The Consumer Financial Protection Bureau (CFPB) recently published a final rule regarding annual privacy notices from financial institutions to their customers. The rule allows financial institutions that limit their consumer data-sharing and meet other requirements to post their annual privacy notices online rather than delivering them individually.
Under the Gramm-Leach-Bliley Act (GLBA), financial institutions generally must send annual privacy notices to customers. These notices must describe whether and how the financial institution shares consumers’ nonpublic personal information. If the institution shares this information with an unaffiliated third party, it usually is required to notify consumers of their right to opt out of the sharing and provide directions how to do so.
Under the CFPB’s new rule, financial institutions will be able to post privacy notices online instead of distributing an annual paper copy, but only if they satisfy certain conditions such as not sharing data in ways that would trigger consumers’ opt-out rights. The new rule applies to both banks and those nonbanks that are within the CFPB’s jurisdiction under the GLBA. Institutions that post their privacy notices online are required to use the model privacy disclosure form developed by federal regulatory agencies in 2009.
“Consumers need clear and accessible information about how their personal information is being used in the marketplace, but some of these requirements were redundant,” said CFPB Director Richard Cordray when the new rule was published. “Posting privacy notices online will make it easier for consumers to access these important policies, while also making it cheaper for financial institutions to provide disclosures.”