Final Model Privacy Form Under the Gramm-Leach-Bliley Act, 62890-62994 [E9-27882]

Download as PDF 62890 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations (NCUA); Federal Trade Commission (FTC); Commodity Futures Trading Commission (CFTC); and Securities and Exchange Commission (SEC). ACTION: Final rule. DEPARTMENT OF THE TREASURY Office of the Comptroller of the Currency 12 CFR Part 40 [Docket ID OCC–2009–0011] RIN 1557–AC80 FEDERAL RESERVE SYSTEM 12 CFR Part 216 [Docket No. R–1280] FEDERAL DEPOSIT INSURANCE CORPORATION 12 CFR Part 332 RIN 3064–AD16 DEPARTMENT OF THE TREASURY Office of Thrift Supervision 12 CFR Part 573 [Docket ID OTS–2009–0014] RIN 1550–AC12 NATIONAL CREDIT UNION ADMINISTRATION 12 CFR Part 716 RIN 3133–AC84 FEDERAL TRADE COMMISSION 16 CFR Part 313 [Project No. 034815] RIN 3084–AA94 COMMODITY FUTURES TRADING COMMISSION 17 CFR Part 160 RIN 3038–AC04 SECURITIES AND EXCHANGE COMMISSION 17 CFR Part 248 [Release Nos. 34–61003, IA–2950, IC–28997; File No. S7–09–07] mstockstill on DSKH9S0YB1PROD with RULES2 RIN 3235–AJO6 Final Model Privacy Form Under the Gramm-Leach-Bliley Act AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC); Board of Governors of the Federal Reserve System (Board); Federal Deposit Insurance Corporation (FDIC); Office of Thrift Supervision, Treasury (OTS); National Credit Union Administration VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 SUMMARY: The OCC, Board, FDIC, OTS, NCUA, FTC, CFTC, and SEC (the ‘‘Agencies’’) are publishing final amendments to their rules that implement the privacy provisions of Subtitle A of Title V of the GrammLeach-Bliley Act (‘‘GLB Act’’). These rules require financial institutions to provide initial and annual privacy notices to their customers. Pursuant to Section 728 of the Financial Services Regulatory Relief Act of 2006 (‘‘Regulatory Relief Act’’ or ‘‘Act’’), the Agencies are adopting a model privacy form that financial institutions may rely on as a safe harbor to provide disclosures under the privacy rules. In addition, the Agencies other than the SEC are eliminating the safe harbor permitted for notices based on the Sample Clauses currently contained in the privacy rules if the notice is provided after December 31, 2010. Similarly, the SEC is eliminating the guidance associated with the use of notices based on the Sample Clauses in its privacy rule if the notice is provided after December 31, 2010. DATES: This rule is effective on December 31, 2009, except for the following amendments, which are effective January 1, 2012: Instructions 3B, 10B, 17B, 24B, 31B, 38B, 45B, and 52B removing paragraphs (g) to 12 CFR 40.6, 216.6, 332.6, 573.6, and 716.6, 16 CFR 313.6, and 17 CFR 160.6 and 248.6, respectively; and Instructions 7B, 14B, 21B, 28B, 35B, 42B, 49B, and 55B removing Appendixes B to 12 CFR parts 40, 216, 332, 573, and 716, 16 CFR part 313, and 17 CFR parts 160 and 248, respectively. FOR FURTHER INFORMATION CONTACT: OCC: Stephen Van Meter, Assistant Director, Community and Consumer Law Division, (202) 874–5750; Heidi Thomas, Special Counsel, Legislative and Regulatory Activities Division, (202) 874–5090; or David Nebhut, Director, Policy Analysis Division, (202) 874–5220, Office of the Comptroller of the Currency, 250 E Street, SW., Washington, DC 20219. Board: Jeanne Hogarth, Consumer Policies Program Manager, Jelena McWilliams, Attorney, or Ky TranTrong, Counsel, Division of Consumer and Community Affairs, (202) 452– 3667; Kara Handzlik, Attorney, Legal Division, (202) 452–3852; Board of Governors of the Federal Reserve System, 20th Street and Constitution Avenue, NW., Washington, DC 20551. PO 00000 Frm 00002 Fmt 4701 Sfmt 4700 FDIC: Samuel Frumkin, Senior Policy Analyst, Division of Supervision and Consumer Protection, (202) 898–6602; or Kimberly A. Stock, Counsel, (202) 898–3815, Legal Division; Federal Deposit Insurance Corporation, 550 17th Street, NW., Washington, DC 20429. OTS: Ekita Mitchell, Consumer Regulations Analyst, (202) 906–6451; or Richard Bennett, Senior Compliance Counsel, Regulations and Legislation Division, (202) 906–7409; 1700 G Street, NW., Washington, DC 20552. NCUA: Regina Metz, Staff Attorney, (703) 518–6561, Office of General Counsel, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314–3428. FTC: Loretta Garrison, Senior Attorney, and Anthony Rodriguez, Attorney, Division of Privacy and Identity Protection, Bureau of Consumer Protection, (202) 326–2252, Federal Trade Commission, 600 Pennsylvania Avenue, NW., Stop NJ–3158, Washington, DC 20580. CFTC: Laura Richards, Deputy General Counsel, (202) 418–5126, or Gail B. Scott, Counsel, Office of General Counsel, (202) 418–5139, Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st Street, NW., Washington, DC 20581. SEC: Paula Jenson, Deputy Chief Counsel, or Brice Prince, Special Counsel, Office of the Chief Counsel, Division of Trading and Markets, (202) 551–5550; or Penelope Saltzman, Assistant Director, Thoreau Bartmann, Senior Counsel, or Daniel Chang, Staff Attorney, Office of Regulatory Policy, Division of Investment Management, (202) 551–6792, Securities and Exchange Commission, 100 F Street, NE., Washington, DC 20549. SUPPLEMENTARY INFORMATION: The Agencies are publishing final amendments to each of their rules (which are consistent and comparable) that implement the privacy provisions of the GLB Act: 12 CFR part 40 (OCC); 12 CFR part 216 (Board); 12 CFR part 332 (FDIC); 12 CFR part 573 (OTS); 12 CFR part 716 (NCUA); 16 CFR part 313 (FTC); 17 CFR part 160 (CFTC); and 17 CFR part 248 (SEC) (collectively, the ‘‘privacy rule’’).1 I. Introduction A. Statutory Authority and Overview B. Overview of the Final Model Privacy Form II. Background A. The Gramm-Leach-Bliley Act Privacy Notices 1 Because the Agencies’ privacy rules generally use consistent section numbering, relevant sections will be cited, for example, as ‘‘section __.6’’ unless otherwise noted. E:\FR\FM\01DER2.SGM 01DER2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations B. Development of Proposed Model Privacy Form C. Overview of Comments Received D. Quantitative Research E. Public Comments on the Quantitative Test Data F. Validation Testing III. The Final Model Privacy Form A. Standardization B. Instructions for Use C. Format of the Notice D. Appearance of the Model Privacy Form E. Optional General Guidance for Easily Readable Type F. Printing, Color, and Logos G. Jointly-Provided Notices H. Use of the Form by DifferentlyRegulated Entities I. Page One of the Model Form J. Page Two of the Model Form K. Other Issues IV. The Sample Clauses V. Effective Date VI. Final Regulatory Flexibility Analysis VII. Paperwork Reduction Act VIII. OCC and OTS Executive Order 12866 Determination IX. OCC and OTS Executive Order 13132 Determination X. OCC and OTS Unfunded Mandates Reform Act of 1995 Determination XI. SEC Cost-Benefit Analysis XII. SEC Consideration of Burden on Competition XIII. NCUA: The Treasury And General Government Apropriations Act, 1999– Assessment of Federal Regulations and Policies on Families XIV. CFTC Cost-Benefit Analysis I. Introduction A. Statutory Authority and Overview The Regulatory Relief Act was enacted on October 13, 2006.2 Section 728 of the Act directs the Agencies to ‘‘jointly develop a model form which may be used, at the option of the financial institution, for the provision of disclosures under [section 503 of the GLB Act].’’ 3 The Regulatory Relief Act stipulates that the model form shall be a safe harbor for financial institutions that elect to use it. Section 728 further directs that the model form shall: (A) Be comprehensible to consumers, with a clear format and design; (B) provide for clear and conspicuous disclosures; 2 Public Law No. 109–351, 120 Stat. 1966 (2006). adding 15 U.S.C. 6803(e). See also infra discussion at section II.A. on the GLB Act requirements for financial privacy notices. Section 728 of the Regulatory Relief Act directs the agencies named in Section 504(a)(1) of the GLB Act, 15 U.S.C. 6804(a)(1), to develop a model form. The CFTC, which did not become subject to Title V of the GLB Act until 2000, is not named in that section. The Commodity Exchange Act (‘‘CEA’’) was amended in 2000 by the Commodity Futures Modernization Act of 2000 to make the CFTC a ‘‘Federal functional regulator’’ subject to the GLB Act Title V. See Section 5g of the CEA, 7 U.S.C. 7b2. The CFTC interprets Section 728 of the Regulatory Relief Act as applying to it through Section 5g. mstockstill on DSKH9S0YB1PROD with RULES2 3 Id., VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 (C) enable consumers easily to identify the sharing practices of a financial institution and to compare privacy practices among financial institutions; and (D) be succinct, and use an easily readable type font. On March 29, 2007, the Agencies published a proposed model privacy form (the ‘‘proposed model form’’) that financial institutions would be able to use to comply with certain disclosures under the privacy rule.4 On April 15, 2009, the SEC reopened the comment period on the proposed rulemaking to solicit comment on a research report and test data pertaining to additional consumer testing of the proposed model privacy form.5 Today, the Agencies are amending the privacy rule to include a model privacy form that institutions may use to provide required disclosures. The final model form is substantially as proposed with changes based on comments we received as well as additional consumer testing. B. Overview of the Final Model Privacy Form As explained more fully in the Agencies’ Proposed Rule, key elements of the final model form’s structure and design, as well as vocabulary, reflect the research findings of the qualitative consumer testing.6 The Agencies believe that the final model form as revised meets all the requirements of the Act and, based on the qualitative research that led to the development of the proposed model form and the quantitative consumer testing described below, is easier to understand and use than most privacy notices currently being disseminated. While the model form provides a legal safe harbor, institutions may continue to use other types of notices that vary from the model form so long as these notices comply with the privacy rule. For example, an institution could continue to use a simplified notice if it does not have affiliates and does not intend to share nonpublic personal information with nonaffiliated third parties outside of the exceptions provided in sections 4 See Interagency Proposal for Model Privacy Form under the Gramm-Leach-Bliley Act (‘‘Proposed Rule’’), 72 FR 14940 (Mar. 29, 2007), available at http://www.ftc.gov/os/2007/03/ CorrectedNeptuneMarsandGenericFormsfrn.pdf. A Correction Notice was published at 72 FR 16875 (Apr. 5, 2007). 5 See Interagency Proposal for Model Privacy Form under the Gramm-Leach-Bliley Act, Securities Exchange Act Release No. 59769, Investment Company Act Release No. 28697 (Apr. 15, 2009) [74 FR 17925 (Apr. 20, 2009)]. 6 The Agencies conducted the consumer research in two phases: the first was qualitative testing or form development; the second was quantitative testing. See infra section II. PO 00000 Frm 00003 Fmt 4701 Sfmt 4700 62891 __.14 and __.15.7 Likewise, while the Agencies are eliminating the Sample Clauses and related safe harbor (or, for the SEC, guidance), institutions may continue to use notices containing these clauses, so long as these notices comply with the privacy rule.8 The following section briefly summarizes the key features of the final model form and the changes to the proposed form. A detailed discussion of the elements of the final model form appears in section III. 1. The Structure The final model form has two pages, rather than the three pages in the proposed form, and may be printed on a single piece of paper.9 Together, pages one and two address the legal requirements of applicable Federal financial privacy laws and are designed to increase consumer comprehension. The Agencies are not mandating a specific paper size in the final model form as long as the paper is in portrait orientation and sufficient to accommodate minimum font size, spacing, and content requirements. 2. Page One—Background Information, the Disclosure Table, and Opt-Out Information Page one of the final model form has five parts: (1) The title; (2) an introductory section called the ‘‘key frame’’ which provides context to help the consumer understand the required disclosures; (3) a disclosure table that describes the types of sharing used by financial institutions consistent with Federal law, which of those types of sharing the institution actually does, and whether the consumer can limit or opt out of any of the institution’s sharing; (4) only if needed, a box titled ‘‘To limit our sharing’’ for opt-out information; and (5) the institution’s customer service contact information. Where the institution provides a mail-in 7 See privacy rule, section __.6(c)(5), NCUA section 716.6(e)(5). 8 See infra section IV. 9 For ease, the Appendix provides three versions of the final model form: (1) Model form with no optout; (2) model form with telephone and Web optout only; and (3) model form that includes a mailin opt-out form. An alternative mail-in form (version 4) may be substituted for the mail-in portion of the model form in version 3. For those institutions that use the model form and need to provide a mail-in opt-out form, the reverse side to that opt-out form must not include any content of the model form. See F.4 of the Frequently Asked Questions for the Privacy Regulation, available at http://www.ftc.gov/privacy/glbact/glb-faq.htm (Dec. 2001) (staff guidance issued by the Board, FDIC, FTC, OCC, OTS, and NCUA) (stating that a consumer generally should be able to detach a mailin opt-out form from a privacy notice without removing text from the privacy policy). E:\FR\FM\01DER2.SGM 01DER2 62892 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations opt-out form, that form appears at the bottom of page one. There are three significant changes on page one of the final model form.10 First, the ‘‘What?’’ box has been modified to permit institutions to select from a menu of terms the types of information collected and shared (other than Social Security number). Second, information (if needed) about how to limit sharing or opt out follows the disclosure table. If the institution provides a mail-in opt-out form, that form appears at the bottom of page one. Third, the final model form includes at the top of the page in the right-hand corner the date by month and year of the most recent version of the notice. Institutions may include at the bottom of page one a ‘‘tagline’’ (an internal identifier) or barcode for information internal to the company, so long as these do not interfere with the clarity or text of the form.11 3. Page Two—Supplemental Information As in the proposed model form, the second page of the final model form provides additional explanatory information that, in combination with page one, ensures that the notice includes all elements described in the GLB Act as implemented by the privacy rule. There is supplemental information in the form of Frequently Asked Questions (‘‘FAQs’’) 12 at the top and definitions below. There are three significant changes to the disclosures on page two of the final form.13 First, a new FAQ appears at the top of page two that can be used to identify those institutions that jointly provide the notice. Second, the FAQ on the collection of information has been modified to allow institutions to select from a menu of terms. Third, a new box has been provided at the bottom of page two titled ‘‘Other important information.’’ This box can be used in only two ways: (1) to discuss state and/ or international privacy law requirements; and (2) to provide an acknowledgment of receipt form.14 10 See infra section III.I. e.g., comment letters of T. Rowe Price Associates, Inc. (May 29, 2007); Wolters Kluwer Financial Services (May 24, 2007). 12 Note that a financial institution must insert its name or a common corporate identity as indicated in the two questions in this section each time that ‘‘[name of financial institution]’’ appears. The revised form has eliminated the FAQ ‘‘How does [name of financial institution] notify me about its practices.’’ 13 See infra section III.J. 14 This use was provided in response to a request by the National Automobile Dealers Ass’n, whose members routinely ask customers to sign an acknowledgment of receipt on a copy of the dealer’s mstockstill on DSKH9S0YB1PROD with RULES2 11 See, VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 II. Background A. The Gramm-Leach-Bliley Act Privacy Notices Subtitle A of title V of the GLB Act, captioned ‘‘Disclosure of Nonpublic Personal Information,’’ 15 requires each financial institution to provide a notice of its privacy policies and practices to its customers who are consumers.16 In general, the privacy notice must describe a financial institution’s policies and practices with respect to disclosing nonpublic personal information about a consumer to both affiliated and nonaffiliated third parties.17 The notice also must provide a consumer a reasonable opportunity to direct the institution generally not to share nonpublic personal information 18 about the consumer (that is, to ‘‘opt out’’) with nonaffiliated third parties other than as permitted by the statute (for example, sharing for everyday business purposes, such as processing transactions and maintaining customers’ accounts, and in response to properly executed governmental requests).19 The privacy notice must provide, where applicable under the Fair Credit Reporting Act (‘‘FCRA’’), a notice and an opportunity for a consumer to opt out of certain information sharing among affiliates.20 The privacy rule requires a financial institution to provide a privacy notice to privacy notice and retain this record verifying delivery of the notice. Comment letter of the National Automobile Dealers Ass’n (May 29, 2007). 15 Codified at 15 U.S.C. 6801–6809. 16 15 U.S.C. 6803(a). A ‘‘customer’’ means a consumer who has a ‘‘customer relationship’’ with a financial institution. Privacy rule, section __.3(h), SEC section 248.3(j), CFTC section 160.3(k), NCUA section 716.3(n). A ‘‘consumer’’ is ‘‘an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes, and also means the legal representative of such an individual.’’ 15 U.S.C. 6809(9); privacy rule, section __.3(e), SEC section 248.3(g)(1), CFTC section 160.3(h)(1). Financial institutions are required to provide an initial notice to their customers and a notice annually thereafter for as long as the customer relationship continues. 15 U.S.C. 6803(a); Privacy rule, sections __.4 and __.5. Institutions are also required to provide to their non-customer consumers a notice if the institution discloses nonpublic personal information outside the exceptions in sections __.14 and __.15 before any such disclosure is made. 15 U.S.C. 6802(a); privacy rule, sections __.4. 17 15 U.S.C. 6803(a)–(c). 18 ‘‘Nonpublic personal information’’ is generally defined as personally identifiable financial information provided by a consumer to a financial institution, resulting from any transaction or any service performed for the consumer, or otherwise obtained by the financial institution. See 15 U.S.C. 6809(4); privacy rule, sections __.3(n) and (o), SEC sections 248.3(t) and (u), CFTC sections 160.3(t) and (u). 19 15 U.S.C. 6802; privacy rule, sections __.14 and __.15. 20 15 U.S.C. 1681a(d)(2)(A)(iii) (FCRA); 15 U.S.C. 6803(c)(4) (GLB Act). PO 00000 Frm 00004 Fmt 4701 Sfmt 4700 its customers no later than when a customer relationship is formed and annually thereafter for as long as the relationship continues. The notice must accurately reflect the institution’s information collection and disclosure practices and must include specific information.21 The privacy rule does not prescribe any specific format or standardized wording for these notices. Instead, institutions may design their own notices based on their individual practices provided they comply with the law and meet the ‘‘clear and conspicuous’’ standard in the statute and the privacy rule.22 The Appendix to each privacy rule contains Sample Clauses that institutions may use in privacy notices to satisfy the privacy rule. Financial institutions were required to provide privacy notices to their customers by July 1, 2001.23 Many notices provided to consumers were long and complex. Because the privacy rule allows institutions flexibility in designing their privacy notices, notices have been formatted in various ways and as a result have been difficult to compare, even among financial institutions with identical practices.24 The Agencies first explored issues related to the complexity of privacy notices in a workshop held in December 2001.25 On December 30, 2003, the Agencies published an Advance Notice of Proposed Rulemaking to Consider Alternative Forms of Privacy Notices Under the Gramm-Leach-Bliley Act (‘‘ANPR’’) to solicit public comment on 21 See sectionsl.4,l.5, and l.6 of the privacy rule. 22 15 U.S.C. 6802, 6803; privacy rule, section l.3(b), SEC section 248.3(c), CFTC section 160.3(b)(1). 23 See, e.g., Privacy of Consumer Financial Information, 65 FR 35162 (June 1, 2000). The CFTC was added by Section 5g of the Commodity Exchange Act, 7 U.S.C. 7b-2 (as amended by the Commodity Futures Modernization Act of 2000), on December 21, 2000, and privacy notices were required to be delivered to consumers by March 31, 2002. Privacy of Consumer Financial Information, 66 FR 21236 (Apr. 27, 2001). 24 See Rulemaking Petition from Public Citizen, et al., at 4 (July 26, 2001) (available at http:// www.ftc.gov/bcp/workshops/glb/comments/ nader.pdf) (‘‘Public Citizen Petition’’) (stating that notices were ‘‘dense,’’ ‘‘complicated,’’ and written by those trained in obfuscation rather than to express ideas clearly). 25 See Get Noticed: Writing Effective Financial Privacy Notices, Interagency Public Workshop (Dec. 4, 2001) (‘‘Get Noticed Workshop’’). Workshop transcripts and other supporting documents are available at http://www.ftc.gov/bcp/workshops/glb/ index.html. The Get Noticed Workshop, discussed in the preamble to the Proposed Rule, supra note 4 at n.14, provided a public forum to consider how financial institutions could provide more useful privacy notices to consumers. E:\FR\FM\01DER2.SGM 01DER2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations a wide range of issues related to improving privacy notices.26 The ANPR stated that the Agencies expected that consumer testing would be a key component in the development of any specific proposals.27 During January and February 2004, the Agencies met with a number of interested groups and individuals to discuss the issues raised in the ANPR and subsequently received forty-four comments in response to the ANPR.28 While commenters expressed a variety of views on the questions posed in the ANPR, many commenters agreed that the Agencies should conduct consumer testing before proposing any alternative privacy notice. mstockstill on DSKH9S0YB1PROD with RULES2 B. Development of the Proposed Model Privacy Form Over the years during which GLB Act privacy notices have been delivered to consumers, the Agencies have observed wide variations in these notices. Today, privacy notices vary considerably—not just in format, presentation, language, length, style, or tone—but also in how they inform consumers of their rights to limit certain sharing of personal information. For example, the Agencies have found the following variations in current privacy notices. Some institutions incorporate privacy notices into lengthy terms and conditions statements, making it harder for consumers to find information about the institution’s privacy practices, and raising questions about whether such notices comply with the requirement that they be clear and conspicuous. Institutions also use messages in their notices’ opening statements about how they value privacy and strive to ‘‘protect’’ personal information, thus providing assurances to consumers that imply their personal information is not shared broadly, while obscuring or directing attention away from the required disclosures of actual information sharing practices. Finally, the Agencies have seen a number of institutions employ the statement in their privacy policy ‘‘We do not sell your information to third parties’’ in a 26 See Interagency Proposal to Consider Alternative Forms of Privacy Notices Under the Gramm-Leach-Bliley Act, 68 FR 75164 (Dec. 30, 2003), available at http://www.ftc.gov/os/2003/12/ 031223anprfinalglbnotices.pdf. The Agencies sought, for example, comment on issues associated with the format, elements, and language used in privacy notices that would make the notices more accessible, readable, and useful, and whether to develop a model privacy notice that would be short and simple. 27 Id. at text following n.5. 28 Summaries of the outside meetings and public comments to the ANPR are available at http:// www.ftc.gov/privacy/privacyinitiatives/ financial_rule_inrp.html. VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 context that raises concerns about misrepresentations.29 These examples illustrate the need to make disclosure of institutions’ information sharing practices and consumer choices more transparent and underscore the Agencies’ interest in initiating a joint consumer research project to develop an easy-to-read and understandable model privacy notice for consumers. In the summer of 2004, six of the Agencies 30 launched a project to fund consumer research (‘‘Notice Project’’). Their goals were to identify barriers to consumer understanding of current privacy notices and to develop an alternative privacy notice, or elements of a notice, that consumers could more easily use and understand compared to current notices. The Agencies conducted the consumer research in two sequential phases.31 In September 2004, the Agencies selected Kleimann Communication Group, Inc. (‘‘Kleimann’’) as their contractor for the phase one form development research. The research objectives of the Notice Project included designing a privacy notice that consumers could understand and use, that facilitated comparison of sharing practices and policies across institutions, and that addressed all relevant legal requirements of the GLB Act and FCRA. The form development phase culminated in an extensive research report prepared by Kleimann and released by the Agencies in March 2006 (the ‘‘Kleimann Report’’).32 The 29 In some cases, the Agencies have identified notices that violate the privacy rule. For example, one institution’s privacy notice did not include an opt-out form, but provided that consumers could only obtain an opt-out form by visiting a bank office, in violation of sections l.7(h), l.9(a), and l.10(a)(1) of the privacy rule. Another notice provided that consumers could only opt out by writing a letter to the institution, in violation of section l.7(a)(1) of the privacy rule. Offering only these very restrictive methods of obtaining an optout form and opting out also is not supported by the examples in the privacy rule. See sections l.7(a)(2), l.9(b), and l.10(a)(3) of the privacy rule. 30 The six agencies that initially sponsored the Notice Project were the Board, FDIC, FTC, NCUA, OCC, and SEC. The OTS joined the Notice Project for the phase two quantitative testing. Information related to the Notice Project is available at http:// www.ftc.gov/privacy/privacyinitiatives/ financial_rule_inrp.html. 31 The first phase was designed as qualitative testing or form development research. This research involved a series of in-depth individual consumer interviews to develop an alternative privacy notice that would be easier for consumers to use and understand. The second phase was designed as quantitative testing, to test the effectiveness of the alternative privacy notice developed in phase one among a larger number of consumers. 32 See Kleimann Communication Group, Inc., Evolution of a Prototype Financial Privacy Notice: PO 00000 Frm 00005 Fmt 4701 Sfmt 4700 62893 Kleimann Report details the process by which the Agencies and Kleimann developed an alternative privacy notice. The structure, content, ordering of the text information, and title of the proposed model form all reflect the research findings from the qualitative consumer testing. In October 2006, Congress passed the Regulatory Relief Act, which directed the Agencies to propose a model form based on standards similar to the Notice Project research goals. On March 29, 2007, the Agencies issued for public comment the proposed model form as produced in the form development phase with some minor revisions. C. Overview of Comments Received The Agencies collectively received approximately 110 unique comments from a variety of banks, thrifts, credit unions, credit card companies, securities firms, insurance companies, and industry trade associations, as well as from consumer and other advocacy groups, the National Association of Attorneys General (‘‘NAAG’’), the National Association of State Insurance Commissioners (‘‘NAIC’’), and individual consumers.33 A number of institutions expressed support for the model form. Some stated that they are either already using it (submitting copies of their notices) or intend to use it once it is finalized. One industry association conducted an informal poll of its community bank members and found that many are likely to use the model form and that most found the new form more consumerfriendly than the Sample Clauses. These commenters commended the Agencies for proposing simpler language and making the disclosure terms more understandable and accessible to consumers. Consumer and other advocacy groups, the NAIC, NAAG, and individual consumers generally supported the Agencies’ proposal and the clearer language and omission of extraneous information in the proposed model form. These commenters stated that the proposal could be strengthened in certain respects, for example, by making A Report on the Form Development Project (Feb. 28, 2006) (‘‘Kleimann Report’’). For a copy of the full report, go to http://www.ftc.gov/privacy/ privacyinitiatives/ftcfinalreport060228.pdf. For the executive summary, go to http://www.ftc.gov/ privacy/privacyinitiatives/ FTCFinalReportExecutiveSummary.pdf. 33 Comments received by all the Agencies are available at http://www.ftc.gov/privacy/ privacyinitiatives/financial_rule_inrp.html. Many commenters sent copies of the same letter to more than one agency. Some association commenters sent several letters, both individually and jointly with other associations. E:\FR\FM\01DER2.SGM 01DER2 62894 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations the default opt-in rather than opt-out and creating a one-stop opt-out repository similar to the National Do Not Call Registry. There was general support by many commenters for additional consumer research and testing. While some industry commenters provided substitute language or submitted alternate forms of the notice, none submitted other research findings. However, the NAIC submitted a consumer study on notices with research findings that the Agencies did consider. Most industry commenters, however, objected to several key aspects of the proposal. The most significant areas of concern raised by industry commenters related to: The standardized approach; the format of the proposed model form; the limited examples of types of personal information collected and shared; the disclosure table; incorporation of state law information; and revocation of the Sample Clauses. The thrust of many industry comments was that the proposed form was overly simplistic and not nuanced enough to describe precisely what the various laws permit or to allow accurate descriptions of more complex information sharing policies and practices. One commenter expressed concern that the form would lead to consumer confusion because of inaccurate disclosures on sharing practices and result in high opt-out rates, discouraging use of the form. Many industry commenters expressed concern about liability under state unfair or deceptive practice laws relating to privacy disclosures. At the same time, many institutions urged flexibility to allow inclusion of other information—such as describing the benefits of sharing, or providing marketing messages or privacy tips such as on identity theft and fraud prevention. One institution proposed allowing institutions to pick and choose which elements of the notice to use and still receive a safe harbor. mstockstill on DSKH9S0YB1PROD with RULES2 D. Quantitative Research Following publication of the model form proposal in March 2007 and subsequent review of the comments, the Agencies revised the proposed model form for further testing.34 In the fall of 2007, the Agencies turned their 34 See Mall Intercept Study of Consumer Understanding of Financial Privacy Notices: Methodological Report, submitted by Macro International Inc. (‘‘Macro Report’’), Appendix C, for copies of the test notices. The Macro Report is available at: http://www.ftc.gov/privacy/ privacyinitiatives/Macro-Report-on-Privacy-NoticeStudy.pdf. See also infra section III for a discussion about the changes made to the final model form since the Proposed Rule was issued for comment. VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 attention to developing the research protocol and methodology for conducting the second phase of the research: The quantitative consumer testing. In August 2006, prior to enactment of the Regulatory Relief Act, the Agencies had selected Macro International Inc. (‘‘Macro’’) to conduct the quantitative research study. In the spring of 2008, Macro conducted a survey of approximately 1,000 consumers using a mall-intercept methodology. The selected participants for the study reflected a range of demographic characteristics for gender, age, and educational level. The testing was conducted in five shopping mall locations—Baltimore, MD; Dallas, TX; Detroit, MI; Los Angeles, CA; and Springfield, MA—over a period of five weeks during March and April 2008.35 The test objectives were to evaluate the effectiveness of the revised proposed model form 36 developed by Kleimann (‘‘Table Notice’’) for comprehension and usability as compared to three other styles or formats of notices. The other notice formats were: (1) The prose version of the prototype table notice also developed and tested by Kleimann (‘‘Prose Notice’’); (2) a current version of a common notice used by financial institutions (‘‘Current Notice’’); and (3) a notice comprised solely of the Sample Clauses found in the appendix to the privacy rule (‘‘Sample Clause Notice’’). Within each format, there were three different notices, each reflecting a different level of sharing. Each level of sharing had a common fictional bank name across the four notice formats: Mars Bank had a low level of sharing; Mercury Bank had a medium level of sharing; and Neptune Bank had the highest level of sharing. Both Mercury and Neptune Banks offered opt-out choices; however, the pattern of sharing was such that after exercising all available opt-outs, Neptune Bank continued to share more broadly than Mercury Bank and Mercury Bank continued to share more than Mars Bank. This design was intentional for the comparison testing.37 35 Macro provided the test data to the Agencies in the summer of 2008 and its research methodology report in September. The study data and codebook are available at: http://www.ftc.gov/ privacy/privacyinitiatives/Privacy-Notice-StudyDataset.pdf and http://www.ftc.gov/privacy/ privacyinitiatives/Privacy-Notice-StudyCodebook.pdf. 36 The proposed model form was revised based on the comments received, and a version of that revised form was used in the quantitative testing. 37 Study participants were randomly assigned to see one of the four notice formats. Each participant read three privacy notices in the same format and was asked a series of questions, first about one pair of notices, and next about a second pair of notices, with one of the three notices used twice in each PO 00000 Frm 00006 Fmt 4701 Sfmt 4700 On December 15, 2008, two expert advisors to the Agencies, Dr. Alan Levy and Dr. Manoj Hastak, submitted a report to the Agencies analyzing the research data provided by Macro (the ‘‘Levy-Hastak Report’’).38 The LevyHastak Report confirmed the overall effectiveness of the proposed model form (as modified) as against the three alternative notice formats. On April 15, 2009, the SEC published the LevyHastak Report, along with the Macro Report and test data, for public comment. The SEC received nine comments.39 The Levy-Hastak Report examined two measures on how effectively the notices communicated information: (1) Judgment quality; and (2) perceptual accuracy.40 According to the Report, judgment quality focused on the extent to which study participants could provide logical, defensible reasons for choosing one bank over the other based solely on the notice. Perceptual accuracy focused on the ability of the participants to recognize accurately the differences between the banks in information collection and sharing practices, in opt-out choices, and in relative sharing after all opt-out choices were exercised.41 The Levy-Hastak Report concluded that, overall, the Table Notice outperformed the other notices.42 The Table Notice performed particularly well on difficult tasks 43 while the Current Notice performed poorly on all measures. While the Sample Clause Notice performed well on simple tasks, round. The order and repetition of the notices were rotated among the participants so that the same notice was not always viewed twice. Participants answered additional questions about the notices and their attitudes on information sharing. The interview sought information about participants’ choice of a bank based solely on the notice content; responses to factual questions, such as which of two banks shared more or whether any of the banks offered an opportunity to limit or opt out of sharing; performance of a task, such as determining which bank shared more after exercising all options to limit or opt out of sharing; and responses to questions about their attitudes toward the use and sharing of their information. See Macro Report, supra note 34, Appendix A. 38 See http://www.ftc.gov/privacy/ privacyinitiatives/Levy-Hastak-Report.pdf. 39 See http://www.sec.gov/comments/s7-09-07/ s70907.shtml. 40 Levy-Hastak Report at 7–14. 41 Id. at 4–5. 42 Id. at 16. 43 Id. at 17. According to the Report, an example of a difficult task was: Participants were asked to assume that they had limited or opted out of all possible sharing for both banks; based on that assumption, respondents were asked whether one bank shared more personal information than the other or whether both banks shared information equally. An example of an easy task was: Using the notice, participants were asked to identify how they could tell the bank that they wanted to limit or opt out of sharing personal information. E:\FR\FM\01DER2.SGM 01DER2 mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations about equal to the Table and Prose notices, it performed significantly less well than the Table Notice on measures of judgment quality.44 The Report concluded that the table format is likely a key explanation for the improvement in comprehension demonstrated by the study participants who saw the Table Notice as compared to those who saw the other notice styles—especially for difficult perceptual accuracy tasks.45 While the notice format significantly affected participants’ ability to comprehend and compare the notices, the testing showed that participants’ general attitudes about the sharing of their personal information were not affected by the notices they saw.46 Following the two rounds of questions on the content of, and comparison between, the notices, the study participants were asked to rate their attitudes in general toward information sharing, for example, sharing with affiliated banks and with nonaffiliated banks. The results showed that participants’ attitudes were about the same across the four notice formats.47 The Levy-Hastak Report analyzed two specific areas where the Table Notice seemed to perform less well than the other notices. First, the Report described an anomaly with respect to responses to the question [Q. 19/30]: ‘‘Which of these two banks gives you the opportunity to limit or to opt out of the sharing of your personal information?’’ 48 Generally participants identified the bank or banks that provided an opt-out. However, some participants who saw the Table and Prose notices selected Mars Bank, the one that shared the least and offered no opt-out option. Because answering ‘‘Mars Bank’’ was identified as an incorrect answer, the Current and Sample Clause notices out-performed the Table and Prose notices on this question. In contrast, the Table and Prose notices out-performed the other two notices on the most difficult task in the test. In this task, participants were asked to assume that they had exercised all possible options to limit or to opt out of sharing and then to identify which bank shared more. Here, the Table and Prose notices significantly out-performed the other notices. More participants who saw the Table and Prose notices correctly gave as their answer the higher sharing bank. This result suggests that participants who saw the Table and 44 Levy-Hastak 45 Levy-Hastak Report at 9–10. Report at 17. 46 Id. at 15. Study participants generally did not like their information being shared with either affiliates or with nonaffiliates. 48 See id. at 12–14. 47 Id. VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 Prose notices did understand which bank(s) offered an opportunity to limit or to opt out of their sharing. In analyzing this discrepancy, the Levy-Hastak Report observed that the simpler question had two different, yet accurate, responses, depending on how participants interpreted the question. Some of the participants might have understood the question to apply at the point of choosing between the two bank notices; those participants selected the lower sharing bank. In contrast, other participants might have understood the question to mean: Which bank lets me opt out of sharing personal information once I am doing business with the bank. The second interpretation was the intended meaning of the question. Drs. Levy and Hastak hypothesized that some participants who saw the Table and Prose notices understood the question to have the first meaning, while other participants, particularly those who saw the Sample Clause and Current notices, understood the question to have the second meaning.49 To test this hypothesis, Drs. Levy and Hastak examined the pattern of factual mistakes that participants made when they answered a separate set of questions.50 There, study participants were asked in Q. 16/27 why they preferred one bank over the other, based solely on the notice. Some participants who selected a bank that shared relatively little information and did not offer an opt-out stated that this bank offered more opportunity to limit or to opt out of sharing than the higher sharing bank, which was labeled a ‘‘false opt-out mistake’’ in the Report. The Report found that participants who saw the Table and Prose notices were on average almost three times as likely to make the false opt-out mistake as those who saw the Current and Sample Clause notices.51 49 Significantly, unlike the Sample Clause and Current notices, neither the Table nor the Prose notice uses the word ‘‘opt-out’’ in the model form; rather, these forms refer to ‘‘limiting sharing.’’ This word choice was intentional to help consumers understand that some sharing is necessary and that consumers cannot stop all sharing—a concept that consumers who knew the term equated with ‘‘optout.’’ See Kleimann Report, supra note 32, at 101– 108. Because the Table and Prose notices did not use the word ‘‘opt-out,’’ participants using these notices did not have that word as a visual ‘‘cue’’ when they were asked the question. 50 The Report also examined a second mistake: Where participants selected the lower sharing bank when they were asked to identify which bank shared more (labeled a ‘‘false sharing mistake’’). See Levy-Hastak Report at 9. In that case, there was not an unusual pattern in the distribution of responses. Rather, the Report found that the study participants who made this mistake were equally distributed across all four notice styles. Id. at 13. 51 Id. PO 00000 Frm 00007 Fmt 4701 Sfmt 4700 62895 This finding supports the hypothesis that users of the Table and Prose notices who selected the lower sharing bank in response to Q. 19/30 understood the question in its first meaning: They selected a bank that gave them an opportunity to limit or opt out of sharing at the time of choosing between the two bank notices. Under that interpretation, these participants could limit sharing by selecting the bank that shared less information. Thus the LevyHastak Report’s analysis of the false optout mistake pattern in Q. 16/27 is consistent with their hypothesis regarding the responses to Q. 19/30. In addition, the Report found that the educational level of the study participants produced a significant effect only on the responses to the optout question, with better educated participants more likely to answer the question in the intended manner.52 This finding is also consistent with the Report hypothesis that participants who saw the Table and Prose notices understood the question in two different, yet equally correct ways, unlike those who saw the Sample Clause and Current notices. The Table Notice also seemed to perform less well in a second, unrelated area. Specifically, all the test notices provided only two methods for consumers to opt out of or limit sharing: Use of a toll-free telephone number or access to the opt-out on the institution’s Web site. When study participants were asked to identify which contact modes were identified in the notice as ways to limit or opt out of sharing, they correctly identified the two modes more frequently when using the Sample Clause Notice than the Table, Prose, and Current notices. Noting that this type of question appears to invite skimming the notice to find the answer quickly and easily, the Levy-Hastak Report examined the great variability in notice length and found that the Sample Clause Notice was significantly shorter than any of the other notices. The Levy-Hastak Report observed that the shortness of the Sample Clause Notice may have made it easier for participants to scan the notice and find the answer to this question. The Report opined that notice length likely has an effect on scanability and reading ease.53 52 Id. at 13–14. 53 Levy-Hastak Report at 14. In addition, the use of check boxes in the design of the opt-out section of the Table and Prose notices (a carry-over from the original mail-in format of the proposed model form) appeared to confuse some participants when they were asked this question. The responses recorded for these two notices reflected a somewhat higher E:\FR\FM\01DER2.SGM Continued 01DER2 62896 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations While the Levy-Hastak Report findings confirmed the overall effectiveness of the Table Notice,54 the Report’s analysis prompted the Agencies to consider a further refinement to the proposed model form. The change, discussed in more detail later, was to modify the opt-out section of the model form to place the opt-out information on page one directly following the disclosure table so that all the key information appears on that page. 55 The Agencies considered this change to facilitate quick scanning for important information without sacrificing the model form’s performance in other respects. To ensure that locating the opt-out information on page one worked from a usability perspective, the Agencies decided to conduct validation testing which led to separate formats for the telephone and Internet opt-out and for the mail-in opt-out that the Agencies are adopting. mstockstill on DSKH9S0YB1PROD with RULES2 E. Public Comments on the Quantitative Test Data Nine commenters representing insurance, securities, and financial services associations, a bank, and two investment advisers submitted comments in response to the SEC’s solicitation for public comments on the quantitative testing. Most of the commenters re-stated their earlier general objections to the proposed model form. These concerns are addressed in section III. All but one of these commenters made general observations about the quantitative test methodology and the Levy-Hastak Report. Five commenters observed that the test notices were designed for banks and not for insurance companies or securities firms (i.e., broker-dealers, investment companies, or SEC-registered investment advisers), thereby omitting a significant portion of the financial services industry that provide these notices.56 Two commenters opined that number of ‘‘other’’ responses, even though all the notices offered the same two options. Macro reported anecdotally that a number of participants who viewed the Table and Prose notices reported ‘‘check this box’’ as one of the methods offered to opt out or limit sharing—a response that was recorded as ‘‘other.’’ 54 Id. at 17. 55 Some commenters had urged the Agencies to consolidate the model form on two sides of a single piece of paper, and a few suggested that the Agencies consider moving the opt-out to page one. See, e.g., comment letters of Securities Industry and Financial Markets Ass’n (May 29, 2007); World’s Foremost Bank (May 25, 2007); World Financial Network National Bank (May 29, 2007); World Financial Capital Bank (May 25, 2007). 56 See comment letters of American Council of Life Insurers (May 20, 2009), National Ass’n of VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 the study participants’ demographic characteristics did not reflect those consumers who will receive financial privacy notices.57 One expressed concern about the demographic diversity in the mall selections and questioned whether there was consistent coding of the open-ended responses.58 One commented that the testing criteria ruled out non-English speaking participants.59 Some of the commenters disagreed with the Levy-Hastak Report’s conclusion that the Table Notice outperformed the other notice formats. They opined that the Report’s conclusion is flawed because: (1) The Sample Clause Notice did better on simpler tasks than the Table Notice; 60 (2) the anomalies discussed in the LevyHastak Report may be due to other explanations; 61 and (3) while the Table Notice’s overall performance was better than the other notices, actual performance accuracy was relatively low.62 Several commented that the overly simplified and inflexible format of the Table Notice is not a true test of consumers’ understanding of institutions’ actual collection and disclosure practices.63 In addition, all commenters on the quantitative testing Mutual Insurance Cos. (May 20, 2009), American Insurance Ass’n (May 20, 2009), Investment Adviser Ass’n (May 20, 2009), The Financial Services Roundtable and BITS (May 20, 2009). 57 See comment letters of National Ass’n of Mutual Insurance Cos. (May 20, 2009); The Financial Services Roundtable and BITS (May 20, 2009). 58 See comment letter of The Financial Services Roundtable and BITS (May 20, 2009). 59 See id. The Agencies used a single form, printed in English, for simplicity in conducting the testing. We recognize that institutions can and do provide notices in a variety of other languages when their customers are non-English speaking. We anticipate that those institutions that use the final model form will continue to provide their notices in other languages to ensure that their non-English speaking customers can read and use the form. See also Transcript of Get Noticed Workshop, available at http://www.ftc.gov/bcp/workshops/glb/ GLBtranscripts.pdf, comments of Irene Etzkorn (recognizing that banks do provide financial privacy notices in languages other than English); comments of Tena Friery (noting that the Privacy Rights Clearinghouse promotes notices and educational materials in other languages and that 80–100 different languages are spoken in Los Angeles alone). 60 See comment letters of American Insurance Ass’n (May 20, 2009); National Ass’n of Mutual Insurance Cos. (May 20, 2009). While some commenters find greater virtue in the better performance of the Sample Clause Notice on only the simpler tasks or disagree with the Levy-Hastak Report’s analyses, the evidence is compelling that the Table Notice performed better overall across all comprehension and comparison measures. See Levy-Hastak Report at 6. 61 See comment letter of American Council of Life Insurers (May 20, 2009). 62 Id. 63 See, e.g., comment letter of The Financial Services Roundtable and BITS (May 20, 2009). PO 00000 Frm 00008 Fmt 4701 Sfmt 4700 urged retention of the Sample Clauses and related safe harbor. The test notices for the quantitative study were created for fictitious banks, even though the model form can be used by any financial institution subject to the GLB Act and the privacy rule. Because the vast majority of consumers are familiar with or have experience with a bank, the Agencies used a notice designed for a bank to increase the likelihood that most of the test participants could readily understand the terms in the notice, such as ‘‘account balances,’’ ‘‘income,’’ or ‘‘credit history,’’ which describe information collected and shared by many banks, as well as by many other financial institutions. The Macro Report presented data on the demographic characteristics of the study participants recruited for the study. Participants at each mall were pre-selected for a representative mix based on gender, age, and education levels, and information on participants’ race/ethnicity, income, and household size was obtained at the end of each interview.64 Since a significant majority of consumers in America receive a financial privacy notice—including from banks, credit unions, securities firms, insurance companies, auto dealers, debt collectors, and payday lenders—the Agencies wanted to ensure that a representative cross-section of consumers be included in the study. The Agencies hired Macro as an outside independent expert to handle all aspects of the collection and reporting of the study data. Macro conducted all training of field staff, implemented a series of checks to ensure greater accuracy of the study data, reviewed, on an ongoing basis, all daily downloads of data from the field, and coded all of the open-end responses.65 With respect to the comment that the accuracy of the study participants’ responses overall was relatively low, the commenter cited the judgment quality measure of the participants’ fact-based reasons for choosing the lower sharing bank.66 While the results showed that most consumers likely have a limited 64 Macro Report, supra note 34, at 3 & Appendix B; Levy-Hastak Report at 2. 65 Macro Report, supra note 34, at 3–4. 66 The commenter looked to the Table Notice score of 40.6% in Table 1 of the Levy-Hastak Report. Levy-Hastak Report at 12. This data evaluated how well study participants could explain their reasons for preferring one bank notice over another where they selected, as their preferred bank, the lower sharing bank. While the commenter pointed to a single measure in the Levy-Hastak Report, the Report relied on a number of accuracy measures that varied in difficulty level. See, e.g., id., Table 3 at 12. E:\FR\FM\01DER2.SGM 01DER2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations understanding of information sharing practices after a brief exposure to any of the notice styles, nevertheless the LevyHastak Report confirms that overall the Table Notice out-performed the other notices and is the most effective notice of all the privacy notices tested. Finally, two commenters requested that if both the model privacy form and the SEC’s proposed amendments to its privacy rule, Regulation S–P, were adopted, the SEC should coordinate the compliance dates so as to minimize the compliance burden and the potential for multiple revisions of an institution’s privacy notice.67 The SEC appreciates institutions’ desire to minimize revisions to their privacy notices and reduce the costs of compliance with its rules. However, the model privacy form the Agencies are adopting today is just that—a model—and no institution is required to use the model form. A financial institution that intends to use the model privacy notice and minimize potential costs, if any, related to revising its privacy notices in light of amendments to Regulation S–P could begin to use the model form after the compliance date of any final amendments to Regulation S–P. mstockstill on DSKH9S0YB1PROD with RULES2 F. Validation Testing In revising the model form based on public comments and findings from the Levy-Hastak Report, the Agencies streamlined the form to consolidate the information on the front and back sides of a single piece of paper and moved the opt-out information to the bottom of page one. In December 2008, the Agencies engaged Kleimann to conduct validation testing to confirm that these changes would not affect the comprehension, usability, and design integrity of the model form. In particular, Kleimann’s new research focused on the placement of the opt-out information on page one. Kleimann conducted targeted in-depth interviews in January and February 2009 to test, revise, and re-test the model form. On February 12, 2009, Kleimann submitted a report to the Agencies, ‘‘Financial Privacy Notice: A Report on Validation Testing Results,’’ with a revised opt-out form recommendation (‘‘Kleimann Validation Report’’).68 The validation testing examined various formats for displaying opt-out 67 See Part 248–Regulation S–P: Privacy of Consumer Financial Information and Safeguarding Personal Information, Securities Exchange Act Release No. 57427, Investment Company Act Release No. 28718 (Mar. 4, 2008) [73 FR 13692 (Mar. 13, 2008)]. See also comment letters of American Council of Life Insurers (May 20, 2009) and Investment Advisers Ass’n (May 29, 2007). 68 http://www.ftc.gov/privacy/privacyinitiatives/ validation.pdf. VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 information where the opt-out methods are by toll-free telephone number,69 the Internet, or a mail-in form. The validation testing confirmed the usability of the following changes to the proposed model form: (1) inserting a new box titled ‘‘To limit our sharing’’ below the disclosure table to inform consumers how they can limit sharing, such as by a toll-free telephone number or online; (2) replacing the ‘‘Contact Us’’ box with a box titled ‘‘Questions’’ following the ‘‘To limit our sharing’’ box; and (3) as applicable, inserting a mail-in form at the bottom of the page, which would require a longer piece of paper.70 III. The Final Model Privacy Form A. Standardization Like the proposed model privacy form, the final model form uses a standardized format. Some industry commenters expressed support for the standardized format, with one noting that standardized notices would serve as an effective means of allowing consumers to understand in a simple manner companies’ information practices.71 Another commenter pointed to the success of the ‘‘Schumer box,’’ a standardized format that makes the disclosure of credit card terms more accessible to consumers.72 Privacy and advocacy groups and NAAG supported the proposed standardized format, recognizing the important findings of the research and the model form’s structure—in particular the elements on page one—as benefiting both consumers and companies by making the disclosure information accessible.73 section l.7(a)(2)(ii)(D) of the privacy rule. Validation Report, Appendix E. The Kleimann Validation Report found that the information for telephone or Internet options could be readily displayed on a standard 8c x 11-inch page, but the addition of a mail-in form required a longer piece of paper. 71 Comment letter of The Direct Marketing Ass’n (May 29, 2007) (commenting that it has an automated software program that allows companies to create a customized privacy notice in a standardized format). 72 See comment letter of Capital One Financial Corporation (May 29, 2007); see also 12 CFR 226.5a(a)(2)(i)–(ii). 73 See, e.g., comment letters of Center for Democracy and Technology (May 29, 2007); National Ass’n of Attorneys General (June 14, 2007); Privacy Rights Clearinghouse (May 16, 2007). See also The Center for Information Policy Leadership (May 29, 2007) (recognizing that the proposed model form addresses the requirements of the GLB Act and that the research provided insight into what effectively communicates to consumers, including ‘‘important information about how people learn about privacy, about the use of tables to facilitate comparisons across companies, and about the need to inform consumers about why they are receiving a privacy notice’’). 69 See 62897 A number of industry commenters, however, objected to the standardized form, asserting variously that: It causes confusion; because it is an abrupt change in the way information-sharing practices are disclosed, it could cause consumers to believe that the institution is changing its policies; because the model form has too much boilerplate, it detracts from the ability to compare policies; and it makes the notice less clear. Others stated that the standardized form is too inflexible and does not accurately reflect institutions’ financial practices or accurately describe the scope of consumers’ rights. Several stated that the model form language does not adequately capture the complex privacy policies and practices of many institutions. Based on the statutory requirement that the Agencies propose ‘‘a model form,’’ the final model privacy form utilizes a standardized format.74 Moreover, as more fully discussed in the preamble to the Proposed Rule, the Agencies’ research supports uniform disclosures to help consumers better understand companies’ information sharing practices.75 We reaffirm that use of the model form is voluntary; institutions are not required to use it. B. Instructions for Use The General Instructions to the Model Privacy Form require that no additional information—other than what is specifically permitted—may be included in the model form in order to obtain the benefit of the safe harbor.76 A number of industry commenters objected to the Agencies’ statement in the preamble to the Proposed Rule that the model form should not be incorporated into any other document.77 70 Kleimann PO 00000 Frm 00009 Fmt 4701 Sfmt 4700 74 Cf. Press Release, U.S. House of Representatives, Committee on Financial Services, Financial Services Committee Democrats Call for Simplified Privacy Notices, (July 25, 2003) available at: http://financialservices.house.gov/ pr062503.html. 75 See Proposed Rule, supra note 4 at text accompanying n.30. See also Janice Tsai, Serge Egelman, Lorrie Cranor, and Alessandro Acquisti, ‘‘The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study,’’ The 6th Workshop on the Economics of Information Society (WEIS) (June 2007) http:// weis2007.econinfosec.org/papers/57.pdf (more accessible privacy information reduces information asymmetry between the merchant and the consumer as to the use of consumers’ personal information; aids consumers in making informed choices; and demonstrates that consumers tend to purchase from merchants offering more privacy protection, including paying a premium for such a purchase). 76 See Instruction C to the Model Privacy Form. 77 See, e.g., comment letters of American Council of Life Insurers (May 29, 2007); Investment Company Institute (May 29, 2007); National Business Coalition on E-Commerce and Privacy (May 30, 2007). E:\FR\FM\01DER2.SGM 01DER2 62898 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations Some expressed concern that this would require the notice to be mailed separately.78 Several commenters stated that a private label or co-branded credit card application incorporates the lender’s privacy policy into a brochure with a tear-off application to make it easier for the store clerks to provide all required information in a single document.79 Others observed that the privacy notice is typically included in a single document with other important reference information. Recognizing these concerns, the Agencies agree that institutions may incorporate the model form into another document, but they must do so in a way that meets all the requirements of the privacy rule and the model form instructions, including that: The model form must be presented in a way that is clear and conspicuous; 80 it must be intact so that the customer can retain the content of the model form; 81 and it must retain the same page orientation, content, format, and order as provided for in this Rule. mstockstill on DSKH9S0YB1PROD with RULES2 C. Format of the Notice In response to numerous comments relating to the format of the proposed model form, the Agencies have revised certain of the requirements relating to paper size, orientation, number of pages, type size, and color and logo placements, as discussed below. Paper Size: To allow institutions greater flexibility, the final model privacy form may be printed on paper the size of which must be sufficient to meet the layout and minimum font size requirements with sufficient white space on the top, bottom, and sides of the content.82 Many industry commenters objected to the proposed requirement that the model form appear 78 See, e.g., comment letters of American Bankers Ass’n (May 25, 2007); American Insurance Ass’n (May 29, 2007) Visa U.S.A., Inc. (May 29, 2007). 79 See, e.g., comment letters of Consumer Bankers Ass’n (May 29, 2009); National Retail Federation (May 29, 2007). 80 The term ‘‘clear and conspicuous’’ is defined in the privacy rule at section l.3(b), SEC section 248.3(c), and includes as a requirement that the notice be designed to call attention to the nature and significance of the information in the notice. In addition, the privacy rule requires that consumers should reasonably be expected to receive the notice. See section l.9 of the privacy rule. 81 Institutions that incorporate the model privacy form into other documents must take care that the customer’s execution of other forms in the document will leave the model form intact. 82 See Instruction B to the Model Privacy Form. The Agencies understand that most privacy policies provide for opting out by toll-free telephone or on the Internet. The paper size for those policies will likely be about 81⁄2 x 11 inches. However, for those institutions that provide a mail-in opt-out form, the paper size will likely need to be longer, around 81⁄2 x 14 inches, in order to accommodate the mail-in form. VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 on 81⁄2 by 11-inch size paper.83 Commenters stated that the proposed model form would require significant materials, postage, and production costs. Industry commenters explained that institutions use a variety of sizes and styles to present their privacy notices. Some institutions—particularly credit card institutions—enclose their privacy notices with a billing or periodic statement or a bankcard carrier. Envelopes for certain of these statements or for multi-panel formats are smaller than 81⁄2 inches and may not accommodate the proposed size. The Agencies have reviewed numerous financial institution privacy notices over the past eight years, many of which are printed on smaller-sized paper in a multi-panel, multi-fold display. The density of the small-font text, in addition to the complex legal language, make these notices very difficult to read or understand.84 The final requirement for paper size is designed to provide financial institutions with some flexibility, while prohibiting a paper size that is too small to accommodate the font and orientation requirements in the model form set forth below. Orientation: Like the proposed model form, the final model privacy form must be printed in ‘‘portrait’’ orientation. Some institutions objected to this orientation, suggesting instead that institutions be permitted to design their own model form in other orientations, such as the commonly-used multi-fold display.85 According to these 83 See, e.g., comment letters of Consumer Bankers Ass’n (May 29, 2007); American Bankers Ass’n (May 25, 2007); Bank of America Corporation (May 29, 2007); Independent Community Bankers of America (May 29, 2007); Securities Industry and Financial Markets Ass’n (May 29, 2007); Investment Company Institute (May 29, 2007); National Retail Federation (May 29, 2007); National Ass’n of Mutual Insurance Cos. (May 29, 2007); Credit Union National Ass’n (May 29, 2007). 84 See supra notes 24–25 and infra note 95. 85 See, e.g., comment letters of National Retail Federation (May 29, 2007); Investment Advisers Ass’n (May 20, 2009); American Bankers Ass’n (May 25, 2007); Credit Union National Ass’n (May 29, 2007). Some of these commenters pointed to the preamble language in the final privacy rule which states: ‘‘The Agencies believe that in most cases the initial and annual disclosure requirements can be satisfied by disclosures contained in a tri-fold brochure.’’ 65 FR 33646, 33662 (May 24, 2000) (FTC); 65 FR 35162, 35175 (June 1, 2000) (banking agencies); (Regulation S–P) 65 FR 40334, 40347 (June 29, 2000) (SEC). This statement was written in 2000 before the Agencies or institutions had any experience with the GLB Act privacy notices. In the intervening period, both the Agencies and institutions have learned much through their own testing about improved notice design and consumer comprehension. The impetus for the Agencies’ consumer research, borne out by the research findings, is that the current notices, including those utilizing multi-fold formats, are not effective. Moreover, the important information on page one PO 00000 Frm 00010 Fmt 4701 Sfmt 4700 commenters, this landscape format has three or more ‘‘pages’’ of text visible on each side of the paper when the notice is fully opened. The size of the paper varies considerably, with some as small as approximately 7 by 11 inches before it is folded. In such a display, each ‘‘page’’ is approximately 31⁄3 by 7 inches—considerably smaller than can accommodate the model form.86 The design of the model form does not lend itself to a multi-panel display. The utility of the form’s design for reading ease depends in large measure on both larger, more readable type size and how the content is presented. While one commenter objected to the ‘‘significant empty space’’ in the model form,87 the guidance from communications experts and form designers is that appropriate white space between the text and margins, as well as the use of headings and bullets, make a more effective, readable notice.88 The table—the heart of the model form—cannot be squeezed into a tighter space or so reduced in size as to make it virtually unreadable. For these reasons, the Agencies do not agree that the orientation of the model form should be altered to accommodate a multi-panel display. Number of Pages: In response to numerous commenters, the instructions to the final model privacy form permit the form to be printed on two sides of a single piece of paper or on two singlesided sheets.89 By incorporating the optout information on the bottom of page one, the revised model form may now appear on the front and back of a single piece of paper. Industry commenters generally objected to the proposed requirement that the model form be printed only on one side of a page.90 Many raised environmental concerns and the increased costs associated with printing the notice on multiple pages. While the proposed single-sided model form was based on the initial of the model form—including the context information and disclosure table—could not be appropriately displayed in such a cramped format and still comply with the minimum space and font requirements of the model form. 86 Examples provided by commenters included: 3.5 x 7.5 inches, printed double sided; 3.5 x 8; 7 ×10.812 inches folded to 7 x 3.625 inches; 7 x 3.5 inches (finished folded size). See, e.g., comment letter of National Retail Federation (May 29, 2007). 87 See comment letter of Consumer Bankers Ass’n (May 29, 2007). 88 See supra note 25. 89 See Instruction B.2 to the Model Privacy Form. 90 See, e.g., comment letters of American Insurance Ass’n (May 29, 2007); Bank of America Corporation (May 29, 2007); Citigroup Inc. (May 30, 2007); National Retail Federation (May 29, 2007); Securities Industry and Financial Markets Ass’n (May 29, 2007). E:\FR\FM\01DER2.SGM 01DER2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations consumer research and testing, the Agencies believe that the concerns expressed by commenters justify double-sided printing. Moreover, the Agencies used double-sided printed notices in the quantitative and validation testing, with no demonstrable loss in effectiveness relative to the single-sided notice.91 D. Appearance of the Model Privacy Form The Regulatory Relief Act requires that the model form ‘‘use an easily readable type font.’’ While a number of factors affect the readability of a document, as in the proposal, the final model privacy form must use: (1) 10point font as the minimum font size (unless otherwise specified in the Instructions) and (2) sufficient spacing between the lines of type (leading).92 The Agencies separately provided optional guidance in the preamble to the Proposed Rule on readable type styles and other formatting suggestions for institutions. This optional guidance is not required; it was to assist institutions that want to provide more readable and attractive privacy notices to consumers. The Agencies are republishing this optional guidance in section III.E to assist interested institutions. Type Size: A number of commenters expressed various concerns about the proposed 10-point minimum font requirement.93 A few commenters noted that the proposed model form included several different type sizes for various parts of the model form and were confused about what type size(s) the Agencies proposed as a requirement.94 Other commenters raised concerns that a minimum type size requirement for the model form would conflict with state law mandated requirements. A few stated that a minimum font size is not legally required for the model form. 91 See Levy-Hastak Report at 15. a variety of type styles would be suitable for the model notice, the Agencies caution institutions that use of idiosyncratic fonts or highly stylized typefaces will not meet the model form safe harbor standard. See Instruction B.3(a) to the Model Privacy Form. 93 See, e.g., comment letters of American Council of Life Insurers (May 29, 2007); National Business Coalition on E-Commerce and Privacy (May 30, 2007); National Retail Federation (May 29, 2007); Financial Services Roundtable and BITS (May 29, 2007). 94 The type size information in Example 3 in the preamble to the Proposed Rule identified the five type sizes used in various elements of the proposed form. This example was intended solely to show how key features of the form—such as headings— can be distinguished by using different font sizes to make the form more visually appealing. Contrary to some commenters’ assumption, the different sizes were not a proposed requirement for users of the model form. mstockstill on DSKH9S0YB1PROD with RULES2 92 While VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 Many of the criticisms about current notices are, in part, about the tiny print that make these notices so difficult for consumers to read.95 Based on the statutory directive, as well as the findings elicited from the Agencies’ consumer research and expert views, the Agencies believe that the model form should have a minimum 10-point font. Requiring a minimum 10-point font is consistent with state law mandates for consumer disclosures.96 Leading: Leading is the spacing between lines of type, measured in points. If the line spacing is too narrow, the type is hard to read. In these circumstances, the ascenders (such as the upward line in the letter ‘‘h’’) and descenders (such as the downward line in a ‘‘g’’) may touch, blending the lines of type and making it much harder to distinguish the letters on the page. The final instructions to the model form require only that the leading used allow for sufficient spacing between the lines, but do not mandate a specific amount. E. Optional General Guidance for Easily Readable Type The Proposed Rule included optional guidance on readable type styles and other formatting suggestions for institutions that want to provide privacy notices that are more readable and attractive to consumers, as well as those that want to develop their own model privacy form.97 A number of commenters were concerned by this guidance for easily readable type, and in some cases, they assumed the guidance would be mandatory. The Agencies expressly state that the guidance in this section III.E. is not mandatory and is not a requirement for proper use of the model form. In more closely examining the statutory directive for ‘‘easily readable type,’’ the Agencies determined that a number of type-related factors can 95 See Kleimann Report, supra note 32, at 33. See also, e.g., Public Citizen Petition, supra note 24 at 7 (‘‘[S]mall font sizes * * * deprive consumers of their right to prevent financial institutions from sharing private information.’’); ‘‘UNDERSTANDING THE FINE PRINT: How to make sure the gotchas don’t get you,’’ Consumer Reports Money Adviser (Oct. 2008) (‘‘Fine print is everywhere—contracts; retail Web sites; sales receipts; print, broadcast, and Internet offers; prospectuses; privacy notices; product manuals; and manufacturer warranties.’’); David Colker, ‘‘Stopping junk mail for living and dead; Opt-outs can slow the torrent of solicitations to computer and postal mailboxes and phones;’’ Los Angeles Times, July 22, 2007, at C3 (‘‘[B]y law, financial institutions have to offer an opt-out if they are making this data available to non-affiliated businesses. The problem is that their guides to opting out are often contained in their privacy notices—in small print.’’). 96 See, e.g., Cal. Fin. Code div. 1.2 § 4053(d)(1)(B) (requiring 10-point minimum font). 97 See Proposed Rule, supra note 4, at section II.F. PO 00000 Frm 00011 Fmt 4701 Sfmt 4700 62899 greatly affect the readability of a form. Type size, type style, leading, x-height, serif versus sans serif,98 upper and lower case type, along with the page layout—together play an important role in designing a typeface that is highly readable. Therefore, in considering these various factors for the design of an easily readable type font, institutions that elect to use the model form may voluntarily consider this additional guidance for an easily readable appearance to the notice. Leading: Research on the legibility of typography indicates that people read faster when text is set with 1 to 4 points of leading.99 Institutions may, but are not required to, consider these general recommendations for use with the model form: 10- or 11-point type should have between 1 and 3 points of leading. Twelve-point type should have between 2 and 4 points of leading.100 Type style and ‘‘x’’-height: The readability of type size is highly dependent on the selection of the type style. Some styles in 10-point font are more readable than others in 12-point font and appear larger because of their design. Experts differ on the question of the most desirable type style. The model form uses sans serif and ‘‘monoweight’’ type, and upper and lower case lettering in the body of the form.101 Larger x-height 102 makes a font appear larger and thus more readable, and fonts with larger x-heights are better for smaller text. Research shows that our eyes ‘‘scan the top of the letters’ x-heights during the normal reading process, so that is where the primary identification of each letter takes place.’’ 103 Generally, a font with an 98 Serif typeface has small strokes at the ends of the lines that form each letter. Sans serif typeface does not have those small strokes. 99 Karen A. Schriver, Dynamics In Document Design (‘‘Schriver’’) 274 (1997). 100 Id. at 262; see also James Hartley, Designing Instructional Text (1994); and Barbara Chaparro et al., Reading Online Text: A Comparison of Four White Space Layouts 6(2) (2004). 101 While much of the printed material in the United States and western Europe uses serif styles, Web designers are increasingly using sans serif type, as they have found that serif type is harder to read online. These changes in Web design are also beginning to affect font styles in printed materials. Some typography designers are now using sans serif typefaces, as well as type with a uniform thickness throughout the letter (monoweight typeface), finding these typefaces easier to read than those with variable thickness. 102 The ‘‘x-height’’ is the height of the lower-case ‘‘x’’ in relation to full height letters, such as a capital G. X-height is critical to type legibility. 103 Erik Spiekermann & E.M. Ginger, Stop Stealing Sheep & Find Out How Type Works 93 (1993). E:\FR\FM\01DER2.SGM 01DER2 62900 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations x-height ratio of around .66 is easier to read.104 While not mandating a particular type style or x-height, the Agencies are providing these general guidelines for type style in the model form: For typefaces with a smaller x-height, 11- or 12-point font should be used; for typefaces with a larger x-height, a 10point font would be sufficient.105 For ease of reference, the following table summarizes the optional guidance discussed here. None of the standards in the table below is mandatory; rather, the information in the table is offered only as suggestions for institutions that design their own forms. If Then use And use And use font with Font is 10-point ......................... 1–3 points leading .................. Monoweight typeface ......................... Font is 11-point ......................... 1–3 points leading .................. Monoweight typeface ......................... Font is 12-point ......................... 2–4 points leading .................. Monoweight or variable typeface ....... Large x-height sans serif (around .66 ratio). Smaller x-height is acceptable; either serif or sans serif (less than .66 ratio is acceptable). Smaller x-height is acceptable; either serif or sans serif (less than .66 ratio is acceptable). mstockstill on DSKH9S0YB1PROD with RULES2 F. Printing, Color, and Logos We are adopting the requirements for printing, color, and logos in the final model form as proposed. Commenters generally commended the Agencies’ support for the use of color and company logos on the model form.106 A few industry commenters expressed concern about the background shading in certain headers smudging in highspeed printing operations.107 Some commenters sought clarification as to whether logos can use more than one color. The Agencies agree that the distinguishing features of company logos along with color are important to ensure that an institution’s documents have a distinctive look that consumers may readily recognize. As the Agencies proposed, a financial institution that uses the model form may include its corporate logo on any of the pages, so long as the logo design does not interfere with the readability of the model form or space constraints of each page. Institutions using the model form should use white or light color paper (such as cream) with black or suitable contrasting color ink. Spot color is permitted to achieve visual interest to the model form, so long as the color contrast is distinctive and the color does not detract from the form’s readability. The Agencies are not prohibiting the use of more than one color in a logo. Other commenters asked for greater flexibility to include ‘‘markings’’ or ‘‘graphics’’ or other ‘‘visual effects’’ or to include a ‘‘branding phrase’’ or ‘‘advertising slogan.’’ 108 The Agencies observe that few institutions’ privacy policies include advertising slogans. We note that some include pictures or other large designs that occupy the front cover. The Agencies believe that these designs or slogans would distract from the content of the model form and that slogans would be inconsistent with the standardized language throughout the form. For these reasons, the final model form does not permit institutions to include slogans or images (other than logos) on the model form. The final model privacy form includes a new FAQ at the top of page A number of commenters sought clarification as to whether institutions regulated by different Agencies could together provide a single joint notice to consumers.110 Insurance companies and their associations in particular expressed concern that the form did not allow for insurance-specific terminology and potentially put these institutions— regulated by the states—at some risk.111 104 See, e.g., Hewlett-Packard Corporation, Panose Classification Metrics Guide (2006), available at http://www.monotypeimaging.com/ productsservices/pan2.aspx. 105 See Schriver, supra note 99, at 264; see also id. at 258–59. Fonts that satisfy the type style and x-height recommendations include sans serif fonts such as Tahoma, Century Gothic, Myriad, Avant Garde, Bk Avenir Book, ITS Franklin Gothic, ArialHelvetica, and Gill Sans, and serif fonts such as the Chaparral Pro Family, Minion Pro, Garamond, Monotype Bodoni, and Monotype Century. A number of these font styles, including ArialHelvetica, Tahoma, Century Gothic, Garamond, and Bodoni, are preloaded in commonly used word processing applications with most new personal computers. The other font styles are commercially available as well. 106 See, e.g., comment letters of American Insurance Ass’n (May 29, 2007); National Ass’n of Mutual Insurance Cos. (May 29, 2007); Securities Industry and Financial Markets Ass’n (May 29, 2007); Consumer Bankers Ass’n (May 29, 2007). 107 See, e.g., comment letters of National Business Coalition on E-Commerce and Privacy (May 30, 2007). With the modern, high-speed printing equipment readily available, the Agencies do not foresee problems with reproducing background shading, just as they see no difficulties with printing blocks of color for company logos or advertising materials. Moreover, the validation testing research found that consumers appreciated shading as a navigation guide. See Kleimann Validation Report at 9–10. 108 See, e.g., comment letters of Consumer Bankers Ass’n (May 29, 2007); National Business Coalition on E-Commerce and Privacy (May 30, 2007). 109 See, e.g., comment letters of American Council of Life Insurers (May 29, 2007); Investment Advisers Ass’n (May 29, 2007). 110 See, e.g., comment letters of National Business Coalition on E-Commerce and Privacy (May 30, 2007); T. Rowe Price Associates, Inc. (May 29, 2007); Financial Services Roundtable and BITS (May 29, 2007); National Ass’n of Mutual Insurance Cos. (May 29, 2007); Investment Company Institute (May 29, 2007). 111 See, e.g., comment letters of National Ass’n of Mutual Insurance Cos. (May 29, 2007); American Insurance Ass’n (May 29, 2007); Great-West Life & Annuity Insurance Company (May 29, 2007). In addition to including insurance-specific phrases in the menu of terms for the ‘‘What?’’ box on page one and the collection of information FAQ on page two, the Rule also recognizes that institutions that provide insurance products or services and elect to use this model form can use the word ‘‘policy’’ instead of ‘‘account’’ for the joint accountholder description. See Instructions C.2(g)(1) and C.3(a)(5) to the Model Privacy Form. The Agencies have periodically consulted with the NAIC to ensure that the final model form is sufficiently flexible to address the insurance marketplace. The NAIC is continuing to evaluate how best to proceed regarding insurance company use and implementation of the form by individual jurisdictions. This effort may include the NAIC developing a model bulletin for regulatory use or amending its model Privacy of Consumer Financial and Health Information Regulation to replace the VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 G. Jointly-Provided Notices PO 00000 Frm 00012 Fmt 4701 Sfmt 4700 two: ‘‘Who is providing this notice?’’ Many commenters representing larger institutions observed that the proposed model form did not provide sufficient space to identify multiple entities that jointly provide a privacy notice, as permitted by the privacy rule.109 Some suggested the Agencies provide extra space for this information either in the body of the notice or as a footnote. The new FAQ is not required where only a single financial institution is providing the notice and that institution is identified in the title. As discussed in section III.J.1, space is provided for the institution’s response. H. Use of the Form by DifferentlyRegulated Entities E:\FR\FM\01DER2.SGM 01DER2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations The Agencies fully intend that differently-regulated entities can provide a single joint notice to consumers by using the final model form. The Agencies have consulted with the NAIC, which submitted a letter with proposed modifications to certain sections of the form. The Agencies have incorporated into the final model form two menus of terms adaptable to the wide range of financial institutions. The menus include both the SEC’s and the NAIC’s proposals, and enable a variety of institutions, including securities firms and insurance companies, to use the model form, either individually or jointly with other types of financial institutions. I. Page One of the Model Form 1. Title The Agencies are adopting the title, ‘‘What Does [Name of Financial Institution] Do With Your Personal Information?,’’ as proposed. One commenter objected to the title, preferring instead to refer to it as a privacy notice.112 Other commenters who provided sample revised notices also used alternate headings, such as, ‘‘our privacy notice for consumers,’’ ‘‘privacy information,’’ ‘‘privacy statement,’’ and ‘‘keeping your information safe and secure.’’ 113 The research found that the terms ‘‘privacy notice’’ or ‘‘privacy policy’’ deterred consumers from reading the notice.114 Consumers understood these terms to mean that the institution does not share personal information. The validation testing confirmed the effectiveness of the title.115 2. Key Frame mstockstill on DSKH9S0YB1PROD with RULES2 The Agencies are adopting the basic structure of the key frame as proposed with some language changes to address comments received. Industry commenters raised several objections to the key frame—the ‘‘Why?,’’ ‘‘What?,’’ and ‘‘How?’’ boxes. Their principal concern was the inflexible nature of the information in these boxes. Many commenters took particular issue with the list of information collected and shared, noting that not all institutions collect and share the information current sample clauses with the new model privacy form. 112 See, e.g., comment letter of MasterCard Worldwide (May 29, 2007). 113 See, e.g., comment letter of Citigroup Inc. (May 30, 2007); Wells Fargo & Company (May 29, 2007); Wachovia Corporation (May 25, 2007); Sovereign Bank (May 21, 2007). 114 See Kleimann Report, supra note 32, at 43, 66–67. 115 Kleimann Validation Report at 8. VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 listed.116 These commenters asked for greater flexibility in identifying other types of information that may better relate to their practices. Commenters raised other issues about: vocabulary; the contents and number of the boxes; and the inclusion of certain information not required by the privacy rule. Some commenters proposed moving and deleting phrases—as well as using the phrase ‘‘as permitted by law’’ to describe the types of sharing they can do. Some commenters raised questions about the reference to former customers. The Agencies appreciate the various suggestions provided—particularly on vocabulary and the structure and contents of the boxes—but note that the model form was developed through consumer research with the goal of making it understandable to consumers. The Agencies have decided to retain the basic structure and content of the key frame but have made certain modifications. The Agencies recognize that financial institutions may collect and share types of information other than those listed on the proposed form, including institutions that provide insurance or investment advice or sell securities. The Agencies have, after consulting with the NAIC and based on consideration of the comments received, provided a menu of terms, including each of the terms that was proposed, from which institutions may select to fill in the bracketed boxes.117 Since all financial institutions collect Social Security numbers, this one term is required in all notices. The terms provided are designed to reflect the range of information typically collected by various types of institutions in language that consumers can more easily understand. Further, the Agencies have revised the statement about former customers to: ‘‘When you are no longer our customer, we continue to share information about you as described in this notice.’’ While some institutions objected in principle to the statement that former customers are subject to the same policy as current customers,118 no commenters asserted that institutions actually implement a different policy for former customers.119 116 See, e.g., comment letters of American Bankers Ass’n (May 25, 2007); Investment Company Institute (May 29, 2007); Investment Advisers Ass’n (May 29, 2007). 117 See Instruction C.2(b)(2) to the Model Privacy Form. Similar to the proposal, the final model form requires institutions to provide examples that may be applicable to the institution’s collection and sharing practices. 118 See, e.g., comment letters of Investment Advisers Ass’n (May 29, 2007); American Insurance Ass’n (May 29, 2007). 119 This sentence continues to appear in the ‘‘What?’’ box in the model form without an opt-out. PO 00000 Frm 00013 Fmt 4701 Sfmt 4700 62901 3. Disclosure Table We are adopting the disclosure table substantially as proposed, with some minor changes. Consumer and other advocacy groups, the NAIC, NAAG, and some industry commenters appreciated the easily understood display of information in the disclosure table of the proposed model form. One commenter noted the strength of the Schumer box standardized format.120 Others lauded the use of a tabular format to display a company’s sharing practices, noting that framing one institution’s practices against the industry as a whole is a useful way to inform consumers of a company’s relative sharing practices and facilitates the comparison of different institutions’ practices.121 A number of industry commenters and associations, including many small community banks and a few larger banks, also expressed support for the clarity and consumer-friendly format of the disclosure table.122 However, many industry commenters sought flexibility in the table design for several reasons. Some reported that it is common for a financial institution to have multiple privacy policies for different products that they offer consumers.123 Others asserted that the table contains a bias against larger, more complex corporate structures because it is overly simplistic and may show that certain types of institutions engage in widespread sharing.124 One opined that the table structure made it appear that the entity was reckless in its sharing practices.125 These commenters expressed particular concern that the model form would lead to high opt-out However, based on the validation testing, the optout versions of the model form place this sentence in the ‘‘To limit our sharing’’ box following the sentence describing sharing information about a new customer. See Kleimann Validation Report at 9–10. 120 Comment letter of Capital One Financial Corporation (May 29, 2007). 121 See comment letters of The Center for Information Policy Leadership (May 29, 2007); Independent Community Bankers of America (May 29, 2007). 122 See, e.g., comment letters of Independent Community Bankers of America (May 29, 2007); Bank of Edison (May 21, 2007); Capital One Financial Corporation (May 29, 2007); Citrus & Chemical Bank (May 24, 2007); First National Bank (Edinburg, TX) (Apr. 9, 2007); Florence Savings Bank (April 30, 2007); Iowa State Bank and Trust Company (May 22, 2007); ShoreBank (Apr. 6, 2007); Hometown Bank (May 8, 2007). 123 See, e.g., comment letters of Bank of America Corporation (May 29, 2007); Securities Industry and Financial Markets Ass’n (May 29, 2007); MasterCard Worldwide (May 29, 2007). 124 See, e.g., comment letters of Citigroup Inc. (May 30, 2007); Consumer Bankers Ass’n (May 29, 2007). 125 See comment letter of Consumer Bankers Ass’n (May 29, 2007). E:\FR\FM\01DER2.SGM 01DER2 62902 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations mstockstill on DSKH9S0YB1PROD with RULES2 rates.126 Many particularly objected to listing all the categories of sharing— especially when a consumer cannot limit or opt out of certain types of sharing—and others wanted to limit the list only to those categories used by the institution.127 Some commenters wanted to use this space to explain the benefits of certain types of sharing.128 Others wanted to convey that, for example, they only shared information with certain types of affiliates but not others and asserted that the disclosure table did not permit them to make this distinction.129 As the Agencies stated in the preamble to the Proposed Rule, based on the Kleimann Report and as confirmed by the quantitative research data and the Levy-Hastak Report, the disclosure table is the heart of the model form design and its most effective feature.130 The table provides for greater transparency of a company’s sharing practices. It allows consumers to see at a glance the types of information sharing a company may engage in, whether that particular company shares in that way, and, if so, whether the consumer can limit such sharing.131 Based on the research, the Agencies have retained the disclosure table generally unchanged in the final model form. Addressing industry concerns about bias against larger institutions, the Agencies appreciate these institutions’ concern that some of their customers may react negatively to the sharing of their information. The purpose of the model form is not to direct consumer behavior, however, but rather to provide information effectively. While the LevyHastak Report found that a majority of survey participants objected to the sharing of their personal information with affiliated companies, and more so 126 See, e.g., comment letter of Johnson Financial Group (May 14, 2007). 127 See, e.g., comment letters of Huntington National Bank (May 25, 2007); National Business Coalition on E-Commerce and Privacy (May 30, 2007); Securities Industry and Financial Markets Ass’n (May 29, 2007). 128 See, e.g., comment letter of Consumer Bankers Ass’n (May 29, 2007). 129 See, e.g., comment letters of American Council of Life Insurers (May 29, 2007); Securities Industry and Financial Markets Ass’n (May 29, 2007); American Insurance Ass’n (May 29, 2007); Consumer Mortgage Coalition (May 29, 2007). 130 See Proposed Rule, supra note 4, at text preceding and accompanying n.27; see also LevyHastak Report at 17. 131 The disclosure table in the model form provides information ‘‘at-a-glance’’ that facilitates the comparison of a company’s information sharing practices, both as to the industry as a whole and with respect to any other specific companies. In this way, it meets the original legislative intent to easily compare companies’ privacy practices. See H.R. Rep. No. 106–74, at 107 (1999). VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 with nonaffiliated companies, these objections were consistent across all the survey participants and were not affected by any particular notice format.132 The research confirms that the notice design more clearly informs consumers about how each company shares or uses the personal information it collects. During the course of this project, the Agencies heard from smaller institutions that their customers wanted to stop all sharing and expressly asked for opt-outs even when the institution engaged in only limited sharing under the section __.14 and __.15 exceptions.133 The neutral design of the form, particularly through the table, explains that some sharing is necessary for an institution’s ‘‘everyday business purposes’’ and makes clear what sharing occurs. In addition, the model form uses the term ‘‘limiting’’ sharing, rather than stopping sharing altogether. These small institutions commented that this more balanced presentation of sharing practices is a very important feature of the notice, and one that they welcome, as it makes all institutions’ sharing practices more transparent.134 The strength of the table design is that it facilitates comparison by showing what a particular institution’s sharing practices are as compared to what all financial institutions can legally do. For this reason, the final model form incorporates all seven reasons for sharing, with only the affiliate marketing provision—‘‘For our affiliates to market to you’’—optional for those companies that elect to incorporate that disclosure in their GLB notices.135 While the middle column requires institutions to answer ‘‘yes’’ or ‘‘no’’ to whether it shares for each of the reasons, some commenters expressed concern that their information sharing practices were sufficiently complex that they could not answer ‘‘yes’’ or ‘‘no,’’ stating that they had different practices for different products. Institutions that elect to use the model form must answer the questions in the final model form as directed in the proposal. If an institution elects to use the model form, it must either harmonize its practices so one notice applies to all its products, or it must provide separate notices for 132 Levy-Hastak Report at 15. comment was made by some of the Agencies’ regulated entities at various times during the course of this project and was also discussed by members of the Board’s Consumer Advisory Council during its discussions in 2007 about the Notice Project and model form proposals. 134 See, e.g., comment letter of Independent Community Bankers Ass’n (May 29, 2009). 135 See infra note 142. 133 This PO 00000 Frm 00014 Fmt 4701 Sfmt 4700 products subject to different information sharing practices. A few commenters opined that they may not currently share but want to reserve the right to share in the future. In such a case, the correct response in the middle column is ‘‘yes,’’ consistent with the privacy rule.136 Many institution commenters objected that the proposed terms to describe sharing practices were abbreviated or incomplete and asserted that the Agencies limited sharing that is lawfully permitted. For example, commenters objected that the definition of ‘‘everyday business purposes’’ excluded a long list of permissible disclosures designated in sections __.14 and __.15.137 However, as the Agencies stated in the proposal, the phrase ‘‘everyday business purposes’’ fully incorporates all the disclosures permitted by law under sections __.14 and __.15 of the privacy rule.138 In addition, the Agencies have determined that service providers that do not fall under section __.14, but perform direct services to the institution such as optout scrubbing or market analysis or research under a section __.13 agreement, are included under this provision.139 The cited examples of ‘‘everyday business purposes’’ 140 are illustrative only, to enhance consumer understanding. While commenters urged us to include the phrase ‘‘as permitted by law’’ in this description, research has found that consumers are confused and concerned by this phrase; they do not know what it means or what 136 See the privacy rule, section __.6(e), NCUA section 716.6(d) (notices can be based on current and anticipated policies and practices). 137 See, e.g., comment letters of American Insurance Ass’n (May 29, 2007); Consumer Bankers Ass’n (May 29, 2007); Citigroup Inc. (May 30, 2007); Securities and Financial Markets Ass’n (May 29, 2007). 138 See, e.g., comment letters of American Bankers Ass’n (May 25, 2007); American Insurance Ass’n (May 29, 2007); Securities Industry and Financial Markets Ass’n (May 29, 2007). This language substantially replaces the ‘‘as permitted by law’’ phrase used in the Sample Clauses, covering all permitted disclosures—along with the attendant requirements on reuse and redisclosure—found under sections __.14 and __.15 of the privacy rule. Unlike that clause, ‘‘everyday business purposes’’ conveys more concrete information to consumers and, importantly, helps them understand that some sharing is necessary in order to obtain financial products or services. 139 Joint marketing with other financial institutions and section __.13 service providers contracted to do marketing for a financial institution are disclosed separately. See Instruction C.2(d)(3) to the Model Privacy Form. 140 The final model form consolidates all references to ‘‘everyday business purposes’’ in the first reason in the disclosure table, thereby eliminating the illustrative explanation in the ‘‘How?’’ box on page one and the definition on page two. E:\FR\FM\01DER2.SGM 01DER2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations ‘‘laws’’ it encompasses.141 Including that phrase would be inconsistent with consumers’ need for clear language to understand what their financial institution does with their information. Because the laws governing disclosure of consumers’ personal information are not easily translated into short, comprehensible phrases, the table uses more easily understandable short-hand terms to describe sharing practices. We do not believe that these short-hand terms diminish the laws’ provisions, as some commenters asserted. If, as these commenters suggest, the Agencies add to the laundry list of descriptive terms to make the provisions in the table more ‘‘precise,’’ we believe it will defeat the purpose of making this information more understandable to consumers. Thus, the Agencies have chosen not to provide detailed descriptions for each of the reasons in the table; we re-affirm that institutions’ ability to share information in accordance with the statutory provisions would not be limited or otherwise modified by using the model form language. The phrase ‘‘For our marketing purposes’’ captures the idea that nearly all, if not all, institutions share information to market their own products and services to their customers (for example, using a joint marketing agreement with a service provider such as a bulk mailer or data processor pursuant to section __.13 of the privacy rule) in a manner that does not trigger an opt-out right. Likewise, the phrase ‘‘nonaffiliates to market to you’’ does not diminish the information sharing permitted by the privacy rule, provided that institutions first provide an opportunity for consumers to opt out, as provided for in section __.10 of the privacy rule. In all these instances, the lack of explicit references in the model form to certain of the exceptions does not mean that an institution cannot take advantage of all the exceptions provided for in the law. 4. FCRA Opt-Outs mstockstill on DSKH9S0YB1PROD with RULES2 The FCRA provisions are adopted in the model privacy form as proposed.142 141 See Survey Research Center at the University of Georgia, National Ass’n of Insurance Commissioners Insurance Disclosure Focus Group Study (‘‘NAIC Study’’), available at http:// www.ftc.gov/os/comments/modelprivacyform/ 528621-00012.pdf. See also infra discussion at text accompanying note 221. 142 The table includes, as an optional disclosure, the opt-out required by section 624 of the FCRA (reason 6 in the table), 15 U.S.C. 1681s–3 (affiliate use of information for marketing), as added by section 214 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), Public Law No. 108–159, 117 Stat. 1952. Section 624 generally VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 A number of industry commenters objected that the disclosure table did not provide a sufficiently complete or accurate description of the affiliate sharing provisions of the FCRA.143 They urged the Agencies to revise these provisions to more precisely distinguish between the different types of information that can be shared with affiliates (both with and without an optout), to describe the applicable exceptions, and to more accurately describe the opt-out pertaining to information that can be used by affiliates for marketing. The FCRA statutory provisions are quite complex and their legal intricacies are difficult for consumers to understand. The Agencies found through the consumer testing conducted by Kleimann that the short-hand FCRA terms used in the model form describing the types of personal information that can be shared with affiliates are sufficient to enable consumers to make informed decisions about such sharing. Again, these short-hand terms do not in any way diminish or modify the affiliate sharing provisions of the FCRA.144 To give some meaning to the statutory term ‘‘other information,’’ the disclosure table uses ‘‘Information about your creditworthiness’’—a short-hand phrase that consumers reasonably understood. Testing also found that consumers provides that information that may be shared among affiliates—including transaction and experience information and certain creditworthiness information—cannot be used by an affiliate for marketing purposes unless the consumer has received a notice of such use and an opportunity to opt out, and the consumer does not opt out. Congress did not grant the CFTC rulemaking authority to implement section 624. The other Agencies have issued final regulations implementing the affiliate marketing provision of the FACT Act, 12 CFR part 41 (OCC), 12 CFR part 222 (Board), 12 CFR part 334 (FDIC), 12 CFR part 571 (OTS), 12 CFR part 717 (NCUA), 16 CFR parts 680 and 698 (FTC), 17 CFR part 248, subpart B (SEC) (‘‘affiliate marketing rule’’). Because the Agencies’ affiliate marketing rules generally use consistent section numbering, relevant sections will be cited, for example, as ‘‘section l.23’’ unless otherwise noted. The affiliate marketing rule included language stating that the section 624 disclosure as it appears in the model form will meet the requirements of that rule. See 72 FR 61424, 61452 (Oct. 30, 2007) (FTC); 72 FR 62910, 62932 (Nov. 7, 2007) (banking agencies); 74 FR 40398, 40418 (Aug. 11, 2009) (SEC) (‘‘use of the [GLB Act] model privacy form will satisfy the requirement to provide an initial affiliate marketing opt-out notice’’). See also section __.23(b) of the affiliate marketing rule. 143 See, e.g., comment letters of Citigroup Inc. (May 30, 2007); American Bankers Ass’n (May 25, 2007); Consumer Bankers Ass’n (May 29, 2007); National Business Coalition on E-Commerce and Privacy (May 30, 2007); Visa U.S.A, Inc. (May 29, 2007). 144 See section 603(d)(2)(A) of the FCRA relating to the sharing of ‘‘transaction and experience information’’ and the sharing of ‘‘other information’’ which triggers an opt-out notice. PO 00000 Frm 00015 Fmt 4701 Sfmt 4700 62903 reasonably understood the phrase ‘‘information about your transactions and experience’’ without further embellishment.145 Some institutions objected to the description of the optional affiliate marketing provision enacted under the FACT Act for which the Agencies have published final regulations.146 These commenters are correct that this provision, unlike the others, is about the use of shared information for marketing. While the Agencies and Kleimann worked to ensure accuracy in the model form, it was evident at the outset that this particular provision would be very difficult to explain in a simple and clear way to consumers and be precisely true to the statutory language. The final formulation we proposed tested sufficiently well to show that consumers understand its basic meaning.147 Including the affiliate marketing notice and opt-out in the model form is optional. Institutions that are required to provide this notice, and elect not to include it in their GLB Act privacy notice, must separately send an affiliate marketing notice that complies fully with the affiliate marketing rule requirements. For those institutions that elect to incorporate this provision in the model form, the Agencies believe that it is simpler and less confusing to consumers for the affiliate marketing opt-out to be of indefinite duration, consistent with the opt-out required under the GLB Act. If an institution elects to limit the time period for which the opt-out is effective, as permitted under the affiliate marketing rule, it must not include the affiliate marketing opt-out in the model form. Instead, the institution must comply separately with the specific affiliate marketing rule requirements. 5. Limiting Sharing: Opt-Out Information In response to commenters and the results of the quantitative testing, the final model form includes opt-out information for those institutions that are required to provide an opt-out on the bottom of page one. The Agencies proposed that the information about limiting or opting out of certain sharing, as needed, would be provided on a separate third page. Many commenters objected to the use of a separate piece of paper for this information, particularly if the notice itself is quite short.148 145 Kleimann Report, supra note 32, at 63. supra note 142. 147 Levy-Hastak Report at 15. 148 See, e.g., comment letters of American Council of Life Insurers (May 29, 2007); National 146 See E:\FR\FM\01DER2.SGM Continued 01DER2 62904 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations mstockstill on DSKH9S0YB1PROD with RULES2 This change eliminates the extra page from the proposed model form and places this important information on the first page that the consumer sees. In addition to the model form with no optout, the Agencies are providing two alternate versions to be used, as appropriate, depending on whether the institution offers the option to limit information sharing by mail.149 Institutions using the model form must include the opt-out section in their notices only if they (1) share or use information in a manner that triggers an opt-out, or (2) choose to provide optouts beyond what is required by law. Financial institutions that provide optouts are not required to provide all the opt-out choices and methods described in the model form; they should select those that accurately reflect their practices.150 A number of commenters objected to the statement describing the time period before information can first be shared according to an institution’s privacy policy.151 Recognizing that institutions will provide this form both to new customers and annually to existing customers, the Agencies have modified the language accordingly.152 The revised model form allows institutions to insert a time period that is 30 days or longer from the date the notice was sent before it can begin sharing for new customers. Some commenters opined that in certain instances they should be able to require the consumer to make an opt-out decision at the time of the in-person or electronic transaction rather than waiting 30 days. While the Agencies recognize that certain situations may warrant an immediate decision, the Automobile Dealers Ass’n (May 29, 2007); Securities Industry and Financial Markets Ass’n (May 29, 2007). 149 Some commenters asked about providing the opt-out in an in-person transaction so that the customer could execute the opt-out at that time or could deliver the completed opt-out form in person. The privacy rule does not preclude obtaining a consumer’s opt-out election in person. However, while an institution may accept an opt-out election from a consumer in person, requiring a consumer to obtain an opt-out form at a branch office as the only means to opt out violates the privacy rule. See sections l.7(h), l.9(a) and (b), and l.10(a)(1) and (a)(3) of the privacy rule. 150 Institutions that do not include the affiliate marketing disclosure on the model privacy form must not include the affiliate marketing notice or opt-out on the model form mail-in form; that notice must be provided in accord with the affiliate marketing rule, outside the model form. 151 See, e.g., comment letters of Bank of America Corporation (May 29, 2007); Wells Fargo & Company (May 29, 2007); Securities Industry and Financial Markets Ass’n (May 29, 2007); American Council of Life Insurers (May 29, 2007). 152 The revised language states: ‘‘If you are a new customer, we can begin sharing your information [30] days from the date we sent this notice.’’ See also supra note 119. VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 basic rule is to allow a ‘‘reasonable’’ opportunity to opt out.153 Telephone and online opt-outs should closely match the options provided in the form. Consistent with the direction provided in the affiliate marketing rule,154 the Agencies also contemplate that a toll-free telephone number would be adequately designed and staffed to enable consumers to opt out in a single telephone call. In setting up a toll-free telephone number that consumers may use to exercise their opt-out rights, institutions should minimize extraneous messages directed to consumers who are in the process of opting out. A number of industry commenters requested clarification on how joint accountholders would be treated.155 The Agencies have addressed this question with a new FAQ, described below. Further, if an institution elects to provide a choice for the joint accountholder to apply the opt-out only to that joint accountholder, that option must be provided in the telephone or Web prompt, as well as presented in the left-hand box on the mail-in form.156 A number of commenters from both industry and advocacy groups addressed the question whether consumers need to provide personal information such as a Social Security number, account number, or other identification number in order to opt out. The consumer advocacy organizations, some industry commenters, and an industry association proposed omitting the account number field from the proposed form to reduce the risk of fraud.157 These commenters expressed concerns about phishing and identity theft, and were especially concerned about institutions’ use of the Social Security number to confirm an opt-out request. These commenters argued that a name and address should be sufficient to effect an opt-out from an institution’s information sharing. Many institutions argued that they needed a Social Security number or full account or policy number in order to authenticate the person who wanted to opt out or to apply the opt-out 153 See, e.g., sections l.10(a)(1)(iii) and l.10(a)(3)(iii) of the privacy rule. 154 See 72 FR 61424, 61448 (Oct. 30, 2007) (FTC); 72 FR 62910, 62935 (Nov. 7, 2007) (banking agencies); 74 FR 40398, 40421 (August 11, 2009) (SEC). 155 See, e.g., comment letters of American Bankers Ass’n (May 25, 2007); Discover Bank (May 29, 2007). 156 See also privacy rule, section l.7(d), NCUA section 716.7(d)(6). 157 See, e.g., comment letters of Center for Democracy and Technology (May 29, 2007); Privacy Rights Clearinghouse (May 22, 2007); National Automobile Dealers Ass’n (May 29, 2007. PO 00000 Frm 00016 Fmt 4701 Sfmt 4700 appropriately to all accounts held by the customer or only to specific accounts.158 Some industry commenters urged limiting the information to only the last four digits of an account number as both safe for the consumer and sufficient to implement the opt-out.159 Having considered these comments and the context in which such sensitive information is used—to implement an opt-out for information sharing—the Agencies strongly encourage institutions to use some other form of identifier, such as a randomly generated ‘‘opt-out code’’ provided in the notice that consumers can use to exercise their optouts without jeopardizing the security of their most sensitive personal information. A random code—which some institutions currently use—both protects consumers’ most sensitive information and at the same time can be used to link both the customer and account(s) to which the opt-out should apply. Such an approach would further simplify the opt-out process for consumers. If such an approach is not feasible, institutions could use a truncated account or policy number to protect sensitive information.160 Of course, any opt-out means provided— including any information requirements imposed on consumers—must be reasonable under the privacy rule and reasonable and simple under the affiliate marketing rule.161 Institutions should keep these requirements in mind when requesting information beyond the consumer’s name and address. A number of industry commenters objected to the inability of the model form to provide for partial opt-outs, as permitted by the privacy rule.162 The Agencies have observed that partial optouts are not widely employed. Trying to incorporate partial opt-outs in this model form would be unduly complicated and confusing for consumers, so the Agencies have determined to use the default provision of the privacy rule that provides for an opt-out that applies to all information.163 Institutions that want to 158 See, e.g., comment letters of National Retail Federation (May 29, 2007); Citicorp (May 29, 2007); National Business Coalition on E-Commerce and Privacy (May 30, 2007). 159 See, e.g., comment letters of Sun Trust Banks, Inc. (May 23, 2007); Central National Bank of Enid (May 24, 2007). 160 See also The President’s Identity Theft Task Force, Combating Identity Theft, at 13 (Apr. 2007) (‘‘Consumer information is the currency of identity theft, and perhaps the most valuable piece of information for the thief is the SSN’’). 161 See section __.7(a)(1)(iii) of the privacy rule and section l.25(a) of the affiliate marketing rule. 162 See, e.g., comment letters of American Council of Life Insurers (May 29, 2007); Securities Industry and Financial Markets Ass’n (May 29, 2007). 163 See section l.10(b) of the privacy rule. E:\FR\FM\01DER2.SGM 01DER2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations provide partial opt-outs cannot do so using the model form. A number of commenters wanted to include in the model form the statement ‘‘If you have already told us your choice(s), you do not have to tell us again.’’ 164 Because this statement would only be accurate if the institution has not changed its notice to include new opt-out options, the Agencies have decided not to include it in the model form. Institutions that choose to use this statement must do so outside the model form. mstockstill on DSKH9S0YB1PROD with RULES2 6. Additional Opt-Outs in the Model Form Like the proposed form, the final model form permits institutions to provide for voluntary or state lawrequired opt-outs. For example, if an institution elects to offer its customers the opportunity to opt out of its marketing, it can do so by saying ‘‘yes’’ in the third column. Similarly, an institution can offer its customers a right to opt out of joint marketing, if it chooses. Institutions that must comply with various state law requirements, depending on their practices and the choices they offer, may be able to do so in one of two ways using the model form. For example, Vermont law requires institutions to obtain opt-in consent from Vermont consumers for affiliate sharing. The disclosure table permits institutions to do one of two things: (1) it can provide a notice directed to its Vermont customers that answers ‘‘no’’ to the question about whether it shares creditworthiness information with its affiliates, or (2) it can provide a generalized notice for consumers across a number of states including Vermont and answer ‘‘yes’’ to the question about sharing creditworthiness information with its affiliates and include a discussion on the application of Vermont law in the ‘‘Other important information’’ box on page two of the form.165 To obtain the safe harbor for use of the proposed model form, an institution that uses the disclosure table to show any additional opt-out choices (beyond 164 See, e.g., comment letters of MasterCard Worldwide (May 29, 2007); National Business Coalition on E-Commerce and Privacy (May 30, 2007); Wells Fargo & Company (May 29, 2007); Wolters Kluwer Financial Services (May 24, 2007). 165 California provides that a consumer can opt out of joint marketing. Cal. Fin. Code div. 1.2 § 4053(b)(2). Thus, an institution can provide a generalized notice offering no opt-out, with California-specific information in the ‘‘Other important information’’ box. Alternatively, an institution can provide a separate notice to its California customers. Institutions cannot use the model form to offer opt-in consent. See Instruction C.2(g)(5) to the Model Privacy Form. VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 what is required under Federal law) must make that opt-out available through the same opt-out options the institution provides in the notice, whether by telephone, Internet, or a mail-in opt-out form.166 7. Contact Information for Questions Like the proposed form, the final model form provides contact information at the bottom of page one. Some commenters objected that it would be confusing if an opt-out is offered or the institution wants to limit such contact to a mail option only.167 The Kleimann Report found that consumers want a way to contact their financial institution if they have any questions.168 The NAIC Study likewise found this to be one of the most important pieces of information that consumers want in a notice.169 In revising the proposed model form to include the opt-out information on page one, the Agencies have modified the ‘‘Contact Us’’ box to label it ‘‘Questions’’ (to more clearly distinguish between the two) and clarified in the Instructions that this box is for customer service contact information, either by telephone or the Internet or both, at the institution’s option. Customer service contact information is for consumers who may have questions about the institution’s privacy policy and may be the same contact information for consumers’ questions relating to the institution’s products or services. The Agencies are not requiring a separate customer service number solely to answer questions about the institution’s privacy policy. The customer service contact information is different from the opt-out contact information, unless the customer service number is made available for consumers to opt out. The contact information should give consumers a way to communicate directly with the institution.170 8. Mail-In Opt-Out Form The mail-in opt-out form for institutions that provide such a form is adopted with two modifications, with the changes based on comments, the quantitative testing, and the LevyHastak Report. The validation testing 166 See Instruction C.2(g) to the Model Privacy Form. 167 See, e.g., comment letters of Mastercard Worldwide (May 29, 2007); American Insurance Ass’n (May 29, 2007); American Council of Life Insurers (May 29, 2007); Securities Industry and Financial Markets Ass’n (May 29, 2007). 168 Kleimann Report, supra note 32, at 35, 226. 169 NAIC Study, supra note 141. 170 See Instruction C.2(f) to the Model Privacy Form. PO 00000 Frm 00017 Fmt 4701 Sfmt 4700 62905 shaped the design for the opt-out information in the final model form. As discussed in section III.I.5, the final model form displays all opt-out information, including the mail-in form, on page one, for institutions that provide an opt-out. In response to commenters, the Agencies have added information on joint accountholders to the model form by providing a new FAQ on page two. Institutions must include the joint accountholder information in the mail-in form only when the institution allows a joint accountholder to choose whether to apply an opt-out election only to one accountholder.171 Otherwise, that space is blank or omitted from the mail-in form. Finally, institutions that use the mailin opt-out form must insert the institution’s mailing address either in the right-hand box or just below the mail-in form, as shown in version 3 and optional version 4 in the Appendix and as described in the Instructions to the Model Form. J. Page Two of the Model Form The Agencies have modified page two of the model form to streamline the information on the page and to provide flexibility for institutions to insert certain institution-specific information. 1. Frequently Asked Questions To address the concerns about jointlyprovided notices, the Agencies have added a new FAQ at the top of page two: ‘‘Who is providing this notice?’’ An institution may omit this FAQ only when one financial institution is providing the notice and that institution is identified in the title. The space to the right, which is limited (for reasons of space constraints) to a maximum of four (4) lines,172 allows institutions that are jointly providing the notice to be identified.173 This space must be used to: 171 See also infra section III.J.1. Section III.I.5 provides guidance on the use of sensitive personal information (such as a Social Security number or account number) to effect an opt-out. Section III.I.6 discusses how voluntary or state-required privacy law opt-outs should appear in the mail-in opt-out form. See also Instruction C.2(g) to the Model Privacy Form. 172 While the Agencies are limiting the space allotted for this FAQ, we do not intend that institutions will constrain the width of the left column (with the questions) so as to make this page difficult to read. We remind institutions that design experts recommend using sufficient white space to set off features such as headings, bullets, and key information used by consumers to quickly scan a document. We note further that the ratio of the column widths of the questions to the responses in the model form is approximately 1:2. 173 The option of creating a jointly provided notice is not limited only to financial holding companies, as one commenter observed. Instruction E:\FR\FM\01DER2.SGM Continued 01DER2 62906 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations mstockstill on DSKH9S0YB1PROD with RULES2 1. State the common corporate name or other readily identifiable name that is also used for the title and various headings of the model form as the ‘‘name of financial institution;’’ and 2. Either (a) identify the entities jointly providing the notice; or (b) for institutions with a lengthy list of entities jointly providing the notice, identify the general types of entities in the response and identify the entities 174 at the end of the form following the ‘‘Other important information’’ box, or, if that box is not incorporated into the form, following the ‘‘Definitions’’ or on an additional page. The list at the end of the form must be printed in minimum 8-point font and may appear in a multicolumn format. The Agencies have deleted the FAQ on how often consumers are provided notices on an institution’s sharing practices due to space constraints.175 A number of commenters objected to the response to the question about how personal information is protected. Some objected to the phrase ‘‘comply with federal laws.’’ 176 The Agencies note that this phrase closely tracks current Sample Clause A–7 and is already widely used by many institutions. Several objected to the phrase ‘‘secured buildings and files,’’ preferring ‘‘physical safeguards.’’ 177 As explained in the Kleimann Report, the Agencies developed this text to help consumers better understand the practical meaning of physical security.178 The Agencies have determined to retain the FAQ as proposed, with one modification. In response to commenters who asked to include more specific information,179 such as information about cookies or online practices or limiting employee access to personal information, the Agencies are allowing institutions to add more detail, limited to describing their safeguards practices, up to a maximum of thirty (30) additional words. This doubles the space allotted for the safeguards response and provides flexibility to institutions to customize the safeguards description. B.1 to the Model Privacy Form has been modified to clarify that point. 174 See section l.9(f) of the privacy rule. 175 While the testing found it to be helpful background, this information is not required by the privacy rule. 176 See, e.g., comment letters of Consumer Bankers Ass’n (May 29, 2007); MasterCard Worldwide (May 29, 2007). 177 See comment letters of American Council of Life Insurers (May 29, 2007); American Insurance Ass’n (May 29, 2007). 178 Kleimann Report, supra note 32, at 125–26. 179 See, e.g., comment letters of Iowa State Bank and Trust (May 22, 2007); PayPal (May 29, 2007); Wachovia Corporation (May 25, 2007). VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 The optional information must appear after the standard response for this FAQ. A number of industry commenters objected to the inflexible nature of the description of the sources from which personal information is collected, stating that in many cases the proposed descriptions do not correlate to their practices or the practices of their particular industry.180 As with the description of the types of information collected and shared on page one, the Agencies are providing a menu of terms from which institutions can select to fill in the bulleted lists.181 The list is designed to include the range of information sources typically used by a variety of institutions subject to the GLB Act and the FCRA, including those in the insurance, securities, and investment advisory businesses, as well as those companies subject to FTC jurisdiction. Finally, institutions that collect information from their affiliates and/or from credit bureaus must use as the last sentence of this response: ‘‘We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.’’ Institutions that do not collect personal information from their affiliates or credit bureaus but do collect personal information from other companies must include the following statement: ‘‘We also collect your personal information from other companies.’’ Only institutions that do not collect any personal information from affiliates, credit bureaus, or other companies can omit both statements. A number of industry commenters objected to the FAQ about limiting sharing, arguing variously that this is not required and that they should only have to include in the response those bullets that apply to their sharing practices.182 The Agencies have determined to retain this FAQ with a revision to the bulleted list, as it helps consumers better understand what rights they have under Federal law and reinforces the message that information sharing may be limited but not stopped completely. The second bullet was revised to more closely track the provisions of the affiliate marketing rule. Finally, the Agencies have 180 See, e.g., comment letters of American Council of Life Insurers (May 29, 2007); American Bankers Ass’n (May 25, 2007); Consumer Bankers Ass’n (May 29, 2007); Mastercard Worldwide (May 29, 2007); Wells Fargo & Company (May 29, 2007); National Ass’n of Mutual Insurance Cos. (May 29, 2007); National Automobile Dealers Ass’n (May 29, 2007). 181 See Instruction C.3(a)(3) to the Model Privacy Form. See supra note 117. 182 See, e.g., comment letters of American Council of Life Insurers (May 25, 2007); National Ass’n of Mutual Insurance Cos. (May 29, 2007). PO 00000 Frm 00018 Fmt 4701 Sfmt 4700 provided an optional sentence for institutions to elect to include at the end, as applicable, ‘‘See below for more on your rights under state law,’’ a reference to the state-specific privacy law information that an institution may include in the ‘‘Other important information’’ box. As discussed earlier, a number of commenters asked how an opt-out election can be applied to joint accountholders.183 This is addressed by a new FAQ on page two. Two optional responses are provided for institutions to use: The first states that an opt-out election by any joint accountholder will be applied to everyone on the account. The second provides that the opt-out election will be applied to everyone on the account unless the customer elects to have the opt-out apply only to him. Institutions must select one or the other as the response to this question.184 2. Definitions In the final model privacy form, the definition of ‘‘everyday business purposes’’ has been deleted as superfluous, and the description of everyday business purposes has been consolidated in the disclosure table on page one. The other three definitions remain as proposed, with one modification. The Agencies make the following further clarification in response to some commenters.185 First, if an institution has no affiliates or does not share with its affiliates, it does not have to describe the categories of affiliates in this definition. Applicable responses in such conditions are, respectively: ‘‘[name of financial institution] has no affiliates’’ or ‘‘[name of financial institution] does not share with our affiliates.’’ Similarly, if an institution does not share for joint marketing or with nonaffiliated third parties outside of the section __.14 and __.15 exceptions, applicable responses are: ‘‘[name of financial institution] doesn’t jointly market’’ or ‘‘[name of financial institution] does not share with nonaffiliates so they can market to you.’’ The Instructions have been modified with respect to an institution’s sharing with its affiliates so that an institution must provide only an illustrative list of affiliates with which it shares, and not 183 See, e.g., comment letters of American Bankers Ass’n (May 29, 2007); Discover Bank (May 29, 2007); Mastercard Worldwide (May 29, 2007); Huntington National Bank (May 25, 2007). 184 See also supra discussion section III.I.8. 185 See, e.g., comment letters of Mastercard Worldwide (May 29, 2007); Huntington National Bank (May 25, 2007); Consumer Bankers Ass’n (May 29, 2007); Wells Fargo & Company (May 29, 2007). E:\FR\FM\01DER2.SGM 01DER2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations a complete list. As proposed, when an institution shares with nonaffiliates or with other financial institutions to do joint marketing, the institution must describe the categories of entities with which it shares.186 While the Instructions provide illustrative examples of categories, institutions must provide examples consistent with their practices. The Instructions provide guidance on these points.187 mstockstill on DSKH9S0YB1PROD with RULES2 3. State and International Law Provisions To accommodate commenters’ requests to incorporate state and international law provisions in the notice,188 the Agencies have added a new optional box at the end of the final model form called ‘‘Other important information.’’ The size of the box is not limited (except where space constraints apply in the Online Form Builder, described below), and institutions may use a third page, as necessary, for the information in this box. To qualify for the safe harbor,189 institutions that elect to use this box can only use it for the following: (1) information about state and/or international privacy law requirements, as applicable; or (2) an acknowledgment form to create a record of having provided the notice. Certain institutions, for example, are required to include specific affiliate sharing information for Vermont residents or to meet other requirements under California law. Some insurance commenters noted that approximately 186 See sections __.6(a)(3), __.6(a)(5), __.6(c)(3), and __.6(c)(4) of the privacy rule. The joint marketing provisions apply to joint marketing agreements with other financial institutions, but not to other types of arrangements with section __.13 service providers. 187 See Instruction C.3(b) to the Model Privacy Form. 188 See, e.g., comment letters of American Bankers Ass’n (May 25, 2007); American Council of Life Insurers (May 29, 2007); Bank of America Corporation (May 29, 1007); Citigroup Inc. (May 30, 2007); Consumer Bankers Ass’n (May 29, 2007); Consumer Mortgage Coalition (May 29, 2007); Countrywide Home Loans, Inc. (May 29, 2007); Discover Bank (May 29, 2007); Financial Services Institute (May 29, 2007); Iowa Student Loan (May 22, 2007); KeyCorp (May 25, 2007); National Business Coalition on E-Commerce and Privacy (May 30, 2007); National Retail Federation (May 29, 2007); National Ass’n of Mutual Insurance Cos. (May 29, 2007); Sovereign Bank (May 21, 2007); Wells Fargo (May 29, 2007); World’s Foremost Bank (May 25, 2007); Direct Marketing Ass’n (May 29, 2007); Securities Industry and Financial Markets Ass’n (May 29, 2007); World Financial Capital Bank (May 25, 2007); World Financial Network National Bank (May 29, 2007). 189 The 10-point minimum font size applies to the contents of the ‘‘Other important information box.’’ In addition, while the safe harbor extends to including this box at the end of the model form, it does not extend to the content of the box. Institutions are responsible for ensuring that any statements made in this box are accurate. VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 16 states have privacy laws that require insurers to provide notice of ‘‘access and correction’’ rights.190 Commenters noted that other states require disclosures about medical information.191 Some large institutions noted that they are required to provide international law information. Such information may be included in this new box. In addition, one association commenter, representing automobile dealers, specifically requested a place on the form to allow its members to obtain signatures from customers acknowledging that they had received a copy of the notice.192 K. Other Issues 1. Highlighting Material Changes in Privacy Practices We sought comment on whether the model privacy form should highlight material changes in the notice. A number of industry commenters opposed this suggestion, citing consumer confusion.193 Some stated that the GLB Act requires revised notices when the institution’s policy has changed.194 One advocacy group supported adding an extra column to the notice table highlighting specific changes made since the previous notice.195 After considering these comments, the Agencies determined that the simplest way to help consumers identify how recently the notice was changed is to include a ‘‘revised [month/year]’’ notation in the upper right-hand corner of page one of the notice. The revised date, in minimum 8-point font, is the date the policy was last revised.196 Of course, institutions can signal material 190 See, e.g., comment letters of American Insurance Ass’n (May 29, 2007); Great-West Life & Annuity Insurance Co. (May 29, 2007). 191 See, e.g., comment letters of American Council of Life Insurers (May 29, 2007); American Insurance Ass’n (May 29, 2007); Huntington National Bank (May 25, 2007). 192 See comment letter of National Automobile Dealers Ass’n (May 29, 2007). 193 See, e.g., comment letters of American Council of Life Insurers (May 29, 2007); Consumer Bankers Ass’n (May 29, 2007); Citigroup Inc. (May 30, 2007); Mastercard Worldwide (May 29, 2007); Securities Industry and Financial Markets Ass’n (May 29, 2007). 194 See comment letters of American Council of Life Insurers (May 29, 2007); Citigroup Inc. (May 30, 2007). 195 See, e.g., comment letters of Center for Democracy and Technology (May 29, 2007); see also New York State Consumer Protection Board (May 29, 2007). 196 Adoption of the model form, with no change in policies or practices, would not constitute a revised notice, although institutions may elect to consider the format change as a revision, at their option. However, inserting the new affiliate marketing opt-out in the model form would be a revision of the institution’s policies and practices. PO 00000 Frm 00019 Fmt 4701 Sfmt 4700 62907 changes in their policies by, for example, use of a cover letter that describes any changes. 2. Safe Harbor A number of industry commenters expressed concern that the safe harbor provisions do not fully extend to the GLB Act requirements or do not extend to FCRA disclosures.197 These commenters seek broader safe harbor treatment for the use of the model form, notwithstanding the statutory provision that use of the model form will satisfy the notice requirements of the GLB Act and the privacy rule. The Agencies agree that the model form satisfies the requirements for the content of the notice required by the GLB Act, including sections __.6 and __.7 of the privacy rule; FCRA section 603(d) as described in section __.6 of the privacy rule; and section __.23 of the affiliate marketing rule. The Agencies note that the safe harbor applies to use of the model form, but does not and cannot extend to the institution-specific information that is inserted in the model form. Proper use of the model form to comply with the privacy rule requires that institutions accurately answer the questions about their information collection and sharing practices, as well as provide to consumers, as applicable, a reasonable means and opportunity to limit sharing and honor any opt-out requests submitted. 3. Online Form Builder Commenters generally supported the Agencies’ proposal to provide a downloadable, fillable version of the model form that institutions could use to create their own customized notice.198 Many smaller institutions were particularly supportive, noting that it simplifies adoption and reduces their development costs. In response, the Agencies will be providing on each of their Websites a link to an Online Form Builder accessible by any institution so that the institution can readily create a unique, customized privacy notice using the model form template. The Agencies anticipate that a temporary Online Form Builder will be available in late 2009 197 See, e.g., comment letters of American Bankers Ass’n (May 25, 2007); California Bankers Ass’n (May 25, 2007); Consumer Bankers Ass’n (May 29, 2007). 198 See, e.g., comment letters of American Insurance Ass’n (May 29, 2007); Center for Democracy and Technology (May 29, 2007); Citrus and Chemical Bank (May 24, 2007); Credit Union National Ass’n (May 29, 2007); Independent Community Bankers of America (May 29, 2007); PayPal (May 29, 2007); Portage National Bank (May 1, 2007); Sovereign Bank (May 21, 2007). E:\FR\FM\01DER2.SGM 01DER2 62908 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations and that a more robust version will be available to institutions in late 2010. 4. Web-Based Design Many industry and advocacy group commenters supported development of an optional Web-based design, especially as more and more consumers are engaging in online activities such as online banking.199 Some commenters asked the Agencies to test a design for usability. Some industry commenters cautioned that the Agencies should leave this task to industry as institutions are more knowledgeable and better equipped to address such a task.200 The Board and FTC have agreed to jointly undertake the development through consumer research of a Webbased version of the final model form. That research work will proceed independent of this rulemaking, will be reviewed by all the other Agencies, and will be made publicly available for use by all institutions. It is anticipated that the work will be completed in late 2009. 5. Electronic Delivery A number of commenters objected to limiting the electronic posting of the model form to a PDF format.201 Those expressing a view stated that providing the form in HTML is more compatible with their systems and easier for consumers to download and view. The Agencies agree that institutions can provide the notice electronically in either PDF or HTML format. Where consumers agree to electronic receipt of the notice, institutions can send the notice by email either by attaching the notice or providing a link to the notice. mstockstill on DSKH9S0YB1PROD with RULES2 6. Other Comments Some commenters asked if the model form can be adopted for other languages.202 The Agencies believe that this would be beneficial to an 199 See, e.g., comment letters of Center for Democracy and Technology (May 29, 2007); Investment Company Institute (May 29, 2007); MasterCard Worldwide (May 29, 2007); National Business Coalition on E-Commerce and Privacy (May 30, 2007); PayPal (May 29, 2007); Target National Bank (May 24, 2007). 200 See, e.g., comment letters of American Bankers Ass’n (May 25, 2007); American Council of Life Insurers (May 29, 2007); The Financial Services Roundtable and BITS (May 29, 2007); Huntington National Bank (May 25, 2007); National Retail Federation (May 29, 2007); Securities Industry and Financial Markets Ass’n (May 29, 2007); Wachovia Corporation (May 25, 2007). 201 See, e.g., comment letters of Huntington National Bank (May 25, 2007); MasterCard Worldwide (May 29, 2007); PayPal (May 29, 2007); Securities Industry and Financial Markets Ass’n (May 29, 2007); Wachovia Corporation (May 25, 2007). 202 See, e.g., comment letters of First Bank Americano (May 2, 2007); First Hawaiian Bank (May 29, 2007); National Retail Federation (May 29, 2007). VerDate Nov<24>2008 20:48 Nov 30, 2009 Jkt 220001 institution’s non-English speaking customers and note that institutions currently provide such notices, consistent with the privacy rule. Many industry commenters wanted the flexibility to add other information to the form. For example, they asked to include information on the benefits of sharing; privacy tips and identity theft information; information about fraud prevention; and marketing.203 Some commenters asked that additional information such as seal information be included in the model form.204 The Agencies considered these suggestions and decided not to permit the inclusion of additional information in the final model form. While an institution may believe this information is useful or important, we believe that the addition of such information to the model form defeats the purpose of providing a clear and usable notice about information sharing practices and consumer rights. The Agencies do not preclude an institution from providing such information in other, supplemental materials, if the institution wishes to do so. One commenter proposed requiring institutions that use the model form to also have a longer notice that complies with the privacy rule.205 One notice is sufficient if that notice complies with the law and the privacy rule. Commenters also raised a number of other issues that are beyond the scope of this rulemaking. These include making the default opt-in rather than opt-out; eliminating the annual notice requirement; preempting state law requirements; and establishing an optout repository similar to the FTC’s National ‘‘Do Not Call’’ Registry.206 IV. The Sample Clauses As proposed, the Agencies are eliminating the Sample Clauses appended to the privacy rule along with 203 See, e.g., comment letters of American Bankers Ass’n (May 25, 2007); Bank of America Corporation (May 29, 2007); Comerica Bank (May 25, 2007); Consumer Bankers Ass’n (May 29, 2007); Citigroup Inc. (May 30, 2007); First Hawaiian Bank (May 29, 2007); California Bankers Ass’n (May, 2007); Farmers & Merchants Bank (May 29, 2007); Financial Services Roundtable and BITS (May 29, 2007); Huntington National Bank (May 25, 2007); KeyCorp (May 25, 2007); Target National Bank (May 24, 2007); Wachovia Corporation (May 25, 2007); Wells Fargo & Company (May 29, 2007). 204 See comment letters of PayPal (May 29, 2007); TrustE (May 30, 2007). 205 See comment letter of TRUSTe (May 30, 2007). 206 See, e.g., comment letters of America’s Community Bankers (May 29, 2007); Bank of Edison (March 21, 2007); Bank of Frankewing (May 18, 2007); Central National Bank of Enid (May 24, 2007); FamilyFirst Bank (May 8, 2007); Florence Savings Bank (April 30, 2007); Glenview State Bank (May 2, 2007); Hometown Bank (May 8, 2007); Portage National Bank (May 1, 2007). PO 00000 Frm 00020 Fmt 4701 Sfmt 4700 the safe harbor or for SEC-regulated entities, guidance, currently afforded entities.207 Many industry commenters opposed the proposal.208 Some commenters asked that we retain certain of the Sample Clauses, such as A–1, A–3, and A–7, the use of which does not implicate an opt-out.209 Institutions expressed concern that elimination of the Sample Clauses and corresponding safe harbor would expose them to liability.210 A few commenters asked the Agencies to improve the current Sample Clauses as an interim measure.211 Several institutions requested that the Agencies at a minimum provide for a transition period that is longer than one year, if the Agencies determine to eliminate the Sample Clauses.212 Notwithstanding these comments, the Agencies are eliminating the Sample Clauses and related safe harbor (or guidance) from the privacy rule, following a transition period of one year.213 The initial public and media complaints about the incomprehensibility of the privacy notices,214 the plain language experts’ guidance at the Get Noticed Workshop, 207 The Sample Clauses were originally provided in the privacy rule to illustrate the level of detail for notices to meet the rule requirements and to minimize the compliance burden. See 65 FR 33646, 33677 (May 24, 2000) (FTC); 65 FR 35162, 35185 (June 1, 2000) (banking agencies); 65 FR 40334, 40357 (June 29, 2000) (SEC); 66 FR 21236, 21238 (Apr. 27, 2001) (CFTC). 208 See, e.g., comment letters of American Bankers Ass’n (May 25, 2007); American Council of Life Insurers (May 29, 2007); American Insurance Ass’n (May 29, 2007); Bank of America Corporation (May 29, 2007); Consumer Bankers Ass’n (May 29, 2007); Citigroup Inc. (May 30, 2007); Direct Marketing Ass’n (May 29, 2007); Investment Adviser Ass’n (May 29, 2007); National Ass’n of Mutual Insurance Cos. (May 29, 2007); National Automobile Dealers Ass’n (May 29, 2007); National Business Coalition on E-Commerce and Privacy (May 30, 2007); T. Rowe Price Associates, Inc. (May 29, 2007); Visa U.S.A., Inc. (May 29, 2007); Wisconsin Bankers Ass’n (May 29, 2007). 209 See, e.g., comment letter of National Automobile Dealers Ass’n (May 29, 2007). Sample Clause A–1 describes the categories of information that an institution collects. Sample Clause A–3 includes the phrase ‘‘as permitted by law’’ to describe the sharing that institutions are permitted to do under sections __.14 and __.15 without triggering an opt-out. Sample Clause A–7 generally states that an institution uses safeguard measures to protect the handling of the personal information it obtains. 210 See, e.g., comment letters of Visa U.S.A., Inc. (May 29, 2007); Citigroup Inc. (May 30, 2007); Huntington National Bank (May 25, 2009). 211 See, e.g., comment letter of Capital One Financial Corporation (May 29, 2007). 212 See, e.g., comment letters of Direct Marketing Ass’n (May 29, 2007); Investment Adviser Ass’n (May 29, 2007). 213 The Agencies are also making conforming amendments to sections __.2, __.6, and __.7 of the privacy rule and to the Appendix with one small change from the Proposed Rule. 214 See, e.g., Public Citizen Petition, supra note 24 at 4–9; Press Release of House Committee on Financial Services, supra note 74. E:\FR\FM\01DER2.SGM 01DER2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations mstockstill on DSKH9S0YB1PROD with RULES2 and the launch of this Notice Project all examined the problems with institutions’ privacy notices, including their extensive use of the Sample Clauses, and the need to develop a usable consumer notice. These same factors led the Agencies to propose eliminating the Sample Clauses. One commenter agreed that the research showed the clauses ‘‘were found wanting.’’ 215 An association whose members generally found the model form to be more consumer-friendly than the Sample Clauses asked only that the Agencies provide a sufficient transition period before eliminating the Sample Clauses.216 In addition, the quantitative testing supports the Agencies’ proposal to eliminate the Sample Clauses and related safe harbor. The Levy-Hastak Report confirms that a notice composed solely of the Sample Clauses promotes ease of scanning to perform simple tasks—because the notice is short and not because it is understandable—but the Sample Clauses do not do well on comprehension measures. Moreover, the testing showed that current notices—in which the Sample Clauses are typically embedded—do poorly on all measures. The Levy-Hastak Report examined the results when study participants were asked to choose between two banks based solely on the content of the notice and to give reason(s) why they selected a particular bank. Participants who saw the Sample Clause Notice were more likely to select the higher sharing bank because it offered an opt-out.217 When these participants were matched with their general attitudinal preferences toward sharing, the Levy-Hastak Report found that they generally favored less sharing.218 According to the LevyHastak Report, the data suggested that study participants who gave as the reason for their choice the availability of opt-outs ‘‘may have mistakenly believed that this would lead them to choosing a lower sharing bank.’’ 219 In other words, participants who saw the Sample Clause Notice and selected the higher sharing bank because it offered opt-outs did not understand that a bank offering 215 See comment letter of Capital One Financial Corporation (May 29, 2007). 216 See comment letter of Independent Community Bankers Ass’n (May 29, 2007). 217 The Levy-Hastak Report also found that study participants who saw the Current Notice were significantly more likely to give reasons not based on any information in the notice, for example, that Bank X offered a lower interest rate. These same participants were also less likely than those who saw the other notices to give cogent reasons for choosing the lower sharing bank. Levy-Hastak Report at 9. 218 Id. at 15. 219 Id. at 10. VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 no opt-out did so because it shared less. This finding confirmed reports by small institutions.220 Further, the NAIC Study,221 conducted in March 2005, examined several different insurance disclosure forms with participants in three focus groups. One was a generic form based on the sample clauses adopted in the NAIC Model Privacy Rule and similar in content to the Sample Clause Notice used in the Agencies’ quantitative testing. The NAIC Study highlighted a key finding that is consistent with the Agencies’ research findings. Among the study participants, there was general misunderstanding of and concern about the language in the form, in particular the phrase ‘‘as permitted by law’’ found in Sample Clause A–3. Participants in all three focus groups asked: (1) What does this phrase mean?; (2) what is the law and what does it permit?; and (3) what if the law changes? Participants who viewed this form did not know what to do with it and wanted some way to contact the company to get answers to their questions. Also, in the development of the model form, Kleimann found that consumers did not understand the language in Sample Clause A–7 regarding the safeguarding of personal information. Through consumer testing, the description was revised to improve consumer comprehension. Finally, while many smaller institutions are most likely to engage in limited sharing and so would rely on the three Sample Clauses, A–1, A–3, and A–7, many of these institutions support the model form. They have stated that such a form would make it easier for them to demonstrate that they are less likely to share personal information, and it would allow for easier comparison of their sharing practices with those of other institutions.222 One large association commented that an informal survey of its community bank members found that ‘‘many are likely to use the model forms’’ and that ‘‘[m]ost found the new forms more consumer-friendly than the existing sample clauses.’’ 223 To ease the compliance burden for those institutions that currently have privacy notices based on the Sample Clauses, the Agencies are implementing 220 See supra note 133 and related text. NAIC Study, supra note 141. 222 See, e.g., comment letters of Florence Savings Bank (April 30, 2007); Community Bankers of America (May 29, 2007), Iowa State Bank and Trust Co. (May 22, 2007), Credit Union National Ass’n (May 29, 2007); see also supra note 133 and related text. 223 See comment letter of Independent Community Bankers of America (May 29, 2007). 221 See PO 00000 Frm 00021 Fmt 4701 Sfmt 4700 62909 a transition period that begins thirty (30) days after the date of publication and ends on December 31, 2010. Financial institutions will not be able to rely on the safe harbor by using the Sample Clauses in notices delivered or posted on or after January 1, 2011.224 Privacy notices using the Sample Clauses that are delivered to consumers (either in paper form or by electronic delivery such as e-mail) or, alternatively, are posted electronically to meet the annual notice requirement of section l.9(c) during the transition period, will have a safe harbor for one year after delivery or posting. Privacy notices using the Sample Clauses that are delivered or posted electronically after the transition period will not be eligible for a safe harbor. Since institutions are required to send notices annually to their customers, they may continue to rely on the safe harbor for annual notices that are delivered to consumers (either in paper form or by electronic delivery such as e-mail) within the transition period until the next annual privacy notice is due one year later.225 The Sample Clauses will be removed from codification one year after the transition period ends. The SEC, whose privacy rule provides only guidance and not a safe harbor for financial institutions that use the Sample Clauses, will also remove the Sample Clauses from codification one year after the transition period ends.226 While the final model form would provide a legal safe harbor, institutions could continue to use other types of notices that vary from the model form, including notices that use the Sample Clauses, so long as these notices comply with the privacy rule. The Agencies are also amending section l.6(b) of the privacy rule. The FTC is deleting the second sentence of section 313.6(b) and substituting the following new sentence, based on the model form research: ‘‘When describing the categories with respect to those 224 Institutions relying on the Sample Clauses appended to the SEC’s privacy rule will not be able to rely on them for guidance in notices delivered or posted on or after January 1, 2011. 225 For example, if an institution provides a notice using the Sample Clauses on or before December 31, 2010, it could continue to rely on the safe harbor for one additional year until its next annual notice is due. If an institution provides a notice using the Sample Clauses on or after January 1, 2011, however, it could not rely on the safe harbor. Privacy notices using the Sample Clauses posted on an institution’s Web site to meet the annual notice requirements of section l.9(c) of the privacy rule would no longer be able to rely on the safe harbor beginning on January 1, 2011. 226 See SEC privacy rule, section 248.2(a). The facts and circumstances of each individual situation determine whether use of the Sample Clauses constitutes compliance with the SEC’s privacy rule. E:\FR\FM\01DER2.SGM 01DER2 62910 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations parties, it is sufficient to state that you make disclosures to other nonaffiliated companies for your everyday business purposes, such as to process transactions, maintain account(s), respond to court orders and legal investigations, and report to credit bureaus.’’ The remaining Agencies (Board, CFTC, FDIC, NCUA, OCC, OTS, and SEC) are revising the second sentence of section l.6(b) to read as follows, based in part on the model form research: ‘‘When describing the categories with respect to those parties, it is sufficient to state that you make disclosures to other nonaffiliated companies: (1) For your everyday business purposes, such as [include all that apply] to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus; or (2) As permitted by law.’’ 227 V. Effective Date The Agencies proposed that most of the provisions of the final rule would take effect on the date of publication.228 That approach would have allowed institutions that chose to use the model privacy form to receive the safe harbor for doing so immediately upon its publication. The Agencies received no comments on providing an immediate effective date for this portion of the rule. The only comments the Agencies received concerning the effective date of the rule pertained to removal of the Sample Clauses and related Appendix, as discussed in section IV. The final rule makes most of the provisions effective 30 days after publication. This approach allows institutions to receive, with only a minimal delay, a safe harbor for using the model privacy form and the additional, alternative language that may be used to comply with section l.6(b) of the privacy rule. The Agencies believe that few, if any, institutions would choose to implement those changes in fewer than 30 days. The 30day delay will give institutions and the Agencies time to implement the changes properly. mstockstill on DSKH9S0YB1PROD with RULES2 VI. Final Regulatory Flexibility Analysis The Regulatory Flexibility Act (‘‘RFA’’) 229 requires the Agencies to provide an Initial Regulatory Flexibility 227 Institutions using option (1) in this revised sentence to section l.6(b) are required to include all applicable examples. See 12 CFR 40.6(b) (OCC); 12 CFR 216.6(b) (Board); 12 CFR 322.6(b) (FDIC); 12 CFR 573.6(b) (OTS); 12 CFR 716.6(b) (NCUA); 17 CFR 160.6(b) (CFTC); 17 CFR 248.6(b) (SEC). 228 Proposed Rule, supra note 4, at section IV. 229 5 U.S.C. 601–612. VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 Analysis (‘‘IRFA’’) with a proposed rule and a Final Regulatory Flexibility Analysis (‘‘FRFA’’) with a final rule, unless the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities. See 5 U.S.C. 603–605. An IRFA was published by the Agencies in their March 20, 2007, Proposed Rule regarding amendments to the rules implementing the privacy provisions of the GLB Act. The Agencies have prepared the following FRFA in accordance with 5 U.S.C. 604. A. Need For and Objectives of Rule Amendments The goal of the rule amendments is to satisfy the requirements of section 728 of the Regulatory Relief Act, which requires that the Agencies develop a model form that is comprehensible, clear and conspicuous, and succinct. The Act also requires that the model form enable consumers to easily identify a financial institution’s sharing practices and compare those practices with others. The model form that the Agencies are adopting today will, if properly used, serve as a safe harbor for satisfying the privacy rules’ requirements regarding content of privacy notices. As indicated in section I of the preamble to this final rule, the amendments to Appendix A of the Agencies’ privacy rules are adopted pursuant to the authority set forth in § 503 (as amended by section 728 of the Regulatory Relief Act) and § 504 of the GLB Act.230 B. Significant Issues Raised by Public Comment The Agencies requested comments on the IRFA. We specifically requested comments on the number of small entities that would be affected by the rules’ amendments, the existence or nature of the impact of the amendments on small entities, how to quantify the impact of the amendments, and possible alternatives to the amendments. Commenters were also asked whether a downloadable version of the model form would be useful for financial institutions, particularly small entities that would like to take advantage of the proposed safe harbor. 230 The SEC is also adopting the amendments under section 23 of the Securities Exchange Act of 1934 [15 U.S.C. 78w], section 38(a) of the Investment Company Act of 1940 [15 U.S.C. 80a– 37(a)], and section 211(a) of the Investment Advisers Act of 1940 [15 U.S.C. 80b–11(a)]. The CFTC also is adopting the amendments under Section 504 of the GLB Act [15 U.S.C. 6804], and Sections 5g and 8a(5) of the Commodity Exchange Act [7 U.S.C. 7b–2, 12a(5)]. PO 00000 Frm 00022 Fmt 4701 Sfmt 4700 Only one commenter directly addressed the IRFA.231 That commenter disagreed with the Agencies’ analysis that some financial institutions that may wish to transition to the proposed model form might incur some small incremental costs in making the transition, but did not provide any explanation of why the analysis is incorrect or estimates regarding logistical costs that the commenter asserted would be significant. Several associations whose members include small entities, however, expressed support for the objectives of the proposed model notice.232 In addition, one association (many of whose members are small entities) found that many of its members that participated in an informal survey are likely to use the model forms and most found the forms more consumer-friendly than the Sample Clauses.233 Some commenters suggested that the model form is oriented to large, multi-affiliate financial institutions and does not accommodate smaller institutions.234 These commenters stated that the information collection policies described in the model form accurately reflect the practices of certain large financial institutions but are misleading to the extent they are beyond the scope of smaller financial institutions that do not offer banking-related products and services. In response to these and similar comments, the Agencies have revised the model form to allow financial institutions to select from a menu of specific disclosures to customize the descriptions of their information collection policies.235 Several commenters also requested that the Agencies retain the safe harbor regarding the Sample Clauses, noting that many small entities’ privacy notices currently incorporate the Sample Clauses. One commenter explained that it would be burdensome and unnecessary for small entities to change their privacy notices, especially small entities that do not share personal information other than to service their clients’ accounts.236 Another 231 Comment letter of National Business Coalition on E–Commerce and Privacy (May 30, 2007). 232 See, e.g., joint comment letter of American Bankers Ass’n, America’s Community Bankers, Consumer Bankers Ass’n, and The Financial Services Roundtable (May 29, 2007). 233 See comment letter of Independent Community Bankers of America (May 29, 2007). 234 See, e.g., comment letters of Financial Services Institute (May 29, 2007); Financial Planning Ass’n (May 30, 2007). 235 See supra sections III.I.2 and III.J.1; see also infra, Instructions C.2(b) and C.3(a)(3) and (4) to the Model Privacy Form. 236 See, e.g., comment letter of Investment Adviser Ass’n (May 29, 2007). E:\FR\FM\01DER2.SGM 01DER2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations commenter argued that elimination of the safe harbor for the Sample Clauses would transform the model form from an optional elective to a burdensome regulatory requirement, particularly for small entities.237 We note, however, that the research found that there was general misunderstanding of and concern among consumers about language in the notice based on the Sample Clauses.238 Nevertheless, partly in response to these comments, the Agencies are allowing financial institutions one year in which they can continue to rely on the Sample Clauses for safe harbor or guidance when providing notices. In addition, as noted above, while the Agencies are eliminating the Sample Clauses and related safe harbor (or, for the SEC, guidance), institutions may continue to use notices containing these clauses, so long as these notices comply with the privacy rule. Finally, we received a limited number of comments indicating that a downloadable fillable model form may be helpful, especially to small entities.239 In response to these comments, the Agencies will make available an Online Form Builder. We expect the availability of this form will, in part, minimize the burden on small businesses of developing, using, and customizing the model form for their individual needs. mstockstill on DSKH9S0YB1PROD with RULES2 C. Small Entities Subject to the Rules The amendments to Appendix A and conforming amendments to sections __.2, __.6, and __.7 of the Agencies’ privacy rules may potentially affect financial institutions, including financial institutions that are small businesses or small organizations, that choose to rely on the model privacy form as a safe harbor. 1. OCC. The OCC estimates that 690 insured national banks, uninsured national banks and trust companies, and foreign branches and agencies are small entities for purpose of the RFA. 2. Board. The Board estimates that 432 state member banks are small entities for purposes of the RFA. 3. FDIC. The FDIC estimates that 3115 state nonmember banks are small entities for purposes of the RFA. 237 See, e.g., comment letter of National Automobile Dealers Ass’n (May 29, 2007). 238 See supra section IV and discussion at notes 217–219 and related text. See also Public Citizen Petition, supra note 24, at 9 (‘‘The paragraph employs ambiguous phrases such as ‘other information’ (what other information?), ‘unless otherwise permitted by law’ (in actuality, the law almost always permits disclosure) * * *’’). 239 See, e.g., comment letters of Financial Planning Ass’n (May 30, 2007); Center for Democracy and Technology (May 29, 2007). VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 4. OTS. The OTS estimates that 377 small savings associations are small entities for purposes of the RFA. 5. NCUA. The RFA requires NCUA to prepare an analysis to describe any significant economic impact a regulation may have on a substantial number of small credit unions (primarily those under $10 million in assets). The NCUA estimates that 3,168 federally-insured, state-chartered credit unions are small entities for purposes of the RFA. 6. FTC. Determining a precise estimate of the number of small entities that are financial institutions within the meaning of the rule is not readily feasible. The GLB Act does not identify for purposes of the Commission’s jurisdiction any specific category of financial institution. In the absence of such information, there is no way to estimate precisely the number of affected entities that share nonpublic personal information with nonaffiliated third parties or that establish customer relationships with consumers and therefore assume greater disclosure obligations. 7. CFTC. Section 5g of the CEA, 7 U.S.C. 7b–2, provides that any futures commission merchant, commodity trading advisor, commodity pool operator, or introducing broker that is subject to the jurisdiction of the CFTC with respect to any financial activity, shall be treated as a financial institution for purposes of Title V of the GLB Act, regardless of size and including commodity trading advisors and commodity pool operators that are exempt from the CEA’s registration requirements. The CFTC has previously established certain definitions of ‘‘small entities’’ and determined that futures commission merchants and commodity pool operators are not small for purposes of the Regulatory Flexibility Act. Policy Statement and Establishment of Definitions of ‘‘Small Entities,’’ 47 FR 18,618 (Apr. 30, 1982). This rule applies to commodity trading advisors and introducing brokers of all sizes. Because use of the model privacy form is voluntary, and because its use is a form of substituted compliance with Part 160 and not a new mandatory burden, CFTC believes that the rule will not have a significant economic impact on a substantial number of small entities. 8. SEC. The SEC estimates that 915 broker-dealers, 212 investment companies registered with the Commission, and 781 investment advisers registered with the Commission PO 00000 Frm 00023 Fmt 4701 Sfmt 4700 62911 are small entities for purposes of the RFA.240 Because use of the model privacy form will be entirely voluntary, the Agencies cannot estimate how many small financial institutions will use it. The Agencies expect, however, that small financial institutions, particularly those that do not have permanent staff available to address compliance matters associated with the privacy rules, will be relatively more likely to rely on the model privacy form than larger institutions. We believe that most financial institutions currently have legal counsel review their privacy notices for compliance with the GLB Act, the FCRA, and the privacy rules. We anticipate that a financial institution that uses the model form for its privacy notice will need little review by legal counsel because the rules do not permit institutions to vary the form if they wish to obtain the benefit of a safe harbor, except as necessary within narrow parameters to identify their information collection, sharing, and opt-out policies. Finally, the Agencies are providing an Online Form Builder that will enable institutions to directly create a customized model form and thus will facilitate compliance. D. Reporting, Recordkeeping, and Other Compliance Requirements The amendments to the privacy rules do not impose any additional recordkeeping, reporting, disclosure, or compliance requirements. Financial institutions, including small entities, have been required to provide notice to consumers about the institution’s privacy policies and practices since July 1, 2001 (or March 31, 2002, in the case of the CFTC). The amendments adopted today will not affect these requirements and financial institutions will be under no obligation to modify their current 240 For purposes of the RFA, under the Securities Exchange Act of 1934 a small entity is a broker or dealer that (i) had total capital of less than $500,000 on the date in its prior fiscal year as of which its audited financial statements were prepared or, if not required to file audited financial statements, on the last business day of its prior fiscal year, and (ii) is not affiliated with any person that is not a small business or small organization. 17 CFR 240.0–10(c). Under the Investment Company Act of 1940, a ‘‘small entity’’ is an investment company that, together with other investment companies in the same group of related investment companies, has net assets of $50 million or less as of the end of its most recent fiscal year. 17 CFR 270.0–10(a). Under the Investment Advisers Act of 1940, a small entity is an investment adviser that (i) manages less than $25 million in assets, (ii) has total assets of less than $5 million on the last day of its most recent fiscal year, and (iii) does not control, is not controlled by, and is not under common control with another investment adviser that manages $25 million or more in assets, or any person that had total assets of $5 million or more on the last day of the most recent fiscal year. 17 CFR 275.0–7(a). E:\FR\FM\01DER2.SGM 01DER2 62912 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations mstockstill on DSKH9S0YB1PROD with RULES2 privacy notices as a result of the amendments. Instead, the amendments provide a specific model privacy form that a financial institution may use to comply with notice requirements under the GLB Act, the FCRA (as amended by the FACT Act), and the privacy rules. Nonetheless, some of the financial institutions that rely on the Sample Clauses in the current privacy rules’ appendixes may wish to transition to the model form and may incur some additional costs in making this transition.241 The Agencies expect, however, that the availability of a standardized model form will minimize these costs because the form’s standardized formatting and language will make it easier for institutions to prepare and revise their privacy notices. E. Action by the Agencies To Minimize Effects on Small Entities The RFA directs the Agencies to consider significant alternatives that would accomplish the stated objectives, while minimizing any significant adverse impact on small entities. In connection with the amendments, we considered the following alternatives: 1. Different reporting or compliance standards. As noted above, the Regulatory Relief Act requires the Agencies to develop ‘‘a’’ model form that, among other things, will facilitate comparison of the information sharing practices of different financial institutions. In light of these statutory requirements, the Agencies are adopting only one model form, which includes alternative language in some places that allows a financial institution to describe its particular information collection and sharing practices. The specific model form that the Agencies are adopting today was developed as part of a careful and thorough consumer testing process designed to produce a clear, comprehensible, and comparable notice. The model form emerged as the most effective of several notice formats considered as part of this testing. 2. Clarification, consolidation, or simplification of reporting and compliance requirements. The Agencies believe that the model form will simplify the reporting requirements for all entities, including small entities, that choose to use the model form. We anticipate that financial institutions that choose to use the model form will spend less time preparing notices than if they had to draft one on their own. Because 241 To the extent that institutions review their privacy policies annually for compliance, we estimate that the costs associated with this annual review, including professional costs, will be approximately the same as the costs to complete the model form. VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 the model form was developed as part of a consumer testing process, further clarifying, consolidating, or simplifying the model notice would compromise the research findings. 3. Performance rather than design standards. Section 728 of the Regulatory Relief Act specifically requires that the Agencies develop a model form. The model form is an alternative means of providing a privacy notice that institutions may choose to use. The privacy rules do not mandate the format of privacy notices; thus, neither the privacy rules nor the amendments impose a design standard. 4. Exempting small entities. We believe that an exemption for small entities would not be appropriate or desirable. The Agencies note that the model form is available for use at the discretion of all financial institutions, including small institutions. Moreover, two key objectives of the model form are that (1) consumers can understand an institution’s information sharing practices and (2) they may more easily compare financial institutions’ sharing practices and policies across privacy notices. An exemption for small entities would directly conflict with both of these key objectives, particularly that of enabling comparison across notices. VII. Paperwork Reduction Act The final privacy rules governing the privacy of consumer financial information contain disclosures that are considered collections of information under the Paperwork Reduction Act (PRA).242 Before the Agencies issued their privacy rules, they obtained approval from OMB for the collections. OMB control numbers for the collections appear below. The amendments adopted today do not introduce any new collections of information into the Agencies’ privacy rules, nor do they amend the rules in a way that substantively modifies the collections of information that OMB has approved. Therefore, no PRA submissions to OMB are required. OCC: Control number 1557–0216. Board: Control number 7100–0294. FDIC: Control number 3064–0136. OTS: Control number 1550–0103. NCUA: Control number 3133–0163. FTC: Control number 3084–0121. SEC: Control number 3235–0537. CFTC: Control number 3038–0055. VIII. OCC and OTS Executive Order 12866 Determination The OCC and OTS have determined that their respective portions of the final rule are not a significant regulatory 242 44 PO 00000 U.S.C. 3501–3520. Frm 00024 Fmt 4701 Sfmt 4700 action under Executive Order 12866. We have concluded that the changes made by this rule will not have an annual effect on the economy of $100 million or more, and does not meet any of the other standards for a significant action set forth in E.O. 12866. IX. OCC and OTS Executive Order 13132 Determination The OCC and OTS have determined that their respective portions of the final rule do not have any federalism implications, as required by Executive Order 13132. X. OCC and OTS Unfunded Mandates Reform Act of 1995 Determination Section 202 of the Unfunded Mandates Reform Act of 1995, Public Law 104–4 (UMRA), requires that an agency prepare a budgetary impact statement before promulgating a rule that includes a Federal mandate that may result in the expenditure by State, local, and tribal governments, in the aggregate, or by the private sector of $100 million or more (adjusted annually for inflation) in any one year. The inflation adjusted threshold is $133 million or more. If a budgetary impact statement is required, section 205 of the UMRA also requires an agency to identify and consider a reasonable number of regulatory alternatives before promulgating a rule. The OCC and OTS have each determined that their respective portions of the final rule will not result in expenditures by State, local, and tribal governments, in the aggregate, or by the private sector, of $133 million or more in any one year. Accordingly, the final rule is not subject to section 202 of the UMRA. XI. SEC Cost-Benefit Analysis The SEC is sensitive to the costs and benefits imposed by its rules. As discussed above, the amendments the Agencies are adopting today will replace the Sample Clauses included as guidance in Regulation S–P’s Appendix A (17 CFR part 248, appendix A) with a model privacy form that financial institutions can choose to provide to consumers. The amendments are designed to implement section 728 of the Regulatory Relief Act. This Act directs the Agencies to ‘‘jointly develop a model form which may be used, at the option of the financial institution, for the provision of disclosures under [section 503 of the GLB Act].’’ The SEC identified certain costs and benefits arising from these amendments and requested comments on all aspects of the associated cost-benefit analysis, including identification and assessment of any costs and benefits not discussed E:\FR\FM\01DER2.SGM 01DER2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations mstockstill on DSKH9S0YB1PROD with RULES2 in the analysis. The SEC also sought comments on the accuracy of its cost and benefit estimates and requested commenters to identify, discuss, analyze, and supply relevant data that would allow the SEC to improve its estimates. Finally, the SEC requested comments regarding the potential impact of the proposals on the U.S. economy on an annual basis. A. Benefits The goal of the rules is to satisfy the requirements of section 728 of the Regulatory Relief Act, which requires that the Agencies develop a model form that is comprehensible, clear and conspicuous, and succinct. The Act also requires that the model form enable consumers easily to identify a financial institution’s sharing practices and compare those practices with others. The model form that the Agencies are adopting today will, if properly used, serve as a safe harbor for satisfying the privacy rule’s requirements regarding the content of privacy notices. The SEC requested comments on all aspects of the benefits of the amendments as proposed. The SEC requested specific comments on available metrics to quantify these benefits and any other benefits commenters could identify, and requested commenters to identify sources of empirical data that could be used for such metrics. The SEC did not receive any comments in response to these requests. Use of the model form is voluntary, so a financial institution can determine for itself its costs and benefits in deciding whether using the model form would be suitable for its business and customers. However, new financial institutions will likely benefit from using the model privacy form because of the savings in time and resources that would otherwise be spent developing their own notices. The SEC also anticipates that financial institutions regulated by the SEC may benefit from the model privacy form’s standardized formatting and language. The SEC believes that institutions currently review their Regulation S–P privacy policies annually. To the extent that these institutions are required to change their policies to reflect changes in their privacy practices, they may find it easier to use the model privacy form rather than revise their existing notices. Similarly, the SEC expects that revisions to an institution’s privacy policies will be easier to record in the model form’s standardized format. The SEC also anticipates that a financial institution that chooses to use the model VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 notice will need little, if any, ongoing review by legal counsel because an institution cannot vary the form except within stated parameters as necessary to identify certain specific information collection, sharing, and opt-out policies. Before today’s amendments, Appendix A of Regulation S–P contained Sample Clauses that the SEC interpreted as providing guidance, as opposed to a legal safe harbor. Institutions will therefore benefit from the certainty that proper use of the model notice entitles them to a safe harbor for disclosures required under the GLB Act and FCRA.243 Consumers should also benefit from the model form through increased comprehension of and enhanced comparability among privacy policies. The model form was developed in an extensive consumer research testing process that sought to maximize consumers’ ability to comprehend, use, and compare privacy notices. The model form emerged as the most effective of several notice formats considered as part of this testing. The SEC therefore anticipates that if financial institutions make widespread use of the model form, consumers’ comprehension and their ability to use and compare privacy policies will be enhanced. Institutions also might benefit from consumers’ enhanced ability to understand and use the notices to the extent that consumers have more trust and confidence in an institution’s privacy policies because the consumers understand those policies. B. Costs Since the model form is optional, the SEC cannot estimate the number of institutions that will adopt it. Accordingly, we cannot estimate total overall costs to use the model form by broker-dealers, investment advisers registered with the SEC, and investment companies that may use the model form. However, in the Proposed Rule, the SEC provided estimates of certain types of costs that could result from the proposed amendments. The SEC also sought comments on its cost estimates and the assumptions behind the estimates, as well as whether 243 A number of commenters expressed concern that the safe harbor provisions might not fully extend to all GLB Act requirements or FCRA disclosures. See, e.g., comment letter of Citigroup Inc. (May 30, 2007). Several commenters further suggested the safe harbor should encompass state and private enforcement. See, e.g., comment letters of Consumer Bankers Ass’n (May 29, 2007); Financial Services Institute (May 29, 2007). In response to these comments, the Agencies have clarified the scope of the safe harbor. See supra section III.K.2. PO 00000 Frm 00025 Fmt 4701 Sfmt 4700 62913 any of those costs would differ if the form were downloadable from a Web site. The majority of the comments we received predicted significant cost increases in preparation, distribution, and processing of privacy notices. Many commenters noted that the prohibition on double-sided printing and requirement of a separate third page for mail-in opt-outs, if any, would greatly increase printing costs and would result in significant environmental waste due to increased paper usage.244 Numerous commenters also raised concerns that the 81⁄2; x 11-inch paper size requirement, coupled with the prohibition on incorporation of the model notice into other documents, essentially mandated a separate mailing for the model notice.245 Commenters concluded that separate mailing of privacy notices would result in significant postage costs and increase the likelihood that consumers would misplace or fail to read the notice because it no longer accompanied important documents.246 Several commenters suggested that these costs could result in lowered adoption rates for the model form.247 Based on these comments, the Agencies have revised the amendments to allow for doublesided printing and incorporation of the mail-in opt-out on the bottom of the first page, waiver of a mandatory 81⁄2 x 11inch paper size, and incorporation of the model notice into other documents. We believe these accommodations will result in greatly reducing the implementation costs commenters associated with adopting the model form. We do not expect that financial institutions will incur additional disclosure costs in using the model privacy form because the notice requirements of Regulation S–P have been effective since July 1, 2001, and are not altered by the amendments. Moreover, financial institutions will be 244 See, e.g., comment letters of Investment Adviser Ass’n (May 29, 2007) (estimating additional printing and mailing costs for larger investment advisory firms of $100,000 to more than $300,000 per mailing); Securities Industry and Financial Markets Ass’n (May 29, 2007) (estimating additional printing costs of $7.5 million per billion notices). 245 See, e.g., comment letters of Investment Adviser Ass’n (May 29, 2007); Citigroup Inc. (May 30, 2007). 246 See, e.g., comment letters of Financial Services Roundtable and BITS (May 29, 2007) (estimating cost to financial services industry of printing and mailing model form of approximately $400 million per billion notices); Citigroup Inc. (May 30, 2007) (consumers ‘‘are more likely to open and read mail that contains an ‘important’ communication such as a billing statement than an unidentified standalone communication’’). 247 See, e.g., comment letter of Capital One Financial Corporation (May 29, 2007). E:\FR\FM\01DER2.SGM 01DER2 mstockstill on DSKH9S0YB1PROD with RULES2 62914 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations under no obligation to adopt the model form or modify their current privacy notices. Presumably, financial institutions will not adopt the model form without first determining that associated costs are justified by the benefits. We anticipate that financial institutions that elect to use the model privacy form could incur some small, incremental developmental costs in making the transition from their current notices to the model form. These costs could include staff time to review the model form and its instructions and complete the model form. We expect these will be minimal because the language and format in the form are standardized and financial institutions can only customize very limited sections of the model privacy form. Institution-specific information is limited to contact information, selection from a menu of terms relating to information collection, ‘‘yes’’ or ‘‘no’’ answers and brief descriptions, as necessary, of the types of entities with which the institution shares personal information. Furthermore, the model form can be downloaded from a Web site so preparation costs should be minimal. Similarly, we believe that a financial institution that adopts the model privacy form would need little, if any, initial or annual review by legal counsel because almost all the disclosures in the form are already mandated under the current disclosure regime. One commenter disagreed and suggested that legal counsel at each financial institution will spend at least 50 hours initially and annually ensuring that the model form accurately reflects the institution’s privacy practices.248 These estimates seem high because institutions already know their information collection and sharing practices and there is very little discretion the institution has in choosing from among a menu of terms to disclose that information on the model form. Even if those estimates are accurate, however, we believe that those legal costs would likely have been incurred with respect to any model form unless it conformed exactly to the institution’s current form. Transition costs may also include administrative, logistical, and training costs. For example, several commenters highlighted one-time costs stemming from rewriting notices, republishing brochures or notices, and revising or reprinting documents that incorporate 248 See comment letter of Securities Industry and Financial Markets Ass’n (May 29, 2007). VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 current notices.249 We anticipate these costs will be minimal, if any, in part because the Agencies are allowing financial institutions a transition period of one year during which they can continue to rely on the Sample Clauses for safe harbor or guidance. Although an institution may choose to replace a current privacy notice with a model privacy notice, this should not require substantial rewriting because there are few drafting choices in the model form. In addition, the SEC believes it is unlikely that many financial institutions have stockpiles of more than one year’s worth of privacy notices or documents that incorporate privacy notices on hand for distribution. Several commenters also raised concerns regarding increased customer service demands and the necessity for financial institutions to proactively take steps to address customer confusion. For example, one commenter noted that financial institutions would face one-time costs associated with revising or preparing explanatory material for training employees regarding the model form, such as scripts and responses for call centers.250 Since the amendments do not affect Regulation S–P’s substantive requirements, we anticipate that any substantive questions about the institutions’ privacy practices should already be addressed by existing explanatory materials. We anticipate any new explanatory material will be limited to questions regarding the revised format of the model form, which due to its standardized nature should be relatively simple to address. Insofar as the Sample Clauses in current Regulation S–P may have some value to some financial institutions, their phase-out under the amendments to the rules may create some costs to those institutions. However, we expect those costs to be minimal. As discussed above, the Agencies are giving financial institutions a transition period of one year during which they can continue to rely on the Sample Clauses for guidance or a safe harbor, which should allow time to minimize the transition costs for any institutions that adopt the model privacy form. Moreover, as noted above, elimination of the Sample Clauses as guidance does not mean that institutions that continue to use these clauses are in violation of the SEC’s privacy rule. Institutions may continue to use notices containing these clauses so long as these notices comply with the privacy rule. 249 See comment letter of T. Rowe Price Associates, Inc. (May 29, 2007). 250 See comment letter of Investment Adviser Ass’n (May 29, 2007). PO 00000 Frm 00026 Fmt 4701 Sfmt 4700 Lastly, customers may experience certain costs associated with adoption of the model form. Several commenters suggested that the model form sacrifices greater consumer understanding about information sharing practices in exchange for a simplified notice format.251 Another commenter speculated that adoption of the model form would result in customer confusion and potential loss of customer trust due to the misimpression that financial institutions are changing their privacy policies.252 One commenter concluded that consumer confusion resulting from overly simplified disclosures would lead to unacceptably high opt-out rates and discourage use of the model form by financial institutions.253 As discussed above, the model form was developed in an extensive consumer research testing process that sought to maximize consumers’ ability to comprehend, use, and compare privacy notices. The model form emerged as the most effective of several notice formats considered as part of this testing. Consequently, the SEC believes that any customer confusion that results from adoption of the model form will be minimal. Furthermore, we expect that any such confusion will be rapidly dissipated if financial institutions make widespread use of the model privacy form and consumers become more familiar with its contents. Although the SEC cannot determine aggregate costs because of the unknown number of financial institutions that will adopt the model form, we expect each financial institution choosing to adopt the model form to incur minimal, if any, costs. As discussed above, we do not anticipate that financial institutions will incur additional disclosure costs in using the model privacy form because the substantive notice requirements of Regulation S–P have been effective since July 1, 2001, and are not altered by the amendments. We expect notice development and transition costs to be minimal because the language and format in the model form are standardized and financial institutions can only customize a few sections of the model form by selecting from among a menu of specific terms. Furthermore, the model form can be downloaded from a Web site so preparation costs should be minimal. Moreover, the Agencies are giving financial 251 See, e.g., comment letter of Bank of America Corporation (May 29, 2007). 252 See comment letter of Visa U.S.A. Inc. (May 29, 2007). 253 See comment letter of Financial Services Institute (May 29, 2007). E:\FR\FM\01DER2.SGM 01DER2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations mstockstill on DSKH9S0YB1PROD with RULES2 institutions one year in which they can continue to rely on the Sample Clauses for safe harbor or guidance, which should allow time to minimize the transition costs for any institution that adopts the model privacy form. Similarly, the SEC expects any aggregate costs to consumers that may result from adoption of the model form to be minimal, if any. As discussed above, the model form emerged as the most effective of several notice formats in an extensive consumer research testing process that sought to maximize consumers’ ability to comprehend, use, and compare privacy notices. We anticipate that any initial costs to consumers in the form of confusion or reduced understanding will be shortlived as increasing numbers of financial institutions use the model privacy form and consumers become more familiar with its contents and can use the form to compare notices more easily. XII. SEC Consideration of Burden on Competition Securities Exchange Act Section 23(a)(2) requires the SEC, in adopting rules under that Act, to consider the impact that any such rule will have on competition.254 Section 23(a)(2) also prohibits the SEC from adopting any rule that will impose a burden on competition not necessary or appropriate in furtherance of the purposes of the Securities Exchange Act. As discussed above, the amendments to Regulation S–P, including the model form, are designed to comply with section 728 of the Regulatory Relief Act, mandating that the Agencies develop a model form that is comprehensible, clear and conspicuous, and succinct. SEC-regulated institutions will be able to use the model form in order to comply with the notice requirements under the GLB Act, the FCRA, and Regulation S–P. The SEC does not expect the amendments to have a significant impact on competition. Use of the model form will be voluntary, permitting a financial institution to determine whether using the model form will enhance its competitive position. All brokers and dealers, investment companies, and registered investment advisers will be able to use the model form and take advantage of the safe harbor. Other financial institutions will be able to use the form and take advantage of the safe harbor under comparable rules adopted by the other Agencies. Under the Regulatory Relief Act, the Agencies have worked in 254 See 15 U.S.C. 78w(a)(2). VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 62915 consultation in order to ensure the consistency and comparability of the amendments. Therefore, all financial institutions will have the same opportunity to use the model form and rely on the safe harbor. Further, if financial institutions choose to use the model form, the amendments could promote competition by enabling consumers more easily to understand and compare competing institutions’ privacy policies. The SEC also anticipates that the model form’s standardized formatting may reduce the relative burden of compliance on smaller financial institutions, allowing them to compete more effectively with larger institutions that are more likely to have a dedicated compliance staff. As such, the SEC expects any impact on competition caused by the amendments would not be significant. or to effectuate any of the provisions or to accomplish any of the purposes of the Act. The CFTC has considered the costs and benefits of the model form as a totality. The form provides a nonmandatory means of complying with existing requirements of the privacy provisions of the GLB Act and section 5g of the CEA, and thus imposes no mandatory new costs. The CFTC believes that the model form should benefit futures industry consumer customers in better understanding a financial institution’s privacy policies, and may facilitate customers in comparing the privacy policies of financial institutions. XIII. NCUA: The Treasury and General Government Appropriations Act, 1999– Assessment of Federal Regulations and Policies on Families The NCUA has determined that this rule will not affect family well-being within the meaning of section 654 of the Treasury and General Government Appropriations Act, 1999, Public Law 105–277, 112 Stat. 2681 (1998). Banks, banking, Consumer protection, National banks, Privacy, Reporting and recordkeeping requirements. XIV. CFTC Cost-Benefit Analysis Section 15 of the Commodity Exchange Act requires the CFTC to consider the costs and benefits of its action before issuing a new regulation under the Act. The CFTC understands that, by its terms, section 15 does not require the CFTC to quantify the costs and benefits of a new regulation or to determine whether the benefits of the regulation outweigh its costs. Nor does it require that each rule be analyzed piecemeal or in isolation when that rule is a component of a larger package of rules or rule revisions. Rather, section 15 simply requires the CFTC to ‘‘consider the costs and benefits’’ of its action. Section 15 further specifies that costs and benefits shall be evaluated in light of five broad areas of market and public concern: Protection of market participants and the public; efficiency, competitiveness, and financial integrity of futures markets; price discovery; sound risk management practices; and other public interest considerations. Accordingly, the CFTC could in its discretion give greater weight to any one of the five enumerated areas of concern and could in its discretion determine that, notwithstanding its costs, a particular rule was necessary or appropriate to protect the public interest PO 00000 Frm 00027 Fmt 4701 Sfmt 4700 List of Subjects 12 CFR Part 40 12 CFR Part 216 Banks, banking, Consumer protection, Foreign banking, Holding companies, Privacy, Reporting and recordkeeping requirements. 12 CFR Part 332 Banks, banking, Consumer protection, Foreign banking, Privacy, Reporting and recordkeeping requirements. 12 CFR Part 573 Consumer protection, Privacy, Reporting and recordkeeping requirements, Savings associations. 12 CFR Part 716 Consumer protection, Credit unions, Privacy, Reporting and recordkeeping requirements. 16 CFR Part 313 Consumer protection, Credit, Privacy, Reporting and recordkeeping requirements, Trade practices. 17 CFR Part 160 Brokers, Consumer protection, Privacy, Reporting and recordkeeping requirements. 17 CFR Part 248 Brokers, Consumer protection, Investment companies, Privacy, Reporting and recordkeeping requirements, Securities. E:\FR\FM\01DER2.SGM 01DER2 62916 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations DEPARTMENT OF THE TREASURY Office of the Comptroller of the Currency 12 CFR Chapter I Authority and Issuance For the reasons set forth in the joint preamble, part 40 of chapter I of title 12 of the Code of Federal Regulations is amended as follows: ■ PART 40—PRIVACY OF CONSUMER FINANCIAL INFORMATION 1. The authority citation for part 40 continues to read as follows: ■ Authority: 12 U.S.C. 93a; 15 U.S.C. 6801 et seq. ■ 2. Revise § 40.2 to read as follows: § 40.2 Model privacy form and examples. mstockstill on DSKH9S0YB1PROD with RULES2 (a) Model privacy form. Use of the model privacy form in Appendix A of this part, consistent with the instructions in Appendix A, constitutes compliance with the notice content requirements of §§ 40.6 and 40.7 of this part, although use of the model privacy form is not required. (b) Examples. The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part. VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 § 40.6 Information to be included in privacy notices. (g) Sample clauses. Sample clauses illustrating some of the notice content required by this section are included in Appendix B of this part. Use of a sample clause in a privacy notice provided on or before December 31, 2010, to the extent applicable, constitutes compliance with this part. * ■ 3. In § 40.6: A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set forth below. ■ B. Effective January 1, 2012, remove paragraph (g). ■ ■ * * * * (b) Description of nonaffiliated third parties subject to exceptions. If you disclose nonpublic personal information to third parties as authorized under §§ 40.14 and 40.15, you are not required to list those exceptions in the initial or annual privacy notices required by §§ 40.4 and 40.5. When describing the categories with respect to those parties, it is sufficient to state that you make disclosures to other nonaffiliated companies: (1) For your everyday business purposes, such as [include all that apply] to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus; or (2) As permitted by law. * * * * * (f) Model privacy form. Pursuant to § 40.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part. PO 00000 Frm 00028 Fmt 4701 Sfmt 4700 4. In § 40.7, add paragraph (i) to read as follows: § 40.7 Form of opt-out notice to consumers; opt-out methods. * * * * * (i) Model privacy form. Pursuant to § 40.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part. Appendix A [Redesignated as Appendix B] 5. Redesignate Appendix A to part 40 as Appendix B to part 40. ■ 6. Add new Appendix A to part 40 to read as follows: ■ Appendix A to Part 40—Model Privacy Form A. The Model Privacy Form BILLING CODE 6750–01–P 12.5%, 6351–01–P 12.5%, 6720–01–P 12.5%, 6714–01–P 12.5%, 4810–33–P 12.5%, 6210–01–P 12.5%, 8011–01–P 12.5%, 7535–01–P 12.5% E:\FR\FM\01DER2.SGM 01DER2 VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00029 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 62917 ER01DE09.000</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations VerDate Nov<24>2008 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00030 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 ER01DE09.001</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 62918 VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00031 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 62919 ER01DE09.002</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations VerDate Nov<24>2008 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00032 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 ER01DE09.003</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 62920 VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00033 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 62921 ER01DE09.004</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations VerDate Nov<24>2008 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00034 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 ER01DE09.005</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 62922 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations B. General Instructions 1. How the Model Privacy Form Is Used (a) The model form may be used, at the option of a financial institution, including a group of financial institutions that use a common privacy notice, to meet the content requirements of the privacy notice and optout notice set forth in §§ 40.6 and 40.7 of this part. (b) The model form is a standardized form, including page layout, content, format, style, pagination, and shading. Institutions seeking to obtain the safe harbor through use of the model form may modify it only as described in these Instructions. (c) Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681– 1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties. (d) The word ‘‘customer’’ may be replaced by the word ‘‘member’’ whenever it appears in the model form, as appropriate. 2. The Contents of the Model Privacy Form The model form consists of two pages, which may be printed on both sides of a single sheet of paper, or may appear on two separate pages. Where an institution provides a long list of institutions at the end of the model form in accordance with Instruction C.3(a)(1), or provides additional information in accordance with Instruction C.3(c), and such list or additional information exceeds the space available on page two of the model form, such list or additional information may extend to a third page. (a) Page One. The first page consists of the following components: (1) Date last revised (upper right-hand corner). VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 (2) Title. (3) Key frame (Why?, What?, How?). (4) Disclosure table (‘‘Reasons we can share your personal information’’). (5) ‘‘To limit our sharing’’ box, as needed, for the financial institution’s opt-out information. (6) ‘‘Questions’’ box, for customer service contact information. (7) Mail-in opt-out form, as needed. (b) Page Two. The second page consists of the following components: (1) Heading (Page 2). (2) Frequently Asked Questions (‘‘Who we are’’ and ‘‘What we do’’). (3) Definitions. (4) ‘‘Other important information’’ box, as needed. 3. The Format of the Model Privacy Form The format of the model form may be modified only as described below. (a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. While a number of factors together produce easily readable type font, institutions are required to use a minimum of 10-point font (unless otherwise expressly permitted in these Instructions) and sufficient spacing between the lines of type. (b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page. (c) Page size and orientation. Each page of the model form must be printed on paper in portrait orientation, the size of which must be sufficient to meet the layout and minimum font size requirements, with sufficient white space on the top, bottom, and sides of the content. (d) Color. The model form must be printed on white or light color paper (such as cream) with black or other contrasting ink color. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract PO 00000 Frm 00035 Fmt 4701 Sfmt 4700 from the readability of the model form. Logos may also be printed in color. (e) Languages. The model form may be translated into languages other than English. C. Information Required in the Model Privacy Form The information in the model form may be modified only as described below: 1. Name of the Institution or Group of Affiliated Institutions Providing the Notice Insert the name of the financial institution providing the notice or a common identity of affiliated institutions jointly providing the notice on the form wherever [name of financial institution] appears. 2. Page One (a) Last revised date. The financial institution must insert in the upper righthand corner the date on which the notice was last revised. The information shall appear in minimum 8-point font as ‘‘rev. [month/year]’’ using either the name or number of the month, such as ‘‘rev. July 2009’’ or ‘‘rev. 7/ 09’’. (b) General instructions for the ‘‘What?’’ box. (1) The bulleted list identifies the types of personal information that the institution collects and shares. All institutions must use the term ‘‘Social Security number’’ in the first bullet. (2) Institutions must use five (5) of the following terms to complete the bulleted list: income; account balances; payment history; transaction history; transaction or loss history; credit history; credit scores; assets; investment experience; credit-based insurance scores; insurance claim history; medical information; overdraft history; purchase history; account transactions; risk tolerance; medical-related debts; credit card or other debt; mortgage rates and payments; retirement assets; checking account information; employment information; wire transfer instructions. (c) General instructions for the disclosure table. The left column lists reasons for E:\FR\FM\01DER2.SGM 01DER2 ER01DE09.006</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 BILLING CODE 6750–01–P 12.5%, 6351–01–C 12.5%, 6720–01–C 12.5%, 6714–01–C 12.5%, 4810–33–C 12.5%, 6210–01–C 12.5%, 8011–01–C 12.5%, 7535–01–C 12.5% 62923 mstockstill on DSKH9S0YB1PROD with RULES2 62924 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations sharing or using personal information. Each reason correlates to a specific legal provision described in paragraph C.2(d) of this Instruction. In the middle column, each institution must provide a ‘‘Yes’’ or ‘‘No’’ response that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. In the right column, each institution must provide in each box one of the following three (3) responses, as applicable, that reflects whether a consumer can limit such sharing: ‘‘Yes’’ if it is required to or voluntarily provides an opt-out; ‘‘No’’ if it does not provide an opt-out; or ‘‘We don’t share’’ if it answers ‘‘No’’ in the middle column. Only the sixth row (‘‘For our affiliates to market to you’’) may be omitted at the option of the institution. See paragraph C.2(d)(6) of this Instruction. (d) Specific disclosures and corresponding legal provisions. (1) For our everyday business purposes. This reason incorporates sharing information under §§ 40.14 and 40.15 and with service providers pursuant to § 40.13 of this part other than the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these Instructions. (2) For our marketing purposes. This reason incorporates sharing information with service providers by an institution for its own marketing pursuant to § 40.13 of this part. An institution that shares for this reason may choose to provide an opt-out. (3) For joint marketing with other financial companies. This reason incorporates sharing information under joint marketing agreements between two or more financial institutions and with any service provider used in connection with such agreements pursuant to § 40.13 of this part. An institution that shares for this reason may choose to provide an opt-out. (4) For our affiliates’ everyday business purposes—information about transactions and experiences. This reason incorporates sharing information specified in sections 603(d)(2)(A)(i) and (ii) of the FCRA. An institution that shares for this reason may choose to provide an opt-out. (5) For our affiliates’ everyday business purposes—information about creditworthiness. This reason incorporates sharing information pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution that shares for this reason must provide an opt-out. (6) For our affiliates to market to you. This reason incorporates sharing information specified in section 624 of the FCRA. This reason may be omitted from the disclosure table when: the institution does not have affiliates (or does not disclose personal information to its affiliates); the institution’s affiliates do not use personal information in a manner that requires an opt-out; or the institution provides the affiliate marketing notice separately. Institutions that include this reason must provide an opt-out of indefinite duration. An institution that is required to provide an affiliate marketing opt-out, but does not include that opt-out in the model form under this part, must comply with section 624 of the FCRA and 12 CFR part 41, subpart C, with respect to the initial VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 notice and opt-out and any subsequent renewal notice and opt-out. An institution not required to provide an opt-out under this subparagraph may elect to include this reason in the model form. (7) For nonaffiliates to market to you. This reason incorporates sharing described in §§ 40.7 and 40.10(a) of this part. An institution that shares personal information for this reason must provide an opt-out. (e) To limit our sharing: A financial institution must include this section of the model form only if it provides an opt-out. The word ‘‘choice’’ may be written in either the singular or plural, as appropriate. Institutions must select one or more of the applicable opt-out methods described: telephone, such as by a toll-free number; a Web site; or use of a mail-in opt-out form. Institutions may include the words ‘‘tollfree’’ before telephone, as appropriate. An institution that allows consumers to opt out online must provide either a specific Web address that takes consumers directly to the opt-out page or a general Web address that provides a clear and conspicuous direct link to the opt-out page. The opt-out choices made available to the consumer who contacts the institution through these methods must correspond accurately to the ‘‘Yes’’ responses in the third column of the disclosure table. In the part titled ‘‘Please note’’ institutions may insert a number that is 30 or greater in the space marked ‘‘[30].’’ Instructions on voluntary or state privacy law opt-out information are in paragraph C.2(g)(5) of these Instructions. (f) Questions box. Customer service contact information must be inserted as appropriate, where [phone number] or [Web site] appear. Institutions may elect to provide either a phone number, such as a toll-free number, or a Web address, or both. Institutions may include the words ‘‘toll-free’’ before the telephone number, as appropriate. (g) Mail-in opt-out form. Financial institutions must include this mail-in form only if they state in the ‘‘To limit our sharing’’ box that consumers can opt out by mail. The mail-in form must provide opt-out options that correspond accurately to the ‘‘Yes’’ responses in the third column in the disclosure table. Institutions that require customers to provide only name and address may omit the section identified as ‘‘[account #].’’ Institutions that require additional or different information, such as a random optout number or a truncated account number, to implement an opt-out election should modify the ‘‘[account #]’’ reference accordingly. This includes institutions that require customers with multiple accounts to identify each account to which the opt-out should apply. An institution must enter its opt-out mailing address: In the far right of this form (see version 3); or below the form (see version 4). The reverse side of the mailin opt-out form must not include any content of the model form. (1) Joint accountholder. Only institutions that provide their joint accountholders the choice to opt out for only one accountholder, in accordance with paragraph C.3(a)(5) of these Instructions, must include in the far left column of the mail-in form the following statement: ‘‘If you have a joint account, your PO 00000 Frm 00036 Fmt 4701 Sfmt 4700 choice(s) will apply to everyone on your account unless you mark below. b Apply my choice(s) only to me.’’ The word ‘‘choice’’ may be written in either the singular or plural, as appropriate. Financial institutions that provide insurance products or services, provide this option, and elect to use the model form may substitute the word ‘‘policy’’ for ‘‘account’’ in this statement. Institutions that do not provide this option may eliminate this left column from the mail-in form. (2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution shares personal information pursuant to section 603(d)(2)(A)(iii) of the FCRA, it must include in the mail-in opt-out form the following statement: ‘‘b Do not share information about my creditworthiness with your affiliates for their everyday business purposes.’’ (3) FCRA Section 624 opt-out. If the institution incorporates section 624 of the FCRA in accord with paragraph C.2(d)(6) of these Instructions, it must include in the mail-in opt-out form the following statement: ‘‘b Do not allow your affiliates to use my personal information to market to me.’’ (4) Nonaffiliate opt-out. If the financial institution shares personal information pursuant to § 40.10(a) of this part, it must include in the mail-in opt-out form the following statement: ‘‘b Do not share my personal information with nonaffiliates to market their products and services to me.’’ (5) Additional opt-outs. Financial institutions that use the disclosure table to provide opt-out options beyond those required by Federal law must provide those opt-outs in this section of the model form. A financial institution that chooses to offer an opt-out for its own marketing in the mail-in opt-out form must include one of the two following statements: ‘‘b Do not share my personal information to market to me.’’ or ‘‘b Do not use my personal information to market to me.’’ A financial institution that chooses to offer an opt-out for joint marketing must include the following statement: ‘‘b Do not share my personal information with other financial institutions to jointly market to me.’’ (h) Barcodes. A financial institution may elect to include a barcode and/or ‘‘tagline’’ (an internal identifier) in 6-point font at the bottom of page one, as needed for information internal to the institution, so long as these do not interfere with the clarity or text of the form. 3. Page Two (a) General Instructions for the Questions. Certain of the Questions may be customized as follows: (1) ‘‘Who is providing this notice?’’ This question may be omitted where only one financial institution provides the model form and that institution is clearly identified in the title on page one. Two or more financial institutions that jointly provide the model form must use this question to identify themselves as required by § 40.9(f) of this part. Where the list of institutions exceeds four (4) lines, the institution must describe in the response to this question the general types of institutions jointly providing the notice and must separately identify those institutions, in minimum 8-point font, directly following the ‘‘Other important E:\FR\FM\01DER2.SGM 01DER2 mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations information’’ box, or, if that box is not included in the institution’s form, directly following the ‘‘Definitions.’’ The list may appear in a multi-column format. (2) ‘‘How does [name of financial institution] protect my personal information?’’ The financial institution may only provide additional information pertaining to its safeguards practices following the designated response to this question. Such information may include information about the institution’s use of cookies or other measures it uses to safeguard personal information. Institutions are limited to a maximum of 30 additional words. (3) ‘‘How does [name of financial institution] collect my personal information?’’ Institutions must use five (5) of the following terms to complete the bulleted list for this question: Open an account; deposit money; pay your bills; apply for a loan; use your credit or debit card; seek financial or tax advice; apply for insurance; pay insurance premiums; file an insurance claim; seek advice about your investments; buy securities from us; sell securities to us; direct us to buy securities; direct us to sell your securities; make deposits or withdrawals from your account; enter into an investment advisory contract; give us your income information; provide employment information; give us your employment history; tell us about your investment or retirement portfolio; tell us about your investment or retirement earnings; apply for financing; apply for a lease; provide account information; give us your contact information; pay us by check; give us your wage statements; provide your mortgage information; make a wire transfer; tell us who receives the money; tell us where to send the money; show your government-issued ID; show your driver’s license; order a commodity futures or option trade. Institutions that collect personal information from their affiliates and/or credit bureaus must include after the bulleted list the following statement: ‘‘We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.’’ Institutions that do not collect personal information from their affiliates or credit bureaus but do collect information from other companies must include the following statement instead: ‘‘We also collect your personal information from other companies.’’ Only institutions that do not collect any personal information from affiliates, credit bureaus, or other companies can omit both statements. (4) ‘‘Why can’t I limit all sharing?’’ Institutions that describe state privacy law provisions in the ‘‘Other important information’’ box must use the bracketed sentence: ‘‘See below for more on your rights under state law.’’ Other institutions must omit this sentence. (5) ‘‘What happens when I limit sharing for an account I hold jointly with someone else?’’ Only financial institutions that provide optout options must use this question. Other institutions must omit this question. Institutions must choose one of the following two statements to respond to this question: ‘‘Your choices will apply to everyone on your account.’’ or ‘‘Your choices will apply to VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 everyone on your account—unless you tell us otherwise.’’ Financial institutions that provide insurance products or services and elect to use the model form may substitute the word ‘‘policy’’ for ‘‘account’’ in these statements. (b) General Instructions for the Definitions. The financial institution must customize the space below the responses to the three definitions in this section. This specific information must be in italicized lettering to set off the information from the standardized definitions. (1) Affiliates. As required by § 40.6(a)(3) of this part, where [affiliate information] appears, the financial institution must: (i) If it has no affiliates, state: ‘‘[name of financial institution] has no affiliates;’’ (ii) If it has affiliates but does not share personal information, state: ‘‘[name of financial institution] does not share with our affiliates;’’ or (iii) If it shares with its affiliates, state, as applicable: ‘‘Our affiliates include companies with a [common corporate identity of financial institution] name; financial companies such as [insert illustrative list of companies;] nonfinancial companies, such as [insert illustrative list of companies]; and others, such as [insert illustrative list].’’ (2) Nonaffiliates. As required by § 40.6(c)(3) of this part, where [nonaffiliate information] appears, the financial institution must: (i) If it does not share with nonaffiliated third parties, state: ‘‘[name of financial institution] does not share with nonaffiliates so they can market to you’’; or (ii) If it shares with nonaffiliated third parties, state, as applicable: ‘‘Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].’’ (3) Joint Marketing. As required by § 40.13 of this part, where [joint marketing] appears, the financial institution must: (i) If it does not engage in joint marketing, state: ‘‘[name of financial institution] doesn’t jointly market’’; or (ii) If it shares personal information for joint marketing, state, as applicable: ‘‘Our joint marketing partners include [list categories of companies such as credit card companies].’’ (c) General instructions for the ‘‘Other important information’’ box. This box is optional. The space provided for information in this box is not limited. Only the following types of information can appear in this box. (1) State and/or international privacy law information; and/or (2) Acknowledgment of receipt form. 7. Amend newly redesignated Appendix B to part 40 as follows: ■ A. Add a new sentence to the beginning of the introductory text as set forth below. ■ B. Effective January 1, 2012, remove Appendix B to part 40. ■ PO 00000 Frm 00037 Fmt 4701 Sfmt 4700 62925 Appendix B to Part 40—Sample Clauses This Appendix only applies to privacy notices provided before January 1, 2011. * * * * * * * * Federal Reserve System 12 CFR Chapter II Authority and Issuance For the reasons set forth in the joint preamble, the Board amends part 216 of chapter II of title 12 of the Code of Federal Regulations as follows: ■ PART 216—PRIVACY OF CONSUMER FINANCIAL INFORMATION 8. The authority citation for part 216 continues to read as follows: ■ Authority: 15 U.S.C. 6801 et seq. ■ 9. Revise § 216.2 to read as follows: § 216.2 Model privacy form and examples. (a) Model privacy form. Use of the model privacy form in Appendix A of this part, consistent with the instructions in Appendix A, constitutes compliance with the notice content requirements of §§ 216.6 and 216.7 of this part, although use of the model privacy form is not required. (b) Examples. The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part. 10. In § 216.6: A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set forth below. ■ B. Effective January 1, 2012, remove paragraph (g). ■ ■ § 216.6 Information to be included in privacy notices. * * * * * (b) Description of nonaffiliated third parties subject to exceptions. If you disclose nonpublic personal information to third parties as authorized under §§ 216.14 and 216.15, you are not required to list those exceptions in the initial or annual privacy notices required by §§ 216.4 and 216.5. When describing the categories with respect to those parties, it is sufficient to state that you make disclosures to other nonaffiliated companies: (1) For your everyday business purposes, such as [include all that apply] to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus; or (2) As permitted by law. * * * * * (f) Model privacy form. Pursuant to § 216.2(a) of this part, a model privacy E:\FR\FM\01DER2.SGM 01DER2 62926 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations form that meets the notice content requirements of this section is included in Appendix A of this part. (g) Sample clauses. Sample clauses illustrating some of the notice content required by this section are included in Appendix B of this part. Use of a sample clause in a privacy notice provided on or before December 31, 2010, to the extent applicable, constitutes compliance with this part. 11. In § 216.7, add paragraph (i) to read as follows: mstockstill on DSKH9S0YB1PROD with RULES2 ■ VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 § 216.7 Form of opt-out notice to consumers; opt-out methods. * * * * * (i) Model privacy form. Pursuant to § 216.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part. Appendix A [Redesignated as Appendix B] 13. Add new Appendix A to part 216 to read as follows: ■ Appendix A to Part 216—Model Privacy Form A. The Model Privacy Form BILLING CODE 6750–01–P 12.5%, 6351–01–P 12.5%, 6720–01–P 12.5%, 6714–01–P 12.5%, 4810–33–P 12.5%, 6210–01–P 12.5%, 8011–01–P 12.5%, 7535–01–P 12.5% 12. Redesignate Appendix A to part 216 as Appendix B to part 216. ■ PO 00000 Frm 00038 Fmt 4701 Sfmt 4700 E:\FR\FM\01DER2.SGM 01DER2 VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00039 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 62927 ER01DE09.007</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations VerDate Nov<24>2008 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00040 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 ER01DE09.008</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 62928 VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00041 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 62929 ER01DE09.009</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations VerDate Nov<24>2008 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00042 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 ER01DE09.010</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 62930 VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00043 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 62931 ER01DE09.011</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations VerDate Nov<24>2008 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00044 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 ER01DE09.012</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 62932 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations B. General Instructions 1. How the Model Privacy Form Is Used (a) The model form may be used, at the option of a financial institution, including a group of financial institutions that use a common privacy notice, to meet the content requirements of the privacy notice and optout notice set forth in §§ 216.6 and 216.7 of this part. (b) The model form is a standardized form, including page layout, content, format, style, pagination, and shading. Institutions seeking to obtain the safe harbor through use of the model form may modify it only as described in these Instructions. (c) Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681– 1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties. (d) The word ‘‘customer’’ may be replaced by the word ‘‘member’’ whenever it appears in the model form, as appropriate. 2. The Contents of the Model Privacy Form The model form consists of two pages, which may be printed on both sides of a single sheet of paper, or may appear on two separate pages. Where an institution provides a long list of institutions at the end of the model form in accordance with Instruction C.3(a)(1), or provides additional information in accordance with Instruction C.3(c), and such list or additional information exceeds the space available on page two of the model form, such list or additional information may extend to a third page. (a) Page One. The first page consists of the following components: (1) Date last revised (upper right-hand corner). VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 (2) Title. (3) Key frame (Why?, What?, How?). (4) Disclosure table (‘‘Reasons we can share your personal information’’). (5) ‘‘To limit our sharing’’ box, as needed, for the financial institution’s opt-out information. (6) ‘‘Questions’’ box, for customer service contact information. (7) Mail-in opt-out form, as needed. (b) Page Two. The second page consists of the following components: (1) Heading (Page 2). (2) Frequently Asked Questions (‘‘Who we are’’ and ‘‘What we do’’). (3) Definitions. (4) ‘‘Other important information’’ box, as needed. 3. The Format of the Model Privacy Form The format of the model form may be modified only as described below. (a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. While a number of factors together produce easily readable type font, institutions are required to use a minimum of 10-point font (unless otherwise expressly permitted in these Instructions) and sufficient spacing between the lines of type. (b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page. (c) Page size and orientation. Each page of the model form must be printed on paper in portrait orientation, the size of which must be sufficient to meet the layout and minimum font size requirements, with sufficient white space on the top, bottom, and sides of the content. (d) Color. The model form must be printed on white or light color paper (such as cream) with black or other contrasting ink color. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract PO 00000 Frm 00045 Fmt 4701 Sfmt 4700 from the readability of the model form. Logos may also be printed in color. (e) Languages. The model form may be translated into languages other than English. C. Information Required in the Model Privacy Form The information in the model form may be modified only as described below: 1. Name of the Institution or Group of Affiliated Institutions Providing the Notice Insert the name of the financial institution providing the notice or a common identity of affiliated institutions jointly providing the notice on the form wherever [name of financial institution] appears. 2. Page One (a) Last revised date. The financial institution must insert in the upper righthand corner the date on which the notice was last revised. The information shall appear in minimum 8-point font as ‘‘rev. [month/year]’’ using either the name or number of the month, such as ‘‘rev. July 2009’’ or ‘‘rev. 7/ 09’’. (b) General instructions for the ‘‘What?’’ box. (1) The bulleted list identifies the types of personal information that the institution collects and shares. All institutions must use the term ‘‘Social Security number’’ in the first bullet. (2) Institutions must use five (5) of the following terms to complete the bulleted list: income; account balances; payment history; transaction history; transaction or loss history; credit history; credit scores; assets; investment experience; credit-based insurance scores; insurance claim history; medical information; overdraft history; purchase history; account transactions; risk tolerance; medical-related debts; credit card or other debt; mortgage rates and payments; retirement assets; checking account information; employment information; wire transfer instructions. (c) General instructions for the disclosure table. The left column lists reasons for E:\FR\FM\01DER2.SGM 01DER2 ER01DE09.013</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 BILLING CODE 6750–01–C 12.5%, 6351–01–C 12.5%, 6720–01–C 12.5%, 6714–01–C 12.5%, 4810–33–C 12.5%, 6210–01–C 12.5%, 8011–01–C 12.5%, 7535–01–C 12.5% 62933 mstockstill on DSKH9S0YB1PROD with RULES2 62934 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations sharing or using personal information. Each reason correlates to a specific legal provision described in paragraph C.2(d) of this Instruction. In the middle column, each institution must provide a ‘‘Yes’’ or ‘‘No’’ response that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. In the right column, each institution must provide in each box one of the following three (3) responses, as applicable, that reflects whether a consumer can limit such sharing: ‘‘Yes’’ if it is required to or voluntarily provides an opt-out; ‘‘No’’ if it does not provide an opt-out; or ‘‘We don’t share’’ if it answers ‘‘No’’ in the middle column. Only the sixth row (‘‘For our affiliates to market to you’’) may be omitted at the option of the institution. See paragraph C.2(d)(6) of this Instruction. (d) Specific disclosures and corresponding legal provisions. (1) For our everyday business purposes. This reason incorporates sharing information under §§ 216.14 and 216.15 and with service providers pursuant to § 216.13 of this part other than the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these Instructions. (2) For our marketing purposes. This reason incorporates sharing information with service providers by an institution for its own marketing pursuant to § 216.13 of this part. An institution that shares for this reason may choose to provide an opt-out. (3) For joint marketing with other financial companies. This reason incorporates sharing information under joint marketing agreements between two or more financial institutions and with any service provider used in connection with such agreements pursuant to § 216.13 of this part. An institution that shares for this reason may choose to provide an opt-out. (4) For our affiliates’ everyday business purposes—information about transactions and experiences. This reason incorporates sharing information specified in sections 603(d)(2)(A)(i) and (ii) of the FCRA. An institution that shares for this reason may choose to provide an opt-out. (5) For our affiliates’ everyday business purposes—information about creditworthiness. This reason incorporates sharing information pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution that shares for this reason must provide an opt-out. (6) For our affiliates to market to you. This reason incorporates sharing information specified in section 624 of the FCRA. This reason may be omitted from the disclosure table when: the institution does not have affiliates (or does not disclose personal information to its affiliates); the institution’s affiliates do not use personal information in a manner that requires an opt-out; or the institution provides the affiliate marketing notice separately. Institutions that include this reason must provide an opt-out of indefinite duration. An institution that is required to provide an affiliate marketing opt-out, but does not include that opt-out in the model form under this part, must comply with section 624 of the FCRA and 12 CFR part 222, subpart C, with respect to the initial VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 notice and opt-out and any subsequent renewal notice and opt-out. An institution not required to provide an opt-out under this subparagraph may elect to include this reason in the model form. (7) For nonaffiliates to market to you. This reason incorporates sharing described in §§ 216.7 and 216.10(a) of this part. An institution that shares personal information for this reason must provide an opt-out. (e) To limit our sharing: A financial institution must include this section of the model form only if it provides an opt-out. The word ‘‘choice’’ may be written in either the singular or plural, as appropriate. Institutions must select one or more of the applicable opt-out methods described: telephone, such as by a toll-free number; a Website; or use of a mail-in opt-out form. Institutions may include the words ‘‘tollfree’’ before telephone, as appropriate. An institution that allows consumers to opt out online must provide either a specific Web address that takes consumers directly to the opt-out page or a general Web address that provides a clear and conspicuous direct link to the opt-out page. The opt-out choices made available to the consumer who contacts the institution through these methods must correspond accurately to the ‘‘Yes’’ responses in the third column of the disclosure table. In the part titled ‘‘Please note’’ institutions may insert a number that is 30 or greater in the space marked ‘‘[30].’’ Instructions on voluntary or state privacy law opt-out information are in paragraph C.2(g)(5) of these Instructions. (f) Questions box. Customer service contact information must be inserted as appropriate, where [phone number] or [website] appear. Institutions may elect to provide either a phone number, such as a toll-free number, or a Web address, or both. Institutions may include the words ‘‘toll-free’’ before the telephone number, as appropriate. (g) Mail-in opt-out form. Financial institutions must include this mail-in form only if they state in the ‘‘To limit our sharing’’ box that consumers can opt out by mail. The mail-in form must provide opt-out options that correspond accurately to the ‘‘Yes’’ responses in the third column in the disclosure table. Institutions that require customers to provide only name and address may omit the section identified as ‘‘[account #].’’ Institutions that require additional or different information, such as a random optout number or a truncated account number, to implement an opt-out election should modify the ‘‘[account #]’’ reference accordingly. This includes institutions that require customers with multiple accounts to identify each account to which the opt-out should apply. An institution must enter its opt-out mailing address: In the far right of this form (see version 3); or below the form (see version 4). The reverse side of the mailin opt-out form must not include any content of the model form. (1) Joint accountholder. Only institutions that provide their joint accountholders the choice to opt out for only one accountholder, in accordance with paragraph C.3(a)(5) of these Instructions, must include in the far left column of the mail-in form the following statement: ‘‘If you have a joint account, your PO 00000 Frm 00046 Fmt 4701 Sfmt 4700 choice(s) will apply to everyone on your account unless you mark below. b Apply my choice(s) only to me.’’ The word ‘‘choice’’ may be written in either the singular or plural, as appropriate. Financial institutions that provide insurance products or services, provide this option, and elect to use the model form may substitute the word ‘‘policy’’ for ‘‘account’’ in this statement. Institutions that do not provide this option may eliminate this left column from the mail-in form. (2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution shares personal information pursuant to section 603(d)(2)(A)(iii) of the FCRA, it must include in the mail-in opt-out form the following statement: ‘‘b Do not share information about my creditworthiness with your affiliates for their everyday business purposes.’’ (3) FCRA Section 624 opt-out. If the institution incorporates section 624 of the FCRA in accord with paragraph C.2(d)(6) of these Instructions, it must include in the mail-in opt-out form the following statement: ‘‘b Do not allow your affiliates to use my personal information to market to me.’’ (4) Nonaffiliate opt-out. If the financial institution shares personal information pursuant to § 216.10(a) of this part, it must include in the mail-in opt-out form the following statement: ‘‘b Do not share my personal information with nonaffiliates to market their products and services to me.’’ (5) Additional opt-outs. Financial institutions that use the disclosure table to provide opt-out options beyond those required by Federal law must provide those opt-outs in this section of the model form. A financial institution that chooses to offer an opt-out for its own marketing in the mail-in opt-out form must include one of the two following statements: ‘‘b Do not share my personal information to market to me.’’ or ‘‘b Do not use my personal information to market to me.’’ A financial institution that chooses to offer an opt-out for joint marketing must include the following statement: ‘‘b Do not share my personal information with other financial institutions to jointly market to me.’’ (h) Barcodes. A financial institution may elect to include a barcode and/or ‘‘tagline’’ (an internal identifier) in 6-point font at the bottom of page one, as needed for information internal to the institution, so long as these do not interfere with the clarity or text of the form. 3. Page Two (a) General Instructions for the Questions. Certain of the Questions may be customized as follows: (1) ‘‘Who is providing this notice?’’ This question may be omitted where only one financial institution provides the model form and that institution is clearly identified in the title on page one. Two or more financial institutions that jointly provide the model form must use this question to identify themselves as required by § 216.9(f) of this part. Where the list of institutions exceeds four (4) lines, the institution must describe in the response to this question the general types of institutions jointly providing the notice and must separately identify those institutions, in minimum 8-point font, directly following the ‘‘Other important E:\FR\FM\01DER2.SGM 01DER2 mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations information’’ box, or, if that box is not included in the institution’s form, directly following the ‘‘Definitions.’’ The list may appear in a multi-column format. (2) ‘‘How does [name of financial institution] protect my personal information?’’ The financial institution may only provide additional information pertaining to its safeguards practices following the designated response to this question. Such information may include information about the institution’s use of cookies or other measures it uses to safeguard personal information. Institutions are limited to a maximum of 30 additional words. (3) ‘‘How does [name of financial institution] collect my personal information?’’ Institutions must use five (5) of the following terms to complete the bulleted list for this question: Open an account; deposit money; pay your bills; apply for a loan; use your credit or debit card; seek financial or tax advice; apply for insurance; pay insurance premiums; file an insurance claim; seek advice about your investments; buy securities from us; sell securities to us; direct us to buy securities; direct us to sell your securities; make deposits or withdrawals from your account; enter into an investment advisory contract; give us your income information; provide employment information; give us your employment history; tell us about your investment or retirement portfolio; tell us about your investment or retirement earnings; apply for financing; apply for a lease; provide account information; give us your contact information; pay us by check; give us your wage statements; provide your mortgage information; make a wire transfer; tell us who receives the money; tell us where to send the money; show your government-issued ID; show your driver’s license; order a commodity futures or option trade. Institutions that collect personal information from their affiliates and/or credit bureaus must include after the bulleted list the following statement: ‘‘We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.’’ Institutions that do not collect personal information from their affiliates or credit bureaus but do collect information from other companies must include the following statement instead: ‘‘We also collect your personal information from other companies.’’ Only institutions that do not collect any personal information from affiliates, credit bureaus, or other companies can omit both statements. (4) ‘‘Why can’t I limit all sharing?’’ Institutions that describe state privacy law provisions in the ‘‘Other important information’’ box must use the bracketed sentence: ‘‘See below for more on your rights under state law.’’ Other institutions must omit this sentence. (5) ‘‘What happens when I limit sharing for an account I hold jointly with someone else?’’ Only financial institutions that provide optout options must use this question. Other institutions must omit this question. Institutions must choose one of the following two statements to respond to this question: ‘‘Your choices will apply to everyone on your VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 account.’’ or ‘‘Your choices will apply to everyone on your account—unless you tell us otherwise.’’ Financial institutions that provide insurance products or services and elect to use the model form may substitute the word ‘‘policy’’ for ‘‘account’’ in these statements. (b) General Instructions for the Definitions. The financial institution must customize the space below the responses to the three definitions in this section. This specific information must be in italicized lettering to set off the information from the standardized definitions. (1) Affiliates. As required by § 216.6(a)(3) of this part, where [affiliate information] appears, the financial institution must: (i) If it has no affiliates, state: ‘‘[name of financial institution] has no affiliates’’; (ii) If it has affiliates but does not share personal information, state: ‘‘[name of financial institution] does not share with our affiliates’’; or (iii) If it shares with its affiliates, state, as applicable: ‘‘Our affiliates include companies with a [common corporate identity of financial institution] name; financial companies such as [insert illustrative list of companies]; nonfinancial companies, such as [insert illustrative list of companies;] and others, such as [insert illustrative list].’’ (2) Nonaffiliates. As required by § 216.6(c)(3) of this part, where [nonaffiliate information] appears, the financial institution must: (i) If it does not share with nonaffiliated third parties, state: ‘‘[name of financial institution] does not share with nonaffiliates so they can market to you’’; or (ii) If it shares with nonaffiliated third parties, state, as applicable: ‘‘Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].’’ (3) Joint Marketing. As required by § 216.13 of this part, where [joint marketing] appears, the financial institution must: (i) If it does not engage in joint marketing, state: ‘‘[name of financial institution] doesn’t jointly market’’; or (ii) If it shares personal information for joint marketing, state, as applicable: ‘‘Our joint marketing partners include [list categories of companies such as credit card companies].’’ (c) General instructions for the ‘‘Other important information’’ box. This box is optional. The space provided for information in this box is not limited. Only the following types of information can appear in this box. (1) State and/or international privacy law information; and/or (2) Acknowledgment of receipt form. 14. Amend newly redesignated Appendix B to part 216 as follows: ■ A. Add a new sentence to the beginning of the introductory text as set forth below. ■ B. Effective January 1, 2012, remove Appendix B to part 216. ■ PO 00000 Frm 00047 Fmt 4701 Sfmt 4700 62935 Appendix B to Part 216—Sample Clauses This Appendix only applies to privacy notices provided before January 1, 2011. * * * * * * * * Federal Deposit Insurance Corporation 12 CFR Chapter III Authority and Issuance For the reasons set forth in the joint preamble, part 332 of chapter III of title 12 of the Code of Federal Regulations is amended as follows: ■ PART 332—PRIVACY OF CONSUMER FINANCIAL INFORMATION 15. The authority citation for part 332 continues to read as follows: ■ Authority: 12 U.S.C. 1819 (Seventh and Tenth); 15 U.S.C. 6801 et seq. ■ 16. Revise § 332.2 to read as follows: § 332.2 Model privacy form and examples. (a) Model privacy form. Use of the model privacy form in Appendix A of this part, consistent with the instructions in Appendix A, constitutes compliance with the notice content requirements of §§ 332.6 and 332.7 of this part, although use of the model privacy form is not required. (b) Examples. The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part. 17. In § 332.6: A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set forth below. ■ B. Effective January 1, 2012, remove paragraph (g). ■ ■ § 332.6 Information to be included in privacy notices. * * * * * (b) Description of nonaffiliated third parties subject to exceptions. If you disclose nonpublic personal information to third parties as authorized under §§ 332.14 and 332.15, you are not required to list those exceptions in the initial or annual privacy notices required by §§ 332.4 and 332.5. When describing the categories with respect to those parties, it is sufficient to state that you make disclosures to other nonaffiliated companies: (1) For your everyday business purposes, such as [include all that apply] to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus; or (2) As permitted by law. * * * * * E:\FR\FM\01DER2.SGM 01DER2 62936 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations mstockstill on DSKH9S0YB1PROD with RULES2 (f) Model privacy form. Pursuant to § 332.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part. (g) Sample clauses. Sample clauses illustrating some of the notice content required by this section are included in Appendix B of this part. Use of a sample clause in a privacy notice provided on or before December 31, 2010, to the extent applicable, constitutes compliance with this part. VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 ■ 18. In § 332.7, add paragraph (i) to read as follows: Appendix A [Redesignated as Appendix B] § 332.7 Form of opt-out notice to consumers; opt-out methods. ■ * * * * * (i) Model privacy form. Pursuant to § 332.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part. PO 00000 Frm 00048 Fmt 4701 Sfmt 4700 19. Redesignate Appendix A to part 332 as Appendix B to part 332. ■ 20. Add new Appendix A to part 332 to read as follows: Appendix A to Part 332—Model Privacy Form A. The Model Privacy Form BILLING CODE 6750–01–P 12.5%, 6351–01–P 12.5%, 6720–01–P 12.5%, 6714–01–P 12.5%, 4810–33–P 12.5%, 6210–01–P 12.5%, 8011–01–P 12.5%, 7535–01–P 12.5% E:\FR\FM\01DER2.SGM 01DER2 VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00049 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 62937 ER01DE09.014</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations VerDate Nov<24>2008 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00050 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 ER01DE09.015</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 62938 VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00051 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 62939 ER01DE09.016</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations VerDate Nov<24>2008 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00052 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 ER01DE09.017</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 62940 VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00053 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 62941 ER01DE09.018</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations VerDate Nov<24>2008 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00054 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 ER01DE09.019</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 62942 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations B. General Instructions 1. How the Model Privacy Form Is Used (a) The model form may be used, at the option of a financial institution, including a group of financial institutions that use a common privacy notice, to meet the content requirements of the privacy notice and optout notice set forth in §§ 332.6 and 332.7 of this part. (b) The model form is a standardized form, including page layout, content, format, style, pagination, and shading. Institutions seeking to obtain the safe harbor through use of the model form may modify it only as described in these Instructions. (c) Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681– 1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties. (d) The word ‘‘customer’’ may be replaced by the word ‘‘member’’ whenever it appears in the model form, as appropriate. 2. The Contents of the Model Privacy Form The model form consists of two pages, which may be printed on both sides of a single sheet of paper, or may appear on two separate pages. Where an institution provides a long list of institutions at the end of the model form in accordance with Instruction C.3(a)(1), or provides additional information in accordance with Instruction C.3(c), and such list or additional information exceeds the space available on page two of the model form, such list or additional information may extend to a third page. (a) Page One. The first page consists of the following components: (1) Date last revised (upper right-hand corner). VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 (2) Title. (3) Key frame (Why?, What?, How?). (4) Disclosure table (‘‘Reasons we can share your personal information’’). (5) ‘‘To limit our sharing’’ box, as needed, for the financial institution’s opt-out information. (6) ‘‘Questions’’ box, for customer service contact information. (7) Mail-in opt-out form, as needed. (b) Page Two. The second page consists of the following components: (1) Heading (Page 2). (2) Frequently Asked Questions (‘‘Who we are’’ and ‘‘What we do’’). (3) Definitions. (4) ‘‘Other important information’’ box, as needed. 3. The Format of the Model Privacy Form The format of the model form may be modified only as described below. (a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. While a number of factors together produce easily readable type font, institutions are required to use a minimum of 10-point font (unless otherwise expressly permitted in these Instructions) and sufficient spacing between the lines of type. (b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page. (c) Page size and orientation. Each page of the model form must be printed on paper in portrait orientation, the size of which must be sufficient to meet the layout and minimum font size requirements, with sufficient white space on the top, bottom, and sides of the content. (d) Color. The model form must be printed on white or light color paper (such as cream) with black or other contrasting ink color. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract PO 00000 Frm 00055 Fmt 4701 Sfmt 4700 from the readability of the model form. Logos may also be printed in color. (e) Languages. The model form may be translated into languages other than English. C. Information Required in the Model Privacy Form The information in the model form may be modified only as described below: 1. Name of the Institution or Group of Affiliated Institutions Providing the Notice Insert the name of the financial institution providing the notice or a common identity of affiliated institutions jointly providing the notice on the form wherever [name of financial institution] appears. 2. Page One (a) Last revised date. The financial institution must insert in the upper righthand corner the date on which the notice was last revised. The information shall appear in minimum 8-point font as ‘‘rev. [month/year]’’ using either the name or number of the month, such as ‘‘rev. July 2009’’ or ‘‘rev. 7/ 09’’. (b) General instructions for the ‘‘What?’’ box. (1) The bulleted list identifies the types of personal information that the institution collects and shares. All institutions must use the term ‘‘Social Security number’’ in the first bullet. (2) Institutions must use five (5) of the following terms to complete the bulleted list: income; account balances; payment history; transaction history; transaction or loss history; credit history; credit scores; assets; investment experience; credit-based insurance scores; insurance claim history; medical information; overdraft history; purchase history; account transactions; risk tolerance; medical-related debts; credit card or other debt; mortgage rates and payments; retirement assets; checking account information; employment information; wire transfer instructions. (c) General instructions for the disclosure table. The left column lists reasons for E:\FR\FM\01DER2.SGM 01DER2 ER01DE09.020</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 BILLING CODE 6750–01–C 12.5%, 6351–01–C 12.5%, 6720–01–C 12.5%, 6714–01–C 12.5%, 4810–01–C 12.5%, 6210–01–C 12.5%, 8011–01–C 12.5%, 7535–01–C 12.5% 62943 mstockstill on DSKH9S0YB1PROD with RULES2 62944 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations sharing or using personal information. Each reason correlates to a specific legal provision described in paragraph C.2(d) of this Instruction. In the middle column, each institution must provide a ‘‘Yes’’ or ‘‘No’’ response that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. In the right column, each institution must provide in each box one of the following three (3) responses, as applicable, that reflects whether a consumer can limit such sharing: ‘‘Yes’’ if it is required to or voluntarily provides an opt-out; ‘‘No’’ if it does not provide an opt-out; or ‘‘We don’t share’’ if it answers ‘‘No’’ in the middle column. Only the sixth row (‘‘For our affiliates to market to you’’) may be omitted at the option of the institution. See paragraph C.2(d)(6) of this Instruction. (d) Specific disclosures and corresponding legal provisions. (1) For our everyday business purposes. This reason incorporates sharing information under §§ 332.14 and 332.15 and with service providers pursuant to § 332.13 of this part other than the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these Instructions. (2) For our marketing purposes. This reason incorporates sharing information with service providers by an institution for its own marketing pursuant to § 332.13 of this part. An institution that shares for this reason may choose to provide an opt-out. (3) For joint marketing with other financial companies. This reason incorporates sharing information under joint marketing agreements between two or more financial institutions and with any service provider used in connection with such agreements pursuant to § 332.13 of this part. An institution that shares for this reason may choose to provide an opt-out. (4) For our affiliates’ everyday business purposes—information about transactions and experiences. This reason incorporates sharing information specified in sections 603(d)(2)(A)(i) and (ii) of the FCRA. An institution that shares for this reason may choose to provide an opt-out. (5) For our affiliates’ everyday business purposes—information about creditworthiness. This reason incorporates sharing information pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution that shares for this reason must provide an opt-out. (6) For our affiliates to market to you. This reason incorporates sharing information specified in section 624 of the FCRA. This reason may be omitted from the disclosure table when: The institution does not have affiliates (or does not disclose personal information to its affiliates); the institution’s affiliates do not use personal information in a manner that requires an opt-out; or the institution provides the affiliate marketing notice separately. Institutions that include this reason must provide an opt-out of indefinite duration. An institution that is required to provide an affiliate marketing opt-out, but does not include that opt-out in the model form under this part, must comply with section 624 of the FCRA and 12 CFR part 334, subpart C, with respect to the initial VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 notice and opt-out and any subsequent renewal notice and opt-out. An institution not required to provide an opt-out under this subparagraph may elect to include this reason in the model form. (7) For nonaffiliates to market to you. This reason incorporates sharing described in §§ 332.7 and 332.10(a) of this part. An institution that shares personal information for this reason must provide an opt-out. (e) To limit our sharing: A financial institution must include this section of the model form only if it provides an opt-out. The word ‘‘choice’’ may be written in either the singular or plural, as appropriate. Institutions must select one or more of the applicable opt-out methods described: Telephone, such as by a toll-free number; a Web site; or use of a mail-in opt-out form. Institutions may include the words ‘‘tollfree’’ before telephone, as appropriate. An institution that allows consumers to opt out online must provide either a specific Web address that takes consumers directly to the opt-out page or a general Web address that provides a clear and conspicuous direct link to the opt-out page. The opt-out choices made available to the consumer who contacts the institution through these methods must correspond accurately to the ‘‘Yes’’ responses in the third column of the disclosure table. In the part titled ‘‘Please note’’ institutions may insert a number that is 30 or greater in the space marked ‘‘[30].’’ Instructions on voluntary or state privacy law opt-out information are in paragraph C.2(g)(5) of these Instructions. (f) Questions box. Customer service contact information must be inserted as appropriate, where [phone number] or [Web site] appear. Institutions may elect to provide either a phone number, such as a toll-free number, or a Web address, or both. Institutions may include the words ‘‘toll-free’’ before the telephone number, as appropriate. (g) Mail-in opt-out form. Financial institutions must include this mail-in form only if they state in the ‘‘To limit our sharing’’ box that consumers can opt out by mail. The mail-in form must provide opt-out options that correspond accurately to the ‘‘Yes’’ responses in the third column in the disclosure table. Institutions that require customers to provide only name and address may omit the section identified as ‘‘[account #].’’ Institutions that require additional or different information, such as a random optout number or a truncated account number, to implement an opt-out election should modify the ‘‘[account #]’’ reference accordingly. This includes institutions that require customers with multiple accounts to identify each account to which the opt-out should apply. An institution must enter its opt-out mailing address: In the far right of this form (see version 3); or below the form (see version 4). The reverse side of the mailin opt-out form must not include any content of the model form. (1) Joint accountholder. Only institutions that provide their joint accountholders the choice to opt out for only one accountholder, in accordance with paragraph C.3(a)(5) of these Instructions, must include in the far left column of the mail-in form the following statement: ‘‘If you have a joint account, your PO 00000 Frm 00056 Fmt 4701 Sfmt 4700 choice(s) will apply to everyone on your account unless you mark below. b Apply my choice(s) only to me.’’ The word ‘‘choice’’ may be written in either the singular or plural, as appropriate. Financial institutions that provide insurance products or services, provide this option, and elect to use the model form may substitute the word ‘‘policy’’ for ‘‘account’’ in this statement. Institutions that do not provide this option may eliminate this left column from the mail-in form. (2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution shares personal information pursuant to section 603(d)(2)(A)(iii) of the FCRA, it must include in the mail-in opt-out form the following statement: ‘‘b Do not share information about my creditworthiness with your affiliates for their everyday business purposes.’’ (3) FCRA Section 624 opt-out. If the institution incorporates section 624 of the FCRA in accord with paragraph C.2(d)(6) of these Instructions, it must include in the mail-in opt-out form the following statement: ‘‘b Do not allow your affiliates to use my personal information to market to me.’’ (4) Nonaffiliate opt-out. If the financial institution shares personal information pursuant to § 332.10(a) of this part, it must include in the mail-in opt-out form the following statement: ‘‘b Do not share my personal information with nonaffiliates to market their products and services to me.’’ (5) Additional opt-outs. Financial institutions that use the disclosure table to provide opt-out options beyond those required by Federal law must provide those opt-outs in this section of the model form. A financial institution that chooses to offer an opt-out for its own marketing in the mail-in opt-out form must include one of the two following statements: ‘‘b Do not share my personal information to market to me.’’ or ‘‘b Do not use my personal information to market to me.’’ A financial institution that chooses to offer an opt-out for joint marketing must include the following statement: ‘‘b Do not share my personal information with other financial institutions to jointly market to me.’’ (h) Barcodes. A financial institution may elect to include a barcode and/or ‘‘tagline’’ (an internal identifier) in 6-point font at the bottom of page one, as needed for information internal to the institution, so long as these do not interfere with the clarity or text of the form. 3. Page Two (a) General Instructions for the Questions. Certain of the Questions may be customized as follows: (1) ‘‘Who is providing this notice?’’ This question may be omitted where only one financial institution provides the model form and that institution is clearly identified in the title on page one. Two or more financial institutions that jointly provide the model form must use this question to identify themselves as required by § 332.9(f) of this part. Where the list of institutions exceeds four (4) lines, the institution must describe in the response to this question the general types of institutions jointly providing the notice and must separately identify those institutions, in minimum 8-point font, directly following the ‘‘Other important E:\FR\FM\01DER2.SGM 01DER2 mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations information’’ box, or, if that box is not included in the institution’s form, directly following the ‘‘Definitions.’’ The list may appear in a multi-column format. (2) ‘‘How does [name of financial institution] protect my personal information?’’ The financial institution may only provide additional information pertaining to its safeguards practices following the designated response to this question. Such information may include information about the institution’s use of cookies or other measures it uses to safeguard personal information. Institutions are limited to a maximum of 30 additional words. (3) ‘‘How does [name of financial institution] collect my personal information?’’ Institutions must use five (5) of the following terms to complete the bulleted list for this question: Open an account; deposit money; pay your bills; apply for a loan; use your credit or debit card; seek financial or tax advice; apply for insurance; pay insurance premiums; file an insurance claim; seek advice about your investments; buy securities from us; sell securities to us; direct us to buy securities; direct us to sell your securities; make deposits or withdrawals from your account; enter into an investment advisory contract; give us your income information; provide employment information; give us your employment history; tell us about your investment or retirement portfolio; tell us about your investment or retirement earnings; apply for financing; apply for a lease; provide account information; give us your contact information; pay us by check; give us your wage statements; provide your mortgage information; make a wire transfer; tell us who receives the money; tell us where to send the money; show your government-issued ID; show your driver’s license; order a commodity futures or option trade. Institutions that collect personal information from their affiliates and/or credit bureaus must include after the bulleted list the following statement: ‘‘We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.’’ Institutions that do not collect personal information from their affiliates or credit bureaus but do collect information from other companies must include the following statement instead: ‘‘We also collect your personal information from other companies.’’ Only institutions that do not collect any personal information from affiliates, credit bureaus, or other companies can omit both statements. (4) ‘‘Why can’t I limit all sharing?’’ Institutions that describe state privacy law provisions in the ‘‘Other important information’’ box must use the bracketed sentence: ‘‘See below for more on your rights under state law.’’ Other institutions must omit this sentence. (5) ‘‘What happens when I limit sharing for an account I hold jointly with someone else?’’ Only financial institutions that provide optout options must use this question. Other institutions must omit this question. Institutions must choose one of the following two statements to respond to this question: ‘‘Your choices will apply to everyone on your account.’’ or ‘‘Your choices will apply to VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 everyone on your account–unless you tell us otherwise.’’ Financial institutions that provide insurance products or services and elect to use the model form may substitute the word ‘‘policy’’ for ‘‘account’’ in these statements. (b) General Instructions for the Definitions. The financial institution must customize the space below the responses to the three definitions in this section. This specific information must be in italicized lettering to set off the information from the standardized definitions. (1) Affiliates. As required by § 332.6(a)(3) of this part, where [affiliate information] appears, the financial institution must: (i) If it has no affiliates, state: ‘‘[name of financial institution] has no affiliates’’; (ii) If it has affiliates but does not share personal information, state: ‘‘[name of financial institution] does not share with our affiliates’’; or (iii) If it shares with its affiliates, state, as applicable: ‘‘Our affiliates include companies with a [common corporate identity of financial institution] name; financial companies such as [insert illustrative list of companies]; nonfinancial companies, such as [insert illustrative list of companies]; and others, such as [insert illustrative list].’’ (2) Nonaffiliates. As required by § 332.6(c)(3) of this part, where [nonaffiliate information] appears, the financial institution must: (i) If it does not share with nonaffiliated third parties, state: ‘‘[name of financial institution] does not share with nonaffiliates so they can market to you’’; or (ii) If it shares with nonaffiliated third parties, state, as applicable: ‘‘Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].’’ (3) Joint Marketing. As required by § 332.13 of this part, where [joint marketing] appears, the financial institution must: (i) If it does not engage in joint marketing, state: ‘‘[name of financial institution] doesn’t jointly market’’; or (ii) If it shares personal information for joint marketing, state, as applicable: ‘‘Our joint marketing partners include [list categories of companies such as credit card companies].’’ (c) General instructions for the ‘‘Other important information’’ box. This box is optional. The space provided for information in this box is not limited. Only the following types of information can appear in this box. (1) State and/or international privacy law information; and/or (2) Acknowledgment of receipt form. 21. Amend newly redesignated Appendix B to part 332 as follows: ■ A. Add a new sentence to the beginning of the introductory text as set forth below. ■ B. Effective January 1, 2012, remove Appendix B to part 332. ■ PO 00000 Frm 00057 Fmt 4701 Sfmt 4700 62945 Appendix B to Part 332—Sample Clauses This Appendix only applies to privacy notices provided before January 1, 2011. * * * * * DEPARTMENT OF THE TREASURY Office of Thrift Supervision 12 CFR Chapter V Authority and Issuance For the reasons set forth in the joint preamble, part 573 of chapter V of title 12 of the Code of Federal Regulations is amended as follows: ■ PART 573—PRIVACY OF CONSUMER FINANCIAL INFORMATION 22. The authority citation for part 573 continues to read as follows: ■ Authority: 12 U.S.C. 1462a, 1463, 1464, 1828; 15 U.S.C. 6801 et seq. ■ 23. Revise § 573.2 to read as follows: § 573.2 Model privacy form and examples. (a) Model privacy form. Use of the model privacy form in Appendix A of this part, consistent with the instructions in Appendix A, constitutes compliance with the notice content requirements of §§ 573.6 and 573.7 of this part, although use of the model privacy form is not required. (b) Examples. The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part. ■ 24. In § 573.6: ■ A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set forth below. ■ B. Effective January 1, 2012, remove paragraph (g). § 573.6 Information to be included in privacy notices. * * * * * (b) Description of nonaffiliated third parties subject to exceptions. If you disclose nonpublic personal information to third parties as authorized under §§ 573.14 and 573.15, you are not required to list those exceptions in the initial or annual privacy notices required by §§ 573.4 and 573.5. When describing the categories with respect to those parties, it is sufficient to state that you make disclosures to other nonaffiliated companies: (1) For your everyday business purposes, such as [include all that apply] to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus; or (2) As permitted by law. * * * * * E:\FR\FM\01DER2.SGM 01DER2 62946 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations mstockstill on DSKH9S0YB1PROD with RULES2 (f) Model privacy form. Pursuant to § 573.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part. (g) Sample clauses. Sample clauses illustrating some of the notice content required by this section are included in Appendix B of this part. Use of a sample clause in a privacy notice provided on or before December 31, 2010, to the extent applicable, constitutes compliance with this part. VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 ■ 25. In § 573.7, add paragraph (i) to read as follows: Appendix A [Redesignated as Appendix B] § 573.7 Form of opt-out notice to consumers; opt-out methods. ■ * * * * * (i) Model privacy form. Pursuant to § 573.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part. PO 00000 26. Redesignate Appendix A to part 573 as Appendix B to part 573. ■ 27. Add new Appendix A to part 573 to read as follows: Appendix A to Part 573—Model Privacy Form A. The Model Privacy Form BILLING CODE 6750–01–P 12.5%, 6351–01–P 12.5%, 6720–01–P 12.5%, 6714–01–P 12.5%, 4810–01–P 12.5%, 6210–01–P 12.5%, 8011–01–P 12.5%, 7535–01–P 12.5% Frm 00058 Fmt 4701 Sfmt 4700 E:\FR\FM\01DER2.SGM 01DER2 VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00059 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 62947 ER01DE09.021</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations VerDate Nov<24>2008 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00060 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 ER01DE09.022</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 62948 VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00061 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 62949 ER01DE09.023</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations VerDate Nov<24>2008 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00062 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 ER01DE09.024</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 62950 VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00063 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 62951 ER01DE09.025</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations VerDate Nov<24>2008 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00064 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 ER01DE09.026</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 62952 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations B. General Instructions 1. How the Model Privacy Form Is Used (a) The model form may be used, at the option of a financial institution, including a group of financial institutions that use a common privacy notice, to meet the content requirements of the privacy notice and optout notice set forth in §§ 573.6 and 573.7 of this part. (b) The model form is a standardized form, including page layout, content, format, style, pagination, and shading. Institutions seeking to obtain the safe harbor through use of the model form may modify it only as described in these Instructions. (c) Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681– 1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties. (d) The word ‘‘customer’’ may be replaced by the word ‘‘member’’ whenever it appears in the model form, as appropriate. 2. The Contents of the Model Privacy Form The model form consists of two pages, which may be printed on both sides of a single sheet of paper, or may appear on two separate pages. Where an institution provides a long list of institutions at the end of the model form in accordance with Instruction C.3(a)(1), or provides additional information in accordance with Instruction C.3(c), and such list or additional information exceeds the space available on page two of the model form, such list or additional information may extend to a third page. (a) Page One. The first page consists of the following components: (1) Date last revised (upper right-hand corner). VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 (2) Title. (3) Key frame (Why?, What?, How?). (4) Disclosure table (‘‘Reasons we can share your personal information’’). (5) ‘‘To limit our sharing’’ box, as needed, for the financial institution’s opt-out information. (6) ‘‘Questions’’ box, for customer service contact information. (7) Mail-in opt-out form, as needed. (b) Page Two. The second page consists of the following components: (1) Heading (Page 2). (2) Frequently Asked Questions (‘‘Who we are’’ and ‘‘What we do’’). (3) Definitions. (4) ‘‘Other important information’’ box, as needed. 3. The Format of the Model Privacy Form The format of the model form may be modified only as described below. (a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. While a number of factors together produce easily readable type font, institutions are required to use a minimum of 10-point font (unless otherwise expressly permitted in these Instructions) and sufficient spacing between the lines of type. (b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page. (c) Page size and orientation. Each page of the model form must be printed on paper in portrait orientation, the size of which must be sufficient to meet the layout and minimum font size requirements, with sufficient white space on the top, bottom, and sides of the content. (d) Color. The model form must be printed on white or light color paper (such as cream) with black or other contrasting ink color. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract PO 00000 Frm 00065 Fmt 4701 Sfmt 4700 from the readability of the model form. Logos may also be printed in color. (e) Languages. The model form may be translated into languages other than English. C. Information Required in the Model Privacy Form The information in the model form may be modified only as described below: 1. Name of the Institution or Group of Affiliated Institutions Providing the Notice Insert the name of the financial institution providing the notice or a common identity of affiliated institutions jointly providing the notice on the form wherever [name of financial institution] appears. 2. Page One (a) Last revised date. The financial institution must insert in the upper righthand corner the date on which the notice was last revised. The information shall appear in minimum 8-point font as ‘‘rev. [month/year]’’ using either the name or number of the month, such as ‘‘rev. July 2009’’ or ‘‘rev. 7/09’’. (b) General instructions for the ‘‘What?’’ box. (1) The bulleted list identifies the types of personal information that the institution collects and shares. All institutions must use the term ‘‘Social Security number’’ in the first bullet. (2) Institutions must use five (5) of the following terms to complete the bulleted list: Income; account balances; payment history; transaction history; transaction or loss history; credit history; credit scores; assets; investment experience; credit-based insurance scores; insurance claim history; medical information; overdraft history; purchase history; account transactions; risk tolerance; medical-related debts; credit card or other debt; mortgage rates and payments; retirement assets; checking account information; employment information; wire transfer instructions. (c) General instructions for the disclosure table. The left column lists reasons for E:\FR\FM\01DER2.SGM 01DER2 ER01DE09.027</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 BILLING CODE 6750–01–C 12.5%, 6351–01–C 12.5%, 6720–01–C 12.5%, 6714–01–C 12.5%, 4810–01–C 12.5%, 6210–01–C 12.5%, 8011–01–C 12.5%, 7535–01–C 12.5% 62953 mstockstill on DSKH9S0YB1PROD with RULES2 62954 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations sharing or using personal information. Each reason correlates to a specific legal provision described in paragraph C.2(d) of this Instruction. In the middle column, each institution must provide a ‘‘Yes’’ or ‘‘No’’ response that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. In the right column, each institution must provide in each box one of the following three (3) responses, as applicable, that reflects whether a consumer can limit such sharing: ‘‘Yes’’ if it is required to or voluntarily provides an opt-out; ‘‘No’’ if it does not provide an opt-out; or ‘‘We don’t share’’ if it answers ‘‘No’’ in the middle column. Only the sixth row (‘‘For our affiliates to market to you’’) may be omitted at the option of the institution. See paragraph C.2(d)(6) of this Instruction. (d) Specific disclosures and corresponding legal provisions. (1) For our everyday business purposes. This reason incorporates sharing information under §§ 573.14 and 573.15 and with service providers pursuant to § 573.13 of this part other than the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these Instructions. (2) For our marketing purposes. This reason incorporates sharing information with service providers by an institution for its own marketing pursuant to § 573.13 of this part. An institution that shares for this reason may choose to provide an opt-out. (3) For joint marketing with other financial companies. This reason incorporates sharing information under joint marketing agreements between two or more financial institutions and with any service provider used in connection with such agreements pursuant to § 573.13 of this part. An institution that shares for this reason may choose to provide an opt-out. (4) For our affiliates’ everyday business purposes—information about transactions and experiences. This reason incorporates sharing information specified in sections 603(d)(2)(A)(i) and (ii) of the FCRA. An institution that shares for this reason may choose to provide an opt-out. (5) For our affiliates’ everyday business purposes—information about creditworthiness. This reason incorporates sharing information pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution that shares for this reason must provide an opt-out. (6) For our affiliates to market to you. This reason incorporates sharing information specified in section 624 of the FCRA. This reason may be omitted from the disclosure table when: The institution does not have affiliates (or does not disclose personal information to its affiliates); the institution’s affiliates do not use personal information in a manner that requires an opt-out; or the institution provides the affiliate marketing notice separately. Institutions that include this reason must provide an opt-out of indefinite duration. An institution that is required to provide an affiliate marketing opt-out, but does not include that opt-out in the model form under this part, must comply with section 624 of the FCRA and 12 CFR part 571, subpart C, with respect to the initial VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 notice and opt-out and any subsequent renewal notice and opt-out. An institution not required to provide an opt-out under this subparagraph may elect to include this reason in the model form. (7) For nonaffiliates to market to you. This reason incorporates sharing described in §§ 573.7 and 573.10(a) of this part. An institution that shares personal information for this reason must provide an opt-out. (e) To limit our sharing: A financial institution must include this section of the model form only if it provides an opt-out. The word ‘‘choice’’ may be written in either the singular or plural, as appropriate. Institutions must select one or more of the applicable opt-out methods described: Telephone, such as by a toll-free number; a Web site; or use of a mail-in opt-out form. Institutions may include the words ‘‘tollfree’’ before telephone, as appropriate. An institution that allows consumers to opt out online must provide either a specific Web address that takes consumers directly to the opt-out page or a general Web address that provides a clear and conspicuous direct link to the opt-out page. The opt-out choices made available to the consumer who contacts the institution through these methods must correspond accurately to the ‘‘Yes’’ responses in the third column of the disclosure table. In the part titled ‘‘Please note,’’ institutions may insert a number that is 30 or greater in the space marked ‘‘[30].’’ Instructions on voluntary or state privacy law opt-out information are in paragraph C.2(g)(5) of these Instructions. (f) Questions box. Customer service contact information must be inserted as appropriate, where [phone number] or [Web site] appear. Institutions may elect to provide either a phone number, such as a toll-free number, or a Web address, or both. Institutions may include the words ‘‘toll-free’’ before the telephone number, as appropriate. (g) Mail-in opt-out form. Financial institutions must include this mail-in form only if they state in the ‘‘To limit our sharing’’ box that consumers can opt out by mail. The mail-in form must provide opt-out options that correspond accurately to the ‘‘Yes’’ responses in the third column in the disclosure table. Institutions that require customers to provide only name and address may omit the section identified as ‘‘[account #].’’ Institutions that require additional or different information, such as a random optout number or a truncated account number, to implement an opt-out election should modify the ‘‘[account #]’’ reference accordingly. This includes institutions that require customers with multiple accounts to identify each account to which the opt-out should apply. An institution must enter its opt-out mailing address: in the far right of this form (see version 3); or below the form (see version 4). The reverse side of the mailin opt-out form must not include any content of the model form. (1) Joint accountholder. Only institutions that provide their joint accountholders the choice to opt out for only one accountholder, in accordance with paragraph C.3(a)(5) of these Instructions, must include in the far left column of the mail-in form the following statement: ‘‘If you have a joint account, your PO 00000 Frm 00066 Fmt 4701 Sfmt 4700 choice(s) will apply to everyone on your account unless you mark below. b Apply my choice(s) only to me.’’ The word ‘‘choice’’ may be written in either the singular or plural, as appropriate. Financial institutions that provide insurance products or services, provide this option, and elect to use the model form may substitute the word ‘‘policy’’ for ‘‘account’’ in this statement. Institutions that do not provide this option may eliminate this left column from the mail-in form. (2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution shares personal information pursuant to section 603(d)(2)(A)(iii) of the FCRA, it must include in the mail-in opt-out form the following statement: ‘‘b Do not share information about my creditworthiness with your affiliates for their everyday business purposes.’’ (3) FCRA Section 624 opt-out. If the institution incorporates section 624 of the FCRA in accord with paragraph C.2(d)(6) of these Instructions, it must include in the mail-in opt-out form the following statement: ‘‘b Do not allow your affiliates to use my personal information to market to me.’’ (4) Nonaffiliate opt-out. If the financial institution shares personal information pursuant to § 573.10(a) of this part, it must include in the mail-in opt-out form the following statement: ‘‘b Do not share my personal information with nonaffiliates to market their products and services to me.’’ (5) Additional opt-outs. Financial institutions that use the disclosure table to provide opt-out options beyond those required by Federal law must provide those opt-outs in this section of the model form. A financial institution that chooses to offer an opt-out for its own marketing in the mail-in opt-out form must include one of the two following statements: ‘‘b Do not share my personal information to market to me.’’ or ‘‘b Do not use my personal information to market to me.’’ A financial institution that chooses to offer an opt-out for joint marketing must include the following statement: ‘‘b Do not share my personal information with other financial institutions to jointly market to me.’’ (h) Barcodes. A financial institution may elect to include a barcode and/or ‘‘tagline’’ (an internal identifier) in 6-point font at the bottom of page one, as needed for information internal to the institution, so long as these do not interfere with the clarity or text of the form. 3. Page Two (a) General Instructions for the Questions. Certain of the Questions may be customized as follows: (1) ‘‘Who is providing this notice?’’ This question may be omitted where only one financial institution provides the model form and that institution is clearly identified in the title on page one. Two or more financial institutions that jointly provide the model form must use this question to identify themselves as required by § 573.9(f) of this part. Where the list of institutions exceeds four (4) lines, the institution must describe in the response to this question the general types of institutions jointly providing the notice and must separately identify those institutions, in minimum 8-point font, directly following the ‘‘Other important E:\FR\FM\01DER2.SGM 01DER2 mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations information’’ box, or, if that box is not included in the institution’s form, directly following the ‘‘Definitions.’’ The list may appear in a multi-column format. (2) ‘‘How does [name of financial institution] protect my personal information?’’ The financial institution may only provide additional information pertaining to its safeguards practices following the designated response to this question. Such information may include information about the institution’s use of cookies or other measures it uses to safeguard personal information. Institutions are limited to a maximum of 30 additional words. (3) ‘‘How does [name of financial institution] collect my personal information?’’ Institutions must use five (5) of the following terms to complete the bulleted list for this question: Open an account; deposit money; pay your bills; apply for a loan; use your credit or debit card; seek financial or tax advice; apply for insurance; pay insurance premiums; file an insurance claim; seek advice about your investments; buy securities from us; sell securities to us; direct us to buy securities; direct us to sell your securities; make deposits or withdrawals from your account; enter into an investment advisory contract; give us your income information; provide employment information; give us your employment history; tell us about your investment or retirement portfolio; tell us about your investment or retirement earnings; apply for financing; apply for a lease; provide account information; give us your contact information; pay us by check; give us your wage statements; provide your mortgage information; make a wire transfer; tell us who receives the money; tell us where to send the money; show your government-issued ID; show your driver’s license; order a commodity futures or option trade. Institutions that collect personal information from their affiliates and/or credit bureaus must include after the bulleted list the following statement: ‘‘We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.’’ Institutions that do not collect personal information from their affiliates or credit bureaus but do collect information from other companies must include the following statement instead: ‘‘We also collect your personal information from other companies.’’ Only institutions that do not collect any personal information from affiliates, credit bureaus, or other companies can omit both statements. (4) ‘‘Why can’t I limit all sharing?’’ Institutions that describe state privacy law provisions in the ‘‘Other important information’’ box must use the bracketed sentence: ‘‘See below for more on your rights under state law.’’ Other institutions must omit this sentence. (5) ‘‘What happens when I limit sharing for an account I hold jointly with someone else?’’ Only financial institutions that provide optout options must use this question. Other institutions must omit this question. Institutions must choose one of the following two statements to respond to this question: ‘‘Your choices will apply to everyone on your account.’’ or ‘‘Your choices will apply to VerDate Nov<24>2008 20:48 Nov 30, 2009 Jkt 220001 everyone on your account—unless you tell us otherwise.’’ Financial institutions that provide insurance products or services and elect to use the model form may substitute the word ‘‘policy’’ for ‘‘account’’ in these statements. (b) General Instructions for the Definitions. The financial institution must customize the space below the responses to the three definitions in this section. This specific information must be in italicized lettering to set off the information from the standardized definitions. (1) Affiliates. As required by § 573.6(a)(3) of this part, where [affiliate information] appears, the financial institution must: (i) If it has no affiliates, state: ‘‘[name of financial institution] has no affiliates;’’ (ii) If it has affiliates but does not share personal information, state: ‘‘[name of financial institution] does not share with our affiliates’’; or (iii) If it shares with its affiliates, state, as applicable: ‘‘Our affiliates include companies with a [common corporate identity of financial institution] name; financial companies such as [insert illustrative list of companies]; nonfinancial companies, such as [insert illustrative list of companies]; and others, such as [insert illustrative list].’’ (2) Nonaffiliates. As required by § 573.6(c)(3) of this part, where [nonaffiliate information] appears, the financial institution must: (i) If it does not share with nonaffiliated third parties, state: ‘‘[name of financial institution] does not share with nonaffiliates so they can market to you’’; or (ii) If it shares with nonaffiliated third parties, state, as applicable: ‘‘Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].’’ (3) Joint Marketing. As required by § 573.13 of this part, where [joint marketing] appears, the financial institution must: (i) If it does not engage in joint marketing, state: ‘‘[name of financial institution] doesn’t jointly market’’; or (ii) If it shares personal information for joint marketing, state, as applicable: ‘‘Our joint marketing partners include [list categories of companies such as credit card companies].’’ (c) General instructions for the ‘‘Other important information’’ box. This box is optional. The space provided for information in this box is not limited. Only the following types of information can appear in this box. (1) State and/or international privacy law information; and/or (2) Acknowledgment of receipt form. 28. Amend newly redesignated Appendix B to part 573 as follows: ■ A. Add a new sentence to the beginning of the introductory text as set forth below. ■ B. Effective January 1, 2012, remove Appendix B to part 573. ■ PO 00000 Frm 00067 Fmt 4701 Sfmt 4700 62955 Appendix B to Part 573—Sample Clauses This Appendix only applies to privacy notices provided before January 1, 2011. * * * * * * * * National Credit Union Administration 12 CFR Chapter V Authority and Issuance For the reasons set forth in the joint preamble, part 716 of chapter V of title 12 of the Code of Federal Regulations is amended as follows: ■ PART 716—PRIVACY OF CONSUMER FINANCIAL INFORMATION 29. The authority citation for part 716 continues to read as follows: ■ Authority: 12 U.S.C. 1751 et seq.; 15 U.S.C. 6801 et seq. ■ 30. Revise § 716.2 to read as follows: § 716.2 Model privacy form and examples. (a) Model privacy form. Use of the model privacy form in Appendix A of this part, consistent with the instructions in Appendix A, constitutes compliance with the notice content requirements of §§ 716.6 and 716.7 of this part, although use of the model privacy form is not required. (b) Examples. The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part. 31. In § 716.6: A. Revise the section heading and paragraph (b), and add paragraphs (f) and (g) to read as set forth below. ■ B. Effective January 1, 2012, remove paragraph (g). ■ ■ § 716.6 Information to be included in privacy notices. * * * * * (b) Description of nonaffiliated third parties subject to exceptions. If you disclose nonpublic personal information to third parties as authorized under §§ 716.14 and 716.15, you are not required to list those exceptions in the initial or annual privacy notices required by §§ 716.4 and 716.5. When describing the categories with respect to those parties, it is sufficient to state that you make disclosures to other nonaffiliated companies: (1) For your everyday business purposes, such as [include all that apply] to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus; or (2) As permitted by law. * * * * * E:\FR\FM\01DER2.SGM 01DER2 62956 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations mstockstill on DSKH9S0YB1PROD with RULES2 (f) Model privacy form. Pursuant to § 716.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part. (g) Sample clauses. Sample clauses illustrating some of the notice content required by this section are included in Appendix B of this part. Use of a sample clause in a privacy notice provided on or before December 31, 2010, to the extent applicable, constitutes compliance with this part. VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 ■ 32. In § 716.7, add paragraph (i) to read as follows: Appendix A [Redesignated as Appendix B] § 716.7 Form of opt-out notice to consumers; opt-out methods. ■ * * * * * (i) Model privacy form. Pursuant to § 716.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part. PO 00000 33. Redesignate Appendix A to part 716 as Appendix B to part 716. ■ 34. Add new Appendix A to part 716 to read as follows: Appendix A to Part 716—Model Privacy Form A. The Model Privacy Form BILLING CODE 6750–01–P 12.5%, 6351–01–P 12.5%, 6720–01–P 12.5%, 6714–01–P 12.5%, 4810–33–P 12.5%, 6210–01–P 12.5%, 8011–01–P 12.5%, 7535–01–P 12.5%; Frm 00068 Fmt 4701 Sfmt 4700 E:\FR\FM\01DER2.SGM 01DER2 VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00069 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 62957 ER01DE09.028</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations VerDate Nov<24>2008 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00070 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 ER01DE09.029</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 62958 VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00071 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 62959 ER01DE09.030</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations VerDate Nov<24>2008 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00072 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 ER01DE09.031</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 62960 VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00073 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 62961 ER01DE09.032</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations VerDate Nov<24>2008 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00074 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 ER01DE09.033</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 62962 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations B. General Instructions 1. How the Model Privacy Form Is Used (a) The model form may be used, at the option of a financial institution, including a group of financial institutions that use a common privacy notice, to meet the content requirements of the privacy notice and optout notice set forth in §§ 716.6 and 716.7 of this part. (b) The model form is a standardized form, including page layout, content, format, style, pagination, and shading. Institutions seeking to obtain the safe harbor through use of the model form may modify it only as described in these Instructions. (c) Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681— 1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties. (d) The word ‘‘customer’’ may be replaced by the word ‘‘member’’ whenever it appears in the model form, as appropriate. 2. The Contents of the Model Privacy Form The model form consists of two pages, which may be printed on both sides of a single sheet of paper, or may appear on two separate pages. Where an institution provides a long list of institutions at the end of the model form in accordance with Instruction C.3(a)(1), or provides additional information in accordance with Instruction C.3(c), and such list or additional information exceeds the space available on page two of the model form, such list or additional information may extend to a third page. (a) Page One. The first page consists of the following components: (1) Date last revised (upper right-hand corner). VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 (2) Title. (3) Key frame (Why?, What?, How?). (4) Disclosure table (‘‘Reasons we can share your personal information’’). (5) ‘‘To limit our sharing’’ box, as needed, for the financial institution’s opt-out information. (6) ‘‘Questions’’ box, for customer service contact information. (7) Mail-in opt-out form, as needed. (b) Page Two. The second page consists of the following components: (1) Heading (Page 2). (2) Frequently Asked Questions (‘‘Who we are’’ and ‘‘What we do’’). (3) Definitions. (4) ‘‘Other important information’’ box, as needed. 3. The Format of the Model Privacy Form The format of the model form may be modified only as described below. (a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. While a number of factors together produce easily readable type font, institutions are required to use a minimum of 10-point font (unless otherwise expressly permitted in these Instructions) and sufficient spacing between the lines of type. (b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page. (c) Page size and orientation. Each page of the model form must be printed on paper in portrait orientation, the size of which must be sufficient to meet the layout and minimum font size requirements, with sufficient white space on the top, bottom, and sides of the content. (d) Color. The model form must be printed on white or light color paper (such as cream) with black or other contrasting ink color. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract PO 00000 Frm 00075 Fmt 4701 Sfmt 4700 from the readability of the model form. Logos may also be printed in color. (e) Languages. The model form may be translated into languages other than English. C. Information Required in the Model Privacy Form The information in the model form may be modified only as described below: 1. Name of the Institution or Group of Affiliated Institutions Providing the Notice Insert the name of the financial institution providing the notice or a common identity of affiliated institutions jointly providing the notice on the form wherever [name of financial institution] appears. 2. Page One (a) Last revised date. The financial institution must insert in the upper righthand corner the date on which the notice was last revised. The information shall appear in minimum 8-point font as ‘‘rev. [month/year]’’ using either the name or number of the month, such as ‘‘rev. July 2009’’ or ‘‘rev. 7/ 09’’. (b) General instructions for the ‘‘What?’’ box. (1) The bulleted list identifies the types of personal information that the institution collects and shares. All institutions must use the term ‘‘Social Security number’’ in the first bullet. (2) Institutions must use five (5) of the following terms to complete the bulleted list: income; account balances; payment history; transaction history; transaction or loss history; credit history; credit scores; assets; investment experience; credit-based insurance scores; insurance claim history; medical information; overdraft history; purchase history; account transactions; risk tolerance; medical-related debts; credit card or other debt; mortgage rates and payments; retirement assets; checking account information; employment information; wire transfer instructions. (c) General instructions for the disclosure table. The left column lists reasons for E:\FR\FM\01DER2.SGM 01DER2 ER01DE09.034</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 BILLING CODE 6750–01–C 12.5%, 6351–01–C 12.5%, 6720–01–C 12.5%, 6714–01–C 12.5%, 4810–33–C 12.5%, 6210–01–C 12.5%, 8011–01–C 12.5%, 7535–01–C 12.5%; 62963 mstockstill on DSKH9S0YB1PROD with RULES2 62964 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations sharing or using personal information. Each reason correlates to a specific legal provision described in paragraph C.2(d) of this Instruction. In the middle column, each institution must provide a ‘‘Yes’’ or ‘‘No’’ response that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. In the right column, each institution must provide in each box one of the following three (3) responses, as applicable, that reflects whether a consumer can limit such sharing: ‘‘Yes’’ if it is required to or voluntarily provides an opt-out; ‘‘No’’ if it does not provide an opt-out; or ‘‘We don’t share’’ if it answers ‘‘No’’ in the middle column. Only the sixth row (‘‘For our affiliates to market to you’’) may be omitted at the option of the institution. See paragraph C.2(d)(6) of this Instruction. (d) Specific disclosures and corresponding legal provisions. (1) For our everyday business purposes. This reason incorporates sharing information under §§ 716.14 and 716.15 and with service providers pursuant to § 716.13 of this part other than the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these Instructions. (2) For our marketing purposes. This reason incorporates sharing information with service providers by an institution for its own marketing pursuant to § 716.13 of this part. An institution that shares for this reason may choose to provide an opt-out. (3) For joint marketing with other financial companies. This reason incorporates sharing information under joint marketing agreements between two or more financial institutions and with any service provider used in connection with such agreements pursuant to § 716.13 of this part. An institution that shares for this reason may choose to provide an opt-out. (4) For our affiliates’ everyday business purposes—information about transactions and experiences. This reason incorporates sharing information specified in sections 603(d)(2)(A)(i) and (ii) of the FCRA. An institution that shares for this reason may choose to provide an opt-out. (5) For our affiliates’ everyday business purposes—information about creditworthiness. This reason incorporates sharing information pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution that shares for this reason must provide an opt-out. (6) For our affiliates to market to you. This reason incorporates sharing information specified in section 624 of the FCRA. This reason may be omitted from the disclosure table when: the institution does not have affiliates (or does not disclose personal information to its affiliates); the institution’s affiliates do not use personal information in a manner that requires an opt-out; or the institution provides the affiliate marketing notice separately. Institutions that include this reason must provide an opt-out of indefinite duration. An institution that is required to provide an affiliate marketing opt-out, but does not include that opt-out in the model form under this part, must comply with section 624 of the FCRA and 12 CFR part 717, subpart C, with respect to the initial VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 notice and opt-out and any subsequent renewal notice and opt-out. An institution not required to provide an opt-out under this subparagraph may elect to include this reason in the model form. (7) For nonaffiliates to market to you. This reason incorporates sharing described in §§ 716.7 and 716.10(a) of this part. An institution that shares personal information for this reason must provide an opt-out. (e) To limit our sharing: A financial institution must include this section of the model form only if it provides an opt-out. The word ‘‘choice’’ may be written in either the singular or plural, as appropriate. Institutions must select one or more of the applicable opt-out methods described: telephone, such as by a toll-free number; a Web site; or use of a mail-in opt-out form. Institutions may include the words ‘‘tollfree’’ before telephone, as appropriate. An institution that allows consumers to opt out online must provide either a specific Web address that takes consumers directly to the opt-out page or a general Web address that provides a clear and conspicuous direct link to the opt-out page. The opt-out choices made available to the consumer who contacts the institution through these methods must correspond accurately to the ‘‘Yes’’ responses in the third column of the disclosure table. In the part titled ‘‘Please note’’ institutions may insert a number that is 30 or greater in the space marked ‘‘[30].’’ Instructions on voluntary or state privacy law opt-out information are in paragraph C.2(g)(5) of these Instructions. (f) Questions box. Customer service contact information must be inserted as appropriate, where [phone number] or [Web site] appear. Institutions may elect to provide either a phone number, such as a toll-free number, or a Web address, or both. Institutions may include the words ‘‘toll-free’’ before the telephone number, as appropriate. (g) Mail-in opt-out form. Financial institutions must include this mail-in form only if they state in the ‘‘To limit our sharing’’ box that consumers can opt out by mail. The mail-in form must provide opt-out options that correspond accurately to the ‘‘Yes’’ responses in the third column in the disclosure table. Institutions that require customers to provide only name and address may omit the section identified as ‘‘[account #].’’ Institutions that require additional or different information, such as a random optout number or a truncated account number, to implement an opt-out election should modify the ‘‘[account #]’’ reference accordingly. This includes institutions that require customers with multiple accounts to identify each account to which the opt-out should apply. An institution must enter its opt-out mailing address: in the far right of this form (see version 3); or below the form (see version 4). The reverse side of the mailin opt-out form must not include any content of the model form. (1) Joint accountholder. Only institutions that provide their joint accountholders the choice to opt out for only one accountholder, in accordance with paragraph C.3(a)(5) of these Instructions, must include in the far left column of the mail-in form the following statement: ‘‘If you have a joint account, your PO 00000 Frm 00076 Fmt 4701 Sfmt 4700 choice(s) will apply to everyone on your account unless you mark below. b Apply my choice(s) only to me.’’ The word ‘‘choice’’ may be written in either the singular or plural, as appropriate. Financial institutions that provide insurance products or services, provide this option, and elect to use the model form may substitute the word ‘‘policy’’ for ‘‘account’’ in this statement. Institutions that do not provide this option may eliminate this left column from the mail-in form. (2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution shares personal information pursuant to section 603(d)(2)(A)(iii) of the FCRA, it must include in the mail-in opt-out form the following statement: ‘‘b Do not share information about my creditworthiness with your affiliates for their everyday business purposes.’’ (3) FCRA Section 624 opt-out. If the institution incorporates section 624 of the FCRA in accord with paragraph C.2(d)(6) of these Instructions, it must include in the mail-in opt-out form the following statement: ‘‘b Do not allow your affiliates to use my personal information to market to me.’’ (4) Nonaffiliate opt-out. If the financial institution shares personal information pursuant to § 716.10(a) of this part, it must include in the mail-in opt-out form the following statement: ‘‘b Do not share my personal information with nonaffiliates to market their products and services to me.’’ (5) Additional opt-outs. Financial institutions that use the disclosure table to provide opt-out options beyond those required by Federal law must provide those opt-outs in this section of the model form. A financial institution that chooses to offer an opt-out for its own marketing in the mail-in opt-out form must include one of the two following statements: ‘‘b Do not share my personal information to market to me.’’ or ‘‘b Do not use my personal information to market to me.’’ A financial institution that chooses to offer an opt-out for joint marketing must include the following statement: ‘‘b Do not share my personal information with other financial institutions to jointly market to me.’’ (h) Barcodes. A financial institution may elect to include a barcode and/or ‘‘tagline’’ (an internal identifier) in 6-point font at the bottom of page one, as needed for information internal to the institution, so long as these do not interfere with the clarity or text of the form. 3. Page Two (a) General Instructions for the Questions. Certain of the Questions may be customized as follows: (1) ‘‘Who is providing this notice?’’ This question may be omitted where only one financial institution provides the model form and that institution is clearly identified in the title on page one. Two or more financial institutions that jointly provide the model form must use this question to identify themselves as required by § 716.9(f) of this part. Where the list of institutions exceeds four (4) lines, the institution must describe in the response to this question the general types of institutions jointly providing the notice and must separately identify those institutions, in minimum 8-point font, directly following the ‘‘Other important E:\FR\FM\01DER2.SGM 01DER2 mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations information’’ box, or, if that box is not included in the institution’s form, directly following the ‘‘Definitions.’’ The list may appear in a multi-column format. (2) ‘‘How does [name of financial institution] protect my personal information?’’ The financial institution may only provide additional information pertaining to its safeguards practices following the designated response to this question. Such information may include information about the institution’s use of cookies or other measures it uses to safeguard personal information. Institutions are limited to a maximum of 30 additional words. (3) ‘‘How does [name of financial institution] collect my personal information?’’ Institutions must use five (5) of the following terms to complete the bulleted list for this question: open an account; deposit money; pay your bills; apply for a loan; use your credit or debit card; seek financial or tax advice; apply for insurance; pay insurance premiums; file an insurance claim; seek advice about your investments; buy securities from us; sell securities to us; direct us to buy securities; direct us to sell your securities; make deposits or withdrawals from your account; enter into an investment advisory contract; give us your income information; provide employment information; give us your employment history; tell us about your investment or retirement portfolio; tell us about your investment or retirement earnings; apply for financing; apply for a lease; provide account information; give us your contact information; pay us by check; give us your wage statements; provide your mortgage information; make a wire transfer; tell us who receives the money; tell us where to send the money; show your government-issued ID; show your driver’s license; order a commodity futures or option trade. Institutions that collect personal information from their affiliates and/or credit bureaus must include after the bulleted list the following statement: ‘‘We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.’’ Institutions that do not collect personal information from their affiliates or credit bureaus but do collect information from other companies must include the following statement instead: ‘‘We also collect your personal information from other companies.’’ Only institutions that do not collect any personal information from affiliates, credit bureaus, or other companies can omit both statements. (4) ‘‘Why can’t I limit all sharing?’’ Institutions that describe state privacy law provisions in the ‘‘Other important information’’ box must use the bracketed sentence: ‘‘See below for more on your rights under state law.’’ Other institutions must omit this sentence. (5) ‘‘What happens when I limit sharing for an account I hold jointly with someone else?’’ Only financial institutions that provide optout options must use this question. Other institutions must omit this question. Institutions must choose one of the following two statements to respond to this question: ‘‘Your choices will apply to everyone on your account.’’ or ‘‘Your choices will apply to VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 everyone on your account—unless you tell us otherwise.’’ Financial institutions that provide insurance products or services and elect to use the model form may substitute the word ‘‘policy’’ for ‘‘account’’ in these statements. (b) General Instructions for the Definitions. The financial institution must customize the space below the responses to the three definitions in this section. This specific information must be in italicized lettering to set off the information from the standardized definitions. (1) Affiliates. As required by § 716.6(a)(3) of this part, where [affiliate information] appears, the financial institution must: (i) If it has no affiliates, state: ‘‘[name of financial institution] has no affiliates’’; (ii) If it has affiliates but does not share personal information, state: ‘‘[name of financial institution] does not share with our affiliates; or (iii) If it shares with its affiliates, state, as applicable: ‘‘Our affiliates include companies with a [common corporate identity of financial institution] name; financial companies such as [insert illustrative list of companies]; nonfinancial companies, such as [insert illustrative list of companies;] and others, such as [insert illustrative list].’’ (2) Nonaffiliates. As required by § 716.6(c)(3) of this part, where [nonaffiliate information] appears, the financial institution must: (i) If it does not share with nonaffiliated third parties, state: ‘‘[name of financial institution] does not share with nonaffiliates so they can market to you’’; or (ii) If it shares with nonaffiliated third parties, state, as applicable: ‘‘Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].’’ (3) Joint Marketing. As required by § 716.13 of this part, where [joint marketing] appears, the financial institution must: (i) If it does not engage in joint marketing, state: ‘‘[name of financial institution] doesn’t jointly market ’’; or (ii) If it shares personal information for joint marketing, state, as applicable: ‘‘Our joint marketing partners include [list categories of companies such as credit card companies].’’ (c) General instructions for the ‘‘Other important information’’ box. This box is optional. The space provided for information in this box is not limited. Only the following types of information can appear in this box. (1) State and/or international privacy law information; and/or (2) Acknowledgment of receipt form. 35. Amend newly redesignated Appendix B to part 716 as follows: ■ A. Add a new sentence to the beginning of the introductory text as set forth below. ■ B. Effective January 1, 2012, remove Appendix B to part 716. ■ PO 00000 Frm 00077 Fmt 4701 Sfmt 4700 62965 Appendix B to Part 716—Sample Clauses This Appendix only applies to privacy notices provided before January 1, 2011. * * * * * * * * Federal Trade Commission 16 CFR Chapter I For the reasons set forth in the joint preamble, the Federal Trade Commission amends part 313 of chapter I of title 16 of the Code of Federal Regulations as follows: ■ PART 313—PRIVACY OF CONSUMER FINANCIAL INFORMATION 36. The authority citation for part 313 continues to read as follows: ■ Authority: 15 U.S.C. 6801 et seq. ■ 37. Revise § 313.2 to read as follows: § 313.2 Model privacy form and examples. (a) Model privacy form. Use of the model privacy form in Appendix A of this part, consistent with the instructions in Appendix A, constitutes compliance with the notice content requirements of §§ 313.6 and 313.7 of this part, although use of the model privacy form is not required. (b) Examples. The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part. ■ 38. In § 313.6: ■ A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set forth below. ■ B. Effective January 1, 2012, remove paragraph (g). § 313.6 Information to be included in privacy notices. * * * * * (b) Description of nonaffiliated third parties subject to exceptions. If you disclose nonpublic personal information to third parties as authorized under §§ 313.14 and 313.15, you are not required to list those exceptions in the initial or annual privacy notices required by §§ 313.4 and 313.5. When describing the categories with respect to those parties, it is sufficient to state that you make disclosures to other nonaffiliated companies for your everyday business purposes, such as to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus. * * * * * (f) Model privacy form. Pursuant to § 313.2(a) of this part, a model privacy form that meets the notice content E:\FR\FM\01DER2.SGM 01DER2 62966 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations mstockstill on DSKH9S0YB1PROD with RULES2 requirements of this section is included in Appendix A of this part. (g) Sample clauses and description of nonaffiliated third parties subject to exceptions. (1) Sample clauses. Sample clauses illustrating some of the notice content required by this section are included in Appendix B of this part. Use of a sample clause in a privacy notice provided on or before December 31, 2010, to the extent applicable, constitutes compliance with this part. (2) Description of nonaffiliated third parties subject to exceptions. For a privacy notice provided on or before December 31, 2010, if you disclose VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 nonpublic personal information to third parties as authorized under §§ 313.14 and 313.15, when describing the categories with respect to those parties, it is sufficient to state, as an alternative to the language in the second sentence of paragraph (b) of this section, that you make disclosures to other nonaffiliated third parties as permitted by law. 39. In § 313.7, add paragraph (i) to read as follows: ■ § 313.7 Form of opt-out notice to consumers; opt-out methods. * * * * * (i) Model privacy form. Pursuant to § 313.2(a) of this part, a model privacy PO 00000 Frm 00078 Fmt 4701 Sfmt 4700 form that meets the notice content requirements of this section is included in Appendix A of this part. Appendix A [Redesignated as Appendix B] 40. Redesignate Appendix A to part 313 as Appendix B to part 313. ■ 41. Add new Appendix A to part 313 to read as follows: ■ Appendix A to Part 313—Model Privacy Form A. The Model Privacy Form BILLING CODE 6750–01–P 12.5%, 6351–01–P 12.5%, 6720–01–P 12.5%, 6714–01–P 12.5%, 4810–33–P 12.5%, 6210–01–P 12.5%, 8011–01–P 12.5%, 7535–01–P 12.5% E:\FR\FM\01DER2.SGM 01DER2 VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00079 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 62967 ER01DE09.035</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations VerDate Nov<24>2008 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00080 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 ER01DE09.036</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 62968 VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00081 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 62969 ER01DE09.037</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations VerDate Nov<24>2008 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00082 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 ER01DE09.038</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 62970 VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00083 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 62971 ER01DE09.039</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations mstockstill on DSKH9S0YB1PROD with RULES2 BILLING CODE 6750–01–C 12.5%, 6351–01–C 12.5%, 6720–01–C 12.5%, 6714–01–C 12.5%, 4810–33–C 12.5%, 6210–01–C 12.5%, 8011–01–C 12.5%, 7535–01–C 12.5%, B. General Instructions 1. How the Model Privacy Form is Used (a) The model form may be used, at the option of a financial institution, including a group of financial institutions that use a common privacy notice, to meet the content requirements of the privacy notice and optout notice set forth in §§ 313.6 and 313.7 of this part. (b) The model form is a standardized form, including page layout, content, format, style, pagination, and shading. Institutions seeking to obtain the safe harbor through use of the model form may modify it only as described in these Instructions. (c) Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681– 1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties. (d) The word ‘‘customer’’ may be replaced by the word ‘‘member’’ whenever it appears in the model form, as appropriate. 2. The Contents of the Model Privacy Form The model form consists of two pages, which may be printed on both sides of a single sheet of paper, or may appear on two separate pages. Where an institution provides a long list of institutions at the end of the model form in accordance with Instruction C.3(a)(1), or provides additional information in accordance with Instruction C.3(c), and such list or additional information exceeds the space available on page two of the model form, such list or additional information may extend to a third page. (a) Page One. The first page consists of the following components: (1) Date last revised (upper right-hand corner). VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 (2) Title. (3) Key frame (Why?, What?, How?). (4) Disclosure table (‘‘Reasons we can share your personal information’’). (5) ‘‘To limit our sharing’’ box, as needed, for the financial institution’s opt-out information. (6) ‘‘Questions’’ box, for customer service contact information. (7) Mail-in opt-out form, as needed. (b) Page Two. The second page consists of the following components: (1) Heading (Page 2). (2) Frequently Asked Questions (‘‘Who we are’’ and ‘‘What we do’’). (3) Definitions. (4) ‘‘Other important information’’ box, as needed. 3. The Format of the Model Privacy Form The format of the model form may be modified only as described below. (a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. While a number of factors together produce an easily readable type font, institutions are required to use a minimum of 10-point font (unless otherwise expressly permitted in these Instructions) and sufficient spacing between the lines of type. (b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page. (c) Page size and orientation. Each page of the model form must be printed on paper in portrait orientation, the size of which must be sufficient to meet the layout and minimum font size requirements, with sufficient white space on the top, bottom, and sides of the content. (d) Color. The model form must be printed on white or light color paper (such as cream) with black or other contrasting ink color. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract PO 00000 Frm 00084 Fmt 4701 Sfmt 4700 from the readability of the model form. Logos may also be printed in color. (e) Languages. The model form may be translated into languages other than English. C. Information Required in the Model Privacy Form The information in the model form may be modified only as described below: 1. Name of the Institution or Group of Affiliated Institutions Providing the Notice Insert the name of the financial institution providing the notice or a common identity of affiliated institutions jointly providing the notice on the form wherever [name of financial institution] appears. 2. Page One (a) Last revised date. The financial institution must insert in the upper righthand corner the date on which the notice was last revised. The information shall appear in minimum 8-point font as ‘‘rev. [month/year]’’ using either the name or number of the month, such as ‘‘rev. July 2009’’ or ‘‘rev. 7/ 09’’. (b) General instructions for the ‘‘What?’’ box. (1) The bulleted list identifies the types of personal information that the institution collects and shares. All institutions must use the term ‘‘Social Security number’’ in the first bullet. (2) Institutions must use five (5) of the following terms to complete the bulleted list: income; account balances; payment history; transaction history; transaction or loss history; credit history; credit scores; assets; investment experience; credit-based insurance scores; insurance claim history; medical information; overdraft history; purchase history; account transactions; risk tolerance; medical-related debts; credit card or other debt; mortgage rates and payments; retirement assets; checking account information; employment information; wire transfer instructions. (c) General instructions for the disclosure table. The left column lists reasons for E:\FR\FM\01DER2.SGM 01DER2 ER01DE09.041</GPH> 62972 mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations sharing or using personal information. Each reason correlates to a specific legal provision described in paragraph C.2(d) of this Instruction. In the middle column, each institution must provide a ‘‘Yes’’ or ‘‘No’’ response that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. In the right column, each institution must provide in each box one of the following three (3) responses, as applicable, that reflects whether a consumer can limit such sharing: ‘‘Yes’’ if it is required to or voluntarily provides an opt-out; ‘‘No’’ if it does not provide an opt-out; or ‘‘We don’t share’’ if it answers ‘‘No’’ in the middle column. Only the sixth row (‘‘For our affiliates to market to you’’) may be omitted at the option of the institution. See paragraph C.2(d)(6) of this Instruction. (d) Specific disclosures and corresponding legal provisions. (1) For our everyday business purposes. This reason incorporates sharing information under §§ 313.14 and 313.15 and with service providers pursuant to § 313.13 of this part other than the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these Instructions. (2) For our marketing purposes. This reason incorporates sharing information with service providers by an institution for its own marketing pursuant to § 313.13 of this part. An institution that shares for this reason may choose to provide an opt-out. (3) For joint marketing with other financial companies. This reason incorporates sharing information under joint marketing agreements between two or more financial institutions and with any service provider used in connection with such agreements pursuant to § 313.13 of this part. An institution that shares for this reason may choose to provide an opt-out. (4) For our affiliates’ everyday business purposes—information about transactions and experiences. This reason incorporates sharing information specified in sections 603(d)(2)(A)(i) and (ii) of the FCRA. An institution that shares for this reason may choose to provide an opt-out. (5) For our affiliates’ everyday business purposes—information about creditworthiness. This reason incorporates sharing information pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution that shares for this reason must provide an opt-out. (6) For our affiliates to market to you. This reason incorporates sharing information specified in section 624 of the FCRA. This reason may be omitted from the disclosure table when: the institution does not have affiliates (or does not disclose personal information to its affiliates); the institution’s affiliates do not use personal information in a manner that requires an opt-out; or the institution provides the affiliate marketing notice separately. Institutions that include this reason must provide an opt-out of indefinite duration. An institution that is required to provide an affiliate marketing opt-out, but does not include that opt-out in the model form under this part, must comply with section 624 of the FCRA and 16 CFR parts 680 and 698 with respect to the initial VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 notice and opt-out and any subsequent renewal notice and opt-out. An institution not required to provide an opt-out under this subparagraph may elect to include this reason in the model form. (7) For nonaffiliates to market to you. This reason incorporates sharing described in §§ 313.7 and 313.10(a) of this part. An institution that shares personal information for this reason must provide an opt-out. (e) To limit our sharing: A financial institution must include this section of the model form only if it provides an opt-out. The word ‘‘choice’’ may be written in either the singular or plural, as appropriate. Institutions must select one or more of the applicable opt-out methods described: telephone, such as by a toll-free number; a Web site; or use of a mail-in opt-out form. Institutions may include the words ‘‘tollfree’’ before telephone, as appropriate. An institution that allows consumers to opt out online must provide either a specific Web address that takes consumers directly to the opt-out page or a general Web address that provides a clear and conspicuous direct link to the opt-out page. The opt-out choices made available to the consumer who contacts the institution through these methods must correspond accurately to the ‘‘Yes’’ responses in the third column of the disclosure table. In the part titled ‘‘Please note’’ institutions may insert a number that is 30 or greater in the space marked ‘‘[30].’’ Instructions on voluntary or state privacy law opt-out information are in paragraph C.2(g)(5) of these Instructions. (f) Questions box. Customer service contact information must be inserted as appropriate, where [phone number] or [Web site] appear. Institutions may elect to provide either a phone number, such as a toll-free number, or a Web address, or both. Institutions may include the words ‘‘toll-free’’ before the telephone number, as appropriate. (g) Mail-in opt-out form. Financial institutions must include this mail-in form only if they state in the ‘‘To limit our sharing’’ box that consumers can opt out by mail. The mail-in form must provide opt-out options that correspond accurately to the ‘‘Yes’’ responses in the third column in the disclosure table. Institutions that require customers to provide only name and address may omit the section identified as ‘‘[account #].’’ Institutions that require additional or different information, such as a random optout number or a truncated account number, to implement an opt-out election should modify the ‘‘[account #]’’ reference accordingly. This includes institutions that require customers with multiple accounts to identify each account to which the opt-out should apply. An institution must enter its opt-out mailing address: In the far right of this form (see version 3); or below the form (see version 4). The reverse side of the mailin opt-out form must not include any content of the model form. (1) Joint accountholder. Only institutions that provide their joint accountholders the choice to opt out for only one accountholder, in accordance with paragraph C.3(a)(5) of these Instructions, must include in the far left column of the mail-in form the following statement: ‘‘If you have a joint account, your PO 00000 Frm 00085 Fmt 4701 Sfmt 4700 62973 choice(s) will apply to everyone on your account unless you mark below. b Apply my choice(s) only to me.’’ The word ‘‘choice’’ may be written in either the singular or plural, as appropriate. Financial institutions that provide insurance products or services, provide this option, and elect to use the model form may substitute the word ‘‘policy’’ for ‘‘account’’ in this statement. Institutions that do not provide this option may eliminate this left column from the mail-in form. (2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution shares personal information pursuant to section 603(d)(2)(A)(iii) of the FCRA, it must include in the mail-in opt-out form the following statement: ‘‘b Do not share information about my creditworthiness with your affiliates for their everyday business purposes.’’ (3) FCRA Section 624 opt-out. If the institution incorporates section 624 of the FCRA in accord with paragraph C.2(d)(6) of these Instructions, it must include in the mail-in opt-out form the following statement: ‘‘b Do not allow your affiliates to use my personal information to market to me.’’ (4) Nonaffiliate opt-out. If the financial institution shares personal information pursuant to § 313.10(a) of this part, it must include in the mail-in opt-out form the following statement: ‘‘b Do not share my personal information with nonaffiliates to market their products and services to me.’’ (5) Additional opt-outs. Financial institutions that use the disclosure table to provide opt-out options beyond those required by Federal law must provide those opt-outs in this section of the model form. A financial institution that chooses to offer an opt-out for its own marketing in the mail-in opt-out form must include one of the two following statements: ‘‘b Do not share my personal information to market to me.’’ or ‘‘b Do not use my personal information to market to me.’’ A financial institution that chooses to offer an opt-out for joint marketing must include the following statement: ‘‘b Do not share my personal information with other financial institutions to jointly market to me.’’ (h) Barcodes. A financial institution may elect to include a barcode and/or ‘‘tagline’’ (an internal identifier) in 6-point font at the bottom of page one, as needed for information internal to the institution, so long as these do not interfere with the clarity or text of the form. 3. Page Two (a) General Instructions for the Questions. Certain of the Questions may be customized as follows: (1) ‘‘Who is providing this notice?’’ This question may be omitted where only one financial institution provides the model form and that institution is clearly identified in the title on page one. Two or more financial institutions that jointly provide the model form must use this question to identify themselves as required by § 313.9(f) of this part. Where the list of institutions exceeds four (4) lines, the institution must describe in the response to this question the general types of institutions jointly providing the notice and must separately identify those institutions, in minimum 8-point font, directly following the ‘‘Other important E:\FR\FM\01DER2.SGM 01DER2 mstockstill on DSKH9S0YB1PROD with RULES2 62974 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations information’’ box, or, if that box is not included in the institution’s form, directly following the ‘‘Definitions.’’ The list may appear in a multi-column format. (2) ‘‘How does [name of financial institution] protect my personal information?’’ The financial institution may only provide additional information pertaining to its safeguards practices following the designated response to this question. Such information may include information about the institution’s use of cookies or other measures it uses to safeguard personal information. Institutions are limited to a maximum of 30 additional words. (3) ‘‘How does [name of financial institution] collect my personal information?’’ Institutions must use five (5) of the following terms to complete the bulleted list for this question: Open an account; deposit money; pay your bills; apply for a loan; use your credit or debit card; seek financial or tax advice; apply for insurance; pay insurance premiums; file an insurance claim; seek advice about your investments; buy securities from us; sell securities to us; direct us to buy securities; direct us to sell your securities; make deposits or withdrawals from your account; enter into an investment advisory contract; give us your income information; provide employment information; give us your employment history; tell us about your investment or retirement portfolio; tell us about your investment or retirement earnings; apply for financing; apply for a lease; provide account information; give us your contact information; pay us by check; give us your wage statements; provide your mortgage information; make a wire transfer; tell us who receives the money; tell us where to send the money; show your government-issued ID; show your driver’s license; order a commodity futures or option trade. Institutions that collect personal information from their affiliates and/or credit bureaus must include after the bulleted list the following statement: ‘‘We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.’’ Institutions that do not collect personal information from their affiliates or credit bureaus but do collect information from other companies must include the following statement instead: ‘‘We also collect your personal information from other companies.’’ Only institutions that do not collect any personal information from affiliates, credit bureaus, or other companies can omit both statements. (4) ‘‘Why can’t I limit all sharing?’’ Institutions that describe state privacy law provisions in the ‘‘Other important information’’ box must use the bracketed sentence: ‘‘See below for more on your rights under state law.’’ Other institutions must omit this sentence. (5) ‘‘What happens when I limit sharing for an account I hold jointly with someone else?’’ Only financial institutions that provide optout options must use this question. Other institutions must omit this question. Institutions must choose one of the following two statements to respond to this question: ‘‘Your choices will apply to everyone on your account.’’ or ‘‘Your choices will apply to VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 everyone on your account—unless you tell us otherwise.’’ Financial institutions that provide insurance products or services and elect to use the model form may substitute the word ‘‘policy’’ for ‘‘account’’ in these statements. (b) General Instructions for the Definitions. The financial institution must customize the space below the responses to the three definitions in this section. This specific information must be in italicized lettering to set off the information from the standardized definitions. (1) Affiliates. As required by § 313.6(a)(3) of this part, where [affiliate information] appears, the financial institution must: (i) If it has no affiliates, state: ‘‘[name of financial institution] has no affiliates’’; (ii) If it has affiliates but does not share personal information, state: ‘‘[name of financial institution] does not share with our affiliates’’; or (iii) If it shares with its affiliates, state, as applicable: ‘‘Our affiliates include companies with a [common corporate identity of financial institution] name; financial companies such as [insert illustrative list of companies]; nonfinancial companies, such as [insert illustrative list of companies;] and others, such as [insert illustrative list].’’ (2) Nonaffiliates. As required by § 313.6(c)(3) of this part, where [nonaffiliate information] appears, the financial institution must: (i) If it does not share with nonaffiliated third parties, state: ‘‘[name of financial institution] does not share with nonaffiliates so they can market to you’’; or (ii) If it shares with nonaffiliated third parties, state, as applicable: ‘‘Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].’’ (3) Joint Marketing. As required by § 313.13 of this part, where [joint marketing] appears, the financial institution must: (i) If it does not engage in joint marketing, state: ‘‘[name of financial institution] doesn’t jointly market’’; or (ii) If it shares personal information for joint marketing, state, as applicable: ‘‘Our joint marketing partners include [list categories of companies such as credit card companies].’’ (c) General instructions for the ‘‘Other important information’’ box. This box is optional. The space provided for information in this box is not limited. Only the following types of information can appear in this box. (1) State and/or international privacy law information; and/or (2) Acknowledgment of receipt form. 42. Amend newly redesignated Appendix B to part 313 as follows: ■ A. Add a new sentence to the beginning of the introductory text as set forth below. ■ B. Effective January 1, 2012, remove Appendix B to part 313. ■ PO 00000 Frm 00086 Fmt 4701 Sfmt 4700 Appendix B to Part 313—Sample Clauses This Appendix only applies to privacy notices provided before January 1, 2011. * * * * * * * * Commodity Futures Trading Commission 17 CFR Chapter I Authority and Issuance For the reasons set forth in the joint preamble, part 160 of chapter I of title 17 of the Code of Federal Regulations is amended as follows: ■ PART 160—PRIVACY OF CONSUMER FINANCIAL INFORMATION 43. The authority citation for part 160 continues to read as follows: ■ Authority: 7 U.S.C. 7b–2 and 12a(5); 15 U.S.C. 6801 et seq. ■ 44. Revise § 160.2 to read as follows: § 160.2 Model privacy form and examples. (a) Model privacy form. Use of the model privacy form in Appendix A of this part, consistent with the instructions in Appendix A, constitutes compliance with the notice content requirements of §§ 160.6 and 160.7 of this part, although use of the model privacy form is not required. (b) Examples. The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part. 45. In § 160.6: A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set forth below. ■ B. Effective January 1, 2012, remove paragraph (g). ■ ■ § 160.6 Information to be included in privacy notices. * * * * * (b) Description of nonaffiliated third parties subject to exceptions. If you disclose nonpublic personal information to third parties as authorized under §§ 160.14 and 160.15, you are not required to list those exceptions in the initial or annual privacy notices required by §§ 160.4 and 160.5. When describing the categories with respect to those parties, it is sufficient to state that you make disclosures to other nonaffiliated companies: (1) For your everyday business purposes, such as [include all that apply] to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus; or E:\FR\FM\01DER2.SGM 01DER2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations (2) As permitted by law. * * * * (f) Model privacy form. Pursuant to § 160.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part. (g) Sample clauses. Sample clauses illustrating some of the notice content required by this section are included in Appendix B of this part. Use of a sample clause in a privacy notice provided on or before December 31, 2010, to the mstockstill on DSKH9S0YB1PROD with RULES2 * VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 62975 extent applicable, constitutes compliance with this part. Appendix A [Redesignated as Appendix B] 46. In § 160.7, add paragraph (i) to read as follows: ■ ■ § 160.7 Form of opt-out notice to consumers; opt-out methods. * * * * * (i) Model privacy form. Pursuant to § 160.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in Appendix A of this part. PO 00000 Frm 00087 Fmt 4701 Sfmt 4700 47. Redesignate Appendix A to part 160 as Appendix B to part 160. ■ 48. Add new Appendix A to part 160 to read as follows: Appendix A to Part 160—Model Privacy Form A. The Model Privacy Form BILLING CODE 6750–01–P 12.5%, 6351–01–P 12.5%, 6720–01–P 12.5%, 6714–01–P 12.5%, 4810–33–P 12.5%, 6210–01–P 12.5%, 8011–01–P 12.5%, 7535–01–P 12.5%, E:\FR\FM\01DER2.SGM 01DER2 VerDate Nov<24>2008 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00088 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 ER01DE09.042</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 62976 VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00089 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 62977 ER01DE09.043</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations VerDate Nov<24>2008 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00090 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 ER01DE09.044</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 62978 VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00091 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 62979 ER01DE09.045</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations VerDate Nov<24>2008 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00092 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 ER01DE09.046</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 62980 VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00093 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 62981 ER01DE09.047</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations B. General Instructions 1. How the Model Privacy Form Is Used (a) The model form may be used, at the option of a financial institution, including a group of financial institutions that use a common privacy notice, to meet the content requirements of the privacy notice and optout notice set forth in §§ 160.6 and 160.7 of this part. (b) The model form is a standardized form, including page layout, content, format, style, pagination, and shading. Institutions seeking to obtain the safe harbor through use of the model form may modify it only as described in these Instructions. (c) Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681– 1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties. (d) The word ‘‘customer’’ may be replaced by the word ‘‘member’’ whenever it appears in the model form, as appropriate. mstockstill on DSKH9S0YB1PROD with RULES2 BILLING CODE 6750–01–C12.5%, 6351–01–C12.5%, 6720– 01–C12.5%, 6714–01–C12.5%, 4810–33–C12.5%, 6210–01– C12.5%, 8011–01–C12.5%, 7535–01–C12.5%, 2. The Contents of the Model Privacy Form The model form consists of two pages, which may be printed on both sides of a single sheet of paper, or may appear on two separate pages. Where an institution provides a long list of institutions at the end of the model form in accordance with Instruction C.3(a)(1), or provides additional information in accordance with Instruction C.3(c), and such list or additional information exceeds the space available on page two of the model form, such list or additional information may extend to a third page. (a) Page One. The first page consists of the following components: (1) Date last revised (upper right-hand corner). VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 (2) Title. (3) Key frame (Why?, What?, How?). (4) Disclosure table (‘‘Reasons we can share your personal information’’). (5) ‘‘To limit our sharing’’ box, as needed, for the financial institution’s opt-out information. (6) ‘‘Questions’’ box, for customer service contact information. (7) Mail-in opt-out form, as needed. (b) Page Two. The second page consists of the following components: (1) Heading (Page 2). (2) Frequently Asked Questions (‘‘Who we are’’ and ‘‘What we do’’). (3) Definitions. (4) ‘‘Other important information’’ box, as needed. 3. The Format of the Model Privacy Form The format of the model form may be modified only as described below. (a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. While a number of factors together produce easily readable type font, institutions are required to use a minimum of 10-point font (unless otherwise expressly permitted in these Instructions) and sufficient spacing between the lines of type. (b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page. (c) Page size and orientation. Each page of the model form must be printed on paper in portrait orientation, the size of which must be sufficient to meet the layout and minimum font size requirements, with sufficient white space on the top, bottom, and sides of the content. (d) Color. The model form must be printed on white or light color paper (such as cream) with black or other contrasting ink color. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract PO 00000 Frm 00094 Fmt 4701 Sfmt 4700 from the readability of the model form. Logos may also be printed in color. (e) Languages. The model form may be translated into languages other than English. C. Information Required in the Model Privacy Form The information in the model form may be modified only as described below: 1. Name of the Institution or Group of Affiliated Institutions Providing the Notice Insert the name of the financial institution providing the notice or a common identity of affiliated institutions jointly providing the notice on the form wherever [name of financial institution] appears. 2. Page One (a) Last revised date. The financial institution must insert in the upper righthand corner the date on which the notice was last revised. The information shall appear in minimum 8-point font as ‘‘rev. [month/year]’’ using either the name or number of the month, such as ‘‘rev. July 2009’’ or ‘‘rev. 7/ 09’’. (b) General instructions for the ‘‘What?’’ box. (1) The bulleted list identifies the types of personal information that the institution collects and shares. All institutions must use the term ‘‘Social Security number’’ in the first bullet. (2) Institutions must use five (5) of the following terms to complete the bulleted list: income; account balances; payment history; transaction history; transaction or loss history; credit history; credit scores; assets; investment experience; credit-based insurance scores; insurance claim history; medical information; overdraft history; purchase history; account transactions; risk tolerance; medical-related debts; credit card or other debt; mortgage rates and payments; retirement assets; checking account information; employment information; wire transfer instructions. (c) General instructions for the disclosure table. The left column lists reasons for E:\FR\FM\01DER2.SGM 01DER2 ER01DE09.048</GPH> 62982 mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations sharing or using personal information. Each reason correlates to a specific legal provision described in paragraph C.2(d) of this Instruction. In the middle column, each institution must provide a ‘‘Yes’’ or ‘‘No’’ response that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. In the right column, each institution must provide in each box one of the following three (3) responses, as applicable, that reflects whether a consumer can limit such sharing: ‘‘Yes’’ if it is required to or voluntarily provides an opt-out; ‘‘No’’ if it does not provide an opt-out; or ‘‘We don’t share’’ if it answers ‘‘No’’ in the middle column. Only the sixth row (‘‘For our affiliates to market to you’’) may be omitted at the option of the institution. See paragraph C.2(d)(6) of this Instruction. (d) Specific disclosures and corresponding legal provisions. (1) For our everyday business purposes. This reason incorporates sharing information under §§ 160.14 and 160.15 and with service providers pursuant to § 160.13 of this part other than the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these Instructions. (2) For our marketing purposes. This reason incorporates sharing information with service providers by an institution for its own marketing pursuant to § 160.13 of this part. An institution that shares for this reason may choose to provide an opt-out. (3) For joint marketing with other financial companies. This reason incorporates sharing information under joint marketing agreements between two or more financial institutions and with any service provider used in connection with such agreements pursuant to § 160.13 of this part. An institution that shares for this reason may choose to provide an opt-out. (4) For our affiliates’ everyday business purposes—information about transactions and experiences. This reason incorporates sharing information specified in sections 603(d)(2)(A)(i) and (ii) of the FCRA. An institution that shares for this reason may choose to provide an opt-out. (5) For our affiliates’ everyday business purposes—information about creditworthiness. This reason incorporates sharing information pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution that shares for this reason must provide an opt-out. (6) For our affiliates to market to you. This reason incorporates sharing information specified in section 624 of the FCRA. This reason may be omitted from the disclosure table when: the institution does not have affiliates (or does not disclose personal information to its affiliates); the institution’s affiliates do not use personal information in a manner that requires an opt-out; or the institution provides the affiliate marketing notice separately. Institutions that include this reason must provide an opt-out of indefinite duration. An institution not required to provide an opt-out under this subparagraph may elect to include this reason in the model form. Note: The CFTC’s Regulations do not address the affiliate marketing rule. VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 (7) For nonaffiliates to market to you. This reason incorporates sharing described in §§ 160.7 and 160.10(a) of this part. An institution that shares personal information for this reason must provide an opt-out. (e) To limit our sharing: A financial institution must include this section of the model form only if it provides an opt-out. The word ‘‘choice’’ may be written in either the singular or plural, as appropriate. Institutions must select one or more of the applicable opt-out methods described: telephone, such as by a toll-free number; a Website; or use of a mail-in opt-out form. Institutions may include the words ‘‘tollfree’’ before telephone, as appropriate. An institution that allows consumers to opt out online must provide either a specific Web address that takes consumers directly to the opt-out page or a general Web address that provides a clear and conspicuous direct link to the opt-out page. The opt-out choices made available to the consumer who contacts the institution through these methods must correspond accurately to the ‘‘Yes’’ responses in the third column of the disclosure table. In the part titled ‘‘Please note’’ institutions may insert a number that is 30 or greater in the space marked ‘‘[30].’’ Instructions on voluntary or state privacy law opt-out information are in paragraph C.2(g)(5) of these Instructions. (f) Questions box. Customer service contact information must be inserted as appropriate, where [phone number] or [website] appear. Institutions may elect to provide either a phone number, such as a toll-free number, or a Web address, or both. Institutions may include the words ‘‘toll-free’’ before the telephone number, as appropriate. (g) Mail-in opt-out form. Financial institutions must include this mail-in form only if they state in the ‘‘To limit our sharing’’ box that consumers can opt out by mail. The mail-in form must provide opt-out options that correspond accurately to the ‘‘Yes’’ responses in the third column in the disclosure table. Institutions that require customers to provide only name and address may omit the section identified as ‘‘[account #].’’ Institutions that require additional or different information, such as a random optout number or a truncated account number, to implement an opt-out election should modify the ‘‘[account #]’’ reference accordingly. This includes institutions that require customers with multiple accounts to identify each account to which the opt-out should apply. An institution must enter its opt-out mailing address: in the far right of this form (see version 3); or below the form (see version 4). The reverse side of the mailin opt-out form must not include any content of the model form. (1) Joint accountholder. Only institutions that provide their joint accountholders the choice to opt out for only one accountholder, in accordance with paragraph C.3(a)(5) of these Instructions, must include in the far left column of the mail-in form the following statement: ‘‘If you have a joint account, your choice(s) will apply to everyone on your account unless you mark below. b Apply my choice(s) only to me.’’ The word ‘‘choice’’ may be written in either the singular or plural, as appropriate. Financial institutions PO 00000 Frm 00095 Fmt 4701 Sfmt 4700 62983 that provide insurance products or services, provide this option, and elect to use the model form may substitute the word ‘‘policy’’ for ‘‘account’’ in this statement. Institutions that do not provide this option may eliminate this left column from the mail-in form. (2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution shares personal information pursuant to section 603(d)(2)(A)(iii) of the FCRA, it must include in the mail-in opt-out form the following statement: ‘‘b Do not share information about my creditworthiness with your affiliates for their everyday business purposes.’’ (3) FCRA Section 624 opt-out. If the institution incorporates section 624 of the FCRA in accord with paragraph C.2(d)(6) of these Instructions, it must include in the mail-in opt-out form the following statement: ‘‘b Do not allow your affiliates to use my personal information to market to me.’’ (4) Nonaffiliate opt-out. If the financial institution shares personal information pursuant to § 160.10(a) of this part, it must include in the mail-in opt-out form the following statement: ‘‘b Do not share my personal information with nonaffiliates to market their products and services to me.’’ (5) Additional opt-outs. Financial institutions that use the disclosure table to provide opt-out options beyond those required by Federal law must provide those opt-outs in this section of the model form. A financial institution that chooses to offer an opt-out for its own marketing in the mail-in opt-out form must include one of the two following statements: ‘‘b Do not share my personal information to market to me.’’ or ‘‘b Do not use my personal information to market to me.’’ A financial institution that chooses to offer an opt-out for joint marketing must include the following statement: ‘‘b Do not share my personal information with other financial institutions to jointly market to me.’’ (h) Barcodes. A financial institution may elect to include a barcode and/or ‘‘tagline’’ (an internal identifier) in 6-point font at the bottom of page one, as needed for information internal to the institution, so long as these do not interfere with the clarity or text of the form. 3. Page Two (a) General Instructions for the Questions. Certain of the Questions may be customized as follows: (1) ‘‘Who is providing this notice?’’ This question may be omitted where only one financial institution provides the model form and that institution is clearly identified in the title on page one. Two or more financial institutions that jointly provide the model form must use this question to identify themselves as required by § 160.9(f) of this part. Where the list of institutions exceeds four (4) lines, the institution must describe in the response to this question the general types of institutions jointly providing the notice and must separately identify those institutions, in minimum 8-point font, directly following the ‘‘Other important information’’ box, or, if that box is not included in the institution’s form, directly following the ‘‘Definitions.’’ The list may appear in a multi-column format. E:\FR\FM\01DER2.SGM 01DER2 mstockstill on DSKH9S0YB1PROD with RULES2 62984 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations (2) ‘‘How does [name of financial institution] protect my personal information?’’ The financial institution may only provide additional information pertaining to its safeguards practices following the designated response to this question. Such information may include information about the institution’s use of cookies or other measures it uses to safeguard personal information. Institutions are limited to a maximum of 30 additional words. (3) ‘‘How does [name of financial institution] collect my personal information?’’ Institutions must use five (5) of the following terms to complete the bulleted list for this question: Open an account; deposit money; pay your bills; apply for a loan; use your credit or debit card; seek financial or tax advice; apply for insurance; pay insurance premiums; file an insurance claim; seek advice about your investments; buy securities from us; sell securities to us; direct us to buy securities; direct us to sell your securities; make deposits or withdrawals from your account; enter into an investment advisory contract; give us your income information; provide employment information; give us your employment history; tell us about your investment or retirement portfolio; tell us about your investment or retirement earnings; apply for financing; apply for a lease; provide account information; give us your contact information; pay us by check; give us your wage statements; provide your mortgage information; make a wire transfer; tell us who receives the money; tell us where to send the money; show your government-issued ID; show your driver’s license; order a commodity futures or option trade. Institutions that collect personal information from their affiliates and/or credit bureaus must include after the bulleted list the following statement: ‘‘We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.’’ Institutions that do not collect personal information from their affiliates or credit bureaus but do collect information from other companies must include the following statement instead: ‘‘We also collect your personal information from other companies.’’ Only institutions that do not collect any personal information from affiliates, credit bureaus, or other companies can omit both statements. (4) ‘‘Why can’t I limit all sharing?’’ Institutions that describe state privacy law provisions in the ‘‘Other important information’’ box must use the bracketed sentence: ‘‘See below for more on your rights under state law.’’ Other institutions must omit this sentence. (5) ‘‘What happens when I limit sharing for an account I hold jointly with someone else?’’ Only financial institutions that provide optout options must use this question. Other institutions must omit this question. Institutions must choose one of the following two statements to respond to this question: ‘‘Your choices will apply to everyone on your account.’’ or ‘‘Your choices will apply to everyone on your account—unless you tell us otherwise.’’ Financial institutions that provide insurance products or services and elect to use the model form may substitute VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 the word ‘‘policy’’ for ‘‘account’’ in these statements. (b) General Instructions for the Definitions. The financial institution must customize the space below the responses to the three definitions in this section. This specific information must be in italicized lettering to set off the information from the standardized definitions. (1) Affiliates. As required by § 160.6(a)(3) of this part, where [affiliate information] appears, the financial institution must: (i) If it has no affiliates, state: ‘‘[name of financial institution] has no affiliates’’; (ii) If it has affiliates but does not share personal information, state: ‘‘[name of financial institution] does not share with our affiliates’’; or (iii) If it shares with its affiliates, state, as applicable: ‘‘Our affiliates include companies with a [common corporate identity of financial institution] name; financial companies such as [insert illustrative list of companies]; nonfinancial companies, such as [insert illustrative list of companies]; and others, such as [insert illustrative list].’’ (2) Nonaffiliates. As required by § 160.6(c)(3) of this part, where [nonaffiliate information] appears, the financial institution must: (i) If it does not share with nonaffiliated third parties, state: ‘‘[name of financial institution] does not share with nonaffiliates so they can market to you’’; or (ii) If it shares with nonaffiliated third parties, state, as applicable: ‘‘Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].’’ (3) Joint Marketing. As required by § 160.13 of this part, where [joint marketing] appears, the financial institution must: (i) If it does not engage in joint marketing, state: ‘‘[name of financial institution] doesn’t jointly market’’; or (ii) If it shares personal information for joint marketing, state, as applicable: ‘‘Our joint marketing partners include [list categories of companies such as credit card companies].’’ (c) General instructions for the ‘‘Other important information’’ box. This box is optional. The space provided for information in this box is not limited. Only the following types of information can appear in this box. (1) State and/or international privacy law information; and/or (2) Acknowledgment of receipt form. 49. Amend newly redesignated Appendix B to part 160 as follows: ■ A. Add a new sentence to the beginning of the introductory text as set forth below. ■ B. Effective January 1, 2012, remove Appendix B to part 160. ■ Appendix B to Part 160—Sample Clauses This Appendix only applies to privacy notices provided before January 1, 2011. * * * * PO 00000 * * Frm 00096 * Fmt 4701 * Sfmt 4700 Securities and Exchange Commission Statutory Authority The Commission is amending Regulation S–P pursuant to authority set forth in section 728 of the Regulatory Relief Act [Pub. L. 109–351], section 504 of the GLB Act [15 U.S.C. 6804], section 23 of the Securities Exchange Act [15 U.S.C. 78w], section 38(a) of the Investment Company Act [15 U.S.C. 80a–37(a)], and section 211 of the Investment Advisers Act [15 U.S.C. 80b–11]. ■ Text of Amendments ■ For the reasons set forth in the preamble, the Commission is amending Title 17, Chapter II of the Code of Federal Regulations as follows: PART 248—REGULATIONS S–P AND S–AM 50. The authority citation for part 248 continues to read as follows: ■ Authority: 15 U.S.C. 78q, 78q–1, 78w, 78mm, 80a–30, 80a–37, 80b–4, 80b–11, 1681s–3 and note, 1681w(a)(1), 6801–6809, and 6825. ■ 51. Revise § 248.2 to read as follows: § 248.2 Model privacy form: rule of construction. (a) Model privacy form. Use of the model privacy form in Appendix A to Subpart A of this part, consistent with the instructions in Appendix A to Subpart A, constitutes compliance with the notice content requirements of §§ 248.6 and 248.7 of this part, although use of the model privacy form is not required. (b) Examples. The examples in this part provide guidance concerning the rule’s application in ordinary circumstances. The facts and circumstances of each individual situation, however, will determine whether compliance with an example, to the extent practicable, constitutes compliance with this part. (c) Substituted compliance with CFTC financial privacy rules by futures commission merchants and introducing brokers. Except with respect to § 248.30(b), any futures commission merchant or introducing broker (as those terms are defined in the Commodity Exchange Act (7 U.S.C. 1, et seq.)) registered by notice with the Commission for the purpose of conducting business in security futures products pursuant to section 15(b)(11)(A) of the Securities Exchange Act of 1934 (15 U.S.C. 78o(b)(11)(A)) that is subject to and in compliance with the financial privacy rules of the Commodity Futures Trading E:\FR\FM\01DER2.SGM 01DER2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus; or (2) As permitted by law. * * * * * (f) Model privacy form. Pursuant to § 248.2(a) and Appendix A to Subpart A of this part, Form S–P meets the notice content requirements of this section. § 248.6 Information to be included in (g) Sample clauses. Sample clauses privacy notices. illustrating some of the notice content * * * * * required by this section are included in (b) Description of nonaffiliated third Appendix B to Subpart A of this part. parties subject to exceptions. If you disclose nonpublic personal information The sample clauses in Appendix B to Subpart A of this part provide guidance to third parties as authorized under concerning the rule’s application in §§ 248.14 and 248.15, you are not ordinary circumstances in a privacy required to list those exceptions in the notice provided on or before December initial or annual privacy notices 31, 2010. The facts and circumstances of required by §§ 248.4 and 248.5. When describing the categories with respect to each individual situation, however, will those parties, it is sufficient to state that determine whether compliance with a sample clause constitutes compliance you make disclosures to other with this part. nonaffiliated companies: (1) For your everyday business ■ 53. In § 248.7, add paragraph (i) to purposes such as [include all that apply] read as follows: mstockstill on DSKH9S0YB1PROD with RULES2 Commission (17 CFR part 160) will be deemed to be in compliance with this part. ■ 52. In § 248.6: ■ A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set forth below. ■ B. Effective January 1, 2012, remove paragraph (g). VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00097 Fmt 4701 Sfmt 4700 62985 § 248.7 Form of opt-out notice to consumers; opt-out methods. * * * * * (i) Model privacy form. Pursuant to § 248.2(a) and Appendix A to Subpart A of this part, Form S–P meets the notice content requirements of this section. 54. Add Appendix A to Subpart A to read as follows: ■ Appendix A to Subpart A—Forms A. Any person may view and print this form at: http://www.sec.gov/about/forms/ secforms.htm. B. Use of Form S–P by brokers, dealers, and investment companies, and investment advisers registered with the Commission constitutes compliance with the notice content requirements of §§ 248.6 and 248.7 of this part. FORM S–P—Model Privacy Form A. The Model Privacy Form BILLING CODE 6750–01–P 12.5%, 6351–01–P 12.5%, 6720–01–P 12.5%, 6714–01–P 12.5%, 4810–33–P 12.5%, 6210–01–P 12.5%, 8011–01–P 12.5%, 7535–01–P 12.5%, E:\FR\FM\01DER2.SGM 01DER2 VerDate Nov<24>2008 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00098 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 ER01DE09.049</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 62986 VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00099 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 62987 ER01DE09.050</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations VerDate Nov<24>2008 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00100 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 ER01DE09.051</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 62988 VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00101 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 62989 ER01DE09.052</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations VerDate Nov<24>2008 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00102 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 ER01DE09.053</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 62990 VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 PO 00000 Frm 00103 Fmt 4701 Sfmt 4725 E:\FR\FM\01DER2.SGM 01DER2 62991 ER01DE09.054</GPH> mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations mstockstill on DSKH9S0YB1PROD with RULES2 BILLING CODE 6750–01–C 12.5%, 6351–01–C 12.5%, 6720–01–C 12.5%, 6714–01–C 12.5%, 4810–33–C 12.5%, 6210–01–C 12.5%, 8011–01–C 12.5%, 7535–01–C 12.5%, B. General Instructions 1. How the Model Privacy Form is Used (a) The model form may be used, at the option of a financial institution, including a group of financial institutions that use a common privacy notice, to meet the content requirements of the privacy notice and optout notice set forth in §§ 248.6 and 248.7 of this part. (b) The model form is a standardized form, including page layout, content, format, style, pagination, and shading. Institutions seeking to obtain the safe harbor through use of the model form may modify it only as described in these instructions. (c) Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 1681– 1681x] (FCRA), such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties. (d) The word ‘‘customer’’ may be replaced by the word ‘‘member’’ whenever it appears in the model form, as appropriate. 2. The Contents of the Model Privacy Form The model form consists of two pages, which may be printed on both sides of a single sheet of paper, or may appear on two separate pages. Where an institution provides a long list of institutions at the end of the model form in accordance with Instruction C.3(a)(1), or provides additional information in accordance with Instruction C.3(c), and such list or additional information exceeds the space available on page two of the model form, such list or additional information may extend to a third page. (a) Page One. The first page consists of the following components: (1) Date last revised (upper right-hand corner). VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 (2) Title. (3) Key frame (Why?, What?, How?). (4) Disclosure table (‘‘Reasons we can share your personal information’’). (5) ‘‘To limit our sharing’’ box, as needed, for the financial institution’s opt-out information. (6) ‘‘Questions’’ box, for customer service contact information. (7) Mail-in opt-out form, as needed. (b) Page Two. The second page consists of the following components: (1) Heading (Page 2). (2) Frequently Asked Questions (‘‘Who we are’’ and ‘‘What we do’’). (3) Definitions. (4) ‘‘Other important information’’ box, as needed. 3. The Format of the Model Privacy Form The format of the model form may be modified only as described below. (a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. While a number of factors together produce easily readable type font, institutions are required to use a minimum of 10-point font (unless otherwise expressly permitted in these Instructions) and sufficient spacing between the lines of type. (b) Logo. A financial institution may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page. (c) Page size and orientation. Each page of the model form must be printed on paper in portrait orientation, the size of which must be sufficient to meet the layout and minimum font size requirements, with sufficient white space on the top, bottom, and sides of the content. (d) Color. The model form must be printed on white or light color paper (such as cream) with black or other contrasting ink color. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract PO 00000 Frm 00104 Fmt 4701 Sfmt 4700 from the readability of the model form. Logos may also be printed in color. (e) Languages. The model form may be translated into languages other than English. C. Information Required in the Model Privacy Form The information in the model form may be modified only as described below: 1. Name of the Institution or Group of Affiliated Institutions Providing the Notice Insert the name of the financial institution providing the notice or a common identity of affiliated institutions jointly providing the notice on the form wherever [name of financial institution] appears. 2. Page One (a) Last revised date. The financial institution must insert in the upper righthand corner the date on which the notice was last revised. The information shall appear in minimum 8-point font as ‘‘rev. [month/year]’’ using either the name or number of the month, such as ‘‘rev. July 2009’’ or ‘‘rev. 7/ 09’’. (b) General instructions for the ‘‘What?’’ box. (1) The bulleted list identifies the types of personal information that the institution collects and shares. All institutions must use the term ‘‘Social Security number’’ in the first bullet. (2) Institutions must use five (5) of the following terms to complete the bulleted list: income; account balances; payment history; transaction history; transaction or loss history; credit history; credit scores; assets; investment experience; credit-based insurance scores; insurance claim history; medical information; overdraft history; purchase history; account transactions; risk tolerance; medical-related debts; credit card or other debt; mortgage rates and payments; retirement assets; checking account information; employment information; wire transfer instructions. (c) General instructions for the disclosure table. The left column lists reasons for E:\FR\FM\01DER2.SGM 01DER2 ER01DE09.055</GPH> 62992 mstockstill on DSKH9S0YB1PROD with RULES2 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations sharing or using personal information. Each reason correlates to a specific legal provision described in paragraph C.2(d) of this Instruction. In the middle column, each institution must provide a ‘‘Yes’’ or ‘‘No’’ response that accurately reflects its information sharing policies and practices with respect to the reason listed on the left. In the right column, each institution must provide in each box one of the following three (3) responses, as applicable, that reflects whether a consumer can limit such sharing: ‘‘Yes’’ if it is required to or voluntarily provides an opt-out; ‘‘No’’ if it does not provide an opt-out; or ‘‘We don’t share’’ if it answers ‘‘No’’ in the middle column. Only the sixth row (‘‘For our affiliates to market to you’’) may be omitted at the option of the institution. See paragraph C.2(d)(6) of this Instruction. (d) Specific disclosures and corresponding legal provisions. (1) For our everyday business purposes. This reason incorporates sharing information under §§ 248.14 and 248.15 and with service providers pursuant to § 248.13 of this part other than the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these Instructions. (2) For our marketing purposes. This reason incorporates sharing information with service providers by an institution for its own marketing pursuant to § 248.13 of this part. An institution that shares for this reason may choose to provide an opt-out. (3) For joint marketing with other financial companies. This reason incorporates sharing information under joint marketing agreements between two or more financial institutions and with any service provider used in connection with such agreements pursuant to § 248.13 of this part. An institution that shares for this reason may choose to provide an opt-out. (4) For our affiliates’ everyday business purposes—information about transactions and experiences. This reason incorporates sharing information specified in sections 603(d)(2)(A)(i) and (ii) of the FCRA. An institution that shares for this reason may choose to provide an opt-out. (5) For our affiliates’ everyday business purposes—information about creditworthiness. This reason incorporates sharing information pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution that shares for this reason must provide an opt-out. (6) For our affiliates to market to you. This reason incorporates sharing information specified in section 624 of the FCRA. This reason may be omitted from the disclosure table when: the institution does not have affiliates (or does not disclose personal information to its affiliates); the institution’s affiliates do not use personal information in a manner that requires an opt-out; or the institution provides the affiliate marketing notice separately. Institutions that include this reason must provide an opt-out of indefinite duration. An institution that is required to provide an affiliate marketing opt-out, but does not include that opt-out in the model form under this part, must comply with section 624 of the FCRA and 17 CFR part 248, subpart B, with respect to the initial VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 notice and opt-out and any subsequent renewal notice and opt-out. An institution not required to provide an opt-out under this subparagraph may elect to include this reason in the model form. (7) For nonaffiliates to market to you. This reason incorporates sharing described in §§ 248.7 and 248.10(a) of this part. An institution that shares personal information for this reason must provide an opt-out. (e) To limit our sharing: A financial institution must include this section of the model form only if it provides an opt-out. The word ‘‘choice’’ may be written in either the singular or plural, as appropriate. Institutions must select one or more of the applicable opt-out methods described: telephone, such as by a toll-free number; a Web site; or use of a mail-in opt-out form. Institutions may include the words ‘‘tollfree’’ before telephone, as appropriate. An institution that allows consumers to opt out online must provide either a specific Web address that takes consumers directly to the opt-out page or a general Web address that provides a clear and conspicuous direct link to the opt-out page. The opt-out choices made available to the consumer who contacts the institution through these methods must correspond accurately to the ‘‘Yes’’ responses in the third column of the disclosure table. In the part titled ‘‘Please note’’ institutions may insert a number that is 30 or greater in the space marked ‘‘[30].’’ Instructions on voluntary or state privacy law opt-out information are in paragraph C.2(g)(5) of these Instructions. (f) Questions box. Customer service contact information must be inserted as appropriate, where [phone number] or [Web site] appear. Institutions may elect to provide either a phone number, such as a toll-free number, or a Web address, or both. Institutions may include the words ‘‘toll-free’’ before the telephone number, as appropriate. (g) Mail-in opt-out form. Financial institutions must include this mail-in form only if they state in the ‘‘To limit our sharing’’ box that consumers can opt out by mail. The mail-in form must provide opt-out options that correspond accurately to the ‘‘Yes’’ responses in the third column in the disclosure table. Institutions that require customers to provide only name and address may omit the section identified as ‘‘[account #].’’ Institutions that require additional or different information, such as a random optout number or a truncated account number, to implement an opt-out election should modify the ‘‘[account #]’’ reference accordingly. This includes institutions that require customers with multiple accounts to identify each account to which the opt-out should apply. An institution must enter its opt-out mailing address: in the far right of this form (see version 3); or below the form (see version 4). The reverse side of the mailin opt-out form must not include any content of the model form. (1) Joint accountholder. Only institutions that provide their joint accountholders the choice to opt out for only one accountholder, in accordance with paragraph C.3(a)(5) of these Instructions, must include in the far left column of the mail-in form the following statement: ‘‘If you have a joint account, your PO 00000 Frm 00105 Fmt 4701 Sfmt 4700 62993 choice(s) will apply to everyone on your account unless you mark below. b Apply my choice(s) only to me.’’ The word ‘‘choice’’ may be written in either the singular or plural, as appropriate. Financial institutions that provide insurance products or services, provide this option, and elect to use the model form may substitute the word ‘‘policy’’ for ‘‘account’’ in this statement. Institutions that do not provide this option may eliminate this left column from the mail-in form. (2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution shares personal information pursuant to section 603(d)(2)(A)(iii) of the FCRA, it must include in the mail-in opt-out form the following statement: ‘‘b Do not share information about my creditworthiness with your affiliates for their everyday business purposes.’’ (3) FCRA Section 624 opt-out. If the institution incorporates section 624 of the FCRA in accord with paragraph C.2(d)(6) of these Instructions, it must include in the mail-in opt-out form the following statement: ‘‘b Do not allow your affiliates to use my personal information to market to me.’’ (4) Nonaffiliate opt-out. If the financial institution shares personal information pursuant to § 248.10(a) of this part, it must include in the mail-in opt-out form the following statement: ‘‘b Do not share my personal information with nonaffiliates to market their products and services to me.’’ (5) Additional opt-outs. Financial institutions that use the disclosure table to provide opt-out options beyond those required by Federal law must provide those opt-outs in this section of the model form. A financial institution that chooses to offer an opt-out for its own marketing in the mail-in opt-out form must include one of the two following statements: ‘‘b Do not share my personal information to market to me.’’ or ‘‘b Do not use my personal information to market to me.’’ A financial institution that chooses to offer an opt-out for joint marketing must include the following statement: ‘‘b Do not share my personal information with other financial institutions to jointly market to me.’’ (h) Barcodes. A financial institution may elect to include a barcode and/or ‘‘tagline’’ (an internal identifier) in 6-point font at the bottom of page one, as needed for information internal to the institution, so long as these do not interfere with the clarity or text of the form. 3. Page Two (a) General Instructions for the Questions. Certain of the Questions may be customized as follows: (1) ‘‘Who is providing this notice?’’ This question may be omitted where only one financial institution provides the model form and that institution is clearly identified in the title on page one. Two or more financial institutions that jointly provide the model form must use this question to identify themselves as required by § 248.9(f) of this part. Where the list of institutions exceeds four (4) lines, the institution must describe in the response to this question the general types of institutions jointly providing the notice and must separately identify those institutions, in minimum 8-point font, directly following the ‘‘Other important E:\FR\FM\01DER2.SGM 01DER2 62994 Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / Rules and Regulations mstockstill on DSKH9S0YB1PROD with RULES2 information’’ box, or, if that box is not included in the institution’s form, directly following the ‘‘Definitions.’’ The list may appear in a multi-column format. (2) ‘‘How does [name of financial institution] protect my personal information?’’ The financial institution may only provide additional information pertaining to its safeguards practices following the designated response to this question. Such information may include information about the institution’s use of cookies or other measures it uses to safeguard personal information. Institutions are limited to a maximum of 30 additional words. (3) ‘‘How does [name of financial institution] collect my personal information?’’ Institutions must use five (5) of the following terms to complete the bulleted list for this question: open an account; deposit money; pay your bills; apply for a loan; use your credit or debit card; seek financial or tax advice; apply for insurance; pay insurance premiums; file an insurance claim; seek advice about your investments; buy securities from us; sell securities to us; direct us to buy securities; direct us to sell your securities; make deposits or withdrawals from your account; enter into an investment advisory contract; give us your income information; provide employment information; give us your employment history; tell us about your investment or retirement portfolio; tell us about your investment or retirement earnings; apply for financing; apply for a lease; provide account information; give us your contact information; pay us by check; give us your wage statements; provide your mortgage information; make a wire transfer; tell us who receives the money; tell us where to send the money; show your government-issued ID; show your driver’s license; order a commodity futures or option trade. Institutions that collect personal information from their affiliates and/or credit bureaus must include after the bulleted list the following statement: ‘‘We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.’’ Institutions that do not collect personal information from their affiliates or credit bureaus but do collect information from other companies must include the following statement instead: ‘‘We also collect your personal information from other companies.’’ Only institutions that do not collect any personal information from affiliates, credit bureaus, or other companies can omit both statements. (4) ‘‘Why can’t I limit all sharing?’’ Institutions that describe state privacy law provisions in the ‘‘Other important information’’ box must use the bracketed sentence: ‘‘See below for more on your rights under state law.’’ Other institutions must omit this sentence. VerDate Nov<24>2008 19:54 Nov 30, 2009 Jkt 220001 (5) ‘‘What happens when I limit sharing for an account I hold jointly with someone else?’’ Only financial institutions that provide optout options must use this question. Other institutions must omit this question. Institutions must choose one of the following two statements to respond to this question: ‘‘Your choices will apply to everyone on your account.’’ or ‘‘Your choices will apply to everyone on your account—unless you tell us otherwise.’’ Financial institutions that provide insurance products or services and elect to use the model form may substitute the word ‘‘policy’’ for ‘‘account’’ in these statements. (b) General Instructions for the Definitions. The financial institution must customize the space below the responses to the three definitions in this section. This specific information must be in italicized lettering to set off the information from the standardized definitions. (1) Affiliates. As required by § 248.6(a)(3) of this part, where [affiliate information] appears, the financial institution must: (i) If it has no affiliates, state: ‘‘[name of financial institution] has no affiliates; ’’ (ii) If it has affiliates but does not share personal information, state: ‘‘[name of financial institution] does not share with our affiliates; ’’ or (iii) If it shares with its affiliates, state, as applicable: ‘‘Our affiliates include companies with a [common corporate identity of financial institution] name; financial companies such as [insert illustrative list of companies]; nonfinancial companies, such as [insert illustrative list of companies;] and others, such as [insert illustrative list].’’ (2) Nonaffiliates. As required by § 248.6(c)(3) of this part, where [nonaffiliate information] appears, the financial institution must: (i) If it does not share with nonaffiliated third parties, state: ‘‘[name of financial institution] does not share with nonaffiliates so they can market to you; ’’ or (ii) If it shares with nonaffiliated third parties, state, as applicable: ‘‘Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].’’ (3) Joint Marketing. As required by § 248.13 of this part, where [joint marketing] appears, the financial institution must: (i) If it does not engage in joint marketing, state: ‘‘[name of financial institution] doesn’t jointly market; ’’ or (ii) If it shares personal information for joint marketing, state, as applicable: ‘‘Our joint marketing partners include [list categories of companies such as credit card companies].’’ (c) General instructions for the ‘‘Other important information’’ box. This box is optional. The space provided for information PO 00000 Frm 00106 Fmt 4701 Sfmt 4700 in this box is not limited. Only the following types of information can appear in this box. (1) State and/or international privacy law information; and/or (2) Acknowledgment of receipt form. 55. Amend Appendix B to Subpart A of part 248 as follows: ■ A. Add a sentence to the beginning of the introductory text as set forth below. ■ B. Effective January 1, 2012, remove Appendix B to Subpart A of part 248. ■ Appendix B to Subpart A of Part 248— Sample Clauses This Appendix only applies to privacy notices provided before January 1, 2011. * * * * * Dated: October 1, 2009. John C. Dugan, Comptroller of the Currency. By order of the Board of Governors of the Federal Reserve System, October 27, 2009. Robert deV. Frierson, Secretary of the Board. By Order of the Board of Directors. Dated at Washington, DC, this 23rd day of October, 2009. Federal Deposit Insurance Corporation. Robert E. Feldman, Executive Secretary. Dated: September 28, 2009. By the Office of Thrift Supervision. John E. Bowman, Acting Director. By the National Credit Union Administration Board on November 10, 2009. Mary Rupp, Secretary of the Board. The Federal Trade Commission. Dated: September 25, 2009. By Direction of the Commission. Donald S. Clark, Secretary. Dated: September 21, 2009. David A. Stawick, Secretary of the Commodity Futures Trading Commission. Dated: November 16, 2009. By the Securities and Exchange Commission. Elizabeth M. Murphy, Secretary. [FR Doc. E9–27882 Filed 11–30–09; 8:45 am] BILLING CODE 6750–01–P 12.5%, 6351–01–P 12.5%, 6720–01–P 12.5%, 6714–01–P 12.5%, 4810–33–P 12.5%, 6210–01–P 12.5%, 8011–01–P 12.5%, 7535–01–P 12.5% E:\FR\FM\01DER2.SGM 01DER2

Agencies

[Federal Register Volume 74, Number 229 (Tuesday, December 1, 2009)]
[Rules and Regulations]
[Pages 62890-62994]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E9-27882]



[[Page 62889]]

-----------------------------------------------------------------------


Part II

Department of the Treasury



Office of the Comptroller of the Currency



12 CFR Part 40



-----------------------------------------------------------------------
Federal Reserve System

12 CFR Part 216



-----------------------------------------------------------------------
Federal Deposit Insurance Corporation

12 CFR Part 332



-----------------------------------------------------------------------
Department of the Treasury



Office of Thrift Supervision

12 CFR Part 573



-----------------------------------------------------------------------
National Credit Union Administration

12 CFR Part 716



-----------------------------------------------------------------------
Federal Trade Commission

16 CFR Part 313



-----------------------------------------------------------------------
Commodity Futures Trading Commission

17 CFR Part 160



-----------------------------------------------------------------------
Securities and Exchange Commission

17 CFR Part 248



-----------------------------------------------------------------------



Final Model Privacy Form Under the Gramm-Leach-Bliley Act; Final Rule

Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / 
Rules and Regulations

[[Page 62890]]


-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Part 40

[Docket ID OCC-2009-0011]
RIN 1557-AC80

FEDERAL RESERVE SYSTEM

12 CFR Part 216

[Docket No. R-1280]

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Part 332

RIN 3064-AD16

DEPARTMENT OF THE TREASURY

Office of Thrift Supervision

12 CFR Part 573

[Docket ID OTS-2009-0014]
RIN 1550-AC12

NATIONAL CREDIT UNION ADMINISTRATION

12 CFR Part 716

RIN 3133-AC84

FEDERAL TRADE COMMISSION

16 CFR Part 313

[Project No. 034815]
RIN 3084-AA94

COMMODITY FUTURES TRADING COMMISSION

17 CFR Part 160

RIN 3038-AC04

SECURITIES AND EXCHANGE COMMISSION

17 CFR Part 248

[Release Nos. 34-61003, IA-2950, IC-28997; File No. S7-09-07]
RIN 3235-AJO6


Final Model Privacy Form Under the Gramm-Leach-Bliley Act

AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC); 
Board of Governors of the Federal Reserve System (Board); Federal 
Deposit Insurance Corporation (FDIC); Office of Thrift Supervision, 
Treasury (OTS); National Credit Union Administration (NCUA); Federal 
Trade Commission (FTC); Commodity Futures Trading Commission (CFTC); 
and Securities and Exchange Commission (SEC).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The OCC, Board, FDIC, OTS, NCUA, FTC, CFTC, and SEC (the 
``Agencies'') are publishing final amendments to their rules that 
implement the privacy provisions of Subtitle A of Title V of the Gramm-
Leach-Bliley Act (``GLB Act''). These rules require financial 
institutions to provide initial and annual privacy notices to their 
customers. Pursuant to Section 728 of the Financial Services Regulatory 
Relief Act of 2006 (``Regulatory Relief Act'' or ``Act''), the Agencies 
are adopting a model privacy form that financial institutions may rely 
on as a safe harbor to provide disclosures under the privacy rules. In 
addition, the Agencies other than the SEC are eliminating the safe 
harbor permitted for notices based on the Sample Clauses currently 
contained in the privacy rules if the notice is provided after December 
31, 2010. Similarly, the SEC is eliminating the guidance associated 
with the use of notices based on the Sample Clauses in its privacy rule 
if the notice is provided after December 31, 2010.

DATES: This rule is effective on December 31, 2009, except for the 
following amendments, which are effective January 1, 2012:
    Instructions 3B, 10B, 17B, 24B, 31B, 38B, 45B, and 52B removing 
paragraphs (g) to 12 CFR 40.6, 216.6, 332.6, 573.6, and 716.6, 16 CFR 
313.6, and 17 CFR 160.6 and 248.6, respectively; and
    Instructions 7B, 14B, 21B, 28B, 35B, 42B, 49B, and 55B removing 
Appendixes B to 12 CFR parts 40, 216, 332, 573, and 716, 16 CFR part 
313, and 17 CFR parts 160 and 248, respectively.

FOR FURTHER INFORMATION CONTACT: OCC: Stephen Van Meter, Assistant 
Director, Community and Consumer Law Division, (202) 874-5750; Heidi 
Thomas, Special Counsel, Legislative and Regulatory Activities 
Division, (202) 874-5090; or David Nebhut, Director, Policy Analysis 
Division, (202) 874-5220, Office of the Comptroller of the Currency, 
250 E Street, SW., Washington, DC 20219.
    Board: Jeanne Hogarth, Consumer Policies Program Manager, Jelena 
McWilliams, Attorney, or Ky Tran-Trong, Counsel, Division of Consumer 
and Community Affairs, (202) 452-3667; Kara Handzlik, Attorney, Legal 
Division, (202) 452-3852; Board of Governors of the Federal Reserve 
System, 20th Street and Constitution Avenue, NW., Washington, DC 20551.
    FDIC: Samuel Frumkin, Senior Policy Analyst, Division of 
Supervision and Consumer Protection, (202) 898-6602; or Kimberly A. 
Stock, Counsel, (202) 898-3815, Legal Division; Federal Deposit 
Insurance Corporation, 550 17th Street, NW., Washington, DC 20429.
    OTS: Ekita Mitchell, Consumer Regulations Analyst, (202) 906-6451; 
or Richard Bennett, Senior Compliance Counsel, Regulations and 
Legislation Division, (202) 906-7409; 1700 G Street, NW., Washington, 
DC 20552.
    NCUA: Regina Metz, Staff Attorney, (703) 518-6561, Office of 
General Counsel, National Credit Union Administration, 1775 Duke 
Street, Alexandria, Virginia 22314-3428.
    FTC: Loretta Garrison, Senior Attorney, and Anthony Rodriguez, 
Attorney, Division of Privacy and Identity Protection, Bureau of 
Consumer Protection, (202) 326-2252, Federal Trade Commission, 600 
Pennsylvania Avenue, NW., Stop NJ-3158, Washington, DC 20580.
    CFTC: Laura Richards, Deputy General Counsel, (202) 418-5126, or 
Gail B. Scott, Counsel, Office of General Counsel, (202) 418-5139, 
Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st 
Street, NW., Washington, DC 20581.
    SEC: Paula Jenson, Deputy Chief Counsel, or Brice Prince, Special 
Counsel, Office of the Chief Counsel, Division of Trading and Markets, 
(202) 551-5550; or Penelope Saltzman, Assistant Director, Thoreau 
Bartmann, Senior Counsel, or Daniel Chang, Staff Attorney, Office of 
Regulatory Policy, Division of Investment Management, (202) 551-6792, 
Securities and Exchange Commission, 100 F Street, NE., Washington, DC 
20549.

SUPPLEMENTARY INFORMATION: The Agencies are publishing final amendments 
to each of their rules (which are consistent and comparable) that 
implement the privacy provisions of the GLB Act: 12 CFR part 40 (OCC); 
12 CFR part 216 (Board); 12 CFR part 332 (FDIC); 12 CFR part 573 (OTS); 
12 CFR part 716 (NCUA); 16 CFR part 313 (FTC); 17 CFR part 160 (CFTC); 
and 17 CFR part 248 (SEC) (collectively, the ``privacy rule'').\1\
---------------------------------------------------------------------------

    \1\ Because the Agencies' privacy rules generally use consistent 
section numbering, relevant sections will be cited, for example, as 
``section ----.6'' unless otherwise noted.

I. Introduction
    A. Statutory Authority and Overview
    B. Overview of the Final Model Privacy Form
II. Background
    A. The Gramm-Leach-Bliley Act Privacy Notices

[[Page 62891]]

    B. Development of Proposed Model Privacy Form
    C. Overview of Comments Received
    D. Quantitative Research
    E. Public Comments on the Quantitative Test Data
    F. Validation Testing
III. The Final Model Privacy Form
    A. Standardization
    B. Instructions for Use
    C. Format of the Notice
    D. Appearance of the Model Privacy Form
    E. Optional General Guidance for Easily Readable Type
    F. Printing, Color, and Logos
    G. Jointly-Provided Notices
    H. Use of the Form by Differently-Regulated Entities
    I. Page One of the Model Form
    J. Page Two of the Model Form
    K. Other Issues
IV. The Sample Clauses
V. Effective Date
VI. Final Regulatory Flexibility Analysis
VII. Paperwork Reduction Act
VIII. OCC and OTS Executive Order 12866 Determination
IX. OCC and OTS Executive Order 13132 Determination
X. OCC and OTS Unfunded Mandates Reform Act of 1995 Determination
XI. SEC Cost-Benefit Analysis
XII. SEC Consideration of Burden on Competition
XIII. NCUA: The Treasury And General Government Apropriations Act, 
1999-Assessment of Federal Regulations and Policies on Families
XIV. CFTC Cost-Benefit Analysis

I. Introduction

A. Statutory Authority and Overview

    The Regulatory Relief Act was enacted on October 13, 2006.\2\ 
Section 728 of the Act directs the Agencies to ``jointly develop a 
model form which may be used, at the option of the financial 
institution, for the provision of disclosures under [section 503 of the 
GLB Act].'' \3\ The Regulatory Relief Act stipulates that the model 
form shall be a safe harbor for financial institutions that elect to 
use it. Section 728 further directs that the model form shall:
---------------------------------------------------------------------------

    \2\ Public Law No. 109-351, 120 Stat. 1966 (2006).
    \3\ Id., adding 15 U.S.C. 6803(e). See also infra discussion at 
section II.A. on the GLB Act requirements for financial privacy 
notices. Section 728 of the Regulatory Relief Act directs the 
agencies named in Section 504(a)(1) of the GLB Act, 15 U.S.C. 
6804(a)(1), to develop a model form. The CFTC, which did not become 
subject to Title V of the GLB Act until 2000, is not named in that 
section. The Commodity Exchange Act (``CEA'') was amended in 2000 by 
the Commodity Futures Modernization Act of 2000 to make the CFTC a 
``Federal functional regulator'' subject to the GLB Act Title V. See 
Section 5g of the CEA, 7 U.S.C. 7b-2. The CFTC interprets Section 
728 of the Regulatory Relief Act as applying to it through Section 
5g.
---------------------------------------------------------------------------

    (A) Be comprehensible to consumers, with a clear format and design;
    (B) provide for clear and conspicuous disclosures;
    (C) enable consumers easily to identify the sharing practices of a 
financial institution and to compare privacy practices among financial 
institutions; and
    (D) be succinct, and use an easily readable type font.
On March 29, 2007, the Agencies published a proposed model privacy form 
(the ``proposed model form'') that financial institutions would be able 
to use to comply with certain disclosures under the privacy rule.\4\ On 
April 15, 2009, the SEC reopened the comment period on the proposed 
rulemaking to solicit comment on a research report and test data 
pertaining to additional consumer testing of the proposed model privacy 
form.\5\ Today, the Agencies are amending the privacy rule to include a 
model privacy form that institutions may use to provide required 
disclosures. The final model form is substantially as proposed with 
changes based on comments we received as well as additional consumer 
testing.
---------------------------------------------------------------------------

    \4\ See Interagency Proposal for Model Privacy Form under the 
Gramm-Leach-Bliley Act (``Proposed Rule''), 72 FR 14940 (Mar. 29, 
2007), available at http://www.ftc.gov/os/2007/03/CorrectedNeptuneMarsandGenericFormsfrn.pdf. A Correction Notice was 
published at 72 FR 16875 (Apr. 5, 2007).
    \5\ See Interagency Proposal for Model Privacy Form under the 
Gramm-Leach-Bliley Act, Securities Exchange Act Release No. 59769, 
Investment Company Act Release No. 28697 (Apr. 15, 2009) [74 FR 
17925 (Apr. 20, 2009)].
---------------------------------------------------------------------------

B. Overview of the Final Model Privacy Form

    As explained more fully in the Agencies' Proposed Rule, key 
elements of the final model form's structure and design, as well as 
vocabulary, reflect the research findings of the qualitative consumer 
testing.\6\ The Agencies believe that the final model form as revised 
meets all the requirements of the Act and, based on the qualitative 
research that led to the development of the proposed model form and the 
quantitative consumer testing described below, is easier to understand 
and use than most privacy notices currently being disseminated.
---------------------------------------------------------------------------

    \6\ The Agencies conducted the consumer research in two phases: 
the first was qualitative testing or form development; the second 
was quantitative testing. See infra section II.
---------------------------------------------------------------------------

    While the model form provides a legal safe harbor, institutions may 
continue to use other types of notices that vary from the model form so 
long as these notices comply with the privacy rule. For example, an 
institution could continue to use a simplified notice if it does not 
have affiliates and does not intend to share nonpublic personal 
information with nonaffiliated third parties outside of the exceptions 
provided in sections ----.14 and ----.15.\7\ Likewise, while the 
Agencies are eliminating the Sample Clauses and related safe harbor 
(or, for the SEC, guidance), institutions may continue to use notices 
containing these clauses, so long as these notices comply with the 
privacy rule.\8\
---------------------------------------------------------------------------

    \7\ See privacy rule, section ----.6(c)(5), NCUA section 
716.6(e)(5).
    \8\ See infra section IV.
---------------------------------------------------------------------------

    The following section briefly summarizes the key features of the 
final model form and the changes to the proposed form. A detailed 
discussion of the elements of the final model form appears in section 
III.
1. The Structure
    The final model form has two pages, rather than the three pages in 
the proposed form, and may be printed on a single piece of paper.\9\ 
Together, pages one and two address the legal requirements of 
applicable Federal financial privacy laws and are designed to increase 
consumer comprehension. The Agencies are not mandating a specific paper 
size in the final model form as long as the paper is in portrait 
orientation and sufficient to accommodate minimum font size, spacing, 
and content requirements.
---------------------------------------------------------------------------

    \9\ For ease, the Appendix provides three versions of the final 
model form: (1) Model form with no opt-out; (2) model form with 
telephone and Web opt-out only; and (3) model form that includes a 
mail-in opt-out form. An alternative mail-in form (version 4) may be 
substituted for the mail-in portion of the model form in version 3. 
For those institutions that use the model form and need to provide a 
mail-in opt-out form, the reverse side to that opt-out form must not 
include any content of the model form. See F.4 of the Frequently 
Asked Questions for the Privacy Regulation, available at http://www.ftc.gov/privacy/glbact/glb-faq.htm (Dec. 2001) (staff guidance 
issued by the Board, FDIC, FTC, OCC, OTS, and NCUA) (stating that a 
consumer generally should be able to detach a mail-in opt-out form 
from a privacy notice without removing text from the privacy 
policy).
---------------------------------------------------------------------------

2. Page One--Background Information, the Disclosure Table, and Opt-Out 
Information
    Page one of the final model form has five parts: (1) The title; (2) 
an introductory section called the ``key frame'' which provides context 
to help the consumer understand the required disclosures; (3) a 
disclosure table that describes the types of sharing used by financial 
institutions consistent with Federal law, which of those types of 
sharing the institution actually does, and whether the consumer can 
limit or opt out of any of the institution's sharing; (4) only if 
needed, a box titled ``To limit our sharing'' for opt-out information; 
and (5) the institution's customer service contact information. Where 
the institution provides a mail-in

[[Page 62892]]

opt-out form, that form appears at the bottom of page one.
    There are three significant changes on page one of the final model 
form.\10\ First, the ``What?'' box has been modified to permit 
institutions to select from a menu of terms the types of information 
collected and shared (other than Social Security number). Second, 
information (if needed) about how to limit sharing or opt out follows 
the disclosure table. If the institution provides a mail-in opt-out 
form, that form appears at the bottom of page one. Third, the final 
model form includes at the top of the page in the right-hand corner the 
date by month and year of the most recent version of the notice. 
Institutions may include at the bottom of page one a ``tagline'' (an 
internal identifier) or barcode for information internal to the 
company, so long as these do not interfere with the clarity or text of 
the form.\11\
---------------------------------------------------------------------------

    \10\ See infra section III.I.
    \11\ See, e.g., comment letters of T. Rowe Price Associates, 
Inc. (May 29, 2007); Wolters Kluwer Financial Services (May 24, 
2007).
---------------------------------------------------------------------------

3. Page Two--Supplemental Information
    As in the proposed model form, the second page of the final model 
form provides additional explanatory information that, in combination 
with page one, ensures that the notice includes all elements described 
in the GLB Act as implemented by the privacy rule. There is 
supplemental information in the form of Frequently Asked Questions 
(``FAQs'') \12\ at the top and definitions below. There are three 
significant changes to the disclosures on page two of the final 
form.\13\ First, a new FAQ appears at the top of page two that can be 
used to identify those institutions that jointly provide the notice. 
Second, the FAQ on the collection of information has been modified to 
allow institutions to select from a menu of terms. Third, a new box has 
been provided at the bottom of page two titled ``Other important 
information.'' This box can be used in only two ways: (1) to discuss 
state and/or international privacy law requirements; and (2) to provide 
an acknowledgment of receipt form.\14\
---------------------------------------------------------------------------

    \12\ Note that a financial institution must insert its name or a 
common corporate identity as indicated in the two questions in this 
section each time that ``[name of financial institution]'' appears. 
The revised form has eliminated the FAQ ``How does [name of 
financial institution] notify me about its practices.''
    \13\ See infra section III.J.
    \14\ This use was provided in response to a request by the 
National Automobile Dealers Ass'n, whose members routinely ask 
customers to sign an acknowledgment of receipt on a copy of the 
dealer's privacy notice and retain this record verifying delivery of 
the notice. Comment letter of the National Automobile Dealers Ass'n 
(May 29, 2007).
---------------------------------------------------------------------------

II. Background

A. The Gramm-Leach-Bliley Act Privacy Notices

    Subtitle A of title V of the GLB Act, captioned ``Disclosure of 
Nonpublic Personal Information,'' \15\ requires each financial 
institution to provide a notice of its privacy policies and practices 
to its customers who are consumers.\16\ In general, the privacy notice 
must describe a financial institution's policies and practices with 
respect to disclosing nonpublic personal information about a consumer 
to both affiliated and nonaffiliated third parties.\17\ The notice also 
must provide a consumer a reasonable opportunity to direct the 
institution generally not to share nonpublic personal information \18\ 
about the consumer (that is, to ``opt out'') with nonaffiliated third 
parties other than as permitted by the statute (for example, sharing 
for everyday business purposes, such as processing transactions and 
maintaining customers' accounts, and in response to properly executed 
governmental requests).\19\ The privacy notice must provide, where 
applicable under the Fair Credit Reporting Act (``FCRA''), a notice and 
an opportunity for a consumer to opt out of certain information sharing 
among affiliates.\20\
---------------------------------------------------------------------------

    \15\ Codified at 15 U.S.C. 6801-6809.
    \16\ 15 U.S.C. 6803(a). A ``customer'' means a consumer who has 
a ``customer relationship'' with a financial institution. Privacy 
rule, section ----.3(h), SEC section 248.3(j), CFTC section 
160.3(k), NCUA section 716.3(n). A ``consumer'' is ``an individual 
who obtains, from a financial institution, financial products or 
services which are to be used primarily for personal, family, or 
household purposes, and also means the legal representative of such 
an individual.'' 15 U.S.C. 6809(9); privacy rule, section ----.3(e), 
SEC section 248.3(g)(1), CFTC section 160.3(h)(1). Financial 
institutions are required to provide an initial notice to their 
customers and a notice annually thereafter for as long as the 
customer relationship continues. 15 U.S.C. 6803(a); Privacy rule, 
sections ----.4 and ----.5. Institutions are also required to 
provide to their non-customer consumers a notice if the institution 
discloses nonpublic personal information outside the exceptions in 
sections ----.14 and ----.15 before any such disclosure is made. 15 
U.S.C. 6802(a); privacy rule, sections ----.4.
    \17\ 15 U.S.C. 6803(a)-(c).
    \18\ ``Nonpublic personal information'' is generally defined as 
personally identifiable financial information provided by a consumer 
to a financial institution, resulting from any transaction or any 
service performed for the consumer, or otherwise obtained by the 
financial institution. See 15 U.S.C. 6809(4); privacy rule, sections 
----.3(n) and (o), SEC sections 248.3(t) and (u), CFTC sections 
160.3(t) and (u).
    \19\ 15 U.S.C. 6802; privacy rule, sections ----.14 and ----.15.
    \20\ 15 U.S.C. 1681a(d)(2)(A)(iii) (FCRA); 15 U.S.C. 6803(c)(4) 
(GLB Act).
---------------------------------------------------------------------------

    The privacy rule requires a financial institution to provide a 
privacy notice to its customers no later than when a customer 
relationship is formed and annually thereafter for as long as the 
relationship continues. The notice must accurately reflect the 
institution's information collection and disclosure practices and must 
include specific information.\21\
---------------------------------------------------------------------------

    \21\ See sections--.4,--.5, and --.6 of the privacy rule.
---------------------------------------------------------------------------

    The privacy rule does not prescribe any specific format or 
standardized wording for these notices. Instead, institutions may 
design their own notices based on their individual practices provided 
they comply with the law and meet the ``clear and conspicuous'' 
standard in the statute and the privacy rule.\22\ The Appendix to each 
privacy rule contains Sample Clauses that institutions may use in 
privacy notices to satisfy the privacy rule.
---------------------------------------------------------------------------

    \22\ 15 U.S.C. 6802, 6803; privacy rule, section --.3(b), SEC 
section 248.3(c), CFTC section 160.3(b)(1).
---------------------------------------------------------------------------

    Financial institutions were required to provide privacy notices to 
their customers by July 1, 2001.\23\ Many notices provided to consumers 
were long and complex. Because the privacy rule allows institutions 
flexibility in designing their privacy notices, notices have been 
formatted in various ways and as a result have been difficult to 
compare, even among financial institutions with identical 
practices.\24\ The Agencies first explored issues related to the 
complexity of privacy notices in a workshop held in December 2001.\25\
---------------------------------------------------------------------------

    \23\ See, e.g., Privacy of Consumer Financial Information, 65 FR 
35162 (June 1, 2000). The CFTC was added by Section 5g of the 
Commodity Exchange Act, 7 U.S.C. 7b-2 (as amended by the Commodity 
Futures Modernization Act of 2000), on December 21, 2000, and 
privacy notices were required to be delivered to consumers by March 
31, 2002. Privacy of Consumer Financial Information, 66 FR 21236 
(Apr. 27, 2001).
    \24\ See Rulemaking Petition from Public Citizen, et al., at 4 
(July 26, 2001) (available at http://www.ftc.gov/bcp/workshops/glb/comments/nader.pdf) (``Public Citizen Petition'') (stating that 
notices were ``dense,'' ``complicated,'' and written by those 
trained in obfuscation rather than to express ideas clearly).
    \25\ See Get Noticed: Writing Effective Financial Privacy 
Notices, Interagency Public Workshop (Dec. 4, 2001) (``Get Noticed 
Workshop''). Workshop transcripts and other supporting documents are 
available at http://www.ftc.gov/bcp/workshops/glb/index.html. The 
Get Noticed Workshop, discussed in the preamble to the Proposed 
Rule, supra note 4 at n.14, provided a public forum to consider how 
financial institutions could provide more useful privacy notices to 
consumers.
---------------------------------------------------------------------------

    On December 30, 2003, the Agencies published an Advance Notice of 
Proposed Rulemaking to Consider Alternative Forms of Privacy Notices 
Under the Gramm-Leach-Bliley Act (``ANPR'') to solicit public comment 
on

[[Page 62893]]

a wide range of issues related to improving privacy notices.\26\ The 
ANPR stated that the Agencies expected that consumer testing would be a 
key component in the development of any specific proposals.\27\
---------------------------------------------------------------------------

    \26\ See Interagency Proposal to Consider Alternative Forms of 
Privacy Notices Under the Gramm-Leach-Bliley Act, 68 FR 75164 (Dec. 
30, 2003), available at http://www.ftc.gov/os/2003/12/031223anprfinalglbnotices.pdf. The Agencies sought, for example, 
comment on issues associated with the format, elements, and language 
used in privacy notices that would make the notices more accessible, 
readable, and useful, and whether to develop a model privacy notice 
that would be short and simple.
    \27\ Id. at text following n.5.
---------------------------------------------------------------------------

    During January and February 2004, the Agencies met with a number of 
interested groups and individuals to discuss the issues raised in the 
ANPR and subsequently received forty-four comments in response to the 
ANPR.\28\ While commenters expressed a variety of views on the 
questions posed in the ANPR, many commenters agreed that the Agencies 
should conduct consumer testing before proposing any alternative 
privacy notice.
---------------------------------------------------------------------------

    \28\ Summaries of the outside meetings and public comments to 
the ANPR are available at http://www.ftc.gov/privacy/privacyinitiatives/financial_rule_inrp.html.
---------------------------------------------------------------------------

B. Development of the Proposed Model Privacy Form

    Over the years during which GLB Act privacy notices have been 
delivered to consumers, the Agencies have observed wide variations in 
these notices. Today, privacy notices vary considerably--not just in 
format, presentation, language, length, style, or tone--but also in how 
they inform consumers of their rights to limit certain sharing of 
personal information. For example, the Agencies have found the 
following variations in current privacy notices. Some institutions 
incorporate privacy notices into lengthy terms and conditions 
statements, making it harder for consumers to find information about 
the institution's privacy practices, and raising questions about 
whether such notices comply with the requirement that they be clear and 
conspicuous. Institutions also use messages in their notices' opening 
statements about how they value privacy and strive to ``protect'' 
personal information, thus providing assurances to consumers that imply 
their personal information is not shared broadly, while obscuring or 
directing attention away from the required disclosures of actual 
information sharing practices. Finally, the Agencies have seen a number 
of institutions employ the statement in their privacy policy ``We do 
not sell your information to third parties'' in a context that raises 
concerns about misrepresentations.\29\
---------------------------------------------------------------------------

    \29\ In some cases, the Agencies have identified notices that 
violate the privacy rule. For example, one institution's privacy 
notice did not include an opt-out form, but provided that consumers 
could only obtain an opt-out form by visiting a bank office, in 
violation of sections --.7(h), --.9(a), and --.10(a)(1) of the 
privacy rule. Another notice provided that consumers could only opt 
out by writing a letter to the institution, in violation of section 
--.7(a)(1) of the privacy rule. Offering only these very restrictive 
methods of obtaining an opt-out form and opting out also is not 
supported by the examples in the privacy rule. See sections 
--.7(a)(2), --.9(b), and --.10(a)(3) of the privacy rule.
---------------------------------------------------------------------------

    These examples illustrate the need to make disclosure of 
institutions' information sharing practices and consumer choices more 
transparent and underscore the Agencies' interest in initiating a joint 
consumer research project to develop an easy-to-read and understandable 
model privacy notice for consumers.
    In the summer of 2004, six of the Agencies \30\ launched a project 
to fund consumer research (``Notice Project''). Their goals were to 
identify barriers to consumer understanding of current privacy notices 
and to develop an alternative privacy notice, or elements of a notice, 
that consumers could more easily use and understand compared to current 
notices. The Agencies conducted the consumer research in two sequential 
phases.\31\
---------------------------------------------------------------------------

    \30\ The six agencies that initially sponsored the Notice 
Project were the Board, FDIC, FTC, NCUA, OCC, and SEC. The OTS 
joined the Notice Project for the phase two quantitative testing. 
Information related to the Notice Project is available at http://www.ftc.gov/privacy/privacyinitiatives/financial_rule_inrp.html.
    \31\ The first phase was designed as qualitative testing or form 
development research. This research involved a series of in-depth 
individual consumer interviews to develop an alternative privacy 
notice that would be easier for consumers to use and understand. The 
second phase was designed as quantitative testing, to test the 
effectiveness of the alternative privacy notice developed in phase 
one among a larger number of consumers.
---------------------------------------------------------------------------

    In September 2004, the Agencies selected Kleimann Communication 
Group, Inc. (``Kleimann'') as their contractor for the phase one form 
development research. The research objectives of the Notice Project 
included designing a privacy notice that consumers could understand and 
use, that facilitated comparison of sharing practices and policies 
across institutions, and that addressed all relevant legal requirements 
of the GLB Act and FCRA.
    The form development phase culminated in an extensive research 
report prepared by Kleimann and released by the Agencies in March 2006 
(the ``Kleimann Report'').\32\ The Kleimann Report details the process 
by which the Agencies and Kleimann developed an alternative privacy 
notice. The structure, content, ordering of the text information, and 
title of the proposed model form all reflect the research findings from 
the qualitative consumer testing.
---------------------------------------------------------------------------

    \32\ See Kleimann Communication Group, Inc., Evolution of a 
Prototype Financial Privacy Notice: A Report on the Form Development 
Project (Feb. 28, 2006) (``Kleimann Report''). For a copy of the 
full report, go to http://www.ftc.gov/privacy/privacyinitiatives/ftcfinalreport060228.pdf. For the executive summary, go to http://www.ftc.gov/privacy/privacyinitiatives/FTCFinalReportExecutiveSummary.pdf.
---------------------------------------------------------------------------

    In October 2006, Congress passed the Regulatory Relief Act, which 
directed the Agencies to propose a model form based on standards 
similar to the Notice Project research goals. On March 29, 2007, the 
Agencies issued for public comment the proposed model form as produced 
in the form development phase with some minor revisions.

C. Overview of Comments Received

    The Agencies collectively received approximately 110 unique 
comments from a variety of banks, thrifts, credit unions, credit card 
companies, securities firms, insurance companies, and industry trade 
associations, as well as from consumer and other advocacy groups, the 
National Association of Attorneys General (``NAAG''), the National 
Association of State Insurance Commissioners (``NAIC''), and individual 
consumers.\33\
---------------------------------------------------------------------------

    \33\ Comments received by all the Agencies are available at 
http://www.ftc.gov/privacy/privacyinitiatives/financial_rule_inrp.html. Many commenters sent copies of the same letter to more 
than one agency. Some association commenters sent several letters, 
both individually and jointly with other associations.
---------------------------------------------------------------------------

    A number of institutions expressed support for the model form. Some 
stated that they are either already using it (submitting copies of 
their notices) or intend to use it once it is finalized. One industry 
association conducted an informal poll of its community bank members 
and found that many are likely to use the model form and that most 
found the new form more consumer-friendly than the Sample Clauses. 
These commenters commended the Agencies for proposing simpler language 
and making the disclosure terms more understandable and accessible to 
consumers.
    Consumer and other advocacy groups, the NAIC, NAAG, and individual 
consumers generally supported the Agencies' proposal and the clearer 
language and omission of extraneous information in the proposed model 
form. These commenters stated that the proposal could be strengthened 
in certain respects, for example, by making

[[Page 62894]]

the default opt-in rather than opt-out and creating a one-stop opt-out 
repository similar to the National Do Not Call Registry.
    There was general support by many commenters for additional 
consumer research and testing. While some industry commenters provided 
substitute language or submitted alternate forms of the notice, none 
submitted other research findings. However, the NAIC submitted a 
consumer study on notices with research findings that the Agencies did 
consider.
    Most industry commenters, however, objected to several key aspects 
of the proposal. The most significant areas of concern raised by 
industry commenters related to: The standardized approach; the format 
of the proposed model form; the limited examples of types of personal 
information collected and shared; the disclosure table; incorporation 
of state law information; and revocation of the Sample Clauses. The 
thrust of many industry comments was that the proposed form was overly 
simplistic and not nuanced enough to describe precisely what the 
various laws permit or to allow accurate descriptions of more complex 
information sharing policies and practices. One commenter expressed 
concern that the form would lead to consumer confusion because of 
inaccurate disclosures on sharing practices and result in high opt-out 
rates, discouraging use of the form. Many industry commenters expressed 
concern about liability under state unfair or deceptive practice laws 
relating to privacy disclosures. At the same time, many institutions 
urged flexibility to allow inclusion of other information--such as 
describing the benefits of sharing, or providing marketing messages or 
privacy tips such as on identity theft and fraud prevention. One 
institution proposed allowing institutions to pick and choose which 
elements of the notice to use and still receive a safe harbor.

D. Quantitative Research

    Following publication of the model form proposal in March 2007 and 
subsequent review of the comments, the Agencies revised the proposed 
model form for further testing.\34\ In the fall of 2007, the Agencies 
turned their attention to developing the research protocol and 
methodology for conducting the second phase of the research: The 
quantitative consumer testing. In August 2006, prior to enactment of 
the Regulatory Relief Act, the Agencies had selected Macro 
International Inc. (``Macro'') to conduct the quantitative research 
study.
---------------------------------------------------------------------------

    \34\ See Mall Intercept Study of Consumer Understanding of 
Financial Privacy Notices: Methodological Report, submitted by Macro 
International Inc. (``Macro Report''), Appendix C, for copies of the 
test notices. The Macro Report is available at: http://www.ftc.gov/privacy/privacyinitiatives/Macro-Report-on-Privacy-Notice-Study.pdf. 
See also infra section III for a discussion about the changes made 
to the final model form since the Proposed Rule was issued for 
comment.
---------------------------------------------------------------------------

    In the spring of 2008, Macro conducted a survey of approximately 
1,000 consumers using a mall-intercept methodology. The selected 
participants for the study reflected a range of demographic 
characteristics for gender, age, and educational level. The testing was 
conducted in five shopping mall locations--Baltimore, MD; Dallas, TX; 
Detroit, MI; Los Angeles, CA; and Springfield, MA--over a period of 
five weeks during March and April 2008.\35\
---------------------------------------------------------------------------

    \35\ Macro provided the test data to the Agencies in the summer 
of 2008 and its research methodology report in September. The study 
data and codebook are available at: http://www.ftc.gov/privacy/privacyinitiatives/Privacy-Notice-Study-Dataset.pdf and http://www.ftc.gov/privacy/privacyinitiatives/Privacy-Notice-Study-Codebook.pdf.
---------------------------------------------------------------------------

    The test objectives were to evaluate the effectiveness of the 
revised proposed model form \36\ developed by Kleimann (``Table 
Notice'') for comprehension and usability as compared to three other 
styles or formats of notices. The other notice formats were: (1) The 
prose version of the prototype table notice also developed and tested 
by Kleimann (``Prose Notice''); (2) a current version of a common 
notice used by financial institutions (``Current Notice''); and (3) a 
notice comprised solely of the Sample Clauses found in the appendix to 
the privacy rule (``Sample Clause Notice''). Within each format, there 
were three different notices, each reflecting a different level of 
sharing. Each level of sharing had a common fictional bank name across 
the four notice formats: Mars Bank had a low level of sharing; Mercury 
Bank had a medium level of sharing; and Neptune Bank had the highest 
level of sharing. Both Mercury and Neptune Banks offered opt-out 
choices; however, the pattern of sharing was such that after exercising 
all available opt-outs, Neptune Bank continued to share more broadly 
than Mercury Bank and Mercury Bank continued to share more than Mars 
Bank. This design was intentional for the comparison testing.\37\
---------------------------------------------------------------------------

    \36\ The proposed model form was revised based on the comments 
received, and a version of that revised form was used in the 
quantitative testing.
    \37\ Study participants were randomly assigned to see one of the 
four notice formats. Each participant read three privacy notices in 
the same format and was asked a series of questions, first about one 
pair of notices, and next about a second pair of notices, with one 
of the three notices used twice in each round. The order and 
repetition of the notices were rotated among the participants so 
that the same notice was not always viewed twice. Participants 
answered additional questions about the notices and their attitudes 
on information sharing. The interview sought information about 
participants' choice of a bank based solely on the notice content; 
responses to factual questions, such as which of two banks shared 
more or whether any of the banks offered an opportunity to limit or 
opt out of sharing; performance of a task, such as determining which 
bank shared more after exercising all options to limit or opt out of 
sharing; and responses to questions about their attitudes toward the 
use and sharing of their information. See Macro Report, supra note 
34, Appendix A.
---------------------------------------------------------------------------

    On December 15, 2008, two expert advisors to the Agencies, Dr. Alan 
Levy and Dr. Manoj Hastak, submitted a report to the Agencies analyzing 
the research data provided by Macro (the ``Levy-Hastak Report'').\38\ 
The Levy-Hastak Report confirmed the overall effectiveness of the 
proposed model form (as modified) as against the three alternative 
notice formats. On April 15, 2009, the SEC published the Levy-Hastak 
Report, along with the Macro Report and test data, for public comment. 
The SEC received nine comments.\39\
---------------------------------------------------------------------------

    \38\ See http://www.ftc.gov/privacy/privacyinitiatives/Levy-Hastak-Report.pdf.
    \39\ See http://www.sec.gov/comments/s7-09-07/s70907.shtml.
---------------------------------------------------------------------------

    The Levy-Hastak Report examined two measures on how effectively the 
notices communicated information: (1) Judgment quality; and (2) 
perceptual accuracy.\40\ According to the Report, judgment quality 
focused on the extent to which study participants could provide 
logical, defensible reasons for choosing one bank over the other based 
solely on the notice. Perceptual accuracy focused on the ability of the 
participants to recognize accurately the differences between the banks 
in information collection and sharing practices, in opt-out choices, 
and in relative sharing after all opt-out choices were exercised.\41\
---------------------------------------------------------------------------

    \40\ Levy-Hastak Report at 7-14.
    \41\ Id. at 4-5.
---------------------------------------------------------------------------

    The Levy-Hastak Report concluded that, overall, the Table Notice 
outperformed the other notices.\42\ The Table Notice performed 
particularly well on difficult tasks \43\ while the Current Notice 
performed poorly on all measures. While the Sample Clause Notice 
performed well on simple tasks,

[[Page 62895]]

about equal to the Table and Prose notices, it performed significantly 
less well than the Table Notice on measures of judgment quality.\44\ 
The Report concluded that the table format is likely a key explanation 
for the improvement in comprehension demonstrated by the study 
participants who saw the Table Notice as compared to those who saw the 
other notice styles--especially for difficult perceptual accuracy 
tasks.\45\
---------------------------------------------------------------------------

    \42\ Id. at 16.
    \43\ Id. at 17. According to the Report, an example of a 
difficult task was: Participants were asked to assume that they had 
limited or opted out of all possible sharing for both banks; based 
on that assumption, respondents were asked whether one bank shared 
more personal information than the other or whether both banks 
shared information equally. An example of an easy task was: Using 
the notice, participants were asked to identify how they could tell 
the bank that they wanted to limit or opt out of sharing personal 
information.
    \44\ Levy-Hastak Report at 9-10.
    \45\ Levy-Hastak Report at 17.
---------------------------------------------------------------------------

    While the notice format significantly affected participants' 
ability to comprehend and compare the notices, the testing showed that 
participants' general attitudes about the sharing of their personal 
information were not affected by the notices they saw.\46\ Following 
the two rounds of questions on the content of, and comparison between, 
the notices, the study participants were asked to rate their attitudes 
in general toward information sharing, for example, sharing with 
affiliated banks and with nonaffiliated banks. The results showed that 
participants' attitudes were about the same across the four notice 
formats.\47\
---------------------------------------------------------------------------

    \46\ Id. at 15.
    \47\ Id. Study participants generally did not like their 
information being shared with either affiliates or with 
nonaffiliates.
---------------------------------------------------------------------------

    The Levy-Hastak Report analyzed two specific areas where the Table 
Notice seemed to perform less well than the other notices. First, the 
Report described an anomaly with respect to responses to the question 
[Q. 19/30]: ``Which of these two banks gives you the opportunity to 
limit or to opt out of the sharing of your personal information?'' \48\ 
Generally participants identified the bank or banks that provided an 
opt-out. However, some participants who saw the Table and Prose notices 
selected Mars Bank, the one that shared the least and offered no opt-
out option. Because answering ``Mars Bank'' was identified as an 
incorrect answer, the Current and Sample Clause notices out-performed 
the Table and Prose notices on this question.
---------------------------------------------------------------------------

    \48\ See id. at 12-14.
---------------------------------------------------------------------------

    In contrast, the Table and Prose notices out-performed the other 
two notices on the most difficult task in the test. In this task, 
participants were asked to assume that they had exercised all possible 
options to limit or to opt out of sharing and then to identify which 
bank shared more. Here, the Table and Prose notices significantly out-
performed the other notices. More participants who saw the Table and 
Prose notices correctly gave as their answer the higher sharing bank. 
This result suggests that participants who saw the Table and Prose 
notices did understand which bank(s) offered an opportunity to limit or 
to opt out of their sharing.
    In analyzing this discrepancy, the Levy-Hastak Report observed that 
the simpler question had two different, yet accurate, responses, 
depending on how participants interpreted the question. Some of the 
participants might have understood the question to apply at the point 
of choosing between the two bank notices; those participants selected 
the lower sharing bank. In contrast, other participants might have 
understood the question to mean: Which bank lets me opt out of sharing 
personal information once I am doing business with the bank. The second 
interpretation was the intended meaning of the question. Drs. Levy and 
Hastak hypothesized that some participants who saw the Table and Prose 
notices understood the question to have the first meaning, while other 
participants, particularly those who saw the Sample Clause and Current 
notices, understood the question to have the second meaning.\49\
---------------------------------------------------------------------------

    \49\ Significantly, unlike the Sample Clause and Current 
notices, neither the Table nor the Prose notice uses the word ``opt-
out'' in the model form; rather, these forms refer to ``limiting 
sharing.'' This word choice was intentional to help consumers 
understand that some sharing is necessary and that consumers cannot 
stop all sharing--a concept that consumers who knew the term equated 
with ``opt-out.'' See Kleimann Report, supra note 32, at 101-108. 
Because the Table and Prose notices did not use the word ``opt-
out,'' participants using these notices did not have that word as a 
visual ``cue'' when they were asked the question.
---------------------------------------------------------------------------

    To test this hypothesis, Drs. Levy and Hastak examined the pattern 
of factual mistakes that participants made when they answered a 
separate set of questions.\50\ There, study participants were asked in 
Q. 16/27 why they preferred one bank over the other, based solely on 
the notice. Some participants who selected a bank that shared 
relatively little information and did not offer an opt-out stated that 
this bank offered more opportunity to limit or to opt out of sharing 
than the higher sharing bank, which was labeled a ``false opt-out 
mistake'' in the Report. The Report found that participants who saw the 
Table and Prose notices were on average almost three times as likely to 
make the false opt-out mistake as those who saw the Current and Sample 
Clause notices.\51\
---------------------------------------------------------------------------

    \50\ The Report also examined a second mistake: Where 
participants selected the lower sharing bank when they were asked to 
identify which bank shared more (labeled a ``false sharing 
mistake''). See Levy-Hastak Report at 9. In that case, there was not 
an unusual pattern in the distribution of responses. Rather, the 
Report found that the study participants who made this mistake were 
equally distributed across all four notice styles. Id. at 13.
    \51\ Id.
---------------------------------------------------------------------------

    This finding supports the hypothesis that users of the Table and 
Prose notices who selected the lower sharing bank in response to Q. 19/
30 understood the question in its first meaning: They selected a bank 
that gave them an opportunity to limit or opt out of sharing at the 
time of choosing between the two bank notices. Under that 
interpretation, these participants could limit sharing by selecting the 
bank that shared less information. Thus the Levy-Hastak Report's 
analysis of the false opt-out mistake pattern in Q. 16/27 is consistent 
with their hypothesis regarding the responses to Q. 19/30. In addition, 
the Report found that the educational level of the study participants 
produced a significant effect only on the responses to the opt-out 
question, with better educated participants more likely to answer the 
question in the intended manner.\52\ This finding is also consistent 
with the Report hypothesis that participants who saw the Table and 
Prose notices understood the question in two different, yet equally 
correct ways, unlike those who saw the Sample Clause and Current 
notices.
---------------------------------------------------------------------------

    \52\ Id. at 13-14.
---------------------------------------------------------------------------

    The Table Notice also seemed to perform less well in a second, 
unrelated area. Specifically, all the test notices provided only two 
methods for consumers to opt out of or limit sharing: Use of a toll-
free telephone number or access to the opt-out on the institution's Web 
site. When study participants were asked to identify which contact 
modes were identified in the notice as ways to limit or opt out of 
sharing, they correctly identified the two modes more frequently when 
using the Sample Clause Notice than the Table, Prose, and Current 
notices.
    Noting that this type of question appears to invite skimming the 
notice to find the answer quickly and easily, the Levy-Hastak Report 
examined the great variability in notice length and found that the 
Sample Clause Notice was significantly shorter than any of the other 
notices. The Levy-Hastak Report observed that the shortness of the 
Sample Clause Notice may have made it easier for participants to scan 
the notice and find the answer to this question. The Report opined that 
notice length likely has an effect on scanability and reading ease.\53\
---------------------------------------------------------------------------

    \53\ Levy-Hastak Report at 14. In addition, the use of check 
boxes in the design of the opt-out section of the Table and Prose 
notices (a carry-over from the original mail-in format of the 
proposed model form) appeared to confuse some participants when they 
were asked this question. The responses recorded for these two 
notices reflected a somewhat higher number of ``other'' responses, 
even though all the notices offered the same two options. Macro 
reported anecdotally that a number of participants who viewed the 
Table and Prose notices reported ``check this box'' as one of the 
methods offered to opt out or limit sharing--a response that was 
recorded as ``other.''

---------------------------------------------------------------------------

[[Page 62896]]

    While the Levy-Hastak Report findings confirmed the overall 
effectiveness of the Table Notice,\54\ the Report's analysis prompted 
the Agencies to consider a further refinement to the proposed model 
form. The change, discussed in more detail later, was to modify the 
opt-out section of the model form to place the opt-out information on 
page one directly following the disclosure table so that all the key 
information appears on that page. \55\ The Agencies considered this 
change to facilitate quick scanning for important information without 
sacrificing the model form's performance in other respects. To ensure 
that locating the opt-out information on page one worked from a 
usability perspective, the Agencies decided to conduct validation 
testing which led to separate formats for the telephone and Internet 
opt-out and for the mail-in opt-out that the Agencies are adopting.
---------------------------------------------------------------------------

    \54\ Id. at 17.
    \55\ Some commenters had urged the Agencies to consolidate the 
model form on two sides of a single piece of paper, and a few 
suggested that the Agencies consider moving the opt-out to page one. 
See, e.g., comment letters of Securities Industry and Financial 
Markets Ass'n (May 29, 2007); World's Foremost Bank (May 25, 2007); 
World Financial Network National Bank (May 29, 2007); World 
Financial Capital Bank (May 25, 2007).
---------------------------------------------------------------------------

E. Public Comments on the Quantitative Test Data

    Nine commenters representing insurance, securities, and financial 
services associations, a bank, and two investment advisers submitted 
comments in response to the SEC's solicitation for public comments on 
the quantitative testing. Most of the commenters re-stated their 
earlier general objections to the proposed model form. These concerns 
are addressed in section III.
    All but one of these commenters made general observations about the 
quantitative test methodology and the Levy-Hastak Report. Five 
commenters observed that the test notices were designed for banks and 
not for insurance companies or securities firms (i.e., broker-dealers, 
investment companies, or SEC-registered investment advisers), thereby 
omitting a significant portion of the financial services industry that 
provide these notices.\56\ Two commenters opined that the study 
participants' demographic characteristics did not reflect those 
consumers who will receive financial privacy notices.\57\ One expressed 
concern about the demographic diversity in the mall selections and 
questioned whether there was consistent coding of the open-ended 
responses.\58\ One commented that the testing criteria ruled out non-
English speaking participants.\59\
---------------------------------------------------------------------------

    \56\ See comment letters of American Council of Life Insurers 
(May 20, 2009), National Ass'n of Mutual Insurance Cos. (May 20, 
2009), American Insurance Ass'n (May 20, 2009), Investment Adviser 
Ass'n (May 20, 2009), The Financial Services Roundtable and BITS 
(May 20, 2009).
    \57\ See comment letters of National Ass'n of Mutual Insurance 
Cos. (May 20, 2009); The Financial Services Roundtable and BITS (May 
20, 2009).
    \58\ See comment letter of The Financial Services Roundtable and 
BITS (May 20, 2009).
    \59\ See id. The Agencies used a single form, printed in 
English, for simplicity in conducting the testing. We recognize that 
institutions can and do provide notices in a variety of other 
languages when their customers are non-English speaking. We 
anticipate that those institutions that use the final model form 
will continue to provide their notices in other languages to ensure 
that their non-English speaking customers can read and use the form. 
See also Transcript of Get Noticed Workshop, available at http://www.ftc.gov/bcp/workshops/glb/GLBtranscripts.pdf, comments of Irene 
Etzkorn (recognizing that banks do provide financial privacy notices 
in languages other than English); comments of Tena Friery (noting 
that the Privacy Rights Clearinghouse promotes notices and 
educational materials in other languages and that 80-100 different 
languages are spoken in Los Angeles alone).
---------------------------------------------------------------------------

    Some of the commenters disagreed with the Levy-Hastak Report's 
conclusion that the Table Notice outperformed the other notice formats. 
They opined that the Report's conclusion is flawed because: (1) The 
Sample Clause Notice did better on simpler tasks than the Table Notice; 
\60\ (2) the anomalies discussed in the Levy-Hastak Report may be due 
to other explanations; \61\ and (3) while the Table Notice's overall 
performance was better than the other notices, actual performance 
accuracy was relatively low.\62\ Several commented that the overly 
simplified and inflexible format of the Table Notice is not a true test 
of consumers' understanding of institutions' actual collection and 
disclosure practices.\63\ In addition, all commenters on the 
quantitative testing urged retention of the Sample Clauses and related 
safe harbor.
---------------------------------------------------------------------------

    \60\ See comment letters of American Insurance Ass'n (May 20, 
2009); National Ass'n of Mutual Insurance Cos. (May 20, 2009). While 
some commenters find greater virtue in the better performance of the 
Sample Clause Notice on only the simpler tasks or disagree with the 
Levy-Hastak Report's analyses, the evidence is compelling that the 
Table Notice performed better overall across all comprehension and 
comparison measures. See Levy-Hastak Report at 6.
    \61\ See comment letter of American Council of Life Insurers 
(May 20, 2009).
    \62\ Id.
    \63\ See, e.g., comment letter of The Financial Services 
Roundtable and BITS (May 20, 2009).
---------------------------------------------------------------------------

    The test notices for the quantitative study were created for 
fictitious banks, even though the model form can be used by any 
financial institution subject to the GLB Act and the privacy rule. 
Because the vast majority of consumers are familiar with or have 
experience with a bank, the Agencies used a notice designed for a bank 
to increase the likelihood that most of the test participants could 
readily understand the terms in the notice, such as ``account 
balances,'' ``income,'' or ``credit history,'' which describe 
information collected and shared by many banks, as well as by many 
other financial institutions.
    The Macro Report presented data on the demographic characteristics 
of the study participants recruited for the study. Participants at each 
mall were pre-selected for a representative mix based on gender, age, 
and education levels, and information on participants' race/ethnicity, 
income, and household size was obtained at the end of each 
interview.\64\ Since a significant majority of consumers in America 
receive a financial privacy notice--including from banks, credit 
unions, securities firms, insurance companies, auto dealers, debt 
collectors, and payday lenders--the Agencies wanted to ensure that a 
representative cross-section of consumers be included in the study.
---------------------------------------------------------------------------

    \64\ Macro Report, supra note 34, at 3 & Appendix B; Levy-Hastak 
Report at 2.
---------------------------------------------------------------------------

    The Agencies hired Macro as an outside independent expert to handle 
all aspects of the collection and reporting of the study data. Macro 
conducted all training of field staff, implemented a series of checks 
to ensure greater accuracy of the study data, reviewed, on an ongoing 
basis, all daily downloads of data from the field, and coded all of the 
open-end responses.\65\
---------------------------------------------------------------------------

    \65\ Macro Report, supra note 34, at 3-4.
---------------------------------------------------------------------------

    With respect to the comment that the accuracy of the study 
participants' responses overall was relatively low, the commenter cited 
the judgment quality measure of the participants' fact-based reasons 
for choosing the lower sharing bank.\66\ While the results showed that 
most consumers likely have a limited

[[Page 62897]]

understanding of information sharing practices after a brief exposure 
to any of the notice styles, nevertheless the Levy-Hastak Report 
confirms that overall the Table Notice out-performed the other notices 
and is the most effective notice of all the privacy notices tested.
---------------------------------------------------------------------------

    \66\ The commenter looked to the Table Notice score of 40.6% in 
Table 1 of the Levy-Hastak Report. Levy-Hastak Report at 12. This 
data evaluated how well study participants could explain their 
reasons for preferring one bank notice over another where they 
selected, as their preferred bank, the lower sharing bank. While the 
commenter pointed to a single measure in the Levy-Hastak Report, the 
Report relied on a number of accuracy measures that varied in 
difficulty level. See, e.g., id., Table 3 at 12.
---------------------------------------------------------------------------

    Finally, two commenters requested that if both the model privacy 
form and the SEC's proposed amendments to its privacy rule, Regulation 
S-P, were adopted, the SEC should coordinate the compliance dates so as 
to minimize the compliance burden and the potential for multiple 
revisions of an institution's privacy notice.\67\ The SEC appreciates 
in