We agree that including customer names and their birthdays in your in-house newsletter is a disclosure of personal information that is protected by both federal privacy law (the Gramm-Leach-Bliley Act and its implementing regulation, Regulation P) and state privacy law (Section 48.1 of the Illinois Banking Act). We note that both laws provide an exception for revealing a customer’s financial information with the customer’s consent, which you have indicated was given. However, we recommend that you obtain their consent in writing and retain that documentation.
Listing customer names in your in-house newsletter reveals the fact that they are your customers. Under Regulation P, the simple fact that an individual is your customer constitutes “nonpublic personal information.” 12 CFR 1016.3(q)(2)(i)(C). That information also is protected under the Illinois Banking Act’s privacy provisions, as explained by the Illinois Department of Financial and Professional Regulation (IDFPR). See IDFPR Interpretive Letter No. 01-01 (March 9, 2001), page 4 (second numbered list).
A customer’s birthday also is likely protected information under both federal and Illinois privacy laws. Regulation P includes in protected customer information (“nonpublic personal information”) any information that “a consumer provides to you to obtain a financial product or service from you.” 12 CFR 1016.3(q). Similarly, the Illinois Banking Act includes as protected customer information “any other item containing information pertaining to any relationship established in the ordinary course of a bank’s business between a bank and its customer.” 205 ILCS 5/48.1(a)(4). If you require customers to disclose their dates of birth, for example during the account opening process, then their birthdays should be protected as private consumer information.
Both Illinois and federal privacy laws include exceptions for revealing a customer’s financial information with the customer’s consent. Regulation P includes an exception to the prohibition on disclosing “nonpublic personal information” when done so “[w]ith the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction.” 12 CFR 1016.15(a). The Illinois Banking Act’s privacy provisions state that a bank may disclose a customer’s financial records to another person if “the customer has authorized disclosure to the person.” 205 ILCS 5/48.1(c)(1). Therefore, you will need to obtain your customer’s permission to publish their name, birthday and most other customer information included in a newsletter. We do recommend that you obtain their permission in writing, and that you retain the documentation.