We’re looking into sharing information with unaffiliated third parties and are researching privacy law. Does Illinois privacy law or federal privacy law apply? Do we have to collect customer opt-ins or allow for opt-outs?

Both Illinois and federal privacy laws apply to sharing information with unaffiliated third parties. Your institution needs to comply with both the federal opt-out requirement and the Illinois opt-in requirement.

The Illinois Department of Financial and Professional Regulation (IDFPR) has issued an Interpretive Letter that explains the relationship between the Illinois and federal privacy laws. As stated by the IDFPR: “Illinois banks are required to maintain privacy policies and practices that comply with both Section 48.1 of the [Illinois Banking] Act and the federal privacy regulations.” This is because the federal privacy regulations (Regulation P) explicitly do not preempt any state law with privacy protections that are more protective than federal law. 12 CFR 1016.17(b).

In the case of sharing customer information with unaffiliated third parties, the Illinois law is more protective than the federal law. As explained in the IDFPR’s letter, the Illinois requirement to get a customer’s authorization before sharing their information (205 ILCS 5/48.1(c)(1)) is more protective than the federal requirement, which simply allows customers to opt-out of information sharing (12 CFR 1016.7). Consequently, financial institutions in Illinois must obtain customers’ opt-in authorizations before sharing information, and they also must adhere to a customer’s opting out of such sharing.

Another distinction between Section 48.1 and the federal regulations is the method through which a customer exercises his or her right to opt in or opt out. The federal regulations require a bank to provide a consumer with a reasonable means to exercise an opt out right. The regulations identify specific methods that will be deemed “reasonable” and “unreasonable” that banks and bank counsel should review carefully. In contrast to the federal regulations, Section 48.1 does not require that a bank provide its customer a specific method to authorize disclosure or to opt in. For instance, Section 48.1 does not prohibit banks from incorporating a customer’s consent to disclosure into the terms of an account or loan agreement. However, if a bank chooses to use such a method to obtain a customer’s consent pursuant to Section 48.1, it must also comply with the federal regulations by providing the customer with a reasonable opportunity to exercise the right to opt out. Thus, if a customer opts in when a customer relationship is established, the bank may only begin sharing information if and when the customer chooses not to exercise his or her right to opt out provided by the federal regulations.

(IDFPR Interpretive Letter, page 5)