• CFPB Issues Final Rule on Annual Privacy Notices
  • November 28, 2014 | Authors: Peter L. Cockrell; Brett M. Kitt; Gil Rudolph; J. Scott Sheehan
  • Law Firms: Greenberg Traurig, LLP - McLean Office ; Greenberg Traurig, LLP - Washington Office ; Greenberg Traurig, LLP - Houston Office
  • On October 20th, the CFPB issued a final rule that will permit financial institutions subject to the CFPB’s Regulation P, which implements the Gramm-Leach-Bliley Act’s privacy provisions (GLBA), to provide their customers with the annual privacy notice by an alternative method. Under GLBA, financial institutions must provide their customers with initial and annual notices regarding their privacy policies. Currently, most financial institutions mail printed copies of annual privacy notices to their customers. To address concerns that this practice is unhelpful to consumers and produces unnecessary costs for financial institutions, the CFPB issued a proposed rule in May 2014 that would permit financial institutions to provide annual privacy notices to their customers by posting them on their websites, so long as certain other conditions are met. The CFPB has finalized the rule largely as proposed.

    To provide the annual privacy notice by this alternative method, a financial institution must first satisfy the following requirements: (1) the financial institution’s information sharing practices must not trigger a GLBA opt-out right; (2) the financial institution must otherwise have complied with the Fair Credit Reporting Act’s opt-out notice requirements, if applicable; (3) the information included in the privacy notice must not have changed since the customer received the previous notice; and (4) the financial institution must use the model form provided in Regulation P as its annual privacy notice.

    In addition, to take advantage of the new alternative method, the financial institution must continuously post the annual privacy notice in a clear and conspicuous manner on its website. It must also provide customers with limited or no access to the Internet with a means to request a copy of the privacy notice. Finally, it must provide a clear and conspicuous statement to customers at least once per year on some other required disclosure that informs customers that: (1) the privacy notice is available online; (2) the institution will mail the notice to customers who request it; and (3) the notice has not changed.

    In the event a financial institution changes its privacy practices or engages in information-sharing activities for which customers have an opt-out right, the financial institution is still obligated under the new rule to send the annual privacy notice by mail.

    Note that this rule only applies to financial institutions subject to the CFPB’s Regulation P. Thus, entities subject to GLBA as implemented by the SEC, CFTC and FCC may not utilize this alternative method for providing their customers with the annual privacy notice.

    The rule became effective October 28, 2014.