Q3 2018: The Bottom Line

Page 42

Member Spotlight

3 Reasons to Revisit Your Bank’s Privacy Policy

When it comes to the privacy of customer information, banks are accustomed to complying with the federal privacy requirements of the Gramm-Leach-Bliley Act and Regulation P. Since Regulation P’s amendment in 2009 to provide a model privacy notice, little has changed with regard to a bank’s privacy obligations under federal law.

So why should my bank review its privacy policy?

Other nations and various states continue to march forward. Changes in international and state law, as well as the use of customer information by your vendors, make attention to your bank’s information collection procedures and privacy policies a top priority.

1. International law has changed.

In April 2016, the European Union adopted the General Data Protection Regulation to regulate the processing of the personal data of individuals in the EU. The GDPR, which went into effect in May 2018, broadly applies to any company (whether or not located in the EU) that processes the personal information of individuals in the EU in connection with offering goods or services to EU individuals or monitoring the behavior of EU individuals. Notably, banks that do not specifically target their products and services to individuals in the EU (and that do not monitor the behavior of EU individuals) may not be subject to the GDPR. A bank can take certain steps, such as revising its website terms and conditions, to mitigate the risk of being deemed to target EU individuals. However, banks that offer products or services to EU individuals are likely subject to the GDPR and should ensure that their privacy policies and procedures are GDPR-compliant.

2. State laws have changed.

California recently adopted the California Consumer Privacy Act of 2018, which becomes effective on January 1, 2020. The Act applies to a “business,” which is broadly defined to include any business that collects consumers’ personal information, does business in California, and meets one of the following: gross revenues over $25 million, receipt or sharing of the personal information of 50,000 or more consumers, or annual revenues derived 50% or more from selling consumers’ personal information. There is no exception for entities subject to the GLBA, nor is there any coordination of the required disclosures with those required under Regulation P.

The Act includes an expanded definition of “personal information,” requires expanded disclosures about customer information collection and use, and gives the consumer the right to request details regarding the personal information a business has about that individual consumer. The consumer may also request deletion of such personal information. Banks subject to the Act should review and revise their information collection and storage processes in order to meet the expectations of the Act. Further, the bank’s privacy notice will need to be coordinated with the new privacy notice requirements under the Act.

3. Vendors’ use of consumer information may have changed.

Vendors that provide marketing services in connection with bank products are eager to use the bank’s customer information for other purposes. If a bank wishes to allow a vendor to use customer information for non-bank marketing purposes, the bank’s privacy notice must reflect its sharing with non-affiliates and must include a customer opt-out.

Call to action!

Every bank should periodically review its information collection, retention, storage, and sharing policies. Given the changes in international and state law and the increasing desire of vendors to use customer information, this review takes on added importance. Equally important is then updating the bank’s privacy notice to accurately reflect the bank’s collection and sharing practices.

Written by Dixie Hieb and Tiffany Miller. Hieb and Miller are attorneys at Davenport, Evans, Hurwitz & Smith, LLP in Sioux Falls, SD. Contact Dixie at dhieb@dehs.com or Tiffany at tmiller@dehs.com.

www.dehs.com

