FR Doc E9-27882[Federal Register: December 1, 2009 (Volume 74, Number 229)]
[Rules and Regulations]
[Page 62889-62994]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr01de09-19]
[[Page 62889]]
-----------------------------------------------------------------------
Part II
Department of the Treasury
Office of the Comptroller of the Currency
12 CFR Part 40
-----------------------------------------------------------------------
Federal Reserve System
12 CFR Part 216
-----------------------------------------------------------------------
Federal Deposit Insurance Corporation
12 CFR Part 332
-----------------------------------------------------------------------
Department of the Treasury
Office of Thrift Supervision
12 CFR Part 573
-----------------------------------------------------------------------
National Credit Union Administration
12 CFR Part 716
-----------------------------------------------------------------------
Federal Trade Commission
16 CFR Part 313
-----------------------------------------------------------------------
Commodity Futures Trading Commission
17 CFR Part 160
-----------------------------------------------------------------------
Securities and Exchange Commission
17 CFR Part 248
-----------------------------------------------------------------------
Final Model Privacy Form Under the Gramm-Leach-Bliley Act; Final Rule
[[Page 62890]]
-----------------------------------------------------------------------
DEPARTMENT OF THE TREASURY
Office of the Comptroller of the Currency
12 CFR Part 40
[Docket ID OCC-2009-0011]
RIN 1557-AC80
FEDERAL RESERVE SYSTEM
12 CFR Part 216
[Docket No. R-1280]
FEDERAL DEPOSIT INSURANCE CORPORATION
12 CFR Part 332
RIN 3064-AD16
DEPARTMENT OF THE TREASURY
Office of Thrift Supervision
12 CFR Part 573
[Docket ID OTS-2009-0014]
RIN 1550-AC12
NATIONAL CREDIT UNION ADMINISTRATION
12 CFR Part 716
RIN 3133-AC84
FEDERAL TRADE COMMISSION
16 CFR Part 313
[Project No. 034815]
RIN 3084-AA94
COMMODITY FUTURES TRADING COMMISSION
17 CFR Part 160
RIN 3038-AC04
SECURITIES AND EXCHANGE COMMISSION
17 CFR Part 248
[Release Nos. 34-61003, IA-2950, IC-28997; File No. S7-09-07]
RIN 3235-AJO6
Final Model Privacy Form Under the Gramm-Leach-Bliley Act
AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC);
Board of Governors of the Federal Reserve System (Board); Federal
Deposit Insurance Corporation (FDIC); Office of Thrift Supervision,
Treasury (OTS); National Credit Union Administration (NCUA); Federal
Trade Commission (FTC); Commodity Futures Trading Commission (CFTC);
and Securities and Exchange Commission (SEC).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The OCC, Board, FDIC, OTS, NCUA, FTC, CFTC, and SEC (the
``Agencies'') are publishing final amendments to their rules that
implement the privacy provisions of Subtitle A of Title V of the Gramm-
Leach-Bliley Act (``GLB Act''). These rules require financial
institutions to provide initial and annual privacy notices to their
customers. Pursuant to Section 728 of the Financial Services Regulatory
Relief Act of 2006 (``Regulatory Relief Act'' or ``Act''), the Agencies
are adopting a model privacy form that financial institutions may rely
on as a safe harbor to provide disclosures under the privacy rules. In
addition, the Agencies other than the SEC are eliminating the safe
harbor permitted for notices based on the Sample Clauses currently
contained in the privacy rules if the notice is provided after December
31, 2010. Similarly, the SEC is eliminating the guidance associated
with the use of notices based on the Sample Clauses in its privacy rule
if the notice is provided after December 31, 2010.
DATES: This rule is effective on December 31, 2009, except for the
following amendments, which are effective January 1, 2012:
Instructions 3B, 10B, 17B, 24B, 31B, 38B, 45B, and 52B removing
paragraphs (g) to 12 CFR 40.6, 216.6, 332.6, 573.6, and 716.6, 16 CFR
313.6, and 17 CFR 160.6 and 248.6, respectively; and
Instructions 7B, 14B, 21B, 28B, 35B, 42B, 49B, and 55B removing
Appendixes B to 12 CFR parts 40, 216, 332, 573, and 716, 16 CFR part
313, and 17 CFR parts 160 and 248, respectively.
FOR FURTHER INFORMATION CONTACT: OCC: Stephen Van Meter, Assistant
Director, Community and Consumer Law Division, (202) 874-5750; Heidi
Thomas, Special Counsel, Legislative and Regulatory Activities
Division, (202) 874-5090; or David Nebhut, Director, Policy Analysis
Division, (202) 874-5220, Office of the Comptroller of the Currency,
250 E Street, SW., Washington, DC 20219.
Board: Jeanne Hogarth, Consumer Policies Program Manager, Jelena
McWilliams, Attorney, or Ky Tran-Trong, Counsel, Division of Consumer
and Community Affairs, (202) 452-3667; Kara Handzlik, Attorney, Legal
Division, (202) 452-3852; Board of Governors of the Federal Reserve
System, 20th Street and Constitution Avenue, NW., Washington, DC 20551.
FDIC: Samuel Frumkin, Senior Policy Analyst, Division of
Supervision and Consumer Protection, (202) 898-6602; or Kimberly A.
Stock, Counsel, (202) 898-3815, Legal Division; Federal Deposit
Insurance Corporation, 550 17th Street, NW., Washington, DC 20429.
OTS: Ekita Mitchell, Consumer Regulations Analyst, (202) 906-6451;
or Richard Bennett, Senior Compliance Counsel, Regulations and
Legislation Division, (202) 906-7409; 1700 G Street, NW., Washington,
DC 20552.
NCUA: Regina Metz, Staff Attorney, (703) 518-6561, Office of
General Counsel, National Credit Union Administration, 1775 Duke
Street, Alexandria, Virginia 22314-3428.
FTC: Loretta Garrison, Senior Attorney, and Anthony Rodriguez,
Attorney, Division of Privacy and Identity Protection, Bureau of
Consumer Protection, (202) 326-2252, Federal Trade Commission, 600
Pennsylvania Avenue, NW., Stop NJ-3158, Washington, DC 20580.
CFTC: Laura Richards, Deputy General Counsel, (202) 418-5126, or
Gail B. Scott, Counsel, Office of General Counsel, (202) 418-5139,
Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st
Street, NW., Washington, DC 20581.
SEC: Paula Jenson, Deputy Chief Counsel, or Brice Prince, Special
Counsel, Office of the Chief Counsel, Division of Trading and Markets,
(202) 551-5550; or Penelope Saltzman, Assistant Director, Thoreau
Bartmann, Senior Counsel, or Daniel Chang, Staff Attorney, Office of
Regulatory Policy, Division of Investment Management, (202) 551-6792,
Securities and Exchange Commission, 100 F Street, NE., Washington, DC
20549.
SUPPLEMENTARY INFORMATION: The Agencies are publishing final amendments
to each of their rules (which are consistent and comparable) that
implement the privacy provisions of the GLB Act: 12 CFR part 40 (OCC);
12 CFR part 216 (Board); 12 CFR part 332 (FDIC); 12 CFR part 573 (OTS);
12 CFR part 716 (NCUA); 16 CFR part 313 (FTC); 17 CFR part 160 (CFTC);
and 17 CFR part 248 (SEC) (collectively, the ``privacy rule'').\1\
---------------------------------------------------------------------------
\1\ Because the Agencies' privacy rules generally use consistent
section numbering, relevant sections will be cited, for example, as
``section ----.6'' unless otherwise noted.
I. Introduction
A. Statutory Authority and Overview
B. Overview of the Final Model Privacy Form
II. Background
A. The Gramm-Leach-Bliley Act Privacy Notices
[[Page 62891]]
B. Development of Proposed Model Privacy Form
C. Overview of Comments Received
D. Quantitative Research
E. Public Comments on the Quantitative Test Data
F. Validation Testing
III. The Final Model Privacy Form
A. Standardization
B. Instructions for Use
C. Format of the Notice
D. Appearance of the Model Privacy Form
E. Optional General Guidance for Easily Readable Type
F. Printing, Color, and Logos
G. Jointly-Provided Notices
H. Use of the Form by Differently-Regulated Entities
I. Page One of the Model Form
J. Page Two of the Model Form
K. Other Issues
IV. The Sample Clauses
V. Effective Date
VI. Final Regulatory Flexibility Analysis
VII. Paperwork Reduction Act
VIII. OCC and OTS Executive Order 12866 Determination
IX. OCC and OTS Executive Order 13132 Determination
X. OCC and OTS Unfunded Mandates Reform Act of 1995 Determination
XI. SEC Cost-Benefit Analysis
XII. SEC Consideration of Burden on Competition
XIII. NCUA: The Treasury And General Government Apropriations Act,
1999-Assessment of Federal Regulations and Policies on Families
XIV. CFTC Cost-Benefit Analysis
I. Introduction
A. Statutory Authority and Overview
The Regulatory Relief Act was enacted on October 13, 2006.\2\
Section 728 of the Act directs the Agencies to ``jointly develop a
model form which may be used, at the option of the financial
institution, for the provision of disclosures under [section 503 of the
GLB Act].'' \3\ The Regulatory Relief Act stipulates that the model
form shall be a safe harbor for financial institutions that elect to
use it. Section 728 further directs that the model form shall:
---------------------------------------------------------------------------
\2\ Public Law No. 109-351, 120 Stat. 1966 (2006).
\3\ Id., adding 15 U.S.C. 6803(e). See also infra discussion at
section II.A. on the GLB Act requirements for financial privacy
notices. Section 728 of the Regulatory Relief Act directs the
agencies named in Section 504(a)(1) of the GLB Act, 15 U.S.C.
6804(a)(1), to develop a model form. The CFTC, which did not become
subject to Title V of the GLB Act until 2000, is not named in that
section. The Commodity Exchange Act (``CEA'') was amended in 2000 by
the Commodity Futures Modernization Act of 2000 to make the CFTC a
``Federal functional regulator'' subject to the GLB Act Title V. See
Section 5g of the CEA, 7 U.S.C. 7b-2. The CFTC interprets Section
728 of the Regulatory Relief Act as applying to it through Section
5g.
---------------------------------------------------------------------------
(A) Be comprehensible to consumers, with a clear format and design;
(B) provide for clear and conspicuous disclosures;
(C) enable consumers easily to identify the sharing practices of a
financial institution and to compare privacy practices among financial
institutions; and
(D) be succinct, and use an easily readable type font.
On March 29, 2007, the Agencies published a proposed model privacy form
(the ``proposed model form'') that financial institutions would be able
to use to comply with certain disclosures under the privacy rule.\4\ On
April 15, 2009, the SEC reopened the comment period on the proposed
rulemaking to solicit comment on a research report and test data
pertaining to additional consumer testing of the proposed model privacy
form.\5\ Today, the Agencies are amending the privacy rule to include a
model privacy form that institutions may use to provide required
disclosures. The final model form is substantially as proposed with
changes based on comments we received as well as additional consumer
testing.
---------------------------------------------------------------------------
\4\ See Interagency Proposal for Model Privacy Form under the
Gramm-Leach-Bliley Act (``Proposed Rule''), 72 FR 14940 (Mar. 29,
2007), available at http://www.ftc.gov/os/2007/03/
CorrectedNeptuneMarsandGenericFormsfrn.pdf. A Correction Notice was
published at 72 FR 16875 (Apr. 5, 2007).
\5\ See Interagency Proposal for Model Privacy Form under the
Gramm-Leach-Bliley Act, Securities Exchange Act Release No. 59769,
Investment Company Act Release No. 28697 (Apr. 15, 2009) [74 FR
17925 (Apr. 20, 2009)].
---------------------------------------------------------------------------
B. Overview of the Final Model Privacy Form
As explained more fully in the Agencies' Proposed Rule, key
elements of the final model form's structure and design, as well as
vocabulary, reflect the research findings of the qualitative consumer
testing.\6\ The Agencies believe that the final model form as revised
meets all the requirements of the Act and, based on the qualitative
research that led to the development of the proposed model form and the
quantitative consumer testing described below, is easier to understand
and use than most privacy notices currently being disseminated.
---------------------------------------------------------------------------
\6\ The Agencies conducted the consumer research in two phases:
the first was qualitative testing or form development; the second
was quantitative testing. See infra section II.
---------------------------------------------------------------------------
While the model form provides a legal safe harbor, institutions may
continue to use other types of notices that vary from the model form so
long as these notices comply with the privacy rule. For example, an
institution could continue to use a simplified notice if it does not
have affiliates and does not intend to share nonpublic personal
information with nonaffiliated third parties outside of the exceptions
provided in sections ----.14 and ----.15.\7\ Likewise, while the
Agencies are eliminating the Sample Clauses and related safe harbor
(or, for the SEC, guidance), institutions may continue to use notices
containing these clauses, so long as these notices comply with the
privacy rule.\8\
---------------------------------------------------------------------------
\7\ See privacy rule, section ----.6(c)(5), NCUA section
716.6(e)(5).
\8\ See infra section IV.
---------------------------------------------------------------------------
The following section briefly summarizes the key features of the
final model form and the changes to the proposed form. A detailed
discussion of the elements of the final model form appears in section
III.
1. The Structure
The final model form has two pages, rather than the three pages in
the proposed form, and may be printed on a single piece of paper.\9\
Together, pages one and two address the legal requirements of
applicable Federal financial privacy laws and are designed to increase
consumer comprehension. The Agencies are not mandating a specific paper
size in the final model form as long as the paper is in portrait
orientation and sufficient to accommodate minimum font size, spacing,
and content requirements.
---------------------------------------------------------------------------
\9\ For ease, the Appendix provides three versions of the final
model form: (1) Model form with no opt-out; (2) model form with
telephone and Web opt-out only; and (3) model form that includes a
mail-in opt-out form. An alternative mail-in form (version 4) may be
substituted for the mail-in portion of the model form in version 3.
For those institutions that use the model form and need to provide a
mail-in opt-out form, the reverse side to that opt-out form must not
include any content of the model form. See F.4 of the Frequently
Asked Questions for the Privacy Regulation, available at http://
www.ftc.gov/privacy/glbact/glb-faq.htm (Dec. 2001) (staff guidance
issued by the Board, FDIC, FTC, OCC, OTS, and NCUA) (stating that a
consumer generally should be able to detach a mail-in opt-out form
from a privacy notice without removing text from the privacy
policy).
---------------------------------------------------------------------------
2. Page One--Background Information, the Disclosure Table, and Opt-Out
Information
Page one of the final model form has five parts: (1) The title; (2)
an introductory section called the ``key frame'' which provides context
to help the consumer understand the required disclosures; (3) a
disclosure table that describes the types of sharing used by financial
institutions consistent with Federal law, which of those types of
sharing the institution actually does, and whether the consumer can
limit or opt out of any of the institution's sharing; (4) only if
needed, a box titled ``To limit our sharing'' for opt-out information;
and (5) the institution's customer service contact information. Where
the institution provides a mail-in
[[Page 62892]]
opt-out form, that form appears at the bottom of page one.
There are three significant changes on page one of the final model
form.\10\ First, the ``What?'' box has been modified to permit
institutions to select from a menu of terms the types of information
collected and shared (other than Social Security number). Second,
information (if needed) about how to limit sharing or opt out follows
the disclosure table. If the institution provides a mail-in opt-out
form, that form appears at the bottom of page one. Third, the final
model form includes at the top of the page in the right-hand corner the
date by month and year of the most recent version of the notice.
Institutions may include at the bottom of page one a ``tagline'' (an
internal identifier) or barcode for information internal to the
company, so long as these do not interfere with the clarity or text of
the form.\11\
---------------------------------------------------------------------------
\10\ See infra section III.I.
\11\ See, e.g., comment letters of T. Rowe Price Associates,
Inc. (May 29, 2007); Wolters Kluwer Financial Services (May 24,
2007).
---------------------------------------------------------------------------
3. Page Two--Supplemental Information
As in the proposed model form, the second page of the final model
form provides additional explanatory information that, in combination
with page one, ensures that the notice includes all elements described
in the GLB Act as implemented by the privacy rule. There is
supplemental information in the form of Frequently Asked Questions
(``FAQs'') \12\ at the top and definitions below. There are three
significant changes to the disclosures on page two of the final
form.\13\ First, a new FAQ appears at the top of page two that can be
used to identify those institutions that jointly provide the notice.
Second, the FAQ on the collection of information has been modified to
allow institutions to select from a menu of terms. Third, a new box has
been provided at the bottom of page two titled ``Other important
information.'' This box can be used in only two ways: (1) to discuss
state and/or international privacy law requirements; and (2) to provide
an acknowledgment of receipt form.\14\
---------------------------------------------------------------------------
\12\ Note that a financial institution must insert its name or a
common corporate identity as indicated in the two questions in this
section each time that ``[name of financial institution]'' appears.
The revised form has eliminated the FAQ ``How does [name of
financial institution] notify me about its practices.''
\13\ See infra section III.J.
\14\ This use was provided in response to a request by the
National Automobile Dealers Ass'n, whose members routinely ask
customers to sign an acknowledgment of receipt on a copy of the
dealer's privacy notice and retain this record verifying delivery of
the notice. Comment letter of the National Automobile Dealers Ass'n
(May 29, 2007).
---------------------------------------------------------------------------
II. Background
A. The Gramm-Leach-Bliley Act Privacy Notices
Subtitle A of title V of the GLB Act, captioned ``Disclosure of
Nonpublic Personal Information,'' \15\ requires each financial
institution to provide a notice of its privacy policies and practices
to its customers who are consumers.\16\ In general, the privacy notice
must describe a financial institution's policies and practices with
respect to disclosing nonpublic personal information about a consumer
to both affiliated and nonaffiliated third parties.\17\ The notice also
must provide a consumer a reasonable opportunity to direct the
institution generally not to share nonpublic personal information \18\
about the consumer (that is, to ``opt out'') with nonaffiliated third
parties other than as permitted by the statute (for example, sharing
for everyday business purposes, such as processing transactions and
maintaining customers' accounts, and in response to properly executed
governmental requests).\19\ The privacy notice must provide, where
applicable under the Fair Credit Reporting Act (``FCRA''), a notice and
an opportunity for a consumer to opt out of certain information sharing
among affiliates.\20\
---------------------------------------------------------------------------
\15\ Codified at 15 U.S.C. 6801-6809.
\16\ 15 U.S.C. 6803(a). A ``customer'' means a consumer who has
a ``customer relationship'' with a financial institution. Privacy
rule, section ----.3(h), SEC section 248.3(j), CFTC section
160.3(k), NCUA section 716.3(n). A ``consumer'' is ``an individual
who obtains, from a financial institution, financial products or
services which are to be used primarily for personal, family, or
household purposes, and also means the legal representative of such
an individual.'' 15 U.S.C. 6809(9); privacy rule, section ----.3(e),
SEC section 248.3(g)(1), CFTC section 160.3(h)(1). Financial
institutions are required to provide an initial notice to their
customers and a notice annually thereafter for as long as the
customer relationship continues. 15 U.S.C. 6803(a); Privacy rule,
sections ----.4 and ----.5. Institutions are also required to
provide to their non-customer consumers a notice if the institution
discloses nonpublic personal information outside the exceptions in
sections ----.14 and ----.15 before any such disclosure is made. 15
U.S.C. 6802(a); privacy rule, sections ----.4.
\17\ 15 U.S.C. 6803(a)-(c).
\18\ ``Nonpublic personal information'' is generally defined as
personally identifiable financial information provided by a consumer
to a financial institution, resulting from any transaction or any
service performed for the consumer, or otherwise obtained by the
financial institution. See 15 U.S.C. 6809(4); privacy rule, sections
----.3(n) and (o), SEC sections 248.3(t) and (u), CFTC sections
160.3(t) and (u).
\19\ 15 U.S.C. 6802; privacy rule, sections ----.14 and ----.15.
\20\ 15 U.S.C. 1681a(d)(2)(A)(iii) (FCRA); 15 U.S.C. 6803(c)(4)
(GLB Act).
---------------------------------------------------------------------------
The privacy rule requires a financial institution to provide a
privacy notice to its customers no later than when a customer
relationship is formed and annually thereafter for as long as the
relationship continues. The notice must accurately reflect the
institution's information collection and disclosure practices and must
include specific information.\21\
---------------------------------------------------------------------------
\21\ See sections--.4,--.5, and --.6 of the privacy rule.
---------------------------------------------------------------------------
The privacy rule does not prescribe any specific format or
standardized wording for these notices. Instead, institutions may
design their own notices based on their individual practices provided
they comply with the law and meet the ``clear and conspicuous''
standard in the statute and the privacy rule.\22\ The Appendix to each
privacy rule contains Sample Clauses that institutions may use in
privacy notices to satisfy the privacy rule.
---------------------------------------------------------------------------
\22\ 15 U.S.C. 6802, 6803; privacy rule, section --.3(b), SEC
section 248.3(c), CFTC section 160.3(b)(1).
---------------------------------------------------------------------------
Financial institutions were required to provide privacy notices to
their customers by July 1, 2001.\23\ Many notices provided to consumers
were long and complex. Because the privacy rule allows institutions
flexibility in designing their privacy notices, notices have been
formatted in various ways and as a result have been difficult to
compare, even among financial institutions with identical
practices.\24\ The Agencies first explored issues related to the
complexity of privacy notices in a workshop held in December 2001.\25\
---------------------------------------------------------------------------
\23\ See, e.g., Privacy of Consumer Financial Information, 65 FR
35162 (June 1, 2000). The CFTC was added by Section 5g of the
Commodity Exchange Act, 7 U.S.C. 7b-2 (as amended by the Commodity
Futures Modernization Act of 2000), on December 21, 2000, and
privacy notices were required to be delivered to consumers by March
31, 2002. Privacy of Consumer Financial Information, 66 FR 21236
(Apr. 27, 2001).
\24\ See Rulemaking Petition from Public Citizen, et al., at 4
(July 26, 2001) (available at http://www.ftc.gov/bcp/workshops/glb/
comments/nader.pdf) (``Public Citizen Petition'') (stating that
notices were ``dense,'' ``complicated,'' and written by those
trained in obfuscation rather than to express ideas clearly).
\25\ See Get Noticed: Writing Effective Financial Privacy
Notices, Interagency Public Workshop (Dec. 4, 2001) (``Get Noticed
Workshop''). Workshop transcripts and other supporting documents are
available at http://www.ftc.gov/bcp/workshops/glb/index.html. The
Get Noticed Workshop, discussed in the preamble to the Proposed
Rule, supra note 4 at n.14, provided a public forum to consider how
financial institutions could provide more useful privacy notices to
consumers.
---------------------------------------------------------------------------
On December 30, 2003, the Agencies published an Advance Notice of
Proposed Rulemaking to Consider Alternative Forms of Privacy Notices
Under the Gramm-Leach-Bliley Act (``ANPR'') to solicit public comment
on
[[Page 62893]]
a wide range of issues related to improving privacy notices.\26\ The
ANPR stated that the Agencies expected that consumer testing would be a
key component in the development of any specific proposals.\27\
---------------------------------------------------------------------------
\26\ See Interagency Proposal to Consider Alternative Forms of
Privacy Notices Under the Gramm-Leach-Bliley Act, 68 FR 75164 (Dec.
30, 2003), available at http://www.ftc.gov/os/2003/12/
031223anprfinalglbnotices.pdf. The Agencies sought, for example,
comment on issues associated with the format, elements, and language
used in privacy notices that would make the notices more accessible,
readable, and useful, and whether to develop a model privacy notice
that would be short and simple.
\27\ Id. at text following n.5.
---------------------------------------------------------------------------
During January and February 2004, the Agencies met with a number of
interested groups and individuals to discuss the issues raised in the
ANPR and subsequently received forty-four comments in response to the
ANPR.\28\ While commenters expressed a variety of views on the
questions posed in the ANPR, many commenters agreed that the Agencies
should conduct consumer testing before proposing any alternative
privacy notice.
---------------------------------------------------------------------------
\28\ Summaries of the outside meetings and public comments to
the ANPR are available at http://www.ftc.gov/privacy/
privacyinitiatives/financial_rule_inrp.html.
---------------------------------------------------------------------------
B. Development of the Proposed Model Privacy Form
Over the years during which GLB Act privacy notices have been
delivered to consumers, the Agencies have observed wide variations in
these notices. Today, privacy notices vary considerably--not just in
format, presentation, language, length, style, or tone--but also in how
they inform consumers of their rights to limit certain sharing of
personal information. For example, the Agencies have found the
following variations in current privacy notices. Some institutions
incorporate privacy notices into lengthy terms and conditions
statements, making it harder for consumers to find information about
the institution's privacy practices, and raising questions about
whether such notices comply with the requirement that they be clear and
conspicuous. Institutions also use messages in their notices' opening
statements about how they value privacy and strive to ``protect''
personal information, thus providing assurances to consumers that imply
their personal information is not shared broadly, while obscuring or
directing attention away from the required disclosures of actual
information sharing practices. Finally, the Agencies have seen a number
of institutions employ the statement in their privacy policy ``We do
not sell your information to third parties'' in a context that raises
concerns about misrepresentations.\29\
---------------------------------------------------------------------------
\29\ In some cases, the Agencies have identified notices that
violate the privacy rule. For example, one institution's privacy
notice did not include an opt-out form, but provided that consumers
could only obtain an opt-out form by visiting a bank office, in
violation of sections --.7(h), --.9(a), and --.10(a)(1) of the
privacy rule. Another notice provided that consumers could only opt
out by writing a letter to the institution, in violation of section
--.7(a)(1) of the privacy rule. Offering only these very restrictive
methods of obtaining an opt-out form and opting out also is not
supported by the examples in the privacy rule. See sections
--.7(a)(2), --.9(b), and --.10(a)(3) of the privacy rule.
---------------------------------------------------------------------------
These examples illustrate the need to make disclosure of
institutions' information sharing practices and consumer choices more
transparent and underscore the Agencies' interest in initiating a joint
consumer research project to develop an easy-to-read and understandable
model privacy notice for consumers.
In the summer of 2004, six of the Agencies \30\ launched a project
to fund consumer research (``Notice Project''). Their goals were to
identify barriers to consumer understanding of current privacy notices
and to develop an alternative privacy notice, or elements of a notice,
that consumers could more easily use and understand compared to current
notices. The Agencies conducted the consumer research in two sequential
phases.\31\
---------------------------------------------------------------------------
\30\ The six agencies that initially sponsored the Notice
Project were the Board, FDIC, FTC, NCUA, OCC, and SEC. The OTS
joined the Notice Project for the phase two quantitative testing.
Information related to the Notice Project is available at http://
www.ftc.gov/privacy/privacyinitiatives/financial_rule_inrp.html.
\31\ The first phase was designed as qualitative testing or form
development research. This research involved a series of in-depth
individual consumer interviews to develop an alternative privacy
notice that would be easier for consumers to use and understand. The
second phase was designed as quantitative testing, to test the
effectiveness of the alternative privacy notice developed in phase
one among a larger number of consumers.
---------------------------------------------------------------------------
In September 2004, the Agencies selected Kleimann Communication
Group, Inc. (``Kleimann'') as their contractor for the phase one form
development research. The research objectives of the Notice Project
included designing a privacy notice that consumers could understand and
use, that facilitated comparison of sharing practices and policies
across institutions, and that addressed all relevant legal requirements
of the GLB Act and FCRA.
The form development phase culminated in an extensive research
report prepared by Kleimann and released by the Agencies in March 2006
(the ``Kleimann Report'').\32\ The Kleimann Report details the process
by which the Agencies and Kleimann developed an alternative privacy
notice. The structure, content, ordering of the text information, and
title of the proposed model form all reflect the research findings from
the qualitative consumer testing.
---------------------------------------------------------------------------
\32\ See Kleimann Communication Group, Inc., Evolution of a
Prototype Financial Privacy Notice: A Report on the Form Development
Project (Feb. 28, 2006) (``Kleimann Report''). For a copy of the
full report, go to http://www.ftc.gov/privacy/privacyinitiatives/
ftcfinalreport060228.pdf. For the executive summary, go to http://
www.ftc.gov/privacy/privacyinitiatives/
FTCFinalReportExecutiveSummary.pdf.
---------------------------------------------------------------------------
In October 2006, Congress passed the Regulatory Relief Act, which
directed the Agencies to propose a model form based on standards
similar to the Notice Project research goals. On March 29, 2007, the
Agencies issued for public comment the proposed model form as produced
in the form development phase with some minor revisions.
C. Overview of Comments Received
The Agencies collectively received approximately 110 unique
comments from a variety of banks, thrifts, credit unions, credit card
companies, securities firms, insurance companies, and industry trade
associations, as well as from consumer and other advocacy groups, the
National Association of Attorneys General (``NAAG''), the National
Association of State Insurance Commissioners (``NAIC''), and individual
consumers.\33\
---------------------------------------------------------------------------
\33\ Comments received by all the Agencies are available at
http://www.ftc.gov/privacy/privacyinitiatives/financial_rule_
inrp.html. Many commenters sent copies of the same letter to more
than one agency. Some association commenters sent several letters,
both individually and jointly with other associations.
---------------------------------------------------------------------------
A number of institutions expressed support for the model form. Some
stated that they are either already using it (submitting copies of
their notices) or intend to use it once it is finalized. One industry
association conducted an informal poll of its community bank members
and found that many are likely to use the model form and that most
found the new form more consumer-friendly than the Sample Clauses.
These commenters commended the Agencies for proposing simpler language
and making the disclosure terms more understandable and accessible to
consumers.
Consumer and other advocacy groups, the NAIC, NAAG, and individual
consumers generally supported the Agencies' proposal and the clearer
language and omission of extraneous information in the proposed model
form. These commenters stated that the proposal could be strengthened
in certain respects, for example, by making
[[Page 62894]]
the default opt-in rather than opt-out and creating a one-stop opt-out
repository similar to the National Do Not Call Registry.
There was general support by many commenters for additional
consumer research and testing. While some industry commenters provided
substitute language or submitted alternate forms of the notice, none
submitted other research findings. However, the NAIC submitted a
consumer study on notices with research findings that the Agencies did
consider.
Most industry commenters, however, objected to several key aspects
of the proposal. The most significant areas of concern raised by
industry commenters related to: The standardized approach; the format
of the proposed model form; the limited examples of types of personal
information collected and shared; the disclosure table; incorporation
of state law information; and revocation of the Sample Clauses. The
thrust of many industry comments was that the proposed form was overly
simplistic and not nuanced enough to describe precisely what the
various laws permit or to allow accurate descriptions of more complex
information sharing policies and practices. One commenter expressed
concern that the form would lead to consumer confusion because of
inaccurate disclosures on sharing practices and result in high opt-out
rates, discouraging use of the form. Many industry commenters expressed
concern about liability under state unfair or deceptive practice laws
relating to privacy disclosures. At the same time, many institutions
urged flexibility to allow inclusion of other information--such as
describing the benefits of sharing, or providing marketing messages or
privacy tips such as on identity theft and fraud prevention. One
institution proposed allowing institutions to pick and choose which
elements of the notice to use and still receive a safe harbor.
D. Quantitative Research
Following publication of the model form proposal in March 2007 and
subsequent review of the comments, the Agencies revised the proposed
model form for further testing.\34\ In the fall of 2007, the Agencies
turned their attention to developing the research protocol and
methodology for conducting the second phase of the research: The
quantitative consumer testing. In August 2006, prior to enactment of
the Regulatory Relief Act, the Agencies had selected Macro
International Inc. (``Macro'') to conduct the quantitative research
study.
---------------------------------------------------------------------------
\34\ See Mall Intercept Study of Consumer Understanding of
Financial Privacy Notices: Methodological Report, submitted by Macro
International Inc. (``Macro Report''), Appendix C, for copies of the
test notices. The Macro Report is available at: http://www.ftc.gov/
privacy/privacyinitiatives/Macro-Report-on-Privacy-Notice-Study.pdf.
See also infra section III for a discussion about the changes made
to the final model form since the Proposed Rule was issued for
comment.
---------------------------------------------------------------------------
In the spring of 2008, Macro conducted a survey of approximately
1,000 consumers using a mall-intercept methodology. The selected
participants for the study reflected a range of demographic
characteristics for gender, age, and educational level. The testing was
conducted in five shopping mall locations--Baltimore, MD; Dallas, TX;
Detroit, MI; Los Angeles, CA; and Springfield, MA--over a period of
five weeks during March and April 2008.\35\
---------------------------------------------------------------------------
\35\ Macro provided the test data to the Agencies in the summer
of 2008 and its research methodology report in September. The study
data and codebook are available at: http://www.ftc.gov/privacy/
privacyinitiatives/Privacy-Notice-Study-Dataset.pdf and http://
www.ftc.gov/privacy/privacyinitiatives/Privacy-Notice-Study-
Codebook.pdf.
---------------------------------------------------------------------------
The test objectives were to evaluate the effectiveness of the
revised proposed model form \36\ developed by Kleimann (``Table
Notice'') for comprehension and usability as compared to three other
styles or formats of notices. The other notice formats were: (1) The
prose version of the prototype table notice also developed and tested
by Kleimann (``Prose Notice''); (2) a current version of a common
notice used by financial institutions (``Current Notice''); and (3) a
notice comprised solely of the Sample Clauses found in the appendix to
the privacy rule (``Sample Clause Notice''). Within each format, there
were three different notices, each reflecting a different level of
sharing. Each level of sharing had a common fictional bank name across
the four notice formats: Mars Bank had a low level of sharing; Mercury
Bank had a medium level of sharing; and Neptune Bank had the highest
level of sharing. Both Mercury and Neptune Banks offered opt-out
choices; however, the pattern of sharing was such that after exercising
all available opt-outs, Neptune Bank continued to share more broadly
than Mercury Bank and Mercury Bank continued to share more than Mars
Bank. This design was intentional for the comparison testing.\37\
---------------------------------------------------------------------------
\36\ The proposed model form was revised based on the comments
received, and a version of that revised form was used in the
quantitative testing.
\37\ Study participants were randomly assigned to see one of the
four notice formats. Each participant read three privacy notices in
the same format and was asked a series of questions, first about one
pair of notices, and next about a second pair of notices, with one
of the three notices used twice in each round. The order and
repetition of the notices were rotated among the participants so
that the same notice was not always viewed twice. Participants
answered additional questions about the notices and their attitudes
on information sharing. The interview sought information about
participants' choice of a bank based solely on the notice content;
responses to factual questions, such as which of two banks shared
more or whether any of the banks offered an opportunity to limit or
opt out of sharing; performance of a task, such as determining which
bank shared more after exercising all options to limit or opt out of
sharing; and responses to questions about their attitudes toward the
use and sharing of their information. See Macro Report, supra note
34, Appendix A.
---------------------------------------------------------------------------
On December 15, 2008, two expert advisors to the Agencies, Dr. Alan
Levy and Dr. Manoj Hastak, submitted a report to the Agencies analyzing
the research data provided by Macro (the ``Levy-Hastak Report'').\38\
The Levy-Hastak Report confirmed the overall effectiveness of the
proposed model form (as modified) as against the three alternative
notice formats. On April 15, 2009, the SEC published the Levy-Hastak
Report, along with the Macro Report and test data, for public comment.
The SEC received nine comments.\39\
---------------------------------------------------------------------------
\38\ See http://www.ftc.gov/privacy/privacyinitiatives/Levy-
Hastak-Report.pdf.
\39\ See http://www.sec.gov/comments/s7-09-07/s70907.shtml.
---------------------------------------------------------------------------
The Levy-Hastak Report examined two measures on how effectively the
notices communicated information: (1) Judgment quality; and (2)
perceptual accuracy.\40\ According to the Report, judgment quality
focused on the extent to which study participants could provide
logical, defensible reasons for choosing one bank over the other based
solely on the notice. Perceptual accuracy focused on the ability of the
participants to recognize accurately the differences between the banks
in information collection and sharing practices, in opt-out choices,
and in relative sharing after all opt-out choices were exercised.\41\
---------------------------------------------------------------------------
\40\ Levy-Hastak Report at 7-14.
\41\ Id. at 4-5.
---------------------------------------------------------------------------
The Levy-Hastak Report concluded that, overall, the Table Notice
outperformed the other notices.\42\ The Table Notice performed
particularly well on difficult tasks \43\ while the Current Notice
performed poorly on all measures. While the Sample Clause Notice
performed well on simple tasks,
[[Page 62895]]
about equal to the Table and Prose notices, it performed significantly
less well than the Table Notice on measures of judgment quality.\44\
The Report concluded that the table format is likely a key explanation
for the improvement in comprehension demonstrated by the study
participants who saw the Table Notice as compared to those who saw the
other notice styles--especially for difficult perceptual accuracy
tasks.\45\
---------------------------------------------------------------------------
\42\ Id. at 16.
\43\ Id. at 17. According to the Report, an example of a
difficult task was: Participants were asked to assume that they had
limited or opted out of all possible sharing for both banks; based
on that assumption, respondents were asked whether one bank shared
more personal information than the other or whether both banks
shared information equally. An example of an easy task was: Using
the notice, participants were asked to identify how they could tell
the bank that they wanted to limit or opt out of sharing personal
information.
\44\ Levy-Hastak Report at 9-10.
\45\ Levy-Hastak Report at 17.
---------------------------------------------------------------------------
While the notice format significantly affected participants'
ability to comprehend and compare the notices, the testing showed that
participants' general attitudes about the sharing of their personal
information were not affected by the notices they saw.\46\ Following
the two rounds of questions on the content of, and comparison between,
the notices, the study participants were asked to rate their attitudes
in general toward information sharing, for example, sharing with
affiliated banks and with nonaffiliated banks. The results showed that
participants' attitudes were about the same across the four notice
formats.\47\
---------------------------------------------------------------------------
\46\ Id. at 15.
\47\ Id. Study participants generally did not like their
information being shared with either affiliates or with
nonaffiliates.
---------------------------------------------------------------------------
The Levy-Hastak Report analyzed two specific areas where the Table
Notice seemed to perform less well than the other notices. First, the
Report described an anomaly with respect to responses to the question
[Q. 19/30]: ``Which of these two banks gives you the opportunity to
limit or to opt out of the sharing of your personal information?'' \48\
Generally participants identified the bank or banks that provided an
opt-out. However, some participants who saw the Table and Prose notices
selected Mars Bank, the one that shared the least and offered no opt-
out option. Because answering ``Mars Bank'' was identified as an
incorrect answer, the Current and Sample Clause notices out-performed
the Table and Prose notices on this question.
---------------------------------------------------------------------------
\48\ See id. at 12-14.
---------------------------------------------------------------------------
In contrast, the Table and Prose notices out-performed the other
two notices on the most difficult task in the test. In this task,
participants were asked to assume that they had exercised all possible
options to limit or to opt out of sharing and then to identify which
bank shared more. Here, the Table and Prose notices significantly out-
performed the other notices. More participants who saw the Table and
Prose notices correctly gave as their answer the higher sharing bank.
This result suggests that participants who saw the Table and Prose
notices did understand which bank(s) offered an opportunity to limit or
to opt out of their sharing.
In analyzing this discrepancy, the Levy-Hastak Report observed that
the simpler question had two different, yet accurate, responses,
depending on how participants interpreted the question. Some of the
participants might have understood the question to apply at the point
of choosing between the two bank notices; those participants selected
the lower sharing bank. In contrast, other participants might have
understood the question to mean: Which bank lets me opt out of sharing
personal information once I am doing business with the bank. The second
interpretation was the intended meaning of the question. Drs. Levy and
Hastak hypothesized that some participants who saw the Table and Prose
notices understood the question to have the first meaning, while other
participants, particularly those who saw the Sample Clause and Current
notices, understood the question to have the second meaning.\49\
---------------------------------------------------------------------------
\49\ Significantly, unlike the Sample Clause and Current
notices, neither the Table nor the Prose notice uses the word ``opt-
out'' in the model form; rather, these forms refer to ``limiting
sharing.'' This word choice was intentional to help consumers
understand that some sharing is necessary and that consumers cannot
stop all sharing--a concept that consumers who knew the term equated
with ``opt-out.'' See Kleimann Report, supra note 32, at 101-108.
Because the Table and Prose notices did not use the word ``opt-
out,'' participants using these notices did not have that word as a
visual ``cue'' when they were asked the question.
---------------------------------------------------------------------------
To test this hypothesis, Drs. Levy and Hastak examined the pattern
of factual mistakes that participants made when they answered a
separate set of questions.\50\ There, study participants were asked in
Q. 16/27 why they preferred one bank over the other, based solely on
the notice. Some participants who selected a bank that shared
relatively little information and did not offer an opt-out stated that
this bank offered more opportunity to limit or to opt out of sharing
than the higher sharing bank, which was labeled a ``false opt-out
mistake'' in the Report. The Report found that participants who saw the
Table and Prose notices were on average almost three times as likely to
make the false opt-out mistake as those who saw the Current and Sample
Clause notices.\51\
---------------------------------------------------------------------------
\50\ The Report also examined a second mistake: Where
participants selected the lower sharing bank when they were asked to
identify which bank shared more (labeled a ``false sharing
mistake''). See Levy-Hastak Report at 9. In that case, there was not
an unusual pattern in the distribution of responses. Rather, the
Report found that the study participants who made this mistake were
equally distributed across all four notice styles. Id. at 13.
\51\ Id.
---------------------------------------------------------------------------
This finding supports the hypothesis that users of the Table and
Prose notices who selected the lower sharing bank in response to Q. 19/
30 understood the question in its first meaning: They selected a bank
that gave them an opportunity to limit or opt out of sharing at the
time of choosing between the two bank notices. Under that
interpretation, these participants could limit sharing by selecting the
bank that shared less information. Thus the Levy-Hastak Report's
analysis of the false opt-out mistake pattern in Q. 16/27 is consistent
with their hypothesis regarding the responses to Q. 19/30. In addition,
the Report found that the educational level of the study participants
produced a significant effect only on the responses to the opt-out
question, with better educated participants more likely to answer the
question in the intended manner.\52\ This finding is also consistent
with the Report hypothesis that participants who saw the Table and
Prose notices understood the question in two different, yet equally
correct ways, unlike those who saw the Sample Clause and Current
notices.
---------------------------------------------------------------------------
\52\ Id. at 13-14.
---------------------------------------------------------------------------
The Table Notice also seemed to perform less well in a second,
unrelated area. Specifically, all the test notices provided only two
methods for consumers to opt out of or limit sharing: Use of a toll-
free telephone number or access to the opt-out on the institution's Web
site. When study participants were asked to identify which contact
modes were identified in the notice as ways to limit or opt out of
sharing, they correctly identified the two modes more frequently when
using the Sample Clause Notice than the Table, Prose, and Current
notices.
Noting that this type of question appears to invite skimming the
notice to find the answer quickly and easily, the Levy-Hastak Report
examined the great variability in notice length and found that the
Sample Clause Notice was significantly shorter than any of the other
notices. The Levy-Hastak Report observed that the shortness of the
Sample Clause Notice may have made it easier for participants to scan
the notice and find the answer to this question. The Report opined that
notice length likely has an effect on scanability and reading ease.\53\
---------------------------------------------------------------------------
\53\ Levy-Hastak Report at 14. In addition, the use of check
boxes in the design of the opt-out section of the Table and Prose
notices (a carry-over from the original mail-in format of the
proposed model form) appeared to confuse some participants when they
were asked this question. The responses recorded for these two
notices reflected a somewhat higher number of ``other'' responses,
even though all the notices offered the same two options. Macro
reported anecdotally that a number of participants who viewed the
Table and Prose notices reported ``check this box'' as one of the
methods offered to opt out or limit sharing--a response that was
recorded as ``other.''
---------------------------------------------------------------------------
[[Page 62896]]
While the Levy-Hastak Report findings confirmed the overall
effectiveness of the Table Notice,\54\ the Report's analysis prompted
the Agencies to consider a further refinement to the proposed model
form. The change, discussed in more detail later, was to modify the
opt-out section of the model form to place the opt-out information on
page one directly following the disclosure table so that all the key
information appears on that page. \55\ The Agencies considered this
change to facilitate quick scanning for important information without
sacrificing the model form's performance in other respects. To ensure
that locating the opt-out information on page one worked from a
usability perspective, the Agencies decided to conduct validation
testing which led to separate formats for the telephone and Internet
opt-out and for the mail-in opt-out that the Agencies are adopting.
---------------------------------------------------------------------------
\54\ Id. at 17.
\55\ Some commenters had urged the Agencies to consolidate the
model form on two sides of a single piece of paper, and a few
suggested that the Agencies consider moving the opt-out to page one.
See, e.g., comment letters of Securities Industry and Financial
Markets Ass'n (May 29, 2007); World's Foremost Bank (May 25, 2007);
World Financial Network National Bank (May 29, 2007); World
Financial Capital Bank (May 25, 2007).
---------------------------------------------------------------------------
E. Public Comments on the Quantitative Test Data
Nine commenters representing insurance, securities, and financial
services associations, a bank, and two investment advisers submitted
comments in response to the SEC's solicitation for public comments on
the quantitative testing. Most of the commenters re-stated their
earlier general objections to the proposed model form. These concerns
are addressed in section III.
All but one of these commenters made general observations about the
quantitative test methodology and the Levy-Hastak Report. Five
commenters observed that the test notices were designed for banks and
not for insurance companies or securities firms (i.e., broker-dealers,
investment companies, or SEC-registered investment advisers), thereby
omitting a significant portion of the financial services industry that
provide these notices.\56\ Two commenters opined that the study
participants' demographic characteristics did not reflect those
consumers who will receive financial privacy notices.\57\ One expressed
concern about the demographic diversity in the mall selections and
questioned whether there was consistent coding of the open-ended
responses.\58\ One commented that the testing criteria ruled out non-
English speaking participants.\59\
---------------------------------------------------------------------------
\56\ See comment letters of American Council of Life Insurers
(May 20, 2009), National Ass'n of Mutual Insurance Cos. (May 20,
2009), American Insurance Ass'n (May 20, 2009), Investment Adviser
Ass'n (May 20, 2009), The Financial Services Roundtable and BITS
(May 20, 2009).
\57\ See comment letters of National Ass'n of Mutual Insurance
Cos. (May 20, 2009); The Financial Services Roundtable and BITS (May
20, 2009).
\58\ See comment letter of The Financial Services Roundtable and
BITS (May 20, 2009).
\59\ See id. The Agencies used a single form, printed in
English, for simplicity in conducting the testing. We recognize that
institutions can and do provide notices in a variety of other
languages when their customers are non-English speaking. We
anticipate that those institutions that use the final model form
will continue to provide their notices in other languages to ensure
that their non-English speaking customers can read and use the form.
See also Transcript of Get Noticed Workshop, available at http://
www.ftc.gov/bcp/workshops/glb/GLBtranscripts.pdf, comments of Irene
Etzkorn (recognizing that banks do provide financial privacy notices
in languages other than English); comments of Tena Friery (noting
that the Privacy Rights Clearinghouse promotes notices and
educational materials in other languages and that 80-100 different
languages are spoken in Los Angeles alone).
---------------------------------------------------------------------------
Some of the commenters disagreed with the Levy-Hastak Report's
conclusion that the Table Notice outperformed the other notice formats.
They opined that the Report's conclusion is flawed because: (1) The
Sample Clause Notice did better on simpler tasks than the Table Notice;
\60\ (2) the anomalies discussed in the Levy-Hastak Report may be due
to other explanations; \61\ and (3) while the Table Notice's overall
performance was better than the other notices, actual performance
accuracy was relatively low.\62\ Several commented that the overly
simplified and inflexible format of the Table Notice is not a true test
of consumers' understanding of institutions' actual collection and
disclosure practices.\63\ In addition, all commenters on the
quantitative testing urged retention of the Sample Clauses and related
safe harbor.
---------------------------------------------------------------------------
\60\ See comment letters of American Insurance Ass'n (May 20,
2009); National Ass'n of Mutual Insurance Cos. (May 20, 2009). While
some commenters find greater virtue in the better performance of the
Sample Clause Notice on only the simpler tasks or disagree with the
Levy-Hastak Report's analyses, the evidence is compelling that the
Table Notice performed better overall across all comprehension and
comparison measures. See Levy-Hastak Report at 6.
\61\ See comment letter of American Council of Life Insurers
(May 20, 2009).
\62\ Id.
\63\ See, e.g., comment letter of The Financial Services
Roundtable and BITS (May 20, 2009).
---------------------------------------------------------------------------
The test notices for the quantitative study were created for
fictitious banks, even though the model form can be used by any
financial institution subject to the GLB Act and the privacy rule.
Because the vast majority of consumers are familiar with or have
experience with a bank, the Agencies used a notice designed for a bank
to increase the likelihood that most of the test participants could
readily understand the terms in the notice, such as ``account
balances,'' ``income,'' or ``credit history,'' which describe
information collected and shared by many banks, as well as by many
other financial institutions.
The Macro Report presented data on the demographic characteristics
of the study participants recruited for the study. Participants at each
mall were pre-selected for a representative mix based on gender, age,
and education levels, and information on participants' race/ethnicity,
income, and household size was obtained at the end of each
interview.\64\ Since a significant majority of consumers in America
receive a financial privacy notice--including from banks, credit
unions, securities firms, insurance companies, auto dealers, debt
collectors, and payday lenders--the Agencies wanted to ensure that a
representative cross-section of consumers be included in the study.
---------------------------------------------------------------------------
\64\ Macro Report, supra note 34, at 3 & Appendix B; Levy-Hastak
Report at 2.
---------------------------------------------------------------------------
The Agencies hired Macro as an outside independent expert to handle
all aspects of the collection and reporting of the study data. Macro
conducted all training of field staff, implemented a series of checks
to ensure greater accuracy of the study data, reviewed, on an ongoing
basis, all daily downloads of data from the field, and coded all of the
open-end responses.\65\
---------------------------------------------------------------------------
\65\ Macro Report, supra note 34, at 3-4.
---------------------------------------------------------------------------
With respect to the comment that the accuracy of the study
participants' responses overall was relatively low, the commenter cited
the judgment quality measure of the participants' fact-based reasons
for choosing the lower sharing bank.\66\ While the results showed that
most consumers likely have a limited
[[Page 62897]]
understanding of information sharing practices after a brief exposure
to any of the notice styles, nevertheless the Levy-Hastak Report
confirms that overall the Table Notice out-performed the other notices
and is the most effective notice of all the privacy notices tested.
---------------------------------------------------------------------------
\66\ The commenter looked to the Table Notice score of 40.6% in
Table 1 of the Levy-Hastak Report. Levy-Hastak Report at 12. This
data evaluated how well study participants could explain their
reasons for preferring one bank notice over another where they
selected, as their preferred bank, the lower sharing bank. While the
commenter pointed to a single measure in the Levy-Hastak Report, the
Report relied on a number of accuracy measures that varied in
difficulty level. See, e.g., id., Table 3 at 12.
---------------------------------------------------------------------------
Finally, two commenters requested that if both the model privacy
form and the SEC's proposed amendments to its privacy rule, Regulation
S-P, were adopted, the SEC should coordinate the compliance dates so as
to minimize the compliance burden and the potential for multiple
revisions of an institution's privacy notice.\67\ The SEC appreciates
institutions' desire to minimize revisions to their privacy notices and
reduce the costs of compliance with its rules. However, the model
privacy form the Agencies are adopting today is just that--a model--and
no institution is required to use the model form. A financial
institution that intends to use the model privacy notice and minimize
potential costs, if any, related to revising its privacy notices in
light of amendments to Regulation S-P could begin to use the model form
after the compliance date of any final amendments to Regulation S-P.
---------------------------------------------------------------------------
\67\ See Part 248-Regulation S-P: Privacy of Consumer Financial
Information and Safeguarding Personal Information, Securities
Exchange Act Release No. 57427, Investment Company Act Release No.
28718 (Mar. 4, 2008) [73 FR 13692 (Mar. 13, 2008)]. See also comment
letters of American Council of Life Insurers (May 20, 2009) and
Investment Advisers Ass'n (May 29, 2007).
---------------------------------------------------------------------------
F. Validation Testing
In revising the model form based on public comments and findings
from the Levy-Hastak Report, the Agencies streamlined the form to
consolidate the information on the front and back sides of a single
piece of paper and moved the opt-out information to the bottom of page
one. In December 2008, the Agencies engaged Kleimann to conduct
validation testing to confirm that these changes would not affect the
comprehension, usability, and design integrity of the model form. In
particular, Kleimann's new research focused on the placement of the
opt-out information on page one. Kleimann conducted targeted in-depth
interviews in January and February 2009 to test, revise, and re-test
the model form. On February 12, 2009, Kleimann submitted a report to
the Agencies, ``Financial Privacy Notice: A Report on Validation
Testing Results,'' with a revised opt-out form recommendation
(``Kleimann Validation Report'').\68\
---------------------------------------------------------------------------
\68\ http://www.ftc.gov/privacy/privacyinitiatives/
validation.pdf.
---------------------------------------------------------------------------
The validation testing examined various formats for displaying opt-
out information where the opt-out methods are by toll-free telephone
number,\69\ the Internet, or a mail-in form. The validation testing
confirmed the usability of the following changes to the proposed model
form: (1) inserting a new box titled ``To limit our sharing'' below the
disclosure table to inform consumers how they can limit sharing, such
as by a toll-free telephone number or online; (2) replacing the
``Contact Us'' box with a box titled ``Questions'' following the ``To
limit our sharing'' box; and (3) as applicable, inserting a mail-in
form at the bottom of the page, which would require a longer piece of
paper.\70\
---------------------------------------------------------------------------
\69\ See section --.7(a)(2)(ii)(D) of the privacy rule.
\70\ Kleimann Validation Report, Appendix E. The Kleimann
Validation Report found that the information for telephone or
Internet options could be readily displayed on a standard 8[frac12]
x 11-inch page, but the addition of a mail-in form required a longer
piece of paper.
---------------------------------------------------------------------------
III. The Final Model Privacy Form
A. Standardization
Like the proposed model privacy form, the final model form uses a
standardized format. Some industry commenters expressed support for the
standardized format, with one noting that standardized notices would
serve as an effective means of allowing consumers to understand in a
simple manner companies' information practices.\71\ Another commenter
pointed to the success of the ``Schumer box,'' a standardized format
that makes the disclosure of credit card terms more accessible to
consumers.\72\
---------------------------------------------------------------------------
\71\ Comment letter of The Direct Marketing Ass'n (May 29, 2007)
(commenting that it has an automated software program that allows
companies to create a customized privacy notice in a standardized
format).
\72\ See comment letter of Capital One Financial Corporation
(May 29, 2007); see also 12 CFR 226.5a(a)(2)(i)-(ii).
---------------------------------------------------------------------------
Privacy and advocacy groups and NAAG supported the proposed
standardized format, recognizing the important findings of the research
and the model form's structure--in particular the elements on page
one--as benefiting both consumers and companies by making the
disclosure information accessible.\73\
---------------------------------------------------------------------------
\73\ See, e.g., comment letters of Center for Democracy and
Technology (May 29, 2007); National Ass'n of Attorneys General (June
14, 2007); Privacy Rights Clearinghouse (May 16, 2007). See also The
Center for Information Policy Leadership (May 29, 2007) (recognizing
that the proposed model form addresses the requirements of the GLB
Act and that the research provided insight into what effectively
communicates to consumers, including ``important information about
how people learn about privacy, about the use of tables to
facilitate comparisons across companies, and about the need to
inform consumers about why they are receiving a privacy notice'').
---------------------------------------------------------------------------
A number of industry commenters, however, objected to the
standardized form, asserting variously that: It causes confusion;
because it is an abrupt change in the way information-sharing practices
are disclosed, it could cause consumers to believe that the institution
is changing its policies; because the model form has too much
boilerplate, it detracts from the ability to compare policies; and it
makes the notice less clear. Others stated that the standardized form
is too inflexible and does not accurately reflect institutions'
financial practices or accurately describe the scope of consumers'
rights. Several stated that the model form language does not adequately
capture the complex privacy policies and practices of many
institutions.
Based on the statutory requirement that the Agencies propose ``a
model form,'' the final model privacy form utilizes a standardized
format.\74\ Moreover, as more fully discussed in the preamble to the
Proposed Rule, the Agencies' research supports uniform disclosures to
help consumers better understand companies' information sharing
practices.\75\ We reaffirm that use of the model form is voluntary;
institutions are not required to use it.
---------------------------------------------------------------------------
\74\ Cf. Press Release, U.S. House of Representatives, Committee
on Financial Services, Financial Services Committee Democrats Call
for Simplified Privacy Notices, (July 25, 2003) available at: http:/
/financialservices.house.gov/pr062503.html.
\75\ See Proposed Rule, supra note 4 at text accompanying n.30.
See also Janice Tsai, Serge Egelman, Lorrie Cranor, and Alessandro
Acquisti, ``The Effect of Online Privacy Information on Purchasing
Behavior: An Experimental Study,'' The 6th Workshop on the Economics
of Information Society (WEIS) (June 2007) http://
weis2007.econinfosec.org/papers/57.pdf (more accessible privacy
information reduces information asymmetry between the merchant and
the consumer as to the use of consumers' personal information; aids
consumers in making informed choices; and demonstrates that
consumers tend to purchase from merchants offering more privacy
protection, including paying a premium for such a purchase).
---------------------------------------------------------------------------
B. Instructions for Use
The General Instructions to the Model Privacy Form require that no
additional information--other than what is specifically permitted--may
be included in the model form in order to obtain the benefit of the
safe harbor.\76\
---------------------------------------------------------------------------
\76\ See Instruction C to the Model Privacy Form.
---------------------------------------------------------------------------
A number of industry commenters objected to the Agencies' statement
in the preamble to the Proposed Rule that the model form should not be
incorporated into any other document.\77\
[[Page 62898]]
Some expressed concern that this would require the notice to be mailed
separately.\78\ Several commenters stated that a private label or co-
branded credit card application incorporates the lender's privacy
policy into a brochure with a tear-off application to make it easier
for the store clerks to provide all required information in a single
document.\79\ Others observed that the privacy notice is typically
included in a single document with other important reference
information.
---------------------------------------------------------------------------
\77\ See, e.g., comment letters of American Council of Life
Insurers (May 29, 2007); Investment Company Institute (May 29,
2007); National Business Coalition on E-Commerce and Privacy (May
30, 2007).
\78\ See, e.g., comment letters of American Bankers Ass'n (May
25, 2007); American Insurance Ass'n (May 29, 2007) Visa U.S.A., Inc.
(May 29, 2007).
\79\ See, e.g., comment letters of Consumer Bankers Ass'n (May
29, 2009); National Retail Federation (May 29, 2007).
---------------------------------------------------------------------------
Recognizing these concerns, the Agencies agree that institutions
may incorporate the model form into another document, but they must do
so in a way that meets all the requirements of the privacy rule and the
model form instructions, including that: The model form must be
presented in a way that is clear and conspicuous; \80\ it must be
intact so that the customer can retain the content of the model form;
\81\ and it must retain the same page orientation, content, format, and
order as provided for in this Rule.
---------------------------------------------------------------------------
\80\ The term ``clear and conspicuous'' is defined in the
privacy rule at section --.3(b), SEC section 248.3(c), and includes
as a requirement that the notice be designed to call attention to
the nature and significance of the information in the notice. In
addition, the privacy rule requires that consumers should reasonably
be expected to receive the notice. See section --.9 of the privacy
rule.
\81\ Institutions that incorporate the model privacy form into
other documents must take care that the customer's execution of
other forms in the document will leave the model form intact.
---------------------------------------------------------------------------
C. Format of the Notice
In response to numerous comments relating to the format of the
proposed model form, the Agencies have revised certain of the
requirements relating to paper size, orientation, number of pages, type
size, and color and logo placements, as discussed below.
Paper Size: To allow institutions greater flexibility, the final
model privacy form may be printed on paper the size of which must be
sufficient to meet the layout and minimum font size requirements with
sufficient white space on the top, bottom, and sides of the
content.\82\ Many industry commenters objected to the proposed
requirement that the model form appear on 8\1/2\ by 11-inch size
paper.\83\ Commenters stated that the proposed model form would require
significant materials, postage, and production costs. Industry
commenters explained that institutions use a variety of sizes and
styles to present their privacy notices. Some institutions--
particularly credit card institutions--enclose their privacy notices
with a billing or periodic statement or a bankcard carrier. Envelopes
for certain of these statements or for multi-panel formats are smaller
than 8\1/2\ inches and may not accommodate the proposed size.
---------------------------------------------------------------------------
\82\ See Instruction B to the Model Privacy Form. The Agencies
understand that most privacy policies provide for opting out by
toll-free telephone or on the Internet. The paper size for those
policies will likely be about 8\1/2\ x 11 inches. However, for those
institutions that provide a mail-in opt-out form, the paper size
will likely need to be longer, around 8\1/2\ x 14 inches, in order
to accommodate the mail-in form.
\83\ See, e.g., comment letters of Consumer Bankers Ass'n (May
29, 2007); American Bankers Ass'n (May 25, 2007); Bank of America
Corporation (May 29, 2007); Independent Community Bankers of America
(May 29, 2007); Securities Industry and Financial Markets Ass'n (May
29, 2007); Investment Company Institute (May 29, 2007); National
Retail Federation (May 29, 2007); National Ass'n of Mutual Insurance
Cos. (May 29, 2007); Credit Union National Ass'n (May 29, 2007).
---------------------------------------------------------------------------
The Agencies have reviewed numerous financial institution privacy
notices over the past eight years, many of which are printed on
smaller-sized paper in a multi-panel, multi-fold display. The density
of the small-font text, in addition to the complex legal language, make
these notices very difficult to read or understand.\84\ The final
requirement for paper size is designed to provide financial
institutions with some flexibility, while prohibiting a paper size that
is too small to accommodate the font and orientation requirements in
the model form set forth below.
---------------------------------------------------------------------------
\84\ See supra notes 24-25 and infra note 95.
---------------------------------------------------------------------------
Orientation: Like the proposed model form, the final model privacy
form must be printed in ``portrait'' orientation. Some institutions
objected to this orientation, suggesting instead that institutions be
permitted to design their own model form in other orientations, such as
the commonly-used multi-fold display.\85\ According to these
commenters, this landscape format has three or more ``pages'' of text
visible on each side of the paper when the notice is fully opened. The
size of the paper varies considerably, with some as small as
approximately 7 by 11 inches before it is folded. In such a display,
each ``page'' is approximately 3\1/3\ by 7 inches--considerably smaller
than can accommodate the model form.\86\
---------------------------------------------------------------------------
\85\ See, e.g., comment letters of National Retail Federation
(May 29, 2007); Investment Advisers Ass'n (May 20, 2009); American
Bankers Ass'n (May 25, 2007); Credit Union National Ass'n (May 29,
2007). Some of these commenters pointed to the preamble language in
the final privacy rule which states: ``The Agencies believe that in
most cases the initial and annual disclosure requirements can be
satisfied by disclosures contained in a tri-fold brochure.'' 65 FR
33646, 33662 (May 24, 2000) (FTC); 65 FR 35162, 35175 (June 1, 2000)
(banking agencies); (Regulation S-P) 65 FR 40334, 40347 (June 29,
2000) (SEC). This statement was written in 2000 before the Agencies
or institutions had any experience with the GLB Act privacy notices.
In the intervening period, both the Agencies and institutions have
learned much through their own testing about improved notice design
and consumer comprehension. The impetus for the Agencies' consumer
research, borne out by the research findings, is that the current
notices, including those utilizing multi-fold formats, are not
effective. Moreover, the important information on page one of the
model form--including the context information and disclosure table--
could not be appropriately displayed in such a cramped format and
still comply with the minimum space and font requirements of the
model form.
\86\ Examples provided by commenters included: 3.5 x 7.5 inches,
printed double sided; 3.5 x 8; 7 x10.812 inches folded to 7 x 3.625
inches; 7 x 3.5 inches (finished folded size). See, e.g., comment
letter of National Retail Federation (May 29, 2007).
---------------------------------------------------------------------------
The design of the model form does not lend itself to a multi-panel
display. The utility of the form's design for reading ease depends in
large measure on both larger, more readable type size and how the
content is presented. While one commenter objected to the ``significant
empty space'' in the model form,\87\ the guidance from communications
experts and form designers is that appropriate white space between the
text and margins, as well as the use of headings and bullets, make a
more effective, readable notice.\88\ The table--the heart of the model
form--cannot be squeezed into a tighter space or so reduced in size as
to make it virtually unreadable. For these reasons, the Agencies do not
agree that the orientation of the model form should be altered to
accommodate a multi-panel display.
---------------------------------------------------------------------------
\87\ See comment letter of Consumer Bankers Ass'n (May 29,
2007).
\88\ See supra note 25.
---------------------------------------------------------------------------
Number of Pages: In response to numerous commenters, the
instructions to the final model privacy form permit the form to be
printed on two sides of a single piece of paper or on two single-sided
sheets.\89\ By incorporating the opt-out information on the bottom of
page one, the revised model form may now appear on the front and back
of a single piece of paper.
---------------------------------------------------------------------------
\89\ See Instruction B.2 to the Model Privacy Form.
---------------------------------------------------------------------------
Industry commenters generally objected to the proposed requirement
that the model form be printed only on one side of a page.\90\ Many
raised environmental concerns and the increased costs associated with
printing the notice on multiple pages.
---------------------------------------------------------------------------
\90\ See, e.g., comment letters of American Insurance Ass'n (May
29, 2007); Bank of America Corporation (May 29, 2007); Citigroup
Inc. (May 30, 2007); National Retail Federation (May 29, 2007);
Securities Industry and Financial Markets Ass'n (May 29, 2007).
---------------------------------------------------------------------------
While the proposed single-sided model form was based on the initial
[[Page 62899]]
consumer research and testing, the Agencies believe that the concerns
expressed by commenters justify double-sided printing. Moreover, the
Agencies used double-sided printed notices in the quantitative and
validation testing, with no demonstrable loss in effectiveness relative
to the single-sided notice.\91\
---------------------------------------------------------------------------
\91\ See Levy-Hastak Report at 15.
---------------------------------------------------------------------------
D. Appearance of the Model Privacy Form
The Regulatory Relief Act requires that the model form ``use an
easily readable type font.'' While a number of factors affect the
readability of a document, as in the proposal, the final model privacy
form must use: (1) 10-point font as the minimum font size (unless
otherwise specified in the Instructions) and (2) sufficient spacing
between the lines of type (leading).\92\
---------------------------------------------------------------------------
\92\ While a variety of type styles would be suitable for the
model notice, the Agencies caution institutions that use of
idiosyncratic fonts or highly stylized typefaces will not meet the
model form safe harbor standard. See Instruction B.3(a) to the Model
Privacy Form.
---------------------------------------------------------------------------
The Agencies separately provided optional guidance in the preamble
to the Proposed Rule on readable type styles and other formatting
suggestions for institutions. This optional guidance is not required;
it was to assist institutions that want to provide more readable and
attractive privacy notices to consumers. The Agencies are republishing
this optional guidance in section III.E to assist interested
institutions.
Type Size: A number of commenters expressed various concerns about
the proposed 10-point minimum font requirement.\93\ A few commenters
noted that the proposed model form included several different type
sizes for various parts of the model form and were confused about what
type size(s) the Agencies proposed as a requirement.\94\ Other
commenters raised concerns that a minimum type size requirement for the
model form would conflict with state law mandated requirements. A few
stated that a minimum font size is not legally required for the model
form.
---------------------------------------------------------------------------
\93\ See, e.g., comment letters of American Council of Life
Insurers (May 29, 2007); National Business Coalition on E-Commerce
and Privacy (May 30, 2007); National Retail Federation (May 29,
2007); Financial Services Roundtable and BITS (May 29, 2007).
\94\ The type size information in Example 3 in the preamble to
the Proposed Rule identified the five type sizes used in various
elements of the proposed form. This example was intended solely to
show how key features of the form--such as headings--can be
distinguished by using different font sizes to make the form more
visually appealing. Contrary to some commenters' assumption, the
different sizes were not a proposed requirement for users of the
model form.
---------------------------------------------------------------------------
Many of the criticisms about current notices are, in part, about
the tiny print that make these notices so difficult for consumers to
read.\95\ Based on the statutory directive, as well as the findings
elicited from the Agencies' consumer research and expert views, the
Agencies believe that the model form should have a minimum 10-point
font. Requiring a minimum 10-point font is consistent with state law
mandates for consumer disclosures.\96\
---------------------------------------------------------------------------
\95\ See Kleimann Report, supra note 32, at 33. See also, e.g.,
Public Citizen Petition, supra note 24 at 7 (``[S]mall font sizes *
* * deprive consumers of their right to prevent financial
institutions from sharing private information.''); ``UNDERSTANDING
THE FINE PRINT: How to make sure the gotchas don't get you,''
Consumer Reports Money Adviser (Oct. 2008) (``Fine print is
everywhere--contracts; retail Web sites; sales receipts; print,
broadcast, and Internet offers; prospectuses; privacy notices;
product manuals; and manufacturer warranties.''); David Colker,
``Stopping junk mail for living and dead; Opt-outs can slow the
torrent of solicitations to computer and postal mailboxes and
phones;'' Los Angeles Times, July 22, 2007, at C3 (``[B]y law,
financial institutions have to offer an opt-out if they are making
this data available to non-affiliated businesses. The problem is
that their guides to opting out are often contained in their privacy
notices--in small print.'').
\96\ See, e.g., Cal. Fin. Code div. 1.2 Sec. 4053(d)(1)(B)
(requiring 10-point minimum font).
---------------------------------------------------------------------------
Leading: Leading is the spacing between lines of type, measured in
points. If the line spacing is too narrow, the type is hard to read. In
these circumstances, the ascenders (such as the upward line in the
letter ``h'') and descenders (such as the downward line in a ``g'') may
touch, blending the lines of type and making it much harder to
distinguish the letters on the page. The final instructions to the
model form require only that the leading used allow for sufficient
spacing between the lines, but do not mandate a specific amount.
E. Optional General Guidance for Easily Readable Type
The Proposed Rule included optional guidance on readable type
styles and other formatting suggestions for institutions that want to
provide privacy notices that are more readable and attractive to
consumers, as well as those that want to develop their own model
privacy form.\97\ A number of commenters were concerned by this
guidance for easily readable type, and in some cases, they assumed the
guidance would be mandatory. The Agencies expressly state that the
guidance in this section III.E. is not mandatory and is not a
requirement for proper use of the model form.
---------------------------------------------------------------------------
\97\ See Proposed Rule, supra note 4, at section II.F.
---------------------------------------------------------------------------
In more closely examining the statutory directive for ``easily
readable type,'' the Agencies determined that a number of type-related
factors can greatly affect the readability of a form. Type size, type
style, leading, x-height, serif versus sans serif,\98\ upper and lower
case type, along with the page layout--together play an important role
in designing a typeface that is highly readable. Therefore, in
considering these various factors for the design of an easily readable
type font, institutions that elect to use the model form may
voluntarily consider this additional guidance for an easily readable
appearance to the notice.
---------------------------------------------------------------------------
\98\ Serif typeface has small strokes at the ends of the lines
that form each letter. Sans serif typeface does not have those small
strokes.
---------------------------------------------------------------------------
Leading: Research on the legibility of typography indicates that
people read faster when text is set with 1 to 4 points of leading.\99\
Institutions may, but are not required to, consider these general
recommendations for use with the model form: 10- or 11-point type
should have between 1 and 3 points of leading. Twelve-point type should
have between 2 and 4 points of leading.\100\
---------------------------------------------------------------------------
\99\ Karen A. Schriver, Dynamics In Document Design
(``Schriver'') 274 (1997).
\100\ Id. at 262; see also James Hartley, Designing
Instructional Text (1994); and Barbara Chaparro et al., Reading
Online Text: A Comparison of Four White Space Layouts 6(2) (2004).
---------------------------------------------------------------------------
Type style and ``x''-height: The readability of type size is highly
dependent on the selection of the type style. Some styles in 10-point
font are more readable than others in 12-point font and appear larger
because of their design.
Experts differ on the question of the most desirable type style.
The model form uses sans serif and ``monoweight'' type, and upper and
lower case lettering in the body of the form.\101\
---------------------------------------------------------------------------
\101\ While much of the printed material in the United States
and western Europe uses serif styles, Web designers are increasingly
using sans serif type, as they have found that serif type is harder
to read online. These changes in Web design are also beginning to
affect font styles in printed materials. Some typography designers
are now using sans serif typefaces, as well as type with a uniform
thickness throughout the letter (monoweight typeface), finding these
typefaces easier to read than those with variable thickness.
---------------------------------------------------------------------------
Larger x-height \102\ makes a font appear larger and thus more
readable, and fonts with larger x-heights are better for smaller text.
Research shows that our eyes ``scan the top of the letters' x-heights
during the normal reading process, so that is where the primary
identification of each letter takes place.'' \103\ Generally, a font
with an
[[Page 62900]]
x-height ratio of around .66 is easier to read.\104\
---------------------------------------------------------------------------
\102\ The ``x-height'' is the height of the lower-case ``x'' in
relation to full height letters, such as a capital G. X-height is
critical to type legibility.
\103\ Erik Spiekermann & E.M. Ginger, Stop Stealing Sheep & Find
Out How Type Works 93 (1993).
\104\ See, e.g., Hewlett-Packard Corporation, Panose
Classification Metrics Guide (2006), available at http://
www.monotypeimaging.com/productsservices/pan2.aspx.
---------------------------------------------------------------------------
While not mandating a particular type style or x-height, the
Agencies are providing these general guidelines for type style in the
model form: For typefaces with a smaller x-height, 11- or 12-point font
should be used; for typefaces with a larger x-height, a 10-point font
would be sufficient.\105\
---------------------------------------------------------------------------
\105\ See Schriver, supra note 99, at 264; see also id. at 258-
59. Fonts that satisfy the type style and x-height recommendations
include sans serif fonts such as Tahoma, Century Gothic, Myriad,
Avant Garde, Bk Avenir Book, ITS Franklin Gothic, Arial-Helvetica,
and Gill Sans, and serif fonts such as the Chaparral Pro Family,
Minion Pro, Garamond, Monotype Bodoni, and Monotype Century. A
number of these font styles, including Arial-Helvetica, Tahoma,
Century Gothic, Garamond, and Bodoni, are preloaded in commonly used
word processing applications with most new personal computers. The
other font styles are commercially available as well.
---------------------------------------------------------------------------
For ease of reference, the following table summarizes the optional
guidance discussed here. None of the standards in the table below is
mandatory; rather, the information in the table is offered only as
suggestions for institutions that design their own forms.
----------------------------------------------------------------------------------------------------------------
If Then use And use And use font with
----------------------------------------------------------------------------------------------------------------
Font is 10-point.................. 1-3 points leading.... Monoweight typeface...... Large x-height sans serif
(around .66 ratio).
Font is 11-point.................. 1-3 points leading.... Monoweight typeface...... Smaller x-height is
acceptable; either serif
or sans serif (less than
.66 ratio is
acceptable).
Font is 12-point.................. 2-4 points leading.... Monoweight or variable Smaller x-height is
typeface. acceptable; either serif
or sans serif (less than
.66 ratio is
acceptable).
----------------------------------------------------------------------------------------------------------------
F. Printing, Color, and Logos
We are adopting the requirements for printing, color, and logos in
the final model form as proposed. Commenters generally commended the
Agencies' support for the use of color and company logos on the model
form.\106\ A few industry commenters expressed concern about the
background shading in certain headers smudging in high-speed printing
operations.\107\ Some commenters sought clarification as to whether
logos can use more than one color.
---------------------------------------------------------------------------
\106\ See, e.g., comment letters of American Insurance Ass'n
(May 29, 2007); National Ass'n of Mutual Insurance Cos. (May 29,
2007); Securities Industry and Financial Markets Ass'n (May 29,
2007); Consumer Bankers Ass'n (May 29, 2007).
\107\ See, e.g., comment letters of National Business Coalition
on E-Commerce and Privacy (May 30, 2007). With the modern, high-
speed printing equipment readily available, the Agencies do not
foresee problems with reproducing background shading, just as they
see no difficulties with printing blocks of color for company logos
or advertising materials. Moreover, the validation testing research
found that consumers appreciated shading as a navigation guide. See
Kleimann Validation Report at 9-10.
---------------------------------------------------------------------------
The Agencies agree that the distinguishing features of company
logos along with color are important to ensure that an institution's
documents have a distinctive look that consumers may readily recognize.
As the Agencies proposed, a financial institution that uses the model
form may include its corporate logo on any of the pages, so long as the
logo design does not interfere with the readability of the model form
or space constraints of each page. Institutions using the model form
should use white or light color paper (such as cream) with black or
suitable contrasting color ink. Spot color is permitted to achieve
visual interest to the model form, so long as the color contrast is
distinctive and the color does not detract from the form's readability.
The Agencies are not prohibiting the use of more than one color in a
logo.
Other commenters asked for greater flexibility to include
``markings'' or ``graphics'' or other ``visual effects'' or to include
a ``branding phrase'' or ``advertising slogan.'' \108\ The Agencies
observe that few institutions' privacy policies include advertising
slogans. We note that some include pictures or other large designs that
occupy the front cover. The Agencies believe that these designs or
slogans would distract from the content of the model form and that
slogans would be inconsistent with the standardized language throughout
the form. For these reasons, the final model form does not permit
institutions to include slogans or images (other than logos) on the
model form.
---------------------------------------------------------------------------
\108\ See, e.g., comment letters of Consumer Bankers Ass'n (May
29, 2007); National Business Coalition on E-Commerce and Privacy
(May 30, 2007).
---------------------------------------------------------------------------
G. Jointly-Provided Notices
The final model privacy form includes a new FAQ at the top of page
two: ``Who is providing this notice?'' Many commenters representing
larger institutions observed that the proposed model form did not
provide sufficient space to identify multiple entities that jointly
provide a privacy notice, as permitted by the privacy rule.\109\ Some
suggested the Agencies provide extra space for this information either
in the body of the notice or as a footnote. The new FAQ is not required
where only a single financial institution is providing the notice and
that institution is identified in the title. As discussed in section
III.J.1, space is provided for the institution's response.
---------------------------------------------------------------------------
\109\ See, e.g., comment letters of American Council of Life
Insurers (May 29, 2007); Investment Advisers Ass'n (May 29, 2007).
---------------------------------------------------------------------------
H. Use of the Form by Differently-Regulated Entities
A number of commenters sought clarification as to whether
institutions regulated by different Agencies could together provide a
single joint notice to consumers.\110\ Insurance companies and their
associations in particular expressed concern that the form did not
allow for insurance-specific terminology and potentially put these
institutions--regulated by the states--at some risk.\111\
---------------------------------------------------------------------------
\110\ See, e.g., comment letters of National Business Coalition
on E-Commerce and Privacy (May 30, 2007); T. Rowe Price Associates,
Inc. (May 29, 2007); Financial Services Roundtable and BITS (May 29,
2007); National Ass'n of Mutual Insurance Cos. (May 29, 2007);
Investment Company Institute (May 29, 2007).
\111\ See, e.g., comment letters of National Ass'n of Mutual
Insurance Cos. (May 29, 2007); American Insurance Ass'n (May 29,
2007); Great-West Life & Annuity Insurance Company (May 29, 2007).
In addition to including insurance-specific phrases in the menu of
terms for the ``What?'' box on page one and the collection of
information FAQ on page two, the Rule also recognizes that
institutions that provide insurance products or services and elect
to use this model form can use the word ``policy'' instead of
``account'' for the joint accountholder description. See
Instructions C.2(g)(1) and C.3(a)(5) to the Model Privacy Form. The
Agencies have periodically consulted with the NAIC to ensure that
the final model form is sufficiently flexible to address the
insurance marketplace. The NAIC is continuing to evaluate how best
to proceed regarding insurance company use and implementation of the
form by individual jurisdictions. This effort may include the NAIC
developing a model bulletin for regulatory use or amending its model
Privacy of Consumer Financial and Health Information Regulation to
replace the current sample clauses with the new model privacy form.
---------------------------------------------------------------------------
[[Page 62901]]
The Agencies fully intend that differently-regulated entities can
provide a single joint notice to consumers by using the final model
form. The Agencies have consulted with the NAIC, which submitted a
letter with proposed modifications to certain sections of the form. The
Agencies have incorporated into the final model form two menus of terms
adaptable to the wide range of financial institutions. The menus
include both the SEC's and the NAIC's proposals, and enable a variety
of institutions, including securities firms and insurance companies, to
use the model form, either individually or jointly with other types of
financial institutions.
I. Page One of the Model Form
1. Title
The Agencies are adopting the title, ``What Does [Name of Financial
Institution] Do With Your Personal Information?,'' as proposed. One
commenter objected to the title, preferring instead to refer to it as a
privacy notice.\112\ Other commenters who provided sample revised
notices also used alternate headings, such as, ``our privacy notice for
consumers,'' ``privacy information,'' ``privacy statement,'' and
``keeping your information safe and secure.'' \113\ The research found
that the terms ``privacy notice'' or ``privacy policy'' deterred
consumers from reading the notice.\114\ Consumers understood these
terms to mean that the institution does not share personal information.
The validation testing confirmed the effectiveness of the title.\115\
---------------------------------------------------------------------------
\112\ See, e.g., comment letter of MasterCard Worldwide (May 29,
2007).
\113\ See, e.g., comment letter of Citigroup Inc. (May 30,
2007); Wells Fargo & Company (May 29, 2007); Wachovia Corporation
(May 25, 2007); Sovereign Bank (May 21, 2007).
\114\ See Kleimann Report, supra note 32, at 43, 66-67.
\115\ Kleimann Validation Report at 8.
---------------------------------------------------------------------------
2. Key Frame
The Agencies are adopting the basic structure of the key frame as
proposed with some language changes to address comments received.
Industry commenters raised several objections to the key frame--the
``Why?,'' ``What?,'' and ``How?'' boxes. Their principal concern was
the inflexible nature of the information in these boxes. Many
commenters took particular issue with the list of information collected
and shared, noting that not all institutions collect and share the
information listed.\116\ These commenters asked for greater flexibility
in identifying other types of information that may better relate to
their practices. Commenters raised other issues about: vocabulary; the
contents and number of the boxes; and the inclusion of certain
information not required by the privacy rule. Some commenters proposed
moving and deleting phrases--as well as using the phrase ``as permitted
by law'' to describe the types of sharing they can do. Some commenters
raised questions about the reference to former customers.
---------------------------------------------------------------------------
\116\ See, e.g., comment letters of American Bankers Ass'n (May
25, 2007); Investment Company Institute (May 29, 2007); Investment
Advisers Ass'n (May 29, 2007).
---------------------------------------------------------------------------
The Agencies appreciate the various suggestions provided--
particularly on vocabulary and the structure and contents of the
boxes--but note that the model form was developed through consumer
research with the goal of making it understandable to consumers. The
Agencies have decided to retain the basic structure and content of the
key frame but have made certain modifications.
The Agencies recognize that financial institutions may collect and
share types of information other than those listed on the proposed
form, including institutions that provide insurance or investment
advice or sell securities. The Agencies have, after consulting with the
NAIC and based on consideration of the comments received, provided a
menu of terms, including each of the terms that was proposed, from
which institutions may select to fill in the bracketed boxes.\117\
Since all financial institutions collect Social Security numbers, this
one term is required in all notices. The terms provided are designed to
reflect the range of information typically collected by various types
of institutions in language that consumers can more easily understand.
---------------------------------------------------------------------------
\117\ See Instruction C.2(b)(2) to the Model Privacy Form.
Similar to the proposal, the final model form requires institutions
to provide examples that may be applicable to the institution's
collection and sharing practices.
---------------------------------------------------------------------------
Further, the Agencies have revised the statement about former
customers to: ``When you are no longer our customer, we continue to
share information about you as described in this notice.'' While some
institutions objected in principle to the statement that former
customers are subject to the same policy as current customers,\118\ no
commenters asserted that institutions actually implement a different
policy for former customers.\119\
---------------------------------------------------------------------------
\118\ See, e.g., comment letters of Investment Advisers Ass'n
(May 29, 2007); American Insurance Ass'n (May 29, 2007).
\119\ This sentence continues to appear in the ``What?'' box in
the model form without an opt-out. However, based on the validation
testing, the opt-out versions of the model form place this sentence
in the ``To limit our sharing'' box following the sentence
describing sharing information about a new customer. See Kleimann
Validation Report at 9-10.
---------------------------------------------------------------------------
3. Disclosure Table
We are adopting the disclosure table substantially as proposed,
with some minor changes. Consumer and other advocacy groups, the NAIC,
NAAG, and some industry commenters appreciated the easily understood
display of information in the disclosure table of the proposed model
form. One commenter noted the strength of the Schumer box standardized
format.\120\ Others lauded the use of a tabular format to display a
company's sharing practices, noting that framing one institution's
practices against the industry as a whole is a useful way to inform
consumers of a company's relative sharing practices and facilitates the
comparison of different institutions' practices.\121\
---------------------------------------------------------------------------
\120\ Comment letter of Capital One Financial Corporation (May
29, 2007).
\121\ See comment letters of The Center for Information Policy
Leadership (May 29, 2007); Independent Community Bankers of America
(May 29, 2007).
---------------------------------------------------------------------------
A number of industry commenters and associations, including many
small community banks and a few larger banks, also expressed support
for the clarity and consumer-friendly format of the disclosure
table.\122\
---------------------------------------------------------------------------
\122\ See, e.g., comment letters of Independent Community
Bankers of America (May 29, 2007); Bank of Edison (May 21, 2007);
Capital One Financial Corporation (May 29, 2007); Citrus & Chemical
Bank (May 24, 2007); First National Bank (Edinburg, TX) (Apr. 9,
2007); Florence Savings Bank (April 30, 2007); Iowa State Bank and
Trust Company (May 22, 2007); ShoreBank (Apr. 6, 2007); Hometown
Bank (May 8, 2007).
---------------------------------------------------------------------------
However, many industry commenters sought flexibility in the table
design for several reasons. Some reported that it is common for a
financial institution to have multiple privacy policies for different
products that they offer consumers.\123\ Others asserted that the table
contains a bias against larger, more complex corporate structures
because it is overly simplistic and may show that certain types of
institutions engage in widespread sharing.\124\ One opined that the
table structure made it appear that the entity was reckless in its
sharing practices.\125\ These commenters expressed particular concern
that the model form would lead to high opt-out
[[Page 62902]]
rates.\126\ Many particularly objected to listing all the categories of
sharing--especially when a consumer cannot limit or opt out of certain
types of sharing--and others wanted to limit the list only to those
categories used by the institution.\127\ Some commenters wanted to use
this space to explain the benefits of certain types of sharing.\128\
Others wanted to convey that, for example, they only shared information
with certain types of affiliates but not others and asserted that the
disclosure table did not permit them to make this distinction.\129\
---------------------------------------------------------------------------
\123\ See, e.g., comment letters of Bank of America Corporation
(May 29, 2007); Securities Industry and Financial Markets Ass'n (May
29, 2007); MasterCard Worldwide (May 29, 2007).
\124\ See, e.g., comment letters of Citigroup Inc. (May 30,
2007); Consumer Bankers Ass'n (May 29, 2007).
\125\ See comment letter of Consumer Bankers Ass'n (May 29,
2007).
\126\ See, e.g., comment letter of Johnson Financial Group (May
14, 2007).
\127\ See, e.g., comment letters of Huntington National Bank
(May 25, 2007); National Business Coalition on E-Commerce and
Privacy (May 30, 2007); Securities Industry and Financial Markets
Ass'n (May 29, 2007).
\128\ See, e.g., comment letter of Consumer Bankers Ass'n (May
29, 2007).
\129\ See, e.g., comment letters of American Council of Life
Insurers (May 29, 2007); Securities Industry and Financial Markets
Ass'n (May 29, 2007); American Insurance Ass'n (May 29, 2007);
Consumer Mortgage Coalition (May 29, 2007).
---------------------------------------------------------------------------
As the Agencies stated in the preamble to the Proposed Rule, based
on the Kleimann Report and as confirmed by the quantitative research
data and the Levy-Hastak Report, the disclosure table is the heart of
the model form design and its most effective feature.\130\ The table
provides for greater transparency of a company's sharing practices. It
allows consumers to see at a glance the types of information sharing a
company may engage in, whether that particular company shares in that
way, and, if so, whether the consumer can limit such sharing.\131\
Based on the research, the Agencies have retained the disclosure table
generally unchanged in the final model form.
---------------------------------------------------------------------------
\130\ See Proposed Rule, supra note 4, at text preceding and
accompanying n.27; see also Levy-Hastak Report at 17.
\131\ The disclosure table in the model form provides
information ``at-a-glance'' that facilitates the comparison of a
company's information sharing practices, both as to the industry as
a whole and with respect to any other specific companies. In this
way, it meets the original legislative intent to easily compare
companies' privacy practices. See H.R. Rep. No. 106-74, at 107
(1999).
---------------------------------------------------------------------------
Addressing industry concerns about bias against larger
institutions, the Agencies appreciate these institutions' concern that
some of their customers may react negatively to the sharing of their
information. The purpose of the model form is not to direct consumer
behavior, however, but rather to provide information effectively. While
the Levy-Hastak Report found that a majority of survey participants
objected to the sharing of their personal information with affiliated
companies, and more so with nonaffiliated companies, these objections
were consistent across all the survey participants and were not
affected by any particular notice format.\132\ The research confirms
that the notice design more clearly informs consumers about how each
company shares or uses the personal information it collects.
---------------------------------------------------------------------------
\132\ Levy-Hastak Report at 15.
---------------------------------------------------------------------------
During the course of this project, the Agencies heard from smaller
institutions that their customers wanted to stop all sharing and
expressly asked for opt-outs even when the institution engaged in only
limited sharing under the section ----.14 and ----.15 exceptions.\133\
The neutral design of the form, particularly through the table,
explains that some sharing is necessary for an institution's ``everyday
business purposes'' and makes clear what sharing occurs. In addition,
the model form uses the term ``limiting'' sharing, rather than stopping
sharing altogether. These small institutions commented that this more
balanced presentation of sharing practices is a very important feature
of the notice, and one that they welcome, as it makes all institutions'
sharing practices more transparent.\134\
---------------------------------------------------------------------------
\133\ This comment was made by some of the Agencies' regulated
entities at various times during the course of this project and was
also discussed by members of the Board's Consumer Advisory Council
during its discussions in 2007 about the Notice Project and model
form proposals.
\134\ See, e.g., comment letter of Independent Community Bankers
Ass'n (May 29, 2009).
---------------------------------------------------------------------------
The strength of the table design is that it facilitates comparison
by showing what a particular institution's sharing practices are as
compared to what all financial institutions can legally do. For this
reason, the final model form incorporates all seven reasons for
sharing, with only the affiliate marketing provision--``For our
affiliates to market to you''--optional for those companies that elect
to incorporate that disclosure in their GLB notices.\135\
---------------------------------------------------------------------------
\135\ See infra note 142.
---------------------------------------------------------------------------
While the middle column requires institutions to answer ``yes'' or
``no'' to whether it shares for each of the reasons, some commenters
expressed concern that their information sharing practices were
sufficiently complex that they could not answer ``yes'' or ``no,''
stating that they had different practices for different products.
Institutions that elect to use the model form must answer the questions
in the final model form as directed in the proposal. If an institution
elects to use the model form, it must either harmonize its practices so
one notice applies to all its products, or it must provide separate
notices for products subject to different information sharing
practices.
A few commenters opined that they may not currently share but want
to reserve the right to share in the future. In such a case, the
correct response in the middle column is ``yes,'' consistent with the
privacy rule.\136\
---------------------------------------------------------------------------
\136\ See the privacy rule, section ----.6(e), NCUA section
716.6(d) (notices can be based on current and anticipated policies
and practices).
---------------------------------------------------------------------------
Many institution commenters objected that the proposed terms to
describe sharing practices were abbreviated or incomplete and asserted
that the Agencies limited sharing that is lawfully permitted. For
example, commenters objected that the definition of ``everyday business
purposes'' excluded a long list of permissible disclosures designated
in sections ----.14 and ----.15.\137\ However, as the Agencies stated
in the proposal, the phrase ``everyday business purposes'' fully
incorporates all the disclosures permitted by law under sections --
--.14 and ----.15 of the privacy rule.\138\ In addition, the Agencies
have determined that service providers that do not fall under section
----.14, but perform direct services to the institution such as opt-out
scrubbing or market analysis or research under a section ----.13
agreement, are included under this provision.\139\
---------------------------------------------------------------------------
\137\ See, e.g., comment letters of American Insurance Ass'n
(May 29, 2007); Consumer Bankers Ass'n (May 29, 2007); Citigroup
Inc. (May 30, 2007); Securities and Financial Markets Ass'n (May 29,
2007).
\138\ See, e.g., comment letters of American Bankers Ass'n (May
25, 2007); American Insurance Ass'n (May 29, 2007); Securities
Industry and Financial Markets Ass'n (May 29, 2007). This language
substantially replaces the ``as permitted by law'' phrase used in
the Sample Clauses, covering all permitted disclosures--along with
the attendant requirements on reuse and redisclosure--found under
sections ----.14 and ----.15 of the privacy rule. Unlike that
clause, ``everyday business purposes'' conveys more concrete
information to consumers and, importantly, helps them understand
that some sharing is necessary in order to obtain financial products
or services.
\139\ Joint marketing with other financial institutions and
section ----.13 service providers contracted to do marketing for a
financial institution are disclosed separately. See Instruction
C.2(d)(3) to the Model Privacy Form.
---------------------------------------------------------------------------
The cited examples of ``everyday business purposes'' \140\ are
illustrative only, to enhance consumer understanding. While commenters
urged us to include the phrase ``as permitted by law'' in this
description, research has found that consumers are confused and
concerned by this phrase; they do not know what it means or what
[[Page 62903]]
``laws'' it encompasses.\141\ Including that phrase would be
inconsistent with consumers' need for clear language to understand what
their financial institution does with their information.
---------------------------------------------------------------------------
\140\ The final model form consolidates all references to
``everyday business purposes'' in the first reason in the disclosure
table, thereby eliminating the illustrative explanation in the
``How?'' box on page one and the definition on page two.
\141\ See Survey Research Center at the University of Georgia,
National Ass'n of Insurance Commissioners Insurance Disclosure Focus
Group Study (``NAIC Study''), available at http://www.ftc.gov/os/
comments/modelprivacyform/528621-00012.pdf. See also infra
discussion at text accompanying note 221.
---------------------------------------------------------------------------
Because the laws governing disclosure of consumers' personal
information are not easily translated into short, comprehensible
phrases, the table uses more easily understandable short-hand terms to
describe sharing practices. We do not believe that these short-hand
terms diminish the laws' provisions, as some commenters asserted. If,
as these commenters suggest, the Agencies add to the laundry list of
descriptive terms to make the provisions in the table more ``precise,''
we believe it will defeat the purpose of making this information more
understandable to consumers. Thus, the Agencies have chosen not to
provide detailed descriptions for each of the reasons in the table; we
re-affirm that institutions' ability to share information in accordance
with the statutory provisions would not be limited or otherwise
modified by using the model form language.
The phrase ``For our marketing purposes'' captures the idea that
nearly all, if not all, institutions share information to market their
own products and services to their customers (for example, using a
joint marketing agreement with a service provider such as a bulk mailer
or data processor pursuant to section ----.13 of the privacy rule) in a
manner that does not trigger an opt-out right. Likewise, the phrase
``nonaffiliates to market to you'' does not diminish the information
sharing permitted by the privacy rule, provided that institutions first
provide an opportunity for consumers to opt out, as provided for in
section ----.10 of the privacy rule.
In all these instances, the lack of explicit references in the
model form to certain of the exceptions does not mean that an
institution cannot take advantage of all the exceptions provided for in
the law.
4. FCRA Opt-Outs
The FCRA provisions are adopted in the model privacy form as
proposed.\142\ A number of industry commenters objected that the
disclosure table did not provide a sufficiently complete or accurate
description of the affiliate sharing provisions of the FCRA.\143\ They
urged the Agencies to revise these provisions to more precisely
distinguish between the different types of information that can be
shared with affiliates (both with and without an opt-out), to describe
the applicable exceptions, and to more accurately describe the opt-out
pertaining to information that can be used by affiliates for marketing.
---------------------------------------------------------------------------
\142\ The table includes, as an optional disclosure, the opt-out
required by section 624 of the FCRA (reason 6 in the table), 15
U.S.C. 1681s-3 (affiliate use of information for marketing), as
added by section 214 of the Fair and Accurate Credit Transactions
Act of 2003 (FACT Act), Public Law No. 108-159, 117 Stat. 1952.
Section 624 generally provides that information that may be shared
among affiliates--including transaction and experience information
and certain creditworthiness information--cannot be used by an
affiliate for marketing purposes unless the consumer has received a
notice of such use and an opportunity to opt out, and the consumer
does not opt out. Congress did not grant the CFTC rulemaking
authority to implement section 624. The other Agencies have issued
final regulations implementing the affiliate marketing provision of
the FACT Act, 12 CFR part 41 (OCC), 12 CFR part 222 (Board), 12 CFR
part 334 (FDIC), 12 CFR part 571 (OTS), 12 CFR part 717 (NCUA), 16
CFR parts 680 and 698 (FTC), 17 CFR part 248, subpart B (SEC)
(``affiliate marketing rule''). Because the Agencies' affiliate
marketing rules generally use consistent section numbering, relevant
sections will be cited, for example, as ``section --.23'' unless
otherwise noted. The affiliate marketing rule included language
stating that the section 624 disclosure as it appears in the model
form will meet the requirements of that rule. See 72 FR 61424, 61452
(Oct. 30, 2007) (FTC); 72 FR 62910, 62932 (Nov. 7, 2007) (banking
agencies); 74 FR 40398, 40418 (Aug. 11, 2009) (SEC) (``use of the
[GLB Act] model privacy form will satisfy the requirement to provide
an initial affiliate marketing opt-out notice''). See also section
----.23(b) of the affiliate marketing rule.
\143\ See, e.g., comment letters of Citigroup Inc. (May 30,
2007); American Bankers Ass'n (May 25, 2007); Consumer Bankers Ass'n
(May 29, 2007); National Business Coalition on E-Commerce and
Privacy (May 30, 2007); Visa U.S.A, Inc. (May 29, 2007).
---------------------------------------------------------------------------
The FCRA statutory provisions are quite complex and their legal
intricacies are difficult for consumers to understand. The Agencies
found through the consumer testing conducted by Kleimann that the
short-hand FCRA terms used in the model form describing the types of
personal information that can be shared with affiliates are sufficient
to enable consumers to make informed decisions about such sharing.
Again, these short-hand terms do not in any way diminish or modify the
affiliate sharing provisions of the FCRA.\144\ To give some meaning to
the statutory term ``other information,'' the disclosure table uses
``Information about your creditworthiness''--a short-hand phrase that
consumers reasonably understood. Testing also found that consumers
reasonably understood the phrase ``information about your transactions
and experience'' without further embellishment.\145\
---------------------------------------------------------------------------
\144\ See section 603(d)(2)(A) of the FCRA relating to the
sharing of ``transaction and experience information'' and the
sharing of ``other information'' which triggers an opt-out notice.
\145\ Kleimann Report, supra note 32, at 63.
---------------------------------------------------------------------------
Some institutions objected to the description of the optional
affiliate marketing provision enacted under the FACT Act for which the
Agencies have published final regulations.\146\ These commenters are
correct that this provision, unlike the others, is about the use of
shared information for marketing. While the Agencies and Kleimann
worked to ensure accuracy in the model form, it was evident at the
outset that this particular provision would be very difficult to
explain in a simple and clear way to consumers and be precisely true to
the statutory language.
---------------------------------------------------------------------------
\146\ See supra note 142.
---------------------------------------------------------------------------
The final formulation we proposed tested sufficiently well to show
that consumers understand its basic meaning.\147\ Including the
affiliate marketing notice and opt-out in the model form is optional.
Institutions that are required to provide this notice, and elect not to
include it in their GLB Act privacy notice, must separately send an
affiliate marketing notice that complies fully with the affiliate
marketing rule requirements.
---------------------------------------------------------------------------
\147\ Levy-Hastak Report at 15.
---------------------------------------------------------------------------
For those institutions that elect to incorporate this provision in
the model form, the Agencies believe that it is simpler and less
confusing to consumers for the affiliate marketing opt-out to be of
indefinite duration, consistent with the opt-out required under the GLB
Act. If an institution elects to limit the time period for which the
opt-out is effective, as permitted under the affiliate marketing rule,
it must not include the affiliate marketing opt-out in the model form.
Instead, the institution must comply separately with the specific
affiliate marketing rule requirements.
5. Limiting Sharing: Opt-Out Information
In response to commenters and the results of the quantitative
testing, the final model form includes opt-out information for those
institutions that are required to provide an opt-out on the bottom of
page one. The Agencies proposed that the information about limiting or
opting out of certain sharing, as needed, would be provided on a
separate third page. Many commenters objected to the use of a separate
piece of paper for this information, particularly if the notice itself
is quite short.\148\
---------------------------------------------------------------------------
\148\ See, e.g., comment letters of American Council of Life
Insurers (May 29, 2007); National Automobile Dealers Ass'n (May 29,
2007); Securities Industry and Financial Markets Ass'n (May 29,
2007).
---------------------------------------------------------------------------
[[Page 62904]]
This change eliminates the extra page from the proposed model form
and places this important information on the first page that the
consumer sees. In addition to the model form with no opt-out, the
Agencies are providing two alternate versions to be used, as
appropriate, depending on whether the institution offers the option to
limit information sharing by mail.\149\
---------------------------------------------------------------------------
\149\ Some commenters asked about providing the opt-out in an
in-person transaction so that the customer could execute the opt-out
at that time or could deliver the completed opt-out form in person.
The privacy rule does not preclude obtaining a consumer's opt-out
election in person. However, while an institution may accept an opt-
out election from a consumer in person, requiring a consumer to
obtain an opt-out form at a branch office as the only means to opt
out violates the privacy rule. See sections --.7(h), --.9(a) and
(b), and --.10(a)(1) and (a)(3) of the privacy rule.
---------------------------------------------------------------------------
Institutions using the model form must include the opt-out section
in their notices only if they (1) share or use information in a manner
that triggers an opt-out, or (2) choose to provide opt-outs beyond what
is required by law. Financial institutions that provide opt-outs are
not required to provide all the opt-out choices and methods described
in the model form; they should select those that accurately reflect
their practices.\150\
---------------------------------------------------------------------------
\150\ Institutions that do not include the affiliate marketing
disclosure on the model privacy form must not include the affiliate
marketing notice or opt-out on the model form mail-in form; that
notice must be provided in accord with the affiliate marketing rule,
outside the model form.
---------------------------------------------------------------------------
A number of commenters objected to the statement describing the
time period before information can first be shared according to an
institution's privacy policy.\151\ Recognizing that institutions will
provide this form both to new customers and annually to existing
customers, the Agencies have modified the language accordingly.\152\
The revised model form allows institutions to insert a time period that
is 30 days or longer from the date the notice was sent before it can
begin sharing for new customers. Some commenters opined that in certain
instances they should be able to require the consumer to make an opt-
out decision at the time of the in-person or electronic transaction
rather than waiting 30 days. While the Agencies recognize that certain
situations may warrant an immediate decision, the basic rule is to
allow a ``reasonable'' opportunity to opt out.\153\
---------------------------------------------------------------------------
\151\ See, e.g., comment letters of Bank of America Corporation
(May 29, 2007); Wells Fargo & Company (May 29, 2007); Securities
Industry and Financial Markets Ass'n (May 29, 2007); American
Council of Life Insurers (May 29, 2007).
\152\ The revised language states: ``If you are a new customer,
we can begin sharing your information [30] days from the date we
sent this notice.'' See also supra note 119.
\153\ See, e.g., sections --.10(a)(1)(iii) and --.10(a)(3)(iii)
of the privacy rule.
---------------------------------------------------------------------------
Telephone and online opt-outs should closely match the options
provided in the form. Consistent with the direction provided in the
affiliate marketing rule,\154\ the Agencies also contemplate that a
toll-free telephone number would be adequately designed and staffed to
enable consumers to opt out in a single telephone call. In setting up a
toll-free telephone number that consumers may use to exercise their
opt-out rights, institutions should minimize extraneous messages
directed to consumers who are in the process of opting out.
---------------------------------------------------------------------------
\154\ See 72 FR 61424, 61448 (Oct. 30, 2007) (FTC); 72 FR 62910,
62935 (Nov. 7, 2007) (banking agencies); 74 FR 40398, 40421 (August
11, 2009) (SEC).
---------------------------------------------------------------------------
A number of industry commenters requested clarification on how
joint accountholders would be treated.\155\ The Agencies have addressed
this question with a new FAQ, described below. Further, if an
institution elects to provide a choice for the joint accountholder to
apply the opt-out only to that joint accountholder, that option must be
provided in the telephone or Web prompt, as well as presented in the
left-hand box on the mail-in form.\156\
---------------------------------------------------------------------------
\155\ See, e.g., comment letters of American Bankers Ass'n (May
25, 2007); Discover Bank (May 29, 2007).
\156\ See also privacy rule, section --.7(d), NCUA section
716.7(d)(6).
---------------------------------------------------------------------------
A number of commenters from both industry and advocacy groups
addressed the question whether consumers need to provide personal
information such as a Social Security number, account number, or other
identification number in order to opt out. The consumer advocacy
organizations, some industry commenters, and an industry association
proposed omitting the account number field from the proposed form to
reduce the risk of fraud.\157\ These commenters expressed concerns
about phishing and identity theft, and were especially concerned about
institutions' use of the Social Security number to confirm an opt-out
request. These commenters argued that a name and address should be
sufficient to effect an opt-out from an institution's information
sharing.
---------------------------------------------------------------------------
\157\ See, e.g., comment letters of Center for Democracy and
Technology (May 29, 2007); Privacy Rights Clearinghouse (May 22,
2007); National Automobile Dealers Ass'n (May 29, 2007.
---------------------------------------------------------------------------
Many institutions argued that they needed a Social Security number
or full account or policy number in order to authenticate the person
who wanted to opt out or to apply the opt-out appropriately to all
accounts held by the customer or only to specific accounts.\158\ Some
industry commenters urged limiting the information to only the last
four digits of an account number as both safe for the consumer and
sufficient to implement the opt-out.\159\
---------------------------------------------------------------------------
\158\ See, e.g., comment letters of National Retail Federation
(May 29, 2007); Citicorp (May 29, 2007); National Business Coalition
on E-Commerce and Privacy (May 30, 2007).
\159\ See, e.g., comment letters of Sun Trust Banks, Inc. (May
23, 2007); Central National Bank of Enid (May 24, 2007).
---------------------------------------------------------------------------
Having considered these comments and the context in which such
sensitive information is used--to implement an opt-out for information
sharing--the Agencies strongly encourage institutions to use some other
form of identifier, such as a randomly generated ``opt-out code''
provided in the notice that consumers can use to exercise their opt-
outs without jeopardizing the security of their most sensitive personal
information. A random code--which some institutions currently use--both
protects consumers' most sensitive information and at the same time can
be used to link both the customer and account(s) to which the opt-out
should apply. Such an approach would further simplify the opt-out
process for consumers. If such an approach is not feasible,
institutions could use a truncated account or policy number to protect
sensitive information.\160\ Of course, any opt-out means provided--
including any information requirements imposed on consumers--must be
reasonable under the privacy rule and reasonable and simple under the
affiliate marketing rule.\161\ Institutions should keep these
requirements in mind when requesting information beyond the consumer's
name and address.
---------------------------------------------------------------------------
\160\ See also The President's Identity Theft Task Force,
Combating Identity Theft, at 13 (Apr. 2007) (``Consumer information
is the currency of identity theft, and perhaps the most valuable
piece of information for the thief is the SSN'').
\161\ See section ----.7(a)(1)(iii) of the privacy rule and
section --.25(a) of the affiliate marketing rule.
---------------------------------------------------------------------------
A number of industry commenters objected to the inability of the
model form to provide for partial opt-outs, as permitted by the privacy
rule.\162\ The Agencies have observed that partial opt-outs are not
widely employed. Trying to incorporate partial opt-outs in this model
form would be unduly complicated and confusing for consumers, so the
Agencies have determined to use the default provision of the privacy
rule that provides for an opt-out that applies to all information.\163\
Institutions that want to
[[Page 62905]]
provide partial opt-outs cannot do so using the model form.
---------------------------------------------------------------------------
\162\ See, e.g., comment letters of American Council of Life
Insurers (May 29, 2007); Securities Industry and Financial Markets
Ass'n (May 29, 2007).
\163\ See section --.10(b) of the privacy rule.
---------------------------------------------------------------------------
A number of commenters wanted to include in the model form the
statement ``If you have already told us your choice(s), you do not have
to tell us again.'' \164\ Because this statement would only be accurate
if the institution has not changed its notice to include new opt-out
options, the Agencies have decided not to include it in the model form.
Institutions that choose to use this statement must do so outside the
model form.
---------------------------------------------------------------------------
\164\ See, e.g., comment letters of MasterCard Worldwide (May
29, 2007); National Business Coalition on E-Commerce and Privacy
(May 30, 2007); Wells Fargo & Company (May 29, 2007); Wolters Kluwer
Financial Services (May 24, 2007).
---------------------------------------------------------------------------
6. Additional Opt-Outs in the Model Form
Like the proposed form, the final model form permits institutions
to provide for voluntary or state law-required opt-outs. For example,
if an institution elects to offer its customers the opportunity to opt
out of its marketing, it can do so by saying ``yes'' in the third
column. Similarly, an institution can offer its customers a right to
opt out of joint marketing, if it chooses.
Institutions that must comply with various state law requirements,
depending on their practices and the choices they offer, may be able to
do so in one of two ways using the model form. For example, Vermont law
requires institutions to obtain opt-in consent from Vermont consumers
for affiliate sharing. The disclosure table permits institutions to do
one of two things: (1) it can provide a notice directed to its Vermont
customers that answers ``no'' to the question about whether it shares
creditworthiness information with its affiliates, or (2) it can provide
a generalized notice for consumers across a number of states including
Vermont and answer ``yes'' to the question about sharing
creditworthiness information with its affiliates and include a
discussion on the application of Vermont law in the ``Other important
information'' box on page two of the form.\165\
---------------------------------------------------------------------------
\165\ California provides that a consumer can opt out of joint
marketing. Cal. Fin. Code div. 1.2 Sec. 4053(b)(2). Thus, an
institution can provide a generalized notice offering no opt-out,
with California-specific information in the ``Other important
information'' box. Alternatively, an institution can provide a
separate notice to its California customers. Institutions cannot use
the model form to offer opt-in consent. See Instruction C.2(g)(5) to
the Model Privacy Form.
---------------------------------------------------------------------------
To obtain the safe harbor for use of the proposed model form, an
institution that uses the disclosure table to show any additional opt-
out choices (beyond what is required under Federal law) must make that
opt-out available through the same opt-out options the institution
provides in the notice, whether by telephone, Internet, or a mail-in
opt-out form.\166\
---------------------------------------------------------------------------
\166\ See Instruction C.2(g) to the Model Privacy Form.
---------------------------------------------------------------------------
7. Contact Information for Questions
Like the proposed form, the final model form provides contact
information at the bottom of page one. Some commenters objected that it
would be confusing if an opt-out is offered or the institution wants to
limit such contact to a mail option only.\167\ The Kleimann Report
found that consumers want a way to contact their financial institution
if they have any questions.\168\ The NAIC Study likewise found this to
be one of the most important pieces of information that consumers want
in a notice.\169\ In revising the proposed model form to include the
opt-out information on page one, the Agencies have modified the
``Contact Us'' box to label it ``Questions'' (to more clearly
distinguish between the two) and clarified in the Instructions that
this box is for customer service contact information, either by
telephone or the Internet or both, at the institution's option.
---------------------------------------------------------------------------
\167\ See, e.g., comment letters of Mastercard Worldwide (May
29, 2007); American Insurance Ass'n (May 29, 2007); American Council
of Life Insurers (May 29, 2007); Securities Industry and Financial
Markets Ass'n (May 29, 2007).
\168\ Kleimann Report, supra note 32, at 35, 226.
\169\ NAIC Study, supra note 141.
---------------------------------------------------------------------------
Customer service contact information is for consumers who may have
questions about the institution's privacy policy and may be the same
contact information for consumers' questions relating to the
institution's products or services. The Agencies are not requiring a
separate customer service number solely to answer questions about the
institution's privacy policy. The customer service contact information
is different from the opt-out contact information, unless the customer
service number is made available for consumers to opt out. The contact
information should give consumers a way to communicate directly with
the institution.\170\
---------------------------------------------------------------------------
\170\ See Instruction C.2(f) to the Model Privacy Form.
---------------------------------------------------------------------------
8. Mail-In Opt-Out Form
The mail-in opt-out form for institutions that provide such a form
is adopted with two modifications, with the changes based on comments,
the quantitative testing, and the Levy-Hastak Report. The validation
testing shaped the design for the opt-out information in the final
model form.
As discussed in section III.I.5, the final model form displays all
opt-out information, including the mail-in form, on page one, for
institutions that provide an opt-out. In response to commenters, the
Agencies have added information on joint accountholders to the model
form by providing a new FAQ on page two. Institutions must include the
joint accountholder information in the mail-in form only when the
institution allows a joint accountholder to choose whether to apply an
opt-out election only to one accountholder.\171\ Otherwise, that space
is blank or omitted from the mail-in form.
---------------------------------------------------------------------------
\171\ See also infra section III.J.1. Section III.I.5 provides
guidance on the use of sensitive personal information (such as a
Social Security number or account number) to effect an opt-out.
Section III.I.6 discusses how voluntary or state-required privacy
law opt-outs should appear in the mail-in opt-out form. See also
Instruction C.2(g) to the Model Privacy Form.
---------------------------------------------------------------------------
Finally, institutions that use the mail-in opt-out form must insert
the institution's mailing address either in the right-hand box or just
below the mail-in form, as shown in version 3 and optional version 4 in
the Appendix and as described in the Instructions to the Model Form.
J. Page Two of the Model Form
The Agencies have modified page two of the model form to streamline
the information on the page and to provide flexibility for institutions
to insert certain institution-specific information.
1. Frequently Asked Questions
To address the concerns about jointly-provided notices, the
Agencies have added a new FAQ at the top of page two: ``Who is
providing this notice?'' An institution may omit this FAQ only when one
financial institution is providing the notice and that institution is
identified in the title. The space to the right, which is limited (for
reasons of space constraints) to a maximum of four (4) lines,\172\
allows institutions that are jointly providing the notice to be
identified.\173\ This space must be used to:
---------------------------------------------------------------------------
\172\ While the Agencies are limiting the space allotted for
this FAQ, we do not intend that institutions will constrain the
width of the left column (with the questions) so as to make this
page difficult to read. We remind institutions that design experts
recommend using sufficient white space to set off features such as
headings, bullets, and key information used by consumers to quickly
scan a document. We note further that the ratio of the column widths
of the questions to the responses in the model form is approximately
1:2.
\173\ The option of creating a jointly provided notice is not
limited only to financial holding companies, as one commenter
observed. Instruction B.1 to the Model Privacy Form has been
modified to clarify that point.
---------------------------------------------------------------------------
[[Page 62906]]
1. State the common corporate name or other readily identifiable
name that is also used for the title and various headings of the model
form as the ``name of financial institution;'' and
2. Either (a) identify the entities jointly providing the notice;
or (b) for institutions with a lengthy list of entities jointly
providing the notice, identify the general types of entities in the
response and identify the entities \174\ at the end of the form
following the ``Other important information'' box, or, if that box is
not incorporated into the form, following the ``Definitions'' or on an
additional page. The list at the end of the form must be printed in
minimum 8-point font and may appear in a multi-column format.
---------------------------------------------------------------------------
\174\ See section --.9(f) of the privacy rule.
---------------------------------------------------------------------------
The Agencies have deleted the FAQ on how often consumers are
provided notices on an institution's sharing practices due to space
constraints.\175\
---------------------------------------------------------------------------
\175\ While the testing found it to be helpful background, this
information is not required by the privacy rule.
---------------------------------------------------------------------------
A number of commenters objected to the response to the question
about how personal information is protected. Some objected to the
phrase ``comply with federal laws.'' \176\ The Agencies note that this
phrase closely tracks current Sample Clause A-7 and is already widely
used by many institutions. Several objected to the phrase ``secured
buildings and files,'' preferring ``physical safeguards.'' \177\ As
explained in the Kleimann Report, the Agencies developed this text to
help consumers better understand the practical meaning of physical
security.\178\ The Agencies have determined to retain the FAQ as
proposed, with one modification. In response to commenters who asked to
include more specific information,\179\ such as information about
cookies or online practices or limiting employee access to personal
information, the Agencies are allowing institutions to add more detail,
limited to describing their safeguards practices, up to a maximum of
thirty (30) additional words. This doubles the space allotted for the
safeguards response and provides flexibility to institutions to
customize the safeguards description. The optional information must
appear after the standard response for this FAQ.
---------------------------------------------------------------------------
\176\ See, e.g., comment letters of Consumer Bankers Ass'n (May
29, 2007); MasterCard Worldwide (May 29, 2007).
\177\ See comment letters of American Council of Life Insurers
(May 29, 2007); American Insurance Ass'n (May 29, 2007).
\178\ Kleimann Report, supra note 32, at 125-26.
\179\ See, e.g., comment letters of Iowa State Bank and Trust
(May 22, 2007); PayPal (May 29, 2007); Wachovia Corporation (May 25,
2007).
---------------------------------------------------------------------------
A number of industry commenters objected to the inflexible nature
of the description of the sources from which personal information is
collected, stating that in many cases the proposed descriptions do not
correlate to their practices or the practices of their particular
industry.\180\ As with the description of the types of information
collected and shared on page one, the Agencies are providing a menu of
terms from which institutions can select to fill in the bulleted
lists.\181\ The list is designed to include the range of information
sources typically used by a variety of institutions subject to the GLB
Act and the FCRA, including those in the insurance, securities, and
investment advisory businesses, as well as those companies subject to
FTC jurisdiction. Finally, institutions that collect information from
their affiliates and/or from credit bureaus must use as the last
sentence of this response: ``We also collect your personal information
from others, such as credit bureaus, affiliates, or other companies.''
Institutions that do not collect personal information from their
affiliates or credit bureaus but do collect personal information from
other companies must include the following statement: ``We also collect
your personal information from other companies.'' Only institutions
that do not collect any personal information from affiliates, credit
bureaus, or other companies can omit both statements.
---------------------------------------------------------------------------
\180\ See, e.g., comment letters of American Council of Life
Insurers (May 29, 2007); American Bankers Ass'n (May 25, 2007);
Consumer Bankers Ass'n (May 29, 2007); Mastercard Worldwide (May 29,
2007); Wells Fargo & Company (May 29, 2007); National Ass'n of
Mutual Insurance Cos. (May 29, 2007); National Automobile Dealers
Ass'n (May 29, 2007).
\181\ See Instruction C.3(a)(3) to the Model Privacy Form. See
supra note 117.
---------------------------------------------------------------------------
A number of industry commenters objected to the FAQ about limiting
sharing, arguing variously that this is not required and that they
should only have to include in the response those bullets that apply to
their sharing practices.\182\ The Agencies have determined to retain
this FAQ with a revision to the bulleted list, as it helps consumers
better understand what rights they have under Federal law and
reinforces the message that information sharing may be limited but not
stopped completely. The second bullet was revised to more closely track
the provisions of the affiliate marketing rule. Finally, the Agencies
have provided an optional sentence for institutions to elect to include
at the end, as applicable, ``See below for more on your rights under
state law,'' a reference to the state-specific privacy law information
that an institution may include in the ``Other important information''
box.
---------------------------------------------------------------------------
\182\ See, e.g., comment letters of American Council of Life
Insurers (May 25, 2007); National Ass'n of Mutual Insurance Cos.
(May 29, 2007).
---------------------------------------------------------------------------
As discussed earlier, a number of commenters asked how an opt-out
election can be applied to joint accountholders.\183\ This is addressed
by a new FAQ on page two. Two optional responses are provided for
institutions to use: The first states that an opt-out election by any
joint accountholder will be applied to everyone on the account. The
second provides that the opt-out election will be applied to everyone
on the account unless the customer elects to have the opt-out apply
only to him. Institutions must select one or the other as the response
to this question.\184\
---------------------------------------------------------------------------
\183\ See, e.g., comment letters of American Bankers Ass'n (May
29, 2007); Discover Bank (May 29, 2007); Mastercard Worldwide (May
29, 2007); Huntington National Bank (May 25, 2007).
\184\ See also supra discussion section III.I.8.
---------------------------------------------------------------------------
2. Definitions
In the final model privacy form, the definition of ``everyday
business purposes'' has been deleted as superfluous, and the
description of everyday business purposes has been consolidated in the
disclosure table on page one. The other three definitions remain as
proposed, with one modification.
The Agencies make the following further clarification in response
to some commenters.\185\ First, if an institution has no affiliates or
does not share with its affiliates, it does not have to describe the
categories of affiliates in this definition. Applicable responses in
such conditions are, respectively: ``[name of financial institution]
has no affiliates'' or ``[name of financial institution] does not share
with our affiliates.''
---------------------------------------------------------------------------
\185\ See, e.g., comment letters of Mastercard Worldwide (May
29, 2007); Huntington National Bank (May 25, 2007); Consumer Bankers
Ass'n (May 29, 2007); Wells Fargo & Company (May 29, 2007).
---------------------------------------------------------------------------
Similarly, if an institution does not share for joint marketing or
with nonaffiliated third parties outside of the section ----.14 and --
--.15 exceptions, applicable responses are: ``[name of financial
institution] doesn't jointly market'' or ``[name of financial
institution] does not share with nonaffiliates so they can market to
you.''
The Instructions have been modified with respect to an
institution's sharing with its affiliates so that an institution must
provide only an illustrative list of affiliates with which it shares,
and not
[[Page 62907]]
a complete list. As proposed, when an institution shares with
nonaffiliates or with other financial institutions to do joint
marketing, the institution must describe the categories of entities
with which it shares.\186\ While the Instructions provide illustrative
examples of categories, institutions must provide examples consistent
with their practices. The Instructions provide guidance on these
points.\187\
---------------------------------------------------------------------------
\186\ See sections ----.6(a)(3), ----.6(a)(5), ----.6(c)(3), and
----.6(c)(4) of the privacy rule. The joint marketing provisions
apply to joint marketing agreements with other financial
institutions, but not to other types of arrangements with section --
--.13 service providers.
\187\ See Instruction C.3(b) to the Model Privacy Form.
---------------------------------------------------------------------------
3. State and International Law Provisions
To accommodate commenters' requests to incorporate state and
international law provisions in the notice,\188\ the Agencies have
added a new optional box at the end of the final model form called
``Other important information.'' The size of the box is not limited
(except where space constraints apply in the Online Form Builder,
described below), and institutions may use a third page, as necessary,
for the information in this box. To qualify for the safe harbor,\189\
institutions that elect to use this box can only use it for the
following: (1) information about state and/or international privacy law
requirements, as applicable; or (2) an acknowledgment form to create a
record of having provided the notice. Certain institutions, for
example, are required to include specific affiliate sharing information
for Vermont residents or to meet other requirements under California
law. Some insurance commenters noted that approximately 16 states have
privacy laws that require insurers to provide notice of ``access and
correction'' rights.\190\ Commenters noted that other states require
disclosures about medical information.\191\ Some large institutions
noted that they are required to provide international law information.
Such information may be included in this new box. In addition, one
association commenter, representing automobile dealers, specifically
requested a place on the form to allow its members to obtain signatures
from customers acknowledging that they had received a copy of the
notice.\192\
---------------------------------------------------------------------------
\188\ See, e.g., comment letters of American Bankers Ass'n (May
25, 2007); American Council of Life Insurers (May 29, 2007); Bank of
America Corporation (May 29, 1007); Citigroup Inc. (May 30, 2007);
Consumer Bankers Ass'n (May 29, 2007); Consumer Mortgage Coalition
(May 29, 2007); Countrywide Home Loans, Inc. (May 29, 2007);
Discover Bank (May 29, 2007); Financial Services Institute (May 29,
2007); Iowa Student Loan (May 22, 2007); KeyCorp (May 25, 2007);
National Business Coalition on E-Commerce and Privacy (May 30,
2007); National Retail Federation (May 29, 2007); National Ass'n of
Mutual Insurance Cos. (May 29, 2007); Sovereign Bank (May 21, 2007);
Wells Fargo (May 29, 2007); World's Foremost Bank (May 25, 2007);
Direct Marketing Ass'n (May 29, 2007); Securities Industry and
Financial Markets Ass'n (May 29, 2007); World Financial Capital Bank
(May 25, 2007); World Financial Network National Bank (May 29,
2007).
\189\ The 10-point minimum font size applies to the contents of
the ``Other important information box.'' In addition, while the safe
harbor extends to including this box at the end of the model form,
it does not extend to the content of the box. Institutions are
responsible for ensuring that any statements made in this box are
accurate.
\190\ See, e.g., comment letters of American Insurance Ass'n
(May 29, 2007); Great-West Life & Annuity Insurance Co. (May 29,
2007).
\191\ See, e.g., comment letters of American Council of Life
Insurers (May 29, 2007); American Insurance Ass'n (May 29, 2007);
Huntington National Bank (May 25, 2007).
\192\ See comment letter of National Automobile Dealers Ass'n
(May 29, 2007).
---------------------------------------------------------------------------
K. Other Issues
1. Highlighting Material Changes in Privacy Practices
We sought comment on whether the model privacy form should
highlight material changes in the notice. A number of industry
commenters opposed this suggestion, citing consumer confusion.\193\
Some stated that the GLB Act requires revised notices when the
institution's policy has changed.\194\ One advocacy group supported
adding an extra column to the notice table highlighting specific
changes made since the previous notice.\195\
---------------------------------------------------------------------------
\193\ See, e.g., comment letters of American Council of Life
Insurers (May 29, 2007); Consumer Bankers Ass'n (May 29, 2007);
Citigroup Inc. (May 30, 2007); Mastercard Worldwide (May 29, 2007);
Securities Industry and Financial Markets Ass'n (May 29, 2007).
\194\ See comment letters of American Council of Life Insurers
(May 29, 2007); Citigroup Inc. (May 30, 2007).
\195\ See, e.g., comment letters of Center for Democracy and
Technology (May 29, 2007); see also New York State Consumer
Protection Board (May 29, 2007).
---------------------------------------------------------------------------
After considering these comments, the Agencies determined that the
simplest way to help consumers identify how recently the notice was
changed is to include a ``revised [month/year]'' notation in the upper
right-hand corner of page one of the notice. The revised date, in
minimum 8-point font, is the date the policy was last revised.\196\ Of
course, institutions can signal material changes in their policies by,
for example, use of a cover letter that describes any changes.
---------------------------------------------------------------------------
\196\ Adoption of the model form, with no change in policies or
practices, would not constitute a revised notice, although
institutions may elect to consider the format change as a revision,
at their option. However, inserting the new affiliate marketing opt-
out in the model form would be a revision of the institution's
policies and practices.
---------------------------------------------------------------------------
2. Safe Harbor
A number of industry commenters expressed concern that the safe
harbor provisions do not fully extend to the GLB Act requirements or do
not extend to FCRA disclosures.\197\ These commenters seek broader safe
harbor treatment for the use of the model form, notwithstanding the
statutory provision that use of the model form will satisfy the notice
requirements of the GLB Act and the privacy rule.
---------------------------------------------------------------------------
\197\ See, e.g., comment letters of American Bankers Ass'n (May
25, 2007); California Bankers Ass'n (May 25, 2007); Consumer Bankers
Ass'n (May 29, 2007).
---------------------------------------------------------------------------
The Agencies agree that the model form satisfies the requirements
for the content of the notice required by the GLB Act, including
sections ----.6 and ----.7 of the privacy rule; FCRA section 603(d) as
described in section ----.6 of the privacy rule; and section ----.23 of
the affiliate marketing rule. The Agencies note that the safe harbor
applies to use of the model form, but does not and cannot extend to the
institution-specific information that is inserted in the model form.
Proper use of the model form to comply with the privacy rule requires
that institutions accurately answer the questions about their
information collection and sharing practices, as well as provide to
consumers, as applicable, a reasonable means and opportunity to limit
sharing and honor any opt-out requests submitted.
3. Online Form Builder
Commenters generally supported the Agencies' proposal to provide a
downloadable, fillable version of the model form that institutions
could use to create their own customized notice.\198\ Many smaller
institutions were particularly supportive, noting that it simplifies
adoption and reduces their development costs.
---------------------------------------------------------------------------
\198\ See, e.g., comment letters of American Insurance Ass'n
(May 29, 2007); Center for Democracy and Technology (May 29, 2007);
Citrus and Chemical Bank (May 24, 2007); Credit Union National Ass'n
(May 29, 2007); Independent Community Bankers of America (May 29,
2007); PayPal (May 29, 2007); Portage National Bank (May 1, 2007);
Sovereign Bank (May 21, 2007).
---------------------------------------------------------------------------
In response, the Agencies will be providing on each of their
Websites a link to an Online Form Builder accessible by any institution
so that the institution can readily create a unique, customized privacy
notice using the model form template. The Agencies anticipate that a
temporary Online Form Builder will be available in late 2009
[[Page 62908]]
and that a more robust version will be available to institutions in
late 2010.
4. Web-Based Design
Many industry and advocacy group commenters supported development
of an optional Web-based design, especially as more and more consumers
are engaging in online activities such as online banking.\199\ Some
commenters asked the Agencies to test a design for usability. Some
industry commenters cautioned that the Agencies should leave this task
to industry as institutions are more knowledgeable and better equipped
to address such a task.\200\
---------------------------------------------------------------------------
\199\ See, e.g., comment letters of Center for Democracy and
Technology (May 29, 2007); Investment Company Institute (May 29,
2007); MasterCard Worldwide (May 29, 2007); National Business
Coalition on E-Commerce and Privacy (May 30, 2007); PayPal (May 29,
2007); Target National Bank (May 24, 2007).
\200\ See, e.g., comment letters of American Bankers Ass'n (May
25, 2007); American Council of Life Insurers (May 29, 2007); The
Financial Services Roundtable and BITS (May 29, 2007); Huntington
National Bank (May 25, 2007); National Retail Federation (May 29,
2007); Securities Industry and Financial Markets Ass'n (May 29,
2007); Wachovia Corporation (May 25, 2007).
---------------------------------------------------------------------------
The Board and FTC have agreed to jointly undertake the development
through consumer research of a Web-based version of the final model
form. That research work will proceed independent of this rulemaking,
will be reviewed by all the other Agencies, and will be made publicly
available for use by all institutions. It is anticipated that the work
will be completed in late 2009.
5. Electronic Delivery
A number of commenters objected to limiting the electronic posting
of the model form to a PDF format.\201\ Those expressing a view stated
that providing the form in HTML is more compatible with their systems
and easier for consumers to download and view. The Agencies agree that
institutions can provide the notice electronically in either PDF or
HTML format. Where consumers agree to electronic receipt of the notice,
institutions can send the notice by email either by attaching the
notice or providing a link to the notice.
---------------------------------------------------------------------------
\201\ See, e.g., comment letters of Huntington National Bank
(May 25, 2007); MasterCard Worldwide (May 29, 2007); PayPal (May 29,
2007); Securities Industry and Financial Markets Ass'n (May 29,
2007); Wachovia Corporation (May 25, 2007).
---------------------------------------------------------------------------
6. Other Comments
Some commenters asked if the model form can be adopted for other
languages.\202\ The Agencies believe that this would be beneficial to
an institution's non-English speaking customers and note that
institutions currently provide such notices, consistent with the
privacy rule.
---------------------------------------------------------------------------
\202\ See, e.g., comment letters of First Bank Americano (May 2,
2007); First Hawaiian Bank (May 29, 2007); National Retail
Federation (May 29, 2007).
---------------------------------------------------------------------------
Many industry commenters wanted the flexibility to add other
information to the form. For example, they asked to include information
on the benefits of sharing; privacy tips and identity theft
information; information about fraud prevention; and marketing.\203\
Some commenters asked that additional information such as seal
information be included in the model form.\204\
---------------------------------------------------------------------------
\203\ See, e.g., comment letters of American Bankers Ass'n (May
25, 2007); Bank of America Corporation (May 29, 2007); Comerica Bank
(May 25, 2007); Consumer Bankers Ass'n (May 29, 2007); Citigroup
Inc. (May 30, 2007); First Hawaiian Bank (May 29, 2007); California
Bankers Ass'n (May, 2007); Farmers & Merchants Bank (May 29, 2007);
Financial Services Roundtable and BITS (May 29, 2007); Huntington
National Bank (May 25, 2007); KeyCorp (May 25, 2007); Target
National Bank (May 24, 2007); Wachovia Corporation (May 25, 2007);
Wells Fargo & Company (May 29, 2007).
\204\ See comment letters of PayPal (May 29, 2007); TrustE (May
30, 2007).
---------------------------------------------------------------------------
The Agencies considered these suggestions and decided not to permit
the inclusion of additional information in the final model form. While
an institution may believe this information is useful or important, we
believe that the addition of such information to the model form defeats
the purpose of providing a clear and usable notice about information
sharing practices and consumer rights. The Agencies do not preclude an
institution from providing such information in other, supplemental
materials, if the institution wishes to do so.
One commenter proposed requiring institutions that use the model
form to also have a longer notice that complies with the privacy
rule.\205\ One notice is sufficient if that notice complies with the
law and the privacy rule.
---------------------------------------------------------------------------
\205\ See comment letter of TRUSTe (May 30, 2007).
---------------------------------------------------------------------------
Commenters also raised a number of other issues that are beyond the
scope of this rulemaking. These include making the default opt-in
rather than opt-out; eliminating the annual notice requirement;
preempting state law requirements; and establishing an opt-out
repository similar to the FTC's National ``Do Not Call'' Registry.\206\
---------------------------------------------------------------------------
\206\ See, e.g., comment letters of America's Community Bankers
(May 29, 2007); Bank of Edison (March 21, 2007); Bank of Frankewing
(May 18, 2007); Central National Bank of Enid (May 24, 2007);
FamilyFirst Bank (May 8, 2007); Florence Savings Bank (April 30,
2007); Glenview State Bank (May 2, 2007); Hometown Bank (May 8,
2007); Portage National Bank (May 1, 2007).
---------------------------------------------------------------------------
IV. The Sample Clauses
As proposed, the Agencies are eliminating the Sample Clauses
appended to the privacy rule along with the safe harbor or for SEC-
regulated entities, guidance, currently afforded entities.\207\ Many
industry commenters opposed the proposal.\208\ Some commenters asked
that we retain certain of the Sample Clauses, such as A-1, A-3, and A-
7, the use of which does not implicate an opt-out.\209\ Institutions
expressed concern that elimination of the Sample Clauses and
corresponding safe harbor would expose them to liability.\210\ A few
commenters asked the Agencies to improve the current Sample Clauses as
an interim measure.\211\ Several institutions requested that the
Agencies at a minimum provide for a transition period that is longer
than one year, if the Agencies determine to eliminate the Sample
Clauses.\212\
---------------------------------------------------------------------------
\207\ The Sample Clauses were originally provided in the privacy
rule to illustrate the level of detail for notices to meet the rule
requirements and to minimize the compliance burden. See 65 FR 33646,
33677 (May 24, 2000) (FTC); 65 FR 35162, 35185 (June 1, 2000)
(banking agencies); 65 FR 40334, 40357 (June 29, 2000) (SEC); 66 FR
21236, 21238 (Apr. 27, 2001) (CFTC).
\208\ See, e.g., comment letters of American Bankers Ass'n (May
25, 2007); American Council of Life Insurers (May 29, 2007);
American Insurance Ass'n (May 29, 2007); Bank of America Corporation
(May 29, 2007); Consumer Bankers Ass'n (May 29, 2007); Citigroup
Inc. (May 30, 2007); Direct Marketing Ass'n (May 29, 2007);
Investment Adviser Ass'n (May 29, 2007); National Ass'n of Mutual
Insurance Cos. (May 29, 2007); National Automobile Dealers Ass'n
(May 29, 2007); National Business Coalition on E-Commerce and
Privacy (May 30, 2007); T. Rowe Price Associates, Inc. (May 29,
2007); Visa U.S.A., Inc. (May 29, 2007); Wisconsin Bankers Ass'n
(May 29, 2007).
\209\ See, e.g., comment letter of National Automobile Dealers
Ass'n (May 29, 2007). Sample Clause A-1 describes the categories of
information that an institution collects. Sample Clause A-3 includes
the phrase ``as permitted by law'' to describe the sharing that
institutions are permitted to do under sections ----.14 and ----.15
without triggering an opt-out. Sample Clause A-7 generally states
that an institution uses safeguard measures to protect the handling
of the personal information it obtains.
\210\ See, e.g., comment letters of Visa U.S.A., Inc. (May 29,
2007); Citigroup Inc. (May 30, 2007); Huntington National Bank (May
25, 2009).
\211\ See, e.g., comment letter of Capital One Financial
Corporation (May 29, 2007).
\212\ See, e.g., comment letters of Direct Marketing Ass'n (May
29, 2007); Investment Adviser Ass'n (May 29, 2007).
---------------------------------------------------------------------------
Notwithstanding these comments, the Agencies are eliminating the
Sample Clauses and related safe harbor (or guidance) from the privacy
rule, following a transition period of one year.\213\ The initial
public and media complaints about the incomprehensibility of the
privacy notices,\214\ the plain language experts' guidance at the Get
Noticed Workshop,
[[Page 62909]]
and the launch of this Notice Project all examined the problems with
institutions' privacy notices, including their extensive use of the
Sample Clauses, and the need to develop a usable consumer notice. These
same factors led the Agencies to propose eliminating the Sample
Clauses. One commenter agreed that the research showed the clauses
``were found wanting.'' \215\ An association whose members generally
found the model form to be more consumer-friendly than the Sample
Clauses asked only that the Agencies provide a sufficient transition
period before eliminating the Sample Clauses.\216\
---------------------------------------------------------------------------
\213\ The Agencies are also making conforming amendments to
sections ----.2, ----.6, and ----.7 of the privacy rule and to the
Appendix with one small change from the Proposed Rule.
\214\ See, e.g., Public Citizen Petition, supra note 24 at 4-9;
Press Release of House Committee on Financial Services, supra note
74.
\215\ See comment letter of Capital One Financial Corporation
(May 29, 2007).
\216\ See comment letter of Independent Community Bankers Ass'n
(May 29, 2007).
---------------------------------------------------------------------------
In addition, the quantitative testing supports the Agencies'
proposal to eliminate the Sample Clauses and related safe harbor. The
Levy-Hastak Report confirms that a notice composed solely of the Sample
Clauses promotes ease of scanning to perform simple tasks--because the
notice is short and not because it is understandable--but the Sample
Clauses do not do well on comprehension measures. Moreover, the testing
showed that current notices--in which the Sample Clauses are typically
embedded--do poorly on all measures.
The Levy-Hastak Report examined the results when study participants
were asked to choose between two banks based solely on the content of
the notice and to give reason(s) why they selected a particular bank.
Participants who saw the Sample Clause Notice were more likely to
select the higher sharing bank because it offered an opt-out.\217\ When
these participants were matched with their general attitudinal
preferences toward sharing, the Levy-Hastak Report found that they
generally favored less sharing.\218\ According to the Levy-Hastak
Report, the data suggested that study participants who gave as the
reason for their choice the availability of opt-outs ``may have
mistakenly believed that this would lead them to choosing a lower
sharing bank.'' \219\ In other words, participants who saw the Sample
Clause Notice and selected the higher sharing bank because it offered
opt-outs did not understand that a bank offering no opt-out did so
because it shared less. This finding confirmed reports by small
institutions.\220\
---------------------------------------------------------------------------
\217\ The Levy-Hastak Report also found that study participants
who saw the Current Notice were significantly more likely to give
reasons not based on any information in the notice, for example,
that Bank X offered a lower interest rate. These same participants
were also less likely than those who saw the other notices to give
cogent reasons for choosing the lower sharing bank. Levy-Hastak
Report at 9.
\218\ Id. at 15.
\219\ Id. at 10.
\220\ See supra note 133 and related text.
---------------------------------------------------------------------------
Further, the NAIC Study,\221\ conducted in March 2005, examined
several different insurance disclosure forms with participants in three
focus groups. One was a generic form based on the sample clauses
adopted in the NAIC Model Privacy Rule and similar in content to the
Sample Clause Notice used in the Agencies' quantitative testing. The
NAIC Study highlighted a key finding that is consistent with the
Agencies' research findings. Among the study participants, there was
general misunderstanding of and concern about the language in the form,
in particular the phrase ``as permitted by law'' found in Sample Clause
A-3. Participants in all three focus groups asked: (1) What does this
phrase mean?; (2) what is the law and what does it permit?; and (3)
what if the law changes? Participants who viewed this form did not know
what to do with it and wanted some way to contact the company to get
answers to their questions.
---------------------------------------------------------------------------
\221\ See NAIC Study, supra note 141.
---------------------------------------------------------------------------
Also, in the development of the model form, Kleimann found that
consumers did not understand the language in Sample Clause A-7
regarding the safeguarding of personal information. Through consumer
testing, the description was revised to improve consumer comprehension.
Finally, while many smaller institutions are most likely to engage
in limited sharing and so would rely on the three Sample Clauses, A-1,
A-3, and A-7, many of these institutions support the model form. They
have stated that such a form would make it easier for them to
demonstrate that they are less likely to share personal information,
and it would allow for easier comparison of their sharing practices
with those of other institutions.\222\ One large association commented
that an informal survey of its community bank members found that ``many
are likely to use the model forms'' and that ``[m]ost found the new
forms more consumer-friendly than the existing sample clauses.'' \223\
---------------------------------------------------------------------------
\222\ See, e.g., comment letters of Florence Savings Bank (April
30, 2007); Community Bankers of America (May 29, 2007), Iowa State
Bank and Trust Co. (May 22, 2007), Credit Union National Ass'n (May
29, 2007); see also supra note 133 and related text.
\223\ See comment letter of Independent Community Bankers of
America (May 29, 2007).
---------------------------------------------------------------------------
To ease the compliance burden for those institutions that currently
have privacy notices based on the Sample Clauses, the Agencies are
implementing a transition period that begins thirty (30) days after the
date of publication and ends on December 31, 2010. Financial
institutions will not be able to rely on the safe harbor by using the
Sample Clauses in notices delivered or posted on or after January 1,
2011.\224\ Privacy notices using the Sample Clauses that are delivered
to consumers (either in paper form or by electronic delivery such as e-
mail) or, alternatively, are posted electronically to meet the annual
notice requirement of section --.9(c) during the transition period,
will have a safe harbor for one year after delivery or posting. Privacy
notices using the Sample Clauses that are delivered or posted
electronically after the transition period will not be eligible for a
safe harbor. Since institutions are required to send notices annually
to their customers, they may continue to rely on the safe harbor for
annual notices that are delivered to consumers (either in paper form or
by electronic delivery such as e-mail) within the transition period
until the next annual privacy notice is due one year later.\225\ The
Sample Clauses will be removed from codification one year after the
transition period ends. The SEC, whose privacy rule provides only
guidance and not a safe harbor for financial institutions that use the
Sample Clauses, will also remove the Sample Clauses from codification
one year after the transition period ends.\226\
---------------------------------------------------------------------------
\224\ Institutions relying on the Sample Clauses appended to the
SEC's privacy rule will not be able to rely on them for guidance in
notices delivered or posted on or after January 1, 2011.
\225\ For example, if an institution provides a notice using the
Sample Clauses on or before December 31, 2010, it could continue to
rely on the safe harbor for one additional year until its next
annual notice is due. If an institution provides a notice using the
Sample Clauses on or after January 1, 2011, however, it could not
rely on the safe harbor. Privacy notices using the Sample Clauses
posted on an institution's Web site to meet the annual notice
requirements of section --.9(c) of the privacy rule would no longer
be able to rely on the safe harbor beginning on January 1, 2011.
\226\ See SEC privacy rule, section 248.2(a). The facts and
circumstances of each individual situation determine whether use of
the Sample Clauses constitutes compliance with the SEC's privacy
rule.
---------------------------------------------------------------------------
While the final model form would provide a legal safe harbor,
institutions could continue to use other types of notices that vary
from the model form, including notices that use the Sample Clauses, so
long as these notices comply with the privacy rule.
The Agencies are also amending section --.6(b) of the privacy rule.
The FTC is deleting the second sentence of section 313.6(b) and
substituting the following new sentence, based on the model form
research: ``When describing the categories with respect to those
[[Page 62910]]
parties, it is sufficient to state that you make disclosures to other
nonaffiliated companies for your everyday business purposes, such as to
process transactions, maintain account(s), respond to court orders and
legal investigations, and report to credit bureaus.'' The remaining
Agencies (Board, CFTC, FDIC, NCUA, OCC, OTS, and SEC) are revising the
second sentence of section --.6(b) to read as follows, based in part on
the model form research: ``When describing the categories with respect
to those parties, it is sufficient to state that you make disclosures
to other nonaffiliated companies: (1) For your everyday business
purposes, such as [include all that apply] to process transactions,
maintain account(s), respond to court orders and legal investigations,
or report to credit bureaus; or (2) As permitted by law.'' \227\
---------------------------------------------------------------------------
\227\ Institutions using option (1) in this revised sentence to
section --.6(b) are required to include all applicable examples. See
12 CFR 40.6(b) (OCC); 12 CFR 216.6(b) (Board); 12 CFR 322.6(b)
(FDIC); 12 CFR 573.6(b) (OTS); 12 CFR 716.6(b) (NCUA); 17 CFR
160.6(b) (CFTC); 17 CFR 248.6(b) (SEC).
---------------------------------------------------------------------------
V. Effective Date
The Agencies proposed that most of the provisions of the final rule
would take effect on the date of publication.\228\ That approach would
have allowed institutions that chose to use the model privacy form to
receive the safe harbor for doing so immediately upon its publication.
The Agencies received no comments on providing an immediate effective
date for this portion of the rule. The only comments the Agencies
received concerning the effective date of the rule pertained to removal
of the Sample Clauses and related Appendix, as discussed in section IV.
---------------------------------------------------------------------------
\228\ Proposed Rule, supra note 4, at section IV.
---------------------------------------------------------------------------
The final rule makes most of the provisions effective 30 days after
publication. This approach allows institutions to receive, with only a
minimal delay, a safe harbor for using the model privacy form and the
additional, alternative language that may be used to comply with
section --.6(b) of the privacy rule. The Agencies believe that few, if
any, institutions would choose to implement those changes in fewer than
30 days. The 30-day delay will give institutions and the Agencies time
to implement the changes properly.
VI. Final Regulatory Flexibility Analysis
The Regulatory Flexibility Act (``RFA'') \229\ requires the
Agencies to provide an Initial Regulatory Flexibility Analysis
(``IRFA'') with a proposed rule and a Final Regulatory Flexibility
Analysis (``FRFA'') with a final rule, unless the agency certifies that
the rule will not have a significant economic impact on a substantial
number of small entities. See 5 U.S.C. 603-605. An IRFA was published
by the Agencies in their March 20, 2007, Proposed Rule regarding
amendments to the rules implementing the privacy provisions of the GLB
Act. The Agencies have prepared the following FRFA in accordance with 5
U.S.C. 604.
---------------------------------------------------------------------------
\229\ 5 U.S.C. 601-612.
---------------------------------------------------------------------------
A. Need For and Objectives of Rule Amendments
The goal of the rule amendments is to satisfy the requirements of
section 728 of the Regulatory Relief Act, which requires that the
Agencies develop a model form that is comprehensible, clear and
conspicuous, and succinct. The Act also requires that the model form
enable consumers to easily identify a financial institution's sharing
practices and compare those practices with others. The model form that
the Agencies are adopting today will, if properly used, serve as a safe
harbor for satisfying the privacy rules' requirements regarding content
of privacy notices.
As indicated in section I of the preamble to this final rule, the
amendments to Appendix A of the Agencies' privacy rules are adopted
pursuant to the authority set forth in Sec. 503 (as amended by section
728 of the Regulatory Relief Act) and Sec. 504 of the GLB Act.\230\
---------------------------------------------------------------------------
\230\ The SEC is also adopting the amendments under section 23
of the Securities Exchange Act of 1934 [15 U.S.C. 78w], section
38(a) of the Investment Company Act of 1940 [15 U.S.C. 80a-37(a)],
and section 211(a) of the Investment Advisers Act of 1940 [15 U.S.C.
80b-11(a)].
The CFTC also is adopting the amendments under Section 504 of
the GLB Act [15 U.S.C. 6804], and Sections 5g and 8a(5) of the
Commodity Exchange Act [7 U.S.C. 7b-2, 12a(5)].
---------------------------------------------------------------------------
B. Significant Issues Raised by Public Comment
The Agencies requested comments on the IRFA. We specifically
requested comments on the number of small entities that would be
affected by the rules' amendments, the existence or nature of the
impact of the amendments on small entities, how to quantify the impact
of the amendments, and possible alternatives to the amendments.
Commenters were also asked whether a downloadable version of the model
form would be useful for financial institutions, particularly small
entities that would like to take advantage of the proposed safe harbor.
Only one commenter directly addressed the IRFA.\231\ That commenter
disagreed with the Agencies' analysis that some financial institutions
that may wish to transition to the proposed model form might incur some
small incremental costs in making the transition, but did not provide
any explanation of why the analysis is incorrect or estimates regarding
logistical costs that the commenter asserted would be significant.
Several associations whose members include small entities, however,
expressed support for the objectives of the proposed model notice.\232\
In addition, one association (many of whose members are small entities)
found that many of its members that participated in an informal survey
are likely to use the model forms and most found the forms more
consumer-friendly than the Sample Clauses.\233\ Some commenters
suggested that the model form is oriented to large, multi-affiliate
financial institutions and does not accommodate smaller
institutions.\234\ These commenters stated that the information
collection policies described in the model form accurately reflect the
practices of certain large financial institutions but are misleading to
the extent they are beyond the scope of smaller financial institutions
that do not offer banking-related products and services. In response to
these and similar comments, the Agencies have revised the model form to
allow financial institutions to select from a menu of specific
disclosures to customize the descriptions of their information
collection policies.\235\
---------------------------------------------------------------------------
\231\ Comment letter of National Business Coalition on E-
Commerce and Privacy (May 30, 2007).
\232\ See, e.g., joint comment letter of American Bankers Ass'n,
America's Community Bankers, Consumer Bankers Ass'n, and The
Financial Services Roundtable (May 29, 2007).
\233\ See comment letter of Independent Community Bankers of
America (May 29, 2007).
\234\ See, e.g., comment letters of Financial Services Institute
(May 29, 2007); Financial Planning Ass'n (May 30, 2007).
\235\ See supra sections III.I.2 and III.J.1; see also infra,
Instructions C.2(b) and C.3(a)(3) and (4) to the Model Privacy Form.
---------------------------------------------------------------------------
Several commenters also requested that the Agencies retain the safe
harbor regarding the Sample Clauses, noting that many small entities'
privacy notices currently incorporate the Sample Clauses. One commenter
explained that it would be burdensome and unnecessary for small
entities to change their privacy notices, especially small entities
that do not share personal information other than to service their
clients' accounts.\236\ Another
[[Page 62911]]
commenter argued that elimination of the safe harbor for the Sample
Clauses would transform the model form from an optional elective to a
burdensome regulatory requirement, particularly for small
entities.\237\ We note, however, that the research found that there was
general misunderstanding of and concern among consumers about language
in the notice based on the Sample Clauses.\238\ Nevertheless, partly in
response to these comments, the Agencies are allowing financial
institutions one year in which they can continue to rely on the Sample
Clauses for safe harbor or guidance when providing notices. In
addition, as noted above, while the Agencies are eliminating the Sample
Clauses and related safe harbor (or, for the SEC, guidance),
institutions may continue to use notices containing these clauses, so
long as these notices comply with the privacy rule.
---------------------------------------------------------------------------
\236\ See, e.g., comment letter of Investment Adviser Ass'n (May
29, 2007).
\237\ See, e.g., comment letter of National Automobile Dealers
Ass'n (May 29, 2007).
\238\ See supra section IV and discussion at notes 217-219 and
related text. See also Public Citizen Petition, supra note 24, at 9
(``The paragraph employs ambiguous phrases such as `other
information' (what other information?), `unless otherwise permitted
by law' (in actuality, the law almost always permits disclosure) * *
*'').
---------------------------------------------------------------------------
Finally, we received a limited number of comments indicating that a
downloadable fillable model form may be helpful, especially to small
entities.\239\ In response to these comments, the Agencies will make
available an Online Form Builder. We expect the availability of this
form will, in part, minimize the burden on small businesses of
developing, using, and customizing the model form for their individual
needs.
---------------------------------------------------------------------------
\239\ See, e.g., comment letters of Financial Planning Ass'n
(May 30, 2007); Center for Democracy and Technology (May 29, 2007).
---------------------------------------------------------------------------
C. Small Entities Subject to the Rules
The amendments to Appendix A and conforming amendments to sections
----.2, ----.6, and ----.7 of the Agencies' privacy rules may
potentially affect financial institutions, including financial
institutions that are small businesses or small organizations, that
choose to rely on the model privacy form as a safe harbor.
1. OCC. The OCC estimates that 690 insured national banks,
uninsured national banks and trust companies, and foreign branches and
agencies are small entities for purpose of the RFA.
2. Board. The Board estimates that 432 state member banks are small
entities for purposes of the RFA.
3. FDIC. The FDIC estimates that 3115 state nonmember banks are
small entities for purposes of the RFA.
4. OTS. The OTS estimates that 377 small savings associations are
small entities for purposes of the RFA.
5. NCUA. The RFA requires NCUA to prepare an analysis to describe
any significant economic impact a regulation may have on a substantial
number of small credit unions (primarily those under $10 million in
assets). The NCUA estimates that 3,168 federally-insured, state-
chartered credit unions are small entities for purposes of the RFA.
6. FTC. Determining a precise estimate of the number of small
entities that are financial institutions within the meaning of the rule
is not readily feasible. The GLB Act does not identify for purposes of
the Commission's jurisdiction any specific category of financial
institution. In the absence of such information, there is no way to
estimate precisely the number of affected entities that share nonpublic
personal information with nonaffiliated third parties or that establish
customer relationships with consumers and therefore assume greater
disclosure obligations.
7. CFTC. Section 5g of the CEA, 7 U.S.C. 7b-2, provides that any
futures commission merchant, commodity trading advisor, commodity pool
operator, or introducing broker that is subject to the jurisdiction of
the CFTC with respect to any financial activity, shall be treated as a
financial institution for purposes of Title V of the GLB Act,
regardless of size and including commodity trading advisors and
commodity pool operators that are exempt from the CEA's registration
requirements. The CFTC has previously established certain definitions
of ``small entities'' and determined that futures commission merchants
and commodity pool operators are not small for purposes of the
Regulatory Flexibility Act. Policy Statement and Establishment of
Definitions of ``Small Entities,'' 47 FR 18,618 (Apr. 30, 1982). This
rule applies to commodity trading advisors and introducing brokers of
all sizes. Because use of the model privacy form is voluntary, and
because its use is a form of substituted compliance with Part 160 and
not a new mandatory burden, CFTC believes that the rule will not have a
significant economic impact on a substantial number of small entities.
8. SEC. The SEC estimates that 915 broker-dealers, 212 investment
companies registered with the Commission, and 781 investment advisers
registered with the Commission are small entities for purposes of the
RFA.\240\
---------------------------------------------------------------------------
\240\ For purposes of the RFA, under the Securities Exchange Act
of 1934 a small entity is a broker or dealer that (i) had total
capital of less than $500,000 on the date in its prior fiscal year
as of which its audited financial statements were prepared or, if
not required to file audited financial statements, on the last
business day of its prior fiscal year, and (ii) is not affiliated
with any person that is not a small business or small organization.
17 CFR 240.0-10(c). Under the Investment Company Act of 1940, a
``small entity'' is an investment company that, together with other
investment companies in the same group of related investment
companies, has net assets of $50 million or less as of the end of
its most recent fiscal year. 17 CFR 270.0-10(a). Under the
Investment Advisers Act of 1940, a small entity is an investment
adviser that (i) manages less than $25 million in assets, (ii) has
total assets of less than $5 million on the last day of its most
recent fiscal year, and (iii) does not control, is not controlled
by, and is not under common control with another investment adviser
that manages $25 million or more in assets, or any person that had
total assets of $5 million or more on the last day of the most
recent fiscal year. 17 CFR 275.0-7(a).
---------------------------------------------------------------------------
Because use of the model privacy form will be entirely voluntary,
the Agencies cannot estimate how many small financial institutions will
use it. The Agencies expect, however, that small financial
institutions, particularly those that do not have permanent staff
available to address compliance matters associated with the privacy
rules, will be relatively more likely to rely on the model privacy form
than larger institutions. We believe that most financial institutions
currently have legal counsel review their privacy notices for
compliance with the GLB Act, the FCRA, and the privacy rules. We
anticipate that a financial institution that uses the model form for
its privacy notice will need little review by legal counsel because the
rules do not permit institutions to vary the form if they wish to
obtain the benefit of a safe harbor, except as necessary within narrow
parameters to identify their information collection, sharing, and opt-
out policies. Finally, the Agencies are providing an Online Form
Builder that will enable institutions to directly create a customized
model form and thus will facilitate compliance.
D. Reporting, Recordkeeping, and Other Compliance Requirements
The amendments to the privacy rules do not impose any additional
recordkeeping, reporting, disclosure, or compliance requirements.
Financial institutions, including small entities, have been required to
provide notice to consumers about the institution's privacy policies
and practices since July 1, 2001 (or March 31, 2002, in the case of the
CFTC). The amendments adopted today will not affect these requirements
and financial institutions will be under no obligation to modify their
current
[[Page 62912]]
privacy notices as a result of the amendments. Instead, the amendments
provide a specific model privacy form that a financial institution may
use to comply with notice requirements under the GLB Act, the FCRA (as
amended by the FACT Act), and the privacy rules.
Nonetheless, some of the financial institutions that rely on the
Sample Clauses in the current privacy rules' appendixes may wish to
transition to the model form and may incur some additional costs in
making this transition.\241\ The Agencies expect, however, that the
availability of a standardized model form will minimize these costs
because the form's standardized formatting and language will make it
easier for institutions to prepare and revise their privacy notices.
---------------------------------------------------------------------------
\241\ To the extent that institutions review their privacy
policies annually for compliance, we estimate that the costs
associated with this annual review, including professional costs,
will be approximately the same as the costs to complete the model
form.
---------------------------------------------------------------------------
E. Action by the Agencies To Minimize Effects on Small Entities
The RFA directs the Agencies to consider significant alternatives
that would accomplish the stated objectives, while minimizing any
significant adverse impact on small entities. In connection with the
amendments, we considered the following alternatives:
1. Different reporting or compliance standards. As noted above, the
Regulatory Relief Act requires the Agencies to develop ``a'' model form
that, among other things, will facilitate comparison of the information
sharing practices of different financial institutions. In light of
these statutory requirements, the Agencies are adopting only one model
form, which includes alternative language in some places that allows a
financial institution to describe its particular information collection
and sharing practices. The specific model form that the Agencies are
adopting today was developed as part of a careful and thorough consumer
testing process designed to produce a clear, comprehensible, and
comparable notice. The model form emerged as the most effective of
several notice formats considered as part of this testing.
2. Clarification, consolidation, or simplification of reporting and
compliance requirements. The Agencies believe that the model form will
simplify the reporting requirements for all entities, including small
entities, that choose to use the model form. We anticipate that
financial institutions that choose to use the model form will spend
less time preparing notices than if they had to draft one on their own.
Because the model form was developed as part of a consumer testing
process, further clarifying, consolidating, or simplifying the model
notice would compromise the research findings.
3. Performance rather than design standards. Section 728 of the
Regulatory Relief Act specifically requires that the Agencies develop a
model form. The model form is an alternative means of providing a
privacy notice that institutions may choose to use. The privacy rules
do not mandate the format of privacy notices; thus, neither the privacy
rules nor the amendments impose a design standard.
4. Exempting small entities. We believe that an exemption for small
entities would not be appropriate or desirable. The Agencies note that
the model form is available for use at the discretion of all financial
institutions, including small institutions. Moreover, two key
objectives of the model form are that (1) consumers can understand an
institution's information sharing practices and (2) they may more
easily compare financial institutions' sharing practices and policies
across privacy notices. An exemption for small entities would directly
conflict with both of these key objectives, particularly that of
enabling comparison across notices.
VII. Paperwork Reduction Act
The final privacy rules governing the privacy of consumer financial
information contain disclosures that are considered collections of
information under the Paperwork Reduction Act (PRA).\242\ Before the
Agencies issued their privacy rules, they obtained approval from OMB
for the collections. OMB control numbers for the collections appear
below. The amendments adopted today do not introduce any new
collections of information into the Agencies' privacy rules, nor do
they amend the rules in a way that substantively modifies the
collections of information that OMB has approved. Therefore, no PRA
submissions to OMB are required.
---------------------------------------------------------------------------
\242\ 44 U.S.C. 3501-3520.
---------------------------------------------------------------------------
OCC: Control number 1557-0216.
Board: Control number 7100-0294.
FDIC: Control number 3064-0136.
OTS: Control number 1550-0103.
NCUA: Control number 3133-0163.
FTC: Control number 3084-0121.
SEC: Control number 3235-0537.
CFTC: Control number 3038-0055.
VIII. OCC and OTS Executive Order 12866 Determination
The OCC and OTS have determined that their respective portions of
the final rule are not a significant regulatory action under Executive
Order 12866. We have concluded that the changes made by this rule will
not have an annual effect on the economy of $100 million or more, and
does not meet any of the other standards for a significant action set
forth in E.O. 12866.
IX. OCC and OTS Executive Order 13132 Determination
The OCC and OTS have determined that their respective portions of
the final rule do not have any federalism implications, as required by
Executive Order 13132.
X. OCC and OTS Unfunded Mandates Reform Act of 1995 Determination
Section 202 of the Unfunded Mandates Reform Act of 1995, Public Law
104-4 (UMRA), requires that an agency prepare a budgetary impact
statement before promulgating a rule that includes a Federal mandate
that may result in the expenditure by State, local, and tribal
governments, in the aggregate, or by the private sector of $100 million
or more (adjusted annually for inflation) in any one year. The
inflation adjusted threshold is $133 million or more. If a budgetary
impact statement is required, section 205 of the UMRA also requires an
agency to identify and consider a reasonable number of regulatory
alternatives before promulgating a rule. The OCC and OTS have each
determined that their respective portions of the final rule will not
result in expenditures by State, local, and tribal governments, in the
aggregate, or by the private sector, of $133 million or more in any one
year. Accordingly, the final rule is not subject to section 202 of the
UMRA.
XI. SEC Cost-Benefit Analysis
The SEC is sensitive to the costs and benefits imposed by its
rules. As discussed above, the amendments the Agencies are adopting
today will replace the Sample Clauses included as guidance in
Regulation S-P's Appendix A (17 CFR part 248, appendix A) with a model
privacy form that financial institutions can choose to provide to
consumers. The amendments are designed to implement section 728 of the
Regulatory Relief Act. This Act directs the Agencies to ``jointly
develop a model form which may be used, at the option of the financial
institution, for the provision of disclosures under [section 503 of the
GLB Act].''
The SEC identified certain costs and benefits arising from these
amendments and requested comments on all aspects of the associated
cost-benefit analysis, including identification and assessment of any
costs and benefits not discussed
[[Page 62913]]
in the analysis. The SEC also sought comments on the accuracy of its
cost and benefit estimates and requested commenters to identify,
discuss, analyze, and supply relevant data that would allow the SEC to
improve its estimates. Finally, the SEC requested comments regarding
the potential impact of the proposals on the U.S. economy on an annual
basis.
A. Benefits
The goal of the rules is to satisfy the requirements of section 728
of the Regulatory Relief Act, which requires that the Agencies develop
a model form that is comprehensible, clear and conspicuous, and
succinct. The Act also requires that the model form enable consumers
easily to identify a financial institution's sharing practices and
compare those practices with others. The model form that the Agencies
are adopting today will, if properly used, serve as a safe harbor for
satisfying the privacy rule's requirements regarding the content of
privacy notices.
The SEC requested comments on all aspects of the benefits of the
amendments as proposed. The SEC requested specific comments on
available metrics to quantify these benefits and any other benefits
commenters could identify, and requested commenters to identify sources
of empirical data that could be used for such metrics. The SEC did not
receive any comments in response to these requests.
Use of the model form is voluntary, so a financial institution can
determine for itself its costs and benefits in deciding whether using
the model form would be suitable for its business and customers.
However, new financial institutions will likely benefit from using the
model privacy form because of the savings in time and resources that
would otherwise be spent developing their own notices.
The SEC also anticipates that financial institutions regulated by
the SEC may benefit from the model privacy form's standardized
formatting and language. The SEC believes that institutions currently
review their Regulation S-P privacy policies annually. To the extent
that these institutions are required to change their policies to
reflect changes in their privacy practices, they may find it easier to
use the model privacy form rather than revise their existing notices.
Similarly, the SEC expects that revisions to an institution's
privacy policies will be easier to record in the model form's
standardized format. The SEC also anticipates that a financial
institution that chooses to use the model notice will need little, if
any, ongoing review by legal counsel because an institution cannot vary
the form except within stated parameters as necessary to identify
certain specific information collection, sharing, and opt-out policies.
Before today's amendments, Appendix A of Regulation S-P contained
Sample Clauses that the SEC interpreted as providing guidance, as
opposed to a legal safe harbor. Institutions will therefore benefit
from the certainty that proper use of the model notice entitles them to
a safe harbor for disclosures required under the GLB Act and FCRA.\243\
---------------------------------------------------------------------------
\243\ A number of commenters expressed concern that the safe
harbor provisions might not fully extend to all GLB Act requirements
or FCRA disclosures. See, e.g., comment letter of Citigroup Inc.
(May 30, 2007). Several commenters further suggested the safe harbor
should encompass state and private enforcement. See, e.g., comment
letters of Consumer Bankers Ass'n (May 29, 2007); Financial Services
Institute (May 29, 2007). In response to these comments, the
Agencies have clarified the scope of the safe harbor. See supra
section III.K.2.
---------------------------------------------------------------------------
Consumers should also benefit from the model form through increased
comprehension of and enhanced comparability among privacy policies. The
model form was developed in an extensive consumer research testing
process that sought to maximize consumers' ability to comprehend, use,
and compare privacy notices. The model form emerged as the most
effective of several notice formats considered as part of this testing.
The SEC therefore anticipates that if financial institutions make
widespread use of the model form, consumers' comprehension and their
ability to use and compare privacy policies will be enhanced.
Institutions also might benefit from consumers' enhanced ability to
understand and use the notices to the extent that consumers have more
trust and confidence in an institution's privacy policies because the
consumers understand those policies.
B. Costs
Since the model form is optional, the SEC cannot estimate the
number of institutions that will adopt it. Accordingly, we cannot
estimate total overall costs to use the model form by broker-dealers,
investment advisers registered with the SEC, and investment companies
that may use the model form. However, in the Proposed Rule, the SEC
provided estimates of certain types of costs that could result from the
proposed amendments.
The SEC also sought comments on its cost estimates and the
assumptions behind the estimates, as well as whether any of those costs
would differ if the form were downloadable from a Web site. The
majority of the comments we received predicted significant cost
increases in preparation, distribution, and processing of privacy
notices. Many commenters noted that the prohibition on double-sided
printing and requirement of a separate third page for mail-in opt-outs,
if any, would greatly increase printing costs and would result in
significant environmental waste due to increased paper usage.\244\
Numerous commenters also raised concerns that the 8\1/2\; x 11-inch
paper size requirement, coupled with the prohibition on incorporation
of the model notice into other documents, essentially mandated a
separate mailing for the model notice.\245\ Commenters concluded that
separate mailing of privacy notices would result in significant postage
costs and increase the likelihood that consumers would misplace or fail
to read the notice because it no longer accompanied important
documents.\246\ Several commenters suggested that these costs could
result in lowered adoption rates for the model form.\247\ Based on
these comments, the Agencies have revised the amendments to allow for
double-sided printing and incorporation of the mail-in opt-out on the
bottom of the first page, waiver of a mandatory 8\1/2\ x 11-inch paper
size, and incorporation of the model notice into other documents. We
believe these accommodations will result in greatly reducing the
implementation costs commenters associated with adopting the model
form.
---------------------------------------------------------------------------
\244\ See, e.g., comment letters of Investment Adviser Ass'n
(May 29, 2007) (estimating additional printing and mailing costs for
larger investment advisory firms of $100,000 to more than $300,000
per mailing); Securities Industry and Financial Markets Ass'n (May
29, 2007) (estimating additional printing costs of $7.5 million per
billion notices).
\245\ See, e.g., comment letters of Investment Adviser Ass'n
(May 29, 2007); Citigroup Inc. (May 30, 2007).
\246\ See, e.g., comment letters of Financial Services
Roundtable and BITS (May 29, 2007) (estimating cost to financial
services industry of printing and mailing model form of
approximately $400 million per billion notices); Citigroup Inc. (May
30, 2007) (consumers ``are more likely to open and read mail that
contains an `important' communication such as a billing statement
than an unidentified standalone communication'').
\247\ See, e.g., comment letter of Capital One Financial
Corporation (May 29, 2007).
---------------------------------------------------------------------------
We do not expect that financial institutions will incur additional
disclosure costs in using the model privacy form because the notice
requirements of Regulation S-P have been effective since July 1, 2001,
and are not altered by the amendments. Moreover, financial institutions
will be
[[Page 62914]]
under no obligation to adopt the model form or modify their current
privacy notices. Presumably, financial institutions will not adopt the
model form without first determining that associated costs are
justified by the benefits.
We anticipate that financial institutions that elect to use the
model privacy form could incur some small, incremental developmental
costs in making the transition from their current notices to the model
form. These costs could include staff time to review the model form and
its instructions and complete the model form. We expect these will be
minimal because the language and format in the form are standardized
and financial institutions can only customize very limited sections of
the model privacy form. Institution-specific information is limited to
contact information, selection from a menu of terms relating to
information collection, ``yes'' or ``no'' answers and brief
descriptions, as necessary, of the types of entities with which the
institution shares personal information. Furthermore, the model form
can be downloaded from a Web site so preparation costs should be
minimal.
Similarly, we believe that a financial institution that adopts the
model privacy form would need little, if any, initial or annual review
by legal counsel because almost all the disclosures in the form are
already mandated under the current disclosure regime. One commenter
disagreed and suggested that legal counsel at each financial
institution will spend at least 50 hours initially and annually
ensuring that the model form accurately reflects the institution's
privacy practices.\248\ These estimates seem high because institutions
already know their information collection and sharing practices and
there is very little discretion the institution has in choosing from
among a menu of terms to disclose that information on the model form.
Even if those estimates are accurate, however, we believe that those
legal costs would likely have been incurred with respect to any model
form unless it conformed exactly to the institution's current form.
---------------------------------------------------------------------------
\248\ See comment letter of Securities Industry and Financial
Markets Ass'n (May 29, 2007).
---------------------------------------------------------------------------
Transition costs may also include administrative, logistical, and
training costs. For example, several commenters highlighted one-time
costs stemming from rewriting notices, republishing brochures or
notices, and revising or reprinting documents that incorporate current
notices.\249\ We anticipate these costs will be minimal, if any, in
part because the Agencies are allowing financial institutions a
transition period of one year during which they can continue to rely on
the Sample Clauses for safe harbor or guidance. Although an institution
may choose to replace a current privacy notice with a model privacy
notice, this should not require substantial rewriting because there are
few drafting choices in the model form. In addition, the SEC believes
it is unlikely that many financial institutions have stockpiles of more
than one year's worth of privacy notices or documents that incorporate
privacy notices on hand for distribution. Several commenters also
raised concerns regarding increased customer service demands and the
necessity for financial institutions to proactively take steps to
address customer confusion. For example, one commenter noted that
financial institutions would face one-time costs associated with
revising or preparing explanatory material for training employees
regarding the model form, such as scripts and responses for call
centers.\250\ Since the amendments do not affect Regulation S-P's
substantive requirements, we anticipate that any substantive questions
about the institutions' privacy practices should already be addressed
by existing explanatory materials. We anticipate any new explanatory
material will be limited to questions regarding the revised format of
the model form, which due to its standardized nature should be
relatively simple to address.
---------------------------------------------------------------------------
\249\ See comment letter of T. Rowe Price Associates, Inc. (May
29, 2007).
\250\ See comment letter of Investment Adviser Ass'n (May 29,
2007).
---------------------------------------------------------------------------
Insofar as the Sample Clauses in current Regulation S-P may have
some value to some financial institutions, their phase-out under the
amendments to the rules may create some costs to those institutions.
However, we expect those costs to be minimal. As discussed above, the
Agencies are giving financial institutions a transition period of one
year during which they can continue to rely on the Sample Clauses for
guidance or a safe harbor, which should allow time to minimize the
transition costs for any institutions that adopt the model privacy
form. Moreover, as noted above, elimination of the Sample Clauses as
guidance does not mean that institutions that continue to use these
clauses are in violation of the SEC's privacy rule. Institutions may
continue to use notices containing these clauses so long as these
notices comply with the privacy rule.
Lastly, customers may experience certain costs associated with
adoption of the model form. Several commenters suggested that the model
form sacrifices greater consumer understanding about information
sharing practices in exchange for a simplified notice format.\251\
Another commenter speculated that adoption of the model form would
result in customer confusion and potential loss of customer trust due
to the misimpression that financial institutions are changing their
privacy policies.\252\ One commenter concluded that consumer confusion
resulting from overly simplified disclosures would lead to unacceptably
high opt-out rates and discourage use of the model form by financial
institutions.\253\ As discussed above, the model form was developed in
an extensive consumer research testing process that sought to maximize
consumers' ability to comprehend, use, and compare privacy notices. The
model form emerged as the most effective of several notice formats
considered as part of this testing. Consequently, the SEC believes that
any customer confusion that results from adoption of the model form
will be minimal. Furthermore, we expect that any such confusion will be
rapidly dissipated if financial institutions make widespread use of the
model privacy form and consumers become more familiar with its
contents.
---------------------------------------------------------------------------
\251\ See, e.g., comment letter of Bank of America Corporation
(May 29, 2007).
\252\ See comment letter of Visa U.S.A. Inc. (May 29, 2007).
\253\ See comment letter of Financial Services Institute (May
29, 2007).
---------------------------------------------------------------------------
Although the SEC cannot determine aggregate costs because of the
unknown number of financial institutions that will adopt the model
form, we expect each financial institution choosing to adopt the model
form to incur minimal, if any, costs. As discussed above, we do not
anticipate that financial institutions will incur additional disclosure
costs in using the model privacy form because the substantive notice
requirements of Regulation S-P have been effective since July 1, 2001,
and are not altered by the amendments. We expect notice development and
transition costs to be minimal because the language and format in the
model form are standardized and financial institutions can only
customize a few sections of the model form by selecting from among a
menu of specific terms. Furthermore, the model form can be downloaded
from a Web site so preparation costs should be minimal. Moreover, the
Agencies are giving financial
[[Page 62915]]
institutions one year in which they can continue to rely on the Sample
Clauses for safe harbor or guidance, which should allow time to
minimize the transition costs for any institution that adopts the model
privacy form.
Similarly, the SEC expects any aggregate costs to consumers that
may result from adoption of the model form to be minimal, if any. As
discussed above, the model form emerged as the most effective of
several notice formats in an extensive consumer research testing
process that sought to maximize consumers' ability to comprehend, use,
and compare privacy notices. We anticipate that any initial costs to
consumers in the form of confusion or reduced understanding will be
short-lived as increasing numbers of financial institutions use the
model privacy form and consumers become more familiar with its contents
and can use the form to compare notices more easily.
XII. SEC Consideration of Burden on Competition
Securities Exchange Act Section 23(a)(2) requires the SEC, in
adopting rules under that Act, to consider the impact that any such
rule will have on competition.\254\ Section 23(a)(2) also prohibits the
SEC from adopting any rule that will impose a burden on competition not
necessary or appropriate in furtherance of the purposes of the
Securities Exchange Act.
---------------------------------------------------------------------------
\254\ See 15 U.S.C. 78w(a)(2).
---------------------------------------------------------------------------
As discussed above, the amendments to Regulation S-P, including the
model form, are designed to comply with section 728 of the Regulatory
Relief Act, mandating that the Agencies develop a model form that is
comprehensible, clear and conspicuous, and succinct. SEC-regulated
institutions will be able to use the model form in order to comply with
the notice requirements under the GLB Act, the FCRA, and Regulation S-
P.
The SEC does not expect the amendments to have a significant impact
on competition. Use of the model form will be voluntary, permitting a
financial institution to determine whether using the model form will
enhance its competitive position. All brokers and dealers, investment
companies, and registered investment advisers will be able to use the
model form and take advantage of the safe harbor. Other financial
institutions will be able to use the form and take advantage of the
safe harbor under comparable rules adopted by the other Agencies. Under
the Regulatory Relief Act, the Agencies have worked in consultation in
order to ensure the consistency and comparability of the amendments.
Therefore, all financial institutions will have the same opportunity to
use the model form and rely on the safe harbor.
Further, if financial institutions choose to use the model form,
the amendments could promote competition by enabling consumers more
easily to understand and compare competing institutions' privacy
policies. The SEC also anticipates that the model form's standardized
formatting may reduce the relative burden of compliance on smaller
financial institutions, allowing them to compete more effectively with
larger institutions that are more likely to have a dedicated compliance
staff. As such, the SEC expects any impact on competition caused by the
amendments would not be significant.
XIII. NCUA: The Treasury and General Government Appropriations Act,
1999-Assessment of Federal Regulations and Policies on Families
The NCUA has determined that this rule will not affect family well-
being within the meaning of section 654 of the Treasury and General
Government Appropriations Act, 1999, Public Law 105-277, 112 Stat. 2681
(1998).
XIV. CFTC Cost-Benefit Analysis
Section 15 of the Commodity Exchange Act requires the CFTC to
consider the costs and benefits of its action before issuing a new
regulation under the Act. The CFTC understands that, by its terms,
section 15 does not require the CFTC to quantify the costs and benefits
of a new regulation or to determine whether the benefits of the
regulation outweigh its costs. Nor does it require that each rule be
analyzed piecemeal or in isolation when that rule is a component of a
larger package of rules or rule revisions. Rather, section 15 simply
requires the CFTC to ``consider the costs and benefits'' of its action.
Section 15 further specifies that costs and benefits shall be
evaluated in light of five broad areas of market and public concern:
Protection of market participants and the public; efficiency,
competitiveness, and financial integrity of futures markets; price
discovery; sound risk management practices; and other public interest
considerations. Accordingly, the CFTC could in its discretion give
greater weight to any one of the five enumerated areas of concern and
could in its discretion determine that, notwithstanding its costs, a
particular rule was necessary or appropriate to protect the public
interest or to effectuate any of the provisions or to accomplish any of
the purposes of the Act.
The CFTC has considered the costs and benefits of the model form as
a totality. The form provides a non-mandatory means of complying with
existing requirements of the privacy provisions of the GLB Act and
section 5g of the CEA, and thus imposes no mandatory new costs. The
CFTC believes that the model form should benefit futures industry
consumer customers in better understanding a financial institution's
privacy policies, and may facilitate customers in comparing the privacy
policies of financial institutions.
List of Subjects
12 CFR Part 40
Banks, banking, Consumer protection, National banks, Privacy,
Reporting and recordkeeping requirements.
12 CFR Part 216
Banks, banking, Consumer protection, Foreign banking, Holding
companies, Privacy, Reporting and recordkeeping requirements.
12 CFR Part 332
Banks, banking, Consumer protection, Foreign banking, Privacy,
Reporting and recordkeeping requirements.
12 CFR Part 573
Consumer protection, Privacy, Reporting and recordkeeping
requirements, Savings associations.
12 CFR Part 716
Consumer protection, Credit unions, Privacy, Reporting and
recordkeeping requirements.
16 CFR Part 313
Consumer protection, Credit, Privacy, Reporting and recordkeeping
requirements, Trade practices.
17 CFR Part 160
Brokers, Consumer protection, Privacy, Reporting and recordkeeping
requirements.
17 CFR Part 248
Brokers, Consumer protection, Investment companies, Privacy,
Reporting and recordkeeping requirements, Securities.
[[Page 62916]]
DEPARTMENT OF THE TREASURY
Office of the Comptroller of the Currency
12 CFR Chapter I
Authority and Issuance
0
For the reasons set forth in the joint preamble, part 40 of chapter I
of title 12 of the Code of Federal Regulations is amended as follows:
PART 40--PRIVACY OF CONSUMER FINANCIAL INFORMATION
0
1. The authority citation for part 40 continues to read as follows:
Authority: 12 U.S.C. 93a; 15 U.S.C. 6801 et seq.
0
2. Revise Sec. 40.2 to read as follows:
Sec. 40.2 Model privacy form and examples.
(a) Model privacy form. Use of the model privacy form in Appendix A
of this part, consistent with the instructions in Appendix A,
constitutes compliance with the notice content requirements of
Sec. Sec. 40.6 and 40.7 of this part, although use of the model
privacy form is not required.
(b) Examples. The examples in this part are not exclusive.
Compliance with an example, to the extent applicable, constitutes
compliance with this part.
0
3. In Sec. 40.6:
0
A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set
forth below.
0
B. Effective January 1, 2012, remove paragraph (g).
Sec. 40.6 Information to be included in privacy notices.
* * * * *
(b) Description of nonaffiliated third parties subject to
exceptions. If you disclose nonpublic personal information to third
parties as authorized under Sec. Sec. 40.14 and 40.15, you are not
required to list those exceptions in the initial or annual privacy
notices required by Sec. Sec. 40.4 and 40.5. When describing the
categories with respect to those parties, it is sufficient to state
that you make disclosures to other nonaffiliated companies:
(1) For your everyday business purposes, such as [include all that
apply] to process transactions, maintain account(s), respond to court
orders and legal investigations, or report to credit bureaus; or
(2) As permitted by law.
* * * * *
(f) Model privacy form. Pursuant to Sec. 40.2(a) of this part, a
model privacy form that meets the notice content requirements of this
section is included in Appendix A of this part.
(g) Sample clauses. Sample clauses illustrating some of the notice
content required by this section are included in Appendix B of this
part. Use of a sample clause in a privacy notice provided on or before
December 31, 2010, to the extent applicable, constitutes compliance
with this part.
0
4. In Sec. 40.7, add paragraph (i) to read as follows:
Sec. 40.7 Form of opt-out notice to consumers; opt-out methods.
* * * * *
(i) Model privacy form. Pursuant to Sec. 40.2(a) of this part, a
model privacy form that meets the notice content requirements of this
section is included in Appendix A of this part.
Appendix A [Redesignated as Appendix B]
0
5. Redesignate Appendix A to part 40 as Appendix B to part 40.
0
6. Add new Appendix A to part 40 to read as follows:
Appendix A to Part 40--Model Privacy Form
A. The Model Privacy Form
BILLING CODE 6750-01-P 12.5%, 6351-01-P 12.5%, 6720-01-P 12.5%, 6714-
01-P 12.5%, 4810-33-P 12.5%, 6210-01-P 12.5%, 8011-01-P 12.5%, 7535-01-
P 12.5%
[[Page 62917]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.000
[[Page 62918]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.001
[[Page 62919]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.002
[[Page 62920]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.003
[[Page 62921]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.004
[[Page 62922]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.005
[[Page 62923]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.006
BILLING CODE 6750-01-P 12.5%, 6351-01-C 12.5%, 6720-01-C 12.5%, 6714-
01-C 12.5%, 4810-33-C 12.5%, 6210-01-C 12.5%, 8011-01-C 12.5%, 7535-01-
C 12.5%
B. General Instructions
1. How the Model Privacy Form Is Used
(a) The model form may be used, at the option of a financial
institution, including a group of financial institutions that use a
common privacy notice, to meet the content requirements of the
privacy notice and opt-out notice set forth in Sec. Sec. 40.6 and
40.7 of this part.
(b) The model form is a standardized form, including page
layout, content, format, style, pagination, and shading.
Institutions seeking to obtain the safe harbor through use of the
model form may modify it only as described in these Instructions.
(c) Note that disclosure of certain information, such as assets,
income, and information from a consumer reporting agency, may give
rise to obligations under the Fair Credit Reporting Act [15 U.S.C.
1681-1681x] (FCRA), such as a requirement to permit a consumer to
opt out of disclosures to affiliates or designation as a consumer
reporting agency if disclosures are made to nonaffiliated third
parties.
(d) The word ``customer'' may be replaced by the word ``member''
whenever it appears in the model form, as appropriate.
2. The Contents of the Model Privacy Form
The model form consists of two pages, which may be printed on
both sides of a single sheet of paper, or may appear on two separate
pages. Where an institution provides a long list of institutions at
the end of the model form in accordance with Instruction C.3(a)(1),
or provides additional information in accordance with Instruction
C.3(c), and such list or additional information exceeds the space
available on page two of the model form, such list or additional
information may extend to a third page.
(a) Page One. The first page consists of the following
components:
(1) Date last revised (upper right-hand corner).
(2) Title.
(3) Key frame (Why?, What?, How?).
(4) Disclosure table (``Reasons we can share your personal
information'').
(5) ``To limit our sharing'' box, as needed, for the financial
institution's opt-out information.
(6) ``Questions'' box, for customer service contact information.
(7) Mail-in opt-out form, as needed.
(b) Page Two. The second page consists of the following
components:
(1) Heading (Page 2).
(2) Frequently Asked Questions (``Who we are'' and ``What we
do'').
(3) Definitions.
(4) ``Other important information'' box, as needed.
3. The Format of the Model Privacy Form
The format of the model form may be modified only as described
below.
(a) Easily readable type font. Financial institutions that use
the model form must use an easily readable type font. While a number
of factors together produce easily readable type font, institutions
are required to use a minimum of 10-point font (unless otherwise
expressly permitted in these Instructions) and sufficient spacing
between the lines of type.
(b) Logo. A financial institution may include a corporate logo
on any page of the notice, so long as it does not interfere with the
readability of the model form or the space constraints of each page.
(c) Page size and orientation. Each page of the model form must
be printed on paper in portrait orientation, the size of which must
be sufficient to meet the layout and minimum font size requirements,
with sufficient white space on the top, bottom, and sides of the
content.
(d) Color. The model form must be printed on white or light
color paper (such as cream) with black or other contrasting ink
color. Spot color may be used to achieve visual interest, so long as
the color contrast is distinctive and the color does not detract
from the readability of the model form. Logos may also be printed in
color.
(e) Languages. The model form may be translated into languages
other than English.
C. Information Required in the Model Privacy Form
The information in the model form may be modified only as
described below:
1. Name of the Institution or Group of Affiliated Institutions
Providing the Notice
Insert the name of the financial institution providing the
notice or a common identity of affiliated institutions jointly
providing the notice on the form wherever [name of financial
institution] appears.
2. Page One
(a) Last revised date. The financial institution must insert in
the upper right-hand corner the date on which the notice was last
revised. The information shall appear in minimum 8-point font as
``rev. [month/year]'' using either the name or number of the month,
such as ``rev. July 2009'' or ``rev. 7/09''.
(b) General instructions for the ``What?'' box.
(1) The bulleted list identifies the types of personal
information that the institution collects and shares. All
institutions must use the term ``Social Security number'' in the
first bullet.
(2) Institutions must use five (5) of the following terms to
complete the bulleted list: income; account balances; payment
history; transaction history; transaction or loss history; credit
history; credit scores; assets; investment experience; credit-based
insurance scores; insurance claim history; medical information;
overdraft history; purchase history; account transactions; risk
tolerance; medical-related debts; credit card or other debt;
mortgage rates and payments; retirement assets; checking account
information; employment information; wire transfer instructions.
(c) General instructions for the disclosure table. The left
column lists reasons for
[[Page 62924]]
sharing or using personal information. Each reason correlates to a
specific legal provision described in paragraph C.2(d) of this
Instruction. In the middle column, each institution must provide a
``Yes'' or ``No'' response that accurately reflects its information
sharing policies and practices with respect to the reason listed on
the left. In the right column, each institution must provide in each
box one of the following three (3) responses, as applicable, that
reflects whether a consumer can limit such sharing: ``Yes'' if it is
required to or voluntarily provides an opt-out; ``No'' if it does
not provide an opt-out; or ``We don't share'' if it answers ``No''
in the middle column. Only the sixth row (``For our affiliates to
market to you'') may be omitted at the option of the institution.
See paragraph C.2(d)(6) of this Instruction.
(d) Specific disclosures and corresponding legal provisions.
(1) For our everyday business purposes. This reason incorporates
sharing information under Sec. Sec. 40.14 and 40.15 and with
service providers pursuant to Sec. 40.13 of this part other than
the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these
Instructions.
(2) For our marketing purposes. This reason incorporates sharing
information with service providers by an institution for its own
marketing pursuant to Sec. 40.13 of this part. An institution that
shares for this reason may choose to provide an opt-out.
(3) For joint marketing with other financial companies. This
reason incorporates sharing information under joint marketing
agreements between two or more financial institutions and with any
service provider used in connection with such agreements pursuant to
Sec. 40.13 of this part. An institution that shares for this reason
may choose to provide an opt-out.
(4) For our affiliates' everyday business purposes--information
about transactions and experiences. This reason incorporates sharing
information specified in sections 603(d)(2)(A)(i) and (ii) of the
FCRA. An institution that shares for this reason may choose to
provide an opt-out.
(5) For our affiliates' everyday business purposes--information
about creditworthiness. This reason incorporates sharing information
pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution
that shares for this reason must provide an opt-out.
(6) For our affiliates to market to you. This reason
incorporates sharing information specified in section 624 of the
FCRA. This reason may be omitted from the disclosure table when: the
institution does not have affiliates (or does not disclose personal
information to its affiliates); the institution's affiliates do not
use personal information in a manner that requires an opt-out; or
the institution provides the affiliate marketing notice separately.
Institutions that include this reason must provide an opt-out of
indefinite duration. An institution that is required to provide an
affiliate marketing opt-out, but does not include that opt-out in
the model form under this part, must comply with section 624 of the
FCRA and 12 CFR part 41, subpart C, with respect to the initial
notice and opt-out and any subsequent renewal notice and opt-out. An
institution not required to provide an opt-out under this
subparagraph may elect to include this reason in the model form.
(7) For nonaffiliates to market to you. This reason incorporates
sharing described in Sec. Sec. 40.7 and 40.10(a) of this part. An
institution that shares personal information for this reason must
provide an opt-out.
(e) To limit our sharing: A financial institution must include
this section of the model form only if it provides an opt-out. The
word ``choice'' may be written in either the singular or plural, as
appropriate. Institutions must select one or more of the applicable
opt-out methods described: telephone, such as by a toll-free number;
a Web site; or use of a mail-in opt-out form. Institutions may
include the words ``toll-free'' before telephone, as appropriate. An
institution that allows consumers to opt out online must provide
either a specific Web address that takes consumers directly to the
opt-out page or a general Web address that provides a clear and
conspicuous direct link to the opt-out page. The opt-out choices
made available to the consumer who contacts the institution through
these methods must correspond accurately to the ``Yes'' responses in
the third column of the disclosure table. In the part titled
``Please note'' institutions may insert a number that is 30 or
greater in the space marked ``[30].'' Instructions on voluntary or
state privacy law opt-out information are in paragraph C.2(g)(5) of
these Instructions.
(f) Questions box. Customer service contact information must be
inserted as appropriate, where [phone number] or [Web site] appear.
Institutions may elect to provide either a phone number, such as a
toll-free number, or a Web address, or both. Institutions may
include the words ``toll-free'' before the telephone number, as
appropriate.
(g) Mail-in opt-out form. Financial institutions must include
this mail-in form only if they state in the ``To limit our sharing''
box that consumers can opt out by mail. The mail-in form must
provide opt-out options that correspond accurately to the ``Yes''
responses in the third column in the disclosure table. Institutions
that require customers to provide only name and address may omit the
section identified as ``[account ].'' Institutions that
require additional or different information, such as a random opt-
out number or a truncated account number, to implement an opt-out
election should modify the ``[account ]'' reference
accordingly. This includes institutions that require customers with
multiple accounts to identify each account to which the opt-out
should apply. An institution must enter its opt-out mailing address:
In the far right of this form (see version 3); or below the form
(see version 4). The reverse side of the mail-in opt-out form must
not include any content of the model form.
(1) Joint accountholder. Only institutions that provide their
joint accountholders the choice to opt out for only one
accountholder, in accordance with paragraph C.3(a)(5) of these
Instructions, must include in the far left column of the mail-in
form the following statement: ``If you have a joint account, your
choice(s) will apply to everyone on your account unless you mark
below. [squ] Apply my choice(s) only to me.'' The word ``choice''
may be written in either the singular or plural, as appropriate.
Financial institutions that provide insurance products or services,
provide this option, and elect to use the model form may substitute
the word ``policy'' for ``account'' in this statement. Institutions
that do not provide this option may eliminate this left column from
the mail-in form.
(2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution
shares personal information pursuant to section 603(d)(2)(A)(iii) of
the FCRA, it must include in the mail-in opt-out form the following
statement: ``[squ] Do not share information about my
creditworthiness with your affiliates for their everyday business
purposes.''
(3) FCRA Section 624 opt-out. If the institution incorporates
section 624 of the FCRA in accord with paragraph C.2(d)(6) of these
Instructions, it must include in the mail-in opt-out form the
following statement: ``[squ] Do not allow your affiliates to use my
personal information to market to me.''
(4) Nonaffiliate opt-out. If the financial institution shares
personal information pursuant to Sec. 40.10(a) of this part, it
must include in the mail-in opt-out form the following statement:
``[squ] Do not share my personal information with nonaffiliates to
market their products and services to me.''
(5) Additional opt-outs. Financial institutions that use the
disclosure table to provide opt-out options beyond those required by
Federal law must provide those opt-outs in this section of the model
form. A financial institution that chooses to offer an opt-out for
its own marketing in the mail-in opt-out form must include one of
the two following statements: ``[squ] Do not share my personal
information to market to me.'' or ``[squ] Do not use my personal
information to market to me.'' A financial institution that chooses
to offer an opt-out for joint marketing must include the following
statement: ``[squ] Do not share my personal information with other
financial institutions to jointly market to me.''
(h) Barcodes. A financial institution may elect to include a
barcode and/or ``tagline'' (an internal identifier) in 6-point font
at the bottom of page one, as needed for information internal to the
institution, so long as these do not interfere with the clarity or
text of the form.
3. Page Two
(a) General Instructions for the Questions. Certain of the
Questions may be customized as follows:
(1) ``Who is providing this notice?'' This question may be
omitted where only one financial institution provides the model form
and that institution is clearly identified in the title on page one.
Two or more financial institutions that jointly provide the model
form must use this question to identify themselves as required by
Sec. 40.9(f) of this part. Where the list of institutions exceeds
four (4) lines, the institution must describe in the response to
this question the general types of institutions jointly providing
the notice and must separately identify those institutions, in
minimum 8-point font, directly following the ``Other important
[[Page 62925]]
information'' box, or, if that box is not included in the
institution's form, directly following the ``Definitions.'' The list
may appear in a multi-column format.
(2) ``How does [name of financial institution] protect my
personal information?'' The financial institution may only provide
additional information pertaining to its safeguards practices
following the designated response to this question. Such information
may include information about the institution's use of cookies or
other measures it uses to safeguard personal information.
Institutions are limited to a maximum of 30 additional words.
(3) ``How does [name of financial institution] collect my
personal information?'' Institutions must use five (5) of the
following terms to complete the bulleted list for this question:
Open an account; deposit money; pay your bills; apply for a loan;
use your credit or debit card; seek financial or tax advice; apply
for insurance; pay insurance premiums; file an insurance claim; seek
advice about your investments; buy securities from us; sell
securities to us; direct us to buy securities; direct us to sell
your securities; make deposits or withdrawals from your account;
enter into an investment advisory contract; give us your income
information; provide employment information; give us your employment
history; tell us about your investment or retirement portfolio; tell
us about your investment or retirement earnings; apply for
financing; apply for a lease; provide account information; give us
your contact information; pay us by check; give us your wage
statements; provide your mortgage information; make a wire transfer;
tell us who receives the money; tell us where to send the money;
show your government-issued ID; show your driver's license; order a
commodity futures or option trade. Institutions that collect
personal information from their affiliates and/or credit bureaus
must include after the bulleted list the following statement: ``We
also collect your personal information from others, such as credit
bureaus, affiliates, or other companies.'' Institutions that do not
collect personal information from their affiliates or credit bureaus
but do collect information from other companies must include the
following statement instead: ``We also collect your personal
information from other companies.'' Only institutions that do not
collect any personal information from affiliates, credit bureaus, or
other companies can omit both statements.
(4) ``Why can't I limit all sharing?'' Institutions that
describe state privacy law provisions in the ``Other important
information'' box must use the bracketed sentence: ``See below for
more on your rights under state law.'' Other institutions must omit
this sentence.
(5) ``What happens when I limit sharing for an account I hold
jointly with someone else?'' Only financial institutions that
provide opt-out options must use this question. Other institutions
must omit this question. Institutions must choose one of the
following two statements to respond to this question: ``Your choices
will apply to everyone on your account.'' or ``Your choices will
apply to everyone on your account--unless you tell us otherwise.''
Financial institutions that provide insurance products or services
and elect to use the model form may substitute the word ``policy''
for ``account'' in these statements.
(b) General Instructions for the Definitions.
The financial institution must customize the space below the
responses to the three definitions in this section. This specific
information must be in italicized lettering to set off the
information from the standardized definitions.
(1) Affiliates. As required by Sec. 40.6(a)(3) of this part,
where [affiliate information] appears, the financial institution
must:
(i) If it has no affiliates, state: ``[name of financial
institution] has no affiliates;''
(ii) If it has affiliates but does not share personal
information, state: ``[name of financial institution] does not share
with our affiliates;'' or
(iii) If it shares with its affiliates, state, as applicable:
``Our affiliates include companies with a [common corporate identity
of financial institution] name; financial companies such as [insert
illustrative list of companies;] nonfinancial companies, such as
[insert illustrative list of companies]; and others, such as [insert
illustrative list].''
(2) Nonaffiliates. As required by Sec. 40.6(c)(3) of this part,
where [nonaffiliate information] appears, the financial institution
must:
(i) If it does not share with nonaffiliated third parties,
state: ``[name of financial institution] does not share with
nonaffiliates so they can market to you''; or
(ii) If it shares with nonaffiliated third parties, state, as
applicable: ``Nonaffiliates we share with can include [list
categories of companies such as mortgage companies, insurance
companies, direct marketing companies, and nonprofit
organizations].''
(3) Joint Marketing. As required by Sec. 40.13 of this part,
where [joint marketing] appears, the financial institution must:
(i) If it does not engage in joint marketing, state: ``[name of
financial institution] doesn't jointly market''; or
(ii) If it shares personal information for joint marketing,
state, as applicable: ``Our joint marketing partners include [list
categories of companies such as credit card companies].''
(c) General instructions for the ``Other important information''
box. This box is optional. The space provided for information in
this box is not limited. Only the following types of information can
appear in this box.
(1) State and/or international privacy law information; and/or
(2) Acknowledgment of receipt form.
0
7. Amend newly redesignated Appendix B to part 40 as follows:
0
A. Add a new sentence to the beginning of the introductory text as set
forth below.
0
B. Effective January 1, 2012, remove Appendix B to part 40.
Appendix B to Part 40--Sample Clauses
This Appendix only applies to privacy notices provided before
January 1, 2011. * * *
* * * * *
Federal Reserve System
12 CFR Chapter II
Authority and Issuance
0
For the reasons set forth in the joint preamble, the Board amends part
216 of chapter II of title 12 of the Code of Federal Regulations as
follows:
PART 216--PRIVACY OF CONSUMER FINANCIAL INFORMATION
0
8. The authority citation for part 216 continues to read as follows:
Authority: 15 U.S.C. 6801 et seq.
0
9. Revise Sec. 216.2 to read as follows:
Sec. 216.2 Model privacy form and examples.
(a) Model privacy form. Use of the model privacy form in Appendix A
of this part, consistent with the instructions in Appendix A,
constitutes compliance with the notice content requirements of
Sec. Sec. 216.6 and 216.7 of this part, although use of the model
privacy form is not required.
(b) Examples. The examples in this part are not exclusive.
Compliance with an example, to the extent applicable, constitutes
compliance with this part.
0
10. In Sec. 216.6:
0
A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set
forth below.
0
B. Effective January 1, 2012, remove paragraph (g).
Sec. 216.6 Information to be included in privacy notices.
* * * * *
(b) Description of nonaffiliated third parties subject to
exceptions. If you disclose nonpublic personal information to third
parties as authorized under Sec. Sec. 216.14 and 216.15, you are not
required to list those exceptions in the initial or annual privacy
notices required by Sec. Sec. 216.4 and 216.5. When describing the
categories with respect to those parties, it is sufficient to state
that you make disclosures to other nonaffiliated companies:
(1) For your everyday business purposes, such as [include all that
apply] to process transactions, maintain account(s), respond to court
orders and legal investigations, or report to credit bureaus; or
(2) As permitted by law.
* * * * *
(f) Model privacy form. Pursuant to Sec. 216.2(a) of this part, a
model privacy
[[Page 62926]]
form that meets the notice content requirements of this section is
included in Appendix A of this part.
(g) Sample clauses. Sample clauses illustrating some of the notice
content required by this section are included in Appendix B of this
part. Use of a sample clause in a privacy notice provided on or before
December 31, 2010, to the extent applicable, constitutes compliance
with this part.
0
11. In Sec. 216.7, add paragraph (i) to read as follows:
Sec. 216.7 Form of opt-out notice to consumers; opt-out methods.
* * * * *
(i) Model privacy form. Pursuant to Sec. 216.2(a) of this part, a
model privacy form that meets the notice content requirements of this
section is included in Appendix A of this part.
Appendix A [Redesignated as Appendix B]
0
12. Redesignate Appendix A to part 216 as Appendix B to part 216.
0
13. Add new Appendix A to part 216 to read as follows:
Appendix A to Part 216--Model Privacy Form
A. The Model Privacy Form
BILLING CODE 6750-01-P 12.5%, 6351-01-P 12.5%, 6720-01-P 12.5%, 6714-
01-P 12.5%, 4810-33-P 12.5%, 6210-01-P 12.5%, 8011-01-P 12.5%, 7535-01-
P 12.5%
[[Page 62927]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.007
[[Page 62928]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.008
[[Page 62929]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.009
[[Page 62930]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.010
[[Page 62931]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.011
[[Page 62932]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.012
[[Page 62933]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.013
BILLING CODE 6750-01-C 12.5%, 6351-01-C 12.5%, 6720-01-C 12.5%, 6714-
01-C 12.5%, 4810-33-C 12.5%, 6210-01-C 12.5%, 8011-01-C 12.5%, 7535-01-
C 12.5%
B. General Instructions
1. How the Model Privacy Form Is Used
(a) The model form may be used, at the option of a financial
institution, including a group of financial institutions that use a
common privacy notice, to meet the content requirements of the
privacy notice and opt-out notice set forth in Sec. Sec. 216.6 and
216.7 of this part.
(b) The model form is a standardized form, including page
layout, content, format, style, pagination, and shading.
Institutions seeking to obtain the safe harbor through use of the
model form may modify it only as described in these Instructions.
(c) Note that disclosure of certain information, such as assets,
income, and information from a consumer reporting agency, may give
rise to obligations under the Fair Credit Reporting Act [15 U.S.C.
1681-1681x] (FCRA), such as a requirement to permit a consumer to
opt out of disclosures to affiliates or designation as a consumer
reporting agency if disclosures are made to nonaffiliated third
parties.
(d) The word ``customer'' may be replaced by the word ``member''
whenever it appears in the model form, as appropriate.
2. The Contents of the Model Privacy Form
The model form consists of two pages, which may be printed on
both sides of a single sheet of paper, or may appear on two separate
pages. Where an institution provides a long list of institutions at
the end of the model form in accordance with Instruction C.3(a)(1),
or provides additional information in accordance with Instruction
C.3(c), and such list or additional information exceeds the space
available on page two of the model form, such list or additional
information may extend to a third page.
(a) Page One. The first page consists of the following
components:
(1) Date last revised (upper right-hand corner).
(2) Title.
(3) Key frame (Why?, What?, How?).
(4) Disclosure table (``Reasons we can share your personal
information'').
(5) ``To limit our sharing'' box, as needed, for the financial
institution's opt-out information.
(6) ``Questions'' box, for customer service contact information.
(7) Mail-in opt-out form, as needed.
(b) Page Two. The second page consists of the following
components:
(1) Heading (Page 2).
(2) Frequently Asked Questions (``Who we are'' and ``What we
do'').
(3) Definitions.
(4) ``Other important information'' box, as needed.
3. The Format of the Model Privacy Form
The format of the model form may be modified only as described
below.
(a) Easily readable type font. Financial institutions that use
the model form must use an easily readable type font. While a number
of factors together produce easily readable type font, institutions
are required to use a minimum of 10-point font (unless otherwise
expressly permitted in these Instructions) and sufficient spacing
between the lines of type.
(b) Logo. A financial institution may include a corporate logo
on any page of the notice, so long as it does not interfere with the
readability of the model form or the space constraints of each page.
(c) Page size and orientation. Each page of the model form must
be printed on paper in portrait orientation, the size of which must
be sufficient to meet the layout and minimum font size requirements,
with sufficient white space on the top, bottom, and sides of the
content.
(d) Color. The model form must be printed on white or light
color paper (such as cream) with black or other contrasting ink
color. Spot color may be used to achieve visual interest, so long as
the color contrast is distinctive and the color does not detract
from the readability of the model form. Logos may also be printed in
color.
(e) Languages. The model form may be translated into languages
other than English.
C. Information Required in the Model Privacy Form
The information in the model form may be modified only as
described below:
1. Name of the Institution or Group of Affiliated Institutions
Providing the Notice
Insert the name of the financial institution providing the
notice or a common identity of affiliated institutions jointly
providing the notice on the form wherever [name of financial
institution] appears.
2. Page One
(a) Last revised date. The financial institution must insert in
the upper right-hand corner the date on which the notice was last
revised. The information shall appear in minimum 8-point font as
``rev. [month/year]'' using either the name or number of the month,
such as ``rev. July 2009'' or ``rev. 7/09''.
(b) General instructions for the ``What?'' box.
(1) The bulleted list identifies the types of personal
information that the institution collects and shares. All
institutions must use the term ``Social Security number'' in the
first bullet.
(2) Institutions must use five (5) of the following terms to
complete the bulleted list: income; account balances; payment
history; transaction history; transaction or loss history; credit
history; credit scores; assets; investment experience; credit-based
insurance scores; insurance claim history; medical information;
overdraft history; purchase history; account transactions; risk
tolerance; medical-related debts; credit card or other debt;
mortgage rates and payments; retirement assets; checking account
information; employment information; wire transfer instructions.
(c) General instructions for the disclosure table. The left
column lists reasons for
[[Page 62934]]
sharing or using personal information. Each reason correlates to a
specific legal provision described in paragraph C.2(d) of this
Instruction. In the middle column, each institution must provide a
``Yes'' or ``No'' response that accurately reflects its information
sharing policies and practices with respect to the reason listed on
the left. In the right column, each institution must provide in each
box one of the following three (3) responses, as applicable, that
reflects whether a consumer can limit such sharing: ``Yes'' if it is
required to or voluntarily provides an opt-out; ``No'' if it does
not provide an opt-out; or ``We don't share'' if it answers ``No''
in the middle column. Only the sixth row (``For our affiliates to
market to you'') may be omitted at the option of the institution.
See paragraph C.2(d)(6) of this Instruction.
(d) Specific disclosures and corresponding legal provisions.
(1) For our everyday business purposes. This reason incorporates
sharing information under Sec. Sec. 216.14 and 216.15 and with
service providers pursuant to Sec. 216.13 of this part other than
the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these
Instructions.
(2) For our marketing purposes. This reason incorporates sharing
information with service providers by an institution for its own
marketing pursuant to Sec. 216.13 of this part. An institution that
shares for this reason may choose to provide an opt-out.
(3) For joint marketing with other financial companies. This
reason incorporates sharing information under joint marketing
agreements between two or more financial institutions and with any
service provider used in connection with such agreements pursuant to
Sec. 216.13 of this part. An institution that shares for this
reason may choose to provide an opt-out.
(4) For our affiliates' everyday business purposes--information
about transactions and experiences. This reason incorporates sharing
information specified in sections 603(d)(2)(A)(i) and (ii) of the
FCRA. An institution that shares for this reason may choose to
provide an opt-out.
(5) For our affiliates' everyday business purposes--information
about creditworthiness. This reason incorporates sharing information
pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution
that shares for this reason must provide an opt-out.
(6) For our affiliates to market to you. This reason
incorporates sharing information specified in section 624 of the
FCRA. This reason may be omitted from the disclosure table when: the
institution does not have affiliates (or does not disclose personal
information to its affiliates); the institution's affiliates do not
use personal information in a manner that requires an opt-out; or
the institution provides the affiliate marketing notice separately.
Institutions that include this reason must provide an opt-out of
indefinite duration. An institution that is required to provide an
affiliate marketing opt-out, but does not include that opt-out in
the model form under this part, must comply with section 624 of the
FCRA and 12 CFR part 222, subpart C, with respect to the initial
notice and opt-out and any subsequent renewal notice and opt-out. An
institution not required to provide an opt-out under this
subparagraph may elect to include this reason in the model form.
(7) For nonaffiliates to market to you. This reason incorporates
sharing described in Sec. Sec. 216.7 and 216.10(a) of this part. An
institution that shares personal information for this reason must
provide an opt-out.
(e) To limit our sharing: A financial institution must include
this section of the model form only if it provides an opt-out. The
word ``choice'' may be written in either the singular or plural, as
appropriate. Institutions must select one or more of the applicable
opt-out methods described: telephone, such as by a toll-free number;
a Website; or use of a mail-in opt-out form. Institutions may
include the words ``toll-free'' before telephone, as appropriate. An
institution that allows consumers to opt out online must provide
either a specific Web address that takes consumers directly to the
opt-out page or a general Web address that provides a clear and
conspicuous direct link to the opt-out page. The opt-out choices
made available to the consumer who contacts the institution through
these methods must correspond accurately to the ``Yes'' responses in
the third column of the disclosure table. In the part titled
``Please note'' institutions may insert a number that is 30 or
greater in the space marked ``[30].'' Instructions on voluntary or
state privacy law opt-out information are in paragraph C.2(g)(5) of
these Instructions.
(f) Questions box. Customer service contact information must be
inserted as appropriate, where [phone number] or [website] appear.
Institutions may elect to provide either a phone number, such as a
toll-free number, or a Web address, or both. Institutions may
include the words ``toll-free'' before the telephone number, as
appropriate.
(g) Mail-in opt-out form. Financial institutions must include
this mail-in form only if they state in the ``To limit our sharing''
box that consumers can opt out by mail. The mail-in form must
provide opt-out options that correspond accurately to the ``Yes''
responses in the third column in the disclosure table. Institutions
that require customers to provide only name and address may omit the
section identified as ``[account ].'' Institutions that
require additional or different information, such as a random opt-
out number or a truncated account number, to implement an opt-out
election should modify the ``[account ]'' reference
accordingly. This includes institutions that require customers with
multiple accounts to identify each account to which the opt-out
should apply. An institution must enter its opt-out mailing address:
In the far right of this form (see version 3); or below the form
(see version 4). The reverse side of the mail-in opt-out form must
not include any content of the model form.
(1) Joint accountholder. Only institutions that provide their
joint accountholders the choice to opt out for only one
accountholder, in accordance with paragraph C.3(a)(5) of these
Instructions, must include in the far left column of the mail-in
form the following statement: ``If you have a joint account, your
choice(s) will apply to everyone on your account unless you mark
below. [square] Apply my choice(s) only to me.'' The word ``choice''
may be written in either the singular or plural, as appropriate.
Financial institutions that provide insurance products or services,
provide this option, and elect to use the model form may substitute
the word ``policy'' for ``account'' in this statement. Institutions
that do not provide this option may eliminate this left column from
the mail-in form.
(2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution
shares personal information pursuant to section 603(d)(2)(A)(iii) of
the FCRA, it must include in the mail-in opt-out form the following
statement: ``[square] Do not share information about my
creditworthiness with your affiliates for their everyday business
purposes.''
(3) FCRA Section 624 opt-out. If the institution incorporates
section 624 of the FCRA in accord with paragraph C.2(d)(6) of these
Instructions, it must include in the mail-in opt-out form the
following statement: ``[square] Do not allow your affiliates to use
my personal information to market to me.''
(4) Nonaffiliate opt-out. If the financial institution shares
personal information pursuant to Sec. 216.10(a) of this part, it
must include in the mail-in opt-out form the following statement:
``[square] Do not share my personal information with nonaffiliates
to market their products and services to me.''
(5) Additional opt-outs. Financial institutions that use the
disclosure table to provide opt-out options beyond those required by
Federal law must provide those opt-outs in this section of the model
form. A financial institution that chooses to offer an opt-out for
its own marketing in the mail-in opt-out form must include one of
the two following statements: ``[square] Do not share my personal
information to market to me.'' or ``[square] Do not use my personal
information to market to me.'' A financial institution that chooses
to offer an opt-out for joint marketing must include the following
statement: ``[square] Do not share my personal information with
other financial institutions to jointly market to me.''
(h) Barcodes. A financial institution may elect to include a
barcode and/or ``tagline'' (an internal identifier) in 6-point font
at the bottom of page one, as needed for information internal to the
institution, so long as these do not interfere with the clarity or
text of the form.
3. Page Two
(a) General Instructions for the Questions. Certain of the
Questions may be customized as follows:
(1) ``Who is providing this notice?'' This question may be
omitted where only one financial institution provides the model form
and that institution is clearly identified in the title on page one.
Two or more financial institutions that jointly provide the model
form must use this question to identify themselves as required by
Sec. 216.9(f) of this part. Where the list of institutions exceeds
four (4) lines, the institution must describe in the response to
this question the general types of institutions jointly providing
the notice and must separately identify those institutions, in
minimum 8-point font, directly following the ``Other important
[[Page 62935]]
information'' box, or, if that box is not included in the
institution's form, directly following the ``Definitions.'' The list
may appear in a multi-column format.
(2) ``How does [name of financial institution] protect my
personal information?'' The financial institution may only provide
additional information pertaining to its safeguards practices
following the designated response to this question. Such information
may include information about the institution's use of cookies or
other measures it uses to safeguard personal information.
Institutions are limited to a maximum of 30 additional words.
(3) ``How does [name of financial institution] collect my
personal information?'' Institutions must use five (5) of the
following terms to complete the bulleted list for this question:
Open an account; deposit money; pay your bills; apply for a loan;
use your credit or debit card; seek financial or tax advice; apply
for insurance; pay insurance premiums; file an insurance claim; seek
advice about your investments; buy securities from us; sell
securities to us; direct us to buy securities; direct us to sell
your securities; make deposits or withdrawals from your account;
enter into an investment advisory contract; give us your income
information; provide employment information; give us your employment
history; tell us about your investment or retirement portfolio; tell
us about your investment or retirement earnings; apply for
financing; apply for a lease; provide account information; give us
your contact information; pay us by check; give us your wage
statements; provide your mortgage information; make a wire transfer;
tell us who receives the money; tell us where to send the money;
show your government-issued ID; show your driver's license; order a
commodity futures or option trade. Institutions that collect
personal information from their affiliates and/or credit bureaus
must include after the bulleted list the following statement: ``We
also collect your personal information from others, such as credit
bureaus, affiliates, or other companies.'' Institutions that do not
collect personal information from their affiliates or credit bureaus
but do collect information from other companies must include the
following statement instead: ``We also collect your personal
information from other companies.''
Only institutions that do not collect any personal information from
affiliates, credit bureaus, or other companies can omit both
statements.
(4) ``Why can't I limit all sharing?'' Institutions that
describe state privacy law provisions in the ``Other important
information'' box must use the bracketed sentence: ``See below for
more on your rights under state law.'' Other institutions must omit
this sentence.
(5) ``What happens when I limit sharing for an account I hold
jointly with someone else?'' Only financial institutions that
provide opt-out options must use this question. Other institutions
must omit this question. Institutions must choose one of the
following two statements to respond to this question: ``Your choices
will apply to everyone on your account.'' or ``Your choices will
apply to everyone on your account--unless you tell us otherwise.''
Financial institutions that provide insurance products or services
and elect to use the model form may substitute the word ``policy''
for ``account'' in these statements.
(b) General Instructions for the Definitions.
The financial institution must customize the space below the
responses to the three definitions in this section. This specific
information must be in italicized lettering to set off the
information from the standardized definitions.
(1) Affiliates. As required by Sec. 216.6(a)(3) of this part,
where [affiliate information] appears, the financial institution
must:
(i) If it has no affiliates, state: ``[name of financial
institution] has no affiliates'';
(ii) If it has affiliates but does not share personal
information, state: ``[name of financial institution] does not share
with our affiliates''; or
(iii) If it shares with its affiliates, state, as applicable:
``Our affiliates include companies with a [common corporate identity
of financial institution] name; financial companies such as [insert
illustrative list of companies]; nonfinancial companies, such as
[insert illustrative list of companies;] and others, such as [insert
illustrative list].''
(2) Nonaffiliates. As required by Sec. 216.6(c)(3) of this
part, where [nonaffiliate information] appears, the financial
institution must:
(i) If it does not share with nonaffiliated third parties,
state: ``[name of financial institution] does not share with
nonaffiliates so they can market to you''; or
(ii) If it shares with nonaffiliated third parties, state, as
applicable: ``Nonaffiliates we share with can include [list
categories of companies such as mortgage companies, insurance
companies, direct marketing companies, and nonprofit
organizations].''
(3) Joint Marketing. As required by Sec. 216.13 of this part,
where [joint marketing] appears, the financial institution must:
(i) If it does not engage in joint marketing, state: ``[name of
financial institution] doesn't jointly market''; or
(ii) If it shares personal information for joint marketing,
state, as applicable: ``Our joint marketing partners include [list
categories of companies such as credit card companies].''
(c) General instructions for the ``Other important information''
box. This box is optional. The space provided for information in
this box is not limited. Only the following types of information can
appear in this box.
(1) State and/or international privacy law information; and/or
(2) Acknowledgment of receipt form.
0
14. Amend newly redesignated Appendix B to part 216 as follows:
0
A. Add a new sentence to the beginning of the introductory text as set
forth below.
0
B. Effective January 1, 2012, remove Appendix B to part 216.
Appendix B to Part 216--Sample Clauses
This Appendix only applies to privacy notices provided before
January 1, 2011. * * *
* * * * *
Federal Deposit Insurance Corporation
12 CFR Chapter III
Authority and Issuance
0
For the reasons set forth in the joint preamble, part 332 of chapter
III of title 12 of the Code of Federal Regulations is amended as
follows:
PART 332--PRIVACY OF CONSUMER FINANCIAL INFORMATION
0
15. The authority citation for part 332 continues to read as follows:
Authority: 12 U.S.C. 1819 (Seventh and Tenth); 15 U.S.C. 6801
et seq.
0
16. Revise Sec. 332.2 to read as follows:
Sec. 332.2 Model privacy form and examples.
(a) Model privacy form. Use of the model privacy form in Appendix A
of this part, consistent with the instructions in Appendix A,
constitutes compliance with the notice content requirements of
Sec. Sec. 332.6 and 332.7 of this part, although use of the model
privacy form is not required.
(b) Examples. The examples in this part are not exclusive.
Compliance with an example, to the extent applicable, constitutes
compliance with this part.
0
17. In Sec. 332.6:
0
A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set
forth below.
0
B. Effective January 1, 2012, remove paragraph (g).
Sec. 332.6 Information to be included in privacy notices.
* * * * *
(b) Description of nonaffiliated third parties subject to
exceptions. If you disclose nonpublic personal information to third
parties as authorized under Sec. Sec. 332.14 and 332.15, you are not
required to list those exceptions in the initial or annual privacy
notices required by Sec. Sec. 332.4 and 332.5. When describing the
categories with respect to those parties, it is sufficient to state
that you make disclosures to other nonaffiliated companies:
(1) For your everyday business purposes, such as [include all that
apply] to process transactions, maintain account(s), respond to court
orders and legal investigations, or report to credit bureaus; or
(2) As permitted by law.
* * * * *
[[Page 62936]]
(f) Model privacy form. Pursuant to Sec. 332.2(a) of this part, a
model privacy form that meets the notice content requirements of this
section is included in Appendix A of this part.
(g) Sample clauses. Sample clauses illustrating some of the notice
content required by this section are included in Appendix B of this
part. Use of a sample clause in a privacy notice provided on or before
December 31, 2010, to the extent applicable, constitutes compliance
with this part.
0
18. In Sec. 332.7, add paragraph (i) to read as follows:
Sec. 332.7 Form of opt-out notice to consumers; opt-out methods.
* * * * *
(i) Model privacy form. Pursuant to Sec. 332.2(a) of this part, a
model privacy form that meets the notice content requirements of this
section is included in Appendix A of this part.
Appendix A [Redesignated as Appendix B]
0
19. Redesignate Appendix A to part 332 as Appendix B to part 332.
0
20. Add new Appendix A to part 332 to read as follows:
Appendix A to Part 332--Model Privacy Form
A. The Model Privacy Form
BILLING CODE 6750-01-P 12.5%, 6351-01-P 12.5%, 6720-01-P 12.5%, 6714-
01-P 12.5%, 4810-33-P 12.5%, 6210-01-P 12.5%, 8011-01-P 12.5%, 7535-01-
P 12.5%
[[Page 62937]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.014
[[Page 62938]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.015
[[Continued on page 62939]]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
]
[[pp. 62939-62988]] Final Model Privacy Form Under the Gramm-Leach-Bliley Act
[[Continued from page 62938]]
[[Page 62939]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.016
[[Page 62940]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.017
[[Page 62941]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.018
[[Page 62942]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.019
[[Page 62943]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.020
BILLING CODE 6750-01-C 12.5%, 6351-01-C 12.5%, 6720-01-C 12.5%, 6714-
01-C 12.5%, 4810-01-C 12.5%, 6210-01-C 12.5%, 8011-01-C 12.5%, 7535-01-
C 12.5%
B. General Instructions
1. How the Model Privacy Form Is Used
(a) The model form may be used, at the option of a financial
institution, including a group of financial institutions that use a
common privacy notice, to meet the content requirements of the
privacy notice and opt-out notice set forth in Sec. Sec. 332.6 and
332.7 of this part.
(b) The model form is a standardized form, including page
layout, content, format, style, pagination, and shading.
Institutions seeking to obtain the safe harbor through use of the
model form may modify it only as described in these Instructions.
(c) Note that disclosure of certain information, such as assets,
income, and information from a consumer reporting agency, may give
rise to obligations under the Fair Credit Reporting Act [15 U.S.C.
1681-1681x] (FCRA), such as a requirement to permit a consumer to
opt out of disclosures to affiliates or designation as a consumer
reporting agency if disclosures are made to nonaffiliated third
parties.
(d) The word ``customer'' may be replaced by the word ``member''
whenever it appears in the model form, as appropriate.
2. The Contents of the Model Privacy Form
The model form consists of two pages, which may be printed on
both sides of a single sheet of paper, or may appear on two separate
pages. Where an institution provides a long list of institutions at
the end of the model form in accordance with Instruction C.3(a)(1),
or provides additional information in accordance with Instruction
C.3(c), and such list or additional information exceeds the space
available on page two of the model form, such list or additional
information may extend to a third page.
(a) Page One. The first page consists of the following
components:
(1) Date last revised (upper right-hand corner).
(2) Title.
(3) Key frame (Why?, What?, How?).
(4) Disclosure table (``Reasons we can share your personal
information'').
(5) ``To limit our sharing'' box, as needed, for the financial
institution's opt-out information.
(6) ``Questions'' box, for customer service contact information.
(7) Mail-in opt-out form, as needed.
(b) Page Two. The second page consists of the following
components:
(1) Heading (Page 2).
(2) Frequently Asked Questions (``Who we are'' and ``What we
do'').
(3) Definitions.
(4) ``Other important information'' box, as needed.
3. The Format of the Model Privacy Form
The format of the model form may be modified only as described
below.
(a) Easily readable type font. Financial institutions that use
the model form must use an easily readable type font. While a number
of factors together produce easily readable type font, institutions
are required to use a minimum of 10-point font (unless otherwise
expressly permitted in these Instructions) and sufficient spacing
between the lines of type.
(b) Logo. A financial institution may include a corporate logo
on any page of the notice, so long as it does not interfere with the
readability of the model form or the space constraints of each page.
(c) Page size and orientation. Each page of the model form must
be printed on paper in portrait orientation, the size of which must
be sufficient to meet the layout and minimum font size requirements,
with sufficient white space on the top, bottom, and sides of the
content.
(d) Color. The model form must be printed on white or light
color paper (such as cream) with black or other contrasting ink
color. Spot color may be used to achieve visual interest, so long as
the color contrast is distinctive and the color does not detract
from the readability of the model form. Logos may also be printed in
color.
(e) Languages. The model form may be translated into languages
other than English.
C. Information Required in the Model Privacy Form
The information in the model form may be modified only as
described below:
1. Name of the Institution or Group of Affiliated Institutions
Providing the Notice
Insert the name of the financial institution providing the
notice or a common identity of affiliated institutions jointly
providing the notice on the form wherever [name of financial
institution] appears.
2. Page One
(a) Last revised date. The financial institution must insert in
the upper right-hand corner the date on which the notice was last
revised. The information shall appear in minimum 8-point font as
``rev. [month/year]'' using either the name or number of the month,
such as ``rev. July 2009'' or ``rev. 7/09''.
(b) General instructions for the ``What?'' box.
(1) The bulleted list identifies the types of personal
information that the institution collects and shares. All
institutions must use the term ``Social Security number'' in the
first bullet.
(2) Institutions must use five (5) of the following terms to
complete the bulleted list: income; account balances; payment
history; transaction history; transaction or loss history; credit
history; credit scores; assets; investment experience; credit-based
insurance scores; insurance claim history; medical information;
overdraft history; purchase history; account transactions; risk
tolerance; medical-related debts; credit card or other debt;
mortgage rates and payments; retirement assets; checking account
information; employment information; wire transfer instructions.
(c) General instructions for the disclosure table. The left
column lists reasons for
[[Page 62944]]
sharing or using personal information. Each reason correlates to a
specific legal provision described in paragraph C.2(d) of this
Instruction. In the middle column, each institution must provide a
``Yes'' or ``No'' response that accurately reflects its information
sharing policies and practices with respect to the reason listed on
the left. In the right column, each institution must provide in each
box one of the following three (3) responses, as applicable, that
reflects whether a consumer can limit such sharing: ``Yes'' if it is
required to or voluntarily provides an opt-out; ``No'' if it does
not provide an opt-out; or ``We don't share'' if it answers ``No''
in the middle column. Only the sixth row (``For our affiliates to
market to you'') may be omitted at the option of the institution.
See paragraph C.2(d)(6) of this Instruction.
(d) Specific disclosures and corresponding legal provisions.
(1) For our everyday business purposes. This reason incorporates
sharing information under Sec. Sec. 332.14 and 332.15 and with
service providers pursuant to Sec. 332.13 of this part other than
the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these
Instructions.
(2) For our marketing purposes. This reason incorporates sharing
information with service providers by an institution for its own
marketing pursuant to Sec. 332.13 of this part. An institution that
shares for this reason may choose to provide an opt-out.
(3) For joint marketing with other financial companies. This
reason incorporates sharing information under joint marketing
agreements between two or more financial institutions and with any
service provider used in connection with such agreements pursuant to
Sec. 332.13 of this part. An institution that shares for this
reason may choose to provide an opt-out.
(4) For our affiliates' everyday business purposes--information
about transactions and experiences. This reason incorporates sharing
information specified in sections 603(d)(2)(A)(i) and (ii) of the
FCRA. An institution that shares for this reason may choose to
provide an opt-out.
(5) For our affiliates' everyday business purposes--information
about creditworthiness. This reason incorporates sharing information
pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution
that shares for this reason must provide an opt-out.
(6) For our affiliates to market to you. This reason
incorporates sharing information specified in section 624 of the
FCRA. This reason may be omitted from the disclosure table when: The
institution does not have affiliates (or does not disclose personal
information to its affiliates); the institution's affiliates do not
use personal information in a manner that requires an opt-out; or
the institution provides the affiliate marketing notice separately.
Institutions that include this reason must provide an opt-out of
indefinite duration. An institution that is required to provide an
affiliate marketing opt-out, but does not include that opt-out in
the model form under this part, must comply with section 624 of the
FCRA and 12 CFR part 334, subpart C, with respect to the initial
notice and opt-out and any subsequent renewal notice and opt-out. An
institution not required to provide an opt-out under this
subparagraph may elect to include this reason in the model form.
(7) For nonaffiliates to market to you. This reason incorporates
sharing described in Sec. Sec. 332.7 and 332.10(a) of this part. An
institution that shares personal information for this reason must
provide an opt-out.
(e) To limit our sharing: A financial institution must include
this section of the model form only if it provides an opt-out. The
word ``choice'' may be written in either the singular or plural, as
appropriate. Institutions must select one or more of the applicable
opt-out methods described: Telephone, such as by a toll-free number;
a Web site; or use of a mail-in opt-out form. Institutions may
include the words ``toll-free'' before telephone, as appropriate. An
institution that allows consumers to opt out online must provide
either a specific Web address that takes consumers directly to the
opt-out page or a general Web address that provides a clear and
conspicuous direct link to the opt-out page. The opt-out choices
made available to the consumer who contacts the institution through
these methods must correspond accurately to the ``Yes'' responses in
the third column of the disclosure table. In the part titled
``Please note'' institutions may insert a number that is 30 or
greater in the space marked ``[30].'' Instructions on voluntary or
state privacy law opt-out information are in paragraph C.2(g)(5) of
these Instructions.
(f) Questions box. Customer service contact information must be
inserted as appropriate, where [phone number] or [Web site] appear.
Institutions may elect to provide either a phone number, such as a
toll-free number, or a Web address, or both. Institutions may
include the words ``toll-free'' before the telephone number, as
appropriate.
(g) Mail-in opt-out form. Financial institutions must include
this mail-in form only if they state in the ``To limit our sharing''
box that consumers can opt out by mail. The mail-in form must
provide opt-out options that correspond accurately to the ``Yes''
responses in the third column in the disclosure table. Institutions
that require customers to provide only name and address may omit the
section identified as ``[account ].'' Institutions that
require additional or different information, such as a random opt-
out number or a truncated account number, to implement an opt-out
election should modify the ``[account ]'' reference
accordingly. This includes institutions that require customers with
multiple accounts to identify each account to which the opt-out
should apply. An institution must enter its opt-out mailing address:
In the far right of this form (see version 3); or below the form
(see version 4). The reverse side of the mail-in opt-out form must
not include any content of the model form.
(1) Joint accountholder. Only institutions that provide their
joint accountholders the choice to opt out for only one
accountholder, in accordance with paragraph C.3(a)(5) of these
Instructions, must include in the far left column of the mail-in
form the following statement: ``If you have a joint account, your
choice(s) will apply to everyone on your account unless you mark
below. [square] Apply my choice(s) only to me.'' The word ``choice''
may be written in either the singular or plural, as appropriate.
Financial institutions that provide insurance products or services,
provide this option, and elect to use the model form may substitute
the word ``policy'' for ``account'' in this statement. Institutions
that do not provide this option may eliminate this left column from
the mail-in form.
(2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution
shares personal information pursuant to section 603(d)(2)(A)(iii) of
the FCRA, it must include in the mail-in opt-out form the following
statement: ``[square] Do not share information about my
creditworthiness with your affiliates for their everyday business
purposes.''
(3) FCRA Section 624 opt-out. If the institution incorporates
section 624 of the FCRA in accord with paragraph C.2(d)(6) of these
Instructions, it must include in the mail-in opt-out form the
following statement: ``[square] Do not allow your affiliates to use
my personal information to market to me.''
(4) Nonaffiliate opt-out. If the financial institution shares
personal information pursuant to Sec. 332.10(a) of this part, it
must include in the mail-in opt-out form the following statement:
``[square] Do not share my personal information with nonaffiliates
to market their products and services to me.''
(5) Additional opt-outs. Financial institutions that use the
disclosure table to provide opt-out options beyond those required by
Federal law must provide those opt-outs in this section of the model
form. A financial institution that chooses to offer an opt-out for
its own marketing in the mail-in opt-out form must include one of
the two following statements: ``[square] Do not share my personal
information to market to me.'' or ``[square] Do not use my personal
information to market to me.'' A financial institution that chooses
to offer an opt-out for joint marketing must include the following
statement: ``[square] Do not share my personal information with
other financial institutions to jointly market to me.''
(h) Barcodes. A financial institution may elect to include a
barcode and/or ``tagline'' (an internal identifier) in 6-point font
at the bottom of page one, as needed for information internal to the
institution, so long as these do not interfere with the clarity or
text of the form.
3. Page Two
(a) General Instructions for the Questions. Certain of the
Questions may be customized as follows:
(1) ``Who is providing this notice?'' This question may be
omitted where only one financial institution provides the model form
and that institution is clearly identified in the title on page one.
Two or more financial institutions that jointly provide the model
form must use this question to identify themselves as required by
Sec. 332.9(f) of this part. Where the list of institutions exceeds
four (4) lines, the institution must describe in the response to
this question the general types of institutions jointly providing
the notice and must separately identify those institutions, in
minimum 8-point font, directly following the ``Other important
[[Page 62945]]
information'' box, or, if that box is not included in the
institution's form, directly following the ``Definitions.'' The list
may appear in a multi-column format.
(2) ``How does [name of financial institution] protect my
personal information?'' The financial institution may only provide
additional information pertaining to its safeguards practices
following the designated response to this question. Such information
may include information about the institution's use of cookies or
other measures it uses to safeguard personal information.
Institutions are limited to a maximum of 30 additional words.
(3) ``How does [name of financial institution] collect my
personal information?'' Institutions must use five (5) of the
following terms to complete the bulleted list for this question:
Open an account; deposit money; pay your bills; apply for a loan;
use your credit or debit card; seek financial or tax advice; apply
for insurance; pay insurance premiums; file an insurance claim; seek
advice about your investments; buy securities from us; sell
securities to us; direct us to buy securities; direct us to sell
your securities; make deposits or withdrawals from your account;
enter into an investment advisory contract; give us your income
information; provide employment information; give us your employment
history; tell us about your investment or retirement portfolio; tell
us about your investment or retirement earnings; apply for
financing; apply for a lease; provide account information; give us
your contact information; pay us by check; give us your wage
statements; provide your mortgage information; make a wire transfer;
tell us who receives the money; tell us where to send the money;
show your government-issued ID; show your driver's license; order a
commodity futures or option trade. Institutions that collect
personal information from their affiliates and/or credit bureaus
must include after the bulleted list the following statement: ``We
also collect your personal information from others, such as credit
bureaus, affiliates, or other companies.'' Institutions that do not
collect personal information from their affiliates or credit bureaus
but do collect information from other companies must include the
following statement instead: ``We also collect your personal
information from other companies.'' Only institutions that do not
collect any personal information from affiliates, credit bureaus, or
other companies can omit both statements.
(4) ``Why can't I limit all sharing?'' Institutions that
describe state privacy law provisions in the ``Other important
information'' box must use the bracketed sentence: ``See below for
more on your rights under state law.'' Other institutions must omit
this sentence.
(5) ``What happens when I limit sharing for an account I hold
jointly with someone else?'' Only financial institutions that
provide opt-out options must use this question. Other institutions
must omit this question. Institutions must choose one of the
following two statements to respond to this question: ``Your choices
will apply to everyone on your account.'' or ``Your choices will
apply to everyone on your account-unless you tell us otherwise.''
Financial institutions that provide insurance products or services
and elect to use the model form may substitute the word ``policy''
for ``account'' in these statements.
(b) General Instructions for the Definitions.
The financial institution must customize the space below the
responses to the three definitions in this section. This specific
information must be in italicized lettering to set off the
information from the standardized definitions.
(1) Affiliates. As required by Sec. 332.6(a)(3) of this part,
where [affiliate information] appears, the financial institution
must:
(i) If it has no affiliates, state: ``[name of financial
institution] has no affiliates'';
(ii) If it has affiliates but does not share personal
information, state: ``[name of financial institution] does not share
with our affiliates''; or
(iii) If it shares with its affiliates, state, as applicable:
``Our affiliates include companies with a [common corporate identity
of financial institution] name; financial companies such as [insert
illustrative list of companies]; nonfinancial companies, such as
[insert illustrative list of companies]; and others, such as [insert
illustrative list].''
(2) Nonaffiliates. As required by Sec. 332.6(c)(3) of this
part, where [nonaffiliate information] appears, the financial
institution must:
(i) If it does not share with nonaffiliated third parties,
state: ``[name of financial institution] does not share with
nonaffiliates so they can market to you''; or
(ii) If it shares with nonaffiliated third parties, state, as
applicable: ``Nonaffiliates we share with can include [list
categories of companies such as mortgage companies, insurance
companies, direct marketing companies, and nonprofit
organizations].''
(3) Joint Marketing. As required by Sec. 332.13 of this part,
where [joint marketing] appears, the financial institution must:
(i) If it does not engage in joint marketing, state: ``[name of
financial institution] doesn't jointly market''; or
(ii) If it shares personal information for joint marketing,
state, as applicable: ``Our joint marketing partners include [list
categories of companies such as credit card companies].''
(c) General instructions for the ``Other important information''
box. This box is optional. The space provided for information in
this box is not limited. Only the following types of information can
appear in this box.
(1) State and/or international privacy law information; and/or
(2) Acknowledgment of receipt form.
0
21. Amend newly redesignated Appendix B to part 332 as follows:
0
A. Add a new sentence to the beginning of the introductory text as set
forth below.
0
B. Effective January 1, 2012, remove Appendix B to part 332.
Appendix B to Part 332--Sample Clauses
This Appendix only applies to privacy notices provided before
January 1, 2011.
* * * * *
DEPARTMENT OF THE TREASURY
Office of Thrift Supervision
12 CFR Chapter V
Authority and Issuance
0
For the reasons set forth in the joint preamble, part 573 of chapter V
of title 12 of the Code of Federal Regulations is amended as follows:
PART 573--PRIVACY OF CONSUMER FINANCIAL INFORMATION
0
22. The authority citation for part 573 continues to read as follows:
Authority: 12 U.S.C. 1462a, 1463, 1464, 1828; 15 U.S.C. 6801 et
seq.
0
23. Revise Sec. 573.2 to read as follows:
Sec. 573.2 Model privacy form and examples.
(a) Model privacy form. Use of the model privacy form in Appendix A
of this part, consistent with the instructions in Appendix A,
constitutes compliance with the notice content requirements of
Sec. Sec. 573.6 and 573.7 of this part, although use of the model
privacy form is not required.
(b) Examples. The examples in this part are not exclusive.
Compliance with an example, to the extent applicable, constitutes
compliance with this part.
0
24. In Sec. 573.6:
0
A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set
forth below.
0
B. Effective January 1, 2012, remove paragraph (g).
Sec. 573.6 Information to be included in privacy notices.
* * * * *
(b) Description of nonaffiliated third parties subject to
exceptions. If you disclose nonpublic personal information to third
parties as authorized under Sec. Sec. 573.14 and 573.15, you are not
required to list those exceptions in the initial or annual privacy
notices required by Sec. Sec. 573.4 and 573.5. When describing the
categories with respect to those parties, it is sufficient to state
that you make disclosures to other nonaffiliated companies:
(1) For your everyday business purposes, such as [include all that
apply] to process transactions, maintain account(s), respond to court
orders and legal investigations, or report to credit bureaus; or
(2) As permitted by law.
* * * * *
[[Page 62946]]
(f) Model privacy form. Pursuant to Sec. 573.2(a) of this part, a
model privacy form that meets the notice content requirements of this
section is included in Appendix A of this part.
(g) Sample clauses. Sample clauses illustrating some of the notice
content required by this section are included in Appendix B of this
part. Use of a sample clause in a privacy notice provided on or before
December 31, 2010, to the extent applicable, constitutes compliance
with this part.
0
25. In Sec. 573.7, add paragraph (i) to read as follows:
Sec. 573.7 Form of opt-out notice to consumers; opt-out methods.
* * * * *
(i) Model privacy form. Pursuant to Sec. 573.2(a) of this part, a
model privacy form that meets the notice content requirements of this
section is included in Appendix A of this part.
Appendix A [Redesignated as Appendix B]
0
26. Redesignate Appendix A to part 573 as Appendix B to part 573.
0
27. Add new Appendix A to part 573 to read as follows:
Appendix A to Part 573--Model Privacy Form
A. The Model Privacy Form
BILLING CODE 6750-01-P 12.5%, 6351-01-P 12.5%, 6720-01-P 12.5%, 6714-
01-P 12.5%, 4810-01-P 12.5%, 6210-01-P 12.5%, 8011-01-P 12.5%, 7535-01-
P 12.5%
[[Page 62947]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.021
[[Page 62948]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.022
[[Page 62949]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.023
[[Page 62950]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.024
[[Page 62951]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.025
[[Page 62952]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.026
[[Page 62953]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.027
BILLING CODE 6750-01-C 12.5%, 6351-01-C 12.5%, 6720-01-C 12.5%, 6714-
01-C 12.5%, 4810-01-C 12.5%, 6210-01-C 12.5%, 8011-01-C 12.5%, 7535-01-
C 12.5%
B. General Instructions
1. How the Model Privacy Form Is Used
(a) The model form may be used, at the option of a financial
institution, including a group of financial institutions that use a
common privacy notice, to meet the content requirements of the
privacy notice and opt-out notice set forth in Sec. Sec. 573.6 and
573.7 of this part.
(b) The model form is a standardized form, including page
layout, content, format, style, pagination, and shading.
Institutions seeking to obtain the safe harbor through use of the
model form may modify it only as described in these Instructions.
(c) Note that disclosure of certain information, such as assets,
income, and information from a consumer reporting agency, may give
rise to obligations under the Fair Credit Reporting Act [15 U.S.C.
1681-1681x] (FCRA), such as a requirement to permit a consumer to
opt out of disclosures to affiliates or designation as a consumer
reporting agency if disclosures are made to nonaffiliated third
parties.
(d) The word ``customer'' may be replaced by the word ``member''
whenever it appears in the model form, as appropriate.
2. The Contents of the Model Privacy Form
The model form consists of two pages, which may be printed on
both sides of a single sheet of paper, or may appear on two separate
pages. Where an institution provides a long list of institutions at
the end of the model form in accordance with Instruction C.3(a)(1),
or provides additional information in accordance with Instruction
C.3(c), and such list or additional information exceeds the space
available on page two of the model form, such list or additional
information may extend to a third page.
(a) Page One. The first page consists of the following
components:
(1) Date last revised (upper right-hand corner).
(2) Title.
(3) Key frame (Why?, What?, How?).
(4) Disclosure table (``Reasons we can share your personal
information'').
(5) ``To limit our sharing'' box, as needed, for the financial
institution's opt-out information.
(6) ``Questions'' box, for customer service contact information.
(7) Mail-in opt-out form, as needed.
(b) Page Two. The second page consists of the following
components:
(1) Heading (Page 2).
(2) Frequently Asked Questions (``Who we are'' and ``What we
do'').
(3) Definitions.
(4) ``Other important information'' box, as needed.
3. The Format of the Model Privacy Form
The format of the model form may be modified only as described
below.
(a) Easily readable type font. Financial institutions that use
the model form must use an easily readable type font. While a number
of factors together produce easily readable type font, institutions
are required to use a minimum of 10-point font (unless otherwise
expressly permitted in these Instructions) and sufficient spacing
between the lines of type.
(b) Logo. A financial institution may include a corporate logo
on any page of the notice, so long as it does not interfere with the
readability of the model form or the space constraints of each page.
(c) Page size and orientation. Each page of the model form must
be printed on paper in portrait orientation, the size of which must
be sufficient to meet the layout and minimum font size requirements,
with sufficient white space on the top, bottom, and sides of the
content.
(d) Color. The model form must be printed on white or light
color paper (such as cream) with black or other contrasting ink
color. Spot color may be used to achieve visual interest, so long as
the color contrast is distinctive and the color does not detract
from the readability of the model form. Logos may also be printed in
color.
(e) Languages. The model form may be translated into languages
other than English.
C. Information Required in the Model Privacy Form
The information in the model form may be modified only as
described below:
1. Name of the Institution or Group of Affiliated Institutions
Providing the Notice
Insert the name of the financial institution providing the
notice or a common identity of affiliated institutions jointly
providing the notice on the form wherever [name of financial
institution] appears.
2. Page One
(a) Last revised date. The financial institution must insert in
the upper right-hand corner the date on which the notice was last
revised. The information shall appear in minimum 8-point font as
``rev. [month/year]'' using either the name or number of the month,
such as ``rev. July 2009'' or ``rev. 7/09''.
(b) General instructions for the ``What?'' box.
(1) The bulleted list identifies the types of personal
information that the institution collects and shares. All
institutions must use the term ``Social Security number'' in the
first bullet.
(2) Institutions must use five (5) of the following terms to
complete the bulleted list: Income; account balances; payment
history; transaction history; transaction or loss history; credit
history; credit scores; assets; investment experience; credit-based
insurance scores; insurance claim history; medical information;
overdraft history; purchase history; account transactions; risk
tolerance; medical-related debts; credit card or other debt;
mortgage rates and payments; retirement assets; checking account
information; employment information; wire transfer instructions.
(c) General instructions for the disclosure table. The left
column lists reasons for
[[Page 62954]]
sharing or using personal information. Each reason correlates to a
specific legal provision described in paragraph C.2(d) of this
Instruction. In the middle column, each institution must provide a
``Yes'' or ``No'' response that accurately reflects its information
sharing policies and practices with respect to the reason listed on
the left. In the right column, each institution must provide in each
box one of the following three (3) responses, as applicable, that
reflects whether a consumer can limit such sharing: ``Yes'' if it is
required to or voluntarily provides an opt-out; ``No'' if it does
not provide an opt-out; or ``We don't share'' if it answers ``No''
in the middle column. Only the sixth row (``For our affiliates to
market to you'') may be omitted at the option of the institution.
See paragraph C.2(d)(6) of this Instruction.
(d) Specific disclosures and corresponding legal provisions.
(1) For our everyday business purposes. This reason incorporates
sharing information under Sec. Sec. 573.14 and 573.15 and with
service providers pursuant to Sec. 573.13 of this part other than
the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these
Instructions.
(2) For our marketing purposes. This reason incorporates sharing
information with service providers by an institution for its own
marketing pursuant to Sec. 573.13 of this part. An institution that
shares for this reason may choose to provide an opt-out.
(3) For joint marketing with other financial companies. This
reason incorporates sharing information under joint marketing
agreements between two or more financial institutions and with any
service provider used in connection with such agreements pursuant to
Sec. 573.13 of this part. An institution that shares for this
reason may choose to provide an opt-out.
(4) For our affiliates' everyday business purposes--information
about transactions and experiences. This reason incorporates sharing
information specified in sections 603(d)(2)(A)(i) and (ii) of the
FCRA. An institution that shares for this reason may choose to
provide an opt-out.
(5) For our affiliates' everyday business purposes--information
about creditworthiness. This reason incorporates sharing information
pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution
that shares for this reason must provide an opt-out.
(6) For our affiliates to market to you. This reason
incorporates sharing information specified in section 624 of the
FCRA. This reason may be omitted from the disclosure table when: The
institution does not have affiliates (or does not disclose personal
information to its affiliates); the institution's affiliates do not
use personal information in a manner that requires an opt-out; or
the institution provides the affiliate marketing notice separately.
Institutions that include this reason must provide an opt-out of
indefinite duration. An institution that is required to provide an
affiliate marketing opt-out, but does not include that opt-out in
the model form under this part, must comply with section 624 of the
FCRA and 12 CFR part 571, subpart C, with respect to the initial
notice and opt-out and any subsequent renewal notice and opt-out. An
institution not required to provide an opt-out under this
subparagraph may elect to include this reason in the model form.
(7) For nonaffiliates to market to you. This reason incorporates
sharing described in Sec. Sec. 573.7 and 573.10(a) of this part. An
institution that shares personal information for this reason must
provide an opt-out.
(e) To limit our sharing: A financial institution must include
this section of the model form only if it provides an opt-out. The
word ``choice'' may be written in either the singular or plural, as
appropriate. Institutions must select one or more of the applicable
opt-out methods described: Telephone, such as by a toll-free number;
a Web site; or use of a mail-in opt-out form. Institutions may
include the words ``toll-free'' before telephone, as appropriate. An
institution that allows consumers to opt out online must provide
either a specific Web address that takes consumers directly to the
opt-out page or a general Web address that provides a clear and
conspicuous direct link to the opt-out page. The opt-out choices
made available to the consumer who contacts the institution through
these methods must correspond accurately to the ``Yes'' responses in
the third column of the disclosure table. In the part titled
``Please note,'' institutions may insert a number that is 30 or
greater in the space marked ``[30].'' Instructions on voluntary or
state privacy law opt-out information are in paragraph C.2(g)(5) of
these Instructions.
(f) Questions box. Customer service contact information must be
inserted as appropriate, where [phone number] or [Web site] appear.
Institutions may elect to provide either a phone number, such as a
toll-free number, or a Web address, or both. Institutions may
include the words ``toll-free'' before the telephone number, as
appropriate.
(g) Mail-in opt-out form. Financial institutions must include
this mail-in form only if they state in the ``To limit our sharing''
box that consumers can opt out by mail. The mail-in form must
provide opt-out options that correspond accurately to the ``Yes''
responses in the third column in the disclosure table. Institutions
that require customers to provide only name and address may omit the
section identified as ``[account ].'' Institutions that
require additional or different information, such as a random opt-
out number or a truncated account number, to implement an opt-out
election should modify the ``[account ]'' reference
accordingly. This includes institutions that require customers with
multiple accounts to identify each account to which the opt-out
should apply. An institution must enter its opt-out mailing address:
in the far right of this form (see version 3); or below the form
(see version 4). The reverse side of the mail-in opt-out form must
not include any content of the model form.
(1) Joint accountholder. Only institutions that provide their
joint accountholders the choice to opt out for only one
accountholder, in accordance with paragraph C.3(a)(5) of these
Instructions, must include in the far left column of the mail-in
form the following statement: ``If you have a joint account, your
choice(s) will apply to everyone on your account unless you mark
below. [square] Apply my choice(s) only to me.'' The word ``choice''
may be written in either the singular or plural, as appropriate.
Financial institutions that provide insurance products or services,
provide this option, and elect to use the model form may substitute
the word ``policy'' for ``account'' in this statement. Institutions
that do not provide this option may eliminate this left column from
the mail-in form.
(2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution
shares personal information pursuant to section 603(d)(2)(A)(iii) of
the FCRA, it must include in the mail-in opt-out form the following
statement: ``[square] Do not share information about my
creditworthiness with your affiliates for their everyday business
purposes.''
(3) FCRA Section 624 opt-out. If the institution incorporates
section 624 of the FCRA in accord with paragraph C.2(d)(6) of these
Instructions, it must include in the mail-in opt-out form the
following statement: ``[square] Do not allow your affiliates to use
my personal information to market to me.''
(4) Nonaffiliate opt-out. If the financial institution shares
personal information pursuant to Sec. 573.10(a) of this part, it
must include in the mail-in opt-out form the following statement:
``[square] Do not share my personal information with nonaffiliates
to market their products and services to me.''
(5) Additional opt-outs. Financial institutions that use the
disclosure table to provide opt-out options beyond those required by
Federal law must provide those opt-outs in this section of the model
form. A financial institution that chooses to offer an opt-out for
its own marketing in the mail-in opt-out form must include one of
the two following statements: ``[square] Do not share my personal
information to market to me.'' or ``[square] Do not use my personal
information to market to me.'' A financial institution that chooses
to offer an opt-out for joint marketing must include the following
statement: ``[square] Do not share my personal information with
other financial institutions to jointly market to me.''
(h) Barcodes. A financial institution may elect to include a
barcode and/or ``tagline'' (an internal identifier) in 6-point font
at the bottom of page one, as needed for information internal to the
institution, so long as these do not interfere with the clarity or
text of the form.
3. Page Two
(a) General Instructions for the Questions. Certain of the
Questions may be customized as follows:
(1) ``Who is providing this notice?'' This question may be
omitted where only one financial institution provides the model form
and that institution is clearly identified in the title on page one.
Two or more financial institutions that jointly provide the model
form must use this question to identify themselves as required by
Sec. 573.9(f) of this part. Where the list of institutions exceeds
four (4) lines, the institution must describe in the response to
this question the general types of institutions jointly providing
the notice and must separately identify those institutions, in
minimum 8-point font, directly following the ``Other important
[[Page 62955]]
information'' box, or, if that box is not included in the
institution's form, directly following the ``Definitions.'' The list
may appear in a multi-column format.
(2) ``How does [name of financial institution] protect my
personal information?'' The financial institution may only provide
additional information pertaining to its safeguards practices
following the designated response to this question. Such information
may include information about the institution's use of cookies or
other measures it uses to safeguard personal information.
Institutions are limited to a maximum of 30 additional words.
(3) ``How does [name of financial institution] collect my
personal information?'' Institutions must use five (5) of the
following terms to complete the bulleted list for this question:
Open an account; deposit money; pay your bills; apply for a loan;
use your credit or debit card; seek financial or tax advice; apply
for insurance; pay insurance premiums; file an insurance claim; seek
advice about your investments; buy securities from us; sell
securities to us; direct us to buy securities; direct us to sell
your securities; make deposits or withdrawals from your account;
enter into an investment advisory contract; give us your income
information; provide employment information; give us your employment
history; tell us about your investment or retirement portfolio; tell
us about your investment or retirement earnings; apply for
financing; apply for a lease; provide account information; give us
your contact information; pay us by check; give us your wage
statements; provide your mortgage information; make a wire transfer;
tell us who receives the money; tell us where to send the money;
show your government-issued ID; show your driver's license; order a
commodity futures or option trade. Institutions that collect
personal information from their affiliates and/or credit bureaus
must include after the bulleted list the following statement: ``We
also collect your personal information from others, such as credit
bureaus, affiliates, or other companies.'' Institutions that do not
collect personal information from their affiliates or credit bureaus
but do collect information from other companies must include the
following statement instead: ``We also collect your personal
information from other companies.'' Only institutions that do not
collect any personal information from affiliates, credit bureaus, or
other companies can omit both statements.
(4) ``Why can't I limit all sharing?'' Institutions that
describe state privacy law provisions in the ``Other important
information'' box must use the bracketed sentence: ``See below for
more on your rights under state law.'' Other institutions must omit
this sentence.
(5) ``What happens when I limit sharing for an account I hold
jointly with someone else?'' Only financial institutions that
provide opt-out options must use this question. Other institutions
must omit this question. Institutions must choose one of the
following two statements to respond to this question: ``Your choices
will apply to everyone on your account.'' or ``Your choices will
apply to everyone on your account--unless you tell us otherwise.''
Financial institutions that provide insurance products or services
and elect to use the model form may substitute the word ``policy''
for ``account'' in these statements.
(b) General Instructions for the Definitions.
The financial institution must customize the space below the
responses to the three definitions in this section. This specific
information must be in italicized lettering to set off the
information from the standardized definitions.
(1) Affiliates. As required by Sec. 573.6(a)(3) of this part,
where [affiliate information] appears, the financial institution
must:
(i) If it has no affiliates, state: ``[name of financial
institution] has no affiliates;''
(ii) If it has affiliates but does not share personal
information, state: ``[name of financial institution] does not share
with our affiliates''; or
(iii) If it shares with its affiliates, state, as applicable:
``Our affiliates include companies with a [common corporate identity
of financial institution] name; financial companies such as [insert
illustrative list of companies]; nonfinancial companies, such as
[insert illustrative list of companies]; and others, such as [insert
illustrative list].''
(2) Nonaffiliates. As required by Sec. 573.6(c)(3) of this
part, where [nonaffiliate information] appears, the financial
institution must:
(i) If it does not share with nonaffiliated third parties,
state: ``[name of financial institution] does not share with
nonaffiliates so they can market to you''; or
(ii) If it shares with nonaffiliated third parties, state, as
applicable: ``Nonaffiliates we share with can include [list
categories of companies such as mortgage companies, insurance
companies, direct marketing companies, and nonprofit
organizations].''
(3) Joint Marketing. As required by Sec. 573.13 of this part,
where [joint marketing] appears, the financial institution must:
(i) If it does not engage in joint marketing, state: ``[name of
financial institution] doesn't jointly market''; or
(ii) If it shares personal information for joint marketing,
state, as applicable: ``Our joint marketing partners include [list
categories of companies such as credit card companies].''
(c) General instructions for the ``Other important information''
box. This box is optional. The space provided for information in
this box is not limited. Only the following types of information can
appear in this box.
(1) State and/or international privacy law information; and/or
(2) Acknowledgment of receipt form.
0
28. Amend newly redesignated Appendix B to part 573 as follows:
0
A. Add a new sentence to the beginning of the introductory text as set
forth below.
0
B. Effective January 1, 2012, remove Appendix B to part 573.
Appendix B to Part 573--Sample Clauses
This Appendix only applies to privacy notices provided before
January 1, 2011. * * *
* * * * *
National Credit Union Administration
12 CFR Chapter V
Authority and Issuance
0
For the reasons set forth in the joint preamble, part 716 of chapter V
of title 12 of the Code of Federal Regulations is amended as follows:
PART 716--PRIVACY OF CONSUMER FINANCIAL INFORMATION
0
29. The authority citation for part 716 continues to read as follows:
Authority: 12 U.S.C. 1751 et seq.; 15 U.S.C. 6801 et seq.
0
30. Revise Sec. 716.2 to read as follows:
Sec. 716.2 Model privacy form and examples.
(a) Model privacy form. Use of the model privacy form in Appendix A
of this part, consistent with the instructions in Appendix A,
constitutes compliance with the notice content requirements of
Sec. Sec. 716.6 and 716.7 of this part, although use of the model
privacy form is not required.
(b) Examples. The examples in this part are not exclusive.
Compliance with an example, to the extent applicable, constitutes
compliance with this part.
0
31. In Sec. 716.6:
0
A. Revise the section heading and paragraph (b), and add paragraphs (f)
and (g) to read as set forth below.
0
B. Effective January 1, 2012, remove paragraph (g).
Sec. 716.6 Information to be included in privacy notices.
* * * * *
(b) Description of nonaffiliated third parties subject to
exceptions. If you disclose nonpublic personal information to third
parties as authorized under Sec. Sec. 716.14 and 716.15, you are not
required to list those exceptions in the initial or annual privacy
notices required by Sec. Sec. 716.4 and 716.5. When describing the
categories with respect to those parties, it is sufficient to state
that you make disclosures to other nonaffiliated companies:
(1) For your everyday business purposes, such as [include all that
apply] to process transactions, maintain account(s), respond to court
orders and legal investigations, or report to credit bureaus; or
(2) As permitted by law.
* * * * *
[[Page 62956]]
(f) Model privacy form. Pursuant to Sec. 716.2(a) of this part, a
model privacy form that meets the notice content requirements of this
section is included in Appendix A of this part.
(g) Sample clauses. Sample clauses illustrating some of the notice
content required by this section are included in Appendix B of this
part. Use of a sample clause in a privacy notice provided on or before
December 31, 2010, to the extent applicable, constitutes compliance
with this part.
0
32. In Sec. 716.7, add paragraph (i) to read as follows:
Sec. 716.7 Form of opt-out notice to consumers; opt-out methods.
* * * * *
(i) Model privacy form. Pursuant to Sec. 716.2(a) of this part, a
model privacy form that meets the notice content requirements of this
section is included in Appendix A of this part.
Appendix A [Redesignated as Appendix B]
0
33. Redesignate Appendix A to part 716 as Appendix B to part 716.
0
34. Add new Appendix A to part 716 to read as follows:
Appendix A to Part 716--Model Privacy Form
A. The Model Privacy Form
BILLING CODE 6750-01-P 12.5%, 6351-01-P 12.5%, 6720-01-P 12.5%, 6714-
01-P 12.5%, 4810-33-P 12.5%, 6210-01-P 12.5%, 8011-01-P 12.5%, 7535-01-
P 12.5%;
[[Page 62957]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.028
[[Page 62958]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.029
[[Page 62959]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.030
[[Page 62960]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.031
[[Page 62961]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.032
[[Page 62962]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.033
[[Page 62963]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.034
BILLING CODE 6750-01-C 12.5%, 6351-01-C 12.5%, 6720-01-C 12.5%, 6714-
01-C 12.5%, 4810-33-C 12.5%, 6210-01-C 12.5%, 8011-01-C 12.5%, 7535-01-
C 12.5%;
B. General Instructions
1. How the Model Privacy Form Is Used
(a) The model form may be used, at the option of a financial
institution, including a group of financial institutions that use a
common privacy notice, to meet the content requirements of the
privacy notice and opt-out notice set forth in Sec. Sec. 716.6 and
716.7 of this part.
(b) The model form is a standardized form, including page
layout, content, format, style, pagination, and shading.
Institutions seeking to obtain the safe harbor through use of the
model form may modify it only as described in these Instructions.
(c) Note that disclosure of certain information, such as assets,
income, and information from a consumer reporting agency, may give
rise to obligations under the Fair Credit Reporting Act [15 U.S.C.
1681--1681x] (FCRA), such as a requirement to permit a consumer to
opt out of disclosures to affiliates or designation as a consumer
reporting agency if disclosures are made to nonaffiliated third
parties.
(d) The word ``customer'' may be replaced by the word ``member''
whenever it appears in the model form, as appropriate.
2. The Contents of the Model Privacy Form
The model form consists of two pages, which may be printed on
both sides of a single sheet of paper, or may appear on two separate
pages. Where an institution provides a long list of institutions at
the end of the model form in accordance with Instruction C.3(a)(1),
or provides additional information in accordance with Instruction
C.3(c), and such list or additional information exceeds the space
available on page two of the model form, such list or additional
information may extend to a third page.
(a) Page One. The first page consists of the following
components:
(1) Date last revised (upper right-hand corner).
(2) Title.
(3) Key frame (Why?, What?, How?).
(4) Disclosure table (``Reasons we can share your personal
information'').
(5) ``To limit our sharing'' box, as needed, for the financial
institution's opt-out information.
(6) ``Questions'' box, for customer service contact information.
(7) Mail-in opt-out form, as needed.
(b) Page Two. The second page consists of the following
components:
(1) Heading (Page 2).
(2) Frequently Asked Questions (``Who we are'' and ``What we
do'').
(3) Definitions.
(4) ``Other important information'' box, as needed.
3. The Format of the Model Privacy Form
The format of the model form may be modified only as described
below.
(a) Easily readable type font. Financial institutions that use
the model form must use an easily readable type font. While a number
of factors together produce easily readable type font, institutions
are required to use a minimum of 10-point font (unless otherwise
expressly permitted in these Instructions) and sufficient spacing
between the lines of type.
(b) Logo. A financial institution may include a corporate logo
on any page of the notice, so long as it does not interfere with the
readability of the model form or the space constraints of each page.
(c) Page size and orientation. Each page of the model form must
be printed on paper in portrait orientation, the size of which must
be sufficient to meet the layout and minimum font size requirements,
with sufficient white space on the top, bottom, and sides of the
content.
(d) Color. The model form must be printed on white or light
color paper (such as cream) with black or other contrasting ink
color. Spot color may be used to achieve visual interest, so long as
the color contrast is distinctive and the color does not detract
from the readability of the model form. Logos may also be printed in
color.
(e) Languages. The model form may be translated into languages
other than English.
C. Information Required in the Model Privacy Form
The information in the model form may be modified only as
described below:
1. Name of the Institution or Group of Affiliated Institutions
Providing the Notice
Insert the name of the financial institution providing the
notice or a common identity of affiliated institutions jointly
providing the notice on the form wherever [name of financial
institution] appears.
2. Page One
(a) Last revised date. The financial institution must insert in
the upper right-hand corner the date on which the notice was last
revised. The information shall appear in minimum 8-point font as
``rev. [month/year]'' using either the name or number of the month,
such as ``rev. July 2009'' or ``rev. 7/09''.
(b) General instructions for the ``What?'' box.
(1) The bulleted list identifies the types of personal
information that the institution collects and shares. All
institutions must use the term ``Social Security number'' in the
first bullet.
(2) Institutions must use five (5) of the following terms to
complete the bulleted list: income; account balances; payment
history; transaction history; transaction or loss history; credit
history; credit scores; assets; investment experience; credit-based
insurance scores; insurance claim history; medical information;
overdraft history; purchase history; account transactions; risk
tolerance; medical-related debts; credit card or other debt;
mortgage rates and payments; retirement assets; checking account
information; employment information; wire transfer instructions.
(c) General instructions for the disclosure table. The left
column lists reasons for
[[Page 62964]]
sharing or using personal information. Each reason correlates to a
specific legal provision described in paragraph C.2(d) of this
Instruction. In the middle column, each institution must provide a
``Yes'' or ``No'' response that accurately reflects its information
sharing policies and practices with respect to the reason listed on
the left. In the right column, each institution must provide in each
box one of the following three (3) responses, as applicable, that
reflects whether a consumer can limit such sharing: ``Yes'' if it is
required to or voluntarily provides an opt-out; ``No'' if it does
not provide an opt-out; or ``We don't share'' if it answers ``No''
in the middle column. Only the sixth row (``For our affiliates to
market to you'') may be omitted at the option of the institution.
See paragraph C.2(d)(6) of this Instruction.
(d) Specific disclosures and corresponding legal provisions.
(1) For our everyday business purposes. This reason incorporates
sharing information under Sec. Sec. 716.14 and 716.15 and with
service providers pursuant to Sec. 716.13 of this part other than
the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these
Instructions.
(2) For our marketing purposes. This reason incorporates sharing
information with service providers by an institution for its own
marketing pursuant to Sec. 716.13 of this part. An institution that
shares for this reason may choose to provide an opt-out.
(3) For joint marketing with other financial companies. This
reason incorporates sharing information under joint marketing
agreements between two or more financial institutions and with any
service provider used in connection with such agreements pursuant to
Sec. 716.13 of this part. An institution that shares for this
reason may choose to provide an opt-out.
(4) For our affiliates' everyday business purposes--information
about transactions and experiences. This reason incorporates sharing
information specified in sections 603(d)(2)(A)(i) and (ii) of the
FCRA. An institution that shares for this reason may choose to
provide an opt-out.
(5) For our affiliates' everyday business purposes--information
about creditworthiness. This reason incorporates sharing information
pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution
that shares for this reason must provide an opt-out.
(6) For our affiliates to market to you. This reason
incorporates sharing information specified in section 624 of the
FCRA. This reason may be omitted from the disclosure table when: the
institution does not have affiliates (or does not disclose personal
information to its affiliates); the institution's affiliates do not
use personal information in a manner that requires an opt-out; or
the institution provides the affiliate marketing notice separately.
Institutions that include this reason must provide an opt-out of
indefinite duration. An institution that is required to provide an
affiliate marketing opt-out, but does not include that opt-out in
the model form under this part, must comply with section 624 of the
FCRA and 12 CFR part 717, subpart C, with respect to the initial
notice and opt-out and any subsequent renewal notice and opt-out. An
institution not required to provide an opt-out under this
subparagraph may elect to include this reason in the model form.
(7) For nonaffiliates to market to you. This reason incorporates
sharing described in Sec. Sec. 716.7 and 716.10(a) of this part. An
institution that shares personal information for this reason must
provide an opt-out.
(e) To limit our sharing: A financial institution must include
this section of the model form only if it provides an opt-out. The
word ``choice'' may be written in either the singular or plural, as
appropriate. Institutions must select one or more of the applicable
opt-out methods described: telephone, such as by a toll-free number;
a Web site; or use of a mail-in opt-out form. Institutions may
include the words ``toll-free'' before telephone, as appropriate. An
institution that allows consumers to opt out online must provide
either a specific Web address that takes consumers directly to the
opt-out page or a general Web address that provides a clear and
conspicuous direct link to the opt-out page. The opt-out choices
made available to the consumer who contacts the institution through
these methods must correspond accurately to the ``Yes'' responses in
the third column of the disclosure table. In the part titled
``Please note'' institutions may insert a number that is 30 or
greater in the space marked ``[30].'' Instructions on voluntary or
state privacy law opt-out information are in paragraph C.2(g)(5) of
these Instructions.
(f) Questions box. Customer service contact information must be
inserted as appropriate, where [phone number] or [Web site] appear.
Institutions may elect to provide either a phone number, such as a
toll-free number, or a Web address, or both. Institutions may
include the words ``toll-free'' before the telephone number, as
appropriate.
(g) Mail-in opt-out form. Financial institutions must include
this mail-in form only if they state in the ``To limit our sharing''
box that consumers can opt out by mail. The mail-in form must
provide opt-out options that correspond accurately to the ``Yes''
responses in the third column in the disclosure table. Institutions
that require customers to provide only name and address may omit the
section identified as ``[account ].'' Institutions that
require additional or different information, such as a random opt-
out number or a truncated account number, to implement an opt-out
election should modify the ``[account ]'' reference
accordingly. This includes institutions that require customers with
multiple accounts to identify each account to which the opt-out
should apply. An institution must enter its opt-out mailing address:
in the far right of this form (see version 3); or below the form
(see version 4). The reverse side of the mail-in opt-out form must
not include any content of the model form.
(1) Joint accountholder. Only institutions that provide their
joint accountholders the choice to opt out for only one
accountholder, in accordance with paragraph C.3(a)(5) of these
Instructions, must include in the far left column of the mail-in
form the following statement: ``If you have a joint account, your
choice(s) will apply to everyone on your account unless you mark
below. [square] Apply my choice(s) only to me.'' The word ``choice''
may be written in either the singular or plural, as appropriate.
Financial institutions that provide insurance products or services,
provide this option, and elect to use the model form may substitute
the word ``policy'' for ``account'' in this statement. Institutions
that do not provide this option may eliminate this left column from
the mail-in form.
(2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution
shares personal information pursuant to section 603(d)(2)(A)(iii) of
the FCRA, it must include in the mail-in opt-out form the following
statement: ``[square] Do not share information about my
creditworthiness with your affiliates for their everyday business
purposes.''
(3) FCRA Section 624 opt-out. If the institution incorporates
section 624 of the FCRA in accord with paragraph C.2(d)(6) of these
Instructions, it must include in the mail-in opt-out form the
following statement: ``[square] Do not allow your affiliates to use
my personal information to market to me.''
(4) Nonaffiliate opt-out. If the financial institution shares
personal information pursuant to Sec. 716.10(a) of this part, it
must include in the mail-in opt-out form the following statement:
``[square] Do not share my personal information with nonaffiliates
to market their products and services to me.''
(5) Additional opt-outs. Financial institutions that use the
disclosure table to provide opt-out options beyond those required by
Federal law must provide those opt-outs in this section of the model
form. A financial institution that chooses to offer an opt-out for
its own marketing in the mail-in opt-out form must include one of
the two following statements: ``[square] Do not share my personal
information to market to me.'' or ``[square] Do not use my personal
information to market to me.'' A financial institution that chooses
to offer an opt-out for joint marketing must include the following
statement: ``[square] Do not share my personal information with
other financial institutions to jointly market to me.''
(h) Barcodes. A financial institution may elect to include a
barcode and/or ``tagline'' (an internal identifier) in 6-point font
at the bottom of page one, as needed for information internal to the
institution, so long as these do not interfere with the clarity or
text of the form.
3. Page Two
(a) General Instructions for the Questions. Certain of the
Questions may be customized as follows:
(1) ``Who is providing this notice?'' This question may be
omitted where only one financial institution provides the model form
and that institution is clearly identified in the title on page one.
Two or more financial institutions that jointly provide the model
form must use this question to identify themselves as required by
Sec. 716.9(f) of this part. Where the list of institutions exceeds
four (4) lines, the institution must describe in the response to
this question the general types of institutions jointly providing
the notice and must separately identify those institutions, in
minimum 8-point font, directly following the ``Other important
[[Page 62965]]
information'' box, or, if that box is not included in the
institution's form, directly following the ``Definitions.'' The list
may appear in a multi-column format.
(2) ``How does [name of financial institution] protect my
personal information?'' The financial institution may only provide
additional information pertaining to its safeguards practices
following the designated response to this question. Such information
may include information about the institution's use of cookies or
other measures it uses to safeguard personal information.
Institutions are limited to a maximum of 30 additional words.
(3) ``How does [name of financial institution] collect my
personal information?'' Institutions must use five (5) of the
following terms to complete the bulleted list for this question:
open an account; deposit money; pay your bills; apply for a loan;
use your credit or debit card; seek financial or tax advice; apply
for insurance; pay insurance premiums; file an insurance claim; seek
advice about your investments; buy securities from us; sell
securities to us; direct us to buy securities; direct us to sell
your securities; make deposits or withdrawals from your account;
enter into an investment advisory contract; give us your income
information; provide employment information; give us your employment
history; tell us about your investment or retirement portfolio; tell
us about your investment or retirement earnings; apply for
financing; apply for a lease; provide account information; give us
your contact information; pay us by check; give us your wage
statements; provide your mortgage information; make a wire transfer;
tell us who receives the money; tell us where to send the money;
show your government-issued ID; show your driver's license; order a
commodity futures or option trade. Institutions that collect
personal information from their affiliates and/or credit bureaus
must include after the bulleted list the following statement: ``We
also collect your personal information from others, such as credit
bureaus, affiliates, or other companies.'' Institutions that do not
collect personal information from their affiliates or credit bureaus
but do collect information from other companies must include the
following statement instead: ``We also collect your personal
information from other companies.'' Only institutions that do not
collect any personal information from affiliates, credit bureaus, or
other companies can omit both statements.
(4) ``Why can't I limit all sharing?'' Institutions that
describe state privacy law provisions in the ``Other important
information'' box must use the bracketed sentence: ``See below for
more on your rights under state law.'' Other institutions must omit
this sentence.
(5) ``What happens when I limit sharing for an account I hold
jointly with someone else?'' Only financial institutions that
provide opt-out options must use this question. Other institutions
must omit this question. Institutions must choose one of the
following two statements to respond to this question: ``Your choices
will apply to everyone on your account.'' or ``Your choices will
apply to everyone on your account--unless you tell us otherwise.''
Financial institutions that provide insurance products or services
and elect to use the model form may substitute the word ``policy''
for ``account'' in these statements.
(b) General Instructions for the Definitions.
The financial institution must customize the space below the
responses to the three definitions in this section. This specific
information must be in italicized lettering to set off the
information from the standardized definitions.
(1) Affiliates. As required by Sec. 716.6(a)(3) of this part,
where [affiliate information] appears, the financial institution
must:
(i) If it has no affiliates, state: ``[name of financial
institution] has no affiliates'';
(ii) If it has affiliates but does not share personal
information, state: ``[name of financial institution] does not share
with our affiliates; or
(iii) If it shares with its affiliates, state, as applicable:
``Our affiliates include companies with a [common corporate identity
of financial institution] name; financial companies such as [insert
illustrative list of companies]; nonfinancial companies, such as
[insert illustrative list of companies;] and others, such as [insert
illustrative list].''
(2) Nonaffiliates. As required by Sec. 716.6(c)(3) of this
part, where [nonaffiliate information] appears, the financial
institution must:
(i) If it does not share with nonaffiliated third parties,
state: ``[name of financial institution] does not share with
nonaffiliates so they can market to you''; or
(ii) If it shares with nonaffiliated third parties, state, as
applicable: ``Nonaffiliates we share with can include [list
categories of companies such as mortgage companies, insurance
companies, direct marketing companies, and nonprofit
organizations].''
(3) Joint Marketing. As required by Sec. 716.13 of this part,
where [joint marketing] appears, the financial institution must:
(i) If it does not engage in joint marketing, state: ``[name of
financial institution] doesn't jointly market ''; or
(ii) If it shares personal information for joint marketing,
state, as applicable: ``Our joint marketing partners include [list
categories of companies such as credit card companies].''
(c) General instructions for the ``Other important information''
box. This box is optional. The space provided for information in
this box is not limited. Only the following types of information can
appear in this box.
(1) State and/or international privacy law information; and/or
(2) Acknowledgment of receipt form.
0
35. Amend newly redesignated Appendix B to part 716 as follows:
0
A. Add a new sentence to the beginning of the introductory text as set
forth below.
0
B. Effective January 1, 2012, remove Appendix B to part 716.
Appendix B to Part 716--Sample Clauses
This Appendix only applies to privacy notices provided before
January 1, 2011. * * *
* * * * *
Federal Trade Commission
16 CFR Chapter I
0
For the reasons set forth in the joint preamble, the Federal Trade
Commission amends part 313 of chapter I of title 16 of the Code of
Federal Regulations as follows:
PART 313--PRIVACY OF CONSUMER FINANCIAL INFORMATION
0
36. The authority citation for part 313 continues to read as follows:
Authority: 15 U.S.C. 6801 et seq.
0
37. Revise Sec. 313.2 to read as follows:
Sec. 313.2 Model privacy form and examples.
(a) Model privacy form. Use of the model privacy form in Appendix A
of this part, consistent with the instructions in Appendix A,
constitutes compliance with the notice content requirements of
Sec. Sec. 313.6 and 313.7 of this part, although use of the model
privacy form is not required.
(b) Examples. The examples in this part are not exclusive.
Compliance with an example, to the extent applicable, constitutes
compliance with this part.
0
38. In Sec. 313.6:
0
A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set
forth below.
0
B. Effective January 1, 2012, remove paragraph (g).
Sec. 313.6 Information to be included in privacy notices.
* * * * *
(b) Description of nonaffiliated third parties subject to
exceptions. If you disclose nonpublic personal information to third
parties as authorized under Sec. Sec. 313.14 and 313.15, you are not
required to list those exceptions in the initial or annual privacy
notices required by Sec. Sec. 313.4 and 313.5. When describing the
categories with respect to those parties, it is sufficient to state
that you make disclosures to other nonaffiliated companies for your
everyday business purposes, such as to process transactions, maintain
account(s), respond to court orders and legal investigations, or report
to credit bureaus.
* * * * *
(f) Model privacy form. Pursuant to Sec. 313.2(a) of this part, a
model privacy form that meets the notice content
[[Page 62966]]
requirements of this section is included in Appendix A of this part.
(g) Sample clauses and description of nonaffiliated third parties
subject to exceptions.
(1) Sample clauses. Sample clauses illustrating some of the notice
content required by this section are included in Appendix B of this
part. Use of a sample clause in a privacy notice provided on or before
December 31, 2010, to the extent applicable, constitutes compliance
with this part.
(2) Description of nonaffiliated third parties subject to
exceptions. For a privacy notice provided on or before December 31,
2010, if you disclose nonpublic personal information to third parties
as authorized under Sec. Sec. 313.14 and 313.15, when describing the
categories with respect to those parties, it is sufficient to state, as
an alternative to the language in the second sentence of paragraph (b)
of this section, that you make disclosures to other nonaffiliated third
parties as permitted by law.
0
39. In Sec. 313.7, add paragraph (i) to read as follows:
Sec. 313.7 Form of opt-out notice to consumers; opt-out methods.
* * * * *
(i) Model privacy form. Pursuant to Sec. 313.2(a) of this part, a
model privacy form that meets the notice content requirements of this
section is included in Appendix A of this part.
Appendix A [Redesignated as Appendix B]
0
40. Redesignate Appendix A to part 313 as Appendix B to part 313.
0
41. Add new Appendix A to part 313 to read as follows:
Appendix A to Part 313--Model Privacy Form
A. The Model Privacy Form
BILLING CODE 6750-01-P 12.5%, 6351-01-P 12.5%, 6720-01-P 12.5%, 6714-
01-P 12.5%, 4810-33-P 12.5%, 6210-01-P 12.5%, 8011-01-P 12.5%, 7535-01-
P 12.5%
[[Page 62967]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.035
[[Page 62968]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.036
[[Page 62969]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.037
[[Page 62970]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.038
[[Page 62971]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.039
[[Page 62972]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.041
BILLING CODE 6750-01-C 12.5%, 6351-01-C 12.5%, 6720-01-C 12.5%, 6714-
01-C 12.5%, 4810-33-C 12.5%, 6210-01-C 12.5%, 8011-01-C 12.5%, 7535-01-
C 12.5%,
B. General Instructions
1. How the Model Privacy Form is Used
(a) The model form may be used, at the option of a financial
institution, including a group of financial institutions that use a
common privacy notice, to meet the content requirements of the
privacy notice and opt-out notice set forth in Sec. Sec. 313.6 and
313.7 of this part.
(b) The model form is a standardized form, including page
layout, content, format, style, pagination, and shading.
Institutions seeking to obtain the safe harbor through use of the
model form may modify it only as described in these Instructions.
(c) Note that disclosure of certain information, such as assets,
income, and information from a consumer reporting agency, may give
rise to obligations under the Fair Credit Reporting Act [15 U.S.C.
1681-1681x] (FCRA), such as a requirement to permit a consumer to
opt out of disclosures to affiliates or designation as a consumer
reporting agency if disclosures are made to nonaffiliated third
parties.
(d) The word ``customer'' may be replaced by the word ``member''
whenever it appears in the model form, as appropriate.
2. The Contents of the Model Privacy Form
The model form consists of two pages, which may be printed on
both sides of a single sheet of paper, or may appear on two separate
pages. Where an institution provides a long list of institutions at
the end of the model form in accordance with Instruction C.3(a)(1),
or provides additional information in accordance with Instruction
C.3(c), and such list or additional information exceeds the space
available on page two of the model form, such list or additional
information may extend to a third page.
(a) Page One. The first page consists of the following
components:
(1) Date last revised (upper right-hand corner).
(2) Title.
(3) Key frame (Why?, What?, How?).
(4) Disclosure table (``Reasons we can share your personal
information'').
(5) ``To limit our sharing'' box, as needed, for the financial
institution's opt-out information.
(6) ``Questions'' box, for customer service contact information.
(7) Mail-in opt-out form, as needed.
(b) Page Two. The second page consists of the following
components:
(1) Heading (Page 2).
(2) Frequently Asked Questions (``Who we are'' and ``What we
do'').
(3) Definitions.
(4) ``Other important information'' box, as needed.
3. The Format of the Model Privacy Form
The format of the model form may be modified only as described
below.
(a) Easily readable type font. Financial institutions that use
the model form must use an easily readable type font. While a number
of factors together produce an easily readable type font,
institutions are required to use a minimum of 10-point font (unless
otherwise expressly permitted in these Instructions) and sufficient
spacing between the lines of type.
(b) Logo. A financial institution may include a corporate logo
on any page of the notice, so long as it does not interfere with the
readability of the model form or the space constraints of each page.
(c) Page size and orientation. Each page of the model form must
be printed on paper in portrait orientation, the size of which must
be sufficient to meet the layout and minimum font size requirements,
with sufficient white space on the top, bottom, and sides of the
content.
(d) Color. The model form must be printed on white or light
color paper (such as cream) with black or other contrasting ink
color. Spot color may be used to achieve visual interest, so long as
the color contrast is distinctive and the color does not detract
from the readability of the model form. Logos may also be printed in
color.
(e) Languages. The model form may be translated into languages
other than English.
C. Information Required in the Model Privacy Form
The information in the model form may be modified only as
described below:
1. Name of the Institution or Group of Affiliated Institutions
Providing the Notice
Insert the name of the financial institution providing the
notice or a common identity of affiliated institutions jointly
providing the notice on the form wherever [name of financial
institution] appears.
2. Page One
(a) Last revised date. The financial institution must insert in
the upper right-hand corner the date on which the notice was last
revised. The information shall appear in minimum 8-point font as
``rev. [month/year]'' using either the name or number of the month,
such as ``rev. July 2009'' or ``rev. 7/09''.
(b) General instructions for the ``What?'' box.
(1) The bulleted list identifies the types of personal
information that the institution collects and shares. All
institutions must use the term ``Social Security number'' in the
first bullet.
(2) Institutions must use five (5) of the following terms to
complete the bulleted list: income; account balances; payment
history; transaction history; transaction or loss history; credit
history; credit scores; assets; investment experience; credit-based
insurance scores; insurance claim history; medical information;
overdraft history; purchase history; account transactions; risk
tolerance; medical-related debts; credit card or other debt;
mortgage rates and payments; retirement assets; checking account
information; employment information; wire transfer instructions.
(c) General instructions for the disclosure table. The left
column lists reasons for
[[Page 62973]]
sharing or using personal information. Each reason correlates to a
specific legal provision described in paragraph C.2(d) of this
Instruction. In the middle column, each institution must provide a
``Yes'' or ``No'' response that accurately reflects its information
sharing policies and practices with respect to the reason listed on
the left. In the right column, each institution must provide in each
box one of the following three (3) responses, as applicable, that
reflects whether a consumer can limit such sharing: ``Yes'' if it is
required to or voluntarily provides an opt-out; ``No'' if it does
not provide an opt-out; or ``We don't share'' if it answers ``No''
in the middle column. Only the sixth row (``For our affiliates to
market to you'') may be omitted at the option of the institution.
See paragraph C.2(d)(6) of this Instruction.
(d) Specific disclosures and corresponding legal provisions.
(1) For our everyday business purposes. This reason incorporates
sharing information under Sec. Sec. 313.14 and 313.15 and with
service providers pursuant to Sec. 313.13 of this part other than
the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these
Instructions.
(2) For our marketing purposes. This reason incorporates sharing
information with service providers by an institution for its own
marketing pursuant to Sec. 313.13 of this part. An institution that
shares for this reason may choose to provide an opt-out.
(3) For joint marketing with other financial companies. This
reason incorporates sharing information under joint marketing
agreements between two or more financial institutions and with any
service provider used in connection with such agreements pursuant to
Sec. 313.13 of this part. An institution that shares for this
reason may choose to provide an opt-out.
(4) For our affiliates' everyday business purposes--information
about transactions and experiences. This reason incorporates sharing
information specified in sections 603(d)(2)(A)(i) and (ii) of the
FCRA. An institution that shares for this reason may choose to
provide an opt-out.
(5) For our affiliates' everyday business purposes--information
about creditworthiness. This reason incorporates sharing information
pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution
that shares for this reason must provide an opt-out.
(6) For our affiliates to market to you. This reason
incorporates sharing information specified in section 624 of the
FCRA. This reason may be omitted from the disclosure table when: the
institution does not have affiliates (or does not disclose personal
information to its affiliates); the institution's affiliates do not
use personal information in a manner that requires an opt-out; or
the institution provides the affiliate marketing notice separately.
Institutions that include this reason must provide an opt-out of
indefinite duration. An institution that is required to provide an
affiliate marketing opt-out, but does not include that opt-out in
the model form under this part, must comply with section 624 of the
FCRA and 16 CFR parts 680 and 698 with respect to the initial notice
and opt-out and any subsequent renewal notice and opt-out. An
institution not required to provide an opt-out under this
subparagraph may elect to include this reason in the model form.
(7) For nonaffiliates to market to you. This reason incorporates
sharing described in Sec. Sec. 313.7 and 313.10(a) of this part. An
institution that shares personal information for this reason must
provide an opt-out.
(e) To limit our sharing: A financial institution must include
this section of the model form only if it provides an opt-out. The
word ``choice'' may be written in either the singular or plural, as
appropriate. Institutions must select one or more of the applicable
opt-out methods described: telephone, such as by a toll-free number;
a Web site; or use of a mail-in opt-out form. Institutions may
include the words ``toll-free'' before telephone, as appropriate. An
institution that allows consumers to opt out online must provide
either a specific Web address that takes consumers directly to the
opt-out page or a general Web address that provides a clear and
conspicuous direct link to the opt-out page. The opt-out choices
made available to the consumer who contacts the institution through
these methods must correspond accurately to the ``Yes'' responses in
the third column of the disclosure table. In the part titled
``Please note'' institutions may insert a number that is 30 or
greater in the space marked ``[30].'' Instructions on voluntary or
state privacy law opt-out information are in paragraph C.2(g)(5) of
these Instructions.
(f) Questions box. Customer service contact information must be
inserted as appropriate, where [phone number] or [Web site] appear.
Institutions may elect to provide either a phone number, such as a
toll-free number, or a Web address, or both. Institutions may
include the words ``toll-free'' before the telephone number, as
appropriate.
(g) Mail-in opt-out form. Financial institutions must include
this mail-in form only if they state in the ``To limit our sharing''
box that consumers can opt out by mail. The mail-in form must
provide opt-out options that correspond accurately to the ``Yes''
responses in the third column in the disclosure table. Institutions
that require customers to provide only name and address may omit the
section identified as ``[account ].'' Institutions that
require additional or different information, such as a random opt-
out number or a truncated account number, to implement an opt-out
election should modify the ``[account ]'' reference
accordingly. This includes institutions that require customers with
multiple accounts to identify each account to which the opt-out
should apply. An institution must enter its opt-out mailing address:
In the far right of this form (see version 3); or below the form
(see version 4). The reverse side of the mail-in opt-out form must
not include any content of the model form.
(1) Joint accountholder. Only institutions that provide their
joint accountholders the choice to opt out for only one
accountholder, in accordance with paragraph C.3(a)(5) of these
Instructions, must include in the far left column of the mail-in
form the following statement: ``If you have a joint account, your
choice(s) will apply to everyone on your account unless you mark
below. [square] Apply my choice(s) only to me.'' The word ``choice''
may be written in either the singular or plural, as appropriate.
Financial institutions that provide insurance products or services,
provide this option, and elect to use the model form may substitute
the word ``policy'' for ``account'' in this statement. Institutions
that do not provide this option may eliminate this left column from
the mail-in form.
(2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution
shares personal information pursuant to section 603(d)(2)(A)(iii) of
the FCRA, it must include in the mail-in opt-out form the following
statement: ``[square] Do not share information about my
creditworthiness with your affiliates for their everyday business
purposes.''
(3) FCRA Section 624 opt-out. If the institution incorporates
section 624 of the FCRA in accord with paragraph C.2(d)(6) of these
Instructions, it must include in the mail-in opt-out form the
following statement: ``[square] Do not allow your affiliates to use
my personal information to market to me.''
(4) Nonaffiliate opt-out. If the financial institution shares
personal information pursuant to Sec. 313.10(a) of this part, it
must include in the mail-in opt-out form the following statement:
``[square] Do not share my personal information with nonaffiliates
to market their products and services to me.''
(5) Additional opt-outs. Financial institutions that use the
disclosure table to provide opt-out options beyond those required by
Federal law must provide those opt-outs in this section of the model
form. A financial institution that chooses to offer an opt-out for
its own marketing in the mail-in opt-out form must include one of
the two following statements: ``[square] Do not share my personal
information to market to me.'' or ``[square] Do not use my personal
information to market to me.'' A financial institution that chooses
to offer an opt-out for joint marketing must include the following
statement: ``[square] Do not share my personal information with
other financial institutions to jointly market to me.''
(h) Barcodes. A financial institution may elect to include a
barcode and/or ``tagline'' (an internal identifier) in 6-point font
at the bottom of page one, as needed for information internal to the
institution, so long as these do not interfere with the clarity or
text of the form.
3. Page Two
(a) General Instructions for the Questions. Certain of the
Questions may be customized as follows:
(1) ``Who is providing this notice?'' This question may be
omitted where only one financial institution provides the model form
and that institution is clearly identified in the title on page one.
Two or more financial institutions that jointly provide the model
form must use this question to identify themselves as required by
Sec. 313.9(f) of this part. Where the list of institutions exceeds
four (4) lines, the institution must describe in the response to
this question the general types of institutions jointly providing
the notice and must separately identify those institutions, in
minimum 8-point font, directly following the ``Other important
[[Page 62974]]
information'' box, or, if that box is not included in the
institution's form, directly following the ``Definitions.'' The list
may appear in a multi-column format.
(2) ``How does [name of financial institution] protect my
personal information?'' The financial institution may only provide
additional information pertaining to its safeguards practices
following the designated response to this question. Such information
may include information about the institution's use of cookies or
other measures it uses to safeguard personal information.
Institutions are limited to a maximum of 30 additional words.
(3) ``How does [name of financial institution] collect my
personal information?'' Institutions must use five (5) of the
following terms to complete the bulleted list for this question:
Open an account; deposit money; pay your bills; apply for a loan;
use your credit or debit card; seek financial or tax advice; apply
for insurance; pay insurance premiums; file an insurance claim; seek
advice about your investments; buy securities from us; sell
securities to us; direct us to buy securities; direct us to sell
your securities; make deposits or withdrawals from your account;
enter into an investment advisory contract; give us your income
information; provide employment information; give us your employment
history; tell us about your investment or retirement portfolio; tell
us about your investment or retirement earnings; apply for
financing; apply for a lease; provide account information; give us
your contact information; pay us by check; give us your wage
statements; provide your mortgage information; make a wire transfer;
tell us who receives the money; tell us where to send the money;
show your government-issued ID; show your driver's license; order a
commodity futures or option trade. Institutions that collect
personal information from their affiliates and/or credit bureaus
must include after the bulleted list the following statement: ``We
also collect your personal information from others, such as credit
bureaus, affiliates, or other companies.'' Institutions that do not
collect personal information from their affiliates or credit bureaus
but do collect information from other companies must include the
following statement instead: ``We also collect your personal
information from other companies.'' Only institutions that do not
collect any personal information from affiliates, credit bureaus, or
other companies can omit both statements.
(4) ``Why can't I limit all sharing?'' Institutions that
describe state privacy law provisions in the ``Other important
information'' box must use the bracketed sentence: ``See below for
more on your rights under state law.'' Other institutions must omit
this sentence.
(5) ``What happens when I limit sharing for an account I hold
jointly with someone else?'' Only financial institutions that
provide opt-out options must use this question. Other institutions
must omit this question. Institutions must choose one of the
following two statements to respond to this question: ``Your choices
will apply to everyone on your account.'' or ``Your choices will
apply to everyone on your account--unless you tell us otherwise.''
Financial institutions that provide insurance products or services
and elect to use the model form may substitute the word ``policy''
for ``account'' in these statements.
(b) General Instructions for the Definitions.
The financial institution must customize the space below the
responses to the three definitions in this section. This specific
information must be in italicized lettering to set off the
information from the standardized definitions.
(1) Affiliates. As required by Sec. 313.6(a)(3) of this part,
where [affiliate information] appears, the financial institution
must:
(i) If it has no affiliates, state: ``[name of financial
institution] has no affiliates'';
(ii) If it has affiliates but does not share personal
information, state: ``[name of financial institution] does not share
with our affiliates''; or
(iii) If it shares with its affiliates, state, as applicable:
``Our affiliates include companies with a [common corporate identity
of financial institution] name; financial companies such as [insert
illustrative list of companies]; nonfinancial companies, such as
[insert illustrative list of companies;] and others, such as [insert
illustrative list].''
(2) Nonaffiliates. As required by Sec. 313.6(c)(3) of this
part, where [nonaffiliate information] appears, the financial
institution must:
(i) If it does not share with nonaffiliated third parties,
state: ``[name of financial institution] does not share with
nonaffiliates so they can market to you''; or
(ii) If it shares with nonaffiliated third parties, state, as
applicable: ``Nonaffiliates we share with can include [list
categories of companies such as mortgage companies, insurance
companies, direct marketing companies, and nonprofit
organizations].''
(3) Joint Marketing. As required by Sec. 313.13 of this part,
where [joint marketing] appears, the financial institution must:
(i) If it does not engage in joint marketing, state: ``[name of
financial institution] doesn't jointly market''; or
(ii) If it shares personal information for joint marketing,
state, as applicable: ``Our joint marketing partners include [list
categories of companies such as credit card companies].''
(c) General instructions for the ``Other important information''
box. This box is optional. The space provided for information in
this box is not limited. Only the following types of information can
appear in this box.
(1) State and/or international privacy law information; and/or
(2) Acknowledgment of receipt form.
0
42. Amend newly redesignated Appendix B to part 313 as follows:
0
A. Add a new sentence to the beginning of the introductory text as set
forth below.
0
B. Effective January 1, 2012, remove Appendix B to part 313.
Appendix B to Part 313--Sample Clauses
This Appendix only applies to privacy notices provided before
January 1, 2011. * * *
* * * * *
Commodity Futures Trading Commission
17 CFR Chapter I
Authority and Issuance
0
For the reasons set forth in the joint preamble, part 160 of chapter I
of title 17 of the Code of Federal Regulations is amended as follows:
PART 160--PRIVACY OF CONSUMER FINANCIAL INFORMATION
0
43. The authority citation for part 160 continues to read as follows:
Authority: 7 U.S.C. 7b-2 and 12a(5); 15 U.S.C. 6801 et seq.
0
44. Revise Sec. 160.2 to read as follows:
Sec. 160.2 Model privacy form and examples.
(a) Model privacy form. Use of the model privacy form in Appendix A
of this part, consistent with the instructions in Appendix A,
constitutes compliance with the notice content requirements of
Sec. Sec. 160.6 and 160.7 of this part, although use of the model
privacy form is not required.
(b) Examples. The examples in this part are not exclusive.
Compliance with an example, to the extent applicable, constitutes
compliance with this part.
0
45. In Sec. 160.6:
0
A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set
forth below.
0
B. Effective January 1, 2012, remove paragraph (g).
Sec. 160.6 Information to be included in privacy notices.
* * * * *
(b) Description of nonaffiliated third parties subject to
exceptions. If you disclose nonpublic personal information to third
parties as authorized under Sec. Sec. 160.14 and 160.15, you are not
required to list those exceptions in the initial or annual privacy
notices required by Sec. Sec. 160.4 and 160.5. When describing the
categories with respect to those parties, it is sufficient to state
that you make disclosures to other nonaffiliated companies:
(1) For your everyday business purposes, such as [include all that
apply] to process transactions, maintain account(s), respond to court
orders and legal investigations, or report to credit bureaus; or
[[Page 62975]]
(2) As permitted by law.
* * * * *
(f) Model privacy form. Pursuant to Sec. 160.2(a) of this part, a
model privacy form that meets the notice content requirements of this
section is included in Appendix A of this part.
(g) Sample clauses. Sample clauses illustrating some of the notice
content required by this section are included in Appendix B of this
part. Use of a sample clause in a privacy notice provided on or before
December 31, 2010, to the extent applicable, constitutes compliance
with this part.
0
46. In Sec. 160.7, add paragraph (i) to read as follows:
Sec. 160.7 Form of opt-out notice to consumers; opt-out methods.
* * * * *
(i) Model privacy form. Pursuant to Sec. 160.2(a) of this part, a
model privacy form that meets the notice content requirements of this
section is included in Appendix A of this part.
Appendix A [Redesignated as Appendix B]
0
47. Redesignate Appendix A to part 160 as Appendix B to part 160.
0
48. Add new Appendix A to part 160 to read as follows:
Appendix A to Part 160--Model Privacy Form
A. The Model Privacy Form
BILLING CODE 6750-01-P 12.5%, 6351-01-P 12.5%, 6720-01-P 12.5%, 6714-
01-P 12.5%, 4810-33-P 12.5%, 6210-01-P 12.5%, 8011-01-P 12.5%, 7535-01-
P 12.5%,
[[Page 62976]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.042
[[Page 62977]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.043
[[Page 62978]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.044
[[Page 62979]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.045
[[Page 62980]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.046
[[Page 62981]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.047
[[Page 62982]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.048
B. General Instructions
1. How the Model Privacy Form Is Used
(a) The model form may be used, at the option of a financial
institution, including a group of financial institutions that use a
common privacy notice, to meet the content requirements of the
privacy notice and opt-out notice set forth in Sec. Sec. 160.6 and
160.7 of this part.
(b) The model form is a standardized form, including page
layout, content, format, style, pagination, and shading.
Institutions seeking to obtain the safe harbor through use of the
model form may modify it only as described in these Instructions.
(c) Note that disclosure of certain information, such as assets,
income, and information from a consumer reporting agency, may give
rise to obligations under the Fair Credit Reporting Act [15 U.S.C.
1681-1681x] (FCRA), such as a requirement to permit a consumer to
opt out of disclosures to affiliates or designation as a consumer
reporting agency if disclosures are made to nonaffiliated third
parties.
(d) The word ``customer'' may be replaced by the word ``member''
whenever it appears in the model form, as appropriate.
BILLING CODE 6750-01-C12.5%, 6351-01-C12.5%, 6720-01-C12.5%, 6714-01-
C12.5%, 4810-33-C12.5%, 6210-01-C12.5%, 8011-01-C12.5%, 7535-01-C12.5%,
2. The Contents of the Model Privacy Form
The model form consists of two pages, which may be printed on
both sides of a single sheet of paper, or may appear on two separate
pages. Where an institution provides a long list of institutions at
the end of the model form in accordance with Instruction C.3(a)(1),
or provides additional information in accordance with Instruction
C.3(c), and such list or additional information exceeds the space
available on page two of the model form, such list or additional
information may extend to a third page.
(a) Page One. The first page consists of the following
components:
(1) Date last revised (upper right-hand corner).
(2) Title.
(3) Key frame (Why?, What?, How?).
(4) Disclosure table (``Reasons we can share your personal
information'').
(5) ``To limit our sharing'' box, as needed, for the financial
institution's opt-out information.
(6) ``Questions'' box, for customer service contact information.
(7) Mail-in opt-out form, as needed.
(b) Page Two. The second page consists of the following
components:
(1) Heading (Page 2).
(2) Frequently Asked Questions (``Who we are'' and ``What we
do'').
(3) Definitions.
(4) ``Other important information'' box, as needed.
3. The Format of the Model Privacy Form
The format of the model form may be modified only as described
below.
(a) Easily readable type font. Financial institutions that use
the model form must use an easily readable type font. While a number
of factors together produce easily readable type font, institutions
are required to use a minimum of 10-point font (unless otherwise
expressly permitted in these Instructions) and sufficient spacing
between the lines of type.
(b) Logo. A financial institution may include a corporate logo
on any page of the notice, so long as it does not interfere with the
readability of the model form or the space constraints of each page.
(c) Page size and orientation. Each page of the model form must
be printed on paper in portrait orientation, the size of which must
be sufficient to meet the layout and minimum font size requirements,
with sufficient white space on the top, bottom, and sides of the
content.
(d) Color. The model form must be printed on white or light
color paper (such as cream) with black or other contrasting ink
color. Spot color may be used to achieve visual interest, so long as
the color contrast is distinctive and the color does not detract
from the readability of the model form. Logos may also be printed in
color.
(e) Languages. The model form may be translated into languages
other than English.
C. Information Required in the Model Privacy Form
The information in the model form may be modified only as
described below:
1. Name of the Institution or Group of Affiliated Institutions
Providing the Notice
Insert the name of the financial institution providing the
notice or a common identity of affiliated institutions jointly
providing the notice on the form wherever [name of financial
institution] appears.
2. Page One
(a) Last revised date. The financial institution must insert in
the upper right-hand corner the date on which the notice was last
revised. The information shall appear in minimum 8-point font as
``rev. [month/year]'' using either the name or number of the month,
such as ``rev. July 2009'' or ``rev. 7/09''.
(b) General instructions for the ``What?'' box.
(1) The bulleted list identifies the types of personal
information that the institution collects and shares. All
institutions must use the term ``Social Security number'' in the
first bullet.
(2) Institutions must use five (5) of the following terms to
complete the bulleted list: income; account balances; payment
history; transaction history; transaction or loss history; credit
history; credit scores; assets; investment experience; credit-based
insurance scores; insurance claim history; medical information;
overdraft history; purchase history; account transactions; risk
tolerance; medical-related debts; credit card or other debt;
mortgage rates and payments; retirement assets; checking account
information; employment information; wire transfer instructions.
(c) General instructions for the disclosure table. The left
column lists reasons for
[[Page 62983]]
sharing or using personal information. Each reason correlates to a
specific legal provision described in paragraph C.2(d) of this
Instruction. In the middle column, each institution must provide a
``Yes'' or ``No'' response that accurately reflects its information
sharing policies and practices with respect to the reason listed on
the left. In the right column, each institution must provide in each
box one of the following three (3) responses, as applicable, that
reflects whether a consumer can limit such sharing: ``Yes'' if it is
required to or voluntarily provides an opt-out; ``No'' if it does
not provide an opt-out; or ``We don't share'' if it answers ``No''
in the middle column. Only the sixth row (``For our affiliates to
market to you'') may be omitted at the option of the institution.
See paragraph C.2(d)(6) of this Instruction.
(d) Specific disclosures and corresponding legal provisions.
(1) For our everyday business purposes. This reason incorporates
sharing information under Sec. Sec. 160.14 and 160.15 and with
service providers pursuant to Sec. 160.13 of this part other than
the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these
Instructions.
(2) For our marketing purposes. This reason incorporates sharing
information with service providers by an institution for its own
marketing pursuant to Sec. 160.13 of this part. An institution that
shares for this reason may choose to provide an opt-out.
(3) For joint marketing with other financial companies. This
reason incorporates sharing information under joint marketing
agreements between two or more financial institutions and with any
service provider used in connection with such agreements pursuant to
Sec. 160.13 of this part. An institution that shares for this
reason may choose to provide an opt-out.
(4) For our affiliates' everyday business purposes--information
about transactions and experiences. This reason incorporates sharing
information specified in sections 603(d)(2)(A)(i) and (ii) of the
FCRA. An institution that shares for this reason may choose to
provide an opt-out.
(5) For our affiliates' everyday business purposes--information
about creditworthiness. This reason incorporates sharing information
pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution
that shares for this reason must provide an opt-out.
(6) For our affiliates to market to you. This reason
incorporates sharing information specified in section 624 of the
FCRA. This reason may be omitted from the disclosure table when: the
institution does not have affiliates (or does not disclose personal
information to its affiliates); the institution's affiliates do not
use personal information in a manner that requires an opt-out; or
the institution provides the affiliate marketing notice separately.
Institutions that include this reason must provide an opt-out of
indefinite duration. An institution not required to provide an opt-
out under this subparagraph may elect to include this reason in the
model form. Note: The CFTC's Regulations do not address the
affiliate marketing rule.
(7) For nonaffiliates to market to you. This reason incorporates
sharing described in Sec. Sec. 160.7 and 160.10(a) of this part. An
institution that shares personal information for this reason must
provide an opt-out.
(e) To limit our sharing: A financial institution must include
this section of the model form only if it provides an opt-out. The
word ``choice'' may be written in either the singular or plural, as
appropriate. Institutions must select one or more of the applicable
opt-out methods described: telephone, such as by a toll-free number;
a Website; or use of a mail-in opt-out form. Institutions may
include the words ``toll-free'' before telephone, as appropriate. An
institution that allows consumers to opt out online must provide
either a specific Web address that takes consumers directly to the
opt-out page or a general Web address that provides a clear and
conspicuous direct link to the opt-out page. The opt-out choices
made available to the consumer who contacts the institution through
these methods must correspond accurately to the ``Yes'' responses in
the third column of the disclosure table. In the part titled
``Please note'' institutions may insert a number that is 30 or
greater in the space marked ``[30].'' Instructions on voluntary or
state privacy law opt-out information are in paragraph C.2(g)(5) of
these Instructions.
(f) Questions box. Customer service contact information must be
inserted as appropriate, where [phone number] or [website] appear.
Institutions may elect to provide either a phone number, such as a
toll-free number, or a Web address, or both. Institutions may
include the words ``toll-free'' before the telephone number, as
appropriate.
(g) Mail-in opt-out form. Financial institutions must include
this mail-in form only if they state in the ``To limit our sharing''
box that consumers can opt out by mail. The mail-in form must
provide opt-out options that correspond accurately to the ``Yes''
responses in the third column in the disclosure table. Institutions
that require customers to provide only name and address may omit the
section identified as ``[account ].'' Institutions that
require additional or different information, such as a random opt-
out number or a truncated account number, to implement an opt-out
election should modify the ``[account ]'' reference
accordingly. This includes institutions that require customers with
multiple accounts to identify each account to which the opt-out
should apply. An institution must enter its opt-out mailing address:
in the far right of this form (see version 3); or below the form
(see version 4). The reverse side of the mail-in opt-out form must
not include any content of the model form.
(1) Joint accountholder. Only institutions that provide their
joint accountholders the choice to opt out for only one
accountholder, in accordance with paragraph C.3(a)(5) of these
Instructions, must include in the far left column of the mail-in
form the following statement: ``If you have a joint account, your
choice(s) will apply to everyone on your account unless you mark
below. [squ] Apply my choice(s) only to me.'' The word
``choice'' may be written in either the singular or plural, as
appropriate. Financial institutions that provide insurance products
or services, provide this option, and elect to use the model form
may substitute the word ``policy'' for ``account'' in this
statement. Institutions that do not provide this option may
eliminate this left column from the mail-in form.
(2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution
shares personal information pursuant to section 603(d)(2)(A)(iii) of
the FCRA, it must include in the mail-in opt-out form the following
statement: ``[squ] Do not share information about my
creditworthiness with your affiliates for their everyday business
purposes.''
(3) FCRA Section 624 opt-out. If the institution incorporates
section 624 of the FCRA in accord with paragraph C.2(d)(6) of these
Instructions, it must include in the mail-in opt-out form the
following statement: ``[squ] Do not allow your affiliates
to use my personal information to market to me.''
(4) Nonaffiliate opt-out. If the financial institution shares
personal information pursuant to Sec. 160.10(a) of this part, it
must include in the mail-in opt-out form the following statement:
``[squ] Do not share my personal information with
nonaffiliates to market their products and services to me.''
(5) Additional opt-outs. Financial institutions that use the
disclosure table to provide opt-out options beyond those required by
Federal law must provide those opt-outs in this section of the model
form. A financial institution that chooses to offer an opt-out for
its own marketing in the mail-in opt-out form must include one of
the two following statements: ``[squ] Do not share my
personal information to market to me.'' or ``[squ] Do not
use my personal information to market to me.'' A financial
institution that chooses to offer an opt-out for joint marketing
must include the following statement: ``[squ] Do not
share my personal information with other financial institutions to
jointly market to me.''
(h) Barcodes. A financial institution may elect to include a
barcode and/or ``tagline'' (an internal identifier) in 6-point font
at the bottom of page one, as needed for information internal to the
institution, so long as these do not interfere with the clarity or
text of the form.
3. Page Two
(a) General Instructions for the Questions. Certain of the
Questions may be customized as follows:
(1) ``Who is providing this notice?'' This question may be
omitted where only one financial institution provides the model form
and that institution is clearly identified in the title on page one.
Two or more financial institutions that jointly provide the model
form must use this question to identify themselves as required by
Sec. 160.9(f) of this part. Where the list of institutions exceeds
four (4) lines, the institution must describe in the response to
this question the general types of institutions jointly providing
the notice and must separately identify those institutions, in
minimum 8-point font, directly following the ``Other important
information'' box, or, if that box is not included in the
institution's form, directly following the ``Definitions.'' The list
may appear in a multi-column format.
[[Page 62984]]
(2) ``How does [name of financial institution] protect my
personal information?'' The financial institution may only provide
additional information pertaining to its safeguards practices
following the designated response to this question. Such information
may include information about the institution's use of cookies or
other measures it uses to safeguard personal information.
Institutions are limited to a maximum of 30 additional words.
(3) ``How does [name of financial institution] collect my
personal information?'' Institutions must use five (5) of the
following terms to complete the bulleted list for this question:
Open an account; deposit money; pay your bills; apply for a loan;
use your credit or debit card; seek financial or tax advice; apply
for insurance; pay insurance premiums; file an insurance claim; seek
advice about your investments; buy securities from us; sell
securities to us; direct us to buy securities; direct us to sell
your securities; make deposits or withdrawals from your account;
enter into an investment advisory contract; give us your income
information; provide employment information; give us your employment
history; tell us about your investment or retirement portfolio; tell
us about your investment or retirement earnings; apply for
financing; apply for a lease; provide account information; give us
your contact information; pay us by check; give us your wage
statements; provide your mortgage information; make a wire transfer;
tell us who receives the money; tell us where to send the money;
show your government-issued ID; show your driver's license; order a
commodity futures or option trade. Institutions that collect
personal information from their affiliates and/or credit bureaus
must include after the bulleted list the following statement: ``We
also collect your personal information from others, such as credit
bureaus, affiliates, or other companies.'' Institutions that do not
collect personal information from their affiliates or credit bureaus
but do collect information from other companies must include the
following statement instead: ``We also collect your personal
information from other companies.'' Only institutions that do not
collect any personal information from affiliates, credit bureaus, or
other companies can omit both statements.
(4) ``Why can't I limit all sharing?'' Institutions that
describe state privacy law provisions in the ``Other important
information'' box must use the bracketed sentence: ``See below for
more on your rights under state law.'' Other institutions must omit
this sentence.
(5) ``What happens when I limit sharing for an account I hold
jointly with someone else?'' Only financial institutions that
provide opt-out options must use this question. Other institutions
must omit this question. Institutions must choose one of the
following two statements to respond to this question: ``Your choices
will apply to everyone on your account.'' or ``Your choices will
apply to everyone on your account--unless you tell us otherwise.''
Financial institutions that provide insurance products or services
and elect to use the model form may substitute the word ``policy''
for ``account'' in these statements.
(b) General Instructions for the Definitions.
The financial institution must customize the space below the
responses to the three definitions in this section. This specific
information must be in italicized lettering to set off the
information from the standardized definitions.
(1) Affiliates. As required by Sec. 160.6(a)(3) of this part,
where [affiliate information] appears, the financial institution
must:
(i) If it has no affiliates, state: ``[name of financial
institution] has no affiliates'';
(ii) If it has affiliates but does not share personal
information, state: ``[name of financial institution] does not share
with our affiliates''; or
(iii) If it shares with its affiliates, state, as applicable:
``Our affiliates include companies with a [common corporate identity
of financial institution] name; financial companies such as [insert
illustrative list of companies]; nonfinancial companies, such as
[insert illustrative list of companies]; and others, such as [insert
illustrative list].''
(2) Nonaffiliates. As required by Sec. 160.6(c)(3) of this
part, where [nonaffiliate information] appears, the financial
institution must:
(i) If it does not share with nonaffiliated third parties,
state: ``[name of financial institution] does not share with
nonaffiliates so they can market to you''; or
(ii) If it shares with nonaffiliated third parties, state, as
applicable: ``Nonaffiliates we share with can include [list
categories of companies such as mortgage companies, insurance
companies, direct marketing companies, and nonprofit
organizations].''
(3) Joint Marketing. As required by Sec. 160.13 of this part,
where [joint marketing] appears, the financial institution must:
(i) If it does not engage in joint marketing, state: ``[name of
financial institution] doesn't jointly market''; or
(ii) If it shares personal information for joint marketing,
state, as applicable: ``Our joint marketing partners include [list
categories of companies such as credit card companies].''
(c) General instructions for the ``Other important information''
box. This box is optional. The space provided for information in
this box is not limited. Only the following types of information can
appear in this box.
(1) State and/or international privacy law information; and/or
(2) Acknowledgment of receipt form.
0
49. Amend newly redesignated Appendix B to part 160 as follows:
0
A. Add a new sentence to the beginning of the introductory text as set
forth below.
0
B. Effective January 1, 2012, remove Appendix B to part 160.
Appendix B to Part 160--Sample Clauses
This Appendix only applies to privacy notices provided before
January 1, 2011. * * *
* * * * *
Securities and Exchange Commission
Statutory Authority
0
The Commission is amending Regulation S-P pursuant to authority set
forth in section 728 of the Regulatory Relief Act [Pub. L. 109-351],
section 504 of the GLB Act [15 U.S.C. 6804], section 23 of the
Securities Exchange Act [15 U.S.C. 78w], section 38(a) of the
Investment Company Act [15 U.S.C. 80a-37(a)], and section 211 of the
Investment Advisers Act [15 U.S.C. 80b-11].
Text of Amendments
0
For the reasons set forth in the preamble, the Commission is amending
Title 17, Chapter II of the Code of Federal Regulations as follows:
PART 248--REGULATIONS S-P AND S-AM
0
50. The authority citation for part 248 continues to read as follows:
Authority: 15 U.S.C. 78q, 78q-1, 78w, 78mm, 80a-30, 80a-37,
80b-4, 80b-11, 1681s-3 and note, 1681w(a)(1), 6801-6809, and 6825.
0
51. Revise Sec. 248.2 to read as follows:
Sec. 248.2 Model privacy form: rule of construction.
(a) Model privacy form. Use of the model privacy form in Appendix A
to Subpart A of this part, consistent with the instructions in Appendix
A to Subpart A, constitutes compliance with the notice content
requirements of Sec. Sec. 248.6 and 248.7 of this part, although use
of the model privacy form is not required.
(b) Examples. The examples in this part provide guidance concerning
the rule's application in ordinary circumstances. The facts and
circumstances of each individual situation, however, will determine
whether compliance with an example, to the extent practicable,
constitutes compliance with this part.
(c) Substituted compliance with CFTC financial privacy rules by
futures commission merchants and introducing brokers. Except with
respect to Sec. 248.30(b), any futures commission merchant or
introducing broker (as those terms are defined in the Commodity
Exchange Act (7 U.S.C. 1, et seq.)) registered by notice with the
Commission for the purpose of conducting business in security futures
products pursuant to section 15(b)(11)(A) of the Securities Exchange
Act of 1934 (15 U.S.C. 78o(b)(11)(A)) that is subject to and in
compliance with the financial privacy rules of the Commodity Futures
Trading
[[Page 62985]]
Commission (17 CFR part 160) will be deemed to be in compliance with
this part.
0
52. In Sec. 248.6:
0
A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set
forth below.
0
B. Effective January 1, 2012, remove paragraph (g).
Sec. 248.6 Information to be included in privacy notices.
* * * * *
(b) Description of nonaffiliated third parties subject to
exceptions. If you disclose nonpublic personal information to third
parties as authorized under Sec. Sec. 248.14 and 248.15, you are not
required to list those exceptions in the initial or annual privacy
notices required by Sec. Sec. 248.4 and 248.5. When describing the
categories with respect to those parties, it is sufficient to state
that you make disclosures to other nonaffiliated companies:
(1) For your everyday business purposes such as [include all that
apply] to process transactions, maintain account(s), respond to court
orders and legal investigations, or report to credit bureaus; or
(2) As permitted by law.
* * * * *
(f) Model privacy form. Pursuant to Sec. 248.2(a) and Appendix A
to Subpart A of this part, Form S-P meets the notice content
requirements of this section.
(g) Sample clauses. Sample clauses illustrating some of the notice
content required by this section are included in Appendix B to Subpart
A of this part. The sample clauses in Appendix B to Subpart A of this
part provide guidance concerning the rule's application in ordinary
circumstances in a privacy notice provided on or before December 31,
2010. The facts and circumstances of each individual situation,
however, will determine whether compliance with a sample clause
constitutes compliance with this part.
0
53. In Sec. 248.7, add paragraph (i) to read as follows:
Sec. 248.7 Form of opt-out notice to consumers; opt-out methods.
* * * * *
(i) Model privacy form. Pursuant to Sec. 248.2(a) and Appendix A
to Subpart A of this part, Form S-P meets the notice content
requirements of this section.
0
54. Add Appendix A to Subpart A to read as follows:
Appendix A to Subpart A--Forms
A. Any person may view and print this form at: http://
www.sec.gov/about/forms/secforms.htm.
B. Use of Form S-P by brokers, dealers, and investment
companies, and investment advisers registered with the Commission
constitutes compliance with the notice content requirements of
Sec. Sec. 248.6 and 248.7 of this part.
FORM S-P--Model Privacy Form
A. The Model Privacy Form
BILLING CODE 6750-01-P 12.5%, 6351-01-P 12.5%, 6720-01-P 12.5%, 6714-
01-P 12.5%, 4810-33-P 12.5%, 6210-01-P 12.5%, 8011-01-P 12.5%, 7535-01-
P 12.5%,
[[Page 62986]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.049
[[Page 62987]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.050
[[Page 62988]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.051
[[Continued on page 62989]]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
]
[[pp. 62989-62994]] Final Model Privacy Form Under the Gramm-Leach-Bliley Act
[[Continued from page 62988]]
[[Page 62989]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.052
[[Page 62990]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.053
[[Page 62991]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.054
[[Page 62992]]
[GRAPHIC] [TIFF OMITTED] TR01DE09.055
BILLING CODE 6750-01-C 12.5%, 6351-01-C 12.5%, 6720-01-C 12.5%, 6714-
01-C 12.5%, 4810-33-C 12.5%, 6210-01-C 12.5%, 8011-01-C 12.5%, 7535-01-
C 12.5%,
B. General Instructions
1. How the Model Privacy Form is Used
(a) The model form may be used, at the option of a financial
institution, including a group of financial institutions that use a
common privacy notice, to meet the content requirements of the
privacy notice and opt-out notice set forth in Sec. Sec. 248.6 and
248.7 of this part.
(b) The model form is a standardized form, including page
layout, content, format, style, pagination, and shading.
Institutions seeking to obtain the safe harbor through use of the
model form may modify it only as described in these instructions.
(c) Note that disclosure of certain information, such as assets,
income, and information from a consumer reporting agency, may give
rise to obligations under the Fair Credit Reporting Act [15 U.S.C.
1681-1681x] (FCRA), such as a requirement to permit a consumer to
opt out of disclosures to affiliates or designation as a consumer
reporting agency if disclosures are made to nonaffiliated third
parties.
(d) The word ``customer'' may be replaced by the word ``member''
whenever it appears in the model form, as appropriate.
2. The Contents of the Model Privacy Form
The model form consists of two pages, which may be printed on
both sides of a single sheet of paper, or may appear on two separate
pages. Where an institution provides a long list of institutions at
the end of the model form in accordance with Instruction C.3(a)(1),
or provides additional information in accordance with Instruction
C.3(c), and such list or additional information exceeds the space
available on page two of the model form, such list or additional
information may extend to a third page.
(a) Page One. The first page consists of the following
components:
(1) Date last revised (upper right-hand corner).
(2) Title.
(3) Key frame (Why?, What?, How?).
(4) Disclosure table (``Reasons we can share your personal
information'').
(5) ``To limit our sharing'' box, as needed, for the financial
institution's opt-out information.
(6) ``Questions'' box, for customer service contact information.
(7) Mail-in opt-out form, as needed.
(b) Page Two. The second page consists of the following
components:
(1) Heading (Page 2).
(2) Frequently Asked Questions (``Who we are'' and ``What we
do'').
(3) Definitions.
(4) ``Other important information'' box, as needed.
3. The Format of the Model Privacy Form
The format of the model form may be modified only as described
below.
(a) Easily readable type font. Financial institutions that use
the model form must use an easily readable type font. While a number
of factors together produce easily readable type font, institutions
are required to use a minimum of 10-point font (unless otherwise
expressly permitted in these Instructions) and sufficient spacing
between the lines of type.
(b) Logo. A financial institution may include a corporate logo
on any page of the notice, so long as it does not interfere with the
readability of the model form or the space constraints of each page.
(c) Page size and orientation. Each page of the model form must
be printed on paper in portrait orientation, the size of which must
be sufficient to meet the layout and minimum font size requirements,
with sufficient white space on the top, bottom, and sides of the
content.
(d) Color. The model form must be printed on white or light
color paper (such as cream) with black or other contrasting ink
color. Spot color may be used to achieve visual interest, so long as
the color contrast is distinctive and the color does not detract
from the readability of the model form. Logos may also be printed in
color.
(e) Languages. The model form may be translated into languages
other than English.
C. Information Required in the Model Privacy Form
The information in the model form may be modified only as
described below:
1. Name of the Institution or Group of Affiliated Institutions
Providing the Notice
Insert the name of the financial institution providing the
notice or a common identity of affiliated institutions jointly
providing the notice on the form wherever [name of financial
institution] appears.
2. Page One
(a) Last revised date. The financial institution must insert in
the upper right-hand corner the date on which the notice was last
revised. The information shall appear in minimum 8-point font as
``rev. [month/year]'' using either the name or number of the month,
such as ``rev. July 2009'' or ``rev. 7/09''.
(b) General instructions for the ``What?'' box.
(1) The bulleted list identifies the types of personal
information that the institution collects and shares. All
institutions must use the term ``Social Security number'' in the
first bullet.
(2) Institutions must use five (5) of the following terms to
complete the bulleted list: income; account balances; payment
history; transaction history; transaction or loss history; credit
history; credit scores; assets; investment experience; credit-based
insurance scores; insurance claim history; medical information;
overdraft history; purchase history; account transactions; risk
tolerance; medical-related debts; credit card or other debt;
mortgage rates and payments; retirement assets; checking account
information; employment information; wire transfer instructions.
(c) General instructions for the disclosure table. The left
column lists reasons for
[[Page 62993]]
sharing or using personal information. Each reason correlates to a
specific legal provision described in paragraph C.2(d) of this
Instruction. In the middle column, each institution must provide a
``Yes'' or ``No'' response that accurately reflects its information
sharing policies and practices with respect to the reason listed on
the left. In the right column, each institution must provide in each
box one of the following three (3) responses, as applicable, that
reflects whether a consumer can limit such sharing: ``Yes'' if it is
required to or voluntarily provides an opt-out; ``No'' if it does
not provide an opt-out; or ``We don't share'' if it answers ``No''
in the middle column. Only the sixth row (``For our affiliates to
market to you'') may be omitted at the option of the institution.
See paragraph C.2(d)(6) of this Instruction.
(d) Specific disclosures and corresponding legal provisions.
(1) For our everyday business purposes. This reason incorporates
sharing information under Sec. Sec. 248.14 and 248.15 and with
service providers pursuant to Sec. 248.13 of this part other than
the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these
Instructions.
(2) For our marketing purposes. This reason incorporates sharing
information with service providers by an institution for its own
marketing pursuant to Sec. 248.13 of this part. An institution that
shares for this reason may choose to provide an opt-out.
(3) For joint marketing with other financial companies. This
reason incorporates sharing information under joint marketing
agreements between two or more financial institutions and with any
service provider used in connection with such agreements pursuant to
Sec. 248.13 of this part. An institution that shares for this
reason may choose to provide an opt-out.
(4) For our affiliates' everyday business purposes--information
about transactions and experiences. This reason incorporates sharing
information specified in sections 603(d)(2)(A)(i) and (ii) of the
FCRA. An institution that shares for this reason may choose to
provide an opt-out.
(5) For our affiliates' everyday business purposes--information
about creditworthiness. This reason incorporates sharing information
pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution
that shares for this reason must provide an opt-out.
(6) For our affiliates to market to you. This reason
incorporates sharing information specified in section 624 of the
FCRA. This reason may be omitted from the disclosure table when: the
institution does not have affiliates (or does not disclose personal
information to its affiliates); the institution's affiliates do not
use personal information in a manner that requires an opt-out; or
the institution provides the affiliate marketing notice separately.
Institutions that include this reason must provide an opt-out of
indefinite duration. An institution that is required to provide an
affiliate marketing opt-out, but does not include that opt-out in
the model form under this part, must comply with section 624 of the
FCRA and 17 CFR part 248, subpart B, with respect to the initial
notice and opt-out and any subsequent renewal notice and opt-out. An
institution not required to provide an opt-out under this
subparagraph may elect to include this reason in the model form.
(7) For nonaffiliates to market to you. This reason incorporates
sharing described in Sec. Sec. 248.7 and 248.10(a) of this part. An
institution that shares personal information for this reason must
provide an opt-out.
(e) To limit our sharing: A financial institution must include
this section of the model form only if it provides an opt-out. The
word ``choice'' may be written in either the singular or plural, as
appropriate. Institutions must select one or more of the applicable
opt-out methods described: telephone, such as by a toll-free number;
a Web site; or use of a mail-in opt-out form. Institutions may
include the words ``toll-free'' before telephone, as appropriate. An
institution that allows consumers to opt out online must provide
either a specific Web address that takes consumers directly to the
opt-out page or a general Web address that provides a clear and
conspicuous direct link to the opt-out page. The opt-out choices
made available to the consumer who contacts the institution through
these methods must correspond accurately to the ``Yes'' responses in
the third column of the disclosure table. In the part titled
``Please note'' institutions may insert a number that is 30 or
greater in the space marked ``[30].'' Instructions on voluntary or
state privacy law opt-out information are in paragraph C.2(g)(5) of
these Instructions.
(f) Questions box. Customer service contact information must be
inserted as appropriate, where [phone number] or [Web site] appear.
Institutions may elect to provide either a phone number, such as a
toll-free number, or a Web address, or both. Institutions may
include the words ``toll-free'' before the telephone number, as
appropriate.
(g) Mail-in opt-out form. Financial institutions must include
this mail-in form only if they state in the ``To limit our sharing''
box that consumers can opt out by mail. The mail-in form must
provide opt-out options that correspond accurately to the ``Yes''
responses in the third column in the disclosure table. Institutions
that require customers to provide only name and address may omit the
section identified as ``[account ].'' Institutions that
require additional or different information, such as a random opt-
out number or a truncated account number, to implement an opt-out
election should modify the ``[account ]'' reference
accordingly. This includes institutions that require customers with
multiple accounts to identify each account to which the opt-out
should apply. An institution must enter its opt-out mailing address:
in the far right of this form (see version 3); or below the form
(see version 4). The reverse side of the mail-in opt-out form must
not include any content of the model form.
(1) Joint accountholder. Only institutions that provide their
joint accountholders the choice to opt out for only one
accountholder, in accordance with paragraph C.3(a)(5) of these
Instructions, must include in the far left column of the mail-in
form the following statement: ``If you have a joint account, your
choice(s) will apply to everyone on your account unless you mark
below. [square] Apply my choice(s) only to me.'' The word ``choice''
may be written in either the singular or plural, as appropriate.
Financial institutions that provide insurance products or services,
provide this option, and elect to use the model form may substitute
the word ``policy'' for ``account'' in this statement. Institutions
that do not provide this option may eliminate this left column from
the mail-in form.
(2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution
shares personal information pursuant to section 603(d)(2)(A)(iii) of
the FCRA, it must include in the mail-in opt-out form the following
statement: ``[square] Do not share information about my
creditworthiness with your affiliates for their everyday business
purposes.''
(3) FCRA Section 624 opt-out. If the institution incorporates
section 624 of the FCRA in accord with paragraph C.2(d)(6) of these
Instructions, it must include in the mail-in opt-out form the
following statement: ``[square] Do not allow your affiliates to use
my personal information to market to me.''
(4) Nonaffiliate opt-out. If the financial institution shares
personal information pursuant to Sec. 248.10(a) of this part, it
must include in the mail-in opt-out form the following statement:
``[square] Do not share my personal information with nonaffiliates
to market their products and services to me.''
(5) Additional opt-outs. Financial institutions that use the
disclosure table to provide opt-out options beyond those required by
Federal law must provide those opt-outs in this section of the model
form. A financial institution that chooses to offer an opt-out for
its own marketing in the mail-in opt-out form must include one of
the two following statements: ``[square] Do not share my personal
information to market to me.'' or ``[square] Do not use my personal
information to market to me.'' A financial institution that chooses
to offer an opt-out for joint marketing must include the following
statement: ``[square] Do not share my personal information with
other financial institutions to jointly market to me.''
(h) Barcodes. A financial institution may elect to include a
barcode and/or ``tagline'' (an internal identifier) in 6-point font
at the bottom of page one, as needed for information internal to the
institution, so long as these do not interfere with the clarity or
text of the form.
3. Page Two
(a) General Instructions for the Questions. Certain of the
Questions may be customized as follows:
(1) ``Who is providing this notice?'' This question may be
omitted where only one financial institution provides the model form
and that institution is clearly identified in the title on page one.
Two or more financial institutions that jointly provide the model
form must use this question to identify themselves as required by
Sec. 248.9(f) of this part. Where the list of institutions exceeds
four (4) lines, the institution must describe in the response to
this question the general types of institutions jointly providing
the notice and must separately identify those institutions, in
minimum 8-point font, directly following the ``Other important
[[Page 62994]]
information'' box, or, if that box is not included in the
institution's form, directly following the ``Definitions.'' The list
may appear in a multi-column format.
(2) ``How does [name of financial institution] protect my
personal information?'' The financial institution may only provide
additional information pertaining to its safeguards practices
following the designated response to this question. Such information
may include information about the institution's use of cookies or
other measures it uses to safeguard personal information.
Institutions are limited to a maximum of 30 additional words.
(3) ``How does [name of financial institution] collect my
personal information?'' Institutions must use five (5) of the
following terms to complete the bulleted list for this question:
open an account; deposit money; pay your bills; apply for a loan;
use your credit or debit card; seek financial or tax advice; apply
for insurance; pay insurance premiums; file an insurance claim; seek
advice about your investments; buy securities from us; sell
securities to us; direct us to buy securities; direct us to sell
your securities; make deposits or withdrawals from your account;
enter into an investment advisory contract; give us your income
information; provide employment information; give us your employment
history; tell us about your investment or retirement portfolio; tell
us about your investment or retirement earnings; apply for
financing; apply for a lease; provide account information; give us
your contact information; pay us by check; give us your wage
statements; provide your mortgage information; make a wire transfer;
tell us who receives the money; tell us where to send the money;
show your government-issued ID; show your driver's license; order a
commodity futures or option trade. Institutions that collect
personal information from their affiliates and/or credit bureaus
must include after the bulleted list the following statement: ``We
also collect your personal information from others, such as credit
bureaus, affiliates, or other companies.'' Institutions that do not
collect personal information from their affiliates or credit bureaus
but do collect information from other companies must include the
following statement instead: ``We also collect your personal
information from other companies.'' Only institutions that do not
collect any personal information from affiliates, credit bureaus, or
other companies can omit both statements.
(4) ``Why can't I limit all sharing?'' Institutions that
describe state privacy law provisions in the ``Other important
information'' box must use the bracketed sentence: ``See below for
more on your rights under state law.'' Other institutions must omit
this sentence.
(5) ``What happens when I limit sharing for an account I hold
jointly with someone else?'' Only financial institutions that
provide opt-out options must use this question. Other institutions
must omit this question. Institutions must choose one of the
following two statements to respond to this question: ``Your choices
will apply to everyone on your account.'' or ``Your choices will
apply to everyone on your account--unless you tell us otherwise.''
Financial institutions that provide insurance products or services
and elect to use the model form may substitute the word ``policy''
for ``account'' in these statements.
(b) General Instructions for the Definitions.
The financial institution must customize the space below the
responses to the three definitions in this section. This specific
information must be in italicized lettering to set off the
information from the standardized definitions.
(1) Affiliates. As required by Sec. 248.6(a)(3) of this part,
where [affiliate information] appears, the financial institution
must:
(i) If it has no affiliates, state: ``[name of financial
institution] has no affiliates; ''
(ii) If it has affiliates but does not share personal
information, state: ``[name of financial institution] does not share
with our affiliates; '' or
(iii) If it shares with its affiliates, state, as applicable:
``Our affiliates include companies with a [common corporate identity
of financial institution] name; financial companies such as [insert
illustrative list of companies]; nonfinancial companies, such as
[insert illustrative list of companies;] and others, such as [insert
illustrative list].''
(2) Nonaffiliates. As required by Sec. 248.6(c)(3) of this
part, where [nonaffiliate information] appears, the financial
institution must:
(i) If it does not share with nonaffiliated third parties,
state: ``[name of financial institution] does not share with
nonaffiliates so they can market to you; '' or
(ii) If it shares with nonaffiliated third parties, state, as
applicable: ``Nonaffiliates we share with can include [list
categories of companies such as mortgage companies, insurance
companies, direct marketing companies, and nonprofit
organizations].''
(3) Joint Marketing. As required by Sec. 248.13 of this part,
where [joint marketing] appears, the financial institution must:
(i) If it does not engage in joint marketing, state: ``[name of
financial institution] doesn't jointly market; '' or
(ii) If it shares personal information for joint marketing,
state, as applicable: ``Our joint marketing partners include [list
categories of companies such as credit card companies].''
(c) General instructions for the ``Other important information''
box. This box is optional. The space provided for information in
this box is not limited. Only the following types of information can
appear in this box.
(1) State and/or international privacy law information; and/or
(2) Acknowledgment of receipt form.
0
55. Amend Appendix B to Subpart A of part 248 as follows:
0
A. Add a sentence to the beginning of the introductory text as set
forth below.
0
B. Effective January 1, 2012, remove Appendix B to Subpart A of part
248.
Appendix B to Subpart A of Part 248--Sample Clauses
This Appendix only applies to privacy notices provided before
January 1, 2011.
* * * * *
Dated: October 1, 2009.
John C. Dugan,
Comptroller of the Currency.
By order of the Board of Governors of the Federal Reserve
System, October 27, 2009.
Robert deV. Frierson,
Secretary of the Board.
By Order of the Board of Directors.
Dated at Washington, DC, this 23rd day of October, 2009.
Federal Deposit Insurance Corporation.
Robert E. Feldman,
Executive Secretary.
Dated: September 28, 2009.
By the Office of Thrift Supervision.
John E. Bowman,
Acting Director.
By the National Credit Union Administration Board on November
10, 2009.
Mary Rupp,
Secretary of the Board.
The Federal Trade Commission.
Dated: September 25, 2009.
By Direction of the Commission.
Donald S. Clark,
Secretary.
Dated: September 21, 2009.
David A. Stawick,
Secretary of the Commodity Futures Trading Commission.
Dated: November 16, 2009.
By the Securities and Exchange Commission.
Elizabeth M. Murphy,
Secretary.
[FR Doc. E9-27882 Filed 11-30-09; 8:45 am]
BILLING CODE 6750-01-P
Last Updated: December 1, 2009