New CFPB Rule Could Impact Privacy Requirements

By Alexander F. Koskey

The Consumer Financial Protection Bureau has issued its final rule adopting changes to Regulation P, which governs when and how a financial institution must deliver privacy notices to its customers. The most significant change is a new exception that permits a financial institution to skip the annual privacy notice altogether under certain circumstances. The final rule also sets new timing requirements for sending an annual privacy notice once a financial institution no longer qualifies for that exception, and it eliminates the “alternative delivery” option for annual privacy notices.

The final rule will have the biggest impact on financial institutions that share nonpublic personal information with nonaffiliated third parties only under circumstances in which no opt-out must be offered. However, given the recent amendments to the Gramm-Leach-Bliley Act and to Reg P regarding privacy notices, all financial institutions should evaluate their current privacy policies and procedures. The final rule became effective Sept. 17, 2018.

Creation of Annual Privacy Notice Exception

The changes to Reg P are intended to align the regulation with amendments Congress made to GLBA in 2015. Before these changes, Reg P required a financial institution to send a privacy notice to every customer at least once every 12 months, without exception. The notice discloses, among other things, whether the financial institution shares customer information with nonaffiliated third parties, how it protects the nonpublic personal information it collects, and whether the customer has the right to opt out of that sharing.

The final rule creates an exception to this requirement: a financial institution is exempt from sending the annual notice if it satisfies two conditions. First, it must share nonpublic personal information with nonaffiliated third parties only where there is no obligation to offer an opt-out. Second, it must not have changed its “policies and procedures with regard to disclosing nonpublic personal information” from those described in the most recent privacy notice sent to the customer. Under GLBA, no opt-out notice is required where nonpublic personal information is shared with (1) service providers performing functions on the institution’s behalf; (2) nonaffiliated third parties that perform joint marketing on the institution’s behalf; or (3) a third party where the disclosure is necessary to “effect, administer, or enforce a transaction.” The exception applies only to annual privacy notices; it does not change the existing requirements for initial privacy notices or revised privacy notices.

Amendment to Timing Requirements

In addition to creating the annual privacy notice exception, the final rule adopts new timing requirements for a financial institution that has changed its privacy policies and procedures and therefore no longer qualifies for the exception. The requirements are nuanced, but in essence the institution must deliver an annual privacy notice either (1) before implementing the change in policy or practice, where that change triggers the obligation to send a revised privacy notice; or (2) within 100 days after adopting the change, where the change eliminates the institution’s eligibility for the exception but does not trigger the obligation to send a revised privacy notice.

Removal of “Alternative Delivery” Method

Finally, as part of its changes to Reg P, the CFPB eliminated the “alternative delivery” method for annual privacy notices. Under that method, a financial institution meeting certain conditions could satisfy the annual notice requirement by posting the notice on its website rather than mailing it. The CFPB reasoned that the conditions for using the alternative delivery method largely overlapped with the conditions for qualifying for the new annual privacy notice exception, so that an institution eligible for alternative delivery would generally be exempt from the annual notice entirely, leaving the method with no remaining purpose.

As regulators continue to amend privacy notice requirements, it is imperative that financial institutions monitor their privacy practices to remain in compliance.

Alexander F. Koskey is an associate in the Atlanta office of Baker Donelson. He can be reached at
