WASHINGTON, D.C. — The Consumer Financial Protection Bureau (CFPB) proposed a rule Tuesday to promote more effective privacy disclosures from financial institutions to their customers. The rule would allow companies that limit their consumer data-sharing and meet other requirements to post their annual privacy notices online rather than delivering them to each individual customer.
“Consumers need clear information about how their personal information is being used by financial institutions,” said CFPB Director Richard Cordray. “This proposal would make it easier for consumers to find and access privacy policies, while also making it cheaper for industry to provide disclosures.”
The Gramm-Leach-Bliley Act (GLBA) generally requires that financial institutions send annual privacy notices to customers. These notices must describe whether and how the financial institution shares consumers’ nonpublic personal information. If the institution does share this information with an unaffiliated third party, it typically must notify consumers of their right to opt out of the sharing and inform them of how to do so.
The CFPB’s proposal would allow institutions to post privacy notices online instead of distributing an annual paper copy if they satisfy certain conditions such as not sharing data in ways that would trigger consumers’ opt-out rights. This proposal would apply to both banks and those nonbanks that are within the CFPB’s jurisdiction under the GLBA. Institutions that choose to rely on this new method of delivering privacy notices would be required to use the model disclosure form developed by federal regulatory agencies in 2009.
Under the proposal, if an institution is qualified for and wants to rely on the online disclosure method, it would have to inform consumers annually about the availability of the disclosures. Currently, institutions must send consumers a separate communication about privacy disclosures. Under this proposal they could include an insert in regular consumer communication, such as a monthly billing statement for a credit card, informing consumers that the annual privacy notice is available online and in paper by request at a toll-free telephone number. If an institution chooses not to use the online disclosure method, it would need to continue to deliver annual privacy notices to its customers.
According to CFPB officials, there are several benefits of the proposed rule. Online privacy notices would not require a login to view, making them accessible to customers 24/7 instead of once a year. For those customers with limited or no internet access, financial institutions would have to mail annual notices promptly to customers who request them by phone. This would also make it easy for customers to comparison shop before deciding which financial institution to use.
Additionally, under the proposal, if an institution shares data with unaffiliated third parties in a way that triggers customers’ right to opt out of such sharing, then that institution generally would not be allowed to use the alternative delivery method. For this reason, financial institutions would have an incentive to limit their sharing to reduce their costs. The bureau estimates that about $17 million could be saved by the industry annually if institutions were to choose the proposed online disclosure method.
The bureau will accept comments on the proposed rule for 30 days after its publication in the Federal Register. A copy of the proposed rule is available here.