On December 4, 2015, President Obama signed into law the nearly 500-page Fixing America’s Surface Transportation Act, which included an amendment of the consumer privacy provisions within the Gramm-Leach-Bliley Act (the “Amendment”). The Amendment, which went into effect immediately, significantly reduces the need for financial institutions to provide an annual privacy disclosure to consumers that describes the financial institution’s privacy policies and practices. If a financial institution satisfies certain conditions (described below), it need not provide an annual privacy disclosure.
Existing Law. Regulation S-P (17 C.F.R. § 248.1 et seq.), adopted by the SEC pursuant to the Gramm-Leach-Bliley Act (the “GLBA”), implements the GLBA’s requirements with respect to privacy of consumer personal information for registered investment advisers, investment companies, and broker-dealers (each, a “financial institution”).
Regulation P (12 C.F.R. § 1016.1 et seq.), adopted by the Consumer Financial Protection Bureau (the “CFPB”) pursuant to the GLBA, similarly implements the GLBA’s requirements with respect to privacy of consumer personal information, but Regulation P applies to financial institutions, such as private funds, that are not subject to SEC or CFTC privacy regulations (each, also a “financial institution”).
Both Regulation S-P and Regulation P (together, the “Regulations”) require a financial institution to provide an initial notice to consumers describing its privacy policies and practices, including a description of the circumstances in which the financial institution may disclose nonpublic personal information of a consumer to third parties. Thereafter, as long as the customer relationship continues to exist, the Regulations required a financial institution to provide an annual privacy disclosure to its customers describing the financial institution’s privacy policies and practices.1
If a financial institution discloses nonpublic personal information about a consumer to nonaffiliated third parties, the Regulations generally require the financial institution’s privacy notice to (i) describe those data-sharing practices; (ii) provide a consumer the opportunity to opt-out of data sharing; and (iii) explain how the consumer may opt out of that disclosure. However, the Regulations also exempt certain kinds of third-party disclosures by a financial institution of nonpublic personal information of consumers from the opt-out requirement (each an “Exempt Category”). The principal Exempt Categories are:
- Disclosure to the financial institution’s nonaffiliated service providers to perform services on behalf of the institution (e.g., marketing services), provided the sharing is fully disclosed, the contract with each nonaffiliated service provider contains certain confidentiality provisions, and the initial notice provided by the financial institution includes certain specified information.
- Disclosure to the financial institution’s service providers, provided the disclosure is limited to nonpublic personal information as necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, or is in connection with maintaining or servicing the consumer’s account.
- Disclosure as required by law.
The Amendment. The Amendment eliminates a financial institution’s obligation to comply with the annual privacy disclosure requirement, as long as the financial institution satisfies two conditions:
- The financial institution does not disclose nonpublic personal information of consumers to third parties, other than disclosure permitted by Exempt Category; and
- The financial institution has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the most recent disclosure sent to consumers.
Implications. For those financial institutions that are able to satisfy the conditions of the Amendment, the Amendment should reduce compliance burdens and eliminate the expenses associated with providing the annual privacy disclosures to consumers. However, the Amendment should not be read as meaning that financial institutions no longer need to provide any privacy notice. Financial institutions are still required under the Gramm-Leach-Bliley Act to provide an initial privacy notice to consumers (for example, a private fund would still be required to provide a privacy notice to investors as part of its standard set of fund offering documents). Further, financial institutions that are unable to satisfy the conditions of the Amendment (for example, financial institutions that share consumers’ nonpublic personal information in connection with marketing activities, as opposed to sharing solely in connection with servicing consumer accounts) would still be required to provide annual privacy disclosures.
Regulation S-P and Regulation P are likely to be amended by the SEC and the CFPB, respectively, to conform the Regulations to the terms of the Amendment.