Consumer Financial Protection Bureau Issues Final Rule Regarding Online Annual Consumer Privacy Notices

The Consumer Financial Protection Bureau (CFPB) recently adopted the Privacy Notice Rule, a final rule that permits the financial institutions it regulates the option to post annual consumer privacy notices online, rather than mailing paper copies to customers, under certain conditions.¹

The Privacy Notice Rule is the latest instance of regulatory relief provided to financial institutions by the CFPB. The new rule, which follows on the heels of other streamlining rulemakings by the CFPB, aims to reduce unnecessary or unduly burdensome regulatory requirements in the financial sector: the CFPB estimates that, as a result of the rule, financial institutions’ compliance expenses will decrease by approximately $17 million annually.²

In addition to this significant, recurring reduction in compliance expenses for financial institutions, the CFPB anticipates that the rule will benefit consumers by providing constant online access to privacy policies presented in an understandable form. The CFPB also hopes the new rule will benefit consumers by providing incentives for financial institutions to avoid or limit the sharing of consumers’ nonpublic personal information.

The Privacy Notice Rule applies only to certain depository institutions, such as commercial and savings banks, and to non-depository entities subject to the jurisdiction of the CFPB, such as mortgage bankers, loan servicers, payday lenders, debt collectors, and remittance transfer providers. The rule does not apply to institutions that are subject to the privacy jurisdiction of the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), or the Federal Trade Commission (FTC) (save for certain motor vehicle dealers that are subject to FTC jurisdiction).

The CFPB consulted and coordinated with these other federal regulators and with state insurance authorities in developing the alternative method of delivering the annual privacy notices, as required by the Gramm-Leach-Bliley Act (GLBA),³ to ensure harmonization among the agencies’ rules, to the extent possible.⁴

Overview of the Privacy Notice Rule

As of October 28, 2014, a financial institution that is regulated by the CFPB is permitted to post annual privacy notices online, rather than by mailing paper copies to customers, if the institution satisfies the following conditions:

• The financial institution does not share its customers’ nonpublic personal information with nonaffiliated third parties in a manner that triggers opt-out rights under GLBA
• The financial institution does not include in its annual privacy notice information about certain consumer opt-out rights under Section 603 of the Fair Credit Reporting Act (FCRA)
• The financial institution’s annual privacy notice is not the only notice provided to satisfy the requirements of the affiliate marketing provisions of the FCRA⁵
• The information the financial institution includes in the privacy notice has not changed since the customer received the previous notice
• The financial institution uses the model form provided in GLBA’s implementing Regulation P⁶

A financial institution that avails itself of this alternative method of delivering annual privacy notices must also comply with several other provisions aimed at ensuring that customers are aware of the online annual privacy notice. Financial institutions providing online privacy notices online must:

• Continuously post the annual privacy notice in a clear and conspicuous manner on a page of its website, without requiring a login or similar steps or agreement to any conditions to access the notice⁷
• Mail a printed copy of its annual notice to any customer who requests such a notice by telephone, within ten days of the request
• Insert a clear and conspicuous statement at least once per year on an account statement, coupon book, or a notice or disclosure the institution issues under any provision of law. The statement must inform customers that the annual privacy notice is available on the financial institution’s website, the institution will mail the notice to customers who request it by calling a specific telephone number and the notice has not changed

A financial institution that has changed its privacy practices or that engages in information-sharing activities for which consumers have a right to opt out must continue to deliver annual privacy notices using the permissible delivery methods predating the Privacy Notice Rule.

The Final Privacy Notice Rule, or More to Come from Congress?

The CFPB characterized the final rule as a win-win for consumers and financial institutions, with consumers receiving 24/7-access to privacy policies, educating them about the various types of privacy policies, and potentially limiting the amount of an institution’s data sharing with third parties to avoid having to send additional notices, while institutions benefit from reduced costs.

“Consumers need clear and accessible information about how their personal information is being used in the marketplace, but some of these requirements were redundant,” CFPB Director Richard Cordray said in a statement. “Posting privacy notices online will make it easier for consumers to access these important policies, while also making it cheaper for financial institutions to provide disclosures.”

Despite protestations from the financial industry that the Privacy Notice Rule, as proposed, would do little or nothing to ease the burden of annual privacy notices on most financial institutions, the CFPB issued the final rule with little or no substantive modification. Legislation currently pending in Congress could prove to be more effective than the CFPB’s rule, and it is possible that those legislative proposals will not be derailed by the CFPB’s effort here. These legislative proposals would, for instance, provide an exception to the annual written notice requirement for any financial institution that provides nonpublic personal information in accordance with the GLBA and Regulation P, has not updated its privacy policy since its last written disclosure, and provides online access to its most recent disclosure to all customers.⁸ Unlike the Privacy Notice Rule, which requires financial institutions to use the GLBA model form and prohibits sharing FCRA information with affiliates, effectively denying relief to all but the smallest financial institutions, the pending legislative proposals in Congress would provide regulatory relief regardless of whether a financial institution provides an FCRA affiliate sharing opt-out or uses the CFPB model privacy notice.

Compliance with the Privacy Notice Rule

Even though financial institutions seeking to use the alternative delivery method must use the CFPB’s model privacy notice, the Privacy Notice Rule does not provide clear guidance as to how covered institutions may modify the model notice while still taking advantage of the alternative delivery method. Many financial institutions use the model privacy notice, and many of these institutions have slightly modified it to tailor it to their specific circumstances. The CFPB has made clear that such modifications, however minor, may mean that the financial institution will not be entitled to the safe harbor afforded by the model privacy notice.⁹ The CFPB failed to provide helpful guidance on this issue, noting that “financial institutions may consult counsel on how to comply so as to limit the risk of government enforcement” as a result of departures from the model privacy notice. This does not serve as much encouragement for financial institutions seeking to post annual notices online, and may ultimately limit the degree to which financial institutions adopt what could be, if properly structured, a sensible and consumer-friendly alternative means of notice.

¹ Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley Act (Regulation P), 79 Fed. Reg. 64057 (October 28, 2014).

² 79 Fed. Reg. 64057, 64077.

³ 15 U.S.C. § 6801 et seq.

⁴ 15 U.S.C. § 6804(a)(2).

⁵ 15 U.S.C. § 1681s-3 and 12 C.F.R. part 1022, subpart C.

⁶ See 12 C.F.R. 1016.

⁷ The Privacy Notice Rule preamble explains that the CFPB will not consider occasional or unavoidable website interruptions to violate the requirement for continuous posting. 79 Fed. Reg. 64072.

⁸ See, e.g., Eliminate Privacy Notice Confusion Act, H.R. 749, 113th, Cong. (passed Mar. 12, 2013); Privacy Notice Modernization Act of 2013, S. 635, 113th Cong. (introduced March 21, 2013).

⁹ See 12 CFR part 1016, App. B(1)(b). Regulators should not take issue with the notice, however, if the notice is consistent with the requirements of the GLBA Privacy Rule. See, e.g.,
74 Fed. Reg. 62890, 62890 (December 1, 2009) (final rulemaking notice) (“While the model form provides a legal safe harbor, institutions may continue to use other types of notices that vary from the model form so long as these notices comply with the privacy rule.”)