Is it correct that we are not required to deliver an annual privacy notice if we fall under the exemptions in 1016.13, 1016.14, and 1016.15? We don’t even have to send the notice on a statement and post on our website?
If you’re not required to provide a GLBA/Reg P opt-out and your policy hasn’t changed, that is correct. See the excerpt from Reg P 1016.5(e) below:
Exception to annual privacy notice requirement. (1) When exception available. You are not required to deliver an annual privacy notice if you:
(i) Provide nonpublic personal information to nonaffiliated third parties only in accordance with the provisions of § 1016.13, § 1016.14, or § 1016.15; and
(ii) Have not changed your policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under § 1016.6(a)(2) through (5) and (9) in the most recent privacy notice provided pursuant to this part.
You would still need to consider opt-out disclosures required under the Fair Credit Reporting Act (FCRA) – see Regulation V, 1022 subpart C. I believe this can generally be satisfied with the initial privacy notice you provide to consumers (not required annually), but if there is a change or the opt-out expires, you would need to provide that option again.