Privacy is an important part of the real estate profession. Sensitive information changes hands frequently, particularly for mortgage professionals, who have access to their clients' most personal financial data.
Privacy laws exist to protect this sensitive information. These laws include rules for when financial institutions can share information, and when they need to notify and receive consent from clients.
Except when otherwise noted, these privacy rules are federal, and therefore apply in California and across the U.S.
Customer or consumer?
These rules limit the consumer information shared by financial institutions, which are any institutions in the business of engaging in financial activities. This includes:
- banks;
- thrifts;
- mortgage loan originators (MLOs);
- real estate settlement service providers;
- mortgage servicers;
- payday lenders; and
- private student loan lenders. [12 Code of Federal Regulations §1016.3(l)(1)-(3)]
The term financial institution does not include:
- most auto dealers;
- brokers or dealers registered under the Securities Exchange Act of 1934;
- investment advisors registered by any state or the Securities and Exchange Commission;
- investment companies registered under the Investment Company Act of 1940; and
- insurance companies supervised by a state insurance regulator. [12 CFR §1016.3(s)(2)]
Privacy rules vary based on whether the individual is a consumer or customer of the financial institution.
A consumer is a broad term, covering any individual — or that individual’s legal representative — who obtains or has obtained a financial product or service from a financial institution which is used primarily for personal or household purposes. [12 CFR §1016.3(e)(1)]
For example, a consumer includes someone who has applied for personal or household credit from a financial institution, whether or not their application was approved or the loan was originated. [12 CFR §1016.3(e)(2)(i)]
On the other hand, a customer is a type of consumer, an individual with whom the institution has an established customer relationship, which means they:
- have a deposit or investment account with the institution;
- obtain a loan from the institution;
- have a loan which is serviced by the institution;
- purchase insurance from the institution;
- have entered into an agreement with the institution to arrange a mortgage loan;
- lease personal property from the institution; or
- obtain financial or investment advice from the institution for a fee. [12 CFR §1016.3(j)(2)(i)]
A consumer is no longer a customer if the financial institution originating a loan later sells the loan, no longer retaining the rights to service the loan. [12 CFR §1016.3(j)(2)(ii)(B)]
A consumer is also not considered a customer when they obtain one-time property appraisal services from an institution. [12 CFR §1016.3(j)(2)(ii)(D)]
Opting out
Financial institutions may wish to share nonpublic personal information collected from consumers with nonaffiliated third parties.
Before a financial institution shares this type of information with a nonaffiliated third party, it needs to notify the consumer and give them a reasonable opportunity to opt out of their information being shared. [12 CFR §1016.10(a)(iii)]
The opt-out rules apply whether or not the financial institution has established a customer relationship with the consumer. [12 CFR §1016.10(b)]
What counts as a reasonable opportunity to opt out depends on how the notice is delivered. For example, the consumer has a reasonable opportunity to opt out when they are allowed to respond within:
- 30 days after the institution mails a printed notice giving the consumer an opportunity to opt out; or
- 30 days after the consumer acknowledges receipt of an electronic notice giving the consumer an opportunity to opt out. [12 CFR §1016.10(a)(3)]
If the consumer does not opt out within these time frames, the financial institution may share their nonpublic personal information with nonaffiliated third parties. [12 CFR §1016.10(a)(iii)-(iv)]
Financial institutions also may give consumers the option to opt out of having only part of their information shared, or for the institution to share their information only with certain parties. [12 CFR §1016.10(c)]
Exceptions to the opt-out rules
Financial institutions are exempt from the opt-out requirements when they share nonpublic personal information with a nonaffiliated third party which performs services for the institution or functions on the institution's behalf, as long as the institution:
- delivers its initial privacy notice to the consumer; and
- enters into a contractual agreement with the third party which prohibits the third party from disclosing or using the nonpublic personal information other than to carry out the purposes for which the institution shared it. [12 CFR §1016.13(a)(1)]
For example, the third party may use the shared nonpublic information for joint marketing purposes, when the third party markets the financial institution’s services or services offered jointly between the institution and third party. [12 CFR §1016.13(a)(2)-(b)]
Further, financial institutions are exempt from the notice and opt-out requirements when sharing nonpublic personal information is necessary to effect, administer or enforce a transaction requested or authorized by the consumer, in connection with:
- the servicing or processing of a financial product requested or authorized by the consumer;
- maintaining or servicing the consumer’s account; or
- the securitization or secondary market sale (such as the sale of servicing rights) of the consumer’s transaction. [12 CFR §1016.14(a)]
For instance, a mortgage holder may share nonpublic information about a consumer with a third party who will be servicing the loan — as long as the information is only used to service the loan. [12 CFR §1016.14(a); §1016.11(a)]
Other cases when financial institutions are exempt from giving consumers the opportunity to opt out of information sharing with nonaffiliated third parties include situations when the sharing:
- the consumer consents or directs the financial institution to do so;
- it is required to protect the confidentiality or security of the institution’s records on the consumer, service, product or transaction;
- it is required to prevent fraud or unauthorized transactions;
- it is needed to resolve a consumer dispute or inquiry; or
- it is with a person with a legal or beneficial interest relating to the consumer, or who is acting as their representative. [12 CFR §1016.15(a)(1); (2)]
It is also permissible for a financial institution to share nonpublic information without receiving prior approval from the consumer when doing so is required to comply with federal, state or local laws, including investigations. [12 CFR §1016.15(a)(7)]
Financial institutions are also exempt from the opt-out requirements when sharing information with a consumer reporting agency, or sharing information from a consumer report reported by a consumer reporting agency. [12 CFR §1016.15(a)(5)]
For example, a financial institution does not need to follow the opt-out rules when a consumer who has applied to the institution for a mortgage consents for the institution to share their nonpublic information with a homeowners insurance company. [12 CFR §1016.15(b)]
Privacy policies
Financial institutions are required to send current customers an annual notice describing their privacy policy. [12 CFR §1016.5(a)(1); (b)(1)]
The annual privacy policy notice needs to be delivered in writing, or electronically when the customer has agreed to receive electronic communications. [12 CFR §1016.9]
Separately, financial institutions may not share a consumer's account number or access code with a nonaffiliated third party for use in telemarketing, direct mail marketing or email marketing, except in limited cases, such as sharing with a service provider which markets the institution's own products or services. [12 CFR §1016.12]
Annual privacy policies need to contain the following information:
- the categories of nonpublic personal information collected;
- the categories of nonpublic personal information disclosed;
- the categories of third parties who the nonpublic personal information is disclosed to, except for those third parties which qualify for certain exceptions to the privacy and opt out rules;
- the categories of nonpublic personal information about former customers disclosed and the categories of third parties to whom nonpublic personal information from former customers is disclosed, except for those third parties which qualify for certain exceptions to the privacy and opt out rules;
- when nonpublic personal information is disclosed to a nonaffiliated third party, a separate statement of the categories of information disclosed and the categories of third parties with whom the institution has contracted;
- an explanation of the consumer’s right to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including how the consumer may opt out;
- any notices regarding the ability to opt out of the sharing of nonpublic information among affiliated third parties;
- the financial institution’s policies and practices for protecting the confidentiality and security of nonpublic personal information; and
- any nonaffiliated third parties who are excepted from privacy rules. [12 CFR §1016.6(a)-(b)]
A model privacy form which satisfies these content requirements is provided in the appendix to Regulation P. [Appendix to 12 CFR Part 1016]
Exemptions to privacy policy notice rules
In some cases, financial institutions are exempt from sending out annual notices about their privacy policies.
For example, when a financial institution which grants a loan (other than a credit union) does not have a customer relationship with a consumer, it is not required to send out annual privacy notices. [12 CFR §1016.5(c)]
Further, beginning September 17, 2018, financial institutions are exempt from providing annual privacy policy notices when they:
- only share nonpublic personal information with nonaffiliated third parties under the exceptions which do not require the institution to provide an opt-out notice; and
- have not changed their privacy policies or practices since they last delivered their privacy policy. [12 CFR 1016.5(e)]
California-specific privacy rules
When a state law provides greater protection to consumers than the federal law, the state law applies. [12 CFR §1016.17(b)]
In California, the California Financial Information Privacy Act requires a financial institution to obtain a consumer's explicit prior consent before sharing or selling their nonpublic personal information to nonaffiliated third parties. [Calif. Financial Code §4050 et seq.]
California’s financial privacy laws mostly mirror federal laws, with slight differences.
For example, in California a financial institution is only exempt from the opt out requirements when sharing personal, nonpublic information with a third party who is providing business or professional services (such as marketing services, data analysis or customer surveys) when:
- the services are lawfully able to be performed by the institution;
- the institution and third party agree the third party will only use the nonpublic information to carry out the agreed-to services;
- the nonpublic information is only what is necessary for the third party to perform the agreed-to services; and
- the institution doesn’t receive payment from the third party in connection with sharing the nonpublic information. [Fin C §4056(b)(9)]
Financial institutions and third parties that violate these California privacy laws may be fined up to $2,500 per violation, and in the case of multiple violations may be fined up to $500,000. [Fin C §4057(a); (b)]