GLBA Regulation P Privacy Notices: What Financial Institutions Must Send, When, and the FAST Act Exception Explained
You sent your initial privacy notice at account opening. Three years later, you still haven’t sent an annual notice — because your privacy practices haven’t changed and you heard something about an exception. That’s probably fine. But do you actually know whether the exception applies to you right now?
This is the quiet compliance gap in most financial institutions’ privacy programs. Regulation P has been around since 2000. Most compliance officers know the basics. But the details — exactly who must send notices, what must be in them, when the FAST Act exception kicks in, and what happens when practices change — are frequently fuzzy, and fuzziness gets cited in exams.
Here’s the practitioner version: who’s covered, what’s required, and when.
TL;DR
- GLBA Regulation P requires an initial privacy notice at or before the start of a customer relationship and an annual notice every 12 months thereafter
- The FAST Act exception (effective December 4, 2015) eliminates the annual notice requirement if you only share under permitted exceptions AND your practices haven’t changed since the last notice
- The opt-out right applies only when sharing with non-affiliated third parties for purposes not covered by the permitted exceptions — most financial institution sharing qualifies for an exception
- Fintechs providing financial products or services to consumers are financial institutions under GLBA and must comply, with or without a bank charter
Who Has to Comply With Regulation P
The starting point is the definition of “financial institution” under GLBA. It’s broader than most fintechs expect.
Any company “significantly engaged” in providing financial products or services to consumers is a financial institution under GLBA, including:
- Banks, credit unions, and savings associations (supervised by CFPB, OCC, FDIC, NCUA, or the Fed)
- Mortgage brokers and lenders
- Check cashers and money transmitters
- Prepaid card issuers
- Payday and installment lenders
- Investment advisors and broker-dealers
- Insurance companies
- Fintechs offering consumer financial products — BNPL, earned wage access, banking-as-a-service front ends, credit products
The regulatory version of Regulation P you must comply with depends on your regulator:
- 12 CFR Part 1016 — CFPB-supervised entities (banks, credit unions, and non-banks supervised by CFPB)
- 16 CFR Part 313 — Non-bank financial institutions supervised by the FTC (most fintechs without a banking charter)
The substantive requirements are essentially identical. The enforcement agency differs.
If you’re a fintech that provides a consumer-facing financial product through a bank partner, you and your bank both have Regulation P obligations — yours for your role as a financial institution, and the bank’s independently. The fintech consumer compliance roadmap covers how GLBA interacts with your other federal obligations.
Consumer vs. Customer: Why the Distinction Matters for Notice Timing
Regulation P uses two terms with different compliance implications:
A consumer is any individual who obtains or has obtained a financial product or service from you primarily for personal, family, or household purposes.
A customer is a consumer who has an ongoing customer relationship with your institution — for example, a checking account holder, a loan borrower with an outstanding balance, or a cardholder.
Why it matters:
- Initial privacy notice: required for customers at or before the time a customer relationship is established. Also required for consumers before you share their nonpublic personal information with a non-affiliated third party (if you plan to share).
- Annual privacy notice: required only for customers — people with ongoing relationships. One-time transaction consumers (someone who cashes a single check and doesn’t return) don’t require an annual notice.
The practical implication: the moment someone opens an account, you need to have the initial notice ready. Don’t wait until after onboarding.
The Initial Privacy Notice: Content Requirements
The initial notice must describe your privacy practices at the time the customer relationship begins. The CFPB’s examination procedures specify what examiners look for in the notice.
Required content categories:
1. Categories of nonpublic personal information collected. Examples: information from an application (name, SSN, income, employment), information from your transactions with the customer (account balances, payment history), information from third parties (credit bureau reports, other financial institutions).
2. Categories of nonpublic personal information disclosed and to whom. You must identify both the type of information and the categories of entities receiving it — affiliates, non-affiliated service providers, non-affiliated third parties for their own marketing.
3. Affiliated and non-affiliated third parties receiving information. Examples of categories: financial service providers (other banks, mortgage brokers, insurance companies), non-financial companies (data analytics vendors, marketing partners).
4. Policies for protecting nonpublic personal information. A description of your information security policies — how you protect data from unauthorized access, disclosure, and misuse.
5. Opt-out rights (when applicable). If any of your sharing practices trigger opt-out rights, the notice must describe those rights clearly and provide a “reasonable means” for the customer to opt out — a toll-free phone number, a reply form, a website opt-out mechanism.
The CFPB provides a model privacy notice form under Appendix A to Regulation P. Institutions that use the model form accurately have a compliance safe harbor. If you draft your own notice without the model form, it must contain all required elements and be “clear and conspicuous.”
Timing: The initial notice must be provided no later than when the customer relationship is established. In practice, this means the notice should be included in your account opening documents, presented during the digital onboarding flow, or mailed at account opening — not weeks later.
The Annual Notice Requirement
Before the FAST Act, every financial institution had to send an annual privacy notice to every customer, every year. For large institutions, this was a significant operational burden — millions of notices mailed at cost.
The FAST Act amendment to GLBA (2015) created an exception that eliminated the annual notice requirement for institutions meeting two conditions. The CFPB implemented the exception effective December 4, 2015 (12 CFR 1016.5(e)).
If the exception doesn’t apply, the annual notice must be sent at least once in any 12-month period during which the customer relationship continues. The content requirements are identical to the initial notice.
Delivery options: The annual notice can be sent by mail, electronically (with consent), posted on your website (in certain circumstances), or included with a periodic statement. The method must be reasonably likely to reach the customer.
The FAST Act Exception: When You Don’t Have to Send an Annual Notice
This is the provision most compliance officers know exists but can’t fully articulate. Here are both conditions, precisely:
Condition 1: Your institution shares nonpublic personal information with non-affiliated third parties only under the exceptions that don’t trigger opt-out rights (see “Sharing Categories Exempt from Opt-Out” below for the full list). You don’t share customer data with non-affiliated companies for their own marketing or other purposes that would require an opt-out right.
Condition 2: Your privacy practices have not changed since you last provided a privacy notice to the customer.
Both conditions must be met simultaneously. If you change your information-sharing practices — for example, you enter a new marketing partnership that involves sharing customer data — you lose the FAST Act exception and must send a revised notice before the new sharing begins.
Most traditional banks and credit unions meet this exception because they primarily share under service provider arrangements (exempt from opt-out) and haven’t materially changed their practices in years. Many fintechs also qualify — but the exception requires you to actually verify your sharing practices periodically, not just assume you qualify.
A compliance program that says “we use the FAST Act exception” without a documented periodic review of information-sharing practices is assuming something it hasn’t confirmed. Examiners will ask.
The Opt-Out Right: When It Applies and What to Offer
The opt-out right under Regulation P is narrower than most consumers (and some compliance officers) realize. It applies specifically when you share nonpublic personal information with non-affiliated third parties for purposes not covered by a permitted exception.
When opt-out rights apply:
- Sharing customer data with a non-affiliated company for that company’s own marketing to the customer
- Sharing with a non-affiliated company for purposes other than the exceptions below
When opt-out rights are triggered, you must:
- Provide a notice describing the sharing and the opt-out right
- Give the customer a reasonable means to opt out (toll-free number, reply form, online form)
- Allow at least 30 days from the notice before sharing begins (or before the opt-out must be given effect)
- Honor opt-out elections for the duration of the customer relationship (until revoked or relationship ends)
Sharing Categories Exempt from Opt-Out
Understanding these exceptions is where most compliance teams get the most value. The following categories of sharing do not require opt-out rights:
Service providers under contract: Sharing with a non-affiliated third party that performs services on your behalf — payment processors, cloud infrastructure providers, IT vendors, fraud monitoring services — is exempt, provided you enter a contract requiring the third party to maintain the confidentiality of the information and use it only for the contracted purpose.
Joint marketing arrangements: Sharing with another financial institution for joint marketing of financial products is exempt, provided there is a contract restricting use and disclosure.
Transaction processing: Sharing necessary to complete a transaction the consumer requested or authorized — executing a payment, processing an insurance claim, servicing a loan.
Legal compliance: Sharing to comply with a court order, law enforcement request, or regulatory requirement.
Fraud prevention and security: Sharing to protect against or investigate actual or potential fraud, unauthorized transactions, or liabilities.
Consumer reporting: Sharing with consumer reporting agencies under the Fair Credit Reporting Act is governed by FCRA, not Regulation P.
For most financial institutions, the vast majority of actual data sharing falls into one of these exempt categories — which is exactly why most institutions qualify for the FAST Act exception.
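The two FAST Act conditions, the opt-out trigger, and the exempt categories above combine into a small decision rule. The following is an added illustration written for this article, not code from the CFPB, the FTC, or the author; the purpose labels, the 365-day approximation of the 12-month cycle, and the sample arrangements are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Sharing purposes the article lists as exempt from opt-out rights. The labels
# are constructed for this example; the service-provider and joint-marketing
# exceptions additionally depend on a contract restricting use and disclosure.
EXEMPT_PURPOSES = {"service_provider", "joint_marketing", "transaction_processing",
                   "legal_compliance", "fraud_prevention", "consumer_reporting"}
CONTRACT_REQUIRED = {"service_provider", "joint_marketing"}

@dataclass
class Sharing:
    recipient: str
    affiliated: bool
    purpose: str
    confidentiality_contract: bool = False

def requires_opt_out(s: Sharing) -> bool:
    """Opt-out applies only to non-affiliated sharing outside the exemptions."""
    if s.affiliated:
        return False
    if s.purpose in CONTRACT_REQUIRED:
        return not s.confidentiality_contract  # exemption is lost without the contract
    return s.purpose not in EXEMPT_PURPOSES

def fast_act_exception_applies(sharings, practices_changed: bool) -> bool:
    """Both FAST Act conditions: no opt-out-triggering sharing AND no change since the last notice."""
    return not practices_changed and not any(requires_opt_out(s) for s in sharings)

def notices_due(today: date, relationship_start: date, last_notice, sharings, practices_changed: bool):
    """List the notice obligations outstanding for one customer as of `today`."""
    due = []
    if last_notice is None:
        due.append("initial notice: none on record; required at or before relationship start")
    elif last_notice > relationship_start:
        due.append("initial notice: delivered after the relationship began")
    if practices_changed:
        due.append("revised notice: deliver before the new sharing begins")
    if any(requires_opt_out(s) for s in sharings):
        due.append("opt-out notice: allow at least 30 days before sharing begins")
    # The 12-month annual cycle is approximated as 365 days here.
    if (last_notice is not None and today - last_notice > timedelta(days=365)
            and not fast_act_exception_applies(sharings, practices_changed)):
        due.append("annual notice: more than 12 months since the last notice")
    return due
```

Run it against your actual vendor inventory rather than assumed categories: a service-provider arrangement with no confidentiality contract is the case that silently drops the exception.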
Common Exam Deficiencies Under Regulation P
Examiners applying the CFPB’s Regulation P examination procedures look for specific gaps. The most common:
Missing or late initial notice: The notice wasn’t provided at account opening, was mailed weeks after the relationship began, or wasn’t included in the digital onboarding flow.
Inaccurate notice content: The notice doesn’t accurately describe actual information-sharing practices. The institution added a new data vendor but didn’t update the notice. This is both a Regulation P violation and a potential UDAAP issue.
Assuming the FAST Act exception applies without verification: The institution claims the exception but has never documented what information it actually shares with whom, or the review hasn’t happened in years.
Opt-out mechanism doesn’t function: The toll-free number is disconnected, the website opt-out form errors out, or opt-out requests aren’t being honored operationally.
Fintechs that don’t know they’re financial institutions: Fintech compliance programs that focus on the bank’s obligations under the bank-fintech arrangement without considering the fintech’s own independent Regulation P obligations.
Practices changed without updating the notice: The institution began a new marketing partnership or data analytics arrangement but didn’t provide a revised notice before sharing.
GLBA Privacy Notices and State Privacy Laws
GLBA provides partial preemption of state privacy laws, but it’s narrower than financial institutions typically assume. GLBA preempts state laws that are “inconsistent” with GLBA — but state laws that provide greater privacy protections are not preempted.
For California specifically: the CPRA explicitly carves out GLBA-regulated data from most CCPA requirements only to the extent the data is collected and used by the financial institution in connection with the financial relationship. If the same institution shares data for non-financial purposes, CCPA applies to that sharing. A privacy impact assessment can help you map which data is GLBA-covered and which might fall under state law.
Virginia, Colorado, Connecticut, and most other comprehensive state privacy laws include GLBA safe harbor provisions — but again, they’re narrower than they appear and warrant state-by-state analysis if your institution operates across multiple jurisdictions.
So What?
Regulation P is one of the older requirements in consumer financial services, and familiarity breeds complacency. The FAST Act exception is real and widely applicable — but it requires you to actually document that you qualify, periodically verify your information-sharing practices, and notice when things change.
The practitioners who avoid exam findings on Regulation P are the ones who can answer these questions without hesitation:
- What non-affiliated third parties do we share customer data with, and under what category?
- Do any of those arrangements trigger opt-out rights?
- When did our practices last change, and did we send a revised notice?
- Can we show an examiner our initial notice delivery process?
If those answers aren’t documented somewhere, that’s the work to do.
Building a complete privacy compliance program? The Data Privacy Compliance Kit includes data mapping templates, GLBA-aligned privacy policies, breach notification workflows, and data subject request procedures — the operational tools that turn regulatory requirements into documented processes.
Sources:
- How to Comply with the GLBA Privacy Rule — Federal Trade Commission
- Privacy Notices (GLBA) — CFPB
- GLBA Examination Procedures — CFPB
- FAST Act Amendment to Annual Privacy Notice Requirement — Federal Register
- GLBA Annual Privacy Notice Requirements and Exceptions — LegalClarity
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.