CFPB Issues Amendments to Regulation P to Implement GLBA Annual Privacy Notice Exemption
The CFPB recently issued a final rule regarding Regulation P which implements the statutory amendment to the Gramm-Leach-Bliley Act (GLBA) to provide financial institutions that meet certain requirements an exemption from the GLBA requirement to deliver an annual privacy notice. The amendments to Regulation P will become effective on September 17, 2018.
In December 2015, Congress amended GLBA as part of the Fixing America’s Surface Transportation Act (FAST Act) to allow qualifying financial institutions to be exempt from sending annual privacy notices to customers. In implementing this change, the final rule amending Regulation P provides that the exception is available if two conditions are met:
- The financial institution does not share customers’ nonpublic personal information except as expressly described in the three exceptions under Regulation P for which the customer does not have the right to opt out (e.g., sharing with third party service providers or for joint marketing purposes); and
- The financial institution has not changed its policies and practices with regard to disclosing customers’ nonpublic personal information in the previously provided privacy notice.
In addition, the final rule establishes timing requirements for financial institutions to resume delivering annual privacy notices if their privacy policies or practices change and they therefore cease to qualify for the exemption. If a financial institution changes its policies or practices such that the change requires delivery of a revised privacy notice, the financial institution must treat the revised privacy notice as an initial privacy notice and provide an annual privacy notice in accordance with the general annual privacy notice timing requirements. However, if a financial institution changes its policies or practices in a way that does not require delivery of a revised privacy notice, the financial institution must provide an annual privacy notice within 100 days of the change in policies or practices.
Further, the final rule removes provisions under Regulation P that allow an alternative method for providing certain annual privacy notices, i.e., posting a copy of the annual notice on a financial institution’s website under certain circumstances, because the CFPB believes that the alternative delivery method will no longer be used in light of the above-described annual privacy notice exception.
The CFPB press release regarding the amendments to Regulation P is available here, and the full text of the amendments is available here.