On August 17, 2018, the Bureau of Consumer Financial Protection (CFPB) published a final rule amending its Regulation P to include an exception to the Gramm-Leach-Bliley Act (GLBA) annual privacy notice obligation. Nearly three years ago, the Fixing America's Surface Transportation Act (FAST Act) amended the GLBA to provide for such an exception.1 The CFPB has now caught up in order to ensure that Regulation P is consistent with the GLBA as amended. Although the final rule will take effect on September 17, 2018, the FAST Act's statutory amendment has been effective for several years. That is, notwithstanding the fact that Regulation P fell behind the statute, financial institutions have been able to rely on the GLBA's statutory exception to the annual notice obligation.

BACKGROUND ON THE EXCEPTION TO ANNUAL NOTICE REQUIREMENT

Under the GLBA, a financial institution must provide each consumer customer with an annual notice of its privacy policies and practices over the course of its relationship with the customer.2 The FAST Act amended the GLBA to provide an exception to the annual privacy notice requirement for financial institutions that satisfy two conditions. Specifically, a financial institution is not required to provide an annual privacy notice to its customers if: (1) the institution shares nonpublic personal information (NPI) about customers with nonaffiliated third parties only to the extent permitted by exceptions in the GLBA or Regulation P (i.e., the financial institution is not required to provide an opt out for sharing with nonaffiliated third parties), and (2) the financial institution has not changed its policies and practices with respect to disclosing NPI from those described in the most recent privacy notice sent to customers.

AMENDED REGULATION P

In July 2016, the CFPB published its proposed rule to amend Regulation P to implement the FAST Act exception to the annual notice requirement. The CFPB has now adopted the proposal, largely as originally proposed. Specifically, the final rule provides that a financial institution will not be required to deliver an annual privacy notice if: (1) the institution discloses NPI only in accordance with the Regulation P exceptions, and (2) the institution has not changed its disclosure policies and practices since the most recent privacy notice sent to customers.3

The final rule goes beyond the FAST Act in the sense that it provides additional detail surrounding when a financial institution that no longer qualifies for an exception must resume providing annual notices. Specifically, under the final rule, if a financial institution changes its policies in such a way that it is required to provide customers with a revised privacy notice (and no longer qualifies for the exception),4 the financial institution will then be required to resume providing an annual notice thereafter (i.e., treating the revised notice as an initial notice).5 If the financial institution changes its policies but is not required to provide a revised privacy notice (despite the fact that it no longer qualifies for the exception), the financial institution will be required to deliver the annual notice within 100 calendar days after the change.6

In addition, the final rule eliminates Regulation P's prior alternative delivery method for annual privacy notices. This alternative took effect in October 2015, but provided little practical utility to financial institutions, particularly following the enactment of the FAST Act. The CFPB states in the supplementary information accompanying the final rule that it removed the alternative delivery method because it believes it "will no longer be used in light of the annual notice exception," as an institution that satisfied the conditions to use the alternative delivery method will now qualify for the exception to the annual notice.

Notwithstanding the relief provided by the FAST Act (and reiterated in the CFPB's final rule), financial institutions seeking to rely on the exception to the annual notice requirement should still consider the extent to which they are subject to a state privacy law that would continue to impose an annual notice obligation or that would impose additional conditions on the availability of the exception. For example, Vermont beat the CFPB to the punch in amending its financial privacy rules in March of this year to include an exception similar to the FAST Act (while also removing from the rules the alternative delivery exception that was originally added in 2015 similar to the CFPB's own updates to Regulation P). The Vermont rules, however, impose additional conditions on the availability of an exception including that a financial institution does not disclose information to affiliates in a manner that would require an opt in under the Vermont Fair Credit Reporting Act and the financial institution posts its current privacy notice continuously and in a clear and conspicuous manner on a page of its web site on which the only content is the privacy notice.

Footnotes

1. Pub. L. No. 114-94, 129 Stat. 1312 (2015). Our alert on the FAST Act amendment is available here.

2. 12 C.F.R. § 1016.5(a)(1).

3. To be codified at 12 C.F.R. § 1016.5(e)(1).

4. See 12 C.F.R. § 1016.8.

5. To be codified at 12 C.F.R. § 1016.5(e)(2)(i).

6. To be codified at 12 C.F.R. § 1016.5(e)(2)(ii).

© Morrison & Foerster LLP. All rights reserved