On October 28, 2014, the Consumer Financial Protection Bureau (CFPB) published a final rule in the Federal Register amending the annual privacy notice requirement under the Gramm-Leach-Bliley Act and Regulation P. The GLBA and Regulation P require financial institutions to provide an initial privacy notice to consumers when they establish a customer relationship with the individual and annually thereafter.
The CFPB says the amendment to Regulation P “will expand the permissible methods by which financial institutions subject to Regulation P may deliver annual privacy notices to their customers.” However, the amendments are unlikely to ease the regulatory burden on many financial institutions because financial institutions seeking to use the alternative delivery method established under the final rule must use the CFPB’s Model Privacy Notice, and institutions often make changes to the notice to comply with other legal requirements, such as state laws. Legislation currently pending in Congress would be far superior to the CFPB’s rule, and hopefully the considerable momentum that has built up behind those legislative proposals will not be derailed by the CFPB’s effort here.
In addition, the Final Rule does not provide any clear guidance to financial institutions on how they can modify the Model Privacy Notice and still take advantage of the alternative delivery method. The CFPB’s view is that modifications, however minor, may mean that the financial institution will not be entitled to the safe harbor afforded by the Model Privacy Notice. Regarding this issue, the CFPB said that “financial institutions may consult with counsel on how to comply so as to limit the risk of government enforcement.”
The Final Rule was effective immediately upon publication in the Federal Register. For a more detailed discussion of this issue, please see our client alert.