CFPB Proposes Data Privacy Notification Rules
In 1999, Congress passed the Gramm-Leach-Bliley Act (GLBA) to reform the country’s financial services industry, due to its growing use of digital technology and the consequent threat to consumer financial privacy. The GLBA authorizes federal agencies like the Federal Trade Commission to implement regulations for financial institutions to ensure they securely maintain their customer data. The law required full compliance by July 2001.
The Annual Reporting Rule
Under the law, financial institutions that collect “nonpublic information” (NPI) from their customers must provide “clear and conspicuous” annual reports detailing how their corporate privacy policies and practices keep that data safe. Affected data includes any information that could be linked to a customer’s account, such as a Social Security number, login phrase or password information. The financial institution must issue privacy notices at the commencement of the client relationship, as well as annually after that.
Additionally, if the institution intends to share, or does share, the NPI with a non-affiliated third party (any entity that is not wholly owned by the financial company), then it must give its customers the option to “opt-out” of the sharing process. Instructions for the opt-out process must also be clear and concise.
Events Since 2001
Since the introduction of the law, consumers have received vital information about the security of their NPI in the hands of their banks and financial institutions. However, industry analysts noted that the requirement has resulted in millions of redundant mailings. Often, privacy policies and practices don’t change from year to year, or, when changes happen that trigger a new report, those changes reflect only internal actions and do not involve external parties (creating essentially no escalation of risk in the data security process). Consequently, there was growing concern that consumers had stopped reading the duplicate notices, which defeated the purpose of sending them.
In response to the “unnecessary duplication” concern, U.S. Rep. Blaine Luetkemeyer (R-MO) sponsored an amendment to the GLBA, which was signed into law in December 2015 within the “Fixing America’s Surface Transportation Act” (FASTA), and added section 503(f) to the GLBA. Section 503(f) introduces exceptions to the annual reporting and “option to opt-out” requirements for financial institutions that meet certain conditions.
On July 1, the Consumer Financial Protection Bureau (CFPB) proposed rules amending Regulation P of the GLBA to implement the statutory changes made to the GLBA by the FASTA. Those proposed rules clarify how qualifying financial entities can structure their activities under the exceptions. Neither the exceptions nor the proposed rules affect the laws regarding the use or collection of consumers’ NPI, or the requirement for issuing an initial privacy notice that includes an opt-out clause.
The GLBA Rule
Title 12 CFR § 1016.7 establishes the parameters of compliance regarding informing consumers of their right to opt-out of sharing their NPI with associates of their financial institution. The opt-out policy must be clearly defined, and the procedure must provide adequate information and time to ensure that a consumer can successfully maintain the privacy of their personal information when it is in the hands of another party.
Title 12 CFR § 1016.13 authorizes one exception to compliance with §1016.7, which has two conditions:
- The institution has already provided opt-out information in the initial notice.
- The information is shared with an associate that has a written agreement prohibiting disclosure of the NPI for any other purpose.
The exception specifically identifies agencies that provide “joint marketing” services as the “non-affiliated third party” contemplated by the new rule.
Disclosure of NPI without giving an annual opt-out notice is also acceptable when the information is necessary to administer, effect or enforce any transaction that the consumer has already requested or authorized. This exception includes activities such as servicing an account or financial product at the request of the customer, maintenance of the client accounts within the organization (such as an extension of credit), or a secondary transaction related to a transaction of the customer.
Sharing NPI without an annual opt-out notice is also permitted when:
- The customer consents to the disclosure.
- The disclosure protects the security of the financial enterprise from fraud or liability, facilitates resolution of consumer complaints, or is made in the course of a legal, beneficial, fiduciary or representative relationship with the customer.
- The disclosure is to insurance advisory or other compliance organizations that are assessing the financial enterprise.
- The disclosure is to a consumer reporting agency.
- The disclosure is made in connection with a proposed or actual business sale transaction, the data belong to customers of the subject business, and the disclosure complies with other federal, state or local laws.
CFPB Proposed Rules
The Bureau proposes adding a new section, 12 CFR §1016.5(e), to incorporate the exceptions created by new §503(f) of the GLBA:
- New section 1016.5(e)(1)(i) permits an institution to qualify for the annual notice exception when its data sharing is limited to the entities identified in §§1016.13, 14, and 15.
- New section 1016.5(e)(1)(ii) incorporates the exception from the rule when an entity does not change its policies or practices from one year to the next, and the consumer already holds the current policies as provided in the most recent notice.
- New section 1016.5(e)(2) would provide timing requirements for the issuance of an annual notice after an institution becomes disqualified from the exception, either by sharing information with entities not covered by the relevant sections or by changing its policies regarding the security of consumer data.
The CFPB is requesting comments on the proposed rules.