Final Model Privacy Form Under the Gramm-Leach-Bliley Act, 62890-62994 [E9-27882]

62890 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations

DEPARTMENT OF THE TREASURY
Office of the Comptroller of the Currency
12 CFR Part 40
[Docket ID OCC–2009–0011]
RIN 1557–AC80

FEDERAL RESERVE SYSTEM
12 CFR Part 216
[Docket No. R–1280]

FEDERAL DEPOSIT INSURANCE CORPORATION
12 CFR Part 332
RIN 3064–AD16

DEPARTMENT OF THE TREASURY
Office of Thrift Supervision
12 CFR Part 573
[Docket ID OTS–2009–0014]
RIN 1550–AC12

NATIONAL CREDIT UNION ADMINISTRATION
12 CFR Part 716
RIN 3133–AC84

FEDERAL TRADE COMMISSION
16 CFR Part 313
[Project No. 034815]
RIN 3084–AA94

COMMODITY FUTURES TRADING COMMISSION
17 CFR Part 160
RIN 3038–AC04

SECURITIES AND EXCHANGE COMMISSION
17 CFR Part 248
[Release Nos. 34–61003, IA–2950, IC–28997; File No. S7–09–07]
RIN 3235–AJO6

Final Model Privacy Form Under the Gramm-Leach-Bliley Act

AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC); Board of Governors of the Federal Reserve System (Board); Federal Deposit Insurance Corporation (FDIC); Office of Thrift Supervision, Treasury (OTS); National Credit Union Administration (NCUA); Federal Trade Commission (FTC); Commodity Futures Trading Commission (CFTC); and Securities and Exchange Commission (SEC).

ACTION: Final rule.

SUMMARY: The OCC, Board, FDIC, OTS, NCUA, FTC, CFTC, and SEC (the "Agencies") are publishing final amendments to their rules that implement the privacy provisions of Subtitle A of Title V of the Gramm-Leach-Bliley Act ("GLB Act"). These rules require financial institutions to provide initial and annual privacy notices to their customers. Pursuant to Section 728 of the Financial Services Regulatory Relief Act of 2006 ("Regulatory Relief Act" or "Act"), the Agencies are adopting a model privacy form that financial institutions may rely on as a safe harbor to provide disclosures under the privacy rules.
In addition, the Agencies other than the SEC are eliminating the safe harbor permitted for notices based on the Sample Clauses currently contained in the privacy rules if the notice is provided after December 31, 2010. Similarly, the SEC is eliminating the guidance associated with the use of notices based on the Sample Clauses in its privacy rule if the notice is provided after December 31, 2010.

DATES: This rule is effective on December 31, 2009, except for the following amendments, which are effective January 1, 2012: Instructions 3B, 10B, 17B, 24B, 31B, 38B, 45B, and 52B removing paragraphs (g) to 12 CFR 40.6, 216.6, 332.6, 573.6, and 716.6, 16 CFR 313.6, and 17 CFR 160.6 and 248.6, respectively; and Instructions 7B, 14B, 21B, 28B, 35B, 42B, 49B, and 55B removing Appendixes B to 12 CFR parts 40, 216, 332, 573, and 716, 16 CFR part 313, and 17 CFR parts 160 and 248, respectively.

FOR FURTHER INFORMATION CONTACT:

OCC: Stephen Van Meter, Assistant Director, Community and Consumer Law Division, (202) 874–5750; Heidi Thomas, Special Counsel, Legislative and Regulatory Activities Division, (202) 874–5090; or David Nebhut, Director, Policy Analysis Division, (202) 874–5220, Office of the Comptroller of the Currency, 250 E Street, SW., Washington, DC 20219.

Board: Jeanne Hogarth, Consumer Policies Program Manager, Jelena McWilliams, Attorney, or Ky Tran-Trong, Counsel, Division of Consumer and Community Affairs, (202) 452–3667; Kara Handzlik, Attorney, Legal Division, (202) 452–3852; Board of Governors of the Federal Reserve System, 20th Street and Constitution Avenue, NW., Washington, DC 20551.

FDIC: Samuel Frumkin, Senior Policy Analyst, Division of Supervision and Consumer Protection, (202) 898–6602; or Kimberly A. Stock, Counsel, (202) 898–3815, Legal Division; Federal Deposit Insurance Corporation, 550 17th Street, NW., Washington, DC 20429.
OTS: Ekita Mitchell, Consumer Regulations Analyst, (202) 906–6451; or Richard Bennett, Senior Compliance Counsel, Regulations and Legislation Division, (202) 906–7409; 1700 G Street, NW., Washington, DC 20552.

NCUA: Regina Metz, Staff Attorney, (703) 518–6561, Office of General Counsel, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314–3428.

FTC: Loretta Garrison, Senior Attorney, and Anthony Rodriguez, Attorney, Division of Privacy and Identity Protection, Bureau of Consumer Protection, (202) 326–2252, Federal Trade Commission, 600 Pennsylvania Avenue, NW., Stop NJ–3158, Washington, DC 20580.

CFTC: Laura Richards, Deputy General Counsel, (202) 418–5126, or Gail B. Scott, Counsel, Office of General Counsel, (202) 418–5139, Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st Street, NW., Washington, DC 20581.

SEC: Paula Jenson, Deputy Chief Counsel, or Brice Prince, Special Counsel, Office of the Chief Counsel, Division of Trading and Markets, (202) 551–5550; or Penelope Saltzman, Assistant Director, Thoreau Bartmann, Senior Counsel, or Daniel Chang, Staff Attorney, Office of Regulatory Policy, Division of Investment Management, (202) 551–6792, Securities and Exchange Commission, 100 F Street, NE., Washington, DC 20549.

SUPPLEMENTARY INFORMATION: The Agencies are publishing final amendments to each of their rules (which are consistent and comparable) that implement the privacy provisions of the GLB Act: 12 CFR part 40 (OCC); 12 CFR part 216 (Board); 12 CFR part 332 (FDIC); 12 CFR part 573 (OTS); 12 CFR part 716 (NCUA); 16 CFR part 313 (FTC); 17 CFR part 160 (CFTC); and 17 CFR part 248 (SEC) (collectively, the "privacy rule").1

1 Because the Agencies' privacy rules generally use consistent section numbering, relevant sections will be cited, for example, as "section __.6" unless otherwise noted.

I. Introduction
A. Statutory Authority and Overview
B. Overview of the Final Model Privacy Form
II. Background
A. The Gramm-Leach-Bliley Act Privacy Notices
B. Development of Proposed Model Privacy Form
C. Overview of Comments Received
D. Quantitative Research
E. Public Comments on the Quantitative Test Data
F. Validation Testing
III. The Final Model Privacy Form
A. Standardization
B. Instructions for Use
C. Format of the Notice
D. Appearance of the Model Privacy Form
E. Optional General Guidance for Easily Readable Type
F. Printing, Color, and Logos
G. Jointly-Provided Notices
H. Use of the Form by Differently-Regulated Entities
I. Page One of the Model Form
J. Page Two of the Model Form
K. Other Issues
IV. The Sample Clauses
V. Effective Date
VI. Final Regulatory Flexibility Analysis
VII. Paperwork Reduction Act
VIII. OCC and OTS Executive Order 12866 Determination
IX. OCC and OTS Executive Order 13132 Determination
X. OCC and OTS Unfunded Mandates Reform Act of 1995 Determination
XI. SEC Cost-Benefit Analysis
XII. SEC Consideration of Burden on Competition
XIII. NCUA: The Treasury And General Government Appropriations Act, 1999–Assessment of Federal Regulations and Policies on Families
XIV. CFTC Cost-Benefit Analysis

I. Introduction

A. Statutory Authority and Overview

The Regulatory Relief Act was enacted on October 13, 2006.2 Section 728 of the Act directs the Agencies to "jointly develop a model form which may be used, at the option of the financial institution, for the provision of disclosures under [section 503 of the GLB Act]."3 The Regulatory Relief Act stipulates that the model form shall be a safe harbor for financial institutions that elect to use it.
Section 728 further directs that the model form shall: (A) Be comprehensible to consumers, with a clear format and design; (B) provide for clear and conspicuous disclosures; (C) enable consumers easily to identify the sharing practices of a financial institution and to compare privacy practices among financial institutions; and (D) be succinct, and use an easily readable type font.

On March 29, 2007, the Agencies published a proposed model privacy form (the "proposed model form") that financial institutions would be able to use to comply with certain disclosures under the privacy rule.4 On April 15, 2009, the SEC reopened the comment period on the proposed rulemaking to solicit comment on a research report and test data pertaining to additional consumer testing of the proposed model privacy form.5 Today, the Agencies are amending the privacy rule to include a model privacy form that institutions may use to provide required disclosures. The final model form is substantially as proposed with changes based on comments we received as well as additional consumer testing.

2 Public Law No. 109–351, 120 Stat. 1966 (2006).
3 Id., adding 15 U.S.C. 6803(e). See also infra discussion at section II.A. on the GLB Act requirements for financial privacy notices. Section 728 of the Regulatory Relief Act directs the agencies named in Section 504(a)(1) of the GLB Act, 15 U.S.C. 6804(a)(1), to develop a model form. The CFTC, which did not become subject to Title V of the GLB Act until 2000, is not named in that section. The Commodity Exchange Act ("CEA") was amended in 2000 by the Commodity Futures Modernization Act of 2000 to make the CFTC a "Federal functional regulator" subject to the GLB Act Title V. See Section 5g of the CEA, 7 U.S.C. 7b-2. The CFTC interprets Section 728 of the Regulatory Relief Act as applying to it through Section 5g.
4 See Interagency Proposal for Model Privacy Form under the Gramm-Leach-Bliley Act ("Proposed Rule"), 72 FR 14940 (Mar. 29, 2007), available at https://www.ftc.gov/os/2007/03/CorrectedNeptuneMarsandGenericFormsfrn.pdf. A Correction Notice was published at 72 FR 16875 (Apr. 5, 2007).
5 See Interagency Proposal for Model Privacy Form under the Gramm-Leach-Bliley Act, Securities Exchange Act Release No. 59769, Investment Company Act Release No. 28697 (Apr. 15, 2009) [74 FR 17925 (Apr. 20, 2009)].

B. Overview of the Final Model Privacy Form

As explained more fully in the Agencies' Proposed Rule, key elements of the final model form's structure and design, as well as vocabulary, reflect the research findings of the qualitative consumer testing.6 The Agencies believe that the final model form as revised meets all the requirements of the Act and, based on the qualitative research that led to the development of the proposed model form and the quantitative consumer testing described below, is easier to understand and use than most privacy notices currently being disseminated. While the model form provides a legal safe harbor, institutions may continue to use other types of notices that vary from the model form so long as these notices comply with the privacy rule. For example, an institution could continue to use a simplified notice if it does not have affiliates and does not intend to share nonpublic personal information with nonaffiliated third parties outside of the exceptions provided in sections __.14 and __.15.7 Likewise, while the Agencies are eliminating the Sample Clauses and related safe harbor (or, for the SEC, guidance), institutions may continue to use notices containing these clauses, so long as these notices comply with the privacy rule.8 The following section briefly summarizes the key features of the final model form and the changes to the proposed form. A detailed discussion of the elements of the final model form appears in section III.

6 The Agencies conducted the consumer research in two phases: the first was qualitative testing or form development; the second was quantitative testing. See infra section II.
7 See privacy rule, section __.6(c)(5), NCUA section 716.6(e)(5).
8 See infra section IV.

1. The Structure

The final model form has two pages, rather than the three pages in the proposed form, and may be printed on a single piece of paper.9 Together, pages one and two address the legal requirements of applicable Federal financial privacy laws and are designed to increase consumer comprehension. The Agencies are not mandating a specific paper size in the final model form as long as the paper is in portrait orientation and sufficient to accommodate minimum font size, spacing, and content requirements.

9 For ease, the Appendix provides three versions of the final model form: (1) Model form with no opt-out; (2) model form with telephone and Web opt-out only; and (3) model form that includes a mail-in opt-out form. An alternative mail-in form (version 4) may be substituted for the mail-in portion of the model form in version 3. For those institutions that use the model form and need to provide a mail-in opt-out form, the reverse side to that opt-out form must not include any content of the model form. See F.4 of the Frequently Asked Questions for the Privacy Regulation, available at https://www.ftc.gov/privacy/glbact/glb-faq.htm (Dec. 2001) (staff guidance issued by the Board, FDIC, FTC, OCC, OTS, and NCUA) (stating that a consumer generally should be able to detach a mail-in opt-out form from a privacy notice without removing text from the privacy policy).

2. Page One—Background Information, the Disclosure Table, and Opt-Out Information

Page one of the final model form has five parts: (1) The title; (2) an introductory section called the "key frame" which provides context to help the consumer understand the required disclosures; (3) a disclosure table that describes the types of sharing used by financial institutions consistent with Federal law, which of those types of sharing the institution actually does, and whether the consumer can limit or opt out of any of the institution's sharing; (4) only if needed, a box titled "To limit our sharing" for opt-out information; and (5) the institution's customer service contact information. Where the institution provides a mail-in opt-out form, that form appears at the bottom of page one. There are three significant changes on page one of the final model form.10 First, the "What?" box has been modified to permit institutions to select from a menu of terms the types of information collected and shared (other than Social Security number). Second, information (if needed) about how to limit sharing or opt out follows the disclosure table. If the institution provides a mail-in opt-out form, that form appears at the bottom of page one. Third, the final model form includes at the top of the page in the right-hand corner the date by month and year of the most recent version of the notice. Institutions may include at the bottom of page one a "tagline" (an internal identifier) or barcode for information internal to the company, so long as these do not interfere with the clarity or text of the form.11

10 See infra section III.I.
11 See, e.g., comment letters of T. Rowe Price Associates, Inc. (May 29, 2007); Wolters Kluwer Financial Services (May 24, 2007).

3. Page Two—Supplemental Information

As in the proposed model form, the second page of the final model form provides additional explanatory information that, in combination with page one, ensures that the notice includes all elements described in the GLB Act as implemented by the privacy rule. There is supplemental information in the form of Frequently Asked Questions ("FAQs")12 at the top and definitions below. There are three significant changes to the disclosures on page two of the final form.13 First, a new FAQ appears at the top of page two that can be used to identify those institutions that jointly provide the notice. Second, the FAQ on the collection of information has been modified to allow institutions to select from a menu of terms. Third, a new box has been provided at the bottom of page two titled "Other important information." This box can be used in only two ways: (1) to discuss state and/or international privacy law requirements; and (2) to provide an acknowledgment of receipt form.14

12 Note that a financial institution must insert its name or a common corporate identity as indicated in the two questions in this section each time that "[name of financial institution]" appears. The revised form has eliminated the FAQ "How does [name of financial institution] notify me about its practices."
13 See infra section III.J.
14 This use was provided in response to a request by the National Automobile Dealers Ass'n, whose members routinely ask customers to sign an acknowledgment of receipt on a copy of the dealer's privacy notice and retain this record verifying delivery of the notice. Comment letter of the National Automobile Dealers Ass'n (May 29, 2007).

II. Background

A. The Gramm-Leach-Bliley Act Privacy Notices

Subtitle A of title V of the GLB Act, captioned "Disclosure of Nonpublic Personal Information,"15 requires each financial institution to provide a notice of its privacy policies and practices to its customers who are consumers.16 In general, the privacy notice must describe a financial institution's policies and practices with respect to disclosing nonpublic personal information about a consumer to both affiliated and nonaffiliated third parties.17 The notice also must provide a consumer a reasonable opportunity to direct the institution generally not to share nonpublic personal information18 about the consumer (that is, to "opt out") with nonaffiliated third parties other than as permitted by the statute (for example, sharing for everyday business purposes, such as processing transactions and maintaining customers' accounts, and in response to properly executed governmental requests).19 The privacy notice must provide, where applicable under the Fair Credit Reporting Act ("FCRA"), a notice and an opportunity for a consumer to opt out of certain information sharing among affiliates.20 The privacy rule requires a financial institution to provide a privacy notice to its customers no later than when a customer relationship is formed and annually thereafter for as long as the relationship continues. The notice must accurately reflect the institution's information collection and disclosure practices and must include specific information.21 The privacy rule does not prescribe any specific format or standardized wording for these notices. Instead, institutions may design their own notices based on their individual practices provided they comply with the law and meet the "clear and conspicuous" standard in the statute and the privacy rule.22 The Appendix to each privacy rule contains Sample Clauses that institutions may use in privacy notices to satisfy the privacy rule. Financial institutions were required to provide privacy notices to their customers by July 1, 2001.23 Many notices provided to consumers were long and complex.

15 Codified at 15 U.S.C. 6801–6809.
16 15 U.S.C. 6803(a). A "customer" means a consumer who has a "customer relationship" with a financial institution. Privacy rule, section __.3(h), SEC section 248.3(j), CFTC section 160.3(k), NCUA section 716.3(n). A "consumer" is "an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes, and also means the legal representative of such an individual." 15 U.S.C. 6809(9); privacy rule, section __.3(e), SEC section 248.3(g)(1), CFTC section 160.3(h)(1). Financial institutions are required to provide an initial notice to their customers and a notice annually thereafter for as long as the customer relationship continues. 15 U.S.C. 6803(a); Privacy rule, sections __.4 and __.5. Institutions are also required to provide to their non-customer consumers a notice if the institution discloses nonpublic personal information outside the exceptions in sections __.14 and __.15 before any such disclosure is made. 15 U.S.C. 6802(a); privacy rule, sections __.4.
17 15 U.S.C. 6803(a)–(c).
18 "Nonpublic personal information" is generally defined as personally identifiable financial information provided by a consumer to a financial institution, resulting from any transaction or any service performed for the consumer, or otherwise obtained by the financial institution. See 15 U.S.C. 6809(4); privacy rule, sections __.3(n) and (o), SEC sections 248.3(t) and (u), CFTC sections 160.3(t) and (u).
19 15 U.S.C. 6802; privacy rule, sections __.14 and __.15.
20 15 U.S.C. 1681a(d)(2)(A)(iii) (FCRA); 15 U.S.C. 6803(c)(4) (GLB Act).
Because the privacy rule allows institutions flexibility in designing their privacy notices, notices have been formatted in various ways and as a result have been difficult to compare, even among financial institutions with identical practices.24 The Agencies first explored issues related to the complexity of privacy notices in a workshop held in December 2001.25 On December 30, 2003, the Agencies published an Advance Notice of Proposed Rulemaking to Consider Alternative Forms of Privacy Notices Under the Gramm-Leach-Bliley Act ("ANPR") to solicit public comment on a wide range of issues related to improving privacy notices.26 The ANPR stated that the Agencies expected that consumer testing would be a key component in the development of any specific proposals.27 During January and February 2004, the Agencies met with a number of interested groups and individuals to discuss the issues raised in the ANPR and subsequently received forty-four comments in response to the ANPR.28 While commenters expressed a variety of views on the questions posed in the ANPR, many commenters agreed that the Agencies should conduct consumer testing before proposing any alternative privacy notice.

21 See sections __.4, __.5, and __.6 of the privacy rule.
22 15 U.S.C. 6802, 6803; privacy rule, section __.3(b), SEC section 248.3(c), CFTC section 160.3(b)(1).
23 See, e.g., Privacy of Consumer Financial Information, 65 FR 35162 (June 1, 2000). The CFTC was added by Section 5g of the Commodity Exchange Act, 7 U.S.C. 7b-2 (as amended by the Commodity Futures Modernization Act of 2000), on December 21, 2000, and privacy notices were required to be delivered to consumers by March 31, 2002. Privacy of Consumer Financial Information, 66 FR 21236 (Apr. 27, 2001).
24 See Rulemaking Petition from Public Citizen, et al., at 4 (July 26, 2001) (available at https://www.ftc.gov/bcp/workshops/glb/comments/nader.pdf) ("Public Citizen Petition") (stating that notices were "dense," "complicated," and written by those trained in obfuscation rather than to express ideas clearly).
25 See Get Noticed: Writing Effective Financial Privacy Notices, Interagency Public Workshop (Dec. 4, 2001) ("Get Noticed Workshop"). Workshop transcripts and other supporting documents are available at https://www.ftc.gov/bcp/workshops/glb/index.html. The Get Noticed Workshop, discussed in the preamble to the Proposed Rule, supra note 4 at n.14, provided a public forum to consider how financial institutions could provide more useful privacy notices to consumers.

B. Development of the Proposed Model Privacy Form

Over the years during which GLB Act privacy notices have been delivered to consumers, the Agencies have observed wide variations in these notices. Today, privacy notices vary considerably—not just in format, presentation, language, length, style, or tone—but also in how they inform consumers of their rights to limit certain sharing of personal information. For example, the Agencies have found the following variations in current privacy notices. Some institutions incorporate privacy notices into lengthy terms and conditions statements, making it harder for consumers to find information about the institution's privacy practices, and raising questions about whether such notices comply with the requirement that they be clear and conspicuous. Institutions also use messages in their notices' opening statements about how they value privacy and strive to "protect" personal information, thus providing assurances to consumers that imply their personal information is not shared broadly, while obscuring or directing attention away from the required disclosures of actual information sharing practices.
Finally, the Agencies have seen a number of institutions employ the statement in their privacy policy "We do not sell your information to third parties" in a context that raises concerns about misrepresentations.29 These examples illustrate the need to make disclosure of institutions' information sharing practices and consumer choices more transparent and underscore the Agencies' interest in initiating a joint consumer research project to develop an easy-to-read and understandable model privacy notice for consumers. In the summer of 2004, six of the Agencies30 launched a project to fund consumer research ("Notice Project"). Their goals were to identify barriers to consumer understanding of current privacy notices and to develop an alternative privacy notice, or elements of a notice, that consumers could more easily use and understand compared to current notices. The Agencies conducted the consumer research in two sequential phases.31 In September 2004, the Agencies selected Kleimann Communication Group, Inc. ("Kleimann") as their contractor for the phase one form development research.

26 See Interagency Proposal to Consider Alternative Forms of Privacy Notices Under the Gramm-Leach-Bliley Act, 68 FR 75164 (Dec. 30, 2003), available at https://www.ftc.gov/os/2003/12/031223anprfinalglbnotices.pdf. The Agencies sought, for example, comment on issues associated with the format, elements, and language used in privacy notices that would make the notices more accessible, readable, and useful, and whether to develop a model privacy notice that would be short and simple.
27 Id. at text following n.5.
28 Summaries of the outside meetings and public comments to the ANPR are available at https://www.ftc.gov/privacy/privacyinitiatives/financial_rule_inrp.html.
The research objectives of the Notice Project included designing a privacy notice that consumers could understand and use, that facilitated comparison of sharing practices and policies across institutions, and that addressed all relevant legal requirements of the GLB Act and FCRA. The form development phase culminated in an extensive research report prepared by Kleimann and released by the Agencies in March 2006 (the "Kleimann Report").32 The Kleimann Report details the process by which the Agencies and Kleimann developed an alternative privacy notice. The structure, content, ordering of the text information, and title of the proposed model form all reflect the research findings from the qualitative consumer testing. In October 2006, Congress passed the Regulatory Relief Act, which directed the Agencies to propose a model form based on standards similar to the Notice Project research goals. On March 29, 2007, the Agencies issued for public comment the proposed model form as produced in the form development phase with some minor revisions.

29 In some cases, the Agencies have identified notices that violate the privacy rule. For example, one institution's privacy notice did not include an opt-out form, but provided that consumers could only obtain an opt-out form by visiting a bank office, in violation of sections __.7(h), __.9(a), and __.10(a)(1) of the privacy rule. Another notice provided that consumers could only opt out by writing a letter to the institution, in violation of section __.7(a)(1) of the privacy rule. Offering only these very restrictive methods of obtaining an opt-out form and opting out also is not supported by the examples in the privacy rule. See sections __.7(a)(2), __.9(b), and __.10(a)(3) of the privacy rule.
30 The six agencies that initially sponsored the Notice Project were the Board, FDIC, FTC, NCUA, OCC, and SEC. The OTS joined the Notice Project for the phase two quantitative testing. Information related to the Notice Project is available at https://www.ftc.gov/privacy/privacyinitiatives/financial_rule_inrp.html.
31 The first phase was designed as qualitative testing or form development research. This research involved a series of in-depth individual consumer interviews to develop an alternative privacy notice that would be easier for consumers to use and understand. The second phase was designed as quantitative testing, to test the effectiveness of the alternative privacy notice developed in phase one among a larger number of consumers.
32 See Kleimann Communication Group, Inc., Evolution of a Prototype Financial Privacy Notice: A Report on the Form Development Project (Feb. 28, 2006) ("Kleimann Report"). For a copy of the full report, go to https://www.ftc.gov/privacy/privacyinitiatives/ftcfinalreport060228.pdf. For the executive summary, go to https://www.ftc.gov/privacy/privacyinitiatives/FTCFinalReportExecutiveSummary.pdf.

C. Overview of Comments Received

The Agencies collectively received approximately 110 unique comments from a variety of banks, thrifts, credit unions, credit card companies, securities firms, insurance companies, and industry trade associations, as well as from consumer and other advocacy groups, the National Association of Attorneys General ("NAAG"), the National Association of State Insurance Commissioners ("NAIC"), and individual consumers.33 A number of institutions expressed support for the model form. Some stated that they are either already using it (submitting copies of their notices) or intend to use it once it is finalized. One industry association conducted an informal poll of its community bank members and found that many are likely to use the model form and that most found the new form more consumer-friendly than the Sample Clauses. These commenters commended the Agencies for proposing simpler language and making the disclosure terms more understandable and accessible to consumers. Consumer and other advocacy groups, the NAIC, NAAG, and individual consumers generally supported the Agencies' proposal and the clearer language and omission of extraneous information in the proposed model form. These commenters stated that the proposal could be strengthened in certain respects, for example, by making the default opt-in rather than opt-out and creating a one-stop opt-out repository similar to the National Do Not Call Registry. There was general support by many commenters for additional consumer research and testing. While some industry commenters provided substitute language or submitted alternate forms of the notice, none submitted other research findings. However, the NAIC submitted a consumer study on notices with research findings that the Agencies did consider. Most industry commenters, however, objected to several key aspects of the proposal. The most significant areas of concern raised by industry commenters related to: The standardized approach; the format of the proposed model form; the limited examples of types of personal information collected and shared; the disclosure table; incorporation of state law information; and revocation of the Sample Clauses. The thrust of many industry comments was that the proposed form was overly simplistic and not nuanced enough to describe precisely what the various laws permit or to allow accurate descriptions of more complex information sharing policies and practices.

33 Comments received by all the Agencies are available at https://www.ftc.gov/privacy/privacyinitiatives/financial_rule_inrp.html. Many commenters sent copies of the same letter to more than one agency. Some association commenters sent several letters, both individually and jointly with other associations.
One commenter expressed concern that the form would lead to consumer confusion because of inaccurate disclosures on sharing practices and result in high opt-out rates, discouraging use of the form. Many industry commenters expressed concern about liability under state unfair or deceptive practice laws relating to privacy disclosures. At the same time, many institutions urged flexibility to allow inclusion of other information—such as describing the benefits of sharing, or providing marketing messages or privacy tips such as on identity theft and fraud prevention. One institution proposed allowing institutions to pick and choose which elements of the notice to use and still receive a safe harbor.

D. Quantitative Research

Following publication of the model form proposal in March 2007 and subsequent review of the comments, the Agencies revised the proposed model form for further testing.34 In the fall of 2007, the Agencies turned their attention to developing the research protocol and methodology for conducting the second phase of the research: The quantitative consumer testing. In August 2006, prior to enactment of the Regulatory Relief Act, the Agencies had selected Macro International Inc. (“Macro”) to conduct the quantitative research study. In the spring of 2008, Macro conducted a survey of approximately 1,000 consumers using a mall-intercept methodology.

34 See Mall Intercept Study of Consumer Understanding of Financial Privacy Notices: Methodological Report, submitted by Macro International Inc. (“Macro Report”), Appendix C, for copies of the test notices. The Macro Report is available at: https://www.ftc.gov/privacy/privacyinitiatives/Macro-Report-on-Privacy-NoticeStudy.pdf. See also infra section III for a discussion about the changes made to the final model form since the Proposed Rule was issued for comment.
The selected participants for the study reflected a range of demographic characteristics for gender, age, and educational level. The testing was conducted in five shopping mall locations—Baltimore, MD; Dallas, TX; Detroit, MI; Los Angeles, CA; and Springfield, MA—over a period of five weeks during March and April 2008.35 The test objectives were to evaluate the effectiveness of the revised proposed model form36 developed by Kleimann (“Table Notice”) for comprehension and usability as compared to three other styles or formats of notices. The other notice formats were: (1) The prose version of the prototype table notice also developed and tested by Kleimann (“Prose Notice”); (2) a current version of a common notice used by financial institutions (“Current Notice”); and (3) a notice comprised solely of the Sample Clauses found in the appendix to the privacy rule (“Sample Clause Notice”). Within each format, there were three different notices, each reflecting a different level of sharing. Each level of sharing had a common fictional bank name across the four notice formats: Mars Bank had a low level of sharing; Mercury Bank had a medium level of sharing; and Neptune Bank had the highest level of sharing. Both Mercury and Neptune Banks offered opt-out choices; however, the pattern of sharing was such that after exercising all available opt-outs, Neptune Bank continued to share more broadly than Mercury Bank and Mercury Bank continued to share more than Mars Bank. This design was intentional for the comparison testing.37

35 Macro provided the test data to the Agencies in the summer of 2008 and its research methodology report in September. The study data and codebook are available at: https://www.ftc.gov/privacy/privacyinitiatives/Privacy-Notice-StudyDataset.pdf and https://www.ftc.gov/privacy/privacyinitiatives/Privacy-Notice-StudyCodebook.pdf.
36 The proposed model form was revised based on the comments received, and a version of that revised form was used in the quantitative testing.
37 Study participants were randomly assigned to see one of the four notice formats. Each participant read three privacy notices in the same format and was asked a series of questions, first about one pair of notices, and next about a second pair of notices, with one of the three notices used twice in each round. The order and repetition of the notices were rotated among the participants so that the same notice was not always viewed twice. Participants answered additional questions about the notices and their attitudes on information sharing. The interview sought information about participants’ choice of a bank based solely on the notice content; responses to factual questions, such as which of two banks shared more or whether any of the banks offered an opportunity to limit or opt out of sharing; performance of a task, such as determining which bank shared more after exercising all options to limit or opt out of sharing; and responses to questions about their attitudes toward the use and sharing of their information. See Macro Report, supra note 34, Appendix A.

On December 15, 2008, two expert advisors to the Agencies, Dr. Alan Levy and Dr. Manoj Hastak, submitted a report to the Agencies analyzing the research data provided by Macro (the “Levy-Hastak Report”).38 The Levy-Hastak Report confirmed the overall effectiveness of the proposed model form (as modified) as against the three alternative notice formats. On April 15, 2009, the SEC published the Levy-Hastak Report, along with the Macro Report and test data, for public comment. The SEC received nine comments.39

The Levy-Hastak Report examined two measures on how effectively the notices communicated information: (1) Judgment quality; and (2) perceptual accuracy.40 According to the Report, judgment quality focused on the extent to which study participants could provide logical, defensible reasons for choosing one bank over the other based solely on the notice. Perceptual accuracy focused on the ability of the participants to recognize accurately the differences between the banks in information collection and sharing practices, in opt-out choices, and in relative sharing after all opt-out choices were exercised.41

The Levy-Hastak Report concluded that, overall, the Table Notice outperformed the other notices.42 The Table Notice performed particularly well on difficult tasks43 while the Current Notice performed poorly on all measures. While the Sample Clause Notice performed well on simple tasks, about equal to the Table and Prose notices, it performed significantly less well than the Table Notice on measures of judgment quality.44 The Report concluded that the table format is likely a key explanation for the improvement in comprehension demonstrated by the study participants who saw the Table Notice as compared to those who saw the other notice styles—especially for difficult perceptual accuracy tasks.45 While the notice format significantly affected participants’ ability to comprehend and compare the notices, the testing showed that participants’ general attitudes about the sharing of their personal information were not affected by the notices they saw.46 Following the two rounds of questions on the content of, and comparison between, the notices, the study participants were asked to rate their attitudes in general toward information sharing, for example, sharing with affiliated banks and with nonaffiliated banks. The results showed that participants’ attitudes were about the same across the four notice formats.47

The Levy-Hastak Report analyzed two specific areas where the Table Notice seemed to perform less well than the other notices. First, the Report described an anomaly with respect to responses to the question [Q. 19/30]: “Which of these two banks gives you the opportunity to limit or to opt out of the sharing of your personal information?”48 Generally participants identified the bank or banks that provided an opt-out. However, some participants who saw the Table and Prose notices selected Mars Bank, the one that shared the least and offered no opt-out option. Because answering “Mars Bank” was identified as an incorrect answer, the Current and Sample Clause notices out-performed the Table and Prose notices on this question. In contrast, the Table and Prose notices out-performed the other two notices on the most difficult task in the test.

38 See https://www.ftc.gov/privacy/privacyinitiatives/Levy-Hastak-Report.pdf.
39 See https://www.sec.gov/comments/s7-09-07/s70907.shtml.
40 Levy-Hastak Report at 7–14.
41 Id. at 4–5.
42 Id. at 16.
43 Id. at 17. According to the Report, an example of a difficult task was: Participants were asked to assume that they had limited or opted out of all possible sharing for both banks; based on that assumption, respondents were asked whether one bank shared more personal information than the other or whether both banks shared information equally. An example of an easy task was: Using the notice, participants were asked to identify how they could tell the bank that they wanted to limit or opt out of sharing personal information.
In this task, participants were asked to assume that they had exercised all possible options to limit or to opt out of sharing and then to identify which bank shared more. Here, the Table and Prose notices significantly out-performed the other notices. More participants who saw the Table and Prose notices correctly gave as their answer the higher sharing bank. This result suggests that participants who saw the Table and Prose notices did understand which bank(s) offered an opportunity to limit or to opt out of their sharing.

In analyzing this discrepancy, the Levy-Hastak Report observed that the simpler question had two different, yet accurate, responses, depending on how participants interpreted the question. Some of the participants might have understood the question to apply at the point of choosing between the two bank notices; those participants selected the lower sharing bank. In contrast, other participants might have understood the question to mean: Which bank lets me opt out of sharing personal information once I am doing business with the bank. The second interpretation was the intended meaning of the question. Drs. Levy and Hastak hypothesized that some participants who saw the Table and Prose notices understood the question to have the first meaning, while other participants, particularly those who saw the Sample Clause and Current notices, understood the question to have the second meaning.49 To test this hypothesis, Drs. Levy and Hastak examined the pattern of factual mistakes that participants made when they answered a separate set of questions.50 There, study participants were asked in Q. 16/27 why they preferred one bank over the other, based solely on the notice.

44 Levy-Hastak Report at 9–10.
45 Levy-Hastak Report at 17.
46 Id. at 15. Study participants generally did not like their information being shared with either affiliates or with nonaffiliates.
47 Id.
48 See id. at 12–14.
Some participants who selected a bank that shared relatively little information and did not offer an opt-out stated that this bank offered more opportunity to limit or to opt out of sharing than the higher sharing bank, which was labeled a “false opt-out mistake” in the Report. The Report found that participants who saw the Table and Prose notices were on average almost three times as likely to make the false opt-out mistake as those who saw the Current and Sample Clause notices.51 This finding supports the hypothesis that users of the Table and Prose notices who selected the lower sharing bank in response to Q. 19/30 understood the question in its first meaning: They selected a bank that gave them an opportunity to limit or opt out of sharing at the time of choosing between the two bank notices.

49 Significantly, unlike the Sample Clause and Current notices, neither the Table nor the Prose notice uses the word “opt-out” in the model form; rather, these forms refer to “limiting sharing.” This word choice was intentional to help consumers understand that some sharing is necessary and that consumers cannot stop all sharing—a concept that consumers who knew the term equated with “opt-out.” See Kleimann Report, supra note 32, at 101–108. Because the Table and Prose notices did not use the word “opt-out,” participants using these notices did not have that word as a visual “cue” when they were asked the question.
50 The Report also examined a second mistake: Where participants selected the lower sharing bank when they were asked to identify which bank shared more (labeled a “false sharing mistake”). See Levy-Hastak Report at 9. In that case, there was not an unusual pattern in the distribution of responses. Rather, the Report found that the study participants who made this mistake were equally distributed across all four notice styles. Id. at 13.
51 Id.
Under that interpretation, these participants could limit sharing by selecting the bank that shared less information. Thus the Levy-Hastak Report’s analysis of the false opt-out mistake pattern in Q. 16/27 is consistent with their hypothesis regarding the responses to Q. 19/30. In addition, the Report found that the educational level of the study participants produced a significant effect only on the responses to the opt-out question, with better educated participants more likely to answer the question in the intended manner.52 This finding is also consistent with the Report hypothesis that participants who saw the Table and Prose notices understood the question in two different, yet equally correct ways, unlike those who saw the Sample Clause and Current notices.

The Table Notice also seemed to perform less well in a second, unrelated area. Specifically, all the test notices provided only two methods for consumers to opt out of or limit sharing: Use of a toll-free telephone number or access to the opt-out on the institution’s Web site. When study participants were asked to identify which contact modes were identified in the notice as ways to limit or opt out of sharing, they correctly identified the two modes more frequently when using the Sample Clause Notice than the Table, Prose, and Current notices. Noting that this type of question appears to invite skimming the notice to find the answer quickly and easily, the Levy-Hastak Report examined the great variability in notice length and found that the Sample Clause Notice was significantly shorter than any of the other notices. The Levy-Hastak Report observed that the shortness of the Sample Clause Notice may have made it easier for participants to scan the notice and find the answer to this question. The Report opined that notice length likely has an effect on scanability and reading ease.53

While the Levy-Hastak Report findings confirmed the overall effectiveness of the Table Notice,54 the Report’s analysis prompted the Agencies to consider a further refinement to the proposed model form. The change, discussed in more detail later, was to modify the opt-out section of the model form to place the opt-out information on page one directly following the disclosure table so that all the key information appears on that page.55 The Agencies considered this change to facilitate quick scanning for important information without sacrificing the model form’s performance in other respects. To ensure that locating the opt-out information on page one worked from a usability perspective, the Agencies decided to conduct validation testing which led to separate formats for the telephone and Internet opt-out and for the mail-in opt-out that the Agencies are adopting.

E. Public Comments on the Quantitative Test Data

Nine commenters representing insurance, securities, and financial services associations, a bank, and two investment advisers submitted comments in response to the SEC’s solicitation for public comments on the quantitative testing. Most of the commenters re-stated their earlier general objections to the proposed model form. These concerns are addressed in section III. All but one of these commenters made general observations about the quantitative test methodology and the Levy-Hastak Report. Five commenters observed that the test notices were designed for banks and not for insurance companies or securities firms (i.e., broker-dealers, investment companies, or SEC-registered investment advisers), thereby omitting a significant portion of the financial services industry that provide these notices.56 Two commenters opined that the study participants’ demographic characteristics did not reflect those consumers who will receive financial privacy notices.57 One expressed concern about the demographic diversity in the mall selections and questioned whether there was consistent coding of the open-ended responses.58 One commented that the testing criteria ruled out non-English speaking participants.59

Some of the commenters disagreed with the Levy-Hastak Report’s conclusion that the Table Notice outperformed the other notice formats. They opined that the Report’s conclusion is flawed because: (1) The Sample Clause Notice did better on simpler tasks than the Table Notice;60 (2) the anomalies discussed in the Levy-Hastak Report may be due to other explanations;61 and (3) while the Table Notice’s overall performance was better than the other notices, actual performance accuracy was relatively low.62 Several commented that the overly simplified and inflexible format of the Table Notice is not a true test of consumers’ understanding of institutions’ actual collection and disclosure practices.63 In addition, all commenters on the quantitative testing urged retention of the Sample Clauses and related safe harbor.

The test notices for the quantitative study were created for fictitious banks, even though the model form can be used by any financial institution subject to the GLB Act and the privacy rule. Because the vast majority of consumers are familiar with or have experience with a bank, the Agencies used a notice designed for a bank to increase the likelihood that most of the test participants could readily understand the terms in the notice, such as “account balances,” “income,” or “credit history,” which describe information collected and shared by many banks, as well as by many other financial institutions.

The Macro Report presented data on the demographic characteristics of the study participants recruited for the study.

52 Id. at 13–14.
53 Levy-Hastak Report at 14. In addition, the use of check boxes in the design of the opt-out section of the Table and Prose notices (a carry-over from the original mail-in format of the proposed model form) appeared to confuse some participants when they were asked this question. The responses recorded for these two notices reflected a somewhat higher number of “other” responses, even though all the notices offered the same two options. Macro reported anecdotally that a number of participants who viewed the Table and Prose notices reported “check this box” as one of the methods offered to opt out or limit sharing—a response that was recorded as “other.”
54 Id. at 17.
55 Some commenters had urged the Agencies to consolidate the model form on two sides of a single piece of paper, and a few suggested that the Agencies consider moving the opt-out to page one. See, e.g., comment letters of Securities Industry and Financial Markets Ass’n (May 29, 2007); World’s Foremost Bank (May 25, 2007); World Financial Network National Bank (May 29, 2007); World Financial Capital Bank (May 25, 2007).
56 See comment letters of American Council of Life Insurers (May 20, 2009), National Ass’n of Mutual Insurance Cos. (May 20, 2009), American Insurance Ass’n (May 20, 2009), Investment Adviser Ass’n (May 20, 2009), The Financial Services Roundtable and BITS (May 20, 2009).
57 See comment letters of National Ass’n of Mutual Insurance Cos. (May 20, 2009); The Financial Services Roundtable and BITS (May 20, 2009).
58 See comment letter of The Financial Services Roundtable and BITS (May 20, 2009).
59 See id. The Agencies used a single form, printed in English, for simplicity in conducting the testing. We recognize that institutions can and do provide notices in a variety of other languages when their customers are non-English speaking. We anticipate that those institutions that use the final model form will continue to provide their notices in other languages to ensure that their non-English speaking customers can read and use the form. See also Transcript of Get Noticed Workshop, available at https://www.ftc.gov/bcp/workshops/glb/GLBtranscripts.pdf, comments of Irene Etzkorn (recognizing that banks do provide financial privacy notices in languages other than English); comments of Tena Friery (noting that the Privacy Rights Clearinghouse promotes notices and educational materials in other languages and that 80–100 different languages are spoken in Los Angeles alone).
60 See comment letters of American Insurance Ass’n (May 20, 2009); National Ass’n of Mutual Insurance Cos. (May 20, 2009). While some commenters find greater virtue in the better performance of the Sample Clause Notice on only the simpler tasks or disagree with the Levy-Hastak Report’s analyses, the evidence is compelling that the Table Notice performed better overall across all comprehension and comparison measures. See Levy-Hastak Report at 6.
61 See comment letter of American Council of Life Insurers (May 20, 2009).
62 Id.
63 See, e.g., comment letter of The Financial Services Roundtable and BITS (May 20, 2009).
Participants at each mall were pre-selected for a representative mix based on gender, age, and education levels, and information on participants’ race/ethnicity, income, and household size was obtained at the end of each interview.64 Since a significant majority of consumers in America receive a financial privacy notice—including from banks, credit unions, securities firms, insurance companies, auto dealers, debt collectors, and payday lenders—the Agencies wanted to ensure that a representative cross-section of consumers be included in the study. The Agencies hired Macro as an outside independent expert to handle all aspects of the collection and reporting of the study data. Macro conducted all training of field staff, implemented a series of checks to ensure greater accuracy of the study data, reviewed, on an ongoing basis, all daily downloads of data from the field, and coded all of the open-end responses.65 With respect to the comment that the accuracy of the study participants’ responses overall was relatively low, the commenter cited the judgment quality measure of the participants’ fact-based reasons for choosing the lower sharing bank.66 While the results showed that most consumers likely have a limited understanding of information sharing practices after a brief exposure to any of the notice styles, nevertheless the Levy-Hastak Report confirms that overall the Table Notice out-performed the other notices and is the most effective notice of all the privacy notices tested.

Finally, two commenters requested that if both the model privacy form and the SEC’s proposed amendments to its privacy rule, Regulation S–P, were adopted, the SEC should coordinate the compliance dates so as to minimize the compliance burden and the potential for multiple revisions of an institution’s privacy notice.67 The SEC appreciates institutions’ desire to minimize revisions to their privacy notices and reduce the costs of compliance with its rules. However, the model privacy form the Agencies are adopting today is just that—a model—and no institution is required to use the model form. A financial institution that intends to use the model privacy notice and minimize potential costs, if any, related to revising its privacy notices in light of amendments to Regulation S–P could begin to use the model form after the compliance date of any final amendments to Regulation S–P.

F. Validation Testing

In revising the model form based on public comments and findings from the Levy-Hastak Report, the Agencies streamlined the form to consolidate the information on the front and back sides of a single piece of paper and moved the opt-out information to the bottom of page one. In December 2008, the Agencies engaged Kleimann to conduct validation testing to confirm that these changes would not affect the comprehension, usability, and design integrity of the model form. In particular, Kleimann’s new research focused on the placement of the opt-out information on page one. Kleimann conducted targeted in-depth interviews in January and February 2009 to test, revise, and re-test the model form.

64 Macro Report, supra note 34, at 3 & Appendix B; Levy-Hastak Report at 2.
65 Macro Report, supra note 34, at 3–4.
66 The commenter looked to the Table Notice score of 40.6% in Table 1 of the Levy-Hastak Report. Levy-Hastak Report at 12. This data evaluated how well study participants could explain their reasons for preferring one bank notice over another where they selected, as their preferred bank, the lower sharing bank. While the commenter pointed to a single measure in the Levy-Hastak Report, the Report relied on a number of accuracy measures that varied in difficulty level. See, e.g., id., Table 3 at 12.
On February 12, 2009, Kleimann submitted a report to the Agencies, “Financial Privacy Notice: A Report on Validation Testing Results,” with a revised opt-out form recommendation (“Kleimann Validation Report”).68 The validation testing examined various formats for displaying opt-out information where the opt-out methods are by toll-free telephone number,69 the Internet, or a mail-in form. The validation testing confirmed the usability of the following changes to the proposed model form: (1) inserting a new box titled “To limit our sharing” below the disclosure table to inform consumers how they can limit sharing, such as by a toll-free telephone number or online; (2) replacing the “Contact Us” box with a box titled “Questions” following the “To limit our sharing” box; and (3) as applicable, inserting a mail-in form at the bottom of the page, which would require a longer piece of paper.70

III. The Final Model Privacy Form

A. Standardization

Like the proposed model privacy form, the final model form uses a standardized format. Some industry commenters expressed support for the standardized format, with one noting that standardized notices would serve as an effective means of allowing consumers to understand in a simple manner companies’ information practices.71 Another commenter pointed to the success of the “Schumer box,” a standardized format that makes the disclosure of credit card terms more accessible to consumers.72 Privacy and advocacy groups and NAAG supported the proposed standardized format, recognizing the important findings of the research and the model form’s structure—in particular the elements on page one—as benefiting both consumers and companies by making the disclosure information accessible.73

A number of industry commenters, however, objected to the standardized form, asserting variously that: It causes confusion; because it is an abrupt change in the way information-sharing practices are disclosed, it could cause consumers to believe that the institution is changing its policies; because the model form has too much boilerplate, it detracts from the ability to compare policies; and it makes the notice less clear. Others stated that the standardized form is too inflexible and does not accurately reflect institutions’ financial practices or accurately describe the scope of consumers’ rights. Several stated that the model form language does not adequately capture the complex privacy policies and practices of many institutions.

Based on the statutory requirement that the Agencies propose “a model form,” the final model privacy form utilizes a standardized format.74 Moreover, as more fully discussed in the preamble to the Proposed Rule, the Agencies’ research supports uniform disclosures to help consumers better understand companies’ information sharing practices.75 We reaffirm that use of the model form is voluntary; institutions are not required to use it.

B. Instructions for Use

The General Instructions to the Model Privacy Form require that no additional information—other than what is specifically permitted—may be included in the model form in order to obtain the benefit of the safe harbor.76 A number of industry commenters objected to the Agencies’ statement in the preamble to the Proposed Rule that the model form should not be incorporated into any other document.77 Some expressed concern that this would require the notice to be mailed separately.78 Several commenters stated that a private label or co-branded credit card application incorporates the lender’s privacy policy into a brochure with a tear-off application to make it easier for the store clerks to provide all required information in a single document.79 Others observed that the privacy notice is typically included in a single document with other important reference information. Recognizing these concerns, the Agencies agree that institutions may incorporate the model form into another document, but they must do so in a way that meets all the requirements of the privacy rule and the model form instructions, including that: The model form must be presented in a way that is clear and conspicuous;80 it must be intact so that the customer can retain the content of the model form;81 and it must retain the same page orientation, content, format, and order as provided for in this Rule.

67 See Part 248–Regulation S–P: Privacy of Consumer Financial Information and Safeguarding Personal Information, Securities Exchange Act Release No. 57427, Investment Company Act Release No. 28718 (Mar. 4, 2008) [73 FR 13692 (Mar. 13, 2008)]. See also comment letters of American Council of Life Insurers (May 20, 2009) and Investment Advisers Ass’n (May 29, 2007).
68 https://www.ftc.gov/privacy/privacyinitiatives/validation.pdf.
69 See section l.7(a)(2)(ii)(D) of the privacy rule.
70 Kleimann Validation Report, Appendix E. The Kleimann Validation Report found that the information for telephone or Internet options could be readily displayed on a standard 8½ x 11-inch page, but the addition of a mail-in form required a longer piece of paper.
71 Comment letter of The Direct Marketing Ass’n (May 29, 2007) (commenting that it has an automated software program that allows companies to create a customized privacy notice in a standardized format).
72 See comment letter of Capital One Financial Corporation (May 29, 2007); see also 12 CFR 226.5a(a)(2)(i)–(ii).
73 See, e.g., comment letters of Center for Democracy and Technology (May 29, 2007); National Ass’n of Attorneys General (June 14, 2007); Privacy Rights Clearinghouse (May 16, 2007). See also The Center for Information Policy Leadership (May 29, 2007) (recognizing that the proposed model form addresses the requirements of the GLB Act and that the research provided insight into what effectively communicates to consumers, including “important information about how people learn about privacy, about the use of tables to facilitate comparisons across companies, and about the need to inform consumers about why they are receiving a privacy notice”).
74 Cf. Press Release, U.S. House of Representatives, Committee on Financial Services, Financial Services Committee Democrats Call for Simplified Privacy Notices, (July 25, 2003) available at: https://financialservices.house.gov/pr062503.html.
75 See Proposed Rule, supra note 4 at text accompanying n.30. See also Janice Tsai, Serge Egelman, Lorrie Cranor, and Alessandro Acquisti, “The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study,” The 6th Workshop on the Economics of Information Society (WEIS) (June 2007) https://weis2007.econinfosec.org/papers/57.pdf (more accessible privacy information reduces information asymmetry between the merchant and the consumer as to the use of consumers’ personal information; aids consumers in making informed choices; and demonstrates that consumers tend to purchase from merchants offering more privacy protection, including paying a premium for such a purchase).
76 See Instruction C to the Model Privacy Form.
77 See, e.g., comment letters of American Council of Life Insurers (May 29, 2007); Investment Company Institute (May 29, 2007); National Business Coalition on E-Commerce and Privacy (May 30, 2007).
C. Format of the Notice

In response to numerous comments relating to the format of the proposed model form, the Agencies have revised certain of the requirements relating to paper size, orientation, number of pages, type size, and color and logo placements, as discussed below.

Paper Size: To allow institutions greater flexibility, the final model privacy form may be printed on paper the size of which must be sufficient to meet the layout and minimum font size requirements with sufficient white space on the top, bottom, and sides of the content.82 Many industry commenters objected to the proposed requirement that the model form appear on 8½ by 11-inch size paper.83 Commenters stated that the proposed model form would require significant materials, postage, and production costs. Industry commenters explained that institutions use a variety of sizes and styles to present their privacy notices. Some institutions—particularly credit card institutions—enclose their privacy notices with a billing or periodic statement or a bankcard carrier. Envelopes for certain of these statements or for multi-panel formats are smaller than 8½ inches and may not accommodate the proposed size. The Agencies have reviewed numerous financial institution privacy notices over the past eight years, many of which are printed on smaller-sized paper in a multi-panel, multi-fold display. The density of the small-font text, in addition to the complex legal language, makes these notices very difficult to read or understand.84 The final requirement for paper size is designed to provide financial institutions with some flexibility, while prohibiting a paper size that is too small to accommodate the font and orientation requirements in the model form set forth below.

Orientation: Like the proposed model form, the final model privacy form must be printed in “portrait” orientation. Some institutions objected to this orientation, suggesting instead that institutions be permitted to design their own model form in other orientations, such as the commonly-used multi-fold display.85 According to these commenters, this landscape format has three or more “pages” of text visible on each side of the paper when the notice is fully opened. The size of the paper varies considerably, with some as small as approximately 7 by 11 inches before it is folded. In such a display, each “page” is approximately 3⅓ by 7 inches—considerably smaller than can accommodate the model form.86 The design of the model form does not lend itself to a multi-panel display. The utility of the form’s design for reading ease depends in large measure on both larger, more readable type size and how the content is presented. While one commenter objected to the “significant empty space” in the model form,87 the guidance from communications experts and form designers is that appropriate white space between the text and margins, as well as the use of headings and bullets, make a more effective, readable notice.88 The table—the heart of the model form—cannot be squeezed into a tighter space or so reduced in size as to make it virtually unreadable. For these reasons, the Agencies do not agree that the orientation of the model form should be altered to accommodate a multi-panel display.

Number of Pages: In response to numerous commenters, the instructions to the final model privacy form permit the form to be printed on two sides of a single piece of paper or on two single-sided sheets.89 By incorporating the opt-out information on the bottom of page one, the revised model form may now appear on the front and back of a single piece of paper. Industry commenters generally objected to the proposed requirement that the model form be printed only on one side of a page.90 Many raised environmental concerns and the increased costs associated with printing the notice on multiple pages. While the proposed single-sided model form was based on the initial consumer research and testing, the Agencies believe that the concerns expressed by commenters justify double-sided printing. Moreover, the Agencies used double-sided printed notices in the quantitative and validation testing, with no demonstrable loss in effectiveness relative to the single-sided notice.91

D. Appearance of the Model Privacy Form

The Regulatory Relief Act requires that the model form “use an easily readable type font.” While a number of factors affect the readability of a document, as in the proposal, the final model privacy form must use: (1) 10-point font as the minimum font size (unless otherwise specified in the Instructions) and (2) sufficient spacing between the lines of type (leading).92 The Agencies separately provided optional guidance in the preamble to the Proposed Rule on readable type styles and other formatting suggestions for institutions. This optional guidance is not required; it was to assist institutions that want to provide more readable and attractive privacy notices to consumers. The Agencies are republishing this optional guidance in section III.E to assist interested institutions.

Type Size: A number of commenters expressed various concerns about the proposed 10-point minimum font requirement.93 A few commenters noted that the proposed model form included several different type sizes for various parts of the model form and were confused about what type size(s) the Agencies proposed as a requirement.94 Other commenters raised concerns that a minimum type size requirement for the model form would conflict with state law mandated requirements. A few stated that a minimum font size is not legally required for the model form. Many of the criticisms about current notices are, in part, about the tiny print that makes these notices so difficult for consumers to read.95 Based on the statutory directive, as well as the findings elicited from the Agencies’ consumer research and expert views, the Agencies believe that the model form should have a minimum 10-point font. Requiring a minimum 10-point font is consistent with state law mandates for consumer disclosures.96

Leading: Leading is the spacing between lines of type, measured in points. If the line spacing is too narrow, the type is hard to read. In these circumstances, the ascenders (such as the upward line in the letter “h”) and descenders (such as the downward line in a “g”) may touch, blending the lines of type and making it much harder to distinguish the letters on the page.

78 See, e.g., comment letters of American Bankers Ass’n (May 25, 2007); American Insurance Ass’n (May 29, 2007); Visa U.S.A., Inc. (May 29, 2007).

79 See, e.g., comment letters of Consumer Bankers Ass’n (May 29, 2009); National Retail Federation (May 29, 2007).

80 The term “clear and conspicuous” is defined in the privacy rule at section __.3(b), SEC section 248.3(c), and includes as a requirement that the notice be designed to call attention to the nature and significance of the information in the notice. In addition, the privacy rule requires that consumers should reasonably be expected to receive the notice. See section __.9 of the privacy rule.

81 Institutions that incorporate the model privacy form into other documents must take care that the customer’s execution of other forms in the document will leave the model form intact.

82 See Instruction B to the Model Privacy Form. The Agencies understand that most privacy policies provide for opting out by toll-free telephone or on the Internet. The paper size for those policies will likely be about 8½ x 11 inches. However, for those institutions that provide a mail-in opt-out form, the paper size will likely need to be longer, around 8½ x 14 inches, in order to accommodate the mail-in form.

83 See, e.g., comment letters of Consumer Bankers Ass’n (May 29, 2007); American Bankers Ass’n (May 25, 2007); Bank of America Corporation (May 29, 2007); Independent Community Bankers of America (May 29, 2007); Securities Industry and Financial Markets Ass’n (May 29, 2007); Investment Company Institute (May 29, 2007); National Retail Federation (May 29, 2007); National Ass’n of Mutual Insurance Cos. (May 29, 2007); Credit Union National Ass’n (May 29, 2007).

84 See supra notes 24–25 and infra note 95.

85 See, e.g., comment letters of National Retail Federation (May 29, 2007); Investment Advisers Ass’n (May 20, 2009); American Bankers Ass’n (May 25, 2007); Credit Union National Ass’n (May 29, 2007). Some of these commenters pointed to the preamble language in the final privacy rule which states: “The Agencies believe that in most cases the initial and annual disclosure requirements can be satisfied by disclosures contained in a tri-fold brochure.” 65 FR 33646, 33662 (May 24, 2000) (FTC); 65 FR 35162, 35175 (June 1, 2000) (banking agencies); (Regulation S–P) 65 FR 40334, 40347 (June 29, 2000) (SEC). This statement was written in 2000 before the Agencies or institutions had any experience with the GLB Act privacy notices. In the intervening period, both the Agencies and institutions have learned much through their own testing about improved notice design and consumer comprehension. The impetus for the Agencies’ consumer research, borne out by the research findings, is that the current notices, including those utilizing multi-fold formats, are not effective. Moreover, the important information on page one of the model form—including the context information and disclosure table—could not be appropriately displayed in such a cramped format and still comply with the minimum space and font requirements of the model form.

86 Examples provided by commenters included: 3.5 x 7.5 inches, printed double sided; 3.5 x 8; 7 × 10.812 inches folded to 7 x 3.625 inches; 7 x 3.5 inches (finished folded size). See, e.g., comment letter of National Retail Federation (May 29, 2007).

87 See comment letter of Consumer Bankers Ass’n (May 29, 2007).

88 See supra note 25.

89 See Instruction B.2 to the Model Privacy Form.

90 See, e.g., comment letters of American Insurance Ass’n (May 29, 2007); Bank of America Corporation (May 29, 2007); Citigroup Inc. (May 30, 2007); National Retail Federation (May 29, 2007); Securities Industry and Financial Markets Ass’n (May 29, 2007).

91 See Levy-Hastak Report at 15.

92 While a variety of type styles would be suitable for the model notice, the Agencies caution institutions that use of idiosyncratic fonts or highly stylized typefaces will not meet the model form safe harbor standard. See Instruction B.3(a) to the Model Privacy Form.

93 See, e.g., comment letters of American Council of Life Insurers (May 29, 2007); National Business Coalition on E-Commerce and Privacy (May 30, 2007); National Retail Federation (May 29, 2007); Financial Services Roundtable and BITS (May 29, 2007).

94 The type size information in Example 3 in the preamble to the Proposed Rule identified the five type sizes used in various elements of the proposed form. This example was intended solely to show how key features of the form—such as headings—can be distinguished by using different font sizes to make the form more visually appealing. Contrary to some commenters’ assumption, the different sizes were not a proposed requirement for users of the model form.
The final instructions to the model form require only that the leading used allow for sufficient spacing between the lines, but do not mandate a specific amount.

E. Optional General Guidance for Easily Readable Type

The Proposed Rule included optional guidance on readable type styles and other formatting suggestions for institutions that want to provide privacy notices that are more readable and attractive to consumers, as well as those that want to develop their own model privacy form.97 A number of commenters were concerned by this guidance for easily readable type, and in some cases, they assumed the guidance would be mandatory. The Agencies expressly state that the guidance in this section III.E is not mandatory and is not a requirement for proper use of the model form.

In more closely examining the statutory directive for “easily readable type,” the Agencies determined that a number of type-related factors can greatly affect the readability of a form. Type size, type style, leading, x-height, serif versus sans serif,98 upper and lower case type, along with the page layout—together play an important role in designing a typeface that is highly readable. Therefore, in considering these various factors for the design of an easily readable type font, institutions that elect to use the model form may voluntarily consider this additional guidance for an easily readable appearance to the notice.

Leading: Research on the legibility of typography indicates that people read faster when text is set with 1 to 4 points of leading.99 Institutions may, but are not required to, consider these general recommendations for use with the model form: 10- or 11-point type should have between 1 and 3 points of leading. Twelve-point type should have between 2 and 4 points of leading.100

Type style and “x”-height: The readability of type size is highly dependent on the selection of the type style. Some styles in 10-point font are more readable than others in 12-point font and appear larger because of their design. Experts differ on the question of the most desirable type style. The model form uses sans serif and “monoweight” type, and upper and lower case lettering in the body of the form.101 Larger x-height102 makes a font appear larger and thus more readable, and fonts with larger x-heights are better for smaller text. Research shows that our eyes “scan the top of the letters’ x-heights during the normal reading process, so that is where the primary identification of each letter takes place.”103 Generally, a font with an x-height ratio of around .66 is easier to read.104 While not mandating a particular type style or x-height, the Agencies are providing these general guidelines for type style in the model form: For typefaces with a smaller x-height, 11- or 12-point font should be used; for typefaces with a larger x-height, a 10-point font would be sufficient.105

For ease of reference, the following table summarizes the optional guidance discussed here. None of the standards in the table below is mandatory; rather, the information in the table is offered only as suggestions for institutions that design their own forms.

If                  Then use              And use                           And use font with
Font is 10-point    1–3 points leading    Monoweight typeface               Large x-height sans serif (around .66 ratio).
Font is 11-point    1–3 points leading    Monoweight typeface               Smaller x-height is acceptable; either serif or sans serif (less than .66 ratio is acceptable).
Font is 12-point    2–4 points leading    Monoweight or variable typeface   Smaller x-height is acceptable; either serif or sans serif (less than .66 ratio is acceptable).

F. Printing, Color, and Logos

We are adopting the requirements for printing, color, and logos in the final model form as proposed. Commenters generally commended the Agencies’ support for the use of color and company logos on the model form.106 A few industry commenters expressed concern about the background shading in certain headers smudging in high-speed printing operations.107 Some commenters sought clarification as to whether logos can use more than one color. The Agencies agree that the distinguishing features of company logos along with color are important to ensure that an institution’s documents have a distinctive look that consumers may readily recognize. As the Agencies proposed, a financial institution that uses the model form may include its corporate logo on any of the pages, so long as the logo design does not interfere with the readability of the model form or space constraints of each page. Institutions using the model form should use white or light color paper (such as cream) with black or suitable contrasting color ink. Spot color is permitted to achieve visual interest to the model form, so long as the color contrast is distinctive and the color does not detract from the form’s readability. The Agencies are not prohibiting the use of more than one color in a logo. Other commenters asked for greater flexibility to include “markings” or “graphics” or other “visual effects” or to include a “branding phrase” or “advertising slogan.”108 The Agencies observe that few institutions’ privacy policies include advertising slogans.

95 See Kleimann Report, supra note 32, at 33. See also, e.g., Public Citizen Petition, supra note 24 at 7 (“[S]mall font sizes * * * deprive consumers of their right to prevent financial institutions from sharing private information.”); “UNDERSTANDING THE FINE PRINT: How to make sure the gotchas don’t get you,” Consumer Reports Money Adviser (Oct. 2008) (“Fine print is everywhere—contracts; retail Web sites; sales receipts; print, broadcast, and Internet offers; prospectuses; privacy notices; product manuals; and manufacturer warranties.”); David Colker, “Stopping junk mail for living and dead; Opt-outs can slow the torrent of solicitations to computer and postal mailboxes and phones;” Los Angeles Times, July 22, 2007, at C3 (“[B]y law, financial institutions have to offer an opt-out if they are making this data available to non-affiliated businesses. The problem is that their guides to opting out are often contained in their privacy notices—in small print.”).

96 See, e.g., Cal. Fin. Code div. 1.2 § 4053(d)(1)(B) (requiring 10-point minimum font).

97 See Proposed Rule, supra note 4, at section II.F.

98 Serif typeface has small strokes at the ends of the lines that form each letter. Sans serif typeface does not have those small strokes.

99 Karen A. Schriver, Dynamics In Document Design (“Schriver”) 274 (1997).

100 Id. at 262; see also James Hartley, Designing Instructional Text (1994); and Barbara Chaparro et al., Reading Online Text: A Comparison of Four White Space Layouts 6(2) (2004).

101 While much of the printed material in the United States and western Europe uses serif styles, Web designers are increasingly using sans serif type, as they have found that serif type is harder to read online. These changes in Web design are also beginning to affect font styles in printed materials. Some typography designers are now using sans serif typefaces, as well as type with a uniform thickness throughout the letter (monoweight typeface), finding these typefaces easier to read than those with variable thickness.

102 The “x-height” is the height of the lower-case “x” in relation to full height letters, such as a capital G. X-height is critical to type legibility.

103 Erik Spiekermann & E.M. Ginger, Stop Stealing Sheep & Find Out How Type Works 93 (1993).
We note that some include pictures or other large designs that occupy the front cover. The Agencies believe that these designs or slogans would distract from the content of the model form and that slogans would be inconsistent with the standardized language throughout the form. For these reasons, the final model form does not permit institutions to include slogans or images (other than logos) on the model form.

G. Jointly-Provided Notices

The final model privacy form includes a new FAQ at the top of page two: “Who is providing this notice?” Many commenters representing larger institutions observed that the proposed model form did not provide sufficient space to identify multiple entities that jointly provide a privacy notice, as permitted by the privacy rule.109 Some suggested the Agencies provide extra space for this information either in the body of the notice or as a footnote. The new FAQ is not required where only a single financial institution is providing the notice and that institution is identified in the title. As discussed in section III.J.1, space is provided for the institution’s response.

H. Use of the Form by Differently-Regulated Entities

A number of commenters sought clarification as to whether institutions regulated by different Agencies could together provide a single joint notice to consumers.110 Insurance companies and their associations in particular expressed concern that the form did not allow for insurance-specific terminology and potentially put these institutions—regulated by the states—at some risk.111 The Agencies fully intend that differently-regulated entities can provide a single joint notice to consumers by using the final model form. The Agencies have consulted with the NAIC, which submitted a letter with proposed modifications to certain sections of the form. The Agencies have incorporated into the final model form two menus of terms adaptable to the wide range of financial institutions. The menus include both the SEC’s and the NAIC’s proposals, and enable a variety of institutions, including securities firms and insurance companies, to use the model form, either individually or jointly with other types of financial institutions.

I. Page One of the Model Form

1. Title

The Agencies are adopting the title, “What Does [Name of Financial Institution] Do With Your Personal Information?,” as proposed. One commenter objected to the title, preferring instead to refer to it as a privacy notice.112 Other commenters who provided sample revised notices also used alternate headings, such as, “our privacy notice for consumers,” “privacy information,” “privacy statement,” and “keeping your information safe and secure.”113 The research found that the terms “privacy notice” or “privacy policy” deterred consumers from reading the notice.114 Consumers understood these terms to mean that the institution does not share personal information. The validation testing confirmed the effectiveness of the title.115

2. Key Frame

The Agencies are adopting the basic structure of the key frame as proposed with some language changes to address comments received. Industry commenters raised several objections to the key frame—the “Why?,” “What?,” and “How?” boxes. Their principal concern was the inflexible nature of the information in these boxes. Many commenters took particular issue with the list of information collected and shared, noting that not all institutions collect and share the information listed.116 These commenters asked for greater flexibility in identifying other types of information that may better relate to their practices.

104 See, e.g., Hewlett-Packard Corporation, Panose Classification Metrics Guide (2006), available at https://www.monotypeimaging.com/productsservices/pan2.aspx.

105 See Schriver, supra note 99, at 264; see also id. at 258–59. Fonts that satisfy the type style and x-height recommendations include sans serif fonts such as Tahoma, Century Gothic, Myriad, Avant Garde, Bk Avenir Book, ITS Franklin Gothic, ArialHelvetica, and Gill Sans, and serif fonts such as the Chaparral Pro Family, Minion Pro, Garamond, Monotype Bodoni, and Monotype Century. A number of these font styles, including ArialHelvetica, Tahoma, Century Gothic, Garamond, and Bodoni, are preloaded in commonly used word processing applications with most new personal computers. The other font styles are commercially available as well.

106 See, e.g., comment letters of American Insurance Ass’n (May 29, 2007); National Ass’n of Mutual Insurance Cos. (May 29, 2007); Securities Industry and Financial Markets Ass’n (May 29, 2007); Consumer Bankers Ass’n (May 29, 2007).

107 See, e.g., comment letters of National Business Coalition on E-Commerce and Privacy (May 30, 2007). With the modern, high-speed printing equipment readily available, the Agencies do not foresee problems with reproducing background shading, just as they see no difficulties with printing blocks of color for company logos or advertising materials. Moreover, the validation testing research found that consumers appreciated shading as a navigation guide. See Kleimann Validation Report at 9–10.

108 See, e.g., comment letters of Consumer Bankers Ass’n (May 29, 2007); National Business Coalition on E-Commerce and Privacy (May 30, 2007).

109 See, e.g., comment letters of American Council of Life Insurers (May 29, 2007); Investment Advisers Ass’n (May 29, 2007).

110 See, e.g., comment letters of National Business Coalition on E-Commerce and Privacy (May 30, 2007); T. Rowe Price Associates, Inc. (May 29, 2007); Financial Services Roundtable and BITS (May 29, 2007); National Ass’n of Mutual Insurance Cos. (May 29, 2007); Investment Company Institute (May 29, 2007).

111 See, e.g., comment letters of National Ass’n of Mutual Insurance Cos. (May 29, 2007); American Insurance Ass’n (May 29, 2007); Great-West Life & Annuity Insurance Company (May 29, 2007). In addition to including insurance-specific phrases in the menu of terms for the “What?” box on page one and the collection of information FAQ on page two, the Rule also recognizes that institutions that provide insurance products or services and elect to use this model form can use the word “policy” instead of “account” for the joint accountholder description. See Instructions C.2(g)(1) and C.3(a)(5) to the Model Privacy Form. The Agencies have periodically consulted with the NAIC to ensure that the final model form is sufficiently flexible to address the insurance marketplace. The NAIC is continuing to evaluate how best to proceed regarding insurance company use and implementation of the form by individual jurisdictions. This effort may include the NAIC developing a model bulletin for regulatory use or amending its model Privacy of Consumer Financial and Health Information Regulation to replace the current sample clauses with the new model privacy form.

112 See, e.g., comment letter of MasterCard Worldwide (May 29, 2007).

113 See, e.g., comment letter of Citigroup Inc. (May 30, 2007); Wells Fargo & Company (May 29, 2007); Wachovia Corporation (May 25, 2007); Sovereign Bank (May 21, 2007).

114 See Kleimann Report, supra note 32, at 43, 66–67.

115 Kleimann Validation Report at 8.
Commenters raised other issues about: vocabulary; the contents and number of the boxes; and the inclusion of certain information not required by the privacy rule. Some commenters proposed moving and deleting phrases—as well as using the phrase “as permitted by law” to describe the types of sharing they can do. Some commenters raised questions about the reference to former customers. The Agencies appreciate the various suggestions provided—particularly on vocabulary and the structure and contents of the boxes—but note that the model form was developed through consumer research with the goal of making it understandable to consumers. The Agencies have decided to retain the basic structure and content of the key frame but have made certain modifications.

The Agencies recognize that financial institutions may collect and share types of information other than those listed on the proposed form, including institutions that provide insurance or investment advice or sell securities. The Agencies have, after consulting with the NAIC and based on consideration of the comments received, provided a menu of terms, including each of the terms that was proposed, from which institutions may select to fill in the bracketed boxes.117 Since all financial institutions collect Social Security numbers, this one term is required in all notices. The terms provided are designed to reflect the range of information typically collected by various types of institutions in language that consumers can more easily understand.
Further, the Agencies have revised the statement about former customers to: “When you are no longer our customer, we continue to share information about you as described in this notice.” While some institutions objected in principle to the statement that former customers are subject to the same policy as current customers,118 no commenters asserted that institutions actually implement a different policy for former customers.119

3. Disclosure Table

We are adopting the disclosure table substantially as proposed, with some minor changes. Consumer and other advocacy groups, the NAIC, NAAG, and some industry commenters appreciated the easily understood display of information in the disclosure table of the proposed model form. One commenter noted the strength of the Schumer box standardized format.120 Others lauded the use of a tabular format to display a company’s sharing practices, noting that framing one institution’s practices against the industry as a whole is a useful way to inform consumers of a company’s relative sharing practices and facilitates the comparison of different institutions’ practices.121 A number of industry commenters and associations, including many small community banks and a few larger banks, also expressed support for the clarity and consumer-friendly format of the disclosure table.122

However, many industry commenters sought flexibility in the table design for several reasons. Some reported that it is common for a financial institution to have multiple privacy policies for different products that they offer consumers.123 Others asserted that the table contains a bias against larger, more complex corporate structures because it is overly simplistic and may show that certain types of institutions engage in widespread sharing.124 One opined that the table structure made it appear that the entity was reckless in its sharing practices.125 These commenters expressed particular concern that the model form would lead to high opt-out rates.126 Many particularly objected to listing all the categories of sharing—especially when a consumer cannot limit or opt out of certain types of sharing—and others wanted to limit the list only to those categories used by the institution.127 Some commenters wanted to use this space to explain the benefits of certain types of sharing.128 Others wanted to convey that, for example, they only shared information with certain types of affiliates but not others and asserted that the disclosure table did not permit them to make this distinction.129

As the Agencies stated in the preamble to the Proposed Rule, based on the Kleimann Report and as confirmed by the quantitative research data and the Levy-Hastak Report, the disclosure table is the heart of the model form design and its most effective feature.130 The table provides for greater transparency of a company’s sharing practices. It allows consumers to see at a glance the types of information sharing a company may engage in, whether that particular company shares in that way, and, if so, whether the consumer can limit such sharing.131 Based on the research, the Agencies have retained the disclosure table generally unchanged in the final model form.

116 See, e.g., comment letters of American Bankers Ass’n (May 25, 2007); Investment Company Institute (May 29, 2007); Investment Advisers Ass’n (May 29, 2007).

117 See Instruction C.2(b)(2) to the Model Privacy Form. Similar to the proposal, the final model form requires institutions to provide examples that may be applicable to the institution’s collection and sharing practices.

118 See, e.g., comment letters of Investment Advisers Ass’n (May 29, 2007); American Insurance Ass’n (May 29, 2007).

119 This sentence continues to appear in the “What?” box in the model form without an opt-out. However, based on the validation testing, the opt-out versions of the model form place this sentence in the “To limit our sharing” box following the sentence describing sharing information about a new customer. See Kleimann Validation Report at 9–10.

120 Comment letter of Capital One Financial Corporation (May 29, 2007).

121 See comment letters of The Center for Information Policy Leadership (May 29, 2007); Independent Community Bankers of America (May 29, 2007).

122 See, e.g., comment letters of Independent Community Bankers of America (May 29, 2007); Bank of Edison (May 21, 2007); Capital One Financial Corporation (May 29, 2007); Citrus & Chemical Bank (May 24, 2007); First National Bank (Edinburg, TX) (Apr. 9, 2007); Florence Savings Bank (April 30, 2007); Iowa State Bank and Trust Company (May 22, 2007); ShoreBank (Apr. 6, 2007); Hometown Bank (May 8, 2007).

123 See, e.g., comment letters of Bank of America Corporation (May 29, 2007); Securities Industry and Financial Markets Ass’n (May 29, 2007); MasterCard Worldwide (May 29, 2007).

124 See, e.g., comment letters of Citigroup Inc. (May 30, 2007); Consumer Bankers Ass’n (May 29, 2007).

125 See comment letter of Consumer Bankers Ass’n (May 29, 2007).
Addressing industry concerns about bias against larger institutions, the Agencies appreciate these institutions’ concern that some of their customers may react negatively to the sharing of their information. The purpose of the model form is not to direct consumer behavior, however, but rather to provide information effectively. While the Levy-Hastak Report found that a majority of survey participants objected to the sharing of their personal information with affiliated companies, and more so with nonaffiliated companies, these objections were consistent across all the survey participants and were not affected by any particular notice format.132 The research confirms that the notice design more clearly informs consumers about how each company shares or uses the personal information it collects.

126 See, e.g., comment letter of Johnson Financial Group (May 14, 2007).
127 See, e.g., comment letters of Huntington National Bank (May 25, 2007); National Business Coalition on E-Commerce and Privacy (May 30, 2007); Securities Industry and Financial Markets Ass’n (May 29, 2007).
128 See, e.g., comment letter of Consumer Bankers Ass’n (May 29, 2007).
129 See, e.g., comment letters of American Council of Life Insurers (May 29, 2007); Securities Industry and Financial Markets Ass’n (May 29, 2007); American Insurance Ass’n (May 29, 2007); Consumer Mortgage Coalition (May 29, 2007).
130 See Proposed Rule, supra note 4, at text preceding and accompanying n.27; see also Levy-Hastak Report at 17.
131 The disclosure table in the model form provides information ‘‘at-a-glance’’ that facilitates the comparison of a company’s information sharing practices, both as to the industry as a whole and with respect to any other specific companies. In this way, it meets the original legislative intent to easily compare companies’ privacy practices. See H.R. Rep. No. 106–74, at 107 (1999).
During the course of this project, the Agencies heard from smaller institutions that their customers wanted to stop all sharing and expressly asked for opt-outs even when the institution engaged in only limited sharing under the section __.14 and __.15 exceptions.133 The neutral design of the form, particularly through the table, explains that some sharing is necessary for an institution’s ‘‘everyday business purposes’’ and makes clear what sharing occurs. In addition, the model form uses the term ‘‘limiting’’ sharing, rather than stopping sharing altogether. These small institutions commented that this more balanced presentation of sharing practices is a very important feature of the notice, and one that they welcome, as it makes all institutions’ sharing practices more transparent.134 The strength of the table design is that it facilitates comparison by showing what a particular institution’s sharing practices are as compared to what all financial institutions can legally do. For this reason, the final model form incorporates all seven reasons for sharing, with only the affiliate marketing provision—‘‘For our affiliates to market to you’’—optional for those companies that elect to incorporate that disclosure in their GLB notices.135

While the middle column requires institutions to answer ‘‘yes’’ or ‘‘no’’ to whether it shares for each of the reasons, some commenters expressed concern that their information sharing practices were sufficiently complex that they could not answer ‘‘yes’’ or ‘‘no,’’ stating that they had different practices for different products. Institutions that elect to use the model form must answer the questions in the final model form as directed in the proposal. If an institution elects to use the model form, it must either harmonize its practices so one notice applies to all its products, or it must provide separate notices for products subject to different information sharing practices. A few commenters opined that they may not currently share but want to reserve the right to share in the future. In such a case, the correct response in the middle column is ‘‘yes,’’ consistent with the privacy rule.136

Many institution commenters objected that the proposed terms to describe sharing practices were abbreviated or incomplete and asserted that the Agencies limited sharing that is lawfully permitted. For example, commenters objected that the definition of ‘‘everyday business purposes’’ excluded a long list of permissible disclosures designated in sections __.14 and __.15.137 However, as the Agencies stated in the proposal, the phrase ‘‘everyday business purposes’’ fully incorporates all the disclosures permitted by law under sections __.14 and __.15 of the privacy rule.138 In addition, the Agencies have determined that service providers that do not fall under section __.14, but perform direct services to the institution such as opt-out scrubbing or market analysis or research under a section __.13 agreement, are included under this provision.139 The cited examples of ‘‘everyday business purposes’’ 140 are illustrative only, to enhance consumer understanding.

132 Levy-Hastak Report at 15.
133 This comment was made by some of the Agencies’ regulated entities at various times during the course of this project and was also discussed by members of the Board’s Consumer Advisory Council during its discussions in 2007 about the Notice Project and model form proposals.
134 See, e.g., comment letter of Independent Community Bankers Ass’n (May 29, 2009).
135 See infra note 142.
While commenters urged us to include the phrase ‘‘as permitted by law’’ in this description, research has found that consumers are confused and concerned by this phrase; they do not know what it means or what ‘‘laws’’ it encompasses.141 Including that phrase would be inconsistent with consumers’ need for clear language to understand what their financial institution does with their information.

136 See the privacy rule, section __.6(e), NCUA section 716.6(d) (notices can be based on current and anticipated policies and practices).
137 See, e.g., comment letters of American Insurance Ass’n (May 29, 2007); Consumer Bankers Ass’n (May 29, 2007); Citigroup Inc. (May 30, 2007); Securities and Financial Markets Ass’n (May 29, 2007).
138 See, e.g., comment letters of American Bankers Ass’n (May 25, 2007); American Insurance Ass’n (May 29, 2007); Securities Industry and Financial Markets Ass’n (May 29, 2007). This language substantially replaces the ‘‘as permitted by law’’ phrase used in the Sample Clauses, covering all permitted disclosures—along with the attendant requirements on reuse and redisclosure—found under sections __.14 and __.15 of the privacy rule. Unlike that clause, ‘‘everyday business purposes’’ conveys more concrete information to consumers and, importantly, helps them understand that some sharing is necessary in order to obtain financial products or services.
139 Joint marketing with other financial institutions and section __.13 service providers contracted to do marketing for a financial institution are disclosed separately. See Instruction C.2(d)(3) to the Model Privacy Form.
140 The final model form consolidates all references to ‘‘everyday business purposes’’ in the first reason in the disclosure table, thereby eliminating the illustrative explanation in the ‘‘How?’’ box on page one and the definition on page two.
Because the laws governing disclosure of consumers’ personal information are not easily translated into short, comprehensible phrases, the table uses more easily understandable short-hand terms to describe sharing practices. We do not believe that these short-hand terms diminish the laws’ provisions, as some commenters asserted. If, as these commenters suggest, the Agencies add to the laundry list of descriptive terms to make the provisions in the table more ‘‘precise,’’ we believe it will defeat the purpose of making this information more understandable to consumers. Thus, the Agencies have chosen not to provide detailed descriptions for each of the reasons in the table; we re-affirm that institutions’ ability to share information in accordance with the statutory provisions would not be limited or otherwise modified by using the model form language. The phrase ‘‘For our marketing purposes’’ captures the idea that nearly all, if not all, institutions share information to market their own products and services to their customers (for example, using a joint marketing agreement with a service provider such as a bulk mailer or data processor pursuant to section __.13 of the privacy rule) in a manner that does not trigger an opt-out right. Likewise, the phrase ‘‘nonaffiliates to market to you’’ does not diminish the information sharing permitted by the privacy rule, provided that institutions first provide an opportunity for consumers to opt out, as provided for in section __.10 of the privacy rule. In all these instances, the lack of explicit references in the model form to certain of the exceptions does not mean that an institution cannot take advantage of all the exceptions provided for in the law.

4. FCRA Opt-Outs

The FCRA provisions are adopted in the model privacy form as proposed.142 A number of industry commenters objected that the disclosure table did not provide a sufficiently complete or accurate description of the affiliate sharing provisions of the FCRA.143 They urged the Agencies to revise these provisions to more precisely distinguish between the different types of information that can be shared with affiliates (both with and without an opt-out), to describe the applicable exceptions, and to more accurately describe the opt-out pertaining to information that can be used by affiliates for marketing. The FCRA statutory provisions are quite complex and their legal intricacies are difficult for consumers to understand. The Agencies found through the consumer testing conducted by Kleimann that the short-hand FCRA terms used in the model form describing the types of personal information that can be shared with affiliates are sufficient to enable consumers to make informed decisions about such sharing.

Again, these short-hand terms do not in any way diminish or modify the affiliate sharing provisions of the FCRA.144 To give some meaning to the statutory term ‘‘other information,’’ the disclosure table uses ‘‘Information about your creditworthiness’’—a short-hand phrase that consumers reasonably understood. Testing also found that consumers reasonably understood the phrase ‘‘information about your transactions and experience’’ without further embellishment.145 Some institutions objected to the description of the optional affiliate marketing provision enacted under the FACT Act for which the Agencies have published final regulations.146 These commenters are correct that this provision, unlike the others, is about the use of shared information for marketing. While the Agencies and Kleimann worked to ensure accuracy in the model form, it was evident at the outset that this particular provision would be very difficult to explain in a simple and clear way to consumers and be precisely true to the statutory language. The final formulation we proposed tested sufficiently well to show that consumers understand its basic meaning.147 Including the affiliate marketing notice and opt-out in the model form is optional. Institutions that are required to provide this notice, and elect not to include it in their GLB Act privacy notice, must separately send an affiliate marketing notice that complies fully with the affiliate marketing rule requirements. For those institutions that elect to incorporate this provision in the model form, the Agencies believe that it is simpler and less confusing to consumers for the affiliate marketing opt-out to be of indefinite duration, consistent with the opt-out required under the GLB Act. If an institution elects to limit the time period for which the opt-out is effective, as permitted under the affiliate marketing rule, it must not include the affiliate marketing opt-out in the model form. Instead, the institution must comply separately with the specific affiliate marketing rule requirements.

141 See Survey Research Center at the University of Georgia, National Ass’n of Insurance Commissioners Insurance Disclosure Focus Group Study (‘‘NAIC Study’’), available at https://www.ftc.gov/os/comments/modelprivacyform/528621-00012.pdf. See also infra discussion at text accompanying note 221.
142 The table includes, as an optional disclosure, the opt-out required by section 624 of the FCRA (reason 6 in the table), 15 U.S.C. 1681s–3 (affiliate use of information for marketing), as added by section 214 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), Public Law No. 108–159, 117 Stat. 1952. Section 624 generally provides that information that may be shared among affiliates—including transaction and experience information and certain creditworthiness information—cannot be used by an affiliate for marketing purposes unless the consumer has received a notice of such use and an opportunity to opt out, and the consumer does not opt out. Congress did not grant the CFTC rulemaking authority to implement section 624. The other Agencies have issued final regulations implementing the affiliate marketing provision of the FACT Act, 12 CFR part 41 (OCC), 12 CFR part 222 (Board), 12 CFR part 334 (FDIC), 12 CFR part 571 (OTS), 12 CFR part 717 (NCUA), 16 CFR parts 680 and 698 (FTC), 17 CFR part 248, subpart B (SEC) (‘‘affiliate marketing rule’’). Because the Agencies’ affiliate marketing rules generally use consistent section numbering, relevant sections will be cited, for example, as ‘‘section __.23’’ unless otherwise noted. The affiliate marketing rule included language stating that the section 624 disclosure as it appears in the model form will meet the requirements of that rule. See 72 FR 61424, 61452 (Oct. 30, 2007) (FTC); 72 FR 62910, 62932 (Nov. 7, 2007) (banking agencies); 74 FR 40398, 40418 (Aug. 11, 2009) (SEC) (‘‘use of the [GLB Act] model privacy form will satisfy the requirement to provide an initial affiliate marketing opt-out notice’’). See also section __.23(b) of the affiliate marketing rule.
143 See, e.g., comment letters of Citigroup Inc. (May 30, 2007); American Bankers Ass’n (May 25, 2007); Consumer Bankers Ass’n (May 29, 2007); National Business Coalition on E-Commerce and Privacy (May 30, 2007); Visa U.S.A, Inc. (May 29, 2007).
144 See section 603(d)(2)(A) of the FCRA relating to the sharing of ‘‘transaction and experience information’’ and the sharing of ‘‘other information’’ which triggers an opt-out notice.
145 Kleimann Report, supra note 32, at 63.
146 See supra note 142.
147 Levy-Hastak Report at 15.

5. Limiting Sharing: Opt-Out Information

In response to commenters and the results of the quantitative testing, the final model form includes opt-out information for those institutions that are required to provide an opt-out on the bottom of page one. The Agencies proposed that the information about limiting or opting out of certain sharing, as needed, would be provided on a separate third page. Many commenters objected to the use of a separate piece of paper for this information, particularly if the notice itself is quite short.148 This change eliminates the extra page from the proposed model form and places this important information on the first page that the consumer sees. In addition to the model form with no opt-out, the Agencies are providing two alternate versions to be used, as appropriate, depending on whether the institution offers the option to limit information sharing by mail.149 Institutions using the model form must include the opt-out section in their notices only if they (1) share or use information in a manner that triggers an opt-out, or (2) choose to provide opt-outs beyond what is required by law.

Financial institutions that provide opt-outs are not required to provide all the opt-out choices and methods described in the model form; they should select those that accurately reflect their practices.150 A number of commenters objected to the statement describing the time period before information can first be shared according to an institution’s privacy policy.151 Recognizing that institutions will provide this form both to new customers and annually to existing customers, the Agencies have modified the language accordingly.152 The revised model form allows institutions to insert a time period that is 30 days or longer from the date the notice was sent before it can begin sharing for new customers. Some commenters opined that in certain instances they should be able to require the consumer to make an opt-out decision at the time of the in-person or electronic transaction rather than waiting 30 days. While the Agencies recognize that certain situations may warrant an immediate decision, the basic rule is to allow a ‘‘reasonable’’ opportunity to opt out.153 Telephone and online opt-outs should closely match the options provided in the form. Consistent with the direction provided in the affiliate marketing rule,154 the Agencies also contemplate that a toll-free telephone number would be adequately designed and staffed to enable consumers to opt out in a single telephone call. In setting up a toll-free telephone number that consumers may use to exercise their opt-out rights, institutions should minimize extraneous messages directed to consumers who are in the process of opting out. A number of industry commenters requested clarification on how joint accountholders would be treated.155 The Agencies have addressed this question with a new FAQ, described below. Further, if an institution elects to provide a choice for the joint accountholder to apply the opt-out only to that joint accountholder, that option must be provided in the telephone or Web prompt, as well as presented in the left-hand box on the mail-in form.156 A number of commenters from both industry and advocacy groups addressed the question whether consumers need to provide personal information such as a Social Security number, account number, or other identification number in order to opt out.

148 See, e.g., comment letters of American Council of Life Insurers (May 29, 2007); National Automobile Dealers Ass’n (May 29, 2007); Securities Industry and Financial Markets Ass’n (May 29, 2007).
149 Some commenters asked about providing the opt-out in an in-person transaction so that the customer could execute the opt-out at that time or could deliver the completed opt-out form in person. The privacy rule does not preclude obtaining a consumer’s opt-out election in person. However, while an institution may accept an opt-out election from a consumer in person, requiring a consumer to obtain an opt-out form at a branch office as the only means to opt out violates the privacy rule. See sections __.7(h), __.9(a) and (b), and __.10(a)(1) and (a)(3) of the privacy rule.
150 Institutions that do not include the affiliate marketing disclosure on the model privacy form must not include the affiliate marketing notice or opt-out on the model form mail-in form; that notice must be provided in accord with the affiliate marketing rule, outside the model form.
151 See, e.g., comment letters of Bank of America Corporation (May 29, 2007); Wells Fargo & Company (May 29, 2007); Securities Industry and Financial Markets Ass’n (May 29, 2007); American Council of Life Insurers (May 29, 2007).
152 The revised language states: ‘‘If you are a new customer, we can begin sharing your information [30] days from the date we sent this notice.’’ See also supra note 119.
153 See, e.g., sections __.10(a)(1)(iii) and __.10(a)(3)(iii) of the privacy rule.
154 See 72 FR 61424, 61448 (Oct. 30, 2007) (FTC); 72 FR 62910, 62935 (Nov. 7, 2007) (banking agencies); 74 FR 40398, 40421 (August 11, 2009) (SEC).
155 See, e.g., comment letters of American Bankers Ass’n (May 25, 2007); Discover Bank (May 29, 2007).
156 See also privacy rule, section __.7(d), NCUA section 716.7(d)(6).
The consumer advocacy organizations, some industry commenters, and an industry association proposed omitting the account number field from the proposed form to reduce the risk of fraud.157 These commenters expressed concerns about phishing and identity theft, and were especially concerned about institutions’ use of the Social Security number to confirm an opt-out request. These commenters argued that a name and address should be sufficient to effect an opt-out from an institution’s information sharing. Many institutions argued that they needed a Social Security number or full account or policy number in order to authenticate the person who wanted to opt out or to apply the opt-out appropriately to all accounts held by the customer or only to specific accounts.158 Some industry commenters urged limiting the information to only the last four digits of an account number as both safe for the consumer and sufficient to implement the opt-out.159 Having considered these comments and the context in which such sensitive information is used—to implement an opt-out for information sharing—the Agencies strongly encourage institutions to use some other form of identifier, such as a randomly generated ‘‘opt-out code’’ provided in the notice that consumers can use to exercise their opt-outs without jeopardizing the security of their most sensitive personal information.

157 See, e.g., comment letters of Center for Democracy and Technology (May 29, 2007); Privacy Rights Clearinghouse (May 22, 2007); National Automobile Dealers Ass’n (May 29, 2007).
A random code—which some institutions currently use—both protects consumers’ most sensitive information and at the same time can be used to link both the customer and account(s) to which the opt-out should apply. Such an approach would further simplify the opt-out process for consumers. If such an approach is not feasible, institutions could use a truncated account or policy number to protect sensitive information.160 Of course, any opt-out means provided—including any information requirements imposed on consumers—must be reasonable under the privacy rule and reasonable and simple under the affiliate marketing rule.161 Institutions should keep these requirements in mind when requesting information beyond the consumer’s name and address.

158 See, e.g., comment letters of National Retail Federation (May 29, 2007); Citicorp (May 29, 2007); National Business Coalition on E-Commerce and Privacy (May 30, 2007).
159 See, e.g., comment letters of Sun Trust Banks, Inc. (May 23, 2007); Central National Bank of Enid (May 24, 2007).
160 See also The President’s Identity Theft Task Force, Combating Identity Theft, at 13 (Apr. 2007) (‘‘Consumer information is the currency of identity theft, and perhaps the most valuable piece of information for the thief is the SSN’’).
161 See section __.7(a)(1)(iii) of the privacy rule and section __.25(a) of the affiliate marketing rule.

A number of industry commenters objected to the inability of the model form to provide for partial opt-outs, as permitted by the privacy rule.162 The Agencies have observed that partial opt-outs are not widely employed. Trying to incorporate partial opt-outs in this model form would be unduly complicated and confusing for consumers, so the Agencies have determined to use the default provision of the privacy rule that provides for an opt-out that applies to all information.163 Institutions that want to provide partial opt-outs cannot do so using the model form. A number of commenters wanted to include in the model form the statement ‘‘If you have already told us your choice(s), you do not have to tell us again.’’ 164 Because this statement would only be accurate if the institution has not changed its notice to include new opt-out options, the Agencies have decided not to include it in the model form. Institutions that choose to use this statement must do so outside the model form.

162 See, e.g., comment letters of American Council of Life Insurers (May 29, 2007); Securities Industry and Financial Markets Ass’n (May 29, 2007).
163 See section __.10(b) of the privacy rule.

6. Additional Opt-Outs in the Model Form

Like the proposed form, the final model form permits institutions to provide for voluntary or state law-required opt-outs. For example, if an institution elects to offer its customers the opportunity to opt out of its marketing, it can do so by saying ‘‘yes’’ in the third column. Similarly, an institution can offer its customers a right to opt out of joint marketing, if it chooses. Institutions that must comply with various state law requirements, depending on their practices and the choices they offer, may be able to do so in one of two ways using the model form. For example, Vermont law requires institutions to obtain opt-in consent from Vermont consumers for affiliate sharing.
The disclosure table permits institutions to do one of two things: (1) it can provide a notice directed to its Vermont customers that answers ‘‘no’’ to the question about whether it shares creditworthiness information with its affiliates, or (2) it can provide a generalized notice for consumers across a number of states including Vermont and answer ‘‘yes’’ to the question about sharing creditworthiness information with its affiliates and include a discussion on the application of Vermont law in the ‘‘Other important information’’ box on page two of the form.165 To obtain the safe harbor for use of the proposed model form, an institution that uses the disclosure table to show any additional opt-out choices (beyond what is required under Federal law) must make that opt-out available through the same opt-out options the institution provides in the notice, whether by telephone, Internet, or a mail-in opt-out form.166

164 See, e.g., comment letters of MasterCard Worldwide (May 29, 2007); National Business Coalition on E-Commerce and Privacy (May 30, 2007); Wells Fargo & Company (May 29, 2007); Wolters Kluwer Financial Services (May 24, 2007).
165 California provides that a consumer can opt out of joint marketing. Cal. Fin. Code div. 1.2 § 4053(b)(2). Thus, an institution can provide a generalized notice offering no opt-out, with California-specific information in the ‘‘Other important information’’ box. Alternatively, an institution can provide a separate notice to its California customers. Institutions cannot use the model form to offer opt-in consent. See Instruction C.2(g)(5) to the Model Privacy Form.

7. Contact Information for Questions

Like the proposed form, the final model form provides contact information at the bottom of page one.
Some commenters objected that it would be confusing if an opt-out is offered or the institution wants to limit such contact to a mail option only.167 The Kleimann Report found that consumers want a way to contact their financial institution if they have any questions.168 The NAIC Study likewise found this to be one of the most important pieces of information that consumers want in a notice.169 In revising the proposed model form to include the opt-out information on page one, the Agencies have modified the ‘‘Contact Us’’ box to label it ‘‘Questions’’ (to more clearly distinguish between the two) and clarified in the Instructions that this box is for customer service contact information, either by telephone or the Internet or both, at the institution’s option. Customer service contact information is for consumers who may have questions about the institution’s privacy policy and may be the same contact information for consumers’ questions relating to the institution’s products or services. The Agencies are not requiring a separate customer service number solely to answer questions about the institution’s privacy policy. The customer service contact information is different from the opt-out contact information, unless the customer service number is made available for consumers to opt out. The contact information should give consumers a way to communicate directly with the institution.170

166 See Instruction C.2(g) to the Model Privacy Form.
167 See, e.g., comment letters of Mastercard Worldwide (May 29, 2007); American Insurance Ass’n (May 29, 2007); American Council of Life Insurers (May 29, 2007); Securities Industry and Financial Markets Ass’n (May 29, 2007).
168 Kleimann Report, supra note 32, at 35, 226.
169 NAIC Study, supra note 141.
170 See Instruction C.2(f) to the Model Privacy Form.

8. Mail-In Opt-Out Form

The mail-in opt-out form for institutions that provide such a form is adopted with two modifications, with the changes based on comments, the quantitative testing, and the Levy-Hastak Report. The validation testing shaped the design for the opt-out information in the final model form. As discussed in section III.I.5, the final model form displays all opt-out information, including the mail-in form, on page one, for institutions that provide an opt-out. In response to commenters, the Agencies have added information on joint accountholders to the model form by providing a new FAQ on page two. Institutions must include the joint accountholder information in the mail-in form only when the institution allows a joint accountholder to choose whether to apply an opt-out election only to one accountholder.171 Otherwise, that space is blank or omitted from the mail-in form. Finally, institutions that use the mail-in opt-out form must insert the institution’s mailing address either in the right-hand box or just below the mail-in form, as shown in version 3 and optional version 4 in the Appendix and as described in the Instructions to the Model Form.

J. Page Two of the Model Form

The Agencies have modified page two of the model form to streamline the information on the page and to provide flexibility for institutions to insert certain institution-specific information.

1. Frequently Asked Questions

To address the concerns about jointly-provided notices, the Agencies have added a new FAQ at the top of page two: ‘‘Who is providing this notice?’’ An institution may omit this FAQ only when one financial institution is providing the notice and that institution is identified in the title. The space to the right, which is limited (for reasons of space constraints) to a maximum of four (4) lines,172 allows institutions that are jointly providing the notice to be identified.173 This space must be used to:
1. State the common corporate name or other readily identifiable name that is also used for the title and various headings of the model form as the ‘‘name of financial institution;’’ and
2. Either (a) identify the entities jointly providing the notice; or (b) for institutions with a lengthy list of entities jointly providing the notice, identify the general types of entities in the response and identify the entities 174 at the end of the form following the ‘‘Other important information’’ box, or, if that box is not incorporated into the form, following the ‘‘Definitions’’ or on an additional page. The list at the end of the form must be printed in minimum 8-point font and may appear in a multicolumn format.

171 See also infra section III.J.1. Section III.I.5 provides guidance on the use of sensitive personal information (such as a Social Security number or account number) to effect an opt-out. Section III.I.6 discusses how voluntary or state-required privacy law opt-outs should appear in the mail-in opt-out form. See also Instruction C.2(g) to the Model Privacy Form.
172 While the Agencies are limiting the space allotted for this FAQ, we do not intend that institutions will constrain the width of the left column (with the questions) so as to make this page difficult to read. We remind institutions that design experts recommend using sufficient white space to set off features such as headings, bullets, and key information used by consumers to quickly scan a document. We note further that the ratio of the column widths of the questions to the responses in the model form is approximately 1:2.
173 The option of creating a jointly provided notice is not limited only to financial holding companies, as one commenter observed. Instruction B.1 to the Model Privacy Form has been modified to clarify that point.
174 See section __.9(f) of the privacy rule.

The Agencies have deleted the FAQ on how often consumers are provided notices on an institution’s sharing practices due to space constraints.175 A number of commenters objected to the response to the question about how personal information is protected. Some objected to the phrase ‘‘comply with federal laws.’’ 176 The Agencies note that this phrase closely tracks current Sample Clause A–7 and is already widely used by many institutions. Several objected to the phrase ‘‘secured buildings and files,’’ preferring ‘‘physical safeguards.’’ 177 As explained in the Kleimann Report, the Agencies developed this text to help consumers better understand the practical meaning of physical security.178 The Agencies have determined to retain the FAQ as proposed, with one modification. In response to commenters who asked to include more specific information,179 such as information about cookies or online practices or limiting employee access to personal information, the Agencies are allowing institutions to add more detail, limited to describing their safeguards practices, up to a maximum of thirty (30) additional words. This doubles the space allotted for the safeguards response and provides flexibility to institutions to customize the safeguards description.

175 While the testing found it to be helpful background, this information is not required by the privacy rule.
176 See, e.g., comment letters of Consumer Bankers Ass’n (May 29, 2007); MasterCard Worldwide (May 29, 2007).
177 See comment letters of American Council of Life Insurers (May 29, 2007); American Insurance Ass’n (May 29, 2007).
178 Kleimann Report, supra note 32, at 125–26.
179 See, e.g., comment letters of Iowa State Bank and Trust (May 22, 2007); PayPal (May 29, 2007); Wachovia Corporation (May 25, 2007).
The optional information must appear after the standard response for this FAQ. A number of industry commenters objected to the inflexible nature of the description of the sources from which personal information is collected, stating that in many cases the proposed descriptions do not correlate to their practices or the practices of their particular industry.180 As with the description of the types of information collected and shared on page one, the Agencies are providing a menu of terms from which institutions can select to fill in the bulleted lists.181 The list is designed to include the range of information sources typically used by a variety of institutions subject to the GLB Act and the FCRA, including those in the insurance, securities, and investment advisory businesses, as well as those companies subject to FTC jurisdiction. Finally, institutions that collect information from their affiliates and/or from credit bureaus must use as the last sentence of this response: “We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.” Institutions that do not collect personal information from their affiliates or credit bureaus but do collect personal information from other companies must include the following statement: “We also collect your personal information from other companies.” Only institutions that do not collect any personal information from affiliates, credit bureaus, or other companies can omit both statements.
A number of industry commenters objected to the FAQ about limiting sharing, arguing variously that this is not required and that they should only have to include in the response those bullets that apply to their sharing practices.182 The Agencies have determined to retain this FAQ with a revision to the bulleted list, as it helps consumers better understand what rights they have under Federal law and reinforces the message that information sharing may be limited but not stopped completely. The second bullet was revised to more closely track the provisions of the affiliate marketing rule. Finally, the Agencies have provided an optional sentence for institutions to elect to include at the end, as applicable, “See below for more on your rights under state law,” a reference to the state-specific privacy law information that an institution may include in the “Other important information” box. As discussed earlier, a number of commenters asked how an opt-out election can be applied to joint accountholders.183 This is addressed by a new FAQ on page two. Two optional responses are provided for institutions to use: The first states that an opt-out election by any joint accountholder will be applied to everyone on the account. The second provides that the opt-out election will be applied to everyone on the account unless the customer elects to have the opt-out apply only to him.

180 See, e.g., comment letters of American Council of Life Insurers (May 29, 2007); American Bankers Ass’n (May 25, 2007); Consumer Bankers Ass’n (May 29, 2007); Mastercard Worldwide (May 29, 2007); Wells Fargo & Company (May 29, 2007); National Ass’n of Mutual Insurance Cos. (May 29, 2007); National Automobile Dealers Ass’n (May 29, 2007).
181 See Instruction C.3(a)(3) to the Model Privacy Form. See supra note 117.
182 See, e.g., comment letters of American Council of Life Insurers (May 25, 2007); National Ass’n of Mutual Insurance Cos. (May 29, 2007).
Institutions must select one or the other as the response to this question.184

2. Definitions

In the final model privacy form, the definition of “everyday business purposes” has been deleted as superfluous, and the description of everyday business purposes has been consolidated in the disclosure table on page one. The other three definitions remain as proposed, with one modification. The Agencies make the following further clarification in response to some commenters.185 First, if an institution has no affiliates or does not share with its affiliates, it does not have to describe the categories of affiliates in this definition. Applicable responses in such conditions are, respectively: “[name of financial institution] has no affiliates” or “[name of financial institution] does not share with our affiliates.” Similarly, if an institution does not share for joint marketing or with nonaffiliated third parties outside of the section __.14 and __.15 exceptions, applicable responses are: “[name of financial institution] doesn’t jointly market” or “[name of financial institution] does not share with nonaffiliates so they can market to you.” The Instructions have been modified with respect to an institution’s sharing with its affiliates so that an institution must provide only an illustrative list of affiliates with which it shares, and not a complete list.

183 See, e.g., comment letters of American Bankers Ass’n (May 29, 2007); Discover Bank (May 29, 2007); Mastercard Worldwide (May 29, 2007); Huntington National Bank (May 25, 2007).
184 See also supra discussion section III.I.8.
185 See, e.g., comment letters of Mastercard Worldwide (May 29, 2007); Huntington National Bank (May 25, 2007); Consumer Bankers Ass’n (May 29, 2007); Wells Fargo & Company (May 29, 2007).
As proposed, when an institution shares with nonaffiliates or with other financial institutions to do joint marketing, the institution must describe the categories of entities with which it shares.186 While the Instructions provide illustrative examples of categories, institutions must provide examples consistent with their practices. The Instructions provide guidance on these points.187

3. State and International Law Provisions

To accommodate commenters’ requests to incorporate state and international law provisions in the notice,188 the Agencies have added a new optional box at the end of the final model form called “Other important information.” The size of the box is not limited (except where space constraints apply in the Online Form Builder, described below), and institutions may use a third page, as necessary, for the information in this box. To qualify for the safe harbor,189 institutions that elect to use this box can only use it for the following: (1) information about state and/or international privacy law requirements, as applicable; or (2) an acknowledgment form to create a record of having provided the notice. Certain institutions, for example, are required to include specific affiliate sharing information for Vermont residents or to meet other requirements under California law. Some insurance commenters noted that approximately 16 states have privacy laws that require insurers to provide notice of “access and correction” rights.190 Commenters noted that other states require disclosures about medical information.191 Some large institutions noted that they are required to provide international law information. Such information may be included in this new box. In addition, one association commenter, representing automobile dealers, specifically requested a place on the form to allow its members to obtain signatures from customers acknowledging that they had received a copy of the notice.192

K. Other Issues

1. Highlighting Material Changes in Privacy Practices

We sought comment on whether the model privacy form should highlight material changes in the notice.

186 See sections __.6(a)(3), __.6(a)(5), __.6(c)(3), and __.6(c)(4) of the privacy rule. The joint marketing provisions apply to joint marketing agreements with other financial institutions, but not to other types of arrangements with section __.13 service providers.
187 See Instruction C.3(b) to the Model Privacy Form.
188 See, e.g., comment letters of American Bankers Ass’n (May 25, 2007); American Council of Life Insurers (May 29, 2007); Bank of America Corporation (May 29, 1007); Citigroup Inc. (May 30, 2007); Consumer Bankers Ass’n (May 29, 2007); Consumer Mortgage Coalition (May 29, 2007); Countrywide Home Loans, Inc. (May 29, 2007); Discover Bank (May 29, 2007); Financial Services Institute (May 29, 2007); Iowa Student Loan (May 22, 2007); KeyCorp (May 25, 2007); National Business Coalition on E-Commerce and Privacy (May 30, 2007); National Retail Federation (May 29, 2007); National Ass’n of Mutual Insurance Cos. (May 29, 2007); Sovereign Bank (May 21, 2007); Wells Fargo (May 29, 2007); World’s Foremost Bank (May 25, 2007); Direct Marketing Ass’n (May 29, 2007); Securities Industry and Financial Markets Ass’n (May 29, 2007); World Financial Capital Bank (May 25, 2007); World Financial Network National Bank (May 29, 2007).
189 The 10-point minimum font size applies to the contents of the “Other important information” box. In addition, while the safe harbor extends to including this box at the end of the model form, it does not extend to the content of the box. Institutions are responsible for ensuring that any statements made in this box are accurate.
A number of industry commenters opposed this suggestion, citing consumer confusion.193 Some stated that the GLB Act requires revised notices when the institution’s policy has changed.194 One advocacy group supported adding an extra column to the notice table highlighting specific changes made since the previous notice.195 After considering these comments, the Agencies determined that the simplest way to help consumers identify how recently the notice was changed is to include a “revised [month/year]” notation in the upper right-hand corner of page one of the notice. The revised date, in minimum 8-point font, is the date the policy was last revised.196 Of course, institutions can signal material changes in their policies by, for example, use of a cover letter that describes any changes.

2. Safe Harbor

A number of industry commenters expressed concern that the safe harbor provisions do not fully extend to the GLB Act requirements or do not extend to FCRA disclosures.197 These commenters seek broader safe harbor treatment for the use of the model form, notwithstanding the statutory provision that use of the model form will satisfy the notice requirements of the GLB Act and the privacy rule. The Agencies agree that the model form satisfies the requirements for the content of the notice required by the GLB Act, including sections __.6 and __.7 of the privacy rule; FCRA section 603(d) as described in section __.6 of the privacy rule; and section __.23 of the affiliate marketing rule. The Agencies note that the safe harbor applies to use of the model form, but does not and cannot extend to the institution-specific information that is inserted in the model form. Proper use of the model form to comply with the privacy rule requires that institutions accurately answer the questions about their information collection and sharing practices, as well as provide to consumers, as applicable, a reasonable means and opportunity to limit sharing and honor any opt-out requests submitted.

3. Online Form Builder

Commenters generally supported the Agencies’ proposal to provide a downloadable, fillable version of the model form that institutions could use to create their own customized notice.198 Many smaller institutions were particularly supportive, noting that it simplifies adoption and reduces their development costs. In response, the Agencies will be providing on each of their Websites a link to an Online Form Builder accessible by any institution so that the institution can readily create a unique, customized privacy notice using the model form template.

190 See, e.g., comment letters of American Insurance Ass’n (May 29, 2007); Great-West Life & Annuity Insurance Co. (May 29, 2007).
191 See, e.g., comment letters of American Council of Life Insurers (May 29, 2007); American Insurance Ass’n (May 29, 2007); Huntington National Bank (May 25, 2007).
192 See comment letter of National Automobile Dealers Ass’n (May 29, 2007).
193 See, e.g., comment letters of American Council of Life Insurers (May 29, 2007); Consumer Bankers Ass’n (May 29, 2007); Citigroup Inc. (May 30, 2007); Mastercard Worldwide (May 29, 2007); Securities Industry and Financial Markets Ass’n (May 29, 2007).
194 See comment letters of American Council of Life Insurers (May 29, 2007); Citigroup Inc. (May 30, 2007).
195 See, e.g., comment letters of Center for Democracy and Technology (May 29, 2007); see also New York State Consumer Protection Board (May 29, 2007).
196 Adoption of the model form, with no change in policies or practices, would not constitute a revised notice, although institutions may elect to consider the format change as a revision, at their option. However, inserting the new affiliate marketing opt-out in the model form would be a revision of the institution’s policies and practices.
The Agencies anticipate that a temporary Online Form Builder will be available in late 2009 and that a more robust version will be available to institutions in late 2010.

4. Web-Based Design

Many industry and advocacy group commenters supported development of an optional Web-based design, especially as more and more consumers are engaging in online activities such as online banking.199 Some commenters asked the Agencies to test a design for usability. Some industry commenters cautioned that the Agencies should leave this task to industry as institutions are more knowledgeable and better equipped to address such a task.200 The Board and FTC have agreed to jointly undertake the development through consumer research of a Web-based version of the final model form. That research work will proceed independent of this rulemaking, will be reviewed by all the other Agencies, and will be made publicly available for use by all institutions. It is anticipated that the work will be completed in late 2009.

5. Electronic Delivery

A number of commenters objected to limiting the electronic posting of the model form to a PDF format.201 Those expressing a view stated that providing the form in HTML is more compatible with their systems and easier for consumers to download and view.

197 See, e.g., comment letters of American Bankers Ass’n (May 25, 2007); California Bankers Ass’n (May 25, 2007); Consumer Bankers Ass’n (May 29, 2007).
198 See, e.g., comment letters of American Insurance Ass’n (May 29, 2007); Center for Democracy and Technology (May 29, 2007); Citrus and Chemical Bank (May 24, 2007); Credit Union National Ass’n (May 29, 2007); Independent Community Bankers of America (May 29, 2007); PayPal (May 29, 2007); Portage National Bank (May 1, 2007); Sovereign Bank (May 21, 2007).
The Agencies agree that institutions can provide the notice electronically in either PDF or HTML format. Where consumers agree to electronic receipt of the notice, institutions can send the notice by email either by attaching the notice or providing a link to the notice.

6. Other Comments

Some commenters asked if the model form can be adopted for other languages.202 The Agencies believe that this would be beneficial to an institution’s non-English speaking customers and note that institutions currently provide such notices, consistent with the privacy rule. Many industry commenters wanted the flexibility to add other information to the form.

199 See, e.g., comment letters of Center for Democracy and Technology (May 29, 2007); Investment Company Institute (May 29, 2007); MasterCard Worldwide (May 29, 2007); National Business Coalition on E-Commerce and Privacy (May 30, 2007); PayPal (May 29, 2007); Target National Bank (May 24, 2007).
200 See, e.g., comment letters of American Bankers Ass’n (May 25, 2007); American Council of Life Insurers (May 29, 2007); The Financial Services Roundtable and BITS (May 29, 2007); Huntington National Bank (May 25, 2007); National Retail Federation (May 29, 2007); Securities Industry and Financial Markets Ass’n (May 29, 2007); Wachovia Corporation (May 25, 2007).
201 See, e.g., comment letters of Huntington National Bank (May 25, 2007); MasterCard Worldwide (May 29, 2007); PayPal (May 29, 2007); Securities Industry and Financial Markets Ass’n (May 29, 2007); Wachovia Corporation (May 25, 2007).
202 See, e.g., comment letters of First Bank Americano (May 2, 2007); First Hawaiian Bank (May 29, 2007); National Retail Federation (May 29, 2007).
For example, they asked to include information on the benefits of sharing; privacy tips and identity theft information; information about fraud prevention; and marketing.203 Some commenters asked that additional information such as seal information be included in the model form.204 The Agencies considered these suggestions and decided not to permit the inclusion of additional information in the final model form. While an institution may believe this information is useful or important, we believe that the addition of such information to the model form defeats the purpose of providing a clear and usable notice about information sharing practices and consumer rights. The Agencies do not preclude an institution from providing such information in other, supplemental materials, if the institution wishes to do so. One commenter proposed requiring institutions that use the model form to also have a longer notice that complies with the privacy rule.205 One notice is sufficient if that notice complies with the law and the privacy rule. Commenters also raised a number of other issues that are beyond the scope of this rulemaking. These include making the default opt-in rather than opt-out; eliminating the annual notice requirement; preempting state law requirements; and establishing an opt-out repository similar to the FTC’s National “Do Not Call” Registry.206

IV. The Sample Clauses

As proposed, the Agencies are eliminating the Sample Clauses appended to the privacy rule along with the safe harbor (or, for SEC-regulated entities, guidance) currently afforded entities.207 Many industry commenters opposed the proposal.208 Some commenters asked that we retain certain of the Sample Clauses, such as A–1, A–3, and A–7, the use of which does not implicate an opt-out.209 Institutions expressed concern that elimination of the Sample Clauses and corresponding safe harbor would expose them to liability.210 A few commenters asked the Agencies to improve the current Sample Clauses as an interim measure.211 Several institutions requested that the Agencies at a minimum provide for a transition period that is longer than one year, if the Agencies determine to eliminate the Sample Clauses.212 Notwithstanding these comments, the Agencies are eliminating the Sample Clauses and related safe harbor (or guidance) from the privacy rule, following a transition period of one year.213 The initial public and media complaints about the incomprehensibility of the privacy notices,214 the plain language experts’ guidance at the Get Noticed Workshop, and the launch of this Notice Project all examined the problems with institutions’ privacy notices, including their extensive use of the Sample Clauses, and the need to develop a usable consumer notice. These same factors led the Agencies to propose eliminating the Sample Clauses. One commenter agreed that the research showed the clauses “were found wanting.” 215 An association whose members generally found the model form to be more consumer-friendly than the Sample Clauses asked only that the Agencies provide a sufficient transition period before eliminating the Sample Clauses.216 In addition, the quantitative testing supports the Agencies’ proposal to eliminate the Sample Clauses and related safe harbor. The Levy-Hastak Report confirms that a notice composed solely of the Sample Clauses promotes ease of scanning to perform simple tasks—because the notice is short and not because it is understandable—but the Sample Clauses do not do well on comprehension measures. Moreover, the testing showed that current notices—in which the Sample Clauses are typically embedded—do poorly on all measures. The Levy-Hastak Report examined the results when study participants were asked to choose between two banks based solely on the content of the notice and to give reason(s) why they selected a particular bank.

203 See, e.g., comment letters of American Bankers Ass’n (May 25, 2007); Bank of America Corporation (May 29, 2007); Comerica Bank (May 25, 2007); Consumer Bankers Ass’n (May 29, 2007); Citigroup Inc. (May 30, 2007); First Hawaiian Bank (May 29, 2007); California Bankers Ass’n (May, 2007); Farmers & Merchants Bank (May 29, 2007); Financial Services Roundtable and BITS (May 29, 2007); Huntington National Bank (May 25, 2007); KeyCorp (May 25, 2007); Target National Bank (May 24, 2007); Wachovia Corporation (May 25, 2007); Wells Fargo & Company (May 29, 2007).
204 See comment letters of PayPal (May 29, 2007); TrustE (May 30, 2007).
205 See comment letter of TRUSTe (May 30, 2007).
206 See, e.g., comment letters of America’s Community Bankers (May 29, 2007); Bank of Edison (March 21, 2007); Bank of Frankewing (May 18, 2007); Central National Bank of Enid (May 24, 2007); FamilyFirst Bank (May 8, 2007); Florence Savings Bank (April 30, 2007); Glenview State Bank (May 2, 2007); Hometown Bank (May 8, 2007); Portage National Bank (May 1, 2007).
207 The Sample Clauses were originally provided in the privacy rule to illustrate the level of detail for notices to meet the rule requirements and to minimize the compliance burden. See 65 FR 33646, 33677 (May 24, 2000) (FTC); 65 FR 35162, 35185 (June 1, 2000) (banking agencies); 65 FR 40334, 40357 (June 29, 2000) (SEC); 66 FR 21236, 21238 (Apr. 27, 2001) (CFTC).
208 See, e.g., comment letters of American Bankers Ass’n (May 25, 2007); American Council of Life Insurers (May 29, 2007); American Insurance Ass’n (May 29, 2007); Bank of America Corporation (May 29, 2007); Consumer Bankers Ass’n (May 29, 2007); Citigroup Inc. (May 30, 2007); Direct Marketing Ass’n (May 29, 2007); Investment Adviser Ass’n (May 29, 2007); National Ass’n of Mutual Insurance Cos. (May 29, 2007); National Automobile Dealers Ass’n (May 29, 2007); National Business Coalition on E-Commerce and Privacy (May 30, 2007); T. Rowe Price Associates, Inc. (May 29, 2007); Visa U.S.A., Inc. (May 29, 2007); Wisconsin Bankers Ass’n (May 29, 2007).
209 See, e.g., comment letter of National Automobile Dealers Ass’n (May 29, 2007). Sample Clause A–1 describes the categories of information that an institution collects. Sample Clause A–3 includes the phrase “as permitted by law” to describe the sharing that institutions are permitted to do under sections __.14 and __.15 without triggering an opt-out. Sample Clause A–7 generally states that an institution uses safeguard measures to protect the handling of the personal information it obtains.
210 See, e.g., comment letters of Visa U.S.A., Inc. (May 29, 2007); Citigroup Inc. (May 30, 2007); Huntington National Bank (May 25, 2009).
211 See, e.g., comment letter of Capital One Financial Corporation (May 29, 2007).
212 See, e.g., comment letters of Direct Marketing Ass’n (May 29, 2007); Investment Adviser Ass’n (May 29, 2007).
213 The Agencies are also making conforming amendments to sections __.2, __.6, and __.7 of the privacy rule and to the Appendix with one small change from the Proposed Rule.
214 See, e.g., Public Citizen Petition, supra note 24 at 4–9; Press Release of House Committee on Financial Services, supra note 74.
Participants who saw the Sample Clause Notice were more likely to select the higher sharing bank because it offered an opt-out.217 When these participants were matched with their general attitudinal preferences toward sharing, the Levy-Hastak Report found that they generally favored less sharing.218 According to the Levy-Hastak Report, the data suggested that study participants who gave as the reason for their choice the availability of opt-outs “may have mistakenly believed that this would lead them to choosing a lower sharing bank.” 219 In other words, participants who saw the Sample Clause Notice and selected the higher sharing bank because it offered opt-outs did not understand that a bank offering no opt-out did so because it shared less. This finding confirmed reports by small institutions.220 Further, the NAIC Study,221 conducted in March 2005, examined several different insurance disclosure forms with participants in three focus groups. One was a generic form based on the sample clauses adopted in the NAIC Model Privacy Rule and similar in content to the Sample Clause Notice used in the Agencies’ quantitative testing. The NAIC Study highlighted a key finding that is consistent with the Agencies’ research findings.

215 See comment letter of Capital One Financial Corporation (May 29, 2007).
216 See comment letter of Independent Community Bankers Ass’n (May 29, 2007).
217 The Levy-Hastak Report also found that study participants who saw the Current Notice were significantly more likely to give reasons not based on any information in the notice, for example, that Bank X offered a lower interest rate. These same participants were also less likely than those who saw the other notices to give cogent reasons for choosing the lower sharing bank. Levy-Hastak Report at 9.
218 Id. at 15.
219 Id. at 10.
Among the study participants, there was general misunderstanding of and concern about the language in the form, in particular the phrase “as permitted by law” found in Sample Clause A–3. Participants in all three focus groups asked: (1) What does this phrase mean?; (2) what is the law and what does it permit?; and (3) what if the law changes? Participants who viewed this form did not know what to do with it and wanted some way to contact the company to get answers to their questions. Also, in the development of the model form, Kleimann found that consumers did not understand the language in Sample Clause A–7 regarding the safeguarding of personal information. Through consumer testing, the description was revised to improve consumer comprehension. Finally, while many smaller institutions are most likely to engage in limited sharing and so would rely on the three Sample Clauses, A–1, A–3, and A–7, many of these institutions support the model form. They have stated that such a form would make it easier for them to demonstrate that they are less likely to share personal information, and it would allow for easier comparison of their sharing practices with those of other institutions.222 One large association commented that an informal survey of its community bank members found that “many are likely to use the model forms” and that “[m]ost found the new forms more consumer-friendly than the existing sample clauses.” 223

To ease the compliance burden for those institutions that currently have privacy notices based on the Sample Clauses, the Agencies are implementing a transition period that begins thirty (30) days after the date of publication and ends on December 31, 2010. Financial institutions will not be able to rely on the safe harbor by using the Sample Clauses in notices delivered or posted on or after January 1, 2011.224 Privacy notices using the Sample Clauses that are delivered to consumers (either in paper form or by electronic delivery such as e-mail) or, alternatively, are posted electronically to meet the annual notice requirement of section __.9(c) during the transition period, will have a safe harbor for one year after delivery or posting. Privacy notices using the Sample Clauses that are delivered or posted electronically after the transition period will not be eligible for a safe harbor. Since institutions are required to send notices annually to their customers, they may continue to rely on the safe harbor for annual notices that are delivered to consumers (either in paper form or by electronic delivery such as e-mail) within the transition period until the next annual privacy notice is due one year later.225 The Sample Clauses will be removed from codification one year after the transition period ends. The SEC, whose privacy rule provides only guidance and not a safe harbor for financial institutions that use the Sample Clauses, will also remove the Sample Clauses from codification one year after the transition period ends.226 While the final model form would provide a legal safe harbor, institutions could continue to use other types of notices that vary from the model form, including notices that use the Sample Clauses, so long as these notices comply with the privacy rule. The Agencies are also amending section __.6(b) of the privacy rule.

220 See supra note 133 and related text.
221 See NAIC Study, supra note 141.
222 See, e.g., comment letters of Florence Savings Bank (April 30, 2007); Community Bankers of America (May 29, 2007), Iowa State Bank and Trust Co. (May 22, 2007), Credit Union National Ass’n (May 29, 2007); see also supra note 133 and related text.
223 See comment letter of Independent Community Bankers of America (May 29, 2007).
The FTC is deleting the second sentence of section 313.6(b) and substituting the following new sentence, based on the model form research: “When describing the categories with respect to those parties, it is sufficient to state that you make disclosures to other nonaffiliated companies for your everyday business purposes, such as to process transactions, maintain account(s), respond to court orders and legal investigations, and report to credit bureaus.” The remaining Agencies (Board, CFTC, FDIC, NCUA, OCC, OTS, and SEC) are revising the second sentence of section __.6(b) to read as follows, based in part on the model form research: “When describing the categories with respect to those parties, it is sufficient to state that you make disclosures to other nonaffiliated companies: (1) For your everyday business purposes, such as [include all that apply] to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus; or (2) As permitted by law.” 227

V. Effective Date

The Agencies proposed that most of the provisions of the final rule would take effect on the date of publication.228 That approach would have allowed institutions that chose to use the model privacy form to receive the safe harbor for doing so immediately upon its publication. The Agencies received no comments on providing an immediate effective date for this portion of the rule. The only comments the Agencies received concerning the effective date of the rule pertained to removal of the Sample Clauses and related Appendix, as discussed in section IV. The final rule makes most of the provisions effective 30 days after publication. This approach allows institutions to receive, with only a minimal delay, a safe harbor for using the model privacy form and the additional, alternative language that may be used to comply with section __.6(b) of the privacy rule. The Agencies believe that few, if any, institutions would choose to implement those changes in fewer than 30 days. The 30-day delay will give institutions and the Agencies time to implement the changes properly.

224 Institutions relying on the Sample Clauses appended to the SEC’s privacy rule will not be able to rely on them for guidance in notices delivered or posted on or after January 1, 2011.
225 For example, if an institution provides a notice using the Sample Clauses on or before December 31, 2010, it could continue to rely on the safe harbor for one additional year until its next annual notice is due. If an institution provides a notice using the Sample Clauses on or after January 1, 2011, however, it could not rely on the safe harbor. Privacy notices using the Sample Clauses posted on an institution’s Web site to meet the annual notice requirements of section __.9(c) of the privacy rule would no longer be able to rely on the safe harbor beginning on January 1, 2011.
226 See SEC privacy rule, section 248.2(a). The facts and circumstances of each individual situation determine whether use of the Sample Clauses constitutes compliance with the SEC’s privacy rule.
VI. Final Regulatory Flexibility Analysis

The Regulatory Flexibility Act (‘‘RFA’’)229 requires the Agencies to provide an Initial Regulatory Flexibility Analysis (‘‘IRFA’’) with a proposed rule and a Final Regulatory Flexibility Analysis (‘‘FRFA’’) with a final rule, unless the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities. See 5 U.S.C. 603–605. An IRFA was published by the Agencies in their March 20, 2007, Proposed Rule regarding amendments to the rules implementing the privacy provisions of the GLB Act. The Agencies have prepared the following FRFA in accordance with 5 U.S.C. 604.

A. Need For and Objectives of Rule Amendments

The goal of the rule amendments is to satisfy the requirements of section 728 of the Regulatory Relief Act, which requires that the Agencies develop a model form that is comprehensible, clear and conspicuous, and succinct. The Act also requires that the model form enable consumers to easily identify a financial institution’s sharing practices and compare those practices with others. The model form that the Agencies are adopting today will, if properly used, serve as a safe harbor for satisfying the privacy rules’ requirements regarding content of privacy notices.

227 Institutions using option (1) in this revised sentence to section __.6(b) are required to include all applicable examples. See 12 CFR 40.6(b) (OCC); 12 CFR 216.6(b) (Board); 12 CFR 322.6(b) (FDIC); 12 CFR 573.6(b) (OTS); 12 CFR 716.6(b) (NCUA); 17 CFR 160.6(b) (CFTC); 17 CFR 248.6(b) (SEC).
228 Proposed Rule, supra note 4, at section IV.
229 5 U.S.C. 601–612.
As indicated in section I of the preamble to this final rule, the amendments to Appendix A of the Agencies’ privacy rules are adopted pursuant to the authority set forth in § 503 (as amended by section 728 of the Regulatory Relief Act) and § 504 of the GLB Act.230

B. Significant Issues Raised by Public Comment

The Agencies requested comments on the IRFA. We specifically requested comments on the number of small entities that would be affected by the rules’ amendments, the existence or nature of the impact of the amendments on small entities, how to quantify the impact of the amendments, and possible alternatives to the amendments. Commenters were also asked whether a downloadable version of the model form would be useful for financial institutions, particularly small entities that would like to take advantage of the proposed safe harbor. Only one commenter directly addressed the IRFA.231 That commenter disagreed with the Agencies’ analysis that some financial institutions that may wish to transition to the proposed model form might incur some small incremental costs in making the transition, but did not provide any explanation of why the analysis is incorrect or estimates regarding logistical costs that the commenter asserted would be significant.

230 The SEC is also adopting the amendments under section 23 of the Securities Exchange Act of 1934 [15 U.S.C. 78w], section 38(a) of the Investment Company Act of 1940 [15 U.S.C. 80a–37(a)], and section 211(a) of the Investment Advisers Act of 1940 [15 U.S.C. 80b–11(a)]. The CFTC also is adopting the amendments under Section 504 of the GLB Act [15 U.S.C. 6804], and Sections 5g and 8a(5) of the Commodity Exchange Act [7 U.S.C. 7b–2, 12a(5)].
Several associations whose members include small entities, however, expressed support for the objectives of the proposed model notice.232 In addition, one association (many of whose members are small entities) found that many of its members that participated in an informal survey are likely to use the model forms and most found the forms more consumer-friendly than the Sample Clauses.233 Some commenters suggested that the model form is oriented to large, multi-affiliate financial institutions and does not accommodate smaller institutions.234 These commenters stated that the information collection policies described in the model form accurately reflect the practices of certain large financial institutions but are misleading to the extent they are beyond the scope of smaller financial institutions that do not offer banking-related products and services. In response to these and similar comments, the Agencies have revised the model form to allow financial institutions to select from a menu of specific disclosures to customize the descriptions of their information collection policies.235 Several commenters also requested that the Agencies retain the safe harbor regarding the Sample Clauses, noting that many small entities’ privacy notices currently incorporate the Sample Clauses. One commenter explained that it would be burdensome and unnecessary for small entities to change their privacy notices, especially small entities that do not share personal information other than to service their clients’ accounts.236 Another commenter argued that elimination of the safe harbor for the Sample Clauses would transform the model form from an optional elective to a burdensome regulatory requirement, particularly for small entities.237 We note, however, that the research found that there was general misunderstanding of and concern among consumers about language in the notice based on the Sample Clauses.238 Nevertheless, partly in response to these comments, the Agencies are allowing financial institutions one year in which they can continue to rely on the Sample Clauses for safe harbor or guidance when providing notices. In addition, as noted above, while the Agencies are eliminating the Sample Clauses and related safe harbor (or, for the SEC, guidance), institutions may continue to use notices containing these clauses, so long as these notices comply with the privacy rule. Finally, we received a limited number of comments indicating that a downloadable fillable model form may be helpful, especially to small entities.239 In response to these comments, the Agencies will make available an Online Form Builder. We expect the availability of this form will, in part, minimize the burden on small businesses of developing, using, and customizing the model form for their individual needs.

231 Comment letter of National Business Coalition on E–Commerce and Privacy (May 30, 2007).
232 See, e.g., joint comment letter of American Bankers Ass’n, America’s Community Bankers, Consumer Bankers Ass’n, and The Financial Services Roundtable (May 29, 2007).
233 See comment letter of Independent Community Bankers of America (May 29, 2007).
234 See, e.g., comment letters of Financial Services Institute (May 29, 2007); Financial Planning Ass’n (May 30, 2007).
235 See supra sections III.I.2 and III.J.1; see also infra, Instructions C.2(b) and C.3(a)(3) and (4) to the Model Privacy Form.
236 See, e.g., comment letter of Investment Adviser Ass’n (May 29, 2007).
237 See, e.g., comment letter of National Automobile Dealers Ass’n (May 29, 2007).
238 See supra section IV and discussion at notes 217–219 and related text. See also Public Citizen Petition, supra note 24, at 9 (‘‘The paragraph employs ambiguous phrases such as ‘other information’ (what other information?), ‘unless otherwise permitted by law’ (in actuality, the law almost always permits disclosure) * * *’’).
239 See, e.g., comment letters of Financial Planning Ass’n (May 30, 2007); Center for Democracy and Technology (May 29, 2007).

C. Small Entities Subject to the Rules

The amendments to Appendix A and conforming amendments to sections __.2, __.6, and __.7 of the Agencies’ privacy rules may potentially affect financial institutions, including financial institutions that are small businesses or small organizations, that choose to rely on the model privacy form as a safe harbor.

1. OCC. The OCC estimates that 690 insured national banks, uninsured national banks and trust companies, and foreign branches and agencies are small entities for purpose of the RFA.
2. Board. The Board estimates that 432 state member banks are small entities for purposes of the RFA.
3. FDIC. The FDIC estimates that 3115 state nonmember banks are small entities for purposes of the RFA.
4. OTS. The OTS estimates that 377 small savings associations are small entities for purposes of the RFA.
5. NCUA. The RFA requires NCUA to prepare an analysis to describe any significant economic impact a regulation may have on a substantial number of small credit unions (primarily those under $10 million in assets). The NCUA estimates that 3,168 federally-insured, state-chartered credit unions are small entities for purposes of the RFA.
6. FTC. Determining a precise estimate of the number of small entities that are financial institutions within the meaning of the rule is not readily feasible.
The GLB Act does not identify for purposes of the Commission’s jurisdiction any specific category of financial institution. In the absence of such information, there is no way to estimate precisely the number of affected entities that share nonpublic personal information with nonaffiliated third parties or that establish customer relationships with consumers and therefore assume greater disclosure obligations.
7. CFTC. Section 5g of the CEA, 7 U.S.C. 7b–2, provides that any futures commission merchant, commodity trading advisor, commodity pool operator, or introducing broker that is subject to the jurisdiction of the CFTC with respect to any financial activity, shall be treated as a financial institution for purposes of Title V of the GLB Act, regardless of size and including commodity trading advisors and commodity pool operators that are exempt from the CEA’s registration requirements. The CFTC has previously established certain definitions of ‘‘small entities’’ and determined that futures commission merchants and commodity pool operators are not small for purposes of the Regulatory Flexibility Act. Policy Statement and Establishment of Definitions of ‘‘Small Entities,’’ 47 FR 18,618 (Apr. 30, 1982). This rule applies to commodity trading advisors and introducing brokers of all sizes. Because use of the model privacy form is voluntary, and because its use is a form of substituted compliance with Part 160 and not a new mandatory burden, CFTC believes that the rule will not have a significant economic impact on a substantial number of small entities.
8. SEC. The SEC estimates that 915 broker-dealers, 212 investment companies registered with the Commission, and 781 investment advisers registered with the Commission are small entities for purposes of the RFA.240

Because use of the model privacy form will be entirely voluntary, the Agencies cannot estimate how many small financial institutions will use it.
The Agencies expect, however, that small financial institutions, particularly those that do not have permanent staff available to address compliance matters associated with the privacy rules, will be relatively more likely to rely on the model privacy form than larger institutions. We believe that most financial institutions currently have legal counsel review their privacy notices for compliance with the GLB Act, the FCRA, and the privacy rules. We anticipate that a financial institution that uses the model form for its privacy notice will need little review by legal counsel because the rules do not permit institutions to vary the form if they wish to obtain the benefit of a safe harbor, except as necessary within narrow parameters to identify their information collection, sharing, and opt-out policies. Finally, the Agencies are providing an Online Form Builder that will enable institutions to directly create a customized model form and thus will facilitate compliance.

240 For purposes of the RFA, under the Securities Exchange Act of 1934 a small entity is a broker or dealer that (i) had total capital of less than $500,000 on the date in its prior fiscal year as of which its audited financial statements were prepared or, if not required to file audited financial statements, on the last business day of its prior fiscal year, and (ii) is not affiliated with any person that is not a small business or small organization. 17 CFR 240.0–10(c). Under the Investment Company Act of 1940, a ‘‘small entity’’ is an investment company that, together with other investment companies in the same group of related investment companies, has net assets of $50 million or less as of the end of its most recent fiscal year. 17 CFR 270.0–10(a). Under the Investment Advisers Act of 1940, a small entity is an investment adviser that (i) manages less than $25 million in assets, (ii) has total assets of less than $5 million on the last day of its most recent fiscal year, and (iii) does not control, is not controlled by, and is not under common control with another investment adviser that manages $25 million or more in assets, or any person that had total assets of $5 million or more on the last day of the most recent fiscal year. 17 CFR 275.0–7(a).

D. Reporting, Recordkeeping, and Other Compliance Requirements

The amendments to the privacy rules do not impose any additional recordkeeping, reporting, disclosure, or compliance requirements. Financial institutions, including small entities, have been required to provide notice to consumers about the institution’s privacy policies and practices since July 1, 2001 (or March 31, 2002, in the case of the CFTC). The amendments adopted today will not affect these requirements and financial institutions will be under no obligation to modify their current privacy notices as a result of the amendments. Instead, the amendments provide a specific model privacy form that a financial institution may use to comply with notice requirements under the GLB Act, the FCRA (as amended by the FACT Act), and the privacy rules. Nonetheless, some of the financial institutions that rely on the Sample Clauses in the current privacy rules’ appendixes may wish to transition to the model form and may incur some additional costs in making this transition.241 The Agencies expect, however, that the availability of a standardized model form will minimize these costs because the form’s standardized formatting and language will make it easier for institutions to prepare and revise their privacy notices.

E. Action by the Agencies To Minimize Effects on Small Entities

The RFA directs the Agencies to consider significant alternatives that would accomplish the stated objectives, while minimizing any significant adverse impact on small entities.
In connection with the amendments, we considered the following alternatives:

1. Different reporting or compliance standards. As noted above, the Regulatory Relief Act requires the Agencies to develop ‘‘a’’ model form that, among other things, will facilitate comparison of the information sharing practices of different financial institutions. In light of these statutory requirements, the Agencies are adopting only one model form, which includes alternative language in some places that allows a financial institution to describe its particular information collection and sharing practices. The specific model form that the Agencies are adopting today was developed as part of a careful and thorough consumer testing process designed to produce a clear, comprehensible, and comparable notice. The model form emerged as the most effective of several notice formats considered as part of this testing.

2. Clarification, consolidation, or simplification of reporting and compliance requirements. The Agencies believe that the model form will simplify the reporting requirements for all entities, including small entities, that choose to use the model form. We anticipate that financial institutions that choose to use the model form will spend less time preparing notices than if they had to draft one on their own. Because the model form was developed as part of a consumer testing process, further clarifying, consolidating, or simplifying the model notice would compromise the research findings.

3. Performance rather than design standards. Section 728 of the Regulatory Relief Act specifically requires that the Agencies develop a model form.

241 To the extent that institutions review their privacy policies annually for compliance, we estimate that the costs associated with this annual review, including professional costs, will be approximately the same as the costs to complete the model form.
The model form is an alternative means of providing a privacy notice that institutions may choose to use. The privacy rules do not mandate the format of privacy notices; thus, neither the privacy rules nor the amendments impose a design standard.

4. Exempting small entities. We believe that an exemption for small entities would not be appropriate or desirable. The Agencies note that the model form is available for use at the discretion of all financial institutions, including small institutions. Moreover, two key objectives of the model form are that (1) consumers can understand an institution’s information sharing practices and (2) they may more easily compare financial institutions’ sharing practices and policies across privacy notices. An exemption for small entities would directly conflict with both of these key objectives, particularly that of enabling comparison across notices.

VII. Paperwork Reduction Act

The final privacy rules governing the privacy of consumer financial information contain disclosures that are considered collections of information under the Paperwork Reduction Act (PRA).242 Before the Agencies issued their privacy rules, they obtained approval from OMB for the collections. OMB control numbers for the collections appear below. The amendments adopted today do not introduce any new collections of information into the Agencies’ privacy rules, nor do they amend the rules in a way that substantively modifies the collections of information that OMB has approved. Therefore, no PRA submissions to OMB are required.

OCC: Control number 1557–0216.
Board: Control number 7100–0294.
FDIC: Control number 3064–0136.
OTS: Control number 1550–0103.
NCUA: Control number 3133–0163.
FTC: Control number 3084–0121.
SEC: Control number 3235–0537.
CFTC: Control number 3038–0055.

242 44 U.S.C. 3501–3520.

VIII. OCC and OTS Executive Order 12866 Determination

The OCC and OTS have determined that their respective portions of the final rule are not a significant regulatory action under Executive Order 12866. We have concluded that the changes made by this rule will not have an annual effect on the economy of $100 million or more, and do not meet any of the other standards for a significant action set forth in E.O. 12866.

IX. OCC and OTS Executive Order 13132 Determination

The OCC and OTS have determined that their respective portions of the final rule do not have any federalism implications, as required by Executive Order 13132.

X. OCC and OTS Unfunded Mandates Reform Act of 1995 Determination

Section 202 of the Unfunded Mandates Reform Act of 1995, Public Law 104–4 (UMRA), requires that an agency prepare a budgetary impact statement before promulgating a rule that includes a Federal mandate that may result in the expenditure by State, local, and tribal governments, in the aggregate, or by the private sector of $100 million or more (adjusted annually for inflation) in any one year. The inflation adjusted threshold is $133 million or more. If a budgetary impact statement is required, section 205 of the UMRA also requires an agency to identify and consider a reasonable number of regulatory alternatives before promulgating a rule. The OCC and OTS have each determined that their respective portions of the final rule will not result in expenditures by State, local, and tribal governments, in the aggregate, or by the private sector, of $133 million or more in any one year. Accordingly, the final rule is not subject to section 202 of the UMRA.

XI. SEC Cost-Benefit Analysis

The SEC is sensitive to the costs and benefits imposed by its rules.
As discussed above, the amendments the Agencies are adopting today will replace the Sample Clauses included as guidance in Regulation S–P’s Appendix A (17 CFR part 248, appendix A) with a model privacy form that financial institutions can choose to provide to consumers. The amendments are designed to implement section 728 of the Regulatory Relief Act. This Act directs the Agencies to ‘‘jointly develop a model form which may be used, at the option of the financial institution, for the provision of disclosures under [section 503 of the GLB Act].’’ The SEC identified certain costs and benefits arising from these amendments and requested comments on all aspects of the associated cost-benefit analysis, including identification and assessment of any costs and benefits not discussed in the analysis. The SEC also sought comments on the accuracy of its cost and benefit estimates and requested commenters to identify, discuss, analyze, and supply relevant data that would allow the SEC to improve its estimates. Finally, the SEC requested comments regarding the potential impact of the proposals on the U.S. economy on an annual basis.

A. Benefits

The goal of the rules is to satisfy the requirements of section 728 of the Regulatory Relief Act, which requires that the Agencies develop a model form that is comprehensible, clear and conspicuous, and succinct. The Act also requires that the model form enable consumers easily to identify a financial institution’s sharing practices and compare those practices with others. The model form that the Agencies are adopting today will, if properly used, serve as a safe harbor for satisfying the privacy rule’s requirements regarding the content of privacy notices. The SEC requested comments on all aspects of the benefits of the amendments as proposed.
The SEC requested specific comments on available metrics to quantify these benefits and any other benefits commenters could identify, and requested commenters to identify sources of empirical data that could be used for such metrics. The SEC did not receive any comments in response to these requests. Use of the model form is voluntary, so a financial institution can determine for itself its costs and benefits in deciding whether using the model form would be suitable for its business and customers. However, new financial institutions will likely benefit from using the model privacy form because of the savings in time and resources that would otherwise be spent developing their own notices. The SEC also anticipates that financial institutions regulated by the SEC may benefit from the model privacy form’s standardized formatting and language. The SEC believes that institutions currently review their Regulation S–P privacy policies annually. To the extent that these institutions are required to change their policies to reflect changes in their privacy practices, they may find it easier to use the model privacy form rather than revise their existing notices. Similarly, the SEC expects that revisions to an institution’s privacy policies will be easier to record in the model form’s standardized format. The SEC also anticipates that a financial institution that chooses to use the model notice will need little, if any, ongoing review by legal counsel because an institution cannot vary the form except within stated parameters as necessary to identify certain specific information collection, sharing, and opt-out policies. Before today’s amendments, Appendix A of Regulation S–P contained Sample Clauses that the SEC interpreted as providing guidance, as opposed to a legal safe harbor.
Institutions will therefore benefit from the certainty that proper use of the model notice entitles them to a safe harbor for disclosures required under the GLB Act and FCRA.243 Consumers should also benefit from the model form through increased comprehension of and enhanced comparability among privacy policies. The model form was developed in an extensive consumer research testing process that sought to maximize consumers’ ability to comprehend, use, and compare privacy notices. The model form emerged as the most effective of several notice formats considered as part of this testing. The SEC therefore anticipates that if financial institutions make widespread use of the model form, consumers’ comprehension and their ability to use and compare privacy policies will be enhanced. Institutions also might benefit from consumers’ enhanced ability to understand and use the notices to the extent that consumers have more trust and confidence in an institution’s privacy policies because the consumers understand those policies.

243 A number of commenters expressed concern that the safe harbor provisions might not fully extend to all GLB Act requirements or FCRA disclosures. See, e.g., comment letter of Citigroup Inc. (May 30, 2007). Several commenters further suggested the safe harbor should encompass state and private enforcement. See, e.g., comment letters of Consumer Bankers Ass’n (May 29, 2007); Financial Services Institute (May 29, 2007). In response to these comments, the Agencies have clarified the scope of the safe harbor. See supra section III.K.2.

B. Costs

Since the model form is optional, the SEC cannot estimate the number of institutions that will adopt it. Accordingly, we cannot estimate total overall costs to use the model form by broker-dealers, investment advisers registered with the SEC, and investment companies that may use the model form. However, in the Proposed Rule, the SEC provided estimates of certain types of costs that could result from the proposed amendments. The SEC also sought comments on its cost estimates and the assumptions behind the estimates, as well as whether any of those costs would differ if the form were downloadable from a Web site. The majority of the comments we received predicted significant cost increases in preparation, distribution, and processing of privacy notices. Many commenters noted that the prohibition on double-sided printing and requirement of a separate third page for mail-in opt-outs, if any, would greatly increase printing costs and would result in significant environmental waste due to increased paper usage.244 Numerous commenters also raised concerns that the 8½ x 11-inch paper size requirement, coupled with the prohibition on incorporation of the model notice into other documents, essentially mandated a separate mailing for the model notice.245 Commenters concluded that separate mailing of privacy notices would result in significant postage costs and increase the likelihood that consumers would misplace or fail to read the notice because it no longer accompanied important documents.246 Several commenters suggested that these costs could result in lowered adoption rates for the model form.247 Based on these comments, the Agencies have revised the amendments to allow for double-sided printing and incorporation of the mail-in opt-out on the bottom of the first page, waiver of a mandatory 8½ x 11-inch paper size, and incorporation of the model notice into other documents. We believe these accommodations will result in greatly reducing the implementation costs commenters associated with adopting the model form.
We do not expect that financial institutions will incur additional disclosure costs in using the model privacy form because the notice requirements of Regulation S–P have been effective since July 1, 2001, and are not altered by the amendments. Moreover, financial institutions will be 244 See, e.g., comment letters of Investment Adviser Ass’n (May 29, 2007) (estimating additional printing and mailing costs for larger investment advisory firms of $100,000 to more than $300,000 per mailing); Securities Industry and Financial Markets Ass’n (May 29, 2007) (estimating additional printing costs of $7.5 million per billion notices). 245 See, e.g., comment letters of Investment Adviser Ass’n (May 29, 2007); Citigroup Inc. (May 30, 2007). 246 See, e.g., comment letters of Financial Services Roundtable and BITS (May 29, 2007) (estimating cost to financial services industry of printing and mailing model form of approximately $400 million per billion notices); Citigroup Inc. (May 30, 2007) (consumers ‘‘are more likely to open and read mail that contains an ‘important’ communication such as a billing statement than an unidentified standalone communication’’). 247 See, e.g., comment letter of Capital One Financial Corporation (May 29, 2007). E:\FR\FM\01DER2.SGM 01DER2 mstockstill on DSKH9S0YB1PROD with RULES2 62914 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations under no obligation to adopt the model form or modify their current privacy notices. Presumably, financial institutions will not adopt the model form without first determining that associated costs are justified by the benefits. We anticipate that financial institutions that elect to use the model privacy form could incur some small, incremental developmental costs in making the transition from their current notices to the model form. These costs could include staff time to review the model form and its instructions and complete the model form. 
We expect these will be minimal because the language and format in the form are standardized and financial institutions can only customize very limited sections of the model privacy form. Institution-specific information is limited to contact information, selection from a menu of terms relating to information collection, “yes” or “no” answers and brief descriptions, as necessary, of the types of entities with which the institution shares personal information. Furthermore, the model form can be downloaded from a Web site so preparation costs should be minimal. Similarly, we believe that a financial institution that adopts the model privacy form would need little, if any, initial or annual review by legal counsel because almost all the disclosures in the form are already mandated under the current disclosure regime. One commenter disagreed and suggested that legal counsel at each financial institution will spend at least 50 hours initially and annually ensuring that the model form accurately reflects the institution’s privacy practices.248 These estimates seem high because institutions already know their information collection and sharing practices and have very little discretion in choosing from among a menu of terms to disclose that information on the model form. Even if those estimates are accurate, however, we believe that those legal costs would likely have been incurred with respect to any model form unless it conformed exactly to the institution’s current form.

248 See comment letter of Securities Industry and Financial Markets Ass’n (May 29, 2007).

Transition costs may also include administrative, logistical, and training costs. For example, several commenters highlighted one-time costs stemming from rewriting notices, republishing brochures or notices, and revising or reprinting documents that incorporate current notices.249 We anticipate these costs will be minimal, if any, in part because the Agencies are allowing financial institutions a transition period of one year during which they can continue to rely on the Sample Clauses for safe harbor or guidance. Although an institution may choose to replace a current privacy notice with a model privacy notice, this should not require substantial rewriting because there are few drafting choices in the model form. In addition, the SEC believes it is unlikely that many financial institutions have stockpiles of more than one year’s worth of privacy notices or documents that incorporate privacy notices on hand for distribution.

Several commenters also raised concerns regarding increased customer service demands and the necessity for financial institutions to proactively take steps to address customer confusion. For example, one commenter noted that financial institutions would face one-time costs associated with revising or preparing explanatory material for training employees regarding the model form, such as scripts and responses for call centers.250 Since the amendments do not affect Regulation S–P’s substantive requirements, we anticipate that any substantive questions about the institutions’ privacy practices should already be addressed by existing explanatory materials. We anticipate any new explanatory material will be limited to questions regarding the revised format of the model form, which due to its standardized nature should be relatively simple to address.

Insofar as the Sample Clauses in current Regulation S–P may have some value to some financial institutions, their phase-out under the amendments to the rules may create some costs to those institutions. However, we expect those costs to be minimal.
As discussed above, the Agencies are giving financial institutions a transition period of one year during which they can continue to rely on the Sample Clauses for guidance or a safe harbor, which should allow time to minimize the transition costs for any institutions that adopt the model privacy form. Moreover, as noted above, elimination of the Sample Clauses as guidance does not mean that institutions that continue to use these clauses are in violation of the SEC’s privacy rule. Institutions may continue to use notices containing these clauses so long as these notices comply with the privacy rule.

249 See comment letter of T. Rowe Price Associates, Inc. (May 29, 2007).
250 See comment letter of Investment Adviser Ass’n (May 29, 2007).

Lastly, customers may experience certain costs associated with adoption of the model form. Several commenters suggested that the model form sacrifices greater consumer understanding about information sharing practices in exchange for a simplified notice format.251 Another commenter speculated that adoption of the model form would result in customer confusion and potential loss of customer trust due to the misimpression that financial institutions are changing their privacy policies.252 One commenter concluded that consumer confusion resulting from overly simplified disclosures would lead to unacceptably high opt-out rates and discourage use of the model form by financial institutions.253 As discussed above, the model form was developed in an extensive consumer research testing process that sought to maximize consumers’ ability to comprehend, use, and compare privacy notices. The model form emerged as the most effective of several notice formats considered as part of this testing. Consequently, the SEC believes that any customer confusion that results from adoption of the model form will be minimal.

251 See, e.g., comment letter of Bank of America Corporation (May 29, 2007).
252 See comment letter of Visa U.S.A. Inc. (May 29, 2007).
253 See comment letter of Financial Services Institute (May 29, 2007).

Furthermore, we expect that any such confusion will be rapidly dissipated if financial institutions make widespread use of the model privacy form and consumers become more familiar with its contents. Although the SEC cannot determine aggregate costs because of the unknown number of financial institutions that will adopt the model form, we expect each financial institution choosing to adopt the model form to incur minimal, if any, costs. As discussed above, we do not anticipate that financial institutions will incur additional disclosure costs in using the model privacy form because the substantive notice requirements of Regulation S–P have been effective since July 1, 2001, and are not altered by the amendments. We expect notice development and transition costs to be minimal because the language and format in the model form are standardized and financial institutions can only customize a few sections of the model form by selecting from among a menu of specific terms. Furthermore, the model form can be downloaded from a Web site so preparation costs should be minimal. Moreover, the Agencies are giving financial institutions one year in which they can continue to rely on the Sample Clauses for safe harbor or guidance, which should allow time to minimize the transition costs for any institution that adopts the model privacy form. Similarly, the SEC expects any aggregate costs to consumers that may result from adoption of the model form to be minimal, if any.
As discussed above, the model form emerged as the most effective of several notice formats in an extensive consumer research testing process that sought to maximize consumers’ ability to comprehend, use, and compare privacy notices. We anticipate that any initial costs to consumers in the form of confusion or reduced understanding will be short-lived as increasing numbers of financial institutions use the model privacy form and consumers become more familiar with its contents and can use the form to compare notices more easily.

XII. SEC Consideration of Burden on Competition

Securities Exchange Act Section 23(a)(2) requires the SEC, in adopting rules under that Act, to consider the impact that any such rule will have on competition.254 Section 23(a)(2) also prohibits the SEC from adopting any rule that will impose a burden on competition not necessary or appropriate in furtherance of the purposes of the Securities Exchange Act. As discussed above, the amendments to Regulation S–P, including the model form, are designed to comply with section 728 of the Regulatory Relief Act, mandating that the Agencies develop a model form that is comprehensible, clear and conspicuous, and succinct. SEC-regulated institutions will be able to use the model form in order to comply with the notice requirements under the GLB Act, the FCRA, and Regulation S–P.

The SEC does not expect the amendments to have a significant impact on competition. Use of the model form will be voluntary, permitting a financial institution to determine whether using the model form will enhance its competitive position. All brokers and dealers, investment companies, and registered investment advisers will be able to use the model form and take advantage of the safe harbor. Other financial institutions will be able to use the form and take advantage of the safe harbor under comparable rules adopted by the other Agencies. Under the Regulatory Relief Act, the Agencies have worked in consultation in order to ensure the consistency and comparability of the amendments. Therefore, all financial institutions will have the same opportunity to use the model form and rely on the safe harbor. Further, if financial institutions choose to use the model form, the amendments could promote competition by enabling consumers more easily to understand and compare competing institutions’ privacy policies. The SEC also anticipates that the model form’s standardized formatting may reduce the relative burden of compliance on smaller financial institutions, allowing them to compete more effectively with larger institutions that are more likely to have a dedicated compliance staff. As such, the SEC expects any impact on competition caused by the amendments would not be significant.

254 See 15 U.S.C. 78w(a)(2).

XIII. NCUA: The Treasury and General Government Appropriations Act, 1999–Assessment of Federal Regulations and Policies on Families

The NCUA has determined that this rule will not affect family well-being within the meaning of section 654 of the Treasury and General Government Appropriations Act, 1999, Public Law 105–277, 112 Stat. 2681 (1998).

XIV. CFTC Cost-Benefit Analysis

Section 15 of the Commodity Exchange Act requires the CFTC to consider the costs and benefits of its action before issuing a new regulation under the Act. The CFTC understands that, by its terms, section 15 does not require the CFTC to quantify the costs and benefits of a new regulation or to determine whether the benefits of the regulation outweigh its costs. Nor does it require that each rule be analyzed piecemeal or in isolation when that rule is a component of a larger package of rules or rule revisions. Rather, section 15 simply requires the CFTC to “consider the costs and benefits” of its action. Section 15 further specifies that costs and benefits shall be evaluated in light of five broad areas of market and public concern: Protection of market participants and the public; efficiency, competitiveness, and financial integrity of futures markets; price discovery; sound risk management practices; and other public interest considerations. Accordingly, the CFTC could in its discretion give greater weight to any one of the five enumerated areas of concern and could in its discretion determine that, notwithstanding its costs, a particular rule was necessary or appropriate to protect the public interest or to effectuate any of the provisions or to accomplish any of the purposes of the Act.

The CFTC has considered the costs and benefits of the model form as a totality. The form provides a nonmandatory means of complying with existing requirements of the privacy provisions of the GLB Act and section 5g of the CEA, and thus imposes no mandatory new costs. The CFTC believes that the model form should benefit futures industry consumer customers in better understanding a financial institution’s privacy policies, and may facilitate customers in comparing the privacy policies of financial institutions.

List of Subjects

12 CFR Part 40
Banks, banking, Consumer protection, National banks, Privacy, Reporting and recordkeeping requirements.

12 CFR Part 216
Banks, banking, Consumer protection, Foreign banking, Holding companies, Privacy, Reporting and recordkeeping requirements.

12 CFR Part 332
Banks, banking, Consumer protection, Foreign banking, Privacy, Reporting and recordkeeping requirements.

12 CFR Part 573
Consumer protection, Privacy, Reporting and recordkeeping requirements, Savings associations.

12 CFR Part 716
Consumer protection, Credit unions, Privacy, Reporting and recordkeeping requirements.

16 CFR Part 313
Consumer protection, Credit, Privacy, Reporting and recordkeeping requirements, Trade practices.
17 CFR Part 160
Brokers, Consumer protection, Privacy, Reporting and recordkeeping requirements.

17 CFR Part 248
Brokers, Consumer protection, Investment companies, Privacy, Reporting and recordkeeping requirements, Securities.

DEPARTMENT OF THE TREASURY
Office of the Comptroller of the Currency
12 CFR Chapter I
Authority and Issuance

For the reasons set forth in the joint preamble, part 40 of chapter I of title 12 of the Code of Federal Regulations is amended as follows:

PART 40—PRIVACY OF CONSUMER FINANCIAL INFORMATION

■ 1. The authority citation for part 40 continues to read as follows:
Authority: 12 U.S.C. 93a; 15 U.S.C. 6801 et seq.

■ 2. Revise § 40.2 to read as follows:

§ 40.2 Model privacy form and examples.
(a) Model privacy form. Use of the model privacy form in Appendix A of this part, consistent with the instructions in Appendix A, constitutes compliance with the notice content requirements of §§ 40.6 and 40.7 of this part, although use of the model privacy form is not required.
(b) Examples. The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part.

■ 3. In § 40.6:
A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set forth below.
B. Effective January 1, 2012, remove paragraph (g).

§ 40.6 Information to be included in privacy notices.
* * * * *
(b) Description of nonaffiliated third parties subject to exceptions. If you disclose nonpublic personal information to third parties as authorized under §§ 40.14 and 40.15, you are not required to list those exceptions in the initial or annual privacy notices required by §§ 40.4 and 40.5. When describing the categories with respect to those parties, it is sufficient to state that you make disclosures to other nonaffiliated companies:
(1) For your everyday business purposes, such as [include all that apply] to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus; or
(2) As permitted by law.
* * * * *
(f) Model privacy form. Pursuant to § 40.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part.
(g) Sample clauses. Sample clauses illustrating some of the notice content required by this section are included in Appendix B of this part. Use of a sample clause in a privacy notice provided on or before December 31, 2010, to the extent applicable, constitutes compliance with this part.

■ 4. In § 40.7, add paragraph (i) to read as follows:

§ 40.7 Form of opt-out notice to consumers; opt-out methods.
* * * * *
(i) Model privacy form. Pursuant to § 40.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part.

Appendix A [Redesignated as Appendix B]
■ 5. Redesignate Appendix A to part 40 as Appendix B to part 40.
■ 6. Add new Appendix A to part 40 to read as follows:

Appendix A to Part 40—Model Privacy Form
A. The Model Privacy Form
[Model privacy form pages (graphics ER01DE09.000 through ER01DE09.005) not reproduced in text.]

B. General Instructions

1. How the Model Privacy Form Is Used
(a) The model form may be used, at the option of a financial institution, including a group of financial institutions that use a common privacy notice, to meet the content requirements of the privacy notice and opt-out notice set forth in §§ 40.6 and 40.7 of this part.
(b) The model form is a standardized form, including page layout, content, format, style, pagination, and shading. Institutions seeking to obtain the safe harbor through use of the model form may modify it only as described in these Instructions.
(c) Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681–1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.
(d) The word “customer” may be replaced by the word “member” whenever it appears in the model form, as appropriate.

2. The Contents of the Model Privacy Form
The model form consists of two pages, which may be printed on both sides of a single sheet of paper, or may appear on two separate pages. Where an institution provides a long list of institutions at the end of the model form in accordance with Instruction C.3(a)(1), or provides additional information in accordance with Instruction C.3(c), and such list or additional information exceeds the space available on page two of the model form, such list or additional information may extend to a third page.
(a) Page One. The first page consists of the following components:
(1) Date last revised (upper right-hand corner).
(2) Title.
(3) Key frame (Why?, What?, How?).
(4) Disclosure table (“Reasons we can share your personal information”).
(5) “To limit our sharing” box, as needed, for the financial institution’s opt-out information.
(6) “Questions” box, for customer service contact information.
(7) Mail-in opt-out form, as needed.
(b) Page Two. The second page consists of the following components:
(1) Heading (Page 2).
(2) Frequently Asked Questions (“Who we are” and “What we do”).
(3) Definitions.
(4) “Other important information” box, as needed.

3. The Format of the Model Privacy Form
The format of the model form may be modified only as described below.
(a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. While a number of factors together produce easily readable type font, institutions are required to use a minimum of 10-point font (unless otherwise expressly permitted in these Instructions) and sufficient spacing between the lines of type.
(b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page.
(c) Page size and orientation. Each page of the model form must be printed on paper in portrait orientation, the size of which must be sufficient to meet the layout and minimum font size requirements, with sufficient white space on the top, bottom, and sides of the content.
(d) Color. The model form must be printed on white or light color paper (such as cream) with black or other contrasting ink color. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract from the readability of the model form. Logos may also be printed in color.
(e) Languages. The model form may be translated into languages other than English.

C. Information Required in the Model Privacy Form
The information in the model form may be modified only as described below:

1. Name of the Institution or Group of Affiliated Institutions Providing the Notice
Insert the name of the financial institution providing the notice or a common identity of affiliated institutions jointly providing the notice on the form wherever [name of financial institution] appears.

2. Page One
(a) Last revised date. The financial institution must insert in the upper right-hand corner the date on which the notice was last revised. The information shall appear in minimum 8-point font as “rev. [month/year]” using either the name or number of the month, such as “rev. July 2009” or “rev. 7/09”.
(b) General instructions for the “What?” box. (1) The bulleted list identifies the types of personal information that the institution collects and shares. All institutions must use the term “Social Security number” in the first bullet. (2) Institutions must use five (5) of the following terms to complete the bulleted list: income; account balances; payment history; transaction history; transaction or loss history; credit history; credit scores; assets; investment experience; credit-based insurance scores; insurance claim history; medical information; overdraft history; purchase history; account transactions; risk tolerance; medical-related debts; credit card or other debt; mortgage rates and payments; retirement assets; checking account information; employment information; wire transfer instructions.
(c) General instructions for the disclosure table. The left column lists reasons for sharing or using personal information. Each reason correlates to a specific legal provision described in paragraph C.2(d) of this Instruction. In the middle column, each institution must provide a “Yes” or “No” response that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. In the right column, each institution must provide in each box one of the following three (3) responses, as applicable, that reflects whether a consumer can limit such sharing: “Yes” if it is required to or voluntarily provides an opt-out; “No” if it does not provide an opt-out; or “We don’t share” if it answers “No” in the middle column.

[Graphic ER01DE09.006 not reproduced in text.]
Only the sixth row (“For our affiliates to market to you”) may be omitted at the option of the institution. See paragraph C.2(d)(6) of this Instruction.
(d) Specific disclosures and corresponding legal provisions.
(1) For our everyday business purposes. This reason incorporates sharing information under §§ 40.14 and 40.15 and with service providers pursuant to § 40.13 of this part other than the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these Instructions.
(2) For our marketing purposes. This reason incorporates sharing information with service providers by an institution for its own marketing pursuant to § 40.13 of this part. An institution that shares for this reason may choose to provide an opt-out.
(3) For joint marketing with other financial companies. This reason incorporates sharing information under joint marketing agreements between two or more financial institutions and with any service provider used in connection with such agreements pursuant to § 40.13 of this part. An institution that shares for this reason may choose to provide an opt-out.
(4) For our affiliates’ everyday business purposes—information about transactions and experiences. This reason incorporates sharing information specified in sections 603(d)(2)(A)(i) and (ii) of the FCRA. An institution that shares for this reason may choose to provide an opt-out.
(5) For our affiliates’ everyday business purposes—information about creditworthiness. This reason incorporates sharing information pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution that shares for this reason must provide an opt-out.
(6) For our affiliates to market to you. This reason incorporates sharing information specified in section 624 of the FCRA. This reason may be omitted from the disclosure table when: the institution does not have affiliates (or does not disclose personal information to its affiliates); the institution’s affiliates do not use personal information in a manner that requires an opt-out; or the institution provides the affiliate marketing notice separately. Institutions that include this reason must provide an opt-out of indefinite duration. An institution that is required to provide an affiliate marketing opt-out, but does not include that opt-out in the model form under this part, must comply with section 624 of the FCRA and 12 CFR part 41, subpart C, with respect to the initial notice and opt-out and any subsequent renewal notice and opt-out. An institution not required to provide an opt-out under this subparagraph may elect to include this reason in the model form.
(7) For nonaffiliates to market to you. This reason incorporates sharing described in §§ 40.7 and 40.10(a) of this part. An institution that shares personal information for this reason must provide an opt-out.
(e) To limit our sharing: A financial institution must include this section of the model form only if it provides an opt-out. The word “choice” may be written in either the singular or plural, as appropriate. Institutions must select one or more of the applicable opt-out methods described: telephone, such as by a toll-free number; a Web site; or use of a mail-in opt-out form. Institutions may include the words “toll-free” before telephone, as appropriate. An institution that allows consumers to opt out online must provide either a specific Web address that takes consumers directly to the opt-out page or a general Web address that provides a clear and conspicuous direct link to the opt-out page.
The opt-out choices made available to the consumer who contacts the institution through these methods must correspond accurately to the “Yes” responses in the third column of the disclosure table. In the part titled “Please note” institutions may insert a number that is 30 or greater in the space marked “[30].” Instructions on voluntary or state privacy law opt-out information are in paragraph C.2(g)(5) of these Instructions.
(f) Questions box. Customer service contact information must be inserted as appropriate, where [phone number] or [Web site] appear. Institutions may elect to provide either a phone number, such as a toll-free number, or a Web address, or both. Institutions may include the words “toll-free” before the telephone number, as appropriate.
(g) Mail-in opt-out form. Financial institutions must include this mail-in form only if they state in the “To limit our sharing” box that consumers can opt out by mail. The mail-in form must provide opt-out options that correspond accurately to the “Yes” responses in the third column in the disclosure table. Institutions that require customers to provide only name and address may omit the section identified as “[account #].” Institutions that require additional or different information, such as a random opt-out number or a truncated account number, to implement an opt-out election should modify the “[account #]” reference accordingly. This includes institutions that require customers with multiple accounts to identify each account to which the opt-out should apply. An institution must enter its opt-out mailing address: In the far right of this form (see version 3); or below the form (see version 4). The reverse side of the mail-in opt-out form must not include any content of the model form.
(1) Joint accountholder. Only institutions that provide their joint accountholders the choice to opt out for only one accountholder, in accordance with paragraph C.3(a)(5) of these Instructions, must include in the far left column of the mail-in form the following statement: “If you have a joint account, your choice(s) will apply to everyone on your account unless you mark below. ☐ Apply my choice(s) only to me.” The word “choice” may be written in either the singular or plural, as appropriate. Financial institutions that provide insurance products or services, provide this option, and elect to use the model form may substitute the word “policy” for “account” in this statement. Institutions that do not provide this option may eliminate this left column from the mail-in form.
(2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution shares personal information pursuant to section 603(d)(2)(A)(iii) of the FCRA, it must include in the mail-in opt-out form the following statement: “☐ Do not share information about my creditworthiness with your affiliates for their everyday business purposes.”
(3) FCRA Section 624 opt-out. If the institution incorporates section 624 of the FCRA in accord with paragraph C.2(d)(6) of these Instructions, it must include in the mail-in opt-out form the following statement: “☐ Do not allow your affiliates to use my personal information to market to me.”
(4) Nonaffiliate opt-out. If the financial institution shares personal information pursuant to § 40.10(a) of this part, it must include in the mail-in opt-out form the following statement: “☐ Do not share my personal information with nonaffiliates to market their products and services to me.”
(5) Additional opt-outs. Financial institutions that use the disclosure table to provide opt-out options beyond those required by Federal law must provide those opt-outs in this section of the model form.
A financial institution that chooses to offer an opt-out for its own marketing in the mail-in opt-out form must include one of the two following statements: ‘‘b Do not share my personal information to market to me.’’ or ‘‘b Do not use my personal information to market to me.’’ A financial institution that chooses to offer an opt-out for joint marketing must include the following statement: ‘‘b Do not share my personal information with other financial institutions to jointly market to me.’’ (h) Barcodes. A financial institution may elect to include a barcode and/or ‘‘tagline’’ (an internal identifier) in 6-point font at the bottom of page one, as needed for information internal to the institution, so long as these do not interfere with the clarity or text of the form. 3. Page Two (a) General Instructions for the Questions. Certain of the Questions may be customized as follows: (1) ‘‘Who is providing this notice?’’ This question may be omitted where only one financial institution provides the model form and that institution is clearly identified in the title on page one. Two or more financial institutions that jointly provide the model form must use this question to identify themselves as required by § 40.9(f) of this part. Where the list of institutions exceeds four (4) lines, the institution must describe in the response to this question the general types of institutions jointly providing the notice and must separately identify those institutions, in minimum 8-point font, directly following the ‘‘Other important E:\FR\FM\01DER2.SGM 01DER2 mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations information’’ box, or, if that box is not included in the institution’s form, directly following the ‘‘Definitions.’’ The list may appear in a multi-column format. 
(2) “How does [name of financial institution] protect my personal information?” The financial institution may only provide additional information pertaining to its safeguards practices following the designated response to this question. Such information may include information about the institution’s use of cookies or other measures it uses to safeguard personal information. Institutions are limited to a maximum of 30 additional words.

(3) “How does [name of financial institution] collect my personal information?” Institutions must use five (5) of the following terms to complete the bulleted list for this question: Open an account; deposit money; pay your bills; apply for a loan; use your credit or debit card; seek financial or tax advice; apply for insurance; pay insurance premiums; file an insurance claim; seek advice about your investments; buy securities from us; sell securities to us; direct us to buy securities; direct us to sell your securities; make deposits or withdrawals from your account; enter into an investment advisory contract; give us your income information; provide employment information; give us your employment history; tell us about your investment or retirement portfolio; tell us about your investment or retirement earnings; apply for financing; apply for a lease; provide account information; give us your contact information; pay us by check; give us your wage statements; provide your mortgage information; make a wire transfer; tell us who receives the money; tell us where to send the money; show your government-issued ID; show your driver’s license; order a commodity futures or option trade.

Institutions that collect personal information from their affiliates and/or credit bureaus must include after the bulleted list the following statement: “We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.” Institutions that do not collect personal information from their affiliates or credit bureaus but do collect information from other companies must include the following statement instead: “We also collect your personal information from other companies.” Only institutions that do not collect any personal information from affiliates, credit bureaus, or other companies can omit both statements.

(4) “Why can’t I limit all sharing?” Institutions that describe state privacy law provisions in the “Other important information” box must use the bracketed sentence: “See below for more on your rights under state law.” Other institutions must omit this sentence.

(5) “What happens when I limit sharing for an account I hold jointly with someone else?” Only financial institutions that provide opt-out options must use this question. Other institutions must omit this question. Institutions must choose one of the following two statements to respond to this question: “Your choices will apply to everyone on your account.” or “Your choices will apply to everyone on your account—unless you tell us otherwise.” Financial institutions that provide insurance products or services and elect to use the model form may substitute the word “policy” for “account” in these statements.

(b) General Instructions for the Definitions. The financial institution must customize the space below the responses to the three definitions in this section. This specific information must be in italicized lettering to set off the information from the standardized definitions.

(1) Affiliates. As required by § 40.6(a)(3) of this part, where [affiliate information] appears, the financial institution must:

(i) If it has no affiliates, state: “[name of financial institution] has no affiliates”;

(ii) If it has affiliates but does not share personal information, state: “[name of financial institution] does not share with our affiliates”; or

(iii) If it shares with its affiliates, state, as applicable: “Our affiliates include companies with a [common corporate identity of financial institution] name; financial companies such as [insert illustrative list of companies]; nonfinancial companies, such as [insert illustrative list of companies]; and others, such as [insert illustrative list].”

(2) Nonaffiliates. As required by § 40.6(c)(3) of this part, where [nonaffiliate information] appears, the financial institution must:

(i) If it does not share with nonaffiliated third parties, state: “[name of financial institution] does not share with nonaffiliates so they can market to you”; or

(ii) If it shares with nonaffiliated third parties, state, as applicable: “Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].”

(3) Joint Marketing. As required by § 40.13 of this part, where [joint marketing] appears, the financial institution must:

(i) If it does not engage in joint marketing, state: “[name of financial institution] doesn’t jointly market”; or

(ii) If it shares personal information for joint marketing, state, as applicable: “Our joint marketing partners include [list categories of companies such as credit card companies].”

(c) General instructions for the “Other important information” box. This box is optional. The space provided for information in this box is not limited. Only the following types of information can appear in this box.
(1) State and/or international privacy law information; and/or

(2) Acknowledgment of receipt form.

■ 7. Amend newly redesignated Appendix B to part 40 as follows:

■ A. Add a new sentence to the beginning of the introductory text as set forth below.

■ B. Effective January 1, 2012, remove Appendix B to part 40.

Appendix B to Part 40—Sample Clauses

This Appendix only applies to privacy notices provided before January 1, 2011.

* * * * *

Federal Reserve System

12 CFR Chapter II

Authority and Issuance

For the reasons set forth in the joint preamble, the Board amends part 216 of chapter II of title 12 of the Code of Federal Regulations as follows:

PART 216—PRIVACY OF CONSUMER FINANCIAL INFORMATION

■ 8. The authority citation for part 216 continues to read as follows:

Authority: 15 U.S.C. 6801 et seq.

■ 9. Revise § 216.2 to read as follows:

§ 216.2 Model privacy form and examples.

(a) Model privacy form. Use of the model privacy form in Appendix A of this part, consistent with the instructions in Appendix A, constitutes compliance with the notice content requirements of §§ 216.6 and 216.7 of this part, although use of the model privacy form is not required.

(b) Examples. The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part.

■ 10. In § 216.6:

■ A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set forth below.

■ B. Effective January 1, 2012, remove paragraph (g).

§ 216.6 Information to be included in privacy notices.

* * * * *

(b) Description of nonaffiliated third parties subject to exceptions. If you disclose nonpublic personal information to third parties as authorized under §§ 216.14 and 216.15, you are not required to list those exceptions in the initial or annual privacy notices required by §§ 216.4 and 216.5. When describing the categories with respect to those parties, it is sufficient to state that you make disclosures to other nonaffiliated companies:

(1) For your everyday business purposes, such as [include all that apply] to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus; or

(2) As permitted by law.

* * * * *

(f) Model privacy form. Pursuant to § 216.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part.

(g) Sample clauses. Sample clauses illustrating some of the notice content required by this section are included in Appendix B of this part. Use of a sample clause in a privacy notice provided on or before December 31, 2010, to the extent applicable, constitutes compliance with this part.

■ 11. In § 216.7, add paragraph (i) to read as follows:

§ 216.7 Form of opt-out notice to consumers; opt-out methods.

* * * * *

(i) Model privacy form. Pursuant to § 216.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part.

■ 12. Redesignate Appendix A to part 216 as Appendix B to part 216.

Appendix A [Redesignated as Appendix B]

■ 13. Add new Appendix A to part 216 to read as follows:

Appendix A to Part 216—Model Privacy Form

A. The Model Privacy Form
[Graphics of the model privacy form are not reproduced in this text.]

B. General Instructions

1. How the Model Privacy Form Is Used

(a) The model form may be used, at the option of a financial institution, including a group of financial institutions that use a common privacy notice, to meet the content requirements of the privacy notice and opt-out notice set forth in §§ 216.6 and 216.7 of this part.

(b) The model form is a standardized form, including page layout, content, format, style, pagination, and shading. Institutions seeking to obtain the safe harbor through use of the model form may modify it only as described in these Instructions.

(c) Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681–1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.

(d) The word “customer” may be replaced by the word “member” whenever it appears in the model form, as appropriate.

2. The Contents of the Model Privacy Form

The model form consists of two pages, which may be printed on both sides of a single sheet of paper, or may appear on two separate pages. Where an institution provides a long list of institutions at the end of the model form in accordance with Instruction C.3(a)(1), or provides additional information in accordance with Instruction C.3(c), and such list or additional information exceeds the space available on page two of the model form, such list or additional information may extend to a third page.

(a) Page One. The first page consists of the following components:

(1) Date last revised (upper right-hand corner).

(2) Title.

(3) Key frame (Why?, What?, How?).

(4) Disclosure table (“Reasons we can share your personal information”).
(5) “To limit our sharing” box, as needed, for the financial institution’s opt-out information.

(6) “Questions” box, for customer service contact information.

(7) Mail-in opt-out form, as needed.

(b) Page Two. The second page consists of the following components:

(1) Heading (Page 2).

(2) Frequently Asked Questions (“Who we are” and “What we do”).

(3) Definitions.

(4) “Other important information” box, as needed.

3. The Format of the Model Privacy Form

The format of the model form may be modified only as described below.

(a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. While a number of factors together produce easily readable type font, institutions are required to use a minimum of 10-point font (unless otherwise expressly permitted in these Instructions) and sufficient spacing between the lines of type.

(b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page.

(c) Page size and orientation. Each page of the model form must be printed on paper in portrait orientation, the size of which must be sufficient to meet the layout and minimum font size requirements, with sufficient white space on the top, bottom, and sides of the content.

(d) Color. The model form must be printed on white or light color paper (such as cream) with black or other contrasting ink color. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract from the readability of the model form. Logos may also be printed in color.

(e) Languages. The model form may be translated into languages other than English.

C. Information Required in the Model Privacy Form

The information in the model form may be modified only as described below:

1. Name of the Institution or Group of Affiliated Institutions Providing the Notice

Insert the name of the financial institution providing the notice or a common identity of affiliated institutions jointly providing the notice on the form wherever [name of financial institution] appears.

2. Page One

(a) Last revised date. The financial institution must insert in the upper right-hand corner the date on which the notice was last revised. The information shall appear in minimum 8-point font as “rev. [month/year]” using either the name or number of the month, such as “rev. July 2009” or “rev. 7/09”.

(b) General instructions for the “What?” box.

(1) The bulleted list identifies the types of personal information that the institution collects and shares. All institutions must use the term “Social Security number” in the first bullet.

(2) Institutions must use five (5) of the following terms to complete the bulleted list: income; account balances; payment history; transaction history; transaction or loss history; credit history; credit scores; assets; investment experience; credit-based insurance scores; insurance claim history; medical information; overdraft history; purchase history; account transactions; risk tolerance; medical-related debts; credit card or other debt; mortgage rates and payments; retirement assets; checking account information; employment information; wire transfer instructions.

(c) General instructions for the disclosure table. The left column lists reasons for sharing or using personal information.
Each reason correlates to a specific legal provision described in paragraph C.2(d) of this Instruction. In the middle column, each institution must provide a “Yes” or “No” response that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. In the right column, each institution must provide in each box one of the following three (3) responses, as applicable, that reflects whether a consumer can limit such sharing: “Yes” if it is required to or voluntarily provides an opt-out; “No” if it does not provide an opt-out; or “We don’t share” if it answers “No” in the middle column. Only the sixth row (“For our affiliates to market to you”) may be omitted at the option of the institution. See paragraph C.2(d)(6) of this Instruction.

(d) Specific disclosures and corresponding legal provisions.

(1) For our everyday business purposes. This reason incorporates sharing information under §§ 216.14 and 216.15 and with service providers pursuant to § 216.13 of this part other than the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these Instructions.

(2) For our marketing purposes. This reason incorporates sharing information with service providers by an institution for its own marketing pursuant to § 216.13 of this part. An institution that shares for this reason may choose to provide an opt-out.

(3) For joint marketing with other financial companies. This reason incorporates sharing information under joint marketing agreements between two or more financial institutions and with any service provider used in connection with such agreements pursuant to § 216.13 of this part. An institution that shares for this reason may choose to provide an opt-out.

(4) For our affiliates’ everyday business purposes—information about transactions and experiences. This reason incorporates sharing information specified in sections 603(d)(2)(A)(i) and (ii) of the FCRA. An institution that shares for this reason may choose to provide an opt-out.

(5) For our affiliates’ everyday business purposes—information about creditworthiness. This reason incorporates sharing information pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution that shares for this reason must provide an opt-out.

(6) For our affiliates to market to you. This reason incorporates sharing information specified in section 624 of the FCRA. This reason may be omitted from the disclosure table when: the institution does not have affiliates (or does not disclose personal information to its affiliates); the institution’s affiliates do not use personal information in a manner that requires an opt-out; or the institution provides the affiliate marketing notice separately. Institutions that include this reason must provide an opt-out of indefinite duration. An institution that is required to provide an affiliate marketing opt-out, but does not include that opt-out in the model form under this part, must comply with section 624 of the FCRA and 12 CFR part 222, subpart C, with respect to the initial notice and opt-out and any subsequent renewal notice and opt-out. An institution not required to provide an opt-out under this subparagraph may elect to include this reason in the model form.

(7) For nonaffiliates to market to you. This reason incorporates sharing described in §§ 216.7 and 216.10(a) of this part. An institution that shares personal information for this reason must provide an opt-out.

(e) To limit our sharing: A financial institution must include this section of the model form only if it provides an opt-out. The word “choice” may be written in either the singular or plural, as appropriate. Institutions must select one or more of the applicable opt-out methods described: telephone, such as by a toll-free number; a Web site; or use of a mail-in opt-out form. Institutions may include the words “toll-free” before telephone, as appropriate. An institution that allows consumers to opt out online must provide either a specific Web address that takes consumers directly to the opt-out page or a general Web address that provides a clear and conspicuous direct link to the opt-out page. The opt-out choices made available to the consumer who contacts the institution through these methods must correspond accurately to the “Yes” responses in the third column of the disclosure table. In the part titled “Please note” institutions may insert a number that is 30 or greater in the space marked “[30].” Instructions on voluntary or state privacy law opt-out information are in paragraph C.2(g)(5) of these Instructions.

(f) Questions box. Customer service contact information must be inserted as appropriate, where [phone number] or [Web site] appear. Institutions may elect to provide either a phone number, such as a toll-free number, or a Web address, or both. Institutions may include the words “toll-free” before the telephone number, as appropriate.

(g) Mail-in opt-out form. Financial institutions must include this mail-in form only if they state in the “To limit our sharing” box that consumers can opt out by mail. The mail-in form must provide opt-out options that correspond accurately to the “Yes” responses in the third column in the disclosure table. Institutions that require customers to provide only name and address may omit the section identified as “[account #].” Institutions that require additional or different information, such as a random opt-out number or a truncated account number, to implement an opt-out election should modify the “[account #]” reference accordingly. This includes institutions that require customers with multiple accounts to identify each account to which the opt-out should apply.
An institution must enter its opt-out mailing address: In the far right of this form (see version 3); or below the form (see version 4). The reverse side of the mail-in opt-out form must not include any content of the model form.

(1) Joint accountholder. Only institutions that provide their joint accountholders the choice to opt out for only one accountholder, in accordance with paragraph C.3(a)(5) of these Instructions, must include in the far left column of the mail-in form the following statement: “If you have a joint account, your choice(s) will apply to everyone on your account unless you mark below. □ Apply my choice(s) only to me.” The word “choice” may be written in either the singular or plural, as appropriate. Financial institutions that provide insurance products or services, provide this option, and elect to use the model form may substitute the word “policy” for “account” in this statement. Institutions that do not provide this option may eliminate this left column from the mail-in form.

(2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution shares personal information pursuant to section 603(d)(2)(A)(iii) of the FCRA, it must include in the mail-in opt-out form the following statement: “□ Do not share information about my creditworthiness with your affiliates for their everyday business purposes.”

(3) FCRA Section 624 opt-out. If the institution incorporates section 624 of the FCRA in accord with paragraph C.2(d)(6) of these Instructions, it must include in the mail-in opt-out form the following statement: “□ Do not allow your affiliates to use my personal information to market to me.”

(4) Nonaffiliate opt-out. If the financial institution shares personal information pursuant to § 216.10(a) of this part, it must include in the mail-in opt-out form the following statement: “□ Do not share my personal information with nonaffiliates to market their products and services to me.”

(5) Additional opt-outs. Financial institutions that use the disclosure table to provide opt-out options beyond those required by Federal law must provide those opt-outs in this section of the model form. A financial institution that chooses to offer an opt-out for its own marketing in the mail-in opt-out form must include one of the two following statements: “□ Do not share my personal information to market to me.” or “□ Do not use my personal information to market to me.” A financial institution that chooses to offer an opt-out for joint marketing must include the following statement: “□ Do not share my personal information with other financial institutions to jointly market to me.”

(h) Barcodes. A financial institution may elect to include a barcode and/or “tagline” (an internal identifier) in 6-point font at the bottom of page one, as needed for information internal to the institution, so long as these do not interfere with the clarity or text of the form.

3. Page Two

(a) General Instructions for the Questions. Certain of the Questions may be customized as follows:

(1) “Who is providing this notice?” This question may be omitted where only one financial institution provides the model form and that institution is clearly identified in the title on page one. Two or more financial institutions that jointly provide the model form must use this question to identify themselves as required by § 216.9(f) of this part. Where the list of institutions exceeds four (4) lines, the institution must describe in the response to this question the general types of institutions jointly providing the notice and must separately identify those institutions, in minimum 8-point font, directly following the “Other important information” box, or, if that box is not included in the institution’s form, directly following the “Definitions.” The list may appear in a multi-column format.

(2) “How does [name of financial institution] protect my personal information?” The financial institution may only provide additional information pertaining to its safeguards practices following the designated response to this question. Such information may include information about the institution’s use of cookies or other measures it uses to safeguard personal information. Institutions are limited to a maximum of 30 additional words.
(3) “How does [name of financial institution] collect my personal information?” Institutions must use five (5) of the following terms to complete the bulleted list for this question: Open an account; deposit money; pay your bills; apply for a loan; use your credit or debit card; seek financial or tax advice; apply for insurance; pay insurance premiums; file an insurance claim; seek advice about your investments; buy securities from us; sell securities to us; direct us to buy securities; direct us to sell your securities; make deposits or withdrawals from your account; enter into an investment advisory contract; give us your income information; provide employment information; give us your employment history; tell us about your investment or retirement portfolio; tell us about your investment or retirement earnings; apply for financing; apply for a lease; provide account information; give us your contact information; pay us by check; give us your wage statements; provide your mortgage information; make a wire transfer; tell us who receives the money; tell us where to send the money; show your government-issued ID; show your driver’s license; order a commodity futures or option trade.

Institutions that collect personal information from their affiliates and/or credit bureaus must include after the bulleted list the following statement: “We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.” Institutions that do not collect personal information from their affiliates or credit bureaus but do collect information from other companies must include the following statement instead: “We also collect your personal information from other companies.” Only institutions that do not collect any personal information from affiliates, credit bureaus, or other companies can omit both statements.

(4) “Why can’t I limit all sharing?” Institutions that describe state privacy law provisions in the “Other important information” box must use the bracketed sentence: “See below for more on your rights under state law.” Other institutions must omit this sentence.

(5) “What happens when I limit sharing for an account I hold jointly with someone else?” Only financial institutions that provide opt-out options must use this question. Other institutions must omit this question. Institutions must choose one of the following two statements to respond to this question: “Your choices will apply to everyone on your account.” or “Your choices will apply to everyone on your account—unless you tell us otherwise.” Financial institutions that provide insurance products or services and elect to use the model form may substitute the word “policy” for “account” in these statements.

(b) General Instructions for the Definitions. The financial institution must customize the space below the responses to the three definitions in this section. This specific information must be in italicized lettering to set off the information from the standardized definitions.

(1) Affiliates. As required by § 216.6(a)(3) of this part, where [affiliate information] appears, the financial institution must:

(i) If it has no affiliates, state: “[name of financial institution] has no affiliates”;

(ii) If it has affiliates but does not share personal information, state: “[name of financial institution] does not share with our affiliates”; or

(iii) If it shares with its affiliates, state, as applicable: “Our affiliates include companies with a [common corporate identity of financial institution] name; financial companies such as [insert illustrative list of companies]; nonfinancial companies, such as [insert illustrative list of companies]; and others, such as [insert illustrative list].”

(2) Nonaffiliates.
As required by § 216.6(c)(3) of this part, where [nonaffiliate information] appears, the financial institution must:
(i) If it does not share with nonaffiliated third parties, state: ‘‘[name of financial institution] does not share with nonaffiliates so they can market to you’’; or
(ii) If it shares with nonaffiliated third parties, state, as applicable: ‘‘Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].’’
(3) Joint Marketing. As required by § 216.13 of this part, where [joint marketing] appears, the financial institution must:
(i) If it does not engage in joint marketing, state: ‘‘[name of financial institution] doesn’t jointly market’’; or
(ii) If it shares personal information for joint marketing, state, as applicable: ‘‘Our joint marketing partners include [list categories of companies such as credit card companies].’’
(c) General instructions for the ‘‘Other important information’’ box. This box is optional. The space provided for information in this box is not limited. Only the following types of information can appear in this box.
(1) State and/or international privacy law information; and/or
(2) Acknowledgment of receipt form.
■ 14. Amend newly redesignated Appendix B to part 216 as follows:
■ A. Add a new sentence to the beginning of the introductory text as set forth below.
■ B. Effective January 1, 2012, remove Appendix B to part 216.
Appendix B to Part 216—Sample Clauses
This Appendix only applies to privacy notices provided before January 1, 2011.
* * * * *
Federal Deposit Insurance Corporation
12 CFR Chapter III
Authority and Issuance
For the reasons set forth in the joint preamble, part 332 of chapter III of title 12 of the Code of Federal Regulations is amended as follows:
PART 332—PRIVACY OF CONSUMER FINANCIAL INFORMATION
■ 15.
The authority citation for part 332 continues to read as follows:
Authority: 12 U.S.C. 1819 (Seventh and Tenth); 15 U.S.C. 6801 et seq.
■ 16. Revise § 332.2 to read as follows:
§ 332.2 Model privacy form and examples.
(a) Model privacy form. Use of the model privacy form in Appendix A of this part, consistent with the instructions in Appendix A, constitutes compliance with the notice content requirements of §§ 332.6 and 332.7 of this part, although use of the model privacy form is not required.
(b) Examples. The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part.
■ 17. In § 332.6:
■ A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set forth below.
■ B. Effective January 1, 2012, remove paragraph (g).
§ 332.6 Information to be included in privacy notices.
* * * * *
(b) Description of nonaffiliated third parties subject to exceptions. If you disclose nonpublic personal information to third parties as authorized under §§ 332.14 and 332.15, you are not required to list those exceptions in the initial or annual privacy notices required by §§ 332.4 and 332.5. When describing the categories with respect to those parties, it is sufficient to state that you make disclosures to other nonaffiliated companies:
(1) For your everyday business purposes, such as [include all that apply] to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus; or
(2) As permitted by law.
* * * * *
(f) Model privacy form. Pursuant to § 332.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part.
(g) Sample clauses.
Sample clauses illustrating some of the notice content required by this section are included in Appendix B of this part. Use of a sample clause in a privacy notice provided on or before December 31, 2010, to the extent applicable, constitutes compliance with this part.
■ 18. In § 332.7, add paragraph (i) to read as follows:
§ 332.7 Form of opt-out notice to consumers; opt-out methods.
* * * * *
(i) Model privacy form. Pursuant to § 332.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part.
Appendix A [Redesignated as Appendix B]
■ 19. Redesignate Appendix A to part 332 as Appendix B to part 332.
■ 20. Add new Appendix A to part 332 to read as follows:
Appendix A to Part 332—Model Privacy Form
A. The Model Privacy Form
[The model privacy form is reproduced as graphics ER01DE09.014 through ER01DE09.020, which are not included in this text.]
B. General Instructions
1. How the Model Privacy Form Is Used
(a) The model form may be used, at the option of a financial institution, including a group of financial institutions that use a common privacy notice, to meet the content requirements of the privacy notice and opt-out notice set forth in §§ 332.6 and 332.7 of this part.
(b) The model form is a standardized form, including page layout, content, format, style, pagination, and shading. Institutions seeking to obtain the safe harbor through use of the model form may modify it only as described in these Instructions.
(c) Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681–1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.
(d) The word ‘‘customer’’ may be replaced by the word ‘‘member’’ whenever it appears in the model form, as appropriate.
2.
The Contents of the Model Privacy Form
The model form consists of two pages, which may be printed on both sides of a single sheet of paper, or may appear on two separate pages. Where an institution provides a long list of institutions at the end of the model form in accordance with Instruction C.3(a)(1), or provides additional information in accordance with Instruction C.3(c), and such list or additional information exceeds the space available on page two of the model form, such list or additional information may extend to a third page.
(a) Page One. The first page consists of the following components:
(1) Date last revised (upper right-hand corner).
(2) Title.
(3) Key frame (Why?, What?, How?).
(4) Disclosure table (‘‘Reasons we can share your personal information’’).
(5) ‘‘To limit our sharing’’ box, as needed, for the financial institution’s opt-out information.
(6) ‘‘Questions’’ box, for customer service contact information.
(7) Mail-in opt-out form, as needed.
(b) Page Two. The second page consists of the following components:
(1) Heading (Page 2).
(2) Frequently Asked Questions (‘‘Who we are’’ and ‘‘What we do’’).
(3) Definitions.
(4) ‘‘Other important information’’ box, as needed.
3. The Format of the Model Privacy Form
The format of the model form may be modified only as described below.
(a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. While a number of factors together produce easily readable type font, institutions are required to use a minimum of 10-point font (unless otherwise expressly permitted in these Instructions) and sufficient spacing between the lines of type.
(b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page.
(c) Page size and orientation.
Each page of the model form must be printed on paper in portrait orientation, the size of which must be sufficient to meet the layout and minimum font size requirements, with sufficient white space on the top, bottom, and sides of the content.
(d) Color. The model form must be printed on white or light color paper (such as cream) with black or other contrasting ink color. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract from the readability of the model form. Logos may also be printed in color.
(e) Languages. The model form may be translated into languages other than English.
C. Information Required in the Model Privacy Form
The information in the model form may be modified only as described below:
1. Name of the Institution or Group of Affiliated Institutions Providing the Notice
Insert the name of the financial institution providing the notice or a common identity of affiliated institutions jointly providing the notice on the form wherever [name of financial institution] appears.
2. Page One
(a) Last revised date. The financial institution must insert in the upper right-hand corner the date on which the notice was last revised. The information shall appear in minimum 8-point font as ‘‘rev. [month/year]’’ using either the name or number of the month, such as ‘‘rev. July 2009’’ or ‘‘rev. 7/09’’.
(b) General instructions for the ‘‘What?’’ box.
(1) The bulleted list identifies the types of personal information that the institution collects and shares. All institutions must use the term ‘‘Social Security number’’ in the first bullet.
(2) Institutions must use five (5) of the following terms to complete the bulleted list: income; account balances; payment history; transaction history; transaction or loss history; credit history; credit scores; assets; investment experience; credit-based insurance scores; insurance claim history; medical information; overdraft history; purchase history; account transactions; risk tolerance; medical-related debts; credit card or other debt; mortgage rates and payments; retirement assets; checking account information; employment information; wire transfer instructions.
(c) General instructions for the disclosure table. The left column lists reasons for sharing or using personal information. Each reason correlates to a specific legal provision described in paragraph C.2(d) of this Instruction. In the middle column, each institution must provide a ‘‘Yes’’ or ‘‘No’’ response that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. In the right column, each institution must provide in each box one of the following three (3) responses, as applicable, that reflects whether a consumer can limit such sharing: ‘‘Yes’’ if it is required to or voluntarily provides an opt-out; ‘‘No’’ if it does not provide an opt-out; or ‘‘We don’t share’’ if it answers ‘‘No’’ in the middle column. Only the sixth row (‘‘For our affiliates to market to you’’) may be omitted at the option of the institution. See paragraph C.2(d)(6) of this Instruction.
(d) Specific disclosures and corresponding legal provisions.
(1) For our everyday business purposes.
This reason incorporates sharing information under §§ 332.14 and 332.15 and with service providers pursuant to § 332.13 of this part other than the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these Instructions.
(2) For our marketing purposes. This reason incorporates sharing information with service providers by an institution for its own marketing pursuant to § 332.13 of this part. An institution that shares for this reason may choose to provide an opt-out.
(3) For joint marketing with other financial companies. This reason incorporates sharing information under joint marketing agreements between two or more financial institutions and with any service provider used in connection with such agreements pursuant to § 332.13 of this part. An institution that shares for this reason may choose to provide an opt-out.
(4) For our affiliates’ everyday business purposes—information about transactions and experiences. This reason incorporates sharing information specified in sections 603(d)(2)(A)(i) and (ii) of the FCRA. An institution that shares for this reason may choose to provide an opt-out.
(5) For our affiliates’ everyday business purposes—information about creditworthiness. This reason incorporates sharing information pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution that shares for this reason must provide an opt-out.
(6) For our affiliates to market to you. This reason incorporates sharing information specified in section 624 of the FCRA. This reason may be omitted from the disclosure table when: The institution does not have affiliates (or does not disclose personal information to its affiliates); the institution’s affiliates do not use personal information in a manner that requires an opt-out; or the institution provides the affiliate marketing notice separately. Institutions that include this reason must provide an opt-out of indefinite duration.
An institution that is required to provide an affiliate marketing opt-out, but does not include that opt-out in the model form under this part, must comply with section 624 of the FCRA and 12 CFR part 334, subpart C, with respect to the initial notice and opt-out and any subsequent renewal notice and opt-out. An institution not required to provide an opt-out under this subparagraph may elect to include this reason in the model form.
(7) For nonaffiliates to market to you. This reason incorporates sharing described in §§ 332.7 and 332.10(a) of this part. An institution that shares personal information for this reason must provide an opt-out.
(e) To limit our sharing: A financial institution must include this section of the model form only if it provides an opt-out. The word ‘‘choice’’ may be written in either the singular or plural, as appropriate. Institutions must select one or more of the applicable opt-out methods described: Telephone, such as by a toll-free number; a Web site; or use of a mail-in opt-out form. Institutions may include the words ‘‘toll-free’’ before telephone, as appropriate. An institution that allows consumers to opt out online must provide either a specific Web address that takes consumers directly to the opt-out page or a general Web address that provides a clear and conspicuous direct link to the opt-out page. The opt-out choices made available to the consumer who contacts the institution through these methods must correspond accurately to the ‘‘Yes’’ responses in the third column of the disclosure table. In the part titled ‘‘Please note’’ institutions may insert a number that is 30 or greater in the space marked ‘‘[30].’’ Instructions on voluntary or state privacy law opt-out information are in paragraph C.2(g)(5) of these Instructions.
(f) Questions box. Customer service contact information must be inserted as appropriate, where [phone number] or [Web site] appear.
Institutions may elect to provide either a phone number, such as a toll-free number, or a Web address, or both. Institutions may include the words ‘‘toll-free’’ before the telephone number, as appropriate.
(g) Mail-in opt-out form. Financial institutions must include this mail-in form only if they state in the ‘‘To limit our sharing’’ box that consumers can opt out by mail. The mail-in form must provide opt-out options that correspond accurately to the ‘‘Yes’’ responses in the third column in the disclosure table. Institutions that require customers to provide only name and address may omit the section identified as ‘‘[account #].’’ Institutions that require additional or different information, such as a random opt-out number or a truncated account number, to implement an opt-out election should modify the ‘‘[account #]’’ reference accordingly. This includes institutions that require customers with multiple accounts to identify each account to which the opt-out should apply. An institution must enter its opt-out mailing address: In the far right of this form (see version 3); or below the form (see version 4). The reverse side of the mail-in opt-out form must not include any content of the model form.
(1) Joint accountholder. Only institutions that provide their joint accountholders the choice to opt out for only one accountholder, in accordance with paragraph C.3(a)(5) of these Instructions, must include in the far left column of the mail-in form the following statement: ‘‘If you have a joint account, your choice(s) will apply to everyone on your account unless you mark below. □ Apply my choice(s) only to me.’’ The word ‘‘choice’’ may be written in either the singular or plural, as appropriate. Financial institutions that provide insurance products or services, provide this option, and elect to use the model form may substitute the word ‘‘policy’’ for ‘‘account’’ in this statement.
Institutions that do not provide this option may eliminate this left column from the mail-in form.
(2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution shares personal information pursuant to section 603(d)(2)(A)(iii) of the FCRA, it must include in the mail-in opt-out form the following statement: ‘‘□ Do not share information about my creditworthiness with your affiliates for their everyday business purposes.’’
(3) FCRA Section 624 opt-out. If the institution incorporates section 624 of the FCRA in accord with paragraph C.2(d)(6) of these Instructions, it must include in the mail-in opt-out form the following statement: ‘‘□ Do not allow your affiliates to use my personal information to market to me.’’
(4) Nonaffiliate opt-out. If the financial institution shares personal information pursuant to § 332.10(a) of this part, it must include in the mail-in opt-out form the following statement: ‘‘□ Do not share my personal information with nonaffiliates to market their products and services to me.’’
(5) Additional opt-outs. Financial institutions that use the disclosure table to provide opt-out options beyond those required by Federal law must provide those opt-outs in this section of the model form. A financial institution that chooses to offer an opt-out for its own marketing in the mail-in opt-out form must include one of the two following statements: ‘‘□ Do not share my personal information to market to me.’’ or ‘‘□ Do not use my personal information to market to me.’’ A financial institution that chooses to offer an opt-out for joint marketing must include the following statement: ‘‘□ Do not share my personal information with other financial institutions to jointly market to me.’’
(h) Barcodes.
A financial institution may elect to include a barcode and/or ‘‘tagline’’ (an internal identifier) in 6-point font at the bottom of page one, as needed for information internal to the institution, so long as these do not interfere with the clarity or text of the form.
3. Page Two
(a) General Instructions for the Questions. Certain of the Questions may be customized as follows:
(1) ‘‘Who is providing this notice?’’ This question may be omitted where only one financial institution provides the model form and that institution is clearly identified in the title on page one. Two or more financial institutions that jointly provide the model form must use this question to identify themselves as required by § 332.9(f) of this part. Where the list of institutions exceeds four (4) lines, the institution must describe in the response to this question the general types of institutions jointly providing the notice and must separately identify those institutions, in minimum 8-point font, directly following the ‘‘Other important information’’ box, or, if that box is not included in the institution’s form, directly following the ‘‘Definitions.’’ The list may appear in a multi-column format.
(2) ‘‘How does [name of financial institution] protect my personal information?’’ The financial institution may only provide additional information pertaining to its safeguards practices following the designated response to this question. Such information may include information about the institution’s use of cookies or other measures it uses to safeguard personal information. Institutions are limited to a maximum of 30 additional words.
(3) ‘‘How does [name of financial institution] collect my personal information?’’ Institutions must use five (5) of the following terms to complete the bulleted list for this question: Open an account; deposit money; pay your bills; apply for a loan; use your credit or debit card; seek financial or tax advice; apply for insurance; pay insurance premiums; file an insurance claim; seek advice about your investments; buy securities from us; sell securities to us; direct us to buy securities; direct us to sell your securities; make deposits or withdrawals from your account; enter into an investment advisory contract; give us your income information; provide employment information; give us your employment history; tell us about your investment or retirement portfolio; tell us about your investment or retirement earnings; apply for financing; apply for a lease; provide account information; give us your contact information; pay us by check; give us your wage statements; provide your mortgage information; make a wire transfer; tell us who receives the money; tell us where to send the money; show your government-issued ID; show your driver’s license; order a commodity futures or option trade. Institutions that collect personal information from their affiliates and/or credit bureaus must include after the bulleted list the following statement: ‘‘We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.’’ Institutions that do not collect personal information from their affiliates or credit bureaus but do collect information from other companies must include the following statement instead: ‘‘We also collect your personal information from other companies.’’ Only institutions that do not collect any personal information from affiliates, credit bureaus, or other companies can omit both statements. 
(4) ‘‘Why can’t I limit all sharing?’’ Institutions that describe state privacy law provisions in the ‘‘Other important information’’ box must use the bracketed sentence: ‘‘See below for more on your rights under state law.’’ Other institutions must omit this sentence.
(5) ‘‘What happens when I limit sharing for an account I hold jointly with someone else?’’ Only financial institutions that provide opt-out options must use this question. Other institutions must omit this question. Institutions must choose one of the following two statements to respond to this question: ‘‘Your choices will apply to everyone on your account.’’ or ‘‘Your choices will apply to everyone on your account—unless you tell us otherwise.’’ Financial institutions that provide insurance products or services and elect to use the model form may substitute the word ‘‘policy’’ for ‘‘account’’ in these statements.
(b) General Instructions for the Definitions. The financial institution must customize the space below the responses to the three definitions in this section. This specific information must be in italicized lettering to set off the information from the standardized definitions.
(1) Affiliates. As required by § 332.6(a)(3) of this part, where [affiliate information] appears, the financial institution must:
(i) If it has no affiliates, state: ‘‘[name of financial institution] has no affiliates’’;
(ii) If it has affiliates but does not share personal information, state: ‘‘[name of financial institution] does not share with our affiliates’’; or
(iii) If it shares with its affiliates, state, as applicable: ‘‘Our affiliates include companies with a [common corporate identity of financial institution] name; financial companies such as [insert illustrative list of companies]; nonfinancial companies, such as [insert illustrative list of companies]; and others, such as [insert illustrative list].’’
(2) Nonaffiliates.
As required by § 332.6(c)(3) of this part, where [nonaffiliate information] appears, the financial institution must:
(i) If it does not share with nonaffiliated third parties, state: ‘‘[name of financial institution] does not share with nonaffiliates so they can market to you’’; or
(ii) If it shares with nonaffiliated third parties, state, as applicable: ‘‘Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].’’
(3) Joint Marketing. As required by § 332.13 of this part, where [joint marketing] appears, the financial institution must:
(i) If it does not engage in joint marketing, state: ‘‘[name of financial institution] doesn’t jointly market’’; or
(ii) If it shares personal information for joint marketing, state, as applicable: ‘‘Our joint marketing partners include [list categories of companies such as credit card companies].’’
(c) General instructions for the ‘‘Other important information’’ box. This box is optional. The space provided for information in this box is not limited. Only the following types of information can appear in this box.
(1) State and/or international privacy law information; and/or
(2) Acknowledgment of receipt form.
■ 21. Amend newly redesignated Appendix B to part 332 as follows:
■ A. Add a new sentence to the beginning of the introductory text as set forth below.
■ B. Effective January 1, 2012, remove Appendix B to part 332.
Appendix B to Part 332—Sample Clauses
This Appendix only applies to privacy notices provided before January 1, 2011.
* * * * *
DEPARTMENT OF THE TREASURY
Office of Thrift Supervision
12 CFR Chapter V
Authority and Issuance
For the reasons set forth in the joint preamble, part 573 of chapter V of title 12 of the Code of Federal Regulations is amended as follows:
PART 573—PRIVACY OF CONSUMER FINANCIAL INFORMATION
■ 22.
The authority citation for part 573 continues to read as follows:
Authority: 12 U.S.C. 1462a, 1463, 1464, 1828; 15 U.S.C. 6801 et seq.
■ 23. Revise § 573.2 to read as follows:
§ 573.2 Model privacy form and examples.
(a) Model privacy form. Use of the model privacy form in Appendix A of this part, consistent with the instructions in Appendix A, constitutes compliance with the notice content requirements of §§ 573.6 and 573.7 of this part, although use of the model privacy form is not required.
(b) Examples. The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part.
■ 24. In § 573.6:
■ A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set forth below.
■ B. Effective January 1, 2012, remove paragraph (g).
§ 573.6 Information to be included in privacy notices.
* * * * *
(b) Description of nonaffiliated third parties subject to exceptions. If you disclose nonpublic personal information to third parties as authorized under §§ 573.14 and 573.15, you are not required to list those exceptions in the initial or annual privacy notices required by §§ 573.4 and 573.5. When describing the categories with respect to those parties, it is sufficient to state that you make disclosures to other nonaffiliated companies:
(1) For your everyday business purposes, such as [include all that apply] to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus; or
(2) As permitted by law.
* * * * *
(f) Model privacy form. Pursuant to § 573.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part.
(g) Sample clauses.
Sample clauses illustrating some of the notice content required by this section are included in Appendix B of this part. Use of a sample clause in a privacy notice provided on or before December 31, 2010, to the extent applicable, constitutes compliance with this part.
■ 25. In § 573.7, add paragraph (i) to read as follows:
§ 573.7 Form of opt-out notice to consumers; opt-out methods.
* * * * *
(i) Model privacy form. Pursuant to § 573.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part.
Appendix A [Redesignated as Appendix B]
■ 26. Redesignate Appendix A to part 573 as Appendix B to part 573.
■ 27. Add new Appendix A to part 573 to read as follows:
Appendix A to Part 573—Model Privacy Form
A. The Model Privacy Form
[The model privacy form is reproduced as graphics ER01DE09.021 through ER01DE09.026, which are not included in this text.]
B. General Instructions

1. How the Model Privacy Form Is Used

(a) The model form may be used, at the option of a financial institution, including a group of financial institutions that use a common privacy notice, to meet the content requirements of the privacy notice and opt-out notice set forth in §§ 573.6 and 573.7 of this part.

(b) The model form is a standardized form, including page layout, content, format, style, pagination, and shading. Institutions seeking to obtain the safe harbor through use of the model form may modify it only as described in these Instructions.

(c) Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681–1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.

(d) The word “customer” may be replaced by the word “member” whenever it appears in the model form, as appropriate.

2. The Contents of the Model Privacy Form

The model form consists of two pages, which may be printed on both sides of a single sheet of paper, or may appear on two separate pages. Where an institution provides a long list of institutions at the end of the model form in accordance with Instruction C.3(a)(1), or provides additional information in accordance with Instruction C.3(c), and such list or additional information exceeds the space available on page two of the model form, such list or additional information may extend to a third page.

(a) Page One. The first page consists of the following components:
(1) Date last revised (upper right-hand corner).
(2) Title.
(3) Key frame (Why?, What?, How?).
(4) Disclosure table (“Reasons we can share your personal information”).
(5) “To limit our sharing” box, as needed, for the financial institution’s opt-out information.
(6) “Questions” box, for customer service contact information.
(7) Mail-in opt-out form, as needed.

(b) Page Two. The second page consists of the following components:
(1) Heading (Page 2).
(2) Frequently Asked Questions (“Who we are” and “What we do”).
(3) Definitions.
(4) “Other important information” box, as needed.

3. The Format of the Model Privacy Form

The format of the model form may be modified only as described below.

(a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. While a number of factors together produce easily readable type font, institutions are required to use a minimum of 10-point font (unless otherwise expressly permitted in these Instructions) and sufficient spacing between the lines of type.

(b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page.

(c) Page size and orientation.
Each page of the model form must be printed on paper in portrait orientation, the size of which must be sufficient to meet the layout and minimum font size requirements, with sufficient white space on the top, bottom, and sides of the content.

(d) Color. The model form must be printed on white or light color paper (such as cream) with black or other contrasting ink color. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract from the readability of the model form. Logos may also be printed in color.

(e) Languages. The model form may be translated into languages other than English.

C. Information Required in the Model Privacy Form

The information in the model form may be modified only as described below:

1. Name of the Institution or Group of Affiliated Institutions Providing the Notice

Insert the name of the financial institution providing the notice or a common identity of affiliated institutions jointly providing the notice on the form wherever [name of financial institution] appears.

2. Page One

(a) Last revised date. The financial institution must insert in the upper right-hand corner the date on which the notice was last revised. The information shall appear in minimum 8-point font as “rev. [month/year]” using either the name or number of the month, such as “rev. July 2009” or “rev. 7/09”.

(b) General instructions for the “What?” box. (1) The bulleted list identifies the types of personal information that the institution collects and shares. All institutions must use the term “Social Security number” in the first bullet.

(2) Institutions must use five (5) of the following terms to complete the bulleted list: Income; account balances; payment history; transaction history; transaction or loss history; credit history; credit scores; assets; investment experience; credit-based insurance scores; insurance claim history; medical information; overdraft history; purchase history; account transactions; risk tolerance; medical-related debts; credit card or other debt; mortgage rates and payments; retirement assets; checking account information; employment information; wire transfer instructions.

(c) General instructions for the disclosure table. The left column lists reasons for sharing or using personal information. Each reason correlates to a specific legal provision described in paragraph C.2(d) of this Instruction. In the middle column, each institution must provide a “Yes” or “No” response that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. In the right column, each institution must provide in each box one of the following three (3) responses, as applicable, that reflects whether a consumer can limit such sharing: “Yes” if it is required to or voluntarily provides an opt-out; “No” if it does not provide an opt-out; or “We don’t share” if it answers “No” in the middle column. Only the sixth row (“For our affiliates to market to you”) may be omitted at the option of the institution. See paragraph C.2(d)(6) of this Instruction.

(d) Specific disclosures and corresponding legal provisions.

(1) For our everyday business purposes.
This reason incorporates sharing information under §§ 573.14 and 573.15 and with service providers pursuant to § 573.13 of this part other than the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these Instructions.

(2) For our marketing purposes. This reason incorporates sharing information with service providers by an institution for its own marketing pursuant to § 573.13 of this part. An institution that shares for this reason may choose to provide an opt-out.

(3) For joint marketing with other financial companies. This reason incorporates sharing information under joint marketing agreements between two or more financial institutions and with any service provider used in connection with such agreements pursuant to § 573.13 of this part. An institution that shares for this reason may choose to provide an opt-out.

(4) For our affiliates’ everyday business purposes—information about transactions and experiences. This reason incorporates sharing information specified in sections 603(d)(2)(A)(i) and (ii) of the FCRA. An institution that shares for this reason may choose to provide an opt-out.

(5) For our affiliates’ everyday business purposes—information about creditworthiness. This reason incorporates sharing information pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution that shares for this reason must provide an opt-out.

(6) For our affiliates to market to you. This reason incorporates sharing information specified in section 624 of the FCRA. This reason may be omitted from the disclosure table when: The institution does not have affiliates (or does not disclose personal information to its affiliates); the institution’s affiliates do not use personal information in a manner that requires an opt-out; or the institution provides the affiliate marketing notice separately. Institutions that include this reason must provide an opt-out of indefinite duration. An institution that is required to provide an affiliate marketing opt-out, but does not include that opt-out in the model form under this part, must comply with section 624 of the FCRA and 12 CFR part 571, subpart C, with respect to the initial notice and opt-out and any subsequent renewal notice and opt-out. An institution not required to provide an opt-out under this subparagraph may elect to include this reason in the model form.

(7) For nonaffiliates to market to you. This reason incorporates sharing described in §§ 573.7 and 573.10(a) of this part. An institution that shares personal information for this reason must provide an opt-out.

(e) To limit our sharing: A financial institution must include this section of the model form only if it provides an opt-out. The word “choice” may be written in either the singular or plural, as appropriate. Institutions must select one or more of the applicable opt-out methods described: Telephone, such as by a toll-free number; a Web site; or use of a mail-in opt-out form. Institutions may include the words “toll-free” before telephone, as appropriate. An institution that allows consumers to opt out online must provide either a specific Web address that takes consumers directly to the opt-out page or a general Web address that provides a clear and conspicuous direct link to the opt-out page. The opt-out choices made available to the consumer who contacts the institution through these methods must correspond accurately to the “Yes” responses in the third column of the disclosure table. In the part titled “Please note,” institutions may insert a number that is 30 or greater in the space marked “[30].” Instructions on voluntary or state privacy law opt-out information are in paragraph C.2(g)(5) of these Instructions.

(f) Questions box. Customer service contact information must be inserted as appropriate, where [phone number] or [Web site] appear.
Institutions may elect to provide either a phone number, such as a toll-free number, or a Web address, or both. Institutions may include the words “toll-free” before the telephone number, as appropriate.

(g) Mail-in opt-out form. Financial institutions must include this mail-in form only if they state in the “To limit our sharing” box that consumers can opt out by mail. The mail-in form must provide opt-out options that correspond accurately to the “Yes” responses in the third column in the disclosure table. Institutions that require customers to provide only name and address may omit the section identified as “[account #].” Institutions that require additional or different information, such as a random opt-out number or a truncated account number, to implement an opt-out election should modify the “[account #]” reference accordingly. This includes institutions that require customers with multiple accounts to identify each account to which the opt-out should apply. An institution must enter its opt-out mailing address: in the far right of this form (see version 3); or below the form (see version 4). The reverse side of the mail-in opt-out form must not include any content of the model form.

(1) Joint accountholder. Only institutions that provide their joint accountholders the choice to opt out for only one accountholder, in accordance with paragraph C.3(a)(5) of these Instructions, must include in the far left column of the mail-in form the following statement: “If you have a joint account, your choice(s) will apply to everyone on your account unless you mark below. ☐ Apply my choice(s) only to me.” The word “choice” may be written in either the singular or plural, as appropriate. Financial institutions that provide insurance products or services, provide this option, and elect to use the model form may substitute the word “policy” for “account” in this statement. Institutions that do not provide this option may eliminate this left column from the mail-in form.

(2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution shares personal information pursuant to section 603(d)(2)(A)(iii) of the FCRA, it must include in the mail-in opt-out form the following statement: “☐ Do not share information about my creditworthiness with your affiliates for their everyday business purposes.”

(3) FCRA Section 624 opt-out. If the institution incorporates section 624 of the FCRA in accord with paragraph C.2(d)(6) of these Instructions, it must include in the mail-in opt-out form the following statement: “☐ Do not allow your affiliates to use my personal information to market to me.”

(4) Nonaffiliate opt-out. If the financial institution shares personal information pursuant to § 573.10(a) of this part, it must include in the mail-in opt-out form the following statement: “☐ Do not share my personal information with nonaffiliates to market their products and services to me.”

(5) Additional opt-outs. Financial institutions that use the disclosure table to provide opt-out options beyond those required by Federal law must provide those opt-outs in this section of the model form. A financial institution that chooses to offer an opt-out for its own marketing in the mail-in opt-out form must include one of the two following statements: “☐ Do not share my personal information to market to me.” or “☐ Do not use my personal information to market to me.” A financial institution that chooses to offer an opt-out for joint marketing must include the following statement: “☐ Do not share my personal information with other financial institutions to jointly market to me.”

(h) Barcodes.
A financial institution may elect to include a barcode and/or “tagline” (an internal identifier) in 6-point font at the bottom of page one, as needed for information internal to the institution, so long as these do not interfere with the clarity or text of the form.

3. Page Two

(a) General Instructions for the Questions. Certain of the Questions may be customized as follows:

(1) “Who is providing this notice?” This question may be omitted where only one financial institution provides the model form and that institution is clearly identified in the title on page one. Two or more financial institutions that jointly provide the model form must use this question to identify themselves as required by § 573.9(f) of this part. Where the list of institutions exceeds four (4) lines, the institution must describe in the response to this question the general types of institutions jointly providing the notice and must separately identify those institutions, in minimum 8-point font, directly following the “Other important information” box, or, if that box is not included in the institution’s form, directly following the “Definitions.” The list may appear in a multi-column format.

(2) “How does [name of financial institution] protect my personal information?” The financial institution may only provide additional information pertaining to its safeguards practices following the designated response to this question. Such information may include information about the institution’s use of cookies or other measures it uses to safeguard personal information. Institutions are limited to a maximum of 30 additional words.

(3) “How does [name of financial institution] collect my personal information?” Institutions must use five (5) of the following terms to complete the bulleted list for this question: Open an account; deposit money; pay your bills; apply for a loan; use your credit or debit card; seek financial or tax advice; apply for insurance; pay insurance premiums; file an insurance claim; seek advice about your investments; buy securities from us; sell securities to us; direct us to buy securities; direct us to sell your securities; make deposits or withdrawals from your account; enter into an investment advisory contract; give us your income information; provide employment information; give us your employment history; tell us about your investment or retirement portfolio; tell us about your investment or retirement earnings; apply for financing; apply for a lease; provide account information; give us your contact information; pay us by check; give us your wage statements; provide your mortgage information; make a wire transfer; tell us who receives the money; tell us where to send the money; show your government-issued ID; show your driver’s license; order a commodity futures or option trade. Institutions that collect personal information from their affiliates and/or credit bureaus must include after the bulleted list the following statement: “We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.” Institutions that do not collect personal information from their affiliates or credit bureaus but do collect information from other companies must include the following statement instead: “We also collect your personal information from other companies.” Only institutions that do not collect any personal information from affiliates, credit bureaus, or other companies can omit both statements.
(4) “Why can’t I limit all sharing?” Institutions that describe state privacy law provisions in the “Other important information” box must use the bracketed sentence: “See below for more on your rights under state law.” Other institutions must omit this sentence.

(5) “What happens when I limit sharing for an account I hold jointly with someone else?” Only financial institutions that provide opt-out options must use this question. Other institutions must omit this question. Institutions must choose one of the following two statements to respond to this question: “Your choices will apply to everyone on your account.” or “Your choices will apply to everyone on your account—unless you tell us otherwise.” Financial institutions that provide insurance products or services and elect to use the model form may substitute the word “policy” for “account” in these statements.

(b) General Instructions for the Definitions. The financial institution must customize the space below the responses to the three definitions in this section. This specific information must be in italicized lettering to set off the information from the standardized definitions.

(1) Affiliates. As required by § 573.6(a)(3) of this part, where [affiliate information] appears, the financial institution must:
(i) If it has no affiliates, state: “[name of financial institution] has no affiliates;”
(ii) If it has affiliates but does not share personal information, state: “[name of financial institution] does not share with our affiliates”; or
(iii) If it shares with its affiliates, state, as applicable: “Our affiliates include companies with a [common corporate identity of financial institution] name; financial companies such as [insert illustrative list of companies]; nonfinancial companies, such as [insert illustrative list of companies]; and others, such as [insert illustrative list].”

(2) Nonaffiliates. As required by § 573.6(c)(3) of this part, where [nonaffiliate information] appears, the financial institution must:
(i) If it does not share with nonaffiliated third parties, state: “[name of financial institution] does not share with nonaffiliates so they can market to you”; or
(ii) If it shares with nonaffiliated third parties, state, as applicable: “Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].”

(3) Joint Marketing. As required by § 573.13 of this part, where [joint marketing] appears, the financial institution must:
(i) If it does not engage in joint marketing, state: “[name of financial institution] doesn’t jointly market”; or
(ii) If it shares personal information for joint marketing, state, as applicable: “Our joint marketing partners include [list categories of companies such as credit card companies].”

(c) General instructions for the “Other important information” box. This box is optional. The space provided for information in this box is not limited. Only the following types of information can appear in this box.
(1) State and/or international privacy law information; and/or
(2) Acknowledgment of receipt form.

■ 28. Amend newly redesignated Appendix B to part 573 as follows:
■ A. Add a new sentence to the beginning of the introductory text as set forth below.
■ B. Effective January 1, 2012, remove Appendix B to part 573.

Appendix B to Part 573—Sample Clauses

This Appendix only applies to privacy notices provided before January 1, 2011. * * *

* * * * *

National Credit Union Administration

12 CFR Chapter V

Authority and Issuance

For the reasons set forth in the joint preamble, part 716 of chapter V of title 12 of the Code of Federal Regulations is amended as follows:

PART 716—PRIVACY OF CONSUMER FINANCIAL INFORMATION

■ 29. The authority citation for part 716 continues to read as follows:

Authority: 12 U.S.C. 1751 et seq.; 15 U.S.C. 6801 et seq.

■ 30. Revise § 716.2 to read as follows:

§ 716.2 Model privacy form and examples.

(a) Model privacy form. Use of the model privacy form in Appendix A of this part, consistent with the instructions in Appendix A, constitutes compliance with the notice content requirements of §§ 716.6 and 716.7 of this part, although use of the model privacy form is not required.

(b) Examples. The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part.

■ 31. In § 716.6:
■ A. Revise the section heading and paragraph (b), and add paragraphs (f) and (g) to read as set forth below.
■ B. Effective January 1, 2012, remove paragraph (g).

§ 716.6 Information to be included in privacy notices.

* * * * *

(b) Description of nonaffiliated third parties subject to exceptions. If you disclose nonpublic personal information to third parties as authorized under §§ 716.14 and 716.15, you are not required to list those exceptions in the initial or annual privacy notices required by §§ 716.4 and 716.5. When describing the categories with respect to those parties, it is sufficient to state that you make disclosures to other nonaffiliated companies:

(1) For your everyday business purposes, such as [include all that apply] to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus; or

(2) As permitted by law.

* * * * *

(f) Model privacy form. Pursuant to § 716.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part.

(g) Sample clauses.
Sample clauses illustrating some of the notice content required by this section are included in Appendix B of this part. Use of a sample clause in a privacy notice provided on or before December 31, 2010, to the extent applicable, constitutes compliance with this part.

■ 32. In § 716.7, add paragraph (i) to read as follows:

§ 716.7 Form of opt-out notice to consumers; opt-out methods.

* * * * *

(i) Model privacy form. Pursuant to § 716.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part.

Appendix A [Redesignated as Appendix B]

■ 33. Redesignate Appendix A to part 716 as Appendix B to part 716.

■ 34. Add new Appendix A to part 716 to read as follows:

Appendix A to Part 716—Model Privacy Form

A. The Model Privacy Form

[Graphics: the model privacy form, ER01DE09.028 through ER01DE09.034]

B. General Instructions

1. How the Model Privacy Form Is Used

(a) The model form may be used, at the option of a financial institution, including a group of financial institutions that use a common privacy notice, to meet the content requirements of the privacy notice and opt-out notice set forth in §§ 716.6 and 716.7 of this part.

(b) The model form is a standardized form, including page layout, content, format, style, pagination, and shading. Institutions seeking to obtain the safe harbor through use of the model form may modify it only as described in these Instructions.

(c) Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681–1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.

(d) The word “customer” may be replaced by the word “member” whenever it appears in the model form, as appropriate.

2. The Contents of the Model Privacy Form

The model form consists of two pages, which may be printed on both sides of a single sheet of paper, or may appear on two separate pages. Where an institution provides a long list of institutions at the end of the model form in accordance with Instruction C.3(a)(1), or provides additional information in accordance with Instruction C.3(c), and such list or additional information exceeds the space available on page two of the model form, such list or additional information may extend to a third page.

(a) Page One. The first page consists of the following components:
(1) Date last revised (upper right-hand corner).
(2) Title.
(3) Key frame (Why?, What?, How?).
(4) Disclosure table (“Reasons we can share your personal information”).
(5) “To limit our sharing” box, as needed, for the financial institution’s opt-out information.
(6) “Questions” box, for customer service contact information.
(7) Mail-in opt-out form, as needed.

(b) Page Two. The second page consists of the following components:
(1) Heading (Page 2).
(2) Frequently Asked Questions (“Who we are” and “What we do”).
(3) Definitions.
(4) “Other important information” box, as needed.

3. The Format of the Model Privacy Form

The format of the model form may be modified only as described below.

(a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. While a number of factors together produce easily readable type font, institutions are required to use a minimum of 10-point font (unless otherwise expressly permitted in these Instructions) and sufficient spacing between the lines of type.

(b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page.

(c) Page size and orientation.
Each page of the model form must be printed on paper in portrait orientation, the size of which must be sufficient to meet the layout and minimum font size requirements, with sufficient white space on the top, bottom, and sides of the content. (d) Color. The model form must be printed on white or light color paper (such as cream) with black or other contrasting ink color. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract PO 00000 Frm 00075 Fmt 4701 Sfmt 4700 from the readability of the model form. Logos may also be printed in color. (e) Languages. The model form may be translated into languages other than English. C. Information Required in the Model Privacy Form The information in the model form may be modified only as described below: 1. Name of the Institution or Group of Affiliated Institutions Providing the Notice Insert the name of the financial institution providing the notice or a common identity of affiliated institutions jointly providing the notice on the form wherever [name of financial institution] appears. 2. Page One (a) Last revised date. The financial institution must insert in the upper righthand corner the date on which the notice was last revised. The information shall appear in minimum 8-point font as ‘‘rev. [month/year]’’ using either the name or number of the month, such as ‘‘rev. July 2009’’ or ‘‘rev. 7/ 09’’. (b) General instructions for the ‘‘What?’’ box. (1) The bulleted list identifies the types of personal information that the institution collects and shares. All institutions must use the term ‘‘Social Security number’’ in the first bullet. 
(2) Institutions must use five (5) of the following terms to complete the bulleted list: income; account balances; payment history; transaction history; transaction or loss history; credit history; credit scores; assets; investment experience; credit-based insurance scores; insurance claim history; medical information; overdraft history; purchase history; account transactions; risk tolerance; medical-related debts; credit card or other debt; mortgage rates and payments; retirement assets; checking account information; employment information; wire transfer instructions.

(c) General instructions for the disclosure table. The left column lists reasons for sharing or using personal information. Each reason correlates to a specific legal provision described in paragraph C.2(d) of this Instruction. In the middle column, each institution must provide a “Yes” or “No” response that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. In the right column, each institution must provide in each box one of the following three (3) responses, as applicable, that reflects whether a consumer can limit such sharing: “Yes” if it is required to or voluntarily provides an opt-out; “No” if it does not provide an opt-out; or “We don’t share” if it answers “No” in the middle column. Only the sixth row (“For our affiliates to market to you”) may be omitted at the option of the institution. See paragraph C.2(d)(6) of this Instruction.

(d) Specific disclosures and corresponding legal provisions.
(1) For our everyday business purposes.
This reason incorporates sharing information under §§ 716.14 and 716.15 and with service providers pursuant to § 716.13 of this part other than the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these Instructions.

(2) For our marketing purposes. This reason incorporates sharing information with service providers by an institution for its own marketing pursuant to § 716.13 of this part. An institution that shares for this reason may choose to provide an opt-out.

(3) For joint marketing with other financial companies. This reason incorporates sharing information under joint marketing agreements between two or more financial institutions and with any service provider used in connection with such agreements pursuant to § 716.13 of this part. An institution that shares for this reason may choose to provide an opt-out.

(4) For our affiliates’ everyday business purposes—information about transactions and experiences. This reason incorporates sharing information specified in sections 603(d)(2)(A)(i) and (ii) of the FCRA. An institution that shares for this reason may choose to provide an opt-out.

(5) For our affiliates’ everyday business purposes—information about creditworthiness. This reason incorporates sharing information pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution that shares for this reason must provide an opt-out.

(6) For our affiliates to market to you. This reason incorporates sharing information specified in section 624 of the FCRA. This reason may be omitted from the disclosure table when: the institution does not have affiliates (or does not disclose personal information to its affiliates); the institution’s affiliates do not use personal information in a manner that requires an opt-out; or the institution provides the affiliate marketing notice separately. Institutions that include this reason must provide an opt-out of indefinite duration.
An institution that is required to provide an affiliate marketing opt-out, but does not include that opt-out in the model form under this part, must comply with section 624 of the FCRA and 12 CFR part 717, subpart C, with respect to the initial notice and opt-out and any subsequent renewal notice and opt-out. An institution not required to provide an opt-out under this subparagraph may elect to include this reason in the model form.

(7) For nonaffiliates to market to you. This reason incorporates sharing described in §§ 716.7 and 716.10(a) of this part. An institution that shares personal information for this reason must provide an opt-out.

(e) To limit our sharing: A financial institution must include this section of the model form only if it provides an opt-out. The word “choice” may be written in either the singular or plural, as appropriate. Institutions must select one or more of the applicable opt-out methods described: telephone, such as by a toll-free number; a Web site; or use of a mail-in opt-out form. Institutions may include the words “toll-free” before telephone, as appropriate. An institution that allows consumers to opt out online must provide either a specific Web address that takes consumers directly to the opt-out page or a general Web address that provides a clear and conspicuous direct link to the opt-out page. The opt-out choices made available to the consumer who contacts the institution through these methods must correspond accurately to the “Yes” responses in the third column of the disclosure table. In the part titled “Please note” institutions may insert a number that is 30 or greater in the space marked “[30].” Instructions on voluntary or state privacy law opt-out information are in paragraph C.2(g)(5) of these Instructions.

(f) Questions box. Customer service contact information must be inserted as appropriate, where [phone number] or [Web site] appear.
Institutions may elect to provide either a phone number, such as a toll-free number, or a Web address, or both. Institutions may include the words “toll-free” before the telephone number, as appropriate.

(g) Mail-in opt-out form. Financial institutions must include this mail-in form only if they state in the “To limit our sharing” box that consumers can opt out by mail. The mail-in form must provide opt-out options that correspond accurately to the “Yes” responses in the third column in the disclosure table. Institutions that require customers to provide only name and address may omit the section identified as “[account #].” Institutions that require additional or different information, such as a random opt-out number or a truncated account number, to implement an opt-out election should modify the “[account #]” reference accordingly. This includes institutions that require customers with multiple accounts to identify each account to which the opt-out should apply. An institution must enter its opt-out mailing address: in the far right of this form (see version 3); or below the form (see version 4). The reverse side of the mail-in opt-out form must not include any content of the model form.

(1) Joint accountholder. Only institutions that provide their joint accountholders the choice to opt out for only one accountholder, in accordance with paragraph C.3(a)(5) of these Instructions, must include in the far left column of the mail-in form the following statement: “If you have a joint account, your choice(s) will apply to everyone on your account unless you mark below. ☐ Apply my choice(s) only to me.” The word “choice” may be written in either the singular or plural, as appropriate. Financial institutions that provide insurance products or services, provide this option, and elect to use the model form may substitute the word “policy” for “account” in this statement.
Institutions that do not provide this option may eliminate this left column from the mail-in form.

(2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution shares personal information pursuant to section 603(d)(2)(A)(iii) of the FCRA, it must include in the mail-in opt-out form the following statement: “☐ Do not share information about my creditworthiness with your affiliates for their everyday business purposes.”

(3) FCRA Section 624 opt-out. If the institution incorporates section 624 of the FCRA in accord with paragraph C.2(d)(6) of these Instructions, it must include in the mail-in opt-out form the following statement: “☐ Do not allow your affiliates to use my personal information to market to me.”

(4) Nonaffiliate opt-out. If the financial institution shares personal information pursuant to § 716.10(a) of this part, it must include in the mail-in opt-out form the following statement: “☐ Do not share my personal information with nonaffiliates to market their products and services to me.”

(5) Additional opt-outs. Financial institutions that use the disclosure table to provide opt-out options beyond those required by Federal law must provide those opt-outs in this section of the model form. A financial institution that chooses to offer an opt-out for its own marketing in the mail-in opt-out form must include one of the two following statements: “☐ Do not share my personal information to market to me.” or “☐ Do not use my personal information to market to me.” A financial institution that chooses to offer an opt-out for joint marketing must include the following statement: “☐ Do not share my personal information with other financial institutions to jointly market to me.”

(h) Barcodes.
A financial institution may elect to include a barcode and/or “tagline” (an internal identifier) in 6-point font at the bottom of page one, as needed for information internal to the institution, so long as these do not interfere with the clarity or text of the form.

3. Page Two

(a) General Instructions for the Questions. Certain of the Questions may be customized as follows:

(1) “Who is providing this notice?” This question may be omitted where only one financial institution provides the model form and that institution is clearly identified in the title on page one. Two or more financial institutions that jointly provide the model form must use this question to identify themselves as required by § 716.9(f) of this part. Where the list of institutions exceeds four (4) lines, the institution must describe in the response to this question the general types of institutions jointly providing the notice and must separately identify those institutions, in minimum 8-point font, directly following the “Other important information” box, or, if that box is not included in the institution’s form, directly following the “Definitions.” The list may appear in a multi-column format.

(2) “How does [name of financial institution] protect my personal information?” The financial institution may only provide additional information pertaining to its safeguards practices following the designated response to this question. Such information may include information about the institution’s use of cookies or other measures it uses to safeguard personal information. Institutions are limited to a maximum of 30 additional words.
(3) “How does [name of financial institution] collect my personal information?” Institutions must use five (5) of the following terms to complete the bulleted list for this question: open an account; deposit money; pay your bills; apply for a loan; use your credit or debit card; seek financial or tax advice; apply for insurance; pay insurance premiums; file an insurance claim; seek advice about your investments; buy securities from us; sell securities to us; direct us to buy securities; direct us to sell your securities; make deposits or withdrawals from your account; enter into an investment advisory contract; give us your income information; provide employment information; give us your employment history; tell us about your investment or retirement portfolio; tell us about your investment or retirement earnings; apply for financing; apply for a lease; provide account information; give us your contact information; pay us by check; give us your wage statements; provide your mortgage information; make a wire transfer; tell us who receives the money; tell us where to send the money; show your government-issued ID; show your driver’s license; order a commodity futures or option trade.

Institutions that collect personal information from their affiliates and/or credit bureaus must include after the bulleted list the following statement: “We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.” Institutions that do not collect personal information from their affiliates or credit bureaus but do collect information from other companies must include the following statement instead: “We also collect your personal information from other companies.” Only institutions that do not collect any personal information from affiliates, credit bureaus, or other companies can omit both statements.
(4) “Why can’t I limit all sharing?” Institutions that describe state privacy law provisions in the “Other important information” box must use the bracketed sentence: “See below for more on your rights under state law.” Other institutions must omit this sentence.

(5) “What happens when I limit sharing for an account I hold jointly with someone else?” Only financial institutions that provide opt-out options must use this question. Other institutions must omit this question. Institutions must choose one of the following two statements to respond to this question: “Your choices will apply to everyone on your account.” or “Your choices will apply to everyone on your account—unless you tell us otherwise.” Financial institutions that provide insurance products or services and elect to use the model form may substitute the word “policy” for “account” in these statements.

(b) General Instructions for the Definitions. The financial institution must customize the space below the responses to the three definitions in this section. This specific information must be in italicized lettering to set off the information from the standardized definitions.

(1) Affiliates. As required by § 716.6(a)(3) of this part, where [affiliate information] appears, the financial institution must:
(i) If it has no affiliates, state: “[name of financial institution] has no affiliates”;
(ii) If it has affiliates but does not share personal information, state: “[name of financial institution] does not share with our affiliates”; or
(iii) If it shares with its affiliates, state, as applicable: “Our affiliates include companies with a [common corporate identity of financial institution] name; financial companies such as [insert illustrative list of companies]; nonfinancial companies, such as [insert illustrative list of companies;] and others, such as [insert illustrative list].”

(2) Nonaffiliates.
As required by § 716.6(c)(3) of this part, where [nonaffiliate information] appears, the financial institution must:
(i) If it does not share with nonaffiliated third parties, state: “[name of financial institution] does not share with nonaffiliates so they can market to you”; or
(ii) If it shares with nonaffiliated third parties, state, as applicable: “Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].”

(3) Joint Marketing. As required by § 716.13 of this part, where [joint marketing] appears, the financial institution must:
(i) If it does not engage in joint marketing, state: “[name of financial institution] doesn’t jointly market”; or
(ii) If it shares personal information for joint marketing, state, as applicable: “Our joint marketing partners include [list categories of companies such as credit card companies].”

(c) General instructions for the “Other important information” box. This box is optional. The space provided for information in this box is not limited. Only the following types of information can appear in this box.
(1) State and/or international privacy law information; and/or
(2) Acknowledgment of receipt form.

■ 35. Amend newly redesignated Appendix B to part 716 as follows:
■ A. Add a new sentence to the beginning of the introductory text as set forth below.
■ B. Effective January 1, 2012, remove Appendix B to part 716.

Appendix B to Part 716—Sample Clauses

This Appendix only applies to privacy notices provided before January 1, 2011.
* * * * *

Federal Trade Commission

16 CFR Chapter I

For the reasons set forth in the joint preamble, the Federal Trade Commission amends part 313 of chapter I of title 16 of the Code of Federal Regulations as follows:

PART 313—PRIVACY OF CONSUMER FINANCIAL INFORMATION

■ 36.
The authority citation for part 313 continues to read as follows:

Authority: 15 U.S.C. 6801 et seq.

■ 37. Revise § 313.2 to read as follows:

§ 313.2 Model privacy form and examples.

(a) Model privacy form. Use of the model privacy form in Appendix A of this part, consistent with the instructions in Appendix A, constitutes compliance with the notice content requirements of §§ 313.6 and 313.7 of this part, although use of the model privacy form is not required.

(b) Examples. The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part.

■ 38. In § 313.6:
■ A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set forth below.
■ B. Effective January 1, 2012, remove paragraph (g).

§ 313.6 Information to be included in privacy notices.
* * * * *
(b) Description of nonaffiliated third parties subject to exceptions. If you disclose nonpublic personal information to third parties as authorized under §§ 313.14 and 313.15, you are not required to list those exceptions in the initial or annual privacy notices required by §§ 313.4 and 313.5. When describing the categories with respect to those parties, it is sufficient to state that you make disclosures to other nonaffiliated companies for your everyday business purposes, such as to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus.
* * * * *
(f) Model privacy form. Pursuant to § 313.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part.

(g) Sample clauses and description of nonaffiliated third parties subject to exceptions.
(1) Sample clauses.
Sample clauses illustrating some of the notice content required by this section are included in Appendix B of this part. Use of a sample clause in a privacy notice provided on or before December 31, 2010, to the extent applicable, constitutes compliance with this part.

(2) Description of nonaffiliated third parties subject to exceptions. For a privacy notice provided on or before December 31, 2010, if you disclose nonpublic personal information to third parties as authorized under §§ 313.14 and 313.15, when describing the categories with respect to those parties, it is sufficient to state, as an alternative to the language in the second sentence of paragraph (b) of this section, that you make disclosures to other nonaffiliated third parties as permitted by law.

■ 39. In § 313.7, add paragraph (i) to read as follows:

§ 313.7 Form of opt-out notice to consumers; opt-out methods.
* * * * *
(i) Model privacy form. Pursuant to § 313.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part.

Appendix A [Redesignated as Appendix B]

■ 40. Redesignate Appendix A to part 313 as Appendix B to part 313.
■ 41. Add new Appendix A to part 313 to read as follows:

Appendix A to Part 313—Model Privacy Form

A. The Model Privacy Form

[The model privacy form itself is reproduced as graphic images in the printed Federal Register and is not rendered in this text.]

B. General Instructions

1. How the Model Privacy Form is Used

(a) The model form may be used, at the option of a financial institution, including a group of financial institutions that use a common privacy notice, to meet the content requirements of the privacy notice and opt-out notice set forth in §§ 313.6 and 313.7 of this part.

(b) The model form is a standardized form, including page layout, content, format, style, pagination, and shading. Institutions seeking to obtain the safe harbor through use of the model form may modify it only as described in these Instructions.
(c) Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681–1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.

(d) The word “customer” may be replaced by the word “member” whenever it appears in the model form, as appropriate.

2. The Contents of the Model Privacy Form

The model form consists of two pages, which may be printed on both sides of a single sheet of paper, or may appear on two separate pages. Where an institution provides a long list of institutions at the end of the model form in accordance with Instruction C.3(a)(1), or provides additional information in accordance with Instruction C.3(c), and such list or additional information exceeds the space available on page two of the model form, such list or additional information may extend to a third page.

(a) Page One. The first page consists of the following components:
(1) Date last revised (upper right-hand corner).
(2) Title.
(3) Key frame (Why?, What?, How?).
(4) Disclosure table (“Reasons we can share your personal information”).
(5) “To limit our sharing” box, as needed, for the financial institution’s opt-out information.
(6) “Questions” box, for customer service contact information.
(7) Mail-in opt-out form, as needed.

(b) Page Two. The second page consists of the following components:
(1) Heading (Page 2).
(2) Frequently Asked Questions (“Who we are” and “What we do”).
(3) Definitions.
(4) “Other important information” box, as needed.

3. The Format of the Model Privacy Form

The format of the model form may be modified only as described below.

(a) Easily readable type font.
Financial institutions that use the model form must use an easily readable type font. While a number of factors together produce an easily readable type font, institutions are required to use a minimum of 10-point font (unless otherwise expressly permitted in these Instructions) and sufficient spacing between the lines of type.

(b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page.

(c) Page size and orientation. Each page of the model form must be printed on paper in portrait orientation, the size of which must be sufficient to meet the layout and minimum font size requirements, with sufficient white space on the top, bottom, and sides of the content.

(d) Color. The model form must be printed on white or light color paper (such as cream) with black or other contrasting ink color. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract from the readability of the model form. Logos may also be printed in color.

(e) Languages. The model form may be translated into languages other than English.

C. Information Required in the Model Privacy Form

The information in the model form may be modified only as described below:

1. Name of the Institution or Group of Affiliated Institutions Providing the Notice

Insert the name of the financial institution providing the notice or a common identity of affiliated institutions jointly providing the notice on the form wherever [name of financial institution] appears.

2. Page One

(a) Last revised date. The financial institution must insert in the upper right-hand corner the date on which the notice was last revised. The information shall appear in minimum 8-point font as “rev. [month/year]” using either the name or number of the month, such as “rev. July 2009” or “rev. 7/09”.
(b) General instructions for the “What?” box.
(1) The bulleted list identifies the types of personal information that the institution collects and shares. All institutions must use the term “Social Security number” in the first bullet.
(2) Institutions must use five (5) of the following terms to complete the bulleted list: income; account balances; payment history; transaction history; transaction or loss history; credit history; credit scores; assets; investment experience; credit-based insurance scores; insurance claim history; medical information; overdraft history; purchase history; account transactions; risk tolerance; medical-related debts; credit card or other debt; mortgage rates and payments; retirement assets; checking account information; employment information; wire transfer instructions.

(c) General instructions for the disclosure table. The left column lists reasons for sharing or using personal information. Each reason correlates to a specific legal provision described in paragraph C.2(d) of this Instruction. In the middle column, each institution must provide a “Yes” or “No” response that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. In the right column, each institution must provide in each box one of the following three (3) responses, as applicable, that reflects whether a consumer can limit such sharing: “Yes” if it is required to or voluntarily provides an opt-out; “No” if it does not provide an opt-out; or “We don’t share” if it answers “No” in the middle column. Only the sixth row (“For our affiliates to market to you”) may be omitted at the option of the institution. See paragraph C.2(d)(6) of this Instruction.

(d) Specific disclosures and corresponding legal provisions.
(1) For our everyday business purposes. This reason incorporates sharing information under §§ 313.14 and 313.15 and with service providers pursuant to § 313.13 of this part other than the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these Instructions.

(2) For our marketing purposes. This reason incorporates sharing information with service providers by an institution for its own marketing pursuant to § 313.13 of this part. An institution that shares for this reason may choose to provide an opt-out.

(3) For joint marketing with other financial companies. This reason incorporates sharing information under joint marketing agreements between two or more financial institutions and with any service provider used in connection with such agreements pursuant to § 313.13 of this part. An institution that shares for this reason may choose to provide an opt-out.

(4) For our affiliates’ everyday business purposes—information about transactions and experiences. This reason incorporates sharing information specified in sections 603(d)(2)(A)(i) and (ii) of the FCRA. An institution that shares for this reason may choose to provide an opt-out.

(5) For our affiliates’ everyday business purposes—information about creditworthiness. This reason incorporates sharing information pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution that shares for this reason must provide an opt-out.

(6) For our affiliates to market to you. This reason incorporates sharing information specified in section 624 of the FCRA. This reason may be omitted from the disclosure table when: the institution does not have affiliates (or does not disclose personal information to its affiliates); the institution’s affiliates do not use personal information in a manner that requires an opt-out; or the institution provides the affiliate marketing notice separately. Institutions that include this reason must provide an opt-out of indefinite duration.
An institution that is required to provide an affiliate marketing opt-out, but does not include that opt-out in the model form under this part, must comply with section 624 of the FCRA and 16 CFR parts 680 and 698 with respect to the initial notice and opt-out and any subsequent renewal notice and opt-out. An institution not required to provide an opt-out under this subparagraph may elect to include this reason in the model form.

(7) For nonaffiliates to market to you. This reason incorporates sharing described in §§ 313.7 and 313.10(a) of this part. An institution that shares personal information for this reason must provide an opt-out.

(e) To limit our sharing: A financial institution must include this section of the model form only if it provides an opt-out. The word “choice” may be written in either the singular or plural, as appropriate. Institutions must select one or more of the applicable opt-out methods described: telephone, such as by a toll-free number; a Web site; or use of a mail-in opt-out form. Institutions may include the words “toll-free” before telephone, as appropriate. An institution that allows consumers to opt out online must provide either a specific Web address that takes consumers directly to the opt-out page or a general Web address that provides a clear and conspicuous direct link to the opt-out page. The opt-out choices made available to the consumer who contacts the institution through these methods must correspond accurately to the “Yes” responses in the third column of the disclosure table. In the part titled “Please note” institutions may insert a number that is 30 or greater in the space marked “[30].” Instructions on voluntary or state privacy law opt-out information are in paragraph C.2(g)(5) of these Instructions.

(f) Questions box. Customer service contact information must be inserted as appropriate, where [phone number] or [Web site] appear.
Institutions may elect to provide either a phone number, such as a toll-free number, or a Web address, or both. Institutions may include the words “toll-free” before the telephone number, as appropriate.

(g) Mail-in opt-out form. Financial institutions must include this mail-in form only if they state in the “To limit our sharing” box that consumers can opt out by mail. The mail-in form must provide opt-out options that correspond accurately to the “Yes” responses in the third column in the disclosure table. Institutions that require customers to provide only name and address may omit the section identified as “[account #].” Institutions that require additional or different information, such as a random opt-out number or a truncated account number, to implement an opt-out election should modify the “[account #]” reference accordingly. This includes institutions that require customers with multiple accounts to identify each account to which the opt-out should apply. An institution must enter its opt-out mailing address: in the far right of this form (see version 3); or below the form (see version 4). The reverse side of the mail-in opt-out form must not include any content of the model form.

(1) Joint accountholder. Only institutions that provide their joint accountholders the choice to opt out for only one accountholder, in accordance with paragraph C.3(a)(5) of these Instructions, must include in the far left column of the mail-in form the following statement: “If you have a joint account, your choice(s) will apply to everyone on your account unless you mark below. ☐ Apply my choice(s) only to me.” The word “choice” may be written in either the singular or plural, as appropriate. Financial institutions that provide insurance products or services, provide this option, and elect to use the model form may substitute the word “policy” for “account” in this statement. Institutions that do not provide this option may eliminate this left column from the mail-in form.

(2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution shares personal information pursuant to section 603(d)(2)(A)(iii) of the FCRA, it must include in the mail-in opt-out form the following statement: “☐ Do not share information about my creditworthiness with your affiliates for their everyday business purposes.”

(3) FCRA Section 624 opt-out. If the institution incorporates section 624 of the FCRA in accord with paragraph C.2(d)(6) of these Instructions, it must include in the mail-in opt-out form the following statement: “☐ Do not allow your affiliates to use my personal information to market to me.”

(4) Nonaffiliate opt-out. If the financial institution shares personal information pursuant to § 313.10(a) of this part, it must include in the mail-in opt-out form the following statement: “☐ Do not share my personal information with nonaffiliates to market their products and services to me.”

(5) Additional opt-outs. Financial institutions that use the disclosure table to provide opt-out options beyond those required by Federal law must provide those opt-outs in this section of the model form. A financial institution that chooses to offer an opt-out for its own marketing in the mail-in opt-out form must include one of the two following statements: “☐ Do not share my personal information to market to me.” or “☐ Do not use my personal information to market to me.” A financial institution that chooses to offer an opt-out for joint marketing must include the following statement: “☐ Do not share my personal information with other financial institutions to jointly market to me.”

(h) Barcodes.
A financial institution may elect to include a barcode and/or “tagline” (an internal identifier) in 6-point font at the bottom of page one, as needed for information internal to the institution, so long as these do not interfere with the clarity or text of the form.

3. Page Two

(a) General Instructions for the Questions. Certain of the Questions may be customized as follows:

(1) “Who is providing this notice?” This question may be omitted where only one financial institution provides the model form and that institution is clearly identified in the title on page one. Two or more financial institutions that jointly provide the model form must use this question to identify themselves as required by § 313.9(f) of this part. Where the list of institutions exceeds four (4) lines, the institution must describe in the response to this question the general types of institutions jointly providing the notice and must separately identify those institutions, in minimum 8-point font, directly following the “Other important information” box, or, if that box is not included in the institution’s form, directly following the “Definitions.” The list may appear in a multi-column format.

(2) “How does [name of financial institution] protect my personal information?” The financial institution may only provide additional information pertaining to its safeguards practices following the designated response to this question. Such information may include information about the institution’s use of cookies or other measures it uses to safeguard personal information. Institutions are limited to a maximum of 30 additional words.

(3) “How does [name of financial institution] collect my personal information?” Institutions must use five (5) of the following terms to complete the bulleted list for this question: Open an account; deposit money; pay your bills; apply for a loan; use your credit or debit card; seek financial or tax advice; apply for insurance; pay insurance premiums; file an insurance claim; seek advice about your investments; buy securities from us; sell securities to us; direct us to buy securities; direct us to sell your securities; make deposits or withdrawals from your account; enter into an investment advisory contract; give us your income information; provide employment information; give us your employment history; tell us about your investment or retirement portfolio; tell us about your investment or retirement earnings; apply for financing; apply for a lease; provide account information; give us your contact information; pay us by check; give us your wage statements; provide your mortgage information; make a wire transfer; tell us who receives the money; tell us where to send the money; show your government-issued ID; show your driver’s license; order a commodity futures or option trade.

Institutions that collect personal information from their affiliates and/or credit bureaus must include after the bulleted list the following statement: “We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.” Institutions that do not collect personal information from their affiliates or credit bureaus but do collect information from other companies must include the following statement instead: “We also collect your personal information from other companies.” Only institutions that do not collect any personal information from affiliates, credit bureaus, or other companies can omit both statements.
(4) “Why can’t I limit all sharing?” Institutions that describe state privacy law provisions in the “Other important information” box must use the bracketed sentence: “See below for more on your rights under state law.” Other institutions must omit this sentence.

(5) “What happens when I limit sharing for an account I hold jointly with someone else?” Only financial institutions that provide opt-out options must use this question. Other institutions must omit this question. Institutions must choose one of the following two statements to respond to this question: “Your choices will apply to everyone on your account.” or “Your choices will apply to everyone on your account—unless you tell us otherwise.” Financial institutions that provide insurance products or services and elect to use the model form may substitute the word “policy” for “account” in these statements.

(b) General Instructions for the Definitions. The financial institution must customize the space below the responses to the three definitions in this section. This specific information must be in italicized lettering to set off the information from the standardized definitions.

(1) Affiliates. As required by § 313.6(a)(3) of this part, where [affiliate information] appears, the financial institution must: (i) If it has no affiliates, state: “[name of financial institution] has no affiliates”; (ii) If it has affiliates but does not share personal information, state: “[name of financial institution] does not share with our affiliates”; or (iii) If it shares with its affiliates, state, as applicable: “Our affiliates include companies with a [common corporate identity of financial institution] name; financial companies such as [insert illustrative list of companies]; nonfinancial companies, such as [insert illustrative list of companies]; and others, such as [insert illustrative list].”

(2) Nonaffiliates. As required by § 313.6(c)(3) of this part, where [nonaffiliate information] appears, the financial institution must: (i) If it does not share with nonaffiliated third parties, state: “[name of financial institution] does not share with nonaffiliates so they can market to you”; or (ii) If it shares with nonaffiliated third parties, state, as applicable: “Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].”

(3) Joint Marketing. As required by § 313.13 of this part, where [joint marketing] appears, the financial institution must: (i) If it does not engage in joint marketing, state: “[name of financial institution] doesn’t jointly market”; or (ii) If it shares personal information for joint marketing, state, as applicable: “Our joint marketing partners include [list categories of companies such as credit card companies].”

(c) General instructions for the “Other important information” box. This box is optional. The space provided for information in this box is not limited. Only the following types of information can appear in this box. (1) State and/or international privacy law information; and/or (2) Acknowledgment of receipt form.

■ 42. Amend newly redesignated Appendix B to part 313 as follows:
■ A. Add a new sentence to the beginning of the introductory text as set forth below.
■ B. Effective January 1, 2012, remove Appendix B to part 313.

Appendix B to Part 313—Sample Clauses

This Appendix only applies to privacy notices provided before January 1, 2011.

* * * * *

Commodity Futures Trading Commission

17 CFR Chapter I

Authority and Issuance

For the reasons set forth in the joint preamble, part 160 of chapter I of title 17 of the Code of Federal Regulations is amended as follows:

PART 160—PRIVACY OF CONSUMER FINANCIAL INFORMATION

■ 43. The authority citation for part 160 continues to read as follows:

Authority: 7 U.S.C. 7b–2 and 12a(5); 15 U.S.C. 6801 et seq.

■ 44. Revise § 160.2 to read as follows:

§ 160.2 Model privacy form and examples.

(a) Model privacy form. Use of the model privacy form in Appendix A of this part, consistent with the instructions in Appendix A, constitutes compliance with the notice content requirements of §§ 160.6 and 160.7 of this part, although use of the model privacy form is not required.

(b) Examples. The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part.

■ 45. In § 160.6:
■ A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set forth below.
■ B. Effective January 1, 2012, remove paragraph (g).

§ 160.6 Information to be included in privacy notices.

* * * * *

(b) Description of nonaffiliated third parties subject to exceptions. If you disclose nonpublic personal information to third parties as authorized under §§ 160.14 and 160.15, you are not required to list those exceptions in the initial or annual privacy notices required by §§ 160.4 and 160.5. When describing the categories with respect to those parties, it is sufficient to state that you make disclosures to other nonaffiliated companies: (1) For your everyday business purposes, such as [include all that apply] to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus; or (2) As permitted by law.

* * * * *

(f) Model privacy form. Pursuant to § 160.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part.

(g) Sample clauses. Sample clauses illustrating some of the notice content required by this section are included in Appendix B of this part.
Use of a sample clause in a privacy notice provided on or before December 31, 2010, to the extent applicable, constitutes compliance with this part.

Appendix A [Redesignated as Appendix B]

■ 46. In § 160.7, add paragraph (i) to read as follows:

§ 160.7 Form of opt-out notice to consumers; opt-out methods.

* * * * *

(i) Model privacy form. Pursuant to § 160.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part.

■ 47. Redesignate Appendix A to part 160 as Appendix B to part 160.

■ 48. Add new Appendix A to part 160 to read as follows:

Appendix A to Part 160—Model Privacy Form

A. The Model Privacy Form

[The model privacy form itself appears in the Federal Register as graphics ER01DE09.042 through ER01DE09.047, which are not reproduced in this text.]

B. General Instructions

1. How the Model Privacy Form Is Used

(a) The model form may be used, at the option of a financial institution, including a group of financial institutions that use a common privacy notice, to meet the content requirements of the privacy notice and opt-out notice set forth in §§ 160.6 and 160.7 of this part.

(b) The model form is a standardized form, including page layout, content, format, style, pagination, and shading. Institutions seeking to obtain the safe harbor through use of the model form may modify it only as described in these Instructions.

(c) Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C.
1681–1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.

(d) The word “customer” may be replaced by the word “member” whenever it appears in the model form, as appropriate.

2. The Contents of the Model Privacy Form

The model form consists of two pages, which may be printed on both sides of a single sheet of paper, or may appear on two separate pages. Where an institution provides a long list of institutions at the end of the model form in accordance with Instruction C.3(a)(1), or provides additional information in accordance with Instruction C.3(c), and such list or additional information exceeds the space available on page two of the model form, such list or additional information may extend to a third page.

(a) Page One. The first page consists of the following components:
(1) Date last revised (upper right-hand corner).
(2) Title.
(3) Key frame (Why?, What?, How?).
(4) Disclosure table (“Reasons we can share your personal information”).
(5) “To limit our sharing” box, as needed, for the financial institution’s opt-out information.
(6) “Questions” box, for customer service contact information.
(7) Mail-in opt-out form, as needed.

(b) Page Two. The second page consists of the following components:
(1) Heading (Page 2).
(2) Frequently Asked Questions (“Who we are” and “What we do”).
(3) Definitions.
(4) “Other important information” box, as needed.

3. The Format of the Model Privacy Form

The format of the model form may be modified only as described below.

(a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. While a number of factors together produce easily readable type font, institutions are required to use a minimum of 10-point font (unless otherwise expressly permitted in these Instructions) and sufficient spacing between the lines of type.

(b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page.

(c) Page size and orientation. Each page of the model form must be printed on paper in portrait orientation, the size of which must be sufficient to meet the layout and minimum font size requirements, with sufficient white space on the top, bottom, and sides of the content.

(d) Color. The model form must be printed on white or light color paper (such as cream) with black or other contrasting ink color. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract from the readability of the model form. Logos may also be printed in color.

(e) Languages. The model form may be translated into languages other than English.

C. Information Required in the Model Privacy Form

The information in the model form may be modified only as described below:

1. Name of the Institution or Group of Affiliated Institutions Providing the Notice

Insert the name of the financial institution providing the notice or a common identity of affiliated institutions jointly providing the notice on the form wherever [name of financial institution] appears.

2. Page One

(a) Last revised date. The financial institution must insert in the upper right-hand corner the date on which the notice was last revised. The information shall appear in minimum 8-point font as “rev. [month/year]” using either the name or number of the month, such as “rev. July 2009” or “rev. 7/09”.

(b) General instructions for the “What?” box.
(1) The bulleted list identifies the types of personal information that the institution collects and shares. All institutions must use the term “Social Security number” in the first bullet.

(2) Institutions must use five (5) of the following terms to complete the bulleted list: income; account balances; payment history; transaction history; transaction or loss history; credit history; credit scores; assets; investment experience; credit-based insurance scores; insurance claim history; medical information; overdraft history; purchase history; account transactions; risk tolerance; medical-related debts; credit card or other debt; mortgage rates and payments; retirement assets; checking account information; employment information; wire transfer instructions.

(c) General instructions for the disclosure table. The left column lists reasons for sharing or using personal information. Each reason correlates to a specific legal provision described in paragraph C.2(d) of this Instruction. In the middle column, each institution must provide a “Yes” or “No” response that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. In the right column, each institution must provide in each box one of the following three (3) responses, as applicable, that reflects whether a consumer can limit such sharing: “Yes” if it is required to or voluntarily provides an opt-out; “No” if it does not provide an opt-out; or “We don’t share” if it answers “No” in the middle column. Only the sixth row (“For our affiliates to market to you”) may be omitted at the option of the institution. See paragraph C.2(d)(6) of this Instruction.

(d) Specific disclosures and corresponding legal provisions.

(1) For our everyday business purposes.
This reason incorporates sharing information under §§ 160.14 and 160.15 and with service providers pursuant to § 160.13 of this part other than the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these Instructions.

(2) For our marketing purposes. This reason incorporates sharing information with service providers by an institution for its own marketing pursuant to § 160.13 of this part. An institution that shares for this reason may choose to provide an opt-out.

(3) For joint marketing with other financial companies. This reason incorporates sharing information under joint marketing agreements between two or more financial institutions and with any service provider used in connection with such agreements pursuant to § 160.13 of this part. An institution that shares for this reason may choose to provide an opt-out.

(4) For our affiliates’ everyday business purposes—information about transactions and experiences. This reason incorporates sharing information specified in sections 603(d)(2)(A)(i) and (ii) of the FCRA. An institution that shares for this reason may choose to provide an opt-out.

(5) For our affiliates’ everyday business purposes—information about creditworthiness. This reason incorporates sharing information pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution that shares for this reason must provide an opt-out.

(6) For our affiliates to market to you. This reason incorporates sharing information specified in section 624 of the FCRA. This reason may be omitted from the disclosure table when: the institution does not have affiliates (or does not disclose personal information to its affiliates); the institution’s affiliates do not use personal information in a manner that requires an opt-out; or the institution provides the affiliate marketing notice separately. Institutions that include this reason must provide an opt-out of indefinite duration. An institution not required to provide an opt-out under this subparagraph may elect to include this reason in the model form.

Note: The CFTC’s Regulations do not address the affiliate marketing rule.

(7) For nonaffiliates to market to you. This reason incorporates sharing described in §§ 160.7 and 160.10(a) of this part. An institution that shares personal information for this reason must provide an opt-out.

(e) To limit our sharing: A financial institution must include this section of the model form only if it provides an opt-out. The word “choice” may be written in either the singular or plural, as appropriate. Institutions must select one or more of the applicable opt-out methods described: telephone, such as by a toll-free number; a Website; or use of a mail-in opt-out form. Institutions may include the words “toll-free” before telephone, as appropriate. An institution that allows consumers to opt out online must provide either a specific Web address that takes consumers directly to the opt-out page or a general Web address that provides a clear and conspicuous direct link to the opt-out page. The opt-out choices made available to the consumer who contacts the institution through these methods must correspond accurately to the “Yes” responses in the third column of the disclosure table. In the part titled “Please note” institutions may insert a number that is 30 or greater in the space marked “[30].” Instructions on voluntary or state privacy law opt-out information are in paragraph C.2(g)(5) of these Instructions.

(f) Questions box. Customer service contact information must be inserted as appropriate, where [phone number] or [website] appear. Institutions may elect to provide either a phone number, such as a toll-free number, or a Web address, or both. Institutions may include the words “toll-free” before the telephone number, as appropriate.

(g) Mail-in opt-out form.
Financial institutions must include this mail-in form only if they state in the “To limit our sharing” box that consumers can opt out by mail. The mail-in form must provide opt-out options that correspond accurately to the “Yes” responses in the third column in the disclosure table. Institutions that require customers to provide only name and address may omit the section identified as “[account #].” Institutions that require additional or different information, such as a random opt-out number or a truncated account number, to implement an opt-out election should modify the “[account #]” reference accordingly. This includes institutions that require customers with multiple accounts to identify each account to which the opt-out should apply. An institution must enter its opt-out mailing address: in the far right of this form (see version 3); or below the form (see version 4). The reverse side of the mail-in opt-out form must not include any content of the model form.

(1) Joint accountholder. Only institutions that provide their joint accountholders the choice to opt out for only one accountholder, in accordance with paragraph C.3(a)(5) of these Instructions, must include in the far left column of the mail-in form the following statement: “If you have a joint account, your choice(s) will apply to everyone on your account unless you mark below. ☐ Apply my choice(s) only to me.” The word “choice” may be written in either the singular or plural, as appropriate. Financial institutions that provide insurance products or services, provide this option, and elect to use the model form may substitute the word “policy” for “account” in this statement. Institutions that do not provide this option may eliminate this left column from the mail-in form.

(2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution shares personal information pursuant to section 603(d)(2)(A)(iii) of the FCRA, it must include in the mail-in opt-out form the following statement: “☐ Do not share information about my creditworthiness with your affiliates for their everyday business purposes.”

(3) FCRA Section 624 opt-out. If the institution incorporates section 624 of the FCRA in accord with paragraph C.2(d)(6) of these Instructions, it must include in the mail-in opt-out form the following statement: “☐ Do not allow your affiliates to use my personal information to market to me.”

(4) Nonaffiliate opt-out. If the financial institution shares personal information pursuant to § 160.10(a) of this part, it must include in the mail-in opt-out form the following statement: “☐ Do not share my personal information with nonaffiliates to market their products and services to me.”

(5) Additional opt-outs. Financial institutions that use the disclosure table to provide opt-out options beyond those required by Federal law must provide those opt-outs in this section of the model form. A financial institution that chooses to offer an opt-out for its own marketing in the mail-in opt-out form must include one of the two following statements: “☐ Do not share my personal information to market to me.” or “☐ Do not use my personal information to market to me.” A financial institution that chooses to offer an opt-out for joint marketing must include the following statement: “☐ Do not share my personal information with other financial institutions to jointly market to me.”

(h) Barcodes. A financial institution may elect to include a barcode and/or “tagline” (an internal identifier) in 6-point font at the bottom of page one, as needed for information internal to the institution, so long as these do not interfere with the clarity or text of the form.

3. Page Two

(a) General Instructions for the Questions.
Certain of the Questions may be customized as follows:

(1) “Who is providing this notice?” This question may be omitted where only one financial institution provides the model form and that institution is clearly identified in the title on page one. Two or more financial institutions that jointly provide the model form must use this question to identify themselves as required by § 160.9(f) of this part. Where the list of institutions exceeds four (4) lines, the institution must describe in the response to this question the general types of institutions jointly providing the notice and must separately identify those institutions, in minimum 8-point font, directly following the “Other important information” box, or, if that box is not included in the institution’s form, directly following the “Definitions.” The list may appear in a multi-column format.

(2) “How does [name of financial institution] protect my personal information?” The financial institution may only provide additional information pertaining to its safeguards practices following the designated response to this question. Such information may include information about the institution’s use of cookies or other measures it uses to safeguard personal information. Institutions are limited to a maximum of 30 additional words.

(3) “How does [name of financial institution] collect my personal information?” Institutions must use five (5) of the following terms to complete the bulleted list for this question: Open an account; deposit money; pay your bills; apply for a loan; use your credit or debit card; seek financial or tax advice; apply for insurance; pay insurance premiums; file an insurance claim; seek advice about your investments; buy securities from us; sell securities to us; direct us to buy securities; direct us to sell your securities; make deposits or withdrawals from your account; enter into an investment advisory contract; give us your income information; provide employment information; give us your employment history; tell us about your investment or retirement portfolio; tell us about your investment or retirement earnings; apply for financing; apply for a lease; provide account information; give us your contact information; pay us by check; give us your wage statements; provide your mortgage information; make a wire transfer; tell us who receives the money; tell us where to send the money; show your government-issued ID; show your driver’s license; order a commodity futures or option trade.

Institutions that collect personal information from their affiliates and/or credit bureaus must include after the bulleted list the following statement: “We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.” Institutions that do not collect personal information from their affiliates or credit bureaus but do collect information from other companies must include the following statement instead: “We also collect your personal information from other companies.” Only institutions that do not collect any personal information from affiliates, credit bureaus, or other companies can omit both statements.
(4) ‘‘Why can’t I limit all sharing?’’ Institutions that describe state privacy law provisions in the ‘‘Other important information’’ box must use the bracketed sentence: ‘‘See below for more on your rights under state law.’’ Other institutions must omit this sentence.

(5) ‘‘What happens when I limit sharing for an account I hold jointly with someone else?’’ Only financial institutions that provide opt-out options must use this question. Other institutions must omit this question. Institutions must choose one of the following two statements to respond to this question: ‘‘Your choices will apply to everyone on your account.’’ or ‘‘Your choices will apply to everyone on your account—unless you tell us otherwise.’’ Financial institutions that provide insurance products or services and elect to use the model form may substitute the word ‘‘policy’’ for ‘‘account’’ in these statements.

(b) General Instructions for the Definitions. The financial institution must customize the space below the responses to the three definitions in this section. This specific information must be in italicized lettering to set off the information from the standardized definitions.

(1) Affiliates. As required by § 160.6(a)(3) of this part, where [affiliate information] appears, the financial institution must: (i) If it has no affiliates, state: ‘‘[name of financial institution] has no affiliates’’; (ii) If it has affiliates but does not share personal information, state: ‘‘[name of financial institution] does not share with our affiliates’’; or (iii) If it shares with its affiliates, state, as applicable: ‘‘Our affiliates include companies with a [common corporate identity of financial institution] name; financial companies such as [insert illustrative list of companies]; nonfinancial companies, such as [insert illustrative list of companies]; and others, such as [insert illustrative list].’’

(2) Nonaffiliates.
As required by § 160.6(c)(3) of this part, where [nonaffiliate information] appears, the financial institution must: (i) If it does not share with nonaffiliated third parties, state: ‘‘[name of financial institution] does not share with nonaffiliates so they can market to you’’; or (ii) If it shares with nonaffiliated third parties, state, as applicable: ‘‘Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].’’

(3) Joint Marketing. As required by § 160.13 of this part, where [joint marketing] appears, the financial institution must: (i) If it does not engage in joint marketing, state: ‘‘[name of financial institution] doesn’t jointly market’’; or (ii) If it shares personal information for joint marketing, state, as applicable: ‘‘Our joint marketing partners include [list categories of companies such as credit card companies].’’

(c) General instructions for the ‘‘Other important information’’ box. This box is optional. The space provided for information in this box is not limited. Only the following types of information can appear in this box. (1) State and/or international privacy law information; and/or (2) Acknowledgment of receipt form.

■ 49. Amend newly redesignated Appendix B to part 160 as follows:
■ A. Add a new sentence to the beginning of the introductory text as set forth below.
■ B. Effective January 1, 2012, remove Appendix B to part 160.

Appendix B to Part 160—Sample Clauses

This Appendix only applies to privacy notices provided before January 1, 2011.
* * * * *

Securities and Exchange Commission

Statutory Authority

The Commission is amending Regulation S–P pursuant to authority set forth in section 728 of the Regulatory Relief Act [Pub. L. 109–351], section 504 of the GLB Act [15 U.S.C. 6804], section 23 of the Securities Exchange Act [15 U.S.C.
78w], section 38(a) of the Investment Company Act [15 U.S.C. 80a–37(a)], and section 211 of the Investment Advisers Act [15 U.S.C. 80b–11].

Text of Amendments

■ For the reasons set forth in the preamble, the Commission is amending Title 17, Chapter II of the Code of Federal Regulations as follows:

PART 248—REGULATIONS S–P AND S–AM

■ 50. The authority citation for part 248 continues to read as follows:

Authority: 15 U.S.C. 78q, 78q–1, 78w, 78mm, 80a–30, 80a–37, 80b–4, 80b–11, 1681s–3 and note, 1681w(a)(1), 6801–6809, and 6825.

■ 51. Revise § 248.2 to read as follows:

§ 248.2 Model privacy form: rule of construction.

(a) Model privacy form. Use of the model privacy form in Appendix A to Subpart A of this part, consistent with the instructions in Appendix A to Subpart A, constitutes compliance with the notice content requirements of §§ 248.6 and 248.7 of this part, although use of the model privacy form is not required.

(b) Examples. The examples in this part provide guidance concerning the rule’s application in ordinary circumstances. The facts and circumstances of each individual situation, however, will determine whether compliance with an example, to the extent practicable, constitutes compliance with this part.

(c) Substituted compliance with CFTC financial privacy rules by futures commission merchants and introducing brokers. Except with respect to § 248.30(b), any futures commission merchant or introducing broker (as those terms are defined in the Commodity Exchange Act (7 U.S.C. 1, et seq.)) registered by notice with the Commission for the purpose of conducting business in security futures products pursuant to section 15(b)(11)(A) of the Securities Exchange Act of 1934 (15 U.S.C. 78o(b)(11)(A)) that is subject to and in compliance with the financial privacy rules of the Commodity Futures Trading Commission (17 CFR part 160) will be deemed to be in compliance with this part.

■ 52. In § 248.6:
■ A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set forth below.
■ B. Effective January 1, 2012, remove paragraph (g).

§ 248.6 Information to be included in privacy notices.
* * * * *
(b) Description of nonaffiliated third parties subject to exceptions. If you disclose nonpublic personal information to third parties as authorized under §§ 248.14 and 248.15, you are not required to list those exceptions in the initial or annual privacy notices required by §§ 248.4 and 248.5. When describing the categories with respect to those parties, it is sufficient to state that you make disclosures to other nonaffiliated companies: (1) For your everyday business purposes such as [include all that apply] to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus; or (2) As permitted by law.
* * * * *
(f) Model privacy form. Pursuant to § 248.2(a) and Appendix A to Subpart A of this part, Form S–P meets the notice content requirements of this section.

(g) Sample clauses. Sample clauses illustrating some of the notice content required by this section are included in Appendix B to Subpart A of this part. The sample clauses in Appendix B to Subpart A of this part provide guidance concerning the rule’s application in ordinary circumstances in a privacy notice provided on or before December 31, 2010. The facts and circumstances of each individual situation, however, will determine whether compliance with a sample clause constitutes compliance with this part.

■ 53. In § 248.7, add paragraph (i) to read as follows:

§ 248.7 Form of opt-out notice to consumers; opt-out methods.
* * * * *
(i) Model privacy form.
Pursuant to § 248.2(a) and Appendix A to Subpart A of this part, Form S–P meets the notice content requirements of this section.

■ 54. Add Appendix A to Subpart A to read as follows:

Appendix A to Subpart A—Forms

A. Any person may view and print this form at: https://www.sec.gov/about/forms/secforms.htm.

B. Use of Form S–P by brokers, dealers, and investment companies, and investment advisers registered with the Commission constitutes compliance with the notice content requirements of §§ 248.6 and 248.7 of this part.

FORM S–P—Model Privacy Form

A. The Model Privacy Form

[Graphics of the model privacy form pages (ER01DE09.049 through ER01DE09.054) are not reproduced in this text.]
B. General Instructions

1. How the Model Privacy Form is Used

(a) The model form may be used, at the option of a financial institution, including a group of financial institutions that use a common privacy notice, to meet the content requirements of the privacy notice and opt-out notice set forth in §§ 248.6 and 248.7 of this part.

(b) The model form is a standardized form, including page layout, content, format, style, pagination, and shading. Institutions seeking to obtain the safe harbor through use of the model form may modify it only as described in these instructions.

(c) Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681–1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.

(d) The word ‘‘customer’’ may be replaced by the word ‘‘member’’ whenever it appears in the model form, as appropriate.

2. The Contents of the Model Privacy Form

The model form consists of two pages, which may be printed on both sides of a single sheet of paper, or may appear on two separate pages. Where an institution provides a long list of institutions at the end of the model form in accordance with Instruction C.3(a)(1), or provides additional information in accordance with Instruction C.3(c), and such list or additional information exceeds the space available on page two of the model form, such list or additional information may extend to a third page.

(a) Page One. The first page consists of the following components:
(1) Date last revised (upper right-hand corner).
(2) Title.
(3) Key frame (Why?, What?, How?).
(4) Disclosure table (‘‘Reasons we can share your personal information’’).
(5) ‘‘To limit our sharing’’ box, as needed, for the financial institution’s opt-out information.
(6) ‘‘Questions’’ box, for customer service contact information.
(7) Mail-in opt-out form, as needed.

(b) Page Two. The second page consists of the following components:
(1) Heading (Page 2).
(2) Frequently Asked Questions (‘‘Who we are’’ and ‘‘What we do’’).
(3) Definitions.
(4) ‘‘Other important information’’ box, as needed.

3. The Format of the Model Privacy Form

The format of the model form may be modified only as described below.

(a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. While a number of factors together produce easily readable type font, institutions are required to use a minimum of 10-point font (unless otherwise expressly permitted in these Instructions) and sufficient spacing between the lines of type.

(b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page.

(c) Page size and orientation.
Each page of the model form must be printed on paper in portrait orientation, the size of which must be sufficient to meet the layout and minimum font size requirements, with sufficient white space on the top, bottom, and sides of the content.

(d) Color. The model form must be printed on white or light color paper (such as cream) with black or other contrasting ink color. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract from the readability of the model form. Logos may also be printed in color.

(e) Languages. The model form may be translated into languages other than English.

C. Information Required in the Model Privacy Form

The information in the model form may be modified only as described below:

1. Name of the Institution or Group of Affiliated Institutions Providing the Notice

Insert the name of the financial institution providing the notice or a common identity of affiliated institutions jointly providing the notice on the form wherever [name of financial institution] appears.

2. Page One

(a) Last revised date. The financial institution must insert in the upper right-hand corner the date on which the notice was last revised. The information shall appear in minimum 8-point font as ‘‘rev. [month/year]’’ using either the name or number of the month, such as ‘‘rev. July 2009’’ or ‘‘rev. 7/09’’.

(b) General instructions for the ‘‘What?’’ box. (1) The bulleted list identifies the types of personal information that the institution collects and shares. All institutions must use the term ‘‘Social Security number’’ in the first bullet.
(2) Institutions must use five (5) of the following terms to complete the bulleted list: income; account balances; payment history; transaction history; transaction or loss history; credit history; credit scores; assets; investment experience; credit-based insurance scores; insurance claim history; medical information; overdraft history; purchase history; account transactions; risk tolerance; medical-related debts; credit card or other debt; mortgage rates and payments; retirement assets; checking account information; employment information; wire transfer instructions.

(c) General instructions for the disclosure table. The left column lists reasons for sharing or using personal information. Each reason correlates to a specific legal provision described in paragraph C.2(d) of this Instruction. In the middle column, each institution must provide a ‘‘Yes’’ or ‘‘No’’ response that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. In the right column, each institution must provide in each box one of the following three (3) responses, as applicable, that reflects whether a consumer can limit such sharing: ‘‘Yes’’ if it is required to or voluntarily provides an opt-out; ‘‘No’’ if it does not provide an opt-out; or ‘‘We don’t share’’ if it answers ‘‘No’’ in the middle column. Only the sixth row (‘‘For our affiliates to market to you’’) may be omitted at the option of the institution. See paragraph C.2(d)(6) of this Instruction.

(d) Specific disclosures and corresponding legal provisions.

(1) For our everyday business purposes.
This reason incorporates sharing information under §§ 248.14 and 248.15 and with service providers pursuant to § 248.13 of this part other than the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these Instructions.

(2) For our marketing purposes. This reason incorporates sharing information with service providers by an institution for its own marketing pursuant to § 248.13 of this part. An institution that shares for this reason may choose to provide an opt-out.

(3) For joint marketing with other financial companies. This reason incorporates sharing information under joint marketing agreements between two or more financial institutions and with any service provider used in connection with such agreements pursuant to § 248.13 of this part. An institution that shares for this reason may choose to provide an opt-out.

(4) For our affiliates’ everyday business purposes—information about transactions and experiences. This reason incorporates sharing information specified in sections 603(d)(2)(A)(i) and (ii) of the FCRA. An institution that shares for this reason may choose to provide an opt-out.

(5) For our affiliates’ everyday business purposes—information about creditworthiness. This reason incorporates sharing information pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution that shares for this reason must provide an opt-out.

(6) For our affiliates to market to you. This reason incorporates sharing information specified in section 624 of the FCRA. This reason may be omitted from the disclosure table when: the institution does not have affiliates (or does not disclose personal information to its affiliates); the institution’s affiliates do not use personal information in a manner that requires an opt-out; or the institution provides the affiliate marketing notice separately. Institutions that include this reason must provide an opt-out of indefinite duration.
An institution that is required to provide an affiliate marketing opt-out, but does not include that opt-out in the model form under this part, must comply with section 624 of the FCRA and 17 CFR part 248, subpart B, with respect to the initial notice and opt-out and any subsequent renewal notice and opt-out. An institution not required to provide an opt-out under this subparagraph may elect to include this reason in the model form.

(7) For nonaffiliates to market to you. This reason incorporates sharing described in §§ 248.7 and 248.10(a) of this part. An institution that shares personal information for this reason must provide an opt-out.

(e) To limit our sharing: A financial institution must include this section of the model form only if it provides an opt-out. The word ‘‘choice’’ may be written in either the singular or plural, as appropriate. Institutions must select one or more of the applicable opt-out methods described: telephone, such as by a toll-free number; a Web site; or use of a mail-in opt-out form. Institutions may include the words ‘‘toll-free’’ before telephone, as appropriate. An institution that allows consumers to opt out online must provide either a specific Web address that takes consumers directly to the opt-out page or a general Web address that provides a clear and conspicuous direct link to the opt-out page. The opt-out choices made available to the consumer who contacts the institution through these methods must correspond accurately to the ‘‘Yes’’ responses in the third column of the disclosure table. In the part titled ‘‘Please note’’ institutions may insert a number that is 30 or greater in the space marked ‘‘[30].’’ Instructions on voluntary or state privacy law opt-out information are in paragraph C.2(g)(5) of these Instructions.

(f) Questions box. Customer service contact information must be inserted as appropriate, where [phone number] or [Web site] appear.
Institutions may elect to provide either a phone number, such as a toll-free number, or a Web address, or both. Institutions may include the words ‘‘toll-free’’ before the telephone number, as appropriate.

(g) Mail-in opt-out form. Financial institutions must include this mail-in form only if they state in the ‘‘To limit our sharing’’ box that consumers can opt out by mail. The mail-in form must provide opt-out options that correspond accurately to the ‘‘Yes’’ responses in the third column in the disclosure table. Institutions that require customers to provide only name and address may omit the section identified as ‘‘[account #].’’ Institutions that require additional or different information, such as a random opt-out number or a truncated account number, to implement an opt-out election should modify the ‘‘[account #]’’ reference accordingly. This includes institutions that require customers with multiple accounts to identify each account to which the opt-out should apply. An institution must enter its opt-out mailing address: in the far right of this form (see version 3); or below the form (see version 4). The reverse side of the mail-in opt-out form must not include any content of the model form.

(1) Joint accountholder. Only institutions that provide their joint accountholders the choice to opt out for only one accountholder, in accordance with paragraph C.3(a)(5) of these Instructions, must include in the far left column of the mail-in form the following statement: ‘‘If you have a joint account, your choice(s) will apply to everyone on your account unless you mark below. ☐ Apply my choice(s) only to me.’’ The word ‘‘choice’’ may be written in either the singular or plural, as appropriate. Financial institutions that provide insurance products or services, provide this option, and elect to use the model form may substitute the word ‘‘policy’’ for ‘‘account’’ in this statement.
Institutions that do not provide this option may eliminate this left column from the mail-in form.

(2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution shares personal information pursuant to section 603(d)(2)(A)(iii) of the FCRA, it must include in the mail-in opt-out form the following statement: ‘‘☐ Do not share information about my creditworthiness with your affiliates for their everyday business purposes.’’

(3) FCRA Section 624 opt-out. If the institution incorporates section 624 of the FCRA in accord with paragraph C.2(d)(6) of these Instructions, it must include in the mail-in opt-out form the following statement: ‘‘☐ Do not allow your affiliates to use my personal information to market to me.’’

(4) Nonaffiliate opt-out. If the financial institution shares personal information pursuant to § 248.10(a) of this part, it must include in the mail-in opt-out form the following statement: ‘‘☐ Do not share my personal information with nonaffiliates to market their products and services to me.’’

(5) Additional opt-outs. Financial institutions that use the disclosure table to provide opt-out options beyond those required by Federal law must provide those opt-outs in this section of the model form. A financial institution that chooses to offer an opt-out for its own marketing in the mail-in opt-out form must include one of the two following statements: ‘‘☐ Do not share my personal information to market to me.’’ or ‘‘☐ Do not use my personal information to market to me.’’ A financial institution that chooses to offer an opt-out for joint marketing must include the following statement: ‘‘☐ Do not share my personal information with other financial institutions to jointly market to me.’’

(h) Barcodes.
A financial institution may elect to include a barcode and/or ‘‘tagline’’ (an internal identifier) in 6-point font at the bottom of page one, as needed for information internal to the institution, so long as these do not interfere with the clarity or text of the form.

3. Page Two

(a) General Instructions for the Questions. Certain of the Questions may be customized as follows:

(1) ‘‘Who is providing this notice?’’ This question may be omitted where only one financial institution provides the model form and that institution is clearly identified in the title on page one. Two or more financial institutions that jointly provide the model form must use this question to identify themselves as required by § 248.9(f) of this part. Where the list of institutions exceeds four (4) lines, the institution must describe in the response to this question the general types of institutions jointly providing the notice and must separately identify those institutions, in minimum 8-point font, directly following the ‘‘Other important information’’ box, or, if that box is not included in the institution’s form, directly following the ‘‘Definitions.’’ The list may appear in a multi-column format.

(2) ‘‘How does [name of financial institution] protect my personal information?’’ The financial institution may only provide additional information pertaining to its safeguards practices following the designated response to this question. Such information may include information about the institution’s use of cookies or other measures it uses to safeguard personal information. Institutions are limited to a maximum of 30 additional words.
(3) ‘‘How does [name of financial institution] collect my personal information?’’ Institutions must use five (5) of the following terms to complete the bulleted list for this question: open an account; deposit money; pay your bills; apply for a loan; use your credit or debit card; seek financial or tax advice; apply for insurance; pay insurance premiums; file an insurance claim; seek advice about your investments; buy securities from us; sell securities to us; direct us to buy securities; direct us to sell your securities; make deposits or withdrawals from your account; enter into an investment advisory contract; give us your income information; provide employment information; give us your employment history; tell us about your investment or retirement portfolio; tell us about your investment or retirement earnings; apply for financing; apply for a lease; provide account information; give us your contact information; pay us by check; give us your wage statements; provide your mortgage information; make a wire transfer; tell us who receives the money; tell us where to send the money; show your government-issued ID; show your driver’s license; order a commodity futures or option trade. Institutions that collect personal information from their affiliates and/or credit bureaus must include after the bulleted list the following statement: ‘‘We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.’’ Institutions that do not collect personal information from their affiliates or credit bureaus but do collect information from other companies must include the following statement instead: ‘‘We also collect your personal information from other companies.’’ Only institutions that do not collect any personal information from affiliates, credit bureaus, or other companies can omit both statements. 
(4) ‘‘Why can’t I limit all sharing?’’ Institutions that describe state privacy law provisions in the ‘‘Other important information’’ box must use the bracketed sentence: ‘‘See below for more on your rights under state law.’’ Other institutions must omit this sentence.

(5) ‘‘What happens when I limit sharing for an account I hold jointly with someone else?’’ Only financial institutions that provide opt-out options must use this question. Other institutions must omit this question. Institutions must choose one of the following two statements to respond to this question: ‘‘Your choices will apply to everyone on your account.’’ or ‘‘Your choices will apply to everyone on your account—unless you tell us otherwise.’’ Financial institutions that provide insurance products or services and elect to use the model form may substitute the word ‘‘policy’’ for ‘‘account’’ in these statements.

(b) General Instructions for the Definitions. The financial institution must customize the space below the responses to the three definitions in this section. This specific information must be in italicized lettering to set off the information from the standardized definitions.

(1) Affiliates. As required by § 248.6(a)(3) of this part, where [affiliate information] appears, the financial institution must: (i) If it has no affiliates, state: ‘‘[name of financial institution] has no affiliates; ’’ (ii) If it has affiliates but does not share personal information, state: ‘‘[name of financial institution] does not share with our affiliates; ’’ or (iii) If it shares with its affiliates, state, as applicable: ‘‘Our affiliates include companies with a [common corporate identity of financial institution] name; financial companies such as [insert illustrative list of companies]; nonfinancial companies, such as [insert illustrative list of companies;] and others, such as [insert illustrative list].’’

(2) Nonaffiliates.
As required by § 248.6(c)(3) of this part, where [nonaffiliate information] appears, the financial institution must: (i) If it does not share with nonaffiliated third parties, state: ‘‘[name of financial institution] does not share with nonaffiliates so they can market to you; ’’ or (ii) If it shares with nonaffiliated third parties, state, as applicable: ‘‘Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].’’

(3) Joint Marketing. As required by § 248.13 of this part, where [joint marketing] appears, the financial institution must: (i) If it does not engage in joint marketing, state: ‘‘[name of financial institution] doesn’t jointly market; ’’ or (ii) If it shares personal information for joint marketing, state, as applicable: ‘‘Our joint marketing partners include [list categories of companies such as credit card companies].’’

(c) General instructions for the ‘‘Other important information’’ box. This box is optional. The space provided for information in this box is not limited. Only the following types of information can appear in this box. (1) State and/or international privacy law information; and/or (2) Acknowledgment of receipt form.

■ 55. Amend Appendix B to Subpart A of part 248 as follows:
■ A. Add a sentence to the beginning of the introductory text as set forth below.
■ B. Effective January 1, 2012, remove Appendix B to Subpart A of part 248.

Appendix B to Subpart A of Part 248—Sample Clauses

This Appendix only applies to privacy notices provided before January 1, 2011.
* * * * *

Dated: October 1, 2009.
John C. Dugan,
Comptroller of the Currency.

By order of the Board of Governors of the Federal Reserve System, October 27, 2009.
Robert deV. Frierson,
Secretary of the Board.

By Order of the Board of Directors.
Dated at Washington, DC, this 23rd day of October, 2009.
Federal Deposit Insurance Corporation. Robert E. Feldman, Executive Secretary. Dated: September 28, 2009. By the Office of Thrift Supervision. John E. Bowman, Acting Director. By the National Credit Union Administration Board on November 10, 2009. Mary Rupp, Secretary of the Board. The Federal Trade Commission. Dated: September 25, 2009. By Direction of the Commission. Donald S. Clark, Secretary. Dated: September 21, 2009. David A. Stawick, Secretary of the Commodity Futures Trading Commission. Dated: November 16, 2009. By the Securities and Exchange Commission. Elizabeth M. Murphy, Secretary. [FR Doc. E9–27882 Filed 11–30–09; 8:45 am] BILLING CODE 6750–01–P 12.5%, 6351–01–P 12.5%, 6720–01–P 12.5%, 6714–01–P 12.5%, 4810–33–P 12.5%, 6210–01–P 12.5%, 8011–01–P 12.5%, 7535–01–P 12.5% E:\FR\FM\01DER2.SGM 01DER2

Agencies

[Federal Register Volume 74, Number 229 (Tuesday, December 1, 2009)]
[Rules and Regulations]
[Pages 62890-62994]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E9-27882]



[[Page 62889]]

-----------------------------------------------------------------------


Part II

Department of the Treasury



Office of the Comptroller of the Currency



12 CFR Part 40



-----------------------------------------------------------------------
Federal Reserve System

12 CFR Part 216



-----------------------------------------------------------------------
Federal Deposit Insurance Corporation

12 CFR Part 332



-----------------------------------------------------------------------
Department of the Treasury



Office of Thrift Supervision

12 CFR Part 573



-----------------------------------------------------------------------
National Credit Union Administration

12 CFR Part 716



-----------------------------------------------------------------------
Federal Trade Commission

16 CFR Part 313



-----------------------------------------------------------------------
Commodity Futures Trading Commission

17 CFR Part 160



-----------------------------------------------------------------------
Securities and Exchange Commission

17 CFR Part 248



-----------------------------------------------------------------------



Final Model Privacy Form Under the Gramm-Leach-Bliley Act; Final Rule


[[Page 62890]]


-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Part 40

[Docket ID OCC-2009-0011]
RIN 1557-AC80

FEDERAL RESERVE SYSTEM

12 CFR Part 216

[Docket No. R-1280]

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Part 332

RIN 3064-AD16

DEPARTMENT OF THE TREASURY

Office of Thrift Supervision

12 CFR Part 573

[Docket ID OTS-2009-0014]
RIN 1550-AC12

NATIONAL CREDIT UNION ADMINISTRATION

12 CFR Part 716

RIN 3133-AC84

FEDERAL TRADE COMMISSION

16 CFR Part 313

[Project No. 034815]
RIN 3084-AA94

COMMODITY FUTURES TRADING COMMISSION

17 CFR Part 160

RIN 3038-AC04

SECURITIES AND EXCHANGE COMMISSION

17 CFR Part 248

[Release Nos. 34-61003, IA-2950, IC-28997; File No. S7-09-07]
RIN 3235-AJO6


Final Model Privacy Form Under the Gramm-Leach-Bliley Act

AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC); 
Board of Governors of the Federal Reserve System (Board); Federal 
Deposit Insurance Corporation (FDIC); Office of Thrift Supervision, 
Treasury (OTS); National Credit Union Administration (NCUA); Federal 
Trade Commission (FTC); Commodity Futures Trading Commission (CFTC); 
and Securities and Exchange Commission (SEC).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The OCC, Board, FDIC, OTS, NCUA, FTC, CFTC, and SEC (the 
``Agencies'') are publishing final amendments to their rules that 
implement the privacy provisions of Subtitle A of Title V of the Gramm-
Leach-Bliley Act (``GLB Act''). These rules require financial 
institutions to provide initial and annual privacy notices to their 
customers. Pursuant to Section 728 of the Financial Services Regulatory 
Relief Act of 2006 (``Regulatory Relief Act'' or ``Act''), the Agencies 
are adopting a model privacy form that financial institutions may rely 
on as a safe harbor to provide disclosures under the privacy rules. In 
addition, the Agencies other than the SEC are eliminating the safe 
harbor permitted for notices based on the Sample Clauses currently 
contained in the privacy rules if the notice is provided after December 
31, 2010. Similarly, the SEC is eliminating the guidance associated 
with the use of notices based on the Sample Clauses in its privacy rule 
if the notice is provided after December 31, 2010.

DATES: This rule is effective on December 31, 2009, except for the 
following amendments, which are effective January 1, 2012:
    Instructions 3B, 10B, 17B, 24B, 31B, 38B, 45B, and 52B removing 
paragraphs (g) to 12 CFR 40.6, 216.6, 332.6, 573.6, and 716.6, 16 CFR 
313.6, and 17 CFR 160.6 and 248.6, respectively; and
    Instructions 7B, 14B, 21B, 28B, 35B, 42B, 49B, and 55B removing 
Appendixes B to 12 CFR parts 40, 216, 332, 573, and 716, 16 CFR part 
313, and 17 CFR parts 160 and 248, respectively.

FOR FURTHER INFORMATION CONTACT: OCC: Stephen Van Meter, Assistant 
Director, Community and Consumer Law Division, (202) 874-5750; Heidi 
Thomas, Special Counsel, Legislative and Regulatory Activities 
Division, (202) 874-5090; or David Nebhut, Director, Policy Analysis 
Division, (202) 874-5220, Office of the Comptroller of the Currency, 
250 E Street, SW., Washington, DC 20219.
    Board: Jeanne Hogarth, Consumer Policies Program Manager, Jelena 
McWilliams, Attorney, or Ky Tran-Trong, Counsel, Division of Consumer 
and Community Affairs, (202) 452-3667; Kara Handzlik, Attorney, Legal 
Division, (202) 452-3852; Board of Governors of the Federal Reserve 
System, 20th Street and Constitution Avenue, NW., Washington, DC 20551.
    FDIC: Samuel Frumkin, Senior Policy Analyst, Division of 
Supervision and Consumer Protection, (202) 898-6602; or Kimberly A. 
Stock, Counsel, (202) 898-3815, Legal Division; Federal Deposit 
Insurance Corporation, 550 17th Street, NW., Washington, DC 20429.
    OTS: Ekita Mitchell, Consumer Regulations Analyst, (202) 906-6451; 
or Richard Bennett, Senior Compliance Counsel, Regulations and 
Legislation Division, (202) 906-7409; 1700 G Street, NW., Washington, 
DC 20552.
    NCUA: Regina Metz, Staff Attorney, (703) 518-6561, Office of 
General Counsel, National Credit Union Administration, 1775 Duke 
Street, Alexandria, Virginia 22314-3428.
    FTC: Loretta Garrison, Senior Attorney, and Anthony Rodriguez, 
Attorney, Division of Privacy and Identity Protection, Bureau of 
Consumer Protection, (202) 326-2252, Federal Trade Commission, 600 
Pennsylvania Avenue, NW., Stop NJ-3158, Washington, DC 20580.
    CFTC: Laura Richards, Deputy General Counsel, (202) 418-5126, or 
Gail B. Scott, Counsel, Office of General Counsel, (202) 418-5139, 
Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st 
Street, NW., Washington, DC 20581.
    SEC: Paula Jenson, Deputy Chief Counsel, or Brice Prince, Special 
Counsel, Office of the Chief Counsel, Division of Trading and Markets, 
(202) 551-5550; or Penelope Saltzman, Assistant Director, Thoreau 
Bartmann, Senior Counsel, or Daniel Chang, Staff Attorney, Office of 
Regulatory Policy, Division of Investment Management, (202) 551-6792, 
Securities and Exchange Commission, 100 F Street, NE., Washington, DC 
20549.

SUPPLEMENTARY INFORMATION: The Agencies are publishing final amendments 
to each of their rules (which are consistent and comparable) that 
implement the privacy provisions of the GLB Act: 12 CFR part 40 (OCC); 
12 CFR part 216 (Board); 12 CFR part 332 (FDIC); 12 CFR part 573 (OTS); 
12 CFR part 716 (NCUA); 16 CFR part 313 (FTC); 17 CFR part 160 (CFTC); 
and 17 CFR part 248 (SEC) (collectively, the ``privacy rule'').\1\
---------------------------------------------------------------------------

    \1\ Because the Agencies' privacy rules generally use consistent 
section numbering, relevant sections will be cited, for example, as 
``section ----.6'' unless otherwise noted.

I. Introduction
    A. Statutory Authority and Overview
    B. Overview of the Final Model Privacy Form
II. Background
    A. The Gramm-Leach-Bliley Act Privacy Notices

[[Page 62891]]

    B. Development of Proposed Model Privacy Form
    C. Overview of Comments Received
    D. Quantitative Research
    E. Public Comments on the Quantitative Test Data
    F. Validation Testing
III. The Final Model Privacy Form
    A. Standardization
    B. Instructions for Use
    C. Format of the Notice
    D. Appearance of the Model Privacy Form
    E. Optional General Guidance for Easily Readable Type
    F. Printing, Color, and Logos
    G. Jointly-Provided Notices
    H. Use of the Form by Differently-Regulated Entities
    I. Page One of the Model Form
    J. Page Two of the Model Form
    K. Other Issues
IV. The Sample Clauses
V. Effective Date
VI. Final Regulatory Flexibility Analysis
VII. Paperwork Reduction Act
VIII. OCC and OTS Executive Order 12866 Determination
IX. OCC and OTS Executive Order 13132 Determination
X. OCC and OTS Unfunded Mandates Reform Act of 1995 Determination
XI. SEC Cost-Benefit Analysis
XII. SEC Consideration of Burden on Competition
XIII. NCUA: The Treasury and General Government Appropriations Act, 
1999--Assessment of Federal Regulations and Policies on Families
XIV. CFTC Cost-Benefit Analysis

I. Introduction

A. Statutory Authority and Overview

    The Regulatory Relief Act was enacted on October 13, 2006.\2\ 
Section 728 of the Act directs the Agencies to ``jointly develop a 
model form which may be used, at the option of the financial 
institution, for the provision of disclosures under [section 503 of the 
GLB Act].'' \3\ The Regulatory Relief Act stipulates that the model 
form shall be a safe harbor for financial institutions that elect to 
use it. Section 728 further directs that the model form shall:
---------------------------------------------------------------------------

    \2\ Public Law No. 109-351, 120 Stat. 1966 (2006).
    \3\ Id., adding 15 U.S.C. 6803(e). See also infra discussion at 
section II.A. on the GLB Act requirements for financial privacy 
notices. Section 728 of the Regulatory Relief Act directs the 
agencies named in Section 504(a)(1) of the GLB Act, 15 U.S.C. 
6804(a)(1), to develop a model form. The CFTC, which did not become 
subject to Title V of the GLB Act until 2000, is not named in that 
section. The Commodity Exchange Act (``CEA'') was amended in 2000 by 
the Commodity Futures Modernization Act of 2000 to make the CFTC a 
``Federal functional regulator'' subject to the GLB Act Title V. See 
Section 5g of the CEA, 7 U.S.C. 7b-2. The CFTC interprets Section 
728 of the Regulatory Relief Act as applying to it through Section 
5g.
---------------------------------------------------------------------------

    (A) Be comprehensible to consumers, with a clear format and design;
    (B) provide for clear and conspicuous disclosures;
    (C) enable consumers easily to identify the sharing practices of a 
financial institution and to compare privacy practices among financial 
institutions; and
    (D) be succinct, and use an easily readable type font.
On March 29, 2007, the Agencies published a proposed model privacy form 
(the ``proposed model form'') that financial institutions would be able 
to use to comply with certain disclosures under the privacy rule.\4\ On 
April 15, 2009, the SEC reopened the comment period on the proposed 
rulemaking to solicit comment on a research report and test data 
pertaining to additional consumer testing of the proposed model privacy 
form.\5\ Today, the Agencies are amending the privacy rule to include a 
model privacy form that institutions may use to provide required 
disclosures. The final model form is substantially as proposed with 
changes based on comments we received as well as additional consumer 
testing.
---------------------------------------------------------------------------

    \4\ See Interagency Proposal for Model Privacy Form under the 
Gramm-Leach-Bliley Act (``Proposed Rule''), 72 FR 14940 (Mar. 29, 
2007), available at https://www.ftc.gov/os/2007/03/CorrectedNeptuneMarsandGenericFormsfrn.pdf. A Correction Notice was 
published at 72 FR 16875 (Apr. 5, 2007).
    \5\ See Interagency Proposal for Model Privacy Form under the 
Gramm-Leach-Bliley Act, Securities Exchange Act Release No. 59769, 
Investment Company Act Release No. 28697 (Apr. 15, 2009) [74 FR 
17925 (Apr. 20, 2009)].
---------------------------------------------------------------------------

B. Overview of the Final Model Privacy Form

    As explained more fully in the Agencies' Proposed Rule, key 
elements of the final model form's structure and design, as well as 
vocabulary, reflect the research findings of the qualitative consumer 
testing.\6\ The Agencies believe that the final model form as revised 
meets all the requirements of the Act and, based on the qualitative 
research that led to the development of the proposed model form and the 
quantitative consumer testing described below, is easier to understand 
and use than most privacy notices currently being disseminated.
---------------------------------------------------------------------------

    \6\ The Agencies conducted the consumer research in two phases: 
the first was qualitative testing or form development; the second 
was quantitative testing. See infra section II.
---------------------------------------------------------------------------

    While the model form provides a legal safe harbor, institutions may 
continue to use other types of notices that vary from the model form so 
long as these notices comply with the privacy rule. For example, an 
institution could continue to use a simplified notice if it does not 
have affiliates and does not intend to share nonpublic personal 
information with nonaffiliated third parties outside of the exceptions 
provided in sections ----.14 and ----.15.\7\ Likewise, while the 
Agencies are eliminating the Sample Clauses and related safe harbor 
(or, for the SEC, guidance), institutions may continue to use notices 
containing these clauses, so long as these notices comply with the 
privacy rule.\8\
---------------------------------------------------------------------------

    \7\ See privacy rule, section ----.6(c)(5), NCUA section 
716.6(e)(5).
    \8\ See infra section IV.
---------------------------------------------------------------------------

    The following section briefly summarizes the key features of the 
final model form and the changes to the proposed form. A detailed 
discussion of the elements of the final model form appears in section 
III.
1. The Structure
    The final model form has two pages, rather than the three pages in 
the proposed form, and may be printed on a single piece of paper.\9\ 
Together, pages one and two address the legal requirements of 
applicable Federal financial privacy laws and are designed to increase 
consumer comprehension. The Agencies are not mandating a specific paper 
size in the final model form as long as the paper is in portrait 
orientation and sufficient to accommodate minimum font size, spacing, 
and content requirements.
---------------------------------------------------------------------------

    \9\ For ease, the Appendix provides three versions of the final 
model form: (1) Model form with no opt-out; (2) model form with 
telephone and Web opt-out only; and (3) model form that includes a 
mail-in opt-out form. An alternative mail-in form (version 4) may be 
substituted for the mail-in portion of the model form in version 3. 
For those institutions that use the model form and need to provide a 
mail-in opt-out form, the reverse side to that opt-out form must not 
include any content of the model form. See F.4 of the Frequently 
Asked Questions for the Privacy Regulation, available at https://www.ftc.gov/privacy/glbact/glb-faq.htm (Dec. 2001) (staff guidance 
issued by the Board, FDIC, FTC, OCC, OTS, and NCUA) (stating that a 
consumer generally should be able to detach a mail-in opt-out form 
from a privacy notice without removing text from the privacy 
policy).
---------------------------------------------------------------------------

2. Page One--Background Information, the Disclosure Table, and Opt-Out 
Information
    Page one of the final model form has five parts: (1) The title; (2) 
an introductory section called the ``key frame'' which provides context 
to help the consumer understand the required disclosures; (3) a 
disclosure table that describes the types of sharing used by financial 
institutions consistent with Federal law, which of those types of 
sharing the institution actually does, and whether the consumer can 
limit or opt out of any of the institution's sharing; (4) only if 
needed, a box titled ``To limit our sharing'' for opt-out information; 
and (5) the institution's customer service contact information. Where 
the institution provides a mail-in

[[Page 62892]]

opt-out form, that form appears at the bottom of page one.
    There are three significant changes on page one of the final model 
form.\10\ First, the ``What?'' box has been modified to permit 
institutions to select from a menu of terms the types of information 
collected and shared (other than Social Security number). Second, 
information (if needed) about how to limit sharing or opt out follows 
the disclosure table. If the institution provides a mail-in opt-out 
form, that form appears at the bottom of page one. Third, the final 
model form includes at the top of the page in the right-hand corner the 
date by month and year of the most recent version of the notice. 
Institutions may include at the bottom of page one a ``tagline'' (an 
internal identifier) or barcode for information internal to the 
company, so long as these do not interfere with the clarity or text of 
the form.\11\
---------------------------------------------------------------------------

    \10\ See infra section III.I.
    \11\ See, e.g., comment letters of T. Rowe Price Associates, 
Inc. (May 29, 2007); Wolters Kluwer Financial Services (May 24, 
2007).
---------------------------------------------------------------------------

3. Page Two--Supplemental Information
    As in the proposed model form, the second page of the final model 
form provides additional explanatory information that, in combination 
with page one, ensures that the notice includes all elements described 
in the GLB Act as implemented by the privacy rule. There is 
supplemental information in the form of Frequently Asked Questions 
(``FAQs'') \12\ at the top and definitions below. There are three 
significant changes to the disclosures on page two of the final 
form.\13\ First, a new FAQ appears at the top of page two that can be 
used to identify those institutions that jointly provide the notice. 
Second, the FAQ on the collection of information has been modified to 
allow institutions to select from a menu of terms. Third, a new box has 
been provided at the bottom of page two titled ``Other important 
information.'' This box can be used in only two ways: (1) to discuss 
state and/or international privacy law requirements; and (2) to provide 
an acknowledgment of receipt form.\14\
---------------------------------------------------------------------------

    \12\ Note that a financial institution must insert its name or a 
common corporate identity as indicated in the two questions in this 
section each time that ``[name of financial institution]'' appears. 
The revised form has eliminated the FAQ ``How does [name of 
financial institution] notify me about its practices.''
    \13\ See infra section III.J.
    \14\ This use was provided in response to a request by the 
National Automobile Dealers Ass'n, whose members routinely ask 
customers to sign an acknowledgment of receipt on a copy of the 
dealer's privacy notice and retain this record verifying delivery of 
the notice. Comment letter of the National Automobile Dealers Ass'n 
(May 29, 2007).
---------------------------------------------------------------------------

II. Background

A. The Gramm-Leach-Bliley Act Privacy Notices

    Subtitle A of title V of the GLB Act, captioned ``Disclosure of 
Nonpublic Personal Information,'' \15\ requires each financial 
institution to provide a notice of its privacy policies and practices 
to its customers who are consumers.\16\ In general, the privacy notice 
must describe a financial institution's policies and practices with 
respect to disclosing nonpublic personal information about a consumer 
to both affiliated and nonaffiliated third parties.\17\ The notice also 
must provide a consumer a reasonable opportunity to direct the 
institution generally not to share nonpublic personal information \18\ 
about the consumer (that is, to ``opt out'') with nonaffiliated third 
parties other than as permitted by the statute (for example, sharing 
for everyday business purposes, such as processing transactions and 
maintaining customers' accounts, and in response to properly executed 
governmental requests).\19\ The privacy notice must provide, where 
applicable under the Fair Credit Reporting Act (``FCRA''), a notice and 
an opportunity for a consumer to opt out of certain information sharing 
among affiliates.\20\
---------------------------------------------------------------------------

    \15\ Codified at 15 U.S.C. 6801-6809.
    \16\ 15 U.S.C. 6803(a). A ``customer'' means a consumer who has 
a ``customer relationship'' with a financial institution. Privacy 
rule, section ----.3(h), SEC section 248.3(j), CFTC section 
160.3(k), NCUA section 716.3(n). A ``consumer'' is ``an individual 
who obtains, from a financial institution, financial products or 
services which are to be used primarily for personal, family, or 
household purposes, and also means the legal representative of such 
an individual.'' 15 U.S.C. 6809(9); privacy rule, section ----.3(e), 
SEC section 248.3(g)(1), CFTC section 160.3(h)(1). Financial 
institutions are required to provide an initial notice to their 
customers and a notice annually thereafter for as long as the 
customer relationship continues. 15 U.S.C. 6803(a); Privacy rule, 
sections ----.4 and ----.5. Institutions are also required to 
provide to their non-customer consumers a notice if the institution 
discloses nonpublic personal information outside the exceptions in 
sections ----.14 and ----.15 before any such disclosure is made. 15 
U.S.C. 6802(a); privacy rule, sections ----.4.
    \17\ 15 U.S.C. 6803(a)-(c).
    \18\ ``Nonpublic personal information'' is generally defined as 
personally identifiable financial information provided by a consumer 
to a financial institution, resulting from any transaction or any 
service performed for the consumer, or otherwise obtained by the 
financial institution. See 15 U.S.C. 6809(4); privacy rule, sections 
----.3(n) and (o), SEC sections 248.3(t) and (u), CFTC sections 
160.3(t) and (u).
    \19\ 15 U.S.C. 6802; privacy rule, sections ----.14 and ----.15.
    \20\ 15 U.S.C. 1681a(d)(2)(A)(iii) (FCRA); 15 U.S.C. 6803(c)(4) 
(GLB Act).
---------------------------------------------------------------------------

    The privacy rule requires a financial institution to provide a 
privacy notice to its customers no later than when a customer 
relationship is formed and annually thereafter for as long as the 
relationship continues. The notice must accurately reflect the 
institution's information collection and disclosure practices and must 
include specific information.\21\
---------------------------------------------------------------------------

    \21\ See sections ----.4, ----.5, and ----.6 of the privacy rule.
---------------------------------------------------------------------------

    The privacy rule does not prescribe any specific format or 
standardized wording for these notices. Instead, institutions may 
design their own notices based on their individual practices provided 
they comply with the law and meet the ``clear and conspicuous'' 
standard in the statute and the privacy rule.\22\ The Appendix to each 
privacy rule contains Sample Clauses that institutions may use in 
privacy notices to satisfy the privacy rule.
---------------------------------------------------------------------------

    \22\ 15 U.S.C. 6802, 6803; privacy rule, section --.3(b), SEC 
section 248.3(c), CFTC section 160.3(b)(1).
---------------------------------------------------------------------------

    Financial institutions were required to provide privacy notices to 
their customers by July 1, 2001.\23\ Many notices provided to consumers 
were long and complex. Because the privacy rule allows institutions 
flexibility in designing their privacy notices, notices have been 
formatted in various ways and as a result have been difficult to 
compare, even among financial institutions with identical 
practices.\24\ The Agencies first explored issues related to the 
complexity of privacy notices in a workshop held in December 2001.\25\
---------------------------------------------------------------------------

    \23\ See, e.g., Privacy of Consumer Financial Information, 65 FR 
35162 (June 1, 2000). The CFTC was added by Section 5g of the 
Commodity Exchange Act, 7 U.S.C. 7b-2 (as amended by the Commodity 
Futures Modernization Act of 2000), on December 21, 2000, and 
privacy notices were required to be delivered to consumers by March 
31, 2002. Privacy of Consumer Financial Information, 66 FR 21236 
(Apr. 27, 2001).
    \24\ See Rulemaking Petition from Public Citizen, et al., at 4 
(July 26, 2001) (available at https://www.ftc.gov/bcp/workshops/glb/comments/nader.pdf) (``Public Citizen Petition'') (stating that 
notices were ``dense,'' ``complicated,'' and written by those 
trained in obfuscation rather than to express ideas clearly).
    \25\ See Get Noticed: Writing Effective Financial Privacy 
Notices, Interagency Public Workshop (Dec. 4, 2001) (``Get Noticed 
Workshop''). Workshop transcripts and other supporting documents are 
available at https://www.ftc.gov/bcp/workshops/glb/. The 
Get Noticed Workshop, discussed in the preamble to the Proposed 
Rule, supra note 4 at n.14, provided a public forum to consider how 
financial institutions could provide more useful privacy notices to 
consumers.
---------------------------------------------------------------------------

    On December 30, 2003, the Agencies published an Advance Notice of 
Proposed Rulemaking to Consider Alternative Forms of Privacy Notices 
Under the Gramm-Leach-Bliley Act (``ANPR'') to solicit public comment 
on

[[Page 62893]]

a wide range of issues related to improving privacy notices.\26\ The 
ANPR stated that the Agencies expected that consumer testing would be a 
key component in the development of any specific proposals.\27\
---------------------------------------------------------------------------

    \26\ See Interagency Proposal to Consider Alternative Forms of 
Privacy Notices Under the Gramm-Leach-Bliley Act, 68 FR 75164 (Dec. 
30, 2003), available at https://www.ftc.gov/os/2003/12/031223anprfinalglbnotices.pdf. The Agencies sought, for example, 
comment on issues associated with the format, elements, and language 
used in privacy notices that would make the notices more accessible, 
readable, and useful, and whether to develop a model privacy notice 
that would be short and simple.
    \27\ Id. at text following n.5.
---------------------------------------------------------------------------

    During January and February 2004, the Agencies met with a number of 
interested groups and individuals to discuss the issues raised in the 
ANPR and subsequently received forty-four comments in response to the 
ANPR.\28\ While commenters expressed a variety of views on the 
questions posed in the ANPR, many commenters agreed that the Agencies 
should conduct consumer testing before proposing any alternative 
privacy notice.
---------------------------------------------------------------------------

    \28\ Summaries of the outside meetings and public comments to 
the ANPR are available at https://www.ftc.gov/privacy/privacyinitiatives/financial_rule_inrp.html.
---------------------------------------------------------------------------

B. Development of the Proposed Model Privacy Form

    Over the years during which GLB Act privacy notices have been 
delivered to consumers, the Agencies have observed wide variations in 
these notices. Today, privacy notices vary considerably--not just in 
format, presentation, language, length, style, or tone--but also in how 
they inform consumers of their rights to limit certain sharing of 
personal information. For example, the Agencies have found the 
following variations in current privacy notices. Some institutions 
incorporate privacy notices into lengthy terms and conditions 
statements, making it harder for consumers to find information about 
the institution's privacy practices, and raising questions about 
whether such notices comply with the requirement that they be clear and 
conspicuous. Institutions also use messages in their notices' opening 
statements about how they value privacy and strive to ``protect'' 
personal information, thus providing assurances to consumers that imply 
their personal information is not shared broadly, while obscuring or 
directing attention away from the required disclosures of actual 
information sharing practices. Finally, the Agencies have seen a number 
of institutions employ the statement in their privacy policy ``We do 
not sell your information to third parties'' in a context that raises 
concerns about misrepresentations.\29\
---------------------------------------------------------------------------

    \29\ In some cases, the Agencies have identified notices that 
violate the privacy rule. For example, one institution's privacy 
notice did not include an opt-out form, but provided that consumers 
could only obtain an opt-out form by visiting a bank office, in 
violation of sections --.7(h), --.9(a), and --.10(a)(1) of the 
privacy rule. Another notice provided that consumers could only opt 
out by writing a letter to the institution, in violation of section 
--.7(a)(1) of the privacy rule. Offering only these very restrictive 
methods of obtaining an opt-out form and opting out also is not 
supported by the examples in the privacy rule. See sections 
--.7(a)(2), --.9(b), and --.10(a)(3) of the privacy rule.
---------------------------------------------------------------------------

    These examples illustrate the need to make disclosure of 
institutions' information sharing practices and consumer choices more 
transparent and underscore the Agencies' interest in initiating a joint 
consumer research project to develop an easy-to-read and understandable 
model privacy notice for consumers.
    In the summer of 2004, six of the Agencies \30\ launched a project 
to fund consumer research (``Notice Project''). Their goals were to 
identify barriers to consumer understanding of current privacy notices 
and to develop an alternative privacy notice, or elements of a notice, 
that consumers could more easily use and understand compared to current 
notices. The Agencies conducted the consumer research in two sequential 
phases.\31\
---------------------------------------------------------------------------

    \30\ The six agencies that initially sponsored the Notice 
Project were the Board, FDIC, FTC, NCUA, OCC, and SEC. The OTS 
joined the Notice Project for the phase two quantitative testing. 
Information related to the Notice Project is available at https://www.ftc.gov/privacy/privacyinitiatives/financial_rule_inrp.html.
    \31\ The first phase was designed as qualitative testing or form 
development research. This research involved a series of in-depth 
individual consumer interviews to develop an alternative privacy 
notice that would be easier for consumers to use and understand. The 
second phase was designed as quantitative testing, to test the 
effectiveness of the alternative privacy notice developed in phase 
one among a larger number of consumers.
---------------------------------------------------------------------------

    In September 2004, the Agencies selected Kleimann Communication 
Group, Inc. (``Kleimann'') as their contractor for the phase one form 
development research. The research objectives of the Notice Project 
included designing a privacy notice that consumers could understand and 
use, that facilitated comparison of sharing practices and policies 
across institutions, and that addressed all relevant legal requirements 
of the GLB Act and FCRA.
    The form development phase culminated in an extensive research 
report prepared by Kleimann and released by the Agencies in March 2006 
(the ``Kleimann Report'').\32\ The Kleimann Report details the process 
by which the Agencies and Kleimann developed an alternative privacy 
notice. The structure, content, ordering of the text information, and 
title of the proposed model form all reflect the research findings from 
the qualitative consumer testing.
---------------------------------------------------------------------------

    \32\ See Kleimann Communication Group, Inc., Evolution of a 
Prototype Financial Privacy Notice: A Report on the Form Development 
Project (Feb. 28, 2006) (``Kleimann Report''). For a copy of the 
full report, go to https://www.ftc.gov/privacy/privacyinitiatives/ftcfinalreport060228.pdf. For the executive summary, go to https://www.ftc.gov/privacy/privacyinitiatives/FTCFinalReportExecutiveSummary.pdf.
---------------------------------------------------------------------------

    In October 2006, Congress passed the Regulatory Relief Act, which 
directed the Agencies to propose a model form based on standards 
similar to the Notice Project research goals. On March 29, 2007, the 
Agencies issued for public comment the proposed model form as produced 
in the form development phase with some minor revisions.

C. Overview of Comments Received

    The Agencies collectively received approximately 110 unique 
comments from a variety of banks, thrifts, credit unions, credit card 
companies, securities firms, insurance companies, and industry trade 
associations, as well as from consumer and other advocacy groups, the 
National Association of Attorneys General (``NAAG''), the National 
Association of State Insurance Commissioners (``NAIC''), and individual 
consumers.\33\
---------------------------------------------------------------------------

    \33\ Comments received by all the Agencies are available at 
https://www.ftc.gov/privacy/privacyinitiatives/financial_rule_inrp.html. Many commenters sent copies of the same letter to more 
than one agency. Some association commenters sent several letters, 
both individually and jointly with other associations.
---------------------------------------------------------------------------

    A number of institutions expressed support for the model form. Some 
stated that they are either already using it (submitting copies of 
their notices) or intend to use it once it is finalized. One industry 
association conducted an informal poll of its community bank members 
and found that many are likely to use the model form and that most 
found the new form more consumer-friendly than the Sample Clauses. 
These commenters commended the Agencies for proposing simpler language 
and making the disclosure terms more understandable and accessible to 
consumers.
    Consumer and other advocacy groups, the NAIC, NAAG, and individual 
consumers generally supported the Agencies' proposal and the clearer 
language and omission of extraneous information in the proposed model 
form. These commenters stated that the proposal could be strengthened 
in certain respects, for example, by making

[[Page 62894]]

the default opt-in rather than opt-out and creating a one-stop opt-out 
repository similar to the National Do Not Call Registry.
    There was general support by many commenters for additional 
consumer research and testing. While some industry commenters provided 
substitute language or submitted alternate forms of the notice, none 
submitted other research findings. However, the NAIC submitted a 
consumer study on notices with research findings that the Agencies did 
consider.
    Most industry commenters, however, objected to several key aspects 
of the proposal. The most significant areas of concern raised by 
industry commenters related to: The standardized approach; the format 
of the proposed model form; the limited examples of types of personal 
information collected and shared; the disclosure table; incorporation 
of state law information; and revocation of the Sample Clauses. The 
thrust of many industry comments was that the proposed form was overly 
simplistic and not nuanced enough to describe precisely what the 
various laws permit or to allow accurate descriptions of more complex 
information sharing policies and practices. One commenter expressed 
concern that the form would lead to consumer confusion because of 
inaccurate disclosures on sharing practices and result in high opt-out 
rates, discouraging use of the form. Many industry commenters expressed 
concern about liability under state unfair or deceptive practice laws 
relating to privacy disclosures. At the same time, many institutions 
urged flexibility to allow inclusion of other information--such as 
describing the benefits of sharing, or providing marketing messages or 
privacy tips such as on identity theft and fraud prevention. One 
institution proposed allowing institutions to pick and choose which 
elements of the notice to use and still receive a safe harbor.

D. Quantitative Research

    Following publication of the model form proposal in March 2007 and 
subsequent review of the comments, the Agencies revised the proposed 
model form for further testing.\34\ In the fall of 2007, the Agencies 
turned their attention to developing the research protocol and 
methodology for conducting the second phase of the research: The 
quantitative consumer testing. In August 2006, prior to enactment of 
the Regulatory Relief Act, the Agencies had selected Macro 
International Inc. (``Macro'') to conduct the quantitative research 
study.
---------------------------------------------------------------------------

    \34\ See Mall Intercept Study of Consumer Understanding of 
Financial Privacy Notices: Methodological Report, submitted by Macro 
International Inc. (``Macro Report''), Appendix C, for copies of the 
test notices. The Macro Report is available at: https://www.ftc.gov/privacy/privacyinitiatives/Macro-Report-on-Privacy-Notice-Study.pdf. 
See also infra section III for a discussion about the changes made 
to the final model form since the Proposed Rule was issued for 
comment.
---------------------------------------------------------------------------

    In the spring of 2008, Macro conducted a survey of approximately 
1,000 consumers using a mall-intercept methodology. The selected 
participants for the study reflected a range of demographic 
characteristics for gender, age, and educational level. The testing was 
conducted in five shopping mall locations--Baltimore, MD; Dallas, TX; 
Detroit, MI; Los Angeles, CA; and Springfield, MA--over a period of 
five weeks during March and April 2008.\35\
---------------------------------------------------------------------------

    \35\ Macro provided the test data to the Agencies in the summer 
of 2008 and its research methodology report in September. The study 
data and codebook are available at: https://www.ftc.gov/privacy/privacyinitiatives/Privacy-Notice-Study-Dataset.pdf and https://www.ftc.gov/privacy/privacyinitiatives/Privacy-Notice-Study-Codebook.pdf.
---------------------------------------------------------------------------

    The test objectives were to evaluate the effectiveness of the 
revised proposed model form \36\ developed by Kleimann (``Table 
Notice'') for comprehension and usability as compared to three other 
styles or formats of notices. The other notice formats were: (1) The 
prose version of the prototype table notice also developed and tested 
by Kleimann (``Prose Notice''); (2) a current version of a common 
notice used by financial institutions (``Current Notice''); and (3) a 
notice comprised solely of the Sample Clauses found in the appendix to 
the privacy rule (``Sample Clause Notice''). Within each format, there 
were three different notices, each reflecting a different level of 
sharing. Each level of sharing had a common fictional bank name across 
the four notice formats: Mars Bank had a low level of sharing; Mercury 
Bank had a medium level of sharing; and Neptune Bank had the highest 
level of sharing. Both Mercury and Neptune Banks offered opt-out 
choices; however, the pattern of sharing was such that after exercising 
all available opt-outs, Neptune Bank continued to share more broadly 
than Mercury Bank and Mercury Bank continued to share more than Mars 
Bank. This design was intentional for the comparison testing.\37\
---------------------------------------------------------------------------

    \36\ The proposed model form was revised based on the comments 
received, and a version of that revised form was used in the 
quantitative testing.
    \37\ Study participants were randomly assigned to see one of the 
four notice formats. Each participant read three privacy notices in 
the same format and was asked a series of questions, first about one 
pair of notices, and next about a second pair of notices, with one 
of the three notices used twice in each round. The order and 
repetition of the notices were rotated among the participants so 
that the same notice was not always viewed twice. Participants 
answered additional questions about the notices and their attitudes 
on information sharing. The interview sought information about 
participants' choice of a bank based solely on the notice content; 
responses to factual questions, such as which of two banks shared 
more or whether any of the banks offered an opportunity to limit or 
opt out of sharing; performance of a task, such as determining which 
bank shared more after exercising all options to limit or opt out of 
sharing; and responses to questions about their attitudes toward the 
use and sharing of their information. See Macro Report, supra note 
34, Appendix A.
---------------------------------------------------------------------------

    On December 15, 2008, two expert advisors to the Agencies, Dr. Alan 
Levy and Dr. Manoj Hastak, submitted a report to the Agencies analyzing 
the research data provided by Macro (the ``Levy-Hastak Report'').\38\ 
The Levy-Hastak Report confirmed the overall effectiveness of the 
proposed model form (as modified) as against the three alternative 
notice formats. On April 15, 2009, the SEC published the Levy-Hastak 
Report, along with the Macro Report and test data, for public comment. 
The SEC received nine comments.\39\
---------------------------------------------------------------------------

    \38\ See https://www.ftc.gov/privacy/privacyinitiatives/Levy-Hastak-Report.pdf.
    \39\ See https://www.sec.gov/comments/s7-09-07/s70907.shtml.
---------------------------------------------------------------------------

    The Levy-Hastak Report examined two measures on how effectively the 
notices communicated information: (1) Judgment quality; and (2) 
perceptual accuracy.\40\ According to the Report, judgment quality 
focused on the extent to which study participants could provide 
logical, defensible reasons for choosing one bank over the other based 
solely on the notice. Perceptual accuracy focused on the ability of the 
participants to recognize accurately the differences between the banks 
in information collection and sharing practices, in opt-out choices, 
and in relative sharing after all opt-out choices were exercised.\41\
---------------------------------------------------------------------------

    \40\ Levy-Hastak Report at 7-14.
    \41\ Id. at 4-5.
---------------------------------------------------------------------------

    The Levy-Hastak Report concluded that, overall, the Table Notice 
outperformed the other notices.\42\ The Table Notice performed 
particularly well on difficult tasks \43\ while the Current Notice 
performed poorly on all measures. While the Sample Clause Notice 
performed well on simple tasks,

[[Page 62895]]

about equal to the Table and Prose notices, it performed significantly 
less well than the Table Notice on measures of judgment quality.\44\ 
The Report concluded that the table format is likely a key explanation 
for the improvement in comprehension demonstrated by the study 
participants who saw the Table Notice as compared to those who saw the 
other notice styles--especially for difficult perceptual accuracy 
tasks.\45\
---------------------------------------------------------------------------

    \42\ Id. at 16.
    \43\ Id. at 17. According to the Report, an example of a 
difficult task was: Participants were asked to assume that they had 
limited or opted out of all possible sharing for both banks; based 
on that assumption, respondents were asked whether one bank shared 
more personal information than the other or whether both banks 
shared information equally. An example of an easy task was: Using 
the notice, participants were asked to identify how they could tell 
the bank that they wanted to limit or opt out of sharing personal 
information.
    \44\ Levy-Hastak Report at 9-10.
    \45\ Levy-Hastak Report at 17.
---------------------------------------------------------------------------

    While the notice format significantly affected participants' 
ability to comprehend and compare the notices, the testing showed that 
participants' general attitudes about the sharing of their personal 
information were not affected by the notices they saw.\46\ Following 
the two rounds of questions on the content of, and comparison between, 
the notices, the study participants were asked to rate their attitudes 
in general toward information sharing, for example, sharing with 
affiliated banks and with nonaffiliated banks. The results showed that 
participants' attitudes were about the same across the four notice 
formats.\47\
---------------------------------------------------------------------------

    \46\ Id. at 15.
    \47\ Id. Study participants generally did not like their 
information being shared with either affiliates or with 
nonaffiliates.
---------------------------------------------------------------------------

    The Levy-Hastak Report analyzed two specific areas where the Table 
Notice seemed to perform less well than the other notices. First, the 
Report described an anomaly with respect to responses to the question 
[Q. 19/30]: ``Which of these two banks gives you the opportunity to 
limit or to opt out of the sharing of your personal information?'' \48\ 
Generally participants identified the bank or banks that provided an 
opt-out. However, some participants who saw the Table and Prose notices 
selected Mars Bank, the one that shared the least and offered no opt-
out option. Because answering ``Mars Bank'' was identified as an 
incorrect answer, the Current and Sample Clause notices out-performed 
the Table and Prose notices on this question.
---------------------------------------------------------------------------

    \48\ See id. at 12-14.
---------------------------------------------------------------------------

    In contrast, the Table and Prose notices out-performed the other 
two notices on the most difficult task in the test. In this task, 
participants were asked to assume that they had exercised all possible 
options to limit or to opt out of sharing and then to identify which 
bank shared more. Here, the Table and Prose notices significantly out-
performed the other notices. More participants who saw the Table and 
Prose notices correctly gave as their answer the higher sharing bank. 
This result suggests that participants who saw the Table and Prose 
notices did understand which bank(s) offered an opportunity to limit or 
to opt out of their sharing.
    In analyzing this discrepancy, the Levy-Hastak Report observed that 
the simpler question had two different, yet accurate, responses, 
depending on how participants interpreted the question. Some of the 
participants might have understood the question to apply at the point 
of choosing between the two bank notices; those participants selected 
the lower sharing bank. In contrast, other participants might have 
understood the question to mean: Which bank lets me opt out of sharing 
personal information once I am doing business with the bank. The second 
interpretation was the intended meaning of the question. Drs. Levy and 
Hastak hypothesized that some participants who saw the Table and Prose 
notices understood the question to have the first meaning, while other 
participants, particularly those who saw the Sample Clause and Current 
notices, understood the question to have the second meaning.\49\
---------------------------------------------------------------------------

    \49\ Significantly, unlike the Sample Clause and Current 
notices, neither the Table nor the Prose notice uses the word ``opt-
out'' in the model form; rather, these forms refer to ``limiting 
sharing.'' This word choice was intentional to help consumers 
understand that some sharing is necessary and that consumers cannot 
stop all sharing--a concept that consumers who knew the term equated 
with ``opt-out.'' See Kleimann Report, supra note 32, at 101-108. 
Because the Table and Prose notices did not use the word ``opt-
out,'' participants using these notices did not have that word as a 
visual ``cue'' when they were asked the question.
---------------------------------------------------------------------------

    To test this hypothesis, Drs. Levy and Hastak examined the pattern 
of factual mistakes that participants made when they answered a 
separate set of questions.\50\ There, study participants were asked in 
Q. 16/27 why they preferred one bank over the other, based solely on 
the notice. Some participants who selected a bank that shared 
relatively little information and did not offer an opt-out stated that 
this bank offered more opportunity to limit or to opt out of sharing 
than the higher sharing bank, which was labeled a ``false opt-out 
mistake'' in the Report. The Report found that participants who saw the 
Table and Prose notices were on average almost three times as likely to 
make the false opt-out mistake as those who saw the Current and Sample 
Clause notices.\51\
---------------------------------------------------------------------------

    \50\ The Report also examined a second mistake: Where 
participants selected the lower sharing bank when they were asked to 
identify which bank shared more (labeled a ``false sharing 
mistake''). See Levy-Hastak Report at 9. In that case, there was not 
an unusual pattern in the distribution of responses. Rather, the 
Report found that the study participants who made this mistake were 
equally distributed across all four notice styles. Id. at 13.
    \51\ Id.
---------------------------------------------------------------------------

    This finding supports the hypothesis that users of the Table and 
Prose notices who selected the lower sharing bank in response to Q. 19/
30 understood the question in its first meaning: They selected a bank 
that gave them an opportunity to limit or opt out of sharing at the 
time of choosing between the two bank notices. Under that 
interpretation, these participants could limit sharing by selecting the 
bank that shared less information. Thus the Levy-Hastak Report's 
analysis of the false opt-out mistake pattern in Q. 16/27 is consistent 
with their hypothesis regarding the responses to Q. 19/30. In addition, 
the Report found that the educational level of the study participants 
produced a significant effect only on the responses to the opt-out 
question, with better educated participants more likely to answer the 
question in the intended manner.\52\ This finding is also consistent 
with the Report hypothesis that participants who saw the Table and 
Prose notices understood the question in two different, yet equally 
correct ways, unlike those who saw the Sample Clause and Current 
notices.
---------------------------------------------------------------------------

    \52\ Id. at 13-14.
---------------------------------------------------------------------------

    The Table Notice also seemed to perform less well in a second, 
unrelated area. Specifically, all the test notices provided only two 
methods for consumers to opt out of or limit sharing: Use of a toll-
free telephone number or access to the opt-out on the institution's Web 
site. When study participants were asked to identify which contact 
modes were identified in the notice as ways to limit or opt out of 
sharing, they correctly identified the two modes more frequently when 
using the Sample Clause Notice than the Table, Prose, and Current 
notices.
    Noting that this type of question appears to invite skimming the 
notice to find the answer quickly and easily, the Levy-Hastak Report 
examined the great variability in notice length and found that the 
Sample Clause Notice was significantly shorter than any of the other 
notices. The Levy-Hastak Report observed that the shortness of the 
Sample Clause Notice may have made it easier for participants to scan 
the notice and find the answer to this question. The Report opined that 
notice length likely has an effect on scanability and reading ease.\53\
---------------------------------------------------------------------------

    \53\ Levy-Hastak Report at 14. In addition, the use of check 
boxes in the design of the opt-out section of the Table and Prose 
notices (a carry-over from the original mail-in format of the 
proposed model form) appeared to confuse some participants when they 
were asked this question. The responses recorded for these two 
notices reflected a somewhat higher number of ``other'' responses, 
even though all the notices offered the same two options. Macro 
reported anecdotally that a number of participants who viewed the 
Table and Prose notices reported ``check this box'' as one of the 
methods offered to opt out or limit sharing--a response that was 
recorded as ``other.''
---------------------------------------------------------------------------

[[Page 62896]]

    While the Levy-Hastak Report findings confirmed the overall 
effectiveness of the Table Notice,\54\ the Report's analysis prompted 
the Agencies to consider a further refinement to the proposed model 
form. The change, discussed in more detail later, was to modify the 
opt-out section of the model form to place the opt-out information on 
page one directly following the disclosure table so that all the key 
information appears on that page.\55\ The Agencies considered this 
change to facilitate quick scanning for important information without 
sacrificing the model form's performance in other respects. To ensure 
that locating the opt-out information on page one worked from a 
usability perspective, the Agencies decided to conduct validation 
testing which led to separate formats for the telephone and Internet 
opt-out and for the mail-in opt-out that the Agencies are adopting.
---------------------------------------------------------------------------

    \54\ Id. at 17.
    \55\ Some commenters had urged the Agencies to consolidate the 
model form on two sides of a single piece of paper, and a few 
suggested that the Agencies consider moving the opt-out to page one. 
See, e.g., comment letters of Securities Industry and Financial 
Markets Ass'n (May 29, 2007); World's Foremost Bank (May 25, 2007); 
World Financial Network National Bank (May 29, 2007); World 
Financial Capital Bank (May 25, 2007).
---------------------------------------------------------------------------

E. Public Comments on the Quantitative Test Data

    Nine commenters representing insurance, securities, and financial 
services associations, a bank, and two investment advisers submitted 
comments in response to the SEC's solicitation for public comments on 
the quantitative testing. Most of the commenters re-stated their 
earlier general objections to the proposed model form. These concerns 
are addressed in section III.
    All but one of these commenters made general observations about the 
quantitative test methodology and the Levy-Hastak Report. Five 
commenters observed that the test notices were designed for banks and 
not for insurance companies or securities firms (i.e., broker-dealers, 
investment companies, or SEC-registered investment advisers), thereby 
omitting a significant portion of the financial services industry that 
provide these notices.\56\ Two commenters opined that the study 
participants' demographic characteristics did not reflect those 
consumers who will receive financial privacy notices.\57\ One expressed 
concern about the demographic diversity in the mall selections and 
questioned whether there was consistent coding of the open-ended 
responses.\58\ One commented that the testing criteria ruled out non-
English speaking participants.\59\
---------------------------------------------------------------------------

    \56\ See comment letters of American Council of Life Insurers 
(May 20, 2009), National Ass'n of Mutual Insurance Cos. (May 20, 
2009), American Insurance Ass'n (May 20, 2009), Investment Adviser 
Ass'n (May 20, 2009), The Financial Services Roundtable and BITS 
(May 20, 2009).
    \57\ See comment letters of National Ass'n of Mutual Insurance 
Cos. (May 20, 2009); The Financial Services Roundtable and BITS (May 
20, 2009).
    \58\ See comment letter of The Financial Services Roundtable and 
BITS (May 20, 2009).
    \59\ See id. The Agencies used a single form, printed in 
English, for simplicity in conducting the testing. We recognize that 
institutions can and do provide notices in a variety of other 
languages when their customers are non-English speaking. We 
anticipate that those institutions that use the final model form 
will continue to provide their notices in other languages to ensure 
that their non-English speaking customers can read and use the form. 
See also Transcript of Get Noticed Workshop, available at https://www.ftc.gov/bcp/workshops/glb/GLBtranscripts.pdf, comments of Irene 
Etzkorn (recognizing that banks do provide financial privacy notices 
in languages other than English); comments of Tena Friery (noting 
that the Privacy Rights Clearinghouse promotes notices and 
educational materials in other languages and that 80-100 different 
languages are spoken in Los Angeles alone).
---------------------------------------------------------------------------

    Some of the commenters disagreed with the Levy-Hastak Report's 
conclusion that the Table Notice outperformed the other notice formats. 
They opined that the Report's conclusion is flawed because: (1) The 
Sample Clause Notice did better on simpler tasks than the Table Notice; 
\60\ (2) the anomalies discussed in the Levy-Hastak Report may be due 
to other explanations; \61\ and (3) while the Table Notice's overall 
performance was better than the other notices, actual performance 
accuracy was relatively low.\62\ Several commented that the overly 
simplified and inflexible format of the Table Notice is not a true test 
of consumers' understanding of institutions' actual collection and 
disclosure practices.\63\ In addition, all commenters on the 
quantitative testing urged retention of the Sample Clauses and related 
safe harbor.
---------------------------------------------------------------------------

    \60\ See comment letters of American Insurance Ass'n (May 20, 
2009); National Ass'n of Mutual Insurance Cos. (May 20, 2009). While 
some commenters find greater virtue in the better performance of the 
Sample Clause Notice on only the simpler tasks or disagree with the 
Levy-Hastak Report's analyses, the evidence is compelling that the 
Table Notice performed better overall across all comprehension and 
comparison measures. See Levy-Hastak Report at 6.
    \61\ See comment letter of American Council of Life Insurers 
(May 20, 2009).
    \62\ Id.
    \63\ See, e.g., comment letter of The Financial Services 
Roundtable and BITS (May 20, 2009).
---------------------------------------------------------------------------

    The test notices for the quantitative study were created for 
fictitious banks, even though the model form can be used by any 
financial institution subject to the GLB Act and the privacy rule. 
Because the vast majority of consumers are familiar with or have 
experience with a bank, the Agencies used a notice designed for a bank 
to increase the likelihood that most of the test participants could 
readily understand the terms in the notice, such as ``account 
balances,'' ``income,'' or ``credit history,'' which describe 
information collected and shared by many banks, as well as by many 
other financial institutions.
    The Macro Report presented data on the demographic characteristics 
of the study participants recruited for the study. Participants at each 
mall were pre-selected for a representative mix based on gender, age, 
and education levels, and information on participants' race/ethnicity, 
income, and household size was obtained at the end of each 
interview.\64\ Since a significant majority of consumers in America 
receive a financial privacy notice--including from banks, credit 
unions, securities firms, insurance companies, auto dealers, debt 
collectors, and payday lenders--the Agencies wanted to ensure that a 
representative cross-section of consumers be included in the study.
---------------------------------------------------------------------------

    \64\ Macro Report, supra note 34, at 3 & Appendix B; Levy-Hastak 
Report at 2.
---------------------------------------------------------------------------

    The Agencies hired Macro as an outside independent expert to handle 
all aspects of the collection and reporting of the study data. Macro 
conducted all training of field staff, implemented a series of checks 
to ensure greater accuracy of the study data, reviewed, on an ongoing 
basis, all daily downloads of data from the field, and coded all of the 
open-end responses.\65\
---------------------------------------------------------------------------

    \65\ Macro Report, supra note 34, at 3-4.
---------------------------------------------------------------------------

    With respect to the comment that the accuracy of the study 
participants' responses overall was relatively low, the commenter cited 
the judgment quality measure of the participants' fact-based reasons 
for choosing the lower sharing bank.\66\ While the results showed that 
most consumers likely have a limited

[[Page 62897]]

understanding of information sharing practices after a brief exposure 
to any of the notice styles, nevertheless the Levy-Hastak Report 
confirms that overall the Table Notice out-performed the other notices 
and is the most effective notice of all the privacy notices tested.
---------------------------------------------------------------------------

    \66\ The commenter looked to the Table Notice score of 40.6% in 
Table 1 of the Levy-Hastak Report. Levy-Hastak Report at 12. This 
data evaluated how well study participants could explain their 
reasons for preferring one bank notice over another where they 
selected, as their preferred bank, the lower sharing bank. While the 
commenter pointed to a single measure in the Levy-Hastak Report, the 
Report relied on a number of accuracy measures that varied in 
difficulty level. See, e.g., id., Table 3 at 12.
---------------------------------------------------------------------------

    Finally, two commenters requested that if both the model privacy 
form and the SEC's proposed amendments to its privacy rule, Regulation 
S-P, were adopted, the SEC should coordinate the compliance dates so as 
to minimize the compliance burden and the potential for multiple 
revisions of an institution's privacy notice.\67\ The SEC appreciates 
in