CFPB Finalizes Rule to Promote More Effective Privacy Disclosures
WASHINGTON, D.C. – The Consumer Financial Protection Bureau (CFPB) today finalized a rule to promote more effective privacy disclosures from financial institutions to their customers. The new rule, which was proposed in May, allows companies that limit their consumer data-sharing and meet other requirements to post their annual privacy notices online rather than delivering them individually.
“Consumers need clear and accessible information about how their personal information is being used in the marketplace, but some of these requirements were redundant,” said CFPB Director Richard Cordray. “Posting privacy notices online will make it easier for consumers to access these important policies, while also making it cheaper for financial institutions to provide disclosures.”
The Gramm-Leach-Bliley Act (GLBA) generally requires that financial institutions send annual privacy notices to customers. These notices must describe whether and how the financial institution shares consumers’ nonpublic personal information. If the institution does share this information with an unaffiliated third party, it typically must notify consumers of their right to opt out of the sharing and inform them of how to do so.
Under the CFPB’s new rule, financial institutions will be able to post privacy notices online instead of distributing an annual paper copy, if they satisfy certain conditions such as not sharing data in ways that would trigger consumers’ opt-out rights. The new rule applies to both banks and those nonbanks that are within the CFPB’s jurisdiction under the GLBA. Institutions that choose to rely on this new method of delivering privacy notices will be required to use the model disclosure form developed by federal regulatory agencies in 2009.
Under the new rule, if an institution qualifies for and wants to rely on the online disclosure method, it will have to inform consumers annually about the availability of the disclosures. Previously, institutions were required to send consumers a separate communication about privacy disclosures. The new rule allows institutions to include a notice on a regular consumer communication, such as a monthly billing statement for a credit card, letting consumers know that the annual privacy notice is available online and in paper by request at a provided telephone number. If an institution chooses not to use the new disclosure method, it will need to continue to deliver annual privacy notices to its customers using other delivery methods.
The benefits of the new rule include:
- Constant access to privacy policies: Previously, consumers would receive a copy of their financial institution’s privacy policies once per year. If financial institutions choose the new alternative delivery method, consumers will be able to view their institution’s privacy policies at any time, while still receiving notices through existing delivery methods if the policies’ terms change. The online privacy notices will not require a login to view. For those customers with limited or no internet access, financial institutions will have to mail annual notices within 10 days to customers who request them by phone.
- Limited data sharing: If an institution shares data with unaffiliated third parties in a way that triggers customers’ rights to opt out of such sharing, then that institution generally would not be allowed to use the alternative delivery method. For this reason, financial institutions have an incentive to limit their sharing to reduce their costs.
- Educating consumers: When financial institutions post their privacy policies on their websites using the new delivery method, they must use the model disclosure form designed by federal regulators. The model disclosure form allows consumers who are concerned about their personal information to easily understand their financial institution’s privacy policy. Consumers can thus better educate themselves about the various types of privacy policies.
- Cheaper for companies to notify consumers of privacy practices: The CFPB anticipates that the rule will reduce the cost for companies to provide annual privacy notices. The Bureau estimates that about $17 million could be saved by the industry annually if institutions choose the new online disclosure method.
The Bureau is finalizing the rule largely as it was proposed in May, with a number of technical, clarifying, and minor revisions. The rule will be effective immediately upon publication in the Federal Register.
The final rule is available at: https://files.consumerfinance.gov/f/201410_cfpb_final-rule_annual-privacy-notice.pdf