The US Consumer Financial Protection Bureau, after liaising with the SEC and CFTC, is to let some banks and other financial institutions to post their privacy policies online rather than having to send them off in the post every year.

Under the US Gramm–Leach–Bliley Act 1999, every financial institution must provide each client with a privacy notice that describes the information it gathers about him and states how it safeguards and/or shares this information and with whom. The bank (or mortgage broker, insurance carrier or other 'covered institution') must hand this privacy notice to the client before it can obtain his formal agreement to begin doing business with him. It must then do so annually thereafter.

Now, once a rule (RIN 3170-AA39) issued by the Consumer Financial Protection Bureau appears in the Federal Register, some banks and other financial institutions will be allowed to post their privacy policies online rather than having to send them off in the post every year. In exchange, the financial institution can only use the alternative delivery method if:

(1) it does not disclose the customer’s nonpublic personal information to non-affiliated third parties in a manner that triggers GLBA opt-out rights;

(2) it does not include on its annual privacy notice an opt-out notice under s603(d)(2)(A)(iii) Fair Credit Reporting Act;

(3) the requirements of s624 FCRA and the Affiliate Marketing Rule, if applicable, have been satisfied previously or the annual privacy notice is not the only notice provided to satisfy such requirements;

(4) the information included in the privacy notice has not changed since the customer received the previous notice (subject to an exception); and

(5) it uses the model form provided in the G-L-B Act’s implementing Regulation P.

Under the alternative delivery method, the financial institution would have to:

(1) convey in a clear and conspicuous manner not less than annually on an account statement, coupon book, or a notice or disclosure the institution issues under any provision of law that its privacy notice is available on its website, it will be mailed to customers who request it by telephone, and it has not changed;

(2) post its current privacy notice in a continuous and clear and conspicuous manner on a page of its website on which the only content is the privacy notice, without requiring a login name or similar steps or agreeing to any conditions to access the page; and

(3) mail its current privacy notice to customers who request it by telephone within ten days of the request.