Enacted by Congress on November 12, 1999, the GLBA placed new privacy and security obligations on financial institutions, mandating financial institutions to, among other things, provide annual privacy notices (subject to certain exceptions, including if policies and practices have not changed since the last disclosure) and opt-out rights to consumers. Accordingly, Regulation P expands on these requirements, with the stated purpose to:
- Require a financial institution to provide notice about its privacy policies and practices;
- Describe the conditions under which a financial institution may disclose non-public personal information to non-affiliated third parties; and
- Provide a method for consumers to “opt out” of certain disclosures of non-public personal information.
12 CFR 1016.1(a).
This white paper provides an overview of the scope of Regulation P and its required disclosures relating to “non-affiliated third parties.”
Scope of Regulation P
As stated above, the GLBA and Regulation P primarily aim to provide transparency to consumers and to govern financial institutions’ data security practices. However, the reach of Regulation P extends beyond financial institutions alone. Regulation P applies to all “other persons for which the [CFPB] has rulemaking authority” pursuant to section 504(a)(1)(A) of the GLBA, including service providers and other third parties that receive non-public personal information from financial institutions. 12 CFR 1016.1(b)(1). Although the CFPB has traditionally focused on regulating financial institutions, in April 2022 the CFPB expressed its intention to invoke its dormant supervisory authority over non-financial institution service providers and third parties and to supervise such companies more closely. See CFPB Invokes Dormant Authority to Examine Nonbank Companies Posing Risks to Consumers, Consumer Financial Protection Bureau (Apr. 25, 2022), https://www.consumerfinance.gov/about-us/newsroom/cfpb-invokes-dormant-authority-to-examine-nonbank-companies-posing-risks-to-consumers/. Thus, both financial institutions and third-party service providers are directly accountable for implementing appropriate practices and safeguards to ensure compliance with the GLBA and Regulation P.
While the CFPB has broad authority to regulate both financial institutions and non-financial institution entities, generally, the scope of the GLBA and Regulation P is limited to “non-public personal information” about consumers or “individuals who obtain financial products or services primarily for personal, family, or household purposes.” 12 CFR 1016.1(b)(1) (emphasis added). It does not apply to information collected about companies or other persons obtaining financial products or services primarily for business, commercial, or agricultural purposes.
As defined in Regulation P, “non-public personal information” includes:
- Any information a consumer provides to obtain a financial product or service;
- Any information about a consumer resulting from any transaction involving a financial product or service;
- Any information otherwise obtained about a consumer in connection with a financial product or service; and
- Any list, description, or other grouping derived using any of the foregoing non-public personal information.
12 CFR 1016.3(p); 12 CFR 1016.3(q).
In sum, the GLBA and Regulation P govern the non-public personal information collected by financial institutions, service providers, and third parties that provide financial products or services to consumers primarily for personal, family, or household purposes.
Regulation P’s Non-affiliated Third-Party Disclosure Requirements
Regulation P is a comprehensive data privacy framework providing consumers greater transparency and control over their personal data. This is accomplished in various ways, including initial and annual privacy notices, opt-out rights, and limitations on disclosures and redisclosures. The regulation also sets forth specific requirements regarding the information and disclosures to be included in such privacy notices. A model privacy notice designed to meet such requirements is provided in the appendix of Regulation P. As we often receive questions related to such privacy notice disclosure requirements concerning non-affiliated third parties, this will be our focus here.
Similar to the structure of other privacy laws (such as the GDPR, CCPA, and other state legislation), Regulation P sets forth a specific list of the information that a covered entity must disclose in its privacy notices, including (see 12 CFR 1016.6(a)):
- The categories of non-public personal information collected;
- The categories of non-public personal information disclosed;
- The categories of affiliates and non-affiliated third parties to whom non-public personal information is disclosed (excluding information subject to the processing and servicing transactions exception);
- The categories of non-public personal information about former customers disclosed and the categories of affiliates and non-affiliated third parties to whom such information is disclosed (excluding information subject to the processing and servicing transactions exception);
- A separate statement of the categories of information disclosed to non-affiliated third parties that are service providers or perform joint marketing and the categories of third parties with whom you have contracted;
- An explanation of the consumer’s right to opt out of the disclosure of non-public personal information to non-affiliated third parties and the method(s) by which the consumer may exercise that right;
- Any disclosures that you make under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act;
- Policies and practices with respect to protecting the confidentiality and security of non-public personal information; and
- A separate statement of the categories of information disclosed to a non-affiliated third party subject to the processing and servicing transactions exception.
Of the items listed above, three required disclosures relate specifically to non-affiliated third parties. Each is addressed in turn.
Categories of Non-affiliated Third Parties
To satisfy this requirement, a covered entity must disclose the categories of non-affiliated third parties (and affiliates) to whom non-public personal information is disclosed. A common mistake we see is naming specific entities and/or failing to categorize entities properly. This disclosure does not require a covered entity to list the names of such third parties, but simply to group such parties into descriptive categories with illustrative examples where applicable. Regulation P and the model privacy form provide specific examples of acceptable disclosures; the general format of an acceptable disclosure under Regulation P is as follows (see 12 CFR 1016.6(c)(3)):
“Non-affiliates we share non-public personal information with can include [Define category: Financial service providers / non-financial service providers / other], such as [list company-types of the third parties with which the financial institution contracts within such category: mortgage bankers, securities broker-dealers, insurance agents, retailers, magazine publishers, airlines, direct marketers, non-profit organizations, etc.].”
Categories of Service Providers and Joint Marketing Partners
To satisfy this requirement, a covered entity must disclose the categories of non-affiliated third parties that are service providers or joint marketing partners and to whom non-public personal information is disclosed. Again, this disclosure does not require a covered entity to list the names of such third parties, but simply to specify the category of such third party, as follows (see 12 CFR 1016.6(c)(4)):
“Our joint marketing partners we share non-public personal information with can include [list company-types of third parties with which the financial institution contracts: credit card companies, etc.].”
Covered entities must also include a disclosure of the list of non-public personal information disclosed to such third parties. The model privacy form addresses this disclosure separately.
Processing and Servicing Transactions Exception
Finally, under the processing and servicing transactions exception, covered entities are generally not required to disclose any information regarding the company type of the non-affiliated third parties they may use to provide the services requested by a consumer. Instead, Regulation P merely requires a covered entity to inform consumers of the categories of non-public personal information it may share with third parties for these limited purposes.
Complying with Regulation P
Contact us for more information.
Baldini Lang LLC has extensive experience assisting clients in building risk assessment programs and policies to comply with their legal requirements and establish best practice standards. Contact us if you need additional information or would like assistance drafting or revising your institution’s privacy policies and disclosure to comply with Regulation P and best practice standards.