The amendment to the annual privacy notice requirement went into effect on the date of the bill’s signing, December 4, 2015. However, if you are sharing information with affiliates under the Fair Credit Reporting Act (FCRA), we recommend going forward with this year’s annual privacy notice mailing — unless you hear otherwise from your primary federal regulator.
Under the Gramm-Leach-Bliley Act (GLBA) amendment, financial institutions that have not changed their privacy policies and practices are exempt from the annual privacy notice requirement, provided that they share information “only in accordance with the provisions of subsection (b)(2) or (e) of section 502 or regulations prescribed under section 504(b)” of the Gramm-Leach-Bliley Act. None of those exceptions in the GLBA applies to the FCRA, which requires a separate notice and opt-out that frequently are combined with the GLBA annual privacy notice.
Because the amendment does not expressly permit you to share customer information under the FCRA and does not remove the FCRA notice and opt-out requirements for information sharing among affiliates, we recommend that you continue to send annual privacy notices for the time being. In an ideal world, the CFPB will clarify this issue when revising Regulation P to implement the GLBA amendment.
For resources related to our guidance, please see:
- Public Law 114-94, Title LXXV — Eliminate Privacy Notice Confusion (Exempts from the annual privacy notice requirement a financial institution that “(1) provides nonpublic personal information only in accordance with the provisions of subsection (b)(2) or (e) of section 502 or regulations prescribed under section 504(b), and (2) has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the most recent disclosure sent to consumers in accordance with this section . . . .”)
- FCRA, 15 USC 1681a(d)(2)(iii) (Exception for information sharing among affiliates, provided that “it is clearly and conspicuously disclosed to the consumer that the information may be communicated among such persons and the consumer is given the opportunity” to opt-out.)
- FCRA, 15 USC 1681s-3(a) (Exception for sharing marketing information among affiliates, provided that “(A) it is clearly and conspicuously disclosed to the consumer that the information may be communicated among such persons for purposes of making such solicitations to the consumer; and (B) the consumer is provided an opportunity” to opt-out.”)