The Consumer Financial Protection Bureau announced Friday that it has finalized amendments to implement legislation that allows financial institutions that meet certain requirements to be exempt from sending annual privacy notices to their customers.
The amendment implements a 2015 statutory amendment to the Gramm-Leach-Bliley Act (GLBA) that provides an exception to the annual notice requirement for financial institutions that meet certain conditions.
The GLBA requires that banks and other financial institutions send annual privacy notices to customers that describe how nonpublic personal information is shared. These notices must describe the privacy practices of financial institutions, including whether and how they share customers’ nonpublic personal information.
Regulation P sets forth requirements for how financial institutions must deliver these annual privacy notices. In certain circumstances, it permits financial institutions to use an alternative delivery method to provide annual notices. This method requires, among other things, that the annual notice be posted on a financial institution’s website.
If an institution shares customers’ nonpublic personal information with unaffiliated third parties in ways other than specified by the GLBA, the institution typically must notify customers of their right to opt out of having their information shared and inform them how to do so.
In December 2015, Congress amended the GLBA as part of the Fixing America’s Surface Transportation Act (FAST Act). This amendment provides financial institutions that meet certain conditions an exemption to the requirement to deliver an annual privacy notice.
A financial institution can use the annual notice exception if it limits its sharing of customer information so that the customer does not have the right to opt out, and if it has not changed its privacy notice from the one previously delivered to its customer. The rule issued by the CFPB implements this legislation and establishes deadlines for institutions to resume annual privacy notices if their practices change and they therefore cease to qualify for the exemption.
In 2011, the Dodd-Frank Act transferred GLBA privacy notice rulemaking authority from other regulators to the CFPB for financial institutions that fall under its authority.
The Bureau has the authority to promulgate GLBA privacy rules for depository institutions and many non-depository institutions. However, rule-writing authority with regard to securities and futures-related companies is vested in the Securities and Exchange Commission and Commodity Futures Trading Commission. Rule-writing authority with respect to certain motor vehicle dealers is vested in the Federal Trade Commission.