CFPB Amends Regulation P to Eliminate Mailing Requirement for Annual Privacy Notices in Certain Circumstances

October 22, 2014
Joseph D. Simon
Garden City

The Consumer Financial Protection Bureau (“CFPB”) has issued a final rule that will allow a financial institution to post its annual privacy notice on its website in lieu of mailing it to customers if certain conditions are met.

The final rule amends Regulation P, which implements the Gramm-Leach-Bliley Act (“GLBA”). Regulation P requires financial institutions to provide customers with both initial and annual privacy notices. The notices must disclose whether the financial institution shares certain customer information with third parties and, in certain cases, must give the customer an opportunity to opt out of such sharing. The current method by which financial institutions are generally required to provide these notices is by mailing printed copies of all required disclosures and opt-out forms.

In response to industry concerns that the current method causes information overload for consumers and unnecessary expense for financial institutions, the CFPB has now finalized a rule that allows financial institutions to use an alternative delivery method to provide the annual privacy notices. An institution may post its annual notice on its website if certain conditions are met. The final rule is effective as of October 28, 2014.

A financial institution is eligible to post its annual privacy notice on its website in lieu of mailing it if all the following apply:

(i) No opt-out rights are triggered by the financial institution’s information sharing practices under the GLBA or section 603 of the Fair Credit Reporting Act (“FCRA”)[1] (in other words, the institution does not share FCRA-sensitive data among affiliates), and opt-out notices that are required by section 624 of the FCRA[2] (i.e., affiliate marketing under the Fair and Accurate Credit Transactions Act of 2003) have previously been provided, if applicable, or the annual privacy notice is not the only notice provided to satisfy those requirements;

(ii) The information included in the privacy notice has not changed since the customer received the previous notice; and

(iii) The financial institution uses the model form provided in Regulation P as its annual privacy notice.

To use the alternative delivery method, a financial institution must continuously post the annual privacy notice in a clear and conspicuous manner on a page of its website. This page must not require a login, similar steps to a login, or an agreement to any conditions in order to access the notice. Additionally, if a customer requests by telephone that the annual privacy notice be mailed to them, the financial institution must mail such notice within 10 days of the customer’s request.

Furthermore, to ensure customers are aware that the annual privacy notice is available through the alternative delivery method, a financial institution must insert a clear and conspicuous statement on an account statement, coupon book, or a notice or disclosure the institution issues under any provision of the law, at least once per year. This statement must notify the customer that the annual privacy notice is available on the financial institution’s website (and state the specific web address where it can be found), that the notice has not changed, and that the privacy notice will be mailed to customers who request a mailing by calling a specific telephone number. The amended regulation contains a sample statement which, when used, will be deemed to satisfy the requirement to provide an annual statement regarding the availability of the annual privacy notice.

If a financial institution amends its privacy notice or engages in information-sharing activities for which customers have the right to opt out, the financial institution will be required to use the standard delivery methods under Regulation P and may not use the alternative delivery method.

As noted above, the final rule is effective as of October 28, 2014. If you have any questions regarding the final rule, or the GLBA or Regulation P in general, please feel free to contact Joseph D. Simon at (516) 357-3710 or via email at jsimon@cullenanddykman.com, Kevin Patterson at (516) 296-9196 or via email at kpatterson@cullenanddykman.com, or Elizabeth A. Murphy at (516) 296-9154 or via email at emurphy@cullenanddykman.com.


[1] Section 603(d)(2)(A)(iii) of the FCRA requires a financial institution that wants to share certain customer information with affiliated companies to provide customers with a notice of such information sharing and an opportunity to opt out.

[2] Under Section 624 of the FCRA, in order for a financial institution to use certain consumer information received from an affiliate to solicit that consumer for a product or service, the consumer must be given a notice of such information sharing and an opportunity to opt out of such solicitations.