New Law Eliminates the Requirement for Financial Institutions to Mail Annual
December 15, 2015
While the Fixing America’s Surface Transportation (“FAST”) Act mainly focuses on reforming and strengthening transportation networks, the law also amends Section 503 of the Gramm-Leach-Bliley Act (“GLBA”) by adding an exemption to the annual privacy notice requirement for financial institutions if two conditions are met.
The first condition is that the financial institution only provides consumers’ nonpublic personal information to nonaffiliated third parties in accordance with exceptions under the GLBA permitting such disclosures without an opt out. For instance, the financial institution can provide nonpublic personal information to a nonaffiliated third party to perform services for or functions on behalf of the financial institution, as long as the third party is bound by a confidentiality requirement. This includes disclosures to any nonaffiliated third parties that market the financial institution’s own products or services, or any products or services offered pursuant to joint marketing agreements.
The second condition is that the financial institution has not changed its policies and practices of disclosing nonpublic personal information from its most recent GLBA disclosures sent to consumers.
Please note that the financial institution will no longer be subject to this exemption, and will have to resume providing annual privacy notices to consumers when the institution fails to meet either one of the above two conditions.
This new amendment to the GLBA is separate from, and grants broader regulatory relief on the annual privacy notice requirement than, the Consumer Financial Protection Bureau’s 2014 amendment to Regulation P, which offers an alternative online posting delivery method for the annual privacy notice. In order to take advantage of the alternative online posting delivery method under Regulation P (instead of mailing the notice), financial institutions have to meet a number of requirements, including the following:
- The financial institution does not share its consumers’ nonpublic personal information in any way that requires an opt-out under Regulation P or the Fair Credit Reporting Act (“FCRA”);
- The financial institution has previously satisfied the affiliate sharing rules under the FCRA (if applicable) and it does not solely rely on the annual privacy notice to satisfy the affiliate sharing rules under the FCRA;
- The privacy notice has not changed since consumers received the immediately previous privacy notice, other than to eliminate categories of information being disclosed or categories of third parties that receive nonpublic personal information;
- The privacy notice posted online must strictly follow the model privacy form in Regulation P;
- The financial institution must properly notify consumers at least annually that the privacy notice is available on its website and will be mailed to them upon request by telephone;
- The privacy notice must be posted on a page of the financial institution’s website on which the only content is the privacy notice, without requiring consumers to provide any information such as a login name or password or agree to any conditions to access the page; and
- Within 10 days of a consumer’s telephone request about the annual privacy notice, the financial institution must mail the privacy notice to the consumer.
The GLBA amendment is effective on December 4, 2015. It is anticipated that the Consumer Financial Protection Bureau will amend Regulation P in due course to incorporate the new exception.
Please note that this advisory is a general overview of the new amendment to Section 503 of GLBA and is not intended as a comprehensive explanation of all aspects of the amendment or as formal legal advice. If you have any questions regarding the GLBA amendments or Regulation P, please feel free to contact Joseph D. Simon at 516-357-3710 or via email at firstname.lastname@example.org, Kevin Patterson at 516-296-9196 or via email at email@example.com, or Mandy Xu at 516-357-3850 or via email at firstname.lastname@example.org.