Some Gramm-Leach-Bliley Notices Can Now Be Posted Online

23 October 2014 Legal News Alert: Privacy, Security & Information Management Publication
Authors: Chanley T. Howell Steven M. Millendorf

Legal News Alert: Privacy, Security & Information Management


Some banks and other organizations covered under the Gramm-Leach-Bliley Act (GLBA) may now post their privacy policies online rather than having to mail them annually. Earlier this week, the Consumer Financial Protection Bureau (CFPB) finalized a rule to provide more effective and efficient privacy disclosures from covered institutions to their customers. Organizations can take advantage of the new rule only if they limit their sharing of customer information.

Applicability of the GLBA

While the GLBA primarily covers banks, companies should keep in mind that its applicable bill is broader than just traditional banks and other covered institutions. For example, the GLBA applies to insurance companies, mortgage brokers and servicing companies, appraisers and real estate settlement service providers.

The GLBA Annual Privacy Notice Requirements

The GLBA and Regulation P require covered institutions to provide their customers with initial and annual notices regarding their privacy policies, including what types of information are collected and with whom the information is shared. If these companies share certain customer information with particular types of third parties, they are also required to provide notice to their customers and an opportunity to opt out of the sharing. Most covered institutions currently mail printed copies of annual GLBA privacy notices to their customers, including notices of GLBA. For years, the financial industry has expressed concerns that this practice causes information overload for consumers and unnecessary expense.

The New Rule

In response to such concerns, the CFPB passed the rule to allow covered organizations to use an alternative delivery method to provide annual privacy notices through posting the annual notices on their websites if they meet certain conditions. Covered institutions may use the alternative delivery method for annual privacy notices if:

  1. No opt-out rights are triggered by the covered institution’s information sharing practices under GLBA or the Fair Credit Report Act (or the organization has separately complied with the notice and opt-out requirements of FCRA). 
  2. The information included in the privacy notice has not changed since the customer received the previous notice. And, 
  3. The covered institution uses the model form provided in Regulation P as its annual privacy notice.


Online Posting Requirements

Covered organizations must continuously post the annual privacy notice in a clear and conspicuous manner on a page of its website, without requiring a login or similar steps or agreement to any conditions to access the notice.

Customer Can Request Copy by Mail

To assist customers with limited or no access to the internet, the institution must mail annual notices to customers who request them by telephone, within ten days of the request.

Notice of the Online Posting

To make customers aware that its annual privacy notice is available through these means, the institution must insert a clear and conspicuous statement at least once per year on an account statement, coupon book, or a notice or disclosure the institution issues under any provision of law. The statement must inform customers that the annual privacy notice is available on the covered institution’s website, the institution will mail the notice to customers who request it by calling a specific telephone number, and the notice has not changed.

Annual Notice Still Required in Some Instances

A covered institution is still required to use one of the permissible delivery methods that predate this rule change (referred to as the standard delivery methods) if the institution, among other things, has changed its privacy practices or engages in information-sharing activities for which customers have a right to opt out. While existing rules under the GLBA permit electronic delivery of annual notices, the circumstances are limited and relate to transactions conducted online.


Organizations that are required to provide an annual privacy notice under the GLBA should determine whether it qualifies under this new rule allowing the posting of the notice online in lieu of mailing. In the event the company does not qualify, it should consider whether a change in its data sharing practices is warranted in order to take advantage of the new rule.

Legal News Alert is part of our ongoing commitment to providing up-to-the-minute information about pressing concerns or industry issues affecting our clients and our colleagues. If you have any questions about this update or would like to discuss this topic further, please contact your Foley attorney or the following:

Chanley T. Howell
Jacksonville, Florida

Steven M. Millendorf
San Diego, California