The Consumer Financial Protection Bureau (CFPB) recently adopted a final rule that will permit certain financial institutions to post on their websites the annual privacy notice required under Regulation P rather than mailing the notice to their customers. The final rule became effective on Oct. 28, the date it was published in the Federal Register.

The CFPB noted in the preamble to the final rule that it intends for the new electronic delivery method to reduce information overload for consumers caused by duplicative mailings of paper privacy notices. Under this alternative delivery method, a financial institution may post its privacy notice on its website rather than mail a hard copy to its customers if:

  • the financial institution uses the CFPB’s model privacy form; 
  • the financial institution does not disclose a customer’s nonpublic personal information to nonaffiliated third parties in a manner that triggers opt-out rights under Regulation P; 
  • the financial institution does not include on its annual privacy notice an opt-out notice under Section 603 of the Fair Credit Reporting Act (FCRA); 
  • the financial institution has already provided any required “affiliate marketing” opt-out notice required under section 624 of the FCRA, or uses a method other than website posting to provide this “affiliate marketing” opt-out notice; and 
  • the information in the financial institution’s privacy notice has not changed since the customer’s receipt of the prior notice.

To use the alternative delivery method, the financial institution must:

  • continuously post its annual privacy notice in a clear and conspicuous manner on a page of its website, without requiring a login or similar restriction on access;
  • provide a web address that directly accesses the page that contains the privacy notice without requiring the customer to click on any links; and 
  • mail annual notices to customers who request them by telephone, within ten days of the request.   

To make customers aware that its annual privacy notice is available through these means, the institution must insert a clear and conspicuous statement at least once per year on an account statement, coupon book, or a notice or disclosure that it issues to its customers under any provision of law. The statement must:

  • inform customers that the annual privacy notice is available on the financial institution's website; 
  • state that the institution will mail the notice to customers who request a copy by calling a specific telephone number; and 
  • inform customers that the notice has not changed.   

The CFPB estimates the final rule may reduce the cost of providing annual privacy notices and opt-out notices under Regulation P for all financial institutions by at least $17 million. Each financial institution should consider whether it is eligible to use these streamlined disclosures so that it too can benefit from these reduced costs.