The Consumer Financial Protection Bureau ("CFPB") recently amended Regulation P, which requires – in connection with the Gramm-Leach-Bliley Act – that financial institutions provide an annual disclosure of their privacy policies to their customers. The amendment allows covered financial institutions to post annual privacy notices on their websites if they satisfy certain requirements. Previously, many financial institutions were required to send their annual privacy notices to customers. These notices describe, among other things, whether and how institutions shared their customers' nonpublic, personal information with nonaffiliated third parties. The CFPB has estimated that the amended rule allowing online disclosures could save the financial services industry about $17 million each year. View the CFPB's summary and analysis of Regulation P here.

Requirements For Online Privacy Disclosures

The amended rule allows online privacy disclosures if a financial institution satisfies the following requirements:

• The financial institution does not share its customer's nonpublic personal information with nonaffiliated third parties (which would otherwise trigger opt-out rights on the part of the customer). 

• Opt-out notices pursuant to Section 624 of the Fair Credit Reporting Act ("FCRA"), which are triggered when a qualifying financial institution shares nonpublic, personal information with an affiliate, have previously been provided to customers by the financial institution, or the annual privacy notice is not the only notice provided to satisfy those requirements. 

• The information included in the privacy notice has not changed since the customer received the previous notice. 

• The financial institution uses the model form provided in Regulation P as its annual privacy notice. View the model form here.

Implementation And Use Of New Method For Noticing Consumers

In order to use this new, alternative method of providing notice to customers, a financial institution must continuously post its annual privacy notice in a clear and conspicuous manner on its website, without requiring a login or similar steps, or any customer agreement to any conditions, to access the notice. Those customers that have limited or no access to the Internet have the right to request that the financial institution resume mailing annual notices. In such an event, the financial institution must resume mailing the annual notices within 10 days of the customer's request.

Additionally, the amended rule requires that financial institutions choosing to post online privacy notices must make their customers aware of the online privacy notice by inserting a clear and conspicuous statement at least once per year on an account statement, coupon book, or written notice or disclosure that the institution issues in satisfaction of any other legal requirement. The statement must also inform the institution's customers that they have the right to request that the annual privacy notice be sent via mail, and provide a telephone number where customers can make such a request.

Online Privacy Notices May Be Discontinued

Notably, if a financial institution later changes its privacy practices, or subsequently engages in sharing a customer's nonpublic, personal information with nonaffiliated third parties, the financial institution must resume sending annual privacy notices through the mail and must describe in the notice whether and how the financial institution shared information with those nonaffiliated third parties.