Skip to Main Content

Gramm Leach Bliley and Privacy Notices: Obligations of Originators/Brokers and Funders in connection with the Placement of a Lease?

Dispatches from the Trenches

I. Introduction and Short Answer

This article discusses whether originators/brokers or funders have any obligations under the privacy provisions of the Gramm Leach Bliley Act (the "GLBA") when an originator disclosed information about a lessee to a funder in connection with the placement of a lease. The short answer is that the GLBA does not impose any disclosure obligations on originators or funders who deal solely in commercial leases since the privacy notices required under the GLBA relate only to consumers—i.e. individuals who obtain financial products or services for personal, family or household purposes. Originators or funders dealing with consumer leases may be obligated to provide an initial privacy notice at the time a customer relationship is established with the consumer and an annual privacy notice.

II. Detailed Discussion of the GBL

A. Structure of the GLBA. and Purpose of the GLBA.
Subtitle A of the GLBA regulates the disclosure of nonpublic personal information.[1] The underlying motivation for this regulation is clearly expressed in §6801(a) of the GLBA, which reads: "[i]t is the policy of Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information." The GLBA therefore requires "financial institutions" to make certain disclosures to both "consumers" and "customers."[2] Originators offering or arranging for lease-financing are classified as financial institutions under the GLBA.

B. Who are Consumers and who are Customer
The term "consumer" is used under the GLBA to refer to "an individual who obtains a financial product or service from a [financial institution] for personal, family, or household purposes." [3] The term "financial product or service" includes the "evaluation or brokerage of information collected in connection with a request or application, such as a bank’s review of loan application materials to determine whether an applicant qualifies for a loan.

A "consumer" becomes a financial institution’s "customer" under the GLBA when the financial institution establishes a "customer relationship" with the consumer. Basically, a "customer" is a particular type of "consumer" that has an ongoing relationship with the financial institution that is providing the financial product or service.[5]

C. Types of Notices Required

1. Initial and Annual Notices.
Financial institutions must provide all consumers, whether or not they are customers, with an initial privacy notice if: (i) they disclose nonpublic personal information to nonaffiliated third parties; and (ii) such disclosures do not fall within certain enumerated exceptions outlined in the GLBA. Some of these exceptions are discussed in more detail below in Section II(D) of this article.[6]

Even if the financial institution does not disclose nonpublic personal information to nonaffiliated third parties or is allowed to make such disclosures in accordance with the GLBA's exceptions, an initial privacy notice must still be made to every consumer who becomes a customer, at the time the customer relationship is established.[7] In addition, privacy notices must be provided to customers not less than annually during the customer relationship.[8]

2. Opt Out Notices.
Financial institutions must provide all consumers, which by definition includes all customers, with an "opt out notice" if: (i) the institutions disclose nonpublic personal information to nonaffiliated third parties; and (ii) such disclosures do not fall within one of the exceptions outlined in the GLBA.[9]

D. Exceptions to Notice Requirements

1. Description of Applicable Exceptions
The GLBA contains numerous exceptions that absolve financial institutions from any responsibility to provide: (a) initial notices to consumers who are not customers; and (b) opt-out notices to any consumers (even if they are customers). The following exceptions (the "Exceptions") are particularly noteworthy:

(i) A financial institution may disclose nonpublic personal information as necessary to effect, administer or enforce a transaction that a consumer requests or authorizes;[10] and

(ii) A financial institution may disclose nonpublic personal information in connection with a proposed or actual securitization, secondary market sale or similar transaction related to a transaction of the consumer.[11]

As used in the first Exception, the term "necessary" means "required, or is a usual, appropriate or acceptable method to carry out the transaction."[12]

This Exception should apply since a "usual method" by which originators and funders place leases is for the originators to forward certain information about potential lessees to funders with whom the originators are trying to place the leases. The Exception becomes even more applicable to the extent that the money which allows an originator to purchase the leased equipment is obtained from a funder, since that would make the forwarding of the consumer’s information a "required" step in effecting the transaction."

The second Exception is directly on point. Originators are forwarding the information about the consumer to determine whether, and under what terms, the funders would consummate a secondary market sale of a lease with that consumer. According to Compliance Headquarters,[13] this Exception applies even if the secondary market sale is never completed.[14] This interpretation is consistent with the plain meaning of the statute.[15]

III. Summary

The privacy provisions of the GLBA clearly apply only to financial institutions that offer financial services or products to "consumers" (and a specialized subset of consumers called "customers"). As such, originators who circulate, and funders who receive, non-public personal information in connection with a business transaction (rather than a transaction intended for personal, family or household purposes) should not be covered by the GLBA.[16]

Originators who circulate non-public personal information in connection with consumer transactions encounter a more difficult analysis. Clearly, an initial notice and an annual notice must be provided to the consumer if the transaction is consummated and the consumer becomes a "customer." Whether these notices are the responsibility of the originator or the funder depends on the situation.[17] Although the relative youth of the GLBA and the dearth of case law interpreting the statute or its regulations prevents a definitive statement regarding whether any statutory exceptions to the notice requirements of the GLBA are applicable when an originator forwards non-public personal information to a funder in connection with a consumer lease, it is likely that certain exceptions absolve such originators from: (a) making any disclosures with respect to consumers until a customer relationship is established (thereby preventing any additional burdens during the application stage); and (b) providing any opt out notices to consumers or customers solely because the information was forwarded from an originator to a funder. Nonetheless, to the extent any originators are engaged in consumer leasing, a closer look at the GLBA is strongly advised.

Article appeared in the September, 2002 issue of the Monitor.
For more articles/news regarding the equipment leasing and finance industry, visit

[1] The GLBA is codified at 15 U.S.C §§6801-6810 and available at privacy/glbact/glbsub1.htm.

[2] See Question B.1.Q of the Frequently Asked Questions for the Privacy Regulations, published on the FTC’s Website at (outlining the different disclosure obligations with respect to consumers and customers).

[3] Id. See also GLBA, §6809(9)(defining the term "consumer").

[4] Id.

[5] Id. See also GLBA, §6809(11)(defining the term "customer relationship"); and 16 CFR 313.3(i). 

[6] GLBA, §§6802(a) and (e); See also Frequently Asked Questions, supra note 3. 

[7]  16 CFR 313.14 and 313.15 (noting that the exceptions only apply to §313.4(a)(2)); 16 CFR 313.4(a)(2)(initial notice requirement for consumers is separate from the §313.4(a)(1) initial notice requirement for customers).  See also GLBA, §6803(a).

[8]  Id.

[9] GLBA, §§6802(b) and (e).

[10] GLBA, §§6802(e) and 6809(7); 16 CFR 313.14(a) and (b).

[11] GLBA, §6802(e); 16 CFR 313.14(a).

[12]  GLBA, §6809(7); 16 CFR 313.14(b).

[13]  Compliance Headquarters can be accessed at and is run by Bankers System, Inc.—a  leading national provider of compliance resource solutions which is used by more than 12,000 financial institutions, including 83 percent of banks in the United States.

[14] Questions regarding GLBA Exceptions available at Privacy/Privacy_Q_A_Archive/Other_Exceptions/other_exceptions.html

[15]  The language used in the statute is "proposed or actual" secondary market sale.

[16] It should be noted that the recent fiasco, whereby the Federal Trade Commission (the "FTC") briefly held that a consumer credit report was a "consumer document" even if used in connection with a guaranty of a commercial lease, has been resolved as the FTC subsequently decided, after substantial lobbying by the Equipment Leasing Association, that the a consumer credit report of a guarantor of a business loan was not covered by the Fair Credit Reporting Act.  Moreover, the reasoning in the FTC’s earlier opinion—that the consumer credit report was originally gathered for consumer purposes and therefore was a consumer document—would not be applicable with respect to the situation discussed in this article.

[17] 16 CFR 313.4(c)(3).

Email Disclaimer

NOTICE: The mailing of this email is not intended to create, and receipt of it does not constitute an attorney-client relationship. Anything that you send to anyone at our Firm will not be confidential or privileged unless we have agreed to represent you. If you send this email, you confirm that you have read and understand this notice.
Cancel Accept