The Consumer Financial Protection Bureau
The CFPB changed Regulation P, which implements the Gramm-Leach-Bliley Act and mandates how financial institutions must provide customers with annual privacy policy notices.
Financial firms are required to annually give customers the opportunity to "opt out" from having their information shared with third parties.
Congress altered the provision in 2015 to provide an exception to financial institutions from providing annual notices to customers if they meet two conditions. Under the new rule, the CFPB tweaked those conditions.
The first condition of sharing of a consumer's nonpublic personal information is allowed if it "does not trigger consumer opt-out rights," the CFPB said.
For the second condition, a financial institution must not have changed its policies and practices for disclosing nonpublic personal information from the most recent disclosure sent to a customer.
As an example, the CFPB said that a mortgage customer has the right to opt out of a financial institution disclosing his or her name and address to an unaffiliated home insurance company.
But a financial institution is not required to allow a consumer to opt out of the institution’s disclosure of his or her nonpublic personal information to third party service providers and pursuant to joint marketing arrangements subject to certain requirements.
The rule does not affect the collection or use of a consumer's nonpublic personal information by financial institutions and consumers will continue to receive privacy policy notices to the extent they are required, the CFPB said.
The amended rule also establishes deadlines for institutions resuming annual privacy notices if their practices change and they cease to qualify for the exemption.