On August 10, 2018, the Bureau of Consumer Financial Protection (the “Bureau”) issued a final rule implementing a December 2015 amendment to the Gramm-Leach-Bliley Act (“GLBA”), titled “Eliminate Privacy Notice Confusion,” which created an exception to Regulation P’s annual notice requirement for financial institutions that meet certain conditions.
The GLBA and Regulation P generally require that financial institutions provide customers with annual notices that, among other things, identify the institutions’ privacy policies and provide customers with an opportunity to opt out of the financial institutions’ sharing of the customers’ information with certain nonaffiliated third parties. As part of the Fixing America’s Surface Transportation Act (“FAST Act”) that became law in 2015, Congress amended the GLBA to create an exception to the annual privacy notice requirement in new subsection 503(f). A financial institution must meet two conditions to qualify for the exception and to therefore not provide privacy notices to customers each year: (1) it must provide customers’ nonpublic personal information (“NPI”) only in accordance with certain GLBA exceptions that do not trigger consumer opt-out rights; and (2) it must not have changed the policies and practices with respect to disclosing NPI that were described in the institution’s most recent disclosure to customers. The FAST Act amendment to GLBA was effective upon enactment in December 2015.
The Bureau’s proposed rule to implement the amendment was published on July 15, 2016. After considering comments, the Bureau’s final rule updates Regulation P to establish an annual privacy notice exception consistent with the FAST Act amendment to the GLBA. In addition, the final rule establishes timing requirements for financial institutions that must resume delivery of annual privacy notices because they have changed their practices or otherwise ceased to qualify for the exception. If a financial institution no longer qualifies for the exception because of a change in privacy policies or practices, and that change requires delivery of a revised privacy notice, the financial institution must treat the revised privacy notice as an initial privacy notice and provide an annual privacy notice in accordance with the timing requirements for annual privacy notices in 12 C.F.R. §1016.5(a). If a financial institution no longer qualifies for the exception because of a change in privacy policies or practices but is not required to send a revised privacy notice, the financial institution must provide an annual privacy notice within 100 days of the change in policies or practices.