Interagency Proposal for Model Privacy Form Under the Gramm-Leach-Bliley Act, 14940-15000 [07-1476]

Download as PDF 14940 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules National Credit Union Administration (NCUA); Federal Trade Commission (FTC); Commodity Futures Trading Commission (CFTC); and Securities and Exchange Commission (SEC). ACTION: Proposed rule. DEPARTMENT OF THE TREASURY Office of the Comptroller of the Currency 12 CFR Part 40 [Docket ID OCC–2007–0003] RIN 1557–AC80 FEDERAL RESERVE SYSTEM 12 CFR Part 216 [Docket No. R–1280] FEDERAL DEPOSIT INSURANCE CORPORATION 12 CFR Part 332 RIN 3064–AD16 DEPARTMENT OF THE TREASURY Office of Thrift Supervision 12 CFR Part 573 [Docket ID OTS–2007–0005] RIN 1550–AC12 NATIONAL CREDIT UNION ADMINISTRATION 12 CFR Part 716 RIN 3133–AC84 FEDERAL TRADE COMMISSION 16 CFR Part 313 [Project No. 034815] RIN 3084–AA94 COMMODITY FUTURES TRADING COMMISSION 17 CFR Part 160 RIN 3038–AC04 SECURITIES AND EXCHANGE COMMISSION 17 CFR Part 248 [Release Nos. 34–55497, IA–2598, IC–27755; File No. S7–09–07] RIN 3235–AJO6 rwilkins on PROD1PC63 with PROPOSALS Interagency Proposal for Model Privacy Form Under the Gramm-LeachBliley Act Office of the Comptroller of the Currency, Treasury (OCC); Board of Governors of the Federal Reserve System (Board); Federal Deposit Insurance Corporation (FDIC); Office of Thrift Supervision, Treasury (OTS); AGENCIES: VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 SUMMARY: The OCC, Board, FDIC, OTS, NCUA, FTC, CFTC, and SEC (the Agencies) are proposing amendments to their rules that implement the privacy provisions of the Gramm-Leach-Bliley Act (GLB Act), Title V, Subtitle A. These rules require financial institutions to provide initial and annual privacy notices to their customers. As required under section 728 of the Financial Services Regulatory Relief Act of 2006 (Regulatory Relief Act or Act), the Agencies are proposing a safe harbor model privacy form that financial institutions may use to provide disclosures under the privacy rules. Institutions that use notices based on the Sample Clauses currently contained in most of the privacy rules would lose the benefit of a safe harbor for compliance with respect to those notices if they are provided more than one year following the date of publication of a final rule. Similarly, institutions that use notices based on the Sample Clauses in the SEC’s privacy rule could no longer rely on the guidance provided with respect to those notices if they are provided more than one year following the date of publication of a final rule. DATES: Comments must be submitted on or before May 29, 2007. For information regarding the effective dates of the provisions proposed in this document, see the discussion under ‘‘Proposed Effective Dates’’ in the SUPPLEMENTARY INFORMATION section. ADDRESSES: Because the Agencies will jointly review all of the comments submitted, interested parties may send comments to any of the Agencies and need not send comments (or copies) to all of the Agencies. Commenters are encouraged to use the title ‘‘Model Privacy Form’’ to facilitate the organization and distribution of comments among the Agencies. Interested parties are invited to submit written comments to: Office of the Comptroller of the Currency: You may submit comments by any of the following methods: • Federal eRulemaking Portal— ‘‘Regulations.gov’’: Go to https:// www.regulations.gov, select ‘‘Comptroller of the Currency’’ from the agency drop-down menu, then click ‘‘Submit.’’ In the ‘‘Docket ID’’ column, select ‘‘OCC–2007–0003’’ to submit or PO 00000 Frm 00002 Fmt 4701 Sfmt 4702 view public comments and to view supporting and related materials for this notice of proposed rulemaking. The ‘‘User Tips’’ link at the top of the Regulations.gov home page provides information on using Regulations.gov, including instructions for submitting or viewing public comments, viewing other supporting and related materials, and viewing the docket after the close of the comment period. • Mail: Office of the Comptroller of the Currency, 250 E Street, SW., Mail Stop 1–5, Washington, DC 20219. • Hand Delivery/Courier: 250 E Street, SW., Attn: Public Information Room, Mail Stop 1–5, Washington, DC 20219. Instructions: You must include ‘‘OCC’’ as the agency name and ‘‘Docket Number OCC–2007–0003’’ in your comment. In general, OCC will enter all comments received into the docket and publish them on Regulations.gov without change, including any business or personal information that you provide such as name and address information, e-mail addresses, or phone numbers. Comments, including attachments and other supporting materials, received are part of the public record and subject to public disclosure. Do not enclose any information in your comment or supporting materials that you consider confidential or inappropriate for public disclosure. You may review comments and other related materials by any of the following methods: • Viewing Comments Electronically: Go to https://www.regulations.gov, select ‘‘Comptroller of the Currency’’ from the agency drop-down menu, then click ‘‘Submit.’’ In the ‘‘Docket ID’’ column, select ‘‘OCC–2007–0003’’ to view public comments for this notice of proposed rulemaking. • Viewing Comments Personally: You may personally inspect and photocopy comments at the OCC’s Public Information Room, 250 E Street, SW., Washington, DC. You can make an appointment to inspect comments by calling (202) 874–5043. • Docket: You may also view or request available background documents and project summaries using the methods described above. Board of Governors of the Federal Reserve System: You may submit comments, identified by Docket No. R– 1280, by any of the following methods: • Agency Web Site: https:// www.federalreserve.gov. Follow the instructions for submitting comments at https://www.federalreserve.gov/ generalinfo/foia/ProposedRegs.cfm. E:\FR\FM\29MRP2.SGM 29MRP2 rwilkins on PROD1PC63 with PROPOSALS Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules • Federal eRulemaking Portal: https:// www.regulations.gov. Follow the instructions for submitting comments. • E-mail: regs.comments@ federalreserve.gov. Include docket number in the subject line of the message. • Fax: 202/452–3819 or 202/452– 3102. • Mail: Jennifer J. Johnson, Secretary, Board of Governors of the Federal Reserve System, 20th Street and Constitution Avenue, NW., Washington, DC 20551. All public comments are available from the Board’s Web site at https:// www.federalreserve.gov/generalinfo/ foia/ProposedRegs.cfm as submitted, unless modified for technical reasons. Accordingly, your comments will not be edited to remove any identifying or contact information. Public comments may also be viewed electronically or in paper in Room MP–500 of the Board’s Martin Building (20th and C Streets, NW.,) between 9 a.m. and 5 p.m. on weekdays. FDIC: You may submit comments by any of the following methods: Agency Web Site: https:// www.fdic.gov/regulations/laws/federal. Follow instructions for submitting comments on the Agency Web Site. E-mail: Comments@FDIC.gov. Include ‘‘Model Privacy Form’’ in the subject line of the message. Mail: Robert E. Feldman, Executive Secretary, Attention: Comments, Federal Deposit Insurance Corporation, 550 17th Street, NW., Washington, DC 20429. Hand Delivery/Courier: Guard station at the rear of the 550 17th Street Building (located on F Street) on business days between 7 a.m. and 5 p.m. (EST). Federal eRulemaking Portal: https:// www.regulations.gov. Follow the instructions for submitting comments. Public Inspection: All comments received will be posted without change to https://www.fdic.gov/regulations/laws/ federal including any personal information provided. Comments may be inspected and photocopied in the FDIC Public Information Center, 3501 North Fairfax Drive, Room E–1002, Arlington, VA 22226, between 9 a.m. and 5 p.m. (EST) on business days. Paper copies of public comments may be ordered from the Public Information Center by telephone at (877) 275–3342 or (703) 562–2200. Office of Thrift Supervision: You may submit comments, identified by OTS– 2007–0005, by any of the following methods: • Federal eRulemaking Portal: Go to https://www.regulations.gov, select ‘‘Office of Thrift Supervision’’ from the VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 agency drop-down menu, then click submit. Select Docket ID ‘‘OTS–2007– 0005’’ to submit or view public comments and to view supporting and related materials for this notice of proposed rulemaking. The ‘‘User Tips’’ link at the top of the page provides information on using Regulations.gov, including instructions for submitting or viewing public comments, viewing other supporting and related materials, and viewing the docket after the close of the comment period. • Mail: Regulation Comments, Chief Counsel’s Office, Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552, Attention: OTS– 2007–0005. • Hand Delivery/Courier: Guard’s Desk, East Lobby Entrance, 1700 G Street, NW., from 9 a.m. to 4 p.m. on business days, Attention: Regulation Comments, Chief Counsel’s Office, Attention: OTS–2007–0005. Instructions: All submissions received must include the agency name and docket number for this rulemaking. All comments received will be entered into the docket and posted on Regulations.gov without change, including any personal information provided. Comments, including attachments and other supporting materials received are part of the public record and subject to public disclosure. Do not enclose any information in your comment or supporting materials that you consider confidential or inappropriate for public disclosure. Viewing Comments Electronically: Go to https://www.regulations.gov, select ‘‘Office of Thrift Supervision’’ from the agency drop-down menu, then click ‘‘Submit.’’ Select Docket ID ‘‘OTS– 2007–0005’’ to view public comments for this notice of proposed rulemaking. Viewing Comments On-Site: You may inspect comments at the Public Reading Room, 1700 G Street, NW., by appointment. To make an appointment for access, call (202) 906–5922, send an e-mail to public.info@ots.treas.gov, or send a facsimile transmission to (202) 906–6518. (Prior notice identifying the materials you will be requesting will assist us in serving you.) We schedule appointments on business days between 10 a.m. and 4 p.m. In most cases, appointments will be available the next business day following the date we receive a request. National Credit Union Administration: Comments should be directed to Mary Rupp, Secretary of the Board. You may submit comments by any of the following methods (Please send comments by one method only): PO 00000 Frm 00003 Fmt 4701 Sfmt 4702 14941 • Federal eRulemaking Portal: https:// www.regulations.gov. Follow the instructions for submitting comments. • NCUA Web Site: https:// www.ncua.gov/news/proposed_regs/ proposed_regs.html. Follow the instructions for submitting comments. • E-mail: Address to regcomments@ncua.gov. Include ‘‘[Your name] Comments on Proposed Rule Part 716 (Model Form for Privacy Notice)’’ in the e-mail subject line. • Fax: (703) 518–6319. Use the subject line described above for e-mail. • Mail: Address to Mary Rupp, Secretary of the Board, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314– 3428. • Hand Delivery/Courier: Same as mail address. Federal Trade Commission: All persons are invited to submit written comments. Comments should refer to ‘‘Model Privacy Form, FTC File No. P034815’’ to facilitate the organization of comments. Comments filed in paper form should include this reference both in the text and on the envelope, and should be mailed or delivered to: Federal Trade Commission/Office of the Secretary, Room 135 (Annex C), 600 Pennsylvania Avenue, NW., Washington, DC 20580. Because paper mail in the Washington area and at the Commission is subject to delay, please consider submitting your comments in electronic form, as prescribed below. If the comment contains any material for which confidential treatment is requested, it must be filed in paper (rather than electronic) form, and the first page of the document must be clearly labeled ‘‘Confidential.’’ 1 The FTC is requesting that any comment filed in paper form be sent by courier or overnight service, if possible. Comments filed in electronic form should be submitted by using the following Web link: https:// secure.commentworks.com/ftcmodelform (and following the instructions on the Web-based form). To ensure that the Commission considers an electronic comment, you must file it on the Web-based form at the Web link https://secure.commentworks.com/ftcmodelform. If this notice appears at www.regulations.gov, you may also file an electronic comment through that 1 Commission Rule 4.2(d), 16 CFR 4.2(d). The comment must also be accompanied by an explicit request for confidential treatment, including the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. The request will be granted or denied by the Commission’s General Counsel, consistent with applicable law and the public interest. See Commission Rule 4.9(c), 16 CFR 4.9(c). E:\FR\FM\29MRP2.SGM 29MRP2 14942 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules Web site. The Commission will consider all comments that www.regulations.gov forwards to it.2 The FTC Act and other laws the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. All timely and responsive public comments with all required fields completed, whether filed in paper or electronic form, will be considered by the Commission, and will be available to the public on the FTC Web site, to the extent practicable, at https://www.ftc.gov. As a matter of discretion, the Commission makes every effort to remove home contact information for individuals it receives from the public comments before placing those comments on the FTC Web site. More information, including routine uses permitted by the Privacy Act, may be found in the FTC’s privacy policy, at https://www.ftc.gov/ftc/ privacy.htm. Commodity Futures Trading Commission: Comments should be directed to Eileen Donovan, Acting Secretary of the Commission, Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st Street, NW., Washington, DC 20581. Comments may be sent by facsimile transmission to (202) 418– 5528 or by e-mail to secretary@cftc.gov. Securities and Exchange Commission: Comments may be submitted by any of the following methods: Electronic Comments • Use the Commission’s Internet comment form (https://www.sec.gov/ rules/proposed.shtml); or • Send an e-mail to rulecomments@sec.gov. Please include File Number S7–09–07 and ‘‘Model Privacy Form’’ on the subject line; or • Use the Federal eRulemaking Portal (https://www.regulations.gov). Follow the instructions for submitting comments. Paper Comments rwilkins on PROD1PC63 with PROPOSALS • Send paper comments in triplicate to Nancy M. Morris, Secretary, Securities and Exchange Commission, 2 An electronic comment can be filed by (1) clicking on https://www.regulations.gov; (2) selecting ‘‘Federal Trade Commission’’ at ‘‘Search for Open Regulations;’’ (3) locating the summary of this notice; (4) clicking on ‘‘Submit a Comment on this Regulation;’’ and (5) completing the form. For a given electronic comment, any information placed in the following fields—‘‘Title,’’ ‘‘First Name,’’ ‘‘Last Name,’’ ‘‘Organization Name,’’ ‘‘State,’’ ‘‘Comment,’’ and ‘‘Attachment’’—will be publicly available on the FTC Web site. The fields marked with an asterisk on the form are required in order for the FTC to fully consider a particular comment. Commenters may choose not to fill in one or more of these fields, but if they do so, their comments may not be considered. VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 100 F Street, NE., Washington, DC 20549–1090. All submissions should refer to File Number S7–09–07 and ‘‘Model Privacy Form.’’ This file number should be included on the subject line if e-mail is used. To help us process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission’s Internet Web site (https:// www.sec.gov/rules/proposed.shtml). Comments are also available for public inspection and copying in the Commission’s Public Reference Room, 100 F Street, NE., Washington, DC 20549. All comments received will be posted without change; we do not edit personal identifying information from submissions. You should submit only information that you wish to make available publicly. FOR FURTHER INFORMATION CONTACT: OCC: Amy Friend, Assistant Chief Counsel, (202) 874–5200; Heidi Thomas, Special Counsel, Jonathan Mitchell, Attorney, Legislative and Regulatory Activities Division, (202) 874–5090; David H. Nebhut, Director, Policy Analysis, (202) 874–5387; or Paul Utterback, NBE Compliance Specialist, (202) 874–4428, Office of the Comptroller of the Currency, 250 E Street, SW., Washington, DC 20219. Board: Adrianne Threatt, Counsel, Legal Division, (202) 452–3554; Jeanne Hogarth, Consumer Policies Program Manager, or Krista Ayoub, Senior Attorney, or Ky Tran-Trong, Counsel, Division of Consumer and Community Affairs, (202) 452–3667; or Michelle E. Shore, Federal Reserve Board Clearance Officer, (202) 452–3829 (for Paperwork Reduction Act questions only), Board of Governors of the Federal Reserve System, 20th Street and Constitution Avenue, NW., Washington, DC 20551. FDIC: David P. Lafleur, Senior Policy Analyst, Compliance Section, Division of Supervision and Consumer Protection, (202) 898–6569; or Ruth R. Amberg, Senior Counsel, (202) 898– 3736, or Kimberly A. Stock, Attorney, (202) 898–3815, Legal Division; Federal Deposit Insurance Corporation, 550 17th Street, NW., Washington, DC 20429. OTS: Ekita Mitchell, Consumer Regulations Analyst, Examinations, Supervision, and Consumer Protection, (202) 906–6451; or Richard Bennett, Counsel, Regulations and Legislation Division, (202) 906–7409, 1700 G Street, NW., Washington, DC 20552. NCUA: Regina Metz, Staff Attorney, (703) 518–6561, or Ross Kendall, Staff Attorney, Office of General Counsel, (703) 518–6562, National Credit Union PO 00000 Frm 00004 Fmt 4701 Sfmt 4702 Administration, 1775 Duke Street, Alexandria, Virginia 22314–3428. FTC: Loretta Garrison, Senior Attorney, Division of Privacy and Identity Protection, Bureau of Consumer Protection, (202) 326–3043, Federal Trade Commission, 600 Pennsylvania Avenue, NW., Stop NJ–3158, Washington, DC 20580. CFTC: Laura Richards, Senior Assistant General Counsel, (202) 418– 5126, or Gail B. Scott, Attorney, Office of General Counsel, (202) 418–5139, Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st Street, NW., Washington, DC 20581. SEC: Catherine McGuire, Chief Counsel, or Brice Prince, Special Counsel, Office of the Chief Counsel, Division of Market Regulation, (202) 551–5550; or Penelope Saltzman, Branch Chief, or Vincent Meehan, Senior Counsel, Office of Regulatory Policy, Division of Investment Management, (202) 551–6792, Securities and Exchange Commission, 100 F Street, NE., Washington, DC 20549. The Agencies are proposing amendments to each of their rules (which are consistent and comparable) that implement the privacy provisions of the GLB Act: 12 CFR part 40 (OCC); 12 CFR part 216 (Board); 12 CFR part 332 (FDIC); 12 CFR part 573 (OTS); 12 CFR part 716 (NCUA); 16 CFR part 313 (FTC); 17 CFR part 160 (CFTC); and 17 CFR part 248 (SEC) (collectively, the ‘‘privacy rule’’).3 SUPPLEMENTARY INFORMATION: I. Background The Regulatory Relief Act was enacted on October 13, 2006.4 Section 728 of the Act directs the Agencies to ‘‘jointly develop a model form which may be used, at the option of the financial institution, for the provision of disclosures under [section 503 of the GLB Act].’’ 5 The Regulatory Relief Act stipulates that the model form shall be a safe harbor for financial institutions 3 Because each Agency’s privacy rule has the same section numbers, relevant sections will be cited, for example, as ‘‘section l.6’’ unless otherwise noted. 4 Pub. L. 109–351 (Oct. 13, 2006), 120 Stat. 1966. 5 Id., adding 15 U.S.C. 6803(e). Section 728 of the Regulatory Relief Act directs the agencies named in Section 504(a)(1) of the GLB Act, 15 U.S.C. 6804(a)(1), to develop a model form. The CFTC, which did not become subject to Title V of the GLB Act until 2000, is not named in that section. The Commodity Exchange Act (‘‘CEA’’) was amended in 2000 by the Commodity Futures Modernization Act of 2000 to make the CFTC a ‘‘federal functional regulator’’ subject to the GLB Act Title V. See Section 5g of the CEA, 7 U.S.C. 7b–2. The CFTC interprets Section 728 of the Regulatory Relief Act as applying to it through Section 5g. E:\FR\FM\29MRP2.SGM 29MRP2 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules that elect to use it. Section 728 further directs that the model form shall: (A) Be comprehensible to consumers, with a clear format and design; (B) Provide for clear and conspicuous disclosures; (C) Enable consumers easily to identify the sharing practices of a financial institution and to compare privacy practices among financial institutions; and (D) Be succinct, and use an easily readable type font. The Agencies are required to propose a model form for public comment by April 11, 2007. A. The Gramm-Leach-Bliley Act Privacy Notices Subtitle A of title V of the GLB Act, captioned Disclosure of Nonpublic Personal Information,6 requires each financial institution to provide a notice of its privacy policies and practices to its customers who are consumers.7 In general, the privacy notices must describe a financial institution’s policies and practices with respect to disclosing nonpublic personal information about a consumer to both affiliated and nonaffiliated third parties.8 The notices also must provide a consumer a reasonable opportunity to direct the institution generally not to share nonpublic personal information 9 about the consumer (that is, to ‘‘opt out’’) with nonaffiliated third parties other than as permitted by the statute (for example, sharing for everyday business purposes, such as processing transactions and maintaining customers’ accounts, and in response to properly executed governmental requests).10 The privacy notice must provide, where applicable under the Fair Credit Reporting Act (FCRA), a notice and an opportunity for 6 Codified at 15 U.S.C. 6801–6809. U.S.C. 6803(a). A ‘‘customer’’ means a consumer who has a ‘‘customer relationship with a financial institution.’’ Privacy rule, section l.3(h), SEC section 248.3(j), CFTC section 160.3(k). A ‘‘consumer’’ is ‘‘an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes, and also means the legal representative of such an individual.’’ 15 U.S.C. 6809(9); privacy rule, section l.3(e), SEC section 248.3(g)(1), CFTC section 160.3(h)(1). 8 15 U.S.C. 6803(a)–(c). 9 15 U.S.C. 6809(4). ‘‘Nonpublic personal information’’ is generally defined as personally identifiable financial information provided by a consumer to a financial institution, resulting from any transaction or any service performed for the consumer, or otherwise obtained by the financial institution. See privacy rule, sections l.3(n) and (o), SEC sections 248.3(t) and (u), CFTC sections 160.3(t) and (u). 10 15 U.S.C. 6802; privacy rule, sections l.14 and l.15. rwilkins on PROD1PC63 with PROPOSALS 7 15 VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 a consumer to opt out of certain information sharing among affiliates.11 The privacy rule requires a financial institution to provide a privacy notice to its customers no later than when a customer relationship is formed and annually for as long as the relationship continues. The notice must accurately reflect the institution’s information collection and disclosure practices and must include specific information. Section l.6 of the privacy rule requires the privacy notice to include the following: (1) The categories of nonpublic personal information that the institution collects; (2) With respect to both current and former customers, the categories of nonpublic personal information that it discloses and the categories of affiliates and nonaffiliated third parties to whom it discloses such information other than as permitted by the exceptions in sections l.14 and l.15; (3) Where the institution relies on the exception in section l.13 to share nonpublic personal information (pertaining to joint marketing), the categories of information disclosed, and the categories of third parties with which the institution has contracted; (4) Where applicable, an explanation of the consumer’s right under section l.10(a) to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties and the methods by which the consumer may opt out; (5) Disclosures made under section 603(d)(2)(A)(iii) of the FCRA (pertaining to the ability to opt out of certain sharing with affiliates) and the applicable opt-out notice; (6) The institution’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; and (7) Where applicable, a statement that the institution discloses nonpublic personal information to nonaffiliated third parties pursuant to the section l.14 and l.15 exceptions. The privacy rule does not prescribe any specific format or standardized wording for these notices. Instead, institutions may design their own notices based on their individual practices provided they comply with the law and meet the ‘‘clear and conspicuous’’ standard in the statute and the privacy rule.12 The Appendix to the privacy rule contains model language (Sample Clauses) that 11 15 U.S.C. 1681a(d)(2)(A)(iii) (FCRA); 15 U.S.C. 6803(c)(4) (GLB Act). 12 15 U.S.C. 6802, 6803; privacy rule, section l.3(b), SEC 248.3(c). PO 00000 Frm 00005 Fmt 4701 Sfmt 4702 14943 institutions may use in privacy notices to satisfy the privacy rule. Financial institutions first were required to distribute privacy notices to their customers by July 1, 2001.13 Many privacy notices in the initial effort were long and complex. In addition, because the privacy rule allows institutions flexibility in designing their privacy notices, notices have been formatted in various ways and as a result have been difficult to compare, even among financial institutions with identical privacy policies. In response to broad-based concerns expressed by representatives of financial institutions, consumers, privacy advocates, and members of Congress, the Agencies conducted a workshop in December 2001 to provide a forum to consider how financial institutions could provide more useful privacy notices to consumers.14 The workshop featured panel presentations by financial institutions, consumer advocates, and communications experts, and highlighted key communication principles to improve the notices. A number of institutions, particularly those with complex information-sharing practices, described the challenges they faced in explaining their practices and the choices available to consumers in a simple fashion while meeting all of the legal requirements for notice. Some institutions described results of consumer testing and their efforts to make privacy notices clearer and more useful to consumers. On December 30, 2003, the Agencies published an Advance Notice of Proposed Rulemaking to Consider Alternative Forms of Privacy Notices under the Gramm-Leach-Bliley Act 15 (ANPR) to solicit comment on a wide range of issues related to improving privacy notices. The Agencies sought, for example, comment on issues associated with the format, elements, and language used in privacy notices that would make the notices more accessible, readable, and useful, and whether to develop a model privacy notice that would be short and simple. The Agencies also solicited examples of 13 The CFTC was added by Section 5g of the Commodity Exchange Act, 7 U.S.C. 7b-2 (as amended by the Commodity Futures Modernization Act of 2000), on December 21, 2000, and privacy notices were required to be delivered to consumers by March 31, 2002. 14 Get Noticed: Writing Effective Financial Privacy Notices, Interagency Public Workshop (Dec. 4, 2001), workshop transcripts and other supporting documents are available at https://www.ftc.gov/bcp/ workshops/glb/. 15 See Interagency Proposal to Consider Alternative Forms of Privacy Notices Under the Gramm-Leach-Bliley Act, 68 FR 75164 (Dec. 30, 2003), available at https://www.ftc.gov/os/2003/12/ 031223anprfinalglbnotices.pdf. E:\FR\FM\29MRP2.SGM 29MRP2 14944 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules forms, model clauses, and other information, such as applicable research that has been conducted in this area. The ANPR stated that the Agencies expected that consumer testing would be a key component in the development of any specific proposals. During January and February 2004, the Agencies met with a number of interested groups and individuals to discuss the issues raised in the ANPR.16 The Agencies received forty-four comments in response to the ANPR.17 While commenters expressed a variety of views on the questions posed in the ANPR, many commenters agreed that the Agencies should conduct consumer testing before proposing any alternative privacy notice. rwilkins on PROD1PC63 with PROPOSALS B. The Interagency Notice Project In the summer of 2004, six Agencies 18 agreed to launch a project to fund consumer research (Notice Project). Their goals were to identify barriers to consumer understanding of current privacy notices and to develop an alternative privacy notice, or elements of a notice, that consumers could more easily use and understand compared to current notices. When the Agencies initiated this project, they contemplated conducting the consumer research in two sequential phases. The first phase was designed as qualitative testing, that is, form development research. This research involved a series of in-depth individual consumer interviews to develop an alternative privacy notice that would be easier for consumers to use and understand. The second phase was designed as quantitative testing, to test the effectiveness of the alternative privacy notice developed in phase one among a larger number of consumers. The first phase has been completed and resulted in the model notice we are proposing for comment today. The Agencies expect to conduct the second phase of testing after receipt of comments in response to this proposal.19 In September 2004, the six Agencies selected Kleimann Communication Group, Inc. (Kleimann) as their contractor for the phase one form development research. The research objectives of the Notice Project included 16 Summaries of the outside meetings are available at https://www.ftc.gov/privacy/ privacyinitiatives/financial_rule_inrp.html. 17 Public comments to the ANPR are available at https://www.ftc.gov/privacy/privacyinitiatives/ financial_rule_inrp.html. 18 The six Agencies are the Board, FDIC, FTC, NCUA, OCC, and SEC. Information related to the Notice Project can be found at https://www.ftc.gov/ privacy/privacyinitiatives/financial_rule_inrp.html. 19 OTS has joined the Notice Project for the phase two research. VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 designing a privacy notice that consumers could understand and use, that facilitated comparison of sharing practices and policies across privacy notices, and that addressed all relevant legal requirements of the GLB Act and FCRA. At the outset of the research, the Agencies considered a range of possible options for the notice, including a short notice, a layered approach (highlighting key information upfront), as well as a longer fully-compliant notice. The Agencies limited the project to paperbased notices, reasoning that a successful paper notice could be readily adapted to another medium such as the Internet. The Agencies used a readable font 20 and, in order not to confound the research findings on comprehension by introducing too many variables into the test notice, expressly did not use color, logos, or other graphical designs in the test notices. Instead, the Agencies focused on formulating and testing content that consumers could understand and use in order to develop a short, simplified privacy notice that met the research objectives. The form development phase culminated in an extensive research report released by the Agencies in March 2006. Prepared by Kleimann, ‘‘Evolution of a Prototype Financial Privacy Notice,’’ details the process by which the Agencies and Kleimann developed an alternative privacy notice.21 As explained more fully in the Kleimann Report, over a one-year period, Kleimann conducted two focus groups followed by a series of 46 indepth, individual interviews, conducted sequentially at seven sites around the country. The interviews tested consumers on their ability to comprehend, use, and compare notices based on variations in vocabulary, ordering of content, and format. The structure, content, ordering of the text information, and title of the proposed model form all reflect the research findings in the qualitative consumer testing. The Agencies now are proposing the model privacy notice produced in the form development phase with some minor revisions (the proposed model form) for comment in accordance with the Regulatory Relief Act. The Agencies contemplate that the safe harbor for the proposed model form will be effective upon publication of the final rule in order to permit institutions that elect to use the form to do so immediately. The Agencies recognize that institutions may post their privacy notices on their Internet sites, as well as deliver paper or email versions to their customers. The Agencies contemplate that institutions that post a pdf version of the proposed model privacy form may obtain a safe harbor, but are requesting comment on whether to develop a Web-based design for financial institutions to use on their Internet sites, including comment on particular design and/or technical considerations. The Agencies believe that the proposed model form meets all the requirements of the Act and is easier to understand than most privacy notices currently being disseminated. The following section describes the proposed model form and highlights some key research findings. For more detailed information on the research methodology and the form development process, commenters are encouraged to review the full Kleimann Report. The Agencies also are proposing instructions on how institutions may obtain a safe harbor by using the proposed model form, including an explanation of aspects of the form that may and may not be varied.22 Institutions would not be able to vary content or format, other than as described in this proposal, to take advantage of the safe harbor. Moreover, institutions would not be able to include any other information in the proposed model form nor incorporate this model form into any other document. 20 The text of the prototype notice is in 10 point BK Avenir Book font. 21 See Kleimann Communication Group, Inc., Evolution of a Prototype Financial Privacy Notice: A Report on the Form Development Project (Feb. 28, 2006) (Kleimann Report). For a copy of the full report, go to https://www.ftc.gov/privacy/ privacyinitiatives/ftcfinalreport060228.pdf. For the executive summary, go to https://www.ftc.gov/ privacy/privacyinitiatives/ FTCFinalReportExecutiveSummary.pdf. 22 While the model form would provide a safe harbor, institutions could continue to use other types of notices that vary from the model form so long as these notices comply with the privacy rule. For example, an institution could continue to use a simplified notice as described in section l.6(c)(5) (NCUA 716.6(e)(5)) of the privacy rule if it does not have affiliates and does not intend to share nonpublic personal information with nonaffiliated third parties outside of the exceptions provided in sections l.14 and l.15. PO 00000 Frm 00006 Fmt 4701 Sfmt 4702 II. The Proposed Model Form A. The Structure The proposed model form has either two or three pages, depending on whether the financial institution provides an opt-out. While the research showed that page one alone was adequate for comprehension and usability, page one together with page two address the legal requirements of applicable Federal financial privacy laws and increase consumer comprehension. Each of the pages of the model form is printed separately and E:\FR\FM\29MRP2.SGM 29MRP2 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules only on one side of an 8.5 by 11 inch piece of paper because, during testing, consumers expressed a preference for the model which allowed them to view the information on pages one and two side-by-side.23 The proposed model form in Appendix A is designed to be customized by each financial institution that elects to use it by inserting, for example, the institution’s name, contact information, and information about affiliates, nonaffiliates, or joint marketing partners, if any, with which it shares personal information. In addition, the disclosure table requires rwilkins on PROD1PC63 with PROPOSALS 23 The proposed model form has the opt-out options and instructions on a separate page. Staff of certain of the Agencies issued Frequently Asked Questions in December 2001 (Privacy FAQs), stating that a consumer should be able to detach a mail-in opt-out form from a privacy notice without removing text from the privacy policy. Otherwise, the institution may violate section l.9(e) of the privacy rule, which requires that a privacy policy must be provided in such a way that a customer can retain the text of the notices or obtain them later. See F.4 of the Privacy FAQs, available at https:// www.ftc.gov/privacy/glbact/glb-faq.htm. VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 that each institution complete the responses in each of the boxes provided in a manner that accurately reflects its information sharing policies and practices. Below is one example of a completed model form for a fictional financial institution, Neptune, whose privacy policy provides for broad sharing in a manner that triggers consumer opt-out rights. For comparison, a second example is also provided for another fictional institution, Mars, whose privacy policy limits sharing and does not trigger consumer opt-out rights. Each of these institutions uses and shares personal information in different ways; thus, their responses in the disclosure table vary, as do the descriptions of their affiliates, nonaffiliates, or joint marketing partners in the definition section.24 Importantly, 24 The Agencies understand that many consumers are not familiar with institutions’ information sharing practices. During the Notice Project’s initial research, some consumers expressed concern about financial institutions changing their practices and PO 00000 Frm 00007 Fmt 4701 Sfmt 4702 14945 since Mars does not share in a way that triggers an opt-out, the opt-out form (page 3 of the proposed model form) is not required and so is not included in the Mars notice. Thus, not every institution subject to the privacy rule will have to provide page three of the model form; only those institutions whose privacy practices require delivery of an opt-out notice or those institutions that choose to provide opt-outs beyond those required by law. policies without adequately informing consumers about such changes. A few consumers suggested that, at a minimum, the notices should be dated to reflect the most recent revision so consumers would know when the notice was last changed and could more easily identify the most recent policy statement. Changes to an institution’s policy may be reflected in a revised notice under section l.8 of the privacy rule or in an annual notice. Some institutions highlight changes to their privacy notices in some distinctive way, so that consumers can readily identify the change. As discussed later in Section V, the Agencies invite comment on whether financial institutions should be required to alert consumers to changes in an institution’s privacy practices as part of the proposed model form. E:\FR\FM\29MRP2.SGM 29MRP2 14946 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 PO 00000 Frm 00008 Fmt 4701 Sfmt 4725 E:\FR\FM\29MRP2.SGM 29MRP2 EP29MR07.000</GPH> rwilkins on PROD1PC63 with PROPOSALS Example 1. Neptune Model Privacy Form VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 PO 00000 Frm 00009 Fmt 4701 Sfmt 4725 E:\FR\FM\29MRP2.SGM 29MRP2 14947 EP29MR07.001</GPH> rwilkins on PROD1PC63 with PROPOSALS Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules VerDate Aug<31>2005 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules 19:04 Mar 28, 2007 Jkt 211001 PO 00000 Frm 00010 Fmt 4701 Sfmt 4725 E:\FR\FM\29MRP2.SGM 29MRP2 EP29MR07.002</GPH> rwilkins on PROD1PC63 with PROPOSALS 14948 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules 14949 VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 PO 00000 Frm 00011 Fmt 4701 Sfmt 4725 E:\FR\FM\29MRP2.SGM 29MRP2 EP29MR07.003</GPH> rwilkins on PROD1PC63 with PROPOSALS Example 2. Mars Model Privacy Form VerDate Aug<31>2005 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules 19:04 Mar 28, 2007 Jkt 211001 PO 00000 Frm 00012 Fmt 4701 Sfmt 4725 E:\FR\FM\29MRP2.SGM 29MRP2 EP29MR07.004</GPH> rwilkins on PROD1PC63 with PROPOSALS 14950 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules 14951 Example 3. Illustration of Type Size for the Various Elements of the Model Form 25 Page one of the proposed model form has four parts: (1) The title; (2) an introductory section called the ‘‘key frame,’’ which provides context to help the consumer better understand the required disclosures; (3) a table that describes the types of sharing Federal law allows, which of those types of sharing the institution actually does, and whether the consumer can opt out of any type of the institution’s sharing; and (4) the institution’s contact information. The research showed that the title, ‘‘FACTS What Does [name of financial 25 See infra note and accompanying text. This illustration displays the font sizes of the various elements in the model form. VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 PO 00000 Frm 00013 Fmt 4701 Sfmt 4702 E:\FR\FM\29MRP2.SGM 29MRP2 EP29MR07.005</GPH> rwilkins on PROD1PC63 with PROPOSALS B. Page One—Background Information and the Disclosure Table 14952 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules rwilkins on PROD1PC63 with PROPOSALS institution] Do With Your Personal Information,’’ is more likely to catch consumers’ attention so they will read the notice. The title can be used by all institutions regardless of their information sharing practices. The ‘‘key frame,’’ with its three short headings—Why, What, and How—is included because the research showed that, unless consumers have some basic facts about information sharing, they are less likely to understand why they are receiving a privacy notice and what to do with one. The ‘‘Why’’ box tells consumers that Federal law requires that the financial institution send the notice. The ‘‘What’’ box explains the types of personal information financial institutions collect and share.26 The ‘‘How’’ box explains that some information sharing is necessary for all institutions in order to provide the products and services that consumers request. It also briefly explains what information consumers will find in the disclosure table below. The research found that these particular headings and the bulleted explanations enhanced consumers’ understanding of the purpose of the notice, enabled them to make an informed decision about the use of their personal information, and aided their overall comprehension. The disclosure table at the bottom of page one provides information about the financial institution’s sharing practices. The research found that this table is the ‘‘heart’’ of the proposed model form, ‘‘enabl[ing] consumers to understand the details of their financial institution’s sharing practices in the context of how other financial institutions can share. It is critical for comprehension and comparability.’’ 27 The table is featured on page one because it is one of the most important elements of the model form. Key research findings were that providing this information in a table form greatly increased consumers’ ability to readily identify and understand an institution’s sharing practices and what, if any, choices they 26 The Agencies recognize that some financial institutions may not collect each type of information described in the ‘‘What’’ box. As reflected in the introductory clause, which states that the ‘‘information [collected] can include * * *,’’ the standardized terms are designed to reflect the range of information typically collected by financial institutions required to provide privacy notices under the GLB Act and FCRA, rather than the specific information collected by each particular institution, and therefore, are not to be modified to reflect an institution’s particular practices. The SEC’s model privacy form reflects modified terms in the ‘‘What’’ box that are intended to include the range of information typically collected by brokers, dealers, investment advisers registered with the Commission, and investment companies. 27 See Kleimann Report, supra note , at v and 7. VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 had to limit any of that sharing, and easily compare these practices and choices among institutions. The Agencies asked Kleimann to develop and test a ‘‘prose’’ version describing information sharing practices since such a format would be more comparable to notices currently used by financial institutions. However, the research found that the table design of the proposed model form outperformed the prose design on a variety of measures, including comprehension, comparability, and usability.28 The disclosure table includes a description of the possible types of sharing and uses of personal information and the associated opt-out choices that must be disclosed. The optout disclosures are required under: (1) Section 502(b) of the GLB Act (regarding certain sharing with nonaffiliated third parties); (2) section 603(d)(2)(A) of the FCRA (regarding sharing of creditworthiness and credit report information among affiliates); and (3) section 624 of the FCRA, as added by section 214 of the Fair and Accurate Credit Transactions Act of 2003 (Fact Act), 15 U.S.C. 1681s–3 (use of that information for marketing).29 The table provides important context about what information sharing a financial institution actually does relative to what it could do. The research showed that the table, with its standardized content, facilitates easy comparison of information sharing practices among different institutions. The structure of the disclosure table and the reasons for sharing are designed to be consistent for all financial institutions.30 The 28 See id. at 185, 215, 256. L. 108–159, 117 Stat. 1952. Section 624 provides that information that may be shared among affiliates—including transaction and experience information and certain creditworthiness information—cannot be used for marketing purposes unless the consumer has received a notice of such use and an opportunity to opt out, and the consumer does not opt out. The Agencies have included language pertaining to this affiliate marketing provision and the related opt-out on the notice developed in the consumer research in response to comments to the ANPR. While the Agencies have not yet issued a final regulation implementing this provision of the FACT Act, they are coordinating this rulemaking with the affiliate marketing rulemaking to ensure that language addressing the section 624 opt-out as incorporated in this model form (when finalized) would be deemed to comply with the affiliate marketing rule. Institutions would not be required to include reference to this provision until a final rule for section 624 is issued and becomes effective, and only in the event that institutions choose to consolidate the 624 notice and opt-out with the GLB Act privacy notice. 30 The reasons for sharing are grouped into three main categories. The first three reasons describe what financial institutions do with their consumers’ personal information. The next three reasons describe what a financial institution’s affiliates do with that information. The last reason describes 29 Pub. PO 00000 Frm 00014 Fmt 4701 Sfmt 4702 institution-specific information lies in the answers to the questions within each of the boxes. Accordingly, even if a financial institution does not share for one of the reasons listed in the table (for example, it has no affiliates and therefore does not share with affiliates), the institution could not exclude that reason from the table, but would answer ‘‘No’’ under ‘‘Does [name of financial institution] share?’’ The language used in the disclosure table is based on Kleimann’s research. The simplified phrases describing information sharing practices were continually refined through the consumer testing process to allow consumers to better understand the information sharing and use possibilities. The laws governing the disclosure of consumers’ personal information are not easily translated into short, comprehensible phrases that are also legally precise. Thus, the table in some cases uses more easily understandable short-hand terms to describe sharing practices required to be in the notice. For example, the table uses the term ‘‘everyday business purposes’’ to describe the sharing contemplated by the exceptions in sections l.14 and l.15 of the privacy rule, which does not trigger opt-out rights. The research found that consumers understood that ‘‘everyday business purposes’’ means that companies must share in some basic ways in order to provide the financial products or services that consumers request. The table also speaks in terms of the institution’s own ‘‘marketing purposes’’ to capture the idea that nearly all, if not all, financial institutions share information in connection with marketing their own products and services to their customers (for example, with a service provider such as a bulk mailer or data processor) in a manner that does not trigger an optout right. With respect to the reasons for information sharing among affiliated companies that track the FCRA provisions 31 (the sharing of ‘‘transaction and experience information’’ and the sharing of ‘‘other information’’), the disclosure table uses ‘‘Information about your creditworthiness’’ as a short-hand term for the statutory term ‘‘other information.’’ The institution’s contact information appears at the bottom of page one in what nonaffiliated companies may do with the personal information, other than acting as a service provider to or acting jointly with the financial institution (that is, outside the exceptions provided in sections l.13, l.14, and l.15). This generally means marketing by the nonaffiliated company. 31 See section 603(d)(2)(A) of the FCRA. E:\FR\FM\29MRP2.SGM 29MRP2 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules response to consumers’ preferences expressed during testing. C. Page Two—Supplemental Information The second page provides additional explanatory information that, in combination with page one, ensures that the notice includes all elements described in the GLB Act as implemented by the privacy rule. There is supplemental information in the form of Frequently Asked Questions (FAQs) 32 at the top and definitions below.33 The research showed that although consumers generally understood the concepts of certain technical words, they found that the four definitions on page two provided helpful additional information that further clarified the nature and type of information sharing by a financial institution. Some of the definitions include institution-specific information required by the GLB Act. For example, an institution that has affiliates must identify the categories of its affiliates after the definition. Likewise, an institution that has no affiliates can explain after the definition that it does not have affiliates. Examples of institution-specific information are shown for the last three definitions in the italicized print in both the Neptune and Mars forms. Thus, Neptune has affiliates with which it shares certain information and, under the definition of ‘‘affiliates,’’ Neptune includes information in italics that describes the categories of its affiliates. Since Mars has no affiliates, the Mars form states ‘‘Mars has no affiliates.’’ rwilkins on PROD1PC63 with PROPOSALS D. Page Three—The Opt-Out Form The third page provides an opt-out form, for use by those financial institutions that share in a manner that triggers consumer opt-out rights under the GLB Act or FCRA (see the proposed model privacy form in Appendix A and the Neptune form). Institutions using the proposed model form must include page three in their notices only if they 32 Note that financial institutions should insert their names as indicated in the first three questions in this section. 33 The FAQ box regarding sources of information does not permit a financial institution to customize the sources of information it collects. As with the standardized terms describing information the institution collects on page one, see supra note , the disclosure is intended to include the range of information sources typically used by institutions subject to the GLB Act and FCRA rather than the information sources used by each particular institution. The SEC’s model form reflects additional terms in this box that are intended to include the range of sources of information typically used by brokers, dealers, investment advisers registered with the Commission, and investment companies. VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 (1) share or use information in a manner that triggers an opt-out, or (2) choose to provide opt-outs beyond what is required by law. The opt-out page lists three common methods for opting out—by telephone, on the Web, and by mail—and summarizes the opt-out choices available to the consumer in a clear and easy-to-read format that the research found consumers appreciated. Financial institutions that provide opt-out forms are not required to provide all the optout choices and methods described in the Neptune opt-out form. The Agencies expect that institutions may need to tailor the opt-out page to reflect accurately the institution’s particular practices.34 The model form, for example, includes information for the customer’s account number as a means of identifying both the customer and account to which the opt-out should apply. Institutions requiring consumers with multiple account numbers to list each account number to which the optout should apply should modify that portion of the form. Institutions requiring information other than an account number should modify that portion of the form. Institutions that allow more than 30 days from issuing the notice may insert that time period in place of the number ‘‘30’’. The proposed rule accordingly provides instructions explaining permissible variations to page three of the Neptune notice. E. Additional Opt-Outs in the Model Form The third column in the disclosure table in the proposed model form is intended to provide flexibility for financial institutions to include additional opt-out choices that are not required by Federal law. For example, a financial institution may give its customers the opportunity to limit sharing for joint marketing. In that case, the financial institution would answer the question ‘‘Can you limit this sharing?’’ in the far right column with ‘‘Yes (Check your choices, p. 3)’’ and would describe the additional opt-out choice on its opt-out form, for example by stating, ‘‘Do not share my personal 34 See note 29. For institutions that choose to consolidate the 624 notice into the model form and offer this opt-out, the italicized language accompanying the affiliate sharing opt-out choice on page three of the proposed model form is required only if an institution wants to limit the time of the opt-out period, with 5 years the minimum opt-out period required by the statute. Where an institution elects to limit the time period for which the opt-out is effective, it should look to the Agencies’ affiliate marketing rule for guidance on the manner and form in which to provide any additional notice that would effectively permit a consumer to renew or extend the opt-out period. PO 00000 Frm 00015 Fmt 4701 Sfmt 4702 14953 information with other financial institutions to jointly market to me.’’ Likewise, if a financial institution wanted to offer its customers the opportunity to opt out of its own marketing, it could provide for that option by answering ‘‘Yes’’ in the appropriate box of the disclosure table and by describing the opt-out choice on the opt-out form, for example by stating ‘‘Do not share [or use] my personal information to market to me.’’ To obtain the safe harbor for use of the proposed model form, an institution that uses the disclosure table to show any additional opt-out choice must include the opt-out form on page three to provide consumers with a method for opting out. The Agencies specifically invite comment on other opt-outs that financial institutions may provide, and on whether the Agencies should provide model language based on the opt-out provisions provided in the proposed model form. F. Appearance of the Model Form In addition to the requirements that the proposed model form be comprehensible, clear and conspicuous, and allow for easy comparison of privacy practices among financial institutions, the law requires that the model form use an easily readable type font. The prototype notice developed in the Agencies’ phase one research and shown here as the proposed model form, reflects consideration of a number of typographical factors in the design.35 Type size, type style, leading, x-height, serif versus sans serif,36 upper and lower case type, along with the page layout—all play an important role in designing a typeface that is highly readable. Consumers who saw the prototype notice during the research process commented on how easy the type was to see and read.37 35 The prototype notice developed in the consumer research is 10 on 12 BK Avenir Book. The ‘‘10 on 12’’ means that the font size is 10 points, and the leading (that is, the additional space between the lines of type) is 2 points of spacing. 36 Serif typeface has small strokes at the ends of the lines that form each letter. Sans serif typeface does not have those small strokes. 37 Example 3 in this proposal illustrates the different font sizes used in the prototype notice for the title, headings, and key text. Thus, the word ‘‘FACTS’’ in the title is in 17-point type; the remainder of the title is in 11-point; the Why, Why, How, and Contact Us headings are in 14 point; the headings in the disclosure table, the reasons in the left column of the disclosure table, and the questions in the left column of the FAQs are in 10.5-point; and the text in the body of the form is in 10-point. This information shows the relative sizes of the various elements of the prototype and is intended only as a guide (and not a requirement) to those institutions that elect to use the proposed model form so that they can design the key E:\FR\FM\29MRP2.SGM Continued 29MRP2 14954 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules All of these factors together affect the readability of a document. Therefore, in considering these various factors for the design of an easily readable type font, the Agencies are proposing 10-point font as the minimum type size and sufficient spacing between the lines of type (leading). The Agencies are further providing general guidance on type styles. Type size: The readability of type size is highly dependent on the selection of the type style. Some styles in 10-point font are more readable than others in 12point font and appear larger because of their design. Accordingly, the Agencies are proposing 10-point type size as the minimum size for use on the model form. Leading: Leading is the spacing between lines of type, measured in points. If the line spacing is too narrow, the type is hard to read. In such a case, the ascenders (such as the upward line in the letter ‘‘h’’) and descenders (such as the downward line in a ‘‘g’’) may touch, blending the lines of type and making it much harder to distinguish the letters on the page. Research on the legibility of typography indicates that people read faster when text is set with 1 to 4 points of leading.38 The Agencies are proposing a requirement that the leading used allow for sufficient spacing between the lines, but are not mandating a specific amount. Nevertheless, the Agencies are providing these general recommendations for use with the model form: 10- or 11-point type should have between 1 and 3 points of leading. Twelve-point type should have between 2 and 4 points of leading.39 Type style and ‘‘x’’-height: Experts differ on the question of the most desirable type style. The model form uses both sans serif and ‘‘monoweight’’ type, and upper and lower case lettering in the body of the form. While much of the printed material in the United States and western Europe uses serif styles, Web designers are increasingly using sans serif type, as they have found that serif type is harder to read in this new medium. These changes in Web design are also beginning to affect font styles in printed materials. Accordingly, some typography designers are now using sans serif typefaces, as well as type with a uniform thickness throughout the letter (monoweight typeface), finding such typefaces easier to read than those with variable thickness. While a variety of type styles would be suitable for the model notice, the Agencies caution that institutions that use idiosyncratic fonts or highly stylized typefaces will not meet the model form safe harbor standard. Larger x-height 40 makes a font appear larger and thus more readable, and fonts with larger x-heights are better for smaller text. Research shows that our eyes ‘‘scan the top of the letters’’ xheights during the normal reading process, so that is where the primary identification of each letter takes place.’’ 41 Generally, a font with an xheight ratio of around .66 is easier to read.42 The Agencies are not mandating a particular type style or x-height in order for a financial institution to obtain a safe harbor. Nevertheless, based on the research, the Agencies are providing these general guidelines for type style in the model form: For typefaces with a smaller x-height, 11- or 12-point font should be used; for typefaces with a larger x-height, a 10-point font would be sufficient.43 Fonts that satisfy the type style and x-height guidelines for the proposed model form include sans serif fonts such as Tahoma, Century Gothic, Myriad, Avant Garde, Bk Avenir Book, ITS Franklin Gothic, Arial, and Gill Sans, and serif fonts such as the Chaparral Pro Family, Minion Pro, Garamond, Monotype Bodoni, and Monotype Century.44 For ease of reference, the following table summarizes the recommendations discussed here for institutions that choose to use the model form and obtain the safe harbor. If Then use And use And use font with Font is 10-point ............... Font is 11-point ............... 1–3 points leading ......... 1–3 points leading ......... Monoweight typeface ........... Monoweight typeface ........... Font is 12-point ............... 2–4 points leading ......... Monoweight or variable typeface. Large x-height sans serif (around .66 ratio). Smaller x-height is acceptable; either serif or sans serif (less than .66 ratio is acceptable). Smaller x-height is acceptable; either serif or sans serif (less than .66 ratio is acceptable). G. Printing, Logos, and Color rwilkins on PROD1PC63 with PROPOSALS The Agencies recognize that financial institutions have a strong interest in ensuring that documents they provide to the public have a distinctive look that may be readily recognized by consumers. Thus, a financial institution that uses the proposed model form may include its corporate logo on any of the pages, so long as the logo design does not interfere with the readability of the model form or space constraints of each page. elements, such as the headings and title, larger than the 10-point font size in the text. 38 Karen A. Schriver, Dynamics In Document Design, 274 (1997). 39 Id. at 262; see also James Hartley, Designing Instructional Text (1994); and Barbara Chaparro et al., Reading Online Text: A Comparison of Four White Space Layouts, 6(2) (2004). VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 The model form used in the consumer testing was printed on 8.5 by 11 inch non-glossy paper, using varying shades of black ink to achieve the black and gray tones in the published prototype. The Agencies propose printing each page of the model form on one side of an 8.5 by 11 inch piece of paper so that each page of the model form can be viewed simultaneously. The Agencies seek comment on other formats that may achieve the readability and ease of use preferred by consumers. The Agencies propose that institutions using the model form use white or light color paper (such as cream) with black or suitable contrasting color ink. Spot color is permitted to achieve visual interest to the model form, so long as the color contrast is distinctive and the color does not detract from the form’s readability. The Agencies seek comment on whether, how, and to what extent institutions that elect to use the model form will use logos and/or color. 40 The ‘‘x-height’’ is the height of the lower-case ‘‘x’’ in relation to full height letters, such as a capital G. X-height is critical to type legibility. 41 Erik Spiekermann & E.M. Ginger, Stop Stealing Sheep & Find Out How Type Works, 93 (1993). 42 See, e.g., Hewlett-Packard Corporation, Panose Classification Metrics Guide (2006), available at https://www.monotypeimaging.com/ productsservices/pan2.aspx. 43 See Schriver, supra note at 264; see also pp. 258–59. 44 A number of these font styles, including Arial, Tahoma, Century Gothic, Garamond, and Bodoni, are preloaded on commonly used operating systems with most new personal computers. The other font styles are commercially available as well. PO 00000 Frm 00016 Fmt 4701 Sfmt 4702 E:\FR\FM\29MRP2.SGM 29MRP2 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules rwilkins on PROD1PC63 with PROPOSALS III. The Sample Clauses The proposed model form is a standardized notice that would replace the Sample Clauses currently found in Appendix A of the privacy rule. It could be used by a financial institution at its option to comply with requirements for a clear and conspicuous privacy notice that meets the content requirements in sections l.6 and l.7 of the privacy rule.45 Research to date indicates that the language in the Sample Clauses is confusing, and accordingly, the Agencies propose to eliminate the Sample Clauses from the privacy rule. However, to ease the compliance burden for those institutions that currently have privacy notices based on the Sample Clauses, the Agencies are proposing a transition period of one year after which financial institutions would no longer obtain a safe harbor by using the sample clauses. Privacy notices using the Sample Clauses that are delivered to consumers (either in paper form or by electronic delivery such as email) or, alternatively, are posted electronically to meet the annual notice requirement of section l.9(c), would have a safe harbor for one year. Privacy notices using the Sample Clauses that are delivered or posted electronically after the one-year transition period would no longer obtain the safe harbor. Since institutions are required to send notices annually to their customers, annual notices that are delivered to consumers (either in paper form or by electronic delivery such as email) within the transition period would continue to get the safe harbor until the next annual privacy notice is due one year later.46 The Sample Clauses would be rescinded one year after the transition period ends. The Agencies note that the SEC’s privacy rule does not provide a safe harbor for financial institutions that use the Sample Clauses. Rather, the Sample Clauses provide guidance concerning the SEC privacy rule’s application in ordinary circumstances.47 Consistent 45 The Agencies are also proposing conforming amendments to sections l.2, l.6, and l.7 of the privacy rule and to the Appendix. 46 For example, if an institution provides a notice using the Sample Clauses on day 361 after the effective date of the rule, it would continue to have the safe harbor for one year until its next annual notice is due. If an institution provides a notice using the Sample Clauses on day 369 after the effective date of the rule, it would not obtain the safe harbor. Privacy notices using the Sample Clauses posted on an institution’s Web site to meet the annual notice requirements of section l.9(c) would no longer get the safe harbor beginning one year after the final rule becomes effective. 47 See SEC privacy rule, section 248.2(a). The facts and circumstances of each individual situation determine whether use of the Sample Clauses constitutes compliance with the SEC’s privacy rule. VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 with this proposal, the SEC proposes that one year after the end of the transition period, the Sample Clauses would be rescinded and no longer provide guidance regarding the rule’s application to financial institutions subject to the SEC’s privacy rule. IV. Proposed Effective Dates The provisions of the final rule will be effective [DATE OF PUBLICATION OF THE FINAL RULE], with the following exceptions: Sec. l.6, paragraph (g) will be effective [DATE OF PUBLICATION OF THE FINAL RULE] until [DATE 2 YEARS AFTER PUBLICATION OF THE FINAL RULE]. Newly redesignated Appendix B will be effective [DATE OF PUBLICATION OF THE FINAL RULE] until [DATE 2 YEARS AFTER PUBLICATION OF THE FINAL RULE]. 14955 modifications that could be made to page one and/or page three in accordance with legal requirements and the intent to keep the table on the first page of the form. 4. The extent to which financial institutions intend to incorporate the FCRA section 624 disclosure and optout for affiliate marketing in the model form, with an explanation of why or why not, and the time period they may offer to consumers for the opt-out period. 5. Whether financial institutions should be required to alert consumers to changes in an institution’s privacy practices as part of the model form. B. Format of the Model Form 1. Whether each page of the proposed model form should be required to be on a separate piece of paper or whether another format could also allow consumers to readily see all the V. Request for Comments information in the model form at the The Agencies seek comment on all same time. aspects of the proposed model form. 2. Whether the guidance on easily The Agencies also invite commenters to readable type font in the instructions is submit any additional consumer helpful and/or sufficient for institutions research that may inform the statutory that use the proposed model form. requirements. Commenters proposing 3. What size paper would be alternative model notices or elements of appropriate for the model form while a notice should submit any available conforming to the guidance for easily supporting consumer research and readable type font and layout. 4. Whether financial institutions want documentation demonstrating that these to use color and/or logos on the alternatives meet the statutory proposed model form, and the manner requirements. The Agencies expect to and extent to which they would use do additional testing before finalizing a them without conflicting with model form. We solicit comment on readability of the form and space particular approaches to consumer requirements. testing for the Agencies to consider. The Agencies particularly seek C. Additional Information comment on the following issues: 1. The extent to which financial A. Content of the Model Form institutions subject to the GLB Act are 1. Whether a commenter believes likely to use the proposed model form, particular aspects of the form are not including a detailed explanation of why clear and conspicuous or the commenter does or does not expect comprehensible; and, if so, identify financial institutions to use the form. 2. Particular approaches to additional those aspects and explain in detail the consumer testing of the model form that basis for that conclusion. 2. Whether financial institutions can the Agencies should consider. 3. The proposal to replace the Sample accurately disclose their information Clauses with the proposed model form, sharing practices by using the standardized provisions and vocabulary including—(1) the transition period after which use of these clauses no in the proposed model form, including longer qualifies for a safe harbor, or, for whether the proposed disclosure table institutions subject to the SEC’s privacy provides a financial institution with rule, guidance concerning the rule’s sufficient flexibility to disclose its sharing practices, or any additional opt- application and (2) whether the Agencies should retain Sample Clauses outs it offers, including a detailed A–1, A–3, and A–7, or develop model explanation of why or why not. 3. The extent to which modifications clauses to replace those sample clauses, to the opt-out form are necessary for a for use as a safe harbor only by those financial institution to describe its institutions that provide the simplified information practices accurately, notice described in section l.6(c)(5) facilitate consumer use of the opt-out (NCUA 716.6(e)(5)) of the privacy rule. 4. Whether the Agencies should form, or offer additional opt-outs, develop a Web-based design for those including an explanation of the PO 00000 Frm 00017 Fmt 4701 Sfmt 4702 E:\FR\FM\29MRP2.SGM 29MRP2 rwilkins on PROD1PC63 with PROPOSALS 14956 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules financial institutions that would like to use an electronic version of the proposed model form, and if so, whether institutions have suggestions for particular design and/or technical considerations. 5. Whether the Agencies should develop and make available on their Web sites a readily accessible and downloadable model form with ‘‘fillable’’ fields for institutions that wish to use the model form to create their own privacy notices; if so, whether institutions would use this downloadable model form; and whether it would be useful, particularly for smaller institutions that want to obtain the safe harbor. 6. Whether an SEC-regulated entity and an affiliated institution regulated by another Agency that intend to provide a joint privacy notice should be able to choose to rely on either the SEC model privacy form or the model privacy form proposed by the other Agency.48 7. The Agencies are aware that many institutions, but not all, currently request the customer to provide his or her account number or Social Security number (or other personal information, separately or in conjunction with such information) in order to opt out, whether by toll-free telephone, by electronic means such as e-mail, or by regular mail. Do institutions need that information in order to process opt-out requests, or would the customer’s name and address alone, or the customer’s name, address, and a truncated account number for a single account, be sufficient to process opt-out requests, including for customers with multiple accounts at the same institution? Should the Agencies consider omitting a line for such information on the opt-out page for the model privacy form in order to better protect customers and make it easier to opt out? Alternatively, should the opt-out page on the model form contain a line for a truncated account number or other identifying information? The SEC specifically requests the following additional comment from its regulated entities: 1. Whether the standardized provisions and vocabulary in the proposed model form for SEC-regulated financial institutions are sufficient to allow these financial institutions accurately to disclose their information sharing practices, and specifically on the terms used in: (a) the description of 48 As noted above, see supra notes 26, 33, the SEC model privacy form provides slightly modified terms on pages one and two of the model form, which include the range of information typically collected by brokers, dealers, investment advisers registered with the SEC, and investment companies. VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 the types of personal information that may be collected (in the key frame on page one), and (b) the examples of sources of information collection (in the FAQ on sharing practices on page two). The SEC requests that commenters who believe the proposed terms are not sufficient suggest alternative or additional terms that would be more accurate and explain why those terms would more accurately reflect typical information collection and sharing practices for brokers, dealers, investment advisers registered with the SEC, and investment companies. 2. Whether institutions should be able to omit certain terms that may not apply to their information collection practices or their sources of information. VI. Regulatory Flexibility Act The Regulatory Flexibility Act (‘‘RFA’’), 5 U.S.C. 601–612, requires an agency to provide an Initial Regulatory Flexibility Analysis (‘‘IRFA’’) with a proposed rule and a Final Regulatory Flexibility Analysis (‘‘FRFA’’) with the final rule, if any, unless the agency certifies that the rule would not have a significant economic impact on a substantial number of small entities. See 5 U.S.C. 603–605. Because the use of the model form issued in this proposal is optional, the Agencies do not expect that the rule will have a significant economic impact on a substantial number of small entities. However, because the statute creates a new safe harbor for institutions by replacing the Sample Clauses in the current rule, with a model form, we have determined that it is appropriate to publish the following IRFA in order to inquire into the impact of the proposed rule on small entities. A. Reasons for the Proposed Action The Agencies are issuing this proposed rule for comment because the Regulatory Relief Act specifically requires them, no later than April 11, 2007, to publish for comment a model form that financial institutions may use as a safe harbor to satisfy their notice requirements under the Agencies’ existing privacy rule. B. Objectives of, and Legal Basis for, the Proposed Action The goal of the proposed amendments is to satisfy the requirements of section 728 of the Regulatory Relief Act, which requires that the Agencies propose a model form that is comprehensible, clear and conspicuous, and succinct. The final model form that the Agencies adopt after reviewing comments would, if properly used, serve as a safe harbor for satisfying the privacy rule’s requirements regarding content of PO 00000 Frm 00018 Fmt 4701 Sfmt 4702 privacy notices. The Act also requires that the proposed model form enable consumers easily to identify a financial institution’s sharing practices and compare it with others. As indicated in Section I of this release, the amendments to Appendix A of the Agencies’ privacy rule are proposed pursuant to the authority set forth in § 503 (as amended by section 728 of the Regulatory Relief Act) and § 504 of the GLB Act.49 C. Small Entities Subject to the Proposed Rule Amendments The proposed amendments to Appendix A and conforming amendments to sections l.2, l.6, and l.7 of the Agencies’ privacy rules could potentially affect financial institutions, including financial institutions that are small businesses or small organizations, that choose to rely on the proposed model privacy form as a safe harbor. 1. OCC. The OCC estimates that 1,050 insured national banks, uninsured national banks and trust companies, and foreign branches and agencies are small entities for purpose of the Regulatory Flexibility Act. 2. Board. The Board estimates that 473 state member banks are small entities for purposes of the Regulatory Flexibility Act. 3. FDIC. The FDIC estimates that 3,302 state nonmember banks are small entities for purposes of the Regulatory Flexibility Act. 4. OTS. The OTS estimates that 429 small savings associations are small entities for purposes of the Regulatory Flexibility Act. 5. NCUA. The Regulatory Flexibility Act requires NCUA to prepare an analysis to describe any significant economic impact a regulation may have on a substantial number of small credit unions (primarily those under $10 million in assets). The NCUA estimates that 3,805 credit unions are small entities for purposes of the Regulatory Flexibility Act. 6. FTC. Determining a precise estimate of the number of small entities that are financial institutions within the meaning of the proposed rule is not readily feasible. The GLB Act does not identify for purposes of the Commission’s jurisdiction any specific 49 The SEC also is proposing the amendments under section 504 of the GLB Act [15 U.S.C. 6804], section 23 of the Securities Exchange Act of 1934 [15 U.S.C. 78w], section 38(a) of the Investment Company Act of 1940 [15 U.S.C. 80a–37(a)], and section 211 of the Investment Advisers Act of 1940 [15 U.S.C. 80b–11]. The CFTC also is proposing the amendments under Section 504 of the GLB Act [15 U.S.C. 6804], and Sections 5g and 8a(5) of the Commodity Exchange Act [7 U.S.C. 7b–2, 12a(5)]. E:\FR\FM\29MRP2.SGM 29MRP2 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules rwilkins on PROD1PC63 with PROPOSALS category of financial institution. In the absence of such information, there is no way to estimate precisely the number of affected entities that share nonpublic personal information with nonaffiliated third parties or that establish customer relationships with consumers and therefore assume greater disclosure obligations. 7. CFTC. The CFTC is unable to determine a precise estimate of its registrants that are small entities, or that would be using the model form. 8. SEC. The SEC estimates that 911 broker-dealers, 210 investment companies registered with the Commission, and 710 investment advisers registered with the Commission are small entities for purposes of the Regulatory Flexibility Act.50 Because use of the model privacy form would be entirely voluntary, the Agencies have no way to estimate how many small financial institutions would use it.51 The Agencies expect, however, that small financial institutions, particularly those that do not have permanent staff available to address compliance matters associated with the privacy rule, would be relatively more likely to rely on the model privacy form than larger institutions. We believe that most financial institutions currently have legal counsel review their privacy notices for compliance with the GLB Act, the FCRA, and the privacy rule. We believe that a financial institution that uses the model form for its privacy notice would need little, if any, review by legal counsel because the proposed regulation does not permit institutions to vary the form to obtain the benefit of a safe harbor, except as necessary to 50 For purposes of the Regulatory Flexibility Act, under the Securities Exchange Act of 1934 a small entity is a broker or dealer that (i) had total capital of less than $500,000 on the date in its prior fiscal year as of which its audited financial statements were prepared or, if not required to file audited financial statements, on the last business day of its prior fiscal year, and (ii) is not affiliated with any person that is not a small entity and is not affiliated with any person that is not a small entity. 17 CFR 240.0–1. Under the Investment Company Act of 1940, a ‘‘small entity’’ is an investment company that, together with other investment companies in the same group of related investment companies, has net assets of $50 million or less as of the end of its most recent fiscal year. 17 CFR 270.0–10. Under the Investment Advisers Act of 1940, a small entity is an investment adviser that ‘‘(i) manages less than $25 million in assets, (ii) has total assets of less than $5 million on the last day of its most recent fiscal year, and (iii) does not control, is not controlled by, and is not under common control with another investment adviser that manages $25 million or more in assets, or any person that had total assets of $5 million or more on the last day of the most recent fiscal year.’’ 17 CFR 275.0–7. 51 The Agencies have requested comment on the likelihood that financial institutions would use the model privacy form. See supra section V. VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 identify their sharing and opt-out policies. D. Reporting, Recordkeeping, and Other Compliance Requirements The proposed rule does not itself impose any additional recordkeeping, reporting, disclosure, or compliance requirements. Financial institutions, including small entities, have been required to provide notice to consumers about the institution’s privacy policies and practices since July 1, 2001 (or March 31, 2002 in the case of the CFTC). The proposed amendments would not affect these requirements and financial institutions would be under no obligation to modify their current privacy notices as a result of the proposed amendments. Instead, the amendments propose a specific model privacy form that a financial institution may use to comply with notice requirements under the GLB Act, the FCRA (as amended by the FACT Act), and the privacy rule. Nonetheless, if the proposed amendments are adopted, some of the financial institutions that rely on the Sample Clauses in the current privacy rules’ appendixes may wish to transition to the proposed model form and may incur some small, incremental costs in making this transition.52 The Agencies expect, however, that the availability of a standardized model form would offset these costs because the form’s standardized formatting and language would make it easier for institutions to prepare and revise their privacy policies. E. Duplicative, Overlapping, or Conflicting Federal Rules We believe there are no federal rules that duplicate, overlap, or conflict with the proposed amendments. In fact, the Agencies have designed the model form so that a financial institution may use it to satisfy disclosure requirements for both the GLB Act and the FCRA (as amended by the FACT Act). F. Significant Alternatives The RFA directs the Agencies to consider significant alternatives that would accomplish the stated objectives, while minimizing any significant adverse impact on small entities. In connection with the proposed amendments, we considered the following alternatives: 1. Different reporting or compliance standards. As noted above, the 52 We believe that institutions review their privacy policies annually, and the costs associated with this annual review, including professional costs, for compliance are likely to be the same as the costs to complete the proposed model form. PO 00000 Frm 00019 Fmt 4701 Sfmt 4702 14957 Regulatory Relief Act requires the Agencies to publish ‘‘a’’ model form that, among other things, will facilitate comparison of the information sharing practices of different financial institutions. In light of these statutory requirements, the Agencies are proposing only one model form, which includes alternative language in some places that allows a financial institution to accurately describe its particular information sharing practices. The specific model form that the Agencies are proposing was developed as part of a careful and thorough consumer testing process designed to produce a clear, comprehensible, and comparable notice. The proposed model form emerged as the most effective of several notice formats considered as part of this testing. Although the Agencies know of no other model privacy notice that has been developed in this manner, we are specifically inviting comments about alternative model notices or elements of notices, along with supporting research and documentation. The Agencies will carefully consider any such submissions before adopting a final model form. 2. Clarification, consolidation, or simplification of reporting and compliance requirements. The Agencies believe that the proposed model form would simplify the reporting requirements for all entities, including small entities, that choose to use the model form. We anticipate that financial institutions that choose to use the proposed model form would spend less time preparing notices than if they had to draft one on their own. Because the model form was developed as part of a consumer testing process, it is difficult for the Agencies to further clarify, consolidate, or simplify the model notice without compromising the research findings. 3. Performance rather than design standards. Section 728 of the Regulatory Relief Act specifically requires that the Agencies propose a model form. The model form is an alternative means of providing a privacy notice that institutions may choose to use. The privacy rule does not mandate the format of privacy notices; thus neither the rule nor the proposed amendment would impose a design standard. 4. Exempting small entities. We believe that an exemption for small entities would not be appropriate or desirable. The Agencies note that the model form is available for use at the discretion of all financial institutions, including small institutions. Moreover, two key objectives of the proposed model form are that (1) consumers can understand an institution’s information sharing practices and (2) they may more E:\FR\FM\29MRP2.SGM 29MRP2 14958 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules easily compare financial institutions’ sharing practices and policies across privacy notices. An exemption for small entities would directly conflict with both of these key objectives, particularly enabling comparison across notices. G. Solicitation of Comments We encourage the submission of comments with respect to any aspect of this IRFA. In particular, we request comments regarding: (i) The number of small entities that would be affected by the proposed amendments; (ii) the existence or nature of the potential impact of the proposed amendments on small entities discussed in the analysis; (iii) how to quantify the impact of the proposed amendments; and (iv) the consideration of alternatives. Commenters are asked to describe the nature of any impact and provide empirical data supporting the extent of the impact. As noted above in Section V, the Agencies specifically request comment on whether a downloadable version of the proposed model form would be useful for financial institutions, and particularly small entities that would like to take advantage of the safe harbor. All comments on this IRFA will be considered in the preparation of the Final Regulatory Flexibility Analysis, if the proposed amendments are adopted. OCC and OTS Executive Order 12866 Determination The OCC and OTS each has determined that its portion of the proposed rulemaking is not a significant regulatory action under Executive Order 12866. OCC and OTS Executive Order 13132 Determination The OCC and OTS each has determined that its portion of the proposed rulemaking does not have any federalism implications, as required by Executive Order 13132. rwilkins on PROD1PC63 with PROPOSALS VII. Paperwork Reduction Act NCUA Executive Order 13132 Determination Executive Order 13132 encourages independent regulatory agencies to consider the impact of their actions on State and local interests. In adherence to fundamental federalism principles, the NCUA, an independent regulatory agency as defined in 44 U.S.C. 3502(5) voluntarily complies with the Executive Order. The proposed rule would not have substantial direct effects on the States, on the connection between the national government and the States, or on the distribution of power and responsibilities among the various levels of government. The NCUA has determined that this proposed rule does not constitute a policy that has federalism implications for purposes of the Executive Order. The final rules governing the privacy of consumer financial information contain disclosures that are considered collections of information under the Paperwork Reduction Act (PRA, 44 U.S.C. 3501 et seq.). Before the Agencies issued their privacy rules, they obtained approval from OMB for the collections. OMB control numbers for the collections appear below. These proposed rules do not introduce any new collections of information into the Agencies’ privacy rules, nor do they amend the rules in a way that substantively modifies the collections of information that OMB has approved. Therefore, no PRA submissions to OMB are required. OCC: Control number 1557–0216. Board: Control number 7100–0294. FDIC: Control number 3064–0136. OTS: Control number 1550–0103. NCUA: Control number 3133–0163 (NCUA in separate submissions to OMB is currently in the process of requesting reinstatement, with revisions due to the decrease in the number of respondent credit unions, to this number.) FTC: Control number 3084–0121. SEC: Control number 3235–0537. CFTC: Control number 3038–0055. OCC and OTS Unfunded Mandates Reform Act of 1995 Determination Section 202 of the Unfunded Mandates Reform Act of 1995, Public Law 104–4 (Unfunded Mandates Act) requires that an agency prepare a budgetary impact statement before promulgating a rule that includes a Federal mandate that may result in expenditure by State, local, and tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year. If a budgetary impact statement is required, section 205 of the Unfunded Mandates Act also requires an agency to identify and consider a reasonable number of regulatory alternatives before promulgating a rule. However, the Unfunded Mandates Act provisions do not apply to regulations that incorporate requirements specifically set forth in law. Because this notice of proposed rulemaking is issued pursuant to section 728 of the Regulatory Relief Act, the OTS and OCC are not required to conduct an Unfunded Mandates Analysis for this rulemaking. Nevertheless, the OCC and OTS each has determined that this proposed rule will not result in expenditures by State, local, and tribal VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 PO 00000 Frm 00020 Fmt 4701 Sfmt 4702 governments, or by the private sector, of $100 million or more. Accordingly, neither the OCC nor the OTS has prepared a budgetary impact statement or specifically addressed the regulatory alternatives considered. SEC Cost Benefit Analysis The SEC is sensitive to the costs and benefits imposed by its rules. As discussed above, the amendments the Agencies are proposing today would replace the sample clauses included in Regulation S–P’s Appendix A (17 CFR part 248, appendix A) with a model privacy form that financial institutions could choose to provide to consumers. The proposed amendments are designed to implement section 728 of the Regulatory Relief Act. This Act directs the Agencies to ‘‘jointly develop a model form which may be used, at the option of the financial institution, for the provision of disclosures under [section 503 of the GLB Act].’’ Use of the model form would be voluntary so a financial institution could itself determine the benefits and costs in deciding whether using the model form would be suitable for its business and customers. Moreover, a financial institution that elected to use the model privacy form would benefit from the safe harbor it provides for disclosures required under the GLB Act. There would be no incremental costs of the information requirements for the proposed model privacy form because the disclosures are already required under Regulation S–P. However, financial institutions could incur some personnel costs in implementing the proposed model form. We expect these would be minimal because the language and format in the form are standardized and particularly if the form could be downloaded from a Web site.53 Financial institutions can only customize very limited sections of the model privacy form. Insofar as the Sample Clauses in current Regulation S–P may have some value to some financial institutions, their phase-out under the proposed amendments to the rule could create some costs to those institutions. If financial institutions, including SEC-regulated institutions, make widespread use of the model privacy form, we anticipate that consumers will benefit from notices that are more comprehensible and easier to compare and use. 53 We have asked for comment in section V on whether a downloadable version of the model form would be useful. E:\FR\FM\29MRP2.SGM 29MRP2 rwilkins on PROD1PC63 with PROPOSALS Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules A. Benefits We anticipate that brokers, dealers, investment advisers registered with the SEC, and investment companies would benefit from the proposed model privacy form’s standardized formatting and language. The notice requirements of Regulation S–P have been effective since July 1, 2001, and would not be altered by the proposed amendments, but new brokers, dealers, investment companies, and registered investment advisers would be able to use the model privacy form without investing the time and resources previously necessary to develop their own notices. We believe that institutions currently review their Regulation S–P privacy policies annually. To the extent that these institutions are required to change their policies to reflect changes in their privacy practices, they may find it easier to use the proposed model privacy form as a revised or annual privacy notice rather than to revise their existing notices. In addition, the SEC expects that revisions to an institution’s privacy policies would be easier to record in the model form’s standardized format. The SEC also anticipates that a financial institution that chooses to use the model notice would need little, if any, ongoing review by legal counsel because an institution cannot vary the form except as necessary to identify certain specific sharing and opt-out policies. Appendix A of Regulation S–P currently contains sample clauses that the SEC has said provide guidance in ordinary circumstances. The SEC has said, however, that the ‘‘facts and circumstances of each individual situation’’ will determine whether ‘‘use of a sample clause’’ constitutes compliance.54 In contrast, if the proposed amendments are adopted, SEC-regulated institutions would benefit from the certainty that proper use of the model notice entitles them to a safe harbor for disclosures required under the GLB Act and FCRA. Finally, as discussed more fully in section I.B above, the proposed model form was developed in an extensive consumer research testing process that evaluated consumers’ ability to comprehend, use, and compare privacy notices. The SEC anticipates therefore that if financial institutions choose to use the proposed model form, consumers’ comprehension and their ability to use and compare privacy policies would be enhanced. Institutions also might benefit from consumers’ enhanced ability to understand and use the notices to the 54 See 17 CFR 248.2(a). VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 extent that consumers have more trust and confidence in an institution’s privacy policies because the consumers understand those policies. B. Costs While the proposed amendments would not affect Regulation S–P’s substantive requirements, and financial institutions would be under no obligation to modify their current privacy notices, we believe that financial institutions that elect to use the model privacy form could incur some small, incremental costs in making the transition from their current notices to the proposed model form. These costs could include staff time to review the model form and its instructions and complete the proposed form. As noted above, we anticipate there would be minimal computer costs associated with using the form, particularly if the form could be downloaded from a Web site. We also believe that a financial institution that would use the model privacy form would need little, if any, review by legal counsel because almost all the disclosures in the form are mandated. Institution-specific information consists of contact information, ‘‘yes’’ or ‘‘no’’ answers and brief descriptions, as necessary, of the types of entities with which they share information. Moreover, we believe that financial institutions currently review their privacy polices annually, and we anticipate that the costs associated with this annual review would likely be the same as the costs of completing the model form. Although there may be some costs to firms that currently rely on the sample clauses for guidance in preparing their privacy notices, we expect those costs to be minimal. As noted above, we believe that financial institutions take approximately the same time to prepare a notice using the proposed form as they currently take to review annual notices. Moreover, the Agencies are proposing to give financial institutions one year in which they can continue to rely on the Sample Clauses as guidance, which should allow time to minimize the costs of transition for institutions that would transition to the model privacy form. The SEC requests commenters to provide data on these and any other costs of transition or implementation, and to specify the type of financial institution (broker, dealer, investment adviser registered with the Commission, or investment company) that would incur the estimated costs. As discussed above, we cannot estimate the number of institutions that would take advantage of the safe harbor. Accordingly, we cannot estimate the overall costs to broker-dealers, PO 00000 Frm 00021 Fmt 4701 Sfmt 4702 14959 investment advisers registered with the Commission, and investment companies that may use the proposed model form. C. Request for Comments The SEC requests comment on the potential costs and benefits of the proposed amendments to Appendix A of Regulation S–P. The SEC specifically requests comment on the costs of each item discussed above that institutions could incur in using the model form and whether any of those costs would differ if the form were downloadable from a Web site. Commenters should specify the type of institution associated with estimates of cost and benefits. The SEC encourages commenters to identify, discuss, analyze, and supply relevant data regarding any additional costs and benefits. For purposes of the Small Business Regulatory Enforcement Fairness Act of 1996,55 the SEC also requests information regarding the potential impact of the proposals on the U.S. economy on an annual basis. SEC Consideration of Burden on Competition Securities Exchange Act Section 23(a)(2) requires the SEC, in adopting rules under that Act, to consider the impact that any such rule would have on competition.56 Section 23(a)(2) also prohibits the SEC from adopting any rule that would impose a burden on competition not necessary or appropriate in furtherance of the purposes of the Securities Exchange Act. As discussed above, the proposed amendments to Regulation S–P, including the proposed model form, are designed to comply with section 728 of the Regulatory Relief Act, mandating that the Agencies propose a model form that is comprehensible, clear and conspicuous, and succinct. If adopted, SEC-regulated institutions would be able to use the model form in order to comply with the notice requirements under the GLB Act, the FCRA, and Regulation S–P. The SEC does not expect the proposed amendments to have a significant impact on competition, and believes that any effect on competition would be favorable. Use of the proposed model form would be voluntary, permitting a financial institution to determine whether using the model form would enhance its competitive position. All brokers and dealers, investment companies, and registered investment advisers would be able to use the model form and take advantage of the safe 55 Pub. 56 See E:\FR\FM\29MRP2.SGM L. 104–121, Title II, 110 Stat. 857 (1996). 15 U.S.C. 78w(a)(2). 29MRP2 14960 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules harbor. Other financial institutions would be able to use the form and take advantage of the safe harbor under comparable rules proposed by the other Agencies. Under the Regulatory Relief Act, the Agencies have worked in consultation in order to ensure the consistency and comparability of the proposed amendments. Therefore, all financial institutions would have the same opportunity to use the model form and rely on the safe harbor. Further, if financial institutions choose to use the proposed model form, the proposed amendments could promote competition by enabling consumers more easily to understand and compare competing institutions’ privacy policies. The SEC also anticipates that the proposed model form’s standardized formatting would reduce the relative burden of compliance on smaller financial institutions, allowing them to compete more effectively with larger institutions that are more likely to have a dedicated compliance staff. As such, the SEC expects any small impact on competition caused by the proposed amendments would be beneficial. We request comment on whether the proposal, if adopted, would have an impact or burden on competition. Commenters are requested to provide empirical data and other factual support for their views if possible. rwilkins on PROD1PC63 with PROPOSALS NCUA: The Treasury and General Government Appropriations Act, 1999— Assessment of Federal Regulations and Policies on Families The NCUA has determined that this proposed rule would not affect family well-being within the meaning of section 654 of the Treasury and General Government Appropriations Act, 1999, Pub. L. 105–277, 112 Stat. 2681 (1998). CFTC Cost-Benefit Analysis Section 15 of the Commodity Exchange Act requires the CFTC to consider the costs and benefits of its action before issuing a new regulation under the Act. The CFTC understands that, by its terms, section 15 does not require the CFTC to quantify the costs and benefits of a new regulation or to determine whether the benefits of the proposed regulation outweigh its costs. Nor does it require that each proposed rule be analyzed piecemeal or in isolation when that rule is a component of a larger package of rules or rule revisions. Rather, section 15 simply requires the CFTC to ‘‘consider the costs and benefits’’ of its action. Section 15 further specifies that costs and benefits shall be evaluated in light of five broad areas of market and public VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 concern: Protection of market participants and the public; efficiency, competitiveness, and financial integrity of futures markets; price discovery; sound risk management practices; and other public interest considerations. Accordingly, the CFTC could in its discretion give greater weight to any one of the five enumerated areas of concern and could in its discretion determine that, notwithstanding its costs, a particular rule was necessary or appropriate to protect the public interest or to effectuate any of the provisions or to accomplish any of the purposes of the Act. The CFTC has considered the costs and benefits of the proposed model form as a totality. The form provides a voluntary alternative means of complying with existing requirements of the privacy provisions of the GLB Act and section 5g of the CEA, and thus imposes no mandatory new costs. The CFTC solicits comment on the transitional costs that may be incurred by institutions electing to use the model form, including costs in addition to those already imposed. The CFTC believes that the model form should benefit futures industry consumer customers in better understanding a financial institution’s privacy policies, and may facilitate customers in comparing the privacy policies of financial institutions. The Commission invites public comment on its application of the cost-benefit provision. Commenters also are invited to submit any data that they may have quantifying the costs and benefits of the proposed rules with their comment letters. List of Subjects 12 CFR Part 40 Banks, banking, Consumer protection, National banks, Privacy, Reporting and recordkeeping requirements. 12 CFR Part 216 Banks, banking, Consumer protection, Foreign banking, Holding companies, Privacy, Reporting and recordkeeping requirements. 12 CFR Part 332 Banks, banking, Consumer protection, Foreign banking, Privacy, Reporting and recordkeeping requirements. 12 CFR Part 573 Consumer protection, Privacy, Reporting and recordkeeping requirements, Savings associations. 12 CFR Part 716 Consumer protection, Credit unions, Privacy, Reporting and recordkeeping requirements. PO 00000 Frm 00022 Fmt 4701 Sfmt 4702 16 CFR Part 313 Consumer protection, Credit, Privacy, Reporting and recordkeeping requirements, Trade practices. 17 CFR Part 160 Brokers, Consumer protection, Privacy, Reporting and recordkeeping requirements. 17 CFR Part 248 Brokers, Consumer protection, Investment companies, Privacy, Reporting and recordkeeping requirements, Securities. Office of the Comptroller of the Currency 12 CFR Chapter I Authority and Issuance For the reasons set forth in the joint preamble, part 40 of chapter I of title 12 of the Code of Federal Regulations is proposed to be revised as follows: PART 40—PRIVACY OF CONSUMER FINANCIAL INFORMATION 1. The authority citation for part 40 continues to read as follows: Authority: 12 U.S.C. 93a; 15 U.S.C. 6801 et seq. 2. Revise § 40.2 to read as follows: § 40.2 Model privacy form and examples. (a) Model privacy form. Use of the model privacy form in Appendix A of this part, consistent with the instructions in Appendix A, constitutes compliance with the notice content requirements of §§ 40.6 and 40.7 of this part, although use of the model privacy form is not required. (b) Examples. The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part. 3. In § 40.6, revise paragraph (f) and add paragraph (g) to read as follows: § 40.6 Information to be included in privacy notices. * * * * * (f) Model privacy form. Pursuant to § 40.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part. (g) Sample clauses. Sample clauses illustrating some of the notice content required by this section are included in Appendix B of this part. Use of a sample clause in a privacy notice provided on or before [DATE ONE YEAR FOLLOWING THE DATE OF PUBLICATION OF THE FINAL RULE], to the extent applicable, constitutes compliance with this part. E:\FR\FM\29MRP2.SGM 29MRP2 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules § 40.7 Form of opt-out notice to consumers; opt-out methods. * * * * (i) Model privacy form. Pursuant to § 40.2(a) of this part, a model privacy rwilkins on PROD1PC63 with PROPOSALS * VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 form that meets the notice content requirements of this section is included in Appendix A of this part. Appendix A [Redesignated as Appendix B] 5. Redesignate Appendix A as Appendix B. PO 00000 Frm 00023 Fmt 4701 Sfmt 4725 6. Add new Appendix A to read as follows: Appendix A to Part 40—Model Privacy Form A. The Model Privacy Form E:\FR\FM\29MRP2.SGM 29MRP2 EP29MR07.006</GPH> 4. In § 40.7, add paragraph (i) to read as follows: 14961 VerDate Aug<31>2005 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules 19:04 Mar 28, 2007 Jkt 211001 PO 00000 Frm 00024 Fmt 4701 Sfmt 4725 E:\FR\FM\29MRP2.SGM 29MRP2 EP29MR07.007</GPH> rwilkins on PROD1PC63 with PROPOSALS 14962 rwilkins on PROD1PC63 with PROPOSALS B. General Instructions 1. How the Model Privacy Form Is Used The model form may be used, at the option of a financial institution, including a group of financial holding company affiliates that use a common privacy notice, to meet the content requirements of the privacy notice and opt-out notice set forth in sections 40.6 and 40.7 of this part. (Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681– 1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.) 2. The Contents of the Model Privacy Form The model form consists of two or three pages, depending on whether a financial institution shares in a manner that requires VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 it to provide a third page with opt-out information. (a) Page One. The first page consists of the following components: (1) The title. (2) The key frame (Why?, What?, How?). (3) The disclosure table (‘‘Reasons we can share your personal information’’). (4) Contact information. (b) Page Two. The second page consists of the following components: (1) The title. (2) The Frequently Asked Questions on sharing practices. (3) The definitions. (c) Page Three. The third page consists of a financial institution’s opt-out form. 3. The Format of the Model Privacy Form The model form is a standardized form, including page layout, page content, format, style, pagination, and shading. No other information may be included in the model form, and the model form may be modified only as described below. PO 00000 Frm 00025 Fmt 4701 Sfmt 4702 14963 (a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. Easily readable type font includes a minimum of 10-point font and sufficient spacing between the lines of type. (b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page. (c) Page size and orientation. Each page of the model form must be printed on one side of an 8.5 by 11 inch paper in portrait orientation. (d) Color. The model form may be printed on white or light color paper (such as cream) with black or suitable contrasting color ink. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract from the readability of the model form. E:\FR\FM\29MRP2.SGM 29MRP2 EP29MR07.008</GPH> Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules 14964 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules C. Information Required in the Model Privacy Form The model form is a standardized form, and institutions seeking to obtain the safe harbor through use of the model form may modify the form only as described below: rwilkins on PROD1PC63 with PROPOSALS 1. Name of the Institution or Group of Affiliated Institutions Providing the Notice Include the name of the financial institution or group of affiliated institutions providing the notice on the form wherever [name of financial institution] appears. Contact information, such as the institution’s toll-free telephone number, Web address, or mailing address, or other contact information, should be inserted as appropriate, wherever [toll-free telephone] or [web address] or [mailing address] appear. 2. Page One (a) General instructions for the disclosure table. There are reasons for sharing or using personal information listed in the left column of the disclosure table. Each of these reasons correlates to certain legal provisions described below. In the middle column, each institution must provide a ‘‘Yes’’ or ‘‘No’’ response in each box that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. Each institution also must complete each box in the right column as to whether a consumer can limit such sharing. If an institution answers ‘‘No’’ to sharing for a particular reason in the middle column, it must answer ‘‘We don’t share’’ in the corresponding right column. If an institution answers ‘‘Yes’’ to sharing for a particular reason in the middle column, it must, in the right column, answer either ‘‘No’’ if it does not offer an opt-out or ‘‘Yes (Check your choices, p.3)’’ if it does offer an opt-out. Except for the sixth row (‘‘For our affiliates to market to you’’), an institution must list all reasons for sharing, and complete the middle and right columns of the disclosure table. (b) Specific disclosures and corresponding legal provisions. (1) For our everyday business purposes. Because all financial institutions share information for everyday business purposes, as contemplated by sections 40.14 and 40.15 of this part, the financial institution must answer ‘‘Yes’’ to the sharing of such information and ‘‘No’’ to the availability of an opt-out. (2) For our marketing purposes. The financial institution must answer ‘‘Yes’’ or ‘‘No’’ in the middle column. An institution that does not share for this reason must answer ‘‘We don’t share’’ in the right column. An institution that shares for this reason may or may not elect to provide an opt-out and must provide the corresponding answer in the right column as described in paragraph C.2.(a) of this Instruction. This provision includes service providers contemplated by section 40.13 of this part. (3) For joint marketing with other financial companies. As contemplated by section 40.13 of this part, the financial institution must answer ‘‘Yes’’ or ‘‘No’’ in the middle column. An institution that does not share for this reason must answer ‘‘We don’t share’’ in the right column. An institution that VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 shares for this reason may or may not elect to provide an opt-out and must provide the corresponding answer in the right column as described in paragraph C.2.(a) of this Instruction. (4) For our affiliates’ everyday business purposes—information about transactions and experiences. This provision applies to sharing of certain information with an institution’s affiliates, as contemplated by sections 603(d)(2)(A)(i) and (ii) of the FCRA. The financial institution must answer ‘‘Yes’’ or ‘‘No’’ in the middle column. An institution that does not share for this reason must answer ‘‘We don’t share’’ in the right column. An institution that does not have any affiliates will also use this answer. Institutions that share for this reason may or may not elect to provide an opt-out and must provide the corresponding answer in the right column as described in paragraph C.2.(a) of this Instruction. (5) For our affiliates’ everyday business purposes—information about creditworthiness. This provision applies to the sharing of certain information with an institution’s affiliates, as contemplated by section 603(d)(2)(A)(iii) of the FCRA. The financial institution must answer ‘‘Yes’’ or ‘‘No’’ in the middle column. An institution that does not share for this reason must answer ‘‘We don’t share’’ in the right column. An institution that does not have any affiliates will also use this answer. Institutions that share for this reason must provide an opt-out and must provide the appropriate answer in the right column as described in paragraph C.2.(a) of this Instruction. (6) For our affiliates to market to you. This provision applies to information shared among affiliates that is used by those affiliates for marketing, as contemplated by section 624 of the FCRA. Following the effective date of the rules implementing section 624, institutions that elect to incorporate this provision into the model form to satisfy their obligations under this part must include this reason for sharing as set forth in the model form in order to obtain the benefit of the safe harbor. Institutions whose affiliates receive such information and use it for marketing must answer ‘‘Yes’’ in the middle column, and ‘‘Yes (Check your choices, p.3)’’ in the right column corresponding to the availability of an optout. Institutions whose affiliates receive such information and do not use it for marketing may elect to include this provision in the model form and answer ‘‘No’’ in the middle column and ‘‘We don’t share’’ in the right column; however, institutions whose affiliates receive such information and do not use it for marketing are not required to use this provision. Institutions that do not have affiliates and elect to include this provision in their notice will answer ‘‘No’’ in the middle column and ‘‘We don’t share’’ in the right column. (7) For nonaffiliates to market to you. This provision applies to sharing under sections 40.7 and 40.10(a) of this part. Financial institutions that do not share for this reason must answer ‘‘No’’ in the middle column and ‘‘We don’t share’’ in the right column. Financial institutions that do share for this PO 00000 Frm 00026 Fmt 4701 Sfmt 4702 reason must answer ‘‘Yes’’ in the middle column and ‘‘Yes (check your choices, p. 3)’’ corresponding to the availability of an optout. (8) Additional opt-outs. A financial institution may customize the model form to offer opt-outs beyond those required under Federal law, so long as the additional information falls within the space constraints of the model form. If the institution chooses to offer its customers an opt-out for its own marketing or for joint marketing, for example, it can provide for that option by stating: ‘‘Yes (Check your choices, p.3)’’ as to the availability of the opt-out. 3. Page Two (a) General instructions for the Definitions. The financial institution must customize the space below the last three definitions in this section (affiliates, nonafffiliates, and joint marketing). This specific information must be in italicized lettering to set off the information from the standardized definitions. (b) Affiliates. As required by section 40.6(a)(3) of this part, the financial institution must identify the categories of its affiliates or state ‘‘[name of financial institution] has no affiliates’’ in italicized lettering where [affiliate information] appears. A financial institution that shares with affiliates must use, as applicable, the following format: ‘‘Our affiliates include companies with a [name of financial institution] name; financial companies such as [list companies]; and nonfinancial companies, such as [list companies].’’ (c) Nonaffiliates. If the financial institution shares with nonaffiliated third parties outside the exceptions in sections 40.14 and 40.15 of this part, the institution must identify the types of nonaffiliated third parties with which it shares or state ‘‘[name of financial institution] does not share with nonaffiliates so they can market to you.’’ in italicized lettering where [nonaffiliate information] appears. A financial institution that shares with nonaffiliated third parties as described here must use, as applicable, the following format: ‘‘Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].’’ (d) Joint Marketing. As required by section 40.13 of this part, the financial institution must identify the types of financial institutions with which it engages in joint marketing or state ‘‘[name of financial institution] doesn’t jointly market.’’ in italicized lettering where [joint marketing] appears. A financial institution that shares with joint marketing partners must use, as applicable, the following format: ‘‘Our joint marketing partners include [list categories of companies such as credit card companies].’’ 4. Page Three Opt-out form. Financial institutions must use page three only if they: (1) share or use information in a manner that triggers an optout; or (2) choose to provide an opt-out (as disclosed in the table on page 1) in addition to what is required by law. The model optout form must be provided on a separate page of the model form. E:\FR\FM\29MRP2.SGM 29MRP2 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules rwilkins on PROD1PC63 with PROPOSALS (a) Contact us. The section describes three common methods by which a consumer exercises an opt-out—by telephone, on the Web, and by mail. Financial institutions may customize this section to provide for the particular opt-out methods and options the institution provides. For example, if an institution offers opting out by telephone and the Web but not by mail, it would provide only telephone and Web information as shown in the model form in the ‘‘Contact Us’’ box. Only institutions that allow more than 30 days after providing the notice before sharing information may change the number of days in the lower right hand section of the box. (b) Check your choices. Institutions must display the applicable opt-out options in the ‘‘Check your choices’’ box shown on this page. If an institution chooses not to offer an opt-out by mail, it must delete the boxes for name, address, account number, and mailing directions in the lower right-hand corner of the model form. Financial institutions that only offer one or two of the opt-out options listed on the model form must list only those options from the model form that apply to their practices and correspond accurately to the disclosures on page one. Thus, if an institution does not share in a manner that requires an opt-out for sharing with nonaffiliates, it must not include that opt-out option on page three of the model form. Institutions requiring information from consumers on the opt-out form other than an account number should modify that designation in the ‘‘Check your choices’’ box. Institutions that require customers with multiple accounts to identify each account to which the opt-out should apply should modify that portion of the model form. (c) Section 624 opt-out. If the financial institution’s affiliates use information for marketing pursuant to section 624 of the FCRA, and the institution elects to consolidate that opt-out notice in the model form, it must include that disclosure and optout election as shown in the model form. Institutions that elect to limit the time for the affiliate marketing opt-out, consistent with the requirements of section 624, must adhere to the requirements of that section and the Agencies’ implementing rule with respect to any subsequent notice and opt-out. Institutions that elect to limit the opt-out period must include a statement in italics, as shown on the model form, that states the period of time for which the opt-out applies. VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 (d) Additional opt-outs. A financial institution that uses the disclosure table to indicate any opt-out choices available to consumers beyond those required by Federal law must include those opt-outs on page three of the model form. For example, if the financial institution discloses in the table that it offers an opt-out for joint marketing, the institution must revise the opt-out form on page three to reflect the availability of an opt-out, such as by adding a check-off box with the words ‘‘Do not share my personal information with other financial institutions to jointly market to me.’’ Likewise, if a financial institution chooses to offer its customers an opt-out for its marketing, it can provide for that option in the disclosure table and on the opt-out form by adding a checkoff box with the words ‘‘Do not share [or use] my personal information to market to me.’’ 7. Amend newly redesignated Appendix B by adding a new sentence immediately after the heading: Appendix B to Part 40—Sample Clauses This Appendix only applies to privacy notices provided until the date that is on or before one year following the date of final publication of this rule. * * * * * * * * Federal Reserve System 12 CFR Chapter II Authority and Issuance For the reasons set forth in the joint preamble, the Board proposes to amend part 216 of chapter II of title 12 of the Code of Federal Regulations as follows: PART 216—PRIVACY OF CONSUMER FINANCIAL INFORMATION (REGULATION P) 1. The authority citation for part 216 continues to read as follows: Authority: 15 U.S.C. 6801 et seq. 2. Revise § 216.2 to read as follows: § 216.2 Model privacy form and examples. (a) Model privacy form. Use of the model privacy form in Appendix A of this part, consistent with the PO 00000 Frm 00027 Fmt 4701 Sfmt 4702 14965 instructions in Appendix A, constitutes compliance with the notice content requirements of §§ 216.6 and 216.7 of this part, although use of the model privacy form is not required. (b) Examples. The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part. 3. In § 216.6, revise paragraph (f) and add paragraph (g) to read as follows: § 216.6 Information to be included in privacy notices. * * * * * (f) Model privacy form. Pursuant to § 216.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part. (g) Sample clauses. Sample clauses illustrating some of the notice content required by this section are included in Appendix B of this part. Use of a sample clause in a privacy notice provided on or before [DATE ONE YEAR FOLLOWING THE DATE OF PUBLICATION OF THE FINAL RULE], to the extent applicable, constitutes compliance with this part. 4. In § 216.7, add paragraph (i) to read as follows: § 216.7 Form of opt-out notice to consumers; opt-out methods. * * * * * (i) Model privacy form. Pursuant to § 216.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part. Appendix A [Redesignated as Appendix B] 5. Redesignate Appendix A as Appendix B. 6. Add new Appendix A to read as follows: Appendix A to Part 216—Model Privacy Form A. The Model Privacy Form E:\FR\FM\29MRP2.SGM 29MRP2 VerDate Aug<31>2005 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules 19:04 Mar 28, 2007 Jkt 211001 PO 00000 Frm 00028 Fmt 4701 Sfmt 4725 E:\FR\FM\29MRP2.SGM 29MRP2 EP29MR07.009</GPH> rwilkins on PROD1PC63 with PROPOSALS 14966 VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 PO 00000 Frm 00029 Fmt 4701 Sfmt 4725 E:\FR\FM\29MRP2.SGM 29MRP2 14967 EP29MR07.010</GPH> rwilkins on PROD1PC63 with PROPOSALS Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules rwilkins on PROD1PC63 with PROPOSALS B. General Instructions 1. How the Model Privacy Form Is Used The model form may be used, at the option of a financial institution, including a group of financial holding company affiliates that use a common privacy notice, to meet the content requirements of the privacy notice and opt-out notice set forth in sections 216.6 and 216.7 of this part. (Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681– 1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.) 2. The Contents of the Model Privacy Form The model form consists of two or three pages, depending on whether a financial institution shares in a manner that requires VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 it to provide a third page with opt-out information. (a) Page One. The first page consists of the following components: (1) The title. (2) The key frame (Why?, What?, How?). (3) The disclosure table (‘‘Reasons we can share your personal information’’). (4) Contact information. (b) Page Two. The second page consists of the following components: (1) The title. (2) The Frequently Asked Questions on sharing practices. (3) The definitions. (c) Page Three. The third page consists of a financial institution’s opt-out form. 3. The Format of the Model Privacy Form The model form is a standardized form, including page layout, page content, format, style, pagination, and shading. No other information may be included in the model form, and the model form may be modified only as described below. PO 00000 Frm 00030 Fmt 4701 Sfmt 4702 (a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. Easily readable type font includes a minimum of 10-point font and sufficient spacing between the lines of type. (b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page. (c) Page size and orientation. Each page of the model form must be printed on one side of an 8.5 by 11 inch paper in portrait orientation. (d) Color. The model form may be printed on white or light color paper (such as cream) with black or suitable contrasting color ink. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract from the readability of the model form. E:\FR\FM\29MRP2.SGM 29MRP2 EP29MR07.011</GPH> 14968 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules C. Information Required in the Model Privacy Form The model form is a standardized form, and institutions seeking to obtain the safe harbor through use of the model form may modify the form only as described below: rwilkins on PROD1PC63 with PROPOSALS 1. Name of the Institution or Group of Affiliated Institutions Providing the Notice Include the name of the financial institution or group of affiliated institutions providing the notice on the form wherever [name of financial institution] appears. Contact information, such as the institution’s toll-free telephone number, Web address, or mailing address, or other contact information, should be inserted as appropriate, wherever [toll-free telephone] or [web address] or [mailing address] appear. 2. Page One (a) General instructions for the disclosure table. There are reasons for sharing or using personal information listed in the left column of the disclosure table. Each of these reasons correlates to certain legal provisions described below. In the middle column, each institution must provide a ‘‘Yes’’ or ‘‘No’’ response in each box that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. Each institution also must complete each box in the right column as to whether a consumer can limit such sharing. If an institution answers ‘‘No’’ to sharing for a particular reason in the middle column, it must answer ‘‘We don’t share’’ in the corresponding right column. If an institution answers ‘‘Yes’’ to sharing for a particular reason in the middle column, it must, in the right column, answer either ‘‘No’’ if it does not offer an opt-out or ‘‘Yes (Check your choices, p. 3)’’ if it does offer an opt-out. Except for the sixth row (‘‘For our affiliates to market to you’’), an institution must list all reasons for sharing, and complete the middle and right columns of the disclosure table. (b) Specific disclosures and corresponding legal provisions. (1) For our everyday business purposes. Because all financial institutions share information for everyday business purposes, as contemplated by sections 216.14 and 216.15 of this part, the financial institution must answer ‘‘Yes’’ to the sharing of such information and ‘‘No’’ to the availability of an opt-out. (2) For our marketing purposes. The financial institution must answer ‘‘Yes’’ or ‘‘No’’ in the middle column. An institution that does not share for this reason must answer ‘‘We don’t share’’ in the right column. An institution that shares for this reason may or may not elect to provide an opt-out and must provide the corresponding answer in the right column as described in paragraph C.2.(a) of this Instruction. This provision includes service providers contemplated by section 216.13 of this part. (3) For joint marketing with other financial companies. As contemplated by section 216.13 of this part, the financial institution must answer ‘‘Yes’’ or ‘‘No’’ in the middle column. An institution that does not share for this reason must answer ‘‘We don’t share’’ in the right column. An institution that VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 shares for this reason may or may not elect to provide an opt-out and must provide the corresponding answer in the right column as described in paragraph C.2.(a) of this Instruction. (4) For our affiliates’ everyday business purposes—information about transactions and experiences. This provision applies to sharing of certain information with an institution’s affiliates, as contemplated by sections 603(d)(2)(A)(i) and (ii) of the FCRA. The financial institution must answer ‘‘Yes’’ or ‘‘No’’ in the middle column. An institution that does not share for this reason must answer ‘‘We don’t share’’ in the right column. An institution that does not have any affiliates will also use this answer. Institutions that share for this reason may or may not elect to provide an opt-out and must provide the corresponding answer in the right column as described in paragraph C.2.(a) of this Instruction. (5) For our affiliates’ everyday business purposes—information about creditworthiness. This provision applies to the sharing of certain information with an institution’s affiliates, as contemplated by section 603(d)(2)(A)(iii) of the FCRA. The financial institution must answer ‘‘Yes’’ or ‘‘No’’ in the middle column. An institution that does not share for this reason must answer ‘‘We don’t share’’ in the right column. An institution that does not have any affiliates will also use this answer. Institutions that share for this reason must provide an opt-out and must provide the appropriate answer in the right column as described in paragraph C.2.(a) of this Instruction. (6) For our affiliates to market to you. This provision applies to information shared among affiliates that is used by those affiliates for marketing, as contemplated by section 624 of the FCRA. Following the effective date of the rules implementing section 624, institutions that elect to incorporate this provision into the model form to satisfy their obligations under this part must include this reason for sharing as set forth in the model form in order to obtain the benefit of the safe harbor. Institutions whose affiliates receive such information and use it for marketing must answer ‘‘Yes’’ in the middle column, and ‘‘Yes (Check your choices, p. 3)’’ in the right column corresponding to the availability of an optout. Institutions whose affiliates receive such information and do not use it for marketing may elect to include this provision in the model form and answer ‘‘No’’ in the middle column and ‘‘We don’t share’’ in the right column; however, institutions whose affiliates receive such information and do not use it for marketing are not required to use this provision. Institutions that do not have affiliates and elect to include this provision in their notice will answer ‘‘No’’ in the middle column and ‘‘We don’t share’’ in the right column. (7) For nonaffiliates to market to you. This provision applies to sharing under sections 216.7 and 216.10(a) of this part. Financial institutions that do not share for this reason must answer ‘‘No’’ in the middle column and ‘‘We don’t share’’ in the right column. Financial institutions that do share for this PO 00000 Frm 00031 Fmt 4701 Sfmt 4702 14969 reason must answer ‘‘Yes’’ in the middle column and ‘‘Yes (check your choices, p. 3)’’ corresponding to the availability of an optout. (8) Additional opt-outs. A financial institution may customize the model form to offer opt-outs beyond those required under Federal law, so long as the additional information falls within the space constraints of the model form. If the institution chooses to offer its customers an opt-out for its own marketing or for joint marketing, for example, it can provide for that option by stating: ‘‘Yes (Check your choices, p. 3)’’ as to the availability of the opt-out. 3. Page Two (a) General instructions for the Definitions. The financial institution must customize the space below the last three definitions in this section (affiliates, nonafffiliates, and joint marketing). This specific information must be in italicized lettering to set off the information from the standardized definitions. (b) Affiliates. As required by section 216.6(a)(3) of this part, the financial institution must identify the categories of its affiliates or state ‘‘[name of financial institution] has no affiliates’’ in italicized lettering where [affiliate information] appears. A financial institution that shares with affiliates must use, as applicable, the following format: ‘‘Our affiliates include companies with a [name of financial institution] name; financial companies such as [list companies]; and nonfinancial companies, such as [list companies].’’ (c) Nonaffiliates. If the financial institution shares with nonaffiliated third parties outside the exceptions in sections 216.14 and 216.15 of this part, the institution must identify the types of nonaffiliated third parties with which it shares or state ‘‘[name of financial institution] does not share with nonaffiliates so they can market to you.’’ in italicized lettering where [nonaffiliate information] appears. A financial institution that shares with nonaffiliated third parties as described here must use, as applicable, the following format: ‘‘Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].’’ (d) Joint Marketing. As required by section 216.13 of this part, the financial institution must identify the types of financial institutions with which it engages in joint marketing or state ‘‘[name of financial institution] doesn’t jointly market.’’ in italicized lettering where [joint marketing] appears. A financial institution that shares with joint marketing partners must use, as applicable, the following format: ‘‘Our joint marketing partners include [list categories of companies such as credit card companies].’’ 4. Page Three Opt-out form. Financial institutions must use page three only if they: (1) share or use information in a manner that triggers an optout; or (2) choose to provide an opt-out (as disclosed in the table on page 1) in addition to what is required by law. The model optout form must be provided on a separate page of the model form. E:\FR\FM\29MRP2.SGM 29MRP2 14970 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules rwilkins on PROD1PC63 with PROPOSALS (a) Contact us. The section describes three common methods by which a consumer exercises an opt-out—by telephone, on the Web, and by mail. Financial institutions may customize this section to provide for the particular opt-out methods and options the institution provides. For example, if an institution offers opting out by telephone and the Web but not by mail, it would provide only telephone and Web information as shown in the model form in the ‘‘Contact Us’’ box. Only institutions that allow more than 30 days after providing the notice before sharing information may change the number of days in the lower right hand section of the box. (b) Check your choices. Institutions must display the applicable opt-out options in the ‘‘Check your choices’’ box shown on this page. If an institution chooses not to offer an opt-out by mail, it must delete the boxes for name, address, account number, and mailing directions in the lower right-hand corner of the model form. Financial institutions that only offer one or two of the opt-out options listed on the model form must list only those options from the model form that apply to their practices and correspond accurately to the disclosures on page one. Thus, if an institution does not share in a manner that requires an opt-out for sharing with nonaffiliates, it must not include that opt-out option on page three of the model form. Institutions requiring information from consumers on the opt-out form other than an account number should modify that designation in the ‘‘Check your choices’’ box. Institutions that require customers with multiple accounts to identify each account to which the opt-out should apply should modify that portion of the model form. (c) Section 624 opt-out. If the financial institution’s affiliates use information for marketing pursuant to section 624 of the FCRA, and the institution elects to consolidate that opt-out notice in the model form, it must include that disclosure and optout election as shown in the model form. Institutions that elect to limit the time for the affiliate marketing opt-out, consistent with the requirements of section 624, must adhere to the requirements of that section and the Agencies’ implementing rule with respect to any subsequent notice and opt-out. Institutions that elect to limit the opt-out period must include a statement in italics, as shown on the model form, that states the period of time for which the opt-out applies. VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 (d) Additional opt-outs. A financial institution that uses the disclosure table to indicate any opt-out choices available to consumers beyond those required by Federal law must include those opt-outs on page three of the model form. For example, if the financial institution discloses in the table that it offers an opt-out for joint marketing, the institution must revise the opt-out form on page three to reflect the availability of an opt-out, such as by adding a check-off box with the words ‘‘Do not share my personal information with other financial institutions to jointly market to me.’’ Likewise, if a financial institution chooses to offer its customers an opt-out for its marketing, it can provide for that option in the disclosure table and on the opt-out form by adding a checkoff box with the words ‘‘Do not share [or use] my personal information to market to me.’’ 7. Amend newly redesignated Appendix B by adding a new sentence immediately after the heading: Appendix B to Part 216—Sample Clauses This Appendix only applies to privacy notices provided until the date that is on or before one year following the date of final publication of this rule. * * * * * * * * Federal Deposit Insurance Corporation 12 CFR Chapter III Authority and Issuance For the reasons set forth in the joint preamble, the Federal Deposit Insurance Corporation proposes to amend part 332 of chapter III of title 12 of the Code of Federal Regulations as follows: PART 332—PRIVACY OF CONSUMER FINANCIAL INFORMATION 1. The authority citation for part 332 continues to read as follows: Authority: 12 U.S.C. 1819 (Seventh and Tenth); 15 U.S.C. 6801 et seq. 2. Revise § 332.2 to read as follows: § 332.2 Model privacy form and examples. (a) Model privacy form. Use of the model privacy form in Appendix A of PO 00000 Frm 00032 Fmt 4701 Sfmt 4702 this part, consistent with the instructions in Appendix A, constitutes compliance with the notice content requirements of §§ 332.6 and 332.7 of this part, although use of the model privacy form is not required. (b) Examples. The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part. 3. In § 332.6, revise paragraph (f) and add paragraph (g) to read as follows: § 332.6 Information to be included in privacy notices. * * * * * (f) Model privacy form. Pursuant to § 332.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part. (g) Sample clauses. Sample clauses illustrating some of the notice content required by this section are included in Appendix B of this part. Use of a sample clause in a privacy notice provided on or before [DATE ONE YEAR FOLLOWING THE DATE OF PUBLICATION OF THE FINAL RULE], to the extent applicable, constitutes compliance with this part. 4. In § 332.7 add paragraph (i) to read as follows: § 332.7 Form of opt-out notice to consumers; opt-out methods. * * * * * (i) Model privacy form. Pursuant to § 332.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part. Appendix A [Redesignated as Appendix B] 5. Redesignate Appendix A as Appendix B. 6. Add new Appendix A to read as follows: Appendix A to Part 332—Model Privacy Form A. The Model Privacy Form E:\FR\FM\29MRP2.SGM 29MRP2 VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 PO 00000 Frm 00033 Fmt 4701 Sfmt 4725 E:\FR\FM\29MRP2.SGM 29MRP2 14971 EP29MR07.012</GPH> rwilkins on PROD1PC63 with PROPOSALS Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules VerDate Aug<31>2005 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules 19:04 Mar 28, 2007 Jkt 211001 PO 00000 Frm 00034 Fmt 4701 Sfmt 4725 E:\FR\FM\29MRP2.SGM 29MRP2 EP29MR07.013</GPH> rwilkins on PROD1PC63 with PROPOSALS 14972 rwilkins on PROD1PC63 with PROPOSALS B. General Instructions 1. How the Model Privacy Form Is Used The model form may be used, at the option of a financial institution, including a group of financial holding company affiliates that use a common privacy notice, to meet the content requirements of the privacy notice and opt-out notice set forth in sections 332.6 and 332.7 of this part. (Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681– 1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.) 2. The Contents of the Model Privacy Form The model form consists of two or three pages, depending on whether a financial institution shares in a manner that requires VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 it to provide a third page with opt-out information. (a) Page One. The first page consists of the following components: (1) The title. (2) The key frame (Why?, What?, How?). (3) The disclosure table (‘‘Reasons we can share your personal information’’). (4) Contact information. (b) Page Two. The second page consists of the following components: (1) The title. (2) The Frequently Asked Questions on sharing practices. (3) The definitions. (c) Page Three. The third page consists of a financial institution’s opt-out form. 3. The Format of the Model Privacy Form The model form is a standardized form, including page layout, page content, format, style, pagination, and shading. No other information may be included in the model form, and the model form may be modified only as described below. PO 00000 Frm 00035 Fmt 4701 Sfmt 4702 14973 (a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. Easily readable type font includes a minimum of 10-point font and sufficient spacing between the lines of type. (b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page. (c) Page size and orientation. Each page of the model form must be printed on one side of an 8.5 by 11 inch paper in portrait orientation. (d) Color. The model form may be printed on white or light color paper (such as cream) with black or suitable contrasting color ink. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract from the readability of the model form. E:\FR\FM\29MRP2.SGM 29MRP2 EP29MR07.014</GPH> Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules 14974 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules C. Information Required in the Model Privacy Form The model form is a standardized form, and institutions seeking to obtain the safe harbor through use of the model form may modify the form only as described below: rwilkins on PROD1PC63 with PROPOSALS 1. Name of the Institution or Group of Affiliated Institutions Providing the Notice Include the name of the financial institution or group of affiliated institutions providing the notice on the form wherever [name of financial institution] appears. Contact information, such as the institution’s toll-free telephone number, Web address, or mailing address, or other contact information, should be inserted as appropriate, wherever [toll-free telephone] or [web address] or [mailing address] appear. 2. Page One (a) General instructions for the disclosure table. There are reasons for sharing or using personal information listed in the left column of the disclosure table. Each of these reasons correlates to certain legal provisions described below. In the middle column, each institution must provide a ‘‘Yes’’ or ‘‘No’’ response in each box that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. Each institution also must complete each box in the right column as to whether a consumer can limit such sharing. If an institution answers ‘‘No’’ to sharing for a particular reason in the middle column, it must answer ‘‘We don’t share’’ in the corresponding right column. If an institution answers ‘‘Yes’’ to sharing for a particular reason in the middle column, it must, in the right column, answer either ‘‘No’’ if it does not offer an opt-out or ‘‘Yes (Check your choices, p. 3)’’ if it does offer an opt-out. Except for the sixth row (‘‘For our affiliates to market to you’’), an institution must list all reasons for sharing, and complete the middle and right columns of the disclosure table. (b) Specific disclosures and corresponding legal provisions. (1) For our everyday business purposes. Because all financial institutions share information for everyday business purposes, as contemplated by sections 332.14 and 332.15 of this part, the financial institution must answer ‘‘Yes’’ to the sharing of such information and ‘‘No’’ to the availability of an opt-out. (2) For our marketing purposes. The financial institution must answer ‘‘Yes’’ or ‘‘No’’ in the middle column. An institution that does not share for this reason must answer ‘‘We don’t share’’ in the right column. An institution that shares for this reason may or may not elect to provide an opt-out and must provide the corresponding answer in the right column as described in paragraph C.2.(a) of this Instruction. This provision includes service providers contemplated by section 332.13 of this part. (3) For joint marketing with other financial companies. As contemplated by section 332.13 of this part, the financial institution must answer ‘‘Yes’’ or ‘‘No’’ in the middle column. An institution that does not share for this reason must answer ‘‘We don’t share’’ in the right column. An institution that VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 shares for this reason may or may not elect to provide an opt-out and must provide the corresponding answer in the right column as described in paragraph C.2.(a) of this Instruction. (4) For our affiliates’ everyday business purposes—information about transactions and experiences. This provision applies to sharing of certain information with an institution’s affiliates, as contemplated by sections 603(d)(2)(A)(i) and (ii) of the FCRA. The financial institution must answer ‘‘Yes’’ or ‘‘No’’ in the middle column. An institution that does not share for this reason must answer ‘‘We don’t share’’ in the right column. An institution that does not have any affiliates will also use this answer. Institutions that share for this reason may or may not elect to provide an opt-out and must provide the corresponding answer in the right column as described in paragraph C.2.(a) of this Instruction. (5) For our affiliates’ everyday business purposes—information about creditworthiness. This provision applies to the sharing of certain information with an institution’s affiliates, as contemplated by section 603(d)(2)(A)(iii) of the FCRA. The financial institution must answer ‘‘Yes’’ or ‘‘No’’ in the middle column. An institution that does not share for this reason must answer ‘‘We don’t share’’ in the right column. An institution that does not have any affiliates will also use this answer. Institutions that share for this reason must provide an opt-out and must provide the appropriate answer in the right column as described in paragraph C.2.(a) of this Instruction. (6) For our affiliates to market to you. This provision applies to information shared among affiliates that is used by those affiliates for marketing, as contemplated by section 624 of the FCRA. Following the effective date of the rules implementing section 624, institutions that elect to incorporate this provision into the model form to satisfy their obligations under this part must include this reason for sharing as set forth in the model form in order to obtain the benefit of the safe harbor. Institutions whose affiliates receive such information and use it for marketing must answer ‘‘Yes’’ in the middle column, and ‘‘Yes (Check your choices, p. 3)’’ in the right column corresponding to the availability of an optout. Institutions whose affiliates receive such information and do not use it for marketing may elect to include this provision in the model form and answer ‘‘No’’ in the middle column and ‘‘We don’t share’’ in the right column; however, institutions whose affiliates receive such information and do not use it for marketing are not required to use this provision. Institutions that do not have affiliates and elect to include this provision in their notice will answer ‘‘No’’ in the middle column and ‘‘We don’t share’’ in the right column. (7) For nonaffiliates to market to you. This provision applies to sharing under sections 332.7 and 332.10(a) of this part. Financial institutions that do not share for this reason must answer ‘‘No’’ in the middle column and ‘‘We don’t share’’ in the right column. Financial institutions that do share for this PO 00000 Frm 00036 Fmt 4701 Sfmt 4702 reason must answer ‘‘Yes’’ in the middle column and ‘‘Yes (check your choices, p. 3)’’ corresponding to the availability of an optout. (8) Additional opt-outs. A financial institution may customize the model form to offer opt-outs beyond those required under Federal law, so long as the additional information falls within the space constraints of the model form. If the institution chooses to offer its customers an opt-out for its own marketing or for joint marketing, for example, it can provide for that option by stating: ‘‘Yes (Check your choices, p. 3)’’ as to the availability of the opt-out. 3. Page Two (a) General instructions for the Definitions. The financial institution must customize the space below the last three definitions in this section (affiliates, nonaffiliates, and joint marketing). This specific information must be in italicized lettering to set off the information from the standardized definitions. (b) Affiliates. As required by section 332.6(a)(3) of this part, the financial institution must identify the categories of its affiliates or state ‘‘[name of financial institution] has no affiliates’’ in italicized lettering where [affiliate information] appears. A financial institution that shares with affiliates must use, as applicable, the following format: ‘‘Our affiliates include companies with a [name of financial institution] name; financial companies such as [list companies]; and nonfinancial companies, such as [list companies].’’ (c) Nonaffiliates. If the financial institution shares with nonaffiliated third parties outside the exceptions in sections 332.14 and 332.15 of this part, the institution must identify the types of nonaffiliated third parties with which it shares or state ‘‘[name of financial institution] does not share with nonaffiliates so they can market to you.’’ in italicized lettering where [nonaffiliate information] appears. A financial institution that shares with nonaffiliated third parties as described here must use, as applicable, the following format: ‘‘Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].’’ (d) Joint Marketing. As required by section 332.13 of this part, the financial institution must identify the types of financial institutions with which it engages in joint marketing or state ‘‘[name of financial institution] doesn’t jointly market.’’ in italicized lettering where [joint marketing] appears. A financial institution that shares with joint marketing partners must use, as applicable, the following format: ‘‘Our joint marketing partners include [list categories of companies such as credit card companies].’’ 4. Page Three Opt-out form. Financial institutions must use page three only if they: (1) share or use information in a manner that triggers an optout; or (2) choose to provide an opt-out (as disclosed in the table on page 1) in addition to what is required by law. The model optout form must be provided on a separate page of the model form. E:\FR\FM\29MRP2.SGM 29MRP2 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules rwilkins on PROD1PC63 with PROPOSALS (a) Contact us. The section describes three common methods by which a consumer exercises an opt-out—by telephone, on the Web, and by mail. Financial institutions may customize this section to provide for the particular opt-out methods and options the institution provides. For example, if an institution offers opting out by telephone and the Web but not by mail, it would provide only telephone and Web information as shown in the model form in the ‘‘Contact Us’’ box. Only institutions that allow more than 30 days after providing the notice before sharing information may change the number of days in the lower right hand section of the box. (b) Check your choices. Institutions must display the applicable opt-out options in the ‘‘Check your choices’’ box shown on this page. If an institution chooses not to offer an opt-out by mail, it must delete the boxes for name, address, account number, and mailing directions in the lower right-hand corner of the model form. Financial institutions that only offer one or two of the opt-out options listed on the model form must list only those options from the model form that apply to their practices and correspond accurately to the disclosures on page one. Thus, if an institution does not share in a manner that requires an opt-out for sharing with nonaffiliates, it must not include that opt-out option on page three of the model form. Institutions requiring information from consumers on the opt-out form other than an account number should modify that designation in the ‘‘Check your choices’’ box. Institutions that require customers with multiple accounts to identify each account to which the opt-out should apply should modify that portion of the model form. (c) Section 624 opt-out. If the financial institution’s affiliates use information for marketing pursuant to section 624 of the FCRA, and the institution elects to consolidate that opt-out notice in the model form, it must include that disclosure and optout election as shown in the model form. Institutions that elect to limit the time for the affiliate marketing opt-out, consistent with the requirements of section 624, must adhere to the requirements of that section and the Agencies’ implementing rule with respect to any subsequent notice and opt-out. Institutions that elect to limit the opt-out period must include a statement in italics, as shown on the model form, that states the period of time for which the opt-out applies. VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 (d) Additional opt-outs. A financial institution that uses the disclosure table to indicate any opt-out choices available to consumers beyond those required by Federal law must include those opt-outs on page three of the model form. For example, if the financial institution discloses in the table that it offers an opt-out for joint marketing, the institution must revise the opt-out form on page three to reflect the availability of an opt-out, such as by adding a check-off box with the words ‘‘Do not share my personal information with other financial institutions to jointly market to me.’’ Likewise, if a financial institution chooses to offer its customers an opt-out for its marketing, it can provide for that option in the disclosure table and on the opt-out form by adding a checkoff box with the words ‘‘Do not share [or use] my personal information to market to me.’’ 7. Amend newly redesignated Appendix B by adding a new sentence immediately after the heading: Appendix B to Part 332—Sample Clauses This Appendix only applies to privacy notices provided until the date that is on or before one year following the date of final publication of this rule. * * * * * * * * Office of Thrift Supervision 12 CFR Chapter V Authority and Issuance For the reasons set forth in the joint preamble, the Office of Thrift Supervision proposes to amend part 573 of Chapter V of title 12 of the Code of Federal Regulations as follows: PART 573—PRIVACY OF CONSUMER FINANCIAL INFORMATION 1. The authority citation for part 573 continues to read as follows: Authority: 12 U.S.C. 1462a; 1463, 1464, 1828; 15 U.S.C. 6801 et seq. 2. Revise § 573.2 to read as follows: § 573.2 Model privacy form and examples. (a) Model privacy form. Use of the model privacy form in Appendix A of PO 00000 Frm 00037 Fmt 4701 Sfmt 4702 14975 this part, consistent with the instructions in Appendix A, constitutes compliance with the notice content requirements of §§ 573.6 and 573.7 of this part, although use of the model privacy form is not required. (b) Examples. The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part. 3. In § 573.6, revise paragraph (f) and add paragraph (g) to read as follows: § 573.6 Information to be included in privacy notices. * * * * * (f) Model privacy form. Pursuant to § 573.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part. (g) Sample clauses. Sample clauses illustrating some of the notice content required by this section are included in Appendix B of this part. Use of a sample clause in a privacy notice provided on or before [DATE ONE YEAR FOLLOWING THE DATE OF PUBLICATION OF THE FINAL RULE], to the extent applicable, constitutes compliance with this part. 4. In § 573.7, add paragraph (i) to read as follows: § 573.7 Form of opt-out notice to consumers; opt-out methods. * * * * * (i) Model privacy form. Pursuant to § 573.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part. Appendix A [Redesignated as Appendix B] 5. Redesignate Appendix A as Appendix B. 6. Add new Appendix A to read as follows: Appendix A to Part 573—Model Privacy Form A. The Model Privacy Form E:\FR\FM\29MRP2.SGM 29MRP2 VerDate Aug<31>2005 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules 19:04 Mar 28, 2007 Jkt 211001 PO 00000 Frm 00038 Fmt 4701 Sfmt 4725 E:\FR\FM\29MRP2.SGM 29MRP2 EP29MR07.015</GPH> rwilkins on PROD1PC63 with PROPOSALS 14976 VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 PO 00000 Frm 00039 Fmt 4701 Sfmt 4725 E:\FR\FM\29MRP2.SGM 29MRP2 14977 EP29MR07.016</GPH> rwilkins on PROD1PC63 with PROPOSALS Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules rwilkins on PROD1PC63 with PROPOSALS B. General Instructions 1. How the Model Privacy Form Is Used The model form may be used, at the option of a financial institution, including a group of financial holding company affiliates that use a common privacy notice, to meet the content requirements of the privacy notice and opt-out notice set forth in sections 573.6 and 573.7 of this part. (Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681– 1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.) 2. The Contents of the Model Privacy Form The model form consists of two or three pages, depending on whether a financial institution shares in a manner that requires VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 it to provide a third page with opt-out information. (a) Page One. The first page consists of the following components: (1) The title. (2) The key frame (Why?, What?, How?). (3) The disclosure table (‘‘Reasons we can share your personal information’’). (4) Contact information. (b) Page Two. The second page consists of the following components: (1) The title. (2) The Frequently Asked Questions on sharing practices. (3) The definitions. (c) Page Three. The third page consists of a financial institution’s opt-out form. 3. The Format of the Model Privacy Form The model form is a standardized form, including page layout, page content, format, style, pagination, and shading. No other information may be included in the model form, and the model form may be modified only as described below. PO 00000 Frm 00040 Fmt 4701 Sfmt 4702 (a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. Easily readable type font includes a minimum of 10-point font and sufficient spacing between the lines of type. (b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page. (c) Page size and orientation. Each page of the model form must be printed on one side of an 8.5 by 11 inch paper in portrait orientation. (d) Color. The model form may be printed on white or light color paper (such as cream) with black or suitable contrasting color ink. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract from the readability of the model form. E:\FR\FM\29MRP2.SGM 29MRP2 EP29MR07.017</GPH> 14978 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules C. Information Required in the Model Privacy Form The model form is a standardized form, and institutions seeking to obtain the safe harbor through use of the model form may modify the form only as described below: rwilkins on PROD1PC63 with PROPOSALS 1. Name of the Institution or Group of Affiliated Institutions Providing the Notice Include the name of the financial institution or group of affiliated institutions providing the notice on the form wherever [name of financial institution] appears. Contact information, such as the institution’s toll-free telephone number, Web address, or mailing address, or other contact information, should be inserted as appropriate, wherever [toll-free telephone] or [web address] or [mailing address] appear. 2. Page One (a) General instructions for the disclosure table. There are reasons for sharing or using personal information listed in the left column of the disclosure table. Each of these reasons correlates to certain legal provisions described below. In the middle column, each institution must provide a ‘‘Yes’’ or ‘‘No’’ response in each box that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. Each institution also must complete each box in the right column as to whether a consumer can limit such sharing. If an institution answers ‘‘No’’ to sharing for a particular reason in the middle column, it must answer ‘‘We don’t share’’ in the corresponding right column. If an institution answers ‘‘Yes’’ to sharing for a particular reason in the middle column, it must, in the right column, answer either ‘‘No’’ if it does not offer an opt-out or ‘‘Yes (Check your choices, p. 3)’’ if it does offer an opt-out. Except for the sixth row (‘‘For our affiliates to market to you’’), an institution must list all reasons for sharing, and complete the middle and right columns of the disclosure table. (b) Specific disclosures and corresponding legal provisions. (1) For our everyday business purposes. Because all financial institutions share information for everyday business purposes, as contemplated by sections 573.14 and 573.15 of this part, the financial institution must answer ‘‘Yes’’ to the sharing of such information and ‘‘No’’ to the availability of an opt-out. (2) For our marketing purposes. The financial institution must answer ‘‘Yes’’ or ‘‘No’’ in the middle column. An institution that does not share for this reason must answer ‘‘We don’t share’’ in the right column. An institution that shares for this reason may or may not elect to provide an opt-out and must provide the corresponding answer in the right column as described in paragraph C.2.(a) of this Instruction. This provision includes service providers contemplated by section 573.13 of this part. (3) For joint marketing with other financial companies. As contemplated by section 573.13 of this part, the financial institution must answer ‘‘Yes’’ or ‘‘No’’ in the middle column. An institution that does not share for this reason must answer ‘‘We don’t share’’ in the right column. An institution that VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 shares for this reason may or may not elect to provide an opt-out and must provide the corresponding answer in the right column as described in paragraph C.2.(a) of this Instruction. (4) For our affiliates’ everyday business purposes—information about transactions and experiences. This provision applies to sharing of certain information with an institution’s affiliates, as contemplated by sections 603(d)(2)(A)(i) and (ii) of the FCRA. The financial institution must answer ‘‘Yes’’ or ‘‘No’’ in the middle column. An institution that does not share for this reason must answer ‘‘We don’t share’’ in the right column. An institution that does not have any affiliates will also use this answer. Institutions that share for this reason may or may not elect to provide an opt-out and must provide the corresponding answer in the right column as described in paragraph C.2.(a) of this Instruction. (5) For our affiliates’ everyday business purposes—information about creditworthiness. This provision applies to the sharing of certain information with an institution’s affiliates, as contemplated by section 603(d)(2)(A)(iii) of the FCRA. The financial institution must answer ‘‘Yes’’ or ‘‘No’’ in the middle column. An institution that does not share for this reason must answer ‘‘We don’t share’’ in the right column. An institution that does not have any affiliates will also use this answer. Institutions that share for this reason must provide an opt-out and must provide the appropriate answer in the right column as described in paragraph C.2.(a) of this Instruction. (6) For our affiliates to market to you. This provision applies to information shared among affiliates that is used by those affiliates for marketing, as contemplated by section 624 of the FCRA. Following the effective date of the rules implementing section 624, institutions that elect to incorporate this provision into the model form to satisfy their obligations under this part must include this reason for sharing as set forth in the model form in order to obtain the benefit of the safe harbor. Institutions whose affiliates receive such information and use it for marketing must answer ‘‘Yes’’ in the middle column, and ‘‘Yes (Check your choices, p. 3)’’ in the right column corresponding to the availability of an optout. Institutions whose affiliates receive such information and do not use it for marketing may elect to include this provision in the model form and answer ‘‘No’’ in the middle column and ‘‘We don’t share’’ in the right column; however, institutions whose affiliates receive such information and do not use it for marketing are not required to use this provision. Institutions that do not have affiliates and elect to include this provision in their notice will answer ‘‘No’’ in the middle column and ‘‘We don’t share’’ in the right column. (7) For nonaffiliates to market to you. This provision applies to sharing under sections 573.7 and 573.10(a) of this part. Financial institutions that do not share for this reason must answer ‘‘No’’ in the middle column and ‘‘We don’t share’’ in the right column. Financial institutions that do share for this PO 00000 Frm 00041 Fmt 4701 Sfmt 4702 14979 reason must answer ‘‘Yes’’ in the middle column and ‘‘Yes (check your choices, p. 3)’’ corresponding to the availability of an optout. (8) Additional opt-outs. A financial institution may customize the model form to offer opt-outs beyond those required under Federal law, so long as the additional information falls within the space constraints of the model form. If the institution chooses to offer its customers an opt-out for its own marketing or for joint marketing, for example, it can provide for that option by stating: ‘‘Yes (Check your choices, p. 3)’’ as to the availability of the opt-out. 3. Page Two (a) General instructions for the Definitions. The financial institution must customize the space below the last three definitions in this section (affiliates, nonafffiliates, and joint marketing). This specific information must be in italicized lettering to set off the information from the standardized definitions. (b) Affiliates. As required by section 573.6(a)(3) of this part, the financial institution must identify the categories of its affiliates or state ‘‘[name of financial institution] has no affiliates’’ in italicized lettering where [affiliate information] appears. A financial institution that shares with affiliates must use, as applicable, the following format: ‘‘Our affiliates include companies with a [name of financial institution] name; financial companies such as [list companies]; and nonfinancial companies, such as [list companies].’’ (c) Nonaffiliates. If the financial institution shares with nonaffiliated third parties outside the exceptions in sections 573.14 and 573.15 of this part, the institution must identify the types of nonaffiliated third parties with which it shares or state ‘‘[name of financial institution] does not share with nonaffiliates so they can market to you.’’ in italicized lettering where [nonaffiliate information] appears. A financial institution that shares with nonaffiliated third parties as described here must use, as applicable, the following format: ‘‘Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].’’ (d) Joint Marketing. As required by section 573.13 of this part, the financial institution must identify the types of financial institutions with which it engages in joint marketing or state ‘‘[name of financial institution] doesn’t jointly market.’’ in italicized lettering where [joint marketing] appears. A financial institution that shares with joint marketing partners must use, as applicable, the following format: ‘‘Our joint marketing partners include [list categories of companies such as credit card companies].’’ 4. Page Three Opt-out form. Financial institutions must use page three only if they: (1) share or use information in a manner that triggers an optout; or (2) choose to provide an opt-out (as disclosed in the table on page 1) in addition to what is required by law. The model optout form must be provided on a separate page of the model form. E:\FR\FM\29MRP2.SGM 29MRP2 14980 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules rwilkins on PROD1PC63 with PROPOSALS (a) Contact us. The section describes three common methods by which a consumer exercises an opt-out ‘‘ by telephone, on the Web, and by mail. Financial institutions may customize this section to provide for the particular opt-out methods and options the institution provides. For example, if an institution offers opting out by telephone and the Web but not by mail, it would provide only telephone and Web information as shown in the model form in the ‘‘Contact Us’’ box. Only institutions that allow more than 30 days after providing the notice before sharing information may change the number of days in the lower right hand section of the box. (b) Check your choices. Institutions must display the applicable opt-out options in the ‘‘Check your choices’’ box shown on this page. If an institution chooses not to offer an opt-out by mail, it must delete the boxes for name, address, account number, and mailing directions in the lower right-hand corner of the model form. Financial institutions that only offer one or two of the opt-out options listed on the model form must list only those options from the model form that apply to their practices and correspond accurately to the disclosures on page one. Thus, if an institution does not share in a manner that requires an opt-out for sharing with nonaffiliates, it must not include that opt-out option on page three of the model form. Institutions requiring information from consumers on the opt-out form other than an account number should modify that designation in the ‘‘Check your choices’’ box. Institutions that require customers with multiple accounts to identify each account to which the opt-out should apply should modify that portion of the model form. (c) Section 624 opt-out. If the financial institution’s affiliates use information for marketing pursuant to section 624 of the FCRA, and the institution elects to consolidate that opt-out notice in the model form, it must include that disclosure and optout election as shown in the model form. Institutions that elect to limit the time for the affiliate marketing opt-out, consistent with the requirements of section 624, must adhere to the requirements of that section and the Agencies’ implementing rule with respect to any subsequent notice and opt-out. Institutions that elect to limit the opt-out period must include a statement in italic, as shown on the model form, that states the period of time for which the opt-out applies. VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 (d) Additional opt-outs. A financial institution that uses the disclosure table to indicate any opt-out choices available to consumers beyond those required by Federal law must include those opt-outs on page three of the model form. For example, if the financial institution discloses in the table that it offers an opt-out for joint marketing, the institution must revise the opt-out form on page three to reflect the availability of an opt-out, such as by adding a check-off box with the words ‘‘Do not share my personal information with other financial institutions to jointly market to me.’’ Likewise, if a financial institution chooses to offer its customers an opt-out for its marketing, it can provide for that option in the disclosure table and on the opt-out form by adding a checkoff box with the words ‘‘Do not share [or use] my personal information to market to me.’’ 7. Amend newly redesignated Appendix B by adding a new sentence immediately after the heading: Appendix B to Part 573—Sample Clauses This Appendix only applies to privacy notices provided until the date that is on or before one year following the date of final publication of this rule. * * * * * * * * National Credit Union Administration 12 CFR Chapter V Authority and Issuance For the reasons set forth in the joint preamble, the National Credit Union Administration proposes to amend part 716 of Chapter V of title 12 of the Code of Federal Regulations as follows: § 716.2 Model privacy form and examples. (a) Model privacy form. Use of the model privacy form in Appendix A of this part, consistent with the instructions in Appendix A, constitutes compliance with the notice content requirements of §§ 716.6 and 716.7 of this part, although use of the model privacy form is not required. (b) Examples. The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part. 3. In § 716.6, add paragraphs (f) and (g) to read as follows: § 716.6 Information to be included in privacy notices. * * * * * (f) Model privacy form. Pursuant to § 716.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part. (g) Sample clauses. Sample clauses illustrating some of the notice content required by this section are included in Appendix B of this part. Use of a sample clause in a privacy notice provided on or before [DATE ONE YEAR FOLLOWING THE DATE OF PUBLICATION OF THE FINAL RULE], to the extent applicable, constitutes compliance with this part. 4. In § 716.7 add paragraph (i) to read as follows: § 716.7 Form of opt-out notice to consumers; opt-out methods. PART 716—PRIVACY OF CONSUMER FINANCIAL INFORMATION * * * * (i) Model privacy form. Pursuant to § 716.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part. 1. The authority citation for part 716 continues to read as follows: Appendix A [Redesignated as Appendix B] Authority: 12 U.S.C. 1751 et seq.; 15 U.S.C. 6801 et seq. 5. Redesignate Appendix A as Appendix B. 6. Add new Appendix A to read as follows: 2. Revise § 716.2 to read as follows: PO 00000 Frm 00042 Fmt 4701 Sfmt 4702 * E:\FR\FM\29MRP2.SGM 29MRP2 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules 14981 Appendix A to Part 716—Model Privacy Form VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 PO 00000 Frm 00043 Fmt 4701 Sfmt 4725 E:\FR\FM\29MRP2.SGM 29MRP2 EP29MR07.018</GPH> rwilkins on PROD1PC63 with PROPOSALS A. The Model Privacy Form VerDate Aug<31>2005 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules 19:04 Mar 28, 2007 Jkt 211001 PO 00000 Frm 00044 Fmt 4701 Sfmt 4725 E:\FR\FM\29MRP2.SGM 29MRP2 EP29MR07.019</GPH> rwilkins on PROD1PC63 with PROPOSALS 14982 B. General Instructions rwilkins on PROD1PC63 with PROPOSALS 1. How the Model Privacy Form Is Used The model form may be used, at the option of a financial institution, including a group of affiliates that use a common privacy notice, to meet the content requirements of the privacy notice and opt-out notice set forth in sections 716.6 and 716.7 of this part. (Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681– 1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.) 2. The Contents of the Model Privacy Form The model form consists of two or three pages, depending on whether a financial institution shares in a manner that requires VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 it to provide a third page with opt-out information. (a) Page One. The first page consists of the following components: (1) The title. (2) The key frame (Why?, What?, How?). (3) The disclosure table (‘‘Reasons we can share your personal information’’). (4) Contact information. (b) Page Two. The second page consists of the following components: (1) The title. (2) The Frequently Asked Questions on sharing practices. (3) The definitions. (c) Page Three. The third page consists of a financial institution’s opt-out form. 3. The Format of the Model Privacy Form The model form is a standardized form, including page layout, page content, format, style, pagination, and shading. No other information may be included in the model form, and the model form may be modified only as described below. PO 00000 Frm 00045 Fmt 4701 Sfmt 4702 14983 (a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. Easily readable type font includes a minimum of 10-point font and sufficient spacing between the lines of type. (b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page. (c) Page size and orientation. Each page of the model form must be printed on one side of an 8.5 by 11 inch paper in portrait orientation. (d) Color. The model form may be printed on white or light color paper (such as cream) with black or suitable contrasting color ink. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract from the readability of the model form. E:\FR\FM\29MRP2.SGM 29MRP2 EP29MR07.020</GPH> Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules 14984 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules C. Information Required in the Model Privacy Form The model form is a standardized form, and institutions seeking to obtain the safe harbor through use of the model form may modify the form only as described below: rwilkins on PROD1PC63 with PROPOSALS 1. Name of the Institution or Group of Affiliated Institutions Providing the Notice Include the name of the financial institution or group of affiliated institutions providing the notice on the form wherever [name of financial institution] appears. Contact information, such as the institution’s toll-free telephone number, Web address, or mailing address, or other contact information, should be inserted as appropriate, wherever [toll-free telephone] or [web address] or [mailing address] appear. 2. Page One (a) General instructions for the disclosure table. There are reasons for sharing or using personal information listed in the left column of the disclosure table. Each of these reasons correlates to certain legal provisions described below. In the middle column, each institution must provide a ‘‘Yes’’ or ‘‘No’’ response in each box that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. Each institution also must complete each box in the right column as to whether a consumer can limit such sharing. If an institution answers ‘‘No’’ to sharing for a particular reason in the middle column, it must answer ‘‘We don’t share’’ in the corresponding right column. If an institution answers ‘‘Yes’’ to sharing for a particular reason in the middle column, it must, in the right column, answer either ‘‘No’’ if it does not offer an opt-out or ‘‘Yes (Check your choices, p. 3)’’ if it does offer an opt-out. Except for the sixth row (‘‘For our affiliates to market to you’’), an institution must list all reasons for sharing, and complete the middle and right columns of the disclosure table. (b) Specific disclosures and corresponding legal provisions. (1) For our everyday business purposes. Because all financial institutions share information for everyday business purposes, as contemplated by sections 716.14 and 716.15 of this part, the financial institution must answer ‘‘Yes’’ to the sharing of such information and ‘‘No’’ to the availability of an opt-out. (2) For our marketing purposes. The financial institution must answer ‘‘Yes’’ or ‘‘No’’ in the middle column. An institution that does not share for this reason must answer ‘‘We don’t share’’ in the right column. An institution that shares for this reason may or may not elect to provide an opt-out and must provide the corresponding answer in the right column as described in paragraph C.2.(a) of this Instruction. This provision includes service providers contemplated by section 716.13 of this part. (3) For joint marketing with other financial companies. As contemplated by section 716.13 of this part, the financial institution must answer ‘‘Yes’’ or ‘‘No’’ in the middle column. An institution that does not share for this reason must answer ‘‘We don’t share’’ in the right column. An institution that VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 shares for this reason may or may not elect to provide an opt-out and must provide the corresponding answer in the right column as described in paragraph C.2.(a) of this Instruction. (4) For our affiliates’ everyday business purposes—information about transactions and experiences. This provision applies to sharing of certain information with an institution’s affiliates, as contemplated by sections 603(d)(2)(A)(i) and (ii) of the FCRA. The financial institution must answer ‘‘Yes’’ or ‘‘No’’ in the middle column. An institution that does not share for this reason must answer ‘‘We don’t share’’ in the right column. An institution that does not have any affiliates will also use this answer. Institutions that share for this reason may or may not elect to provide an opt-out and must provide the corresponding answer in the right column as described in paragraph C.2.(a) of this Instruction. (5) For our affiliates’ everyday business purposes—information about creditworthiness. This provision applies to the sharing of certain information with an institution’s affiliates, as contemplated by section 603(d)(2)(A)(iii) of the FCRA. The financial institution must answer ‘‘Yes’’ or ‘‘No’’ in the middle column. An institution that does not share for this reason must answer ‘‘We don’t share’’ in the right column. An institution that does not have any affiliates will also use this answer. Institutions that share for this reason must provide an opt-out and must provide the appropriate answer in the right column as described in paragraph C.2.(a) of this Instruction. (6) For our affiliates to market to you. This provision applies to information shared among affiliates that is used by those affiliates for marketing, as contemplated by section 624 of the FCRA. Following the effective date of the rules implementing section 624, institutions that elect to incorporate this provision into the model form to satisfy their obligations under this part must include this reason for sharing as set forth in the model form in order to obtain the benefit of the safe harbor. Institutions whose affiliates receive such information and use it for marketing must answer ‘‘Yes’’ in the middle column, and ‘‘Yes (Check your choices, p. 3)’’ in the right column corresponding to the availability of an optout. Institutions whose affiliates receive such information and do not use it for marketing may elect to include this provision in the model form and answer ‘‘No’’ in the middle column and ‘‘We don’t share’’ in the right column; however, institutions whose affiliates receive such information and do not use it for marketing are not required to use this provision. Institutions that do not have affiliates and elect to include this provision in their notice will answer ‘‘No’’ in the middle column and ‘‘We don’t share’’ in the right column. (7) For nonaffiliates to market to you. This provision applies to sharing under sections 716.7 and 716.10(a) of this part. Financial institutions that do not share for this reason must answer ‘‘No’’ in the middle column and ‘‘We don’t share’’ in the right column. Financial institutions that do share for this PO 00000 Frm 00046 Fmt 4701 Sfmt 4702 reason must answer ‘‘Yes’’ in the middle column and ‘‘Yes (check your choices, p. 3)’’ corresponding to the availability of an optout. (8) Additional opt-outs. A financial institution may customize the model form to offer opt-outs beyond those required under Federal law, so long as the additional information falls within the space constraints of the model form. If the institution chooses to offer its customers an opt-out for its own marketing or for joint marketing, for example, it can provide for that option by stating: ‘‘Yes (Check your choices, p.3)’’ as to the availability of the opt-out. 3. Page Two (a) General instructions for the definitions. The financial institution must customize the space below the last three definitions in this section (affiliates, nonaffiliates, and joint marketing). This specific information must be in italicized lettering to set off the information from the standardized definitions. (b) Affiliates. As required by section 716.6(a)(3) of this part, the financial institution must identify the categories of its affiliates or state ‘‘[name of financial institution] has no affiliates’’ in italicized lettering where [affiliate information] appears. A financial institution that shares with affiliates must use, as applicable, the following format: ‘‘Our affiliates include companies with a [name of financial institution] name; financial companies such as [list companies]; and nonfinancial companies, such as [list companies].’’ (c) Nonaffiliates. If the financial institution shares with nonaffiliated third parties outside the exceptions in sections 716.14 and 716.15 of this part, the institution must identify the types of nonaffiliated third parties with which it shares or state ‘‘[name of financial institution] does not share with nonaffiliates so they can market to you.’’ in italicized lettering where [nonaffiliate information] appears. A financial institution that shares with nonaffiliated third parties as described here must use, as applicable, the following format: ‘‘Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].’’ (d) Joint Marketing. As required by section 716.13 of this part, the financial institution must identify the types of financial institutions with which it engages in joint marketing or state ‘‘[name of financial institution] doesn’t jointly market.’’ in italicized lettering where [joint marketing] appears. A financial institution that shares with joint marketing partners must use, as applicable, the following format: ‘‘Our joint marketing partners include [list categories of companies such as credit card companies].’’ 4. Page Three Opt-out form. Financial institutions must use page three only if they: (1) Share or use information in a manner that triggers an optout; or (2) choose to provide an opt-out (as disclosed in the table on page 1) in addition to what is required by law. The model opt- E:\FR\FM\29MRP2.SGM 29MRP2 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules rwilkins on PROD1PC63 with PROPOSALS out form must be provided on a separate page of the model form. (a) Contact us. The section describes three common methods by which a consumer exercises an opt-out—by telephone, on the Web, and by mail. Financial institutions may customize this section to provide for the particular opt-out methods and options the institution provides. For example, if an institution offers opting out by telephone and the Web but not by mail, it would provide only telephone and Web information as shown in the model form in the ‘‘Contact Us’’ box. Only institutions that allow more than 30 days after providing the notice before sharing information may change the number of days in the lower right hand section of the box. (b) Check your choices. Institutions must display the applicable opt-out options in the ‘‘Check your choices’’ box shown on this page. If an institution chooses not to offer an opt-out by mail, it must delete the boxes for name, address, account number, and mailing directions in the lower right-hand corner of the model form. Financial institutions that only offer one or two of the opt-out options listed on the model form must list only those options from the model form that apply to their practices and correspond accurately to the disclosures on page one. Thus, if an institution does not share in a manner that requires an opt-out for sharing with nonaffiliates, it must not include that opt-out option on page three of the model form. Institutions requiring information from consumers on the opt-out form other than an account number should modify that designation in the ‘‘Check your choices’’ box. Institutions that require customers with multiple accounts to identify each account to which the opt-out should apply should modify that portion of the model form. (c) Section 624 opt-out. If the financial institution’s affiliates use information for marketing pursuant to section 624 of the FCRA, and the institution elects to consolidate that opt-out notice in the model form, it must include that disclosure and optout election as shown in the model form. Institutions that elect to limit the time for the affiliate marketing opt-out, consistent with the requirements of section 624, must adhere to the requirements of that section and the Agencies’ implementing rule with respect to any subsequent notice and opt-out. Institutions that elect to limit the opt-out period must include a statement in italics, as shown on the model form, that states the period of time for which the opt-out applies. (d) Additional opt-outs. A financial institution that uses the disclosure table to indicate any opt-out choices available to VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 consumers beyond those required by Federal law must include those opt-outs on page three of the model form. For example, if the financial institution discloses in the table that it offers an opt-out for joint marketing, the institution must revise the opt-out form on page three to reflect the availability of an opt-out, such as by adding a check-off box with the words ‘‘Do not share my personal information with other financial institutions to jointly market to me.’’ Likewise, if a financial institution chooses to offer its customers an opt-out for its marketing, it can provide for that option in the disclosure table and on the opt-out form by adding a checkoff box with the words ‘‘Do not share [or use] my personal information to market to me.’’ 7. Amend newly redesignated Appendix B by adding a new sentence immediately after the heading: Appendix B to Part 716—Sample Clauses This Appendix only applies to privacy notices provided until the date that is on or before one year following the date of final publication of this rule. * * * * * * * * 14985 (b) Examples. The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part. (c) Compliance. For non-federally insured credit unions, compliance with an example contained in 12 CFR part 716, to the extent applicable, constitutes compliance with this part. For intrastate securities broker-dealers and investment advisors not registered with the Securities and Exchange Commission, compliance with an example contained in 17 CFR part 248, to the extent applicable, constitutes compliance with this part. 3. In § 313.6, revise paragraph (f) and add paragraph (g) to read as follows: § 313.6 Information to be included in privacy notices. PART 313—PRIVACY OF CONSUMER FINANCIAL INFORMATION * * * * (f) Model privacy form. Pursuant to § 313.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part. (g) Sample clauses. Sample clauses illustrating some of the notice content required by this section are included in Appendix B of this part. Use of a sample clause in a privacy notice provided on or before [DATE ONE YEAR FOLLOWING THE DATE OF PUBLICATION OF THE FINAL RULE], to the extent applicable, constitutes compliance with this part. 4. In § 313.7 add paragraph (i) to read as follows: 1. The authority citation for part 313 continues to read as follows: § 313.7 Form of opt-out notice to consumers; opt-out methods. Federal Trade Commission 16 CFR Chapter I Authority and Issuance For the reasons set forth in the joint preamble, the Federal Trade Commission proposes to amend part 313 of chapter I of title 16 of the Code of Federal Regulations as follows: Authority: 15 U.S.C. 6801 et seq. 2. Revise § 313.2 to read as follows: § 313.2 Model privacy form and rules of construction. (a) Model privacy form. Use of the model privacy form in Appendix A of this part, consistent with the instructions in Appendix A, constitutes compliance with the notice content requirements of §§ 313.6 and 313.7 of this part, although use of the model privacy form is not required. PO 00000 Frm 00047 Fmt 4701 Sfmt 4702 * * * * * * (i) Model privacy form. Pursuant to § 313.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part. Appendix A [Redesignated as Appendix B] 5. Redesignate Appendix A as Appendix B. 6. Add new Appendix A to read as follows: E:\FR\FM\29MRP2.SGM 29MRP2 14986 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules Appendix A to Part 313—Model Privacy Form VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 PO 00000 Frm 00048 Fmt 4701 Sfmt 4725 E:\FR\FM\29MRP2.SGM 29MRP2 EP29MR07.021</GPH> rwilkins on PROD1PC63 with PROPOSALS A. The Model Privacy Form VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 PO 00000 Frm 00049 Fmt 4701 Sfmt 4725 E:\FR\FM\29MRP2.SGM 29MRP2 14987 EP29MR07.022</GPH> rwilkins on PROD1PC63 with PROPOSALS Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules B. General Instructions rwilkins on PROD1PC63 with PROPOSALS 1. How the model privacy form is used. The model form may be used, at the option of a financial institution, including a group of financial holding company affiliates that use a common privacy notice, to meet the content requirements of the privacy notice and opt-out notice set forth in sections 313.6 and 313.7 of this part. (Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681– 1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.) 2. The Contents of the Model Privacy Form The model form consists of two or three pages, depending on whether a financial institution shares in a manner that requires VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 it to provide a third page with opt-out information. (a) Page One. The first page consists of the following components: (1) The title. (2) The key frame (Why?, What?, How?). (3) The disclosure table (‘‘Reasons we can share your personal information’’). (4) Contact information. (b) Page Two. The second page consists of the following components: (1) The title. (2) The Frequently Asked Questions on sharing practices. (3) The definitions. (c) Page Three. The third page consists of a financial institution’s opt-out form. 3. The Format of the Model Privacy Form The model form is a standardized form, including page layout, page content, format, style, pagination, and shading. No other information may be included in the model form, and the model form may be modified only as described below. PO 00000 Frm 00050 Fmt 4701 Sfmt 4702 (a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. Easily readable type font includes a minimum of 10-point font and sufficient spacing between the lines of type. (b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page. (c) Page size and orientation. Each page of the model form must be printed on one side of an 8.5 by 11 inch paper in portrait orientation. (d) Color. The model form may be printed on white or light color paper (such as cream) with black or suitable contrasting color ink. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract from the readability of the model form. E:\FR\FM\29MRP2.SGM 29MRP2 EP29MR07.023</GPH> 14988 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules C. Information Required in the Model Privacy Form The model form is a standardized form, and institutions seeking to obtain the safe harbor through use of the model form may modify the form only as described below: rwilkins on PROD1PC63 with PROPOSALS 1. Name of the Institution or Group of Affiliated Institutions Providing the Notice Include the name of the financial institution or group of affiliated institutions providing the notice on the form wherever [name of financial institution] appears. Contact information, such as the institution’s toll-free telephone number, Web address, or mailing address, or other contact information, should be inserted as appropriate, wherever [toll-free telephone] or [web address] or [mailing address] appear. 2. Page One (a) General instructions for the disclosure table. There are reasons for sharing or using personal information listed in the left column of the disclosure table. Each of these reasons correlates to certain legal provisions described below. In the middle column, each institution must provide a ‘‘Yes’’ or ‘‘No’’ response in each box that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. Each institution also must complete each box in the right column as to whether a consumer can limit such sharing. If an institution answers ‘‘No’’ to sharing for a particular reason in the middle column, it must answer ‘‘We don’t share’’ in the corresponding right column. If an institution answers ‘‘Yes’’ to sharing for a particular reason in the middle column, it must, in the right column, answer either ‘‘No’’ if it does not offer an opt-out or ‘‘Yes (Check your choices, p. 3)’’ if it does offer an opt-out. Except for the sixth row (‘‘For our affiliates to market to you’’), an institution must list all reasons for sharing, and complete the middle and right columns of the disclosure table. (b) Specific disclosures and corresponding legal provisions. (1) For our everyday business purposes. Because all financial institutions share information for everyday business purposes, as contemplated by sections 313.14 and 313.15 of this part, the financial institution must answer ‘‘Yes’’ to the sharing of such information and ‘‘No’’ to the availability of an opt-out. (2) For our marketing purposes. The financial institution must answer ‘‘Yes’’ or ‘‘No’’ in the middle column. An institution that does not share for this reason must answer ‘‘We don’t share’’ in the right column. An institution that shares for this reason may or may not elect to provide an opt-out and must provide the corresponding answer in the right column as described in paragraph C.2.(a) of this Instruction. This provision includes service providers contemplated by section 313.13 of this part. (3) For joint marketing with other financial companies. As contemplated by section 313.13 of this part, the financial institution must answer ‘‘Yes’’ or ‘‘No’’ in the middle column. An institution that does not share for this reason must answer ‘‘We don’t share’’ in the right column. An institution that VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 shares for this reason may or may not elect to provide an opt-out and must provide the corresponding answer in the right column as described in paragraph C.2.(a) of this Instruction. (4) For our affiliates’ everyday business purposes—information about transactions and experiences. This provision applies to sharing of certain information with an institution’s affiliates, as contemplated by sections 603(d)(2)(A)(i) and (ii) of the FCRA. The financial institution must answer ‘‘Yes’’ or ‘‘No’’ in the middle column. An institution that does not share for this reason must answer ‘‘We don’t share’’ in the right column. An institution that does not have any affiliates will also use this answer. Institutions that share for this reason may or may not elect to provide an opt-out and must provide the corresponding answer in the right column as described in paragraph C.2.(a) of this Instruction. (5) For our affiliates’ everyday business purposes—information about creditworthiness. This provision applies to the sharing of certain information with an institution’s affiliates, as contemplated by section 603(d)(2)(A)(iii) of the FCRA. The financial institution must answer ‘‘Yes’’ or ‘‘No’’ in the middle column. An institution that does not share for this reason must answer ‘‘We don’t share’’ in the right column. An institution that does not have any affiliates will also use this answer. Institutions that share for this reason must provide an opt-out and must provide the appropriate answer in the right column as described in paragraph C.2.(a) of this Instruction. (6) For our affiliates to market to you. This provision applies to information shared among affiliates that is used by those affiliates for marketing, as contemplated by section 624 of the FCRA. Following the effective date of the rules implementing section 624, institutions that elect to incorporate this provision into the model form to satisfy their obligations under this part must include this reason for sharing as set forth in the model form in order to obtain the benefit of the safe harbor. Institutions whose affiliates receive such information and use it for marketing must answer ‘‘Yes’’ in the middle column, and ‘‘Yes (Check your choices, p. 3)’’ in the right column corresponding to the availability of an optout. Institutions whose affiliates receive such information and do not use it for marketing may elect to include this provision in the model form and answer ‘‘No’’ in the middle column and ‘‘We don’t share’’ in the right column; however, institutions whose affiliates receive such information and do not use it for marketing are not required to use this provision. Institutions that do not have affiliates and elect to include this provision in their notice will answer ‘‘No’’ in the middle column and ‘‘We don’t share’’ in the right column. (7) For nonaffiliates to market to you. This provision applies to sharing under sections 313.7 and 313.10(a) of this part. Financial institutions that do not share for this reason must answer ‘‘No’’ in the middle column and ‘‘We don’t share’’ in the right column. Financial institutions that do share for this PO 00000 Frm 00051 Fmt 4701 Sfmt 4702 14989 reason must answer ‘‘Yes’’ in the middle column and ‘‘Yes (check your choices, p. 3)’’ corresponding to the availability of an optout. (8) Additional opt-outs. A financial institution may customize the model form to offer opt-outs beyond those required under Federal law, so long as the additional information falls within the space constraints of the model form. If the institution chooses to offer its customers an opt-out for its own marketing or for joint marketing, for example, it can provide for that option by stating: ‘‘Yes (Check your choices, p. 3)’’ as to the availability of the opt-out. 3. Page Two (a) General instructions for the Definitions. The financial institution must customize the space below the last three definitions in this section (affiliates, nonafffiliates, and joint marketing). This specific information must be in italicized lettering to set off the information from the standardized definitions. (b) Affiliates. As required by section 313.6(a)(3) of this part, the financial institution must identify the categories of its affiliates or state ‘‘[name of financial institution] has no affiliates’’ in italicized lettering where [affiliate information] appears. A financial institution that shares with affiliates must use, as applicable, the following format: ‘‘Our affiliates include companies with a [name of financial institution] name; financial companies such as [list companies]; and nonfinancial companies, such as [list companies].’’ (c) Nonaffiliates. If the financial institution shares with nonaffiliated third parties outside the exceptions in sections 313.14 and 313.15 of this part, the institution must identify the types of nonaffiliated third parties with which it shares or state ‘‘[name of financial institution] does not share with nonaffiliates so they can market to you.’’ in italicized lettering where [nonaffiliate information] appears. A financial institution that shares with nonaffiliated third parties as described here must use, as applicable, the following format: ‘‘Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].’’ (d) Joint Marketing. As required by section 313.13 of this part, the financial institution must identify the types of financial institutions with which it engages in joint marketing or state ‘‘[name of financial institution] doesn’t jointly market.’’ in italicized lettering where [joint marketing] appears. A financial institution that shares with joint marketing partners must use, as applicable, the following format: ‘‘Our joint marketing partners include [list categories of companies such as credit card companies].’’ 4. Page Three Opt-out form. Financial institutions must use page three only if they: (1) share or use information in a manner that triggers an optout; or (2) choose to provide an opt-out (as disclosed in the table on page 1) in addition to what is required by law. The model optout form must be provided on a separate page of the model form. E:\FR\FM\29MRP2.SGM 29MRP2 14990 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules rwilkins on PROD1PC63 with PROPOSALS (a) Contact us. The section describes three common methods by which a consumer exercises an opt-out—by telephone, on the Web, and by mail. Financial institutions may customize this section to provide for the particular opt-out methods and options the institution provides. For example, if an institution offers opting out by telephone and the Web but not by mail, it would provide only telephone and Web information as shown in the model form in the ‘‘Contact Us’’ box. Only institutions that allow more than 30 days after providing the notice before sharing information may change the number of days in the lower right hand section of the box. (b) Check your choices. Institutions must display the applicable opt-out options in the ‘‘Check your choices’’ box shown on this page. If an institution chooses not to offer an opt-out by mail, it must delete the boxes for name, address, account number, and mailing directions in the lower right-hand corner of the model form. Financial institutions that only offer one or two of the opt-out options listed on the model form must list only those options from the model form that apply to their practices and correspond accurately to the disclosures on page one. Thus, if an institution does not share in a manner that requires an opt-out for sharing with nonaffiliates, it must not include that opt-out option on page three of the model form. Institutions requiring information from consumers on the opt-out form other than an account number should modify that designation in the ‘‘Check your choices’’ box. Institutions that require customers with multiple accounts to identify each account to which the opt-out should apply should modify that portion of the model form. (c) Section 624 opt-out. If the financial institution’s affiliates use information for marketing pursuant to section 624 of the FCRA, and the institution elects to consolidate that opt-out notice in the model form, it must include that disclosure and optout election as shown in the model form. Institutions that elect to limit the time for the affiliate marketing opt-out, consistent with the requirements of section 624, must adhere to the requirements of that section and the Agencies’ implementing rule with respect to any subsequent notice and opt-out. Institutions that elect to limit the opt-out period must include a statement in italics, as shown on the model form, that states the period of time for which the opt-out applies. (d) Additional opt-outs. A financial institution that uses the disclosure table to indicate any opt-out choices available to consumers beyond those required by Federal law must include those opt-outs on page three of the model form. For example, if the financial institution discloses in the table VerDate Aug<31>2005 19:33 Mar 28, 2007 Jkt 211001 that it offers an opt-out for joint marketing, the institution must revise the opt-out form on page three to reflect the availability of an opt-out, such as by adding a check-off box with the words ‘‘Do not share my personal information with other financial institutions to jointly market to me.’’ Likewise, if a financial institution chooses to offer its customers an opt-out for its marketing, it can provide for that option in the disclosure table and on the opt-out form by adding a checkoff box with the words ‘‘Do not share [or use] my personal information to market to me.’’ 7. Amend newly redesignated Appendix B by adding a new sentence immediately after the heading: Appendix B to Part 313–Sample Clauses This Appendix only applies to privacy notices provided until the date that is on or before one year following the date of final publication of this rule. * * * * * * * * Commodity Futures Trading Commission 17 CFR Chapter I Authority and Issuance For the reasons set forth in the joint preamble, the Commodity Futures Trading Commission proposes to amend part 160 of chapter I of title 17 of the Code of Federal Regulations as follows: PART 160—PRIVACY OF CONSUMER FINANCIAL INFORMATION 1. The authority citation for part 160 continues to read as follows: Authority: 7 U.S.C. 7b–2 and 12a(5); 15 U.S.C. 6801 et seq. 2. Revise § 160.2 to read as follows: § 160.2 Model privacy form and rules of construction. (a) Model privacy form. Use of the model privacy form in Appendix A of this part, consistent with the instructions in Appendix A, constitutes compliance with the notice content requirements of §§ 160.6 and 160.7 of this part, although use of the model privacy form is not required. (b) Examples. The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part. (c) Substituted compliance. PO 00000 Frm 00052 Fmt 4701 Sfmt 4702 (1) Any person or entity otherwise subject to this part that is subject to and in compliance with the Securities and Exchange Commission Regulation S–P, 17 CFR part 248, will be deemed to be in compliance with this part. (2) Any commodity trading advisor otherwise subject to this part that is registered or required to be registered as an investment adviser in the state in which it maintains its principal office and place of business as defined in § 275.203A–3 of this title, and that is subject to and in compliance with 16 CFR part 313, will be deemed to be in compliance with this part. 3. In § 160.6, revise paragraph (f) and add paragraph (g) to read as follows: § 160.6 Information to be included in privacy notices. * * * * * (f) Model privacy form. Pursuant to § 160.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part. (g) Sample clauses. Sample clauses illustrating some of the notice content required by this section are included in Appendix B of this part. Use of a sample clause in a privacy notice provided on or before [DATE ONE YEAR FOLLOWING THE DATE OF PUBLICATION OF THE FINAL RULE], to the extent applicable, constitutes compliance with this part. 4. In § 160.7 add paragraph (i) to read as follows: § 160.7 Form of opt-out notice to consumers; opt-out methods. * * * * * (i) Model privacy form. Pursuant to § 160.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part. Appendix A [Redesignated as Appendix B] 5. Redesignate Appendix A as Appendix B. 6. Add new Appendix A to read as follows: Appendix A to Part 160—Model Privacy Form A. The Model Privacy Form E:\FR\FM\29MRP2.SGM 29MRP2 VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 PO 00000 Frm 00053 Fmt 4701 Sfmt 4725 E:\FR\FM\29MRP2.SGM 29MRP2 14991 EP29MR07.024</GPH> rwilkins on PROD1PC63 with PROPOSALS Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules VerDate Aug<31>2005 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules 19:04 Mar 28, 2007 Jkt 211001 PO 00000 Frm 00054 Fmt 4701 Sfmt 4725 E:\FR\FM\29MRP2.SGM 29MRP2 EP29MR07.025</GPH> rwilkins on PROD1PC63 with PROPOSALS 14992 B. General Instructions rwilkins on PROD1PC63 with PROPOSALS 1. How the Model Privacy Form Is Used The model form may be used, at the option of a financial institution, including a group of financial holding company affiliates that use a common privacy notice, to meet the content requirements of the privacy notice and opt-out notice set forth in sections 160.6 and 160.7 of this part. (Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681– 1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.) 2. The Contents of the Model Privacy Form The model form consists of two or three pages, depending on whether a financial institution shares in a manner that requires VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 it to provide a third page with opt-out information. (a) Page One. The first page consists of the following components: (1) The title. (2) The key frame (Why?, What?, How?). (3) The disclosure table (‘‘Reasons we can share your personal information’’). (4) Contact information. (b) Page Two. The second page consists of the following components: (1) The title. (2) The Frequently Asked Questions on sharing practices. (3) The definitions. (c) Page Three. The third page consists of a financial institution’s opt-out form. 3. The Format of the Model Privacy Form The model form is a standardized form, including page layout, page content, format, style, pagination, and shading. No other information may be included in the model form, and the model form may be modified only as described below. PO 00000 Frm 00055 Fmt 4701 Sfmt 4702 14993 (a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. Easily readable type font includes a minimum of 10-point font and sufficient spacing between the lines of type. (b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page. (c) Page size and orientation. Each page of the model form must be printed on one side of an 8.5 by 11 inch paper in portrait orientation. (d) Color. The model form may be printed on white or light color paper (such as cream) with black or suitable contrasting color ink. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract from the readability of the model form. E:\FR\FM\29MRP2.SGM 29MRP2 EP29MR07.026</GPH> Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules 14994 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules C. Information Required in the Model Privacy Form The model form is a standardized form, and institutions seeking to obtain the safe harbor through use of the model form may modify the form only as described below: rwilkins on PROD1PC63 with PROPOSALS 1. Name of the Institution or Group of Affiliated Institutions Providing the Notice Include the name of the financial institution or group of affiliated institutions providing the notice on the form wherever [name of financial institution] appears. Contact information, such as the institution’s toll-free telephone number, Web address, or mailing address, or other contact information, should be inserted as appropriate, wherever [toll-free telephone] or [web address] or [mailing address] appear. 2. Page One (a) General instructions for the disclosure table. There are reasons for sharing or using personal information listed in the left column of the disclosure table. Each of these reasons correlates to certain legal provisions described below. In the middle column, each institution must provide a ‘‘Yes’’ or ‘‘No’’ response in each box that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. Each institution also must complete each box in the right column as to whether a consumer can limit such sharing. If an institution answers ‘‘No’’ to sharing for a particular reason in the middle column, it must answer ‘‘We don’t share’’ in the corresponding right column. If an institution answers ‘‘Yes’’ to sharing for a particular reason in the middle column, it must, in the right column, answer either ‘‘No’’ if it does not offer an opt-out or ‘‘Yes (Check your choices, p.3)’’ if it does offer an opt-out. Except for the sixth row (‘‘For our affiliates to market to you’’), an institution must list all reasons for sharing, and complete the middle and right columns of the disclosure table. (b) Specific disclosures and corresponding legal provisions. (1) For our everyday business purposes. Because all financial institutions share information for everyday business purposes, as contemplated by sections 160.14 and 160.15 of this part, the financial institution must answer ‘‘Yes’’ to the sharing of such information and ‘‘No’’ to the availability of an opt-out. (2) For our marketing purposes. The financial institution must answer ‘‘Yes’’ or ‘‘No’’ in the middle column. An institution that does not share for this reason must answer ‘‘We don’t share’’ in the right column. An institution that shares for this reason may or may not elect to provide an opt-out and must provide the corresponding answer in the right column as described in paragraph C.2.(a) of this Instruction. This provision includes service providers contemplated by section 160.13 of this part. (3) For joint marketing with other financial companies. As contemplated by section 160.13 of this part, the financial institution must answer ‘‘Yes’’ or ‘‘No’’ in the middle column. An institution that does not share for this reason must answer ‘‘We don’t share’’ in the right column. An institution that VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 shares for this reason may or may not elect to provide an opt-out and must provide the corresponding answer in the right column as described in paragraph C.2.(a) of this Instruction. (4) For our affiliates’ everyday business purposes ‘‘ information about transactions and experiences. This provision applies to sharing of certain information with an institution’s affiliates, as contemplated by sections 603(d)(2)(A) (i) and (ii) of the FCRA. The financial institution must answer ‘‘Yes’’ or ‘‘No’’ in the middle column. An institution that does not share for this reason must answer ‘‘We don’t share’’ in the right column. An institution that does not have any affiliates will also use this answer. Institutions that share for this reason may or may not elect to provide an opt-out and must provide the corresponding answer in the right column as described in paragraph C.2.(a) of this Instruction. (5) For our affiliates’ everyday business purposes ‘‘ information about creditworthiness. This provision applies to the sharing of certain information with an institution’s affiliates, as contemplated by section 603(d)(2)(A)(iii) of the FCRA. The financial institution must answer ‘‘Yes’’ or ‘‘No’’ in the middle column. An institution that does not share for this reason must answer ‘‘We don’t share’’ in the right column. An institution that does not have any affiliates will also use this answer. Institutions that share for this reason must provide an opt-out and must provide the appropriate answer in the right column as described in paragraph C.2.(a) of this Instruction. (6) For our affiliates to market to you. This provision applies to information shared among affiliates that is used by those affiliates for marketing, as contemplated by section 624 of the FCRA. Following the effective date of the rules implementing section 624, institutions that elect to incorporate this provision into the model form to satisfy their obligations under this part must include this reason for sharing as set forth in the model form in order to obtain the benefit of the safe harbor. Institutions whose affiliates receive such information and use it for marketing must answer ‘‘Yes’’ in the middle column, and ‘‘Yes (Check your choices, p.3)’’ in the right column corresponding to the availability of an optout. Institutions whose affiliates receive such information and do not use it for marketing may elect to include this provision in the model form and answer ‘‘No’’ in the middle column and ‘‘We don’t share’’ in the right column; however, institutions whose affiliates receive such information and do not use it for marketing are not required to use this provision. Institutions that do not have affiliates and elect to include this provision in their notice will answer ‘‘No’’ in the middle column and ‘‘We don’t share’’ in the right column. (7) For nonaffiliates to market to you. This provision applies to sharing under sections 160.7 and 160.10(a) of this part. Financial institutions that do not share for this reason must answer ‘‘No’’ in the middle column and ‘‘We don’t share’’ in the right column. Financial institutions that do share for this PO 00000 Frm 00056 Fmt 4701 Sfmt 4702 reason must answer ‘‘Yes’’ in the middle column and ‘‘Yes (check your choices, p. 3)’’ corresponding to the availability of an optout. (8) Additional opt-outs. A financial institution may customize the model form to offer opt-outs beyond those required under Federal law, so long as the additional information falls within the space constraints of the model form. If the institution chooses to offer its customers an opt-out for its own marketing or for joint marketing, for example, it can provide for that option by stating: ‘‘Yes (Check your choices, p.3)’’ as to the availability of the opt-out. 3. Page Two (a) General instructions for the Definitions. The financial institution must customize the space below the last three definitions in this section (affiliates, nonafffiliates, and joint marketing). This specific information must be in italicized lettering to set off the information from the standardized definitions. (b) Affiliates. As required by section 160.6(a)(3) of this part, the financial institution must identify the categories of its affiliates or state ‘‘[name of financial institution] has no affiliates’’ in italicized lettering where [affiliate information] appears. A financial institution that shares with affiliates must use, as applicable, the following format: ‘‘Our affiliates include companies with a [name of financial institution] name; financial companies such as [list companies]; and nonfinancial companies, such as [list companies].’’ (c) Nonaffiliates. If the financial institution shares with nonaffiliated third parties outside the exceptions in sections 160.14 and 160.15 of this part, the institution must identify the types of nonaffiliated third parties with which it shares or state ‘‘[name of financial institution] does not share with nonaffiliates so they can market to you.’’ in italicized lettering where [nonaffiliate information] appears. A financial institution that shares with nonaffiliated third parties as described here must use, as applicable, the following format: ‘‘Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].’’ (d) Joint Marketing. As required by section 160.13 of this part, the financial institution must identify the types of financial institutions with which it engages in joint marketing or state ‘‘[name of financial institution] doesn’t jointly market.’’ in italicized lettering where [joint marketing] appears. A financial institution that shares with joint marketing partners must use, as applicable, the following format: ‘‘Our joint marketing partners include [list categories of companies such as credit card companies].’’ 4. Page Three Opt-out form. Financial institutions must use page three only if they: (1) Share or use information in a manner that triggers an optout; or (2) choose to provide an opt-out (as disclosed in the table on page 1) in addition to what is required by law. The model optout form must be provided on a separate page of the model form. E:\FR\FM\29MRP2.SGM 29MRP2 rwilkins on PROD1PC63 with PROPOSALS Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules (a) Contact us. The section describes three common methods by which a consumer exercises an opt-out—by telephone, on the Web, and by mail. Financial institutions may customize this section to provide for the particular opt-out methods and options the institution provides. For example, if an institution offers opting out by telephone and the Web but not by mail, it would provide only telephone and Web information as shown in the model form in the ‘‘Contact Us’’ box. Only institutions that allow more than 30 days after providing the notice before sharing information may change the number of days in the lower right hand section of the box. (b) Check your choices. Institutions must display the applicable opt-out options in the ‘‘Check your choices’’ box shown on this page. If an institution chooses not to offer an opt-out by mail, it must delete the boxes for name, address, account number, and mailing directions in the lower right-hand corner of the model form. Financial institutions that only offer one or two of the opt-out options listed on the model form must list only those options from the model form that apply to their practices and correspond accurately to the disclosures on page one. Thus, if an institution does not share in a manner that requires an opt-out for sharing with nonaffiliates, it must not include that opt-out option on page three of the model form. Institutions requiring information from consumers on the opt-out form other than an account number should modify that designation in the ‘‘Check your choices’’ box. Institutions that require customers with multiple accounts to identify each account to which the opt-out should apply should modify that portion of the model form. (c) Section 624 opt-out. If the financial institution’s affiliates use information for marketing pursuant to section 624 of the FCRA, and the institution elects to consolidate that opt-out notice in the model form, it must include that disclosure and optout election as shown in the model form. Institutions that elect to limit the time for the affiliate marketing opt-out, consistent with the requirements of section 624, must adhere to the requirements of that section and the Agencies’ implementing rule with respect to any subsequent notice and opt-out. Institutions that elect to limit the opt-out period must include a statement in italics, as shown on the model form, that states the period of time for which the opt-out applies. (d) Additional opt-outs. A financial institution that uses the disclosure table to indicate any opt-out choices available to consumers beyond those required by Federal law must include those opt-outs on page three of the model form. For example, if the financial institution discloses in the table that it offers an opt-out for joint marketing, the institution must revise the opt-out form on page three to reflect the availability of an opt-out, such as by adding a check-off box with the words ‘‘Do not share my personal information with other financial institutions to jointly market to me.’’ Likewise, if a financial institution chooses to offer its customers an opt-out for its marketing, it can provide for that option in the disclosure table and on the opt-out form by adding a check- VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 off box with the words ‘‘Do not share [or use] my personal information to market to me.’’ 7. Amend newly redesignated Appendix B by adding a new sentence immediately after the heading: Appendix B to Part 160—Sample Clauses This Appendix only applies to privacy notices provided until the date that is on or before one year following the date of final publication of this rule. * * * * * * * * Securities and Exchange Commission Statutory Authority The Commission is proposing to amend Regulation S–P pursuant to authority set forth in section 728 of the Regulatory Relief Act [Pub. L. 109–351], section 504 of the GLB Act [15 U.S.C. 6804], section 23 of the Securities Exchange Act [15 U.S.C. 78w], section 38(a) of the Investment Company Act [15 U.S.C. 80a–37(a)], and section 211 of the Investment Advisers Act [15 U.S.C. 80b–11]. Text of Proposed Amendments For the reasons set forth in the preamble, the Commission proposes to amend Title 17, Chapter II of the Code of Federal Regulations as follows: PART 248—REGULATION S–P: PRIVACY OF CONSUMER FINANCIAL INFORMATION 1. Revise the authority citation for part 248 to read as follows: Authority: 15 U.S.C. 78q; 78w; 78mm; 80a– 30(a); 80a–37; 80b–4; 80b–11; 1681w; and 6801–6809. 2. Revise § 248.2 to read as follows: 14995 merchant or introducing broker (as those terms are defined in the Commodity Exchange Act (7 U.S.C. 1, et seq.)) registered by notice with the Commission for the purpose of conducting business in security futures products pursuant to section 15(b)(11)(A) of the Securities Exchange Act of 1934 (15 U.S.C. 78o(b)(11)(A)) that is subject to and in compliance with the financial privacy rules of the Commodity Futures Trading Commission (17 CFR part 160) will be deemed to be in compliance with this part. * * * * * 3. Amend § 248.6 by revising paragraph (f) and adding paragraph (g) to read as follows: § 248.6 Information to be included in privacy notices. * * * * * (f) Model Form S–P. Pursuant to § 248.2(a) and Appendix A of this part, Form S–P meets the notice content requirements of this section. (g) Sample clauses. Sample clauses illustrating some of the notice content required by this section are included in Appendix B of this part. The sample clauses in Appendix B of this part provide guidance concerning the rule’s application in ordinary circumstances in a privacy notice provided on or before [ONE YEAR FOLLOWING THE DATE OF PUBLICATION OF THE FINAL RULE]. The facts and circumstances of each individual situation, however, will determine whether compliance with a sample clause constitutes compliance with this part. 4. Amend § 248.7 by adding paragraph (i) to read as follows: § 248.2 Model privacy form; rule of construction. § 248.7 Form of opt-out notice to consumers; opt-out methods. (a) Model privacy form. Use of Form S–P (see Appendix A of this part), consistent with the instructions to the form, constitutes compliance with the notice content requirements of §§ 248.6 and 248.7 of this part, although use of Form S–P is not required. (b) Examples. The examples in this part provide guidance concerning the rule’s application in ordinary circumstances. The facts and circumstances of each individual situation, however, will determine whether compliance with an example, to the extent practicable, constitutes compliance with this part. (c) Substituted compliance with CFTC financial privacy rules by futures commission merchants and introducing brokers. Except with respect to § 248.30(b), any futures commission * PO 00000 Frm 00057 Fmt 4701 Sfmt 4702 * * * * (i) Model Form S–P. Pursuant to § 248.2(a) and Appendix A of this part, Form S–P meets the notice content requirements of this section. Appendix A [Redesignated as Appendix B] 5. Redesignate Appendix A to Part 248 as Appendix B. 6. Add new Appendix A to read as follows: Appendix A to Part 248—Form S–P (1) Any person may obtain a copy of Form S–P prescribed for use in this part by written request to the Securities and Exchange Commission, 100 F Street, NE., Washington, DC 20549. Any person also may view this form at: [Web site URL]. (2) Use of Form S–P by brokers, dealers, and investment companies, and investment E:\FR\FM\29MRP2.SGM 29MRP2 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules rwilkins on PROD1PC63 with PROPOSALS advisers registered with the Commission constitutes compliance with the notice content requirements of §§ 248.6 and 248.7 of this part. VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 7. Form S–P (referenced in Appendix A of this part) is added to read as follows: Note: The text of Form S–P does not, and this amendment will not, appear in the Code of Federal Regulations. PO 00000 Frm 00058 Fmt 4701 Sfmt 4725 Securities and Exchange Commission—Form S–P A. Model Privacy Form E:\FR\FM\29MRP2.SGM 29MRP2 EP29MR07.027</GPH> 14996 VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 PO 00000 Frm 00059 Fmt 4701 Sfmt 4725 E:\FR\FM\29MRP2.SGM 29MRP2 14997 EP29MR07.028</GPH> rwilkins on PROD1PC63 with PROPOSALS Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules 2. The contents of the model privacy form 1. How the Model Privacy Form is Used rwilkins on PROD1PC63 with PROPOSALS B. General Instructions The model form consists of two or three pages, depending on whether a financial institution shares in a manner that requires it to provide a third page with opt-out information. (a) Page One. The first page consists of the following components: (1) The title. (2) The key frame (Why?, What?, How?). (3) The disclosure table (‘‘Reasons we can share your personal information’’). (4) Contact information. (b) Page Two. The second page consists of the following components: (1) The title. (2) The Frequently Asked Questions on sharing practices. (3) The definitions. The model form may be used, at the option of a financial institution, including a group of financial holding company affiliates that use a common privacy notice, to meet the content requirements of the privacy notice and opt-out notice set forth in sections 248.6 and 248.7 of this part. (Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681— 1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.) VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 PO 00000 Frm 00060 Fmt 4701 Sfmt 4702 (c) Page Three. The third page consists of a financial institution’s opt-out form. 3. The Format of the Model Privacy Form The model form is a standardized form, including page layout, page content, format, style, pagination, and shading. No other information may be included in the model form, and the model form may be modified only as described below. (a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. Easily readable type font includes a minimum of 10-point font and sufficient spacing between the lines of type. (b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page. E:\FR\FM\29MRP2.SGM 29MRP2 EP29MR07.029</GPH> 14998 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules (c) Page size and orientation. Each page of the model form must be printed on one side of an 8.5 by 11 inch paper in portrait orientation. (d) Color. The model form may be printed on white or light color paper (such as cream) with black or suitable contrasting color ink. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract from the readability of the model form. C. Information Required in the Model Privacy Form The model form is a standardized form, and institutions seeking to obtain the safe harbor through use of the model form may modify the form only as described below: rwilkins on PROD1PC63 with PROPOSALS 1. Name of the Institution or Group of Affiliated Institutions Providing the Notice Include the name of the financial institution or group of affiliated institutions providing the notice on the form wherever [name of financial institution] appears. Contact information, such as the institution’s toll-free telephone number, Web address, or mailing address, or other contact information, should be inserted as appropriate, wherever [toll-free telephone] or [web address] or [mailing address] appear. 2. Page One (a) General instructions for the disclosure table. There are reasons for sharing or using personal information listed in the left column of the disclosure table. Each of these reasons correlates to certain legal provisions described below. In the middle column, each institution must provide a ‘‘Yes’’ or ‘‘No’’ response in each box that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. Each institution also must complete each box in the right column as to whether a consumer can limit such sharing. If an institution answers ‘‘No’’ to sharing for a particular reason in the middle column, it must answer ‘‘We don’t share’’ in the corresponding right column. If an institution answers ‘‘Yes’’ to sharing for a particular reason in the middle column, it must, in the right column, answer either ‘‘No’’ if it does not offer an opt-out or ‘‘Yes (Check your choices, p.3)’’ if it does offer an opt-out. Except for the sixth row (‘‘For our affiliates to market to you’’), an institution must list all reasons for sharing, and complete the middle and right columns of the disclosure table. (b) Specific disclosures and corresponding legal provisions. (1) For our everyday business purposes. Because all financial institutions share information for everyday business purposes, as contemplated by sections 248.14 and 248.15 of this part, the financial institution must answer ‘‘Yes’’ to the sharing of such information and ‘‘No’’ to the availability of an opt-out. (2) For our marketing purposes. The financial institution must answer ‘‘Yes’’ or ‘‘No’’ in the middle column. An institution that does not share for this reason must answer ‘‘We don’t share’’ in the right column. An institution that shares for this reason may or may not elect to provide an opt-out and must provide the corresponding answer in VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 the right column as described in paragraph C.2.(a) of this Instruction. This provision includes service providers contemplated by section 248.13 of this part. (3) For joint marketing with other financial companies. As contemplated by section 248.13 of this part, the financial institution must answer ‘‘Yes’’ or ‘‘No’’ in the middle column. An institution that does not share for this reason must answer ‘‘We don’t share’’ in the right column. An institution that shares for this reason may or may not elect to provide an opt-out and must provide the corresponding answer in the right column as described in paragraph C.2.(a) of this Instruction. (4) For our affiliates’ everyday business purposes—information about transactions and experiences. This provision applies to sharing of certain information with an institution’s affiliates, as contemplated by sections 603(d)(2)(A)(i) and (ii) of the FCRA. The financial institution must answer ‘‘Yes’’ or ‘‘No’’ in the middle column. An institution that does not share for this reason must answer ‘‘We don’t share’’ in the right column. An institution that does not have any affiliates will also use this answer. Institutions that share for this reason may or may not elect to provide an opt-out and must provide the corresponding answer in the right column as described in paragraph C.2.(a) of this Instruction. (5) For our affiliates’ everyday business purposes—information about creditworthiness. This provision applies to the sharing of certain information with an institution’s affiliates, as contemplated by section 603(d)(2)(A)(iii) of the FCRA. The financial institution must answer ‘‘Yes’’ or ‘‘No’’ in the middle column. An institution that does not share for this reason must answer ‘‘We don’t share’’ in the right column. An institution that does not have any affiliates will also use this answer. Institutions that share for this reason must provide an opt-out and must provide the appropriate answer in the right column as described in paragraph C.2.(a) of this Instruction. (6) For our affiliates to market to you. This provision applies to information shared among affiliates that is used by those affiliates for marketing, as contemplated by section 624 of the FCRA. Following the effective date of the rules implementing section 624, institutions that elect to incorporate this provision into the notice required under this part must include this reason for sharing as set forth in the model form. Institutions whose affiliates receive such information and use it for marketing must answer ‘‘Yes’’ in the middle column, and ‘‘Yes (Check your choices, p.3)’’ in the right column corresponding to the availability of an opt-out. Institutions whose affiliates receive such information and do not use it for marketing may elect to include this provision in the model form and answer ‘‘No’’ in the middle column and ‘‘We don’t share’’ in the right column; however, institutions whose affiliates receive such information and do not use it for marketing are not required to use this provision. Institutions that do not have affiliates and elect to include this provision in their notice PO 00000 Frm 00061 Fmt 4701 Sfmt 4702 14999 will answer ‘‘No’’ in the middle column and ‘‘We don’t share’’ in the right column. (7) For nonaffiliates to market to you. This provision applies to sharing under sections 248.7 and 248.10(a) of this part. Financial institutions that do not share for this reason must answer ‘‘No’’ in the middle column and ‘‘We don’t share’’ in the right column. Financial institutions that do share for this reason must answer ‘‘Yes’’ in the middle column and ‘‘Yes (check your choices, p. 3)’’ corresponding to the availability of an optout. (8) Additional opt-outs. A financial institution may customize the model form to offer opt-outs beyond those required under Federal law, so long as the additional information falls within the space constraints of the model form. If the institution chooses to offer its customers an opt-out for its own marketing or for joint marketing, for example, it can provide for that option by stating: ‘‘Yes (Check your choices, p.3)’’ as to the availability of the opt-out. 3. Page Two (a) General instructions for the Definitions. The financial institution must customize the space below the last three definitions in this section (affiliates, nonafffiliates, and joint marketing). This specific information must be in italicized lettering to set off the information from the standardized definitions. (b) Affiliates. As required by section 248.6(a)(3) of this part, the financial institution must identify the categories of its affiliates or state ‘‘[name of financial institution] has no affiliates’’ in italicized lettering where [affiliate information] appears. A financial institution that shares with affiliates must use, as applicable, the following format: ‘‘Our affiliates include companies with a [name of financial institution] name; financial companies such as [list companies]; and nonfinancial companies, such as [list companies].’’ (c) Nonaffiliates. If the financial institution shares with nonaffiliated third parties outside the exceptions in sections 248.14 and 248.15 of this part, the institution must identify the types of nonaffiliated third parties with which it shares or state ‘‘[name of financial institution] does not share with nonaffiliates so they can market to you.’’ in italicized lettering where [nonaffiliate information] appears. A financial institution that shares with nonaffiliated third parties as described here must use, as applicable, the following format: ‘‘Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].’’ (d) Joint Marketing. As required by section 248.13 of this part, the financial institution must identify the types of financial institutions with which it engages in joint marketing or state ‘‘[name of financial institution] doesn’t jointly market.’’ in italicized lettering where [joint marketing] appears. A financial institution that shares with joint marketing partners must use, as applicable, the following format: ‘‘Our joint marketing partners include [list categories of companies such as credit card companies].’’ E:\FR\FM\29MRP2.SGM 29MRP2 15000 Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / Proposed Rules rwilkins on PROD1PC63 with PROPOSALS 4. Page Three Opt-out form. Financial institutions must use page three only if they: (1) Share or use information in a manner that triggers an optout; or (2) choose to provide an opt-out (as disclosed in the table on page 1) in addition to what is required by law. The model optout form must be provided on a separate page of the model form. (a) Contact us. The section describes three common methods by which a consumer exercises an opt-out—by telephone, on the Web, and by mail. Financial institutions may customize this section to provide for the particular opt-out methods and options the institution provides. For example, if an institution offers opting out by telephone and the Web but not by mail, it would provide only telephone and Web information as shown in the model form in the ‘‘Contact Us’’ box. Only institutions that allow more than 30 days after providing the notice before sharing information may change the number of days in the lower right hand section of the box. (b) Check your choices. Institutions must display the applicable opt-out options in the ‘‘Check your choices’’ box shown on this page. If an institution chooses not to offer an opt-out by mail, it must delete the boxes for name, address, account number, and mailing directions in the lower right-hand corner of the model form. Financial institutions that only offer one or two of the opt-out options listed on the model form must list only those options from the model form that apply to their practices and correspond accurately to the disclosures on page one. Thus, if an institution does not share in a manner that requires an opt-out for sharing with nonaffiliates, it must not include that opt-out option on page three of the model form. Institutions requiring information from consumers on the opt-out form other than an account number should modify that designation in the ‘‘Check your choices’’ box. Institutions that require customers with multiple accounts to identify each account to which the opt-out should apply should modify that portion of the model form. VerDate Aug<31>2005 19:04 Mar 28, 2007 Jkt 211001 (c) Section 624 opt-out. If the financial institution’s affiliates use information for marketing pursuant to section 624 of the FCRA, and the institution elects to consolidate that opt-out notice in the model form, it must include that disclosure and optout election as shown in the model form. Institutions that elect to limit the time for the affiliate marketing opt-out, consistent with the requirements of section 624, must adhere to the requirements of that section and the Agencies’ implementing rule with respect to any subsequent notice and opt-out. Institutions that elect to limit the opt-out period must include a statement in italics, as shown on the model form, that states the period of time for which the opt-out applies. (d) Additional opt-outs. A financial institution that uses the disclosure table to indicate any opt-out choices available to consumers beyond those required by Federal law must include those opt-outs on page three of the model form. For example, if the financial institution discloses in the table that it offers an opt-out for joint marketing, the institution must revise the opt-out form on page three to reflect the availability of an opt-out, such as by adding a check-off box with the words ‘‘Do not share my personal information with other financial institutions to jointly market to me.’’ Likewise, if a financial institution chooses to offer its customers an opt-out for its marketing, it can provide for that option in the disclosure table and on the opt-out form by adding a checkoff box with the words ‘‘Do not share [or use] my personal information to market to me.’’ 8. Amend newly designated Appendix B by adding a new sentence immediately after the heading to read as follows: Appendix B to Part 248—Sample Clauses This appendix provides guidance only for privacy notices provided on or before [ONE YEAR AFTER THE PO 00000 Frm 00062 Fmt 4701 Sfmt 4702 PUBLICATION DATE OF THE FINAL RULE]. * * * * * * * * Dated: March 9, 2007. John C. Dugan, Comptroller of the Currency. By order of the Board of Governors of the Federal Reserve System, March 16, 2007. Jennifer J. Johnson, Secretary of the Board. By order of the Board of Directors. Dated at Washington, DC, this 20th day of March, 2007. Federal Deposit Insurance Corporation. Robert E. Feldman, Executive Secretary. Dated: March 19, 2007. By the Office of Thrift Supervision. John M. Reich, Director. By the National Credit Union Administration Board on March 15, 2007. Mary Rupp, Secretary of the Board. The Federal Trade Commission. Dated: March 20, 2007. By direction of the Commission. Donald S. Clark, Secretary. Dated: March 20, 2007. Eileen A. Donovan, Acting Secretary of the Commodity Futures Trading Commission. By the Securities and Exchange Commission. Dated: March 20, 2007. Florence E. Harmon, Deputy Secretary. [FR Doc. 07–1476 Filed 3–28–07; 8:45 am] BILLING CODE 4810–33–P, 6210–01–P, 6714–01–P, 6720–01–P, 7535–01–P, 6750–01–P, 6351–01–P, 8010–01– P E:\FR\FM\29MRP2.SGM 29MRP2

Agencies

[Federal Register Volume 72, Number 60 (Thursday, March 29, 2007)]
[Proposed Rules]
[Pages 14940-15000]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 07-1476]



[[Page 14939]]

-----------------------------------------------------------------------


Part III

Department of the Treasury



Office of the Comptroller of the Currency



12 CFR Part 40



-----------------------------------------------------------------------



Office of Thrift Supervision

12 CFR Part 573



-----------------------------------------------------------------------
Federal Reserve System

12 CFR Part 216



-----------------------------------------------------------------------
Federal Deposit Insurance Corporation

12 CFR Part 332



-----------------------------------------------------------------------
National Credit Union Administration

12 CFR Part 716



-----------------------------------------------------------------------
Federal Trade Commission

16 CFR Part 313



-----------------------------------------------------------------------
Commodity Futures Trading Commission

17 CFR Part 160



-----------------------------------------------------------------------
Securities and Exchange Commission

17 CFR Part 248



-----------------------------------------------------------------------



Interagency Proposal for Model Privacy Form Under the Gramm-Leach-
Bliley Act; Proposed Rule

Federal Register / Vol. 72, No. 60 / Thursday, March 29, 2007 / 
Proposed Rules

[[Page 14940]]


-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Part 40

[Docket ID OCC-2007-0003]
RIN 1557-AC80

FEDERAL RESERVE SYSTEM

12 CFR Part 216

[Docket No. R-1280]

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Part 332

RIN 3064-AD16

DEPARTMENT OF THE TREASURY

Office of Thrift Supervision

12 CFR Part 573

[Docket ID OTS-2007-0005]
RIN 1550-AC12

NATIONAL CREDIT UNION ADMINISTRATION

12 CFR Part 716

RIN 3133-AC84

FEDERAL TRADE COMMISSION

16 CFR Part 313

[Project No. 034815]
RIN 3084-AA94

COMMODITY FUTURES TRADING COMMISSION

17 CFR Part 160

RIN 3038-AC04

SECURITIES AND EXCHANGE COMMISSION

17 CFR Part 248

[Release Nos. 34-55497, IA-2598, IC-27755; File No. S7-09-07]
RIN 3235-AJO6


Interagency Proposal for Model Privacy Form Under the Gramm-
Leach-Bliley Act

AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC); 
Board of Governors of the Federal Reserve System (Board); Federal 
Deposit Insurance Corporation (FDIC); Office of Thrift Supervision, 
Treasury (OTS); National Credit Union Administration (NCUA); Federal 
Trade Commission (FTC); Commodity Futures Trading Commission (CFTC); 
and Securities and Exchange Commission (SEC).

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: The OCC, Board, FDIC, OTS, NCUA, FTC, CFTC, and SEC (the 
Agencies) are proposing amendments to their rules that implement the 
privacy provisions of the Gramm-Leach-Bliley Act (GLB Act), Title V, 
Subtitle A. These rules require financial institutions to provide 
initial and annual privacy notices to their customers. As required 
under section 728 of the Financial Services Regulatory Relief Act of 
2006 (Regulatory Relief Act or Act), the Agencies are proposing a safe 
harbor model privacy form that financial institutions may use to 
provide disclosures under the privacy rules. Institutions that use 
notices based on the Sample Clauses currently contained in most of the 
privacy rules would lose the benefit of a safe harbor for compliance 
with respect to those notices if they are provided more than one year 
following the date of publication of a final rule. Similarly, 
institutions that use notices based on the Sample Clauses in the SEC's 
privacy rule could no longer rely on the guidance provided with respect 
to those notices if they are provided more than one year following the 
date of publication of a final rule.

DATES: Comments must be submitted on or before May 29, 2007.
    For information regarding the effective dates of the provisions 
proposed in this document, see the discussion under ``Proposed 
Effective Dates'' in the SUPPLEMENTARY INFORMATION section.

ADDRESSES: Because the Agencies will jointly review all of the comments 
submitted, interested parties may send comments to any of the Agencies 
and need not send comments (or copies) to all of the Agencies. 
Commenters are encouraged to use the title ``Model Privacy Form'' to 
facilitate the organization and distribution of comments among the 
Agencies. Interested parties are invited to submit written comments to:
    Office of the Comptroller of the Currency: You may submit comments 
by any of the following methods:
     Federal eRulemaking Portal--``Regulations.gov'': Go to 
https://www.regulations.gov, select ``Comptroller of the Currency'' from 
the agency drop-down menu, then click ``Submit.'' In the ``Docket ID'' 
column, select ``OCC-2007-0003'' to submit or view public comments and 
to view supporting and related materials for this notice of proposed 
rulemaking. The ``User Tips'' link at the top of the Regulations.gov 
home page provides information on using Regulations.gov, including 
instructions for submitting or viewing public comments, viewing other 
supporting and related materials, and viewing the docket after the 
close of the comment period.
     Mail: Office of the Comptroller of the Currency, 250 E 
Street, SW., Mail Stop 1-5, Washington, DC 20219.
     Hand Delivery/Courier: 250 E Street, SW., Attn: Public 
Information Room, Mail Stop 1-5, Washington, DC 20219.
    Instructions: You must include ``OCC'' as the agency name and 
``Docket Number OCC-2007-0003'' in your comment. In general, OCC will 
enter all comments received into the docket and publish them on 
Regulations.gov without change, including any business or personal 
information that you provide such as name and address information, e-
mail addresses, or phone numbers. Comments, including attachments and 
other supporting materials, received are part of the public record and 
subject to public disclosure. Do not enclose any information in your 
comment or supporting materials that you consider confidential or 
inappropriate for public disclosure.
    You may review comments and other related materials by any of the 
following methods:
     Viewing Comments Electronically: Go to https://
www.regulations.gov, select ``Comptroller of the Currency'' from the 
agency drop-down menu, then click ``Submit.'' In the ``Docket ID'' 
column, select ``OCC-2007-0003'' to view public comments for this 
notice of proposed rulemaking.
     Viewing Comments Personally: You may personally inspect 
and photocopy comments at the OCC's Public Information Room, 250 E 
Street, SW., Washington, DC. You can make an appointment to inspect 
comments by calling (202) 874-5043.
     Docket: You may also view or request available background 
documents and project summaries using the methods described above.
    Board of Governors of the Federal Reserve System: You may submit 
comments, identified by Docket No. R-1280, by any of the following 
methods:
     Agency Web Site: https://www.federalreserve.gov. Follow the 
instructions for submitting comments at https://www.federalreserve.gov/
generalinfo/foia/ProposedRegs.cfm.

[[Page 14941]]

     Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions for submitting comments.
     E-mail: regs.comments@federalreserve.gov. Include docket 
number in the subject line of the message.
     Fax: 202/452-3819 or 202/452-3102.
     Mail: Jennifer J. Johnson, Secretary, Board of Governors 
of the Federal Reserve System, 20th Street and Constitution Avenue, 
NW., Washington, DC 20551.
    All public comments are available from the Board's Web site at 
https://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as 
submitted, unless modified for technical reasons. Accordingly, your 
comments will not be edited to remove any identifying or contact 
information. Public comments may also be viewed electronically or in 
paper in Room MP-500 of the Board's Martin Building (20th and C 
Streets, NW.,) between 9 a.m. and 5 p.m. on weekdays.
    FDIC: You may submit comments by any of the following methods:
    Agency Web Site: https://www.fdic.gov/regulations/laws/federal. 
Follow instructions for submitting comments on the Agency Web Site.
    E-mail: Comments@FDIC.gov. Include ``Model Privacy Form'' in the 
subject line of the message.
    Mail: Robert E. Feldman, Executive Secretary, Attention: Comments, 
Federal Deposit Insurance Corporation, 550 17th Street, NW., 
Washington, DC 20429.
    Hand Delivery/Courier: Guard station at the rear of the 550 17th 
Street Building (located on F Street) on business days between 7 a.m. 
and 5 p.m. (EST).
    Federal eRulemaking Portal: https://www.regulations.gov. Follow the 
instructions for submitting comments.
    Public Inspection: All comments received will be posted without 
change to https://www.fdic.gov/regulations/laws/federal including any 
personal information provided. Comments may be inspected and 
photocopied in the FDIC Public Information Center, 3501 North Fairfax 
Drive, Room E-1002, Arlington, VA 22226, between 9 a.m. and 5 p.m. 
(EST) on business days. Paper copies of public comments may be ordered 
from the Public Information Center by telephone at (877) 275-3342 or 
(703) 562-2200.
    Office of Thrift Supervision: You may submit comments, identified 
by OTS-2007-0005, by any of the following methods:
     Federal eRulemaking Portal: Go to https://
www.regulations.gov, select ``Office of Thrift Supervision'' from the 
agency drop-down menu, then click submit. Select Docket ID ``OTS-2007-
0005'' to submit or view public comments and to view supporting and 
related materials for this notice of proposed rulemaking. The ``User 
Tips'' link at the top of the page provides information on using 
Regulations.gov, including instructions for submitting or viewing 
public comments, viewing other supporting and related materials, and 
viewing the docket after the close of the comment period.
     Mail: Regulation Comments, Chief Counsel's Office, Office 
of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552, 
Attention: OTS-2007-0005.
     Hand Delivery/Courier: Guard's Desk, East Lobby Entrance, 
1700 G Street, NW., from 9 a.m. to 4 p.m. on business days, Attention: 
Regulation Comments, Chief Counsel's Office, Attention: OTS-2007-0005.
    Instructions: All submissions received must include the agency name 
and docket number for this rulemaking. All comments received will be 
entered into the docket and posted on Regulations.gov without change, 
including any personal information provided. Comments, including 
attachments and other supporting materials received are part of the 
public record and subject to public disclosure. Do not enclose any 
information in your comment or supporting materials that you consider 
confidential or inappropriate for public disclosure.
    Viewing Comments Electronically: Go to https://www.regulations.gov, 
select ``Office of Thrift Supervision'' from the agency drop-down menu, 
then click ``Submit.'' Select Docket ID ``OTS-2007-0005'' to view 
public comments for this notice of proposed rulemaking.
    Viewing Comments On-Site: You may inspect comments at the Public 
Reading Room, 1700 G Street, NW., by appointment. To make an 
appointment for access, call (202) 906-5922, send an e-mail to 
public.info@ots.treas.gov, or send a facsimile transmission to (202) 
906-6518. (Prior notice identifying the materials you will be 
requesting will assist us in serving you.) We schedule appointments on 
business days between 10 a.m. and 4 p.m. In most cases, appointments 
will be available the next business day following the date we receive a 
request.
    National Credit Union Administration: Comments should be directed 
to Mary Rupp, Secretary of the Board. You may submit comments by any of 
the following methods (Please send comments by one method only):
     Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions for submitting comments.
     NCUA Web Site: https://www.ncua.gov/news/proposed_regs/
proposed_regs.html. Follow the instructions for submitting comments.
     E-mail: Address to regcomments@ncua.gov. Include ``[Your 
name] Comments on Proposed Rule Part 716 (Model Form for Privacy 
Notice)'' in the e-mail subject line.
     Fax: (703) 518-6319. Use the subject line described above 
for e-mail.
     Mail: Address to Mary Rupp, Secretary of the Board, 
National Credit Union Administration, 1775 Duke Street, Alexandria, 
Virginia 22314-3428.
     Hand Delivery/Courier: Same as mail address.
    Federal Trade Commission: All persons are invited to submit written 
comments. Comments should refer to ``Model Privacy Form, FTC File No. 
P034815'' to facilitate the organization of comments. Comments filed in 
paper form should include this reference both in the text and on the 
envelope, and should be mailed or delivered to: Federal Trade 
Commission/Office of the Secretary, Room 135 (Annex C), 600 
Pennsylvania Avenue, NW., Washington, DC 20580. Because paper mail in 
the Washington area and at the Commission is subject to delay, please 
consider submitting your comments in electronic form, as prescribed 
below. If the comment contains any material for which confidential 
treatment is requested, it must be filed in paper (rather than 
electronic) form, and the first page of the document must be clearly 
labeled ``Confidential.'' \1\ The FTC is requesting that any comment 
filed in paper form be sent by courier or overnight service, if 
possible.
---------------------------------------------------------------------------

    \1\ Commission Rule 4.2(d), 16 CFR 4.2(d). The comment must also 
be accompanied by an explicit request for confidential treatment, 
including the factual and legal basis for the request, and must 
identify the specific portions of the comment to be withheld from 
the public record. The request will be granted or denied by the 
Commission's General Counsel, consistent with applicable law and the 
public interest. See Commission Rule 4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------

    Comments filed in electronic form should be submitted by using the 
following Web link: https://secure.commentworks.com/ftc-modelform (and 
following the instructions on the Web-based form). To ensure that the 
Commission considers an electronic comment, you must file it on the 
Web-based form at the Web link https://secure.commentworks.com/ftc-
modelform. If this notice appears at www.regulations.gov, you may also 
file an electronic comment through that

[[Page 14942]]

Web site. The Commission will consider all comments that 
www.regulations.gov forwards to it.\2\ The FTC Act and other laws the 
Commission administers permit the collection of public comments to 
consider and use in this proceeding as appropriate. All timely and 
responsive public comments with all required fields completed, whether 
filed in paper or electronic form, will be considered by the 
Commission, and will be available to the public on the FTC Web site, to 
the extent practicable, at https://www.ftc.gov. As a matter of 
discretion, the Commission makes every effort to remove home contact 
information for individuals it receives from the public comments before 
placing those comments on the FTC Web site. More information, including 
routine uses permitted by the Privacy Act, may be found in the FTC's 
privacy policy, at https://www.ftc.gov/ftc/privacy.htm.
---------------------------------------------------------------------------

    \2\ An electronic comment can be filed by (1) clicking on http:/
/www.regulations.gov; (2) selecting ``Federal Trade Commission'' at 
``Search for Open Regulations;'' (3) locating the summary of this 
notice; (4) clicking on ``Submit a Comment on this Regulation;'' and 
(5) completing the form. For a given electronic comment, any 
information placed in the following fields--``Title,'' ``First 
Name,'' ``Last Name,'' ``Organization Name,'' ``State,'' 
``Comment,'' and ``Attachment''--will be publicly available on the 
FTC Web site. The fields marked with an asterisk on the form are 
required in order for the FTC to fully consider a particular 
comment. Commenters may choose not to fill in one or more of these 
fields, but if they do so, their comments may not be considered.
---------------------------------------------------------------------------

    Commodity Futures Trading Commission: Comments should be directed 
to Eileen Donovan, Acting Secretary of the Commission, Commodity 
Futures Trading Commission, Three Lafayette Centre, 1155 21st Street, 
NW., Washington, DC 20581. Comments may be sent by facsimile 
transmission to (202) 418-5528 or by e-mail to secretary@cftc.gov.
    Securities and Exchange Commission: Comments may be submitted by 
any of the following methods:

Electronic Comments

     Use the Commission's Internet comment form (https://
www.sec.gov/rules/proposed.shtml); or
     Send an e-mail to rule-comments@sec.gov. Please include 
File Number S7-09-07 and ``Model Privacy Form'' on the subject line; or
     Use the Federal eRulemaking Portal (https://
www.regulations.gov). Follow the instructions for submitting comments.

Paper Comments

     Send paper comments in triplicate to Nancy M. Morris, 
Secretary, Securities and Exchange Commission, 100 F Street, NE., 
Washington, DC 20549-1090.

All submissions should refer to File Number S7-09-07 and ``Model 
Privacy Form.'' This file number should be included on the subject line 
if e-mail is used. To help us process and review your comments more 
efficiently, please use only one method. The Commission will post all 
comments on the Commission's Internet Web site (https://www.sec.gov/
rules/proposed.shtml). Comments are also available for public 
inspection and copying in the Commission's Public Reference Room, 100 F 
Street, NE., Washington, DC 20549. All comments received will be posted 
without change; we do not edit personal identifying information from 
submissions. You should submit only information that you wish to make 
available publicly.

FOR FURTHER INFORMATION CONTACT: OCC: Amy Friend, Assistant Chief 
Counsel, (202) 874-5200; Heidi Thomas, Special Counsel, Jonathan 
Mitchell, Attorney, Legislative and Regulatory Activities Division, 
(202) 874-5090; David H. Nebhut, Director, Policy Analysis, (202) 874-
5387; or Paul Utterback, NBE Compliance Specialist, (202) 874-4428, 
Office of the Comptroller of the Currency, 250 E Street, SW., 
Washington, DC 20219.
    Board: Adrianne Threatt, Counsel, Legal Division, (202) 452-3554; 
Jeanne Hogarth, Consumer Policies Program Manager, or Krista Ayoub, 
Senior Attorney, or Ky Tran-Trong, Counsel, Division of Consumer and 
Community Affairs, (202) 452-3667; or Michelle E. Shore, Federal 
Reserve Board Clearance Officer, (202) 452-3829 (for Paperwork 
Reduction Act questions only), Board of Governors of the Federal 
Reserve System, 20th Street and Constitution Avenue, NW., Washington, 
DC 20551.
    FDIC: David P. Lafleur, Senior Policy Analyst, Compliance Section, 
Division of Supervision and Consumer Protection, (202) 898-6569; or 
Ruth R. Amberg, Senior Counsel, (202) 898-3736, or Kimberly A. Stock, 
Attorney, (202) 898-3815, Legal Division; Federal Deposit Insurance 
Corporation, 550 17th Street, NW., Washington, DC 20429.
    OTS: Ekita Mitchell, Consumer Regulations Analyst, Examinations, 
Supervision, and Consumer Protection, (202) 906-6451; or Richard 
Bennett, Counsel, Regulations and Legislation Division, (202) 906-7409, 
1700 G Street, NW., Washington, DC 20552.
    NCUA: Regina Metz, Staff Attorney, (703) 518-6561, or Ross Kendall, 
Staff Attorney, Office of General Counsel, (703) 518-6562, National 
Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 
22314-3428.
    FTC: Loretta Garrison, Senior Attorney, Division of Privacy and 
Identity Protection, Bureau of Consumer Protection, (202) 326-3043, 
Federal Trade Commission, 600 Pennsylvania Avenue, NW., Stop NJ-3158, 
Washington, DC 20580.
    CFTC: Laura Richards, Senior Assistant General Counsel, (202) 418-
5126, or Gail B. Scott, Attorney, Office of General Counsel, (202) 418-
5139, Commodity Futures Trading Commission, Three Lafayette Centre, 
1155 21st Street, NW., Washington, DC 20581.
    SEC: Catherine McGuire, Chief Counsel, or Brice Prince, Special 
Counsel, Office of the Chief Counsel, Division of Market Regulation, 
(202) 551-5550; or Penelope Saltzman, Branch Chief, or Vincent Meehan, 
Senior Counsel, Office of Regulatory Policy, Division of Investment 
Management, (202) 551-6792, Securities and Exchange Commission, 100 F 
Street, NE., Washington, DC 20549.

SUPPLEMENTARY INFORMATION: The Agencies are proposing amendments to 
each of their rules (which are consistent and comparable) that 
implement the privacy provisions of the GLB Act: 12 CFR part 40 (OCC); 
12 CFR part 216 (Board); 12 CFR part 332 (FDIC); 12 CFR part 573 (OTS); 
12 CFR part 716 (NCUA); 16 CFR part 313 (FTC); 17 CFR part 160 (CFTC); 
and 17 CFR part 248 (SEC) (collectively, the ``privacy rule'').\3\
---------------------------------------------------------------------------

    \3\ Because each Agency's privacy rule has the same section 
numbers, relevant sections will be cited, for example, as ``section 
--.6'' unless otherwise noted.
---------------------------------------------------------------------------

I. Background

    The Regulatory Relief Act was enacted on October 13, 2006.\4\ 
Section 728 of the Act directs the Agencies to ``jointly develop a 
model form which may be used, at the option of the financial 
institution, for the provision of disclosures under [section 503 of the 
GLB Act].'' \5\ The Regulatory Relief Act stipulates that the model 
form shall be a safe harbor for financial institutions

[[Page 14943]]

that elect to use it. Section 728 further directs that the model form 
shall:
---------------------------------------------------------------------------

    \4\ Pub. L. 109-351 (Oct. 13, 2006), 120 Stat. 1966.
    \5\ Id., adding 15 U.S.C. 6803(e). Section 728 of the Regulatory 
Relief Act directs the agencies named in Section 504(a)(1) of the 
GLB Act, 15 U.S.C. 6804(a)(1), to develop a model form. The CFTC, 
which did not become subject to Title V of the GLB Act until 2000, 
is not named in that section. The Commodity Exchange Act (``CEA'') 
was amended in 2000 by the Commodity Futures Modernization Act of 
2000 to make the CFTC a ``federal functional regulator'' subject to 
the GLB Act Title V. See Section 5g of the CEA, 7 U.S.C. 7b-2. The 
CFTC interprets Section 728 of the Regulatory Relief Act as applying 
to it through Section 5g.
---------------------------------------------------------------------------

    (A) Be comprehensible to consumers, with a clear format and design;
    (B) Provide for clear and conspicuous disclosures;
    (C) Enable consumers easily to identify the sharing practices of a 
financial institution and to compare privacy practices among financial 
institutions; and
    (D) Be succinct, and use an easily readable type font.
    The Agencies are required to propose a model form for public 
comment by April 11, 2007.

A. The Gramm-Leach-Bliley Act Privacy Notices

    Subtitle A of title V of the GLB Act, captioned Disclosure of 
Nonpublic Personal Information,\6\ requires each financial institution 
to provide a notice of its privacy policies and practices to its 
customers who are consumers.\7\ In general, the privacy notices must 
describe a financial institution's policies and practices with respect 
to disclosing nonpublic personal information about a consumer to both 
affiliated and nonaffiliated third parties.\8\ The notices also must 
provide a consumer a reasonable opportunity to direct the institution 
generally not to share nonpublic personal information \9\ about the 
consumer (that is, to ``opt out'') with nonaffiliated third parties 
other than as permitted by the statute (for example, sharing for 
everyday business purposes, such as processing transactions and 
maintaining customers' accounts, and in response to properly executed 
governmental requests).\10\ The privacy notice must provide, where 
applicable under the Fair Credit Reporting Act (FCRA), a notice and an 
opportunity for a consumer to opt out of certain information sharing 
among affiliates.\11\
---------------------------------------------------------------------------

    \6\ Codified at 15 U.S.C. 6801-6809.
    \7\ 15 U.S.C. 6803(a). A ``customer'' means a consumer who has a 
``customer relationship with a financial institution.'' Privacy 
rule, section --.3(h), SEC section 248.3(j), CFTC section 160.3(k). 
A ``consumer'' is ``an individual who obtains, from a financial 
institution, financial products or services which are to be used 
primarily for personal, family, or household purposes, and also 
means the legal representative of such an individual.'' 15 U.S.C. 
6809(9); privacy rule, section --.3(e), SEC section 248.3(g)(1), 
CFTC section 160.3(h)(1).
    \8\ 15 U.S.C. 6803(a)-(c).
    \9\ 15 U.S.C. 6809(4). ``Nonpublic personal information'' is 
generally defined as personally identifiable financial information 
provided by a consumer to a financial institution, resulting from 
any transaction or any service performed for the consumer, or 
otherwise obtained by the financial institution. See privacy rule, 
sections --.3(n) and (o), SEC sections 248.3(t) and (u), CFTC 
sections 160.3(t) and (u).
    \10\ 15 U.S.C. 6802; privacy rule, sections --.14 and --.15.
    \11\ 15 U.S.C. 1681a(d)(2)(A)(iii) (FCRA); 15 U.S.C. 6803(c)(4) 
(GLB Act).
---------------------------------------------------------------------------

    The privacy rule requires a financial institution to provide a 
privacy notice to its customers no later than when a customer 
relationship is formed and annually for as long as the relationship 
continues. The notice must accurately reflect the institution's 
information collection and disclosure practices and must include 
specific information. Section --.6 of the privacy rule requires the 
privacy notice to include the following:
    (1) The categories of nonpublic personal information that the 
institution collects;
    (2) With respect to both current and former customers, the 
categories of nonpublic personal information that it discloses and the 
categories of affiliates and nonaffiliated third parties to whom it 
discloses such information other than as permitted by the exceptions in 
sections --.14 and --.15;
    (3) Where the institution relies on the exception in section --.13 
to share nonpublic personal information (pertaining to joint 
marketing), the categories of information disclosed, and the categories 
of third parties with which the institution has contracted;
    (4) Where applicable, an explanation of the consumer's right under 
section --.10(a) to opt out of the disclosure of nonpublic personal 
information to nonaffiliated third parties and the methods by which the 
consumer may opt out;
    (5) Disclosures made under section 603(d)(2)(A)(iii) of the FCRA 
(pertaining to the ability to opt out of certain sharing with 
affiliates) and the applicable opt-out notice;
    (6) The institution's policies and practices with respect to 
protecting the confidentiality and security of nonpublic personal 
information; and
    (7) Where applicable, a statement that the institution discloses 
nonpublic personal information to nonaffiliated third parties pursuant 
to the section --.14 and --.15 exceptions.
    The privacy rule does not prescribe any specific format or 
standardized wording for these notices. Instead, institutions may 
design their own notices based on their individual practices provided 
they comply with the law and meet the ``clear and conspicuous'' 
standard in the statute and the privacy rule.\12\ The Appendix to the 
privacy rule contains model language (Sample Clauses) that institutions 
may use in privacy notices to satisfy the privacy rule.
---------------------------------------------------------------------------

    \12\ 15 U.S.C. 6802, 6803; privacy rule, section --.3(b), SEC 
248.3(c).
---------------------------------------------------------------------------

    Financial institutions first were required to distribute privacy 
notices to their customers by July 1, 2001.\13\ Many privacy notices in 
the initial effort were long and complex. In addition, because the 
privacy rule allows institutions flexibility in designing their privacy 
notices, notices have been formatted in various ways and as a result 
have been difficult to compare, even among financial institutions with 
identical privacy policies.
---------------------------------------------------------------------------

    \13\ The CFTC was added by Section 5g of the Commodity Exchange 
Act, 7 U.S.C. 7b-2 (as amended by the Commodity Futures 
Modernization Act of 2000), on December 21, 2000, and privacy 
notices were required to be delivered to consumers by March 31, 
2002.
---------------------------------------------------------------------------

    In response to broad-based concerns expressed by representatives of 
financial institutions, consumers, privacy advocates, and members of 
Congress, the Agencies conducted a workshop in December 2001 to provide 
a forum to consider how financial institutions could provide more 
useful privacy notices to consumers.\14\ The workshop featured panel 
presentations by financial institutions, consumer advocates, and 
communications experts, and highlighted key communication principles to 
improve the notices. A number of institutions, particularly those with 
complex information-sharing practices, described the challenges they 
faced in explaining their practices and the choices available to 
consumers in a simple fashion while meeting all of the legal 
requirements for notice. Some institutions described results of 
consumer testing and their efforts to make privacy notices clearer and 
more useful to consumers.
---------------------------------------------------------------------------

    \14\ Get Noticed: Writing Effective Financial Privacy Notices, 
Interagency Public Workshop (Dec. 4, 2001), workshop transcripts and 
other supporting documents are available at https://www.ftc.gov/bcp/
workshops/glb/.
---------------------------------------------------------------------------

    On December 30, 2003, the Agencies published an Advance Notice of 
Proposed Rulemaking to Consider Alternative Forms of Privacy Notices 
under the Gramm-Leach-Bliley Act \15\ (ANPR) to solicit comment on a 
wide range of issues related to improving privacy notices. The Agencies 
sought, for example, comment on issues associated with the format, 
elements, and language used in privacy notices that would make the 
notices more accessible, readable, and useful, and whether to develop a 
model privacy notice that would be short and simple. The Agencies also 
solicited examples of

[[Page 14944]]

forms, model clauses, and other information, such as applicable 
research that has been conducted in this area. The ANPR stated that the 
Agencies expected that consumer testing would be a key component in the 
development of any specific proposals.
---------------------------------------------------------------------------

    \15\ See Interagency Proposal to Consider Alternative Forms of 
Privacy Notices Under the Gramm-Leach-Bliley Act, 68 FR 75164 (Dec. 
30, 2003), available at https://www.ftc.gov/os/2003/12/
031223anprfinalglbnotices.pdf.
---------------------------------------------------------------------------

    During January and February 2004, the Agencies met with a number of 
interested groups and individuals to discuss the issues raised in the 
ANPR.\16\ The Agencies received forty-four comments in response to the 
ANPR.\17\ While commenters expressed a variety of views on the 
questions posed in the ANPR, many commenters agreed that the Agencies 
should conduct consumer testing before proposing any alternative 
privacy notice.
---------------------------------------------------------------------------

    \16\ Summaries of the outside meetings are available at https://
www.ftc.gov/privacy/privacyinitiatives/financial_rule_inrp.html.
    \17\ Public comments to the ANPR are available at https://
www.ftc.gov/privacy/privacyinitiatives/financial_rule_inrp.html.
---------------------------------------------------------------------------

B. The Interagency Notice Project

    In the summer of 2004, six Agencies \18\ agreed to launch a project 
to fund consumer research (Notice Project). Their goals were to 
identify barriers to consumer understanding of current privacy notices 
and to develop an alternative privacy notice, or elements of a notice, 
that consumers could more easily use and understand compared to current 
notices. When the Agencies initiated this project, they contemplated 
conducting the consumer research in two sequential phases. The first 
phase was designed as qualitative testing, that is, form development 
research. This research involved a series of in-depth individual 
consumer interviews to develop an alternative privacy notice that would 
be easier for consumers to use and understand. The second phase was 
designed as quantitative testing, to test the effectiveness of the 
alternative privacy notice developed in phase one among a larger number 
of consumers. The first phase has been completed and resulted in the 
model notice we are proposing for comment today. The Agencies expect to 
conduct the second phase of testing after receipt of comments in 
response to this proposal.\19\
---------------------------------------------------------------------------

    \18\ The six Agencies are the Board, FDIC, FTC, NCUA, OCC, and 
SEC. Information related to the Notice Project can be found at 
https://www.ftc.gov/privacy/privacyinitiatives/financial_rule_
inrp.html.
    \19\ OTS has joined the Notice Project for the phase two 
research.
---------------------------------------------------------------------------

    In September 2004, the six Agencies selected Kleimann Communication 
Group, Inc. (Kleimann) as their contractor for the phase one form 
development research. The research objectives of the Notice Project 
included designing a privacy notice that consumers could understand and 
use, that facilitated comparison of sharing practices and policies 
across privacy notices, and that addressed all relevant legal 
requirements of the GLB Act and FCRA. At the outset of the research, 
the Agencies considered a range of possible options for the notice, 
including a short notice, a layered approach (highlighting key 
information upfront), as well as a longer fully-compliant notice. The 
Agencies limited the project to paper-based notices, reasoning that a 
successful paper notice could be readily adapted to another medium such 
as the Internet. The Agencies used a readable font \20\ and, in order 
not to confound the research findings on comprehension by introducing 
too many variables into the test notice, expressly did not use color, 
logos, or other graphical designs in the test notices. Instead, the 
Agencies focused on formulating and testing content that consumers 
could understand and use in order to develop a short, simplified 
privacy notice that met the research objectives.
---------------------------------------------------------------------------

    \20\ The text of the prototype notice is in 10 point BK Avenir 
Book font.
---------------------------------------------------------------------------

    The form development phase culminated in an extensive research 
report released by the Agencies in March 2006. Prepared by Kleimann, 
``Evolution of a Prototype Financial Privacy Notice,'' details the 
process by which the Agencies and Kleimann developed an alternative 
privacy notice.\21\ As explained more fully in the Kleimann Report, 
over a one-year period, Kleimann conducted two focus groups followed by 
a series of 46 in-depth, individual interviews, conducted sequentially 
at seven sites around the country. The interviews tested consumers on 
their ability to comprehend, use, and compare notices based on 
variations in vocabulary, ordering of content, and format. The 
structure, content, ordering of the text information, and title of the 
proposed model form all reflect the research findings in the 
qualitative consumer testing.
---------------------------------------------------------------------------

    \21\ See Kleimann Communication Group, Inc., Evolution of a 
Prototype Financial Privacy Notice: A Report on the Form Development 
Project (Feb. 28, 2006) (Kleimann Report). For a copy of the full 
report, go to https://www.ftc.gov/privacy/privacyinitiatives/
ftcfinalreport060228.pdf. For the executive summary, go to https://
www.ftc.gov/privacy/privacyinitiatives/
FTCFinalReportExecutiveSummary.pdf.
---------------------------------------------------------------------------

    The Agencies now are proposing the model privacy notice produced in 
the form development phase with some minor revisions (the proposed 
model form) for comment in accordance with the Regulatory Relief Act. 
The Agencies contemplate that the safe harbor for the proposed model 
form will be effective upon publication of the final rule in order to 
permit institutions that elect to use the form to do so immediately. 
The Agencies recognize that institutions may post their privacy notices 
on their Internet sites, as well as deliver paper or email versions to 
their customers. The Agencies contemplate that institutions that post a 
pdf version of the proposed model privacy form may obtain a safe 
harbor, but are requesting comment on whether to develop a Web-based 
design for financial institutions to use on their Internet sites, 
including comment on particular design and/or technical considerations.
    The Agencies believe that the proposed model form meets all the 
requirements of the Act and is easier to understand than most privacy 
notices currently being disseminated. The following section describes 
the proposed model form and highlights some key research findings. For 
more detailed information on the research methodology and the form 
development process, commenters are encouraged to review the full 
Kleimann Report. The Agencies also are proposing instructions on how 
institutions may obtain a safe harbor by using the proposed model form, 
including an explanation of aspects of the form that may and may not be 
varied.\22\ Institutions would not be able to vary content or format, 
other than as described in this proposal, to take advantage of the safe 
harbor. Moreover, institutions would not be able to include any other 
information in the proposed model form nor incorporate this model form 
into any other document.
---------------------------------------------------------------------------

    \22\ While the model form would provide a safe harbor, 
institutions could continue to use other types of notices that vary 
from the model form so long as these notices comply with the privacy 
rule. For example, an institution could continue to use a simplified 
notice as described in section --.6(c)(5) (NCUA 716.6(e)(5)) of the 
privacy rule if it does not have affiliates and does not intend to 
share nonpublic personal information with nonaffiliated third 
parties outside of the exceptions provided in sections --.14 and 
--.15.
---------------------------------------------------------------------------

II. The Proposed Model Form

A. The Structure

    The proposed model form has either two or three pages, depending on 
whether the financial institution provides an opt-out. While the 
research showed that page one alone was adequate for comprehension and 
usability, page one together with page two address the legal 
requirements of applicable Federal financial privacy laws and increase 
consumer comprehension. Each of the pages of the model form is printed 
separately and

[[Page 14945]]

only on one side of an 8.5 by 11 inch piece of paper because, during 
testing, consumers expressed a preference for the model which allowed 
them to view the information on pages one and two side-by-side.\23\ The 
proposed model form in Appendix A is designed to be customized by each 
financial institution that elects to use it by inserting, for example, 
the institution's name, contact information, and information about 
affiliates, nonaffiliates, or joint marketing partners, if any, with 
which it shares personal information. In addition, the disclosure table 
requires that each institution complete the responses in each of the 
boxes provided in a manner that accurately reflects its information 
sharing policies and practices.
---------------------------------------------------------------------------

    \23\ The proposed model form has the opt-out options and 
instructions on a separate page. Staff of certain of the Agencies 
issued Frequently Asked Questions in December 2001 (Privacy FAQs), 
stating that a consumer should be able to detach a mail-in opt-out 
form from a privacy notice without removing text from the privacy 
policy. Otherwise, the institution may violate section --.9(e) of 
the privacy rule, which requires that a privacy policy must be 
provided in such a way that a customer can retain the text of the 
notices or obtain them later. See F.4 of the Privacy FAQs, available 
at https://www.ftc.gov/privacy/glbact/glb-faq.htm.
---------------------------------------------------------------------------

    Below is one example of a completed model form for a fictional 
financial institution, Neptune, whose privacy policy provides for broad 
sharing in a manner that triggers consumer opt-out rights. For 
comparison, a second example is also provided for another fictional 
institution, Mars, whose privacy policy limits sharing and does not 
trigger consumer opt-out rights. Each of these institutions uses and 
shares personal information in different ways; thus, their responses in 
the disclosure table vary, as do the descriptions of their affiliates, 
nonaffiliates, or joint marketing partners in the definition 
section.\24\ Importantly, since Mars does not share in a way that 
triggers an opt-out, the opt-out form (page 3 of the proposed model 
form) is not required and so is not included in the Mars notice. Thus, 
not every institution subject to the privacy rule will have to provide 
page three of the model form; only those institutions whose privacy 
practices require delivery of an opt-out notice or those institutions 
that choose to provide opt-outs beyond those required by law.
---------------------------------------------------------------------------

    \24\ The Agencies understand that many consumers are not 
familiar with institutions' information sharing practices. During 
the Notice Project's initial research, some consumers expressed 
concern about financial institutions changing their practices and 
policies without adequately informing consumers about such changes. 
A few consumers suggested that, at a minimum, the notices should be 
dated to reflect the most recent revision so consumers would know 
when the notice was last changed and could more easily identify the 
most recent policy statement. Changes to an institution's policy may 
be reflected in a revised notice under section --.8 of the privacy 
rule or in an annual notice. Some institutions highlight changes to 
their privacy notices in some distinctive way, so that consumers can 
readily identify the change. As discussed later in Section V, the 
Agencies invite comment on whether financial institutions should be 
required to alert consumers to changes in an institution's privacy 
practices as part of the proposed model form.

---------------------------------------------------------------------------

[[Page 14946]]

Example 1. Neptune Model Privacy Form
[GRAPHIC] [TIFF OMITTED] TP29MR07.000


[[Page 14947]]


[GRAPHIC] [TIFF OMITTED] TP29MR07.001


[[Page 14948]]


[GRAPHIC] [TIFF OMITTED] TP29MR07.002


[[Page 14949]]



Example 2. Mars Model Privacy Form
[GRAPHIC] [TIFF OMITTED] TP29MR07.003


[[Page 14950]]


[GRAPHIC] [TIFF OMITTED] TP29MR07.004


[[Page 14951]]



Example 3. Illustration of Type Size for the Various Elements of the 
Model Form \25\

     
---------------------------------------------------------------------------

    \25\ See infra note and accompanying text. This illustration 
displays the font sizes of the various elements in the model form.
[GRAPHIC] [TIFF OMITTED] TP29MR07.005

B. Page One--Background Information and the Disclosure Table

    Page one of the proposed model form has four parts: (1) The title; 
(2) an introductory section called the ``key frame,'' which provides 
context to help the consumer better understand the required 
disclosures; (3) a table that describes the types of sharing Federal 
law allows, which of those types of sharing the institution actually 
does, and whether the consumer can opt out of any type of the 
institution's sharing; and (4) the institution's contact information.
    The research showed that the title, ``FACTS What Does [name of 
financial

[[Page 14952]]

institution] Do With Your Personal Information,'' is more likely to 
catch consumers' attention so they will read the notice. The title can 
be used by all institutions regardless of their information sharing 
practices.
    The ``key frame,'' with its three short headings--Why, What, and 
How--is included because the research showed that, unless consumers 
have some basic facts about information sharing, they are less likely 
to understand why they are receiving a privacy notice and what to do 
with one. The ``Why'' box tells consumers that Federal law requires 
that the financial institution send the notice. The ``What'' box 
explains the types of personal information financial institutions 
collect and share.\26\ The ``How'' box explains that some information 
sharing is necessary for all institutions in order to provide the 
products and services that consumers request. It also briefly explains 
what information consumers will find in the disclosure table below. The 
research found that these particular headings and the bulleted 
explanations enhanced consumers' understanding of the purpose of the 
notice, enabled them to make an informed decision about the use of 
their personal information, and aided their overall comprehension.
---------------------------------------------------------------------------

    \26\ The Agencies recognize that some financial institutions may 
not collect each type of information described in the ``What'' box. 
As reflected in the introductory clause, which states that the 
``information [collected] can include * * *,'' the standardized 
terms are designed to reflect the range of information typically 
collected by financial institutions required to provide privacy 
notices under the GLB Act and FCRA, rather than the specific 
information collected by each particular institution, and therefore, 
are not to be modified to reflect an institution's particular 
practices. The SEC's model privacy form reflects modified terms in 
the ``What'' box that are intended to include the range of 
information typically collected by brokers, dealers, investment 
advisers registered with the Commission, and investment companies.
---------------------------------------------------------------------------

    The disclosure table at the bottom of page one provides information 
about the financial institution's sharing practices. The research found 
that this table is the ``heart'' of the proposed model form, 
``enabl[ing] consumers to understand the details of their financial 
institution's sharing practices in the context of how other financial 
institutions can share. It is critical for comprehension and 
comparability.'' \27\ The table is featured on page one because it is 
one of the most important elements of the model form.
---------------------------------------------------------------------------

    \27\ See Kleimann Report, supra note , at v and 7.
---------------------------------------------------------------------------

    Key research findings were that providing this information in a 
table form greatly increased consumers' ability to readily identify and 
understand an institution's sharing practices and what, if any, choices 
they had to limit any of that sharing, and easily compare these 
practices and choices among institutions. The Agencies asked Kleimann 
to develop and test a ``prose'' version describing information sharing 
practices since such a format would be more comparable to notices 
currently used by financial institutions. However, the research found 
that the table design of the proposed model form outperformed the prose 
design on a variety of measures, including comprehension, 
comparability, and usability.\28\
---------------------------------------------------------------------------

    \28\ See id. at 185, 215, 256.
---------------------------------------------------------------------------

    The disclosure table includes a description of the possible types 
of sharing and uses of personal information and the associated opt-out 
choices that must be disclosed. The opt-out disclosures are required 
under: (1) Section 502(b) of the GLB Act (regarding certain sharing 
with nonaffiliated third parties); (2) section 603(d)(2)(A) of the FCRA 
(regarding sharing of creditworthiness and credit report information 
among affiliates); and (3) section 624 of the FCRA, as added by section 
214 of the Fair and Accurate Credit Transactions Act of 2003 (Fact 
Act), 15 U.S.C. 1681s-3 (use of that information for marketing).\29\ 
The table provides important context about what information sharing a 
financial institution actually does relative to what it could do. The 
research showed that the table, with its standardized content, 
facilitates easy comparison of information sharing practices among 
different institutions. The structure of the disclosure table and the 
reasons for sharing are designed to be consistent for all financial 
institutions.\30\ The institution-specific information lies in the 
answers to the questions within each of the boxes. Accordingly, even if 
a financial institution does not share for one of the reasons listed in 
the table (for example, it has no affiliates and therefore does not 
share with affiliates), the institution could not exclude that reason 
from the table, but would answer ``No'' under ``Does [name of financial 
institution] share?''
---------------------------------------------------------------------------

    \29\ Pub. L. 108-159, 117 Stat. 1952. Section 624 provides that 
information that may be shared among affiliates--including 
transaction and experience information and certain creditworthiness 
information--cannot be used for marketing purposes unless the 
consumer has received a notice of such use and an opportunity to opt 
out, and the consumer does not opt out. The Agencies have included 
language pertaining to this affiliate marketing provision and the 
related opt-out on the notice developed in the consumer research in 
response to comments to the ANPR. While the Agencies have not yet 
issued a final regulation implementing this provision of the FACT 
Act, they are coordinating this rulemaking with the affiliate 
marketing rulemaking to ensure that language addressing the section 
624 opt-out as incorporated in this model form (when finalized) 
would be deemed to comply with the affiliate marketing rule. 
Institutions would not be required to include reference to this 
provision until a final rule for section 624 is issued and becomes 
effective, and only in the event that institutions choose to 
consolidate the 624 notice and opt-out with the GLB Act privacy 
notice.
    \30\ The reasons for sharing are grouped into three main 
categories. The first three reasons describe what financial 
institutions do with their consumers' personal information. The next 
three reasons describe what a financial institution's affiliates do 
with that information. The last reason describes what nonaffiliated 
companies may do with the personal information, other than acting as 
a service provider to or acting jointly with the financial 
institution (that is, outside the exceptions provided in sections 
--.13, --.14, and --.15). This generally means marketing by the 
nonaffiliated company.
---------------------------------------------------------------------------

    The language used in the disclosure table is based on Kleimann's 
research. The simplified phrases describing information sharing 
practices were continually refined through the consumer testing process 
to allow consumers to better understand the information sharing and use 
possibilities. The laws governing the disclosure of consumers' personal 
information are not easily translated into short, comprehensible 
phrases that are also legally precise. Thus, the table in some cases 
uses more easily understandable short-hand terms to describe sharing 
practices required to be in the notice. For example, the table uses the 
term ``everyday business purposes'' to describe the sharing 
contemplated by the exceptions in sections --.14 and --.15 of the 
privacy rule, which does not trigger opt-out rights. The research found 
that consumers understood that ``everyday business purposes'' means 
that companies must share in some basic ways in order to provide the 
financial products or services that consumers request. The table also 
speaks in terms of the institution's own ``marketing purposes'' to 
capture the idea that nearly all, if not all, financial institutions 
share information in connection with marketing their own products and 
services to their customers (for example, with a service provider such 
as a bulk mailer or data processor) in a manner that does not trigger 
an opt-out right. With respect to the reasons for information sharing 
among affiliated companies that track the FCRA provisions \31\ (the 
sharing of ``transaction and experience information'' and the sharing 
of ``other information''), the disclosure table uses ``Information 
about your creditworthiness'' as a short-hand term for the statutory 
term ``other information.''
---------------------------------------------------------------------------

    \31\ See section 603(d)(2)(A) of the FCRA.
---------------------------------------------------------------------------

    The institution's contact information appears at the bottom of page 
one in

[[Page 14953]]

response to consumers' preferences expressed during testing.

C. Page Two--Supplemental Information

    The second page provides additional explanatory information that, 
in combination with page one, ensures that the notice includes all 
elements described in the GLB Act as implemented by the privacy rule. 
There is supplemental information in the form of Frequently Asked 
Questions (FAQs) \32\ at the top and definitions below.\33\ The 
research showed that although consumers generally understood the 
concepts of certain technical words, they found that the four 
definitions on page two provided helpful additional information that 
further clarified the nature and type of information sharing by a 
financial institution. Some of the definitions include institution-
specific information required by the GLB Act. For example, an 
institution that has affiliates must identify the categories of its 
affiliates after the definition. Likewise, an institution that has no 
affiliates can explain after the definition that it does not have 
affiliates.
---------------------------------------------------------------------------

    \32\ Note that financial institutions should insert their names 
as indicated in the first three questions in this section.
    \33\ The FAQ box regarding sources of information does not 
permit a financial institution to customize the sources of 
information it collects. As with the standardized terms describing 
information the institution collects on page one, see supra note , 
the disclosure is intended to include the range of information 
sources typically used by institutions subject to the GLB Act and 
FCRA rather than the information sources used by each particular 
institution. The SEC's model form reflects additional terms in this 
box that are intended to include the range of sources of information 
typically used by brokers, dealers, investment advisers registered 
with the Commission, and investment companies.
---------------------------------------------------------------------------

    Examples of institution-specific information are shown for the last 
three definitions in the italicized print in both the Neptune and Mars 
forms. Thus, Neptune has affiliates with which it shares certain 
information and, under the definition of ``affiliates,'' Neptune 
includes information in italics that describes the categories of its 
affiliates. Since Mars has no affiliates, the Mars form states ``Mars 
has no affiliates.''

D. Page Three--The Opt-Out Form

    The third page provides an opt-out form, for use by those financial 
institutions that share in a manner that triggers consumer opt-out 
rights under the GLB Act or FCRA (see the proposed model privacy form 
in Appendix A and the Neptune form). Institutions using the proposed 
model form must include page three in their notices only if they (1) 
share or use information in a manner that triggers an opt-out, or (2) 
choose to provide opt-outs beyond what is required by law.
    The opt-out page lists three common methods for opting out--by 
telephone, on the Web, and by mail--and summarizes the opt-out choices 
available to the consumer in a clear and easy-to-read format that the 
research found consumers appreciated. Financial institutions that 
provide opt-out forms are not required to provide all the opt-out 
choices and methods described in the Neptune opt-out form. The Agencies 
expect that institutions may need to tailor the opt-out page to reflect 
accurately the institution's particular practices.\34\ The model form, 
for example, includes information for the customer's account number as 
a means of identifying both the customer and account to which the opt-
out should apply. Institutions requiring consumers with multiple 
account numbers to list each account number to which the opt-out should 
apply should modify that portion of the form. Institutions requiring 
information other than an account number should modify that portion of 
the form. Institutions that allow more than 30 days from issuing the 
notice may insert that time period in place of the number ``30''. The 
proposed rule accordingly provides instructions explaining permissible 
variations to page three of the Neptune notice.
---------------------------------------------------------------------------

    \34\ See note 29. For institutions that choose to consolidate 
the 624 notice into the model form and offer this opt-out, the 
italicized language accompanying the affiliate sharing opt-out 
choice on page three of the proposed model form is required only if 
an institution wants to limit the time of the opt-out period, with 5 
years the minimum opt-out period required by the statute. Where an 
institution elects to limit the time period for which the opt-out is 
effective, it should look to the Agencies' affiliate marketing rule 
for guidance on the manner and form in which to provide any 
additional notice that would effectively permit a consumer to renew 
or extend the opt-out period.
---------------------------------------------------------------------------

E. Additional Opt-Outs in the Model Form

    The third column in the disclosure table in the proposed model form 
is intended to provide flexibility for financial institutions to 
include additional opt-out choices that are not required by Federal 
law. For example, a financial institution may give its customers the 
opportunity to limit sharing for joint marketing. In that case, the 
financial institution would answer the question ``Can you limit this 
sharing?'' in the far right column with ``Yes (Check your choices, p. 
3)'' and would describe the additional opt-out choice on its opt-out 
form, for example by stating, ``Do not share my personal information 
with other financial institutions to jointly market to me.'' Likewise, 
if a financial institution wanted to offer its customers the 
opportunity to opt out of its own marketing, it could provide for that 
option by answering ``Yes'' in the appropriate box of the disclosure 
table and by describing the opt-out choice on the opt-out form, for 
example by stating ``Do not share [or use] my personal information to 
market to me.'' To obtain the safe harbor for use of the proposed model 
form, an institution that uses the disclosure table to show any 
additional opt-out choice must include the opt-out form on page three 
to provide consumers with a method for opting out. The Agencies 
specifically invite comment on other opt-outs that financial 
institutions may provide, and on whether the Agencies should provide 
model language based on the opt-out provisions provided in the proposed 
model form.

F. Appearance of the Model Form

    In addition to the requirements that the proposed model form be 
comprehensible, clear and conspicuous, and allow for easy comparison of 
privacy practices among financial institutions, the law requires that 
the model form use an easily readable type font. The prototype notice 
developed in the Agencies' phase one research and shown here as the 
proposed model form, reflects consideration of a number of 
typographical factors in the design.\35\ Type size, type style, 
leading, x-height, serif versus sans serif,\36\ upper and lower case 
type, along with the page layout--all play an important role in 
designing a typeface that is highly readable. Consumers who saw the 
prototype notice during the research process commented on how easy the 
type was to see and read.\37\
---------------------------------------------------------------------------

    \35\ The prototype notice developed in the consumer research is 
10 on 12 BK Avenir Book. The ``10 on 12'' means that the font size 
is 10 points, and the leading (that is, the additional space between 
the lines of type) is 2 points of spacing.
    \36\ Serif typeface has small strokes at the ends of the lines 
that form each letter. Sans serif typeface
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.