On May 6, 2014, the Consumer Financial Protection Bureau (“Bureau”) proposed changes to Regulation P, the rule that implements the consumer financial privacy provisions of the Gramm-Leach-Bliley Act. The proposal would “promote more effective privacy disclosures” to consumers and eliminate unnecessary costs to financial institutions by allowing a financial institution to post its annual privacy notice online, rather than requiring such notices to be delivered to customers individually, provided that the institution engages in limited sharing of consumer information and meets certain other requirements.
Regulation P currently requires that a financial institution provide its customers with an annual privacy notice that describes whether and how the institution shares consumers’ nonpublic personal information and whether the consumer may opt out of such sharing. Typically, financial institutions mail the required annual notices to their customers, though Regulation P also permits institutions to deliver the annual notice electronically with a customer’s consent. Under the proposed rule, a financial institution would be permitted to use an “alternative delivery method” for annual privacy notices if it meets certain conditions. The alternative delivery method would require that the financial institution (i) post its current privacy notice continuously on its website, (ii) notify customers at least once annually (on another disclosure or notice required or permitted by law, such as a periodic statement) that the privacy notice is available on the website and that a copy will be mailed to a customer upon request, and (iii) mail the privacy notice to a customer that requests it.
The proposed alternative delivery method would be available to a financial institution that satisfies the following conditions:
- The financial institution does not share the customer’s nonpublic personal information with nonaffiliated third parties other than under the Regulation P exceptions for permissible sharing with such parties (e.g., information sharing with service providers or pursuant to a joint marketing agreement).
- The financial institution does not include on its annual privacy notice an opt-out notice under the Fair Credit Reporting Act (FCRA), which excludes from FCRA’s definition of “consumer report” the sharing of certain information about a consumer among affiliated institutions if the consumer is notified of such sharing and is given an opportunity to opt out.
- The financial institution’s annual privacy notice is not the only notice provided to satisfy the requirements of the “Affiliate Marketing Rule” under FCRA, which provides that an affiliate of a financial institution may not use certain information obtained from the institution for marketing purposes without notifying the consumer and providing the consumer the chance to opt out.
- The information included in the privacy notice has not changed since the institution provided the customer with its previous privacy notice.
- The financial institution uses the model privacy notice provided in the appendix to Regulation P.
The Bureau notes that it proposed the alternative delivery method in connection with its effort to reduce “unnecessary or unduly burdensome” regulations. The Bureau explains that it proposed the change because “any incremental benefit in terms of customers’ awareness of privacy issues that might accrue from requiring delivery pursuant to the existing methods of the annual privacy notice could be outweighed by the costs of providing the notice, costs that ultimately may be passed through to customers.”
The proposed rule has not yet been published in the Federal Register, but is available on the Bureau’s website at: http://www.consumerfinance.gov/f/201405_cfpb_annual-privacy-notice-proposal.pdf.