CFPB Proposes Rule Allowing Online Posting Of GLB Privacy Notices

more+
less-

On May 6, the Consumer Financial Protection Bureau ("the CFPB" or "the Bureau") announced a proposed rule that would permit financial institutions to post annual privacy notices required by the Gramm-Leach-Bliley Act ("GLBA") online as an alternative method of delivering the notices.  

The GLBA requires financial institutions to provide customers with initial and annual notices of their privacy policies, including whether they share consumers’ nonpublic information with third parties, and an opportunity to opt out of such information sharing. Many financial institutions mail printed copies of their annual GLBA privacy notices. The Bureau estimates the industry could save $17 million annually by using the proposed online disclosure method.

Rulemaking authority for the GLBA was formerly spread among several agencies, including the Federal Reserve Board (the "Fed"), Office of Comptroller of the Currency ("OCC"), Federal Deposit Insurance Corporation ("FDIC"), National Credit Union Administration ("NCUA"), Securities and Exchange Commission ("SEC"), and the Commodity Futures Trading Commission ("CFTC"). Dodd Frank transferred GLBA rulemaking authority from the Fed, OCC, FDIC and NCUA to the Bureau effective July 21, 2011. Thereafter, the Bureau restated various existing implementing regulations in Reg. P. 

"Financial institutions" for purposes of the proposed CFPB rule include depositary and non-depositary institutions and other entities that provide consumer financial products or services subject to CFPB regulation, including mortgage brokers, loan servicers, and debt collectors. Entities regulated by the SEC and CFTC remain subject to rules issued by those agencies. However, according to the CFPB’s notice of proposed rulemaking, the Bureau consulted and coordinated with those agencies and with the National Association of Insurance Commissioners about the proposed online alternative for delivering privacy notices. 

In response to financial industry concerns about consumer information overload, the proposed new rule would amend Reg. P to permit supervised entities that do not share certain types of consumer information to post annual privacy notices on their websites instead of mailing them. 

The proposed regulation recognizes the pervasive growth of online transactions. It provides that a financial institution may reasonably expect a customer to receive actual notice of its annual privacy notices if that customer uses the institution’s website to access financial products and services, agrees to receive notices at the website, and if the notice is continuously posted in a clear and conspicuous manner on the website; or, if the customer has requested that the institution not send information regarding the customer relationship, but the current privacy notice remains available to the customer on request. 

In addition, for an institution to use the online delivery method instead of mailing the annual privacy notice under the proposed new rule, the following conditions must be met: 

(1) the financial institution must not share nonpublic consumer personal information with nonaffiliated third parties in a manner that triggers GLBA opt-out rights; 

(2) similarly, the institution must not share information with affiliates in a manner that triggers affiliate information sharing opt-out rights under Sec. 603(d)(2)(A)(iii) of the Fair Credit Report Act ("FCRA"); 

(3) if Sec. 624 of the FCRA requires an opt-out notice for sharing of information among affiliates for solicitation and marketing purposes, the online notice must not be the only method for providing such notice; and 

(4) the institution must use the model form provided in the GLBA’s implementing Regulation P.

A 30-day comment period will follow publication in the Federal Register. As reflected by (2) and (3) above, institutions that share with their affiliates certain customer information that triggers the need to provide other GLBA and FCRA opt-out notices would not be able to use online delivery under the current proposal. This will potentially limit its usefulness, especially for larger institutions. The Bureau is soliciting comments, on, among other issues, the extent to which financial institutions provide an FCRA 603(d)(2)(A)(iii) opt-out, which would preclude their use of the alternative delivery method, and the benefit to customers of receiving the notice by the current paper method as opposed to the online method with respect to FCRA and GLBA opt-out rights.

 

Topics:  CFPB, Compliance, Gramm-Leach-Blilely Act, Notice Requirements, Posting Requirements, Privacy Policy, Regulation P, SEC

Published In: Consumer Protection Updates, Finance & Banking Updates, Privacy Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Carlton Fields Jorden Burt | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »