The Consumer Financial Protection Bureau has issued a final rule that amends Regulation P to allow financial institutions that meet certain requirements to deliver annual privacy notices to their customers using an alternative online delivery method. The rule will be effective immediately upon its publication in the Federal Register.

Under the Gramm-Leach-Bliley Act (GLBA), which Regulation P implements, financial institutions must provide initial and annual privacy notices that inform customers about the sharing of their nonpublic personal information (NPPI) with third parties.

Financial institutions have typically mailed these notices. Under the CFPB’s final rule, a financial institution that meets the requirements described below will be able to save on mailing costs by posting its annual privacy notice on its website. While offering potential benefits to banks and nonbanks, the CFPB’s final rule does not amend separate GLBA regulations that have been issued by the Securities and Exchange Commission, the Commodity Futures Trading Commission, or the Federal Trade Commission (FTC).

This means the CFPB’s final rule will not apply to an entity that is subject to the GLBA regulations of these other agencies. For example, auto dealers for whom the FTC has GLBA rulewriting authority would not be able to take advantage of the final rule. (The CFPB indicated in the final rule’s supplementary information that as mandated by the GLBA, it conferred with these other agencies concerning the alternative delivery method.)

Under the final rule, a financial institution can use the alternative online delivery method for its annual privacy notice if it:

  • Does not share the customer’s NPPI with nonaffiliated third parties in a manner that triggers GLBA opt-out rights.

  • Does not include in its annual privacy notice the notice and opt-out right regarding the sharing of certain customer information with affiliates as described in Section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (FCRA).

  • Shares certain customer information with an affiliate and has previously provided the customer with the notice and opt-out right described in FCRA Section 624 regarding the affiliate’s use of such information for marketing purposes (affiliate marketing notice), or the annual privacy notice is not the only notice used by the institution to provide the affiliate marketing notice.

  • Had no change in the information in its annual privacy notice since it provided the most recent notice (whether initial, annual, or revised) to the customer, other than to eliminate categories of information the institution discloses or categories of third parties to whom it discloses information.

  • Provides an annual notice that follows the Regulation P model form.

  • Provides a clear and conspicuous annual statement “on any account statement, coupon book, or a notice or disclosure [it is] required or expressly permitted to issue to the customer under any other provision of law.” This statement must inform the customer that the annual privacy notice is available on the financial institution’s website, will be mailed at the customer’s request, and has not changed, and include a specific Web address that links directly to the page where the privacy notice is posted and a telephone number for the customer to request that the notice be mailed. The notice must be mailed within 10 days of receiving a telephone request. (The rule includes an example of a statement that satisfies these requirements.)

  • Posts its annual privacy notice continuously and in a clear and conspicuous manner on a page of its website where the notice is the only content and does not require the customer to provide a login name, password, or other information or agree to any conditions to access the page.

A financial institution that cannot satisfy these conditions must continue to send its annual privacy notices using the currently permitted delivery methods, either mailing written notices or sending notices electronically to customers who have agreed to receive electronic disclosures.

Our Consumer Financial Services Group is nationally recognized for its guidance in structuring and documenting new consumer financial services products, its experience with the full range of federal and state consumer credit laws, and its skill in litigation defense and avoidance.

Members of the Group who are also part of the Privacy and Data Security Group help clients navigate the many laws designed to safeguard health, financial, and other private information. We are available to assist financial institutions in evaluating the feasibility of restructuring any internal information sharing systems to take advantage of the final rule. In addition, we can help clients respond to security breaches.

For more information, please contact CFS Practice Leader Alan S. Kaplinsky at 215.864.8544 or

Copyright © 2014 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.
