
CFPB final rule cuts costs and headaches from annual privacy notices

James Shreve August 21, 2018

On August 10, the Consumer Financial Protection Bureau (CFPB) released the long-awaited final rule amending Regulation P to conform with statutory changes made to the Gramm-Leach-Bliley Act (GLBA) and the statutory changes made by the FAST Act (Fixing America’s Surface Transportation Act). The new final rule will be effective 30 days from the date it is published in the Federal Register and does not fundamentally restructure the July 2016 proposed rule.

Under the new rule, financial institutions may cease sending annual privacy notices if they do not engage in sharing that requires a consumer opt-out under the GLBA, and if they have not changed their information sharing practices since the last notice, as described in Section 1016.6(a)(2)-(5). However, the latter criterion does not include changes in affiliate sharing practices governed by the Fair Credit Reporting Act.

If financial institutions no longer meet one or both of these criteria, the rule outlines when institutions must resume providing annual notices. While the GLBA does not include exact timing, the new rule looks to Section 1016.8 for existing requirements for revised notices. If a financial institution must resume sending privacy notices because its sharing practices have changed and a revised privacy notice is required under Section 1016.8, it must send the revised notice and provide any required opt-out period before the change in information sharing. Once it meets both criteria again, it may again cease providing an annual notice.

In contrast, if the institution must resume sending annual privacy notices, and a revised notice is not required, it must provide the annual notice within 100 days of the event triggering its loss of exempt status. This differs from the 60-day period included in the proposed rule.

The final rule also would remove the current Alternative Delivery Method provisions in Regulation P, now unnecessary with this streamlined exemption process.

Overall, the final rule’s issuance brings the prospect of major cost savings if financial institutions meet the criteria, and greater certainty around when annual notices must resume if they do not. The rule’s delay, nearly 21 months after the original goal date, demonstrates that even fairly noncontroversial proposals are difficult in the current environment of the CFPB.