The CFPB has revised the exception for annual privacy notice delivery under the Gramm-Leach-Bliley Act (GLBA), implementing statutory amendments to the GLBA passed in 2015. The final rule replaces the current annual privacy notice exception under Regulation P. Under the new exception, financial institutions (FIs) do not need to send annual privacy notices if:
- The FI shares non-public information (NPI) with non-affiliated third parties only under the exceptions of Subpart C of Regulation P, which do not require a consumer opt-out; and
- The FI's practice of sharing NPI has not changed since the last annual privacy notice was sent. Changes to elements of the annual privacy notice that do not address information sharing, including information collection, confidentiality, and security practices, do not affect the exception. Changes in affiliate sharing practices and opt-outs covered by the Fair Credit Reporting Act (FCRA) are also excluded from this provision.
Generally, the CFPB's final rule relaxes the regulatory burden inherent in the annual notice requirement. The preamble to the final rule also clarifies that FIs that fall within the annual notice exemption can continue to post online privacy notices, provide privacy notices to requesting consumers, and notify consumers of the notices' availability, none of which will affect FIs' eligibility for the new exception.
The amendments were finalized by the CFPB on August 10, 2018, and will become effective September 17, 2018.