Bureau Amends Privacy Notice Regulation

The Bureau of Consumer Financial Protection (Consumer Financial Protection Bureau) on Friday finalized amendments to implement legislation that allows financial institutions that meet certain requirements to be exempt from sending annual privacy notices to their customers.

The Bureau said the final rule (https://files.consumerfinance.gov/f/documents/bcfp_glba-privacy-notices_final-rule_amendment_2018-08.pdf) is intended to “ease the burden on financial institutions and reduce risk of consumer confusion.”

Specifically, the rule exempts financial institutions that meet certain conditions from the Gramm-Leach-Bliley Act requirement that financial institutions send annual privacy notices to customers. A financial institution can use the annual notice exception if it limits its sharing of customer information so that the customer does not have the right to opt out, and has not changed its privacy notice from the one previously delivered to its customer.

These notices must describe the privacy practices of financial institutions, including whether and how they share customers’ nonpublic personal information. If the institution shares this information with unaffiliated third parties in ways other than specified by Gramm-Leach-Bliley, the institution typically must notify customers of their right to opt out of having their information shared and inform them how to do so.

In 2014, the Bureau adopted a rule to allow financial institutions to use an alternative delivery method to provide annual privacy notices through posting the notices on their websites if they meet certain conditions. Specifically, financial institutions were allowed to use the alternative delivery method for annual notices if: (1) no opt-out rights were triggered by the financial institution’s information sharing practices under Gramm-Leach-Bliley; (2) no Fair Credit Reporting Act section 603 opt-out notices were required to appear on the annual notice and any opt-outs required by FCRA section 624 had previously been provided, if applicable, or the annual notice was not the only notice provided to satisfy those requirements; (3) the information included in the annual notice had not changed since the customer received the previous notice; and (4) the financial institution used the model form provided in Regulation P for its annual notice.

The Bureau said it does not believe that this final rule will impose any new or substantively revised collections of information as defined by the PRA, and instead believes that it will have the overall effect of reducing the previously approved estimated burden on industry for the information collections associated with the Regulation P annual privacy notice.