AGENCY:

Federal Trade Commission.

ACTION:

Notice of proposed rulemaking.

SUMMARY:

In this document, the Federal Trade Commission (the “Commission” or “FTC”) issues a Notice of Proposed Rulemaking that is required by Section 504(a) of the Gramm-Leach-Bliley Act, (the “G-L-B Act” or “Act”) with respect to financial institutions and other persons under the Commission's jurisdiction, as set forth in Section 505(a)(7) of the Act. The Commission requests comment on this proposed privacy Rule. Section 504 of the Act requires the Commission and other federal agencies to issue regulations implementing notice requirements and restrictions on a financial institution's ability to disclose nonpublic personal information about consumers to nonaffiliated third parties. Pursuant to Section 503 of the G-L-B Act, a financial institution must provide its customers with a notice of its privacy policies and practices. Section 502 of the Act prohibits a financial institution from disclosing nonpublic personal information about a consumer to nonaffiliated third parties unless the institution satisfies various disclosure requirements and the consumer has not elected to opt out of the disclosure. This proposed Rule would implement the requirements outlined above.

DATES:

Comments must be received on or before March 31, 2000.

ADDRESSES:

Written comments should be addressed to: Secretary, Federal Trade Commission, Room H-159, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The Commission requests that commenters submit the original plus five copies, if feasible. Comments should also be submitted if possible, in electronic form, on either a 51/4 or a 31/2 inch computer disk, with a disk label stating the name of the commenter and the name and version of the word processing program used to create the document. (Programs based on DOS or Windows are preferred. Files from other operating systems should be submitted in ASCII format.) Alternatively, the Commission will accept comments submitted to the following E-mail address: GLBRule@ftc.gov. Those commenters submitting comments by e-mail are advised to confirm receipt by consulting the postings on the Commission's website at www.ftc.gov. Individual members of the public filing comments need not submit multiple copies or comments in electronic form. All submissions should be captioned: “Gramm-Leach-Bliley Act Privacy Rule, 16 CFR Part 313—Comment.”

Comments related to the Paperwork Reduction Act should also be submitted to the Office of Information and Regulatory Affairs, Office of Management and Budget, Room 10235, New Executive Office Building, Washington, DC 20503, Attention: Desk Officer for FTC.

FOR FURTHER INFORMATION CONTACT:

Kellie A. Cosgrove or Clarke Brinckerhoff, Attorneys, Division of Financial Practices, Federal Trade Commission, Washington, DC 20580, 202-326-3224.

SUPPLEMENTARY INFORMATION:

Section A. Background

On November 12, 1999, President Clinton signed the G-L-B Act (Public Law 106-102, codified at 15 U.S.C. 6801 et seq.) into law. Subtitle A of Title V of the Act, captioned Disclosure of Nonpublic Personal Information, limits the instances in which a financial institution may disclose nonpublic personal information about a consumer to nonaffiliated third parties, and requires a financial institution to disclose to all of its customers the institution's privacy policies and practices with respect to information sharing with both affiliates and nonaffiliated third parties. Title V also requires the Commission, along with the Federal banking agencies and other authorities (Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of Thrift Supervision, National Credit Union Administration, Secretary of the Treasury, and Securities and Exchange Commission (hereinafter referred to collectively as “the Agencies”)), after consulting with representatives of State insurance authorities designated by the National Association of Insurance Commissioners, to prescribe such regulations as may be necessary to carry out the purposes of the provisions in Title V, Subtitle A, that govern disclosure of nonpublic personal information.

The Commission and the Agencies have prepared proposed rules to implement Subtitle A that are consistent and comparable to the extent possible, as is required by the statute. The Commission requests comment on all aspects of its proposed Rule, as well as comment on the specific provisions and issues highlighted in the Section-by-Section Analysis of the Proposed Rule, below.

Section B. Section-by-Section Analysis of the Proposed Rule

The discussion that follows explains in detail each section of the Commission's proposed Rule.

Section 313.1 Purpose and Scope

Proposed paragraph (a) of this section identifies three purposes of the Rule. First, the Rule requires a financial institution to provide notice in specified circumstances to consumers about the institution's privacy policies and practices. Second, the Rule describes the conditions under which a financial institution may disclose nonpublic personal information about a consumer to a nonaffiliated third party. Third, the Rule provides a method for a consumer to “opt out” of the disclosure of that information to nonaffiliated third parties, subject to the exceptions in proposed §§ 313.9, 313.10, and 313.11, as discussed below.

Proposed paragraph (b) sets out the scope of the Commission's proposed Rule, and tracks the scope of enforcement set out in section 505(a)(7) of the G-L-B Act. This paragraph states that the Rule applies only to information about individuals who obtain a financial product or service from a financial institution to be used for personal, family, or household purposes. The principal type of entity subject to the Rule is a “financial institution,” a term which is very broad under the Act. Section 509(3) defines the term to mean “any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956” (12 U.S.C. 1843(k)). Those “financial activities” include not only a number of traditional financial activities specified in Section 4(k) itself,^[1] but also those activities that the Federal Reserve Board has found to be closely related to banking,^[2] or usual Start Printed Page 11175in connection with the transaction of banking or other financial operations abroad.^[3] The Commission invites comment on whether the activities as set forth in the Board regulations (many of which are listed in notes 2-3 below) may be interpreted narrowly under the language of those regulations.^[4] Issues relating to the scope of the Act are also discussed in the Section-by-Section Analysis of the definition of the term “financial institution” in § 313.3(j).

Paragraph (b) lists some examples of “financial institutions” subject to Commission jurisdiction under the Act. The Commission is also authorized to enforce the Act against “other persons” who are not financial institutions, but receive protected information from a financial institution and are subject to the Act's restrictions on reuse of the information set forth in proposed § 313.12.

Section 313.2 Rule of Construction

Proposed § 313.2 of the Rule sets out a rule of construction intended to clarify the effect of the examples used in the Rule. Given the wide variety of transactions that Title V, Subtitle A, of the G-L-B Act covers, the Commission and Agencies propose to adopt rules of general applicability and provide examples of conduct that would, and would not, comply with the Rule. While the general rules are consistent among the Commission's and Agencies' proposals to the extent possible, the examples used by the Commission and individual agencies differ on occasion from those used by the other agencies in order to provide guidance that may be most meaningful to entities within a given agency's jurisdiction. These examples are not intended to be exhaustive; rather they are intended to provide guidance about how the Rule would apply in specific circumstances. The Commission invites comment on whether including examples in the Rule is useful and suggestions on additional or different examples that may be helpful in illustrating compliance with the Rule.

Section 313.3 Definitions

a. Affiliate. The proposed Rule adopts the definition of “affiliate” that is used in section 509(6) of the G-L-B Act. An affiliation will be found when one company “controls” (which is defined in § 313.3(g)), is controlled by, or is under common control with another company. The definition includes both financial institutions and entities that are not financial institutions.

b. Clear and conspicuous. Title V, Subtitle A, of the G-L-B Act and the proposed Rule require that various notices be “clear and conspicuous.” The proposed Rule defines this term to mean that the notice is reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice.

The proposed Rule does not mandate the use of any particular technique for making the notices clear and conspicuous, but instead allows each financial institution the flexibility to decide for itself how best to comply with this requirement. Ways in which a notice may satisfy the clear and conspicuous standard would include, for instance, using a plain-language caption, in a type set easily seen, that is designed to call attention to the information contained in the notice. Other plain language principles are provided in the examples that follow the general rule.

c. Collect. The proposed Rule defines “collect” to mean obtaining any information that is organized or retrievable on a personally identifiable basis, irrespective of the source of the underlying information. Several sections of the proposed Rule (see, e.g., §§ 313.6 and 313.7) impose obligations that arise when a financial institution collects information about a consumer. This proposed definition clarifies that these obligations arise when the information enables the user to identify a particular consumer. It also clarifies that the obligations arise regardless of whether a financial institution obtains the information from a consumer or from some other source.

d. Company. The proposed Rule defines “company,” which is used in the definition of “affiliate,” as any corporation, limited liability company, business trust, general or limited partnership, association, or similar organization.

e. Consumer. The proposed Rule defines “consumer” to mean an individual who obtains, from a financial institution, financial products or services that are to be used primarily for personal, family, or household purposes. An individual also will be deemed to be a consumer of a financial institution if that institution purchases the individual's account from some other institution. The definition also includes the legal representative of an individual.

The G-L-B Act distinguishes “consumers” from “customers” for purposes of the notice requirements imposed by the Act. As explained more fully in the discussion of proposed § 313.4, below, a financial institution is required to give a “consumer” the notices required under Title V, Subtitle A, only if the institution intends to disclose nonpublic personal information about the consumer to a nonaffiliated third party for a purpose that is not authorized by one of several exceptions set out in proposed §§ 313.10 and 313.11. By contrast, a financial institution must give all “customers” a notice of the institution's privacy policy at the time of establishing a customer relationship and annually thereafter during the continuation of the customer relationship.

A person is a “consumer” under the proposed Rule if he or she obtains a financial product or service from a financial institution. The definition of “financial product or service” in proposed § 313.3(k), below, includes, Start Printed Page 11176among other things, the evaluation by a financial institution of an application that a person submits to obtain a financial product or service. Thus, a financial institution that intends to share nonpublic personal information about a consumer with nonaffiliated third parties, outside of the exceptions described in §§ 313.10 and 313.11, will have to give the requisite notices, even if the consumer does not enter into a customer relationship with the institution.

The examples that follow the definition of “consumer” clarify when someone is a consumer. They include situations where someone applies for credit or provides information for the purpose of determining whether he or she prequalifies for a loan, or a person provides information in connection with seeking to obtain financial advisory services. The examples also clarify the status of someone whose credit account has been sold.

f. Consumer reporting agency. The proposed Rule adopts the definition of “consumer reporting agency” that is used in section 603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)). This term is used in proposed §§ 313.11 and 313.13.

g. Control. The proposed Rule defines “control” using the tests applied in section 23A of the Federal Reserve Act (12 U.S.C. 371c). This definition is used to determine when companies are affiliated (see discussion of proposed § 313.3(a) above), and would result in financial institutions being considered affiliates regardless of whether the control is by a company or individual. The Commission invites comment on whether “control” should be defined by a more flexible standard than the percentage test set forth in proposed § 313.3(g)(1).

h. Customer. The proposed Rule defines “customer” as any consumer who has a “customer relationship” with a particular financial institution. As is explained more fully in the discussion of proposed § 313.4 below, a consumer becomes a customer of a financial institution at the time of entering into a continuing relationship with the institution. Thus, for instance, a consumer would become a customer at the time the consumer executes the documents needed to borrow money from a financial institution, or agrees to employ a broker to obtain (or try to obtain) a mortgage loan.

The distinction between consumers and customers determines what notices a financial institution must provide. If a consumer never becomes a customer, the institution is not required to provide any notices to the consumer unless the institution intends to disclose nonpublic personal information about that consumer to nonaffiliated third parties outside of the exceptions as set out in proposed §§ 313.10 and 313.11. By contrast, if a consumer becomes a customer, the institution must provide a copy of its privacy policy prior to the time it establishes the customer relationship and at least annually thereafter during the continuation of the customer relationship even if the institution is not going to share the consumer's information with nonaffiliated third parties.

i. Customer relationship. The proposed Rule defines “customer relationship” as a continuing relationship between a consumer and a financial institution whereby the institution provides a financial product or service to a consumer that is to be used primarily for personal, family, or household purposes. The Commission has interpreted the Act as requiring more than isolated transactions between a financial institution and a consumer to establish a customer relationship. The proposed Rule defines “customer relationship” as being of a “continuing” nature in order to encompass those business dealings that are not isolated, including those that involve a consumer becoming a client of the institution. As noted in the examples that follow the definition, these would include, for instance, cases where an institution opens a credit account for the consumer, a loan broker undertakes to assist a consumer to obtain a home mortgage, or an automobile dealer helps a consumer arrange credit to purchase a vehicle.

A one-time transaction may be sufficient to establish a customer relationship, depending on the nature of the transaction. The examples that follow the definition of “customer relationship” clarify, for instance, that the purchase of an insurance policy would be sufficient to establish a customer relationship, whereas using an automated teller machine at a bank at which a consumer transacts no other business, cashing a check, purchasing travelers checks or money orders, or making a wire transfer would not. Similarly, simply purchasing airline tickets would not establish a customer relationship.^[5] While a person engaging in one of these latter types of transactions would be a consumer under the regulation (thereby requiring the financial institution to provide notices if the institution intends to disclose nonpublic personal information about the consumer to nonaffiliated third parties outside of the exceptions), the consumer would not be a customer. A consumer would not necessarily become a customer simply by repeatedly engaging in isolated transactions, such as withdrawing funds at regular intervals from an ATM owned by an institution with whom the consumer has no account.

The examples also clarify that a consumer will have a customer relationship with a financial institution that makes a loan to the consumer and then sells the loan but retains the servicing rights. In that case, the person will be a customer of both the institution that sold the loan and the institution that bought it.

A consumer has a “customer relationship” with a debt collector that purchases an account from the original creditor (because he or she would have a credit account with the collector), but not with a debt collector that simply attempts to collect amounts owed to the creditor. However, the latter type of debt collector would still be generally bound by the limits on redisclosure and reuse of nonpublic personal information as set forth in proposed § 313.12.^[6]

j. Financial institution. The proposed Rule adopts the definition of “financial institution” that is used in the G-L-B Act, namely, any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). The exceptions to this definition contained in the G-L-B Act also are set out in the proposed Rule. As indicated by proposed §§ 313.3(j)(2) and 313.3(j)(3)(iv), the Commission views an entity as a financial institution “the business of which is engaging in financial activities” only if it is significantly engaged in a financial activity. Thus, a retail business that issues its own credit card directly to consumers is a financial institution engaged in the extension of credit, but a retail business that merely establishes Start Printed Page 11177layaway or deferred payment plans is not a financial institution. The Commission invites comment concerning whether “significantly engaged” should be specifically defined in the Rule and, if so, how such a definition should be drafted. The Commission also invites comment on whether an individual who otherwise meets the definition (for example the sole proprietor of a mortgage loan brokerage business) can be a financial institution.

Due to the wide range of activities that are defined as financial in nature under Section 4(k) of the Bank Holding Company Act, the definition of “financial institution” encompasses a broad spectrum of businesses. (See discussion of the scope of the Act and the Rule at § 313.1.) The Commission recognizes that the plain meaning of the Act mandates this broad scope and requests general comment on this interpretation as well as comment on the application of the Rule to what might be considered the nontraditional financial institutions included in its scope.^[7]

Many entities that come within the broad definition of financial institution will likely not be subject to the disclosure requirements of the Rule because not all financial institutions have “consumers” or establish “customer relationships.” For example, management consulting is a “financial activity” but it is not likely that any individual obtains management consulting services for personal, family or household purposes. Likewise, courier services and data processors who perform services for a financial institution, but do not provide financial products or services to individuals, will not be required to make the disclosures mandated by the Rule because they do not have “consumers” or “customers” as defined by the Rule.^[8] The Commission invites comment on these and other entities that may be “financial institutions” under the Act, but may not be subject to the disclosure requirements of the Rule because they have no “consumers” or “customers” under the Rule.

Proposed § 313.3(j)(3)(iii) also incorporates the Act's exception for institutions chartered by Congress to engage in secondary market sales and similar transactions related to consumers, as long as the institution does not sell or transfer nonpublic personal information to a third party. The Commission interprets this exception in its proposed Rule to apply even if the chartered institution sells or transfers information as permitted by the exceptions to the notice and opt out requirements in proposed §§ 313.10 and 313.11. The proposed Rule reflects this interpretation. The Commission invites comment on this interpretation and on whether those entities that receive consumers' nonpublic personal information from such chartered institutions are nonetheless subject to the Rule's limitations on reuse. The Commission also seeks comment on whether chartered institutions should be required to enter into a confidentiality agreement with those nonaffiliated third parties with whom they share information pursuant to §§ 313.10 and 313.11 as a condition of their exemption.

k. Financial product or service. The proposed Rule defines “financial product or service” as a product or service that a financial holding company could offer by engaging in an activity that is financial in nature under section 4(k) of the Bank Holding Company Act of 1956. It includes the financial institution's evaluation of information collected in connection with an application by a consumer for a financial product or service. The proposed Rule states that the definition includes the financial institution's evaluation of information collected in connection with an application by a consumer for a financial product or service even if the application ultimately is rejected or withdrawn. It also includes the distribution of information about a consumer for the purpose of assisting the consumer in obtaining a financial product or service (by, for example, a mortgage broker or automobile dealer).

A product or service that does not result from a financial activity is not within the definition, even if the business is a financial institution; thus, a department store that issues its own credit card directly to consumers provides a financial service (credit) to consumers who utilize the card, but when it sells merchandise, it provides a nonfinancial product or service (retail sale of merchandise).

l. Government regulator. The proposed Rule adopts the definition of “government regulator” that includes the Commission, the Agencies, and state insurance authorities under the circumstances identified in the definition. This term is used in the exception set out in proposed § 313.11(a)(4) for disclosures to law enforcement agencies, “including government regulators.”

m. Nonaffiliated third party. The proposed Rule defines “nonaffiliated third party” as any person (which includes natural persons as well as business entities such as corporations, partnerships, trusts, and so on) except (1) an affiliate of a financial institution, and (2) a joint employee of a financial institution and a third party. This definition is intended to be substantively the same as the definition used in Section 509(5) of the G-L-B Act.

n. Nonpublic personal information. Section 509(4) of the G-L-B Act defines “nonpublic personal information” to mean “personally identifiable financial information” (which term is not defined in the Act) that is provided by a consumer to a financial institution, results from any transaction with the consumer or any service performed for the consumer, or is otherwise obtained by the financial institution. The definition of “nonpublic personal information” also includes any list, description, or other grouping of consumers—and “publicly available information” (which also is undefined in the G-L-B Act) pertaining to them—that is derived using any nonpublic personal information other than publicly available information.”

The proposed Rule implements this provision of the G-L-B Act by restating, in paragraph (1) of proposed § 313.3(n), the categories of information described above. However, the proposed Rule presents two alternatives (labeled Alternative A and Alternative B) concerning the treatment, for purposes of the definition of “nonpublic personal information,” of information that can be obtained from sources available to the general public.

The alternatives are based on differences in the definitions of “personally identifiable financial information” and “publicly available information,” which, when read together, result in more information being treated as “nonpublic personal information” under Alternative A than would be the case under Alternative B. The primary difference arises in the two definitions of “publicly available information.” Under Alternative A, information is “publicly available information” only if the financial Start Printed Page 11178institution actually obtains the information from a public source. Under Alternative B, information is “publicly available information” if it could be obtained from a public source, regardless of its actual source. The Commission invites comment on both Alternatives. The Commission also invites comment on whether a variation of Alternative A and Alternative B should be adopted that would require a financial institution to undertake reasonable procedures to establish that information is, in fact, available from public sources before the financial institution may disclose it without restriction as “publicly available information.”

The two Alternatives are substantially similar when viewed in the context of a list, but differ considerably in what information a financial institution can disclose about an individual who is not included on a list. Based on the definitions of “publicly available information” and “personally identifiable financial information” under Alternative A, any information that a financial institution obtains from an individual consumer is “nonpublic personal information” and cannot be disclosed by the financial institution without first providing notice and opt out to the consumer. Under Alternative B, however, if that same information could be obtained from public sources, the definitions dictate that the information is not “nonpublic personal information” and the financial institution may disclose it without restriction as “publicly available information.” Thus, if a consumer provided name and address as part of an application for a financial product or service, a financial institution could not, under Alternative A, disclose the consumer's name and address without providing notice and opt out. Under Alternative B, however, if that same individual consumer's name and address could otherwise be obtained from a public source, the financial institution could disclose it without restriction.

While an individual consumer's information may be treated differently under the two Alternatives, a list of consumers receives virtually identical protection. Both alternatives include in the definition of “nonpublic personal information” any list, description, or other grouping of consumers that is derived using “personally identifiable financial information.” The proposed Rule makes clear that “personally identifiable financial information” includes the fact that an individual is a consumer or customer of a financial institution. Therefore, any list of a financial institution's customers is nonpublic personal information because it is necessarily derived from the fact of the customer relationship.^[9] Thus, under Alternative B, even if the names and addresses of the financial institution's customers could have been obtained from a public source (and are, therefore, publicly available), the financial institution cannot reveal them as part of a customer list because that list was derived using personally identifiable financial information (the fact of the customer relationship).^[10]

o. Personally identifiable financial information. As discussed above, the G-L-B Act defines “nonpublic personal information” to include, among other things, “personally identifiable financial information” but does not define the latter term.

As a general matter, the proposed Rule treats any personally identifiable information as financial if it is obtained by a financial institution in connection with providing a financial product or service to a consumer. The Commission believes that this approach reasonably interprets the word “financial” and creates a workable and clear standard for distinguishing information that is financial from other personal information. The Commission recognizes that this interpretation may result in certain information being covered by the rules that may not be considered intrinsically financial, such as health status, and specifically invites comment on the proposed definition of “personally identifiable financial information.”

The proposed Rule defines “personally identifiable financial information” to include three categories of information. While the three categories are for the most part identical in both Alternatives (see discussion concerning differences in the third category, below), the differences in how Alternatives A and B treat publicly available information result in different applications of what “personally identifiable financial information” is included within the definition of “nonpublic personal information.”

The first category of information considered to be “personally identifiable financial information” is any information that a consumer provides to a financial institution in order to obtain a financial product or service. As noted in the examples that follow the definition, this would include information provided on an application to obtain a loan, credit card, or other financial product or service. If, for instance, medical information is provided on an application to obtain a financial product or service (such as would be the case if a consumer applies for a life insurance policy), that information would be considered “personally identifiable financial information” for purposes of the proposed Rule.

The second category of information covered by the proposed definition of “personally identifiable financial information” includes any information resulting from any transaction between the consumer and the financial institution involving a financial product or service. This would include, as noted in the examples following the definition, account balance information, payment or overdraft history, and credit or debit card purchase information.

The third category includes any financial information about a consumer otherwise obtained by the financial institution in connection with providing a financial product or service. This would include, for example, information obtained from a consumer report or from an outside source to verify information a consumer provides on an application to obtain a financial product or service. There is a difference in the statement of this third category between Alternatives A and B. Alternative A expressly excludes from this category “publicly available information,” while Alternative B does not. However, given the definitions of “nonpublic personal information” and “publicly available information” in Alternative B, the result is that any of the three categories of personally identifiable financial information in Alternative B will exclude publicly available information from the personally identifiable financial information that is considered “nonpublic personal information.”

The examples clarify that the definition of “personally identifiable information” does not include a list of names and addresses of people who are customers of an entity that is not a financial institution. Thus, the names and addresses of people who subscribe, for instance, to a particular magazine fall outside the definition. If, however, a financial institution discloses those Start Printed Page 11179names and addresses as part of a list of the institution's customers, then the names and addresses become nonpublic personal information.

The Commission notes that there are other laws that may impose limitations on disclosures of nonpublic personal information in addition to those imposed by the G-L-B Act and this proposed Rule. For instance, the Fair Credit Reporting Act imposes conditions on the sharing of application information and credit report information between affiliates and nonaffiliated third parties.^[11] The recently proposed Department of Health and Human Services regulations ^[12] that implement the Health Insurance Portability and Accountability Act of 1996 would, if adopted in final, limit the circumstances under which medical information may be disclosed. There may be State laws that affect a financial institution's ability to disclose information. Thus, financial institutions will need to comply with relevant laws and monitor legislative and regulatory developments that affect the disclosure of consumer information.

The Commission seeks comment on whether further definition of “personally identifiable” would be helpful.

p. Publicly available information. The proposed Rule contains two versions of the definition of “publicly available information.” The definitions differ in that Alternative A does not treat information as publicly available unless it is obtained from one of the public sources listed in the proposed Rule. Alternative B, by contrast, treats information as publicly available if it could be obtained from one of the public sources listed in the rules, even if it was obtained from a source not listed in the definition. The Commission invites comment on which alternative is more appropriate.

The remaining parts of the two alternative versions are identical. Thus, under either alternative, the definition of “publicly available information” includes information from official public records, such as real estate recordations or security interest filings. It also includes information from widely distributed media (such as a telephone book, television or radio program, or newspaper) and information that is required to be disclosed to the general public by Federal, State, or local law (such as securities disclosure documents). The proposed Rule states that information obtained over the Internet will be considered publicly available information if the information is obtainable from a site available to the general public without requiring a password or similar restriction. The Commission invites comment on what information is appropriately considered publicly available, particularly in the context of information available over the Internet.

(q) You includes each “financial institution” (but excludes any “other person”) over which the Commission has enforcement jurisdiction pursuant to Section 505(a)(7) of the Act.

§ 313.4 Initial Notice to Customers and Consumers of Privacy Policies and Practices Required.

Initial notice required. The G-L-B Act requires a financial institution to provide an initial notice of its privacy policies and practices in two circumstances. For customers, the notice must be provided at the time of establishing a customer relationship. For consumers who do not become customers, the notice must be provided prior to disclosing nonpublic personal information about the consumer to a nonaffiliated third party. In addition, as discussed more fully in § 313.8(c) below, a revised notice must be provided to such consumers prior to disclosing nonpublic personal information to nonaffiliated third parties if a financial institution's policies or practices have changed and previous notices do not accurately describe the financial institution's policies or practices.

Paragraph (a) of proposed § 313.4 states the general rule regarding these notices. Pursuant to that paragraph, a financial institution must provide a clear and conspicuous notice (i.e., a notice that is reasonably understandable and designed to call attention to the nature and significance of the information it provides) that accurately reflects the institution's privacy policies and practices. Thus, a financial institution may not fail to maintain the protections that it represents in the notice that it will provide. The Commission expects that financial institutions will take appropriate measures to adhere to their stated privacy policies.

The proposed Rule does not prohibit affiliated institutions from using a common initial, annual, or opt out notice, so long as the notice is delivered in accordance with the Rule and is accurate for all recipients. Similarly, the Rule does not prohibit an institution from establishing different privacy policies and practices for different categories of consumers, customers, or products, so long as each customer or consumer receive a notice that is accurate with respect to him or her.

Notice to customers. The proposed Rule requires that a financial institution provide a privacy notice to the consumer prior to the time that it has established a customer relationship. Thus, the notices may be provided at the same time a financial institution is required to give other notices, such as those required by the Board's regulations implementing the Truth-in-Lending Act. (12 CFR § 226.6) This approach is intended to strike a balance between (1) ensuring that consumers will receive privacy notices at a meaningful point along the continuum of “establishing a customer relationship” and (2) minimizing unnecessary burdens on financial institutions that may result if a financial institution is required to provide a consumer with a series of notices at different times in a transaction. Nothing in the proposed Rule is intended to discourage a financial institution from providing an individual with a privacy notice at an earlier point in the relationship if the institution wishes to do so in order to make it easier for the consumer to compare its privacy policies and practices with those of other financial institutions in advance of conducting transactions.

Paragraph (c) of proposed § 313.4 identifies the time a customer relationship is established as the point at which a financial institution and a consumer enter into a continuing relationship. The examples that are provided after the statement of the general rule inform the reader that, for customer relationships that are contractual in nature (including, for example, loans), a customer relationship is established upon the execution by the consumer of the contract that is necessary to conduct the transaction in question. In the case of a credit card account, the customer relationship is established when the consumer opens the account. A consumer opens a credit card account when he or she becomes obligated on the account, such as when he or she makes the first purchase, receives the first advance, or becomes Start Printed Page 11180obligated for any fee or charge under the account other than an application fee or refundable membership fee. For transactions that may not involve a contract (including, for instance, providing investment advisory, loan brokerage, or tax preparation services), a customer relationship will be established when the consumer pays or agrees to pay a fee or commission for the service, and/or becomes a client of the business.

Notice to consumers. For consumers who do not establish a customer relationship, the initial notice may be provided at any point before the financial institution discloses nonpublic personal information to nonaffiliated third parties. An initial notice is not required, as provided in paragraph (b) of the proposed Rule, if the institution does not intend to disclose the information in question or intends to make only those disclosures that are authorized by one of the exceptions set out in §§ 313.10 and 313.11 of the proposed Rule.

How to provide notice. Paragraph (d) of proposed § 313.4 sets out the rules governing how financial institutions must provide the initial notices. The general rule requires that the initial notice be provided so that each recipient can reasonably be expected to receive actual notice. The Commission invites comment on whether, when there is more than one party to an account, there are instances where all parties to the account need not receive the notice.

The notice may be delivered in writing or, if the consumer agrees, electronically. Oral notices alone are insufficient. In the case of customers, the notice must be given in a way so that the customer may either retain it or access it at a later time. This requirement that the notice be given in a manner permitting access at a later time does not preclude a financial institution from changing its privacy policy. See proposed § 313.8(c), below. Rather, the Rule is intended only to require that a customer be able to access the most recently adopted privacy policy.

Examples of acceptable ways the notice may be delivered include hand-delivering a copy of the notice, mailing a copy to the consumer's last known address, or sending it via electronic mail to a consumer who obtains a financial product or service from the institution electronically. It would not be sufficient to provide only a posted copy of the notice in a lobby. Similarly, it would not be sufficient to provide the initial notice only on a Web page, unless the consumer is required to access that page to obtain the product or service in question. Electronic delivery generally should be in the form of electronic mail so as to ensure that a consumer actually receives the notice. In those circumstances where a consumer is in the process of conducting a transaction over the Internet, electronic delivery also may include posting on a Web page as described above. If a financial institution and consumer orally agree to enter into a contract for a financial product or service over the telephone, the institution may provide the consumer with the option of receiving the initial notice after providing the product or service so as not to delay the transaction. The Commission invites comment on the regulatory burden of providing the initial notices and on the methods financial institutions anticipate using to provide the notices.

The Commission recognizes that in some circumstances a customer does not have a choice as to the institution with which he or she has a customer relationship, such as when an institution purchases the customer's loan in the secondary market. In these situations, it may not be practicable for the institution to provide a notice prior to the time the customer relationship is established. The proposed Rule provides that if a financial institution purchases a loan or assumes a deposit liability from another financial institution or in the secondary market and the customer does not have a choice about the purchase or assumption, the acquiring financial institution may provide the initial notice within a reasonable time thereafter. The Commission invites comment on whether there are other similar situations for which an exception is necessary.

The Commission also recognizes that certain consumers may have requested that a financial institution not send statements, notices, or other communications to them, such as in certain private banking relationships. The Commission requests comment on whether and how the Rule should address these situations with respect to the notices required by this Rule. The Commission also requests comment on whether there are other situations where providing notice by mail is impracticable.

Section 313.5 Annual Notice to Customers of Privacy Policies and Practices Required

Section 503 of the G-L-B Act requires a financial institution to provide notices of its privacy policies and practices at least annually to its customers. The proposed Rule implements this requirement by requiring a clear and conspicuous notice that accurately reflects the privacy policies and practices then in effect to be provided at least once during any period of twelve consecutive months. The rules governing how to provide an initial notice also apply to annual notices.

Section 503(a) of the G-L-B Act requires that the annual notices be provided “during the continuation” of a customer relationship. To implement this requirement, the proposed Rule states that a financial institution is not required to provide annual notices to a customer with whom it no longer has a continuing relationship. The examples that follow this general rule provide guidance on when there no longer is a continuing relationship for purposes of the Rule. These include, for instance, loans that are paid in full or charged off, or accounts sold without retaining servicing rights.

There will be certain customer relationships (such as obtaining investment advice from a stock broker) that do not present a clear event after which there is no longer a customer relationship. The proposed Rule contains an example intended to cover these situations, stating that a relationship will no longer be deemed continuing for purposes of the proposed Rule if the financial institution has not communicated with a customer, other than providing an annual privacy policy notice, for a period of 12 consecutive months.

The Commission invites comment generally on whether the examples provided in proposed § 313.5 are adequate and on whether the proposed standard deeming an account relationship to have terminated after 12 months of no communication is appropriate. The Commission also invites comment on the regulatory burden of providing the annual notices and on the methods financial institutions anticipate using to provide the notices.

Section 313.6 Information to be Included in Initial and Annual Notices of Privacy Policies and Practices

Section 503 of the G-L-B Act identifies the items of information that must be included in a financial institution's initial and annual notices. Section 503(a) of the G-L-B Act sets out the general requirement that a financial institution must provide customers with a notice describing the institution's policies and practices with respect to, among other things, disclosing nonpublic personal information to affiliates and nonaffiliated third parties. Section 503(b) of the Act identifies Start Printed Page 11181certain elements that must be addressed in that notice.

The required content is the same for both the initial and annual notices of privacy policies and practices. While the information contained in the notices must be accurate as of the time the notices are provided, a financial institution may prepare its notices based on current and anticipated policies and practices.

The information to be included is as follows:

1. Categories of nonpublic personal information that a financial institution may collect. Section 503(b) requires a financial institution to inform its customers about the categories of nonpublic personal information that the institution collects. The proposed Rule implements this requirement in proposed § 313.6(a)(1) and provides an example of how to comply with this requirement that focuses the notice on the source of the information collected. As noted in the example, a financial institution will satisfy this requirement if it categorizes the information according to the sources, such as application information, transaction information, and credit report information. Financial institutions may provide more detail about the categories of information collected but are not required to do so by the proposed Rule.

2. Categories of nonpublic personal information that a financial institution may disclose. Section 503(a)(1) of the G-L-B Act requires the financial institution's initial and annual notice to provide information about the categories of nonpublic personal information that may be disclosed either to affiliates or nonaffiliated third parties.

The proposed Rule implements this requirement in proposed § 313.6(a)(2). The examples of how to comply with this rule focus on the content of the information to be disclosed. As stated in the relevant examples, a financial institution may satisfy this requirement by categorizing information according to source and providing illustrative examples of the content of the information. These categories might include application information (such as assets and income), identifying information (such as name, address, and social security number), transaction information (such as information about account activity, account balances, and purchases), and information from credit reports (such as credit history).

Financial institutions are free to provide more detailed information in the initial and annual notices if they choose to do so. Conversely, if a financial institution does not disclose, and does not intend to disclose, nonpublic personal information to affiliates or nonaffiliated third parties, its initial and annual notices may simply state this fact without further elaboration about categories of information disclosed.

3. Categories of affiliates and nonaffiliated third parties to whom a financial institution discloses nonpublic personal information. As previously noted, section 503(a) includes a general requirement that a financial institution provide a notice to its customers of the institution's policies and practices with respect to disclosing nonpublic personal information to affiliates and nonaffiliated third parties. Section 503(b) states that the notice required by section 503(a) shall include certain specified items. Among those is the requirement, set out in section 503(b)(1), that a financial institution inform its consumers about its policies and practices with respect to disclosing nonpublic personal information to nonaffiliated third parties. The Commission believes that, when read together, Sections 503(a) and 503(b) of the G-L-B Act require a financial institution's notice to address disclosures of nonpublic personal information to both affiliates and nonaffiliated third parties.

The proposed Rule implements this requirement in § 313.6(a)(3). The example illustrating how a financial institution may comply with the Rule states that a financial institution will adequately categorize the affiliates and nonaffiliated third parties to whom it discloses nonpublic personal information about consumers if it identifies the types of businesses in which they engage. Types of businesses may be described by general terms only if the financial institution provides illustrative examples of the significant lines of businesses of the recipient. The Commission's intent is that any illustrations must be reasonably designed to be meaningful to consumers. Proposed § 313.6 includes examples of general types of businesses and appropriate corresponding illustrative examples for each. Other appropriate examples include an institution that referred to “retail stores” and explained that this includes grocery stores and drug stores, or to “manufacturers of consumer products” and provided meaningful examples such as pharmaceutical products and children's toys.

The G-L-B Act does not require a financial institution to list the categories of persons to whom information may be disclosed pursuant to one of the exceptions set out in proposed §§ 313.10 and 313.11. The proposed Rule states that a financial institution is required only to inform customers that it makes disclosures as permitted by law to nonaffiliated third parties in addition to those described in the notice. The Commission invites comment on whether such a notice would be adequate.

If a financial institution does not disclose, and does not intend to disclose, nonpublic personal information to affiliates or nonaffiliated third parties, its initial and annual notices may simply state this fact without further elaboration about categories of third parties.

4. Information about former customers. Section 503(a)(2) of the Act requires the financial institution's initial and annual privacy notices to include the institution's policies and practices with respect to disclosing the nonpublic personal information of persons who have ceased to be customers of the institution. Section 503(b)(1)(B) requires that this information be provided with respect to information disclosed to nonaffiliated third parties.

The Commission has concluded that, when read together, Sections 503(a)(2) and 503(b)(1)(B) require a financial institution to include in the initial and annual notices the institution's policies and practices with respect to sharing information about former customers with all affiliates and nonaffiliated third parties. This requirement is set out in the proposed Rule at § 313.6(a)(4). This requirement does not require a financial institution to provide a notice and opportunity to opt out to a former customer before sharing nonpublic personal information about that former customer with an affiliate.

5. Information disclosed to service providers. Section 502(b)(2) of the G-L-B Act permits a financial institution to disclose nonpublic personal information about a consumer to a nonaffiliated third party for the purpose of the third party performing services for the institution, including marketing financial products or services under a joint agreement between the financial institution and at least one other financial institution. In this case, a consumer has no right to opt out. However, the financial institution must inform the consumer that it will be disclosing the information in question, unless the service falls within one of the exceptions listed in Section 502(e) of the Act.

Proposed § 313.6(a)(5) implements these provisions by requiring that, if a financial institution discloses nonpublic personal information to a nonaffiliated third party pursuant to the exception for service providers and joint marketing, Start Printed Page 11182the institution is to include in the initial and annual notices a separate description of the categories of information that are disclosed and the categories of third parties providing the services. However, proposed §§ 313.6(a)(3) and (a)(4) specify that no disclosure is required if a financial institution discloses nonpublic personal information to a nonaffiliated third party service provider pursuant to proposed §§ 313.10 or 313.11. A financial institution may comply with these requirements by providing the same level of detail in the notice as is required to satisfy the requirements in proposed §§ 313.6(a)(2) and (3).

6. Right to opt out. As previously noted, Sections 503(a)(1) and 503(b)(1) of the G-L-B Act require a financial institution to provide customers with a notice of its privacy policies and practices concerning, among other things, disclosing nonpublic personal information consistent with Section 502 of the Act.

Proposed § 313.6(a)(6) implements this requirement by requiring the initial and annual notices to explain the right to opt out of disclosures of nonpublic personal information to nonaffiliated third parties, including the methods available to exercise that right.

7. Disclosures made under the FCRA. Section 503(b)(4) of the G-L-B Act requires a financial institution's initial and annual notice to include the disclosures required, if any, under Section 603(d)(2)(A)(iii) of the FCRA. Section 603(d)(2)(A)(iii) excludes from the definition of “consumer report” the communication of certain consumer information among affiliated entities if the consumer is notified about the disclosure of such information and given an opportunity to opt out of that information sharing. The information that can be shared among affiliates under this provision includes, for instance, information from consumer reports and applications for financial products or services. In general, this information represents personal information provided directly by the consumer to the institution, such as income and social security number, in addition to information contained within credit bureau reports.

The proposed Rule implements Section 503(b)(4) of the G-L-B Act by including the requirement that a financial institution's initial and annual notice include any disclosures a financial institution is required to make under Section 603(d)(2)(A)(iii) of the FCRA.

8. Confidentiality, security, and integrity. Section 503(a)(3) of the G-L-B Act requires the initial and annual notices to provide information about a financial institution's policies and practices with respect to protecting the nonpublic personal information of consumers. Section 503(b)(3) of the Act requires the notices to include the policies that the institution maintains to protect the confidentiality and security of nonpublic personal information, in accordance with section 501 (which requires the Commission and the Agencies to establish standards governing the administrative, technical, and physical safeguards of customer information).

The proposed Rule implements these provisions by requiring a financial institution to include in the initial and annual notices the institution's policies and practices with respect to protecting the confidentiality, security, and integrity of nonpublic personal information. The relevant example in the proposed Rule states that a financial institution may comply with the requirement as it concerns confidentiality and security if the institution explains matters such as who has access to the information and the circumstances under which the information may be accessed. The information about integrity should focus on the measures the institution takes to protect against reasonably anticipated threats or hazards. The proposed Rule does not require a financial institution to provide technical or proprietary information about how it safeguards consumer information.

The Commission is in the process of preparing the section 501 standards, and will publish a separate notice of proposed rulemaking concerning them as soon as practicable.

§ 313.7 Limitation on Disclosure of Nonpublic Personal Information About Consumers to Nonaffiliated Third Parties

Section 502(a) of the G-L-B Act generally prohibits a financial institution from sharing nonpublic personal information about a consumer with a nonaffiliated third party unless the institution provides the consumer with a notice of the institution's privacy policies and practices. Section 502(b) further requires that the financial institution provide the consumer with a clear and conspicuous notice that the consumer's nonpublic personal information may be disclosed to nonaffiliated third parties, that the consumer be given an opportunity to opt out of that disclosure, and that the consumer be informed of how to opt out.

Section 313.7 of the proposed Rule implements these provisions. Paragraph (a)(1) of § 313.7 sets out the criteria that a financial institution must satisfy before disclosing nonpublic personal information to nonaffiliated third parties. As stated in the text of the proposed Rule, these criteria apply to direct and indirect disclosures through an affiliate. The Commission invites comment on how the right to opt out should apply in the case of joint accounts. Should, for instance, a financial institution require all parties to an account to opt out before the opt out becomes effective? If not, and only one of the parties opts out, should the opt out apply only to information about the party opting out or should it apply to all parties to the account?

Paragraph (a)(2) defines “opt out” in a way that incorporates the exceptions to the right to opt out stated in proposed §§ 313.9, 313.10, and 313.11.

The proposed Rule implements the requirement that a consumer be given an opportunity to opt out before information is disclosed by requiring that the opportunity be reasonable. The examples that follow the general rule provide guidance in situations involving notices that are mailed and notices that are provided in connection with isolated transactions. In the former case, a consumer will have a reasonable opportunity to opt out if the financial institution provides 30 days in which to opt out. In the latter case, an opportunity will be reasonable if the consumer must decide as part of the transaction whether to opt out before completing the transaction. The Commission invites comment on whether 30 days is a reasonable opportunity to opt out in the case of notices sent by mail, and on whether an example in the context of transactions conducted using an electronic medium would be helpful.

The requirement that a consumer have a reasonable opportunity to opt out does not mean that a consumer forfeits that right once the opportunity lapses. The consumer always has the right to opt out (as discussed further in proposed § 313.8, below). However, if an individual does not exercise that opt out right when first presented with an opportunity, the financial institution would be permitted to disclose nonpublic personal information to nonaffiliated third parties for some period of time necessary to implement the consumer's opt out direction.

Paragraph (b) of proposed § 313.7 clarifies that the right to opt out applies regardless of whether a consumer has established a customer relationship with a financial institution. As noted above, all customers are consumers under the proposed Rule. Thus, the fact that a Start Printed Page 11183consumer establishes a customer relationship with a financial institution does not change the institution's obligations to comply with the requirements of proposed § 313.7(a) before sharing nonpublic personal information about that consumer with nonaffiliated third parties. This also applies in the context of a consumer who had a customer relationship with a financial institution but then terminated that relationship. Paragraph (b) also clarifies that the consumer protections afforded by paragraph (a) of proposed § 313.7 apply to all nonpublic personal information collected by a financial institution, regardless of when collected. Thus, if a consumer elects to opt out of information sharing with nonaffiliated third parties, that election applies to all nonpublic personal information about that consumer in the financial institution's possession, regardless of when the information is obtained.

Paragraph (c) of proposed § 313.7 states that a financial institution may, but is not required to, provide consumers with the option of a partial opt out in addition to the opt out required by this section. This could enable a consumer to limit, for instance, the types of information disclosed to nonaffiliated third parties or the types of recipients of the nonpublic personal information about that consumer. If the partial opt out option is provided, a financial institution must state this option in a way that clearly informs the consumer about the choices available and consequences thereof.

Section 313.8 Form and Method of Providing Opt Out Notice to Consumer

Paragraph (a) of proposed § 313.8 requires that any opt out notice provided by a financial institution pursuant to proposed § 313.7 be clear and conspicuous and accurately explain the right to opt out. The notice must inform the consumer that the institution may disclose nonpublic personal information to nonaffiliated third parties, state that the consumer has a right to opt out, and provide the consumer with a reasonable means by which to opt out.

The examples that follow the general rule state that a financial institution will adequately provide notice of the right to opt out if it identifies the categories of information that may be disclosed and the categories of nonaffiliated third parties to whom the information may be disclosed and that the consumer may opt out of those disclosures. A financial institution that plans to disclose only limited types of information, or to only a specific type of nonaffiliated third party, may provide a correspondingly narrow notice to consumers. However, to minimize the number of opt out notices a financial institution must provide, the institution may wish to base its notices on current and anticipated information sharing plans. A new opt out notice is required if the financial institution discloses information to different types of nonaffiliated third parties, or discloses different types of information, unless the most recent opt out notice is sufficiently broad to cover the entities or information in question. Nor is a financial institution required to provide a subsequent opt-out notice when a consumer establishes a new type of customer relationship with that financial institution, unless the institution's opt out policies differ depending on the type of customer relationship.

The examples also suggest several ways in which a financial institution may provide reasonable means to opt out, including check-off boxes, reply forms, self-addressed stamped envelopes, toll-free phone numbers, and electronic mail addresses. A financial institution does not provide a reasonable means to opt out if the only means provided is for a consumer to write his or her own letter to the institution to exercise the right, although an institution may honor such a letter if received. The Commission invites comment on whether financial institutions should be required to accept opt outs through any means the institution has already established to communicate with consumers. For example, if a financial institution has established a toll free telephone number for its customer service department, should the institution be required to accept opt outs at that number? Similarly, if a financial institution has established a Web site, should it be required to accept opt outs at that site?

Paragraph (b) applies the same rules to delivery of the opt out notice that apply to delivery of the initial and annual notices. In addition, paragraph (b) clarifies that the opt out notice may be provided together with, or on the same form as, the initial and annual notices. However, if the opt out notice is provided after the initial notice, a financial institution must provide a copy of the initial notice along with the opt out notice. If a financial institution and consumer orally agree to enter into a customer relationship, the institution may provide the opt out notice within a reasonable time thereafter if the consumer agrees. The Commission invites comment on whether a more specific time by which the notice must be given would be appropriate.

Paragraph (c) sets out the rules governing a financial institution's obligations in the event the institution changes its disclosure policies. As stated in that paragraph, a financial institution may not disclose nonpublic personal information to a nonaffiliated third party unless the institution first provides a revised notice and new opportunity to opt out. The institution must wait a reasonable period of time before disclosing information according to the terms of the revised notice in order to afford the consumer a reasonable opportunity to opt out. A financial institution must provide the revised notice of its policies and practices and opt out notice to a consumer using the means permitted for providing the initial notice and opt out notice to that consumer under §§ 313.4(c) and 313.8(b), respectively, which require that the notices be given in a manner so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, in electronic form.

Paragraph (d) states that a consumer has the right to opt out at any time. The Commission considered whether to include a time limit by which financial institutions must effectuate a consumer's opt out election, but decided that the wide variety of practices of financial institutions made one limit inappropriate. Instead, the Commission's proposed Rule requires that the disclosures stop as soon as reasonably practicable. The Commission solicits comment on whether it would be more appropriate to require a specific time to implement these opt-outs.

Paragraph (e) states that an opt out will continue until a consumer revokes it. The proposed Rule requires that such revocation be in writing, or, if the consumer has agreed, electronically.

The Commission invites comment on the likely burden of complying with the requirement to provide opt out notices, the methods financial institutions anticipate using to deliver the opt out notices, and the approximate number of opt out notices they expect to deliver and process.

Section 313.9 Exception to opt out Requirements for Service Providers and Joint Marketing

Section 502(b) of the G-L-B Act creates an exception to the opt-out rules for the disclosure of information to a nonaffiliated third party for use by the third party to perform services for, or functions on behalf of, the financial institution, including the marketing of the financial institution's own products Start Printed Page 11184or services or financial products or services offered pursuant to a joint agreement between two or more financial institutions.^[13] A consumer will not have the right to opt out of disclosing nonpublic personal information about the consumer to nonaffiliated third parties under these circumstances, if the financial institution satisfies certain requirements.

First, the institution must, as stated in section 502(b), “fully disclose” to the consumer that it will provide this information to the nonaffiliated third party before the information is shared. This disclosure should be provided as part of the initial notice that is required by § 313.4. The Commission invites comment on whether the proposed Rule appropriately implements the “fully disclose” requirement in section 502(b)(2).

Second, the financial institution must enter into a contract with the third party that requires the third party to maintain the confidentiality of the information. This contract should be designed to ensure that the third party (a) will maintain the confidentiality of the information at least to the same extent as is required for the financial institution that discloses it, and (b) will use the information solely for the purposes for which the information is disclosed or as otherwise permitted by §§ 313.10 and 313.11 of the proposed Rule. The Commission invites comment on whether third party contractors should be permitted to use information received pursuant to proposed § 313.9 to improve credit scoring models or analyze marketing trends, as long as the third parties do not maintain the information in a way that would permit identification of a particular consumer.

Section 502(b)(2) of the G-L-B Act allows the Commission to impose requirements on the disclosure of information pursuant to the exception for service providers beyond those imposed in the statute. The Commission has not done so in the proposed Rule, but invites comment on whether additional requirements should be imposed, and, if so, what those requirements should address. The Commission also invites comments on any other requirements that would be appropriate to protect a consumer's financial privacy, and on whether the Rule should provide examples of the types of joint agreements that are covered.

Section 313.10 Exceptions for Processing and Servicing Transactions

Section 502(e) of the G-L-B Act creates exceptions to the requirements that apply to the disclosure of nonpublic personal information to nonaffiliated third parties. Paragraph (1) of that section sets out certain exceptions for disclosures made, generally speaking, in connection with the administration, processing, servicing, and sale of a consumer's account.

Paragraph (a) of proposed § 313.10 sets out those exceptions, making only stylistic changes to the statutory text that are intended to make the exceptions easier to read. Paragraph (b) sets out the definition of “necessary to effect, administer, or enforce” that is contained in section 509(7) of the G-L-B Act, making only stylistic changes intended to clarify the definition.

The exceptions set out in proposed § 313.10, and the exceptions discussed in proposed § 313.11, below, do not affect a financial institution's obligation to provide initial notices of its privacy policies and practices prior to the time it establishes a customer relationship and annual notices thereafter. Those notices must be provided to all customers, regardless of whether the institution intends to disclose the nonpublic personal information.

Section 313.11 Other Exceptions to opt out Requirements

As noted above, section 502(e) contains several exceptions to the requirements that otherwise would apply to the disclosures of nonpublic personal information to nonaffiliated third parties. Proposed § 313.11 sets out those exceptions that are not made in connection with the administration, processing, servicing, and sale of a consumer's account, and makes stylistic changes intended to clarify the exceptions.

One of the exceptions stated in proposed § 313.11 is for disclosures made with the consent or at the direction of the consumer, provided the consumer has not revoked the consent. Following the list of exceptions is an example of consent in which a financial institution that has received an application from a consumer for a mortgage loan informs a nonaffiliated insurance company that the consumer has applied for a loan so that the insurance company can contact the person about homeowner's insurance. Consent in such a situation would enable the financial institution to make the disclosure to the third party without first providing the initial notice required by § 313.4 or the opt out notice required by § 313.7, but the disclosure must not exceed the purposes for which consent was given. The example also states that consent may be revoked by a consumer at any time by the consumer exercising the right to opt out of future disclosures. The Commission intends that a “consent” that was not clearly made by a consumer (for example, one in the form of a line buried in a document or a negative option not clearly explained to the consumer) would not provide an effective exception to the opt-out right. The Commission invites comment on whether specific safeguards should be added to the exception for consent in order to minimize the potential for consumer confusion. Such safeguards might include, for instance, a requirement that consent be written or that it be indicated on a separate signature line in a relevant document or on a distinct Web page, or that it may be effective for only a limited period of time.

Section 313.12 Limits on Redisclosure and Reuse of Information

Section 313.12 of the proposed Rule implements the Act's limitations on redisclosure and reuse of nonpublic personal information about consumers. Section 502(c) of the Act provides that a nonaffiliated third party that receives nonpublic personal information from a financial institution shall not, directly or indirectly through an affiliate, disclose the information to any person that is not affiliated with either the financial institution or the third party, unless the disclosure would be lawful if made directly by the financial institution. Paragraph (a)(1) sets out the Act's redisclosure limitation as it applies to a financial institution that receives information from another nonaffiliated financial institution. Paragraph (b)(1) mirrors the provisions of paragraph (a)(1), but applies the redisclosure limits to any nonaffiliated third party that receives nonpublic personal information from a financial institution.

The Act appears to place the institution that receives the information into the shoes of the institution that disclosed the information for purposes of determining whether redisclosures by the receiving institution are “lawful.” Thus, the Act appears to permit the receiving institution to redisclose the information only to: (1) An entity to whom the original transferring institution could disclose the information pursuant to one of the exceptions in § 313.9, 313.10, or 313.11; Start Printed Page 11185or (2) an entity to whom the original transferring institution could have disclosed the information as described under its notice of privacy policies and practices, unless the consumer has exercised the right to opt out of that disclosure. Because a consumer can exercise the right to opt out of a disclosure at any time, the Act may effectively preclude third parties that receive information to which the opt out right applies from redisclosing the information, except pursuant to one of the exceptions in §§ 313.9, 313.10, or 313.11. The Commission invites comment on whether the Rule should require a financial institution that discloses nonpublic personal information to a nonaffiliated third party to develop policies and procedures to ensure that the third party complies with the limits on redisclosure of that information.

Sections 502(b)(2) and 502(e) (as implemented by §§ 313.9, 313.10, and 313.11 of the proposed Rule) describe when a financial institution may disclose nonpublic personal information without providing the consumer with initial privacy notice and an opportunity to opt out, but those exceptions apply only when the information is used for the specific purposes set out in those sections. Paragraph (a)(2) of proposed § 313.12 clarifies this limitation on reuse as it applies to financial institutions. Paragraph (a)(2) provides that a financial institution may use nonpublic personal information about a consumer that it receives from a nonaffiliated financial institution in accordance with an exception under §§ 313.9, 313.10, or 313.11 only for the purpose of that exception. Paragraph (b)(2) applies the same limits on reuse to any nonaffiliated third party that receives nonpublic personal information from a financial institution. The Commission requests comment on whether proposed §§ 313.12(a)(2) and 313.12(b)(2) would restrict a nonaffiliated third party from using information obtained in accordance with the exceptions in §§ 313.9, 313.10, and 313.11 for purposes beyond the scope of those exceptions if the information is not used in a personally identifiable form. This might occur, for example, in the case of a credit scoring vendor using information to improve its scoring models.

The Commission invites comments on the meaning of the word “lawful” as that term is used in section 502(c). The Commission specifically solicits comment on whether it would be lawful for a nonaffiliated third party to disclose information pursuant to the exception provided in proposed § 313.9 of the Rule. Under that exception, a financial institution must comply with certain requirements before disclosing information to a nonaffiliated third party. Given that the statute and proposed Rule impose those requirements on the financial institution making the initial disclosure, the Commission invites comment on whether subsequent disclosures by the third party could satisfy the requirement that those disclosures be lawful when the financial institution is not party to the subsequent disclosure.

Section 313.13 Limits on Sharing of Account Number Information for Marketing Purposes

Section 502(d) of the G-L-B Act prohibits a financial institution from disclosing, other than to a consumer reporting agency, account numbers or similar form of access number or access code for a credit card account, deposit account, or transaction account of a consumer to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer. Proposed § 313.13 applies this statutory prohibition to disclosures made directly or indirectly by a financial institution.

The Commission notes that there is no exception in Title V, Subtitle A, to the flat prohibition established by section 502(d). The Statement of Managers contained in the Conference Report to S. 900 encourages the Commission and Agencies to adopt an exception to section 502(d) to permit disclosures of account numbers in limited instances. It states:

In exercising their authority under section 504(b) [which vests the Commission and Agencies with authority to grant exceptions to section 502(a)-(d) beyond those set out in the statute], the agencies and authorities described in section 504(a)(1) may consider it consistent with the purposes of this subtitle to permit the disclosure of customer account numbers or similar forms of access numbers or access codes in an encrypted, scrambled, or similarly coded form, where the disclosure is expressly authorized by the customer and is necessary to service or process a transaction expressly requested or authorized by the customer.

Managers' Statement at 18. The Commission has not proposed an exception to the prohibition of section 502(d) because of the risks associated with third parties' direct access to a consumer's account. The Commission seeks comment on whether an exception to the section 502(d) prohibition that permits third parties access to account numbers is appropriate, the circumstances under which an exception would be appropriate, and how such an exception should be formulated to provide consumers with adequate protection. The Commission also seeks comment on whether a flat prohibition as set out in section 502(d) might unintentionally disrupt certain routine practices, such as the disclosure of account numbers to a service provider who handles the preparation and distribution of monthly account statements for a financial institution coupled with a request by the institution that the service provider include marketing literature with the statement about a product. In addition, the Commission invites comment on whether a consumer ought to be able to consent to the disclosure of his or her account number, notwithstanding the general prohibition in section 502(d) and, if so, what standards should apply. The Commission also seeks comment on whether section 502(d) prohibits the disclosure by a financial institution to a marketing firm of encrypted account numbers if the financial institution does not provide the marketer the key to decrypt the number.

Section 313.14 Protection of Fair Credit Reporting Act

Section 506 makes several amendments to the FCRA to vest rulemaking authority in various agencies and to restore the Agencies' regular examination authority. Paragraph (c) of section 506 states that, except for the amendments noted regarding rulemaking authority, nothing in Title V, Subtitle A is to be construed to modify, limit, or supersede the operation of the FCRA, and no inference is to be drawn on the basis of the provisions of Title V, Subtitle A as to whether information is transaction or experience information under section 603 of the FCRA.

Proposed § 313.14 implements section 506(c) of the G-L-B Act by restating the statute, making only minor stylistic changes intended to make the Rule clearer.

Section 313.15 Relation to State Laws

Section 507 of the G-L-B Act states, in essence, that Subtitle A of Title V does not preempt any state law that provides greater protections than are provided by that Subtitle of the Act. Determinations of whether a State law or Subtitle A of Title V provides greater protections are to be made by the Commission after consultation with the agency that regulates either the party filing a complaint or the financial institution about whom the complaint was filed. Determinations of whether Start Printed Page 11186State or Federal law afford greater protections may be initiated by any interested party or on the Commission's own motion.

Proposed § 313.15 is substantively identical to section 507, noting that the proposed Rule (as opposed to the statute) does not preempt state laws that provide greater protection for consumers than does the Rule.

Section 313.16 Effective Date; Transition Rule

Section 510 of the G-L-B Act states that, as a general rule, the relevant provisions of Subtitle A of Title V take effect 6 months after the date on which rules are required to be prescribed. However, section 510(1) authorizes the Commission and the Agencies to prescribe a later date in the rules enacted pursuant to section 504.

Proposed § 313.16 states, in paragraph (a), an effective date of November 13, 2000. This assumes that a final Rule will be enacted within the time frame prescribed by section 504(a)(3). The Commission intends to provide at least six months following the adoption of a final Rule for financial institutions to bring their policies and procedures into compliance with the requirements of the final Rule. The Commission invites comment on whether six months following adoption of a final Rule is sufficient to enable financial institutions to comply with the Rule.

Paragraph (b) of proposed § 313.16 provides a transition rule for consumers who were customers as of the effective date of the Rule. Since those customer relationships already will have been established as of the Rule's effective date (thereby making it inappropriate to require a financial institution to provide those customers with a copy of the institution's initial notice at the time of establishing a customer relationship), the Rule requires instead that the initial notice be provided within 30 days of the effective date. The Commission invites comment on whether 30 days is enough time to permit a financial institution to deliver the required notices, bearing in mind that the G-L-B Act contemplates at least a six-month delayed effective date from the date the Rule is adopted.

If a financial institution intends to disclose nonpublic personal information about someone who was a consumer before the effective date, the institution must provide the notices required by §§ 313.4 and 313.7 and provide a reasonable opportunity to opt out before the effective date. If, in this instance, the institution already is disclosing information about such a consumer, it may continue to do so without interruption until the consumer opts out, in which case the institution must stop disclosing nonpublic personal information about that consumer to nonaffiliated third parties as soon as reasonably practicable.

Section C. Invitation to Comment

Before adopting this Rule as final, the Commission will give consideration to any written comments submitted to the Secretary of the Commission on or before March 31, 2000. Comments submitted will be available for public inspection in accordance with the Freedom of Information Act (5 U.S.C. 552) and Commission regulations, on normal business days between the hours of 8:30 a.m. and 5 p.m. at the Public Reference Section, Room 130, Federal Trade Commission, 600 Pennsylvania Avenue NW., Washington, DC 20580. Comments will also be posted on the Commission website; <www.ftc.gov>.

Section D. Communications by Outside Parties to Commissioners or Their Advisors

Written communications and summaries or transcripts of oral communications respecting the merits of this proceeding from any outside party to any Commissioner or Commissioner's advisor will be placed on the public record. See 16 CFR. § 1.26(b)(5) (1998).

Section E. Regulatory Flexibility Act

The Commission believes that the proposed Rule's requirements are expressly mandated by the G-L-B Act, and the Act's requirements account for most, if not all, of the economic impact of the proposed Rule. While the Commission believes that it could certify that the proposed Rule will not have a significant impact on a substantial number of small entities, the Commission has decided, nonetheless, to publish the following initial regulatory flexibility analysis pursuant to the Regulatory Flexibility Act, 5 U.S.C. 601-612, as amended, and request public comment on the impact on small businesses of its proposed Rule implementing the G-L-B Act.

Description of the Reasons That Action by the Agency is Being Considered

Section 504 of the G-L-B Act requires the Commission to promulgate this Rule not later than six months after the date of enactment of the Act, or May 12, 2000.

Succinct Statement of the Objectives of, and Legal Basis for, the Proposed Rule

To implement the disclosure requirements and restrictions on certain financial institutions' abilities to disclose nonpublic personal information about consumers to nonaffiliated third parties. The legal basis for the proposed Rule is Section 504 of the G-L-B Act.

Description of and, Where Feasible, an Estimate of the Number of Small Entities to Which the Proposed Rule Will Apply

In general, the Rule will apply to any financial institution subject to the Commission's jurisdiction that shares nonpublic personal information with nonaffiliated third parties or that establishes customer relationships with consumers. The definition of “financial institution” includes any institution the business of which is engaging in a financial activity, as defined under Section 4(k) of the Bank Holding Company Act, which incorporates by reference the activities listed in 12 CFR 225.28 and 12 CFR 211.5(d). (G-L-B Act § 509(3)(A).) A precise estimate of the number of small entities that are financial institutions within the meaning of the proposed Rule is not currently feasible. In addition, of those small entities that are financial institutions, there is no way to precisely estimate the number that share consumers' nonpublic personal information with nonaffiliated third parties or that establish customer relationships with consumers. The Commission seeks any information or comment on these issues, as noted below.

Description of the Projected Reporting, Recordkeeping and Other Compliance Requirements of the Proposed Rule, Including an Estimate of the Classes of Small Entities That Will be Subject to the Requirement and the Type of Professional Skills Necessary for Preparation of the Report or Record

The statute and proposed Rule do not directly impose any “reporting” or “recordkeeping” requirements on financial institutions within the meaning of the Paperwork Reduction Act, but would require that financial institutions, in specified circumstances, make certain third party disclosures to the public. These disclosures include: notice of the financial institution's privacy policy to consumers at the time of establishing a customer relationship with a consumer (Proposed Rule § 313.4); annual notice of the financial institution's privacy policy to those consumers with whom it continues to have a customer relationship (Proposed Rule § 313.5); notice to consumers, regardless of whether a customer relationship has been established, of a financial institution's privacy policy and notice and opportunity to opt-out Start Printed Page 11187prior to the financial institution's sharing of a consumer's nonpublic personal information with nonaffiliated third parties (Proposed Rule § 313.8(a)); and notice to customers of any changes that the financial institution makes in its policies concerning sharing nonpublic personal information with nonaffiliated third parties (Proposed Rule § 313.8(c)). The Commission is seeking clearance from the Office of Management and Budget (“OMB”) for these requirements and the Commission's Supporting Statement submitted as part of that process will be made available on the public record of this rulemaking.

Because the proposed Rule does not directly mandate “reporting” or “recordkeeping” within the meaning of the Paperwork Reduction Act, the Rule does not require professional skills for the preparation of “reports” or “records” under the Act. The disclosures and other burdens referenced above likely will require some amount of managerial and/or professional (including attorney), clerical, and in some instances, skilled technical time to develop and disseminate the required disclosures. For purposes of its Supporting Statement to OMB under the Paperwork Reduction Act, the Commission estimated that the average yearly burden over the three-year period of clearance is 4.03 million hours and $87.3 million. The Commission, as noted below, seeks further comment on the costs and burdens of small entities in complying with the requirements of the proposed Rule.

Identification, to the Extent Practicable, of all Relevant Federal Rules That May Duplicate, Overlap or Conflict With the Proposed Rule

While the scope of the proposed Rule is unique, there may be some overlap in certain circumstances with other Federal laws. Because there is a relationship between the proposed requirements and the notice requirements under the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. 1681-1681u, the proposed Rule requires that the financial institution's initial and annual notices shall also include any disclosure that it is required to make under the FCRA. (Rule § 313.6(a)(7).) Also, at the time a consumer contracts for an electronic fund transfer service, the Electronic Funds Transfer Act requires the terms and conditions of such transfer to be disclosed, including under what circumstances the entity will in the ordinary course of business disclose information concerning the consumer's account to third persons. Finally, the Children's Online Privacy Protection Act generally requires online service operators collecting personal information from a child to obtain parental consent and post a privacy notice on the Website. As noted below, the Commission seeks comment and information on any other rules that may be duplicative, overlapping, or in conflict with this proposed rule.

Description of any significant alternatives to the proposed Rule that accomplish the stated objectives of applicable statutes and that minimize any significant economic impact of the proposed Rule on small entities, including alternatives considered, such as: (1) Establishment of differing compliance or reporting requirements or timetables that take into account resources available to small entities; (2) clarification, consolidation, or simplification of compliance and reporting requirements under the rule for such small entities; (3) use of performance rather than design standards; (4) any exemption from coverage of the rule, or any part thereof, for such small entities. In drafting the proposed Rule, the Commission has made every effort to avoid unduly burdensome requirements for financial institutions of all sizes. In a number of respects the proposed Rule is flexible and allows financial institutions to select methods of compliance that are reasonable, taking into account the financial institution's business practices and capabilities.

For example, financial institutions that are required to provide disclosures to consumers must provide the notice so that the consumer can reasonably be expected to actually receive it. (Proposed Rule § 313.4(d).) The proposed Rule allows the financial institutions to choose a delivery method that imposes the least burden on the financial institution while also complying with the statutory mandate that the consumer be provided with the appropriate disclosures. Regarding the law's clear and conspicuous requirements, the proposed Rule does not mandate the use of any particular technique for making the notices clear and conspicuous, but instead allows each financial institution the flexibility to decide for itself how best to comply with this requirement. (Proposed Rule § 313.4(b).) In addition, the proposed Rule requires that a financial institution provide the opportunity to opt-out directly to a consumer but provides alternate means of providing that notice—a small entity, or any entity, can choose a means that is reasonable taking into account its circumstances. (Proposed Rule § 313.8(b).) No recordkeeping requirement has been included in the proposed Rule. Thus, no entity, regardless of size, is unnecessarily burdened by recordkeeping requirements.

The Commission has made every effort to minimize the burden on small entities—and all entities—and to be reasonable in its rulemaking. To that end, the Commission has clarified the breadth of the statutory term “financial institution” to include an institution significantly engaged in a financial activity. (Proposed Rule § 313.3(j).) The effect of this definition is twofold: it encompasses and subjects to its requirements those institutions that are not solely in the business of a financial activity but that are significantly engaged in such an activity as part of their business; and excludes from coverage those entities, large or small, that may engage in financial activities as some small, insignificant portion of their business.

The proposed Rule also provides for a streamlined version of the content of an institution's privacy policy for any entity that does not share nonpublic personal information with third parties. (Proposed Rule § 313.4(b).) Thus, entities of any size that do not share information are not unduly burdened. Moreover, those financial institutions, regardless of size, that engage in only one-time isolated transactions with consumers are not required to provide a privacy policy to consumers unless they intend to share the consumer's nonpublic personal information with a nonaffiliated third party. (Proposed Rule § 313.4(b).)

Questions for Comment To Assist Regulatory Flexibility Analysis

1. Please provide information or comment on the number and type of small entities affected by the proposed Rule. Include in your comments the number of small entities that share consumers' nonpublic personal information with nonaffiliated third parties or that establish customer relationships with consumers.

2. Please provide comment on any or all of the provisions in the proposed Rule with regard to (a) the impact of the provision(s) (including any benefits and costs), if any, the Commission should consider, as well as the costs and benefits of those alternatives, paying specific attention to the effect of the Rule on small entities in light of the above analysis. Costs to implement and comply with the Rule include expenditures of time and money for: any employee training; attorney or other Start Printed Page 11188professional time; preparing relevant materials; and processing materials.

3. Please describe ways in which the Rule could be modified to reduce any costs or burdens for small entities consistent with the G-L-B Act's mandated requirements.

4. Please provide any information quantifying the economic benefits to financial institutions of sharing consumers' nonpublic personal information.

5. Please identify all relevant Federal, state or local rules that may duplicate, overlap or conflict with the proposed Rule. In addition, please identify any industry rules or policies that require financial institutions to implement business practices (e.g., disclosure of privacy policy and right to opt-out, etc.) that would already comply with the requirements of the Commission's proposed Rule.

Section F. Paperwork Reduction Act

The Commission has submitted this proposed Rule to the Office of Management and Budget for review under the Paperwork Reduction Act (“PRA”) (44 U.S.C. 3501-3517). As required by the G-L-B Act, the proposed Rule specifies disclosure requirements for financial institutions subject to the Commission's jurisdiction that are subject to the requirements of PRA. The required disclosures include: (1) Initial notice of the financial institution's privacy policy at the time it establishes a customer relationship with a consumer and/or prior to its sharing a consumer's nonpublic personal information with nonaffiliated third parties; (2) notice of the consumer's right to opt-out of information sharing with nonaffiliated third parties; (3) annual notice of the financial institution's privacy policy to any continuing customer; and (4) notice to consumers when the financial institution changes its practices on information sharing with nonaffiliated third parties. Although the proposed Rule's disclosure requirements are expressly required by the G-L-B Act, the Commission has adopted a performance standard to provide flexibility in implementing the requirements.

The Commission has estimated the paperwork burden of the proposed Rule for financial institutions that are subject to the Commission's jurisdiction, based on staff's knowledge of the financial services industry. Under Section 505(a)(7) of the G-L-B Act, the Commission has jurisdiction over an estimated 100,000 businesses that are not subject to the jurisdiction of one of the other agencies responsible for enforcing the G-L-B Act. FTC staff considered many variables affecting the broad spectrum of covered businesses. Some covered businesses may already make the required disclosures in the ordinary course of business. Some may use highly automated means of providing the required disclosures. Others may use low-technology means. The burden estimate also acknowledges that significant start-up burden and attendant costs, such as for determining compliance obligations and developing necessary privacy policies, will be born in the first year that the Rule takes effect. The paperwork burden in subsequent years will be significantly lower. Factoring in start-up costs, the Commission has estimated that the average annual burden during the three year period for which OMB clearance is sought will be 4.03 million burden hours. The estimated annual labor cost associated with these paperwork burdens is $87.3 million. The estimate is also based on the determination that the time required for consumers to respond affirmatively to financial institutions' opt-out notices (be it manually or electronically) will be minimal.

The Commission invites comment that will enable it to:

1. Evaluate whether the proposed collections of information are necessary for the proper performance of the functions of the Commission, including whether the information will have practical utility;

2. Evaluate the accuracy of the Commission's estimate of the burden of the proposed collections of information, including the validity of the methodology and assumptions used;

3. Enhance the quality, utility, and clarity of the information to be collected; and

4. Minimize the burden of the collections of information on those who are to respond, including through the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology.

Section G. Questions Concerning Comprehensibility of the Rule

The Commission invites your comments on how to make this proposed Rule easier to understand. For example:

• Have we organized the material to suit your needs? If not, how could the material be better organized?
• Are the requirements in the Rule clearly stated? If not, how could the Rule be more clearly stated?
• Does the Rule contain technical language or jargon that is not clear? If not, which language requires clarification?
• Would a different format (grouping and order of sections, use of headings, paragraphing) make the Rule easier to understand? If so, what changes to the format would make the Rule easier to understand?
• Would more (but shorter) sections be better? Which ones?
• What else could we do to make the Rule easier to understand?

Section H. Proposed Rule

List of Subjects in 16 CFR Part 313

• Consumer protection
• Credit
• Data protection
• Privacy
• Trade practices

Accordingly, the Commission proposes to amend 16 CFR Ch. I, Subchapter C, by adding a new Part 313 to read as follows:

PART 313—PRIVACY OF CONSUMER FINANCIAL INFORMATION

Authority: 15 U.S.C. 6804(a).

Footnotes