CFPB Proposes Rule Benefitting Companies that Limit Data Sharing

The Consumer Financial Protection Bureau (“CFPB”) has proposed a rule to promote more effective privacy disclosures from financial institutions to their customers.  The rule would allow companies that limit their consumer data-sharing and meet other requirements to post their annual privacy notices online rather than delivering them individually.  In other words, the rule would benefit companies that limit consumer data sharing.

“Consumers need clear information about how their personal information is being used by financial institutions,” said CFPB Director Richard Cordray.  “This proposal would make it easier for consumers to find and access privacy policies, while also making it cheaper for industry to provide disclosures.”

The Gramm-Leach-Bliley Act (“GLBA”) generally requires that financial institutions send annual privacy notices to customers.  The GLBA notices must describe whether and how the financial institution shares consumers’ non-public personal information.

If the institution does share this information with an unaffiliated third party, it typically must notify consumers of their right to opt out of the sharing and inform them of how to do so.

The proposed rule would permit institutions to post privacy notices online instead of distributing an annual paper copy, if they satisfy certain conditions such as not sharing data in ways that would trigger consumers’ opt-out rights.  This proposal would apply to both banks and those nonbanks that are within the CFPB’s jurisdiction under the GLBA.

Institutions that choose to rely on this new method of delivering privacy notices would be required to use the model disclosure developed by federal regulatory agencies in 2009.

Under the proposal, if an institution qualifies for and wants to rely on the online disclosure method, it would have to inform consumers annually about the availability of the disclosures.  Currently institutions must send consumers a separate communication about privacy disclosures.

Under this proposal they could include an insert in regular consumer communication, such as a monthly billing statement for a credit card, letting consumers know that the annual privacy notice is available online and in paper by request at a toll-free telephone number.  If an institution chose not to use the online disclosure method, it would need to continue to deliver annual privacy notices to its customers.

From the perspective of a consumer, the benefits of the proposed rule include:

  • Constant access to privacy policies:  Currently, consumers must receive a copy of their financial institution’s privacy policies once per year.  If financial institutions were to choose the proposed alternative delivery method, consumers would be able to view their institution’s privacy policies at any time, while still receiving notices through existing delivery methods if the policies’ terms changed.  The online privacy notices would not require a login to view.  For those customers with limited or no Internet access, financial institutions would have to mail annual notices promptly to customers who request them by phone.
  • Limited data sharing:  Under this proposal, if an institution shares data with unaffiliated third parties in a way that triggers customers’ right to opt out of such sharing, then that institution generally would not be allowed to use the alternative delivery method.  For this reason, financial institutions would have an incentive to limit their sharing to reduce their costs.
  • Comparison shopping:  Under the proposal, if financial institutions’ privacy policies are posted openly on their websites, they must use the model disclosure form designed by federal regulators.  The model disclosure form would allow consumers who are concerned about their personal information to easily comparison shop before deciding which financial institution to use.  Consumers could better educate themselves about the various types of privacy policies.
  • Cheaper for companies to notify consumers of privacy practices:  The rule would potentially reduce the cost for companies to provide annual privacy notices.  The CFPB estimates that about $17 million could be saved by the industry annually if institutions were to choose the proposed online disclosure method.

A copy of the proposed rule is available here.

Richard B. Newman is an Advertising Law Attorney at Hinch Newman LLP specializing in advertising and digital media matters. His practice includes conducting legal compliance reviews of advertising campaigns, representing clients in investigations and enforcement actions brought by the Federal Trade Commission and state attorneys general, commercial litigation, advising clients on promotional marketing programs, and negotiating and drafting legal agreements.

Information conveyed in this article is provided for informational purposes only and does not constitute, nor should it be relied upon, as legal advice.  This information is not intended to substitute for obtaining legal advice from an attorney.  No person should act or rely on any information in this article without seeking the advice of an attorney.


