The Federal Deposit Insurance Corporation, the Federal Reserve Board, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the National Credit Union Administration, the Federal Trade Commission, the Commodity Futures Trading Commission, and the Securities and Exchange Commission (“Agencies”) adopted final model privacy notice forms developed pursuant to the Gramm-Leach-Bliley Act (“GLB”). Congress directed the Agencies to develop model forms in the 2006 Financial Services Regulatory Relief Act. The final model privacy notice forms mark the end of a six-year process to improve the clarity and consistency of GLB privacy notices, a large part of which was devoted to extensive consumer testing.
The Agencies’ new model forms phase out the current Sample Clauses as the GLB privacy rules’ safe harbor. During a transition period for compliance that will begin 30 days after the forms are published in the Federal Register and continue through December 31, 2010, the GLB privacy notice rules will provide safe harbor protection to privacy notices that either adopt the new model forms or continue to use the existing Sample Clauses. Any compliant privacy notice delivered or posted online by a financial institution during that transition period will have a one-year safe harbor from the date of delivery or posting. Beginning January 1, 2011, financial institutions cannot rely on the Sample Clauses: privacy notices delivered or posted on or after that date must adopt the new model forms to take advantage of the safe harbor.
The Agencies have released three model notices: one for financial institutions that are not required to provide an opt-out notice and opportunity, a second for financial institutions that wish to provide an opt-out mechanism by telephone and Internet, and a third for financial institutions that wish to provide an opt-out mechanism with a mail-in form. In each case, the model notice is two pages and may be printed on a single piece of paper.
The model notice’s first page calls for background information, including the notice’s title, context, and date of last revision as well as the financial institution’s contact information and a description of the personal information at issue; information about a financial institution’s sharing policies presented in table form; and an opt-out notice, if applicable. Notably, the model notice’s table lists various types of information sharing that the financial institution may or may not engage in. The table calls for the financial institution to indicate whether it engages in each form of sharing and, if so, whether applicable law gives consumers the right to opt out of that sharing. In other words, the model notice, unlike the existing Sample Clauses, requires financial institutions to provide information about their sharing policies even if the consumer has no right to limit that activity.
The model notice’s second page calls for what the Agencies label “supplemental information.” This includes answers to several frequently asked questions and relevant definitions. The model notice also allows a financial institution to add “other important informati on” at the bottom of page two. In response to public comments, this could include a discussion of state or international privacy standards or a space for customers to sign an acknowledgement of receipt.
The Agencies’ release responds to objections to the model notice submitted by industry representatives in public comments. These commenters were concerned that the model notice was too simplistic to present an accurate description of a financial institution’s actual information sharing practices. Without much discussion, the Agencies state that the advantages of a standardized format from consumers’ perspective overwhelmed industry’s challenges. The Agencies also note that financial institutions that are not satisfied with the model notice are free to develop their own compliant notice if they wish.
The release devotes dozens of pages to providing compliance guidance. This guidance includes explanations on issues both big and small – from a discussion of the pros and cons of a standardized form to matters of paper size, type size, and general readability.
Michael Goodman is a partner in the Washington, D.C., office of Hudson Cook, LLP. Basis Points readers can reach Michael at 202-327-9704 or by email at mgoodman@hudco.com.
Meghan Musselman is an associate in the Maryland office of Hudson Cook, LLP. Basis Points readers can reach Meghan at 410-865-5403 or by email at mmusselman@hudco.com.