The CFPB has issued a proposed rule amending Regulation P to remove the requirement to provide annual privacy notices for financial institutions that satisfy certain conditions. Such institutions would be able to meet the annual privacy notice requirement by posting the privacy notice on their websites and mailing the notice to customers on request. Specifically, the proposed alternative method would require a financial institution to:
- Use the model form for the privacy notice from Regulation P
- Post the annual privacy notice in a clear and conspicuous manner on a separate page of its website, without requiring a login or agreement to website conditions before accessing the notice
- Promptly mail the annual privacy notice to customers who request one by phone
- Provide a clear and conspicuous statement at least once per year on another notice or disclosure announcing that the annual privacy notice is available on the financial institution’s website and that it will be mailed to customers on request
However, a financial institution would have to satisfy several conditions before it could use the alternative method of providing the annual privacy notice. A financial institution would be permitted to use the proposed alternative method only if it:
- Does not share customer nonpublic information in a manner that triggers the opt-out requirement (that is, the financial institution shares information only under the exceptions in Sections 13, 14, and 15 of Regulation P)
- Has not changed the information on its privacy notice since the customer received the previous privacy notice (whether that was the initial or annual privacy notice)
- Does not include in its annual privacy notice the FCRA Affiliate Marketing Rule opt-out notice regarding information sharing among affiliates; instead, the financial institution must provide a separate notice and an opportunity to opt out under the FCRA Affiliate Marketing Rule, if applicable
The CFPB stated that, based on responses to a survey it conducted, 75% of banks do not change their privacy notices and do not share information in a way that triggers their customers’ opt-out rights—meaning that many financial institutions may be eligible to use the proposed alternative method. Comments will be due thirty days after the proposed rule is published in the Federal Register.