The Consumer Financial Protection Bureau (“CFPB”) has issued a proposed rule that would eliminate the requirement for banks and other financial institutions subject to CFPB jurisdiction to deliver an annual privacy notice to their customers, provided the institutions take certain privacy-protective measures. The CFPB proposal demonstrates that the agency is following up on its 2011 streamlining initiative, in which it solicited comment on possible alternatives to delivering the annual privacy notice, and recognizes at least to some extent the online world that most consumers now embrace.
Presently, financial institutions are required under Regulation P, which implements the financial privacy requirements of the Gramm-Leach-Bliley Act (“GLBA”), to provide customers with an annual notice that describes how they use and share nonpublic personal information. These notices are typically delivered through paper mailings although with appropriate customer consent, can be sent electronically. If an institution shares its customers’ information with unaffiliated third parties and an exception (such as service provider sharing) does not otherwise apply, it generally must, at the beginning of the customer relationship and as part of the annual notice, provide customers with an opportunity to opt out from the sharing.
Under the proposal, a financial institution could post its privacy notice online instead of distributing an annual paper copy, as long as the institution did not share information in a way that would trigger customers’ opt-out rights. Accordingly, the proposal provides an incentive for covered financial institutions to limit their data-sharing practices. In addition, to be able to rely upon the online posting method, financial institutions will need to use the federal model privacy form and to provide customers with an annual disclosure stating that (i) the institution’s privacy notice has not changed, (ii) the notice is available on the institution’s website, and (iii) the customer may request a mailed copy of the notice by calling a toll-free number. However, unlike the separate mailing that is required now, institutions will be able to include this information as an insert in a monthly billing statement or other communication.
Financial institutions that intend to share nonpublic personal information with unaffiliated third parties would continue to be required to annually distribute the separate privacy notice in full. The proposed rule does not otherwise propose substantive revisions to the Regulation P framework.
The CFPB has estimated that using the online delivery method will save the industry $17 million annually.