CFPB proposal activates annual privacy notice exceptions

July 5, 2016 -- Exceptions to an annual privacy notice requirement for financial institutions under certain conditions, and which implement a change in the law enacted late last year, has been proposed by the CFPB in an amendment to Regulation P.

The CFPB’s proposal implements a statutory change Congress adopted in December under the Fixing America’s Surface Transportation Act (FAST Act). The proposal would amend Regulation P, which itself implements the Gramm-Leach-Bliley Act (GLBA), and which requires, among other things, that financial institutions provide an annual notice describing their privacy policies and practices to their customers. Additionally, financial institutions that share certain consumer information with particular types of third parties are required to provide customers with an opportunity to opt out of this information sharing via the annual notice.

Under the bureau’s proposal, financial institutions would have to meet certain conditions in order to be granted the exceptions from providing the privacy notices. Among the conditions:

  • The financial institution must not share nonpublic personal information about customers except as otherwise provided;
  • The financial institution must not have changed its policies and practices with regard to disclosing nonpublic personal information from those that the institution disclosed in the most recent privacy notice sent.

Also under the CFPB proposal, the “alternative delivery method” would be eliminated. The alternative allows financial institutions that meet certain conditions to provide an annual privacy notice to customers electronically instead of by U.S. Postal mail.

According to a new NASCUS summary of the proposal, the bureau proposed eliminating the requirement because financial institutions that satisfy the requirements for the alternative delivery method would also satisfy the requirements for the annual privacy notice exception.  The Bureau believes that in those instances, a financial institution will opt to take advantage of the exception from the notice requirement.

NASCUS summary, CFPB proposed amendments to Reg P (on annual privacy notices)