The CFPB has proposed allowing financial institutions to forgo mailing annual privacy notices by posting such notices online, if the financial institution meets certain conditions. While the proposal is welcome, it needs clarification to ensure that it actually provides the intended relief of easing the burden imposed by the annual privacy notice requirement under the Gramm-Leach-Bliley Act.

Introduction

Financial institutions currently mail a separate privacy notice every year to each customer. The proposed amendment to the GLBA Privacy Rule would allow institutions that meet certain requirements, such as using the CFPB's Model Privacy Notice, to post the privacy notice online and include a reminder of the notice's availability in regular mailings to consumers once per year.

The proposed amendment, however, does not acknowledge that most institutions have tailored the Model Notice to fit each institution's policies and circumstances. This creates ambiguity with regard to whether such institutions may take advantage of the proposal and online notifications.

In addition, the alternative delivery method would not be available to financial institutions that offer consumers an opportunity to opt out of affiliate sharing under FCRA § 603(d)(2)(A)(iii), greatly diminishing the proposal's usefulness.

Comments are due June 12, 2014.

Current Requirements

Financial institutions are required to provide an initial privacy notice to consumers when such institutions establish a customer relationship with a consumer, and to mail another copy of the privacy notice to their customers each year. These notices must alert consumers to whether and how the institution shares consumers' nonpublic personal information. For example, an institution must typically notify consumers if it shares nonpublic personal information with unaffiliated third parties and how to opt out of such sharing.

The Proposal

Under the proposed amendment, a financial institution would be allowed to post its privacy notice online rather than mailing the notice, if the institution meets the following conditions:

  • it does not share information with unaffiliated third parties except for the purposes permitted under 12 C.F.R. §§ 1016.13, 1016.14, and 1016.15;
  • it does not provide consumers with an opportunity to opt out of the sharing of consumer report information among affiliates under FCRA § 603(d)(2)(A)(iii) (under the CFPB's GLBA Privacy Rule, if an institution offers an FCRA affiliate sharing opt-out, it must include that opt-out in its annual privacy notice);
  • if it provides an affiliate marketing opt-out under FCRA § 624, it satisfies the requirements of FCRA § 624 with a separate notice, outside its annual privacy notice;
  • it has not changed the content of its privacy notice since it last provided an annual notice to its customers; and
  • it uses the CFPB's Model Privacy Notice.

Under the proposal, financial institutions that do not mail an annual notice would be required to clearly and conspicuously notify consumers where the notice can be found, and to promptly mail a notice to consumers who request one by calling a toll-free telephone number.

The Missing Pieces

Although many financial institutions use the CFPB's Model Privacy Notice, many of these institutions have slightly modified the Model to tailor it to their specific circumstances. The CFPB has made clear that such modifications, however minor, may mean that the financial institution will not be entitled to the safe harbor afforded by the Model Privacy Notice. See 12 CFR part 1016, App. B(1)(b) ("Institutions seeking to obtain the safe harbor through use of the model form may modify it only as described in these Instructions."). As long as the notice is consistent with the requirements of the GLBA Privacy Rule, however, the regulators should not take issue with the notice. See 74 Fed. Reg. 62890, 62890 (Dec. 1, 2009) (final rulemaking notice) ("While the model form provides a legal safe harbor, institutions may continue to use other types of notices that vary from the model form so long as these notices comply with the privacy rule.").

Under the CFPB proposal, however, using the Model would become a requirement for institutions seeking to use the alternative delivery method. The proposal is unclear as to whether and to what extent financial institutions could modify the Model Privacy Notice and still take advantage of the alternative delivery method. If institutions seeking to use the alternative delivery method are held to the same standard as institutions seeking to use the safe harbor, those institutions will not be permitted to vary from the Model Notice at all beyond what the Instructions to the Model Notice specifically allow.

Additionally, institutions that provide an FCRA affiliate sharing opt-out, under FCRA § 603(d)(2)(A)(iii), will not be able to use the new delivery method. This substantially reduces the impact of the proposal.

Combined, these restrictions on use of the proposed amendment could prevent financial institutions from changing their practice of mailing annual privacy notices. Clarification in the final rule, at least as to the use of the model form, would greatly add to the potential utility of the proposal.

Pending Legislation would be Preferable to the CFPB Proposal

Recent legislation that has passed in the House and has been introduced in the Senate would provide an exception to the annual written notice requirement to any financial institution that "provides nonpublic personal information in accordance with" the GLBA and Regulation P, has not updated its privacy policy since its last written disclosure, and provides online access to its most recent disclosure to all customers. See Eliminate Privacy Notice Confusion Act, H.R. 749, 113th Cong. (passed Mar. 12, 2013); Privacy Notice Modernization Act of 2013, S. 635, 113th Cong. (introduced Mar. 21, 2013).

That is, this legislation would provide the needed regulatory relief, without regard to whether a financial institution provides an FCRA affiliate sharing opt-out or uses the CFPB Model Privacy Notice.

Below please find links to the CFPB's Press Release and Proposed Rule.

CFPB Press Release:

http://www.consumerfinance.gov/newsroom/cfpb-proposes-rule-to-promote-more-effective-privacy-disclosures/

Federal Register Notice of Proposed Rulemaking:

https://www.federalregister.gov/articles/2014/05/13/2014-10713/amendment-to-the-annual-privacy-notice-requirement-under-the-gramm-leach-bliley-act-regulation-p

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved