Why it matters
Historically, the notice has been provided in an annual mailing.
Under the new rule, which largely tracks a proposal issued earlier this year, the CFPB established an alternative delivery method for annual privacy notices if certain requirements are met.
First, no opt-out rights can be triggered by the institution’s data-sharing practices or if required opt-out notices have already been provided; second, certain material information included in the privacy notice must not have changed since receipt of the prior notice; and finally, the financial institution must use the model form provided in Regulation P.
Additional requirements regarding availability of the notice include posting it “in a clear and conspicuous manner” on a page of the institution’s website without the need for a login or agreement to any conditions for access. To make customers aware that the annual privacy notice is available online, financial institutions “must insert a clear and conspicuous statement at least once per year on an account statement, coupon book, or a notice or disclosure the institution issues under any provision of law,” the CFPB said.
This statement must explain to customers that the annual privacy notice is available on the institution’s website, that a physical copy can be obtained by making a request (with phone number provided), and that the notice itself hasn’t changed. If a customer requests a hard copy by phone, it must be provided within 10 days.
When a financial institution changes its privacy notice or policy on information sharing triggering a customer opt-out right, then it must revert to the pre-rule delivery methods.
The CFPB characterized the final rule as a win-win for consumers and financial institutions, with consumers receiving 24/7 access to privacy policies, educating them about the various types of privacy policies and potentially limiting the amount of an institution’s data sharing with third parties to avoid having to send additional notices, while institutions benefit from reduced costs.
“Consumers need clear and accessible information about how their personal information is being used in the marketplace, but some of these requirements were redundant,” CFPB Director Richard Cordray said in a statement. “Posting privacy notices online will make it easier for consumers to access these important policies, while also making it cheaper for financial institutions to provide disclosures.”
To read the final rule, click here.