The CFPB has proposed rules to afford financial institutions an alternative delivery method for annual privacy notices under the privacy provisions of GLBA and Regulation P (12 CFR part 1016). This alternative delivery method would permit financial institutions (under limited circumstances) to post annual privacy notices on their websites in lieu of mailing notices to customers. The CFPB’s intent appears to be reducing consumer information overload and unnecessary expense related to annual mailings. The proposed rules were published in the federal register today, thus opening the comment period which runs until June 12, 2014.
The alternative delivery method would only be available to financial institutions that share information where consumer opt-out rights are not triggered (along with other conditions). Thus, a financial institution that shares nonpublic personal information with a non-affiliate for marketing purposes (other than in the joint marketing context) – of which the consumer may opt-out – may not utilize the alternative delivery method. The same goes for financial institutions that provide FCRA-related opt-out notices in their annual privacy notices (e.g., to share non-transaction and experience information with affiliates, or for affiliate marketing). Consequently, the alternative delivery method may end up having limited utility for many financial institutions required to provide an annual privacy notice under GLBA.
Specifically, the alternative delivery method would be available only if all of the following conditions are met:
(1) The financial institution does not share nonpublic personal information with nonaffiliated third parties in such manner that would trigger consumer opt-out rights, i.e., information is only shared under a Regulation P §§ 13, 14 or 15 exception.
(2) The financial institution does not include on its annual privacy notice an FCRA opt-out notice regarding the sharing of non-transaction and experience information with an affiliate (603(d)(2)(A)(iii)).
(3) The financial institution does not integrate the affiliate marketing disclosure requirements (including opt-out) under section 624 of the FCRA with its annual privacy notice, i.e., the FCRA affiliate sharing opt-out notice is separately provided.
(4) The privacy notice has not changed since the customer received the previous notice. (The amended rules would list the specific disclosures that must not change for the alternative delivery method to apply, including, among others, the categories of NPPI that the financial institution collects and discloses, the categories of affiliates and non-affiliates to which the financial institution discloses NPPI, and the third parties with which the financial institution has contracted with, under a joint marketing arrangement.)
(5) The financial institution uses the GLBA model form.
(6) The financial institution includes a clear and conspicuous statement at least once a year on another legally required notice or disclosure that states that (i) the annual privacy notice is available on the financial institution’s website, (ii) a paper copy will be mailed upon request; and (iii) the notice has not changed.
(7) The financial institution posts the annual privacy notice in a clear and conspicuous manner on a publicly available webpage (i.e., no login or similar steps required).
In addition to seeking comment on the proposed alternative delivery method, the CFPB seeks to collect data on how many financial institutions would take advantage of the alternative delivery method, how many would be precluded from adopting the alternative delivery method (e.g, how many financial institutions include FCRA opt-out notices in their GLBA privacy notices?), and whether financial institutions that distribute annual notices electronically would utilize the proposed alternate delivery method in light of its strict requirements.