00:05
Adam Stofsky
Sherry, can you give us an overview of what the requirements of financial data privacy laws are? So we know that certain organizations are subject to these laws, like banks and financial organizations and those providing services to those organizations. But once you're subject to these laws, like what do you have to do?
00:22
Sherry Safchuk
It's not straightforward. And all of these laws have different requirements that may not necessarily interact well with each other and in some cases may conflict with each other. And California is a perfect example, which I will get into. So at the federal level, the Gramm-Leach-Bliley Act requires these financial institutions to provide a notice of the type of sharing that they intend to do. They need to provide an opportunity for those customers to opt out of that type of sharing. Now, there's certain types of sharing where the customer doesn't have the right to opt out, but that's all outlined in that privacy notice that customers will get. And this privacy notice must be provided annually.
01:05
Sherry Safchuk
And once you kind of, if you google the GLBA notice, it'll be really familiar to you because you probably get several of them in the beginning of the year or the end of the year. In addition to this notice requirement, there's also a number of restrictions on how the financial institution and the third parties or service providers that they're working on can use and disclose this information. And it really depends on how these third parties and service providers are going to use the information on behalf of the financial institution. So that's one federal law that applies. The second one is the Fair Credit Reporting Act. The Fair Credit Reporting Act has kind of two flavors of laws. The first relates to credit reports. Those laws set forth requirements related to what a consumer reporting agency can and can't do.
02:00
Sherry Safchuk
And for those people that use consumer report data or that provide these consumer reporting agencies with credit report data, what they can and can't do with that data and how they have to treat that data. So that's one kind of bucket in the FCRA world. The other one is notice requirements for when you're sharing with your family of companies like your affiliates. So any company that's like a sister brother entity or a parent child entity, and those have notice requirements and opt out requirements with respect to what you can and can't share and what you can and can't do with the information. So there's limits on marketing, such as an opt out, for example. At the state level, for your California Financial Information Privacy Act and your Vermont law, those are a bit more restrictive than the federal laws.
02:54
Sherry Safchuk
And those actually require an opt in in certain instances. So if you want to share this information with affiliates or entities in your company, those laws are different from the ones that you want to share with third parties or entities outside of your family. And if you do want to share outside of kind of your family, that's an opt in. And it's very difficult to get opt-ins.
03:23
Adam Stofsky
So this is, I'm assuming a lot of this is for marketing, right? So like our selling of data, selling of customer lists, is that a major concern of this opt in requirement?
03:32
Sherry Safchuk
It's a major concern in California because it does relate to the marketing space. But this marketing can occur at any time during the product or service lifecycle, effectively stops companies from marketing or sending information to third parties for marketing, unless the consumer says, hi, I'd like to receive that marketing.
03:52
Adam Stofsky
Right. So in other words, if you're, if it's within your family of companies and maybe you're upselling your existing customer, you don't have to worry there. You've got the data already, they've consented, it's your company. You can try to pitch them on whatever you want. But if you're, if you have a business selling customer list or selling data or getting even some kind of channel partnership or your other kind of relationship where you're getting some kind of rev share or anything like that, if you're going to share that data, you can't just ask the customer, hey, you should opt out of, you don't want, we're going to do this. Unless you opt out, you have to actually get their explicit permission and say, oh, yes, you can definitely give my name to this other company.
04:28
Sherry Safchuk
That's right. In California and Vermont, right?
04:31
Adam Stofsky
Yeah, that's hard to do.
04:33
Sherry Safchuk
And California becomes a bit of a stumbling block because of how large the economy is.
04:38
Adam Stofsky
In other words, companies set up systems to comply with California just because they have to. Because California is so big. Is that what you mean?
04:45
Sherry Safchuk
California has a huge market and so to have an opt in for marketing as opposed to an opt out, you lose a huge chunk of folks that you are able to market to.
04:57
Adam Stofsky
Okay, we get a little sidetracked there. Anything else to say about the very general requirements of financial data privacy laws?
05:06
Sherry Safchuk
I think we covered the financial information privacy laws. What I would also note is that there may be a category of information that these financial institutions collect that is not financial data or financial information, and that data will be subject to state comprehensive privacy laws. So that will require an online privacy notice, opportunities to opt out, in some cases a notice at collection, service provider requirements, and so forth.
05:40
Adam Stofsky
Wow. Interesting. All right, Sherry, thank you so.