Ready to Disclose How You Protect Your Clients' Privacy?

CalCPA recently learned that the federal Gramm-Leach-Bliley Act applies to CPAs who prepare federal or state tax returns for individuals. GLB requires that all non-business clients be informed of the privacy policies of a broad group of financial service providers (banks, tax preparation services, check cashing businesses, travel agencies affiliated with financial service providers, educational institutions that provide loans and others) with whom they have a customer (client) relationship.


GLB was intended to apply to banks and other credit institutions that may have been abusing customer trust by selling or sharing personal information. However, the Federal Trade Commission regulations do include those who are "significantly engaged" in the preparation of federal or state personal tax returns, or who provide financial planning services.

In this context, significantly engaged essentially means that the service is provided for compensation. Individuals who prepare an occasional tax return without charge for a relative are not required to provide the relative with a privacy disclosure notice.


The FTC regulations implementing this act require disclosure of specific information to nonbusiness clients. Disclosures are not required for clients that are businesses. These requirements are currently in effect and compliance is mandated by July 1, 2001. Qualifying CPA firms must notify clients by that date of their privacy policy.

Under the regulations, one-time or initial disclosures are required for all new and existing clients. Disclosures are to be made every 12 months thereafter to all clients. The disclosure must be a clear and conspicuous notice, written in plain language that accurately reflects the provider's privacy policy and practices. There is no requirement that the communication be sent as a separate mailing.

These disclosures are required even though California law specifically prohibits the disclosure or use of tax return information for any purpose other than that for which it was provided without the advance written consent of the taxpayer. Under the FTC rules, even those who are prohibited by law from sharing information are required to notify their clients of the kinds of personal information they collect and of the fact that they are prohibited by statute from sharing that information.

There is no required form for this notice, but it must include the following information:

* The categories of nonpublic personal information collected. Nonpublic personal information is defined by the FTC as "generally speaking ... (1) personally identifiable financial information, plus (2) a consumer list (and publicly available information pertaining to the consumers on that list) that is derived using personally identifiable information that is not publicly available... ." Examples of nonpublic personal information, according to the May 24, 2000 Federal Register (Vol. 65, No. 101, page 33681), include information a client provides to you, account balance information, the fact that an individual is or has been a client, and information from a consumer report.

* The categories of nonpublic personal financial information that you might disclose. You should state if you are legally prohibited from disclosing nonpublic personal financial information.

* The categories of affiliates and non-affiliated third parties to whom you disclose nonpublic personal financial information, or that you do not make such disclosures. California law requires that clients consent in advance, in writing, to any disclosure of tax return information and that the consent include the name of the individual to whom the information will be disclosed.

* The firm's policies with respect to sharing information on individuals who are no longer clients.

* The categories of information disclosed pursuant to agreements with third-party service providers and joint marketers, and the categories of third parties providing the services, or that you do not do so.

* The client's right to opt out of the disclosure of nonpublic personal information, if you make such disclosures. California law requires that clients give permission to have their tax return information used for any purpose other than that for which it was given.

* Any disclosures made under the Fair Credit Reporting Act.

* Your practices with regard to protecting the confidentiality, security and integrity of nonpublic personal information.

All affected firms are required to develop and implement a written information security program that includes administrative, technical and physical safeguards for customer records. Additionally, firms are required to exercise appropriate due diligence in selecting and monitoring service providers to ensure that the service providers also implement appropriate security measures to meet the guidelines' objectives.


An appendix to the FTC rules provides sample clauses that can be used to construct a disclosure, but none of them apply directly to CPA firms. Additionally, many bank Web sites carry their privacy disclosure notices, and these may provide some guidance. The FTC final rule can be accessed online, or through CalCPA's members-only interactive government relations site. A print version of the final rule is available in the May 24, 2000 Federal Register (Vol. 65, No. 101, page 33688).

Members are encouraged to contact their liability insurer or legal counsel for specific guidance in complying with the new requirement.

Bruce Allen is CalCPA's director of government relations.


CPAs who must comply with the FTC's privacy disclosure requirements must send their initial disclosure by July 1, 2001, to all clients for whom they prepare personal income, estate or gift tax returns, and to individuals for whom they provide financial planning services. The disclosure must be sent every 12 months thereafter.

The following sample disclosure letter is provided for illustrative purposes only. Your own situation will vary and each letter must be tailored to fit your own circumstances and practices. It is not intended to provide legal advice.

Dear Client of Stable, Strong and Aware:

If you are like most Americans, privacy is a big concern to you. We want you to know that we at Stable, Strong and Aware share this concern. During the preparation of your (tax return/financial plan), you share personal information with the employees and owners of Stable, Strong and Aware. This might include information on applications, worksheets, tax organizers or other documents we use in preparing your taxes or financial plan. It also may include information we receive directly from third parties such as brokerage houses and banks regarding your accounts with them and information about your transactions with us, or our affiliates. (CPAs who run credit checks on their clients need to indicate that they collect information from consumer credit reporting agencies.) We value your trust and make every effort to continue to deserve your confidence.

Protecting your privacy is important to us and your personal information is only shared with those employees with whom it is necessary to perform the services you have hired us to do. State and federal laws, and the standards of the CPA profession, pledge us to keep your information confidential unless we are required by a legal authority to divulge the information.

If necessary, to complete your (tax return/financial plan) this information may be shared with our affiliate ABC Computing, but you will be informed in advance if this is the case. Under California law you must give written permission before this information can be shared. ABC shares our privacy policy and commitment to your protection. (CPA firms that do not share personal information with affiliates, marketing experts or subcontractors may include a statement to that effect.)

Your personal information is stored in a secure space or on a secure computer. We take our obligation to you very seriously and value your trust. If you ever discontinue your client relationship with Stable, Strong and Aware, we will be happy to furnish you with a copy of the information in our files and will continue to protect and treat the information that you have trusted us with as confidential. When your personal information is no longer needed, it is shredded, erased or destroyed before being recycled.

Sincerely Yours,

Partners of Stable, Strong and Aware, CPAs
COPYRIGHT 2001 California Society of Certified Public Accountants
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2001, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Publication: California CPA
Geographic Code: 1USA
Date: Mar 1, 2001