InfoBytes Blog
CFPB Finalizes Rule To Limit Relief From Annual Privacy Notice Delivery Requirements
On October 20, the CFPB finalized its amendment to Regulation P, which requires that financial institutions meet specific consumer data-sharing requirements, including the delivery of annual privacy notices. Under the new rule, bank and nonbank institutions under the CFPB’s jurisdiction will now be allowed to post privacy notices online, rather than deliver an annual paper copy. Institutions that choose to post notices online must meet certain conditions, including (i) providing notice to consumers if the institution shares any data to third parties, in addition to providing an opportunity to opt out of such sharing; and, (ii) using the 2009 model disclosure form developed by federal regulatory agencies. The institutions that choose to rely on the new delivery method must (i) ensure that customers are aware of the notices posted online; (ii) provide paper copies within ten days of a customer’s request; and, (iii) make customers aware that the privacy notice(s) are available online—and that a paper copy will be provided at the customer’s request—by inserting a “clear and conspicuous statement at least once per year on an account statement, coupon book, or a notice or disclosure.” As outlined when the proposed rule was issued in May, the CFPB anticipates that the rule will: (i) provide consumers with constant access to privacy notices; (ii) limit the amount of an institution’s data sharing with third parties; (iii) educate consumers on the various types of privacy policies available to them; and, (iv) reduce the cost for companies to provide privacy notices.