This has been an exciting year in the world of privacy law! With the European Union breaking new ground with the General Data Protection Regulation, California following close behind with the passage of the California Consumer Privacy Act, and Vermont amending its rules, the compliance officers and lawyers of the world are hard at work parsing the voluminous codes, attempting to ascertain applicability and operationalization. Not to be outdone, the Consumer Financial Protection Bureau (“CFPB”) caught up to its 2015 mandate and finally published the final rule amending Regulation P, which implements the Gramm-Leach-Bliley Act (“GLBA”). Back in 2015, the Fixing America’s Surface Transportation Act (“FAST Act”) amended the GLBA, providing for an exception to the annual privacy notice requirement and requiring the CFPB to promulgate a corresponding rule. The new rule becomes effective September 17, 2018.
Under the CFPB’s new rule, financial institutions do not have to send an annual privacy notice where: (1) the financial institution only shares nonpublic personal information (“NPI”) with nonaffiliated third parties to the extent that it does not trigger consumer opt-out rights under the GLBA; and (2) the financial institution has not changed its policies and procedures related to disclosing NPI from the most recent version of the privacy notice sent to customers. Further, the rule provides timeframes by which financial institutions that no longer qualify for the exception must provide updated notice. Where a formerly-qualified financial institution subsequently amends its privacy policies in such a way that requires it to provide a revised policy to customers and it no longer qualifies for the exception, the revised notice will be treated as an initial notice and the institution may resume providing the annual notice from then on. However, if the formerly-qualified financial institution changes its policies such that it is no longer qualified, but not to the extent that it is required to provide a revised privacy notice, the institution must deliver the annual notice within 100 calendar days of the change in policy.
Because a financial institution that meets the conditions for alternative delivery methods will meet the conditions for the exception in the final rule, the CFPB has removed section 10169(c)(2), eliminating the alternative delivery method for annual notices. In footnote 30 of the final rule, the CFPB states that a financial institution will not jeopardize the availability of the exception by providing a privacy notice to a consumer, such as upon the consumer’s request. This is good news for organizations that look to take a measured approach to change.
It is more important than ever for financial institutions to implement and maintain a consistent change management protocol. With the state privacy laws changing rapidly, financial institutions should closely evaluate the latent consequences of altering their privacy notice procedures.