On October 17, 2014, the Consumer Financial Protection Bureau (CFPB) finalized a rule allowing financial institutions, under certain circumstances, to provide their privacy notices online, rather than through mail to each customer individually.  The primary purpose of the new rule is to reduce unduly burdensome regulations on financial institutions, and the CFPB believes that it will save the industry approximately $17 million annually.

New Law

The Gramm-Leach-Bliley Act (GLBA) currently mandates that financial institutions provide initial and annual notices to their customers regarding the institution’s privacy policy.  Additionally, if the institution shares a consumer’s nonpublic information with unaffiliated third parties, both the GLBA and the Fair Credit Reporting Act (FCRA) require the institution to notify the consumer of that disclosure and, generally, provide an opportunity to opt out of the sharing.

In the past, financial institutions typically have mailed these notices.  However, under the CFPB’s new rule, a financial institution may post its annual privacy notice on its website if it meets the following requirements:

  • The financial institution’s information sharing practices do not trigger opt-out rights under GLBA or FCRA;
  • The financial institution has previously provided opt-out notices required by FCRA, if applicable, or the annual privacy notice is not the only notice provided to satisfy those requirements;
  • Information included in the privacy notice must not have changed since the customer’s receipt of the previous notice; and
  • The financial institution uses the model form provided in Regulation P.

Additionally, to use this alternative method, the financial institution must comply with several other provisions to make customers aware of the annual privacy notice, such as:

  • Continuously posting the annual privacy notice in a clear and conspicuous manner on a page of its website, without requiring a login or similar steps or agreement to any conditions to access the notice; 
  • Mailing annual notices to customers who request them by telephone, within ten days of the request;
  • Inserting a clear and conspicuous statement at least once per year on an account statement, coupon book, or a notice or disclosure the institution issues under any provision of law.  The statement must inform customers that the annual privacy notice is available on the financial institution’s website, that the institution will mail the notice to customers who request it by calling a specific telephone number, and that the notice has not changed.


Aside from the cost savings that paperless notice will provide financial institutions, the CFPB cited several other benefits that will result from the implementation of the new rule.  The CFPB expects that consumers will benefit by having constant access to privacy policies online as opposed to the once-per-year paper copies they had received in the past.  Additionally, the CFPB hopes the new rule will provide incentives for financial institutions to limit sharing of consumers’ nonpublic personal information, because institutions that share data with unaffiliated third parties in a way that triggers customers’ rights to opt out are no longer eligible to use the alternative delivery method.