On December 4, 2015, President Obama signed the Highway Bill, dubbed Fixing America’s Surface Transportation Act (“FAST Act”), into law. Buried in the 490-page transportation law is a significant amendment to the Gramm-Leach-Bliley Act’s (“GLBA”) annual consumer privacy notice requirement. Specifically, section 75001 of the FAST Act, entitled “Eliminate Privacy Notice Confusion,” exempts from the annual GLBA privacy notice requirement those financial institutions that (i) only share nonpublic personal information pursuant to the vendor/service provider, joint marketing or general exceptions of GLBA (15 U.S.C. § 6802(b)(2) and (e)), or applicable agency regulations prescribed under 15 U.S.C. § 6804(b); and (ii) have not changed their disclosure policies and practices since their most recent consumer privacy notice. Companies that are subject to GLBA should revisit their obligations under the amended law to determine whether they are eligible for the exemption, which went into effect December 4, 2015.
The GLBA amendment seeks to lessen consumer confusion caused by annual consumer notices, and will also decrease the burden of issuing such notices on some companies. This follows a final rule issued by the Consumer Financial Protection Bureau (“CFPB”) last fall, permitting companies subject to CFPB oversight to post their privacy notices online rather than issue individual notices, to the extent that the companies limit data sharing and satisfy other requirements. As such, the FAST Act’s GLBA amendment provides particular relief for entities not subject to CFPB oversight, such as insurers and investment advisors.
The FAST Act also focuses regulatory attention on the cybersecurity of connected cars, directing the Secretary of Transportation to “assist in the development of cybersecurity research…to help prevent hacking, spoofing, and disruption of connected and automated transportation vehicles.” Further, the FAST Act initiates a study on the potential of the Internet of Things to improve transportation services, creates privacy rights relating to data stored in vehicle event data recorders, and addresses regulatory requirements regarding cybersecurity of the electric grid.