January 28, 2023

Volume XIII, Number 28

Final Rule Updates Regulation P With Exemptions From Annual Notice Requirements

The Bureau of Consumer Financial Protection (the “Bureau”) is amending its Regulation P requirements governing annual notices that financial institutions must provide to their customers describing their privacy policies and practices. These long-awaited amendments implement 2015 amendments to the Gramm-Leach-Bliley Act (GLBA) that permit financial institutions that meet specified criteria to be exempted from the annual notice obligation. The final rule will take effect on September 17, 2018.

As a general rule, the GLBA requires financial institutions to send annual privacy notices to all customers, describing the institution’s privacy practices and permitting customers to opt out of the institution’s practice of sharing certain nonpublic personal information (NPPI) with third parties. In December 2015, Congress amended the GLBA to permit financial institutions satisfying specified criteria to be exempt from the annual notice requirement. In particular, if a financial institution restricts its sharing of information such that it does not trigger a customer’s right to opt out, and has not changed its privacy notice from the one previously delivered to its customers, the GLBA exempts the institution from the requirement to keep sending annual notices. Although the statutory exemption from the annual notice requirement became effective in December 2015, the newly promulgated amendments to Regulation P now implement that statutory amendment. The final rule also establishes deadlines for institutions required to resume providing annual privacy notices after their practices change from those described in their most recent privacy notice.

Under the revised Regulation P, financial institutions are not required to deliver the annual privacy notice to customers if the institution satisfies both of these criteria:

  1. The institution shares NPPI with nonaffiliated third parties only under one of the GLBA statutory safe harbors that do not trigger a customer’s right to opt out of such sharing; and
  2. The institution has not changed its NPPI disclosure policies and practices from the policies and practices in the institution’s most recent annual notice to customers.

Note that neither the 2015 GLBA amendments nor Regulation P exempt financial institutions from all disclosure obligations. To the extent that the Fair Credit Reporting Act (FCRA) separately requires an opt-out disclosure be provided, each institution must continue to comply with that obligation regardless of the changes to the GLBA and Regulation P. The Bureau indicates that the following does not constitute a change to the institution’s NPPI policies and practices that would require issuance of a new annual notice under the GLBA: (a) making changes to a financial institution’s FCRA disclosures, or (b) making changes to voluntary disclosures and opt-outs that were provided in the institution’s most recent privacy notice. In particular, “the Bureau has determined that disclosures describing sharing with affiliates under FCRA section 624 or voluntary disclosures and opt-outs will not affect a financial institution’s eligibility for the annual privacy notice exception” under the GLBA amendments and revised Regulation P.

The Bureau also noted that the GLBA already requires financial institutions to provide a revised notice to consumers before implementing certain types of changes, whereas in other cases the law simply requires that the content of the next regular annual notice provided to customers be updated. Consistent with this approach, the timing requirements in the revised Regulation P differ depending on whether the change that causes the institution to no longer satisfy the conditions for the exception also triggers a requirement under existing Regulation P to deliver a revised notice. In particular, Regulation P already requires a financial institution to provide revised notices before it begins to share NPPI with a nonaffiliated third party if that sharing would differ from what was described in the initial privacy notice delivered to the customer. Under the revised Regulation P, institutions that lose the exemption for reasons that would trigger this prior notice requirement will also be required to resume providing the annual notices before implementing the change. Otherwise, the institution must resume sending the annual notices within 100 days after making the change.

© 2023 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.

National Law Review, Volume VIII, Number 247

About this Author

Dan Brown, insurance lawyer, Drinker Biddle

Dan Brown represents insurance companies, agents and brokers, and others in all aspects of the admitted, exempt, and surplus lines insurance markets in the United States. This includes advising alien or foreign insurers on how to comply with various state laws in placing business; advising insurers on exempt and specialty lines such as marine, aviation, and transportation risks; advising producers on licensing, placement and premium tax issues; and advising insureds on coverage and placement issues. Dan advises participants in the London market on how to...

(415) 591-7585
Katherine Armstrong, Drinker Biddle Law Firm, Washington DC, Data Privacy Attorney

Katherine E. Armstrong is counsel in the firm’s Government & Regulatory Affairs Practice Group where she focuses her practice on data privacy issues, including law enforcement investigations, and research and analysis of big data information practices including data broker issues.

Katherine has more than 30 years of consumer protection experience at the Federal Trade Commission (FTC), where she served in a variety of roles, including most recently as a Senior Attorney in the Division of Privacy and Identity Protection. In the Division of...

Jeremiah Posedel, Privacy & Data Security lawyer, Drinker Biddle

Jeremiah Posedel assists clients in two distinct but overlapping domains: (i) information technology transactions and (ii) information privacy and security. First, Jeremiah advises on and negotiates a wide array of transactions involving the acquisition, development and leveraging of information technology assets, including hardware, software and database licensing, outsourcing and cloud-based services arrangements, and system implementation and support agreements. Second, Jeremiah counsels clients on domestic and international privacy and security...