GAO: Model privacy form should disclose more about third-party info sharing by banks, credit unions

The consumer financial protection agency should update the model privacy form that many banks and credit unions use to disclose their information-sharing practices to their customers and members, according to a report Monday by the congressional watchdog office to the chairman of the Senate Banking Committee.

The Government Accountability Office (GAO), in a report requested by Senate Banking Chairman Mike Crapo (R-Idaho), said the current model form provided under the Gramm-Leach-Bliley Act (GLBA) for required disclosures gives consumers only a limited understanding of institutions’ information sharing. The GAO specifically recommended that the CFPB update the model privacy form and consider including more information about third-party sharing.

“The growing collection and use of consumers’ personal information by commercial entities have raised concerns about protecting consumer privacy, which have been intensified by large-scale data breaches and the growing use of the internet, social media, and mobile applications,” the GAO said in a letter to Crapo. “For example, an incident in 2019 compromised the personal information of approximately 100 million individuals who were Capital One credit card customers or were applying for a Capital One credit card.”

It added that social media and online applications “also make it easier to gather personal information, track online behavior, and monitor individuals’ locations and activities.”

The GAO noted that the GLBA-related model privacy form, providing a safe harbor under the law, was created more than 10 years ago. The office found that the form gives a limited view of what information is collected and with whom it is shared. It said consumer and privacy groups interviewed by the GAO cited similar limitations.

It said the proliferation of data-sharing since the form’s creation in 2009 “suggests a reassessment of the form is warranted.”

“Improvements and updates to the model privacy form could help ensure that consumers are better informed about all the ways that banks and credit unions collect, use, and share personal information,” it said. “For instance, in online versions of privacy notices, there may be opportunities for readers to access additional details – such as through hyperlinks – in a manner consistent with statutory requirements.”

The CFPB, since receiving authority for implementing GLBA privacy provisions, has not reassessed whether the form meets consumer expectations for disclosures of information-sharing, the GAO said. The office said the CFPB reported not having considered a reevaluation because it had not heard concerns from industry or consumer groups about the notices.

The CFPB did not agree or disagree with the GAO’s recommendation to update the model form, the GAO reported, but the bureau said it would consider doing so, adding that it would require a joint rulemaking with other agencies.

The GAO said that for its report, it reviewed privacy notices from a nongeneralizable sample of 60 banks and credit unions that use the model form, with a mix of institutions with asset sizes above and below $10 billion. It also reviewed federal privacy laws and regulations, regulators’ examinations in 2014–2018 (the last five years available), procedures for assessing compliance with federal privacy requirements, and data on violations. It also interviewed officials from banks, industry and consumer groups, academia, and federal regulators.

CONSUMER PRIVACY: Better Disclosures Needed on Information Sharing by Banks and Credit Unions (GAO-21-36)