Vermont Regulatory Update

Vermont Regulatory Update

Vermont Regulation B-2018-1


The Vermont Department of Financial Regulation recently issued revised regulations regarding annual privacy notices, effective March 15, 2018.


A financial institution is not required to deliver an annual privacy notice if:

  • The financial institution does not disclose the customer’s nonpublic personal information to nonaffiliated third parties other than for permitted purposes;
  • The financial institution does not disclose information to or among its affiliates in a manner that would require an opt-in under the Vermont Fair Credit Reporting Act;
  • Any disclosures that the financial institution makes under the federal Fair Credit Reporting Act and the federal implementing regulations and the Vermont Fair Credit Reporting Act, if applicable, have been satisfied previously or the annual privacy notice is not the only notice provided to satisfy such requirements;
  • The financial institution has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer in the most recent privacy notice (whether initial, annual, or revised) provided; and
  • The financial institution posts its current privacy notice continuously and in a clear and conspicuous manner on a page of its website on which the only content is the privacy notice, without requiring the customer to provide any information such as a login name or password or agree to any conditions to access the page.


If a financial institution has been excepted from delivering an annual privacy notice and changes its policies or practices in such a way that it no longer meets the requirements for the exception, the financial institution must provide a new privacy notice to customers at least 60 days prior to the effective date of the changes in its policies or practices.  The new privacy notice will be treated as an initial privacy notice for purposes of this regulation and the financial institution’s obligation to provide an annual privacy notice thereafter shall be determined in accordance with the requirements and exceptions of these provisions.