On October 28, 2014, the Consumer Financial Protection Bureau (“CFPB”) issued a final rule amending Regulation P (the “Amendment”), which implements the consumer privacy provisions of the Gramm-Leach-Bliley Act (“GLBA”). In most cases prior to the amendment, Regulation P required financial institutions to mail paper copies of the annual privacy disclosure, which many in the financial industry felt was overly costly and needlessly burdensome. The new rule permits covered institutions to publish privacy notices electronically on their websites, but only after satisfying the following conditions:
- The financial institution does not disclose nonpublic personal information to nonaffiliated third parties other than for the exception purposes that do not allow for consumer opt-outs, such as for servicing or processing the consumer’s account;
- The financial institution’s information sharing practices do not trigger opt-out rights pursuant to Regulation P or Section 603 of the Fair Credit Reporting Act (“FCRA”);
- The requirements of the affiliate sharing provisions of FCRA Section 624, as applicable, were previously satisfied or the annual privacy notice is not the only notice provided to satisfy those requirements;
- The information contained in the privacy notice has not changed since the customer received the previous notice, except for changes to eliminate categories of information the institution disclosures or categories of third parties to whom the information is disclosed;
- The financial institution uses the model form provided in Regulation P as its annual privacy notice;
- The financial institution must make its customers aware that its privacy notice is available on its website, that it will mail a paper copy of the notice to customers who request it by calling a specific number, and that the notice has not changed since the prior year’s version. The financial institution can satisfy this requirement by inserting, at least once per year, a clear and conspicuous statement on an account statement, a coupon book, or on a notice or disclosure required by any provision of law. The statement must include a specific URL that can be used to access the website;
- The financial institution must continuously post the annual privacy notice in a clear and conspicuous manner on a page of its website, without requiring a login or similar steps or agreement to any conditions to access the notice; and
- The financial institution must mail, within ten days of a request, a paper copy of the notice to any customer who makes such request by telephone.
Importantly, if the financial institution changes its privacy practices or engages in information-sharing activities for which customers have a right to opt-out, it must use one of the permissible delivery methods that predated the rule change (paper notices or electronic with E-Sign consent).
Although the final rule falls short in many respects to requests by the banking industry, it does offer hope that the CFPB might in the future consider further lessening of disclosure requirements.
Section 503 of the GLBA requires “financial institutions”—which under the GLBA includes not only depository institutions, but also non-depository institutions such as payday lenders, mortgage brokers, check cashers, and debt collectors—to provide privacy notices to their customers. Financial institutions must disclose their privacy policies:
- at the time of establishing the customer relationship;
- not less than annually during the continuation of such relationship; and
- in a clear and conspicuous manner.
Prior to the Amendment, financial institutions always had to provide these disclosures in paper form unless the consumer consented to electronic disclosures in compliance with E-Sign.
On July 21, 2010, President Obama signed into law the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”). Among many other things, Dodd-Frank transferred rulemaking authority for Regulation P and most other federal consumer financial protection laws to the CFPB. In its proposed rule published May 13, 2014, the CFPB proposed allowing financial institutions to use “alternative delivery methods” for the annual disclosure required by GLBA Section 503. The CFPB implemented the alternative method through revised Section 1016.9(c)(2) of Regulation P (12 CFR 1016.9(c)(2)).
Although in theory revised Section 1016.9(c)(2) provides relief to financial institutions from having to mail paper copies of the required annual disclosure notices, many industry pundits argue the result falls short. Among the complaints is the CFPB’s insistence that a financial institution risks losing safe harbor status if it in any way modifies the model form, even though such modification often is necessary to tailor the notice to a particular institution’s circumstances. Moreover, industry participants criticize the CFPB’s prohibition against financial institutions sharing FCRA information with affiliates, which effectively limits the electronic disclosure option to only the smallest financial institutions. The pundits point to legislative proposals pending in Congress that would further reduce privacy disclosure obligations and permit greater information sharing among affiliates. Whether these proposals will gain traction in upcoming sessions of Congress remains to be seen.