The FAST Act GLBA Annual-Notice Exception and the TaxSlayer Case
The FAST Act (December 2015) amended GLBA section 503 so that a financial institution may skip the annual privacy notice if its sharing triggers no opt-out right and its privacy policies have not changed. The TaxSlayer FTC matter shows how the GLBA Safeguards Rule and the GLBA Privacy Rule can both be implicated in a single enforcement action.
The FAST Act, enacted in December 2015, amended GLBA section 503. Under the amendment a financial institution is not required to deliver an annual privacy notice when two conditions are both met:
- It shares nonpublic personal information with nonaffiliated third parties only in ways that do not trigger an opt-out right; and
- It has not changed its privacy policies since the last notice it provided.
Both conditions must hold at the same time. The exception is lost as soon as either one fails: if the institution begins sharing in a way that triggers an opt-out right, or if it changes its privacy policy after the last notice, the obligation to send the annual notice returns.
In the TaxSlayer matter, the FTC examined an online tax-preparation service in which about 9,000 customer accounts were accessed by attackers who used them to file fraudulent returns. The FTC alleged that TaxSlayer had failed to implement adequate authentication and had failed to provide a clear privacy notice. The settlement barred TaxSlayer from violating the GLBA Privacy and Safeguards Rules for 20 years.
| Alleged failure | Rule implicated |
|---|---|
| Inadequate authentication allowing account takeover | GLBA Safeguards Rule |
| Failure to provide a clear privacy notice | GLBA Privacy Rule |