United States

CFPB eases privacy notice requirements


The Consumer Financial Protection Bureau (CFPB) proposed to amend and has now finalized a new rule relating to the privacy notice requirements under the Gramm-Leach-Bliley Act (GLBA) as promulgated by Regulation P.

The GLBA and Regulation P require, among other things, that financial institutions provide their customers with an annual disclosure of the institutions’ privacy policies. To comply with the privacy notice requirements, financial institutions have made it a practice to deliver printed copies of annual privacy notices by mail. In response to concerns of delivery expenses and potentially overloading customers with information regarding the institutions privacy policies, the CFPB has issued a ruling to allow institutions to deliver annual privacy notices through an alternative delivery method.

The new rule will allow a financial institution that does not participate in certain information sharing activities to post its annual privacy notice on its website, rather than mailing annual disclosures, if the following conditions are met:

  1. The financial institution does not share information with nonaffiliated third parties that would trigger GLBA opt-out rights.
  2. The financial institution does not include opt-out disclosures relating to the sharing of information with related or affiliated entities as required under section 603(d) of the Fair Credit Reporting Act (FCRA) within their annual privacy notice.
  3. The financial institution provides additional notices to satisfy the requirements of section 624 of the FCRA and the Affiliated Marketing Rule.
  4. The financial institution has not changed the content of the privacy notice since the customer received the previous notice.
  5. The financial institution’s privacy notice is in the model format as provided by Regulation P. 

If a financial institution meets these conditions and would like to use the alternative method of delivering the annual privacy notice, the financial institution must also:

  1. Continuously post its current privacy notice in a clear and conspicuous manner on a dedicated page of its website without requiring the customer to enter a login or to agree to any conditions to access the page
  2. Mail its current privacy notice to customers requesting it by telephone within 10 days of the request
  3. Insert a clear and conspicuous statement meeting certain conditions, on an account statement, coupon book, or another notice or disclosure that notifies the customer that:
    • The annual privacy notice is available on its website.
    • It will mail the notice to customers who request it by calling a specific telephone number.
    • The privacy notice has not changed. 

Financial institutions that have changed their privacy policies or practices and (or) that participate in information sharing for which the customer may opt-out, must use one of the standard delivery methods that predate this rule.

The final rule is effective as of Oct. 28, 2014.