The Consumer Financial Protection Bureau ("CFPB") recently adopted a final rule that under certain conditions provides financial institutions it regulates with the option of posting annual consumer privacy notices online rather than mailing paper copies to customers (the "Privacy Notice Rule").[1] 

The Privacy Notice Rule is the latest instance of regulatory relief provided to financial institutions by the CFPB.[2] Part of the agency's streamlining initiative, the Privacy Notice Rule aims to reduce unnecessary or unduly burdensome regulatory requirements. The CFPB estimates the total reduction in financial institutions' compliance expenses attributable to the Privacy Notice Rule at approximately $17 million annually.[3]

In addition to this significant, recurring reduction in compliance expenses for financial institutions, the CFPB anticipates that the Privacy Notice Rule will benefit consumers by providing constant online access to privacy policies presented in an understandable form. The CFPB also hopes the Privacy Notice Rule will benefit consumers by providing incentives for financial institutions to avoid or limit sharing of consumers' nonpublic personal information. 

The Privacy Notice Rule applies to depository institutions, such as commercial and savings banks, and to nondepository companies subject to the jurisdiction of the CFPB, such as mortgage bankers, loan servicers, payday lenders, debt collectors, and remittance transfer providers. The Privacy Notice Rule does not apply to institutions that are subject to the privacy jurisdiction of the Securities and Exchange Commission ("SEC") and the Commodity Futures Trading Commission ("CFTC") or to certain motor vehicle dealers that are subject to the jurisdiction of the Federal Trade Commission ("FTC"). 

The CFPB consulted and coordinated with the SEC, CFTC, FTC and state insurance authorities designated by the National Association of Insurance Commissioners in developing the alternative method of delivering annual privacy notices, as required by the Gramm-Leach-Bliley Act ("GLBA"),[4] for the purpose of assuring that, to the extent possible, each agency's rules are consistent and comparable with one another.[5] 

Key Features of the CFPB Privacy Notice Rule

Beginning October 28, 2014, a financial institution that is regulated by the CFPB may post annual privacy notices online rather than mailing paper copies to customers, if the institution satisfies the following conditions set forth in the Privacy Notice Rule:

  • The financial institution does not share its customers' nonpublic personal information with nonaffiliated third parties in a manner that triggers opt-out rights under GLBA;
  • The financial institution does not include in its annual privacy notice information about certain consumer opt-out rights under section 603 of the Fair Credit Reporting Act ("FCRA");
  • The financial institution's annual privacy notice is not the only notice provided to satisfy the requirements of the affiliate marketing provisions of the FCRA[6];
  • The information the financial institution includes in the privacy notice has not changed since the customer received the previous notice; and
  • The financial institution uses the model form provided in GLBA's implementing Regulation P.[7] 

A financial institution that chooses to rely on this alternative method of delivering annual privacy notices must insert a clear and conspicuous statement at least annually on a regular consumer communication, such as a monthly billing statement or coupon book, indicating that the institution's annual privacy notice is available on its website and in paper form and will be mailed upon request by calling a specific toll-free number. This statement must include a specific web address that takes the customer directly to the privacy notice.  

A financial institution must post its privacy notice continuously on a page of its website that contains only the privacy notice, without requiring a login or any conditions to access the page. The institution must mail its privacy notice within 10 days to consumers who request a copy by telephone. The preamble to the Privacy Notice Rule explains that the CFPB will not consider occasional or unavoidable website interruptions to violate the requirement for continuous posting.[8]

A financial institution that has changed its privacy practices or that engages in information-sharing activities for which consumers have a right to opt out—for example, selling customers' nonpublic personal information to a nonaffiliated third party—must continue to deliver annual privacy notices using the permissible delivery methods predating the Privacy Notice Rule.