On December 1, 2009, the “Agencies,” including the Federal Deposit Insurance Corporation, the Federal Reserve Board, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the National Credit Union Administration, the Federal Trade Commission, the Commodity Futures Trading Commission, and the Securities and Exchange Commission, adopted a model privacy notice form, which was developed to comply with the requirements of the Gramm-Leach-Bliley Act (GLB). The December 2009 issue of Basis Points discussed the publication of the Agencies’ final rule (Final Rule) and the model privacy form adopted under the Final Rule. In this article, I will focus on ten notable items concerning the model form and highlight some issues that may not be readily apparent from the form itself, but which are discussed in detail in the Supplementary Information accompanying the Final Rule and the model form Instructions.
1. More than One Version
There are three versions of the model privacy form (and one alternative format of the Version 3 mail-in form) and an institution that does not select the appropriate version is not afforded the Final Rule‘s “safe harbor.” Version 1, referred to as “Model Form With No Opt-Out,” should be used only when an institution does not share information that a customer is legally entitled to limit under GLB or the Fair Credit Reporting Act (FCRA) and where the institution does not voluntarily allow a customer to limit sharing that is not otherwise limited by law. Version 2, referred to as “Model Form With Opt-Out by Telephone and/or Online,” should be used when an institution shares information that a customer is legally entitled to limit or where the institution voluntarily allows a customer to limit sharing that is not otherwise limited by law and where the customer is not offered the option of exercising the choice to limit such sharing through the mail. Version 3 is similar to Version 2 in all respects, except that Version 3 affords the customer the option of informing the institution of her choice to limit sharing by mail. The alternative mail-in format in Version 4 does not include the full model form, but simply provides a different mail-in form, which alters the placement of the institution’s “mail to” information. An institution should take the opportunity to carefully review its sharing information practices and available opt-out methods prior to selecting the appropriate model form version.
2. “Opt-out”
Search as you may, you will not find the term “opt-out” used in any version of the model form. The snub is in fact intentional. The Agencies reasoned that the form should be designed “to help consumers understand that some sharing is necessary and that consumers cannot stop all sharing – a concept that consumers who knew the term equated with ‘opt-out.’” Instead of the term “opt-out,” the model form uses the phrase “to limit” sharing. Consequently, to maintain consistency with that terminology and to avoid any customer confusion as to the extent of the right, any system through which the customer may exercise the right to limit sharing – be it phone or online – should use the same terminology. This may entail updating the institution’s current script used on its phone-in option and on its online option to remove references to “opt-out” and replace those references with the customer’s ability “to limit” sharing.
3. Affiliate Marketing
The sixth line of the disclosure table on page 1, which reads “[f]or our affiliates to market to you,” provides the FCRA affiliate marketing notice. This disclosure is optional in the model form and may be omitted. However, if the institution elects not to include the notice in the model form, then the institution is required to provide the notice in a separate disclosure that complies with the FCRA affiliate marketing rule requirements. Under the FCRA requirements, the consumer’s opt-out election is limited to a period of five years (after which the consumer must receive and exercise a further opt-out notice to extend the period for an additional five years). This five-year limitation does not apply where the institution elects to provide the FCRA affiliate marketing notice in the model form. When used in the model form the customer’s exercise of the right to limit such sharing (and more technically the use of the information) is for an “indefinite duration” coincident with the customer’s election as to the other sharing limitations. The Agencies trade-off for the extended opt-out is to provide a “safe harbor” for the FCRA affiliate marketing notice when used in conjunction with the model form.
4. Use of Account #
Both versions of the mail-in form invite an institution to use an “Account #” as a method of customer identification by including that reference directly on the form. However, the Agencies have advised in a not so subtle recommendation (as discussed in the Supplementary Information) that they “strongly encourage institutions to use some other sort of identifier.” Indeed, the Agencies recommend that an institution consider using a randomly generated opt-out code or a truncated account number, as opposed to the full account number. The Agencies remind institutions that any identifying information requested from customers who wish to exercise their opt-out right “must be reasonable under the privacy rule and reasonable and simple under the affiliate marketing rule.” To that end, the Agencies caution institutions about “requesting information beyond the consumer’s name and address.” In light of the Agencies seemingly inconsistent guidance, an institution should decline the invitation to use a customer’s full account number as a requirement to exercise the right to limit information sharing and should modify the model form accordingly.
5. Privacy Policy
You may have thought (as one logically would) of the model form as your institution’s privacy policy or privacy notice. Although this may be technically true, the Agencies do not want the institution to title it as such. The Agencies extensive research of how customers react to forms labeled as privacy policy or privacy notice shows that these terms deterred consumers from reading the notice. As a result, the Agencies use the following title for the privacy notice: “What Does [name of financial institution] Do With Your Personal Information?” Institutions may be affected by this change in terminology because the institution may have collateral documents or correspondence that refers to its “privacy policy” or “privacy notice.” Because the Agencies have concluded that customers are less likely to read a “privacy policy” or “privacy notice,” the institution should consider revising the references to those terms in its other documents to refer to the document under its new title.
6. Page 2
At the top of page 2 of the model form, you will note that there is a shaded box labeled “Page 2.” This is not an informal reference to distinguish it from page 1 under the Final Rule. It is actually part of the model form. The Agencies call it the “heading” for page 2 of the model form. Although it is not clear why the placement of the page number makes the notice any more clear or conspicuous, it is just such an item that institutions may be tempted to move. However, regardless of the significance of its placement, moving the page number will jeopardize the institution’s ability to rely on the Final Rule’s safe harbor.
7. Definitions
The Instructions addressing how an institution must complete the page 2 definitions’ section are very specific. First, the institution must complete the bullets for “affiliate information,” “nonaffiliate information,” and “joint marketing information,” in italics. Secondly, the institution must use the exact language provided in the Instructions to complete the definitions – with one important exception. As an example, to complete the definition of “Affiliates,” the institution has three choices. If the institution has no affiliates, the institution must complete the definition by stating that the institution “has no affiliates.” If the institution has affiliates, but does not share information with those affiliates, the institution must state that the institution “does not share with our affiliates.” Notably, although this section is labeled definitions, when using the non-sharing option, the institution is not required to define its affiliates. If the institution does share information with affiliates, the institution must customize the definition to include an “illustrative list of companies” with which the information is shared. The institution is not required to list all of its affiliates in this section. Similarly, an institution must “list categories of companies,” such as mortgage companies or credit card companies, as applicable, to comply with the “nonaffiliate information” and “joint marketing information” definitions. Again, the institution is not required to (and in fact may not) list the actual names of the nonaffilaites with which it shares information and the actual names of the companies with which it has joint marketing agreements.
8. Acknowledgement
The model form does not provide a signature block for a customer’s acknowledgement of receipt. However, the Agencies permit the addition of a customer acknowledgement of receipt as stated in both the Supplemental Information and the Instructions, which expressly allow an institution to add and obtain a customer’s acknowledgement of receipt in the box labeled “Other important information” on page 2 of the model form. Because the customer must be able to retain the full content of the model form, the institution should provide the model form in duplicate to the customer so the institution and the customer may each retain one fully acknowledged copy or, alternatively, the institution may add a page 3 to the model form to capture the customer’s acknowledgement.
9. Additional Opt-outs v. Opt-Ins
The Agencies permit institutions to offer customers additional opt-outs under state law requirements, such as the California-specific opt-out right for joint marketing. Those additional opt-outs must be included in the “Other important information” box on page 2 of the model form. However, the Agencies do not permit institutions to use the model form (in the “Other important information” box or otherwise) to provide state-specific opt-in requirements. If the institution is subject to state-specific opt-in requirements, the institution must provide the customer notice of those requirements in a separate disclosure.
10. The Model Forms are Optional
The model forms are, in fact, optional and an institution may choose to meet GLB’s content and opt-out privacy notice requirements by creating its own form. However, in reality this option is a classic Hobson’s choice, where an institution is actually given a free choice of only one offered option. Specifically, an institution that elects not to use the model form is not entitled to the Final Rule’s “safe harbor,” which provides that the use of the appropriate model form, consistent with the Instructions, constitutes compliance with GLB’s content and opt-out privacy notice requirements. Therefore, an institution that does not rest on the available safe harbor by not using the appropriate model form faces a rigorous burden to prove that its non-model form meets all of GLB’s content and opt-out notice requirements, including GLB’s clear and conspicuous standard. That burden would likely require that the institution produce its own testing research to demonstrate compliance with the standard because the Agencies spent numerous years and engaged in significant testing in determining that their model form meets this standard, in addition to, each of GLB’s other disclosure and notice requirements.
Dana Frederick Clarke is a partner in the California office of Hudson Cook, LLP. Basis Points readers can reach Dana at 714-263-0427 or by email at dclarke@hudco.com.