On October 28, 2014, the Consumer Financial Protection Bureau (CFPB) published in the Federal Register its final rule allowing some banks and other financial institutions an alternative way to deliver the annual privacy notices that they are required to provide to customers: posting the notice on their websites.
This final rule was effective immediately upon its publication.
Financial institutions must provide an initial, and thereafter annual, notice to their customers that describes the types of nonpublic personal information they collect from customers and what they do with such information. If such nonpublic personal information is shared with nonaffiliates outside of certain specific regulatory exemptions, the customer must be provided with the ability to opt out of such sharing (known as “the Privacy Rule”).
Oftentimes, these privacy notices also contain information on other consumer opt-out rights regarding a financial institution’s sharing of nonpublic personal information with its affiliates to allow them to market products to the financial institution’s customers (known as “the Affiliate Marketing Rule”) and provision of “consumer reports” to its affiliates that could serve as a factor in the affiliate’s consideration of the customer’s eligibility for certain purposes, such as credit (known as “the Consumer Reports Rule”).
The Privacy Rule regulations have been in effect since 2000 and originally were promulgated by several regulatory agencies. In the Dodd-Frank Wall Street Reform and Consumer Protection Act, responsibility for the Privacy Rule was transferred for the most part to the newly created CFPB. The Securities and Exchange Commission and the Commodity Futures Trading Commission still maintain Privacy Rule jurisdiction over their respective regulated businesses, as does the Federal Trade Commission with respect to certain auto dealers.
Over the years, there has been criticism from many financial institutions that mailing annual privacy notices to customers has proven to be expensive and unnecessary, particularly when the information contained in those privacy notices does not change.
The CFPB in May 2014 issued a proposed notice allowing alternative delivery of the annual notice through use of the financial institutions’ websites. After consideration of the comments, a detailed discussion of which appears in the Federal Register notice, the CFPB issued its final rule allowing a financial institution to deliver its annual privacy notice by posting it on its website, under the following conditions:
- there are no customer opt-out rights triggered by the financial institution’s information sharing practices under the Privacy Rule or the Consumer Reports Rule (that is, any sharing of information is provided only pursuant to certain specified exceptions)
- customer opt-out notices under the Affiliate Marketing Rule have previously been provided, are inapplicable, or are contained in another notice to customers other than the Privacy Rule
- information included in the privacy notice has not changed since the customer received the previous notice, other than to eliminate categories of information disclosed, or categories of third parties to whom information is disclosed
- the financial institution uses the model form provided in the Privacy Rule as its annual privacy notice
- the financial institution must continuously post the annual privacy notice on its website in a “clear and conspicuous” manner, on a page devoted solely to the notice
- the customer must be able to access the privacy notice webpage without having to log on to the website or agree to any conditions before accessing the notice
- within ten calendar days, the financial institution must mail an annual privacy notice to any customer who telephones the financial institution (it need not be a toll-free number) and requests a copy of such notice
- a financial institution must make customers aware that its annual privacy notice is available on its website through posting notices at least once a year on a customer account statement, coupon book, or other required customer notice or disclosure
- this posted notice must state that:
  - the financial institution’s privacy notice has not changed
  - the privacy notice is available on the financial institution’s website at a specified web address
  - if the customer calls a specific telephone number (which need not be toll-free), the notice will be mailed to the customer within ten calendar days of the request
If the financial institution has changed the privacy notice (unless to eliminate information as noted above) or now must offer opt-out rights not previously required, it may not use the alternative delivery method.
Our May 2014 Client Alert discussed the proposed regulation.