control; Safeguards = protection

Trigger

Collection of nonpublic personal information

Possession of customer information

Privacy kicks in earlier

Consumer Rights

Right to opt out of certain sharing

No direct consumer rights (institutional obligation)

Privacy requires active consumer management

Penalties

Up to $46,000 per violation

Up to $46,000 per violation

Both carry severe financial exposure

Enforcement

FTC + state regulators

FTC + state regulators

Coordinated enforcement common

Complexity

Moderate (disclosure-focused)

High (technical security requirements)

Privacy seems simpler but isn't

Banks

Commercial banks, savings banks, credit unions

100 to 10M+ customers

Third-party vendor management, affiliate sharing notices

Securities Firms

Broker-dealers, investment advisers, mutual funds

50 to 500K+ clients

Complex affiliate structures, joint marketing

Insurance Companies

Life, health, property & casualty insurers

1,000 to 5M+ policyholders

Agent information sharing, claims data handling

Mortgage Brokers

Residential mortgage brokers and lenders

100 to 50K+ applicants annually

Marketing vendor sharing, lead generation practices

Consumer Lenders

Auto lenders, personal loan providers, payday lenders

500 to 100K+ borrowers

High-volume processing, third-party servicing

Credit Counseling Services

Debt management, credit repair

200 to 20K+ clients

Extensive information sharing for debt negotiation

Tax Preparation Services

Commercial tax preparers offering RALs (refund anticipation loans)

1,000 to 1M+ customers

Dual regulatory status (FTC + IRS), cross-selling financial products

Real Estate Settlement Services

Title companies, escrow agents offering financing

500 to 10K+ transactions annually

Information sharing with lenders, insurers, agents

Fintech Payment Processors

Facilitate financial transactions, may hold funds

Often don't realize GLBA applies until FTC inquiry

Buy Now Pay Later (BNPL) Providers

Extend credit for consumer purchases

Treat themselves as technology companies, not lenders

Peer-to-Peer Lending Platforms

Arrange loans between individuals

Complex information flows between platform, lenders, borrowers

Digital Wallet Providers

Store payment information, facilitate transactions

Mix of covered and non-covered activities

Cryptocurrency Exchanges

Increasingly treated as financial institutions

Unclear regulatory status but FTC showing interest

Collection Agencies

Receive consumer financial information from creditors

Often claim exemption as service providers (incorrect)

Personally Identifiable Financial Information

Information collected about an individual in connection with providing a financial product/service

Credit card number, account balance, payment history, credit report data, loan application details

Yes (always)

"Public" credit scores are still NPI in financial context

Information on Application Forms

Data provided by consumer to obtain financial product/service

Income, SSN, employment history, assets, debts, credit references

Yes (always)

"It's public record if we file it" (still NPI)

Information from Transactions

Data about consumer's transactions with the institution

Account activity, payment patterns, wire transfers, check deposits

Yes (always)

"Aggregated data isn't NPI" (still is if identifiable)

Information from Service Providers

Data obtained from third parties providing services to the institution

Credit bureau reports, fraud scores, property appraisals

Yes (always)

"The vendor owns this data" (it's NPI regardless of source)

Information from Consumer Reporting Agencies

Credit reports, credit scores, specialized consumer reports

FICO scores, credit bureau reports, tenant screening reports

Yes (always)

"We can use this however we want" (same NPI rules apply)

Information in Public Records

Government records available to the public

Bankruptcy filings, tax liens, court judgments, property records

No (but becomes NPI when combined with other data)

"Public means we can use it freely" (depends on combination)

Publicly Available Information

Data available from directories, media, government sources

Phone numbers from white pages, business registrations, professional licenses

No (unless derived from transaction/relationship)

Complex edge cases require legal analysis

Mortgage lender uses property records to identify homeowners in specific ZIP codes for marketing

Property ownership records (public)

No

Purely public information, no customer relationship

Same lender uses property records + customer payment history to identify refinancing candidates

Property records (public) + payment data (customer relationship)

Yes

Combination includes customer relationship information

Auto lender pulls credit report for loan application

Credit report data

Yes

Obtained in connection with financial service

Same lender uses credit data to market other products

Same credit report data

Yes

Still NPI regardless of use

Tax preparer uses client's income information to recommend investment services

Income from tax return

Yes

Collected through financial service relationship

Category I: Permitted Without Notice

Sharing necessary to effect/administer/enforce transactions requested by consumer

General privacy notice only

No opt-out right

Processing loan application, servicing account, preventing fraud, complying with legal obligations

Category II: Permitted with Opt-Out

Sharing with nonaffiliated third parties for non-transaction purposes

Initial + annual privacy notice with opt-out

Consumer must have opportunity to opt out

Marketing partnerships, lead generation, data analytics, joint marketing with non-affiliates

Category III: Prohibited (with exceptions)

Sharing account numbers for marketing purposes

N/A (generally prohibited)

N/A (prohibited regardless of opt-out)

Sharing account numbers with telemarketers, email marketers (exceptions for service providers, agents)

Transaction Processing

§ 313.14(a)

Sharing with payment processors, clearinghouses, credit bureaus (when necessary for transaction)

Over-broad interpretation—sharing more than necessary

Service Provider Exception

§ 313.13(a)

Sharing with vendors providing services to the institution (if contractual safeguards in place)

Failing to maintain required contracts, allowing vendor to use data for own purposes

Legal Compliance

§ 313.14(b)

Responding to subpoenas, regulatory exams, fraud investigations

Sharing more information than legally required

Fraud Prevention

§ 313.14(b)

Sharing with fraud detection services, law enforcement

Using "fraud prevention" to justify marketing data sharing

Account Administration

§ 313.15(a)(1)

Sharing with collection agencies, attorneys, accountants servicing account

Sharing with marketing firms disguised as "account administration"

Categories of NPI Collected

Must describe types of information collected (§ 313.6(a)(1))

"We collect information such as: [specific categories]"

Vague language like "information you provide"

Categories of NPI Disclosed

Must describe types of information disclosed to third parties (§ 313.6(a)(2))

"We may share: [specific categories]"

Missing disclosure categories or generic "business purposes"

Categories of Recipients

Must identify categories of third parties to whom information is disclosed (§ 313.6(a)(3))

"We share information with: credit bureaus, marketing partners, service providers"

"Third parties" without categorization

Categories of Information About Former Customers

Must describe policies for sharing information about former customers (§ 313.6(a)(4))

"After you close your account, we continue to share information as described in this notice"

Omitting former customer treatment entirely

Right to Opt Out

If sharing under Category II, must explain opt-out right and process (§ 313.6(a)(5))

"You have the right to limit marketing sharing. To opt out: [specific method]"

Unclear opt-out instructions or buried opt-out rights

Confidentiality and Security

Must describe policies to protect confidentiality and security (§ 313.6(a)(8))

"We maintain physical, electronic, and procedural safeguards"

Boilerplate language without specifics

Readability

Reasonably understandable to ordinary consumer

8th-10th grade reading level, defined terms, logical organization

Legal jargon, complex sentences, undefined technical terms

Format

Designed to call attention to nature and significance

Adequate spacing, readable font (minimum 10pt), contrasting colors

8pt font, dense paragraphs, poor contrast

Prominence

Prominent location where consumer likely to see it

First page of account opening documents, separate document, link in prominent location

Buried in fine print, page 47 of 52-page agreement

Timing

Provided when consumer can review before making decisions

Before account opening, reasonable time to review

Provided simultaneously with transaction closing, no time to read

Postal Mail

Must be sent to last known address (§ 313.9(c))

High reliability, clear receipt

$0.75-$1.50

High (90%+ receipt rate)

Email

Requires prior customer consent to electronic delivery (§ 313.9(e))

Cost-effective, rapid distribution

$0.02-$0.05

Medium (60-70% open rate)

Website Posting

Adequate if customer accesses account online AND institution posts notice in clear and conspicuous manner (§ 313.9(c)(2))

Low cost, must ensure customers see it

$0.01-$0.03

Low (15-25% viewed)

Account Statement

Can be included with periodic statements

Convenient, cost-effective

$0.10-$0.30

Medium (40-60% read statements)

Toll-Free Phone Number

Acceptable (§ 313.7(a)(1)(i))

High (easy for consumers)

Medium ($15-30K setup + $2-5 per call)

12-18%

Return Form (Mail)

Acceptable (§ 313.7(a)(1)(ii))

Medium (requires mailing)

Low ($5-10K setup + $0.50 per response)

8-12%

Email Address

Acceptable (§ 313.7(a)(1)(iii))

High (convenient)

Low ($2-5K setup + $0.10 per response)

15-22%

Website Form

Acceptable (§ 313.7(a)(1)(iv))

High (instant)

Medium ($10-20K setup + $0.15 per submission)

18-25%

Opt-Out Box on Application

Acceptable (can include with initial notice)

Highest (point of application)

Low (integrated into existing forms)

35-48%

Requiring In-Person Visit

Unreasonably burdensome (§ 313.7(e))

Bank requiring customers to visit branch to opt out

Requiring Notarized Signature

Unreasonably burdensome

Lender requiring notarized opt-out form

Requiring Account Closure

Not an opt-out (eliminates customer relationship)

"You can opt out by closing your account"

Single, Limited-Time Opportunity

Must allow opt-out at any time

"Opt-out only available in first 30 days"

Charging Fees

Unreasonably burdensome

$25 fee to process opt-out request

Reasonable Opportunity

At least 30 days to opt out before information sharing begins (§ 313.7(a)(3))

Sharing immediately after providing notice

Delay sharing until opt-out period expires

Continuing Right

Consumer can opt out at any time

Only allowing opt-out during account opening

Maintain permanent opt-out mechanism

Effectiveness Period

Opt-out remains effective until revoked by consumer

Annual re-consent requirements

Make opt-out permanent unless consumer opts back in

Renewal

If relationship continues, no need to renew opt-out

Requiring annual opt-out renewal

Honor original opt-out indefinitely

Parent-Subsidiary

Yes (common control)

Can share without opt-out, but must provide opt-out for marketing use

Bank holding company and subsidiary bank

Sister Companies

Yes (common parent)

Can share without opt-out, but must provide opt-out for marketing use

Two banks owned by same holding company

Common Ownership <25%

No

Treated as nonaffiliated third parties

Two companies with same investor but separate management

Strategic Partnership

No

Treated as nonaffiliated third parties

Joint marketing partners without ownership relationship

Franchise Relationship

No (typically)

Treated as nonaffiliated third parties

Franchisee and franchisor (absent common control)

Transaction/Experience Information

Customer's direct relationship

Permitted without notice

Permitted without opt-out

No opt-out right

Credit Report Information

Consumer reporting agency

Permitted with notice

Requires opt-out if used for marketing

Must offer opt-out for marketing use

Application Information

Customer application

Permitted with notice

Requires opt-out if used for marketing

Must offer opt-out for marketing use

Information from Public Records

Government sources

Permitted without notice

Permitted without opt-out

No opt-out right

Bank shares transaction history with investment firm to assess investment suitability

Affiliate sharing permitted (transaction/experience information)

No opt-out required (not marketing)

None (but must include in privacy notice)

Bank shares credit score with insurance agency to market life insurance

Affiliate sharing permitted with notice

Requires opt-out (credit info used for marketing)

Must provide FCRA 624 opt-out

Bank shares income information with investment firm to market wealth management

Affiliate sharing permitted with notice

Requires opt-out (application info used for marketing)

Must provide FCRA 624 opt-out

Bank shares customer contact information (name, address) obtained through banking relationship

Affiliate sharing permitted

No opt-out required (if no other NPI involved)

None (unless combined with other data)

Prohibition on Disclosure

Contract must prohibit service provider from disclosing or using information except to perform services for the institution

Review contract language, vendor data flow diagrams

Generic confidentiality clauses insufficient; must specifically prohibit use for vendor's own purposes

Prohibition on Unauthorized Use

Service provider cannot use information for own marketing, analytics, or other purposes

Vendor questionnaires, audits, certification

Vendor builds models using client data and sells to others

Confidentiality Requirement

Must require service provider to maintain confidentiality

Security addendums, confidentiality agreements

Boilerplate NDA doesn't address Privacy Rule specifics

Appropriate Safeguards

Must require service provider to implement appropriate safeguards

Vendor security assessments, SOC 2 reviews

No validation of vendor security controls

"Vendor will maintain confidentiality"

No prohibition on use for vendor's purposes

High—vendor may use data for own analytics

"Vendor will comply with applicable laws"

Generic—doesn't specifically address Privacy Rule

Medium—vendor may claim different interpretation

"Vendor will use commercially reasonable efforts"

Not a prohibition—creates wiggle room

High—"efforts" doesn't mean prohibition

"Vendor will use data to perform services"

Too broad—doesn't prohibit additional uses

High—vendor may claim building models is "performing services"

Data Use Practices

What does vendor do with customer data? Who else sees it?

Vendor questionnaire, data flow review, contract analysis

Vendor builds models, shares with other clients, aggregates across clients

Subcontractor Disclosure

Does vendor use subcontractors? Are they contractually bound?

Subcontractor list review, flow-down provision validation

Unnamed subcontractors, no flow-down provisions

Geographic Data Storage

Where is data stored? Transmitted? Processed?

Data center location disclosure, network diagrams

Foreign data storage without notification

Data Retention

How long does vendor retain data? Destruction processes?

Retention policy review, destruction certification

Indefinite retention, no destruction process

Security Controls

What safeguards protect data?

SOC 2 Type II review, security questionnaire

No third-party security assessment

Breach Response

How does vendor handle data breaches? Notification timeline?

Incident response plan review, breach notification provisions

No defined notification process

Tier 1 (Critical)

Extensive NPI access, high volume, sensitive data

Annual comprehensive assessment

Full Privacy Rule provisions, right to audit, SOC 2 Type II required

Core banking processors, credit bureaus, loan servicers

Tier 2 (Significant)

Moderate NPI access, specific use cases

Biennial assessment

Privacy Rule provisions, security questionnaire, annual certification

Marketing platforms, analytics vendors, CRM systems

Tier 3 (Limited)

Minimal NPI access, low volume

Initial assessment + trigger-based review

Standard confidentiality provisions, data use restrictions

Document management, specific service tools

Tier 4 (No NPI)

No customer NPI access

Initial verification only

Standard business terms

Office supplies, facilities management, general IT infrastructure

Formal Agreement

Written agreement between financial institutions (§ 313.13(b))

Review joint marketing agreement

Informal partnership without contract

Marketing Financial Products

Agreement must be to market financial products/services

Review products being marketed

Marketing non-financial products (travel, shopping)

All Parties Are Financial Institutions

Each party must be a financial institution as defined by GLBA

Verify regulatory status

Partnering with non-financial entities

Service to Consumer

Arrangement must be to jointly offer, endorse, or sponsor financial product/service

Review marketing materials

Lead generation disguised as joint marketing

Contractual Confidentiality

Contract must require each party to maintain confidentiality and safeguard information

Review contract provisions

Generic partnership agreement without confidentiality

True Joint Marketing

Two financial institutions market co-branded financial product

Joint marketing exception applies

No (if properly structured)

Lead Generation

Financial institution pays for customer leads from third party

Not joint marketing—information sharing with third party

Yes

Affinity Partnership

Financial institution markets through non-financial organization

Not joint marketing (partner isn't financial institution)

Yes

Cross-Selling Between Affiliates

Affiliate uses customer information to market affiliate's products

Affiliate sharing rules apply

Depends on information type (FCRA 624 may apply)

Referral Arrangement

One financial institution refers customers to another

Information sharing with third party

Yes (unless specific exception applies)

Civil Penalty (Per Violation)

$46,784 per violation (2024, adjusted annually for inflation)

Each affected consumer can be a separate violation

$500,000 to $15 million (depends on violation count and harm)

Knowing Violation

Criminal penalties (up to $10,000 fine and/or 5 years imprisonment)

Per knowing and willful violation

Rare—FTC refers to DOJ

Obtaining Information Under False Pretenses

Criminal penalties (up to $10,000 fine and/or 5 years imprisonment)

Per incident

Very rare—typically prosecuted separately

Inadequate privacy notice to 50,000 customers

50,000 violations (one per customer)

$2.34 billion

Improper information sharing for 25,000 customers

25,000 violations

$1.17 billion

Missing opt-out opportunity for 100,000 consumers

100,000 violations

$4.68 billion

Dwolla (Payment Processor)

2016

False privacy and security claims, inadequate safeguards

Consent order + compliance program

Don't make claims you can't substantiate

PayPal

2018

Failed to honor opt-out requests (Venmo), inadequate privacy notices

$2.9 million

Opt-out mechanisms must actually work

TaxSlayer (Tax Prep)

2017

Sharing customer information with third parties without disclosure or consent

$100,000 + compliance program

Service provider exception requires proper contracts

Liberty Tax

2017

Deceptive privacy practices, sharing customer tax information

$60,000 + compliance program

Tax preparers are financial institutions if offering financial products

Check Into Cash (Payday Lender)

2013

Disclosure of customer information without proper notices, no opt-out rights

$5 million (related to other violations)

Payday lenders fully subject to Privacy Rule

State Attorneys General

GLBA enforcement authority, state consumer protection laws

State-specific penalties (vary widely)

New York AG: $3.5M settlement with insurance company for privacy violations

State Banking Regulators

Examination authority for state-chartered banks

Enforcement actions, consent orders, operating restrictions

California DBO: Regular privacy compliance exams, enforcement actions

State Insurance Commissioners

GLBA enforcement for insurance companies

License restrictions, fines, consent orders

Multiple state actions against insurers for information sharing violations

Governance

Privacy policy, compliance oversight, board reporting

Chief Compliance Officer, Privacy Officer

Annual policy review, quarterly oversight

Privacy policy, board minutes, compliance reports

Information Inventory

NPI catalog, data flow mapping, system inventory

IT + Compliance

Annual comprehensive, quarterly updates

Data inventory, flow diagrams, system catalog

Vendor Management

Third-party risk assessment, contract review, monitoring

Vendor Management + Legal

Annual for Tier 1, biennial for Tier 2

Vendor assessments, contract files, monitoring reports

Notice Management

Privacy notice creation, distribution, posting, updates

Compliance + Marketing + Legal

Annual notices, updates when practices change

Notice archives, distribution logs, customer communications

Opt-Out Processing

Opt-out mechanism, request processing, preference management

Customer Service + Operations

Continuous processing, quarterly validation

Opt-out requests log, preference database, audit reports

Training

Employee awareness, role-specific training, vendor training

HR + Compliance

Annual general, onboarding for new employees

Training materials, completion records, assessments

Monitoring

Privacy compliance testing, vendor audits, consumer complaint tracking

Internal Audit + Compliance

Annual testing, quarterly metrics review

Test results, audit reports, complaint logs

Incident Response

Privacy breach procedures, notification protocols, remediation

Legal + Compliance + IT

As needed, annual plan review

Incident response plan, breach logs, notifications

Phase 1: Inventory

Identify all systems containing NPI, list all data elements

NPI data inventory

Shadow IT systems, undocumented integrations

Phase 2: Internal Flows

Map how NPI moves between internal systems and departments

Internal data flow diagram

Department-to-department sharing, temporary extracts

Phase 3: External Flows

Identify all third parties receiving NPI, purpose of sharing

External data sharing matrix

Marketing vendors, analytics platforms, forgotten integrations

Phase 4: Purpose Categorization

Classify each sharing instance (Category I exception, Category II requiring opt-out, prohibited)

Sharing categorization matrix

Misclassified vendor relationships

Phase 5: Gap Analysis

Compare actual practices to privacy notices and required opt-outs

Compliance gap report

Undisclosed sharing, missing opt-out rights

Core Lending System

SSN, income, credit score, loan terms

Transaction processing

Category I (necessary)

Yes

No (not required)

N/A (internal)

None

TransUnion (Credit Bureau)

SSN, application data

Credit report pull

Category I (necessary)

Yes

No (not required)

Yes

None

ABC Collections Agency

SSN, payment history, contact info

Collection on defaulted loans

Category I (account admin)

Yes

No (not required)

Yes

None

XYZ Marketing Analytics

Credit score, income, geographic data

Predictive modeling for marketing

Category II (requires opt-out)

No

No

No

Major Gap

Email Marketing Platform

Email, name, loan product

Product marketing

Category II (requires opt-out)

Partial

No

Partial

Gap

Fraud Detection Service

Application data, device fingerprint

Fraud prevention

Category I (fraud prevention)

Yes

No (not required)

Yes

None

Annual Notice Distribution

Annually (unless qualify for exception)

Compliance + Operations

Distribution records, delivery confirmations

Material Change Assessment

Quarterly or when business practices change

Compliance + Business Units

Change assessment documentation

Notice Update (When Triggered)

Within 30 days of material change

Legal + Compliance

Updated notice, change log, distribution plan

Website Posting Verification

Monthly

Compliance + IT

Screenshot archive, accessibility testing

Readability Assessment

Every 2-3 years

Compliance + Marketing

Reading level analysis, consumer testing

Affiliate Sharing Disclosures

When affiliations change

Legal + Compliance

Corporate structure updates, notice revisions

Former Customer Notice Review

Annual

Compliance

Former customer treatment policy, notice language

New Sharing Category

Yes

Begin sharing with new category of third parties

Before sharing begins

New Information Collection

Yes (if significant)

Start collecting biometric data

Before collection begins

Change in Opt-Out Rights

Yes

Eliminate previously available opt-out

Before change takes effect

Affiliate Addition

Yes (if affects sharing)

Acquire new subsidiary that will receive customer data

Before sharing with new affiliate

Service Provider Change

No (usually)

Switch to new loan servicing platform

Not required (if still service provider exception)

Expanded Service Provider Use

Assess case-by-case

Service provider begins using data for model development

If exceeds service provider exception, Yes

Secondary Market Sales

Selling loans to investors involves NPI transfer

Category I exception (transaction processing) usually applies, but must have proper servicing agreements

Lead Generation Practices

Purchasing leads or sharing with lead aggregators

Often requires opt-out unless structured as service provider relationship

Affiliated Title/Insurance

Common ownership with settlement service providers

Affiliate sharing rules + RESPA anti-kickback compliance

Marketing to Past Applicants

Using denied application data for marketing

Permitted if proper notices provided, but FCRA adverse action rules also apply

Third-Party Origination (TPO)

Broker receives application, forwards to multiple lenders

Each lender must provide privacy notice; broker may be service provider or separate financial institution

Transaction Data Monetization

Selling aggregated/anonymized transaction data

If data is truly anonymized (not re-identifiable), may not be NPI; high risk area

Platform Business Model

Facilitating transactions between users

Both sides of transaction may be customers requiring notices

Rapid Product Iteration

Frequently adding features/services

Trigger frequent notice updates; consider broad initial disclosures

Marketing Analytics

Using transaction data for targeted advertising

Category II sharing requiring opt-out unless within service provider exception

Open Banking / Data Aggregation

Connecting to users' bank accounts

Complex multi-party data flows; assess if company is financial institution

Dual Regulatory Status

IRS regulations + GLBA Privacy Rule if offering financial products

Coordinate compliance across both frameworks

Refund Anticipation Loans (RALs)

Offering RALs/refund advances makes company a financial institution

Full Privacy Rule compliance required

Tax Return Information

Detailed financial data collected

Extensive NPI requiring careful handling; IRS 7216 also applies

Cross-Selling Financial Products

Marketing banking, credit cards, investments

Affiliate marketing rules if owned by financial holding company

Software-Based Preparation

Consumer uses software independently

Still must provide privacy notices if financial products offered

Agent Relationships

Independent agents receive customer information

Agents may be separate financial institutions or service providers; structure determines treatment

Claims Data Sharing

Sharing with healthcare providers, repair shops, investigators

Category I exception typically applies; verify necessity

Underwriting Data

Extensive information collected for risk assessment

Proper notice required; sharing with reinsurers usually Category I

Marketing Through Agents

Agents market products from multiple insurers

Joint marketing exception may apply if properly structured

Medical Information

Health insurance includes protected health information (PHI)

HIPAA may also apply; coordinate privacy frameworks

Model Training

Can we use customer NPI to train ML models?

If models used internally for permitted purposes (fraud detection, underwriting), Category I exception likely applies; if models sold/licensed to third parties, likely requires opt-out

Medium—limited guidance

Algorithmic Decisioning

Must we disclose AI-based decisions in privacy notices?

Privacy Rule doesn't explicitly require; FCRA may require adverse action notices if credit decision

Low under Privacy Rule, higher under other laws

Synthetic Data Generation

Is AI-generated synthetic data still NPI?

If synthetic data cannot be re-identified to individuals, likely not NPI; high technical bar to prove

Medium—fact-specific

Third-Party AI Services

Sharing NPI with AI vendors for processing?

Service provider exception applies if contract prohibits vendor from using data for own purposes (including model improvement)

High—many AI vendors want to use client data for model enhancement

Consumer Uses Aggregator to View All Accounts

Is the aggregator a financial institution? Likely yes, if significantly engaged in financial activities

Aggregator must provide privacy notices to consumers

Bank Shares Data with Aggregator

Is this Category I (consumer-directed transaction) or Category II (third-party sharing)?

Unclear—bank may argue consumer directed; FTC hasn't definitively ruled

Aggregator Shares with Downstream Services

Clear third-party sharing requiring notices and opt-out

Aggregator must comply as financial institution

Consent vs. Opt-Out

Can consumer consent substitute for opt-out?

Consent may satisfy Privacy Rule if truly voluntary and informed; CFPB Section 1033 may alter this

Fingerprint

If collected in connection with financial service, likely NPI

State biometric privacy laws (Illinois BIPA, Texas, Washington) may impose additional requirements

Facial Recognition

If collected/stored for authentication, likely NPI

High consumer sensitivity; consider explicit notice even if not legally required

Voice Print

If collected for phone banking authentication, likely NPI

Regulatory agencies showing increased scrutiny

Behavioral Biometrics

Keystroke dynamics, mouse movements—arguably NPI if used for authentication

Emerging area with limited guidance

Crypto Custody Services

If bank custodies crypto for customers, transaction data likely NPI

Low—traditional custody analogies apply

Crypto Trading Platforms

Platform facilitating crypto trades likely financial institution subject to Privacy Rule

Medium—some platforms argue they're not financial institutions

Blockchain Analytics

Sharing transaction data with blockchain analysis firms

High—is this fraud prevention (Category I) or marketing analytics (Category II)?

DeFi Protocol Integration

Bank interacts with decentralized finance protocols

High—novel territory with no clear guidance

Opt-Out Request Capture

Provides multiple channels (web, phone, mail) for opt-out submissions

OneTrust, TrustArc, Osano

$15K-$75K annually

Preference Management

Tracks consumer choices across opt-out categories

OneTrust, TrustArc, Transcend

Included in platform pricing

Privacy Notice Management

Versions privacy notices, tracks changes, manages distribution

OneTrust, TrustArc, DataGrail

Included in platform pricing

Consent Documentation

Records when/how consent obtained (for jurisdictions requiring consent)

OneTrust, TrustArc, Cookiebot

Included in platform pricing

Integration with Marketing Platforms

Propagates opt-out preferences to email, ad platforms

Varies by platform

Configuration cost $10K-$50K

Data Discovery

Scans systems to find where NPI resides

Creates foundation for compliance program—can't protect what you don't know exists

BigID, OneTrust, Spirion

Data Flow Mapping

Visualizes how NPI moves through systems

Satisfies "know your data" compliance requirement, identifies sharing requiring opt-out

OneTrust, BigID, Collibra

API Discovery

Identifies system integrations and data sharing

Finds undocumented third-party sharing

Noname Security, Salt Security

Prevalent

Vendor questionnaires, contract management, privacy assessment workflows

Organizations with 100+ vendors

Per-vendor pricing

OneTrust Vendorpedia

Integrated with OneTrust privacy platform, vendor risk scoring

Organizations already using OneTrust

Module pricing

ProcessUnity

Comprehensive third-party risk management including privacy

Large enterprises with complex vendor ecosystems

License + implementation

SecurityScorecard Third-Party Risk

Continuous vendor monitoring, privacy compliance tracking

Organizations prioritizing continuous monitoring

Per-vendor pricing

Regulatory Alignment

35%

Does the platform specifically address Privacy Rule requirements (not just GDPR/CCPA)? Does it handle financial services compliance?

Integration Capability

25%

Can it integrate with existing systems (CRM, core banking, marketing platforms) to propagate preferences?

Scalability

15%

Will it handle your customer volume? Growth projections for next 3-5 years?

User Experience

15%

Is it easy for consumers to exercise opt-out rights? Is it easy for employees to manage?

Reporting

10%

Can it generate reports needed for audits, board reporting, regulatory exams?

All Employees

Privacy Rule basics, NPI handling, incident reporting

Annual

Quiz (80% passing)

Training records, quiz scores

Customer-Facing Staff

Privacy notices, opt-out procedures, customer questions

Annual + onboarding

Role-play scenarios

Training records, scenario completion

Marketing

Permissible uses of customer data, opt-out obligations, vendor contracts

Annual + campaign-based

Campaign review checklist

Training records, campaign approvals

IT/Data Teams

Data handling requirements, system integrations, vendor data sharing

Annual + project-based

Technical assessment

Training records, project reviews

Vendor Management

Service provider exception requirements, contract provisions, vendor assessment

Annual + onboarding

Contract review exercise

Training records, assessment completion

Senior Management

Regulatory landscape, enforcement trends, business implications

Annual

Board presentation

Training records, board minutes

Privacy/Compliance Team

Deep regulatory knowledge, enforcement actions, emerging issues

Quarterly updates

Professional certification

Professional development records

Privacy Notice Delivery

Verify new customers received initial notice; verify annual notice distribution

25-50 new customers, full distribution records

Annual

>95% delivery rate

Opt-Out Processing

Submit test opt-out requests through each channel; verify processing

5-10 test requests per channel

Annual

100% processed correctly within 5 business days

Vendor Contracts

Review vendor contracts for required Privacy Rule provisions

10-15 vendors (all Tier 1, sample of Tier 2)

Annual

100% Tier 1 compliant, >90% Tier 2 compliant

Information Sharing

Review actual data sharing against privacy notices and opt-outs

All third-party recipients

Annual

100% sharing is disclosed and compliant

Website Notice Posting

Verify current notice posted, accessible, conspicuous

Full website review

Quarterly

100% posting compliance

Employee Knowledge

Test sample of employees on privacy practices

25-50 employees (stratified by role)

Annual

>80% demonstrate competency

3 vendor contracts missing prohibition on use for vendor's own purposes

High

Renegotiate contracts, add required provisions

60 days

$12,000 (legal)

Annual notice distribution rate 87% (below 95% target)

Medium

Investigate delivery failures, implement confirmation tracking

30 days

$3,000 (process improvement)

Privacy notice on website required 3 clicks to access

Low

Redesign site to make notice accessible in header/footer

14 days

$1,500 (web development)

2 test opt-out requests not processed within 5 days

Medium

Retrain customer service, implement automated routing

21 days

$4,500 (training + workflow)

Marketing using customer data not disclosed in privacy notice

Critical

Immediately cease use; update notice; notify affected customers

7 days

$45,000 (legal + communications + notice update)

GLBA Privacy Rule

Financial institutions handling NPI

Privacy notices, opt-out rights, information sharing limits

N/A (this is our focus)

GLBA Safeguards Rule

Financial institutions handling customer information

Comprehensive information security program

Complementary—Privacy = disclosure control, Safeguards = security

FCRA Section 624

Affiliate marketing using credit/application info

Opt-out for affiliate marketing

Overlaps for affiliate sharing—both may apply

CCPA/CPRA (California)

Businesses with California customers meeting thresholds

Notice, access, deletion, opt-out of sale

Overlaps—financial institutions often need to comply with both

GDPR (EU)

Organizations with EU customers

Lawful basis, extensive consumer rights, data protection impact assessments

Overlaps for US institutions with EU customers; more stringent than Privacy Rule

State Privacy Laws

Varies by state (Virginia, Colorado, Connecticut, others)

Notice, access, deletion, opt-out (varies by state)

Growing patchwork creating compliance complexity

HIPAA (Health Insurance)

Health plans, healthcare clearinghouses, healthcare providers

Privacy rule, security rule, breach notification

Overlaps for health insurance companies—both HIPAA and GLBA apply

Highest Common Denominator

Comply with most stringent applicable regulation across all operations

When operating in multiple jurisdictions with similar customer populations

High initial effort, simpler ongoing operations

Jurisdiction-Specific

Tailor compliance to each jurisdiction's requirements

When customer populations are clearly segmented geographically

Lower initial effort, complex ongoing management

Hybrid

Baseline high standard with jurisdiction-specific enhancements

Most common for organizations with diverse operations

Moderate complexity