We were obviously happy to see Regulation P was finally updated, which we passed along to you last week. As a reminder, you qualify for the exemption to the annual notice requirement if you 1) Are not required to provide a Gramm-Leach-Bliley Act (GLBA) opt-out; and, 2) You have not changed your Regulation P sharing practices since your last notice was provided.
So, what if you aren’t required to provide an opt-out under GLBA but you ARE required to provide an opt-out under the Fair Credit Reporting Act (FCRA)? The FCRA requires an opt-out for banks that share with affiliates for marketing purposes and another opt-out for banks that share credit report or other information (beyond first-hand, transaction and experience information) with affiliates. There is some good news buried within the Final Rule!
You can still qualify for the GLBA exemption from sending annual privacy notices even if you provide an opt-out for either of the FCRA sharing provisions. However, you must still meet any FCRA requirements to provide subsequent opt-outs. While these opt-outs don’t need to be provided annually, you do need to give the opt-out prior to sharing information that falls under the FCRA. If you allow an opt-out to expire (for example, affiliate marketing must remain in effect for at least five years), you would need to provide an opt-out again, prior to sharing.