Gramm-Leach-Bliley Act (GLBA)

On November 2, 1999, President Clinton signed into law the Gramm-Leach-Bliley Act (GLBA). GLBA eliminates legal barriers among the securities, insurance, and banking industries, but retains the oversight roles of federal and state agencies within their particular areas of expertise.

One of the major components of GLBA is the creation of new privacy laws and regulations. The new privacy requirements went into effect on November 13, 2000, and compliance will be mandatory on July 1, 2001.

The Massachusetts Securities Division is providing this document to you and to other investment advisers in Massachusetts to assist you in complying with the new privacy laws and to inform you of your privacy obligations under the Massachusetts Uniform Securities Act. It is not legal advice. You may want to consult an attorney regarding the applicability of GLBA’s privacy provisions to you.

Summary of GLBA

GLBA’s new privacy laws regulate what you are allowed to do with the confidential personal information that you collect in connection with your investment advisory activities. Specifically, these provisions govern how you collect, use, and maintain this personal information and under what circumstances you may share it with someone else. The law requires that you adopt written policies for handling confidential personal information and that you properly distribute those written policies.

In general, GLBA prohibits you from sharing an individual’s confidential information with non-affiliated third parties unless:

  • You tell the individual that you may share the information with others;
  • You give the individual the opportunity to tell you not to share the information; and
  • The individual does not tell you to keep the information confidential (i.e., the individual does not “opt out” of disclosure to third parties).

M.G.L. c. 110A

950 CMR 12.205(9)(c)(13) states that for the purposes of M.G.L. c.110A, it is deemed a dishonest and unethical business practice for an investment adviser to:

“[disclose] the identity, affairs or investments of any client to any third party unless required by law to do so, or unless consented to by the client”

The current regulation prohibits the state registered investment adviser from sharing non-public personal information with non-affiliated third parties unless the customer specifically consents to the disclosure. Hence, unlike the GLBA, a state registered investment adviser must give its customers an “opt-in” option to share information with any unaffiliated third parties. An “opt-in” requires the investment adviser to obtain from its customers and consumers a signed statement in which the person makes an affirmative declaration of permission to disclose such information. Without this affirmative declaration from the person, investment advisers are prohibited from sharing this information with non-affiliated third parties.

Some definitions are in order, so that you can decide which people, and what information you obtained from or about those people, are included in the concept of confidential personal information.

GLBA distinguishes between a customer and a consumer. A customer is a person with whom you have developed a continuing relationship to provide products or services to be used primarily for personal, family, or household purposes. A customer would not include a person who met with someone from your firm but then decided not to establish a business relationship with your firm. To distinguish between the two types, we will call the latter person a consumer.

Non-public personal information (“NPI”) is any personal information that cannot be found in public sources. Publicly available information would be details available from federal, state, or local government records; widely distributed media (such as telephone directories or newspapers); or information disclosed to the public as required by federal, state, or local law. NPI is usually obtained directly from the individual. It includes such details as the person’s date of birth, social security number, financial account numbers and balances, sources and amounts of income, credit card numbers, information obtained about visitors to your Internet web site, and sometimes could include home addresses and telephone numbers.

An affiliate is a company that controls, is controlled by, or is under common control with your firm. A non-affiliated third party is any person or entity other than your firm, your employee, or an affiliate.

Opt-in is a concept requiring you to give consumers and customers notice that NPI may be disclosed to third parties. It requires that you obtain from customers a signed statement in which the person makes an affirmative declaration of approval to share this NPI with unaffiliated third parties.

A joint marketer is a person or company who markets your products or services under a joint agreement with one or more financial institutions. A service provider is a person or company who assists your firm in administering, processing, or servicing a customer’s account.

Notice Requirements

Under GLBA, each investment adviser must give its customers either a full notice or simplified notice of the firm’s privacy policies. In addition, your firm may be required to give consumers a limited type of notice called a “short form initial notice.” In order to determine which notice requirements apply to your firm, you should answer the following questions:

  • What NPI does your firm possess?
  • Who are your customers?
  • Who are your consumers?
  • What are your current information sharing practices?

The answers to these questions will help you determine which of the following types of notices is needed.

1. Notice to Consumers

A. When Consumer NPI Is Not Disclosed (No Notice)

You are not required to give notice of your privacy policy to consumers as long as you do not disclose NPI to any non-affiliated third party.

B. When Consumer NPI Is Disclosed (Short Form Initial Notice)

You may use abbreviated disclosure to tell consumers that you may disclose their NPI to non-affiliated third parties. The notice should be easily readable and describe how the consumer may request a copy of the firm’s privacy policy.

2. Notice to Customers

A. When Customer NPI Is Not Disclosed (Simplified Notice)

You may provide simplified notice to customers if you neither disclose nor reserve the rights to disclose their NPI to any third party, including affiliates as well as non-affiliates. The simplified notice should include: (1) the categories of NPI you do collect; (2) your policies and practices intended to protect the confidentiality, security and integrity of NPI in your office (i.e., your “safeguarding” procedures); (3) your statement you do not disclose and do not reserve the right to disclose NPI; and (4) your statement that you will make disclosure to non-affiliated parties only as permitted by law.

B. When Customer NPI Is Disclosed (Full Notice Plus Opt-In Disclosure)

You must provide a more comprehensive notice to customers if you disclose or reserve the right to disclose their NPI to third parties. If third parties include non-affiliates you must also include an opt-in form. This notice must include the following:

  • What confidential information you may collect from or about a person;
  • What confidential information you may disclose to other entities;
  • If your firm intends to disclose NPI to non-affiliated entities, the categories of non-affiliated third parties to which your firm may disclose confidential information;
  • What your policy is on sharing information about former customers;
  • What categories of confidential information your firm discloses under agreement with third party service providers (such as a broker-dealer or a sub-adviser);
  • A clear and concise explanation that you cannot share confidential information with non-affiliated third parties without first obtaining from the person a signed statement in which the person makes an affirmative declaration of permission to disclose such information;
  • Your office policies and practices intending to protect the confidentiality, security, and integrity of confidential information (i.e., your “safeguarding” procedures), including in general terms who is authorized to have access to this information;
  • Notices required under the Fair Credit Reporting Act, if applicable.


Opt In Rights and Procedures

With each short form or full notice, you must provide a clear and concise statement that a person must provide you with a signed statement in which the person makes an affirmative declaration allowing you to share confidential information with non-affiliated third parties, and that without this authorization you are prohibited from sharing this information with non-affiliated parties.

There is no opt-in requirement for any disclosure of NPI you make to service providers or joint marketers, but you must disclose the nature of any information to be shared with a service provider or joint marketer and must enter into contractual arrangements to require the third party to maintain confidentiality of the information. The opt-in requirement also does not apply to disclosure of confidential information in the following circumstances:

  • For resolving consumer or customer disputes or inquiries;
  • To persons holding a legal or beneficial interest relating to the consumer or customer;
  • To persons acting in a fiduciary or representative capacity on behalf of a consumer or customer;
  • To provide information to agencies assessing your firm’s compliance with industry standards, and to your attorneys, accountants, and auditors;
  • In connection with a proposed or an actual sale or merger of your firm;
  • To respond to a regulator’s examination of your firm; or
  • To comply with a civil, criminal, or regulatory investigation by federal, state, or local authorities.

How, To Whom, and When to Send Notices

Reasonable methods of providing a notice include hand delivering a printed copy, mailing a printed copy to the last known mailing address, and, for a person who conducts business with you electronically, posting the notice on the electronic site and requiring the person to acknowledge receipt.

You must provide the notice to customers not later than the time you establish that on-going relationship. For any person who is already a customer, GLBA requires you to provide the notice as of July 1, 2001. Be advised that the Massachusetts Securities Division will not take any administrative action against an investment adviser who unintentionally fails to meet the July 1, 2001 deadline.

Policy Changes and Annual Updates

Any time you change your privacy policy concerning disclosure of any category of non-public personal information, or any category of non-affiliated third party that would receive information from you, you must revise the notice and provide a new opt-in form.

Finally, you must annually provide your privacy notice to customers.