The Consumer Financial Protection Bureau (“CFPB” or “Bureau”) has issued a final rule amending Regulation P. See, 79 Fed. Reg. 64057 (October 28, 2014), or available at https://www. requirement-under-the-gramm-leach-bliley-act-regulation-p. Under Regulation P of the Gramm- Leach-Bliley Act (“GLBA”), financial institutions are required to provide their customers with initial and annual notices regarding the financial institution’s privacy practices. Such notices must provide customers with information about how the financial institution shares its customers’ personal information with third parties, if applicable, and a method whereby the customer can opt out of such sharing.

Earlier this year, in response to concerns about the cost of mailing out paper notices each year, as well as the potential for information overload, the CFPB proposed changing the requirement to allow financial institutions to post annual notices on their websites. The Bureau sought comment on its proposal to add an alternative delivery method for annual privacy notices and received approximately 130 comments from industry trade associations, consumer groups, public interest groups, individual financial institutions, and others. The Bureau made several revisions and modifications to the proposal in light of some of the comments.

The final rule, which is effective as of October 28, 2014, the day it was published in the Federal Register, requires the financial institution that wishes to utilize this alternative method of delivery to continuously post the annual privacy notice in a clear and conspicuous manner on a page of its

website, without requiring a login or similar steps to access the notice. It allows financial institutions to use the alternative delivery method for annual privacy notices if:

  • no opt-out rights are triggered by the financial institution’s information sharing practices under GLBA or the Fair Credit Reporting Act (“FCRA”) Section 603, and opt-out notices required by FCRA Section 624 have previously been provided, if applicable, or the annual privacy notice is not the only notice provided to satisfy those requirements;
  • the information included in the privacy notice has not changed since the customer received the previous notice; and
  • the financial institution uses the model form provided in Regulation P as its annual privacy notice.

Larger financial institutions submitted comments with respect to the first condition – that no opt-out rights are triggered. Many large financial institutions expressed concern that they would not be able to use the alternative method for delivery since they share information in such a way as to require opt-out notices either under GLBA or FCRA, or both. The CFPB did not alter the proposed revision to address these concerns.

The Bureau modified the proposed rule to clarify that if a financial institution has changed its privacy practices by eliminating categories or information that it discloses, or by eliminating categories of third parties to whom it discloses, the financial institution is still permitted to use the alternative delivery method. The Bureau retained the requirement that the financial institution use the model form, and believes that some financial institutions may begin to use that form in order to take advantage of the alternative delivery method.

A financial institution that wishes to use the alternative method for delivery must alert customers to the fact that the financial institution’s privacy notice is available on its website. This statement of availability can be included on an account statement, coupon book, or a notice or disclosure the institution issues under any provision of law. In addition to stating that the annual privacy notice, which has not changed, is available on the financial institution’s website, the statement of availability must also inform the customer that he or she can request a paper notice be mailed.

To assist customers with limited or no access to the Internet, the institution must mail annual notices to customers who request them by telephone, within   ten days of the request. The telephone number by which customers can make this request does not have to be a toll-free number, but the Bureau encourages financial institutions to utilize such toll-free methods where available.

The Bureau estimates that this change will save financial institutions $17 million annually, which is 58% of the total $30 million annual cost of providing the notices required under Regulation P.