On July 1st, the CFPB proposed to amend Regulation P under the Gramm-Leach-Bliley Act (GLBA) to implement the statutory changes made by the Fixing America’s Surface Transportation Act (see prior post) that provided financial institutions that meet certain conditions with an exemption from the GLBA requirement to deliver annual privacy notices to customers.  The proposed changes would also establish timing requirements to begin re-delivering the annual privacy notices if a financial institution no longer qualifies for the exception.  Companies considering making changes to their privacy policies or practices should carefully assess the impact of the proposed rules.

The proposed rules would provide that a financial institution is not required to deliver a GLBA annual privacy notice if the financial institution:

  • Provides nonpublic personal information to nonaffiliated third parties only under one of the GLBA exceptions to the notice and opt-out requirements (§ 1016.13, § 1016.14, or § 1016.15); and
  • Has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the most recent privacy notice provided to the customer.

The proposed rule would not affect the collection or use of consumers’ nonpublic personal information by financial institutions.  Nor does the new exception affect the requirement to deliver an initial privacy notice, so all consumers will continue to receive such initial notices describing the privacy policies of any financial institutions with which they do business.  Furthermore, financial institutions that choose to take advantage of the annual notice exception must still provide any opt-out disclosures required under the Fair Credit Reporting Act, which can generally be provided in the initial notice.

The CFPB is also proposing to remove its 2014 rule (as described in our prior post) that established an alternative delivery method for GLBA annual privacy notices.  Because financial institutions that meet the conditions in Regulation P to use the alternative delivery method also would meet the conditions for the new statutory exemption, the CFPB has concluded that the alternative delivery method is no longer necessary.  The CFPB believes that a financial institution that has both options available to it would choose not to send the annual privacy notice at all, rather than deliver it pursuant to the alternative delivery method.  However, the CFPB notes that financial institutions that qualify for the new exemption may still choose to post privacy notices on their websites or deliver privacy notices to consumers who request them.

While this is a positive step forward in regulatory reform, the CFPB could have done this years ago during its 2014 rulemaking process.  However, an act of Congress was required to push the CFPB into making this common-sense change.