Earlier this month, the Bureau of Consumer Financial Protection finalized amendments to the Gramm-Leach-Bliley Act (GLBA) Privacy Notice Regulations. And, it only took three years, which by Washington standards is actually pretty fast.
The GLBA and its implementing Regulation P require financial institutions to provide consumers with initial, annual and revised privacy notices describing how the company shares consumer information. In some circumstances, a company must give consumers the right to “opt out” of information sharing. These rules have been in place for a long time, and all financial institutions should be aware of the requirements.
As reported on our blog three years ago, President Obama signed a broad transportation bill—the Fixing America's Surface Transportation Act or “FAST Act.” Buried deep in the bill, in Section 75001, titled “Eliminate Privacy Notice Confusion,” Congress amended the GLBA to eliminate the annual privacy notice requirement for some companies. In December of 2015, we explained, “The law became effective immediately upon passage, but the CFPB (and other federal agencies) will need to amend their respective regulations to include this exception.” Well, the Bureau finally got around to making that change.
The amendment to Regulation P mirrors the language of the FAST Act. The key change is that a financial institution no longer must deliver an annual privacy notice if it (i) only shares consumer information within the GLBA listed exceptions (meaning the company does not give an opt-out right) and (ii) has not changed its information sharing practices from the most recent privacy notice. The amendment also addresses the timing of delivery of privacy notices for companies that no longer fall under the exception.
When the FAST Act passed, companies were left in limbo because the GLBA changed immediately but the implementing regulation did not, creating an inconsistency between the statute and its regulation. Many companies decided to stop sending annual privacy notices immediately, even with the regulatory inconsistency. But others still had concerns about violating a Bureau-enforced regulation. The good news is, finally—almost three years later—the GLBA and Regulation P are on the same page.
Usually when we write about regulatory changes on our blog, the punchline is that life will become more difficult for companies in the financial services industry. However, these changes will actually make life easier for some. If your company is still sending annual privacy notices, consult with your compliance team to see if the changes to Regulation P apply.
Practice Pointer: Financial institutions must still deliver initial and revised privacy notices describing the information sharing practices of the company, but in some circumstances, companies may eliminate the annual privacy notice.