June 6, 2020

CFPB Adopts Final Rule Authorizing Website Posting of Annual Privacy Notices

The Consumer Financial Protection Bureau (CFPB) recently adopted a final rule that will permit certain financial institutions to post on their websites the annual privacy notice required under Regulation P rather than mailing the notice to their customers. The final rule became effective on Oct. 28, the date it was published in the Federal Register.

The CFPB noted in the preamble to the final rule that it intends for the new electronic delivery method to reduce information overload for consumers caused by duplicative mailings of paper privacy notices. Under this alternative delivery method, a financial institution may post its privacy notice on its website rather than mail a hard copy to its customers if:

  • the financial institution uses the CFPB’s model privacy form; 

  • the financial institution does not disclose a customer’s nonpublic personal information to nonaffiliated third parties in a manner that triggers opt-out rights under Regulation P; 

  • the financial institution does not include on its annual privacy notice an opt-out notice under Section 603 of the Fair Credit Reporting Act (FCRA); 

  • the financial institution has already provided any “affiliate marketing” opt-out notice required under Section 624 of the FCRA, or uses a method other than website posting to provide this “affiliate marketing” opt-out notice; and

  • the information in the financial institution’s privacy notice has not changed since the customer’s receipt of the prior notice.

To use the alternative delivery method, the financial institution must:

  • continuously post its annual privacy notice in a clear and conspicuous manner on a page of its website, without requiring a login or similar restriction on access;

  • provide a web address that directly accesses the page that contains the privacy notice without requiring the customer to click on any links; and 

  • mail annual notices to customers who request them by telephone, within ten days of the request. 

To make customers aware that its annual privacy notice is available through these means, the institution must insert a clear and conspicuous statement at least once per year on an account statement, coupon book, or a notice or disclosure that it issues to its customers under any provision of law. The statement must:

  • inform customers that the annual privacy notice is available on the financial institution's website; 

  • state that the institution will mail the notice to customers who request a copy by calling a specific telephone number; and 

  • inform customers that the notice has not changed. 

The CFPB estimates the final rule may reduce the cost of providing annual privacy notices and opt-out notices under Regulation P for all financial institutions by at least $17 million. Each financial institution should consider whether it is eligible to use these streamlined disclosures so that it too can benefit from these reduced costs.



About this Author

Thomas M. Maxwell, Barnes Thornburg Law firm, Indianapolis, Corporate and Finance Law Attorney

Thomas M. Maxwell is a partner in Barnes & Thornburg LLP’s Indianapolis, Indiana office. He practices in the Corporate Department primarily in the areas of securities law, financial institution regulation and general corporate matters. He has acted as issuer’s and underwriter’s counsel in numerous offerings of securities including initial public offerings and private placements. He also regularly advises publicly-held companies and their directors on corporate governance matters, disclosure obligations and other matters under federal securities laws, including compliance with various...

Jason Bernstein Data Security & Privacy Attorney

A co-chair of the firm’s Data Security and Privacy practice, Jason Bernstein is a business adviser who helps clients develop, manage, protect and leverage their IP assets and valuable data. By offering real depth in a multitude of disciplines and industries, Jason is appreciated for his proven business acumen and creative problem-solving ability.

Inventions, innovations and information, particularly information security and privacy matters, are at the core of Jason’s practice. With more than three decades of experience, Jason advises on strategic planning for and the protection of client brands and creations via patents, trademarks and copyrights, as well as negotiates a myriad of technology and business agreements involving valuable IP.

Jason’s clients include startups, universities, and established technology, manufacturing and services companies. His industry experience ranges from medical devices to organic and polymer chemistry to pharmaceuticals, mechanical apparatus and software. Regardless of the client or industry, Jason helps companies minimize their exposure to data security and privacy risks. He works with clients to proactively improve data security risk management and develop policies and procedures for incident response.

He also advises on compliance with laws such as the European General Data Protection Regulation (GDPR), as well as prepares and negotiates agreements involving data security and privacy issues, such as software and website terms of use and privacy policies.

Jason also works with companies after a data breach to evaluate the breach, notify affected individuals and agencies, and guide the company in communications to minimize effects on brand reputation. As a result, Jason is a frequent speaker nationally to various organizations and conferences on how companies can respond to cybersecurity incidents and emerging cybersecurity threats, improve their risk management, and more effectively negotiate agreements with customers and vendors.

In addition, Jason advises on strategic IP planning and due diligence investigations related to mergers and acquisitions, trademark selection and clearance, registration, licensing and infringement. He has worked with a wide range of trademark portfolios in the restaurant, healthcare, cosmetics, nutraceuticals, software and hardware, apparel, medical products, manufacturing and financial services industries.

Moreover, Jason assists vendors and buyers in drafting and negotiating technology-related agreements that improve profitability, reduce expenses, minimize exposure to liability and reduce the time to close deals that are critical to the bottom line. He has drafted and negotiated agreements in licensing, technology transfer, manufacturing, distribution, supply, support, outsourcing, cloud hosting, data storage and processing, software and website development, R&D, joint development, and other areas. Notably, clients rely on Jason to help improve their contracting processes by evaluating current approaches so as to realize the full potential for ROI and by designing professional training programs that improve negotiating effectiveness.

Mark Kindelin, Barnes Thornburg Law Firm, Chicago, Corporate and Finance Law Attorney

Mark T. Kindelin is a partner in the Chicago office of Barnes & Thornburg LLP, where he is a member of the firm’s Corporate Department and chair of the Financial Institutions Practice Group.

Mr. Kindelin has counseled financial institutions for more than 27 years on a wide variety of regulatory, transactional and corporate matters. He advises banks on capital raising transactions, mergers and acquisitions, operational issues and general corporate matters. In addition, he has a unique specialty advising on treasury management issues,...