Online Annual Privacy Notices Now Allowed by CFPB
On October 20, 2014, the Consumer Financial Protection Bureau (CFPB) issued a final rule permitting financial institutions to post their annual privacy notices online under certain circumstances. In a time of increasing regulatory requirements, this is a rare rule change that eases the burden somewhat on regulatory compliance.
The rule change was first proposed in May 2014. Among the benefits of the change are constant access to privacy policies for some consumers and lower costs for some financial institutions. It is estimated that financial institutions could save about $17 million annually by using the new alternative delivery method. The rule took effect October 28, 2014.
Initial and annual privacy notice requirements
Regulation of privacy practices began in 1999 with the Gramm-Leach-Bliley Act (GLBA). The essential protections of GLBA, as implemented by Regulation P and the CFPB, have not changed; there will just be an alternative method for delivering the notices to customers.
Privacy notices must still explain how financial institutions protect the nonpublic personal information they collect and maintain. They also describe whether and how the financial institution shares a consumer’s nonpublic personal information with outside parties. Where appropriate, privacy notices can also explain how consumers can opt out of certain types of sharing.
Arguments against mailing annual notices
Many industry commentators have argued that few consumers actually read the privacy notices provided. Even if they did read them, some argue that reading the notices is only beneficial when the consumer has opt-out rights.
Given the high cost of mailing annual notices, many in the industry wanted a more cost-effective delivery option (email or via website), particularly when the content of the notice has not changed and an exception to opt-out applies. One trade association estimated that 75 percent of financial institutions do not change their privacy notices each year and do not share information beyond the opt-out exceptions.
Summary of the final rule
The final rule creates an alternative delivery method for annual privacy notices when certain conditions are met. The alternative delivery method is posting the annual privacy notice in a clear and conspicuous manner on its own Web page on the financial institution’s website. There can be no login required to access the notice, and no other conditions may be imposed to view it. If a customer calls the financial institution and indicates that he or she has no access or limited access to the Internet, the institution must mail the annual notice within 10 days of the request.
A financial institution must meet four conditions before it can avail itself of the alternative delivery method:
- No opt-out rights are triggered by its information-sharing practices under Regulation P or the Fair Credit Reporting Act (FCRA), and opt-out notices required by FCRA have previously been provided, if applicable, or the annual privacy notice is not the only notice provided to satisfy the opt-out notice requirements;
- The privacy notice has not changed since the customer received the previous notice;
- The financial institution uses the Regulation P model form as its annual privacy notice;
- Customers are notified at least once a year about the availability of the privacy notice.
If all four conditions are met, the financial institution can provide the notice using the alternative delivery method. When proposed, the first condition was not popular with many larger financial institutions, which are more likely to share information in ways that trigger opt-out rights and therefore cannot use the alternative delivery method. They also contend that consumers rarely exercise their opt-out rights and so are not significantly affected by that sharing. Nonetheless, the final rule requires that, in order to use the alternative delivery method, no opt-out rights may be triggered.
To use the alternative delivery method, a financial institution must notify customers that the annual privacy notice is available on its website. It can do so by making a clear and conspicuous statement about the website availability at least once per year in a regular consumer communication (e.g., an account statement), and the statement only needs to appear in one such communication as long as all customers receive it.
For example, if a customer has a deposit account, loan, and credit card with a financial institution, and the customer receives a monthly statement for each of these accounts, it is sufficient to include the notice on only one of those statements.
For financial institutions offering e-statements and using this alternative delivery method, the message must also appear on e-statements. The statement must inform customers that the annual privacy notice is available on the financial institution’s website, that the privacy notice has not changed, and that the customer can request that a paper copy be mailed by calling a toll-free telephone number. The statement must also include a link to the Web page where the privacy notice is located.
The regulation even includes sample wording: