GAO Recommends Updating Gramm-Leach-Bliley Act Privacy Notice

December 19, 2020Alerts

The General Accounting Office believes that the Gramm-Leach-Bliley Act (GLBA) model form privacy notice gives a limited view of what information is collected and with whom it is shared and that a reassessment of the form is warranted.

Reasons for the Need to Change

  • The model form was issued over 10 years ago and data sharing has proliferated since then.
  • Since Congress transferred authority to the Consumer Financial Protection Bureau (CFPB) for implementing GLBA privacy provisions, the agency has not reassessed if the form meets consumer expectations for disclosures of information-sharing.
  • While banks and credit unions are required to protect the personal information they collect, the increased use of financial technology applications (fintech apps) may put this personal information at risk.
  • Consumers may be largely unaware of how fintech apps use their personal information and the privacy risks that such usage poses.

Deficiencies in the Model Form

  • While the current model form is more readable than privacy notices previously used by financial institutions, it discloses only a small number of the types of personal information they collect and share and the ways in which the information is collected. For example, Regulation P identifies 24 types of consumer personal information institutions may collect and share, but the form only includes six types: one that is mandatory (Social Security number) and five to be selected by the institution. Furthermore, the regulation identifies 34 examples of how banks and credit unions may collect personal information from consumers, but the form only discloses five of those examples.
  • Banks and financial institutions only use the predefined examples. The GAO's analysis of 60 bank and credit union GLBA model privacy notices, found that 12 used only predefined examples of the types of personal information collected. In other cases, institutions selected predefined examples (account balance and credit history) as well as other categories (such as employment information, transaction history, and investment experience) from the menu in the regulation.
  • The form provides limited information. Experts from consumer privacy groups and one industry group interviewed by the GAO said the GLBA model privacy form does not give the consumer a full explanation of what information banks and credit unions collect and how they share that information.

More Detail Required

Improvements to the model form could help ensure that consumers are better informed about all the ways banks and credit unions collect and share personal information. For instance, in online versions of privacy notices, there may be opportunities for readers to access additional details — such as through hyperlinks — in a manner consistent with statutory requirements.


Odia Kagan is a partner in the firm's Privacy & Data Security Practice and Chair of the GDPR Compliance & International Privacy Practice. For questions about this alert or assistance with other GLBA compliance issues, contact Odia at [email protected] or 215.444.7313.