Time to change CFPB privacy forms, GAO finds

(Nov. 25, 2020) Model privacy forms from the CFPB that many credit unions and banks use to disclose their information-sharing practices to their members and customers should be updated, according to a report issued this week by the Governmental Accountability Office (GAO).

The report, requested by Senate Banking Committee Chairman Mike Crapo (R-Idaho), said the current model form provided under the Gramm-Leach-Bliley Act (GLBA) for required disclosures gives consumers only a limited understanding of institutions’ information sharing. The GAO specifically recommended that the CFPB update the model privacy form and consider including more information about third-party sharing.

Noting that the GLBA-related model privacy form, providing a safe harbor under the law, was created more than 10 years ago, the report states it thus provides a limited view of what information is collected and with whom it is shared. GAO said consumer and privacy groups interviewed by the GAO cited similar limitations.

The proliferation of data-sharing since the form’s creation in 2009 “suggests a reassessment of the form is warranted,” the report adds.

The bureau, in response to the report, said it would consider doing updating the form, adding that it would require a joint rulemaking with other agencies.

CONSUMER PRIVACY: Better Disclosures Needed on Information Sharing by Banks and Credit Unions (GAO-21-36)