August 29, 2018

GLBA Annual Privacy Notice Update

2 min

The CFPB has revised the exception for annual privacy notice delivery under the Gramm-Leach-Bliley Act (GLBA), implementing statutory amendments to the GLBA passed in 2015. The final rule replaces the current annual privacy notice exception under Regulation P. Under the new exception, financial institutions (FIs) do not need to send annual privacy notices if:

  1. The FI shares non-public information (NPI) with non-affiliated third parties only under the exceptions of Subpart C of Regulation P, which do not require a consumer opt-out; and
  2. The FI's practice of sharing NPI has not changed since the last annual privacy notice was sent. Changes to elements of the annual privacy notice that do not address information sharing, including information collection, confidentiality, and security practices, do not affect the exception. Changes in affiliate sharing practices and opt-outs covered by the Fair Credit Reporting Act (FCRA) are also excluded from this provision.

When an FI does revise its privacy notice, the final rule provides two alternatives, depending on whether the change at issue would trigger the requirement for a revised notice under Regulation P. First, if the change would trigger a revised notice, FIs must send the revised notice and provide any required opt-out period before the change in information sharing; an annual notice must be sent the following year (thus preventing FIs from having to send out multiple notices within the same year). For all other changes to the privacy policy, the final rule provides that FIs must send the annual notice within 100 days of the change in the policies or practices that result in the loss of the exception.

Generally, the CFPB's final rule relaxes the regulatory burden inherent in the annual notice requirement. Also, the preamble to the final rule clarifies that FIs that fall within the annual notice exemption can continue to post online privacy notices, provide privacy notices to requesting consumers, and notify consumers of the notices' availability—which will not affect FIs' eligibility for the new exception.

The amendments were finalized by the CFPB on August 10, 2018 and will become effective September 17, 2018.