We are considering using cookies on our website. Are we required to have a separate website privacy policy to disclose the use of cookies to visitors of our website, in addition to our general privacy policy under the Gramm–Leach–Bliley Act (GLBA)?

We are not aware of a requirement that a bank post either the GLBA privacy notice or a website privacy policy on its website. However, we do recommend adopting and posting a website privacy policy that describes your bank’s privacy practices with respect to the collection and use of consumer information, including through the use of cookies.

Referring to the GLBA privacy notice, the FFIEC’s IT Examination Manual states that “financial institutions are encouraged, but not required, to disclose their privacy policies on their websites.” When a financial institution does display its privacy policy on a website, the FFIEC provides that the policy must be disclosed conspicuously. Consequently, if your bank does choose to display its GLBA privacy notice on your website, it should be disclosed conspicuously.

Additionally, Regulation P requires that your GLBA privacy notice include “categories of nonpublic personal information that you collect,” among other information. The definition of “nonpublic personal information” includes information collected through a cookie. The GLBA privacy notice also “may include information about the institution’s use of cookies or other measures it uses to safeguard personal information.” We recommend updating your GLBA privacy notice as necessary to notify customers that you will be collecting their information through cookies and to reflect your use of cookies to safeguard customer information (for example, to authenticate a user’s device).

As to having a separate website privacy policy, there is little guidance from the federal banking regulators. The FDIC has issued two Financial Institution Letters (FILs) regarding website privacy policies, one before the enactment of the GLBA and one immediately after enactment; consequently, both are now marked “inactive,” but we believe these FILs remain valid guidance (even though their suggestions extend beyond the GLBA’s requirements). They recommend adopting a thorough website privacy policy describing your bank’s information practices, accompanied by staff training and monitoring to ensure that your practices match those described in the policy. Also, when formulating a website privacy policy, the FDIC recommends observing other banks’ website privacy policies.

We also recommend analyzing whether the California Consumer Privacy Act (CCPA) privacy requirements might apply to your bank. That law applies to businesses that collect consumers’ personal information, do business in California, and meet at least one of the following thresholds: (1) they have adjusted gross annual revenues exceeding $25 million, (2) they buy, sell, receive, or share the personal information of at least 50,000 consumers, households, or devices for commercial purposes, or (3) they derive 50% or more of their annual revenues from selling consumers’ personal information. Notably, the CCPA defines “consumers” as natural persons who are California residents, but it does not define what “doing business in California” means. Consequently, even if your bank has no branches in California, it is conceivable that it could be subject to the CCPA, which affords individuals a private right of action.

Additionally, if your bank has any customers residing in the European Union (EU), your bank and its website likely would be covered by the EU’s General Data Protection Regulation (GDPR). The GDPR applies to businesses outside of the EU that process personal data when offering goods or services to a natural person who is located in the EU, including the use of cookies to track a user. If your bank has even a single customer who resides in the EU, you may wish to consider working with your website’s developer to adopt the GDPR cookie disclosures that now have become very common on international websites, including the European Commission’s website (“This site uses cookies to offer you a better browsing experience. Find out more on how we use cookies and how you can change your settings”).

For resources related to our guidance, please see:

  • FFIEC IT Booklets, E-Banking, Appendix A: Examination Procedures (“Disclosure of privacy policy — financial institutions are encouraged, but not required, to disclose their privacy policies on their websites — to include: ‘Conspicuous’ disclosure of the privacy policy on the website in a manner that complies with the privacy regulation and information on how to ‘opt out’ of sharing (if the institution shares information with third parties).”)
  • Regulation P, 12 CFR 1016.6(a) (“The initial, annual, and revised privacy notices that you provide under §§ 1016.4, 1016.5, and 1016.8 of this part must include each of the following items of information, in addition to any other information you wish to provide, that applies to you and to the consumers to whom you send your privacy notice: . . . (1) The categories of nonpublic personal information that you collect; (2) The categories of nonpublic personal information that you disclose; . . .”)
  • Regulation P, 12 CFR 1016.3(p)(1) (“Nonpublic personal information means: (i) Personally identifiable financial information; . . .”)
  • Regulation P, 12 CFR 1016.3(q)(2)(i) (“Personally identifiable financial information includes: . . . (F) Any information you collect through an internet ‘cookie’ (an information collecting device from a Web server); . . .”)
  • Regulation P, Appendix — Model Privacy Form C(3)(a)(2) (“‘How does [name of financial institution] protect my personal information?’ The financial institution may only provide additional information pertaining to its safeguards practices following the designated response to this question. Such information may include information about the institution’s use of cookies or other measures it uses to safeguard personal information. Institutions are limited to a maximum of 30 additional words.”)
  • FDIC Financial Institution Letter 113-99, Financial Institution Web Site Privacy Survey (December 27, 1999) (“A privacy policy is generally a comprehensive disclosure describing the institution’s general or on-line policies and practices related to the collection and use of consumer information.”)
  • FDIC Financial Institution Letter 113-99, Financial Institution Web Site Privacy Survey (December 27, 1999) (“[T]he FDIC encourages every financial institution to establish and follow a privacy policy that addresses what are generally referred to as fair information practice principles, which have been articulated by a variety of governmental and intergovernmental entities. Five core principles advocated by the Federal Trade Commission (FTC) are: notice to consumers about information practices; choice for consumers about how personal information may be used; access for consumers to personal information and the ability to correct errors; security and integrity of consumer data; and enforcement and consumer redress.”)
  • FDIC Financial Institution Letter 86-98, Online Privacy of Consumer Personal Information (August 17, 1998) (“Financial institutions should train staff about their responsibilities under the institution’s privacy policies and information practices. Financial institutions should ensure that online privacy policies and information practices are consistent with the bank’s offline, or physical environment, information-collection activities. Financial institutions should review their internal controls to ensure that these controls prevent the improper disclosure of personal information to third parties. . . . Internal controls should incorporate a monitoring and review mechanism that will test compliance with established privacy policies and information practices.”)
  • FDIC Financial Institution Letter 86-98, Online Privacy of Consumer Personal Information (August 17, 1998) (“Financial institutions may also want to consider observing examples of Web site privacy policies displayed by other financial service providers.”)

(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that collects consumers’ personal information or on the behalf of which that information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:

  • (A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
  • (B) Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
  • (C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

(2) Any entity that controls or is controlled by a business as defined in paragraph (1) and that shares common branding with the business. ‘Control’ or ‘controlled’ means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. ‘Common branding’ means a shared name, servicemark, or trademark.”)

  • California Consumer Privacy Act of 2018, Cal Civ. Code § 1798.140(c) (“‘Consumer’ means a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier.”)
  • California Consumer Privacy Act of 2018, Cal Civ. Code § 1798.145(e) (“This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm–Leach–Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150.”)
  • European Commission FAQs, Who does the data protection law apply to? (“The law applies to: . . . (2) a company established outside the EU offering goods/services (paid or for free) or monitoring the behaviour of individuals in the EU.”)
  • European Commission FAQs, Who does the data protection law apply to? (“Your company is service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn’t specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.”)
  • European Commission FAQs, What is personal data? (“Examples of personal data: . . . a cookie ID*; . . . *Note that in some cases, there is a specific sectoral legislation regulating for instance the use of location data or the use of cookies . . . .”)
  • Regulation (EU) 2016/679 (GDPR), Article 3, Territorial Scope (“1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”)
  • Regulation (EU) 2016/679 (GDPR), Article 3, Territorial Scope (“2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union. . . .”)
  • Regulation (EU) 2016/679 (GDPR), Article 4, Definitions (“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; . . .”)