In late 2015, Congress passed the Fixing America’s Surface Transportation Act − a vehicle for an amendment to the Gramm-Leach-Bliley Act (GLBA) meant to eliminate the need for certain companies to provide annual privacy disclosures to consumers.
The amendment, which took effect immediately, eliminates the annual notice requirement for financial institutions that:
- do not share consumer nonpublic personal information with nonaffiliated third parties (with some limited exceptions), and
- have not changed their policies and practices, with regard to disclosing nonpublic personal information, from the policies and practices disclosed in the most recent annual notice.
This amendment addresses long-held complaints that the GLBA’s previous disclosure requirements were unnecessarily onerous and expensive for some businesses. In fact, the December 2015 amendment was just the most recent in a number of actions proposed to mitigate the burden and expense that resulted from the GLBA’s annual notice requirements.
In October 2014, the Consumer Financial Protection Bureau (CFPB) amended Regulation P to allow for electronic delivery or posting of annual privacy notices by financial institutions regulated by the CFPB. The amendment allowed for alternative online delivery of the privacy notice, but only if the financial institution met a lengthy list of requirements.
However, the 2014 CFPB revision likely had limited impact for two reasons. First, online delivery was permitted only for parties that met a laundry list of requirements, which may have been infeasible or impossible for certain financial institutions. Second, the revision applied only to entities subject to GLBA regulations issued by the CFPB − not those regulated by the Federal Trade Commission (FTC), the Securities and Exchange Commission, or the Commodities Futures Trading Commission.
In June 2015, the FTC proposed to amend its own GLBA rules, which apply specifically to motor vehicle dealers. Like the earlier CFPB amendment, the FTC proposal would have permitted certain motor vehicle dealers to notify customers that the annual privacy policy was available electronically, on the dealer’s website.
Unlike the CFPB and FTC actions, the most recent congressional amendment applies equally to all entities regulated by the GLBA, regardless of the regulator. Regulation S-P and Regulation P will likely be amended by the SEC and the CFPB, respectively, to correspond to the congressional amendment.