-
Start Preamble
Start Printed Page 62890
AGENCIES:
Office of the Comptroller of the Currency, Treasury (OCC); Board of Governors of the Federal Reserve System (Board); Federal Deposit Insurance Corporation (FDIC); Office of Thrift Supervision, Treasury (OTS); National Credit Union Administration (NCUA); Federal Trade Commission (FTC); Commodity Futures Trading Commission (CFTC); and Securities and Exchange Commission (SEC).
ACTION:
Final rule.
SUMMARY:
The OCC, Board, FDIC, OTS, NCUA, FTC, CFTC, and SEC (the “Agencies”) are publishing final amendments to their rules that implement the privacy provisions of Subtitle A of Title V of the Gramm-Leach-Bliley Act (“GLB Act”). These rules require financial institutions to provide initial and annual privacy notices to their customers. Pursuant to Section 728 of the Financial Services Regulatory Relief Act of 2006 (“Regulatory Relief Act” or “Act”), the Agencies are adopting a model privacy form that financial institutions may rely on as a safe harbor to provide disclosures under the privacy rules. In addition, the Agencies other than the SEC are eliminating the safe harbor permitted for notices based on the Sample Clauses currently contained in the privacy rules if the notice is provided after December 31, 2010. Similarly, the SEC is eliminating the guidance associated with the use of notices based on the Sample Clauses in its privacy rule if the notice is provided after December 31, 2010.
DATES:
This rule is effective on December 31, 2009, except for the following amendments, which are effective January 1, 2012:
Instructions 3B, 10B, 17B, 24B, 31B, 38B, 45B, and 52B removing paragraphs (g) to 12 CFR 40.6, 216.6, 332.6, 573.6, and 716.6, 16 CFR 313.6, and 17 CFR 160.6 and 248.6, respectively; and
Instructions 7B, 14B, 21B, 28B, 35B, 42B, 49B, and 55B removing Appendixes B to 12 CFR parts 40, 216, 332, 573, and 716, 16 CFR part 313, and 17 CFR parts 160 and 248, respectively.
Start Further InfoFOR FURTHER INFORMATION CONTACT:
OCC: Stephen Van Meter, Assistant Director, Community and Consumer Law Division, (202) 874-5750; Heidi Thomas, Special Counsel, Legislative and Regulatory Activities Division, (202) 874-5090; or David Nebhut, Director, Policy Analysis Division, (202) 874-5220, Office of the Comptroller of the Currency, 250 E Street, SW., Washington, DC 20219.
Board: Jeanne Hogarth, Consumer Policies Program Manager, Jelena McWilliams, Attorney, or Ky Tran-Trong, Counsel, Division of Consumer and Community Affairs, (202) 452-3667; Kara Handzlik, Attorney, Legal Division, (202) 452-3852; Board of Governors of the Federal Reserve System, 20th Street and Constitution Avenue, NW., Washington, DC 20551.
FDIC: Samuel Frumkin, Senior Policy Analyst, Division of Supervision and Consumer Protection, (202) 898-6602; or Kimberly A. Stock, Counsel, (202) 898-3815, Legal Division; Federal Deposit Insurance Corporation, 550 17th Street, NW., Washington, DC 20429.
OTS: Ekita Mitchell, Consumer Regulations Analyst, (202) 906-6451; or Richard Bennett, Senior Compliance Counsel, Regulations and Legislation Division, (202) 906-7409; 1700 G Street, NW., Washington, DC 20552.
NCUA: Regina Metz, Staff Attorney, (703) 518-6561, Office of General Counsel, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314-3428.
FTC: Loretta Garrison, Senior Attorney, and Anthony Rodriguez, Attorney, Division of Privacy and Identity Protection, Bureau of Consumer Protection, (202) 326-2252, Federal Trade Commission, 600 Pennsylvania Avenue, NW., Stop NJ-3158, Washington, DC 20580.
CFTC: Laura Richards, Deputy General Counsel, (202) 418-5126, or Gail B. Scott, Counsel, Office of General Counsel, (202) 418-5139, Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st Street, NW., Washington, DC 20581.
SEC: Paula Jenson, Deputy Chief Counsel, or Brice Prince, Special Counsel, Office of the Chief Counsel, Division of Trading and Markets, (202) 551-5550; or Penelope Saltzman, Assistant Director, Thoreau Bartmann, Senior Counsel, or Daniel Chang, Staff Attorney, Office of Regulatory Policy, Division of Investment Management, (202) 551-6792, Securities and Exchange Commission, 100 F Street, NE., Washington, DC 20549.
End Further Info End Preamble Start Supplemental InformationSUPPLEMENTARY INFORMATION:
The Agencies are publishing final amendments to each of their rules (which are consistent and comparable) that implement the privacy provisions of the GLB Act: 12 CFR part 40 (OCC); 12 CFR part 216 (Board); 12 CFR part 332 (FDIC); 12 CFR part 573 (OTS); 12 CFR part 716 (NCUA); 16 CFR part 313 (FTC); 17 CFR part 160 (CFTC); and 17 CFR part 248 (SEC) (collectively, the “privacy rule”).[1]
I. Introduction
A. Statutory Authority and Overview
B. Overview of the Final Model Privacy Form
II. Background
A. The Gramm-Leach-Bliley Act Privacy NoticesStart Printed Page 62891
B. Development of Proposed Model Privacy Form
C. Overview of Comments Received
D. Quantitative Research
E. Public Comments on the Quantitative Test Data
F. Validation Testing
III. The Final Model Privacy Form
A. Standardization
B. Instructions for Use
C. Format of the Notice
D. Appearance of the Model Privacy Form
E. Optional General Guidance for Easily Readable Type
F. Printing, Color, and Logos
G. Jointly-Provided Notices
H. Use of the Form by Differently-Regulated Entities
I. Page One of the Model Form
J. Page Two of the Model Form
K. Other Issues
IV. The Sample Clauses
V. Effective Date
VI. Final Regulatory Flexibility Analysis
VII. Paperwork Reduction Act
VIII. OCC and OTS Executive Order 12866 Determination
IX. OCC and OTS Executive Order 13132 Determination
X. OCC and OTS Unfunded Mandates Reform Act of 1995 Determination
XI. SEC Cost-Benefit Analysis
XII. SEC Consideration of Burden on Competition
XIII. NCUA: The Treasury And General Government Apropriations Act, 1999-Assessment of Federal Regulations and Policies on Families
XIV. CFTC Cost-Benefit Analysis
I. Introduction
A. Statutory Authority and Overview
The Regulatory Relief Act was enacted on October 13, 2006.[2] Section 728 of the Act directs the Agencies to “jointly develop a model form which may be used, at the option of the financial institution, for the provision of disclosures under [section 503 of the GLB Act].” [3] The Regulatory Relief Act stipulates that the model form shall be a safe harbor for financial institutions that elect to use it. Section 728 further directs that the model form shall:
(A) Be comprehensible to consumers, with a clear format and design;
(B) provide for clear and conspicuous disclosures;
(C) enable consumers easily to identify the sharing practices of a financial institution and to compare privacy practices among financial institutions; and
(D) be succinct, and use an easily readable type font.
On March 29, 2007, the Agencies published a proposed model privacy form (the “proposed model form”) that financial institutions would be able to use to comply with certain disclosures under the privacy rule.[4] On April 15, 2009, the SEC reopened the comment period on the proposed rulemaking to solicit comment on a research report and test data pertaining to additional consumer testing of the proposed model privacy form.[5] Today, the Agencies are amending the privacy rule to include a model privacy form that institutions may use to provide required disclosures. The final model form is substantially as proposed with changes based on comments we received as well as additional consumer testing.
B. Overview of the Final Model Privacy Form
As explained more fully in the Agencies' Proposed Rule, key elements of the final model form's structure and design, as well as vocabulary, reflect the research findings of the qualitative consumer testing.[6] The Agencies believe that the final model form as revised meets all the requirements of the Act and, based on the qualitative research that led to the development of the proposed model form and the quantitative consumer testing described below, is easier to understand and use than most privacy notices currently being disseminated.
While the model form provides a legal safe harbor, institutions may continue to use other types of notices that vary from the model form so long as these notices comply with the privacy rule. For example, an institution could continue to use a simplified notice if it does not have affiliates and does not intend to share nonpublic personal information with nonaffiliated third parties outside of the exceptions provided in sections __.14 and __.15.[7] Likewise, while the Agencies are eliminating the Sample Clauses and related safe harbor (or, for the SEC, guidance), institutions may continue to use notices containing these clauses, so long as these notices comply with the privacy rule.[8]
The following section briefly summarizes the key features of the final model form and the changes to the proposed form. A detailed discussion of the elements of the final model form appears in section III.
1. The Structure
The final model form has two pages, rather than the three pages in the proposed form, and may be printed on a single piece of paper.[9] Together, pages one and two address the legal requirements of applicable Federal financial privacy laws and are designed to increase consumer comprehension. The Agencies are not mandating a specific paper size in the final model form as long as the paper is in portrait orientation and sufficient to accommodate minimum font size, spacing, and content requirements.
2. Page One—Background Information, the Disclosure Table, and Opt-Out Information
Page one of the final model form has five parts: (1) The title; (2) an introductory section called the “key frame” which provides context to help the consumer understand the required disclosures; (3) a disclosure table that describes the types of sharing used by financial institutions consistent with Federal law, which of those types of sharing the institution actually does, and whether the consumer can limit or opt out of any of the institution's sharing; (4) only if needed, a box titled “To limit our sharing” for opt-out information; and (5) the institution's customer service contact information. Where the institution provides a mail-in Start Printed Page 62892opt-out form, that form appears at the bottom of page one.
There are three significant changes on page one of the final model form.[10] First, the “What?” box has been modified to permit institutions to select from a menu of terms the types of information collected and shared (other than Social Security number). Second, information (if needed) about how to limit sharing or opt out follows the disclosure table. If the institution provides a mail-in opt-out form, that form appears at the bottom of page one. Third, the final model form includes at the top of the page in the right-hand corner the date by month and year of the most recent version of the notice. Institutions may include at the bottom of page one a “tagline” (an internal identifier) or barcode for information internal to the company, so long as these do not interfere with the clarity or text of the form.[11]
3. Page Two—Supplemental Information
As in the proposed model form, the second page of the final model form provides additional explanatory information that, in combination with page one, ensures that the notice includes all elements described in the GLB Act as implemented by the privacy rule. There is supplemental information in the form of Frequently Asked Questions (“FAQs”) [12] at the top and definitions below. There are three significant changes to the disclosures on page two of the final form.[13] First, a new FAQ appears at the top of page two that can be used to identify those institutions that jointly provide the notice. Second, the FAQ on the collection of information has been modified to allow institutions to select from a menu of terms. Third, a new box has been provided at the bottom of page two titled “Other important information.” This box can be used in only two ways: (1) to discuss state and/or international privacy law requirements; and (2) to provide an acknowledgment of receipt form.[14]
II. Background
A. The Gramm-Leach-Bliley Act Privacy Notices
Subtitle A of title V of the GLB Act, captioned “Disclosure of Nonpublic Personal Information,” [15] requires each financial institution to provide a notice of its privacy policies and practices to its customers who are consumers.[16] In general, the privacy notice must describe a financial institution's policies and practices with respect to disclosing nonpublic personal information about a consumer to both affiliated and nonaffiliated third parties.[17] The notice also must provide a consumer a reasonable opportunity to direct the institution generally not to share nonpublic personal information [18] about the consumer (that is, to “opt out”) with nonaffiliated third parties other than as permitted by the statute (for example, sharing for everyday business purposes, such as processing transactions and maintaining customers' accounts, and in response to properly executed governmental requests).[19] The privacy notice must provide, where applicable under the Fair Credit Reporting Act (“FCRA”), a notice and an opportunity for a consumer to opt out of certain information sharing among affiliates.[20]
The privacy rule requires a financial institution to provide a privacy notice to its customers no later than when a customer relationship is formed and annually thereafter for as long as the relationship continues. The notice must accurately reflect the institution's information collection and disclosure practices and must include specific information.[21]
The privacy rule does not prescribe any specific format or standardized wording for these notices. Instead, institutions may design their own notices based on their individual practices provided they comply with the law and meet the “clear and conspicuous” standard in the statute and the privacy rule.[22] The Appendix to each privacy rule contains Sample Clauses that institutions may use in privacy notices to satisfy the privacy rule.
Financial institutions were required to provide privacy notices to their customers by July 1, 2001.[23] Many notices provided to consumers were long and complex. Because the privacy rule allows institutions flexibility in designing their privacy notices, notices have been formatted in various ways and as a result have been difficult to compare, even among financial institutions with identical practices.[24] The Agencies first explored issues related to the complexity of privacy notices in a workshop held in December 2001.[25]
On December 30, 2003, the Agencies published an Advance Notice of Proposed Rulemaking to Consider Alternative Forms of Privacy Notices Under the Gramm-Leach-Bliley Act (“ANPR”) to solicit public comment on Start Printed Page 62893a wide range of issues related to improving privacy notices.[26] The ANPR stated that the Agencies expected that consumer testing would be a key component in the development of any specific proposals.[27]
During January and February 2004, the Agencies met with a number of interested groups and individuals to discuss the issues raised in the ANPR and subsequently received forty-four comments in response to the ANPR.[28] While commenters expressed a variety of views on the questions posed in the ANPR, many commenters agreed that the Agencies should conduct consumer testing before proposing any alternative privacy notice.
B. Development of the Proposed Model Privacy Form
Over the years during which GLB Act privacy notices have been delivered to consumers, the Agencies have observed wide variations in these notices. Today, privacy notices vary considerably—not just in format, presentation, language, length, style, or tone—but also in how they inform consumers of their rights to limit certain sharing of personal information. For example, the Agencies have found the following variations in current privacy notices. Some institutions incorporate privacy notices into lengthy terms and conditions statements, making it harder for consumers to find information about the institution's privacy practices, and raising questions about whether such notices comply with the requirement that they be clear and conspicuous. Institutions also use messages in their notices' opening statements about how they value privacy and strive to “protect” personal information, thus providing assurances to consumers that imply their personal information is not shared broadly, while obscuring or directing attention away from the required disclosures of actual information sharing practices. Finally, the Agencies have seen a number of institutions employ the statement in their privacy policy “We do not sell your information to third parties” in a context that raises concerns about misrepresentations.[29]
These examples illustrate the need to make disclosure of institutions' information sharing practices and consumer choices more transparent and underscore the Agencies' interest in initiating a joint consumer research project to develop an easy-to-read and understandable model privacy notice for consumers.
In the summer of 2004, six of the Agencies [30] launched a project to fund consumer research (“Notice Project”). Their goals were to identify barriers to consumer understanding of current privacy notices and to develop an alternative privacy notice, or elements of a notice, that consumers could more easily use and understand compared to current notices. The Agencies conducted the consumer research in two sequential phases.[31]
In September 2004, the Agencies selected Kleimann Communication Group, Inc. (“Kleimann”) as their contractor for the phase one form development research. The research objectives of the Notice Project included designing a privacy notice that consumers could understand and use, that facilitated comparison of sharing practices and policies across institutions, and that addressed all relevant legal requirements of the GLB Act and FCRA.
The form development phase culminated in an extensive research report prepared by Kleimann and released by the Agencies in March 2006 (the “Kleimann Report”).[32] The Kleimann Report details the process by which the Agencies and Kleimann developed an alternative privacy notice. The structure, content, ordering of the text information, and title of the proposed model form all reflect the research findings from the qualitative consumer testing.
In October 2006, Congress passed the Regulatory Relief Act, which directed the Agencies to propose a model form based on standards similar to the Notice Project research goals. On March 29, 2007, the Agencies issued for public comment the proposed model form as produced in the form development phase with some minor revisions.
C. Overview of Comments Received
The Agencies collectively received approximately 110 unique comments from a variety of banks, thrifts, credit unions, credit card companies, securities firms, insurance companies, and industry trade associations, as well as from consumer and other advocacy groups, the National Association of Attorneys General (“NAAG”), the National Association of State Insurance Commissioners (“NAIC”), and individual consumers.[33]
A number of institutions expressed support for the model form. Some stated that they are either already using it (submitting copies of their notices) or intend to use it once it is finalized. One industry association conducted an informal poll of its community bank members and found that many are likely to use the model form and that most found the new form more consumer-friendly than the Sample Clauses. These commenters commended the Agencies for proposing simpler language and making the disclosure terms more understandable and accessible to consumers.
Consumer and other advocacy groups, the NAIC, NAAG, and individual consumers generally supported the Agencies' proposal and the clearer language and omission of extraneous information in the proposed model form. These commenters stated that the proposal could be strengthened in certain respects, for example, by making Start Printed Page 62894the default opt-in rather than opt-out and creating a one-stop opt-out repository similar to the National Do Not Call Registry.
There was general support by many commenters for additional consumer research and testing. While some industry commenters provided substitute language or submitted alternate forms of the notice, none submitted other research findings. However, the NAIC submitted a consumer study on notices with research findings that the Agencies did consider.
Most industry commenters, however, objected to several key aspects of the proposal. The most significant areas of concern raised by industry commenters related to: The standardized approach; the format of the proposed model form; the limited examples of types of personal information collected and shared; the disclosure table; incorporation of state law information; and revocation of the Sample Clauses. The thrust of many industry comments was that the proposed form was overly simplistic and not nuanced enough to describe precisely what the various laws permit or to allow accurate descriptions of more complex information sharing policies and practices. One commenter expressed concern that the form would lead to consumer confusion because of inaccurate disclosures on sharing practices and result in high opt-out rates, discouraging use of the form. Many industry commenters expressed concern about liability under state unfair or deceptive practice laws relating to privacy disclosures. At the same time, many institutions urged flexibility to allow inclusion of other information—such as describing the benefits of sharing, or providing marketing messages or privacy tips such as on identity theft and fraud prevention. One institution proposed allowing institutions to pick and choose which elements of the notice to use and still receive a safe harbor.
D. Quantitative Research
Following publication of the model form proposal in March 2007 and subsequent review of the comments, the Agencies revised the proposed model form for further testing.[34] In the fall of 2007, the Agencies turned their attention to developing the research protocol and methodology for conducting the second phase of the research: The quantitative consumer testing. In August 2006, prior to enactment of the Regulatory Relief Act, the Agencies had selected Macro International Inc. (“Macro”) to conduct the quantitative research study.
In the spring of 2008, Macro conducted a survey of approximately 1,000 consumers using a mall-intercept methodology. The selected participants for the study reflected a range of demographic characteristics for gender, age, and educational level. The testing was conducted in five shopping mall locations—Baltimore, MD; Dallas, TX; Detroit, MI; Los Angeles, CA; and Springfield, MA—over a period of five weeks during March and April 2008.[35]
The test objectives were to evaluate the effectiveness of the revised proposed model form [36] developed by Kleimann (“Table Notice”) for comprehension and usability as compared to three other styles or formats of notices. The other notice formats were: (1) The prose version of the prototype table notice also developed and tested by Kleimann (“Prose Notice”); (2) a current version of a common notice used by financial institutions (“Current Notice”); and (3) a notice comprised solely of the Sample Clauses found in the appendix to the privacy rule (“Sample Clause Notice”). Within each format, there were three different notices, each reflecting a different level of sharing. Each level of sharing had a common fictional bank name across the four notice formats: Mars Bank had a low level of sharing; Mercury Bank had a medium level of sharing; and Neptune Bank had the highest level of sharing. Both Mercury and Neptune Banks offered opt-out choices; however, the pattern of sharing was such that after exercising all available opt-outs, Neptune Bank continued to share more broadly than Mercury Bank and Mercury Bank continued to share more than Mars Bank. This design was intentional for the comparison testing.[37]
On December 15, 2008, two expert advisors to the Agencies, Dr. Alan Levy and Dr. Manoj Hastak, submitted a report to the Agencies analyzing the research data provided by Macro (the “Levy-Hastak Report”).[38] The Levy-Hastak Report confirmed the overall effectiveness of the proposed model form (as modified) as against the three alternative notice formats. On April 15, 2009, the SEC published the Levy-Hastak Report, along with the Macro Report and test data, for public comment. The SEC received nine comments.[39]
The Levy-Hastak Report examined two measures on how effectively the notices communicated information: (1) Judgment quality; and (2) perceptual accuracy.[40] According to the Report, judgment quality focused on the extent to which study participants could provide logical, defensible reasons for choosing one bank over the other based solely on the notice. Perceptual accuracy focused on the ability of the participants to recognize accurately the differences between the banks in information collection and sharing practices, in opt-out choices, and in relative sharing after all opt-out choices were exercised.[41]
The Levy-Hastak Report concluded that, overall, the Table Notice outperformed the other notices.[42] The Table Notice performed particularly well on difficult tasks [43] while the Current Notice performed poorly on all measures. While the Sample Clause Notice performed well on simple tasks, Start Printed Page 62895about equal to the Table and Prose notices, it performed significantly less well than the Table Notice on measures of judgment quality.[44] The Report concluded that the table format is likely a key explanation for the improvement in comprehension demonstrated by the study participants who saw the Table Notice as compared to those who saw the other notice styles—especially for difficult perceptual accuracy tasks.[45]
While the notice format significantly affected participants' ability to comprehend and compare the notices, the testing showed that participants' general attitudes about the sharing of their personal information were not affected by the notices they saw.[46] Following the two rounds of questions on the content of, and comparison between, the notices, the study participants were asked to rate their attitudes in general toward information sharing, for example, sharing with affiliated banks and with nonaffiliated banks. The results showed that participants' attitudes were about the same across the four notice formats.[47]
The Levy-Hastak Report analyzed two specific areas where the Table Notice seemed to perform less well than the other notices. First, the Report described an anomaly with respect to responses to the question [Q. 19/30]: “Which of these two banks gives you the opportunity to limit or to opt out of the sharing of your personal information?” [48] Generally participants identified the bank or banks that provided an opt-out. However, some participants who saw the Table and Prose notices selected Mars Bank, the one that shared the least and offered no opt-out option. Because answering “Mars Bank” was identified as an incorrect answer, the Current and Sample Clause notices out-performed the Table and Prose notices on this question.
In contrast, the Table and Prose notices out-performed the other two notices on the most difficult task in the test. In this task, participants were asked to assume that they had exercised all possible options to limit or to opt out of sharing and then to identify which bank shared more. Here, the Table and Prose notices significantly out-performed the other notices. More participants who saw the Table and Prose notices correctly gave as their answer the higher sharing bank. This result suggests that participants who saw the Table and Prose notices did understand which bank(s) offered an opportunity to limit or to opt out of their sharing.
In analyzing this discrepancy, the Levy-Hastak Report observed that the simpler question had two different, yet accurate, responses, depending on how participants interpreted the question. Some of the participants might have understood the question to apply at the point of choosing between the two bank notices; those participants selected the lower sharing bank. In contrast, other participants might have understood the question to mean: Which bank lets me opt out of sharing personal information once I am doing business with the bank. The second interpretation was the intended meaning of the question. Drs. Levy and Hastak hypothesized that some participants who saw the Table and Prose notices understood the question to have the first meaning, while other participants, particularly those who saw the Sample Clause and Current notices, understood the question to have the second meaning.[49]
To test this hypothesis, Drs. Levy and Hastak examined the pattern of factual mistakes that participants made when they answered a separate set of questions.[50] There, study participants were asked in Q. 16/27 why they preferred one bank over the other, based solely on the notice. Some participants who selected a bank that shared relatively little information and did not offer an opt-out stated that this bank offered more opportunity to limit or to opt out of sharing than the higher sharing bank, which was labeled a “false opt-out mistake” in the Report. The Report found that participants who saw the Table and Prose notices were on average almost three times as likely to make the false opt-out mistake as those who saw the Current and Sample Clause notices.[51]
This finding supports the hypothesis that users of the Table and Prose notices who selected the lower sharing bank in response to Q. 19/30 understood the question in its first meaning: They selected a bank that gave them an opportunity to limit or opt out of sharing at the time of choosing between the two bank notices. Under that interpretation, these participants could limit sharing by selecting the bank that shared less information. Thus the Levy-Hastak Report's analysis of the false opt-out mistake pattern in Q. 16/27 is consistent with their hypothesis regarding the responses to Q. 19/30. In addition, the Report found that the educational level of the study participants produced a significant effect only on the responses to the opt-out question, with better educated participants more likely to answer the question in the intended manner.[52] This finding is also consistent with the Report hypothesis that participants who saw the Table and Prose notices understood the question in two different, yet equally correct ways, unlike those who saw the Sample Clause and Current notices.
The Table Notice also seemed to perform less well in a second, unrelated area. Specifically, all the test notices provided only two methods for consumers to opt out of or limit sharing: Use of a toll-free telephone number or access to the opt-out on the institution's Web site. When study participants were asked to identify which contact modes were identified in the notice as ways to limit or opt out of sharing, they correctly identified the two modes more frequently when using the Sample Clause Notice than the Table, Prose, and Current notices.
Noting that this type of question appears to invite skimming the notice to find the answer quickly and easily, the Levy-Hastak Report examined the great variability in notice length and found that the Sample Clause Notice was significantly shorter than any of the other notices. The Levy-Hastak Report observed that the shortness of the Sample Clause Notice may have made it easier for participants to scan the notice and find the answer to this question. The Report opined that notice length likely has an effect on scanability and reading ease.[53]
Start Printed Page 62896While the Levy-Hastak Report findings confirmed the overall effectiveness of the Table Notice,[54] the Report's analysis prompted the Agencies to consider a further refinement to the proposed model form. The change, discussed in more detail later, was to modify the opt-out section of the model form to place the opt-out information on page one directly following the disclosure table so that all the key information appears on that page.[55] The Agencies considered this change to facilitate quick scanning for important information without sacrificing the model form's performance in other respects. To ensure that locating the opt-out information on page one worked from a usability perspective, the Agencies decided to conduct validation testing which led to separate formats for the telephone and Internet opt-out and for the mail-in opt-out that the Agencies are adopting.
E. Public Comments on the Quantitative Test Data
Nine commenters representing insurance, securities, and financial services associations, a bank, and two investment advisers submitted comments in response to the SEC's solicitation for public comments on the quantitative testing. Most of the commenters re-stated their earlier general objections to the proposed model form. These concerns are addressed in section III.
All but one of these commenters made general observations about the quantitative test methodology and the Levy-Hastak Report. Five commenters observed that the test notices were designed for banks and not for insurance companies or securities firms (i.e., broker-dealers, investment companies, or SEC-registered investment advisers), thereby omitting a significant portion of the financial services industry that provide these notices.[56] Two commenters opined that the study participants' demographic characteristics did not reflect those consumers who will receive financial privacy notices.[57] One expressed concern about the demographic diversity in the mall selections and questioned whether there was consistent coding of the open-ended responses.[58] One commented that the testing criteria ruled out non-English speaking participants.[59]
Some of the commenters disagreed with the Levy-Hastak Report's conclusion that the Table Notice outperformed the other notice formats. They opined that the Report's conclusion is flawed because: (1) The Sample Clause Notice did better on simpler tasks than the Table Notice; [60] (2) the anomalies discussed in the Levy-Hastak Report may be due to other explanations; [61] and (3) while the Table Notice's overall performance was better than the other notices, actual performance accuracy was relatively low.[62] Several commented that the overly simplified and inflexible format of the Table Notice is not a true test of consumers' understanding of institutions' actual collection and disclosure practices.[63] In addition, all commenters on the quantitative testing urged retention of the Sample Clauses and related safe harbor.
The test notices for the quantitative study were created for fictitious banks, even though the model form can be used by any financial institution subject to the GLB Act and the privacy rule. Because the vast majority of consumers are familiar with or have experience with a bank, the Agencies used a notice designed for a bank to increase the likelihood that most of the test participants could readily understand the terms in the notice, such as “account balances,” “income,” or “credit history,” which describe information collected and shared by many banks, as well as by many other financial institutions.
The Macro Report presented data on the demographic characteristics of the study participants recruited for the study. Participants at each mall were pre-selected for a representative mix based on gender, age, and education levels, and information on participants' race/ethnicity, income, and household size was obtained at the end of each interview.[64] Since a significant majority of consumers in America receive a financial privacy notice—including from banks, credit unions, securities firms, insurance companies, auto dealers, debt collectors, and payday lenders—the Agencies wanted to ensure that a representative cross-section of consumers be included in the study.
The Agencies hired Macro as an outside independent expert to handle all aspects of the collection and reporting of the study data. Macro conducted all training of field staff, implemented a series of checks to ensure greater accuracy of the study data, reviewed, on an ongoing basis, all daily downloads of data from the field, and coded all of the open-end responses.[65]
With respect to the comment that the accuracy of the study participants' responses overall was relatively low, the commenter cited the judgment quality measure of the participants' fact-based reasons for choosing the lower sharing bank.[66] While the results showed that most consumers likely have a limited Start Printed Page 62897understanding of information sharing practices after a brief exposure to any of the notice styles, nevertheless the Levy-Hastak Report confirms that overall the Table Notice out-performed the other notices and is the most effective notice of all the privacy notices tested.
Finally, two commenters requested that if both the model privacy form and the SEC's proposed amendments to its privacy rule, Regulation S-P, were adopted, the SEC should coordinate the compliance dates so as to minimize the compliance burden and the potential for multiple revisions of an institution's privacy notice.[67] The SEC appreciates institutions' desire to minimize revisions to their privacy notices and reduce the costs of compliance with its rules. However, the model privacy form the Agencies are adopting today is just that—a model—and no institution is required to use the model form. A financial institution that intends to use the model privacy notice and minimize potential costs, if any, related to revising its privacy notices in light of amendments to Regulation S-P could begin to use the model form after the compliance date of any final amendments to Regulation S-P.
F. Validation Testing
In revising the model form based on public comments and findings from the Levy-Hastak Report, the Agencies streamlined the form to consolidate the information on the front and back sides of a single piece of paper and moved the opt-out information to the bottom of page one. In December 2008, the Agencies engaged Kleimann to conduct validation testing to confirm that these changes would not affect the comprehension, usability, and design integrity of the model form. In particular, Kleimann's new research focused on the placement of the opt-out information on page one. Kleimann conducted targeted in-depth interviews in January and February 2009 to test, revise, and re-test the model form. On February 12, 2009, Kleimann submitted a report to the Agencies, “Financial Privacy Notice: A Report on Validation Testing Results,” with a revised opt-out form recommendation (“Kleimann Validation Report”).[68]
The validation testing examined various formats for displaying opt-out information where the opt-out methods are by toll-free telephone number,[69] the Internet, or a mail-in form. The validation testing confirmed the usability of the following changes to the proposed model form: (1) inserting a new box titled “To limit our sharing” below the disclosure table to inform consumers how they can limit sharing, such as by a toll-free telephone number or online; (2) replacing the “Contact Us” box with a box titled “Questions” following the “To limit our sharing” box; and (3) as applicable, inserting a mail-in form at the bottom of the page, which would require a longer piece of paper.[70]
III. The Final Model Privacy Form
A. Standardization
Like the proposed model privacy form, the final model form uses a standardized format. Some industry commenters expressed support for the standardized format, with one noting that standardized notices would serve as an effective means of allowing consumers to understand in a simple manner companies' information practices.[71] Another commenter pointed to the success of the “Schumer box,” a standardized format that makes the disclosure of credit card terms more accessible to consumers.[72]
Privacy and advocacy groups and NAAG supported the proposed standardized format, recognizing the important findings of the research and the model form's structure—in particular the elements on page one—as benefiting both consumers and companies by making the disclosure information accessible.[73]
A number of industry commenters, however, objected to the standardized form, asserting variously that: It causes confusion; because it is an abrupt change in the way information-sharing practices are disclosed, it could cause consumers to believe that the institution is changing its policies; because the model form has too much boilerplate, it detracts from the ability to compare policies; and it makes the notice less clear. Others stated that the standardized form is too inflexible and does not accurately reflect institutions' financial practices or accurately describe the scope of consumers' rights. Several stated that the model form language does not adequately capture the complex privacy policies and practices of many institutions.
Based on the statutory requirement that the Agencies propose “a model form,” the final model privacy form utilizes a standardized format.[74] Moreover, as more fully discussed in the preamble to the Proposed Rule, the Agencies' research supports uniform disclosures to help consumers better understand companies' information sharing practices.[75] We reaffirm that use of the model form is voluntary; institutions are not required to use it.
B. Instructions for Use
The General Instructions to the Model Privacy Form require that no additional information—other than what is specifically permitted—may be included in the model form in order to obtain the benefit of the safe harbor.[76]
A number of industry commenters objected to the Agencies' statement in the preamble to the Proposed Rule that the model form should not be incorporated into any other document.[77] Start Printed Page 62898Some expressed concern that this would require the notice to be mailed separately.[78] Several commenters stated that a private label or co-branded credit card application incorporates the lender's privacy policy into a brochure with a tear-off application to make it easier for the store clerks to provide all required information in a single document.[79] Others observed that the privacy notice is typically included in a single document with other important reference information.
Recognizing these concerns, the Agencies agree that institutions may incorporate the model form into another document, but they must do so in a way that meets all the requirements of the privacy rule and the model form instructions, including that: The model form must be presented in a way that is clear and conspicuous; [80] it must be intact so that the customer can retain the content of the model form; [81] and it must retain the same page orientation, content, format, and order as provided for in this Rule.
C. Format of the Notice
In response to numerous comments relating to the format of the proposed model form, the Agencies have revised certain of the requirements relating to paper size, orientation, number of pages, type size, and color and logo placements, as discussed below.
Paper Size: To allow institutions greater flexibility, the final model privacy form may be printed on paper the size of which must be sufficient to meet the layout and minimum font size requirements with sufficient white space on the top, bottom, and sides of the content.[82] Many industry commenters objected to the proposed requirement that the model form appear on 81/2 by 11-inch size paper.[83] Commenters stated that the proposed model form would require significant materials, postage, and production costs. Industry commenters explained that institutions use a variety of sizes and styles to present their privacy notices. Some institutions—particularly credit card institutions—enclose their privacy notices with a billing or periodic statement or a bankcard carrier. Envelopes for certain of these statements or for multi-panel formats are smaller than 81/2 inches and may not accommodate the proposed size.
The Agencies have reviewed numerous financial institution privacy notices over the past eight years, many of which are printed on smaller-sized paper in a multi-panel, multi-fold display. The density of the small-font text, in addition to the complex legal language, make these notices very difficult to read or understand.[84] The final requirement for paper size is designed to provide financial institutions with some flexibility, while prohibiting a paper size that is too small to accommodate the font and orientation requirements in the model form set forth below.
Orientation: Like the proposed model form, the final model privacy form must be printed in “portrait” orientation. Some institutions objected to this orientation, suggesting instead that institutions be permitted to design their own model form in other orientations, such as the commonly-used multi-fold display.[85] According to these commenters, this landscape format has three or more “pages” of text visible on each side of the paper when the notice is fully opened. The size of the paper varies considerably, with some as small as approximately 7 by 11 inches before it is folded. In such a display, each “page” is approximately 31/3 by 7 inches—considerably smaller than can accommodate the model form.[86]
The design of the model form does not lend itself to a multi-panel display. The utility of the form's design for reading ease depends in large measure on both larger, more readable type size and how the content is presented. While one commenter objected to the “significant empty space” in the model form,[87] the guidance from communications experts and form designers is that appropriate white space between the text and margins, as well as the use of headings and bullets, make a more effective, readable notice.[88] The table—the heart of the model form—cannot be squeezed into a tighter space or so reduced in size as to make it virtually unreadable. For these reasons, the Agencies do not agree that the orientation of the model form should be altered to accommodate a multi-panel display.
Number of Pages: In response to numerous commenters, the instructions to the final model privacy form permit the form to be printed on two sides of a single piece of paper or on two single-sided sheets.[89] By incorporating the opt-out information on the bottom of page one, the revised model form may now appear on the front and back of a single piece of paper.
Industry commenters generally objected to the proposed requirement that the model form be printed only on one side of a page.[90] Many raised environmental concerns and the increased costs associated with printing the notice on multiple pages.
While the proposed single-sided model form was based on the initial Start Printed Page 62899consumer research and testing, the Agencies believe that the concerns expressed by commenters justify double-sided printing. Moreover, the Agencies used double-sided printed notices in the quantitative and validation testing, with no demonstrable loss in effectiveness relative to the single-sided notice.[91]
D. Appearance of the Model Privacy Form
The Regulatory Relief Act requires that the model form “use an easily readable type font.” While a number of factors affect the readability of a document, as in the proposal, the final model privacy form must use: (1) 10-point font as the minimum font size (unless otherwise specified in the Instructions) and (2) sufficient spacing between the lines of type (leading).[92]
The Agencies separately provided optional guidance in the preamble to the Proposed Rule on readable type styles and other formatting suggestions for institutions. This optional guidance is not required; it was to assist institutions that want to provide more readable and attractive privacy notices to consumers. The Agencies are republishing this optional guidance in section III.E to assist interested institutions.
Type Size: A number of commenters expressed various concerns about the proposed 10-point minimum font requirement.[93] A few commenters noted that the proposed model form included several different type sizes for various parts of the model form and were confused about what type size(s) the Agencies proposed as a requirement.[94] Other commenters raised concerns that a minimum type size requirement for the model form would conflict with state law mandated requirements. A few stated that a minimum font size is not legally required for the model form.
Many of the criticisms about current notices are, in part, about the tiny print that make these notices so difficult for consumers to read.[95] Based on the statutory directive, as well as the findings elicited from the Agencies' consumer research and expert views, the Agencies believe that the model form should have a minimum 10-point font. Requiring a minimum 10-point font is consistent with state law mandates for consumer disclosures.[96]
Leading: Leading is the spacing between lines of type, measured in points. If the line spacing is too narrow, the type is hard to read. In these circumstances, the ascenders (such as the upward line in the letter “h”) and descenders (such as the downward line in a “g”) may touch, blending the lines of type and making it much harder to distinguish the letters on the page. The final instructions to the model form require only that the leading used allow for sufficient spacing between the lines, but do not mandate a specific amount.
E. Optional General Guidance for Easily Readable Type
The Proposed Rule included optional guidance on readable type styles and other formatting suggestions for institutions that want to provide privacy notices that are more readable and attractive to consumers, as well as those that want to develop their own model privacy form.[97] A number of commenters were concerned by this guidance for easily readable type, and in some cases, they assumed the guidance would be mandatory. The Agencies expressly state that the guidance in this section III.E. is not mandatory and is not a requirement for proper use of the model form.
In more closely examining the statutory directive for “easily readable type,” the Agencies determined that a number of type-related factors can greatly affect the readability of a form. Type size, type style, leading, x-height, serif versus sans serif,[98] upper and lower case type, along with the page layout—together play an important role in designing a typeface that is highly readable. Therefore, in considering these various factors for the design of an easily readable type font, institutions that elect to use the model form may voluntarily consider this additional guidance for an easily readable appearance to the notice.
Leading: Research on the legibility of typography indicates that people read faster when text is set with 1 to 4 points of leading.[99] Institutions may, but are not required to, consider these general recommendations for use with the model form: 10- or 11-point type should have between 1 and 3 points of leading. Twelve-point type should have between 2 and 4 points of leading.[100]
Type style and “x”-height: The readability of type size is highly dependent on the selection of the type style. Some styles in 10-point font are more readable than others in 12-point font and appear larger because of their design.
Experts differ on the question of the most desirable type style. The model form uses sans serif and “monoweight” type, and upper and lower case lettering in the body of the form.[101]
Larger x-height [102] makes a font appear larger and thus more readable, and fonts with larger x-heights are better for smaller text. Research shows that our eyes “scan the top of the letters' x-heights during the normal reading process, so that is where the primary identification of each letter takes place.” [103] Generally, a font with an Start Printed Page 62900x-height ratio of around .66 is easier to read.[104]
While not mandating a particular type style or x-height, the Agencies are providing these general guidelines for type style in the model form: For typefaces with a smaller x-height, 11- or 12-point font should be used; for typefaces with a larger x-height, a 10-point font would be sufficient.[105]
For ease of reference, the following table summarizes the optional guidance discussed here. None of the standards in the table below is mandatory; rather, the information in the table is offered only as suggestions for institutions that design their own forms.
If Then use And use And use font with Font is 10-point 1-3 points leading Monoweight typeface Large x-height sans serif (around .66 ratio). Font is 11-point 1-3 points leading Monoweight typeface Smaller x-height is acceptable; either serif or sans serif (less than .66 ratio is acceptable). Font is 12-point 2-4 points leading Monoweight or variable typeface Smaller x-height is acceptable; either serif or sans serif (less than .66 ratio is acceptable). F. Printing, Color, and Logos
We are adopting the requirements for printing, color, and logos in the final model form as proposed. Commenters generally commended the Agencies' support for the use of color and company logos on the model form.[106] A few industry commenters expressed concern about the background shading in certain headers smudging in high-speed printing operations.[107] Some commenters sought clarification as to whether logos can use more than one color.
The Agencies agree that the distinguishing features of company logos along with color are important to ensure that an institution's documents have a distinctive look that consumers may readily recognize. As the Agencies proposed, a financial institution that uses the model form may include its corporate logo on any of the pages, so long as the logo design does not interfere with the readability of the model form or space constraints of each page. Institutions using the model form should use white or light color paper (such as cream) with black or suitable contrasting color ink. Spot color is permitted to achieve visual interest to the model form, so long as the color contrast is distinctive and the color does not detract from the form's readability. The Agencies are not prohibiting the use of more than one color in a logo.
Other commenters asked for greater flexibility to include “markings” or “graphics” or other “visual effects” or to include a “branding phrase” or “advertising slogan.” [108] The Agencies observe that few institutions' privacy policies include advertising slogans. We note that some include pictures or other large designs that occupy the front cover. The Agencies believe that these designs or slogans would distract from the content of the model form and that slogans would be inconsistent with the standardized language throughout the form. For these reasons, the final model form does not permit institutions to include slogans or images (other than logos) on the model form.
G. Jointly-Provided Notices
The final model privacy form includes a new FAQ at the top of page two: “Who is providing this notice?” Many commenters representing larger institutions observed that the proposed model form did not provide sufficient space to identify multiple entities that jointly provide a privacy notice, as permitted by the privacy rule.[109] Some suggested the Agencies provide extra space for this information either in the body of the notice or as a footnote. The new FAQ is not required where only a single financial institution is providing the notice and that institution is identified in the title. As discussed in section III.J.1, space is provided for the institution's response.
H. Use of the Form by Differently-Regulated Entities
A number of commenters sought clarification as to whether institutions regulated by different Agencies could together provide a single joint notice to consumers.[110] Insurance companies and their associations in particular expressed concern that the form did not allow for insurance-specific terminology and potentially put these institutions—regulated by the states—at some risk.[111]
Start Printed Page 62901The Agencies fully intend that differently-regulated entities can provide a single joint notice to consumers by using the final model form. The Agencies have consulted with the NAIC, which submitted a letter with proposed modifications to certain sections of the form. The Agencies have incorporated into the final model form two menus of terms adaptable to the wide range of financial institutions. The menus include both the SEC's and the NAIC's proposals, and enable a variety of institutions, including securities firms and insurance companies, to use the model form, either individually or jointly with other types of financial institutions.
I. Page One of the Model Form
1. Title
The Agencies are adopting the title, “What Does [Name of Financial Institution] Do With Your Personal Information?,” as proposed. One commenter objected to the title, preferring instead to refer to it as a privacy notice.[112] Other commenters who provided sample revised notices also used alternate headings, such as, “our privacy notice for consumers,” “privacy information,” “privacy statement,” and “keeping your information safe and secure.” [113] The research found that the terms “privacy notice” or “privacy policy” deterred consumers from reading the notice.[114] Consumers understood these terms to mean that the institution does not share personal information. The validation testing confirmed the effectiveness of the title.[115]
2. Key Frame
The Agencies are adopting the basic structure of the key frame as proposed with some language changes to address comments received. Industry commenters raised several objections to the key frame—the “Why?,” “What?,” and “How?” boxes. Their principal concern was the inflexible nature of the information in these boxes. Many commenters took particular issue with the list of information collected and shared, noting that not all institutions collect and share the information listed.[116] These commenters asked for greater flexibility in identifying other types of information that may better relate to their practices. Commenters raised other issues about: vocabulary; the contents and number of the boxes; and the inclusion of certain information not required by the privacy rule. Some commenters proposed moving and deleting phrases—as well as using the phrase “as permitted by law” to describe the types of sharing they can do. Some commenters raised questions about the reference to former customers.
The Agencies appreciate the various suggestions provided—particularly on vocabulary and the structure and contents of the boxes—but note that the model form was developed through consumer research with the goal of making it understandable to consumers. The Agencies have decided to retain the basic structure and content of the key frame but have made certain modifications.
The Agencies recognize that financial institutions may collect and share types of information other than those listed on the proposed form, including institutions that provide insurance or investment advice or sell securities. The Agencies have, after consulting with the NAIC and based on consideration of the comments received, provided a menu of terms, including each of the terms that was proposed, from which institutions may select to fill in the bracketed boxes.[117] Since all financial institutions collect Social Security numbers, this one term is required in all notices. The terms provided are designed to reflect the range of information typically collected by various types of institutions in language that consumers can more easily understand.
Further, the Agencies have revised the statement about former customers to: “When you are no longer our customer, we continue to share information about you as described in this notice.” While some institutions objected in principle to the statement that former customers are subject to the same policy as current customers,[118] no commenters asserted that institutions actually implement a different policy for former customers.[119]
3. Disclosure Table
We are adopting the disclosure table substantially as proposed, with some minor changes. Consumer and other advocacy groups, the NAIC, NAAG, and some industry commenters appreciated the easily understood display of information in the disclosure table of the proposed model form. One commenter noted the strength of the Schumer box standardized format.[120] Others lauded the use of a tabular format to display a company's sharing practices, noting that framing one institution's practices against the industry as a whole is a useful way to inform consumers of a company's relative sharing practices and facilitates the comparison of different institutions' practices.[121]
A number of industry commenters and associations, including many small community banks and a few larger banks, also expressed support for the clarity and consumer-friendly format of the disclosure table.[122]
However, many industry commenters sought flexibility in the table design for several reasons. Some reported that it is common for a financial institution to have multiple privacy policies for different products that they offer consumers.[123] Others asserted that the table contains a bias against larger, more complex corporate structures because it is overly simplistic and may show that certain types of institutions engage in widespread sharing.[124] One opined that the table structure made it appear that the entity was reckless in its sharing practices.[125] These commenters expressed particular concern that the model form would lead to high opt-out Start Printed Page 62902rates.[126] Many particularly objected to listing all the categories of sharing—especially when a consumer cannot limit or opt out of certain types of sharing—and others wanted to limit the list only to those categories used by the institution.[127] Some commenters wanted to use this space to explain the benefits of certain types of sharing.[128] Others wanted to convey that, for example, they only shared information with certain types of affiliates but not others and asserted that the disclosure table did not permit them to make this distinction.[129]
As the Agencies stated in the preamble to the Proposed Rule, based on the Kleimann Report and as confirmed by the quantitative research data and the Levy-Hastak Report, the disclosure table is the heart of the model form design and its most effective feature.[130] The table provides for greater transparency of a company's sharing practices. It allows consumers to see at a glance the types of information sharing a company may engage in, whether that particular company shares in that way, and, if so, whether the consumer can limit such sharing.[131] Based on the research, the Agencies have retained the disclosure table generally unchanged in the final model form.
Addressing industry concerns about bias against larger institutions, the Agencies appreciate these institutions' concern that some of their customers may react negatively to the sharing of their information. The purpose of the model form is not to direct consumer behavior, however, but rather to provide information effectively. While the Levy-Hastak Report found that a majority of survey participants objected to the sharing of their personal information with affiliated companies, and more so with nonaffiliated companies, these objections were consistent across all the survey participants and were not affected by any particular notice format.[132] The research confirms that the notice design more clearly informs consumers about how each company shares or uses the personal information it collects.
During the course of this project, the Agencies heard from smaller institutions that their customers wanted to stop all sharing and expressly asked for opt-outs even when the institution engaged in only limited sharing under the section __.14 and __.15 exceptions.[133] The neutral design of the form, particularly through the table, explains that some sharing is necessary for an institution's “everyday business purposes” and makes clear what sharing occurs. In addition, the model form uses the term “limiting” sharing, rather than stopping sharing altogether. These small institutions commented that this more balanced presentation of sharing practices is a very important feature of the notice, and one that they welcome, as it makes all institutions' sharing practices more transparent.[134]
The strength of the table design is that it facilitates comparison by showing what a particular institution's sharing practices are as compared to what all financial institutions can legally do. For this reason, the final model form incorporates all seven reasons for sharing, with only the affiliate marketing provision—“For our affiliates to market to you”—optional for those companies that elect to incorporate that disclosure in their GLB notices.[135]
While the middle column requires institutions to answer “yes” or “no” to whether it shares for each of the reasons, some commenters expressed concern that their information sharing practices were sufficiently complex that they could not answer “yes” or “no,” stating that they had different practices for different products. Institutions that elect to use the model form must answer the questions in the final model form as directed in the proposal. If an institution elects to use the model form, it must either harmonize its practices so one notice applies to all its products, or it must provide separate notices for products subject to different information sharing practices.
A few commenters opined that they may not currently share but want to reserve the right to share in the future. In such a case, the correct response in the middle column is “yes,” consistent with the privacy rule.[136]
Many institution commenters objected that the proposed terms to describe sharing practices were abbreviated or incomplete and asserted that the Agencies limited sharing that is lawfully permitted. For example, commenters objected that the definition of “everyday business purposes” excluded a long list of permissible disclosures designated in sections __.14 and __.15.[137] However, as the Agencies stated in the proposal, the phrase “everyday business purposes” fully incorporates all the disclosures permitted by law under sections __.14 and __.15 of the privacy rule.[138] In addition, the Agencies have determined that service providers that do not fall under section __.14, but perform direct services to the institution such as opt-out scrubbing or market analysis or research under a section __.13 agreement, are included under this provision.[139]
The cited examples of “everyday business purposes” [140] are illustrative only, to enhance consumer understanding. While commenters urged us to include the phrase “as permitted by law” in this description, research has found that consumers are confused and concerned by this phrase; they do not know what it means or what Start Printed Page 62903“laws” it encompasses.[141] Including that phrase would be inconsistent with consumers' need for clear language to understand what their financial institution does with their information.
Because the laws governing disclosure of consumers' personal information are not easily translated into short, comprehensible phrases, the table uses more easily understandable short-hand terms to describe sharing practices. We do not believe that these short-hand terms diminish the laws' provisions, as some commenters asserted. If, as these commenters suggest, the Agencies add to the laundry list of descriptive terms to make the provisions in the table more “precise,” we believe it will defeat the purpose of making this information more understandable to consumers. Thus, the Agencies have chosen not to provide detailed descriptions for each of the reasons in the table; we re-affirm that institutions' ability to share information in accordance with the statutory provisions would not be limited or otherwise modified by using the model form language.
The phrase “For our marketing purposes” captures the idea that nearly all, if not all, institutions share information to market their own products and services to their customers (for example, using a joint marketing agreement with a service provider such as a bulk mailer or data processor pursuant to section __.13 of the privacy rule) in a manner that does not trigger an opt-out right. Likewise, the phrase “nonaffiliates to market to you” does not diminish the information sharing permitted by the privacy rule, provided that institutions first provide an opportunity for consumers to opt out, as provided for in section __.10 of the privacy rule.
In all these instances, the lack of explicit references in the model form to certain of the exceptions does not mean that an institution cannot take advantage of all the exceptions provided for in the law.
4. FCRA Opt-Outs
The FCRA provisions are adopted in the model privacy form as proposed.[142] A number of industry commenters objected that the disclosure table did not provide a sufficiently complete or accurate description of the affiliate sharing provisions of the FCRA.[143] They urged the Agencies to revise these provisions to more precisely distinguish between the different types of information that can be shared with affiliates (both with and without an opt-out), to describe the applicable exceptions, and to more accurately describe the opt-out pertaining to information that can be used by affiliates for marketing.
The FCRA statutory provisions are quite complex and their legal intricacies are difficult for consumers to understand. The Agencies found through the consumer testing conducted by Kleimann that the short-hand FCRA terms used in the model form describing the types of personal information that can be shared with affiliates are sufficient to enable consumers to make informed decisions about such sharing. Again, these short-hand terms do not in any way diminish or modify the affiliate sharing provisions of the FCRA.[144] To give some meaning to the statutory term “other information,” the disclosure table uses “Information about your creditworthiness”—a short-hand phrase that consumers reasonably understood. Testing also found that consumers reasonably understood the phrase “information about your transactions and experience” without further embellishment.[145]
Some institutions objected to the description of the optional affiliate marketing provision enacted under the FACT Act for which the Agencies have published final regulations.[146] These commenters are correct that this provision, unlike the others, is about the use of shared information for marketing. While the Agencies and Kleimann worked to ensure accuracy in the model form, it was evident at the outset that this particular provision would be very difficult to explain in a simple and clear way to consumers and be precisely true to the statutory language.
The final formulation we proposed tested sufficiently well to show that consumers understand its basic meaning.[147] Including the affiliate marketing notice and opt-out in the model form is optional. Institutions that are required to provide this notice, and elect not to include it in their GLB Act privacy notice, must separately send an affiliate marketing notice that complies fully with the affiliate marketing rule requirements.
For those institutions that elect to incorporate this provision in the model form, the Agencies believe that it is simpler and less confusing to consumers for the affiliate marketing opt-out to be of indefinite duration, consistent with the opt-out required under the GLB Act. If an institution elects to limit the time period for which the opt-out is effective, as permitted under the affiliate marketing rule, it must not include the affiliate marketing opt-out in the model form. Instead, the institution must comply separately with the specific affiliate marketing rule requirements.
5. Limiting Sharing: Opt-Out Information
In response to commenters and the results of the quantitative testing, the final model form includes opt-out information for those institutions that are required to provide an opt-out on the bottom of page one. The Agencies proposed that the information about limiting or opting out of certain sharing, as needed, would be provided on a separate third page. Many commenters objected to the use of a separate piece of paper for this information, particularly if the notice itself is quite short.[148]
Start Printed Page 62904This change eliminates the extra page from the proposed model form and places this important information on the first page that the consumer sees. In addition to the model form with no opt-out, the Agencies are providing two alternate versions to be used, as appropriate, depending on whether the institution offers the option to limit information sharing by mail.[149]
Institutions using the model form must include the opt-out section in their notices only if they (1) share or use information in a manner that triggers an opt-out, or (2) choose to provide opt-outs beyond what is required by law. Financial institutions that provide opt-outs are not required to provide all the opt-out choices and methods described in the model form; they should select those that accurately reflect their practices.[150]
A number of commenters objected to the statement describing the time period before information can first be shared according to an institution's privacy policy.[151] Recognizing that institutions will provide this form both to new customers and annually to existing customers, the Agencies have modified the language accordingly.[152] The revised model form allows institutions to insert a time period that is 30 days or longer from the date the notice was sent before it can begin sharing for new customers. Some commenters opined that in certain instances they should be able to require the consumer to make an opt-out decision at the time of the in-person or electronic transaction rather than waiting 30 days. While the Agencies recognize that certain situations may warrant an immediate decision, the basic rule is to allow a “reasonable” opportunity to opt out.[153]
Telephone and online opt-outs should closely match the options provided in the form. Consistent with the direction provided in the affiliate marketing rule,[154] the Agencies also contemplate that a toll-free telephone number would be adequately designed and staffed to enable consumers to opt out in a single telephone call. In setting up a toll-free telephone number that consumers may use to exercise their opt-out rights, institutions should minimize extraneous messages directed to consumers who are in the process of opting out.
A number of industry commenters requested clarification on how joint accountholders would be treated.[155] The Agencies have addressed this question with a new FAQ, described below. Further, if an institution elects to provide a choice for the joint accountholder to apply the opt-out only to that joint accountholder, that option must be provided in the telephone or Web prompt, as well as presented in the left-hand box on the mail-in form.[156]
A number of commenters from both industry and advocacy groups addressed the question whether consumers need to provide personal information such as a Social Security number, account number, or other identification number in order to opt out. The consumer advocacy organizations, some industry commenters, and an industry association proposed omitting the account number field from the proposed form to reduce the risk of fraud.[157] These commenters expressed concerns about phishing and identity theft, and were especially concerned about institutions' use of the Social Security number to confirm an opt-out request. These commenters argued that a name and address should be sufficient to effect an opt-out from an institution's information sharing.
Many institutions argued that they needed a Social Security number or full account or policy number in order to authenticate the person who wanted to opt out or to apply the opt-out appropriately to all accounts held by the customer or only to specific accounts.[158] Some industry commenters urged limiting the information to only the last four digits of an account number as both safe for the consumer and sufficient to implement the opt-out.[159]
Having considered these comments and the context in which such sensitive information is used—to implement an opt-out for information sharing—the Agencies strongly encourage institutions to use some other form of identifier, such as a randomly generated “opt-out code” provided in the notice that consumers can use to exercise their opt-outs without jeopardizing the security of their most sensitive personal information. A random code—which some institutions currently use—both protects consumers' most sensitive information and at the same time can be used to link both the customer and account(s) to which the opt-out should apply. Such an approach would further simplify the opt-out process for consumers. If such an approach is not feasible, institutions could use a truncated account or policy number to protect sensitive information.[160] Of course, any opt-out means provided—including any information requirements imposed on consumers—must be reasonable under the privacy rule and reasonable and simple under the affiliate marketing rule.[161] Institutions should keep these requirements in mind when requesting information beyond the consumer's name and address.
A number of industry commenters objected to the inability of the model form to provide for partial opt-outs, as permitted by the privacy rule.[162] The Agencies have observed that partial opt-outs are not widely employed. Trying to incorporate partial opt-outs in this model form would be unduly complicated and confusing for consumers, so the Agencies have determined to use the default provision of the privacy rule that provides for an opt-out that applies to all information.[163] Institutions that want to Start Printed Page 62905provide partial opt-outs cannot do so using the model form.
A number of commenters wanted to include in the model form the statement “If you have already told us your choice(s), you do not have to tell us again.” [164] Because this statement would only be accurate if the institution has not changed its notice to include new opt-out options, the Agencies have decided not to include it in the model form. Institutions that choose to use this statement must do so outside the model form.
6. Additional Opt-Outs in the Model Form
Like the proposed form, the final model form permits institutions to provide for voluntary or state law-required opt-outs. For example, if an institution elects to offer its customers the opportunity to opt out of its marketing, it can do so by saying “yes” in the third column. Similarly, an institution can offer its customers a right to opt out of joint marketing, if it chooses.
Institutions that must comply with various state law requirements, depending on their practices and the choices they offer, may be able to do so in one of two ways using the model form. For example, Vermont law requires institutions to obtain opt-in consent from Vermont consumers for affiliate sharing. The disclosure table permits institutions to do one of two things: (1) it can provide a notice directed to its Vermont customers that answers “no” to the question about whether it shares creditworthiness information with its affiliates, or (2) it can provide a generalized notice for consumers across a number of states including Vermont and answer “yes” to the question about sharing creditworthiness information with its affiliates and include a discussion on the application of Vermont law in the “Other important information” box on page two of the form.[165]
To obtain the safe harbor for use of the proposed model form, an institution that uses the disclosure table to show any additional opt-out choices (beyond what is required under Federal law) must make that opt-out available through the same opt-out options the institution provides in the notice, whether by telephone, Internet, or a mail-in opt-out form.[166]
7. Contact Information for Questions
Like the proposed form, the final model form provides contact information at the bottom of page one. Some commenters objected that it would be confusing if an opt-out is offered or the institution wants to limit such contact to a mail option only.[167] The Kleimann Report found that consumers want a way to contact their financial institution if they have any questions.[168] The NAIC Study likewise found this to be one of the most important pieces of information that consumers want in a notice.[169] In revising the proposed model form to include the opt-out information on page one, the Agencies have modified the “Contact Us” box to label it “Questions” (to more clearly distinguish between the two) and clarified in the Instructions that this box is for customer service contact information, either by telephone or the Internet or both, at the institution's option.
Customer service contact information is for consumers who may have questions about the institution's privacy policy and may be the same contact information for consumers' questions relating to the institution's products or services. The Agencies are not requiring a separate customer service number solely to answer questions about the institution's privacy policy. The customer service contact information is different from the opt-out contact information, unless the customer service number is made available for consumers to opt out. The contact information should give consumers a way to communicate directly with the institution.[170]
8. Mail-In Opt-Out Form
The mail-in opt-out form for institutions that provide such a form is adopted with two modifications, with the changes based on comments, the quantitative testing, and the Levy-Hastak Report. The validation testing shaped the design for the opt-out information in the final model form.
As discussed in section III.I.5, the final model form displays all opt-out information, including the mail-in form, on page one, for institutions that provide an opt-out. In response to commenters, the Agencies have added information on joint accountholders to the model form by providing a new FAQ on page two. Institutions must include the joint accountholder information in the mail-in form only when the institution allows a joint accountholder to choose whether to apply an opt-out election only to one accountholder.[171] Otherwise, that space is blank or omitted from the mail-in form.
Finally, institutions that use the mail-in opt-out form must insert the institution's mailing address either in the right-hand box or just below the mail-in form, as shown in version 3 and optional version 4 in the Appendix and as described in the Instructions to the Model Form.
J. Page Two of the Model Form
The Agencies have modified page two of the model form to streamline the information on the page and to provide flexibility for institutions to insert certain institution-specific information.
1. Frequently Asked Questions
To address the concerns about jointly-provided notices, the Agencies have added a new FAQ at the top of page two: “Who is providing this notice?” An institution may omit this FAQ only when one financial institution is providing the notice and that institution is identified in the title. The space to the right, which is limited (for reasons of space constraints) to a maximum of four (4) lines,[172] allows institutions that are jointly providing the notice to be identified.[173] This space must be used to:
Start Printed Page 629061. State the common corporate name or other readily identifiable name that is also used for the title and various headings of the model form as the “name of financial institution;” and
2. Either (a) identify the entities jointly providing the notice; or (b) for institutions with a lengthy list of entities jointly providing the notice, identify the general types of entities in the response and identify the entities [174] at the end of the form following the “Other important information” box, or, if that box is not incorporated into the form, following the “Definitions” or on an additional page. The list at the end of the form must be printed in minimum 8-point font and may appear in a multi-column format.
The Agencies have deleted the FAQ on how often consumers are provided notices on an institution's sharing practices due to space constraints.[175]
A number of commenters objected to the response to the question about how personal information is protected. Some objected to the phrase “comply with federal laws.” [176] The Agencies note that this phrase closely tracks current Sample Clause A-7 and is already widely used by many institutions. Several objected to the phrase “secured buildings and files,” preferring “physical safeguards.” [177] As explained in the Kleimann Report, the Agencies developed this text to help consumers better understand the practical meaning of physical security.[178] The Agencies have determined to retain the FAQ as proposed, with one modification. In response to commenters who asked to include more specific information,[179] such as information about cookies or online practices or limiting employee access to personal information, the Agencies are allowing institutions to add more detail, limited to describing their safeguards practices, up to a maximum of thirty (30) additional words. This doubles the space allotted for the safeguards response and provides flexibility to institutions to customize the safeguards description. The optional information must appear after the standard response for this FAQ.
A number of industry commenters objected to the inflexible nature of the description of the sources from which personal information is collected, stating that in many cases the proposed descriptions do not correlate to their practices or the practices of their particular industry.[180] As with the description of the types of information collected and shared on page one, the Agencies are providing a menu of terms from which institutions can select to fill in the bulleted lists.[181] The list is designed to include the range of information sources typically used by a variety of institutions subject to the GLB Act and the FCRA, including those in the insurance, securities, and investment advisory businesses, as well as those companies subject to FTC jurisdiction. Finally, institutions that collect information from their affiliates and/or from credit bureaus must use as the last sentence of this response: “We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.” Institutions that do not collect personal information from their affiliates or credit bureaus but do collect personal information from other companies must include the following statement: “We also collect your personal information from other companies.” Only institutions that do not collect any personal information from affiliates, credit bureaus, or other companies can omit both statements.
A number of industry commenters objected to the FAQ about limiting sharing, arguing variously that this is not required and that they should only have to include in the response those bullets that apply to their sharing practices.[182] The Agencies have determined to retain this FAQ with a revision to the bulleted list, as it helps consumers better understand what rights they have under Federal law and reinforces the message that information sharing may be limited but not stopped completely. The second bullet was revised to more closely track the provisions of the affiliate marketing rule. Finally, the Agencies have provided an optional sentence for institutions to elect to include at the end, as applicable, “See below for more on your rights under state law,” a reference to the state-specific privacy law information that an institution may include in the “Other important information” box.
As discussed earlier, a number of commenters asked how an opt-out election can be applied to joint accountholders.[183] This is addressed by a new FAQ on page two. Two optional responses are provided for institutions to use: The first states that an opt-out election by any joint accountholder will be applied to everyone on the account. The second provides that the opt-out election will be applied to everyone on the account unless the customer elects to have the opt-out apply only to him. Institutions must select one or the other as the response to this question.[184]
2. Definitions
In the final model privacy form, the definition of “everyday business purposes” has been deleted as superfluous, and the description of everyday business purposes has been consolidated in the disclosure table on page one. The other three definitions remain as proposed, with one modification.
The Agencies make the following further clarification in response to some commenters.[185] First, if an institution has no affiliates or does not share with its affiliates, it does not have to describe the categories of affiliates in this definition. Applicable responses in such conditions are, respectively: “[name of financial institution] has no affiliates” or “[name of financial institution] does not share with our affiliates.”
Similarly, if an institution does not share for joint marketing or with nonaffiliated third parties outside of the section __.14 and __.15 exceptions, applicable responses are: “[name of financial institution] doesn't jointly market” or “[name of financial institution] does not share with nonaffiliates so they can market to you.”
The Instructions have been modified with respect to an institution's sharing with its affiliates so that an institution must provide only an illustrative list of affiliates with which it shares, and not Start Printed Page 62907a complete list. As proposed, when an institution shares with nonaffiliates or with other financial institutions to do joint marketing, the institution must describe the categories of entities with which it shares.[186] While the Instructions provide illustrative examples of categories, institutions must provide examples consistent with their practices. The Instructions provide guidance on these points.[187]
3. State and International Law Provisions
To accommodate commenters' requests to incorporate state and international law provisions in the notice,[188] the Agencies have added a new optional box at the end of the final model form called “Other important information.” The size of the box is not limited (except where space constraints apply in the Online Form Builder, described below), and institutions may use a third page, as necessary, for the information in this box. To qualify for the safe harbor,[189] institutions that elect to use this box can only use it for the following: (1) information about state and/or international privacy law requirements, as applicable; or (2) an acknowledgment form to create a record of having provided the notice. Certain institutions, for example, are required to include specific affiliate sharing information for Vermont residents or to meet other requirements under California law. Some insurance commenters noted that approximately 16 states have privacy laws that require insurers to provide notice of “access and correction” rights.[190] Commenters noted that other states require disclosures about medical information.[191] Some large institutions noted that they are required to provide international law information. Such information may be included in this new box. In addition, one association commenter, representing automobile dealers, specifically requested a place on the form to allow its members to obtain signatures from customers acknowledging that they had received a copy of the notice.[192]
K. Other Issues
1. Highlighting Material Changes in Privacy Practices
We sought comment on whether the model privacy form should highlight material changes in the notice. A number of industry commenters opposed this suggestion, citing consumer confusion.[193] Some stated that the GLB Act requires revised notices when the institution's policy has changed.[194] One advocacy group supported adding an extra column to the notice table highlighting specific changes made since the previous notice.[195]
After considering these comments, the Agencies determined that the simplest way to help consumers identify how recently the notice was changed is to include a “revised [month/year]” notation in the upper right-hand corner of page one of the notice. The revised date, in minimum 8-point font, is the date the policy was last revised.[196] Of course, institutions can signal material changes in their policies by, for example, use of a cover letter that describes any changes.
2. Safe Harbor
A number of industry commenters expressed concern that the safe harbor provisions do not fully extend to the GLB Act requirements or do not extend to FCRA disclosures.[197] These commenters seek broader safe harbor treatment for the use of the model form, notwithstanding the statutory provision that use of the model form will satisfy the notice requirements of the GLB Act and the privacy rule.
The Agencies agree that the model form satisfies the requirements for the content of the notice required by the GLB Act, including sections __.6 and __.7 of the privacy rule; FCRA section 603(d) as described in section __.6 of the privacy rule; and section __.23 of the affiliate marketing rule. The Agencies note that the safe harbor applies to use of the model form, but does not and cannot extend to the institution-specific information that is inserted in the model form. Proper use of the model form to comply with the privacy rule requires that institutions accurately answer the questions about their information collection and sharing practices, as well as provide to consumers, as applicable, a reasonable means and opportunity to limit sharing and honor any opt-out requests submitted.
3. Online Form Builder
Commenters generally supported the Agencies' proposal to provide a downloadable, fillable version of the model form that institutions could use to create their own customized notice.[198] Many smaller institutions were particularly supportive, noting that it simplifies adoption and reduces their development costs.
In response, the Agencies will be providing on each of their Websites a link to an Online Form Builder accessible by any institution so that the institution can readily create a unique, customized privacy notice using the model form template. The Agencies anticipate that a temporary Online Form Builder will be available in late 2009 Start Printed Page 62908and that a more robust version will be available to institutions in late 2010.
4. Web-Based Design
Many industry and advocacy group commenters supported development of an optional Web-based design, especially as more and more consumers are engaging in online activities such as online banking.[199] Some commenters asked the Agencies to test a design for usability. Some industry commenters cautioned that the Agencies should leave this task to industry as institutions are more knowledgeable and better equipped to address such a task.[200]
The Board and FTC have agreed to jointly undertake the development through consumer research of a Web-based version of the final model form. That research work will proceed independent of this rulemaking, will be reviewed by all the other Agencies, and will be made publicly available for use by all institutions. It is anticipated that the work will be completed in late 2009.
5. Electronic Delivery
A number of commenters objected to limiting the electronic posting of the model form to a PDF format.[201] Those expressing a view stated that providing the form in HTML is more compatible with their systems and easier for consumers to download and view. The Agencies agree that institutions can provide the notice electronically in either PDF or HTML format. Where consumers agree to electronic receipt of the notice, institutions can send the notice by email either by attaching the notice or providing a link to the notice.
6. Other Comments
Some commenters asked if the model form can be adopted for other languages.[202] The Agencies believe that this would be beneficial to an institution's non-English speaking customers and note that institutions currently provide such notices, consistent with the privacy rule.
Many industry commenters wanted the flexibility to add other information to the form. For example, they asked to include information on the benefits of sharing; privacy tips and identity theft information; information about fraud prevention; and marketing.[203] Some commenters asked that additional information such as seal information be included in the model form.[204]
The Agencies considered these suggestions and decided not to permit the inclusion of additional information in the final model form. While an institution may believe this information is useful or important, we believe that the addition of such information to the model form defeats the purpose of providing a clear and usable notice about information sharing practices and consumer rights. The Agencies do not preclude an institution from providing such information in other, supplemental materials, if the institution wishes to do so.
One commenter proposed requiring institutions that use the model form to also have a longer notice that complies with the privacy rule.[205] One notice is sufficient if that notice complies with the law and the privacy rule.
Commenters also raised a number of other issues that are beyond the scope of this rulemaking. These include making the default opt-in rather than opt-out; eliminating the annual notice requirement; preempting state law requirements; and establishing an opt-out repository similar to the FTC's National “Do Not Call” Registry.[206]
IV. The Sample Clauses
As proposed, the Agencies are eliminating the Sample Clauses appended to the privacy rule along with the safe harbor or for SEC-regulated entities, guidance, currently afforded entities.[207] Many industry commenters opposed the proposal.[208] Some commenters asked that we retain certain of the Sample Clauses, such as A-1, A-3, and A-7, the use of which does not implicate an opt-out.[209] Institutions expressed concern that elimination of the Sample Clauses and corresponding safe harbor would expose them to liability.[210] A few commenters asked the Agencies to improve the current Sample Clauses as an interim measure.[211] Several institutions requested that the Agencies at a minimum provide for a transition period that is longer than one year, if the Agencies determine to eliminate the Sample Clauses.[212]
Notwithstanding these comments, the Agencies are eliminating the Sample Clauses and related safe harbor (or guidance) from the privacy rule, following a transition period of one year.[213] The initial public and media complaints about the incomprehensibility of the privacy notices,[214] the plain language experts' guidance at the Get Noticed Workshop, Start Printed Page 62909and the launch of this Notice Project all examined the problems with institutions' privacy notices, including their extensive use of the Sample Clauses, and the need to develop a usable consumer notice. These same factors led the Agencies to propose eliminating the Sample Clauses. One commenter agreed that the research showed the clauses “were found wanting.” [215] An association whose members generally found the model form to be more consumer-friendly than the Sample Clauses asked only that the Agencies provide a sufficient transition period before eliminating the Sample Clauses.[216]
In addition, the quantitative testing supports the Agencies' proposal to eliminate the Sample Clauses and related safe harbor. The Levy-Hastak Report confirms that a notice composed solely of the Sample Clauses promotes ease of scanning to perform simple tasks—because the notice is short and not because it is understandable—but the Sample Clauses do not do well on comprehension measures. Moreover, the testing showed that current notices—in which the Sample Clauses are typically embedded—do poorly on all measures.
The Levy-Hastak Report examined the results when study participants were asked to choose between two banks based solely on the content of the notice and to give reason(s) why they selected a particular bank. Participants who saw the Sample Clause Notice were more likely to select the higher sharing bank because it offered an opt-out.[217] When these participants were matched with their general attitudinal preferences toward sharing, the Levy-Hastak Report found that they generally favored less sharing.[218] According to the Levy-Hastak Report, the data suggested that study participants who gave as the reason for their choice the availability of opt-outs “may have mistakenly believed that this would lead them to choosing a lower sharing bank.” [219] In other words, participants who saw the Sample Clause Notice and selected the higher sharing bank because it offered opt-outs did not understand that a bank offering no opt-out did so because it shared less. This finding confirmed reports by small institutions.[220]
Further, the NAIC Study,[221] conducted in March 2005, examined several different insurance disclosure forms with participants in three focus groups. One was a generic form based on the sample clauses adopted in the NAIC Model Privacy Rule and similar in content to the Sample Clause Notice used in the Agencies' quantitative testing. The NAIC Study highlighted a key finding that is consistent with the Agencies' research findings. Among the study participants, there was general misunderstanding of and concern about the language in the form, in particular the phrase “as permitted by law” found in Sample Clause A-3. Participants in all three focus groups asked: (1) What does this phrase mean?; (2) what is the law and what does it permit?; and (3) what if the law changes? Participants who viewed this form did not know what to do with it and wanted some way to contact the company to get answers to their questions.
Also, in the development of the model form, Kleimann found that consumers did not understand the language in Sample Clause A-7 regarding the safeguarding of personal information. Through consumer testing, the description was revised to improve consumer comprehension.
Finally, while many smaller institutions are most likely to engage in limited sharing and so would rely on the three Sample Clauses, A-1, A-3, and A-7, many of these institutions support the model form. They have stated that such a form would make it easier for them to demonstrate that they are less likely to share personal information, and it would allow for easier comparison of their sharing practices with those of other institutions.[222] One large association commented that an informal survey of its community bank members found that “many are likely to use the model forms” and that “[m]ost found the new forms more consumer-friendly than the existing sample clauses.” [223]
To ease the compliance burden for those institutions that currently have privacy notices based on the Sample Clauses, the Agencies are implementing a transition period that begins thirty (30) days after the date of publication and ends on December 31, 2010. Financial institutions will not be able to rely on the safe harbor by using the Sample Clauses in notices delivered or posted on or after January 1, 2011.[224] Privacy notices using the Sample Clauses that are delivered to consumers (either in paper form or by electronic delivery such as e-mail) or, alternatively, are posted electronically to meet the annual notice requirement of section _.9(c) during the transition period, will have a safe harbor for one year after delivery or posting. Privacy notices using the Sample Clauses that are delivered or posted electronically after the transition period will not be eligible for a safe harbor. Since institutions are required to send notices annually to their customers, they may continue to rely on the safe harbor for annual notices that are delivered to consumers (either in paper form or by electronic delivery such as e-mail) within the transition period until the next annual privacy notice is due one year later.[225] The Sample Clauses will be removed from codification one year after the transition period ends. The SEC, whose privacy rule provides only guidance and not a safe harbor for financial institutions that use the Sample Clauses, will also remove the Sample Clauses from codification one year after the transition period ends.[226]
While the final model form would provide a legal safe harbor, institutions could continue to use other types of notices that vary from the model form, including notices that use the Sample Clauses, so long as these notices comply with the privacy rule.
The Agencies are also amending section _.6(b) of the privacy rule. The FTC is deleting the second sentence of section 313.6(b) and substituting the following new sentence, based on the model form research: “When describing the categories with respect to those Start Printed Page 62910parties, it is sufficient to state that you make disclosures to other nonaffiliated companies for your everyday business purposes, such as to process transactions, maintain account(s), respond to court orders and legal investigations, and report to credit bureaus.” The remaining Agencies (Board, CFTC, FDIC, NCUA, OCC, OTS, and SEC) are revising the second sentence of section _.6(b) to read as follows, based in part on the model form research: “When describing the categories with respect to those parties, it is sufficient to state that you make disclosures to other nonaffiliated companies: (1) For your everyday business purposes, such as [include all that apply] to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus; or (2) As permitted by law.” [227]
V. Effective Date
The Agencies proposed that most of the provisions of the final rule would take effect on the date of publication.[228] That approach would have allowed institutions that chose to use the model privacy form to receive the safe harbor for doing so immediately upon its publication. The Agencies received no comments on providing an immediate effective date for this portion of the rule. The only comments the Agencies received concerning the effective date of the rule pertained to removal of the Sample Clauses and related Appendix, as discussed in section IV.
The final rule makes most of the provisions effective 30 days after publication. This approach allows institutions to receive, with only a minimal delay, a safe harbor for using the model privacy form and the additional, alternative language that may be used to comply with section _.6(b) of the privacy rule. The Agencies believe that few, if any, institutions would choose to implement those changes in fewer than 30 days. The 30-day delay will give institutions and the Agencies time to implement the changes properly.
VI. Final Regulatory Flexibility Analysis
The Regulatory Flexibility Act (“RFA”) [229] requires the Agencies to provide an Initial Regulatory Flexibility Analysis (“IRFA”) with a proposed rule and a Final Regulatory Flexibility Analysis (“FRFA”) with a final rule, unless the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities. See 5 U.S.C. 603-605. An IRFA was published by the Agencies in their March 20, 2007, Proposed Rule regarding amendments to the rules implementing the privacy provisions of the GLB Act. The Agencies have prepared the following FRFA in accordance with 5 U.S.C. 604.
A. Need For and Objectives of Rule Amendments
The goal of the rule amendments is to satisfy the requirements of section 728 of the Regulatory Relief Act, which requires that the Agencies develop a model form that is comprehensible, clear and conspicuous, and succinct. The Act also requires that the model form enable consumers to easily identify a financial institution's sharing practices and compare those practices with others. The model form that the Agencies are adopting today will, if properly used, serve as a safe harbor for satisfying the privacy rules' requirements regarding content of privacy notices.
As indicated in section I of the preamble to this final rule, the amendments to Appendix A of the Agencies' privacy rules are adopted pursuant to the authority set forth in § 503 (as amended by section 728 of the Regulatory Relief Act) and § 504 of the GLB Act.[230]
B. Significant Issues Raised by Public Comment
The Agencies requested comments on the IRFA. We specifically requested comments on the number of small entities that would be affected by the rules' amendments, the existence or nature of the impact of the amendments on small entities, how to quantify the impact of the amendments, and possible alternatives to the amendments. Commenters were also asked whether a downloadable version of the model form would be useful for financial institutions, particularly small entities that would like to take advantage of the proposed safe harbor.
Only one commenter directly addressed the IRFA.[231] That commenter disagreed with the Agencies' analysis that some financial institutions that may wish to transition to the proposed model form might incur some small incremental costs in making the transition, but did not provide any explanation of why the analysis is incorrect or estimates regarding logistical costs that the commenter asserted would be significant. Several associations whose members include small entities, however, expressed support for the objectives of the proposed model notice.[232] In addition, one association (many of whose members are small entities) found that many of its members that participated in an informal survey are likely to use the model forms and most found the forms more consumer-friendly than the Sample Clauses.[233] Some commenters suggested that the model form is oriented to large, multi-affiliate financial institutions and does not accommodate smaller institutions.[234] These commenters stated that the information collection policies described in the model form accurately reflect the practices of certain large financial institutions but are misleading to the extent they are beyond the scope of smaller financial institutions that do not offer banking-related products and services. In response to these and similar comments, the Agencies have revised the model form to allow financial institutions to select from a menu of specific disclosures to customize the descriptions of their information collection policies.[235]
Several commenters also requested that the Agencies retain the safe harbor regarding the Sample Clauses, noting that many small entities' privacy notices currently incorporate the Sample Clauses. One commenter explained that it would be burdensome and unnecessary for small entities to change their privacy notices, especially small entities that do not share personal information other than to service their clients' accounts.[236] Another Start Printed Page 62911commenter argued that elimination of the safe harbor for the Sample Clauses would transform the model form from an optional elective to a burdensome regulatory requirement, particularly for small entities.[237] We note, however, that the research found that there was general misunderstanding of and concern among consumers about language in the notice based on the Sample Clauses.[238] Nevertheless, partly in response to these comments, the Agencies are allowing financial institutions one year in which they can continue to rely on the Sample Clauses for safe harbor or guidance when providing notices. In addition, as noted above, while the Agencies are eliminating the Sample Clauses and related safe harbor (or, for the SEC, guidance), institutions may continue to use notices containing these clauses, so long as these notices comply with the privacy rule.
Finally, we received a limited number of comments indicating that a downloadable fillable model form may be helpful, especially to small entities.[239] In response to these comments, the Agencies will make available an Online Form Builder. We expect the availability of this form will, in part, minimize the burden on small businesses of developing, using, and customizing the model form for their individual needs.
C. Small Entities Subject to the Rules
The amendments to Appendix A and conforming amendments to sections __.2, __.6, and __.7 of the Agencies' privacy rules may potentially affect financial institutions, including financial institutions that are small businesses or small organizations, that choose to rely on the model privacy form as a safe harbor.
1. OCC. The OCC estimates that 690 insured national banks, uninsured national banks and trust companies, and foreign branches and agencies are small entities for purpose of the RFA.
2. Board. The Board estimates that 432 state member banks are small entities for purposes of the RFA.
3. FDIC. The FDIC estimates that 3115 state nonmember banks are small entities for purposes of the RFA.
4. OTS. The OTS estimates that 377 small savings associations are small entities for purposes of the RFA.
5. NCUA. The RFA requires NCUA to prepare an analysis to describe any significant economic impact a regulation may have on a substantial number of small credit unions (primarily those under $10 million in assets). The NCUA estimates that 3,168 federally-insured, state-chartered credit unions are small entities for purposes of the RFA.
6. FTC. Determining a precise estimate of the number of small entities that are financial institutions within the meaning of the rule is not readily feasible. The GLB Act does not identify for purposes of the Commission's jurisdiction any specific category of financial institution. In the absence of such information, there is no way to estimate precisely the number of affected entities that share nonpublic personal information with nonaffiliated third parties or that establish customer relationships with consumers and therefore assume greater disclosure obligations.
7. CFTC. Section 5g of the CEA, 7 U.S.C. 7b-2, provides that any futures commission merchant, commodity trading advisor, commodity pool operator, or introducing broker that is subject to the jurisdiction of the CFTC with respect to any financial activity, shall be treated as a financial institution for purposes of Title V of the GLB Act, regardless of size and including commodity trading advisors and commodity pool operators that are exempt from the CEA's registration requirements. The CFTC has previously established certain definitions of “small entities” and determined that futures commission merchants and commodity pool operators are not small for purposes of the Regulatory Flexibility Act. Policy Statement and Establishment of Definitions of “Small Entities,” 47 FR 18,618 (Apr. 30, 1982). This rule applies to commodity trading advisors and introducing brokers of all sizes. Because use of the model privacy form is voluntary, and because its use is a form of substituted compliance with Part 160 and not a new mandatory burden, CFTC believes that the rule will not have a significant economic impact on a substantial number of small entities.
8. SEC. The SEC estimates that 915 broker-dealers, 212 investment companies registered with the Commission, and 781 investment advisers registered with the Commission are small entities for purposes of the RFA.[240]
Because use of the model privacy form will be entirely voluntary, the Agencies cannot estimate how many small financial institutions will use it. The Agencies expect, however, that small financial institutions, particularly those that do not have permanent staff available to address compliance matters associated with the privacy rules, will be relatively more likely to rely on the model privacy form than larger institutions. We believe that most financial institutions currently have legal counsel review their privacy notices for compliance with the GLB Act, the FCRA, and the privacy rules. We anticipate that a financial institution that uses the model form for its privacy notice will need little review by legal counsel because the rules do not permit institutions to vary the form if they wish to obtain the benefit of a safe harbor, except as necessary within narrow parameters to identify their information collection, sharing, and opt-out policies. Finally, the Agencies are providing an Online Form Builder that will enable institutions to directly create a customized model form and thus will facilitate compliance.
D. Reporting, Recordkeeping, and Other Compliance Requirements
The amendments to the privacy rules do not impose any additional recordkeeping, reporting, disclosure, or compliance requirements. Financial institutions, including small entities, have been required to provide notice to consumers about the institution's privacy policies and practices since July 1, 2001 (or March 31, 2002, in the case of the CFTC). The amendments adopted today will not affect these requirements and financial institutions will be under no obligation to modify their current Start Printed Page 62912privacy notices as a result of the amendments. Instead, the amendments provide a specific model privacy form that a financial institution may use to comply with notice requirements under the GLB Act, the FCRA (as amended by the FACT Act), and the privacy rules.
Nonetheless, some of the financial institutions that rely on the Sample Clauses in the current privacy rules' appendixes may wish to transition to the model form and may incur some additional costs in making this transition.[241] The Agencies expect, however, that the availability of a standardized model form will minimize these costs because the form's standardized formatting and language will make it easier for institutions to prepare and revise their privacy notices.
E. Action by the Agencies To Minimize Effects on Small Entities
The RFA directs the Agencies to consider significant alternatives that would accomplish the stated objectives, while minimizing any significant adverse impact on small entities. In connection with the amendments, we considered the following alternatives:
1. Different reporting or compliance standards. As noted above, the Regulatory Relief Act requires the Agencies to develop “a” model form that, among other things, will facilitate comparison of the information sharing practices of different financial institutions. In light of these statutory requirements, the Agencies are adopting only one model form, which includes alternative language in some places that allows a financial institution to describe its particular information collection and sharing practices. The specific model form that the Agencies are adopting today was developed as part of a careful and thorough consumer testing process designed to produce a clear, comprehensible, and comparable notice. The model form emerged as the most effective of several notice formats considered as part of this testing.
2. Clarification, consolidation, or simplification of reporting and compliance requirements. The Agencies believe that the model form will simplify the reporting requirements for all entities, including small entities, that choose to use the model form. We anticipate that financial institutions that choose to use the model form will spend less time preparing notices than if they had to draft one on their own. Because the model form was developed as part of a consumer testing process, further clarifying, consolidating, or simplifying the model notice would compromise the research findings.
3. Performance rather than design standards. Section 728 of the Regulatory Relief Act specifically requires that the Agencies develop a model form. The model form is an alternative means of providing a privacy notice that institutions may choose to use. The privacy rules do not mandate the format of privacy notices; thus, neither the privacy rules nor the amendments impose a design standard.
4. Exempting small entities. We believe that an exemption for small entities would not be appropriate or desirable. The Agencies note that the model form is available for use at the discretion of all financial institutions, including small institutions. Moreover, two key objectives of the model form are that (1) consumers can understand an institution's information sharing practices and (2) they may more easily compare financial institutions' sharing practices and policies across privacy notices. An exemption for small entities would directly conflict with both of these key objectives, particularly that of enabling comparison across notices.
VII. Paperwork Reduction Act
The final privacy rules governing the privacy of consumer financial information contain disclosures that are considered collections of information under the Paperwork Reduction Act (PRA).[242] Before the Agencies issued their privacy rules, they obtained approval from OMB for the collections. OMB control numbers for the collections appear below. The amendments adopted today do not introduce any new collections of information into the Agencies' privacy rules, nor do they amend the rules in a way that substantively modifies the collections of information that OMB has approved. Therefore, no PRA submissions to OMB are required.
OCC: Control number 1557-0216.
Board: Control number 7100-0294.
FDIC: Control number 3064-0136.
OTS: Control number 1550-0103.
NCUA: Control number 3133-0163.
FTC: Control number 3084-0121.
SEC: Control number 3235-0537.
CFTC: Control number 3038-0055.
VIII. OCC and OTS Executive Order 12866 Determination
The OCC and OTS have determined that their respective portions of the final rule are not a significant regulatory action under Executive Order 12866. We have concluded that the changes made by this rule will not have an annual effect on the economy of $100 million or more, and does not meet any of the other standards for a significant action set forth in E.O. 12866.
IX. OCC and OTS Executive Order 13132 Determination
The OCC and OTS have determined that their respective portions of the final rule do not have any federalism implications, as required by Executive Order 13132.
X. OCC and OTS Unfunded Mandates Reform Act of 1995 Determination
Section 202 of the Unfunded Mandates Reform Act of 1995, Public Law 104-4 (UMRA), requires that an agency prepare a budgetary impact statement before promulgating a rule that includes a Federal mandate that may result in the expenditure by State, local, and tribal governments, in the aggregate, or by the private sector of $100 million or more (adjusted annually for inflation) in any one year. The inflation adjusted threshold is $133 million or more. If a budgetary impact statement is required, section 205 of the UMRA also requires an agency to identify and consider a reasonable number of regulatory alternatives before promulgating a rule. The OCC and OTS have each determined that their respective portions of the final rule will not result in expenditures by State, local, and tribal governments, in the aggregate, or by the private sector, of $133 million or more in any one year. Accordingly, the final rule is not subject to section 202 of the UMRA.
XI. SEC Cost-Benefit Analysis
The SEC is sensitive to the costs and benefits imposed by its rules. As discussed above, the amendments the Agencies are adopting today will replace the Sample Clauses included as guidance in Regulation S-P's Appendix A (17 CFR part 248, appendix A) with a model privacy form that financial institutions can choose to provide to consumers. The amendments are designed to implement section 728 of the Regulatory Relief Act. This Act directs the Agencies to “jointly develop a model form which may be used, at the option of the financial institution, for the provision of disclosures under [section 503 of the GLB Act].”
The SEC identified certain costs and benefits arising from these amendments and requested comments on all aspects of the associated cost-benefit analysis, including identification and assessment of any costs and benefits not discussed Start Printed Page 62913in the analysis. The SEC also sought comments on the accuracy of its cost and benefit estimates and requested commenters to identify, discuss, analyze, and supply relevant data that would allow the SEC to improve its estimates. Finally, the SEC requested comments regarding the potential impact of the proposals on the U.S. economy on an annual basis.
A. Benefits
The goal of the rules is to satisfy the requirements of section 728 of the Regulatory Relief Act, which requires that the Agencies develop a model form that is comprehensible, clear and conspicuous, and succinct. The Act also requires that the model form enable consumers easily to identify a financial institution's sharing practices and compare those practices with others. The model form that the Agencies are adopting today will, if properly used, serve as a safe harbor for satisfying the privacy rule's requirements regarding the content of privacy notices.
The SEC requested comments on all aspects of the benefits of the amendments as proposed. The SEC requested specific comments on available metrics to quantify these benefits and any other benefits commenters could identify, and requested commenters to identify sources of empirical data that could be used for such metrics. The SEC did not receive any comments in response to these requests.
Use of the model form is voluntary, so a financial institution can determine for itself its costs and benefits in deciding whether using the model form would be suitable for its business and customers. However, new financial institutions will likely benefit from using the model privacy form because of the savings in time and resources that would otherwise be spent developing their own notices.
The SEC also anticipates that financial institutions regulated by the SEC may benefit from the model privacy form's standardized formatting and language. The SEC believes that institutions currently review their Regulation S-P privacy policies annually. To the extent that these institutions are required to change their policies to reflect changes in their privacy practices, they may find it easier to use the model privacy form rather than revise their existing notices.
Similarly, the SEC expects that revisions to an institution's privacy policies will be easier to record in the model form's standardized format. The SEC also anticipates that a financial institution that chooses to use the model notice will need little, if any, ongoing review by legal counsel because an institution cannot vary the form except within stated parameters as necessary to identify certain specific information collection, sharing, and opt-out policies.
Before today's amendments, Appendix A of Regulation S-P contained Sample Clauses that the SEC interpreted as providing guidance, as opposed to a legal safe harbor. Institutions will therefore benefit from the certainty that proper use of the model notice entitles them to a safe harbor for disclosures required under the GLB Act and FCRA.[243]
Consumers should also benefit from the model form through increased comprehension of and enhanced comparability among privacy policies. The model form was developed in an extensive consumer research testing process that sought to maximize consumers' ability to comprehend, use, and compare privacy notices. The model form emerged as the most effective of several notice formats considered as part of this testing. The SEC therefore anticipates that if financial institutions make widespread use of the model form, consumers' comprehension and their ability to use and compare privacy policies will be enhanced. Institutions also might benefit from consumers' enhanced ability to understand and use the notices to the extent that consumers have more trust and confidence in an institution's privacy policies because the consumers understand those policies.
B. Costs
Since the model form is optional, the SEC cannot estimate the number of institutions that will adopt it. Accordingly, we cannot estimate total overall costs to use the model form by broker-dealers, investment advisers registered with the SEC, and investment companies that may use the model form. However, in the Proposed Rule, the SEC provided estimates of certain types of costs that could result from the proposed amendments.
The SEC also sought comments on its cost estimates and the assumptions behind the estimates, as well as whether any of those costs would differ if the form were downloadable from a Web site. The majority of the comments we received predicted significant cost increases in preparation, distribution, and processing of privacy notices. Many commenters noted that the prohibition on double-sided printing and requirement of a separate third page for mail-in opt-outs, if any, would greatly increase printing costs and would result in significant environmental waste due to increased paper usage.[244] Numerous commenters also raised concerns that the 81/2; x 11-inch paper size requirement, coupled with the prohibition on incorporation of the model notice into other documents, essentially mandated a separate mailing for the model notice.[245] Commenters concluded that separate mailing of privacy notices would result in significant postage costs and increase the likelihood that consumers would misplace or fail to read the notice because it no longer accompanied important documents.[246] Several commenters suggested that these costs could result in lowered adoption rates for the model form.[247] Based on these comments, the Agencies have revised the amendments to allow for double-sided printing and incorporation of the mail-in opt-out on the bottom of the first page, waiver of a mandatory 81/2 x 11-inch paper size, and incorporation of the model notice into other documents. We believe these accommodations will result in greatly reducing the implementation costs commenters associated with adopting the model form.
We do not expect that financial institutions will incur additional disclosure costs in using the model privacy form because the notice requirements of Regulation S-P have been effective since July 1, 2001, and are not altered by the amendments. Moreover, financial institutions will be Start Printed Page 62914under no obligation to adopt the model form or modify their current privacy notices. Presumably, financial institutions will not adopt the model form without first determining that associated costs are justified by the benefits.
We anticipate that financial institutions that elect to use the model privacy form could incur some small, incremental developmental costs in making the transition from their current notices to the model form. These costs could include staff time to review the model form and its instructions and complete the model form. We expect these will be minimal because the language and format in the form are standardized and financial institutions can only customize very limited sections of the model privacy form. Institution-specific information is limited to contact information, selection from a menu of terms relating to information collection, “yes” or “no” answers and brief descriptions, as necessary, of the types of entities with which the institution shares personal information. Furthermore, the model form can be downloaded from a Web site so preparation costs should be minimal.
Similarly, we believe that a financial institution that adopts the model privacy form would need little, if any, initial or annual review by legal counsel because almost all the disclosures in the form are already mandated under the current disclosure regime. One commenter disagreed and suggested that legal counsel at each financial institution will spend at least 50 hours initially and annually ensuring that the model form accurately reflects the institution's privacy practices.[248] These estimates seem high because institutions already know their information collection and sharing practices and there is very little discretion the institution has in choosing from among a menu of terms to disclose that information on the model form. Even if those estimates are accurate, however, we believe that those legal costs would likely have been incurred with respect to any model form unless it conformed exactly to the institution's current form.
Transition costs may also include administrative, logistical, and training costs. For example, several commenters highlighted one-time costs stemming from rewriting notices, republishing brochures or notices, and revising or reprinting documents that incorporate current notices.[249] We anticipate these costs will be minimal, if any, in part because the Agencies are allowing financial institutions a transition period of one year during which they can continue to rely on the Sample Clauses for safe harbor or guidance. Although an institution may choose to replace a current privacy notice with a model privacy notice, this should not require substantial rewriting because there are few drafting choices in the model form. In addition, the SEC believes it is unlikely that many financial institutions have stockpiles of more than one year's worth of privacy notices or documents that incorporate privacy notices on hand for distribution. Several commenters also raised concerns regarding increased customer service demands and the necessity for financial institutions to proactively take steps to address customer confusion. For example, one commenter noted that financial institutions would face one-time costs associated with revising or preparing explanatory material for training employees regarding the model form, such as scripts and responses for call centers.[250] Since the amendments do not affect Regulation S-P's substantive requirements, we anticipate that any substantive questions about the institutions' privacy practices should already be addressed by existing explanatory materials. We anticipate any new explanatory material will be limited to questions regarding the revised format of the model form, which due to its standardized nature should be relatively simple to address.
Insofar as the Sample Clauses in current Regulation S-P may have some value to some financial institutions, their phase-out under the amendments to the rules may create some costs to those institutions. However, we expect those costs to be minimal. As discussed above, the Agencies are giving financial institutions a transition period of one year during which they can continue to rely on the Sample Clauses for guidance or a safe harbor, which should allow time to minimize the transition costs for any institutions that adopt the model privacy form. Moreover, as noted above, elimination of the Sample Clauses as guidance does not mean that institutions that continue to use these clauses are in violation of the SEC's privacy rule. Institutions may continue to use notices containing these clauses so long as these notices comply with the privacy rule.
Lastly, customers may experience certain costs associated with adoption of the model form. Several commenters suggested that the model form sacrifices greater consumer understanding about information sharing practices in exchange for a simplified notice format.[251] Another commenter speculated that adoption of the model form would result in customer confusion and potential loss of customer trust due to the misimpression that financial institutions are changing their privacy policies.[252] One commenter concluded that consumer confusion resulting from overly simplified disclosures would lead to unacceptably high opt-out rates and discourage use of the model form by financial institutions.[253] As discussed above, the model form was developed in an extensive consumer research testing process that sought to maximize consumers' ability to comprehend, use, and compare privacy notices. The model form emerged as the most effective of several notice formats considered as part of this testing. Consequently, the SEC believes that any customer confusion that results from adoption of the model form will be minimal. Furthermore, we expect that any such confusion will be rapidly dissipated if financial institutions make widespread use of the model privacy form and consumers become more familiar with its contents.
Although the SEC cannot determine aggregate costs because of the unknown number of financial institutions that will adopt the model form, we expect each financial institution choosing to adopt the model form to incur minimal, if any, costs. As discussed above, we do not anticipate that financial institutions will incur additional disclosure costs in using the model privacy form because the substantive notice requirements of Regulation S-P have been effective since July 1, 2001, and are not altered by the amendments. We expect notice development and transition costs to be minimal because the language and format in the model form are standardized and financial institutions can only customize a few sections of the model form by selecting from among a menu of specific terms. Furthermore, the model form can be downloaded from a Web site so preparation costs should be minimal. Moreover, the Agencies are giving financial Start Printed Page 62915institutions one year in which they can continue to rely on the Sample Clauses for safe harbor or guidance, which should allow time to minimize the transition costs for any institution that adopts the model privacy form.
Similarly, the SEC expects any aggregate costs to consumers that may result from adoption of the model form to be minimal, if any. As discussed above, the model form emerged as the most effective of several notice formats in an extensive consumer research testing process that sought to maximize consumers' ability to comprehend, use, and compare privacy notices. We anticipate that any initial costs to consumers in the form of confusion or reduced understanding will be short-lived as increasing numbers of financial institutions use the model privacy form and consumers become more familiar with its contents and can use the form to compare notices more easily.
XII. SEC Consideration of Burden on Competition
Securities Exchange Act Section 23(a)(2) requires the SEC, in adopting rules under that Act, to consider the impact that any such rule will have on competition.[254] Section 23(a)(2) also prohibits the SEC from adopting any rule that will impose a burden on competition not necessary or appropriate in furtherance of the purposes of the Securities Exchange Act.
As discussed above, the amendments to Regulation S-P, including the model form, are designed to comply with section 728 of the Regulatory Relief Act, mandating that the Agencies develop a model form that is comprehensible, clear and conspicuous, and succinct. SEC-regulated institutions will be able to use the model form in order to comply with the notice requirements under the GLB Act, the FCRA, and Regulation S-P.
The SEC does not expect the amendments to have a significant impact on competition. Use of the model form will be voluntary, permitting a financial institution to determine whether using the model form will enhance its competitive position. All brokers and dealers, investment companies, and registered investment advisers will be able to use the model form and take advantage of the safe harbor. Other financial institutions will be able to use the form and take advantage of the safe harbor under comparable rules adopted by the other Agencies. Under the Regulatory Relief Act, the Agencies have worked in consultation in order to ensure the consistency and comparability of the amendments. Therefore, all financial institutions will have the same opportunity to use the model form and rely on the safe harbor.
Further, if financial institutions choose to use the model form, the amendments could promote competition by enabling consumers more easily to understand and compare competing institutions' privacy policies. The SEC also anticipates that the model form's standardized formatting may reduce the relative burden of compliance on smaller financial institutions, allowing them to compete more effectively with larger institutions that are more likely to have a dedicated compliance staff. As such, the SEC expects any impact on competition caused by the amendments would not be significant.
XIII. NCUA: The Treasury and General Government Appropriations Act, 1999-Assessment of Federal Regulations and Policies on Families
The NCUA has determined that this rule will not affect family well-being within the meaning of section 654 of the Treasury and General Government Appropriations Act, 1999, Public Law 105-277, 112 Stat. 2681 (1998).
XIV. CFTC Cost-Benefit Analysis
Section 15 of the Commodity Exchange Act requires the CFTC to consider the costs and benefits of its action before issuing a new regulation under the Act. The CFTC understands that, by its terms, section 15 does not require the CFTC to quantify the costs and benefits of a new regulation or to determine whether the benefits of the regulation outweigh its costs. Nor does it require that each rule be analyzed piecemeal or in isolation when that rule is a component of a larger package of rules or rule revisions. Rather, section 15 simply requires the CFTC to “consider the costs and benefits” of its action.
Section 15 further specifies that costs and benefits shall be evaluated in light of five broad areas of market and public concern: Protection of market participants and the public; efficiency, competitiveness, and financial integrity of futures markets; price discovery; sound risk management practices; and other public interest considerations. Accordingly, the CFTC could in its discretion give greater weight to any one of the five enumerated areas of concern and could in its discretion determine that, notwithstanding its costs, a particular rule was necessary or appropriate to protect the public interest or to effectuate any of the provisions or to accomplish any of the purposes of the Act.
The CFTC has considered the costs and benefits of the model form as a totality. The form provides a non-mandatory means of complying with existing requirements of the privacy provisions of the GLB Act and section 5g of the CEA, and thus imposes no mandatory new costs. The CFTC believes that the model form should benefit futures industry consumer customers in better understanding a financial institution's privacy policies, and may facilitate customers in comparing the privacy policies of financial institutions.
Start List of SubjectsList of Subjects
12 CFR Part 40
- Banks, banking
- Consumer protection
- National banks
- Privacy
- Reporting and recordkeeping requirements
12 CFR Part 216
- Banks, banking
- Consumer protection
- Foreign banking
- Holding companies
- Privacy
- Reporting and recordkeeping requirements
12 CFR Part 332
- Banks, banking
- Consumer protection
- Foreign banking
- Privacy
- Reporting and recordkeeping requirements
12 CFR Part 573
- Consumer protection
- Privacy
- Reporting and recordkeeping requirements
- Savings associations
12 CFR Part 716
- Consumer protection
- Credit unions
- Privacy
- Reporting and recordkeeping requirements
16 CFR Part 313
- Consumer protection
- Credit
- Privacy
- Reporting and recordkeeping requirements
- Trade practices
17 CFR Part 160
- Brokers
- Consumer protection
- Privacy
- Reporting and recordkeeping requirements
17 CFR Part 248
- Brokers
- Consumer protection
- Investment companies
- Privacy
- Reporting and recordkeeping requirements
- Securities
DEPARTMENT OF THE TREASURY
Office of the Comptroller of the Currency
12 CFR Chapter I
Authority and Issuance
Start Amendment PartFor the reasons set forth in the joint preamble, part 40 of chapter I of title 12 of the Code of Federal Regulations is amended as follows:
End Amendment Part Start PartPART 40—PRIVACY OF CONSUMER FINANCIAL INFORMATION
End Part Start Amendment Part1. The authority citation for part 40 continues to read as follows:
End Amendment Part Start Amendment Part2. Revise § 40.2 to read as follows:
End Amendment PartModel privacy form and examples.(a) Model privacy form. Use of the model privacy form in Appendix A of this part, consistent with the instructions in Appendix A, constitutes compliance with the notice content requirements of §§ 40.6 and 40.7 of this part, although use of the model privacy form is not required.
(b) Examples. The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part.
3. In § 40.6:
End Amendment Part Start Amendment PartA. Revise paragraphs (b) and (f), and add paragraph (g) to read as set forth below.
End Amendment Part Start Amendment PartB. Effective January 1, 2012, remove paragraph (g).
End Amendment PartInformation to be included in privacy notices.* * * * *(b) Description of nonaffiliated third parties subject to exceptions. If you disclose nonpublic personal information to third parties as authorized under §§ 40.14 and 40.15, you are not required to list those exceptions in the initial or annual privacy notices required by §§ 40.4 and 40.5. When describing the categories with respect to those parties, it is sufficient to state that you make disclosures to other nonaffiliated companies:
(1) For your everyday business purposes, such as [include all that apply] to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus; or
(2) As permitted by law.
* * * * *(f) Model privacy form. Pursuant to § 40.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part.
(g) Sample clauses. Sample clauses illustrating some of the notice content required by this section are included in Appendix B of this part. Use of a sample clause in a privacy notice provided on or before December 31, 2010, to the extent applicable, constitutes compliance with this part.
4. In § 40.7, add paragraph (i) to read as follows:
End Amendment PartForm of opt-out notice to consumers; opt-out methods.* * * * *(i) Model privacy form. Pursuant to § 40.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part.
Appendix A [Redesignated as Appendix B]
5. Redesignate Appendix A to part 40 as Appendix B to part 40.
End Amendment Part Start Amendment Part6. Add new Appendix A to part 40 to read as follows:
End Amendment PartAppendix A to Part 40—Model Privacy Form
A. The Model Privacy Form
Start Printed Page 62917 Start Printed Page 62918 Start Printed Page 62919 Start Printed Page 62920 Start Printed Page 62921 Start Printed Page 62922 Start Printed Page 62923B. General Instructions
1. How the Model Privacy Form Is Used
(a) The model form may be used, at the option of a financial institution, including a group of financial institutions that use a common privacy notice, to meet the content requirements of the privacy notice and opt-out notice set forth in §§ 40.6 and 40.7 of this part.
(b) The model form is a standardized form, including page layout, content, format, style, pagination, and shading. Institutions seeking to obtain the safe harbor through use of the model form may modify it only as described in these Instructions.
(c) Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681-1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.
(d) The word “customer” may be replaced by the word “member” whenever it appears in the model form, as appropriate.
2. The Contents of the Model Privacy Form
The model form consists of two pages, which may be printed on both sides of a single sheet of paper, or may appear on two separate pages. Where an institution provides a long list of institutions at the end of the model form in accordance with Instruction C.3(a)(1), or provides additional information in accordance with Instruction C.3(c), and such list or additional information exceeds the space available on page two of the model form, such list or additional information may extend to a third page.
(a) Page One. The first page consists of the following components:
(1) Date last revised (upper right-hand corner).
(2) Title.
(3) Key frame (Why?, What?, How?).
(4) Disclosure table (“Reasons we can share your personal information”).
(5) “To limit our sharing” box, as needed, for the financial institution's opt-out information.
(6) “Questions” box, for customer service contact information.
(7) Mail-in opt-out form, as needed.
(b) Page Two. The second page consists of the following components:
(1) Heading (Page 2).
(2) Frequently Asked Questions (“Who we are” and “What we do”).
(3) Definitions.
(4) “Other important information” box, as needed.
3. The Format of the Model Privacy Form
The format of the model form may be modified only as described below.
(a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. While a number of factors together produce easily readable type font, institutions are required to use a minimum of 10-point font (unless otherwise expressly permitted in these Instructions) and sufficient spacing between the lines of type.
(b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page.
(c) Page size and orientation. Each page of the model form must be printed on paper in portrait orientation, the size of which must be sufficient to meet the layout and minimum font size requirements, with sufficient white space on the top, bottom, and sides of the content.
(d) Color. The model form must be printed on white or light color paper (such as cream) with black or other contrasting ink color. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract from the readability of the model form. Logos may also be printed in color.
(e) Languages. The model form may be translated into languages other than English.
C. Information Required in the Model Privacy Form
The information in the model form may be modified only as described below:
1. Name of the Institution or Group of Affiliated Institutions Providing the Notice
Insert the name of the financial institution providing the notice or a common identity of affiliated institutions jointly providing the notice on the form wherever [name of financial institution] appears.
2. Page One
(a) Last revised date. The financial institution must insert in the upper right-hand corner the date on which the notice was last revised. The information shall appear in minimum 8-point font as “rev. [month/year]” using either the name or number of the month, such as “rev. July 2009” or “rev. 7/09”.
(b) General instructions for the “What?” box.
(1) The bulleted list identifies the types of personal information that the institution collects and shares. All institutions must use the term “Social Security number” in the first bullet.
(2) Institutions must use five (5) of the following terms to complete the bulleted list: income; account balances; payment history; transaction history; transaction or loss history; credit history; credit scores; assets; investment experience; credit-based insurance scores; insurance claim history; medical information; overdraft history; purchase history; account transactions; risk tolerance; medical-related debts; credit card or other debt; mortgage rates and payments; retirement assets; checking account information; employment information; wire transfer instructions.
(c) General instructions for the disclosure table. The left column lists reasons for Start Printed Page 62924sharing or using personal information. Each reason correlates to a specific legal provision described in paragraph C.2(d) of this Instruction. In the middle column, each institution must provide a “Yes” or “No” response that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. In the right column, each institution must provide in each box one of the following three (3) responses, as applicable, that reflects whether a consumer can limit such sharing: “Yes” if it is required to or voluntarily provides an opt-out; “No” if it does not provide an opt-out; or “We don't share” if it answers “No” in the middle column. Only the sixth row (“For our affiliates to market to you”) may be omitted at the option of the institution. See paragraph C.2(d)(6) of this Instruction.
(d) Specific disclosures and corresponding legal provisions.
(1) For our everyday business purposes. This reason incorporates sharing information under §§ 40.14 and 40.15 and with service providers pursuant to § 40.13 of this part other than the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these Instructions.
(2) For our marketing purposes. This reason incorporates sharing information with service providers by an institution for its own marketing pursuant to § 40.13 of this part. An institution that shares for this reason may choose to provide an opt-out.
(3) For joint marketing with other financial companies. This reason incorporates sharing information under joint marketing agreements between two or more financial institutions and with any service provider used in connection with such agreements pursuant to § 40.13 of this part. An institution that shares for this reason may choose to provide an opt-out.
(4) For our affiliates' everyday business purposes—information about transactions and experiences. This reason incorporates sharing information specified in sections 603(d)(2)(A)(i) and (ii) of the FCRA. An institution that shares for this reason may choose to provide an opt-out.
(5) For our affiliates' everyday business purposes—information about creditworthiness. This reason incorporates sharing information pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution that shares for this reason must provide an opt-out.
(6) For our affiliates to market to you. This reason incorporates sharing information specified in section 624 of the FCRA. This reason may be omitted from the disclosure table when: the institution does not have affiliates (or does not disclose personal information to its affiliates); the institution's affiliates do not use personal information in a manner that requires an opt-out; or the institution provides the affiliate marketing notice separately. Institutions that include this reason must provide an opt-out of indefinite duration. An institution that is required to provide an affiliate marketing opt-out, but does not include that opt-out in the model form under this part, must comply with section 624 of the FCRA and 12 CFR part 41, subpart C, with respect to the initial notice and opt-out and any subsequent renewal notice and opt-out. An institution not required to provide an opt-out under this subparagraph may elect to include this reason in the model form.
(7) For nonaffiliates to market to you. This reason incorporates sharing described in §§ 40.7 and 40.10(a) of this part. An institution that shares personal information for this reason must provide an opt-out.
(e) To limit our sharing: A financial institution must include this section of the model form only if it provides an opt-out. The word “choice” may be written in either the singular or plural, as appropriate. Institutions must select one or more of the applicable opt-out methods described: telephone, such as by a toll-free number; a Web site; or use of a mail-in opt-out form. Institutions may include the words “toll-free” before telephone, as appropriate. An institution that allows consumers to opt out online must provide either a specific Web address that takes consumers directly to the opt-out page or a general Web address that provides a clear and conspicuous direct link to the opt-out page. The opt-out choices made available to the consumer who contacts the institution through these methods must correspond accurately to the “Yes” responses in the third column of the disclosure table. In the part titled “Please note” institutions may insert a number that is 30 or greater in the space marked “[30].” Instructions on voluntary or state privacy law opt-out information are in paragraph C.2(g)(5) of these Instructions.
(f) Questions box. Customer service contact information must be inserted as appropriate, where [phone number] or [Web site] appear. Institutions may elect to provide either a phone number, such as a toll-free number, or a Web address, or both. Institutions may include the words “toll-free” before the telephone number, as appropriate.
(g) Mail-in opt-out form. Financial institutions must include this mail-in form only if they state in the “To limit our sharing” box that consumers can opt out by mail. The mail-in form must provide opt-out options that correspond accurately to the “Yes” responses in the third column in the disclosure table. Institutions that require customers to provide only name and address may omit the section identified as “[account #].” Institutions that require additional or different information, such as a random opt-out number or a truncated account number, to implement an opt-out election should modify the “[account #]” reference accordingly. This includes institutions that require customers with multiple accounts to identify each account to which the opt-out should apply. An institution must enter its opt-out mailing address: In the far right of this form (see version 3); or below the form (see version 4). The reverse side of the mail-in opt-out form must not include any content of the model form.
(1) Joint accountholder. Only institutions that provide their joint accountholders the choice to opt out for only one accountholder, in accordance with paragraph C.3(a)(5) of these Instructions, must include in the far left column of the mail-in form the following statement: “If you have a joint account, your choice(s) will apply to everyone on your account unless you mark below. □ Apply my choice(s) only to me.” The word “choice” may be written in either the singular or plural, as appropriate. Financial institutions that provide insurance products or services, provide this option, and elect to use the model form may substitute the word “policy” for “account” in this statement. Institutions that do not provide this option may eliminate this left column from the mail-in form.
(2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution shares personal information pursuant to section 603(d)(2)(A)(iii) of the FCRA, it must include in the mail-in opt-out form the following statement: “□ Do not share information about my creditworthiness with your affiliates for their everyday business purposes.”
(3) FCRA Section 624 opt-out. If the institution incorporates section 624 of the FCRA in accord with paragraph C.2(d)(6) of these Instructions, it must include in the mail-in opt-out form the following statement: “□ Do not allow your affiliates to use my personal information to market to me.”
(4) Nonaffiliate opt-out. If the financial institution shares personal information pursuant to § 40.10(a) of this part, it must include in the mail-in opt-out form the following statement: “□ Do not share my personal information with nonaffiliates to market their products and services to me.”
(5) Additional opt-outs. Financial institutions that use the disclosure table to provide opt-out options beyond those required by Federal law must provide those opt-outs in this section of the model form. A financial institution that chooses to offer an opt-out for its own marketing in the mail-in opt-out form must include one of the two following statements: “□ Do not share my personal information to market to me.” or “□ Do not use my personal information to market to me.” A financial institution that chooses to offer an opt-out for joint marketing must include the following statement: “□ Do not share my personal information with other financial institutions to jointly market to me.”
(h) Barcodes. A financial institution may elect to include a barcode and/or “tagline” (an internal identifier) in 6-point font at the bottom of page one, as needed for information internal to the institution, so long as these do not interfere with the clarity or text of the form.
3. Page Two
(a) General Instructions for the Questions. Certain of the Questions may be customized as follows:
(1) “Who is providing this notice?” This question may be omitted where only one financial institution provides the model form and that institution is clearly identified in the title on page one. Two or more financial institutions that jointly provide the model form must use this question to identify themselves as required by § 40.9(f) of this part. Where the list of institutions exceeds four (4) lines, the institution must describe in the response to this question the general types of institutions jointly providing the notice and must separately identify those institutions, in minimum 8-point font, directly following the “Other important Start Printed Page 62925information” box, or, if that box is not included in the institution's form, directly following the “Definitions.” The list may appear in a multi-column format.
(2) “How does [name of financial institution ] protect my personal information?” The financial institution may only provide additional information pertaining to its safeguards practices following the designated response to this question. Such information may include information about the institution's use of cookies or other measures it uses to safeguard personal information. Institutions are limited to a maximum of 30 additional words.
(3) “How does [name of financial institution ] collect my personal information?” Institutions must use five (5) of the following terms to complete the bulleted list for this question: Open an account; deposit money; pay your bills; apply for a loan; use your credit or debit card; seek financial or tax advice; apply for insurance; pay insurance premiums; file an insurance claim; seek advice about your investments; buy securities from us; sell securities to us; direct us to buy securities; direct us to sell your securities; make deposits or withdrawals from your account; enter into an investment advisory contract; give us your income information; provide employment information; give us your employment history; tell us about your investment or retirement portfolio; tell us about your investment or retirement earnings; apply for financing; apply for a lease; provide account information; give us your contact information; pay us by check; give us your wage statements; provide your mortgage information; make a wire transfer; tell us who receives the money; tell us where to send the money; show your government-issued ID; show your driver's license; order a commodity futures or option trade. Institutions that collect personal information from their affiliates and/or credit bureaus must include after the bulleted list the following statement: “We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.” Institutions that do not collect personal information from their affiliates or credit bureaus but do collect information from other companies must include the following statement instead: “We also collect your personal information from other companies.” Only institutions that do not collect any personal information from affiliates, credit bureaus, or other companies can omit both statements.
(4) “Why can't I limit all sharing?” Institutions that describe state privacy law provisions in the “Other important information” box must use the bracketed sentence: “See below for more on your rights under state law.” Other institutions must omit this sentence.
(5) “What happens when I limit sharing for an account I hold jointly with someone else?” Only financial institutions that provide opt-out options must use this question. Other institutions must omit this question. Institutions must choose one of the following two statements to respond to this question: “Your choices will apply to everyone on your account.” or “Your choices will apply to everyone on your account—unless you tell us otherwise.” Financial institutions that provide insurance products or services and elect to use the model form may substitute the word “policy” for “account” in these statements.
(b) General Instructions for the Definitions.
The financial institution must customize the space below the responses to the three definitions in this section. This specific information must be in italicized lettering to set off the information from the standardized definitions.
(1) Affiliates. As required by § 40.6(a)(3) of this part, where [affiliate information] appears, the financial institution must:
(i) If it has no affiliates, state: “[name of financial institution] has no affiliates;”
(ii) If it has affiliates but does not share personal information, state: “[name of financial institution] does not share with our affiliates;” or
(iii) If it shares with its affiliates, state, as applicable: “Our affiliates include companies with a [common corporate identity of financial institution] name; financial companies such as [insert illustrative list of companies;] nonfinancial companies, such as [insert illustrative list of companies]; and others, such as [insert illustrative list].”
(2) Nonaffiliate s. As required by § 40.6(c)(3) of this part, where [nonaffiliate information] appears, the financial institution must:
(i) If it does not share with nonaffiliated third parties, state: “[name of financial institution] does not share with nonaffiliates so they can market to you”; or
(ii) If it shares with nonaffiliated third parties, state, as applicable: “Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].”
(3) Joint Marketing. As required by § 40.13 of this part, where [joint marketing] appears, the financial institution must:
(i) If it does not engage in joint marketing, state: “[name of financial institution] doesn't jointly market”; or
(ii) If it shares personal information for joint marketing, state, as applicable: “Our joint marketing partners include [list categories of companies such as credit card companies].”
(c) General instructions for the “Other important information” box. This box is optional. The space provided for information in this box is not limited. Only the following types of information can appear in this box.
(1) State and/or international privacy law information; and/or
(2) Acknowledgment of receipt form.
Start Amendment Part7. Amend newly redesignated Appendix B to part 40 as follows:
End Amendment Part Start Amendment PartA. Add a new sentence to the beginning of the introductory text as set forth below.
End Amendment Part Start Amendment PartB. Effective January 1, 2012, remove Appendix B to part 40.
End Amendment PartAppendix B to Part 40—Sample Clauses
This Appendix only applies to privacy notices provided before January 1, 2011. * * *
* * * * *Federal Reserve System
12 CFR Chapter II
Authority and Issuance
Start Amendment PartFor the reasons set forth in the joint preamble, the Board amends part 216 of chapter II of title 12 of the Code of Federal Regulations as follows:
End Amendment Part Start PartPART 216—PRIVACY OF CONSUMER FINANCIAL INFORMATION
End Part Start Amendment Part8. The authority citation for part 216 continues to read as follows:
End Amendment Part Start Amendment Part9. Revise § 216.2 to read as follows:
End Amendment PartModel privacy form and examples.(a) Model privacy form. Use of the model privacy form in Appendix A of this part, consistent with the instructions in Appendix A, constitutes compliance with the notice content requirements of §§ 216.6 and 216.7 of this part, although use of the model privacy form is not required.
(b) Examples. The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part.
10. In § 216.6:
End Amendment Part Start Amendment PartA. Revise paragraphs (b) and (f), and add paragraph (g) to read as set forth below.
End Amendment Part Start Amendment PartB. Effective January 1, 2012, remove paragraph (g).
End Amendment PartInformation to be included in privacy notices.* * * * *(b) Description of nonaffiliated third parties subject to exceptions. If you disclose nonpublic personal information to third parties as authorized under §§ 216.14 and 216.15, you are not required to list those exceptions in the initial or annual privacy notices required by §§ 216.4 and 216.5. When describing the categories with respect to those parties, it is sufficient to state that you make disclosures to other nonaffiliated companies:
(1) For your everyday business purposes, such as [include all that apply] to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus; or
(2) As permitted by law.
* * * * *(f) Model privacy form. Pursuant to § 216.2(a) of this part, a model privacy Start Printed Page 62926form that meets the notice content requirements of this section is included in Appendix A of this part.
(g) Sample clauses. Sample clauses illustrating some of the notice content required by this section are included in Appendix B of this part. Use of a sample clause in a privacy notice provided on or before December 31, 2010, to the extent applicable, constitutes compliance with this part.
11. In § 216.7, add paragraph (i) to read as follows:
End Amendment PartForm of opt-out notice to consumers; opt-out methods.* * * * *(i) Model privacy form. Pursuant to § 216.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part.
Appendix A [Redesignated as Appendix B]
12. Redesignate Appendix A to part 216 as Appendix B to part 216.
End Amendment Part Start Amendment Part13. Add new Appendix A to part 216 to read as follows:
End Amendment PartAppendix A to Part 216—Model Privacy Form
A. The Model Privacy Form
Start Printed Page 62927 Start Printed Page 62928 Start Printed Page 62929 Start Printed Page 62930 Start Printed Page 62931 Start Printed Page 62932 Start Printed Page 62933B. General Instructions
1. How the Model Privacy Form Is Used
(a) The model form may be used, at the option of a financial institution, including a group of financial institutions that use a common privacy notice, to meet the content requirements of the privacy notice and opt-out notice set forth in §§ 216.6 and 216.7 of this part.
(b) The model form is a standardized form, including page layout, content, format, style, pagination, and shading. Institutions seeking to obtain the safe harbor through use of the model form may modify it only as described in these Instructions.
(c) Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681-1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.
(d) The word “customer” may be replaced by the word “member” whenever it appears in the model form, as appropriate.
2. The Contents of the Model Privacy Form
The model form consists of two pages, which may be printed on both sides of a single sheet of paper, or may appear on two separate pages. Where an institution provides a long list of institutions at the end of the model form in accordance with Instruction C.3(a)(1), or provides additional information in accordance with Instruction C.3(c), and such list or additional information exceeds the space available on page two of the model form, such list or additional information may extend to a third page.
(a) Page One. The first page consists of the following components:
(1) Date last revised (upper right-hand corner).
(2) Title.
(3) Key frame (Why?, What?, How?).
(4) Disclosure table (“Reasons we can share your personal information”).
(5) “To limit our sharing” box, as needed, for the financial institution's opt-out information.
(6) “Questions” box, for customer service contact information.
(7) Mail-in opt-out form, as needed.
(b) Page Two. The second page consists of the following components:
(1) Heading (Page 2).
(2) Frequently Asked Questions (“Who we are” and “What we do”).
(3) Definitions.
(4) “Other important information” box, as needed.
3. The Format of the Model Privacy Form
The format of the model form may be modified only as described below.
(a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. While a number of factors together produce easily readable type font, institutions are required to use a minimum of 10-point font (unless otherwise expressly permitted in these Instructions) and sufficient spacing between the lines of type.
(b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page.
(c) Page size and orientation. Each page of the model form must be printed on paper in portrait orientation, the size of which must be sufficient to meet the layout and minimum font size requirements, with sufficient white space on the top, bottom, and sides of the content.
(d) Color. The model form must be printed on white or light color paper (such as cream) with black or other contrasting ink color. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract from the readability of the model form. Logos may also be printed in color.
(e) Languages. The model form may be translated into languages other than English.
C. Information Required in the Model Privacy Form
The information in the model form may be modified only as described below:
1. Name of the Institution or Group of Affiliated Institutions Providing the Notice
Insert the name of the financial institution providing the notice or a common identity of affiliated institutions jointly providing the notice on the form wherever [name of financial institution] appears.
2. Page One
(a) Last revised date. The financial institution must insert in the upper right-hand corner the date on which the notice was last revised. The information shall appear in minimum 8-point font as “rev. [month/year]” using either the name or number of the month, such as “rev. July 2009” or “rev. 7/09”.
(b) General instructions for the “What?” box.
(1) The bulleted list identifies the types of personal information that the institution collects and shares. All institutions must use the term “Social Security number” in the first bullet.
(2) Institutions must use five (5) of the following terms to complete the bulleted list: income; account balances; payment history; transaction history; transaction or loss history; credit history; credit scores; assets; investment experience; credit-based insurance scores; insurance claim history; medical information; overdraft history; purchase history; account transactions; risk tolerance; medical-related debts; credit card or other debt; mortgage rates and payments; retirement assets; checking account information; employment information; wire transfer instructions.
(c) General instructions for the disclosure table. The left column lists reasons for Start Printed Page 62934sharing or using personal information. Each reason correlates to a specific legal provision described in paragraph C.2(d) of this Instruction. In the middle column, each institution must provide a “Yes” or “No” response that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. In the right column, each institution must provide in each box one of the following three (3) responses, as applicable, that reflects whether a consumer can limit such sharing: “Yes” if it is required to or voluntarily provides an opt-out; “No” if it does not provide an opt-out; or “We don't share” if it answers “No” in the middle column. Only the sixth row (“For our affiliates to market to you”) may be omitted at the option of the institution. See paragraph C.2(d)(6) of this Instruction.
(d) Specific disclosures and corresponding legal provisions.
(1) For our everyday business purposes. This reason incorporates sharing information under §§ 216.14 and 216.15 and with service providers pursuant to § 216.13 of this part other than the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these Instructions.
(2) For our marketing purposes. This reason incorporates sharing information with service providers by an institution for its own marketing pursuant to § 216.13 of this part. An institution that shares for this reason may choose to provide an opt-out.
(3) For joint marketing with other financial companies. This reason incorporates sharing information under joint marketing agreements between two or more financial institutions and with any service provider used in connection with such agreements pursuant to § 216.13 of this part. An institution that shares for this reason may choose to provide an opt-out.
(4) For our affiliates' everyday business purposes—information about transactions and experiences. This reason incorporates sharing information specified in sections 603(d)(2)(A)(i) and (ii) of the FCRA. An institution that shares for this reason may choose to provide an opt-out.
(5) For our affiliates' everyday business purposes—information about creditworthiness. This reason incorporates sharing information pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution that shares for this reason must provide an opt-out.
(6) For our affiliates to market to you. This reason incorporates sharing information specified in section 624 of the FCRA. This reason may be omitted from the disclosure table when: the institution does not have affiliates (or does not disclose personal information to its affiliates); the institution's affiliates do not use personal information in a manner that requires an opt-out; or the institution provides the affiliate marketing notice separately. Institutions that include this reason must provide an opt-out of indefinite duration. An institution that is required to provide an affiliate marketing opt-out, but does not include that opt-out in the model form under this part, must comply with section 624 of the FCRA and 12 CFR part 222, subpart C, with respect to the initial notice and opt-out and any subsequent renewal notice and opt-out. An institution not required to provide an opt-out under this subparagraph may elect to include this reason in the model form.
(7) For nonaffiliates to market to you. This reason incorporates sharing described in §§ 216.7 and 216.10(a) of this part. An institution that shares personal information for this reason must provide an opt-out.
(e) To limit our sharing: A financial institution must include this section of the model form only if it provides an opt-out. The word “choice” may be written in either the singular or plural, as appropriate. Institutions must select one or more of the applicable opt-out methods described: telephone, such as by a toll-free number; a Website; or use of a mail-in opt-out form. Institutions may include the words “toll-free” before telephone, as appropriate. An institution that allows consumers to opt out online must provide either a specific Web address that takes consumers directly to the opt-out page or a general Web address that provides a clear and conspicuous direct link to the opt-out page. The opt-out choices made available to the consumer who contacts the institution through these methods must correspond accurately to the “Yes” responses in the third column of the disclosure table. In the part titled “Please note” institutions may insert a number that is 30 or greater in the space marked “[30].” Instructions on voluntary or state privacy law opt-out information are in paragraph C.2(g)(5) of these Instructions.
(f) Questions box. Customer service contact information must be inserted as appropriate, where [phone number] or [website] appear. Institutions may elect to provide either a phone number, such as a toll-free number, or a Web address, or both. Institutions may include the words “toll-free” before the telephone number, as appropriate.
(g) Mail-in opt-out form. Financial institutions must include this mail-in form only if they state in the “To limit our sharing” box that consumers can opt out by mail. The mail-in form must provide opt-out options that correspond accurately to the “Yes” responses in the third column in the disclosure table. Institutions that require customers to provide only name and address may omit the section identified as “[account #].” Institutions that require additional or different information, such as a random opt-out number or a truncated account number, to implement an opt-out election should modify the “[account #]” reference accordingly. This includes institutions that require customers with multiple accounts to identify each account to which the opt-out should apply. An institution must enter its opt-out mailing address: In the far right of this form (see version 3); or below the form (see version 4). The reverse side of the mail-in opt-out form must not include any content of the model form.
(1) Joint accountholder. Only institutions that provide their joint accountholders the choice to opt out for only one accountholder, in accordance with paragraph C.3(a)(5) of these Instructions, must include in the far left column of the mail-in form the following statement: “If you have a joint account, your choice(s) will apply to everyone on your account unless you mark below. □ Apply my choice(s) only to me.” The word “choice” may be written in either the singular or plural, as appropriate. Financial institutions that provide insurance products or services, provide this option, and elect to use the model form may substitute the word “policy” for “account” in this statement. Institutions that do not provide this option may eliminate this left column from the mail-in form.
(2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution shares personal information pursuant to section 603(d)(2)(A)(iii) of the FCRA, it must include in the mail-in opt-out form the following statement: “□ Do not share information about my creditworthiness with your affiliates for their everyday business purposes.”
(3) FCRA Section 624 opt-out. If the institution incorporates section 624 of the FCRA in accord with paragraph C.2(d)(6) of these Instructions, it must include in the mail-in opt-out form the following statement: “□ Do not allow your affiliates to use my personal information to market to me.”
(4) Nonaffiliate opt-out. If the financial institution shares personal information pursuant to § 216.10(a) of this part, it must include in the mail-in opt-out form the following statement: “□ Do not share my personal information with nonaffiliates to market their products and services to me.”
(5) Additional opt-outs. Financial institutions that use the disclosure table to provide opt-out options beyond those required by Federal law must provide those opt-outs in this section of the model form. A financial institution that chooses to offer an opt-out for its own marketing in the mail-in opt-out form must include one of the two following statements: “□ Do not share my personal information to market to me.” or “□ Do not use my personal information to market to me.” A financial institution that chooses to offer an opt-out for joint marketing must include the following statement: “□ Do not share my personal information with other financial institutions to jointly market to me.”
(h) Barcodes. A financial institution may elect to include a barcode and/or “tagline” (an internal identifier) in 6-point font at the bottom of page one, as needed for information internal to the institution, so long as these do not interfere with the clarity or text of the form.
3. Page Two
(a) General Instructions for the Questions. Certain of the Questions may be customized as follows:
(1) “Who is providing this notice?” This question may be omitted where only one financial institution provides the model form and that institution is clearly identified in the title on page one. Two or more financial institutions that jointly provide the model form must use this question to identify themselves as required by § 216.9(f) of this part. Where the list of institutions exceeds four (4) lines, the institution must describe in the response to this question the general types of institutions jointly providing the notice and must separately identify those institutions, in minimum 8-point font, directly following the “Other important Start Printed Page 62935information” box, or, if that box is not included in the institution's form, directly following the “Definitions.” The list may appear in a multi-column format.
(2) “How does [name of financial institution] protect my personal information?” The financial institution may only provide additional information pertaining to its safeguards practices following the designated response to this question. Such information may include information about the institution's use of cookies or other measures it uses to safeguard personal information. Institutions are limited to a maximum of 30 additional words.
(3) “How does [name of financial institution] collect my personal information?” Institutions must use five (5) of the following terms to complete the bulleted list for this question: Open an account; deposit money; pay your bills; apply for a loan; use your credit or debit card; seek financial or tax advice; apply for insurance; pay insurance premiums; file an insurance claim; seek advice about your investments; buy securities from us; sell securities to us; direct us to buy securities; direct us to sell your securities; make deposits or withdrawals from your account; enter into an investment advisory contract; give us your income information; provide employment information; give us your employment history; tell us about your investment or retirement portfolio; tell us about your investment or retirement earnings; apply for financing; apply for a lease; provide account information; give us your contact information; pay us by check; give us your wage statements; provide your mortgage information; make a wire transfer; tell us who receives the money; tell us where to send the money; show your government-issued ID; show your driver's license; order a commodity futures or option trade. Institutions that collect personal information from their affiliates and/or credit bureaus must include after the bulleted list the following statement: “We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.” Institutions that do not collect personal information from their affiliates or credit bureaus but do collect information from other companies must include the following statement instead: “We also collect your personal information from other companies.”
Only institutions that do not collect any personal information from affiliates, credit bureaus, or other companies can omit both statements.
(4) “Why can't I limit all sharing?” Institutions that describe state privacy law provisions in the “Other important information” box must use the bracketed sentence: “See below for more on your rights under state law.” Other institutions must omit this sentence.
(5) “What happens when I limit sharing for an account I hold jointly with someone else?” Only financial institutions that provide opt-out options must use this question. Other institutions must omit this question. Institutions must choose one of the following two statements to respond to this question: “Your choices will apply to everyone on your account.” or “Your choices will apply to everyone on your account—unless you tell us otherwise.” Financial institutions that provide insurance products or services and elect to use the model form may substitute the word “policy” for “account” in these statements.
(b) General Instructions for the Definitions.
The financial institution must customize the space below the responses to the three definitions in this section. This specific information must be in italicized lettering to set off the information from the standardized definitions.
(1) Affiliates. As required by § 216.6(a)(3) of this part, where [affiliate information] appears, the financial institution must:
(i) If it has no affiliates, state: “[name of financial institution] has no affiliates”;
(ii) If it has affiliates but does not share personal information, state: “[name of financial institution] does not share with our affiliates”; or
(iii) If it shares with its affiliates, state, as applicable: “Our affiliates include companies with a [common corporate identity of financial institution] name; financial companies such as [insert illustrative list of companies]; nonfinancial companies, such as [insert illustrative list of companies;] and others, such as [insert illustrative list].”
(2) Nonaffiliates. As required by § 216.6(c)(3) of this part, where [nonaffiliate information] appears, the financial institution must:
(i) If it does not share with nonaffiliated third parties, state: “[name of financial institution] does not share with nonaffiliates so they can market to you”; or
(ii) If it shares with nonaffiliated third parties, state, as applicable: “Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].”
(3) Joint Marketing. As required by § 216.13 of this part, where [joint marketing] appears, the financial institution must:
(i) If it does not engage in joint marketing, state: “[name of financial institution] doesn't jointly market”; or
(ii) If it shares personal information for joint marketing, state, as applicable: “Our joint marketing partners include [list categories of companies such as credit card companies].”
(c) General instructions for the “Other important information” box. This box is optional. The space provided for information in this box is not limited. Only the following types of information can appear in this box.
(1) State and/or international privacy law information; and/or
(2) Acknowledgment of receipt form.
Start Amendment Part14. Amend newly redesignated Appendix B to part 216 as follows:
End Amendment Part Start Amendment PartA. Add a new sentence to the beginning of the introductory text as set forth below.
End Amendment Part Start Amendment PartB. Effective January 1, 2012, remove Appendix B to part 216.
End Amendment PartAppendix B to Part 216—Sample Clauses
This Appendix only applies to privacy notices provided before January 1, 2011. * * *
* * * * *Federal Deposit Insurance Corporation
12 CFR Chapter III
Authority and Issuance
Start Amendment PartFor the reasons set forth in the joint preamble, part 332 of chapter III of title 12 of the Code of Federal Regulations is amended as follows:
End Amendment Part Start PartPART 332—PRIVACY OF CONSUMER FINANCIAL INFORMATION
End Part Start Amendment Part15. The authority citation for part 332 continues to read as follows:
End Amendment Part Start Amendment Part16. Revise § 332.2 to read as follows:
End Amendment PartModel privacy form and examples.(a) Model privacy form. Use of the model privacy form in Appendix A of this part, consistent with the instructions in Appendix A, constitutes compliance with the notice content requirements of §§ 332.6 and 332.7 of this part, although use of the model privacy form is not required.
(b) Examples. The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part.
17. In § 332.6:
End Amendment Part Start Amendment PartA. Revise paragraphs (b) and (f), and add paragraph (g) to read as set forth below.
End Amendment Part Start Amendment PartB. Effective January 1, 2012, remove paragraph (g).
End Amendment PartInformation to be included in privacy notices.* * * * *(b) Description of nonaffiliated third parties subject to exceptions. If you disclose nonpublic personal information to third parties as authorized under §§ 332.14 and 332.15, you are not required to list those exceptions in the initial or annual privacy notices required by §§ 332.4 and 332.5. When describing the categories with respect to those parties, it is sufficient to state that you make disclosures to other nonaffiliated companies:
(1) For your everyday business purposes, such as [include all that apply] to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus; or
(2) As permitted by law.
* * * * *Start Printed Page 62936(f) Model privacy form. Pursuant to § 332.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part.
(g) Sample clauses. Sample clauses illustrating some of the notice content required by this section are included in Appendix B of this part. Use of a sample clause in a privacy notice provided on or before December 31, 2010, to the extent applicable, constitutes compliance with this part.
18. In § 332.7, add paragraph (i) to read as follows:
End Amendment PartForm of opt-out notice to consumers; opt-out methods.* * * * *(i) Model privacy form. Pursuant to § 332.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part.
Appendix A [Redesignated as Appendix B]
19. Redesignate Appendix A to part 332 as Appendix B to part 332.
End Amendment Part Start Amendment Part20. Add new Appendix A to part 332 to read as follows:
End Amendment PartAppendix A to Part 332—Model Privacy Form
A. The Model Privacy Form
Start Printed Page 62937 Start Printed Page 62938 Start Printed Page 62939 Start Printed Page 62940 Start Printed Page 62941 Start Printed Page 62942 Start Printed Page 62943B. General Instructions
1. How the Model Privacy Form Is Used
(a) The model form may be used, at the option of a financial institution, including a group of financial institutions that use a common privacy notice, to meet the content requirements of the privacy notice and opt-out notice set forth in §§ 332.6 and 332.7 of this part.
(b) The model form is a standardized form, including page layout, content, format, style, pagination, and shading. Institutions seeking to obtain the safe harbor through use of the model form may modify it only as described in these Instructions.
(c) Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681-1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.
(d) The word “customer” may be replaced by the word “member” whenever it appears in the model form, as appropriate.
2. The Contents of the Model Privacy Form
The model form consists of two pages, which may be printed on both sides of a single sheet of paper, or may appear on two separate pages. Where an institution provides a long list of institutions at the end of the model form in accordance with Instruction C.3(a)(1), or provides additional information in accordance with Instruction C.3(c), and such list or additional information exceeds the space available on page two of the model form, such list or additional information may extend to a third page.
(a) Page One. The first page consists of the following components:
(1) Date last revised (upper right-hand corner).
(2) Title.
(3) Key frame (Why?, What?, How?).
(4) Disclosure table (“Reasons we can share your personal information”).
(5) “To limit our sharing” box, as needed, for the financial institution's opt-out information.
(6) “Questions” box, for customer service contact information.
(7) Mail-in opt-out form, as needed.
(b) Page Two. The second page consists of the following components:
(1) Heading (Page 2).
(2) Frequently Asked Questions (“Who we are” and “What we do”).
(3) Definitions.
(4) “Other important information” box, as needed.
3. The Format of the Model Privacy Form
The format of the model form may be modified only as described below.
(a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. While a number of factors together produce easily readable type font, institutions are required to use a minimum of 10-point font (unless otherwise expressly permitted in these Instructions) and sufficient spacing between the lines of type.
(b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page.
(c) Page size and orientation. Each page of the model form must be printed on paper in portrait orientation, the size of which must be sufficient to meet the layout and minimum font size requirements, with sufficient white space on the top, bottom, and sides of the content.
(d) Color. The model form must be printed on white or light color paper (such as cream) with black or other contrasting ink color. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract from the readability of the model form. Logos may also be printed in color.
(e) Languages. The model form may be translated into languages other than English.
C. Information Required in the Model Privacy Form
The information in the model form may be modified only as described below:
1. Name of the Institution or Group of Affiliated Institutions Providing the Notice
Insert the name of the financial institution providing the notice or a common identity of affiliated institutions jointly providing the notice on the form wherever [name of financial institution] appears.
2. Page One
(a) Last revised date. The financial institution must insert in the upper right-hand corner the date on which the notice was last revised. The information shall appear in minimum 8-point font as “rev. [month/year]” using either the name or number of the month, such as “rev. July 2009” or “rev. 7/09”.
(b) General instructions for the “What?” box.
(1) The bulleted list identifies the types of personal information that the institution collects and shares. All institutions must use the term “Social Security number” in the first bullet.
(2) Institutions must use five (5) of the following terms to complete the bulleted list: income; account balances; payment history; transaction history; transaction or loss history; credit history; credit scores; assets; investment experience; credit-based insurance scores; insurance claim history; medical information; overdraft history; purchase history; account transactions; risk tolerance; medical-related debts; credit card or other debt; mortgage rates and payments; retirement assets; checking account information; employment information; wire transfer instructions.
(c) General instructions for the disclosure table. The left column lists reasons for Start Printed Page 62944sharing or using personal information. Each reason correlates to a specific legal provision described in paragraph C.2(d) of this Instruction. In the middle column, each institution must provide a “Yes” or “No” response that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. In the right column, each institution must provide in each box one of the following three (3) responses, as applicable, that reflects whether a consumer can limit such sharing: “Yes” if it is required to or voluntarily provides an opt-out; “No” if it does not provide an opt-out; or “We don't share” if it answers “No” in the middle column. Only the sixth row (“For our affiliates to market to you”) may be omitted at the option of the institution. See paragraph C.2(d)(6) of this Instruction.
(d) Specific disclosures and corresponding legal provisions.
(1) For our everyday business purposes. This reason incorporates sharing information under §§ 332.14 and 332.15 and with service providers pursuant to § 332.13 of this part other than the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these Instructions.
(2) For our marketing purposes. This reason incorporates sharing information with service providers by an institution for its own marketing pursuant to § 332.13 of this part. An institution that shares for this reason may choose to provide an opt-out.
(3) For joint marketing with other financial companies. This reason incorporates sharing information under joint marketing agreements between two or more financial institutions and with any service provider used in connection with such agreements pursuant to § 332.13 of this part. An institution that shares for this reason may choose to provide an opt-out.
(4) For our affiliates' everyday business purposes—information about transactions and experiences. This reason incorporates sharing information specified in sections 603(d)(2)(A)(i) and (ii) of the FCRA. An institution that shares for this reason may choose to provide an opt-out.
(5) For our affiliates' everyday business purposes—information about creditworthiness. This reason incorporates sharing information pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution that shares for this reason must provide an opt-out.
(6) For our affiliates to market to you. This reason incorporates sharing information specified in section 624 of the FCRA. This reason may be omitted from the disclosure table when: The institution does not have affiliates (or does not disclose personal information to its affiliates); the institution's affiliates do not use personal information in a manner that requires an opt-out; or the institution provides the affiliate marketing notice separately. Institutions that include this reason must provide an opt-out of indefinite duration. An institution that is required to provide an affiliate marketing opt-out, but does not include that opt-out in the model form under this part, must comply with section 624 of the FCRA and 12 CFR part 334, subpart C, with respect to the initial notice and opt-out and any subsequent renewal notice and opt-out. An institution not required to provide an opt-out under this subparagraph may elect to include this reason in the model form.
(7) For nonaffiliates to market to you. This reason incorporates sharing described in §§ 332.7 and 332.10(a) of this part. An institution that shares personal information for this reason must provide an opt-out.
(e) To limit our sharing: A financial institution must include this section of the model form only if it provides an opt-out. The word “choice” may be written in either the singular or plural, as appropriate. Institutions must select one or more of the applicable opt-out methods described: Telephone, such as by a toll-free number; a Web site; or use of a mail-in opt-out form. Institutions may include the words “toll-free” before telephone, as appropriate. An institution that allows consumers to opt out online must provide either a specific Web address that takes consumers directly to the opt-out page or a general Web address that provides a clear and conspicuous direct link to the opt-out page. The opt-out choices made available to the consumer who contacts the institution through these methods must correspond accurately to the “Yes” responses in the third column of the disclosure table. In the part titled “Please note” institutions may insert a number that is 30 or greater in the space marked “[30].” Instructions on voluntary or state privacy law opt-out information are in paragraph C.2(g)(5) of these Instructions.
(f) Questions box. Customer service contact information must be inserted as appropriate, where [phone number] or [Web site] appear. Institutions may elect to provide either a phone number, such as a toll-free number, or a Web address, or both. Institutions may include the words “toll-free” before the telephone number, as appropriate.
(g) Mail-in opt-out form. Financial institutions must include this mail-in form only if they state in the “To limit our sharing” box that consumers can opt out by mail. The mail-in form must provide opt-out options that correspond accurately to the “Yes” responses in the third column in the disclosure table. Institutions that require customers to provide only name and address may omit the section identified as “[account #].” Institutions that require additional or different information, such as a random opt-out number or a truncated account number, to implement an opt-out election should modify the “[account #]” reference accordingly. This includes institutions that require customers with multiple accounts to identify each account to which the opt-out should apply. An institution must enter its opt-out mailing address: In the far right of this form (see version 3); or below the form (see version 4). The reverse side of the mail-in opt-out form must not include any content of the model form.
(1) Joint accountholder. Only institutions that provide their joint accountholders the choice to opt out for only one accountholder, in accordance with paragraph C.3(a)(5) of these Instructions, must include in the far left column of the mail-in form the following statement: “If you have a joint account, your choice(s) will apply to everyone on your account unless you mark below. □ Apply my choice(s) only to me.” The word “choice” may be written in either the singular or plural, as appropriate. Financial institutions that provide insurance products or services, provide this option, and elect to use the model form may substitute the word “policy” for “account” in this statement. Institutions that do not provide this option may eliminate this left column from the mail-in form.
(2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution shares personal information pursuant to section 603(d)(2)(A)(iii) of the FCRA, it must include in the mail-in opt-out form the following statement: “□ Do not share information about my creditworthiness with your affiliates for their everyday business purposes.”
(3) FCRA Section 624 opt-out. If the institution incorporates section 624 of the FCRA in accord with paragraph C.2(d)(6) of these Instructions, it must include in the mail-in opt-out form the following statement: “□ Do not allow your affiliates to use my personal information to market to me.”
(4) Nonaffiliate opt-out. If the financial institution shares personal information pursuant to § 332.10(a) of this part, it must include in the mail-in opt-out form the following statement: “□ Do not share my personal information with nonaffiliates to market their products and services to me.”
(5) Additional opt-outs. Financial institutions that use the disclosure table to provide opt-out options beyond those required by Federal law must provide those opt-outs in this section of the model form. A financial institution that chooses to offer an opt-out for its own marketing in the mail-in opt-out form must include one of the two following statements: “□ Do not share my personal information to market to me.” or “□ Do not use my personal information to market to me.” A financial institution that chooses to offer an opt-out for joint marketing must include the following statement: “□ Do not share my personal information with other financial institutions to jointly market to me.”
(h) Barcodes. A financial institution may elect to include a barcode and/or “tagline” (an internal identifier) in 6-point font at the bottom of page one, as needed for information internal to the institution, so long as these do not interfere with the clarity or text of the form.
3. Page Two
(a) General Instructions for the Questions. Certain of the Questions may be customized as follows:
(1) “Who is providing this notice?” This question may be omitted where only one financial institution provides the model form and that institution is clearly identified in the title on page one. Two or more financial institutions that jointly provide the model form must use this question to identify themselves as required by § 332.9(f) of this part. Where the list of institutions exceeds four (4) lines, the institution must describe in the response to this question the general types of institutions jointly providing the notice and must separately identify those institutions, in minimum 8-point font, directly following the “Other important Start Printed Page 62945information” box, or, if that box is not included in the institution's form, directly following the “Definitions.” The list may appear in a multi-column format.
(2) “How does [name of financial institution ] protect my personal information?” The financial institution may only provide additional information pertaining to its safeguards practices following the designated response to this question. Such information may include information about the institution's use of cookies or other measures it uses to safeguard personal information. Institutions are limited to a maximum of 30 additional words.
(3) “How does [name of financial institution ] collect my personal information?” Institutions must use five (5) of the following terms to complete the bulleted list for this question: Open an account; deposit money; pay your bills; apply for a loan; use your credit or debit card; seek financial or tax advice; apply for insurance; pay insurance premiums; file an insurance claim; seek advice about your investments; buy securities from us; sell securities to us; direct us to buy securities; direct us to sell your securities; make deposits or withdrawals from your account; enter into an investment advisory contract; give us your income information; provide employment information; give us your employment history; tell us about your investment or retirement portfolio; tell us about your investment or retirement earnings; apply for financing; apply for a lease; provide account information; give us your contact information; pay us by check; give us your wage statements; provide your mortgage information; make a wire transfer; tell us who receives the money; tell us where to send the money; show your government-issued ID; show your driver's license; order a commodity futures or option trade. Institutions that collect personal information from their affiliates and/or credit bureaus must include after the bulleted list the following statement: “We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.” Institutions that do not collect personal information from their affiliates or credit bureaus but do collect information from other companies must include the following statement instead: “We also collect your personal information from other companies.” Only institutions that do not collect any personal information from affiliates, credit bureaus, or other companies can omit both statements.
(4) “Why can't I limit all sharing?” Institutions that describe state privacy law provisions in the “Other important information” box must use the bracketed sentence: “See below for more on your rights under state law.” Other institutions must omit this sentence.
(5) “What happens when I limit sharing for an account I hold jointly with someone else?” Only financial institutions that provide opt-out options must use this question. Other institutions must omit this question. Institutions must choose one of the following two statements to respond to this question: “Your choices will apply to everyone on your account.” or “Your choices will apply to everyone on your account-unless you tell us otherwise.” Financial institutions that provide insurance products or services and elect to use the model form may substitute the word “policy” for “account” in these statements.
(b) General Instructions for the Definitions.
The financial institution must customize the space below the responses to the three definitions in this section. This specific information must be in italicized lettering to set off the information from the standardized definitions.
(1) Affiliates. As required by § 332.6(a)(3) of this part, where [affiliate information] appears, the financial institution must:
(i) If it has no affiliates, state: “[name of financial institution] has no affiliates”;
(ii) If it has affiliates but does not share personal information, state: “[name of financial institution] does not share with our affiliates”; or
(iii) If it shares with its affiliates, state, as applicable: “Our affiliates include companies with a [common corporate identity of financial institution] name; financial companies such as [insert illustrative list of companies]; nonfinancial companies, such as [insert illustrative list of companies]; and others, such as [insert illustrative list].”
(2) Nonaffiliates. As required by § 332.6(c)(3) of this part, where [nonaffiliate information] appears, the financial institution must:
(i) If it does not share with nonaffiliated third parties, state: “[name of financial institution] does not share with nonaffiliates so they can market to you”; or
(ii) If it shares with nonaffiliated third parties, state, as applicable: “Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].”
(3) Joint Marketing. As required by § 332.13 of this part, where [joint marketing] appears, the financial institution must:
(i) If it does not engage in joint marketing, state: “[name of financial institution] doesn't jointly market”; or
(ii) If it shares personal information for joint marketing, state, as applicable: “Our joint marketing partners include [list categories of companies such as credit card companies].”
(c) General instructions for the “Other important information” box. This box is optional. The space provided for information in this box is not limited. Only the following types of information can appear in this box.
(1) State and/or international privacy law information; and/or
(2) Acknowledgment of receipt form.
Start Amendment Part21. Amend newly redesignated Appendix B to part 332 as follows:
End Amendment Part Start Amendment PartA. Add a new sentence to the beginning of the introductory text as set forth below.
End Amendment Part Start Amendment PartB. Effective January 1, 2012, remove Appendix B to part 332.
End Amendment PartAppendix B to Part 332—Sample Clauses
This Appendix only applies to privacy notices provided before January 1, 2011.
* * * * *DEPARTMENT OF THE TREASURY
Office of Thrift Supervision
12 CFR Chapter V
Authority and Issuance
Start Amendment PartFor the reasons set forth in the joint preamble, part 573 of chapter V of title 12 of the Code of Federal Regulations is amended as follows:
End Amendment Part Start PartPART 573—PRIVACY OF CONSUMER FINANCIAL INFORMATION
End Part Start Amendment Part22. The authority citation for part 573 continues to read as follows:
End Amendment Part Start Amendment Part23. Revise § 573.2 to read as follows:
End Amendment PartModel privacy form and examples.(a) Model privacy form. Use of the model privacy form in Appendix A of this part, consistent with the instructions in Appendix A, constitutes compliance with the notice content requirements of §§ 573.6 and 573.7 of this part, although use of the model privacy form is not required.
(b) Examples. The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part.
24. In § 573.6:
End Amendment Part Start Amendment PartA. Revise paragraphs (b) and (f), and add paragraph (g) to read as set forth below.
End Amendment Part Start Amendment PartB. Effective January 1, 2012, remove paragraph (g).
End Amendment PartInformation to be included in privacy notices.* * * * *(b) Description of nonaffiliated third parties subject to exceptions. If you disclose nonpublic personal information to third parties as authorized under §§ 573.14 and 573.15, you are not required to list those exceptions in the initial or annual privacy notices required by §§ 573.4 and 573.5. When describing the categories with respect to those parties, it is sufficient to state that you make disclosures to other nonaffiliated companies:
(1) For your everyday business purposes, such as [include all that apply] to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus; or
(2) As permitted by law.
* * * * *Start Printed Page 62946(f) Model privacy form. Pursuant to § 573.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part.
(g) Sample clauses. Sample clauses illustrating some of the notice content required by this section are included in Appendix B of this part. Use of a sample clause in a privacy notice provided on or before December 31, 2010, to the extent applicable, constitutes compliance with this part.
25. In § 573.7, add paragraph (i) to read as follows:
End Amendment PartForm of opt-out notice to consumers; opt-out methods.* * * * *(i) Model privacy form. Pursuant to § 573.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part.
Appendix A [Redesignated as Appendix B]
26. Redesignate Appendix A to part 573 as Appendix B to part 573.
End Amendment Part Start Amendment Part27. Add new Appendix A to part 573 to read as follows:
End Amendment PartAppendix A to Part 573—Model Privacy Form
A. The Model Privacy Form
Start Printed Page 62947 Start Printed Page 62948 Start Printed Page 62949 Start Printed Page 62950 Start Printed Page 62951 Start Printed Page 62952 Start Printed Page 62953B. General Instructions
1. How the Model Privacy Form Is Used
(a) The model form may be used, at the option of a financial institution, including a group of financial institutions that use a common privacy notice, to meet the content requirements of the privacy notice and opt-out notice set forth in §§ 573.6 and 573.7 of this part.
(b) The model form is a standardized form, including page layout, content, format, style, pagination, and shading. Institutions seeking to obtain the safe harbor through use of the model form may modify it only as described in these Instructions.
(c) Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681-1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.
(d) The word “customer” may be replaced by the word “member” whenever it appears in the model form, as appropriate.
2. The Contents of the Model Privacy Form
The model form consists of two pages, which may be printed on both sides of a single sheet of paper, or may appear on two separate pages. Where an institution provides a long list of institutions at the end of the model form in accordance with Instruction C.3(a)(1), or provides additional information in accordance with Instruction C.3(c), and such list or additional information exceeds the space available on page two of the model form, such list or additional information may extend to a third page.
(a) Page One. The first page consists of the following components:
(1) Date last revised (upper right-hand corner).
(2) Title.
(3) Key frame (Why?, What?, How?).
(4) Disclosure table (“Reasons we can share your personal information”).
(5) “To limit our sharing” box, as needed, for the financial institution's opt-out information.
(6) “Questions” box, for customer service contact information.
(7) Mail-in opt-out form, as needed.
(b) Page Two. The second page consists of the following components:
(1) Heading (Page 2).
(2) Frequently Asked Questions (“Who we are” and “What we do”).
(3) Definitions.
(4) “Other important information” box, as needed.
3. The Format of the Model Privacy Form
The format of the model form may be modified only as described below.
(a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. While a number of factors together produce easily readable type font, institutions are required to use a minimum of 10-point font (unless otherwise expressly permitted in these Instructions) and sufficient spacing between the lines of type.
(b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page.
(c) Page size and orientation. Each page of the model form must be printed on paper in portrait orientation, the size of which must be sufficient to meet the layout and minimum font size requirements, with sufficient white space on the top, bottom, and sides of the content.
(d) Color. The model form must be printed on white or light color paper (such as cream) with black or other contrasting ink color. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract from the readability of the model form. Logos may also be printed in color.
(e) Languages. The model form may be translated into languages other than English.
C. Information Required in the Model Privacy Form
The information in the model form may be modified only as described below:
1. Name of the Institution or Group of Affiliated Institutions Providing the Notice
Insert the name of the financial institution providing the notice or a common identity of affiliated institutions jointly providing the notice on the form wherever [name of financial institution] appears.
2. Page One
(a) Last revised date. The financial institution must insert in the upper right-hand corner the date on which the notice was last revised. The information shall appear in minimum 8-point font as “rev. [month/year]” using either the name or number of the month, such as “rev. July 2009” or “rev. 7/09”.
(b) General instructions for the “What?” box.
(1) The bulleted list identifies the types of personal information that the institution collects and shares. All institutions must use the term “Social Security number” in the first bullet.
(2) Institutions must use five (5) of the following terms to complete the bulleted list: Income; account balances; payment history; transaction history; transaction or loss history; credit history; credit scores; assets; investment experience; credit-based insurance scores; insurance claim history; medical information; overdraft history; purchase history; account transactions; risk tolerance; medical-related debts; credit card or other debt; mortgage rates and payments; retirement assets; checking account information; employment information; wire transfer instructions.
(c) General instructions for the disclosure table. The left column lists reasons for Start Printed Page 62954sharing or using personal information. Each reason correlates to a specific legal provision described in paragraph C.2(d) of this Instruction. In the middle column, each institution must provide a “Yes” or “No” response that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. In the right column, each institution must provide in each box one of the following three (3) responses, as applicable, that reflects whether a consumer can limit such sharing: “Yes” if it is required to or voluntarily provides an opt-out; “No” if it does not provide an opt-out; or “We don't share” if it answers “No” in the middle column. Only the sixth row (“For our affiliates to market to you”) may be omitted at the option of the institution. See paragraph C.2(d)(6) of this Instruction.
(d) Specific disclosures and corresponding legal provisions.
(1) For our everyday business purposes. This reason incorporates sharing information under §§ 573.14 and 573.15 and with service providers pursuant to § 573.13 of this part other than the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these Instructions.
(2) For our marketing purposes. This reason incorporates sharing information with service providers by an institution for its own marketing pursuant to § 573.13 of this part. An institution that shares for this reason may choose to provide an opt-out.
(3) For joint marketing with other financial companies. This reason incorporates sharing information under joint marketing agreements between two or more financial institutions and with any service provider used in connection with such agreements pursuant to § 573.13 of this part. An institution that shares for this reason may choose to provide an opt-out.
(4) For our affiliates' everyday business purposes—information about transactions and experiences. This reason incorporates sharing information specified in sections 603(d)(2)(A)(i) and (ii) of the FCRA. An institution that shares for this reason may choose to provide an opt-out.
(5) For our affiliates' everyday business purposes—information about creditworthiness. This reason incorporates sharing information pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution that shares for this reason must provide an opt-out.
(6) For our affiliates to market to you. This reason incorporates sharing information specified in section 624 of the FCRA. This reason may be omitted from the disclosure table when: The institution does not have affiliates (or does not disclose personal information to its affiliates); the institution's affiliates do not use personal information in a manner that requires an opt-out; or the institution provides the affiliate marketing notice separately. Institutions that include this reason must provide an opt-out of indefinite duration. An institution that is required to provide an affiliate marketing opt-out, but does not include that opt-out in the model form under this part, must comply with section 624 of the FCRA and 12 CFR part 571, subpart C, with respect to the initial notice and opt-out and any subsequent renewal notice and opt-out. An institution not required to provide an opt-out under this subparagraph may elect to include this reason in the model form.
(7) For nonaffiliates to market to you. This reason incorporates sharing described in §§ 573.7 and 573.10(a) of this part. An institution that shares personal information for this reason must provide an opt-out.
(e) To limit our sharing: A financial institution must include this section of the model form only if it provides an opt-out. The word “choice” may be written in either the singular or plural, as appropriate. Institutions must select one or more of the applicable opt-out methods described: Telephone, such as by a toll-free number; a Web site; or use of a mail-in opt-out form. Institutions may include the words “toll-free” before telephone, as appropriate. An institution that allows consumers to opt out online must provide either a specific Web address that takes consumers directly to the opt-out page or a general Web address that provides a clear and conspicuous direct link to the opt-out page. The opt-out choices made available to the consumer who contacts the institution through these methods must correspond accurately to the “Yes” responses in the third column of the disclosure table. In the part titled “Please note,” institutions may insert a number that is 30 or greater in the space marked “[30].” Instructions on voluntary or state privacy law opt-out information are in paragraph C.2(g)(5) of these Instructions.
(f) Questions box. Customer service contact information must be inserted as appropriate, where [phone number] or [Web site] appear. Institutions may elect to provide either a phone number, such as a toll-free number, or a Web address, or both. Institutions may include the words “toll-free” before the telephone number, as appropriate.
(g) Mail-in opt-out form. Financial institutions must include this mail-in form only if they state in the “To limit our sharing” box that consumers can opt out by mail. The mail-in form must provide opt-out options that correspond accurately to the “Yes” responses in the third column in the disclosure table. Institutions that require customers to provide only name and address may omit the section identified as “[account #].” Institutions that require additional or different information, such as a random opt-out number or a truncated account number, to implement an opt-out election should modify the “[account #]” reference accordingly. This includes institutions that require customers with multiple accounts to identify each account to which the opt-out should apply. An institution must enter its opt-out mailing address: in the far right of this form (see version 3); or below the form (see version 4). The reverse side of the mail-in opt-out form must not include any content of the model form.
(1) Joint accountholder. Only institutions that provide their joint accountholders the choice to opt out for only one accountholder, in accordance with paragraph C.3(a)(5) of these Instructions, must include in the far left column of the mail-in form the following statement: “If you have a joint account, your choice(s) will apply to everyone on your account unless you mark below. □ Apply my choice(s) only to me.” The word “choice” may be written in either the singular or plural, as appropriate. Financial institutions that provide insurance products or services, provide this option, and elect to use the model form may substitute the word “policy” for “account” in this statement. Institutions that do not provide this option may eliminate this left column from the mail-in form.
(2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution shares personal information pursuant to section 603(d)(2)(A)(iii) of the FCRA, it must include in the mail-in opt-out form the following statement: “□ Do not share information about my creditworthiness with your affiliates for their everyday business purposes.”
(3) FCRA Section 624 opt-out. If the institution incorporates section 624 of the FCRA in accord with paragraph C.2(d)(6) of these Instructions, it must include in the mail-in opt-out form the following statement: “□ Do not allow your affiliates to use my personal information to market to me.”
(4) Nonaffiliate opt-out. If the financial institution shares personal information pursuant to § 573.10(a) of this part, it must include in the mail-in opt-out form the following statement: “□ Do not share my personal information with nonaffiliates to market their products and services to me.”
(5) Additional opt-outs. Financial institutions that use the disclosure table to provide opt-out options beyond those required by Federal law must provide those opt-outs in this section of the model form. A financial institution that chooses to offer an opt-out for its own marketing in the mail-in opt-out form must include one of the two following statements: “□ Do not share my personal information to market to me.” or “□ Do not use my personal information to market to me.” A financial institution that chooses to offer an opt-out for joint marketing must include the following statement: “□ Do not share my personal information with other financial institutions to jointly market to me.”
(h) Barcodes. A financial institution may elect to include a barcode and/or “tagline” (an internal identifier) in 6-point font at the bottom of page one, as needed for information internal to the institution, so long as these do not interfere with the clarity or text of the form.
3. Page Two
(a) General Instructions for the Questions. Certain of the Questions may be customized as follows:
(1) “Who is providing this notice?” This question may be omitted where only one financial institution provides the model form and that institution is clearly identified in the title on page one. Two or more financial institutions that jointly provide the model form must use this question to identify themselves as required by § 573.9(f) of this part. Where the list of institutions exceeds four (4) lines, the institution must describe in the response to this question the general types of institutions jointly providing the notice and must separately identify those institutions, in minimum 8-point font, directly following the “Other important Start Printed Page 62955information” box, or, if that box is not included in the institution's form, directly following the “Definitions.” The list may appear in a multi-column format.
(2) “How does [name of financial institution] protect my personal information?” The financial institution may only provide additional information pertaining to its safeguards practices following the designated response to this question. Such information may include information about the institution's use of cookies or other measures it uses to safeguard personal information. Institutions are limited to a maximum of 30 additional words.
(3) “How does [name of financial institution] collect my personal information?” Institutions must use five (5) of the following terms to complete the bulleted list for this question: Open an account; deposit money; pay your bills; apply for a loan; use your credit or debit card; seek financial or tax advice; apply for insurance; pay insurance premiums; file an insurance claim; seek advice about your investments; buy securities from us; sell securities to us; direct us to buy securities; direct us to sell your securities; make deposits or withdrawals from your account; enter into an investment advisory contract; give us your income information; provide employment information; give us your employment history; tell us about your investment or retirement portfolio; tell us about your investment or retirement earnings; apply for financing; apply for a lease; provide account information; give us your contact information; pay us by check; give us your wage statements; provide your mortgage information; make a wire transfer; tell us who receives the money; tell us where to send the money; show your government-issued ID; show your driver's license; order a commodity futures or option trade. Institutions that collect personal information from their affiliates and/or credit bureaus must include after the bulleted list the following statement: “We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.” Institutions that do not collect personal information from their affiliates or credit bureaus but do collect information from other companies must include the following statement instead: “We also collect your personal information from other companies.” Only institutions that do not collect any personal information from affiliates, credit bureaus, or other companies can omit both statements.
(4) “Why can't I limit all sharing?” Institutions that describe state privacy law provisions in the “Other important information” box must use the bracketed sentence: “See below for more on your rights under state law.” Other institutions must omit this sentence.
(5) “What happens when I limit sharing for an account I hold jointly with someone else?” Only financial institutions that provide opt-out options must use this question. Other institutions must omit this question. Institutions must choose one of the following two statements to respond to this question: “Your choices will apply to everyone on your account.” or “Your choices will apply to everyone on your account—unless you tell us otherwise.” Financial institutions that provide insurance products or services and elect to use the model form may substitute the word “policy” for “account” in these statements.
(b) General Instructions for the Definitions.
The financial institution must customize the space below the responses to the three definitions in this section. This specific information must be in italicized lettering to set off the information from the standardized definitions.
(1) Affiliates. As required by § 573.6(a)(3) of this part, where [affiliate information] appears, the financial institution must:
(i) If it has no affiliates, state: “[name of financial institution] has no affiliates;”
(ii) If it has affiliates but does not share personal information, state: “[name of financial institution] does not share with our affiliates”; or
(iii) If it shares with its affiliates, state, as applicable: “Our affiliates include companies with a [common corporate identity of financial institution] name; financial companies such as [insert illustrative list of companies]; nonfinancial companies, such as [insert illustrative list of companies]; and others, such as [insert illustrative list].”
(2) Nonaffiliates. As required by § 573.6(c)(3) of this part, where [nonaffiliate information] appears, the financial institution must:
(i) If it does not share with nonaffiliated third parties, state: “[name of financial institution] does not share with nonaffiliates so they can market to you”; or
(ii) If it shares with nonaffiliated third parties, state, as applicable: “Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].”
(3) Joint Marketing. As required by § 573.13 of this part, where [joint marketing] appears, the financial institution must:
(i) If it does not engage in joint marketing, state: “[name of financial institution] doesn't jointly market”; or
(ii) If it shares personal information for joint marketing, state, as applicable: “Our joint marketing partners include [list categories of companies such as credit card companies].”
(c) General instructions for the “Other important information” box. This box is optional. The space provided for information in this box is not limited. Only the following types of information can appear in this box.
(1) State and/or international privacy law information; and/or
(2) Acknowledgment of receipt form.
Start Amendment Part28. Amend newly redesignated Appendix B to part 573 as follows:
End Amendment Part Start Amendment PartA. Add a new sentence to the beginning of the introductory text as set forth below.
End Amendment Part Start Amendment PartB. Effective January 1, 2012, remove Appendix B to part 573.
End Amendment PartAppendix B to Part 573—Sample Clauses
This Appendix only applies to privacy notices provided before January 1, 2011. * * *
* * * * *National Credit Union Administration
12 CFR Chapter V
Authority and Issuance
Start Amendment PartFor the reasons set forth in the joint preamble, part 716 of chapter V of title 12 of the Code of Federal Regulations is amended as follows:
End Amendment Part Start PartPART 716—PRIVACY OF CONSUMER FINANCIAL INFORMATION
End Part Start Amendment Part29. The authority citation for part 716 continues to read as follows:
End Amendment Part Start Amendment Part30. Revise § 716.2 to read as follows:
End Amendment PartModel privacy form and examples.(a) Model privacy form. Use of the model privacy form in Appendix A of this part, consistent with the instructions in Appendix A, constitutes compliance with the notice content requirements of §§ 716.6 and 716.7 of this part, although use of the model privacy form is not required.
(b) Examples. The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part.
31. In § 716.6:
End Amendment Part Start Amendment PartA. Revise the section heading and paragraph (b), and add paragraphs (f) and (g) to read as set forth below.
End Amendment Part Start Amendment PartB. Effective January 1, 2012, remove paragraph (g).
End Amendment PartInformation to be included in privacy notices.* * * * *(b) Description of nonaffiliated third parties subject to exceptions. If you disclose nonpublic personal information to third parties as authorized under §§ 716.14 and 716.15, you are not required to list those exceptions in the initial or annual privacy notices required by §§ 716.4 and 716.5. When describing the categories with respect to those parties, it is sufficient to state that you make disclosures to other nonaffiliated companies:
(1) For your everyday business purposes, such as [include all that apply] to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus; or
(2) As permitted by law.
* * * * *Start Printed Page 62956(f) Model privacy form. Pursuant to § 716.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part.
(g) Sample clauses. Sample clauses illustrating some of the notice content required by this section are included in Appendix B of this part. Use of a sample clause in a privacy notice provided on or before December 31, 2010, to the extent applicable, constitutes compliance with this part.
32. In § 716.7, add paragraph (i) to read as follows:
End Amendment PartForm of opt-out notice to consumers; opt-out methods.* * * * *(i) Model privacy form. Pursuant to § 716.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part.
Appendix A [Redesignated as Appendix B]
33. Redesignate Appendix A to part 716 as Appendix B to part 716.
End Amendment Part Start Amendment Part34. Add new Appendix A to part 716 to read as follows:
End Amendment PartAppendix A to Part 716—Model Privacy Form
A. The Model Privacy Form
Start Printed Page 62957 Start Printed Page 62958 Start Printed Page 62959 Start Printed Page 62960 Start Printed Page 62961 Start Printed Page 62962 Start Printed Page 62963B. General Instructions
1. How the Model Privacy Form Is Used
(a) The model form may be used, at the option of a financial institution, including a group of financial institutions that use a common privacy notice, to meet the content requirements of the privacy notice and opt-out notice set forth in §§ 716.6 and 716.7 of this part.
(b) The model form is a standardized form, including page layout, content, format, style, pagination, and shading. Institutions seeking to obtain the safe harbor through use of the model form may modify it only as described in these Instructions.
(c) Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681—1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.
(d) The word “customer” may be replaced by the word “member” whenever it appears in the model form, as appropriate.
2. The Contents of the Model Privacy Form
The model form consists of two pages, which may be printed on both sides of a single sheet of paper, or may appear on two separate pages. Where an institution provides a long list of institutions at the end of the model form in accordance with Instruction C.3(a)(1), or provides additional information in accordance with Instruction C.3(c), and such list or additional information exceeds the space available on page two of the model form, such list or additional information may extend to a third page.
(a) Page One. The first page consists of the following components:
(1) Date last revised (upper right-hand corner).
(2) Title.
(3) Key frame (Why?, What?, How?).
(4) Disclosure table (“Reasons we can share your personal information”).
(5) “To limit our sharing” box, as needed, for the financial institution's opt-out information.
(6) “Questions” box, for customer service contact information.
(7) Mail-in opt-out form, as needed.
(b) Page Two. The second page consists of the following components:
(1) Heading (Page 2).
(2) Frequently Asked Questions (“Who we are” and “What we do”).
(3) Definitions.
(4) “Other important information” box, as needed.
3. The Format of the Model Privacy Form
The format of the model form may be modified only as described below.
(a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. While a number of factors together produce easily readable type font, institutions are required to use a minimum of 10-point font (unless otherwise expressly permitted in these Instructions) and sufficient spacing between the lines of type.
(b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page.
(c) Page size and orientation. Each page of the model form must be printed on paper in portrait orientation, the size of which must be sufficient to meet the layout and minimum font size requirements, with sufficient white space on the top, bottom, and sides of the content.
(d) Color. The model form must be printed on white or light color paper (such as cream) with black or other contrasting ink color. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract from the readability of the model form. Logos may also be printed in color.
(e) Languages. The model form may be translated into languages other than English.
C. Information Required in the Model Privacy Form
The information in the model form may be modified only as described below:
1. Name of the Institution or Group of Affiliated Institutions Providing the Notice
Insert the name of the financial institution providing the notice or a common identity of affiliated institutions jointly providing the notice on the form wherever [name of financial institution] appears.
2. Page One
(a) Last revised date. The financial institution must insert in the upper right-hand corner the date on which the notice was last revised. The information shall appear in minimum 8-point font as “rev. [month/year]” using either the name or number of the month, such as “rev. July 2009” or “rev. 7/09”.
(b) General instructions for the “What?” box.
(1) The bulleted list identifies the types of personal information that the institution collects and shares. All institutions must use the term “Social Security number” in the first bullet.
(2) Institutions must use five (5) of the following terms to complete the bulleted list: income; account balances; payment history; transaction history; transaction or loss history; credit history; credit scores; assets; investment experience; credit-based insurance scores; insurance claim history; medical information; overdraft history; purchase history; account transactions; risk tolerance; medical-related debts; credit card or other debt; mortgage rates and payments; retirement assets; checking account information; employment information; wire transfer instructions.
(c) General instructions for the disclosure table. The left column lists reasons for Start Printed Page 62964sharing or using personal information. Each reason correlates to a specific legal provision described in paragraph C.2(d) of this Instruction. In the middle column, each institution must provide a “Yes” or “No” response that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. In the right column, each institution must provide in each box one of the following three (3) responses, as applicable, that reflects whether a consumer can limit such sharing: “Yes” if it is required to or voluntarily provides an opt-out; “No” if it does not provide an opt-out; or “We don't share” if it answers “No” in the middle column. Only the sixth row (“For our affiliates to market to you”) may be omitted at the option of the institution. See paragraph C.2(d)(6) of this Instruction.
(d) Specific disclosures and corresponding legal provisions.
(1) For our everyday business purposes. This reason incorporates sharing information under §§ 716.14 and 716.15 and with service providers pursuant to § 716.13 of this part other than the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these Instructions.
(2) For our marketing purposes. This reason incorporates sharing information with service providers by an institution for its own marketing pursuant to § 716.13 of this part. An institution that shares for this reason may choose to provide an opt-out.
(3) For joint marketing with other financial companies. This reason incorporates sharing information under joint marketing agreements between two or more financial institutions and with any service provider used in connection with such agreements pursuant to § 716.13 of this part. An institution that shares for this reason may choose to provide an opt-out.
(4) For our affiliates' everyday business purposes—information about transactions and experiences. This reason incorporates sharing information specified in sections 603(d)(2)(A)(i) and (ii) of the FCRA. An institution that shares for this reason may choose to provide an opt-out.
(5) For our affiliates' everyday business purposes—information about creditworthiness. This reason incorporates sharing information pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution that shares for this reason must provide an opt-out.
(6) For our affiliates to market to you. This reason incorporates sharing information specified in section 624 of the FCRA. This reason may be omitted from the disclosure table when: the institution does not have affiliates (or does not disclose personal information to its affiliates); the institution's affiliates do not use personal information in a manner that requires an opt-out; or the institution provides the affiliate marketing notice separately. Institutions that include this reason must provide an opt-out of indefinite duration. An institution that is required to provide an affiliate marketing opt-out, but does not include that opt-out in the model form under this part, must comply with section 624 of the FCRA and 12 CFR part 717, subpart C, with respect to the initial notice and opt-out and any subsequent renewal notice and opt-out. An institution not required to provide an opt-out under this subparagraph may elect to include this reason in the model form.
(7) For nonaffiliates to market to you. This reason incorporates sharing described in §§ 716.7 and 716.10(a) of this part. An institution that shares personal information for this reason must provide an opt-out.
(e) To limit our sharing: A financial institution must include this section of the model form only if it provides an opt-out. The word “choice” may be written in either the singular or plural, as appropriate. Institutions must select one or more of the applicable opt-out methods described: telephone, such as by a toll-free number; a Web site; or use of a mail-in opt-out form. Institutions may include the words “toll-free” before telephone, as appropriate. An institution that allows consumers to opt out online must provide either a specific Web address that takes consumers directly to the opt-out page or a general Web address that provides a clear and conspicuous direct link to the opt-out page. The opt-out choices made available to the consumer who contacts the institution through these methods must correspond accurately to the “Yes” responses in the third column of the disclosure table. In the part titled “Please note” institutions may insert a number that is 30 or greater in the space marked “[30].” Instructions on voluntary or state privacy law opt-out information are in paragraph C.2(g)(5) of these Instructions.
(f) Questions box. Customer service contact information must be inserted as appropriate, where [phone number] or [Web site] appear. Institutions may elect to provide either a phone number, such as a toll-free number, or a Web address, or both. Institutions may include the words “toll-free” before the telephone number, as appropriate.
(g) Mail-in opt-out form. Financial institutions must include this mail-in form only if they state in the “To limit our sharing” box that consumers can opt out by mail. The mail-in form must provide opt-out options that correspond accurately to the “Yes” responses in the third column in the disclosure table. Institutions that require customers to provide only name and address may omit the section identified as “[account #].” Institutions that require additional or different information, such as a random opt-out number or a truncated account number, to implement an opt-out election should modify the “[account #]” reference accordingly. This includes institutions that require customers with multiple accounts to identify each account to which the opt-out should apply. An institution must enter its opt-out mailing address: in the far right of this form (see version 3); or below the form (see version 4). The reverse side of the mail-in opt-out form must not include any content of the model form.
(1) Joint accountholder. Only institutions that provide their joint accountholders the choice to opt out for only one accountholder, in accordance with paragraph C.3(a)(5) of these Instructions, must include in the far left column of the mail-in form the following statement: “If you have a joint account, your choice(s) will apply to everyone on your account unless you mark below. □ Apply my choice(s) only to me.” The word “choice” may be written in either the singular or plural, as appropriate. Financial institutions that provide insurance products or services, provide this option, and elect to use the model form may substitute the word “policy” for “account” in this statement. Institutions that do not provide this option may eliminate this left column from the mail-in form.
(2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution shares personal information pursuant to section 603(d)(2)(A)(iii) of the FCRA, it must include in the mail-in opt-out form the following statement: “□ Do not share information about my creditworthiness with your affiliates for their everyday business purposes.”
(3) FCRA Section 624 opt-out. If the institution incorporates section 624 of the FCRA in accord with paragraph C.2(d)(6) of these Instructions, it must include in the mail-in opt-out form the following statement: “□ Do not allow your affiliates to use my personal information to market to me.”
(4) Nonaffiliate opt-out. If the financial institution shares personal information pursuant to § 716.10(a) of this part, it must include in the mail-in opt-out form the following statement: “□ Do not share my personal information with nonaffiliates to market their products and services to me.”
(5) Additional opt-outs. Financial institutions that use the disclosure table to provide opt-out options beyond those required by Federal law must provide those opt-outs in this section of the model form. A financial institution that chooses to offer an opt-out for its own marketing in the mail-in opt-out form must include one of the two following statements: “□ Do not share my personal information to market to me.” or “□ Do not use my personal information to market to me.” A financial institution that chooses to offer an opt-out for joint marketing must include the following statement: “□ Do not share my personal information with other financial institutions to jointly market to me.”
(h) Barcodes. A financial institution may elect to include a barcode and/or “tagline” (an internal identifier) in 6-point font at the bottom of page one, as needed for information internal to the institution, so long as these do not interfere with the clarity or text of the form.
3. Page Two
(a) General Instructions for the Questions. Certain of the Questions may be customized as follows:
(1) “Who is providing this notice?” This question may be omitted where only one financial institution provides the model form and that institution is clearly identified in the title on page one. Two or more financial institutions that jointly provide the model form must use this question to identify themselves as required by § 716.9(f) of this part. Where the list of institutions exceeds four (4) lines, the institution must describe in the response to this question the general types of institutions jointly providing the notice and must separately identify those institutions, in minimum 8-point font, directly following the “Other important Start Printed Page 62965information” box, or, if that box is not included in the institution's form, directly following the “Definitions.” The list may appear in a multi-column format.
(2) “How does [name of financial institution] protect my personal information?” The financial institution may only provide additional information pertaining to its safeguards practices following the designated response to this question. Such information may include information about the institution's use of cookies or other measures it uses to safeguard personal information. Institutions are limited to a maximum of 30 additional words.
(3) “How does [name of financial institution] collect my personal information?” Institutions must use five (5) of the following terms to complete the bulleted list for this question: open an account; deposit money; pay your bills; apply for a loan; use your credit or debit card; seek financial or tax advice; apply for insurance; pay insurance premiums; file an insurance claim; seek advice about your investments; buy securities from us; sell securities to us; direct us to buy securities; direct us to sell your securities; make deposits or withdrawals from your account; enter into an investment advisory contract; give us your income information; provide employment information; give us your employment history; tell us about your investment or retirement portfolio; tell us about your investment or retirement earnings; apply for financing; apply for a lease; provide account information; give us your contact information; pay us by check; give us your wage statements; provide your mortgage information; make a wire transfer; tell us who receives the money; tell us where to send the money; show your government-issued ID; show your driver's license; order a commodity futures or option trade. Institutions that collect personal information from their affiliates and/or credit bureaus must include after the bulleted list the following statement: “We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.” Institutions that do not collect personal information from their affiliates or credit bureaus but do collect information from other companies must include the following statement instead: “We also collect your personal information from other companies.” Only institutions that do not collect any personal information from affiliates, credit bureaus, or other companies can omit both statements.
(4) “Why can't I limit all sharing?” Institutions that describe state privacy law provisions in the “Other important information” box must use the bracketed sentence: “See below for more on your rights under state law.” Other institutions must omit this sentence.
(5) “What happens when I limit sharing for an account I hold jointly with someone else?” Only financial institutions that provide opt-out options must use this question. Other institutions must omit this question. Institutions must choose one of the following two statements to respond to this question: “Your choices will apply to everyone on your account.” or “Your choices will apply to everyone on your account—unless you tell us otherwise.” Financial institutions that provide insurance products or services and elect to use the model form may substitute the word “policy” for “account” in these statements.
(b) General Instructions for the Definitions.
The financial institution must customize the space below the responses to the three definitions in this section. This specific information must be in italicized lettering to set off the information from the standardized definitions.
(1) Affiliates. As required by § 716.6(a)(3) of this part, where [affiliate information] appears, the financial institution must:
(i) If it has no affiliates, state: “[name of financial institution] has no affiliates”;
(ii) If it has affiliates but does not share personal information, state: “[name of financial institution] does not share with our affiliates; or
(iii) If it shares with its affiliates, state, as applicable: “Our affiliates include companies with a [common corporate identity of financial institution] name; financial companies such as [insert illustrative list of companies]; nonfinancial companies, such as [insert illustrative list of companies;] and others, such as [insert illustrative list].”
(2) Nonaffiliates. As required by § 716.6(c)(3) of this part, where [nonaffiliate information] appears, the financial institution must:
(i) If it does not share with nonaffiliated third parties, state: “[name of financial institution] does not share with nonaffiliates so they can market to you”; or
(ii) If it shares with nonaffiliated third parties, state, as applicable: “Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].”
(3) Joint Marketing. As required by § 716.13 of this part, where [joint marketing] appears, the financial institution must:
(i) If it does not engage in joint marketing, state: “[name of financial institution] doesn't jointly market ”; or
(ii) If it shares personal information for joint marketing, state, as applicable: “Our joint marketing partners include [list categories of companies such as credit card companies].”
(c) General instructions for the “Other important information” box. This box is optional. The space provided for information in this box is not limited. Only the following types of information can appear in this box.
(1) State and/or international privacy law information; and/or
(2) Acknowledgment of receipt form.
Start Amendment Part35. Amend newly redesignated Appendix B to part 716 as follows:
End Amendment Part Start Amendment PartA. Add a new sentence to the beginning of the introductory text as set forth below.
End Amendment Part Start Amendment PartB. Effective January 1, 2012, remove Appendix B to part 716.
End Amendment PartAppendix B to Part 716—Sample Clauses
This Appendix only applies to privacy notices provided before January 1, 2011. * * *
* * * * *Federal Trade Commission
16 CFR Chapter I
Start Amendment PartFor the reasons set forth in the joint preamble, the Federal Trade Commission amends part 313 of chapter I of title 16 of the Code of Federal Regulations as follows:
End Amendment Part Start PartPART 313—PRIVACY OF CONSUMER FINANCIAL INFORMATION
End Part Start Amendment Part36. The authority citation for part 313 continues to read as follows:
End Amendment Part Start Amendment Part37. Revise § 313.2 to read as follows:
End Amendment PartModel privacy form and examples.(a) Model privacy form. Use of the model privacy form in Appendix A of this part, consistent with the instructions in Appendix A, constitutes compliance with the notice content requirements of §§ 313.6 and 313.7 of this part, although use of the model privacy form is not required.
(b) Examples. The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part.
38. In § 313.6:
End Amendment Part Start Amendment PartA. Revise paragraphs (b) and (f), and add paragraph (g) to read as set forth below.
End Amendment Part Start Amendment PartB. Effective January 1, 2012, remove paragraph (g).
End Amendment PartInformation to be included in privacy notices.* * * * *(b) Description of nonaffiliated third parties subject to exceptions. If you disclose nonpublic personal information to third parties as authorized under §§ 313.14 and 313.15, you are not required to list those exceptions in the initial or annual privacy notices required by §§ 313.4 and 313.5. When describing the categories with respect to those parties, it is sufficient to state that you make disclosures to other nonaffiliated companies for your everyday business purposes, such as to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus.
* * * * *(f) Model privacy form. Pursuant to § 313.2(a) of this part, a model privacy form that meets the notice content Start Printed Page 62966requirements of this section is included in Appendix A of this part.
(g) Sample clauses and description of nonaffiliated third parties subject to exceptions.
(1) Sample clauses. Sample clauses illustrating some of the notice content required by this section are included in Appendix B of this part. Use of a sample clause in a privacy notice provided on or before December 31, 2010, to the extent applicable, constitutes compliance with this part.
(2) Description of nonaffiliated third parties subject to exceptions. For a privacy notice provided on or before December 31, 2010, if you disclose nonpublic personal information to third parties as authorized under §§ 313.14 and 313.15, when describing the categories with respect to those parties, it is sufficient to state, as an alternative to the language in the second sentence of paragraph (b) of this section, that you make disclosures to other nonaffiliated third parties as permitted by law.
39. In § 313.7, add paragraph (i) to read as follows:
End Amendment PartForm of opt-out notice to consumers; opt-out methods.* * * * *(i) Model privacy form. Pursuant to § 313.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part.
Appendix A [Redesignated as Appendix B]
40. Redesignate Appendix A to part 313 as Appendix B to part 313.
End Amendment Part Start Amendment Part41. Add new Appendix A to part 313 to read as follows:
End Amendment PartAppendix A to Part 313—Model Privacy Form
A. The Model Privacy Form
Start Printed Page 62967 Start Printed Page 62968 Start Printed Page 62969 Start Printed Page 62970 Start Printed Page 62971 Start Printed Page 62972B. General Instructions
1. How the Model Privacy Form is Used
(a) The model form may be used, at the option of a financial institution, including a group of financial institutions that use a common privacy notice, to meet the content requirements of the privacy notice and opt-out notice set forth in §§ 313.6 and 313.7 of this part.
(b) The model form is a standardized form, including page layout, content, format, style, pagination, and shading. Institutions seeking to obtain the safe harbor through use of the model form may modify it only as described in these Instructions.
(c) Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681-1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.
(d) The word “customer” may be replaced by the word “member” whenever it appears in the model form, as appropriate.
2. The Contents of the Model Privacy Form
The model form consists of two pages, which may be printed on both sides of a single sheet of paper, or may appear on two separate pages. Where an institution provides a long list of institutions at the end of the model form in accordance with Instruction C.3(a)(1), or provides additional information in accordance with Instruction C.3(c), and such list or additional information exceeds the space available on page two of the model form, such list or additional information may extend to a third page.
(a) Page One. The first page consists of the following components:
(1) Date last revised (upper right-hand corner).
(2) Title.
(3) Key frame (Why?, What?, How?).
(4) Disclosure table (“Reasons we can share your personal information”).
(5) “To limit our sharing” box, as needed, for the financial institution's opt-out information.
(6) “Questions” box, for customer service contact information.
(7) Mail-in opt-out form, as needed.
(b) Page Two. The second page consists of the following components:
(1) Heading (Page 2).
(2) Frequently Asked Questions (“Who we are” and “What we do”).
(3) Definitions.
(4) “Other important information” box, as needed.
3. The Format of the Model Privacy Form
The format of the model form may be modified only as described below.
(a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. While a number of factors together produce an easily readable type font, institutions are required to use a minimum of 10-point font (unless otherwise expressly permitted in these Instructions) and sufficient spacing between the lines of type.
(b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page.
(c) Page size and orientation. Each page of the model form must be printed on paper in portrait orientation, the size of which must be sufficient to meet the layout and minimum font size requirements, with sufficient white space on the top, bottom, and sides of the content.
(d) Color. The model form must be printed on white or light color paper (such as cream) with black or other contrasting ink color. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract from the readability of the model form. Logos may also be printed in color.
(e) Languages. The model form may be translated into languages other than English.
C. Information Required in the Model Privacy Form
The information in the model form may be modified only as described below:
1. Name of the Institution or Group of Affiliated Institutions Providing the Notice
Insert the name of the financial institution providing the notice or a common identity of affiliated institutions jointly providing the notice on the form wherever [name of financial institution] appears.
2. Page One
(a) Last revised date. The financial institution must insert in the upper right-hand corner the date on which the notice was last revised. The information shall appear in minimum 8-point font as “rev. [month/year]” using either the name or number of the month, such as “rev. July 2009” or “rev. 7/09”.
(b) General instructions for the “What?” box.
(1) The bulleted list identifies the types of personal information that the institution collects and shares. All institutions must use the term “Social Security number” in the first bullet.
(2) Institutions must use five (5) of the following terms to complete the bulleted list: income; account balances; payment history; transaction history; transaction or loss history; credit history; credit scores; assets; investment experience; credit-based insurance scores; insurance claim history; medical information; overdraft history; purchase history; account transactions; risk tolerance; medical-related debts; credit card or other debt; mortgage rates and payments; retirement assets; checking account information; employment information; wire transfer instructions.
(c) General instructions for the disclosure table. The left column lists reasons for Start Printed Page 62973sharing or using personal information. Each reason correlates to a specific legal provision described in paragraph C.2(d) of this Instruction. In the middle column, each institution must provide a “Yes” or “No” response that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. In the right column, each institution must provide in each box one of the following three (3) responses, as applicable, that reflects whether a consumer can limit such sharing: “Yes” if it is required to or voluntarily provides an opt-out; “No” if it does not provide an opt-out; or “We don't share” if it answers “No” in the middle column. Only the sixth row (“For our affiliates to market to you”) may be omitted at the option of the institution. See paragraph C.2(d)(6) of this Instruction.
(d) Specific disclosures and corresponding legal provisions.
(1) For our everyday business purposes. This reason incorporates sharing information under §§ 313.14 and 313.15 and with service providers pursuant to § 313.13 of this part other than the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these Instructions.
(2) For our marketing purposes. This reason incorporates sharing information with service providers by an institution for its own marketing pursuant to § 313.13 of this part. An institution that shares for this reason may choose to provide an opt-out.
(3) For joint marketing with other financial companies. This reason incorporates sharing information under joint marketing agreements between two or more financial institutions and with any service provider used in connection with such agreements pursuant to § 313.13 of this part. An institution that shares for this reason may choose to provide an opt-out.
(4) For our affiliates' everyday business purposes—information about transactions and experiences. This reason incorporates sharing information specified in sections 603(d)(2)(A)(i) and (ii) of the FCRA. An institution that shares for this reason may choose to provide an opt-out.
(5) For our affiliates' everyday business purposes—information about creditworthiness. This reason incorporates sharing information pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution that shares for this reason must provide an opt-out.
(6) For our affiliates to market to you. This reason incorporates sharing information specified in section 624 of the FCRA. This reason may be omitted from the disclosure table when: the institution does not have affiliates (or does not disclose personal information to its affiliates); the institution's affiliates do not use personal information in a manner that requires an opt-out; or the institution provides the affiliate marketing notice separately. Institutions that include this reason must provide an opt-out of indefinite duration. An institution that is required to provide an affiliate marketing opt-out, but does not include that opt-out in the model form under this part, must comply with section 624 of the FCRA and 16 CFR parts 680 and 698 with respect to the initial notice and opt-out and any subsequent renewal notice and opt-out. An institution not required to provide an opt-out under this subparagraph may elect to include this reason in the model form.
(7) For nonaffiliates to market to you. This reason incorporates sharing described in §§ 313.7 and 313.10(a) of this part. An institution that shares personal information for this reason must provide an opt-out.
(e) To limit our sharing: A financial institution must include this section of the model form only if it provides an opt-out. The word “choice” may be written in either the singular or plural, as appropriate. Institutions must select one or more of the applicable opt-out methods described: telephone, such as by a toll-free number; a Web site; or use of a mail-in opt-out form. Institutions may include the words “toll-free” before telephone, as appropriate. An institution that allows consumers to opt out online must provide either a specific Web address that takes consumers directly to the opt-out page or a general Web address that provides a clear and conspicuous direct link to the opt-out page. The opt-out choices made available to the consumer who contacts the institution through these methods must correspond accurately to the “Yes” responses in the third column of the disclosure table. In the part titled “Please note” institutions may insert a number that is 30 or greater in the space marked “[30].” Instructions on voluntary or state privacy law opt-out information are in paragraph C.2(g)(5) of these Instructions.
(f) Questions box. Customer service contact information must be inserted as appropriate, where [phone number] or [Web site] appear. Institutions may elect to provide either a phone number, such as a toll-free number, or a Web address, or both. Institutions may include the words “toll-free” before the telephone number, as appropriate.
(g) Mail-in opt-out form. Financial institutions must include this mail-in form only if they state in the “To limit our sharing” box that consumers can opt out by mail. The mail-in form must provide opt-out options that correspond accurately to the “Yes” responses in the third column in the disclosure table. Institutions that require customers to provide only name and address may omit the section identified as “[account #].” Institutions that require additional or different information, such as a random opt-out number or a truncated account number, to implement an opt-out election should modify the “[account #]” reference accordingly. This includes institutions that require customers with multiple accounts to identify each account to which the opt-out should apply. An institution must enter its opt-out mailing address: In the far right of this form (see version 3); or below the form (see version 4). The reverse side of the mail-in opt-out form must not include any content of the model form.
(1) Joint accountholder. Only institutions that provide their joint accountholders the choice to opt out for only one accountholder, in accordance with paragraph C.3(a)(5) of these Instructions, must include in the far left column of the mail-in form the following statement: “If you have a joint account, your choice(s) will apply to everyone on your account unless you mark below. □ Apply my choice(s) only to me.” The word “choice” may be written in either the singular or plural, as appropriate. Financial institutions that provide insurance products or services, provide this option, and elect to use the model form may substitute the word “policy” for “account” in this statement. Institutions that do not provide this option may eliminate this left column from the mail-in form.
(2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution shares personal information pursuant to section 603(d)(2)(A)(iii) of the FCRA, it must include in the mail-in opt-out form the following statement: “□ Do not share information about my creditworthiness with your affiliates for their everyday business purposes.”
(3) FCRA Section 624 opt-out. If the institution incorporates section 624 of the FCRA in accord with paragraph C.2(d)(6) of these Instructions, it must include in the mail-in opt-out form the following statement: “□ Do not allow your affiliates to use my personal information to market to me.”
(4) Nonaffiliate opt-out. If the financial institution shares personal information pursuant to § 313.10(a) of this part, it must include in the mail-in opt-out form the following statement: “□ Do not share my personal information with nonaffiliates to market their products and services to me.”
(5) Additional opt-outs. Financial institutions that use the disclosure table to provide opt-out options beyond those required by Federal law must provide those opt-outs in this section of the model form. A financial institution that chooses to offer an opt-out for its own marketing in the mail-in opt-out form must include one of the two following statements: “□ Do not share my personal information to market to me.” or “□ Do not use my personal information to market to me.” A financial institution that chooses to offer an opt-out for joint marketing must include the following statement: “□ Do not share my personal information with other financial institutions to jointly market to me.”
(h) Barcodes. A financial institution may elect to include a barcode and/or “tagline” (an internal identifier) in 6-point font at the bottom of page one, as needed for information internal to the institution, so long as these do not interfere with the clarity or text of the form.
3. Page Two
(a) General Instructions for the Questions. Certain of the Questions may be customized as follows:
(1) “Who is providing this notice?” This question may be omitted where only one financial institution provides the model form and that institution is clearly identified in the title on page one. Two or more financial institutions that jointly provide the model form must use this question to identify themselves as required by § 313.9(f) of this part. Where the list of institutions exceeds four (4) lines, the institution must describe in the response to this question the general types of institutions jointly providing the notice and must separately identify those institutions, in minimum 8-point font, directly following the “Other important Start Printed Page 62974information” box, or, if that box is not included in the institution's form, directly following the “Definitions.” The list may appear in a multi-column format.
(2) “How does [name of financial institution] protect my personal information?” The financial institution may only provide additional information pertaining to its safeguards practices following the designated response to this question. Such information may include information about the institution's use of cookies or other measures it uses to safeguard personal information. Institutions are limited to a maximum of 30 additional words.
(3) “How does [name of financial institution] collect my personal information?” Institutions must use five (5) of the following terms to complete the bulleted list for this question: Open an account; deposit money; pay your bills; apply for a loan; use your credit or debit card; seek financial or tax advice; apply for insurance; pay insurance premiums; file an insurance claim; seek advice about your investments; buy securities from us; sell securities to us; direct us to buy securities; direct us to sell your securities; make deposits or withdrawals from your account; enter into an investment advisory contract; give us your income information; provide employment information; give us your employment history; tell us about your investment or retirement portfolio; tell us about your investment or retirement earnings; apply for financing; apply for a lease; provide account information; give us your contact information; pay us by check; give us your wage statements; provide your mortgage information; make a wire transfer; tell us who receives the money; tell us where to send the money; show your government-issued ID; show your driver's license; order a commodity futures or option trade. Institutions that collect personal information from their affiliates and/or credit bureaus must include after the bulleted list the following statement: “We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.” Institutions that do not collect personal information from their affiliates or credit bureaus but do collect information from other companies must include the following statement instead: “We also collect your personal information from other companies.” Only institutions that do not collect any personal information from affiliates, credit bureaus, or other companies can omit both statements.
(4) “Why can't I limit all sharing?” Institutions that describe state privacy law provisions in the “Other important information” box must use the bracketed sentence: “See below for more on your rights under state law.” Other institutions must omit this sentence.
(5) “What happens when I limit sharing for an account I hold jointly with someone else?” Only financial institutions that provide opt-out options must use this question. Other institutions must omit this question. Institutions must choose one of the following two statements to respond to this question: “Your choices will apply to everyone on your account.” or “Your choices will apply to everyone on your account—unless you tell us otherwise.” Financial institutions that provide insurance products or services and elect to use the model form may substitute the word “policy” for “account” in these statements.
(b) General Instructions for the Definitions.
The financial institution must customize the space below the responses to the three definitions in this section. This specific information must be in italicized lettering to set off the information from the standardized definitions.
(1) Affiliates. As required by § 313.6(a)(3) of this part, where [affiliate information] appears, the financial institution must:
(i) If it has no affiliates, state: “[name of financial institution] has no affiliates”;
(ii) If it has affiliates but does not share personal information, state: “[name of financial institution] does not share with our affiliates”; or
(iii) If it shares with its affiliates, state, as applicable: “Our affiliates include companies with a [common corporate identity of financial institution] name; financial companies such as [insert illustrative list of companies]; nonfinancial companies, such as [insert illustrative list of companies;] and others, such as [insert illustrative list].”
(2) Nonaffiliates. As required by § 313.6(c)(3) of this part, where [nonaffiliate information] appears, the financial institution must:
(i) If it does not share with nonaffiliated third parties, state: “[name of financial institution] does not share with nonaffiliates so they can market to you”; or
(ii) If it shares with nonaffiliated third parties, state, as applicable: “Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].”
(3) Joint Marketing. As required by § 313.13 of this part, where [joint marketing] appears, the financial institution must:
(i) If it does not engage in joint marketing, state: “[name of financial institution ] doesn't jointly market”; or
(ii) If it shares personal information for joint marketing, state, as applicable: “Our joint marketing partners include [list categories of companies such as credit card companies].”
(c) General instructions for the “Other important information” box. This box is optional. The space provided for information in this box is not limited. Only the following types of information can appear in this box.
(1) State and/or international privacy law information; and/or
(2) Acknowledgment of receipt form.
Start Amendment Part42. Amend newly redesignated Appendix B to part 313 as follows:
End Amendment Part Start Amendment PartA. Add a new sentence to the beginning of the introductory text as set forth below.
End Amendment Part Start Amendment PartB. Effective January 1, 2012, remove Appendix B to part 313.
End Amendment PartAppendix B to Part 313—Sample Clauses
This Appendix only applies to privacy notices provided before January 1, 2011. * * *
* * * * *Commodity Futures Trading Commission
17 CFR Chapter I
Authority and Issuance
Start Amendment PartFor the reasons set forth in the joint preamble, part 160 of chapter I of title 17 of the Code of Federal Regulations is amended as follows:
End Amendment Part Start PartPART 160—PRIVACY OF CONSUMER FINANCIAL INFORMATION
End Part Start Amendment Part43. The authority citation for part 160 continues to read as follows:
End Amendment Part Start Amendment Part44. Revise § 160.2 to read as follows:
End Amendment PartModel privacy form and examples.(a) Model privacy form. Use of the model privacy form in Appendix A of this part, consistent with the instructions in Appendix A, constitutes compliance with the notice content requirements of §§ 160.6 and 160.7 of this part, although use of the model privacy form is not required.
(b) Examples. The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part.
45. In § 160.6:
End Amendment Part Start Amendment PartA. Revise paragraphs (b) and (f), and add paragraph (g) to read as set forth below.
End Amendment Part Start Amendment PartB. Effective January 1, 2012, remove paragraph (g).
End Amendment PartInformation to be included in privacy notices.* * * * *(b) Description of nonaffiliated third parties subject to exceptions. If you disclose nonpublic personal information to third parties as authorized under §§ 160.14 and 160.15, you are not required to list those exceptions in the initial or annual privacy notices required by §§ 160.4 and 160.5. When describing the categories with respect to those parties, it is sufficient to state that you make disclosures to other nonaffiliated companies:
(1) For your everyday business purposes, such as [include all that apply] to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus; orStart Printed Page 62975
(2) As permitted by law.
* * * * *(f) Model privacy form. Pursuant to § 160.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part.
(g) Sample clauses. Sample clauses illustrating some of the notice content required by this section are included in Appendix B of this part. Use of a sample clause in a privacy notice provided on or before December 31, 2010, to the extent applicable, constitutes compliance with this part.
46. In § 160.7, add paragraph (i) to read as follows:
End Amendment PartForm of opt-out notice to consumers; opt-out methods.* * * * *(i) Model privacy form. Pursuant to § 160.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part.
Appendix A [Redesignated as Appendix B]
Start Amendment Part47. Redesignate Appendix A to part 160 as Appendix B to part 160.
End Amendment Part Start Amendment Part48. Add new Appendix A to part 160 to read as follows:
End Amendment PartAppendix A to Part 160—Model Privacy Form
A. The Model Privacy Form
Start Printed Page 62976 Start Printed Page 62977 Start Printed Page 62978 Start Printed Page 62979 Start Printed Page 62980 Start Printed Page 62981 Start Printed Page 62982B. General Instructions
1. How the Model Privacy Form Is Used
(a) The model form may be used, at the option of a financial institution, including a group of financial institutions that use a common privacy notice, to meet the content requirements of the privacy notice and opt-out notice set forth in §§ 160.6 and 160.7 of this part.
(b) The model form is a standardized form, including page layout, content, format, style, pagination, and shading. Institutions seeking to obtain the safe harbor through use of the model form may modify it only as described in these Instructions.
(c) Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681-1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.
(d) The word “customer” may be replaced by the word “member” whenever it appears in the model form, as appropriate.
2. The Contents of the Model Privacy Form
The model form consists of two pages, which may be printed on both sides of a single sheet of paper, or may appear on two separate pages. Where an institution provides a long list of institutions at the end of the model form in accordance with Instruction C.3(a)(1), or provides additional information in accordance with Instruction C.3(c), and such list or additional information exceeds the space available on page two of the model form, such list or additional information may extend to a third page.
(a) Page One. The first page consists of the following components:
(1) Date last revised (upper right-hand corner).
(2) Title.
(3) Key frame (Why?, What?, How?).
(4) Disclosure table (“Reasons we can share your personal information”).
(5) “To limit our sharing” box, as needed, for the financial institution's opt-out information.
(6) “Questions” box, for customer service contact information.
(7) Mail-in opt-out form, as needed.
(b) Page Two. The second page consists of the following components:
(1) Heading (Page 2).
(2) Frequently Asked Questions (“Who we are” and “What we do”).
(3) Definitions.
(4) “Other important information” box, as needed.
3. The Format of the Model Privacy Form
The format of the model form may be modified only as described below.
(a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. While a number of factors together produce easily readable type font, institutions are required to use a minimum of 10-point font (unless otherwise expressly permitted in these Instructions) and sufficient spacing between the lines of type.
(b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page.
(c) Page size and orientation. Each page of the model form must be printed on paper in portrait orientation, the size of which must be sufficient to meet the layout and minimum font size requirements, with sufficient white space on the top, bottom, and sides of the content.
(d) Color. The model form must be printed on white or light color paper (such as cream) with black or other contrasting ink color. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract from the readability of the model form. Logos may also be printed in color.
(e) Languages. The model form may be translated into languages other than English.
C. Information Required in the Model Privacy Form
The information in the model form may be modified only as described below:
1. Name of the Institution or Group of Affiliated Institutions Providing the Notice
Insert the name of the financial institution providing the notice or a common identity of affiliated institutions jointly providing the notice on the form wherever [name of financial institution] appears.
2. Page One
(a) Last revised date. The financial institution must insert in the upper right-hand corner the date on which the notice was last revised. The information shall appear in minimum 8-point font as “rev. [month/year]” using either the name or number of the month, such as “rev. July 2009” or “rev. 7/09”.
(b) General instructions for the “What?” box.
(1) The bulleted list identifies the types of personal information that the institution collects and shares. All institutions must use the term “Social Security number” in the first bullet.
(2) Institutions must use five (5) of the following terms to complete the bulleted list: income; account balances; payment history; transaction history; transaction or loss history; credit history; credit scores; assets; investment experience; credit-based insurance scores; insurance claim history; medical information; overdraft history; purchase history; account transactions; risk tolerance; medical-related debts; credit card or other debt; mortgage rates and payments; retirement assets; checking account information; employment information; wire transfer instructions.
(c) General instructions for the disclosure table. The left column lists reasons for Start Printed Page 62983sharing or using personal information. Each reason correlates to a specific legal provision described in paragraph C.2(d) of this Instruction. In the middle column, each institution must provide a “Yes” or “No” response that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. In the right column, each institution must provide in each box one of the following three (3) responses, as applicable, that reflects whether a consumer can limit such sharing: “Yes” if it is required to or voluntarily provides an opt-out; “No” if it does not provide an opt-out; or “We don't share” if it answers “No” in the middle column. Only the sixth row (“For our affiliates to market to you”) may be omitted at the option of the institution. See paragraph C.2(d)(6) of this Instruction.
(d) Specific disclosures and corresponding legal provisions.
(1) For our everyday business purposes. This reason incorporates sharing information under §§ 160.14 and 160.15 and with service providers pursuant to § 160.13 of this part other than the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these Instructions.
(2) For our marketing purposes. This reason incorporates sharing information with service providers by an institution for its own marketing pursuant to § 160.13 of this part. An institution that shares for this reason may choose to provide an opt-out.
(3) For joint marketing with other financial companies. This reason incorporates sharing information under joint marketing agreements between two or more financial institutions and with any service provider used in connection with such agreements pursuant to § 160.13 of this part. An institution that shares for this reason may choose to provide an opt-out.
(4) For our affiliates' everyday business purposes—information about transactions and experiences. This reason incorporates sharing information specified in sections 603(d)(2)(A)(i) and (ii) of the FCRA. An institution that shares for this reason may choose to provide an opt-out.
(5) For our affiliates' everyday business purposes—information about creditworthiness. This reason incorporates sharing information pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution that shares for this reason must provide an opt-out.
(6) For our affiliates to market to you. This reason incorporates sharing information specified in section 624 of the FCRA. This reason may be omitted from the disclosure table when: the institution does not have affiliates (or does not disclose personal information to its affiliates); the institution's affiliates do not use personal information in a manner that requires an opt-out; or the institution provides the affiliate marketing notice separately. Institutions that include this reason must provide an opt-out of indefinite duration. An institution not required to provide an opt-out under this subparagraph may elect to include this reason in the model form. Note: The CFTC's Regulations do not address the affiliate marketing rule.
(7) For nonaffiliates to market to you. This reason incorporates sharing described in §§ 160.7 and 160.10(a) of this part. An institution that shares personal information for this reason must provide an opt-out.
(e) To limit our sharing: A financial institution must include this section of the model form only if it provides an opt-out. The word “choice” may be written in either the singular or plural, as appropriate. Institutions must select one or more of the applicable opt-out methods described: telephone, such as by a toll-free number; a Website; or use of a mail-in opt-out form. Institutions may include the words “toll-free” before telephone, as appropriate. An institution that allows consumers to opt out online must provide either a specific Web address that takes consumers directly to the opt-out page or a general Web address that provides a clear and conspicuous direct link to the opt-out page. The opt-out choices made available to the consumer who contacts the institution through these methods must correspond accurately to the “Yes” responses in the third column of the disclosure table. In the part titled “Please note” institutions may insert a number that is 30 or greater in the space marked “[30].” Instructions on voluntary or state privacy law opt-out information are in paragraph C.2(g)(5) of these Instructions.
(f) Questions box. Customer service contact information must be inserted as appropriate, where [phone number] or [website] appear. Institutions may elect to provide either a phone number, such as a toll-free number, or a Web address, or both. Institutions may include the words “toll-free” before the telephone number, as appropriate.
(g) Mail-in opt-out form. Financial institutions must include this mail-in form only if they state in the “To limit our sharing” box that consumers can opt out by mail. The mail-in form must provide opt-out options that correspond accurately to the “Yes” responses in the third column in the disclosure table. Institutions that require customers to provide only name and address may omit the section identified as “[account #].” Institutions that require additional or different information, such as a random opt-out number or a truncated account number, to implement an opt-out election should modify the “[account #]” reference accordingly. This includes institutions that require customers with multiple accounts to identify each account to which the opt-out should apply. An institution must enter its opt-out mailing address: in the far right of this form (see version 3); or below the form (see version 4). The reverse side of the mail-in opt-out form must not include any content of the model form.
(1) Joint accountholder. Only institutions that provide their joint accountholders the choice to opt out for only one accountholder, in accordance with paragraph C.3(a)(5) of these Instructions, must include in the far left column of the mail-in form the following statement: “If you have a joint account, your choice(s) will apply to everyone on your account unless you mark below.□ Apply my choice(s) only to me.” The word “choice” may be written in either the singular or plural, as appropriate. Financial institutions that provide insurance products or services, provide this option, and elect to use the model form may substitute the word “policy” for “account” in this statement. Institutions that do not provide this option may eliminate this left column from the mail-in form.
(2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution shares personal information pursuant to section 603(d)(2)(A)(iii) of the FCRA, it must include in the mail-in opt-out form the following statement: “□ Do not share information about my creditworthiness with your affiliates for their everyday business purposes.”
(3) FCRA Section 624 opt-out. If the institution incorporates section 624 of the FCRA in accord with paragraph C.2(d)(6) of these Instructions, it must include in the mail-in opt-out form the following statement: “□ Do not allow your affiliates to use my personal information to market to me.”
(4) Nonaffiliate opt-out. If the financial institution shares personal information pursuant to § 160.10(a) of this part, it must include in the mail-in opt-out form the following statement: “□ Do not share my personal information with nonaffiliates to market their products and services to me.”
(5) Additional opt-outs. Financial institutions that use the disclosure table to provide opt-out options beyond those required by Federal law must provide those opt-outs in this section of the model form. A financial institution that chooses to offer an opt-out for its own marketing in the mail-in opt-out form must include one of the two following statements: “□ Do not share my personal information to market to me.” or “□ Do not use my personal information to market to me.” A financial institution that chooses to offer an opt-out for joint marketing must include the following statement: “□ Do not share my personal information with other financial institutions to jointly market to me.”
(h) Barcodes. A financial institution may elect to include a barcode and/or “tagline” (an internal identifier) in 6-point font at the bottom of page one, as needed for information internal to the institution, so long as these do not interfere with the clarity or text of the form.
3. Page Two
(a) General Instructions for the Questions. Certain of the Questions may be customized as follows:
(1) “Who is providing this notice?” This question may be omitted where only one financial institution provides the model form and that institution is clearly identified in the title on page one. Two or more financial institutions that jointly provide the model form must use this question to identify themselves as required by § 160.9(f) of this part. Where the list of institutions exceeds four (4) lines, the institution must describe in the response to this question the general types of institutions jointly providing the notice and must separately identify those institutions, in minimum 8-point font, directly following the “Other important information” box, or, if that box is not included in the institution's form, directly following the “Definitions.” The list may appear in a multi-column format.Start Printed Page 62984
(2) “How does [name of financial institution] protect my personal information?” The financial institution may only provide additional information pertaining to its safeguards practices following the designated response to this question. Such information may include information about the institution's use of cookies or other measures it uses to safeguard personal information. Institutions are limited to a maximum of 30 additional words.
(3) “How does [name of financial institution ] collect my personal information?” Institutions must use five (5) of the following terms to complete the bulleted list for this question: Open an account; deposit money; pay your bills; apply for a loan; use your credit or debit card; seek financial or tax advice; apply for insurance; pay insurance premiums; file an insurance claim; seek advice about your investments; buy securities from us; sell securities to us; direct us to buy securities; direct us to sell your securities; make deposits or withdrawals from your account; enter into an investment advisory contract; give us your income information; provide employment information; give us your employment history; tell us about your investment or retirement portfolio; tell us about your investment or retirement earnings; apply for financing; apply for a lease; provide account information; give us your contact information; pay us by check; give us your wage statements; provide your mortgage information; make a wire transfer; tell us who receives the money; tell us where to send the money; show your government-issued ID; show your driver's license; order a commodity futures or option trade. Institutions that collect personal information from their affiliates and/or credit bureaus must include after the bulleted list the following statement: “We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.” Institutions that do not collect personal information from their affiliates or credit bureaus but do collect information from other companies must include the following statement instead: “We also collect your personal information from other companies.” Only institutions that do not collect any personal information from affiliates, credit bureaus, or other companies can omit both statements.
(4) “Why can't I limit all sharing?” Institutions that describe state privacy law provisions in the “Other important information” box must use the bracketed sentence: “See below for more on your rights under state law.” Other institutions must omit this sentence.
(5) “What happens when I limit sharing for an account I hold jointly with someone else?” Only financial institutions that provide opt-out options must use this question. Other institutions must omit this question. Institutions must choose one of the following two statements to respond to this question: “Your choices will apply to everyone on your account.” or “Your choices will apply to everyone on your account—unless you tell us otherwise.” Financial institutions that provide insurance products or services and elect to use the model form may substitute the word “policy” for “account” in these statements.
(b) General Instructions for the Definitions.
The financial institution must customize the space below the responses to the three definitions in this section. This specific information must be in italicized lettering to set off the information from the standardized definitions.
(1) Affiliates. As required by § 160.6(a)(3) of this part, where [affiliate information] appears, the financial institution must:
(i) If it has no affiliates, state: “[name of financial institution] has no affiliates”;
(ii) If it has affiliates but does not share personal information, state: “[name of financial institution] does not share with our affiliates”; or
(iii) If it shares with its affiliates, state, as applicable: “Our affiliates include companies with a [common corporate identity of financial institution] name; financial companies such as [insert illustrative list of companies]; nonfinancial companies, such as [insert illustrative list of companies]; and others, such as [insert illustrative list].”
(2) Nonaffiliates. As required by § 160.6(c)(3) of this part, where [nonaffiliate information] appears, the financial institution must:
(i) If it does not share with nonaffiliated third parties, state: “[name of financial institution] does not share with nonaffiliates so they can market to you”; or
(ii) If it shares with nonaffiliated third parties, state, as applicable: “Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].”
(3) Joint Marketing. As required by § 160.13 of this part, where [joint marketing] appears, the financial institution must:
(i) If it does not engage in joint marketing, state: “[name of financial institution] doesn't jointly market”; or
(ii) If it shares personal information for joint marketing, state, as applicable: “Our joint marketing partners include [list categories of companies such as credit card companies].”
(c) General instructions for the “Other important information” box. This box is optional. The space provided for information in this box is not limited. Only the following types of information can appear in this box.
(1) State and/or international privacy law information; and/or
(2) Acknowledgment of receipt form.
Start Amendment Part49. Amend newly redesignated Appendix B to part 160 as follows:
End Amendment Part Start Amendment PartA. Add a new sentence to the beginning of the introductory text as set forth below.
End Amendment Part Start Amendment PartB. Effective January 1, 2012, remove Appendix B to part 160.
End Amendment PartAppendix B to Part 160—Sample Clauses
This Appendix only applies to privacy notices provided before January 1, 2011. * * *
* * * * *Securities and Exchange Commission
Statutory Authority
Start Amendment PartThe Commission is amending Regulation S-P pursuant to authority set forth in section 728 of the Regulatory Relief Act [Pub. L. 109-351], section 504 of the GLB Act [15 U.S.C. 6804], section 23 of the Securities Exchange Act [15 U.S.C. 78w], section 38(a) of the Investment Company Act [15 U.S.C. 80a-37(a)], and section 211 of the Investment Advisers Act [15 U.S.C. 80b-11].
End Amendment PartText of Amendments
Start Amendment PartFor the reasons set forth in the preamble, the Commission is amending Title 17, Chapter II of the Code of Federal Regulations as follows:
End Amendment Part Start PartPART 248—REGULATIONS S-P AND S-AM
End Part Start Amendment Part50. The authority citation for part 248 continues to read as follows:
End Amendment Part Start Amendment Part51. Revise § 248.2 to read as follows:
End Amendment PartModel privacy form: rule of construction.(a) Model privacy form. Use of the model privacy form in Appendix A to Subpart A of this part, consistent with the instructions in Appendix A to Subpart A, constitutes compliance with the notice content requirements of §§ 248.6 and 248.7 of this part, although use of the model privacy form is not required.
(b) Examples. The examples in this part provide guidance concerning the rule's application in ordinary circumstances. The facts and circumstances of each individual situation, however, will determine whether compliance with an example, to the extent practicable, constitutes compliance with this part.
(c) Substituted compliance with CFTC financial privacy rules by futures commission merchants and introducing brokers. Except with respect to § 248.30(b), any futures commission merchant or introducing broker (as those terms are defined in the Commodity Exchange Act (7 U.S.C. 1, et seq.)) registered by notice with the Commission for the purpose of conducting business in security futures products pursuant to section 15(b)(11)(A) of the Securities Exchange Act of 1934 (15 U.S.C. 78o(b)(11)(A)) that is subject to and in compliance with the financial privacy rules of the Commodity Futures Trading Start Printed Page 62985Commission (17 CFR part 160) will be deemed to be in compliance with this part.
52. In § 248.6:
End Amendment Part Start Amendment PartA. Revise paragraphs (b) and (f), and add paragraph (g) to read as set forth below.
End Amendment Part Start Amendment PartB. Effective January 1, 2012, remove paragraph (g).
End Amendment PartInformation to be included in privacy notices.* * * * *(b) Description of nonaffiliated third parties subject to exceptions. If you disclose nonpublic personal information to third parties as authorized under §§ 248.14 and 248.15, you are not required to list those exceptions in the initial or annual privacy notices required by §§ 248.4 and 248.5. When describing the categories with respect to those parties, it is sufficient to state that you make disclosures to other nonaffiliated companies:
(1) For your everyday business purposes such as [include all that apply] to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus; or
(2) As permitted by law.
* * * * *(f) Model privacy form. Pursuant to § 248.2(a) and Appendix A to Subpart A of this part, Form S-P meets the notice content requirements of this section.
(g) Sample clauses. Sample clauses illustrating some of the notice content required by this section are included in Appendix B to Subpart A of this part. The sample clauses in Appendix B to Subpart A of this part provide guidance concerning the rule's application in ordinary circumstances in a privacy notice provided on or before December 31, 2010. The facts and circumstances of each individual situation, however, will determine whether compliance with a sample clause constitutes compliance with this part.
53. In § 248.7, add paragraph (i) to read as follows:
End Amendment PartForm of opt-out notice to consumers; opt-out methods.* * * * *(i) Model privacy form. Pursuant to § 248.2(a) and Appendix A to Subpart A of this part, Form S-P meets the notice content requirements of this section.
54. Add Appendix A to Subpart A to read as follows:
End Amendment PartAppendix A to Subpart A—Forms
A. Any person may view and print this form at: http://www.sec.gov/about/forms/secforms.htm.
B. Use of Form S-P by brokers, dealers, and investment companies, and investment advisers registered with the Commission constitutes compliance with the notice content requirements of §§ 248.6 and 248.7 of this part.
FORM S-P—Model Privacy Form
A. The Model Privacy Form
Start Printed Page 62986 Start Printed Page 62987 Start Printed Page 62988 Start Printed Page 62989 Start Printed Page 62990 Start Printed Page 62991 Start Printed Page 62992B. General Instructions
1. How the Model Privacy Form is Used
(a) The model form may be used, at the option of a financial institution, including a group of financial institutions that use a common privacy notice, to meet the content requirements of the privacy notice and opt-out notice set forth in §§ 248.6 and 248.7 of this part.
(b) The model form is a standardized form, including page layout, content, format, style, pagination, and shading. Institutions seeking to obtain the safe harbor through use of the model form may modify it only as described in these instructions.
(c) Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681-1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.
(d) The word “customer” may be replaced by the word “member” whenever it appears in the model form, as appropriate.
2. The Contents of the Model Privacy Form
The model form consists of two pages, which may be printed on both sides of a single sheet of paper, or may appear on two separate pages. Where an institution provides a long list of institutions at the end of the model form in accordance with Instruction C.3(a)(1), or provides additional information in accordance with Instruction C.3(c), and such list or additional information exceeds the space available on page two of the model form, such list or additional information may extend to a third page.
(a) Page One. The first page consists of the following components:
(1) Date last revised (upper right-hand corner).
(2) Title.
(3) Key frame (Why?, What?, How?).
(4) Disclosure table (“Reasons we can share your personal information”).
(5) “To limit our sharing” box, as needed, for the financial institution's opt-out information.
(6) “Questions” box, for customer service contact information.
(7) Mail-in opt-out form, as needed.
(b) Page Two. The second page consists of the following components:
(1) Heading (Page 2).
(2) Frequently Asked Questions (“Who we are” and “What we do”).
(3) Definitions.
(4) “Other important information” box, as needed.
3. The Format of the Model Privacy Form
The format of the model form may be modified only as described below.
(a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. While a number of factors together produce easily readable type font, institutions are required to use a minimum of 10-point font (unless otherwise expressly permitted in these Instructions) and sufficient spacing between the lines of type.
(b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page.
(c) Page size and orientation. Each page of the model form must be printed on paper in portrait orientation, the size of which must be sufficient to meet the layout and minimum font size requirements, with sufficient white space on the top, bottom, and sides of the content.
(d) Color. The model form must be printed on white or light color paper (such as cream) with black or other contrasting ink color. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract from the readability of the model form. Logos may also be printed in color.
(e) Languages. The model form may be translated into languages other than English.
C. Information Required in the Model Privacy Form
The information in the model form may be modified only as described below:
1. Name of the Institution or Group of Affiliated Institutions Providing the Notice
Insert the name of the financial institution providing the notice or a common identity of affiliated institutions jointly providing the notice on the form wherever [name of financial institution] appears.
2. Page One
(a) Last revised date. The financial institution must insert in the upper right-hand corner the date on which the notice was last revised. The information shall appear in minimum 8-point font as “rev. [month/year]” using either the name or number of the month, such as “rev. July 2009” or “rev. 7/09”.
(b) General instructions for the “What?” box.
(1) The bulleted list identifies the types of personal information that the institution collects and shares. All institutions must use the term “Social Security number” in the first bullet.
(2) Institutions must use five (5) of the following terms to complete the bulleted list: income; account balances; payment history; transaction history; transaction or loss history; credit history; credit scores; assets; investment experience; credit-based insurance scores; insurance claim history; medical information; overdraft history; purchase history; account transactions; risk tolerance; medical-related debts; credit card or other debt; mortgage rates and payments; retirement assets; checking account information; employment information; wire transfer instructions.
(c) General instructions for the disclosure table. The left column lists reasons for Start Printed Page 62993sharing or using personal information. Each reason correlates to a specific legal provision described in paragraph C.2(d) of this Instruction. In the middle column, each institution must provide a “Yes” or “No” response that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. In the right column, each institution must provide in each box one of the following three (3) responses, as applicable, that reflects whether a consumer can limit such sharing: “Yes” if it is required to or voluntarily provides an opt-out; “No” if it does not provide an opt-out; or “We don't share” if it answers “No” in the middle column. Only the sixth row (“For our affiliates to market to you”) may be omitted at the option of the institution. See paragraph C.2(d)(6) of this Instruction.
(d) Specific disclosures and corresponding legal provisions.
(1) For our everyday business purposes. This reason incorporates sharing information under §§ 248.14 and 248.15 and with service providers pursuant to § 248.13 of this part other than the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these Instructions.
(2) For our marketing purposes. This reason incorporates sharing information with service providers by an institution for its own marketing pursuant to § 248.13 of this part. An institution that shares for this reason may choose to provide an opt-out.
(3) For joint marketing with other financial companies. This reason incorporates sharing information under joint marketing agreements between two or more financial institutions and with any service provider used in connection with such agreements pursuant to § 248.13 of this part. An institution that shares for this reason may choose to provide an opt-out.
(4) For our affiliates' everyday business purposes—information about transactions and experiences. This reason incorporates sharing information specified in sections 603(d)(2)(A)(i) and (ii) of the FCRA. An institution that shares for this reason may choose to provide an opt-out.
(5) For our affiliates' everyday business purposes—information about creditworthiness. This reason incorporates sharing information pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution that shares for this reason must provide an opt-out.
(6) For our affiliates to market to you. This reason incorporates sharing information specified in section 624 of the FCRA. This reason may be omitted from the disclosure table when: the institution does not have affiliates (or does not disclose personal information to its affiliates); the institution's affiliates do not use personal information in a manner that requires an opt-out; or the institution provides the affiliate marketing notice separately. Institutions that include this reason must provide an opt-out of indefinite duration. An institution that is required to provide an affiliate marketing opt-out, but does not include that opt-out in the model form under this part, must comply with section 624 of the FCRA and 17 CFR part 248, subpart B, with respect to the initial notice and opt-out and any subsequent renewal notice and opt-out. An institution not required to provide an opt-out under this subparagraph may elect to include this reason in the model form.
(7) For nonaffiliates to market to you. This reason incorporates sharing described in §§ 248.7 and 248.10(a) of this part. An institution that shares personal information for this reason must provide an opt-out.
(e) To limit our sharing: A financial institution must include this section of the model form only if it provides an opt-out. The word “choice” may be written in either the singular or plural, as appropriate. Institutions must select one or more of the applicable opt-out methods described: telephone, such as by a toll-free number; a Web site; or use of a mail-in opt-out form. Institutions may include the words “toll-free” before telephone, as appropriate. An institution that allows consumers to opt out online must provide either a specific Web address that takes consumers directly to the opt-out page or a general Web address that provides a clear and conspicuous direct link to the opt-out page. The opt-out choices made available to the consumer who contacts the institution through these methods must correspond accurately to the “Yes” responses in the third column of the disclosure table. In the part titled “Please note” institutions may insert a number that is 30 or greater in the space marked “[30].” Instructions on voluntary or state privacy law opt-out information are in paragraph C.2(g)(5) of these Instructions.
(f) Questions box. Customer service contact information must be inserted as appropriate, where [phone number] or [Web site] appear. Institutions may elect to provide either a phone number, such as a toll-free number, or a Web address, or both. Institutions may include the words “toll-free” before the telephone number, as appropriate.
(g) Mail-in opt-out form. Financial institutions must include this mail-in form only if they state in the “To limit our sharing” box that consumers can opt out by mail. The mail-in form must provide opt-out options that correspond accurately to the “Yes” responses in the third column in the disclosure table. Institutions that require customers to provide only name and address may omit the section identified as “[account #].” Institutions that require additional or different information, such as a random opt-out number or a truncated account number, to implement an opt-out election should modify the “[account #]” reference accordingly. This includes institutions that require customers with multiple accounts to identify each account to which the opt-out should apply. An institution must enter its opt-out mailing address: in the far right of this form (see version 3); or below the form (see version 4). The reverse side of the mail-in opt-out form must not include any content of the model form.
(1) Joint accountholder. Only institutions that provide their joint accountholders the choice to opt out for only one accountholder, in accordance with paragraph C.3(a)(5) of these Instructions, must include in the far left column of the mail-in form the following statement: “If you have a joint account, your choice(s) will apply to everyone on your account unless you mark below. □ Apply my choice(s) only to me.” The word “choice” may be written in either the singular or plural, as appropriate. Financial institutions that provide insurance products or services, provide this option, and elect to use the model form may substitute the word “policy” for “account” in this statement. Institutions that do not provide this option may eliminate this left column from the mail-in form.
(2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution shares personal information pursuant to section 603(d)(2)(A)(iii) of the FCRA, it must include in the mail-in opt-out form the following statement: “□ Do not share information about my creditworthiness with your affiliates for their everyday business purposes.”
(3) FCRA Section 624 opt-out. If the institution incorporates section 624 of the FCRA in accord with paragraph C.2(d)(6) of these Instructions, it must include in the mail-in opt-out form the following statement: “□ Do not allow your affiliates to use my personal information to market to me.”
(4) Nonaffiliate opt-out. If the financial institution shares personal information pursuant to § 248.10(a) of this part, it must include in the mail-in opt-out form the following statement: “□ Do not share my personal information with nonaffiliates to market their products and services to me.”
(5) Additional opt-outs. Financial institutions that use the disclosure table to provide opt-out options beyond those required by Federal law must provide those opt-outs in this section of the model form. A financial institution that chooses to offer an opt-out for its own marketing in the mail-in opt-out form must include one of the two following statements: “□ Do not share my personal information to market to me.” or “□ Do not use my personal information to market to me.” A financial institution that chooses to offer an opt-out for joint marketing must include the following statement: “□ Do not share my personal information with other financial institutions to jointly market to me.”
(h) Barcodes. A financial institution may elect to include a barcode and/or “tagline” (an internal identifier) in 6-point font at the bottom of page one, as needed for information internal to the institution, so long as these do not interfere with the clarity or text of the form.
3. Page Two
(a) General Instructions for the Questions. Certain of the Questions may be customized as follows:
(1) “Who is providing this notice?” This question may be omitted where only one financial institution provides the model form and that institution is clearly identified in the title on page one. Two or more financial institutions that jointly provide the model form must use this question to identify themselves as required by § 248.9(f) of this part. Where the list of institutions exceeds four (4) lines, the institution must describe in the response to this question the general types of institutions jointly providing the notice and must separately identify those institutions, in minimum 8-point font, directly following the “Other important Start Printed Page 62994information” box, or, if that box is not included in the institution's form, directly following the “Definitions.” The list may appear in a multi-column format.
(2) “How does [name of financial institution] protect my personal information?” The financial institution may only provide additional information pertaining to its safeguards practices following the designated response to this question. Such information may include information about the institution's use of cookies or other measures it uses to safeguard personal information. Institutions are limited to a maximum of 30 additional words.
(3) “How does [name of financial institution] collect my personal information?” Institutions must use five (5) of the following terms to complete the bulleted list for this question: open an account; deposit money; pay your bills; apply for a loan; use your credit or debit card; seek financial or tax advice; apply for insurance; pay insurance premiums; file an insurance claim; seek advice about your investments; buy securities from us; sell securities to us; direct us to buy securities; direct us to sell your securities; make deposits or withdrawals from your account; enter into an investment advisory contract; give us your income information; provide employment information; give us your employment history; tell us about your investment or retirement portfolio; tell us about your investment or retirement earnings; apply for financing; apply for a lease; provide account information; give us your contact information; pay us by check; give us your wage statements; provide your mortgage information; make a wire transfer; tell us who receives the money; tell us where to send the money; show your government-issued ID; show your driver's license; order a commodity futures or option trade. Institutions that collect personal information from their affiliates and/or credit bureaus must include after the bulleted list the following statement: “We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.” Institutions that do not collect personal information from their affiliates or credit bureaus but do collect information from other companies must include the following statement instead: “We also collect your personal information from other companies.” Only institutions that do not collect any personal information from affiliates, credit bureaus, or other companies can omit both statements.
(4) “Why can't I limit all sharing?” Institutions that describe state privacy law provisions in the “Other important information” box must use the bracketed sentence: “See below for more on your rights under state law.” Other institutions must omit this sentence.
(5) “What happens when I limit sharing for an account I hold jointly with someone else?” Only financial institutions that provide opt-out options must use this question. Other institutions must omit this question. Institutions must choose one of the following two statements to respond to this question: “Your choices will apply to everyone on your account.” or “Your choices will apply to everyone on your account—unless you tell us otherwise.” Financial institutions that provide insurance products or services and elect to use the model form may substitute the word “policy” for “account” in these statements.
(b) General Instructions for the Definitions.
The financial institution must customize the space below the responses to the three definitions in this section. This specific information must be in italicized lettering to set off the information from the standardized definitions.
(1) Affiliates. As required by § 248.6(a)(3) of this part, where [affiliate information] appears, the financial institution must:
(i) If it has no affiliates, state: “[name of financial institution] has no affiliates; ”
(ii) If it has affiliates but does not share personal information, state: “[name of financial institution] does not share with our affiliates; ” or
(iii) If it shares with its affiliates, state, as applicable: “Our affiliates include companies with a [common corporate identity of financial institution] name; financial companies such as [insert illustrative list of companies]; nonfinancial companies, such as [insert illustrative list of companies;] and others, such as [insert illustrative list].”
(2) Nonaffiliates. As required by § 248.6(c)(3) of this part, where [nonaffiliate information] appears, the financial institution must:
(i) If it does not share with nonaffiliated third parties, state: “[name of financial institution] does not share with nonaffiliates so they can market to you; ” or
(ii) If it shares with nonaffiliated third parties, state, as applicable: “Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].”
(3) Joint Marketing. As required by § 248.13 of this part, where [joint marketing] appears, the financial institution must:
(i) If it does not engage in joint marketing, state: “[name of financial institution] doesn't jointly market; ” or
(ii) If it shares personal information for joint marketing, state, as applicable: “Our joint marketing partners include [list categories of companies such as credit card companies].”
(c) General instructions for the “Other important information” box. This box is optional. The space provided for information in this box is not limited. Only the following types of information can appear in this box.
(1) State and/or international privacy law information; and/or
(2) Acknowledgment of receipt form.
Start Amendment Part55. Amend Appendix B to Subpart A of part 248 as follows:
End Amendment Part Start Amendment PartA. Add a sentence to the beginning of the introductory text as set forth below.
End Amendment Part Start Amendment PartB. Effective January 1, 2012, remove Appendix B to Subpart A of part 248.
End Amendment PartAppendix B to Subpart A of Part 248—Sample Clauses
This Appendix only applies to privacy notices provided before January 1, 2011.
* * * * *Start SignatureDated: October 1, 2009.
John C. Dugan,
Comptroller of the Currency.
By order of the Board of Governors of the Federal Reserve System, October 27, 2009.
Robert deV. Frierson,
Secretary of the Board.
By Order of the Board of Directors.
Dated at Washington, DC, this 23rd day of October, 2009.
Federal Deposit Insurance Corporation.
Robert E. Feldman,
Executive Secretary.
Dated: September 28, 2009.
By the Office of Thrift Supervision.
John E. Bowman,
Acting Director.
By the National Credit Union Administration Board on November 10, 2009.
Mary Rupp,
Secretary of the Board.
The Federal Trade Commission.
Dated: September 25, 2009.
By Direction of the Commission.
Donald S. Clark,
Secretary.
Dated: September 21, 2009.
David A. Stawick,
Secretary of the Commodity Futures Trading Commission.
Dated: November 16, 2009.
By the Securities and Exchange Commission.
Elizabeth M. Murphy,
Secretary.
Footnotes
1. Because the Agencies' privacy rules generally use consistent section numbering, relevant sections will be cited, for example, as “section __.6” unless otherwise noted.
Back to Citation2. Public Law No. 109-351, 120 Stat. 1966 (2006).
Back to Citation3. Id., adding 15 U.S.C. 6803(e). See also infra discussion at section II.A. on the GLB Act requirements for financial privacy notices. Section 728 of the Regulatory Relief Act directs the agencies named in Section 504(a)(1) of the GLB Act, 15 U.S.C. 6804(a)(1), to develop a model form. The CFTC, which did not become subject to Title V of the GLB Act until 2000, is not named in that section. The Commodity Exchange Act (“CEA”) was amended in 2000 by the Commodity Futures Modernization Act of 2000 to make the CFTC a “Federal functional regulator” subject to the GLB Act Title V. See Section 5g of the CEA, 7 U.S.C. 7b-2. The CFTC interprets Section 728 of the Regulatory Relief Act as applying to it through Section 5g.
Back to Citation4. See Interagency Proposal for Model Privacy Form under the Gramm-Leach-Bliley Act (“Proposed Rule”), 72 FR 14940 (Mar. 29, 2007), available at http://www.ftc.gov/os/2007/03/CorrectedNeptuneMarsandGenericFormsfrn.pdf. A Correction Notice was published at 72 FR 16875 (Apr. 5, 2007).
Back to Citation5. See Interagency Proposal for Model Privacy Form under the Gramm-Leach-Bliley Act, Securities Exchange Act Release No. 59769, Investment Company Act Release No. 28697 (Apr. 15, 2009) [74 FR 17925 (Apr. 20, 2009)].
Back to Citation6. The Agencies conducted the consumer research in two phases: the first was qualitative testing or form development; the second was quantitative testing. See infra section II.
Back to Citation7. See privacy rule, section __.6(c)(5), NCUA section 716.6(e)(5).
Back to Citation8. See infra section IV.
Back to Citation9. For ease, the Appendix provides three versions of the final model form: (1) Model form with no opt-out; (2) model form with telephone and Web opt-out only; and (3) model form that includes a mail-in opt-out form. An alternative mail-in form (version 4) may be substituted for the mail-in portion of the model form in version 3. For those institutions that use the model form and need to provide a mail-in opt-out form, the reverse side to that opt-out form must not include any content of the model form. See F.4 of the Frequently Asked Questions for the Privacy Regulation, available at http://www.ftc.gov/privacy/glbact/glb-faq.htm (Dec. 2001) (staff guidance issued by the Board, FDIC, FTC, OCC, OTS, and NCUA) (stating that a consumer generally should be able to detach a mail-in opt-out form from a privacy notice without removing text from the privacy policy).
Back to Citation10. See infra section III.I.
Back to Citation11. See, e.g., comment letters of T. Rowe Price Associates, Inc. (May 29, 2007); Wolters Kluwer Financial Services (May 24, 2007).
Back to Citation12. Note that a financial institution must insert its name or a common corporate identity as indicated in the two questions in this section each time that “[name of financial institution]” appears. The revised form has eliminated the FAQ “How does [name of financial institution] notify me about its practices.”
Back to Citation13. See infra section III.J.
Back to Citation14. This use was provided in response to a request by the National Automobile Dealers Ass'n, whose members routinely ask customers to sign an acknowledgment of receipt on a copy of the dealer's privacy notice and retain this record verifying delivery of the notice. Comment letter of the National Automobile Dealers Ass'n (May 29, 2007).
Back to Citation15. Codified at 15 U.S.C. 6801-6809.
Back to Citation16. 15 U.S.C. 6803(a). A “customer” means a consumer who has a “customer relationship” with a financial institution. Privacy rule, section __.3(h), SEC section 248.3(j), CFTC section 160.3(k), NCUA section 716.3(n). A “consumer” is “an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes, and also means the legal representative of such an individual.” 15 U.S.C. 6809(9); privacy rule, section __.3(e), SEC section 248.3(g)(1), CFTC section 160.3(h)(1). Financial institutions are required to provide an initial notice to their customers and a notice annually thereafter for as long as the customer relationship continues. 15 U.S.C. 6803(a); Privacy rule, sections __.4 and __.5. Institutions are also required to provide to their non-customer consumers a notice if the institution discloses nonpublic personal information outside the exceptions in sections __.14 and __.15 before any such disclosure is made. 15 U.S.C. 6802(a); privacy rule, sections __.4.
Back to Citation18. “Nonpublic personal information” is generally defined as personally identifiable financial information provided by a consumer to a financial institution, resulting from any transaction or any service performed for the consumer, or otherwise obtained by the financial institution. See 15 U.S.C. 6809(4); privacy rule, sections __.3(n) and (o), SEC sections 248.3(t) and (u), CFTC sections 160.3(t) and (u).
Back to Citation19. 15 U.S.C. 6802; privacy rule, sections __.14 and __.15.
Back to Citation20. 15 U.S.C. 1681a(d)(2)(A)(iii) (FCRA); 15 U.S.C. 6803(c)(4) (GLB Act).
Back to Citation21. See sections_.4,_.5, and _.6 of the privacy rule.
Back to Citation22. 15 U.S.C. 6802, 6803; privacy rule, section _.3(b), SEC section 248.3(c), CFTC section 160.3(b)(1).
Back to Citation23. See, e.g., Privacy of Consumer Financial Information, 65 FR 35162 (June 1, 2000). The CFTC was added by Section 5g of the Commodity Exchange Act, 7 U.S.C. 7b-2 (as amended by the Commodity Futures Modernization Act of 2000), on December 21, 2000, and privacy notices were required to be delivered to consumers by March 31, 2002. Privacy of Consumer Financial Information, 66 FR 21236 (Apr. 27, 2001).
Back to Citation24. See Rulemaking Petition from Public Citizen, et al., at 4 (July 26, 2001) (available at http://www.ftc.gov/bcp/workshops/glb/comments/nader.pdf) (“Public Citizen Petition”) (stating that notices were “dense,” “complicated,” and written by those trained in obfuscation rather than to express ideas clearly).
Back to Citation25. See Get Noticed: Writing Effective Financial Privacy Notices, Interagency Public Workshop (Dec. 4, 2001) (“Get Noticed Workshop”). Workshop transcripts and other supporting documents are available at http://www.ftc.gov/bcp/workshops/glb/index.html. The Get Noticed Workshop, discussed in the preamble to the Proposed Rule, supra note 4 at n.14, provided a public forum to consider how financial institutions could provide more useful privacy notices to consumers.
Back to Citation26. See Interagency Proposal to Consider Alternative Forms of Privacy Notices Under the Gramm-Leach-Bliley Act, 68 FR 75164 (Dec. 30, 2003), available at http://www.ftc.gov/os/2003/12/031223anprfinalglbnotices.pdf. The Agencies sought, for example, comment on issues associated with the format, elements, and language used in privacy notices that would make the notices more accessible, readable, and useful, and whether to develop a model privacy notice that would be short and simple.
Back to Citation27. Id. at text following n.5.
Back to Citation28. Summaries of the outside meetings and public comments to the ANPR are available at http://www.ftc.gov/privacy/privacyinitiatives/financial_rule_inrp.html.
Back to Citation29. In some cases, the Agencies have identified notices that violate the privacy rule. For example, one institution's privacy notice did not include an opt-out form, but provided that consumers could only obtain an opt-out form by visiting a bank office, in violation of sections _.7(h), _.9(a), and _.10(a)(1) of the privacy rule. Another notice provided that consumers could only opt out by writing a letter to the institution, in violation of section _.7(a)(1) of the privacy rule. Offering only these very restrictive methods of obtaining an opt-out form and opting out also is not supported by the examples in the privacy rule. See sections _.7(a)(2), _.9(b), and _.10(a)(3) of the privacy rule.
Back to Citation30. The six agencies that initially sponsored the Notice Project were the Board, FDIC, FTC, NCUA, OCC, and SEC. The OTS joined the Notice Project for the phase two quantitative testing. Information related to the Notice Project is available at http://www.ftc.gov/privacy/privacyinitiatives/financial_rule_inrp.html.
Back to Citation31. The first phase was designed as qualitative testing or form development research. This research involved a series of in-depth individual consumer interviews to develop an alternative privacy notice that would be easier for consumers to use and understand. The second phase was designed as quantitative testing, to test the effectiveness of the alternative privacy notice developed in phase one among a larger number of consumers.
Back to Citation32. See Kleimann Communication Group, Inc., Evolution of a Prototype Financial Privacy Notice: A Report on the Form Development Project (Feb. 28, 2006) (“Kleimann Report”). For a copy of the full report, go to http://www.ftc.gov/privacy/privacyinitiatives/ftcfinalreport060228.pdf. For the executive summary, go to http://www.ftc.gov/privacy/privacyinitiatives/FTCFinalReportExecutiveSummary.pdf.
Back to Citation33. Comments received by all the Agencies are available at http://www.ftc.gov/privacy/privacyinitiatives/financial_rule_inrp.html. Many commenters sent copies of the same letter to more than one agency. Some association commenters sent several letters, both individually and jointly with other associations.
Back to Citation34. See Mall Intercept Study of Consumer Understanding of Financial Privacy Notices: Methodological Report, submitted by Macro International Inc. (“Macro Report”), Appendix C, for copies of the test notices. The Macro Report is available at: http://www.ftc.gov/privacy/privacyinitiatives/Macro-Report-on-Privacy-Notice-Study.pdf. See also infra section III for a discussion about the changes made to the final model form since the Proposed Rule was issued for comment.
Back to Citation35. Macro provided the test data to the Agencies in the summer of 2008 and its research methodology report in September. The study data and codebook are available at: http://www.ftc.gov/privacy/privacyinitiatives/Privacy-Notice-Study-Dataset.pdf and http://www.ftc.gov/privacy/privacyinitiatives/Privacy-Notice-Study-Codebook.pdf.
Back to Citation36. The proposed model form was revised based on the comments received, and a version of that revised form was used in the quantitative testing.
Back to Citation37. Study participants were randomly assigned to see one of the four notice formats. Each participant read three privacy notices in the same format and was asked a series of questions, first about one pair of notices, and next about a second pair of notices, with one of the three notices used twice in each round. The order and repetition of the notices were rotated among the participants so that the same notice was not always viewed twice. Participants answered additional questions about the notices and their attitudes on information sharing. The interview sought information about participants' choice of a bank based solely on the notice content; responses to factual questions, such as which of two banks shared more or whether any of the banks offered an opportunity to limit or opt out of sharing; performance of a task, such as determining which bank shared more after exercising all options to limit or opt out of sharing; and responses to questions about their attitudes toward the use and sharing of their information. See Macro Report, supra note 34, Appendix A.
Back to Citation40. Levy-Hastak Report at 7-14.
Back to Citation41. Id. at 4-5.
Back to Citation42. Id. at 16.
Back to Citation43. Id. at 17. According to the Report, an example of a difficult task was: Participants were asked to assume that they had limited or opted out of all possible sharing for both banks; based on that assumption, respondents were asked whether one bank shared more personal information than the other or whether both banks shared information equally. An example of an easy task was: Using the notice, participants were asked to identify how they could tell the bank that they wanted to limit or opt out of sharing personal information.
Back to Citation44. Levy-Hastak Report at 9-10.
Back to Citation45. Levy-Hastak Report at 17.
Back to Citation46. Id. at 15.
Back to Citation47. Id. Study participants generally did not like their information being shared with either affiliates or with nonaffiliates.
Back to Citation48. See id. at 12-14.
Back to Citation49. Significantly, unlike the Sample Clause and Current notices, neither the Table nor the Prose notice uses the word “opt-out” in the model form; rather, these forms refer to “limiting sharing.” This word choice was intentional to help consumers understand that some sharing is necessary and that consumers cannot stop all sharing—a concept that consumers who knew the term equated with “opt-out.” See Kleimann Report, supra note 32, at 101-108. Because the Table and Prose notices did not use the word “opt-out,” participants using these notices did not have that word as a visual “cue” when they were asked the question.
Back to Citation50. The Report also examined a second mistake: Where participants selected the lower sharing bank when they were asked to identify which bank shared more (labeled a “false sharing mistake”). See Levy-Hastak Report at 9. In that case, there was not an unusual pattern in the distribution of responses. Rather, the Report found that the study participants who made this mistake were equally distributed across all four notice styles. Id. at 13.
Back to Citation51. Id.
Back to Citation52. Id. at 13-14.
Back to Citation53. Levy-Hastak Report at 14. In addition, the use of check boxes in the design of the opt-out section of the Table and Prose notices (a carry-over from the original mail-in format of the proposed model form) appeared to confuse some participants when they were asked this question. The responses recorded for these two notices reflected a somewhat higher number of “other” responses, even though all the notices offered the same two options. Macro reported anecdotally that a number of participants who viewed the Table and Prose notices reported “check this box” as one of the methods offered to opt out or limit sharing—a response that was recorded as “other.”
Back to Citation54. Id. at 17.
Back to Citation55. Some commenters had urged the Agencies to consolidate the model form on two sides of a single piece of paper, and a few suggested that the Agencies consider moving the opt-out to page one. See, e.g., comment letters of Securities Industry and Financial Markets Ass'n (May 29, 2007); World's Foremost Bank (May 25, 2007); World Financial Network National Bank (May 29, 2007); World Financial Capital Bank (May 25, 2007).
Back to Citation56. See comment letters of American Council of Life Insurers (May 20, 2009), National Ass'n of Mutual Insurance Cos. (May 20, 2009), American Insurance Ass'n (May 20, 2009), Investment Adviser Ass'n (May 20, 2009), The Financial Services Roundtable and BITS (May 20, 2009).
Back to Citation57. See comment letters of National Ass'n of Mutual Insurance Cos. (May 20, 2009); The Financial Services Roundtable and BITS (May 20, 2009).
Back to Citation58. See comment letter of The Financial Services Roundtable and BITS (May 20, 2009).
Back to Citation59. See id. The Agencies used a single form, printed in English, for simplicity in conducting the testing. We recognize that institutions can and do provide notices in a variety of other languages when their customers are non-English speaking. We anticipate that those institutions that use the final model form will continue to provide their notices in other languages to ensure that their non-English speaking customers can read and use the form. See also Transcript of Get Noticed Workshop, available at http://www.ftc.gov/bcp/workshops/glb/GLBtranscripts.pdf,, comments of Irene Etzkorn (recognizing that banks do provide financial privacy notices in languages other than English); comments of Tena Friery (noting that the Privacy Rights Clearinghouse promotes notices and educational materials in other languages and that 80-100 different languages are spoken in Los Angeles alone).
Back to Citation60. See comment letters of American Insurance Ass'n (May 20, 2009); National Ass'n of Mutual Insurance Cos. (May 20, 2009). While some commenters find greater virtue in the better performance of the Sample Clause Notice on only the simpler tasks or disagree with the Levy-Hastak Report's analyses, the evidence is compelling that the Table Notice performed better overall across all comprehension and comparison measures. See Levy-Hastak Report at 6.
Back to Citation61. See comment letter of American Council of Life Insurers (May 20, 2009).
Back to Citation62. Id.
Back to Citation63. See, e.g., comment letter of The Financial Services Roundtable and BITS (May 20, 2009).
Back to Citation64. Macro Report, supra note 34, at 3 & Appendix B; Levy-Hastak Report at 2.
Back to Citation65. Macro Report, supra note 34, at 3-4.
Back to Citation66. The commenter looked to the Table Notice score of 40.6% in Table 1 of the Levy-Hastak Report. Levy-Hastak Report at 12. This data evaluated how well study participants could explain their reasons for preferring one bank notice over another where they selected, as their preferred bank, the lower sharing bank. While the commenter pointed to a single measure in the Levy-Hastak Report, the Report relied on a number of accuracy measures that varied in difficulty level. See, e.g., id., Table 3 at 12.
Back to Citation67. See Part 248-Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information, Securities Exchange Act Release No. 57427, Investment Company Act Release No. 28718 (Mar. 4, 2008) [73 FR 13692 (Mar. 13, 2008)]. See also comment letters of American Council of Life Insurers (May 20, 2009) and Investment Advisers Ass'n (May 29, 2007).
Back to Citation69. See section _.7(a)(2)(ii)(D) of the privacy rule.
Back to Citation70. Kleimann Validation Report, Appendix E. The Kleimann Validation Report found that the information for telephone or Internet options could be readily displayed on a standard 8½ x 11-inch page, but the addition of a mail-in form required a longer piece of paper.
Back to Citation71. Comment letter of The Direct Marketing Ass'n (May 29, 2007) (commenting that it has an automated software program that allows companies to create a customized privacy notice in a standardized format).
Back to Citation72. See comment letter of Capital One Financial Corporation (May 29, 2007); see also 12 CFR 226.5a(a)(2)(i)-(ii).
Back to Citation73. See, e.g., comment letters of Center for Democracy and Technology (May 29, 2007); National Ass'n of Attorneys General (June 14, 2007); Privacy Rights Clearinghouse (May 16, 2007). See also The Center for Information Policy Leadership (May 29, 2007) (recognizing that the proposed model form addresses the requirements of the GLB Act and that the research provided insight into what effectively communicates to consumers, including “important information about how people learn about privacy, about the use of tables to facilitate comparisons across companies, and about the need to inform consumers about why they are receiving a privacy notice”).
Back to Citation74. Cf. Press Release, U.S. House of Representatives, Committee on Financial Services, Financial Services Committee Democrats Call for Simplified Privacy Notices, (July 25, 2003) available at: http://financialservices.house.gov/pr062503.html.
Back to Citation75. See Proposed Rule, supra note 4 at text accompanying n.30. See also Janice Tsai, Serge Egelman, Lorrie Cranor, and Alessandro Acquisti, “The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study,” The 6th Workshop on the Economics of Information Society (WEIS) (June 2007) http://weis2007.econinfosec.org/papers/57.pdf (more accessible privacy information reduces information asymmetry between the merchant and the consumer as to the use of consumers' personal information; aids consumers in making informed choices; and demonstrates that consumers tend to purchase from merchants offering more privacy protection, including paying a premium for such a purchase).
Back to Citation76. See Instruction C to the Model Privacy Form.
Back to Citation77. See, e.g., comment letters of American Council of Life Insurers (May 29, 2007); Investment Company Institute (May 29, 2007); National Business Coalition on E-Commerce and Privacy (May 30, 2007).
Back to Citation78. See, e.g., comment letters of American Bankers Ass'n (May 25, 2007); American Insurance Ass'n (May 29, 2007) Visa U.S.A., Inc. (May 29, 2007).
Back to Citation79. See, e.g., comment letters of Consumer Bankers Ass'n (May 29, 2009); National Retail Federation (May 29, 2007).
Back to Citation80. The term “clear and conspicuous” is defined in the privacy rule at section _.3(b), SEC section 248.3(c), and includes as a requirement that the notice be designed to call attention to the nature and significance of the information in the notice. In addition, the privacy rule requires that consumers should reasonably be expected to receive the notice. See section _.9 of the privacy rule.
Back to Citation81. Institutions that incorporate the model privacy form into other documents must take care that the customer's execution of other forms in the document will leave the model form intact.
Back to Citation82. See Instruction B to the Model Privacy Form. The Agencies understand that most privacy policies provide for opting out by toll-free telephone or on the Internet. The paper size for those policies will likely be about 81/2 x 11 inches. However, for those institutions that provide a mail-in opt-out form, the paper size will likely need to be longer, around 81/2 x 14 inches, in order to accommodate the mail-in form.
Back to Citation83. See, e.g., comment letters of Consumer Bankers Ass'n (May 29, 2007); American Bankers Ass'n (May 25, 2007); Bank of America Corporation (May 29, 2007); Independent Community Bankers of America (May 29, 2007); Securities Industry and Financial Markets Ass'n (May 29, 2007); Investment Company Institute (May 29, 2007); National Retail Federation (May 29, 2007); National Ass'n of Mutual Insurance Cos. (May 29, 2007); Credit Union National Ass'n (May 29, 2007).
Back to Citation84. See supra notes 24-25 and infra note 95.
Back to Citation85. See, e.g., comment letters of National Retail Federation (May 29, 2007); Investment Advisers Ass'n (May 20, 2009); American Bankers Ass'n (May 25, 2007); Credit Union National Ass'n (May 29, 2007). Some of these commenters pointed to the preamble language in the final privacy rule which states: “The Agencies believe that in most cases the initial and annual disclosure requirements can be satisfied by disclosures contained in a tri-fold brochure.” 65 FR 33646, 33662 (May 24, 2000) (FTC); 65 FR 35162, 35175 (June 1, 2000) (banking agencies); (Regulation S-P) 65 FR 40334, 40347 (June 29, 2000) (SEC). This statement was written in 2000 before the Agencies or institutions had any experience with the GLB Act privacy notices. In the intervening period, both the Agencies and institutions have learned much through their own testing about improved notice design and consumer comprehension. The impetus for the Agencies' consumer research, borne out by the research findings, is that the current notices, including those utilizing multi-fold formats, are not effective. Moreover, the important information on page one of the model form—including the context information and disclosure table—could not be appropriately displayed in such a cramped format and still comply with the minimum space and font requirements of the model form.
Back to Citation86. Examples provided by commenters included: 3.5 x 7.5 inches, printed double sided; 3.5 x 8; 7 ×10.812 inches folded to 7 x 3.625 inches; 7 x 3.5 inches (finished folded size). See, e.g., comment letter of National Retail Federation (May 29, 2007).
Back to Citation87. See comment letter of Consumer Bankers Ass'n (May 29, 2007).
Back to Citation88. See supra note 25.
Back to Citation89. See Instruction B.2 to the Model Privacy Form.
Back to Citation90. See, e.g., comment letters of American Insurance Ass'n (May 29, 2007); Bank of America Corporation (May 29, 2007); Citigroup Inc. (May 30, 2007); National Retail Federation (May 29, 2007); Securities Industry and Financial Markets Ass'n (May 29, 2007).
Back to Citation91. See Levy-Hastak Report at 15.
Back to Citation92. While a variety of type styles would be suitable for the model notice, the Agencies caution institutions that use of idiosyncratic fonts or highly stylized typefaces will not meet the model form safe harbor standard. See Instruction B.3(a) to the Model Privacy Form.
Back to Citation93. See, e.g., comment letters of American Council of Life Insurers (May 29, 2007); National Business Coalition on E-Commerce and Privacy (May 30, 2007); National Retail Federation (May 29, 2007); Financial Services Roundtable and BITS (May 29, 2007).
Back to Citation94. The type size information in Example 3 in the preamble to the Proposed Rule identified the five type sizes used in various elements of the proposed form. This example was intended solely to show how key features of the form—such as headings—can be distinguished by using different font sizes to make the form more visually appealing. Contrary to some commenters' assumption, the different sizes were not a proposed requirement for users of the model form.
Back to Citation95. See Kleimann Report, supra note 32, at 33. See also, e.g., Public Citizen Petition, supra note 24 at 7 (“[S]mall font sizes * * * deprive consumers of their right to prevent financial institutions from sharing private information.”); “UNDERSTANDING THE FINE PRINT: How to make sure the gotchas don't get you,” Consumer Reports Money Adviser (Oct. 2008) (“Fine print is everywhere—contracts; retail Web sites; sales receipts; print, broadcast, and Internet offers; prospectuses; privacy notices; product manuals; and manufacturer warranties.”); David Colker, “Stopping junk mail for living and dead; Opt-outs can slow the torrent of solicitations to computer and postal mailboxes and phones;” Los Angeles Times, July 22, 2007, at C3 (“[B]y law, financial institutions have to offer an opt-out if they are making this data available to non-affiliated businesses. The problem is that their guides to opting out are often contained in their privacy notices—in small print.”).
Back to Citation96. See, e.g., Cal. Fin. Code div. 1.2 § 4053(d)(1)(B) (requiring 10-point minimum font).
Back to Citation97. See Proposed Rule, supra note 4, at section II.F.
Back to Citation98. Serif typeface has small strokes at the ends of the lines that form each letter. Sans serif typeface does not have those small strokes.
Back to Citation99. Karen A. Schriver, Dynamics In Document Design (“Schriver”) 274 (1997).
Back to Citation100. Id. at 262; see also James Hartley, Designing Instructional Text (1994); and Barbara Chaparro et al., Reading Online Text: A Comparison of Four White Space Layouts 6(2) (2004).
Back to Citation101. While much of the printed material in the United States and western Europe uses serif styles, Web designers are increasingly using sans serif type, as they have found that serif type is harder to read online. These changes in Web design are also beginning to affect font styles in printed materials. Some typography designers are now using sans serif typefaces, as well as type with a uniform thickness throughout the letter (monoweight typeface), finding these typefaces easier to read than those with variable thickness.
Back to Citation102. The “x-height” is the height of the lower-case “x” in relation to full height letters, such as a capital G. X-height is critical to type legibility.
Back to Citation103. Erik Spiekermann & E.M. Ginger, Stop Stealing Sheep & Find Out How Type Works 93 (1993).
Back to Citation104. See, e.g., Hewlett-Packard Corporation, Panose Classification Metrics Guide (2006), available at http://www.monotypeimaging.com/productsservices/pan2.aspx.
Back to Citation105. See Schriver, supra note 99, at 264; see also id. at 258-59. Fonts that satisfy the type style and x-height recommendations include sans serif fonts such as Tahoma, Century Gothic, Myriad, Avant Garde, Bk Avenir Book, ITS Franklin Gothic, Arial-Helvetica, and Gill Sans, and serif fonts such as the Chaparral Pro Family, Minion Pro, Garamond, Monotype Bodoni, and Monotype Century. A number of these font styles, including Arial-Helvetica, Tahoma, Century Gothic, Garamond, and Bodoni, are preloaded in commonly used word processing applications with most new personal computers. The other font styles are commercially available as well.
Back to Citation106. See, e.g., comment letters of American Insurance Ass'n (May 29, 2007); National Ass'n of Mutual Insurance Cos. (May 29, 2007); Securities Industry and Financial Markets Ass'n (May 29, 2007); Consumer Bankers Ass'n (May 29, 2007).
Back to Citation107. See, e.g., comment letters of National Business Coalition on E-Commerce and Privacy (May 30, 2007). With the modern, high-speed printing equipment readily available, the Agencies do not foresee problems with reproducing background shading, just as they see no difficulties with printing blocks of color for company logos or advertising materials. Moreover, the validation testing research found that consumers appreciated shading as a navigation guide. See Kleimann Validation Report at 9-10.
Back to Citation108. See, e.g., comment letters of Consumer Bankers Ass'n (May 29, 2007); National Business Coalition on E-Commerce and Privacy (May 30, 2007).
Back to Citation109. See, e.g., comment letters of American Council of Life Insurers (May 29, 2007); Investment Advisers Ass'n (May 29, 2007).
Back to Citation110. See, e.g., comment letters of National Business Coalition on E-Commerce and Privacy (May 30, 2007); T. Rowe Price Associates, Inc. (May 29, 2007); Financial Services Roundtable and BITS (May 29, 2007); National Ass'n of Mutual Insurance Cos. (May 29, 2007); Investment Company Institute (May 29, 2007).
Back to Citation111. See, e.g., comment letters of National Ass'n of Mutual Insurance Cos. (May 29, 2007); American Insurance Ass'n (May 29, 2007); Great-West Life & Annuity Insurance Company (May 29, 2007). In addition to including insurance-specific phrases in the menu of terms for the “What?” box on page one and the collection of information FAQ on page two, the Rule also recognizes that institutions that provide insurance products or services and elect to use this model form can use the word “policy” instead of “account” for the joint accountholder description. See Instructions C.2(g)(1) and C.3(a)(5) to the Model Privacy Form. The Agencies have periodically consulted with the NAIC to ensure that the final model form is sufficiently flexible to address the insurance marketplace. The NAIC is continuing to evaluate how best to proceed regarding insurance company use and implementation of the form by individual jurisdictions. This effort may include the NAIC developing a model bulletin for regulatory use or amending its model Privacy of Consumer Financial and Health Information Regulation to replace the current sample clauses with the new model privacy form.
Back to Citation112. See, e.g., comment letter of MasterCard Worldwide (May 29, 2007).
Back to Citation113. See, e.g., comment letter of Citigroup Inc. (May 30, 2007); Wells Fargo & Company (May 29, 2007); Wachovia Corporation (May 25, 2007); Sovereign Bank (May 21, 2007).
Back to Citation114. See Kleimann Report, supra note 32, at 43, 66-67.
Back to Citation115. Kleimann Validation Report at 8.
Back to Citation116. See, e.g., comment letters of American Bankers Ass'n (May 25, 2007); Investment Company Institute (May 29, 2007); Investment Advisers Ass'n (May 29, 2007).
Back to Citation117. See Instruction C.2(b)(2) to the Model Privacy Form. Similar to the proposal, the final model form requires institutions to provide examples that may be applicable to the institution's collection and sharing practices.
Back to Citation118. See, e.g., comment letters of Investment Advisers Ass'n (May 29, 2007); American Insurance Ass'n (May 29, 2007).
Back to Citation119. This sentence continues to appear in the “What?” box in the model form without an opt-out. However, based on the validation testing, the opt-out versions of the model form place this sentence in the “To limit our sharing” box following the sentence describing sharing information about a new customer. See Kleimann Validation Report at 9-10.
Back to Citation120. Comment letter of Capital One Financial Corporation (May 29, 2007).
Back to Citation121. See comment letters of The Center for Information Policy Leadership (May 29, 2007); Independent Community Bankers of America (May 29, 2007).
Back to Citation122. See, e.g., comment letters of Independent Community Bankers of America (May 29, 2007); Bank of Edison (May 21, 2007); Capital One Financial Corporation (May 29, 2007); Citrus & Chemical Bank (May 24, 2007); First National Bank (Edinburg, TX) (Apr. 9, 2007); Florence Savings Bank (April 30, 2007); Iowa State Bank and Trust Company (May 22, 2007); ShoreBank (Apr. 6, 2007); Hometown Bank (May 8, 2007).
Back to Citation123. See, e.g., comment letters of Bank of America Corporation (May 29, 2007); Securities Industry and Financial Markets Ass'n (May 29, 2007); MasterCard Worldwide (May 29, 2007).
Back to Citation124. See, e.g., comment letters of Citigroup Inc. (May 30, 2007); Consumer Bankers Ass'n (May 29, 2007).
Back to Citation125. See comment letter of Consumer Bankers Ass'n (May 29, 2007).
Back to Citation126. See, e.g., comment letter of Johnson Financial Group (May 14, 2007).
Back to Citation127. See, e.g., comment letters of Huntington National Bank (May 25, 2007); National Business Coalition on E-Commerce and Privacy (May 30, 2007); Securities Industry and Financial Markets Ass'n (May 29, 2007).
Back to Citation128. See, e.g., comment letter of Consumer Bankers Ass'n (May 29, 2007).
Back to Citation129. See, e.g., comment letters of American Council of Life Insurers (May 29, 2007); Securities Industry and Financial Markets Ass'n (May 29, 2007); American Insurance Ass'n (May 29, 2007); Consumer Mortgage Coalition (May 29, 2007).
Back to Citation130. See Proposed Rule, supra note 4, at text preceding and accompanying n.27; see also Levy-Hastak Report at 17.
Back to Citation131. The disclosure table in the model form provides information “at-a-glance” that facilitates the comparison of a company's information sharing practices, both as to the industry as a whole and with respect to any other specific companies. In this way, it meets the original legislative intent to easily compare companies' privacy practices. See H.R. Rep. No. 106-74, at 107 (1999).
Back to Citation132. Levy-Hastak Report at 15.
Back to Citation133. This comment was made by some of the Agencies' regulated entities at various times during the course of this project and was also discussed by members of the Board's Consumer Advisory Council during its discussions in 2007 about the Notice Project and model form proposals.
Back to Citation134. See, e.g., comment letter of Independent Community Bankers Ass'n (May 29, 2009).
Back to Citation135. See infra note 142.
Back to Citation136. See the privacy rule, section __.6(e), NCUA section 716.6(d) (notices can be based on current and anticipated policies and practices).
Back to Citation137. See, e.g., comment letters of American Insurance Ass'n (May 29, 2007); Consumer Bankers Ass'n (May 29, 2007); Citigroup Inc. (May 30, 2007); Securities and Financial Markets Ass'n (May 29, 2007).
Back to Citation138. See, e.g., comment letters of American Bankers Ass'n (May 25, 2007); American Insurance Ass'n (May 29, 2007); Securities Industry and Financial Markets Ass'n (May 29, 2007). This language substantially replaces the “as permitted by law” phrase used in the Sample Clauses, covering all permitted disclosures—along with the attendant requirements on reuse and redisclosure—found under sections __.14 and __.15 of the privacy rule. Unlike that clause, “everyday business purposes” conveys more concrete information to consumers and, importantly, helps them understand that some sharing is necessary in order to obtain financial products or services.
Back to Citation139. Joint marketing with other financial institutions and section __.13 service providers contracted to do marketing for a financial institution are disclosed separately. See Instruction C.2(d)(3) to the Model Privacy Form.
Back to Citation140. The final model form consolidates all references to “everyday business purposes” in the first reason in the disclosure table, thereby eliminating the illustrative explanation in the “How?” box on page one and the definition on page two.
Back to Citation141. See Survey Research Center at the University of Georgia, National Ass'n of Insurance Commissioners Insurance Disclosure Focus Group Study (“NAIC Study”), available at http://www.ftc.gov/os/comments/modelprivacyform/528621-00012.pdf. See also infra discussion at text accompanying note 221.
Back to Citation142. The table includes, as an optional disclosure, the opt-out required by section 624 of the FCRA (reason 6 in the table), 15 U.S.C. 1681s-3 (affiliate use of information for marketing), as added by section 214 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), Public Law No. 108-159, 117 Stat. 1952. Section 624 generally provides that information that may be shared among affiliates—including transaction and experience information and certain creditworthiness information—cannot be used by an affiliate for marketing purposes unless the consumer has received a notice of such use and an opportunity to opt out, and the consumer does not opt out. Congress did not grant the CFTC rulemaking authority to implement section 624. The other Agencies have issued final regulations implementing the affiliate marketing provision of the FACT Act, 12 CFR part 41 (OCC), 12 CFR part 222 (Board), 12 CFR part 334 (FDIC), 12 CFR part 571 (OTS), 12 CFR part 717 (NCUA), 16 CFR parts 680 and 698 (FTC), 17 CFR part 248, subpart B (SEC) (“affiliate marketing rule”). Because the Agencies' affiliate marketing rules generally use consistent section numbering, relevant sections will be cited, for example, as “section _.23” unless otherwise noted. The affiliate marketing rule included language stating that the section 624 disclosure as it appears in the model form will meet the requirements of that rule. See 72 FR 61424, 61452 (Oct. 30, 2007) (FTC); 72 FR 62910, 62932 (Nov. 7, 2007) (banking agencies); 74 FR 40398, 40418 (Aug. 11, 2009) (SEC) (“use of the [GLB Act] model privacy form will satisfy the requirement to provide an initial affiliate marketing opt-out notice”). See also section __.23(b) of the affiliate marketing rule.
Back to Citation143. See, e.g., comment letters of Citigroup Inc. (May 30, 2007); American Bankers Ass'n (May 25, 2007); Consumer Bankers Ass'n (May 29, 2007); National Business Coalition on E-Commerce and Privacy (May 30, 2007); Visa U.S.A, Inc. (May 29, 2007).
Back to Citation144. See section 603(d)(2)(A) of the FCRA relating to the sharing of “transaction and experience information” and the sharing of “other information” which triggers an opt-out notice.
Back to Citation145. Kleimann Report, supra note 32, at 63.
Back to Citation146. See supra note 142.
Back to Citation147. Levy-Hastak Report at 15.
Back to Citation148. See, e.g., comment letters of American Council of Life Insurers (May 29, 2007); National Automobile Dealers Ass'n (May 29, 2007); Securities Industry and Financial Markets Ass'n (May 29, 2007).
Back to Citation149. Some commenters asked about providing the opt-out in an in-person transaction so that the customer could execute the opt-out at that time or could deliver the completed opt-out form in person. The privacy rule does not preclude obtaining a consumer's opt-out election in person. However, while an institution may accept an opt-out election from a consumer in person, requiring a consumer to obtain an opt-out form at a branch office as the only means to opt out violates the privacy rule. See sections _.7(h), _.9(a) and (b), and _.10(a)(1) and (a)(3) of the privacy rule.
Back to Citation150. Institutions that do not include the affiliate marketing disclosure on the model privacy form must not include the affiliate marketing notice or opt-out on the model form mail-in form; that notice must be provided in accord with the affiliate marketing rule, outside the model form.
Back to Citation151. See, e.g., comment letters of Bank of America Corporation (May 29, 2007); Wells Fargo & Company (May 29, 2007); Securities Industry and Financial Markets Ass'n (May 29, 2007); American Council of Life Insurers (May 29, 2007).
Back to Citation152. The revised language states: “If you are a new customer, we can begin sharing your information [30] days from the date we sent this notice.” See also supra note 119.
Back to Citation153. See, e.g., sections _.10(a)(1)(iii) and _.10(a)(3)(iii) of the privacy rule.
Back to Citation154. See 72 FR 61424, 61448 (Oct. 30, 2007) (FTC); 72 FR 62910, 62935 (Nov. 7, 2007) (banking agencies); 74 FR 40398, 40421 (August 11, 2009) (SEC).
Back to Citation155. See, e.g., comment letters of American Bankers Ass'n (May 25, 2007); Discover Bank (May 29, 2007).
Back to Citation156. See also privacy rule, section _.7(d), NCUA section 716.7(d)(6).
Back to Citation157. See, e.g., comment letters of Center for Democracy and Technology (May 29, 2007); Privacy Rights Clearinghouse (May 22, 2007); National Automobile Dealers Ass'n (May 29, 2007.
Back to Citation158. See, e.g., comment letters of National Retail Federation (May 29, 2007); Citicorp (May 29, 2007); National Business Coalition on E-Commerce and Privacy (May 30, 2007).
Back to Citation159. See, e.g., comment letters of Sun Trust Banks, Inc. (May 23, 2007); Central National Bank of Enid (May 24, 2007).
Back to Citation160. See also The President's Identity Theft Task Force, Combating Identity Theft, at 13 (Apr. 2007) (“Consumer information is the currency of identity theft, and perhaps the most valuable piece of information for the thief is the SSN”).
Back to Citation161. See section __.7(a)(1)(iii) of the privacy rule and section _.25(a) of the affiliate marketing rule.
Back to Citation162. See, e.g., comment letters of American Council of Life Insurers (May 29, 2007); Securities Industry and Financial Markets Ass'n (May 29, 2007).
Back to Citation163. See section _.10(b) of the privacy rule.
Back to Citation164. See, e.g., comment letters of MasterCard Worldwide (May 29, 2007); National Business Coalition on E-Commerce and Privacy (May 30, 2007); Wells Fargo & Company (May 29, 2007); Wolters Kluwer Financial Services (May 24, 2007).
Back to Citation165. California provides that a consumer can opt out of joint marketing. Cal. Fin. Code div. 1.2 § 4053(b)(2). Thus, an institution can provide a generalized notice offering no opt-out, with California-specific information in the “Other important information” box. Alternatively, an institution can provide a separate notice to its California customers. Institutions cannot use the model form to offer opt-in consent. See Instruction C.2(g)(5) to the Model Privacy Form.
Back to Citation166. See Instruction C.2(g) to the Model Privacy Form.
Back to Citation167. See, e.g., comment letters of Mastercard Worldwide (May 29, 2007); American Insurance Ass'n (May 29, 2007); American Council of Life Insurers (May 29, 2007); Securities Industry and Financial Markets Ass'n (May 29, 2007).
Back to Citation168. Kleimann Report, supra note 32, at 35, 226.
Back to Citation169. NAIC Study, supra note 141.
Back to Citation170. See Instruction C.2(f) to the Model Privacy Form.
Back to Citation171. See also infra section III.J.1. Section III.I.5 provides guidance on the use of sensitive personal information (such as a Social Security number or account number) to effect an opt-out. Section III.I.6 discusses how voluntary or state-required privacy law opt-outs should appear in the mail-in opt-out form. See also Instruction C.2(g) to the Model Privacy Form.
Back to Citation172. While the Agencies are limiting the space allotted for this FAQ, we do not intend that institutions will constrain the width of the left column (with the questions) so as to make this page difficult to read. We remind institutions that design experts recommend using sufficient white space to set off features such as headings, bullets, and key information used by consumers to quickly scan a document. We note further that the ratio of the column widths of the questions to the responses in the model form is approximately 1:2.
Back to Citation173. The option of creating a jointly provided notice is not limited only to financial holding companies, as one commenter observed. Instruction B.1 to the Model Privacy Form has been modified to clarify that point.
Back to Citation174. See section _.9(f) of the privacy rule.
Back to Citation175. While the testing found it to be helpful background, this information is not required by the privacy rule.
Back to Citation176. See, e.g., comment letters of Consumer Bankers Ass'n (May 29, 2007); MasterCard Worldwide (May 29, 2007).
Back to Citation177. See comment letters of American Council of Life Insurers (May 29, 2007); American Insurance Ass'n (May 29, 2007).
Back to Citation178. Kleimann Report, supra note 32, at 125-26.
Back to Citation179. See, e.g., comment letters of Iowa State Bank and Trust (May 22, 2007); PayPal (May 29, 2007); Wachovia Corporation (May 25, 2007).
Back to Citation180. See, e.g., comment letters of American Council of Life Insurers (May 29, 2007); American Bankers Ass'n (May 25, 2007); Consumer Bankers Ass'n (May 29, 2007); Mastercard Worldwide (May 29, 2007); Wells Fargo & Company (May 29, 2007); National Ass'n of Mutual Insurance Cos. (May 29, 2007); National Automobile Dealers Ass'n (May 29, 2007).
Back to Citation181. See Instruction C.3(a)(3) to the Model Privacy Form. See supra note 117.
Back to Citation182. See, e.g., comment letters of American Council of Life Insurers (May 25, 2007); National Ass'n of Mutual Insurance Cos. (May 29, 2007).
Back to Citation183. See, e.g., comment letters of American Bankers Ass'n (May 29, 2007); Discover Bank (May 29, 2007); Mastercard Worldwide (May 29, 2007); Huntington National Bank (May 25, 2007).
Back to Citation184. See also supra discussion section III.I.8.
Back to Citation185. See, e.g., comment letters of Mastercard Worldwide (May 29, 2007); Huntington National Bank (May 25, 2007); Consumer Bankers Ass'n (May 29, 2007); Wells Fargo & Company (May 29, 2007).
Back to Citation186. See sections __.6(a)(3), __.6(a)(5), __.6(c)(3), and __.6(c)(4) of the privacy rule. The joint marketing provisions apply to joint marketing agreements with other financial institutions, but not to other types of arrangements with section __.13 service providers.
Back to Citation187. See Instruction C.3(b) to the Model Privacy Form.
Back to Citation188. See, e.g., comment letters of American Bankers Ass'n (May 25, 2007); American Council of Life Insurers (May 29, 2007); Bank of America Corporation (May 29, 1007); Citigroup Inc. (May 30, 2007); Consumer Bankers Ass'n (May 29, 2007); Consumer Mortgage Coalition (May 29, 2007); Countrywide Home Loans, Inc. (May 29, 2007); Discover Bank (May 29, 2007); Financial Services Institute (May 29, 2007); Iowa Student Loan (May 22, 2007); KeyCorp (May 25, 2007); National Business Coalition on E-Commerce and Privacy (May 30, 2007); National Retail Federation (May 29, 2007); National Ass'n of Mutual Insurance Cos. (May 29, 2007); Sovereign Bank (May 21, 2007); Wells Fargo (May 29, 2007); World's Foremost Bank (May 25, 2007); Direct Marketing Ass'n (May 29, 2007); Securities Industry and Financial Markets Ass'n (May 29, 2007); World Financial Capital Bank (May 25, 2007); World Financial Network National Bank (May 29, 2007).
Back to Citation189. The 10-point minimum font size applies to the contents of the “Other important information box.” In addition, while the safe harbor extends to including this box at the end of the model form, it does not extend to the content of the box. Institutions are responsible for ensuring that any statements made in this box are accurate.
Back to Citation190. See, e.g., comment letters of American Insurance Ass'n (May 29, 2007); Great-West Life & Annuity Insurance Co. (May 29, 2007).
Back to Citation191. See, e.g., comment letters of American Council of Life Insurers (May 29, 2007); American Insurance Ass'n (May 29, 2007); Huntington National Bank (May 25, 2007).
Back to Citation192. See comment letter of National Automobile Dealers Ass'n (May 29, 2007).
Back to Citation193. See, e.g., comment letters of American Council of Life Insurers (May 29, 2007); Consumer Bankers Ass'n (May 29, 2007); Citigroup Inc. (May 30, 2007); Mastercard Worldwide (May 29, 2007); Securities Industry and Financial Markets Ass'n (May 29, 2007).
Back to Citation194. See comment letters of American Council of Life Insurers (May 29, 2007); Citigroup Inc. (May 30, 2007).
Back to Citation195. See, e.g., comment letters of Center for Democracy and Technology (May 29, 2007); see also New York State Consumer Protection Board (May 29, 2007).
Back to Citation196. Adoption of the model form, with no change in policies or practices, would not constitute a revised notice, although institutions may elect to consider the format change as a revision, at their option. However, inserting the new affiliate marketing opt-out in the model form would be a revision of the institution's policies and practices.
Back to Citation197. See, e.g., comment letters of American Bankers Ass'n (May 25, 2007); California Bankers Ass'n (May 25, 2007); Consumer Bankers Ass'n (May 29, 2007).
Back to Citation198. See, e.g., comment letters of American Insurance Ass'n (May 29, 2007); Center for Democracy and Technology (May 29, 2007); Citrus and Chemical Bank (May 24, 2007); Credit Union National Ass'n (May 29, 2007); Independent Community Bankers of America (May 29, 2007); PayPal (May 29, 2007); Portage National Bank (May 1, 2007); Sovereign Bank (May 21, 2007).
Back to Citation199. See, e.g., comment letters of Center for Democracy and Technology (May 29, 2007); Investment Company Institute (May 29, 2007); MasterCard Worldwide (May 29, 2007); National Business Coalition on E-Commerce and Privacy (May 30, 2007); PayPal (May 29, 2007); Target National Bank (May 24, 2007).
Back to Citation200. See, e.g., comment letters of American Bankers Ass'n (May 25, 2007); American Council of Life Insurers (May 29, 2007); The Financial Services Roundtable and BITS (May 29, 2007); Huntington National Bank (May 25, 2007); National Retail Federation (May 29, 2007); Securities Industry and Financial Markets Ass'n (May 29, 2007); Wachovia Corporation (May 25, 2007).
Back to Citation201. See, e.g., comment letters of Huntington National Bank (May 25, 2007); MasterCard Worldwide (May 29, 2007); PayPal (May 29, 2007); Securities Industry and Financial Markets Ass'n (May 29, 2007); Wachovia Corporation (May 25, 2007).
Back to Citation202. See, e.g., comment letters of First Bank Americano (May 2, 2007); First Hawaiian Bank (May 29, 2007); National Retail Federation (May 29, 2007).
Back to Citation203. See, e.g., comment letters of American Bankers Ass'n (May 25, 2007); Bank of America Corporation (May 29, 2007); Comerica Bank (May 25, 2007); Consumer Bankers Ass'n (May 29, 2007); Citigroup Inc. (May 30, 2007); First Hawaiian Bank (May 29, 2007); California Bankers Ass'n (May, 2007); Farmers & Merchants Bank (May 29, 2007); Financial Services Roundtable and BITS (May 29, 2007); Huntington National Bank (May 25, 2007); KeyCorp (May 25, 2007); Target National Bank (May 24, 2007); Wachovia Corporation (May 25, 2007); Wells Fargo & Company (May 29, 2007).
Back to Citation204. See comment letters of PayPal (May 29, 2007); TrustE (May 30, 2007).
Back to Citation205. See comment letter of TRUSTe (May 30, 2007).
Back to Citation206. See, e.g., comment letters of America's Community Bankers (May 29, 2007); Bank of Edison (March 21, 2007); Bank of Frankewing (May 18, 2007); Central National Bank of Enid (May 24, 2007); FamilyFirst Bank (May 8, 2007); Florence Savings Bank (April 30, 2007); Glenview State Bank (May 2, 2007); Hometown Bank (May 8, 2007); Portage National Bank (May 1, 2007).
Back to Citation207. The Sample Clauses were originally provided in the privacy rule to illustrate the level of detail for notices to meet the rule requirements and to minimize the compliance burden. See 65 FR 33646, 33677 (May 24, 2000) (FTC); 65 FR 35162, 35185 (June 1, 2000) (banking agencies); 65 FR 40334, 40357 (June 29, 2000) (SEC); 66 FR 21236, 21238 (Apr. 27, 2001) (CFTC).
Back to Citation208. See, e.g., comment letters of American Bankers Ass'n (May 25, 2007); American Council of Life Insurers (May 29, 2007); American Insurance Ass'n (May 29, 2007); Bank of America Corporation (May 29, 2007); Consumer Bankers Ass'n (May 29, 2007); Citigroup Inc. (May 30, 2007); Direct Marketing Ass'n (May 29, 2007); Investment Adviser Ass'n (May 29, 2007); National Ass'n of Mutual Insurance Cos. (May 29, 2007); National Automobile Dealers Ass'n (May 29, 2007); National Business Coalition on E-Commerce and Privacy (May 30, 2007); T. Rowe Price Associates, Inc. (May 29, 2007); Visa U.S.A., Inc. (May 29, 2007); Wisconsin Bankers Ass'n (May 29, 2007).
Back to Citation209. See, e.g., comment letter of National Automobile Dealers Ass'n (May 29, 2007). Sample Clause A-1 describes the categories of information that an institution collects. Sample Clause A-3 includes the phrase “as permitted by law” to describe the sharing that institutions are permitted to do under sections __.14 and __.15 without triggering an opt-out. Sample Clause A-7 generally states that an institution uses safeguard measures to protect the handling of the personal information it obtains.
Back to Citation210. See, e.g., comment letters of Visa U.S.A., Inc. (May 29, 2007); Citigroup Inc. (May 30, 2007); Huntington National Bank (May 25, 2009).
Back to Citation211. See, e.g., comment letter of Capital One Financial Corporation (May 29, 2007).
Back to Citation212. See, e.g., comment letters of Direct Marketing Ass'n (May 29, 2007); Investment Adviser Ass'n (May 29, 2007).
Back to Citation213. The Agencies are also making conforming amendments to sections __.2, __.6, and __.7 of the privacy rule and to the Appendix with one small change from the Proposed Rule.
Back to Citation214. See, e.g., Public Citizen Petition, supra note 24 at 4-9; Press Release of House Committee on Financial Services, supra note 74.
Back to Citation215. See comment letter of Capital One Financial Corporation (May 29, 2007).
Back to Citation216. See comment letter of Independent Community Bankers Ass'n (May 29, 2007).
Back to Citation217. The Levy-Hastak Report also found that study participants who saw the Current Notice were significantly more likely to give reasons not based on any information in the notice, for example, that Bank X offered a lower interest rate. These same participants were also less likely than those who saw the other notices to give cogent reasons for choosing the lower sharing bank. Levy-Hastak Report at 9.
Back to Citation218. Id. at 15.
Back to Citation219. Id. at 10.
Back to Citation220. See supra note 133 and related text.
Back to Citation221. See NAIC Study, supra note 141.
Back to Citation222. See, e.g., comment letters of Florence Savings Bank (April 30, 2007); Community Bankers of America (May 29, 2007), Iowa State Bank and Trust Co. (May 22, 2007), Credit Union National Ass'n (May 29, 2007); see also supra note 133 and related text.
Back to Citation223. See comment letter of Independent Community Bankers of America (May 29, 2007).
Back to Citation224. Institutions relying on the Sample Clauses appended to the SEC's privacy rule will not be able to rely on them for guidance in notices delivered or posted on or after January 1, 2011.
Back to Citation225. For example, if an institution provides a notice using the Sample Clauses on or before December 31, 2010, it could continue to rely on the safe harbor for one additional year until its next annual notice is due. If an institution provides a notice using the Sample Clauses on or after January 1, 2011, however, it could not rely on the safe harbor. Privacy notices using the Sample Clauses posted on an institution's Web site to meet the annual notice requirements of section _.9(c) of the privacy rule would no longer be able to rely on the safe harbor beginning on January 1, 2011.
Back to Citation226. See SEC privacy rule, section 248.2(a). The facts and circumstances of each individual situation determine whether use of the Sample Clauses constitutes compliance with the SEC's privacy rule.
Back to Citation227. Institutions using option (1) in this revised sentence to section _.6(b) are required to include all applicable examples. See 12 CFR 40.6(b) (OCC); 12 CFR 216.6(b) (Board); 12 CFR 322.6(b) (FDIC); 12 CFR 573.6(b) (OTS); 12 CFR 716.6(b) (NCUA); 17 CFR 160.6(b) (CFTC); 17 CFR 248.6(b) (SEC).
Back to Citation228. Proposed Rule, supra note 4, at section IV.
Back to Citation230. The SEC is also adopting the amendments under section 23 of the Securities Exchange Act of 1934 [15 U.S.C. 78w], section 38(a) of the Investment Company Act of 1940 [15 U.S.C. 80a-37(a)], and section 211(a) of the Investment Advisers Act of 1940 [15 U.S.C. 80b-11(a)].
The CFTC also is adopting the amendments under Section 504 of the GLB Act [15 U.S.C. 6804], and Sections 5g and 8a(5) of the Commodity Exchange Act [7 U.S.C. 7b-2, 12a(5)].
Back to Citation231. Comment letter of National Business Coalition on E-Commerce and Privacy (May 30, 2007).
Back to Citation232. See, e.g., joint comment letter of American Bankers Ass'n, America's Community Bankers, Consumer Bankers Ass'n, and The Financial Services Roundtable (May 29, 2007).
Back to Citation233. See comment letter of Independent Community Bankers of America (May 29, 2007).
Back to Citation234. See, e.g., comment letters of Financial Services Institute (May 29, 2007); Financial Planning Ass'n (May 30, 2007).
Back to Citation235. See supra sections III.I.2 and III.J.1; see also infra, Instructions C.2(b) and C.3(a)(3) and (4) to the Model Privacy Form.
Back to Citation236. See, e.g., comment letter of Investment Adviser Ass'n (May 29, 2007).
Back to Citation237. See, e.g., comment letter of National Automobile Dealers Ass'n (May 29, 2007).
Back to Citation238. See supra section IV and discussion at notes 217-219 and related text. See also Public Citizen Petition, supra note 24, at 9 (“The paragraph employs ambiguous phrases such as `other information' (what other information?), `unless otherwise permitted by law' (in actuality, the law almost always permits disclosure) * * *”).
Back to Citation239. See, e.g., comment letters of Financial Planning Ass'n (May 30, 2007); Center for Democracy and Technology (May 29, 2007).
Back to Citation240. For purposes of the RFA, under the Securities Exchange Act of 1934 a small entity is a broker or dealer that (i) had total capital of less than $500,000 on the date in its prior fiscal year as of which its audited financial statements were prepared or, if not required to file audited financial statements, on the last business day of its prior fiscal year, and (ii) is not affiliated with any person that is not a small business or small organization. 17 CFR 240.0-10(c). Under the Investment Company Act of 1940, a “small entity” is an investment company that, together with other investment companies in the same group of related investment companies, has net assets of $50 million or less as of the end of its most recent fiscal year. 17 CFR 270.0-10(a). Under the Investment Advisers Act of 1940, a small entity is an investment adviser that (i) manages less than $25 million in assets, (ii) has total assets of less than $5 million on the last day of its most recent fiscal year, and (iii) does not control, is not controlled by, and is not under common control with another investment adviser that manages $25 million or more in assets, or any person that had total assets of $5 million or more on the last day of the most recent fiscal year. 17 CFR 275.0-7(a).
Back to Citation241. To the extent that institutions review their privacy policies annually for compliance, we estimate that the costs associated with this annual review, including professional costs, will be approximately the same as the costs to complete the model form.
Back to Citation243. A number of commenters expressed concern that the safe harbor provisions might not fully extend to all GLB Act requirements or FCRA disclosures. See, e.g., comment letter of Citigroup Inc. (May 30, 2007). Several commenters further suggested the safe harbor should encompass state and private enforcement. See, e.g., comment letters of Consumer Bankers Ass'n (May 29, 2007); Financial Services Institute (May 29, 2007). In response to these comments, the Agencies have clarified the scope of the safe harbor. See supra section III.K.2.
Back to Citation244. See, e.g., comment letters of Investment Adviser Ass'n (May 29, 2007) (estimating additional printing and mailing costs for larger investment advisory firms of $100,000 to more than $300,000 per mailing); Securities Industry and Financial Markets Ass'n (May 29, 2007) (estimating additional printing costs of $7.5 million per billion notices).
Back to Citation245. See, e.g., comment letters of Investment Adviser Ass'n (May 29, 2007); Citigroup Inc. (May 30, 2007).
Back to Citation246. See, e.g., comment letters of Financial Services Roundtable and BITS (May 29, 2007) (estimating cost to financial services industry of printing and mailing model form of approximately $400 million per billion notices); Citigroup Inc. (May 30, 2007) (consumers “are more likely to open and read mail that contains an `important' communication such as a billing statement than an unidentified standalone communication”).
Back to Citation247. See, e.g., comment letter of Capital One Financial Corporation (May 29, 2007).
Back to Citation248. See comment letter of Securities Industry and Financial Markets Ass'n (May 29, 2007).
Back to Citation249. See comment letter of T. Rowe Price Associates, Inc. (May 29, 2007).
Back to Citation250. See comment letter of Investment Adviser Ass'n (May 29, 2007).
Back to Citation251. See, e.g., comment letter of Bank of America Corporation (May 29, 2007).
Back to Citation252. See comment letter of Visa U.S.A. Inc. (May 29, 2007).
Back to Citation253. See comment letter of Financial Services Institute (May 29, 2007).
Back to Citation254. See 15 U.S.C. 78w(a)(2).
Back to CitationBILLING CODE 6750-01-P 12.5%, 6351-01-P 12.5%, 6720-01-P 12.5%, 6714-01-P 12.5%, 4810-33-P 12.5%, 6210-01-P 12.5%, 8011-01-P 12.5%, 7535-01-P 12.5%
BILLING CODE 6750-01-P 12.5%, 6351-01-C 12.5%, 6720-01-C 12.5%, 6714-01-C 12.5%, 4810-33-C 12.5%, 6210-01-C 12.5%, 8011-01-C 12.5%, 7535-01-C 12.5%
BILLING CODE 6750-01-P 12.5%, 6351-01-P 12.5%, 6720-01-P 12.5%, 6714-01-P 12.5%, 4810-33-P 12.5%, 6210-01-P 12.5%, 8011-01-P 12.5%, 7535-01-P 12.5%
BILLING CODE 6750-01-C 12.5%, 6351-01-C 12.5%, 6720-01-C 12.5%, 6714-01-C 12.5%, 4810-33-C 12.5%, 6210-01-C 12.5%, 8011-01-C 12.5%, 7535-01-C 12.5%
BILLING CODE 6750-01-P 12.5%, 6351-01-P 12.5%, 6720-01-P 12.5%, 6714-01-P 12.5%, 4810-33-P 12.5%, 6210-01-P 12.5%, 8011-01-P 12.5%, 7535-01-P 12.5%
BILLING CODE 6750-01-C 12.5%, 6351-01-C 12.5%, 6720-01-C 12.5%, 6714-01-C 12.5%, 4810-01-C 12.5%, 6210-01-C 12.5%, 8011-01-C 12.5%, 7535-01-C 12.5%
BILLING CODE 6750-01-P 12.5%, 6351-01-P 12.5%, 6720-01-P 12.5%, 6714-01-P 12.5%, 4810-01-P 12.5%, 6210-01-P 12.5%, 8011-01-P 12.5%, 7535-01-P 12.5%
BILLING CODE 6750-01-C 12.5%, 6351-01-C 12.5%, 6720-01-C 12.5%, 6714-01-C 12.5%, 4810-01-C 12.5%, 6210-01-C 12.5%, 8011-01-C 12.5%, 7535-01-C 12.5%
BILLING CODE 6750-01-P 12.5%, 6351-01-P 12.5%, 6720-01-P 12.5%, 6714-01-P 12.5%, 4810-33-P 12.5%, 6210-01-P 12.5%, 8011-01-P 12.5%, 7535-01-P 12.5%;
BILLING CODE 6750-01-C 12.5%, 6351-01-C 12.5%, 6720-01-C 12.5%, 6714-01-C 12.5%, 4810-33-C 12.5%, 6210-01-C 12.5%, 8011-01-C 12.5%, 7535-01-C 12.5%;
BILLING CODE 6750-01-P 12.5%, 6351-01-P 12.5%, 6720-01-P 12.5%, 6714-01-P 12.5%, 4810-33-P 12.5%, 6210-01-P 12.5%, 8011-01-P 12.5%, 7535-01-P 12.5%
BILLING CODE 6750-01-C 12.5%, 6351-01-C 12.5%, 6720-01-C 12.5%, 6714-01-C 12.5%, 4810-33-C 12.5%, 6210-01-C 12.5%, 8011-01-C 12.5%, 7535-01-C 12.5%,
BILLING CODE 6750-01-P 12.5%, 6351-01-P 12.5%, 6720-01-P 12.5%, 6714-01-P 12.5%, 4810-33-P 12.5%, 6210-01-P 12.5%, 8011-01-P 12.5%, 7535-01-P 12.5%,
BILLING CODE 6750-01-C12.5%, 6351-01-C12.5%, 6720-01-C12.5%, 6714-01-C12.5%, 4810-33-C12.5%, 6210-01-C12.5%, 8011-01-C12.5%, 7535-01-C12.5%,
BILLING CODE 6750-01-P 12.5%, 6351-01-P 12.5%, 6720-01-P 12.5%, 6714-01-P 12.5%, 4810-33-P 12.5%, 6210-01-P 12.5%, 8011-01-P 12.5%, 7535-01-P 12.5%,
BILLING CODE 6750-01-C 12.5%, 6351-01-C 12.5%, 6720-01-C 12.5%, 6714-01-C 12.5%, 4810-33-C 12.5%, 6210-01-C 12.5%, 8011-01-C 12.5%, 7535-01-C 12.5%,
[FR Doc. E9-27882 Filed 11-30-09; 8:45 am]
BILLING CODE 6750-01-P 12.5%, 6351-01-P 12.5%, 6720-01-P 12.5%, 6714-01-P 12.5%, 4810-33-P 12.5%, 6210-01-P 12.5%, 8011-01-P 12.5%, 7535-01-P 12.5%
Document Information
- Comments Received:
- 0 Comments
- Effective Date:
- 12/31/2009
- Published:
- 12/01/2009
- Department:
- Securities and Exchange Commission
- Entry Type:
- Rule
- Action:
- Final rule.
- Document Number:
- E9-27882
- Dates:
- This rule is effective on December 31, 2009, except for the following amendments, which are effective January 1, 2012:
- Pages:
- 62889-62994 (106 pages)
- Docket Numbers:
- Docket ID OCC-2009-0011, Docket No. R-1280, Docket ID OTS-2009-0014, Project No. 034815, Release Nos. 34-61003, IA-2950, IC-28997, File No. S7-09-07
- RINs:
- 1550-AC12: Model Privacy Form Under the Gramm-Leach-Bliley Act, 1557-AC80: Interagency Proposal for Model Privacy Form Under the Gramm-Leach-Bliley Act, 3038-AC04: Interagency Proposal To Consider Alternative Forms of Privacy Notices Under the Gramm-Leach-Bliley Act, 3064-AD16: Interagency Proposal for Model Privacy Form Under the Gramm-Leach-Bliley Act , 3084-AA94: Fair and Accurate Credit Transactions Act of 2003, 3133-AC84: Privacy of Consumer Financial Information, 3235-AJO6
- RIN Links:
- https://www.federalregister.gov/regulations/1550-AC12/model-privacy-form-under-the-gramm-leach-bliley-act, https://www.federalregister.gov/regulations/1557-AC80/interagency-proposal-for-model-privacy-form-under-the-gramm-leach-bliley-act, https://www.federalregister.gov/regulations/3038-AC04/interagency-proposal-to-consider-alternative-forms-of-privacy-notices-under-the-gramm-leach-bliley-a, https://www.federalregister.gov/regulations/3064-AD16/interagency-proposal-for-model-privacy-form-under-...
- Topics:
- Banks, banking, Banks, banking, Banks, banking, Banks, banking, Brokers, Consumer protection, Credit, Credit unions, Foreign banking, Holding companies, Investment companies, National banks, Privacy, Reporting and recordkeeping requirements, Savings associations, Securities, Trade practices
- PDF File:
- e9-27882.pdf
- CFR: (24)
- 17 CFR 40.2
- 17 CFR 40.6
- 17 CFR 40.7
- 17 CFR 160.2
- 17 CFR 160.6
- More ...