Federal Regulatory Update

August 22, 2018

Annual Privacy Notice - 83 FEDERAL REGISTER 40945

 

The Bureau of Consumer Financial Protection (“CFPB”) recently amended provisions of Regulation P (which implements the Gramm-Leach-Bliley Act) related to the annual privacy notice, effective September 17, 2018.

 

Unless otherwise provided, a financial institution for which the CFPB has authority must provide a clear and conspicuous notice to customers that accurately reflects the institution’s privacy policies and practices not less than annually during the continuation of the customer relationship.

 

A financial institution is not required to deliver an annual privacy notice if the institution:

  • Provides nonpublic personal information to nonaffiliated third parties only in accordance with 12 CFR 1016.13 (Exception to opt out requirements for service providers and joint marketing), 12 CFR 1016.14 (Exceptions to notice and opt out requirements for processing and servicing transactions), and 12 CFR 1016.15 (Other exceptions to notice and opt out requirements); and
  • Has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer in the institution’s most recent privacy notice.

 

If a financial institution has been excepted from delivering an annual privacy notice and changes its policies or practices in such a way that it no longer meets the requirements for that exception, the institution must comply with the above provisions as applicable.

 

If a financial institution no longer meets the exception requirements because the institution changes its policies or practices in such a way that it is required to provide a revised privacy notice, the institution must provide an annual privacy notice in accordance with the timing requirements, treating the revised privacy notice as an initial privacy notice.

 

If a financial institution no longer meets the exception requirements because it changes its policies or practices in such a way that it is not required to provide a revised privacy notice, the institution must provide an annual privacy notice within 100 days of the change in its policies or practices that causes it to no longer meet the exception requirements.

 

The CFPB provided examples of the above scenarios, which can be found in the full text of the regulation at: https://www.consumerfinance.gov/policy-compliance/rulemaking/final-rules/amendment-annual-privacy-notice-requirement-under-gramm-leach-bliley-act/.

 

A financial institution may reasonably expect that a customer will receive actual notice of its annual privacy notice if:

  • The customer uses the financial institution’s website to access financial products and services electronically and agrees to receive notices at the website, and the financial institution posts its current privacy notice continuously in a clear and conspicuous manner on the website; or
  • The customer has requested that the financial institution refrain from sending any information regarding the customer relationship, and the institution’s current privacy notice remains available to the customer upon request.

 
