On October 20, the CFPB finalized its amendment to Regulation P, which requires, among other things, that financial institutions provide an annual disclosure of their privacy policies to their customers. The Gramm-Leach-Bliley Act (GLBA) and Regulation P mandate that financial institutions provide their customers with initial and annual notices regarding their privacy policies. If financial institutions share certain customer information with particular types of third parties, the institutions are also required to provide notice to their customers and an opportunity to opt out of the sharing. The GLBA was enacted into law in 1999. The statute, among other things, is intended to provide a comprehensive framework for regulating the privacy practices of an extremely broad range of entities.
The finalized amendment creates an alternative delivery method for this annual disclosure, which financial institutions will be able to use under certain circumstances. Under the new rule, bank and nonbank institutions under the CFPB’s jurisdiction will now be allowed to post privacy notices online, rather than deliver an annual paper copy. Institutions that choose to post notices online must meet certain conditions, including: providing notice to consumers if the institution shares any data with third parties, in addition to providing an opportunity to opt out of such sharing; and using the 2009 model disclosure form developed by federal regulatory agencies. The institutions that choose to rely on the new delivery method must ensure that customers are aware of the notices posted online; provide paper copies within ten days of a customer’s request; and make customers aware that the privacy notice(s) are available online—and that a paper copy will be provided at the customer’s request—by inserting a “clear and conspicuous statement at least once per year on an account statement, coupon book, or a notice or disclosure.”
The CFPB anticipates that the rule will: provide consumers with constant access to privacy notices; limit the amount of an institution’s data sharing with third parties; educate consumers on various types of privacy policies; and reduce the cost for companies to provide privacy notices.