Background and Summary of Regulation P

6-7393
Regulation P implements title V, subtitle A of the Gramm-Leach-Bliley Act (Pub. L. 106-102, 15 U.S.C. 6801 et seq.). Signed into law on November 12, 1999, the act enables consumers to prevent a financial institution from disclosing private information (“nonpublic personal information”) to third parties that are not affiliated with the financial institution. Institutions must provide a reasonable method for consumers to opt out of disclosures to nonaffiliated third parties. “Consumers” are individuals who obtain financial products or services for personal, family, or household purposes. The act does not restrict the disclosure of nonpublic personal information among affiliated companies or of information about businesses and corporations.

6-7394

PRIVACY AND OPT-OUT NOTICES

A financial institution is required to disclose to consumers its policies and practices concerning information sharing with both affiliates and nonaffiliated third parties. It must give new customers accurate, clear, and conspicuous initial notices about its privacy policies, describing the conditions under which it may disclose nonpublic personal information to nonaffiliated third parties and affiliates. “Customers” are consumers with whom the institution has a continuing relationship in which it provides financial products or services for personal, family, or household purposes. Initial notices must also be given to a consumer who is not a customer if the institution shares nonpublic personal information about the consumer with nonaffiliated third parties. Institutions must also give their current customers accurate, clear, and conspicuous annual notices of their privacy policies. When information-sharing practices change, institutions may have to provide a revised notice, as outlined in section 1016.8.
Privacy notices should include the following information:
  • categories of information the institution collects
  • categories of information the institution may disclose
  • categories of affiliates and nonaffiliates to which the institution gives nonpublic personal information
  • the consumer’s right to opt out
  • any disclosures made under the Fair Credit Reporting Act

6-7395

EXERCISE OF THE RIGHT TO OPT OUT

A consumer must be given a reasonable method for opting out of information sharing, such as a reply form or toll-free telephone number. Consumers may exercise their opt-out option at any time. An institution must comply with a consumer’s opt-out direction as soon as reasonably practicable and until the consumer revokes that direction in writing.

6-7396

EXCEPTIONS

Exceptions allow transfers of nonpublic personal information to unaffiliated parties to process and service a consumer’s transaction and to facilitate other normal business transactions. For example, consumers cannot opt out when nonpublic personal information is shared with a nonaffiliated third party to—
  • market the institution’s own financial products or services,
  • market financial products or services offered by two financial institutions (joint marketing),
  • process and service transactions the consumer requests or authorizes,
  • protect against potential fraud or unauthorized transactions,
  • respond to judicial process, or
  • comply with federal, state, or local legal requirements.
To qualify for an opt-out exception, an institution may have to satisfy disclosure and other requirements. For example, the joint-marketing exception requires that any contractual agreement between two nonaffiliated financial institutions—
  • involve joint offering, endorsement, or sponsoring of the financial product or service and
  • limit further use or disclosure of the consumer information transferred.
The institution must also include in the privacy notice a separate statement disclosing the joint-marketing agreement.