On May 6, the Consumer Financial Protection Bureau (CFPB) proposed a rule that would allow institutions that limit their consumer data-sharing and meet other requirements to post their annual privacy notices online rather than delivering them individually. “Consumers need clear information about how their personal information is being used by financial institutions,” said CFPB Director Richard Cordray. “This proposal would make it easier for consumers to find and access privacy policies, while also making it cheaper for industry to provide disclosures.”
The Gramm-Leach-Bliley Act (GLBA) generally requires that financial institutions send annual privacy notices to customers. These notices must describe whether and how the financial institution shares consumers’ nonpublic personal information. If the institution does share this information with an unaffiliated third party, it typically must notify consumers of their right to opt out of the sharing and inform them of how to do so.
The proposal “would allow institutions to post privacy notices online instead of distributing an annual paper copy, if they satisfy certain conditions such as not sharing data in ways that would trigger consumers’ opt-out rights. This proposal would apply to both banks and those nonbanks that are within the CFPB’s jurisdiction under the GLBA. Institutions that choose to rely on this new method of delivering privacy notices would be required to use the model disclosure form developed by federal regulatory agencies in 2009.” Under the proposal, if an institution qualified for and wants to rely on the online disclosure method, it would have to inform consumers annually about the availability of the disclosures. Currently institutions must send consumers a separate communication about privacy disclosures. Under this proposal they could include inserts in regular consumer communication, such as monthly billing statements for credit cards, letting consumers know that the annual privacy notice is available online and in paper by request at a toll-free telephone number. If an institution chose not to use the online disclosure method, it would need to continue to deliver annual privacy notices to its customers.
The CFPB will accept comments on the proposed rule for 30 days after its publication in the Federal Register.
A copy of the proposed rule is available here.