New Option to Provide Annual Privacy Notices Online

Privacy and Information Security Alert

Client Alert


CFPB Amends Regulation P to Permit Financial Institutions to Post Annual Privacy Notices Online in Lieu of Delivering Hard Copies to Customers

The Consumer Financial Protection Bureau (CFPB) has always touted itself to be a tech-savvy agency—and they are now permitting financial institutions to also move in this same direction, at least as to one disclosure requirement. The CFPB released a new rule on October 20, 2014, amending Regulation P to allow depository and non-depository financial institutions that limit customer data sharing and meet other requirements to post their annual privacy notices online instead of delivering paper copies of these notices to individual customers each year. The new rule was effective October 28, 2014, so financial institutions that mail out hard copies of their annual notices to their customers at year-end may want to review the requirements of this new rule to determine if they can meet their annual notice obligations under Regulation P with this new delivery method.


The Gramm-Leach-Bliley Act (GLBA) and Regulation P require financial institutions to provide their customers with initial and annual notices regarding their privacy policies. If financial institutions share certain customer information with certain third parties, the notices must advise customers of this information sharing and provide customers with an opportunity to opt-out of such sharing. The Fair Credit Reporting Act (FCRA) also requires similar notices of opt-out rights. Many financial institutions meet the requirement to provide an annual copy of their privacy notice to their customers by mailing a copy of the notices to their customers each year. The printing and postage for these annual mailings can be costly and the notices are often simply discarded by customers.

Conditions for Use of Online Delivery Option

To address these concerns, the CFPB has amended Regulation P to permit financial institutions to forego the annual mailings by posting their privacy notices online if:

  1. the institution does not disclose its customers’ nonpublic personal information to nonaffiliated third parties other than for the purposes specifically permitted under Regulation P;
  2. the institution does not include an opt-out right under Section 603 of the FCRA (regarding communication of other information among persons related by common ownership or affiliated by corporate control) in its annual privacy notice;
  3. the requirements of Section 624 of the FCRA and the comparable provision in Regulation P, which implements the requirement of the FCRA (regarding affiliate sharing), if applicable, have been previously satisfied or the annual privacy notice is not the only notice provided to satisfy these requirements;
  4. the information included in the annual privacy notice has not changed since the customer received the previous notice other than to eliminate categories of information disclosed or categories of third parties to whom information is disclosed;
  5. the institution uses the model form provided in the appendix to Regulation P as its annual privacy notice;
  6. the privacy notice is continuously posted in a clear and conspicuous manner on a page of the institution’s website, on which the only content is the privacy notice, and the institution does not require any login, password, consent to any user conditions, or similar requirements to access the notice;
  7. the institution mails annual notices to customers with no or limited access to the internet who request a copy by telephone within 10 days of such request;
  8. a clear and conspicuous statement at least once per year is provided on account statements, coupon books, or other notices or disclosures that informs customers that (i) the annual notice is available on the institution’s website, (ii) the annual notice will be mailed to customers who request it by calling a specific telephone number, and (iii) the notice has not changed. The CFPB even provided a sample statement that meets these requirements. The words “Privacy Notice” below must appear in boldface or otherwise be emphasized with the following notice:

Privacy Notice – Federal law requires us to tell you how we collect, share, and protect your personal information. Our privacy policy has not changed and you may review our policy and practices with respect to your personal information at [Web address] or we will mail you a free copy upon request if you call us at [telephone number].

This alternative delivery method is not available to institutions that have changed their privacy practices or engage in information sharing activities for which customers have the right to opt out.

Compliance “Trick or Treat”

Although there are a number of conditions that must be met to take advantage of the new online delivery option, this regulatory change should be a “treat” for those financial institutions that meet the requirements to move to this alternative delivery option. It will eliminate printing costs—so it is environmentally friendly—and cut postage costs for institutions that separately mail annual privacy notices each year. Cost savings news is not always something a compliance or privacy officer gets to provide to senior management. The only “tricks” are whether an institution can get the required statement printed on its account statements, coupon books, or other notices and disclosures and whether a web page that complies with the new requirements can go live in time.