The Consumer Financial Protection Bureau (CFPB) finalized an amendment last week that allows certain banks and financial institutions to be exempt from sending annual privacy notices to their customers.
The amendment stems from legislation that amends the Gramm-Leach-Bliley Act (GLBA). The GLBA requires that banks and financial institutions send annual privacy notices to customers. The privacy notices must describe the bank’s privacy practices. Specifically, they must indicate whether and how they share customers’ nonpublic personal information. Further, if the bank shares this information with third parties in ways not specified by GLBA, it must notify customers of their right to opt out of having their information shared.
Congress amended the GLBA as part of the Fixing America’s Surface Transportation Act (FAST Act), approved in late 2015. The amendment to the GLBA says banks and financial institutions that meet certain conditions may be exempt from the GLBA requirement to deliver an annual privacy notice. The bank can get the exemption if it limits its sharing of customer information so that the customer does not have the right to opt out. Also, financial institutions can get an exemption if it has not changed its privacy notice from the one previously delivered to customers.
The CFPB’s new amended rule implements this legislation. It also establishes deadlines for institutions resuming annual privacy notices if their practices change and they no longer qualify for the exemption.