The Consumer Financial Protection Bureau (CFPB) has issued its final rule adopting changes to Regulation P, which governs the requirements for financial institutions to issue privacy notices to their customers. The final rule implements new timing requirements for sending annual privacy notices for financial institutions that no longer qualify for the exception and eliminates the "alternative delivery" option for annual privacy notices. The most significant impact of the final rule is the creation of an exception that permits financial institutions to avoid sending annual privacy notices to their customers under certain circumstances.
The final rule will have the biggest impact on financial institutions that share nonpublic personal information only with nonaffiliated third parties and do not have an obligation to provide an opt-out. However, given the recent amendments to the Gramm-Leach-Bliley Act (GLBA) and Regulation P regarding privacy notices, all financial institutions should evaluate their current privacy policies and procedures. The final rule became effective on September 17, 2018.
Creation of Annual Privacy Notice Exception
The changes to Regulation P are intended to align the rule with amendments made by Congress to the Gramm-Leach-Bliley Act (GLBA) in 2015. Before the final rule, Regulation P required financial institutions to send a privacy notice to all customers every 12 months without exception. The notice includes information such as whether the financial institution shares consumer information with nonaffiliated third parties, how the financial institution protects nonpublic personal information obtained from customers, and whether the customer has the right to opt out of the sharing of that information.
The final rule now creates an exception to this requirement and exempts a financial institution from sending the annual notice if it satisfies two conditions: (1) the financial institution shares nonpublic personal information with nonaffiliated third parties only where there is no obligation to offer an opt-out, and (2) the financial institution has not changed its "policies and procedures with regard to disclosing nonpublic personal information" from the policies and procedures outlined in the most recent privacy notice sent to the consumer. Under the GLBA, there is no requirement to provide an opt-out notice to customers where personal information is shared with (a) service providers performing functions on the institution's behalf; (b) nonaffiliated third parties who perform joint marketing on the institution's behalf; or (c) where the disclosure is necessary to "effect, administer, or enforce a transaction." This exception applies only to annual privacy notices and does not affect current requirements regarding initial privacy notices or revised privacy notices.
Amendment to Timing Requirements
In addition to creating the annual privacy notice exception, the final rule also adopted new timing requirements for issuing annual privacy notices in the event that a financial institution has made changes to its privacy policies and procedures and no longer qualifies for the exception. The timing requirements are nuanced, but essentially they require a financial institution to issue an annual privacy notice either: (1) before implementing the change in policy or practice that triggers the obligation to send a revised privacy notice, or (2) within 100 days after adopting a policy or practice that eliminates the financial institution's eligibility for the exception but does not trigger the obligation to send a revised privacy notice.
Removal of "Alternative Delivery" Method
Finally, as part of its changes to Regulation P, the CFPB eliminated the "alternative delivery" method for annual privacy notices. Under the "alternative delivery" method, financial institutions were permitted, in certain circumstances, to satisfy the annual privacy notice requirement by posting a copy of the annual notice on their websites. The CFPB reasoned that many of the conditions for using the "alternative delivery" method were the same as the conditions for qualifying for the new annual privacy notice exception, and that the method was therefore no longer needed.
As regulators continue to amend privacy notice requirements, it is imperative that financial institutions monitor their privacy practices to remain in compliance. If you have any questions regarding the GLBA, the recent amendments to Regulation P, or the impact on the privacy practices of your organization, please contact Alex Koskey.