Bryan Cave Leighton Paisner Banking Blog


Consumer Protection and Data Privacy


Complying with the Rules When Posting Privacy Notices Online

On October 28, 2014, the CFPB amended the consumer privacy rules of Regulation P to allow financial institutions to post privacy notices online rather than mailing the required annual notice each year.  Some institutions are already taking advantage of this alternate delivery method.  There are conditions to this option, however, and some institutions might not be satisfying those conditions.  It is important to confirm that your institution is meeting the following conditions if you have decided to take advantage of the new rule:

  1. No Opt Outs.  The alternate delivery method can be used only if you do not share your customers’ information in any way for which the customer has the right to opt out under Regulation P or Section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (FCRA).  This provision of the FCRA is the one under which information that otherwise would be a “consumer report,” such as credit experience with third parties, may be shared with an affiliate for other than marketing purposes so long as the consumer is given an opt-out right.
  2. Satisfy the FCRA Affiliate Sharing Rules.  You must have previously satisfied the affiliate sharing rules of Section 624 of the FCRA or you do so other than by delivery of the annual Regulation P privacy notice.  This provision seems to cause some confusion.  Section 624 of the FCRA is the provision under which an affiliate of a financial institution that receives certain information (such as transaction information) may not use that information for marketing purposes unless the consumer is notified of such use and given a chance to opt out.  The Section 624 notice would only need to be given one time so long as an institution honors consumers’ opt outs indefinitely, or could be delivered other than as part of a Regulation P privacy notice.  Therefore, so long as you are not relying on the annual Regulation P privacy notice to satisfy Section 624, you satisfy this condition to the alternate method for delivery of your annual Regulation P notice.
  3. No Changes to the Notice.  The privacy notice you post online cannot have changed since consumers received the immediately previous notice, other than to eliminate categories of information that you disclose or categories of third parties to whom you disclose information.  So, for example, if you previously shared information in a way that required you to offer the consumer an opt-out right, you could stop such sharing.  This would allow you to satisfy the no opt-out rule described above and post your modified privacy notice online.
  4. Model Notice.  You must use the model form of privacy notice included in Regulation P.
  5. Notify Consumers of the Posting.  You must notify your customers each year that your privacy notice is available online and that it will be mailed to customers who request it by telephone.  This notice can be provided on an account statement, coupon book, or any other notice or disclosure that you are required or expressly and specifically permitted to issue to the customer under any other provision of law.
  6. Post the Notice Continuously in a Public Location.  Your privacy notice must be posted continuously and in a clear and conspicuous manner on a page of your Web site that consists only of the privacy notice and that can be accessed by consumers without having to log in, provide a password or agree to any conditions.
  7. Mail Upon Request.  If any customer requests a copy of the privacy notice by telephone, you must mail it to him or her within 10 days.

This alternate method for delivery of the annual Regulation P privacy notice will be attractive to many financial institutions, but don’t forget these conditions to this method.


New CFPB Disclosure Requirements Come Up Short

On October 28, 2014, the Consumer Financial Protection Bureau (“CFPB”) issued a final rule amending Regulation P (the “Amendment”), which implements the consumer privacy provisions of the Gramm-Leach-Bliley Act (“GLBA”).  In most cases prior to the amendment, Regulation P required financial institutions to mail paper copies of the annual privacy disclosure, which many in the financial industry felt was overly costly and needlessly burdensome.  The new rule permits covered institutions to publish privacy notices electronically on their websites, but only after satisfying the following conditions:

  1. The financial institution does not disclose nonpublic personal information to nonaffiliated third parties other than for the exception purposes that do not allow for consumer opt-outs, such as for servicing or processing the consumer’s account;
  2. The financial institution’s information sharing practices do not trigger opt-out rights pursuant to Regulation P or Section 603 of the Fair Credit Reporting Act (“FCRA”);
  3. The requirements of the affiliate sharing provisions of FCRA Section 624, as applicable, were previously satisfied or the annual privacy notice is not the only notice provided to satisfy those requirements;
  4. The information contained in the privacy notice has not changed since the customer received the previous notice, except for changes to eliminate categories of information the institution discloses or categories of third parties to whom the information is disclosed;
  5. The financial institution uses the model form provided in Regulation P as its annual privacy notice;
  6. The financial institution must make its customers aware that its privacy notice is available on its website, that it will mail a paper copy of the notice to customers who request it by calling a specific number, and that the notice has not changed since the prior year’s version.  The financial institution can satisfy this requirement by inserting, at least once per year, a clear and conspicuous statement on an account statement, a coupon book, or on a notice or disclosure required by any provision of law.  The statement must include a specific URL that can be used to access the website;
  7. The financial institution must continuously post the annual privacy notice in a clear and conspicuous manner on a page of its website, without requiring a login or similar steps or agreement to any conditions to access the notice; and
  8. The financial institution must mail, within ten days of a request, a paper copy of the notice to any customer who makes such request by telephone.

Importantly, if the financial institution changes its privacy practices or engages in information-sharing activities for which customers have a right to opt out, it must use one of the permissible delivery methods that predated the rule change (paper notices or electronic with E-Sign consent).


April 2014 Client Alerts

Practice groups throughout Bryan Cave often prepare alerts on issues of interest to our clients and friends. Listed below are the Client Alerts published in April 2014.  Please click on the title to read the full text of the Alert.

U.S. Supreme Court Clarifies Test For Standing to Sue Under Federal False Advertising Statute And Rejects Test Used by Several Circuits to Prohibit Suits Brought By Non-Competitor Businesses, published by the Commercial Litigation, Intellectual Property and Trademarks practice groups on April 1, 2014.

The Australian Privacy Principles:  They don’t apply to me, do they?, published by the Data Privacy and Security team, April 1, 2014.

SEC Convenes Cybersecurity Roundtable:  Highlights Importance of Cybersecurity for Public Companies and Financial Market Participants, published by the Corporate Finance and Securities practice group and Data Privacy and Security Team, April 4, 2014.

Now It Gets Personal:  Department of Justice Obtains its First Ever Extradition on Antitrust Charges, published by the Antitrust and Competition White Collar Defense and Investigations practice on April 8, 2014.

SEC Touts Monetary Benefits of Whistleblowing, published by the White Collar Defense and Investigations, Securities Litigation and Enforcement and Labor and Employment practice groups, April 10, 2014. 

Paving The Way for Increased Data Litigation, Court Refuses to Dismiss FTC’s Use of Deception or Unfairness Authority in Data Breach Cases, published by the Data Privacy and Security Team, April 11, 2014.

$5.15B Cleanup:  Anadarko Environmental Settlement Reveals New Government Tactics, published by the White Collar Defense and Investigations and Environmental practice groups, April 11, 2014.

Court of Appeals Issues Opinion in Conflict Minerals Case:  Portion of Rule Violates First Amendment, published by the Corporate Finance and Securities practice group, April 14, 2014.

SEC Staff Responds to Court of Appeals Opinion in Conflict Minerals Case:  Game On, published by the Corporate Finance and Securities group, April 30, 2014.

Will This Be Enough?  Competitors Sharing Cyber Threat Information Will Not Result in Federal Antitrust Prosecutions — Sometimes, published by the National Security, Antitrust and Competition practice groups and the Data Privacy and Security Team

We Know Who You Are:  Companies’ Ability To Deal Confidentially With The CPSC is Further Eroded, published by the Consumer Protection and Data Privacy groups, April 18, 2014.

OCIE Issues Risk Alert Regarding Cybersecurity Preparedness, published by the Broker-Dealer, Litigation, Arbitration and Regulatory, and Investment Management groups, April 21, 2014.

Missouri Supreme Court Deals With Trade Secret Issues, published by the Labor and Employment practice group, April 22, 2014.

Missouri Supreme Court Introduces Drastic Change to Workers’ Compensation Retaliation Law, published by the Labor and Employment practice group, April 29, 2014.

New York’s Non-Profit Revitalization Act of 2013 and Its Impact on Non-Profit Organizations, published by the Non Profit Organizations practice on April 1, 2014.

U.S. Expands Sanctions Against Russia By Freezing More Assets and Restricting Exports (IRB No. 522), published by the International Trade group, April 29, 2014.

Partnership Tax Changes:  New Salaried Member Rules from 6 April 2014, published by the Tax Advice and Controversy practice group (London) on April 3, 2014.

New Consumer Regulations – Implications for Retailers doing Business in the UK, published by the London Retail team, April 17, 2014.

Sunday Trading Laws in the UK — Is The Customer Still King?, published by the London Retail team, April 17, 2014.

UK Deferred Prosecution Agreements — Key Considerations For Companies Deciding Whether To Self-Report, published by the White Collar Defense and Investigations, Global Anti-Corruption/Foreign Corrupt Practices Act Team, April 2, 2014.

New Consumer Protection Law:  A Reinforced Framework for Distribution Agreements, published by the Paris Consumer Protection and Data Privacy group, April 9, 2014.

New Consumer Protection Law:  A Stricter Regime for Payment Terms, published by the Paris Consumer Protection and Data Privacy group, April 9, 2014.

EU & Competition Law Update – April 2014, published by the European Antitrust and Competition group, April 10, 2014.

 


February 2014 – Bryan Cave Client Alerts

Practice groups throughout Bryan Cave often prepare alerts on issues of interest to our clients and friends.  Listed below are the client alerts published in January 2014.  Please click on the title to read the full text of the Alert.

Voluntary for Now:  Federal Cybersecurity Framework Likely to Become the Base-Line Requirement for Critical Infrastructure Organizations and, Potentially, Many Other Businesses, published by the National Security Data Privacy and Security Team, February 20, 2014.

Managing Legal Risks:  Trends in Data Privacy & Security Class Action Litigation, published by the Data Privacy and Security Team, February 27, 2014.

Bankruptcy Court Limits Credit Bid Right In An Unnecessarily “Rushed” Sale Process, published by the Bankruptcy, Restructuring and Creditors’ Rights Practice, February 14, 2014.

Proposed Regulation Would Limit Ability to Restrict Public Disclosure of Product Information Submitted to the CPSC, published by the Consumer Protection and Data Privacy Practice, February 27, 2014.

FINRA Levies Record Fine for AML Violations, published by the Securities Litigation and Enforcement and White Collar Defense and Investigations Practice Groups.

FINRA’s Sweep Letter Targets Cybersecurity, published by the Broker-Dealer Litigation, Arbitration and Regulatory Practice, February 10, 2014.

Managing Legal Risks:  Trends in Advertising Class Action Litigation (2013 Year-In-Review), published by the Consumer Protection and Data Privacy and Class and Derivative Actions Practice Groups, February 18, 2014.

DINP Listed as Carcinogen Under Prop. 65, published by the Retail Team, February 28, 2014.

OCIE’s “Never-Before Examined Initiative,” published by the Broker-Dealer Litigation, Arbitration and Regulatory Practice.

Attorney-Client Privilege in FCPA Investigation Nullified Based on Crime-Fraud Exception, published by the White Collar Defense and Investigations, Internal Trade, Global Anti-Corruption/Foreign Corrupt Practices Act Team, February 25, 2014.

Yet Another List to Check:  the Foreign Sanctions Evaders (IRB No. 518), published by the International Trade Group, February 21, 2014.

A Year in the Garden, published by the London Labor and Employment Practice, February 19, 2014.

EU & Competition Law Update – February 2014, published by the European Antitrust and Competition Practice, February 10, 2014.

PRC Labor Activity Issues Interim Provisions on Labor Dispatch, published by the Asian Labor and Employment International Practice, February 25, 2014.

The Introduction of Time Limits in Works Council Consultations:  An Attempt at Streamlining Employer-Employee Relations, published by the Paris Labor and Employment Practice, February 3, 2014.
