Section 502 of the Gramm-Leach-Bliley Act (codified at 15 U.S.C. § 6802) is the provision that requires financial institutions to provide consumers with an opt-out notice before sharing their nonpublic personal information with nonaffiliated third parties. The section is titled “Obligations with Respect to Disclosures of Personal Information,” and its subsection (b) lays out the three specific conditions a financial institution must meet before any such disclosure can happen.
What Section 502 Actually Requires
Section 502(b) prohibits a financial institution from disclosing nonpublic personal information to a nonaffiliated third party unless all three of the following conditions are satisfied:
- Clear disclosure: The institution must clearly and conspicuously tell the consumer, in writing or electronic form, that their information may be shared with the third party.
- Opportunity to opt out: The consumer must be given the chance, before the information is initially disclosed, to direct that their information not be shared.
- Explanation of how to opt out: The institution must explain the specific steps the consumer can take to exercise that right.
All three elements must appear together. A notice that tells you your data might be shared but doesn’t explain how to stop it fails the requirement. Likewise, offering an opt-out mechanism without first disclosing what sharing will occur doesn’t satisfy the law.
How the Notice Must Be Delivered
The statute delegates delivery details to implementing regulations. For most financial institutions supervised by the Consumer Financial Protection Bureau, those rules live in Regulation P (12 CFR Part 1016). Section 1016.9 of Regulation P specifies that privacy and opt-out notices must be delivered so that each consumer can reasonably be expected to receive actual notice, either in writing or, if the consumer agrees, electronically.
Acceptable delivery methods include hand-delivering a printed copy, mailing a printed copy to the consumer’s last known address, or posting the notice on an electronic site where the consumer must acknowledge receipt as a necessary step to obtaining the financial product or service. For isolated transactions like an ATM withdrawal, posting the notice on the ATM screen and requiring acknowledgment before the transaction proceeds also qualifies.
Certain methods do not count. Simply posting a sign in a branch lobby or publishing a general advertisement about privacy practices is not enough. Sending an email to someone who doesn’t transact with you electronically fails the test as well. And an oral explanation of the notice, whether in person or over the phone, can never substitute for a written or electronic notice. The regulation is explicit on that point.
When the Notice Is Triggered
The opt-out requirement under Section 502 applies specifically to sharing nonpublic personal information with nonaffiliated third parties. “Nonpublic personal information” covers data a consumer provides on an application, transaction history, and any information the institution obtains in connection with providing a financial product or service. “Nonaffiliated third parties” means companies that are not part of the same corporate family as the financial institution.
The law does carve out exceptions. Financial institutions can share information with service providers and joint marketing partners under certain conditions without triggering the opt-out requirement, typically when contractual agreements restrict how the third party can use the data. Sharing that falls within routine processing, such as sending account data to a company that prints your statements, generally falls under these exceptions. But when an institution wants to share your information for purposes beyond servicing your account, the opt-out notice kicks in.
The Annual Notice Exception
Originally, GLBA required financial institutions to send an annual privacy notice to every customer, which would include the opt-out information. The FAST Act, passed in 2015, created an exception to this annual mailing requirement. A financial institution can skip the annual notice if it meets two conditions: it does not share nonpublic personal information about customers except under the statutory exceptions that don’t require an opt-out, and it has not changed its privacy policies and practices from what it disclosed in the most recent notice it sent.
This exception only relieves the institution of the annual notice obligation. The initial privacy notice and opt-out notice requirements under Section 502 still apply when a customer relationship is first established or when the institution’s sharing practices change in ways that newly trigger the opt-out right.
Where Section 502 Fits in the Broader Law
Section 502 works alongside Section 501 and Section 503 of GLBA. Section 501 establishes the general obligation for financial institutions to protect consumer information. Section 503 requires financial institutions to provide an initial privacy notice describing their information-sharing policies at the time the customer relationship begins. The opt-out notice required by Section 502 is typically delivered as part of that initial privacy notice, though it can also be provided separately when sharing practices change.
Regulation P ties these sections together into a practical compliance framework, specifying the content, format, and timing requirements that financial institutions follow when building their privacy notices. If you’ve ever received a dense privacy policy mailing from your bank or credit card company, that document is the institution’s attempt to satisfy Sections 502 and 503 simultaneously, with the opt-out mechanism usually appearing as a phone number, a web form, or a tear-off reply card.