Caveat Vendor

Certain Financial Institutions Can Save Money by Posting Privacy Notices Online, Says the CFPB

October 22, 2014

Mary-Elizabeth M. Hadley

Earlier this week, the Consumer Financial Protection Bureau (CFPB or Bureau) issued a final rule permitting financial institutions to post privacy notices online – instead of distributing an annual copy by mail – but only if they comply with several important conditions.


Under the Gramm-Leach-Bliley Act (GLBA) and Regulation P, financial institutions must provide their customers with initial and annual notices regarding their privacy practices.  Financial institutions that share certain customer information with particular types of third parties must also provide notice to their customers as well as an opportunity to opt out.

Final Rule

Responding to financial institutions' concerns regarding the unnecessary expense and information overload associated with mailing printed copies of annual GLBA notices to consumers, the CFPB's final rule allows financial institutions instead to post annual notices on their websites if the following requirements are met:

  1. 1.  the financial institution chooses not to share customers' nonpublic personal information with nonaffiliated third parties in a manner that triggers the GLBA's opt-out requirements;

  2. 2.  the financial institution's annual privacy notice does not include an opt-out notice under section 603 of the Fair Credit Reporting Act (FCRA);

  3. 3.  opt-out notices required by section 624 of the FCRA have previously been provided, if applicable, or the financial institution's annual privacy notice is not the only notice provided to satisfy those requirements;

  4. 4.  the information included in the privacy notice has not changed since the customers' receipt of the prior notice; and

  5. 5.  the financial institution uses the model form provided in Regulation P.

If a financial institution satisfies these criteria and chooses the alternative notification method, it must continuously and prominently post the annual privacy notice on a public page of its website.

In addition, the institution must insert a clear and conspicuous statement at least annually on an account statement, notice or disclosure it issues under any provision of law.  This statement must inform customers that the annual notice (i) is available on the financial institution's website, (ii) has not changed and (iii) will be mailed if requested by telephone.  Customers who request that an annual notice be mailed to them must receive it within ten days.
Potential Impact of the Rule
According to the Bureau, use of the proposed online disclosure method may save the industry approximately $17 million per year.  Financial institutions seeking to reduce costs may consequently be encouraged to limit sharing with nonaffiliated third parties.  Whether the majority will do so – and whether the change noticeably reduces the clutter of those annual privacy notices in consumers’ mailboxes – remains to be seen.

Caveat Vendor is Paul Hastings’ Consumer Issues blog. We welcome your feedback. Please contact our blog editor with any thoughts or suggestions.

Subscribe to Caveat Vendor by Email. You will receive an email when the blog has been updated.

Get In Touch With Us

Contact Us