As part of the Fixing America’s Surface Transportation Act (FAST Act), President Obama recently signed into law an amendment to the Gramm-LeachBliley Act (GLBA) that would eliminate the annual privacy policy notice (Annual Notice) requirement for certain financial institutions. These changes, which follow a similar move by the Consumer Financial Protection Bureau (CFPB), will ease an existing regulatory burden and allow many financial institutions to avoid providing customers with Annual Notices.


Title V of the GLBA requires financial institutions—including depository institutions, registered investment companies, U.S. private funds, registered investment advisers and securities broker-dealers—to protect the nonpublic personal information (NPI) that they receive and to disclose their policies for collecting, using and disclosing NPI. Under the GLBA, financial institutions generally must provide their customers with: (1) an initial privacy notice with appropriate disclosures, at the time of establishing a customer relationship and (2) Annual Notices thereafter.1

The FAST Act eliminates the Annual Notice requirement, provided two conditions are met:

  • First, the financial institution must only share NPI within the GLBA-listed exceptions that do not trigger the opt-out right. If the information sharing practice falls under one of these exceptions, the financial institution need not provide consumers the right to “opt-out” of such information sharing. Among the GLBA-listed information sharing arrangement exceptions are the following:
    • With non-affiliated third parties for the purposes of performing services for or functions on behalf of the financial institution;
    • As necessary to effect, administer or enforce a transaction requested or authorized by the consumer;
    • To protect the confidentiality or security of the financial institution’s records against fraud and for institutional risk control purposes;
    • To provide information to insurance rate advisory organizations, ratings agencies, the institution’s attorneys, accountants and auditors or others determining compliance with industry standards;
    • To consumer reporting agencies; and
    • To comply with applicable federal, state or local laws or rules.
  • Second, the financial institution must not have changed its policies or procedures with respect to the disclosure of NPI since the last privacy notice was provided to its consumers.

Thus, a financial institution would only be required to provide an Annual Notice if it changes its privacy policies or discloses NPI to non-affiliated third parties in a manner that triggers an opt-out right.


The FAST Act amendments come on the heels of the CFPB’s rule (Final Rule) amending Regulation P, which applies principally to depository institutions, to permit “alternative delivery methods” for Annual Notices (such as notifying consumers in their account statement of the availability of the institution’s privacy policy on its website).2 The Final Rule required covered institutions seeking to take advantage of the alternative delivery methods to meet certain pre-conditions, including both of the requirements set forth in the FAST Act.

The changes in Regulation P are likely to be supplanted by the FAST Act exception, given that the FAST Act allows firms to avoid Annual Notices altogether and given that the FAST Act’s changes apply to all financial institutions and not exclusively those subject to the CFPB’s Regulation P.