The Consumer Financial Protection Bureau (“CFPB”) recently proposed a rule (the “Proposed Rule”) allowing companies that do not share customer information with third parties to post their annual privacy notices online, rather than physically or electronically delivering them, in order to promote more effective privacy disclosures from financial institutions to their customers. Permitting electronic posting of privacy notices in this limited circumstance is intended to reduce information overload for consumers, while allowing financial institutions to reduce their compliance expenses. The Proposed Rule would amend the CFPB’s Regulation P, implementing Title V of the Gramm-Leach-Bliley Act of 1999 (“GLBA”).
The CFPB has requested comments on various aspects of the Proposed Rule no later than June 12, 2014, which is 30 days after the Proposed Rule was published in the Federal Register.
GLBA Privacy Requirements
The GLBA generally requires “financial institutions”:
- to provide notices to consumers about their information-collection and information-sharing practices in a written and physically delivered privacy notice;
- not to disclose nonpublic personal information about consumers to any nonaffiliated third party unless consumers are given a reasonable opportunity to opt out; and
- not to disclose customer account numbers to any nonaffiliated third party for marketing purposes.
Additionally, the GLBA requires financial institutions to develop, implement, and maintain a comprehensive information security program designed to safeguard consumer information.
Typically, the annual privacy notice must describe in a physical form whether and how the financial institution shares customers’ nonpublic personal information. If the institution shares such information with a third party, it must notify consumers of their right to opt out of the information sharing. The Proposed Rule would change the privacy notice form and delivery requirement for certain banks and non-banks within the CFPB’s jurisdiction under the GLBA. Financial institutions that meet certain requirements would be permitted to post privacy policies online instead of distributing an annual paper copy.
The Proposed Rule
Specifically, the Proposed Rule would allow a financial institution to use a proposed alternative delivery method for annual privacy notices if:
- the financial institution does not share the customer’s nonpublic personal information with nonaffiliated third parties in a manner that triggers the GLBA’s opt-out rights;
- the financial institution does not include on its annual privacy notice an opt-out notice under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (“FCRA”);
- the financial institution’s annual privacy notice is not the only notice provided to satisfy the requirements of section 624 of the FCRA;
- the information included in the privacy notice has not changed since the customer received the previous notice; and
- the financial institution uses the model form provided in Regulation P.
Thus, a financial institution that has changed its privacy practices or engages in certain types of information-sharing activities would still be required to use the traditional written, physically delivered notice method required by Regulation P.
A financial institution using the proposed alternative would be required to insert a clear and conspicuous statement at least once per year on a notice or disclosure the institution issues under any other provision of law announcing that:
- the annual privacy notice is available on the financial institution’s website;
- it will be mailed to customers who request it by calling a toll-free number; and
- it has not changed.
A financial institution would also have to conspicuously post the annual privacy notice on a page of its website available to the public. In addition, financial institutions would be required to mail annual notices promptly to customers who request them by telephone.
Implications for Financial Institutions and Consumers
Currently, Regulation P permits financial institutions to provide notices electronically with a consumer’s consent; however, most annual privacy notices are still provided via U.S. mail, which is costly in both preparation and delivery. The Proposed Rule, if adopted, should streamline the process for providing privacy notices for certain financial institutions that do not share customer information. The proposal would eliminate many of the costs of materials, postage, and labor required for those financial institutions that mail their annual privacy notices separate from other materials.
While the Proposed Rule provides regulatory relief to entities with simple operations, it could also have the effect of limiting data sharing between financial institutions and nonaffiliated third parties. Under the proposal, if a financial institution shares data in a way that triggers the GLBA’s opt-out requirements, it would generally not be permitted to use the alternative delivery method. This may provide an incentive to reduce data sharing in order to limit costs.
The CFPB initially publicly discussed the impact of the Proposed Rule in the context of a November 2013 study assessing the adverse effects of certain deposit regulations on financial institutions’ operations. The seven banks that participated in the study generally confirmed that few consumers read privacy notices.
Because of the limited applicability of the proposal to entities that do not share customer information with third parties, the Proposed Rule is likely to have a minimal effect on most financial institutions. Moreover, the impact on consumers could be negligible, other than potentially reducing the amount of mail they receive. The Proposed Rule also would not affect the collection or use of consumers’ nonpublic personal information, and would not expand the permissible delivery methods of privacy notices when financial institutions change their privacy policies. However, by recognizing that there are alternative methods of delivery, the Proposed Rule is a small step toward reducing the compliance burden facing financial institutions that must physically issue annual privacy notices to their customers.