It seems the White House and Congress can agree on at least one thing—financial institutions are over-burdened by current privacy notice rules. In a move that, it is hoped, will save financial institutions significant costs on postage, printing and administrative resources, on Friday, December 4, 2015, President Obama signed the Fixing America’s Surface Transportation Act (the “FAST Act”) (H.R. 22) into law. Somewhat oddly, the FAST Act, which applies to infrastructure like highways and bridges, also amends the Gramm-Leach-Bliley Act (“GLBA”) provisions pertaining to customer annual privacy notices.
Currently, the GLBA requires financial institutions to mail customers annual privacy notices regarding the collection, use and disclosure of those customers’ nonpublic personal information (“NPI”). The new GLBA exemption states that a financial institution is not required to provide an annual privacy notice if (1) it only shares NPI with nonaffiliated third parties in a manner that does not require the financial institution to provide an opt-out and (2) it has not changed its policies and practices with respect to disclosing NPI since it last provided the customer a notice.
The GLBA privacy notice exemption only applies so long as the financial institution’s privacy practices do not change. If a financial institution decides to disclose NPI in a manner that requires it to offer an opt-out to its customers, the financial institution would be required to send an updated privacy notice to its customers.