Privacy & Information Security Law Blog

On May 6, 2014, the Consumer Financial Protection Bureau (“CFPB”) announced a new proposed rule impacting privacy notices that financial institutions are required to issue under the Gramm-Leach-Bliley Act (“GLB”). Under the current GLB Privacy Rule, financial institutions must mail an annual privacy notice (the “GLB Privacy Notice”) to their customers that sets forth how they collect, use and disclose those customers’ nonpublic personal information (“NPI”) and whether customers may limit such sharing.

Under the proposed rule, certain financial institutions may forego the annual mailing requirement and instead include a brief disclosure in a billing statement or other communication that the GLB Privacy Notice is available online, then post that notice “in a clear and conspicuous manner” on the institution’s website. Financial institutions also must inform consumers that they may request a paper version of the GLB Privacy Notice by calling a toll-free number. To qualify for this online privacy notice option:

• A financial institution must not share NPI with nonaffiliated third parties in a manner that requires an opt-out right be provided to customers;
• The GLB Privacy Notice must not include an opt out pursuant to the Fair Credit Reporting Act;
• The GLB Privacy Notice cannot be the only notice the financial institution provides to satisfy FCRA requirements;
• The GLB Privacy Notice must not have changed since the last time it was provided to customers; and
• The GLB Privacy Notice must use the model form regulators have developed to comply with the notice requirement.

If a financial institution does not meet all of the requirements listed above, it must continue to mail the GLB Privacy Notice annually to its customers. In announcing the proposed rule, CFPB Director Richard Cordray noted that the changes would both improve customers’ abilities to “find and access privacy policies” and reduce the costs “for industry to provide disclosures.”