On October 17, the Consumer Financial Protection Bureau finalized an administrative rule, first proposed in May, that allows qualifying financial institutions to post their privacy policies online in lieu of sending the policies to customers personally. The rule, an amendment to a regulation known as “Regulation P,” 12 C.F.R. Part 1016, applies both to banks and non-banks that fall under the Bureau’s jurisdiction.
Regulation P, enacted pursuant to the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq., formerly required these institutions to mail their customers initial and annual notices concerning their privacy policies. If the companies shared certain customer information with third parties, the rule also mandated that the companies provide customers with notice and with an opportunity to opt out.
The new version of the rule permits these companies to post their privacy policies online as long as they meet certain conditions. These include the requirements that the company’s information-sharing practices not trigger a customer’s statutory opt-out rights, that the information within the privacy notice has not changed since last received by the customer, and that the companies use the model form provided by the new rule as their annual notice. Further requirements are that the policies be displayed clearly and conspicuously, that there be no required log-in to access them online, and that the companies mail annual notices to those without access to the Internet who request them over the telephone.
Financial institutions had expressed concern that the old rule caused information overload and unnecessary expense. The CFPB hopes that the new version, which is effective immediately upon publication in the Federal Register, will restrain consumer data sharing with third parties, more effectively educate consumers on their rights, and save money for qualifying companies.