By: Ashley Elmore Drew, Esq. and Jacob Boehner, Esq.
This has been an exciting year in the world of privacy law! With the European Union breaking new ground with the General Data Protection Regulation , California following close behind with the passage of the California Consumer Privacy Act , and Vermont amending its rules , the compliance officers and lawyers of the world are hard at work parsing the voluminous codes, attempting to ascertain applicability and operationalization. Not to be outdone, the Consumer Financial Protection Bureau (“CFPB”) caught up to its 2015 mandate and finally published the final rule amending Regulation P, which implements the Gramm-Leach-Bliley Act (“GLBA”). Back in 2015, the Fixing America’s Surface Transportation Act (“FAST Act”) amended the GLBA, providing for the exception and requiring the CFPB to promulgate a corresponding rule. The new rule becomes effective September 17, 2018.
Under the CFPB’s new rule , financial institutions do not have to send an annual privacy notice where: (1) the financial institution only shares nonpublic personal information (“NPI”) with nonaffiliated third parties to the extent that it does not trigger consumer opt-out rights under the GLBA; and (2) the financial institution has not changed its policies and procedures related to disclosing NPI from the most recent version of the privacy notice sent to customers. Further, the rule provides timeframes by which financial institutions that no longer qualify for the exception must provide updated notice. Where a formerly-qualified financial institution subsequently amends its privacy policies in such a way that requires it to provide a revised policy to customers and it no longer qualifies for the exception, the revised notice will be treated as an initial notice and the institution may resume providing the annual notice from then on. However, if the formerly-qualified financial institution changes its policies such that it is no longer qualified, but not to the extent that it is required to provide a revised privacy notice, the institution must deliver the annual notice within 100 calendar days of the change in policy.
Because a financial institution that meets the conditions for alternative delivery methods will meet the conditions for the exception in the final rule, the CFPB has removed section 10169(c)(2), eliminating the alternative delivery method for annual notices. In footnote 30 of the final rule, the CFPB states that a financial institution will not jeopardize the availability of the exception by providing a privacy notice to a consumer, such as upon the consumer’s request. This is good news for organizations that look to take a measured approach to change.
It is more important than ever for financial institutions to implement and maintain a consistent change management protocol. With the state privacy laws changing rapidly, financial institutions should closely evaluate the latent consequences of altering their privacy notice procedures.
For more information, please reach out to Ashley Elmore Drew at Ashley.ElmoreDrew@gmlaw.com or Jacob Boehner at Jacob.Boehner@gmlaw.com
*The information in this article is provided for general informational purposes only, and may not reflect the current law in your jurisdiction. No information contained in this post should be construed as legal advice from Greenspoon Marder LLP or the individual author(s), nor is it intended to be a substitute for legal counsel on any subject matter. No reader of this post should act or refrain from acting on the basis of any information included in, or accessible through, this Post without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from a lawyer licensed in the recipient’s state, country or other appropriate licensing jurisdiction.
About Greenspoon Marder Greenspoon Marder LLP is committed to providing excellent client service through our cross-disciplinary, client-team approach. Our goal is to understand the challenges that our clients face, build collaborative relationships, and craft creative solutions designed and executed with long-term strategic goals in mind. Since our inception in 1981, Greenspoon Marder LLP has become a full-service, Am Law 200 and NLJ 500 ranked law firm with more than 200 attorneys. We serve Fortune 500, middle-market public and private companies, start-ups, emerging businesses, individuals and entrepreneurs across the United States. For more information, visit www.gmlaw.com .
MEDIA CONTACT michelle.martinez.reyes@gmlaw.com
