WASHINGTON, D.C. – The Consumer Financial Protection Bureau (CFPB) today
fnalized a rule to promote more effective privacy disclosures from fnancial institutions
to their customers. The new rule, which was proposed in May, allows companies that
limit their consumer data-sharing and meet other requirements to post their annual
privacy notices online rather than delivering them individually.
“Consumers need clear and accessible information about how their personal
information is being used in the marketplace, but some of these requirements were
redundant,” said CFPB Director Richard Cordray. “Posting privacy notices online will
make it easier for consumers to access these important policies, while also making it
cheaper for fnancial institutions to provide disclosures.”
The Gramm-Leach-Bliley Act (GLBA) generally requires that fnancial institutions send
annual privacy notices to customers. These notices must describe whether and how the
fnancial institution shares consumers’ nonpublic personal information. If the
institution does share this information with an unaffliated third party, it typically must
notify consumers of their right to opt out of the sharing and inform them of how to do
Under the CFPB’s new rule, fnancial institutions will be able to post privacy notices
online instead of distributing an annual paper copy, if they satisfy certain conditions
such as not sharing data in ways that would trigger consumers’ opt-out rights. The new
rule applies to both banks and those nonbanks that are within the CFPB’s jurisdiction
under the GLBA. Institutions that choose to rely on this new method of delivering
privacy notices will be required to use the model disclosure form developed by federal
regulatory agencies in 2009.
Under the new rule, if an institution qualifes for and wants to rely on the online
disclosure method, it will have to inform consumers annually about the availability of
the disclosures. Previously, institutions were required to send consumers a separate
communication about privacy disclosures. The new rule allows institutions to include a
notice on a regular consumer communication, such as a monthly billing statement for a
credit card, letting consumers know that the annual privacy notice is available online
and in paper by request at a provided telephone number. If an institution chooses not
to use the new disclosure method, it will need to continue to deliver annual privacy
notices to its customers using other delivery methods.
The benefts of the new rule include:
Constant access to privacy policies: Previously, consumers would receive a copy of their financial institution’s privacy policies once per year. If financial
institutions choose the new alternative delivery method, consumers will be able
to view their institution’s privacy policies at any time, while still receiving notices
through existing delivery methods if the policies’ terms change. The online
privacy notices will not require a login to view. For those customers with limited
or no internet access, fnancial institutions will have to mail annual notices within
10 days to customers who request them by phone.
Limited data sharing: If an institution shares data with unaffliated third
parties in a way that triggers customers’ rights to opt out of such sharing, then
that institution generally would not be allowed to use the alternative delivery
method. For this reason, fnancial institutions have an incentive to limit their
sharing to reduce their costs.
Educating consumers: When fnancial institutions post their privacy policies
on their websites using the new delivery method, they must use the model
disclosure form designed by federal regulators. The model disclosure form allows
consumers who are concerned about their personal information to easily
educate themselves about the various types of privacy policies.
Cheaper for companies to notify consumers of privacy practices: The
CFPB anticipates that the rule will reduce the cost for companies to provide
annual privacy notices. The Bureau estimates that about $17 million could be
saved by the industry annually if institutions choose the new online disclosure
The Bureau is fnalizing the rule largely as it was proposed in May, with a number of
technical, clarifying, and minor revisions. The rule will be effective immediately upon
publication in the Federal Register.