In this era of regulatory uncertainty, it is worth considering how privacy laws may affect digital currency businesses. Privacy law consists of a web of federal and state law – this first installment in a two-part series will discuss major threads in that web, the Privacy and Safeguards Rules of the Gramm-Leach-Bliley Act (GLBA), and how they may apply to digital currency companies. In the next installment, we will discuss the Right to Financial Privacy Act.
What is GLBA?
GLBA regulates the methods financial institutions use to maintain the private information of individuals. Its relevant rules come in two flavors – the Privacy Rule tells companies when they can and cannot disclose certain private information. The Safeguards Rule requires companies to set up and enact policies to protect customer information.
Who Enforces the GLBA?
For companies that are neither banks nor insurance companies, the Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB) have enforcement authority.
Who Is Subject to GLBA’s Rules?
Companies that provide financial services to consumers for personal, family or household purposes. Companies that provide financial services only to other businesses are not subject to the Privacy and Safeguards Rules.
The Privacy Rule applies first to “financial institutions” and second to any business that receives “nonpublic personal information” (NPI) from unaffiliated financial institutions. NPI is interpreted broadly and includes any personally identifiable information related to a person’s financial interactions with the company. Interestingly, the CFPB considers the information obtained from “cookies” and even a list of a company’s customers’ NPI to be forms of NPI. The Safeguards Rule applies to financial institutions.
What is a “Financial Institution”?
This question has several answers that complicate who falls under the law.
First, the GLBA defines “financial institution” as any institution in the business of engaging in financial activities, a broad definition that includes businesses that safeguard money or securities, extend credit, service loans, lease property, perform trust functions such as acting as a fiduciary or a custodian, provide financial adviser services, engage in investment transactions, provide insurance – the list goes on and on. This broad definition under the GLBA could potentially encompass some digital currency businesses.
Second, the two relevant enforcement agencies, the FTC and the CFPB, have stated that mortgage brokers, nonbank lenders, payday lenders, check-cashing services, retailers that extend credit by issuing a credit card to consumers, businesses that regularly wire money to and from consumers, and accountants or other tax preparation services qualify as financial institutions. Under the guidance of both agencies, a good rule of thumb is to ask whether the business is significantly involved in providing financial products or services.
While a company may not itself be subject to all of the GLBA requirements, the CFPB has been vocal in its position that financial institutions are fully responsible for supervising their service providers and vendors. So, if a company is working with a financial institution, it is often subject to the requirements of the Privacy and Safeguards Rules by contract.
What Specifically Does GLBA Require?
The two relevant rules are the Privacy Rule and the Safeguards Rule.
The Privacy Rule is all about nondisclosure. It prohibits financial institutions from disclosing NPI, but permits them to disclose if the financial institution first provides notice to the consumer. In some cases, the rule gives the consumer the ability to opt out of the disclosure. As a further protection, if any other business that is not affiliated with the financial institution gets hold of the NPI, then that business is generally prohibited from disclosing the NPI.
In addition to the nondisclosure requirements of the Privacy Rule, financial institutions also have to provide their consumers with one or more forms of privacy notice annually.
The Safeguards Rule requires financial institutions to designate an employee who will coordinate an information security program designed to ensure the security and confidentiality of customers’ personal information. As part of the program, companies must create a written information security plan outlining how customer information will be protected. The plan should be tailored to the business’s risk profile and should require ongoing testing and review of the security program.
Combine all of the above, and it means digital currency companies that offer financial services and obtain personal information from their consumers may have to provide disclosures, opt-outs and notices, and protect certain information in accordance with the rules set forth in GLBA and its implementing regulations. Even companies not subject to GLBA may work with financial institutions that are exposed to NPI, and these digital currency companies can thus be exposed to protected information. Finally, digital currency companies that partner with financial institutions may have to comply with GLBA because their contract requires it.
This two-part series will conclude with a review of another privacy law, the Right to Financial Privacy Act.