Interagency Proposal for Model Privacy Form Under the Gramm-Leach-Bliley Act, 14940-15000 [07-1476]

Agencies

• FEDERAL DEPOSIT INSURANCE CORPORATION
• FEDERAL RESERVE SYSTEM
• FEDERAL TRADE COMMISSION
• National Credit Union Administration
• SECURITIES AND EXCHANGE COMMISSION
• Office of the Comptroller of the Currency
• DEPARTMENT OF THE TREASURY
• Office of Thrift Supervision
• Commodity Futures Trading Commission

[Federal Register Volume 72, Number 60 (Thursday, March 29, 2007)]
[Proposed Rules]
[Pages 14940-15000]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 07-1476]



[[Page 14939]]

-----------------------------------------------------------------------


Part III

Department of the Treasury



Office of the Comptroller of the Currency



12 CFR Part 40



-----------------------------------------------------------------------



Office of Thrift Supervision

12 CFR Part 573



-----------------------------------------------------------------------
Federal Reserve System

12 CFR Part 216



-----------------------------------------------------------------------
Federal Deposit Insurance Corporation

12 CFR Part 332



-----------------------------------------------------------------------
National Credit Union Administration

12 CFR Part 716



-----------------------------------------------------------------------
Federal Trade Commission

16 CFR Part 313



-----------------------------------------------------------------------
Commodity Futures Trading Commission

17 CFR Part 160



-----------------------------------------------------------------------
Securities and Exchange Commission

17 CFR Part 248



-----------------------------------------------------------------------



Interagency Proposal for Model Privacy Form Under the Gramm-Leach-
Bliley Act; Proposed Rule

Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / 
Proposed Rules

[[Page 14940]]


-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Part 40

[Docket ID OCC-2007-0003]
RIN 1557-AC80

FEDERAL RESERVE SYSTEM

12 CFR Part 216

[Docket No. R-1280]

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Part 332

RIN 3064-AD16

DEPARTMENT OF THE TREASURY

Office of Thrift Supervision

12 CFR Part 573

[Docket ID OTS-2007-0005]
RIN 1550-AC12

NATIONAL CREDIT UNION ADMINISTRATION

12 CFR Part 716

RIN 3133-AC84

FEDERAL TRADE COMMISSION

16 CFR Part 313

[Project No. 034815]
RIN 3084-AA94

COMMODITY FUTURES TRADING COMMISSION

17 CFR Part 160

RIN 3038-AC04

SECURITIES AND EXCHANGE COMMISSION

17 CFR Part 248

[Release Nos. 34-55497, IA-2598, IC-27755; File No. S7-09-07]
RIN 3235-AJO6


Interagency Proposal for Model Privacy Form Under the Gramm-
Leach-Bliley Act

AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC); 
Board of Governors of the Federal Reserve System (Board); Federal 
Deposit Insurance Corporation (FDIC); Office of Thrift Supervision, 
Treasury (OTS); National Credit Union Administration (NCUA); Federal 
Trade Commission (FTC); Commodity Futures Trading Commission (CFTC); 
and Securities and Exchange Commission (SEC).

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: The OCC, Board, FDIC, OTS, NCUA, FTC, CFTC, and SEC (the 
Agencies) are proposing amendments to their rules that implement the 
privacy provisions of the Gramm-Leach-Bliley Act (GLB Act), Title V, 
Subtitle A. These rules require financial institutions to provide 
initial and annual privacy notices to their customers. As required 
under section 728 of the Financial Services Regulatory Relief Act of 
2006 (Regulatory Relief Act or Act), the Agencies are proposing a safe 
harbor model privacy form that financial institutions may use to 
provide disclosures under the privacy rules. Institutions that use 
notices based on the Sample Clauses currently contained in most of the 
privacy rules would lose the benefit of a safe harbor for compliance 
with respect to those notices if they are provided more than one year 
following the date of publication of a final rule. Similarly, 
institutions that use notices based on the Sample Clauses in the SEC's 
privacy rule could no longer rely on the guidance provided with respect 
to those notices if they are provided more than one year following the 
date of publication of a final rule.

DATES: Comments must be submitted on or before May 29, 2007.
    For information regarding the effective dates of the provisions 
proposed in this document, see the discussion under ``Proposed 
Effective Dates'' in the SUPPLEMENTARY INFORMATION section.

ADDRESSES: Because the Agencies will jointly review all of the comments 
submitted, interested parties may send comments to any of the Agencies 
and need not send comments (or copies) to all of the Agencies. 
Commenters are encouraged to use the title ``Model Privacy Form'' to 
facilitate the organization and distribution of comments among the 
Agencies. Interested parties are invited to submit written comments to:
    Office of the Comptroller of the Currency: You may submit comments 
by any of the following methods:
     Federal eRulemaking Portal--``Regulations.gov'': Go to 
https://www.regulations.gov, select ``Comptroller of the Currency'' from 
the agency drop-down menu, then click ``Submit.'' In the ``Docket ID'' 
column, select ``OCC-2007-0003'' to submit or view public comments and 
to view supporting and related materials for this notice of proposed 
rulemaking. The ``User Tips'' link at the top of the Regulations.gov 
home page provides information on using Regulations.gov, including 
instructions for submitting or viewing public comments, viewing other 
supporting and related materials, and viewing the docket after the 
close of the comment period.
     Mail: Office of the Comptroller of the Currency, 250 E 
Street, SW., Mail Stop 1-5, Washington, DC 20219.
     Hand Delivery/Courier: 250 E Street, SW., Attn: Public 
Information Room, Mail Stop 1-5, Washington, DC 20219.
    Instructions: You must include ``OCC'' as the agency name and 
``Docket Number OCC-2007-0003'' in your comment. In general, OCC will 
enter all comments received into the docket and publish them on 
Regulations.gov without change, including any business or personal 
information that you provide such as name and address information, e-
mail addresses, or phone numbers. Comments, including attachments and 
other supporting materials, received are part of the public record and 
subject to public disclosure. Do not enclose any information in your 
comment or supporting materials that you consider confidential or 
inappropriate for public disclosure.
    You may review comments and other related materials by any of the 
following methods:
     Viewing Comments Electronically: Go to https://
www.regulations.gov, select ``Comptroller of the Currency'' from the 
agency drop-down menu, then click ``Submit.'' In the ``Docket ID'' 
column, select ``OCC-2007-0003'' to view public comments for this 
notice of proposed rulemaking.
     Viewing Comments Personally: You may personally inspect 
and photocopy comments at the OCC's Public Information Room, 250 E 
Street, SW., Washington, DC. You can make an appointment to inspect 
comments by calling (202) 874-5043.
     Docket: You may also view or request available background 
documents and project summaries using the methods described above.
    Board of Governors of the Federal Reserve System: You may submit 
comments, identified by Docket No. R-1280, by any of the following 
methods:
     Agency Web Site: https://www.federalreserve.gov. Follow the 
instructions for submitting comments at https://www.federalreserve.gov/
generalinfo/foia/ProposedRegs.cfm.

[[Page 14941]]

     Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions for submitting comments.
     E-mail: regs.comments@federalreserve.gov. Include docket 
number in the subject line of the message.
     Fax: 202/452-3819 or 202/452-3102.
     Mail: Jennifer J. Johnson, Secretary, Board of Governors 
of the Federal Reserve System, 20th Street and Constitution Avenue, 
NW., Washington, DC 20551.
    All public comments are available from the Board's Web site at 
https://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as 
submitted, unless modified for technical reasons. Accordingly, your 
comments will not be edited to remove any identifying or contact 
information. Public comments may also be viewed electronically or in 
paper in Room MP-500 of the Board's Martin Building (20th and C 
Streets, NW.,) between 9 a.m. and 5 p.m. on weekdays.
    FDIC: You may submit comments by any of the following methods:
    Agency Web Site: https://www.fdic.gov/regulations/laws/federal. 
Follow instructions for submitting comments on the Agency Web Site.
    E-mail: Comments@FDIC.gov. Include ``Model Privacy Form'' in the 
subject line of the message.
    Mail: Robert E. Feldman, Executive Secretary, Attention: Comments, 
Federal Deposit Insurance Corporation, 550 17th Street, NW., 
Washington, DC 20429.
    Hand Delivery/Courier: Guard station at the rear of the 550 17th 
Street Building (located on F Street) on business days between 7 a.m. 
and 5 p.m. (EST).
    Federal eRulemaking Portal: https://www.regulations.gov. Follow the 
instructions for submitting comments.
    Public Inspection: All comments received will be posted without 
change to https://www.fdic.gov/regulations/laws/federal including any 
personal information provided. Comments may be inspected and 
photocopied in the FDIC Public Information Center, 3501 North Fairfax 
Drive, Room E-1002, Arlington, VA 22226, between 9 a.m. and 5 p.m. 
(EST) on business days. Paper copies of public comments may be ordered 
from the Public Information Center by telephone at (877) 275-3342 or 
(703) 562-2200.
    Office of Thrift Supervision: You may submit comments, identified 
by OTS-2007-0005, by any of the following methods:
     Federal eRulemaking Portal: Go to https://
www.regulations.gov, select ``Office of Thrift Supervision'' from the 
agency drop-down menu, then click submit. Select Docket ID ``OTS-2007-
0005'' to submit or view public comments and to view supporting and 
related materials for this notice of proposed rulemaking. The ``User 
Tips'' link at the top of the page provides information on using 
Regulations.gov, including instructions for submitting or viewing 
public comments, viewing other supporting and related materials, and 
viewing the docket after the close of the comment period.
     Mail: Regulation Comments, Chief Counsel's Office, Office 
of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552, 
Attention: OTS-2007-0005.
     Hand Delivery/Courier: Guard's Desk, East Lobby Entrance, 
1700 G Street, NW., from 9 a.m. to 4 p.m. on business days, Attention: 
Regulation Comments, Chief Counsel's Office, Attention: OTS-2007-0005.
    Instructions: All submissions received must include the agency name 
and docket number for this rulemaking. All comments received will be 
entered into the docket and posted on Regulations.gov without change, 
including any personal information provided. Comments, including 
attachments and other supporting materials received are part of the 
public record and subject to public disclosure. Do not enclose any 
information in your comment or supporting materials that you consider 
confidential or inappropriate for public disclosure.
    Viewing Comments Electronically: Go to https://www.regulations.gov, 
select ``Office of Thrift Supervision'' from the agency drop-down menu, 
then click ``Submit.'' Select Docket ID ``OTS-2007-0005'' to view 
public comments for this notice of proposed rulemaking.
    Viewing Comments On-Site: You may inspect comments at the Public 
Reading Room, 1700 G Street, NW., by appointment. To make an 
appointment for access, call (202) 906-5922, send an e-mail to 
public.info@ots.treas.gov, or send a facsimile transmission to (202) 
906-6518. (Prior notice identifying the materials you will be 
requesting will assist us in serving you.) We schedule appointments on 
business days between 10 a.m. and 4 p.m. In most cases, appointments 
will be available the next business day following the date we receive a 
request.
    National Credit Union Administration: Comments should be directed 
to Mary Rupp, Secretary of the Board. You may submit comments by any of 
the following methods (Please send comments by one method only):
     Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions for submitting comments.
     NCUA Web Site: https://www.ncua.gov/news/proposed_regs/
proposed_regs.html. Follow the instructions for submitting comments.
     E-mail: Address to regcomments@ncua.gov. Include ``[Your 
name] Comments on Proposed Rule Part 716 (Model Form for Privacy 
Notice)'' in the e-mail subject line.
     Fax: (703) 518-6319. Use the subject line described above 
for e-mail.
     Mail: Address to Mary Rupp, Secretary of the Board, 
National Credit Union Administration, 1775 Duke Street, Alexandria, 
Virginia 22314-3428.
     Hand Delivery/Courier: Same as mail address.
    Federal Trade Commission: All persons are invited to submit written 
comments. Comments should refer to ``Model Privacy Form, FTC File No. 
P034815'' to facilitate the organization of comments. Comments filed in 
paper form should include this reference both in the text and on the 
envelope, and should be mailed or delivered to: Federal Trade 
Commission/Office of the Secretary, Room 135 (Annex C), 600 
Pennsylvania Avenue, NW., Washington, DC 20580. Because paper mail in 
the Washington area and at the Commission is subject to delay, please 
consider submitting your comments in electronic form, as prescribed 
below. If the comment contains any material for which confidential 
treatment is requested, it must be filed in paper (rather than 
electronic) form, and the first page of the document must be clearly 
labeled ``Confidential.'' \1\ The FTC is requesting that any comment 
filed in paper form be sent by courier or overnight service, if 
possible.
---------------------------------------------------------------------------

    \1\ Commission Rule 4.2(d), 16 CFR 4.2(d). The comment must also 
be accompanied by an explicit request for confidential treatment, 
including the factual and legal basis for the request, and must 
identify the specific portions of the comment to be withheld from 
the public record. The request will be granted or denied by the 
Commission's General Counsel, consistent with applicable law and the 
public interest. See Commission Rule 4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------

    Comments filed in electronic form should be submitted by using the 
following Web link: https://secure.commentworks.com/ftc-modelform (and 
following the instructions on the Web-based form). To ensure that the 
Commission considers an electronic comment, you must file it on the 
Web-based form at the Web link https://secure.commentworks.com/ftc-
modelform. If this notice appears at www.regulations.gov, you may also 
file an electronic comment through that

[[Page 14942]]

Web site. The Commission will consider all comments that 
www.regulations.gov forwards to it.\2\ The FTC Act and other laws the 
Commission administers permit the collection of public comments to 
consider and use in this proceeding as appropriate. All timely and 
responsive public comments with all required fields completed, whether 
filed in paper or electronic form, will be considered by the 
Commission, and will be available to the public on the FTC Web site, to 
the extent practicable, at https://www.ftc.gov. As a matter of 
discretion, the Commission makes every effort to remove home contact 
information for individuals it receives from the public comments before 
placing those comments on the FTC Web site. More information, including 
routine uses permitted by the Privacy Act, may be found in the FTC's 
privacy policy, at https://www.ftc.gov/ftc/privacy.htm.
---------------------------------------------------------------------------

    \2\ An electronic comment can be filed by (1) clicking on http:/
/www.regulations.gov; (2) selecting ``Federal Trade Commission'' at 
``Search for Open Regulations;'' (3) locating the summary of this 
notice; (4) clicking on ``Submit a Comment on this Regulation;'' and 
(5) completing the form. For a given electronic comment, any 
information placed in the following fields--``Title,'' ``First 
Name,'' ``Last Name,'' ``Organization Name,'' ``State,'' 
``Comment,'' and ``Attachment''--will be publicly available on the 
FTC Web site. The fields marked with an asterisk on the form are 
required in order for the FTC to fully consider a particular 
comment. Commenters may choose not to fill in one or more of these 
fields, but if they do so, their comments may not be considered.
---------------------------------------------------------------------------

    Commodity Futures Trading Commission: Comments should be directed 
to Eileen Donovan, Acting Secretary of the Commission, Commodity 
Futures Trading Commission, Three Lafayette Centre, 1155 21st Street, 
NW., Washington, DC 20581. Comments may be sent by facsimile 
transmission to (202) 418-5528 or by e-mail to secretary@cftc.gov.
    Securities and Exchange Commission: Comments may be submitted by 
any of the following methods:

Electronic Comments

     Use the Commission's Internet comment form (https://
www.sec.gov/rules/proposed.shtml); or
     Send an e-mail to rule-comments@sec.gov. Please include 
File Number S7-09-07 and ``Model Privacy Form'' on the subject line; or
     Use the Federal eRulemaking Portal (https://
www.regulations.gov). Follow the instructions for submitting comments.

Paper Comments

     Send paper comments in triplicate to Nancy M. Morris, 
Secretary, Securities and Exchange Commission, 100 F Street, NE., 
Washington, DC 20549-1090.

All submissions should refer to File Number S7-09-07 and ``Model 
Privacy Form.'' This file number should be included on the subject line 
if e-mail is used. To help us process and review your comments more 
efficiently, please use only one method. The Commission will post all 
comments on the Commission's Internet Web site (https://www.sec.gov/
rules/proposed.shtml). Comments are also available for public 
inspection and copying in the Commission's Public Reference Room, 100 F 
Street, NE., Washington, DC 20549. All comments received will be posted 
without change; we do not edit personal identifying information from 
submissions. You should submit only information that you wish to make 
available publicly.

FOR FURTHER INFORMATION CONTACT: OCC: Amy Friend, Assistant Chief 
Counsel, (202) 874-5200; Heidi Thomas, Special Counsel, Jonathan 
Mitchell, Attorney, Legislative and Regulatory Activities Division, 
(202) 874-5090; David H. Nebhut, Director, Policy Analysis, (202) 874-
5387; or Paul Utterback, NBE Compliance Specialist, (202) 874-4428, 
Office of the Comptroller of the Currency, 250 E Street, SW., 
Washington, DC 20219.
    Board: Adrianne Threatt, Counsel, Legal Division, (202) 452-3554; 
Jeanne Hogarth, Consumer Policies Program Manager, or Krista Ayoub, 
Senior Attorney, or Ky Tran-Trong, Counsel, Division of Consumer and 
Community Affairs, (202) 452-3667; or Michelle E. Shore, Federal 
Reserve Board Clearance Officer, (202) 452-3829 (for Paperwork 
Reduction Act questions only), Board of Governors of the Federal 
Reserve System, 20th Street and Constitution Avenue, NW., Washington, 
DC 20551.
    FDIC: David P. Lafleur, Senior Policy Analyst, Compliance Section, 
Division of Supervision and Consumer Protection, (202) 898-6569; or 
Ruth R. Amberg, Senior Counsel, (202) 898-3736, or Kimberly A. Stock, 
Attorney, (202) 898-3815, Legal Division; Federal Deposit Insurance 
Corporation, 550 17th Street, NW., Washington, DC 20429.
    OTS: Ekita Mitchell, Consumer Regulations Analyst, Examinations, 
Supervision, and Consumer Protection, (202) 906-6451; or Richard 
Bennett, Counsel, Regulations and Legislation Division, (202) 906-7409, 
1700 G Street, NW., Washington, DC 20552.
    NCUA: Regina Metz, Staff Attorney, (703) 518-6561, or Ross Kendall, 
Staff Attorney, Office of General Counsel, (703) 518-6562, National 
Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 
22314-3428.
    FTC: Loretta Garrison, Senior Attorney, Division of Privacy and 
Identity Protection, Bureau of Consumer Protection, (202) 326-3043, 
Federal Trade Commission, 600 Pennsylvania Avenue, NW., Stop NJ-3158, 
Washington, DC 20580.
    CFTC: Laura Richards, Senior Assistant General Counsel, (202) 418-
5126, or Gail B. Scott, Attorney, Office of General Counsel, (202) 418-
5139, Commodity Futures Trading Commission, Three Lafayette Centre, 
1155 21st Street, NW., Washington, DC 20581.
    SEC: Catherine McGuire, Chief Counsel, or Brice Prince, Special 
Counsel, Office of the Chief Counsel, Division of Market Regulation, 
(202) 551-5550; or Penelope Saltzman, Branch Chief, or Vincent Meehan, 
Senior Counsel, Office of Regulatory Policy, Division of Investment 
Management, (202) 551-6792, Securities and Exchange Commission, 100 F 
Street, NE., Washington, DC 20549.

SUPPLEMENTARY INFORMATION: The Agencies are proposing amendments to 
each of their rules (which are consistent and comparable) that 
implement the privacy provisions of the GLB Act: 12 CFR part 40 (OCC); 
12 CFR part 216 (Board); 12 CFR part 332 (FDIC); 12 CFR part 573 (OTS); 
12 CFR part 716 (NCUA); 16 CFR part 313 (FTC); 17 CFR part 160 (CFTC); 
and 17 CFR part 248 (SEC) (collectively, the ``privacy rule'').\3\
---------------------------------------------------------------------------

    \3\ Because each Agency's privacy rule has the same section 
numbers, relevant sections will be cited, for example, as ``section 
--.6'' unless otherwise noted.
---------------------------------------------------------------------------

I. Background

    The Regulatory Relief Act was enacted on October 13, 2006.\4\ 
Section 728 of the Act directs the Agencies to ``jointly develop a 
model form which may be used, at the option of the financial 
institution, for the provision of disclosures under [section 503 of the 
GLB Act].'' \5\ The Regulatory Relief Act stipulates that the model 
form shall be a safe harbor for financial institutions

[[Page 14943]]

that elect to use it. Section 728 further directs that the model form 
shall:
---------------------------------------------------------------------------

    \4\ Pub. L. 109-351 (Oct. 13, 2006), 120 Stat. 1966.
    \5\ Id., adding 15 U.S.C. 6803(e). Section 728 of the Regulatory 
Relief Act directs the agencies named in Section 504(a)(1) of the 
GLB Act, 15 U.S.C. 6804(a)(1), to develop a model form. The CFTC, 
which did not become subject to Title V of the GLB Act until 2000, 
is not named in that section. The Commodity Exchange Act (``CEA'') 
was amended in 2000 by the Commodity Futures Modernization Act of 
2000 to make the CFTC a ``federal functional regulator'' subject to 
the GLB Act Title V. See Section 5g of the CEA, 7 U.S.C. 7b-2. The 
CFTC interprets Section 728 of the Regulatory Relief Act as applying 
to it through Section 5g.
---------------------------------------------------------------------------

    (A) Be comprehensible to consumers, with a clear format and design;
    (B) Provide for clear and conspicuous disclosures;
    (C) Enable consumers easily to identify the sharing practices of a 
financial institution and to compare privacy practices among financial 
institutions; and
    (D) Be succinct, and use an easily readable type font.
    The Agencies are required to propose a model form for public 
comment by April 11, 2007.

A. The Gramm-Leach-Bliley Act Privacy Notices

    Subtitle A of title V of the GLB Act, captioned Disclosure of 
Nonpublic Personal Information,\6\ requires each financial institution 
to provide a notice of its privacy policies and practices to its 
customers who are consumers.\7\ In general, the privacy notices must 
describe a financial institution's policies and practices with respect 
to disclosing nonpublic personal information about a consumer to both 
affiliated and nonaffiliated third parties.\8\ The notices also must 
provide a consumer a reasonable opportunity to direct the institution 
generally not to share nonpublic personal information \9\ about the 
consumer (that is, to ``opt out'') with nonaffiliated third parties 
other than as permitted by the statute (for example, sharing for 
everyday business purposes, such as processing transactions and 
maintaining customers' accounts, and in response to properly executed 
governmental requests).\10\ The privacy notice must provide, where 
applicable under the Fair Credit Reporting Act (FCRA), a notice and an 
opportunity for a consumer to opt out of certain information sharing 
among affiliates.\11\
---------------------------------------------------------------------------

    \6\ Codified at 15 U.S.C. 6801-6809.
    \7\ 15 U.S.C. 6803(a). A ``customer'' means a consumer who has a 
``customer relationship with a financial institution.'' Privacy 
rule, section --.3(h), SEC section 248.3(j), CFTC section 160.3(k). 
A ``consumer'' is ``an individual who obtains, from a financial 
institution, financial products or services which are to be used 
primarily for personal, family, or household purposes, and also 
means the legal representative of such an individual.'' 15 U.S.C. 
6809(9); privacy rule, section --.3(e), SEC section 248.3(g)(1), 
CFTC section 160.3(h)(1).
    \8\ 15 U.S.C. 6803(a)-(c).
    \9\ 15 U.S.C. 6809(4). ``Nonpublic personal information'' is 
generally defined as personally identifiable financial information 
provided by a consumer to a financial institution, resulting from 
any transaction or any service performed for the consumer, or 
otherwise obtained by the financial institution. See privacy rule, 
sections --.3(n) and (o), SEC sections 248.3(t) and (u), CFTC 
sections 160.3(t) and (u).
    \10\ 15 U.S.C. 6802; privacy rule, sections --.14 and --.15.
    \11\ 15 U.S.C. 1681a(d)(2)(A)(iii) (FCRA); 15 U.S.C. 6803(c)(4) 
(GLB Act).
---------------------------------------------------------------------------

    The privacy rule requires a financial institution to provide a 
privacy notice to its customers no later than when a customer 
relationship is formed and annually for as long as the relationship 
continues. The notice must accurately reflect the institution's 
information collection and disclosure practices and must include 
specific information. Section --.6 of the privacy rule requires the 
privacy notice to include the following:
    (1) The categories of nonpublic personal information that the 
institution collects;
    (2) With respect to both current and former customers, the 
categories of nonpublic personal information that it discloses and the 
categories of affiliates and nonaffiliated third parties to whom it 
discloses such information other than as permitted by the exceptions in 
sections --.14 and --.15;
    (3) Where the institution relies on the exception in section --.13 
to share nonpublic personal information (pertaining to joint 
marketing), the categories of information disclosed, and the categories 
of third parties with which the institution has contracted;
    (4) Where applicable, an explanation of the consumer's right under 
section --.10(a) to opt out of the disclosure of nonpublic personal 
information to nonaffiliated third parties and the methods by which the 
consumer may opt out;
    (5) Disclosures made under section 603(d)(2)(A)(iii) of the FCRA 
(pertaining to the ability to opt out of certain sharing with 
affiliates) and the applicable opt-out notice;
    (6) The institution's policies and practices with respect to 
protecting the confidentiality and security of nonpublic personal 
information; and
    (7) Where applicable, a statement that the institution discloses 
nonpublic personal information to nonaffiliated third parties pursuant 
to the section --.14 and --.15 exceptions.
    The privacy rule does not prescribe any specific format or 
standardized wording for these notices. Instead, institutions may 
design their own notices based on their individual practices provided 
they comply with the law and meet the ``clear and conspicuous'' 
standard in the statute and the privacy rule.\12\ The Appendix to the 
privacy rule contains model language (Sample Clauses) that institutions 
may use in privacy notices to satisfy the privacy rule.
---------------------------------------------------------------------------

    \12\ 15 U.S.C. 6802, 6803; privacy rule, section --.3(b), SEC 
248.3(c).
---------------------------------------------------------------------------

    Financial institutions first were required to distribute privacy 
notices to their customers by July 1, 2001.\13\ Many privacy notices in 
the initial effort were long and complex. In addition, because the 
privacy rule allows institutions flexibility in designing their privacy 
notices, notices have been formatted in various ways and as a result 
have been difficult to compare, even among financial institutions with 
identical privacy policies.
---------------------------------------------------------------------------

    \13\ The CFTC was added by Section 5g of the Commodity Exchange 
Act, 7 U.S.C. 7b-2 (as amended by the Commodity Futures 
Modernization Act of 2000), on December 21, 2000, and privacy 
notices were required to be delivered to consumers by March 31, 
2002.
---------------------------------------------------------------------------

    In response to broad-based concerns expressed by representatives of 
financial institutions, consumers, privacy advocates, and members of 
Congress, the Agencies conducted a workshop in December 2001 to provide 
a forum to consider how financial institutions could provide more 
useful privacy notices to consumers.\14\ The workshop featured panel 
presentations by financial institutions, consumer advocates, and 
communications experts, and highlighted key communication principles to 
improve the notices. A number of institutions, particularly those with 
complex information-sharing practices, described the challenges they 
faced in explaining their practices and the choices available to 
consumers in a simple fashion while meeting all of the legal 
requirements for notice. Some institutions described results of 
consumer testing and their efforts to make privacy notices clearer and 
more useful to consumers.
---------------------------------------------------------------------------

    \14\ Get Noticed: Writing Effective Financial Privacy Notices, 
Interagency Public Workshop (Dec. 4, 2001), workshop transcripts and 
other supporting documents are available at https://www.ftc.gov/bcp/
workshops/glb/.
---------------------------------------------------------------------------

    On December 30, 2003, the Agencies published an Advance Notice of 
Proposed Rulemaking to Consider Alternative Forms of Privacy Notices 
under the Gramm-Leach-Bliley Act \15\ (ANPR) to solicit comment on a 
wide range of issues related to improving privacy notices. The Agencies 
sought, for example, comment on issues associated with the format, 
elements, and language used in privacy notices that would make the 
notices more accessible, readable, and useful, and whether to develop a 
model privacy notice that would be short and simple. The Agencies also 
solicited examples of

[[Page 14944]]

forms, model clauses, and other information, such as applicable 
research that has been conducted in this area. The ANPR stated that the 
Agencies expected that consumer testing would be a key component in the 
development of any specific proposals.
---------------------------------------------------------------------------

    \15\ See Interagency Proposal to Consider Alternative Forms of 
Privacy Notices Under the Gramm-Leach-Bliley Act, 68 FR 75164 (Dec. 
30, 2003), available at https://www.ftc.gov/os/2003/12/
031223anprfinalglbnotices.pdf.
---------------------------------------------------------------------------

    During January and February 2004, the Agencies met with a number of 
interested groups and individuals to discuss the issues raised in the 
ANPR.\16\ The Agencies received forty-four comments in response to the 
ANPR.\17\ While commenters expressed a variety of views on the 
questions posed in the ANPR, many commenters agreed that the Agencies 
should conduct consumer testing before proposing any alternative 
privacy notice.
---------------------------------------------------------------------------

    \16\ Summaries of the outside meetings are available at https://
www.ftc.gov/privacy/privacyinitiatives/financial_rule_inrp.html.
    \17\ Public comments to the ANPR are available at https://
www.ftc.gov/privacy/privacyinitiatives/financial_rule_inrp.html.
---------------------------------------------------------------------------

B. The Interagency Notice Project

    In the summer of 2004, six Agencies \18\ agreed to launch a project 
to fund consumer research (Notice Project). Their goals were to 
identify barriers to consumer understanding of current privacy notices 
and to develop an alternative privacy notice, or elements of a notice, 
that consumers could more easily use and understand compared to current 
notices. When the Agencies initiated this project, they contemplated 
conducting the consumer research in two sequential phases. The first 
phase was designed as qualitative testing, that is, form development 
research. This research involved a series of in-depth individual 
consumer interviews to develop an alternative privacy notice that would 
be easier for consumers to use and understand. The second phase was 
designed as quantitative testing, to test the effectiveness of the 
alternative privacy notice developed in phase one among a larger number 
of consumers. The first phase has been completed and resulted in the 
model notice we are proposing for comment today. The Agencies expect to 
conduct the second phase of testing after receipt of comments in 
response to this proposal.\19\
---------------------------------------------------------------------------

    \18\ The six Agencies are the Board, FDIC, FTC, NCUA, OCC, and 
SEC. Information related to the Notice Project can be found at 
https://www.ftc.gov/privacy/privacyinitiatives/financial_rule_
inrp.html.
    \19\ OTS has joined the Notice Project for the phase two 
research.
---------------------------------------------------------------------------

    In September 2004, the six Agencies selected Kleimann Communication 
Group, Inc. (Kleimann) as their contractor for the phase one form 
development research. The research objectives of the Notice Project 
included designing a privacy notice that consumers could understand and 
use, that facilitated comparison of sharing practices and policies 
across privacy notices, and that addressed all relevant legal 
requirements of the GLB Act and FCRA. At the outset of the research, 
the Agencies considered a range of possible options for the notice, 
including a short notice, a layered approach (highlighting key 
information upfront), as well as a longer fully-compliant notice. The 
Agencies limited the project to paper-based notices, reasoning that a 
successful paper notice could be readily adapted to another medium such 
as the Internet. The Agencies used a readable font \20\ and, in order 
not to confound the research findings on comprehension by introducing 
too many variables into the test notice, expressly did not use color, 
logos, or other graphical designs in the test notices. Instead, the 
Agencies focused on formulating and testing content that consumers 
could understand and use in order to develop a short, simplified 
privacy notice that met the research objectives.
---------------------------------------------------------------------------

    \20\ The text of the prototype notice is in 10 point BK Avenir 
Book font.
---------------------------------------------------------------------------

    The form development phase culminated in an extensive research 
report released by the Agencies in March 2006. Prepared by Kleimann, 
``Evolution of a Prototype Financial Privacy Notice,'' details the 
process by which the Agencies and Kleimann developed an alternative 
privacy notice.\21\ As explained more fully in the Kleimann Report, 
over a one-year period, Kleimann conducted two focus groups followed by 
a series of 46 in-depth, individual interviews, conducted sequentially 
at seven sites around the country. The interviews tested consumers on 
their ability to comprehend, use, and compare notices based on 
variations in vocabulary, ordering of content, and format. The 
structure, content, ordering of the text information, and title of the 
proposed model form all reflect the research findings in the 
qualitative consumer testing.
---------------------------------------------------------------------------

    \21\ See Kleimann Communication Group, Inc., Evolution of a 
Prototype Financial Privacy Notice: A Report on the Form Development 
Project (Feb. 28, 2006) (Kleimann Report). For a copy of the full 
report, go to https://www.ftc.gov/privacy/privacyinitiatives/
ftcfinalreport060228.pdf. For the executive summary, go to https://
www.ftc.gov/privacy/privacyinitiatives/
FTCFinalReportExecutiveSummary.pdf.
---------------------------------------------------------------------------

    The Agencies now are proposing the model privacy notice produced in 
the form development phase with some minor revisions (the proposed 
model form) for comment in accordance with the Regulatory Relief Act. 
The Agencies contemplate that the safe harbor for the proposed model 
form will be effective upon publication of the final rule in order to 
permit institutions that elect to use the form to do so immediately. 
The Agencies recognize that institutions may post their privacy notices 
on their Internet sites, as well as deliver paper or email versions to 
their customers. The Agencies contemplate that institutions that post a 
pdf version of the proposed model privacy form may obtain a safe 
harbor, but are requesting comment on whether to develop a Web-based 
design for financial institutions to use on their Internet sites, 
including comment on particular design and/or technical considerations.
    The Agencies believe that the proposed model form meets all the 
requirements of the Act and is easier to understand than most privacy 
notices currently being disseminated. The following section describes 
the proposed model form and highlights some key research findings. For 
more detailed information on the research methodology and the form 
development process, commenters are encouraged to review the full 
Kleimann Report. The Agencies also are proposing instructions on how 
institutions may obtain a safe harbor by using the proposed model form, 
including an explanation of aspects of the form that may and may not be 
varied.\22\ Institutions would not be able to vary content or format, 
other than as described in this proposal, to take advantage of the safe 
harbor. Moreover, institutions would not be able to include any other 
information in the proposed model form nor incorporate this model form 
into any other document.
---------------------------------------------------------------------------

    \22\ While the model form would provide a safe harbor, 
institutions could continue to use other types of notices that vary 
from the model form so long as these notices comply with the privacy 
rule. For example, an institution could continue to use a simplified 
notice as described in section --.6(c)(5) (NCUA 716.6(e)(5)) of the 
privacy rule if it does not have affiliates and does not intend to 
share nonpublic personal information with nonaffiliated third 
parties outside of the exceptions provided in sections --.14 and 
--.15.
---------------------------------------------------------------------------

II. The Proposed Model Form

A. The Structure

    The proposed model form has either two or three pages, depending on 
whether the financial institution provides an opt-out. While the 
research showed that page one alone was adequate for comprehension and 
usability, page one together with page two address the legal 
requirements of applicable Federal financial privacy laws and increase 
consumer comprehension. Each of the pages of the model form is printed 
separately and

[[Page 14945]]

only on one side of an 8.5 by 11 inch piece of paper because, during 
testing, consumers expressed a preference for the model which allowed 
them to view the information on pages one and two side-by-side.\23\ The 
proposed model form in Appendix A is designed to be customized by each 
financial institution that elects to use it by inserting, for example, 
the institution's name, contact information, and information about 
affiliates, nonaffiliates, or joint marketing partners, if any, with 
which it shares personal information. In addition, the disclosure table 
requires that each institution complete the responses in each of the 
boxes provided in a manner that accurately reflects its information 
sharing policies and practices.
---------------------------------------------------------------------------

    \23\ The proposed model form has the opt-out options and 
instructions on a separate page. Staff of certain of the Agencies 
issued Frequently Asked Questions in December 2001 (Privacy FAQs), 
stating that a consumer should be able to detach a mail-in opt-out 
form from a privacy notice without removing text from the privacy 
policy. Otherwise, the institution may violate section --.9(e) of 
the privacy rule, which requires that a privacy policy must be 
provided in such a way that a customer can retain the text of the 
notices or obtain them later. See F.4 of the Privacy FAQs, available 
at https://www.ftc.gov/privacy/glbact/glb-faq.htm.
---------------------------------------------------------------------------

    Below is one example of a completed model form for a fictional 
financial institution, Neptune, whose privacy policy provides for broad 
sharing in a manner that triggers consumer opt-out rights. For 
comparison, a second example is also provided for another fictional 
institution, Mars, whose privacy policy limits sharing and does not 
trigger consumer opt-out rights. Each of these institutions uses and 
shares personal information in different ways; thus, their responses in 
the disclosure table vary, as do the descriptions of their affiliates, 
nonaffiliates, or joint marketing partners in the definition 
section.\24\ Importantly, since Mars does not share in a way that 
triggers an opt-out, the opt-out form (page 3 of the proposed model 
form) is not required and so is not included in the Mars notice. Thus, 
not every institution subject to the privacy rule will have to provide 
page three of the model form; only those institutions whose privacy 
practices require delivery of an opt-out notice or those institutions 
that choose to provide opt-outs beyond those required by law.
---------------------------------------------------------------------------

    \24\ The Agencies understand that many consumers are not 
familiar with institutions' information sharing practices. During 
the Notice Project's initial research, some consumers expressed 
concern about financial institutions changing their practices and 
policies without adequately informing consumers about such changes. 
A few consumers suggested that, at a minimum, the notices should be 
dated to reflect the most recent revision so consumers would know 
when the notice was last changed and could more easily identify the 
most recent policy statement. Changes to an institution's policy may 
be reflected in a revised notice under section --.8 of the privacy 
rule or in an annual notice. Some institutions highlight changes to 
their privacy notices in some distinctive way, so that consumers can 
readily identify the change. As discussed later in Section V, the 
Agencies invite comment on whether financial institutions should be 
required to alert consumers to changes in an institution's privacy 
practices as part of the proposed model form.

---------------------------------------------------------------------------

[[Page 14946]]

Example 1. Neptune Model Privacy Form
[GRAPHIC] [TIFF OMITTED] TP29MR07.000


[[Page 14947]]


[GRAPHIC] [TIFF OMITTED] TP29MR07.001


[[Page 14948]]


[GRAPHIC] [TIFF OMITTED] TP29MR07.002


[[Page 14949]]



Example 2. Mars Model Privacy Form
[GRAPHIC] [TIFF OMITTED] TP29MR07.003


[[Page 14950]]


[GRAPHIC] [TIFF OMITTED] TP29MR07.004


[[Page 14951]]



Example 3. Illustration of Type Size for the Various Elements of the 
Model Form \25\

     
---------------------------------------------------------------------------

    \25\ See infra note and accompanying text. This illustration 
displays the font sizes of the various elements in the model form.
[GRAPHIC] [TIFF OMITTED] TP29MR07.005

B. Page One--Background Information and the Disclosure Table

    Page one of the proposed model form has four parts: (1) The title; 
(2) an introductory section called the ``key frame,'' which provides 
context to help the consumer better understand the required 
disclosures; (3) a table that describes the types of sharing Federal 
law allows, which of those types of sharing the institution actually 
does, and whether the consumer can opt out of any type of the 
institution's sharing; and (4) the institution's contact information.
    The research showed that the title, ``FACTS What Does [name of 
financial

[[Page 14952]]

institution] Do With Your Personal Information,'' is more likely to 
catch consumers' attention so they will read the notice. The title can 
be used by all institutions regardless of their information sharing 
practices.
    The ``key frame,'' with its three short headings--Why, What, and 
How--is included because the research showed that, unless consumers 
have some basic facts about information sharing, they are less likely 
to understand why they are receiving a privacy notice and what to do 
with one. The ``Why'' box tells consumers that Federal law requires 
that the financial institution send the notice. The ``What'' box 
explains the types of personal information financial institutions 
collect and share.\26\ The ``How'' box explains that some information 
sharing is necessary for all institutions in order to provide the 
products and services that consumers request. It also briefly explains 
what information consumers will find in the disclosure table below. The 
research found that these particular headings and the bulleted 
explanations enhanced consumers' understanding of the purpose of the 
notice, enabled them to make an informed decision about the use of 
their personal information, and aided their overall comprehension.
---------------------------------------------------------------------------

    \26\ The Agencies recognize that some financial institutions may 
not collect each type of information described in the ``What'' box. 
As reflected in the introductory clause, which states that the 
``information [collected] can include * * *,'' the standardized 
terms are designed to reflect the range of information typically 
collected by financial institutions required to provide privacy 
notices under the GLB Act and FCRA, rather than the specific 
information collected by each particular institution, and therefore, 
are not to be modified to reflect an institution's particular 
practices. The SEC's model privacy form reflects modified terms in 
the ``What'' box that are intended to include the range of 
information typically collected by brokers, dealers, investment 
advisers registered with the Commission, and investment companies.
---------------------------------------------------------------------------

    The disclosure table at the bottom of page one provides information 
about the financial institution's sharing practices. The research found 
that this table is the ``heart'' of the proposed model form, 
``enabl[ing] consumers to understand the details of their financial 
institution's sharing practices in the context of how other financial 
institutions can share. It is critical for comprehension and 
comparability.'' \27\ The table is featured on page one because it is 
one of the most important elements of the model form.
---------------------------------------------------------------------------

    \27\ See Kleimann Report, supra note , at v and 7.
---------------------------------------------------------------------------

    Key research findings were that providing this information in a 
table form greatly increased consumers' ability to readily identify and 
understand an institution's sharing practices and what, if any, choices 
they had to limit any of that sharing, and easily compare these 
practices and choices among institutions. The Agencies asked Kleimann 
to develop and test a ``prose'' version describing information sharing 
practices since such a format would be more comparable to notices 
currently used by financial institutions. However, the research found 
that the table design of the proposed model form outperformed the prose 
design on a variety of measures, including comprehension, 
comparability, and usability.\28\
---------------------------------------------------------------------------

    \28\ See id. at 185, 215, 256.
---------------------------------------------------------------------------

    The disclosure table includes a description of the possible types 
of sharing and uses of personal information and the associated opt-out 
choices that must be disclosed. The opt-out disclosures are required 
under: (1) Section 502(b) of the GLB Act (regarding certain sharing 
with nonaffiliated third parties); (2) section 603(d)(2)(A) of the FCRA 
(regarding sharing of creditworthiness and credit report information 
among affiliates); and (3) section 624 of the FCRA, as added by section 
214 of the Fair and Accurate Credit Transactions Act of 2003 (Fact 
Act), 15 U.S.C. 1681s-3 (use of that information for marketing).\29\ 
The table provides important context about what information sharing a 
financial institution actually does relative to what it could do. The 
research showed that the table, with its standardized content, 
facilitates easy comparison of information sharing practices among 
different institutions. The structure of the disclosure table and the 
reasons for sharing are designed to be consistent for all financial 
institutions.\30\ The institution-specific information lies in the 
answers to the questions within each of the boxes. Accordingly, even if 
a financial institution does not share for one of the reasons listed in 
the table (for example, it has no affiliates and therefore does not 
share with affiliates), the institution could not exclude that reason 
from the table, but would answer ``No'' under ``Does [name of financial 
institution] share?''
---------------------------------------------------------------------------

    \29\ Pub. L. 108-159, 117 Stat. 1952. Section 624 provides that 
information that may be shared among affiliates--including 
transaction and experience information and certain creditworthiness 
information--cannot be used for marketing purposes unless the 
consumer has received a notice of such use and an opportunity to opt 
out, and the consumer does not opt out. The Agencies have included 
language pertaining to this affiliate marketing provision and the 
related opt-out on the notice developed in the consumer research in 
response to comments to the ANPR. While the Agencies have not yet 
issued a final regulation implementing this provision of the FACT 
Act, they are coordinating this rulemaking with the affiliate 
marketing rulemaking to ensure that language addressing the section 
624 opt-out as incorporated in this model form (when finalized) 
would be deemed to comply with the affiliate marketing rule. 
Institutions would not be required to include reference to this 
provision until a final rule for section 624 is issued and becomes 
effective, and only in the event that institutions choose to 
consolidate the 624 notice and opt-out with the GLB Act privacy 
notice.
    \30\ The reasons for sharing are grouped into three main 
categories. The first three reasons describe what financial 
institutions do with their consumers' personal information. The next 
three reasons describe what a financial institution's affiliates do 
with that information. The last reason describes what nonaffiliated 
companies may do with the personal information, other than acting as 
a service provider to or acting jointly with the financial 
institution (that is, outside the exceptions provided in sections 
--.13, --.14, and --.15). This generally means marketing by the 
nonaffiliated company.
---------------------------------------------------------------------------

    The language used in the disclosure table is based on Kleimann's 
research. The simplified phrases describing information sharing 
practices were continually refined through the consumer testing process 
to allow consumers to better understand the information sharing and use 
possibilities. The laws governing the disclosure of consumers' personal 
information are not easily translated into short, comprehensible 
phrases that are also legally precise. Thus, the table in some cases 
uses more easily understandable short-hand terms to describe sharing 
practices required to be in the notice. For example, the table uses the 
term ``everyday business purposes'' to describe the sharing 
contemplated by the exceptions in sections --.14 and --.15 of the 
privacy rule, which does not trigger opt-out rights. The research found 
that consumers understood that ``everyday business purposes'' means 
that companies must share in some basic ways in order to provide the 
financial products or services that consumers request. The table also 
speaks in terms of the institution's own ``marketing purposes'' to 
capture the idea that nearly all, if not all, financial institutions 
share information in connection with marketing their own products and 
services to their customers (for example, with a service provider such 
as a bulk mailer or data processor) in a manner that does not trigger 
an opt-out right. With respect to the reasons for information sharing 
among affiliated companies that track the FCRA provisions \31\ (the 
sharing of ``transaction and experience information'' and the sharing 
of ``other information''), the disclosure table uses ``Information 
about your creditworthiness'' as a short-hand term for the statutory 
term ``other information.''
---------------------------------------------------------------------------

    \31\ See section 603(d)(2)(A) of the FCRA.
---------------------------------------------------------------------------

    The institution's contact information appears at the bottom of page 
one in

[[Page 14953]]

response to consumers' preferences expressed during testing.

C. Page Two--Supplemental Information

    The second page provides additional explanatory information that, 
in combination with page one, ensures that the notice includes all 
elements described in the GLB Act as implemented by the privacy rule. 
There is supplemental information in the form of Frequently Asked 
Questions (FAQs) \32\ at the top and definitions below.\33\ The 
research showed that although consumers generally understood the 
concepts of certain technical words, they found that the four 
definitions on page two provided helpful additional information that 
further clarified the nature and type of information sharing by a 
financial institution. Some of the definitions include institution-
specific information required by the GLB Act. For example, an 
institution that has affiliates must identify the categories of its 
affiliates after the definition. Likewise, an institution that has no 
affiliates can explain after the definition that it does not have 
affiliates.
---------------------------------------------------------------------------

    \32\ Note that financial institutions should insert their names 
as indicated in the first three questions in this section.
    \33\ The FAQ box regarding sources of information does not 
permit a financial institution to customize the sources of 
information it collects. As with the standardized terms describing 
information the institution collects on page one, see supra note , 
the disclosure is intended to include the range of information 
sources typically used by institutions subject to the GLB Act and 
FCRA rather than the information sources used by each particular 
institution. The SEC's model form reflects additional terms in this 
box that are intended to include the range of sources of information 
typically used by brokers, dealers, investment advisers registered 
with the Commission, and investment companies.
---------------------------------------------------------------------------

    Examples of institution-specific information are shown for the last 
three definitions in the italicized print in both the Neptune and Mars 
forms. Thus, Neptune has affiliates with which it shares certain 
information and, under the definition of ``affiliates,'' Neptune 
includes information in italics that describes the categories of its 
affiliates. Since Mars has no affiliates, the Mars form states ``Mars 
has no affiliates.''

D. Page Three--The Opt-Out Form

    The third page provides an opt-out form, for use by those financial 
institutions that share in a manner that triggers consumer opt-out 
rights under the GLB Act or FCRA (see the proposed model privacy form 
in Appendix A and the Neptune form). Institutions using the proposed 
model form must include page three in their notices only if they (1) 
share or use information in a manner that triggers an opt-out, or (2) 
choose to provide opt-outs beyond what is required by law.
    The opt-out page lists three common methods for opting out--by 
telephone, on the Web, and by mail--and summarizes the opt-out choices 
available to the consumer in a clear and easy-to-read format that the 
research found consumers appreciated. Financial institutions that 
provide opt-out forms are not required to provide all the opt-out 
choices and methods described in the Neptune opt-out form. The Agencies 
expect that institutions may need to tailor the opt-out page to reflect 
accurately the institution's particular practices.\34\ The model form, 
for example, includes information for the customer's account number as 
a means of identifying both the customer and account to which the opt-
out should apply. Institutions requiring consumers with multiple 
account numbers to list each account number to which the opt-out should 
apply should modify that portion of the form. Institutions requiring 
information other than an account number should modify that portion of 
the form. Institutions that allow more than 30 days from issuing the 
notice may insert that time period in place of the number ``30''. The 
proposed rule accordingly provides instructions explaining permissible 
variations to page three of the Neptune notice.
---------------------------------------------------------------------------

    \34\ See note 29. For institutions that choose to consolidate 
the 624 notice into the model form and offer this opt-out, the 
italicized language accompanying the affiliate sharing opt-out 
choice on page three of the proposed model form is required only if 
an institution wants to limit the time of the opt-out period, with 5 
years the minimum opt-out period required by the statute. Where an 
institution elects to limit the time period for which the opt-out is 
effective, it should look to the Agencies' affiliate marketing rule 
for guidance on the manner and form in which to provide any 
additional notice that would effectively permit a consumer to renew 
or extend the opt-out period.
---------------------------------------------------------------------------

E. Additional Opt-Outs in the Model Form

    The third column in the disclosure table in the proposed model form 
is intended to provide flexibility for financial institutions to 
include additional opt-out choices that are not required by Federal 
law. For example, a financial institution may give its customers the 
opportunity to limit sharing for joint marketing. In that case, the 
financial institution would answer the question ``Can you limit this 
sharing?'' in the far right column with ``Yes (Check your choices, p. 
3)'' and would describe the additional opt-out choice on its opt-out 
form, for example by stating, ``Do not share my personal information 
with other financial institutions to jointly market to me.'' Likewise, 
if a financial institution wanted to offer its customers the 
opportunity to opt out of its own marketing, it could provide for that 
option by answering ``Yes'' in the appropriate box of the disclosure 
table and by describing the opt-out choice on the opt-out form, for 
example by stating ``Do not share [or use] my personal information to 
market to me.'' To obtain the safe harbor for use of the proposed model 
form, an institution that uses the disclosure table to show any 
additional opt-out choice must include the opt-out form on page three 
to provide consumers with a method for opting out. The Agencies 
specifically invite comment on other opt-outs that financial 
institutions may provide, and on whether the Agencies should provide 
model language based on the opt-out provisions provided in the proposed 
model form.

F. Appearance of the Model Form

    In addition to the requirements that the proposed model form be 
comprehensible, clear and conspicuous, and allow for easy comparison of 
privacy practices among financial institutions, the law requires that 
the model form use an easily readable type font. The prototype notice 
developed in the Agencies' phase one research and shown here as the 
proposed model form, reflects consideration of a number of 
typographical factors in the design.\35\ Type size, type style, 
leading, x-height, serif versus sans serif,\36\ upper and lower case 
type, along with the page layout--all play an important role in 
designing a typeface that is highly readable. Consumers who saw the 
prototype notice during the research process commented on how easy the 
type was to see and read.\37\
---------------------------------------------------------------------------

    \35\ The prototype notice developed in the consumer research is 
10 on 12 BK Avenir Book. The ``10 on 12'' means that the font size 
is 10 points, and the leading (that is, the additional space between 
the lines of type) is 2 points of spacing.
    \36\ Serif typeface has small strokes at the ends of the lines 
that form each letter. Sans serif typeface