The CFPB is finally catching up to Congress by proposing changes to the annual privacy notice requirements under Regulation P to implement the amendment Congress made to Section 503(f) of the Gramm-Leach-Bliley Act ("GLBA") in December 2015. That amendment, titled "Eliminate Privacy Notice Confusion," was enacted as part of the Fixing America's Surface Transportation Act (FAST Act) and creates a statutory exception from the annual privacy notice requirement. The proposed Regulation P changes would also remove the alternative delivery method for GLBA annual privacy notices adopted in 2014, on the reasoning that an institution eligible for the alternative delivery method will also meet the new statutory exception, and will choose to send no annual notice at all rather than jump through the hoops of the alternative delivery method.
Under the proposed rule, a financial institution would generally not be required to deliver a GLBA annual privacy notice if the institution:
- Does not share nonpublic personal information (NPPI) about customers with nonaffiliated third parties except as permitted under the statutory exceptions that do not trigger a right to opt out (the 1016.13, .14 and .15 exceptions); and
- Has not changed its policies and practices with respect to disclosing NPPI as provided in the most recent privacy notice sent to its customers.
The proposed rule provides two ways an institution could lose the exception and again be required to deliver an annual GLBA privacy notice. First, an institution must send a new annual GLBA privacy notice if it changes its policies and practices with respect to:
- The categories of nonpublic personal information it discloses;
- The categories of affiliates and nonaffiliated third parties to whom it discloses NPPI, other than to those parties it discloses information under the 1016.14 and .15 exceptions;
- The categories of nonpublic personal information about former customers that it discloses and the categories of affiliates and nonaffiliated third parties to whom it discloses NPPI about its former customers, other than to those parties under the 1016.14 and .15 exceptions;
- Whether the institution discloses nonpublic personal information to a nonaffiliated third party under 1016.13 (where no other exception in 1016.14 or 1016.15 applies to that disclosure), or any change to its separate statement of the categories of information it discloses and the categories of third parties with whom it has contracted; or
- Any disclosure made under the simplified description the rule permits for nonaffiliated third parties that receive NPPI under the 1016.14 and .15 exceptions (for which it is sufficient to state that the institution makes disclosures to other nonaffiliated companies "for everyday business purposes, such as [include all that apply] to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus").
The proposed rule refers to "treating the revised privacy notice as an initial privacy notice." That does not mean the institution must now look to the initial privacy notice requirements; it means the institution sends the revised privacy notice before it makes the changes and treats that notice as the first notice in a new cycle. Then, the following year, it begins sending the annual notice in accordance with the annual notice requirements.
The second proposed way to lose the exception and trigger an annual GLBA privacy notice is if the institution changes its policies and practices with respect to protecting the confidentiality and security of NPPI. Under existing Regulation P, no revised notice is required before making these types of changes; the change would simply be reflected in the next annual notice. But because an institution relying on the new exception would not otherwise be sending an annual notice, the proposed rule would require it to provide an annual notice within 60 days of making the change to its confidentiality and security policies and practices. The good news here is that the CFPB is proposing that the institution may send the annual notice after the change is made rather than before it. Once the revised privacy notice is sent within the 60 days, the institution would likely meet the exception again and not have to send an annual notice the following year (unless it loses the exception again).
The CFPB points out that the proposed rule does not supersede or override any requirements under the Fair Credit Reporting Act (FCRA). Financial institutions that choose to rely on the annual GLBA notice exception must still provide any opt-out notices required under the FCRA. Such opt-out notices are generally provided in the initial privacy notice and are not required to be provided annually.
Now, if you are like many, you skip the preamble and section-by-section analysis and jump straight to the actual rule changes. Here, you may need to read those sections to understand all of the bits and pieces and the logic behind the somewhat vague drafting. And you may need an antacid or two as you jump around the various sections referenced in the existing rule. I am not quite sure if recent drafters are newbies or seasoned folks just tired of drafting. But a little plain-English writing would be nice now and again.
Be sure to read the proposed rule; it is not very long (41 pages, double-spaced). Consider submitting comments requesting clarification or providing feedback on the other issues on which the CFPB is seeking comment, such as the FCRA impact and additional triggers for providing the annual notice.