The CFPB issued its final rule amending Regulation P to align with its authorizing statute, the Gramm-Leach-Bliley Act (GLBA). On December 4, 2015, Congress amended the GLBA as part of a transportation bill known as the FAST Act. This amendment added a new GLBA section 503(f) which provides an exception under which financial institutions meeting certain conditions are not required to provide annual privacy notices to customers.
To qualify for the annual notice exception the following two conditions must be met: (1) the institution only discloses consumer information under certain circumstances which do not trigger consumer opt-out rights (cannot share with unaffiliated third parties) and (2) the institution has not changed its policies and practices concerning disclosing consumer information since its most recent notice sent to consumers. The CFPB is clear that the annual notice exemption has been available to institutions since passage in December 2015.
Most notably, the final rule amends Regulation P by implementing timing requirements for delivery of annual privacy notices in the event that a financial institution that previously qualified for the annual notice exception later changes its policies or practices in such a way that it no longer qualifies for the exception. The CFPB proposed these re-disclosure amendments to Regulation P in July 2016 and is largely adopting the rule as proposed.
We highly recommend reviewing the regulation if changes are made to privacy sharing, as the requirements may vary based on the change. The new rules provide essentially two options. The institution must issue an annual privacy notice either (1) before implementing the changes in policy or practice that trigger the obligation to send a revised privacy notice, or (2) within 100 days after adopting a policy or practice that eliminates the financial institution's notice exception, where the changes did not trigger the obligation to send a revised privacy notice.
It is important to note that the regulation defines the phrase “policy and practice” as those items disclosed under sections 1016.6(a)(2), 1016.6(a)(3), 1016.6(a)(4), 1016.6(a)(5), and 1016.6(a)(9).
This means that the only privacy notice changes that will not trigger an annual disclosure requirement are relative to information collection as defined under 1016.6(a)(1) and confidentiality and security as defined under 1016.6(a)(8).
The CFPB is further removing the Regulation P provision that allows for use of the alternative delivery method for annual privacy notices. The alternative delivery method was implemented in 2014 and allowed for delivery via the institution’s website. The CFPB believes the alternative delivery method will no longer be used in light of the annual notice exception. However, the final rule is clear to state that continuing alternative delivery methods such as notifying customers of the availability of the notice on the website is permitted.
Again, the annual notice exemption has been available to institutions since passage of the FAST Act in December 2015. The final rule implementing the re-disclosure requirements and removal of the alternative delivery method was published in the Federal Register on April 17, 2018, and will be effective September 18, 2018.
The complete final rule may be found here.