The exemption that allows some financial institutions to skip sending annual privacy notices to consumers could soon be history, if the Consumer Financial Protection Bureau gets its way.
The CFPB announced that it wants to amend the Gramm-Leach-Bliley Act of 1999 (GLBA), which was amended by Congress in December as part of the Fixing America’s Surface Transportation Act. GLBA mandates that certain financial institutions provide their customers with initial and annual notices regarding their privacy practices describing whether and how the institution shares consumers’ nonpublic personal information. If the institution shares nonpublic personal information with an unaffiliated third party, it typically must notify consumers of their right to opt out of the sharing of such information.
But GLBA leaves the door open for some institutions to forgo sending the notices. According to the CFPB, “a financial institution can use the annual notice exception if it limits its sharing of customer information so that the customer does not have the right to opt out and has not changed its privacy notice from the one previously delivered to its customer.”
The proposal also creates deadlines for institutions resuming annual privacy notices if their practices change and they no longer qualify for the exemption.
The proposal relates to a 2014 CFPB rule designed to promote more effective privacy disclosures from financial institutions to their customers. That rule allows companies that limit their consumer data-sharing and meet other requirements to post their annual privacy notices online rather than delivering them individually. Historically, financial institutions have generally provided annual notices by U.S. postal mail.
Under the new proposal, any financial institution allowed to use the alternative delivery method for privacy notices would also meet the requirements for the exemption, according to the CFPB, which is proposing to remove the alternative delivery method.