Summary: BCFP Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach Bliley Act (Regulation P) (Oct. 2018)

Summary:  Final Rule – Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach Bliley Act (Regulation P)

Bureau of Consumer Financial Protection
Prepared by the NASCUS Legislative & Regulatory Division
October 2018

The Bureau of Consumer Financial Protection (Bureau) is amending Regulation P, which requires (among other things) that financial institutions provide an annual notice describing their privacy policies and practices to their customers.  The amendment implements a December 2015 statutory amendment to the Gramm-Leach-Bliley Act providing an exception to annual privacy notice requirements.

The Final Rule became effective on September 17, 2018.  You can find the rule here.

Summary

GLBA and Regulation P require that financial institutions provide consumers with certain notices describing the institution’s privacy policy.  Institutions are generally required to provide consumers with an initial notice of their privacy policies when a consumer relationship is established and an annual notice each year the customer relationship continues.

In December 2015, Congress amended GLBA as part of the Fixing America’s Surface Transportation Act (FAST).  The FAST Act amendment added an exception to GLBA’s annual privacy notice requirements for financial institutions that meet certain conditions.   Specifically, a financial institution can qualify for the annual privacy notice exception if:

  • the financial institution does not share nonpublic personal information about consumers except as described in certain statutory exceptions such as sharing that does not trigger the customer’s statutory right to opt out.
  • the financial institution must not have changed its policies and practices with regard to disclosing nonpublic personal information from those that the institution disclosed in the most recent privacy notice.

The Bureau is also amending Regulation P to provide timing requirements for delivery of annual privacy notices in the event that a financial institution that qualified for the annual notice exception later changes its policies or practices in such a way that it no longer qualifies for the exception.

The final rule also removes the Regulation P provision that allows for the use of the alternative delivery method for annual privacy notices.  The Bureau believes this alternative method will no longer be relevant in light of the annual notice exception.