No, we do not believe you are required to send customers an annual privacy notice, since your bank appears to qualify for an exemption from the annual privacy notice requirement.
The Gramm–Leach–Bliley Act (GLBA) generally requires financial institutions to provide initial privacy policy disclosures to new customers and to send their privacy notices annually to all customers. However, the GLBA provides an exemption from the annual privacy notice requirement for financial institutions that have not changed their privacy policy or practices since their most recent disclosure and do not share information in a way that triggers a consumer’s opt-out rights (in other words, they only share information in accordance with Regulation P’s opt-out exceptions in sections 12 CFR 1016.13–15).
In this case, your privacy policy and practices have not changed in over two years, which meets the first prong of the exemption. In addition, you do not appear to share information in a way that triggers a consumer’s opt-out rights, since you do not share information with nonaffiliated third parties other than for your everyday business purposes (which does not trigger a consumer’s opt-out rights).
For resources related to our guidance, please see:
- Regulation P, 12 CFR 1016.5(e)(1) (“Exception to annual privacy notice requirement. (1) When exception available. You are not required to deliver an annual privacy notice if you:
(i) Provide nonpublic personal information to nonaffiliated third parties only in accordance with the provisions of § 1016.13, § 1016.14, or § 1016.15; and
(ii) Have not changed your policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under § 1016.6(a)(2) through (5) and (9) in the most recent privacy notice provided pursuant to this part.”)
- Regulation P, 12 CFR 1016.15(a) (“Exceptions to opt out requirements. The requirements for initial notice in § 1016.4(a)(2), for the opt out in §§ 1016.7 and 1016.10, and for service providers and joint marketing in § 1016.13 do not apply when you disclose nonpublic personal information:
* * * * *
(5) (i) To a consumer reporting agency in accordance with the Fair Credit Reporting Act (15 U.S.C. 1681 **et seq.); or (ii) From a consumer report reported by a consumer reporting agency;
* * * * *
(7) (i) To comply with Federal, state, or local laws, rules and other applicable legal requirements; (ii) To comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by Federal, state, or local authorities; or (iii) To respond to judicial process or government regulatory authorities having jurisdiction over you for examination, compliance, or other purposes as authorized by law.”)