CFPB Issues Final Rule on Gramm-Leach-Bliley Act Annual Privacy Notices

Alan Kaplinsky
Ballard Spahr LLP
Contact
LinkedIn
Facebook
X
Send
Embed

The Consumer Financial Protection Bureau has issued a final rule that amends Regulation P to allow financial institutions that meet certain requirements to deliver annual privacy notices to their customers using an alternative online delivery method. The rule will be effective immediately upon its publication in the Federal Register.

Under the Gramm-Leach-Bliley Act (GLBA), which Regulation P implements, financial institutions must provide initial and annual privacy notices that inform customers about the sharing of their nonpublic personal information (NPPI) with third parties.

Financial institutions have typically mailed these notices. Under the CFPB’s final rule, a financial institution that meets the requirements described below will be able to save on mailing costs by posting its annual privacy notice on its website. While offering potential benefits to banks and nonbanks, the CFPB’s final rule does not amend separate GLBA regulations that have been issued by the Securities and Exchange Commission, the Commodities Futures Trading Commission, or the Federal Trade Commission (FTC).

This means the CFPB’s final rule will not apply to an entity that is subject to the GLBA regulations of these other agencies. For example, auto dealers for whom the FTC has GLBA rulewriting authority would not be able to take advantage of the final rule. (The CFPB indicated in the final rule’s supplementary information that as mandated by the GLBA, it conferred with these other agencies concerning the alternative delivery method.)

Under the final rule, a financial institution can use the alternative online delivery method for its annual privacy notice if it:

  • Does not share the customer’s NPPI with nonaffiliated third parties in a manner that triggers GLBA opt-out rights.
  • Does not include in its annual privacy notice the notice and opt-out right regarding the sharing of certain customer information with affiliates as described in Section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (FCRA).
  • Shares certain customer information with an affiliate and has previously provided the customer with the notice and opt-out right described in FCRA Section 624 regarding the affiliate’s use of such information for marketing purposes (affiliate marketing notice), or the annual privacy notice is not the only notice used by the institution to provide the affiliate marketing notice.
  • Had no change in the information in its annual privacy notice since it provided the most recent notice (whether initial, annual, or revised) to the customer, other than to eliminate categories of information the institution discloses or categories of third parties to whom it discloses information.
  • Provides an annual notice that follows the Regulation P model form.
  • Provides a clear and conspicuous annual statement “on any account statement, coupon book, or a notice or disclosure [it is] required or expressly permitted to issue to the customer under any other provision of law.” This statement must inform the customer that the annual privacy notice is available on the financial institution’s website, will be mailed at the customer’s request, and has not changed, and include a specific Web address that links directly to the page where the privacy notice is posted and a telephone number for the customer to request that the notice be mailed. The notice must be mailed within 10 days of receiving a telephone request. (The rule includes an example of a statement that satisfies these requirements.)
  • Posts its annual privacy notice continuously and in a clear and conspicuous manner on a page of its website where the notice is the only content and does not require the customer to provide a login name, password, or other information or agree to any conditions to access the page.

A financial institution that cannot satisfy these conditions must continue to send its annual privacy notices using the currently permitted delivery methods, either mailing written notices or sending notices electronically to customers who have agreed to receive electronic disclosures.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising

Written by:

Ballard Spahr LLP
Ballard Spahr LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Ballard Spahr LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide