May 6 – The Consumer Financial Protection Bureau has proposed a rule to promote more effective privacy disclosures from financial institutions to their customers. The rule would allow companies that limit their consumer data-sharing and meet other requirements to post their annual privacy notices online rather than delivering them individually.
“Consumers need clear information about how their personal information is being used by financial institutions,” said CFPB Director Richard Cordray. “This proposal would make it easier for consumers to find and access privacy policies, while also making it cheaper for industry to provide disclosures.”
The Gramm-Leach-Bliley Act generally requires that financial institutions send annual privacy notices to customers. These notices must describe whether and how the financial institution shares consumers’ nonpublic personal information. If the institution does share this information with an unaffiliated third party, it typically must notify consumers of their right to opt out of the sharing and inform them of how to do so.
The proposal would allow institutions to post privacy notices online instead of distributing an annual paper copy, if they satisfy certain conditions such as not sharing data in ways that would trigger consumers’ opt-out rights. This proposal would apply to both banks and those nonbanks that are within the CFPB’s jurisdiction under the GLBA. Institutions that choose to rely on this new method of delivering privacy notices would be required to use the model disclosure form developed by federal regulatory agencies in 2009.
Under the proposal, if an institution qualifies for and wants to rely on the online disclosure method, it would have to inform consumers annually about the availability of the disclosures. Currently, institutions must send consumers a separate communication about privacy disclosures. Under this proposal they could include an insert in a regular consumer communication, such as a monthly billing statement for a credit card, letting consumers know that the annual privacy notice is available online and in paper by request at a toll-free telephone number. If an institution chose not to use the online disclosure method, it would need to continue to deliver annual privacy notices to its customers.
The benefits of the proposed rule include:
· Constant access to privacy policies: Currently, consumers must receive a copy of their financial institution’s privacy policies once per year. If financial institutions were to choose the proposed alternative delivery method, consumers would be able to view their institution’s privacy policies at any time, while still receiving notices through existing delivery methods if the policies’ terms changed. The online privacy notices would not require a login to view. For those customers with limited or no internet access, financial institutions would have to mail annual notices promptly to customers who request them by phone.
· Limited data sharing: Under this proposal, if an institution shares data with unaffiliated third parties in a way that triggers customers’ right to opt out of such sharing, then that institution generally would not be allowed to use the alternative delivery method. For this reason, financial institutions would have an incentive to limit their sharing to reduce their costs.
· Comparison shopping: Under the proposal, if financial institutions’ privacy policies are posted openly on their websites, they must use the model disclosure form designed by federal regulators. The model disclosure form would allow consumers who are concerned about their personal information to easily comparison shop before deciding which financial institution to use. Consumers could better educate themselves about the various types of privacy policies.
· Cheaper for companies to notify consumers of privacy practices: The rule would potentially reduce the cost for companies to provide annual privacy notices. The Bureau estimates that about $17 million could be saved by the industry annually if institutions were to choose the proposed online disclosure method.
The CFPB will accept comments on the proposed rule for 30 days after its publication in the Federal Register.
A copy of the proposed rule is available at: http://files.consumerfinance.gov/f/201405_cfpb_annual-privacy-notice-proposal.pdf .