On July 1st, the CFPB released a proposed amendment to Regulation P under the Gramm-Leach-Bliley Act (“GLBA”) that provides financial institutions meeting certain conditions an exception to the requirement to provide an annual privacy notice. The rulemaking will implement changes made by the Fixing America’s Surface Transportation Act (“FAST Act”) that was signed into law in December, 2015.
The current Regulation P requires financial institutions to provide customers with annual notices regarding those institutions’ privacy policies. Depending on the type of consumer information a financial institution shares with certain third parties, the annual notices must also provide customers with an opportunity to opt-out of the sharing arrangement.
The proposed rule would provide that a financial institution is not required to deliver an annual privacy notice to a customer if the financial institution:
- Has not changed its privacy policies and practices with regard to sharing nonpublic personal information (“NPI”) since its most recent privacy notice was sent; and
- Only shares customer financial information with non-affiliated third parties under certain exceptions to the GLBA’s notice and opt-out requirements contained within sections 1016.13, 1016.14, and 1016.15 of the regulation.
If a financial institution later decides to disclose NPI in a way that requires the financial institution to provide an opt-out to its customers, the institution would be required to send an updated privacy notice to all of its customers.
The amendment would also remove a rule the CFPB adopted in 2014 which allows financial institutions to post annual privacy notices on their website instead of using the standard mailing delivery method to provide annual privacy notices, so long as the institution meets certain conditions. According to the CFPB, because any financial institution that meets the criteria for the alternative delivery method would also meet the requirements for the new annual privacy exception, the alternative delivery method would likely not be used as a result of the more convenient new annual notice exemption.
The CFPB Proposal is available here: http://www.consumerfinance.gov/policy-compliance/rulemaking/rules-under-development/amendment-annual-privacy-notice-requirement-under-gramm-leach-bliley-act-regulation-p/.