managing-privacy-compliance-financial
Evaluates data privacy practices against GLBA, CCPA, and state privacy requirements. Use when assessing financial privacy compliance, managing opt-out requirements, or documenting data practices.
Best use case
managing-privacy-compliance-financial is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Evaluates data privacy practices against GLBA, CCPA, and state privacy requirements. Use when assessing financial privacy compliance, managing opt-out requirements, or documenting data practices.
Teams using managing-privacy-compliance-financial should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in .claude/skills/managing-privacy-compliance-financial/SKILL.md inside your project
- Restart your AI agent — it will auto-discover the skill
How managing-privacy-compliance-financial Compares
| Feature / Agent | managing-privacy-compliance-financial | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Evaluates data privacy practices against GLBA, CCPA, and state privacy requirements. Use when assessing financial privacy compliance, managing opt-out requirements, or documenting data practices.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Managing Privacy Compliance Financial

Evaluates financial institution data privacy practices against GLBA, CCPA/CPRA, and state-level privacy requirements. Produces gap analyses, opt-out compliance assessments, and privacy notice audits for banks, broker-dealers, insurance companies, and fintech platforms.

## When To Use

- Assessing whether a financial institution's privacy notices satisfy GLBA Regulation P requirements
- Evaluating CCPA/CPRA compliance for financial data that falls outside the GLBA exemption
- Auditing opt-out/opt-in mechanisms for nonpublic personal information (NPI) sharing
- Reviewing data-sharing agreements with affiliates, nonaffiliates, and joint-marketing partners
- Preparing for state privacy law obligations (e.g., VCDPA, CPA, TDPSA) as they apply to financial entities
- Documenting a privacy compliance program ahead of regulatory examination

## Inputs To Gather

- Entity type and regulatory charter (bank, credit union, broker-dealer, insurance company, RIA, fintech) [VERIFY]
- Current privacy notice and any annual re-delivery records
- Categories of NPI collected: account numbers, transaction history, credit data, application data
- Data-sharing map: affiliates, nonaffiliated third parties, joint-marketing partners, service providers
- Existing opt-out mechanism details (mail-in form, online portal, toll-free number)
- State(s) of operation and customer residence — determines which state privacy laws layer on top of GLBA [VERIFY]
- Most recent examination findings or self-assessment results related to privacy
- Relevant exception claims (e.g., GLBA exemption from CCPA for specific data categories)

## Workflow

1. **Classify the entity and applicable regime**
   - Determine whether the entity is a "financial institution" under GLBA (15 U.S.C. § 6809(3)) [VERIFY]
   - Identify which data categories qualify as NPI versus publicly available information
   - Map state-specific overlays: CCPA/CPRA applies to California consumers for data not covered by the GLBA exemption; check VCDPA, CPA, TDPSA thresholds [VERIFY]
2. **Audit privacy notices**
   - Compare the initial and annual privacy notices against Regulation P model forms (12 CFR § 1016, Appendix)
   - Check for required disclosures: categories of NPI collected, categories shared, opt-out rights, safeguarding practices
   - Verify delivery method compliance: initial notice at customer relationship establishment, annual notice timing [VERIFY]
   - Flag any missing or ambiguous categories in the sharing disclosure table
3. **Evaluate opt-out/opt-in mechanisms**
   - Confirm the opt-out notice is clear, conspicuous, and provides a reasonable method to exercise the right
   - Check whether affiliate sharing triggers the FCRA affiliate-marketing opt-out (separate from the GLBA opt-out) [VERIFY]
   - For state laws requiring opt-in (e.g., financial health data under CCPA/CPRA), verify affirmative consent mechanisms
   - Assess opt-out honoring timelines — Regulation P requires compliance within a reasonable period (generally 30 days)
4. **Review data-sharing agreements and exceptions**
   - Categorize each third-party relationship: joint marketing, service provider, nonaffiliate
   - Confirm service-provider and joint-marketing exceptions include the required contractual provisions (confidentiality, use limitations)
   - Identify any sharing that falls outside safe-harbor exceptions and requires opt-out
5. **Assess CCPA/CPRA intersection**
   - Determine which data categories are exempt under CCPA § 1798.145(e) (GLBA-covered data) vs. which are not
   - For non-exempt data: verify CCPA privacy policy disclosures, "Do Not Sell/Share" mechanisms, and data subject request workflows
   - Evaluate whether the institution qualifies as a "business" under CCPA thresholds [VERIFY]
6. **Compile gap analysis and remediation roadmap**
   - List each compliance gap with severity (critical / moderate / low)
   - Assign remediation owners, deadlines, and required documentation updates
   - Prioritize: notice deficiencies and opt-out failures carry direct regulatory risk

## Output

- **Privacy Compliance Assessment Report** containing:
  - Regulatory applicability matrix (GLBA, Regulation P, CCPA/CPRA, state laws)
  - Privacy notice audit findings with line-item deficiencies
  - Opt-out mechanism evaluation and consumer-experience assessment
  - Data-sharing map with exception classification for each relationship
  - CCPA/CPRA gap analysis for non-GLBA-exempt data
  - Prioritized remediation roadmap with owners and target dates
  - Summary of [VERIFY] items requiring legal or jurisdictional confirmation

## Quality Checks

- Every data-sharing relationship is classified under an explicit GLBA exception or flagged as requiring opt-out
- Privacy notice language is compared against the Regulation P model form — deviations are specifically identified
- CCPA exemption claims cite the specific data category and collection context, not a blanket entity-level exemption
- State law applicability is determined by customer residence, not entity headquarters [VERIFY]
- Opt-out mechanisms are tested or described with sufficient specificity to confirm consumer usability
- All jurisdiction-dependent conclusions are marked [VERIFY] for legal review
- The report distinguishes clearly between confirmed findings and assumptions throughout
Related Skills
managing-wound-care
Guides wound assessment, classification, and treatment selection with documentation requirements. Use when managing surgical wounds, classifying wound types, or selecting wound care protocols.
managing-wound-assessment-nursing
Structures wound assessment with measurement, staging, and treatment plan documentation. Use when assessing wounds, staging pressure injuries, or documenting wound care.
managing-workplace-safety-healthcare
Tracks OSHA healthcare requirements including bloodborne pathogen, TB, and violence prevention programs. Use when managing OSHA compliance, implementing safety programs, or documenting exposure incidents.
managing-workers-compensation-rehabilitation
Structures workers comp rehab documentation with functional capacity evaluation and return-to-work planning. Use when managing work injury rehab, performing FCEs, or documenting return-to-work status.
managing-vestibular-rehabilitation
Structures vestibular assessment with positional testing and customized exercise programs. Use when evaluating vestibular disorders, performing Dix-Hallpike testing, or designing vestibular exercise programs.
managing-venous-thromboembolism-prophylaxis
Applies VTE risk assessment (Padua, Caprini) with appropriate prophylaxis selection. Use when assessing VTE risk, selecting prophylaxis regimens, or documenting DVT prevention.
managing-valvular-heart-disease
Guides valve disease severity assessment with intervention criteria and surveillance schedules. Use when evaluating valve disease, assessing surgical/interventional timing, or monitoring valve function.
managing-vaccine-schedules
Applies CDC immunization schedules with catch-up protocols and contraindication screening. Use when managing vaccinations, creating catch-up schedules, or documenting immunization decisions.
managing-vaccination-campaigns
Plans mass vaccination campaigns with logistics, cold chain management, and adverse event monitoring. Use when planning vaccination drives, managing immunization logistics, or monitoring VAERS.
managing-traumatic-brain-injury-rehabilitation
Structures TBI rehab with Rancho Los Amigos scoring and cognitive rehabilitation protocols. Use when managing TBI rehab, tracking Rancho levels, or implementing cognitive therapy.
managing-trauma-assessments
Conducts structured primary and secondary trauma surveys following ATLS methodology. Use when assessing trauma patients, documenting trauma workups, or coordinating trauma team activations.
managing-transplant-evaluations
Guides transplant candidacy evaluation with organ-specific criteria and listing documentation. Use when evaluating transplant candidates, documenting listing criteria, or coordinating transplant workups.