Background
Some banks and other organizations covered under the Gramm-Leach-Bliley Act (GLBA) may now post their privacy policies online rather than having to mail them annually. Earlier this week, the Consumer Financial Protection Bureau (CFPB) finalized a rule to provide more effective and efficient privacy disclosures from covered institutions to their customers. Organizations can take advantage of the new rule only if they limit their sharing of customer information.
Applicability of the GLBA
While the GLBA primarily covers banks, companies should keep in mind that its applicable bill is broader than just traditional banks and other covered institutions. For example, the GLBA applies to insurance companies, mortgage brokers and servicing companies, appraisers and real estate settlement service providers.
The GLBA Annual Privacy Notice Requirements
The GLBA and Regulation P require covered institutions to provide their customers with initial and annual notices regarding their privacy policies, including what types of information are collected and with whom the information is shared. If these companies share certain customer information with particular types of third parties, they are also required to provide notice to their customers and an opportunity to opt out of the sharing. Most covered institutions currently mail printed copies of annual GLBA privacy notices to their customers, including notices of GLBA. For years, the financial industry has expressed concerns that this practice causes information overload for consumers and unnecessary expense.
The New Rule
In response to such concerns, the CFPB passed the rule to allow covered organizations to use an alternative delivery method to provide annual privacy notices through posting the annual notices on their websites if they meet certain conditions. Covered institutions may use the alternative delivery method for annual privacy notices if:
- No opt-out rights are triggered by the covered institution's information sharing practices under GLBA or the Fair Credit Report Act (or the organization has separately complied with the notice and opt-out requirements of FCRA).
- The information included in the privacy notice has not changed since the customer received the previous notice. And,
- The covered institution uses the model form provided in Regulation P as its annual privacy notice.
Online Posting Requirements
Covered organizations must continuously post the annual privacy notice in a clear and conspicuous manner on a page of its website, without requiring a login or similar steps or agreement to any conditions to access the notice.
Customer Can Request Copy by Mail
To assist customers with limited or no access to the internet, the institution must mail annual notices to customers who request them by telephone, within ten days of the request.
Notice of the Online Posting
To make customers aware that its annual privacy notice is available through these means, the institution must insert a clear and conspicuous statement at least once per year on an account statement, coupon book, or a notice or disclosure the institution issues under any provision of law. The statement must inform customers that the annual privacy notice is available on the covered institution's website, the institution will mail the notice to customers who request it by calling a specific telephone number, and the notice has not changed.
Annual Notice Still Required in Some Instances
A covered institution is still required to use one of the permissible delivery methods that predate this rule change (referred to as the standard delivery methods) if the institution, among other things, has changed its privacy practices or engages in information-sharing activities for which customers have a right to opt out. While existing rules under the GLBA permit electronic delivery of annual notices, the circumstances are limited and relate to transactions conducted online.
Conclusion
Organizations that are required to provide an annual privacy notice under the GLBA should determine whether it qualifies under this new rule allowing the posting of the notice online in lieu of mailing. In the event the company does not qualify, it should consider whether a change in its data sharing practices is warranted in order to take advantage of the new rule.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
