The Consumer Financial Protection Bureau is proposing to amend Regulation P to implement an amendment to the Gramm-Leach-Bliley Act providing an exception under which certain financial institutions are not required to send customers annual privacy notices. As detailed below, the CFPB's proposal would provide guidance on delivery timing requirements and eliminate a current option to deliver notices via posting on a website.
In December, Congress amended the Gramm-Leach-Bliley Act such that financial institutions will not have to send an annual privacy notice to their customers if: (1) the institution only shares nonpublic personal information ("NPI") with nonaffiliated third parties in a way that does not require the institution to give consumers the choice to opt out (i.e., information shared pursuant to the joint marketing exception or servicing exceptions); and (2) the institution has not changed its policies since its most recent annual privacy notice to consumers. If the institution changes its policies regarding the use and sharing of NPI in a way that requires it to offer consumers the right to opt out, it must send the revised privacy notice to its customers before implementing the change. The statutory exception to the annual notice requirement is already effective.
As part of its proposal, the Bureau is proposing to provide timing requirements for delivery of annual privacy notices if a financial institution that qualified for this annual notice exception later changes its policies or practices in such a way that it no longer qualifies for the exception. The Bureau is also proposing to remove the Regulation P provision that allows for use of the alternative delivery method for annual privacy notices because the Bureau believes the alternative delivery method will no longer be used in light of the annual notice exception. Finally, the Bureau is proposing a technical correction to one of its definitions.
Comments are due 30 days from publication in the Federal Register.