The Bureau of Consumer Financial Protection (CFPB or Bureau) on August 10, 2018 amended Regulation P, which implements the Gramm-Leach-Bliley Act (GLBA), to exempt certain financial institutions from providing an annual privacy notice under GLBA. The amendment will be effective September 17, 2018.
The amendment implements a December 2015 statutory change to GLBA that provided an exception to the annual privacy notice requirement for financial institutions that do not share nonpublic personal information (NPI) about customers except under certain statutory exceptions under GLBA, and that have not changed their privacy policies. The statutory change is already effective. The CFPB has now issued this rulemaking to implement the change and to provide more specific criteria than those in the statute. In addition, the rule eliminates the alternative delivery method, added to Regulation P by the CFPB in 2014 to address regulatory burden, that allowed an institution to provide the annual privacy notice on a website; the statutory amendment applies to the same institutions that would have qualified for the CFPB's alternative method.
Specifically, the new provision generally provides that a financial institution is exempt from the annual notice requirement if it: (i) provides NPI to nonaffiliated third parties only in accordance with the exceptions from the notice and opt-out requirements; and (ii) has not changed its policies and practices with regard to disclosing NPI from those disclosed in its most recent privacy notice. If a financial institution loses the exception because it changes its policies and practices, it must begin providing annual privacy notices according to the timing required under Regulation P.
As our readers know, information sharing with affiliates, and the related disclosure and opt-out requirements, intersect under GLBA and FCRA. It is worth noting that financial institutions that share consumer information with their affiliates and must provide an opt-out under FCRA (under either FCRA section 603(d)(2)(A)(iii) or section 624) can still qualify for this annual privacy notice exception, but would be required to provide any opt-out disclosure required under FCRA separately. In addition, changes to such sharing with affiliates that would require a new disclosure and opt-out under FCRA would not cause a financial institution to lose this exception (but, again, a separate disclosure under FCRA may be required). It is also worth noting that voluntarily disclosing, and providing an opportunity to opt out of, certain unrestricted sharing under GLBA would not preclude an institution from qualifying for the exception, even if it changes its policies and practices for such sharing (although such an institution may want to provide a separate disclosure of any changes to sharing that was previously the subject of a voluntary disclosure, for UDAAP purposes).
We frequently handle federal and state privacy issues for our clients. Please let us know if you would like to discuss this amendment or would like any additional information.