Everyone’s been waiting a long time for the CFPB to make the FAST Act rule concerning annual privacy notices “official” by way of regulation. Well, that happened on August 17, 2018, but there are still a few caveats. The rule change allows banks to forgo annual privacy notification if 2 conditions are satisfied:
- The Bank has not changed its information sharing practices since provision of its last privacy notice; and
- The Bank only shares information under the Regulation P exceptions (part of the transaction, joint marketing, etc.)
So, let’s think on that for a moment.
There are 2 kinds of information sharing – Privacy affects information sharing with non-affiliates; FCRA affects information sharing with affiliates. So, what does number 1 affect? It’s in reference to non-affiliate sharing. Changes in information sharing with affiliates under FCRA do not impact the Bank’s right to take advantage of the annual notice waiver, though the Privacy Notice must still accurately reflect the Bank’s practices. So, for instance, if the Bank merges with another institution and begins to share customer information, the Privacy Notice must still be updated to accurately reflect that change and provide an opt-out, but it does not affect non-affiliate sharing.
One event that might void the exemption from providing annual privacy notices is a change in information sharing practices among non-affiliates, such as third-party service providers or for joint marketing. If information sharing practices change and require an opt-out from the customer, then notice must be provided. Or if sharing is inconsistent with the Bank’s last notice to existing customers, then it needs to re-notify customers within 100 days of the change. This resets the triggering event for annual privacy notices – if there are no further changes, then the next year, the Bank can take advantage of the annual notice exemption again.
Alternative Notice – Another change brought on by the CFPB’s new regulation is regarding the “Alternative Notice.” Many institutions adopted this method of notifying customers that their Privacy Notice was posted on the bank’s website in lieu of actually mailing the notices. Under this method there could be no opt-outs for Privacy (non-affiliate sharing) or FCRA (affiliate sharing). Because the new rule totally exempts an institution from providing an annual privacy notice, which provides broader relief than notice and posting on a website, the “Alternative Notice” is no longer an option. Banks can still post their Privacy Notices on their website, but it is not an alternative to mailing an annual notice when information sharing practices change.
They call it “relief”! I call it “exertion” when we still need to constantly revisit the technical changes.
For additional information contact the author at email@example.com.
Evelyn I. Dehmey | Privacy Fallout