On Monday, the Consumer Financial Protection Bureau (CFPB) finalized a rule that promotes more effective privacy disclosures and saves the financial services industry around $17 million dollars. The new rule permits financial institutions that restrict data-sharing to post their annual privacy notices online rather than delivering them to customers individually. The rule will be effective as soon as it is published in the Federal Register.
Under the Gramm-Leach-Bliley Act (GBLA), a financial institution generally must send annual privacy notices to customers that describe whether and how the financial institution shares their nonpublic personal information. An institution that shares this information with unaffiliated third parties generally must notify customers of their right to opt out of the sharing and provide instructions on how to do so.
Under the new rule, a financial institution may meet GBLA requirements by posting privacy notices online instead of distributing an annual paper copy, as long as the institution adheres to certain requirements. For instance, the institution may not share data in ways that trigger customers’ opt-out rights. They must also continue to send notices through existing delivery methods if the policies’ terms change or if a customer with limited internet access requests by phone to receive a notice.
Before the new rule, a financial institution was required to send customers a separate communication about privacy disclosures, and customers would receive a copy of their financial institution’s privacy policies once per year. Under the new rule, if an institution chooses the new disclosure method, the institution may notify customers through regular consumer communications (like a monthly bill) that the annual privacy notice is available online and in paper by request. An institution that chooses the new disclosure method must use the model privacy form developed by federal regulatory agencies in 2009.
The CFPB has highlighted the benefits the new rule offers both to the financial services industry as well as to consumers. On the industry side, the CFPB expects the rule will reduce the costs for companies to provide annual privacy notices. Specifically, the CFPB estimates that the new method could save the industry around $17 million annually.
On the consumer side, the CFPB notes the new rule will allow consumers constant access to privacy policies. Because the model disclosure form allows consumers to better understand their financial institution’s privacy policy, the rule also helps educate consumers about the various types of privacy policies. Furthermore, the possibility of reducing mailing costs incentivizes companies to limit sharing consumers’ data.
Consumer advocacy groups have yet to address the rule, but some responses from the financial services industry have begun to emerge. The National Association of Federal Credit Unions (NAFCU), for example, supports the CFPB’s efforts to ease the GLBA’s disclosure requirement but would still like to see legislation enacting more significant reforms that would reduce the financial burden associated with privacy disclosures.
When the CFPB first proposed the rule in May of this year, the NAFCU had concerns that a continuous posting requirement could be problematic if a credit union’s website was temporarily down. The CFPB responded to these concerns in the preamble of the final rule, clarifying that financial institutions would not violate the rule because of a temporary website malfunction.