On May 6, 2014, the Consumer Financial Protection Bureau ("CFPB") issued a proposed revision to Regulation P of the Gramm-Leach-Bliley Act ("GLBA").
By way of background, the CFPB was given privacy notice rulemaking authority in 2011 as part of the Dodd-Frank Wall Street Reform and Consumer Protection Act. Later that year, the CFPB implemented Regulation P, or the Privacy Notice Rule, of the GLBA, which stipulated that financial institutions mail to their customers initial and annual privacy notices setting forth the manner in which their customers' nonpublic personal information ("NPI") is collected and shared with other entities and whether such sharing may be limited by a customer "opt-out."
After receiving industry comments, which suggested that annual notices go largely unread and serve little benefit to customers of financial institutions sharing customer NPI within the parameters currently excepted by the GLBA (an estimated 75% of entities do not require an opt-out right), the CFPB has proposed a revision to Regulation P requiring financial institutions meeting certain criteria to "post the annual privacy notice in a clear and conspicuous manner on a page of its website, without requiring a login or similar steps to access the notice," rather than mail the annual notice to customers. Under the suggested amendment, financial institutions would be required to insert a statement at least once per year on any other required notice or disclosure, such as a monthly account statement, announcing that the privacy notice is available on the institution's website and by request via a toll-free telephone number, and that the privacy notice has not changed.
To qualify for this web posting option, however, financial institutions must meet the following requirements:
· A financial institution must not share NPI with nonaffiliated third parties in a manner that requires an opt-out right be provided to customers;
· The GLBA Privacy Notice must not include an opt-out pursuant to the Fair Credit Reporting Act;
· The GLBA Privacy Notice cannot be the only notice the financial institution provides to satisfy FCRA requirements;
· The GLBA Privacy Notice must not have changed since the last time it was provided to customers; and
· The GLBA Privacy Notice must use the model form regulators have developed to comply with the notice requirement.
If a financial institution does not meet all of the requirements listed above, it must continue to mail the GLBA Privacy Notice annually to its customers.
Harry A. Valetk
Of Counsel, New York
Tel: +1 212 626 4285