CFPB finalizes changes to GLBA annual privacy notice requirement
The CFPB has issued a final rule amending the provisions of Regulation P that implement the Gramm-Leach-Bliley Act (GLBA) annual privacy notice requirement. The final rule is intended to reflect the GLBA amendments made by the Fixing America’s Surface Transportation Act that exempted financial institutions meeting certain conditions from the annual notice requirement. The statutory exemption from the annual notice requirement became effective in December 2015. The amendments to Regulation P made by the final rule will be effective 30 days from the final rule’s publication in the Federal Register.
The final rule provides that a financial institution is not required to deliver a GLBA annual privacy notice if the financial institution (1) shares nonpublic personal information (NPPI) with nonaffiliated third parties only under one of the GLBA exceptions that do not trigger a customer’s opt-out rights (§ 1016.13, § 1016.14, or § 1016.15); and (2) has not changed its policies and practices with regard to disclosing NPPI from the policies and practices that were disclosed in the most recent privacy notice provided to the customer. Financial institutions that choose to take advantage of the annual notice exemption must still provide any opt-out disclosures required under the Fair Credit Reporting Act (FCRA), which can generally be provided in the initial privacy notice. In the Supplementary Information accompanying the final rule, the CFPB states that it does not interpret the second condition for using the annual notice exemption to include changes to a financial institution’s FCRA disclosures or changes to voluntary disclosures and opt-outs that are provided in the institution’s privacy notice.
The final rule includes timing requirements for providing annual privacy notices by a financial institution that no longer meets the conditions for the exemption. The timing requirements vary depending on whether the change that causes the institution to no longer satisfy the conditions for the exemption also triggers a requirement under Regulation P to provide a revised privacy notice. Under Regulation P, a financial institution must provide revised notices before it begins to share NPPI with a nonaffiliated third party if such sharing would be different from what the institution described in the initial privacy notice it delivered.
The final rule also removes the alternative delivery method for GLBA annual privacy notices that Regulation P (pursuant to a 2014 amendment) allowed financial institutions to use if they met certain conditions. Since any financial institution that met the conditions for using the alternative delivery method would meet the conditions for the statutory exemption, the CFPB believes an institution with both options available to it would choose not to provide an annual privacy notice at all rather than provide it using the alternative delivery method. However, the CFPB indicates in the Supplementary Information that financial institutions that qualify for the annual notice exemption can still, without affecting their eligibility for the exemption, choose to post privacy notices on their websites, provide privacy notices to consumers who request them, and notify consumers of the notices’ availability.