At the end of 2015, Congress passed the Fixing America's Surface Transportation Act or “FAST Act,” a transportation funding bill. Buried hundreds of pages in, the bill included a short-but-sweet amendment to the Gramm-Leach-Bliley Act (GLBA) titled “Eliminate Privacy Notice Confusion.” As we discussed last year, the amendment eliminated the annual privacy notice requirement for some companies.
The FAST Act became effective immediately upon passage. However, the CFPB's Regulation P (i.e., the implementing regulation of the GLBA Privacy Rule) still reflected the pre-amended version of the law. In other words, the GLBA changed with the FAST Act, but the regulations did not change. This created a confusing inconsistency for financial institutions—comply with the law or comply with the regulations. As we noted in December, “[T]he CFPB (and other federal agencies) will need to amend their respective regulations to include this exception.”
Last week, the CFPB addressed the inconsistency and proposed an amendment to Regulation P implementing the FAST Act changes. As expected, the amendment provides that financial institutions are not required to deliver an annual privacy notice if the financial institution: (i) only shares nonpublic personal information with nonaffiliated third parties under a permitted GLBA exception (i.e., the company does not provide an opt-out right); and (ii) has not changed information sharing practices since the last-delivered notice. The amendment will become effective 30 days after a final rule is published.
In addition to the substantive changes to the GLBA, there are two interesting takeaways. The first is that the CFPB reacted relatively quickly (at least by Washington, D.C. standards) to the change in the law. When the FAST Act passed, many in the industry feared we would be left with a long-term or perpetual inconsistency between the GLBA and Regulation P.
The second takeaway is that the CFPB and Congress identified a bad law and fixed it. Several years ago, the CFPB pinpointed the annual privacy notice requirement as unnecessarily burdensome for many companies, especially those that do not share consumer information outside of the GLBA exceptions. In 2014, the CFPB amended the rules to allow some companies to post annual privacy notices online. Now, following the implementation of the FAST Act, the CFPB further eased the regulatory burden (and, interestingly, the proposed rule removes the 2014 changes).
This is a good development for many in the financial services industry.