🔒 Add annual privacy notice update

[JFWooten4]

Creates an annual privacy notice exception update for Regulation S-P compliance under 17 CFR § 248.5(e). The update should define when BlockTransfer is not required to deliver an annual privacy notice, when the exception no longer applies, and how annual notice timing resumes after a change in privacy policies or practices.

Regulatory basis

Subsection (a)(1): annual privacy notice general rule

Except as provided by paragraph (e) of this section, you must provide a clear and conspicuous notice to customers that accurately reflects your privacy policies and practices not less than annually during the continuation of the customer relationship.

Annually means at least once in any period of 12 consecutive months during which that relationship exists.

You may define the 12-consecutive-month period, but you must apply it to the customer on a consistent basis.

Subsection (d): delivery

When you are required to deliver an annual privacy notice by this section, you must deliver it according to § 248.9.

Subsection (e)(1): when exception is available

You are not required to deliver an annual privacy notice if you:

a. Provide nonpublic personal information to nonaffiliated third parties only in accordance with § 248.13, § 248.14, or § 248.15; and

b. Have not changed your policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under § 248.6(a)(2) through (5) and (9) in the most recent privacy notice provided pursuant to this part.

Subsection (e)(2): when the exception no longer applies

If you have been excepted from delivering an annual privacy notice pursuant to paragraph (e)(1) of this section and change your policies or practices in such a way that you no longer meet the requirements for that exception, you must comply with paragraph (e)(2)(i) or (ii) of this section, as applicable.

Subsection (e)(2)(i): changes preceded by a revised privacy notice

If you no longer meet the requirements of paragraph (e)(1) of this section because you change your policies or practices in such a way that § 248.8 requires you to provide a revised privacy notice, you must provide an annual privacy notice in accordance with the timing requirement in paragraph (a) of this section, treating the revised privacy notice as an initial privacy notice.

Subsection (e)(2)(ii): changes not preceded by a revised privacy notice

If you no longer meet the requirements of paragraph (e)(1) of this section because you change your policies or practices in such a way that § 248.8 does not require you to provide a revised privacy notice, you must provide an annual privacy notice within 100 days of the change in your policies or practices that causes you to no longer meet the requirement of paragraph (e)(1) of this section.

Changes to be made

• Update annual privacy notice procedures to reflect the Regulation S-P annual notice exception.
• Define when BlockTransfer is not required to deliver an annual privacy notice.
• Confirm whether BlockTransfer provides nonpublic personal information to nonaffiliated third parties only under § 248.13, § 248.14, or § 248.15.
• Define how BlockTransfer tracks whether its disclosure policies and practices have changed from the most recent privacy notice.
• Define when a revised privacy notice under § 248.8 resets annual notice timing.
• Add a 100-day workflow for policy or practice changes that end the exception but do not require a revised privacy notice.
• Cross-reference the privacy notice, revised privacy notice, and transfer-agent recordkeeping workstreams.

[JFWooten4]

I need to check more on this and #6 because §§ 248.4–248.15 still use the older scope. Full ref