During our audit of Regulation P, we were cited for disclosing information regarding our mobile banking app. The information was required by Google due to push notification and pop-up screens. We tried to create a separate box to add the discloser but was advised by our document provider ”that a box could not be added and to add the information to the Other Important Information box” The auditor is indicating that this is a violation of law and giving the audit a “Needs Improvement” rating. I have a couple of questions:

• Is this a violation of law?
• If so, is this a significant finding?
• If this is a violation, where would put the information on the Privacy Policy or is it ok to create our document.

I don't understand what information is being disclosed or how, are you saying consumers enter banking info for Google?

If the bank offers its app in the Google Play app store, Google requires a disclosure about the acquisition of geolocation if certain features are turned on.

As to whether it's a violation of law to include that information in the "other Important Information" box - it's not, and the auditor needs to re-read the regulation. The model privacy form in the Appendix to Reg. P includes specific instructions about what can and can't go in various places. The "other important information" box is only for state privacy law issues.

So including the geolocation disclosure required by Google in that box means that the bank is not using the model form in accordance with the instructions. But the regulation does not require use of the model form (even though everyone does). So including this information just means that the bank is using a form other than the model. Is it still complying with the regulation? Yes.

We use two linked policies on our mobile app - one is our Reg P Privacy Notice (based on the Reg P model) and one is our Digital Privacy & Cookies Policy. The second policy is where we discuss geolocation and other information on how we gather, use, and share digital information and cookies.