CFPB Permits Online Posting of Annual Privacy Notices
The Consumer Financial Protection Bureau ("CFPB") recently adopted a final rule that under certain conditions provides financial institutions it regulates with the option of posting annual consumer privacy notices online rather than mailing paper copies to customers (the "Privacy Notice Rule").[1]
The Privacy Notice Rule is the latest instance of regulatory relief provided to financial institutions by the CFPB. [2] Part of the agency's streamlining initiative, the Privacy Notice Rule aims to reduce unnecessary or unduly burdensome regulatory requirements. The CFPB estimates total reduction in financial institutions' compliance expenses attributable to the Privacy Notice Rule at approximately $17 million dollars annually.[3]
In addition to this significant, recurring reduction in compliance expenses for financial institutions, the CFPB anticipates that the Privacy Notice Rule will benefit consumers by providing constant online access to privacy policies presented in an understandable form. The CFPB also hopes the Privacy Notice Rule will benefit consumers by providing incentives for financial institutions to avoid or limit sharing of consumers' nonpublic personal information.
The Privacy Notice Rule applies to depository institutions, such as commercial and savings banks, and to nondepository companies subject to the jurisdiction of the CFPB, such as mortgage bankers, loan servicers, payday lenders, debt collectors, and remittance transfer providers. The Privacy Notice Rule does not apply to institutions that are subject to the privacy jurisdiction of the Securities and Exchange Commission ("SEC") and the Commodity Futures Trading Commission ("CFTC") or to certain motor vehicle dealers that are subject to the jurisdiction of the Federal Trade Commission ("FTC").
The CFPB consulted and coordinated with the SEC, CFTC, FTC and state insurance authorities designated by the National Association of Insurance Commissioners in developing the alternative method of delivering annual privacy notices, as required by the Gramm-Leach-Bliley Act ("GLBA"),[4] for the purpose of assuring that, to the extent possible, each agency's rules are consistent and comparable with one another.[5]
Key Features of the CFPB Privacy Notice Rule
Beginning October 28, 2014, a financial institution that is regulated by the CFPB may post annual privacy notices online rather than mailing paper copies to customers, if the institution satisfies the following conditions set forth in the Privacy Notice Rule:
- The financial institution does not share its customers' nonpublic personal information with nonaffiliated third parties in a manner that triggers opt-out rights under GLBA;
- The financial institution does not include in its annual privacy notice information about certain consumer opt-out rights under section 603 of the Fair Credit Reporting Act ("FCRA");
- The financial institution's annual privacy notice is not the only notice provided to satisfy the requirements of the affiliate marketing provisions of the FCRA[6];
- The information the financial institution includes in the privacy notice has not changed since the customer received the previous notice; and
- The financial institution uses the model form provided in GLBA's implementing Regulation P.[7]
A financial institution that chooses to rely on this alternative method of delivering annual privacy notices must insert a clear and conspicuous statement at least annually on a regular consumer communication, such as a monthly billing statement or coupon book, indicating that the institution's annual privacy notice is available on its website and in paper form and will be mailed upon request by calling a specific toll-free number. This statement must include a specific web address that takes the customer directly to the privacy notice.
A financial institution must post its privacy notice continuously on a page of its website that contains only the privacy notice, without requiring a login or any conditions to access the page. The institution must mail its privacy notice within 10 days to consumers who request a copy by telephone. The preamble to the Privacy Notice Rule explains that the CFPB will not consider occasional or unavoidable website interruptions to violate the requirement for continuous posting.[8]
A financial institution that has changed its privacy practices or that engages in information-sharing activities for which consumers have a right to opt out—for example, selling customers' nonpublic personal information to a nonaffiliated third party—must continue to deliver annual privacy notices using the permissible delivery methods predating the Privacy Notice Rule.
Lawyer Contacts
For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com.
Lisa M. Ledbetter
Washington
+1.202.879.3933
lledbetter@jonesday.com
Mauricio F. Paez
New York
+1.212.326.7889
mfpaez@jonesday.com
Todd S. McClelland
Atlanta
+1.404.581.8326
tmcclelland@jonesday.com
Katherine S. Ritchey
San Francisco
+1.415.875.5728
ksritchey@jonesday.com
Stephen J. Obie
New York
+1.212.326.3773
sobie@jonesday.com
Michael R. Butowsky
New York
+1.212.326.8375
mrbutowsky@jonesday.com
Jay Johnson
Dallas
+1.214.969.3788
jjohnson@jonesday.com
Zachary Werner and Brigid DeCoursey, associates in the New York and Washington offices respectively, assisted in the preparation of this Commentary.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.
[1] Amendment to the Annual Privacy Notice Requirement Under the Gramm-Leach-Bliley Act (Regulation P), 79 Fed. Reg. 64057 (October 28, 2014).
[2] For example, on October 22, 2014, the CFPB issued a final rule allowing lenders and investors to "cure" mortgage loans for which the points and fees exceed the 3 percent cap for qualified mortgages by refunding, with interest, the amount above the cap. Another recent example of the CFPB providing regulatory flexibility to financial institutions subject to its jurisdiction is the extension of the temporary exception that permits insured depository institutions to estimate certain pricing disclosures for remittance transfers. That rule is effective November 17, 2014. 79 Fed. Reg. 55970 (September 18, 2014).
[3] 79 Fed. Reg. 64057, 64077.
[4] 15 U.S.C. § 6801 et seq.
[5] 15 U.S.C. § 6804(a)(2).
[6] 15 U.S.C. § 1681s-3 and 12 C.F.R. part 1022, subpart C.
[7] Regulation P provides a model form, 12 C.F.R. 1016.
[8] 79 Fed. Reg. 64072.
