On August 10, 2018, the Bureau of Consumer Financial Protection (the “Bureau”) announced that it had finalized amendments to the Gramm-Leach-Bliley Act (“GLBA”) regulations implementing a statutory change that provides an exemption for certain financial institutions from the GLBA requirement to deliver an annual privacy notice to their customers.

As discussed in our post from December 2015, the exemption was created as part of the Fixing America’s Surface Transportation Act (Public Law 114-94) and allows qualifying financial institutions to be exempt from sending an annual privacy notice to their customers if two conditions are met:

  1. The financial institution only provides non-public personal information to non-affiliated parties in accordance with the statutory or regulatory exceptions that do not trigger consumer opt-out rights; and
  2. The financial institution must not have changed its privacy policies and practices regarding sharing non-public personal information since the last disclosure was sent to the customer.

The final regulation incorporates that statutory provision (which already is in effect) and also establishes timing requirements for resuming delivery of the annual privacy notice to customers if the exemption no longer applies:

  • If, since the last disclosure to customers, the financial institution revises its privacy policies and practices to disclose nonpublic personal information to a nonaffiliated party other than as set forth in the last disclosure, then that change will trigger the requirement to send out a revised privacy notice to the customer before sharing the information in the new way described in the notice; under the new regulation, the revised notice is treated as if it was an initial privacy notice to a customer, which means that after sending the revised notice, the financial institution must thereafter send an annual notice to its customers by the end of the following 12 consecutive months.
  • However, if the financial institution changes its privacy policies and practices, but a revised privacy notice is not required before instituting the changes, the financial institution has 100 days from the date of change in such policies and practices to deliver an annual privacy notice.

Once these requirements are satisfied, the financial institution again could qualify for the exemption until it later institutes changes that trigger a loss of the exemption.

For example, the regulations require that a financial institution covered under the regulations must send an annual privacy notice to its customers at least once in a 12 consecutive month period. If the financial institution uses the calendar year as its 12 month consecutive month period, and provides a revised notice on March 1 because it will be disclosing nonpublic personal information to a nonaffiliated party other than as set forth in the last disclosure, then it must send out its annual privacy notice by December 31 of the next calendar year. If the change does not trigger a revised privacy notice at the time of the change, then it has 100 days from the date of the change to send its annual notice to its customers.

In making these changes, the financial institution could schedule them in such a way so as minimize disruption to its current annual customer privacy notice schedule.

These regulations are effective September 17, 2018.