The CFPB has proposed allowing financial institutions to forgo mailing annual privacy notices by posting such notices online, if the financial institution meets certain conditions. While the proposal is welcome, it needs clarification to ensure that it actually provides the intended relief of easing the burden imposed by the annual privacy notice requirement under the Gramm-Leach-Bliley Act.


Financial institutions currently mail a separate privacy notice every year to each customer.  The proposed amendment to the GLBA Privacy Rule would allow institutions that meet certain requirements, such as using the CFPB's Model Privacy Notice, to post the privacy notice online and include a reminder of the notice’s availability in regular mailings to consumers once per year.

The proposed amendment, however, does not acknowledge that most institutions have tailored the Model Notice to fit each institution’s policies and circumstances. This creates ambiguity with regard to whether such institutions may take advantage of the proposal and online notifications.

In addition, the alternative delivery method would not be available to financial institutions that offer consumers an opportunity to opt out of affiliate sharing under FCRA § 603(d)(2)(A)(iii), greatly diminishing the proposal's usefulness.

Comments are due 30 days from the proposal’s publication in the Federal Register.

Current Requirements

Financial institutions are required to provide an initial privacy notice to consumers when such institutions establish a customer relationship with a consumer, and to mail another copy of the privacy notice to their customers each year.  These notices must alert consumers to the institution’s privacy policy, including whether and how the institution shares consumers’ nonpublic personal information.  For example, an institution must typically notify consumers if it shares nonpublic personal information with unaffiliated third parties and how to opt out of such sharing.

The Proposal

Under the proposed amendment, a financial institution would be allowed to post its privacy notice online rather than mailing the notice, if the institution meets the following conditions:

  • it does not share information with unaffiliated third parties except for the purposes permitted under 12 C.F.R. §§ 1016.13, 1016.14, and 1016.15;
  • it does not provide consumers with an opportunity to opt out of the sharing of consumer report information among affiliates under FCRA § 603(d)(2)(A)(iii) (under the CFPB's GLBA Privacy Rule, if an institution offers an FCRA affiliate sharing opt-out, it must include that opt-out in its annual privacy notice);
  • if it provides an affiliate marketing opt-out under FCRA § 624, it also provides consumers with an opportunity to exercise that opt-out outside its annual privacy notice;
  • it has not changed its privacy policy since it last provided an annual notice to its customers; and
  • it uses the CFPB’s Model Privacy Notice.

Under the proposal, financial institutions that do not mail an annual notice would be required to clearly and conspicuously notify consumers where the notice can be found, and to promptly mail to consumers a notice upon their request at a toll-free telephone number.

The Missing Piece

Although many financial institutions use the CFPB’s Model Privacy Notice, many of these institutions have slightly modified the Model to tailor it to their specific circumstances. The CFPB has made clear that such modifications, however minor, may mean that the financial institution will not be entitled to the safe harbor afforded by the Model Privacy Notice.  See 12 CFR part 1016, App. B(1)(b) (“Institutions seeking to obtain the safe harbor through use of the model form may modify it only as described in these Instructions.”). As long as the notice is consistent with the requirements of the GLBA Privacy Rule, however, the agency should not take issue with the notice.  See 74 Fed. Reg. 62890, 62890 (Dec. 1, 2009) (final rulemaking notice) (“While the model form provides a legal safe harbor, institutions may continue to use other types of notices that vary from the model form so long as these notices comply with the privacy rule.”).

Under the proposal, however, using the Model would become a requirement for institutions seeking to use the alternative delivery method, and the proposed amendment is unclear as to whether and to what extent financial institutions could modify the Model Privacy Notice and still take advantage of the alternative delivery method. If institutions seeking to use the alternative delivery method are held to the same standard as institutions seeking to use the safe harbor, those institutions will not be permitted to vary from the Model Notice at all beyond what the Instructions to the Model Notice specifically allow.

Below please find links to the CFPB’s Press Release and Proposed Rule.

CFPB Press Release:

CFPB Proposed Rule: