Consumer Financial Protection Bureau (CFPB) Proposes Revised Financial Privacy Rule
Wednesday, May 7, 2014
Greg Frischman, Financial Attorney, Covington Law Firm
Print Mail Download i

On May 6, 2014, the Consumer Financial Protection Bureau (“CFPB”) proposed a rule to modify the notice provisions of Regulation P, which implements the financial privacy provisions of the Gramm-Leach-Bliley Act (“GLBA”).

Regulation P requires financial institutions to deliver an annual privacy notice to customers, which is often accomplished through a direct mailing to the customer.  The proposed rule would allow a financial institution to meet this annual privacy notice delivery requirement, in certain circumstances, by continuously posting the privacy notice on its website in a clear and conspicuous manner (described as the “proposed alternative delivery method” in the proposed rule), and providing the customer with a clear and conspicuous annual disclosure that (i) the privacy notice has not changed, (ii) the notice is available on the institution’s website, and (iii) the customer may request a mailed copy of the notice by calling a toll-free number.

Under the proposal, only a financial institution that satisfies the following five conditions may use the proposed alternative delivery method:

  • First, the financial institution does not share the customer’s nonpublic personal information with nonaffiliated third parties in a manner that triggers GLBA opt-out rights.  Put another way, to qualify under this requirement a financial institution may only share information pursuant to the specific exceptions found in Regulation P under 12 C.F.R. §§ 1016.13 (sharing with service providers and pursuant to joint marketing agreements), 1016.14 (sharing for processing and servicing purposes), and 1016.15 (sharing pursuant to other exceptions, including sharing with the consent of the customer).

  • Second, the financial institution does not include on its annual privacy notice an opt-out notice under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (the “FCRA”).  This opt out notice permits a consumer to direct that a financial institution not share certain information about the consumer with its affiliates.

  • Third, the financial institution’s annual privacy notice is not the only notice provided to satisfy the requirements of section 624 of the FCRA.  Section 624 of the FCRA requires a consumer whose information is shared with an affiliate to be given the opportunity to opt out of receiving marketing communications from the affiliate, except where the consumer had a pre-existing relationship with the affiliate.

  • Fourth, the information included in the privacy notice has not changed since the customer received the previous notice.  While the proposed rule makes clear that “stylistic” changes to a privacy notice will not alone constitute changes for purposes of this requirement, changes to certain disclosures will require delivery of the annual privacy notice through another available delivery method (such as direct mail).

(i) the categories of nonpublic personal information the financial institution collects or discloses (including disclosures related to former customers);

(ii) the categories of affiliates and nonaffiliated third parties to whom the financial institution discloses nonpublic personal information (including disclosures related to former customers) other than disclosures pursuant to 12 C.F.R. §§ 1016.14 and 1016.15;

(iii) the categories of nonpublic personal information disclosed to third parties pursuant to 12 C.F.R. § 1016.13, as well as categories of third parties with whom information is shared under this exception;

(iv) the financial institution’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; and

(v) a description of nonaffiliated third parties with whom information is shared under 12 C.F.R. §§ 1016.14 and 1016.15.

  • Finally, the financial institution must use the model privacy form provided in Regulation P.  The proposed rule provides that adoption of the model form, without a change in the underlying privacy policies and practices, would not constitute a “revised” notice.

The CFPB’s proposal invites comment on a number of issues related to the proposed alternative delivery method, and contemplates a 30-day comment period for the submission of comments.

The CFPB’s proposal follows its announcement in July of 2013, covered here, that it was considering potential changes to the annual privacy notice requirements in Regulation P.

© 2024 Covington & Burling LLP

Current Legal Analysis

More from Covington & Burling LLP

Standing Issues in Data Breach Litigation: An Overview
by: Priscilla Fasoro , Lauren Wiseman
Financial Agencies Release Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing
by: Lucille C. Bartholomew
Senate Confirms Kraninger as BCFP Director
by: Luis Urbina
FTC Solicits Public Comment on Identity Theft Detection Rules
by: S. Burr Eckstut
Significant FDA Digital Health Policy Development for Prescription Drug Sponsors
by: Mingham Ji , Christina G. Kuhn
First Significant Pay-to-Play Legislation for the District of Columbia Approved by D.C. Council
by: Kevin Glandon
FTC Settles with PR Firm and Publisher Over Social Media Endorsements
by: Inside Privacy Blog at Covington and Burling
Senate Testimony Highlights Tensions in BSA/AML Reform Efforts as Lawmakers Consider Bipartisan Legislation
by: Sam Adriance
Reprieve in U.S.-China Trade Tensions: U.S. Tariffs on $200 Billion in Chinese Imports to Stay at 10 Percent for 90 Days; China to Purchase U.S. Goods
by: Christopher Adams , John Veroneau
AI Update: FCC Hosts Inaugural Forum on Artificial Intelligence
by: Thomas Parisi

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins