• The CFPB Making Life Easier One Stamp at a Time: Post your GLBA Privacy Notice Online.
  • March 23, 2015 | Author: Samuel D. Friedman
  • Law Firm: Sirote & Permutt, P.C. - Birmingham Office
  • See, the CFPB can make life easier.

    In our blog, we have written numerous articles on how the ‘brave new world' of CFPB regulatory oversight is a struggle for consumer finance companies. So, when the CFPB does something to lighten the burden, it is only fair that we write about it as well.

    All finance companies—and other financial institutions— (hopefully) know that the Gramm-Leach-Bliley Act (GLBA) and its accompanying Regulation P require companies to give initial, annual and revised privacy notices. Additionally, a company's privacy notice may include Fair Credit Reporting Act (FCRA) opt-out notices as well. Several years ago, the FTC and federal banking agencies published the Model Privacy Form covering the GLBA and FCRA disclosures, which we have discussed in detail here.

    In October 2014, the CFPB amended Regulation P to allow for online delivery of annual privacy notices in certain circumstances. Prior to these amendments, most companies delivered the annual privacy notice by mail. However, as the CFPB noted, “[T]his practice causes information overload for consumers and unnecessary expense.” Additionally, CFPB Director Richard Cordray noted in the CFPB press release, “Posting privacy notices online will make it easier for consumers to access these important policies, while also making it cheaper for financial institutions to provide disclosures.”

    Thus, with the “goal of reducing unnecessary or unduly burdensome regulations,” the CFPB now allows financial institutions to post annual privacy notices online if:
    1. The company provides an initial privacy notice using the Model Privacy Form.
    2. The company makes the required FCRA disclosures.
    3. The company is not required to give an opt-out notice for sharing consumer information with nonaffiliates (under the GLBA) or for affiliate marketing (under the FCRA).
    4. The company has not changed information in its privacy form (unless the change benefits consumers).
    If the company meets the requirements it can post the annual privacy notice online if:
    1. At least annually, the company lists on an account statement, coupon book or other required notice that the privacy notice is available at the company's website and will be mailed upon telephone request. The disclosure also must include (i) a statement that the privacy notice has not changed, (ii) a url that takes the customer to the privacy notice, and (iii) a telephone number for the customer to request that it be mailed.
    2. The privacy notice is the only content on the web page.
    3. The applicable web page is accessible without a login or password and the customer is not required to agree to any terms or conditions before accessing the page.
    4. When the customer does request a mailed form, it must be sent within 10 days.
    At this point, this rule only applies to annual privacy notices, not initial notices. But, for companies that can take advantage of the new amendments, this is a big deal because it can potentially save paper, stamps and, most importantly, money.