The Consumer Financial Protection Bureau (CFPB) has finalized a proposed rule that will eliminate the need for certain financial institutions to mail annual privacy notices to their customers, so long as the institutions publish their privacy notices online and engage only in limited sharing of customer information. 

As we previously reported, to be able to rely on the online posting method to satisfy privacy notice requirements under the Gramm-Leach-Bliley Act (GLBA), a financial institution must:

  • Use the federal model privacy form adopted by federal regulators under GLBA;
  • Not engage in information sharing that triggers customer opt-out rights under GLBA (i.e., sharing with unaffiliated third parties outside of certain exceptions) or Section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (i.e., sharing creditworthiness information with affiliates); and
  • Provide customers with an annual disclosure, which can be included in an account statement, coupon book, or other notice or disclosure, that includes the Web address at which the privacy notice can be found, a telephone number for the customer to request a mailed notice, and a statement that the institution’s privacy notice has not changed.

The rule, which will become effective upon publication in the Federal Register, applies to banks and nonbank financial institutions for which the CFPB has rulemaking authority under GLBA (and thus does not extend to financial entities regulated by the Securities and Exchange Commission, the Commodity Futures Trading Commission, or state-regulated insurance companies).