On May 13, 2014, the Consumer Financial Protection Bureau (“CFPB”) released a Proposed Rule Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley Act. Many financial institutions currently mail printed copies of the annual GLBA privacy notices to their customers, but have expressed concern that this practice causes information overload for consumers and unnecessary expense. In response to such concerns, the CFPB is proposing to allow financial institutions that do not engage in certain types of information-sharing activities to stop mailing an annual disclosure if they post the annual notices on their websites and meet certain other conditions.
The Proposed Rule would apply to various types of financial institutions that provide consumer financial products and services, and the CFPB is currently encouraging comments on the proposal through June 12, 2014. At this time, there is no clear date that the Proposed Rule might go into effect. The CFPB is expected to announce updates after the June 12, 2014 deadline for submission of comments.
Summary of the Proposed Rule
Specifically, the proposal would allow financial institutions to use the proposed alternative delivery method for annual privacy notices if the conditions below are met. Covered financial institutions should analyze whether they meet each of these criteria and may therefore qualify to use the alternative delivery method if and when the Proposed Rule goes into effect.
- the financial institution does not share the customer’s nonpublic personal information with nonaffiliated third parties in a manner that triggers GLBA opt-out rights;
- the financial institution does not include on its annual privacy notice an opt-out notice under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (FCRA);
- the financial institution’s annual privacy notice is not the only notice provided to satisfy the requirements of section 624 of the FCRA;
- the information included in the privacy notice has not changed since the customer received the previous notice; and
- the financial institution uses the model form provided in the GLBA’s implementing Regulation P.
A financial institution would still be required to use the currently permitted delivery method if the institution, among other things, has changed its privacy practices or engages in information-sharing activities for which customers have a right to opt out.
Compliance Step 1: Annual Statements to Customers
To comply with the rule as currently proposed, a financial institution would need to insert a clear and conspicuous statement, at least once per year, on a notice or disclosure issued under any other provision of law, e.g., as an insert with a billing statement. The statement must include the following information for customers:
- the privacy notice is available on the company’s website;
- it will be mailed to customers who request it by calling a toll-free telephone number; and
- the privacy notice has not changed since the customer received the previous notice.
Compliance Step 2: The Alternative Delivery Method via Website Post
To comply with the Proposed Rule, the financial institution would have to post the current model form continuously, in a clear and conspicuous manner, on a page of its website, without requiring a login or similar steps to access the notice.
To assist customers with limited or no access to the internet, a company would have to mail annual notices promptly to customers who request them by phone.
To access the Proposed Rule, see the following link: https://www.federalregister.gov/articles/2014/05/13/2014-10713/amendment-to-the-annual-privacy-notice-requirement-under-the-gramm-leach-bliley-act-regulation-p#p-14