Your Financial Privacy Rights (2024)

Get control of your financial information

Controlling your personal information is an important part of personal privacy. Personal financial information is among the most sensitive of all personal information. Personal financial information includes what you put on an application for a loan or credit card, your account balances, your payment history, your overdraft history, and where you make purchases by debit or credit card. In some instances, it can even include medical information.

You have rights

California and federal laws allow consumers to put limits on what banks and other financial companies can do with your personal financial information¹ California law gives you more rights to limit the sharing of your personal financial information. The laws apply to banks, credit unions, savings and loans, credit card companies, insurance companies and other financial service companies.²

When they have to ask you first

Under California law, financial service companies must get your permission first, before they can share your personal financial information with outside companies. This does not apply to sharing with outside companies that offer financial products or services. You have a right to "opt out" of information sharing with outside companies for those purposes. See below for more on how to opt out.

Notices sent to consumers

Both state and federal laws require financial companies to notify their customers of their privacy rights every year. The first federal notices were often written in legal language that was hard to understand, but some companies have improved their notices since then.³ California law requires a notice that is clear and easy to read. The California notice, titled "Important Privacy Choices for Consumers," lets you check off your choices on the sharing of your personal information. You may receive the California financial privacy notice enclosed with the federal notice, or it may come separately.⁴

When you can say no

California law lets you tell your bank and other financial companies that you do not want them to share your personal financial information in some cases. You can say no to, or opt out of, having your information shared with outside companies that offer financial products or services. You also have the right to opt out of some information sharing with some companies owned or controlled by your financial company (called "affiliates").⁵

How to say no, or how to "opt out."

"Opting out" means that if you say "no," then the company must follow your wishes. But if you say nothing, if you do not opt out, then the company is free to share your information. It's easy to opt out on the California "Important Privacy Choices for Consumers" form. Simply check the boxes to indicate your choices and mail the form in the pre-addressed envelope provided. The company may also allow you to opt out by e-mail or by calling a toll-free phone number. It is still a good idea to mail in the form to create a record of your action. You do not have to opt out every year. Your financial institutions must continue to follow your opt-out decision until you change it.

It's not too late

It's never too late to opt-out, even if you did not reply to the privacy notices right away. If you didn't reply within 45 days, then your financial company may have already started sharing your information. But you have a continuing right to opt out and you can prevent future sharing of more current information.

What if you think your privacy rights were violated?

You can make a complaint under the California law to the California Attorney General or to a state or federal agency that regulates financial companies. The agency may investigate your complaint and may take action against the financial company. But the agency can't represent you. You may also file a complaint under the federal law with a federal agency.⁶

Before filing a complaint, consider writing a letter to the financial company. In your letter, explain why you think the company violated the law and what you would like it to do for you. Ask for a specific response within a reasonable time (for example, 30 days).

State Government Agencies

The following state government agencies can enforce the privacy protections in the California Financial Information Privacy Act.

California Department of Insurance

Regulates insurance industry in California. Enforces both federal and state privacy laws.

California Department of Financial Protection and Innovation (DFPI)

Provides protection to consumers and services to businesses engaged in financial transactions. The Department regulates a variety of financial ser¬vices, products and professionals. The Department oversees the operations of state-licensed financial institutions, including banks, credit unions, money transmitters, issuers of payment instruments and travelers checks, and premium finance companies. Additionally, the Department licenses and regulates a variety of financial businesses, including securities brokers and dealers, investment advisers, deferred deposit (commonly known as payday loans) and certain fiduciaries and lenders..

California Office of Attorney General

Enforces privacy law on financial service companies not regulated by the state financial regulators.

Federal Government Agencies

The following federal government agencies can enforce the privacy protections in the federal and state laws listed above.

Federal Trade Commission

Investigates consumer fraud outside the jurisdiction of other federal agencies.

Federal Reserve Board

Regulates banks other than national banks and branches of foreign banks.

Office of the Comptroller of the Currency

Regulates national banks and branches of foreign banks.

Office of Thrift Supervision

Regulates federal savings associations and savings banks and state-chartered savings associations.

Securities and Exchange Commission

Oversees stock exchanges, broker-dealers and associates, and investment advisers.

National Credit Union Administration

Regulates federal credit unions.

Notes

¹The Financial Services Modernization Act, or Gramm-Leach-Bliley Act, 15 U.S. Code §§ 6801-6810. Known as the "GLB Act," the law allows financial institutions, insurance companies and investment companies to merge, becoming what have been called "one-stop financial supermarkets." It also provides some consumer privacy rights and requires security safeguards for personal information. The California Financial Information Privacy Act (FIPA), Financial Code §§ 4050-4060, gives California consumers additional rights to limit the sharing of their personal financial information by financial service companies doing business in California. Back to link 1

²The GLB Act and FIPA consider a broad array of businesses to be "financial institutions," including, for example, retailers that issue their own credit cards directly to consumers, real estate appraisers, mortgage brokers, career counselors in the finance area, check printing businesses, and accountants who prepare tax returns. Back to link 2

³The federal GLB Act privacy notices are required to include the following information: how the customer's personal financial information is collected, how the customer's information is used, and how the customer could "opt-out" or choose not to have personal financial information shared with some outside or "third-party" companies. Back to link 3

⁴FIPA requires the notice, among other things, to be on a single page; be titled "Important Privacy Choices for Consumers;" use the headers, if applicable, "Restrict Information Sharing With Companies We Own Or Control (Affiliates)" and "Restrict Information Sharing With Other Companies We Do Business With To Provide Financial Products And Services"; use text in no smaller than 10-point type; provide choices that may be selected by checking a box; use sentences averaging 15 to 20 words or bullet lists where possible; and avoid multiple negatives, legal terminology and highly technical terminology whenever possible. See Financial Code § 4053(d)(1) for details. Back to link 4

⁵The affiliate sharing provisions of FIPA are being contested in court and may be ruled as preempted by federal law. FIPA provides an opt-out right over sharing with affiliates other than those affiliated companies that are regulated by the same functional regulator, engaged in the same line of business and share a common brand. If the California provision were preempted, then the limited opt-out right in the federal Fair Credit Reporting Act (FCRA) would apply. The FCRA allows a consumer to opt out of having "creditworthiness information" shared with affiliates. This is information such as payment history and credit score. Federal law does not allow consumers to stop a company from sharing the more sensitive "transaction and experience information" with affiliates. Transaction and experience information includes, for example, what items are charged on a credit card. Back to link 5

⁶You can't go to court to sue the company under FIPA or the GLB Act. Under the FCRA, you have the right to sue a credit reporting agency in federal or state court. You could recover damages from violators of the FCRA. Back to link 6