
e9-27882

  • FR Doc E9-27882 [Federal Register: December 1, 2009 (Volume 74, Number 229)]

    [Rules and Regulations]

    [Page 62889-62994]

    From the Federal Register Online via GPO Access [wais.access.gpo.gov]

    [DOCID:fr01de09-19]

    [[Page 62889]]

    -----------------------------------------------------------------------

    Part II

    Department of the Treasury

    Office of the Comptroller of the Currency

    12 CFR Part 40

    -----------------------------------------------------------------------

    Federal Reserve System

    12 CFR Part 216

    -----------------------------------------------------------------------

    Federal Deposit Insurance Corporation

    12 CFR Part 332

    -----------------------------------------------------------------------

    Department of the Treasury

    Office of Thrift Supervision

    12 CFR Part 573

    -----------------------------------------------------------------------

    National Credit Union Administration

    12 CFR Part 716

    -----------------------------------------------------------------------

    Federal Trade Commission

    16 CFR Part 313

    -----------------------------------------------------------------------

    Commodity Futures Trading Commission

    17 CFR Part 160

    -----------------------------------------------------------------------

    Securities and Exchange Commission

    17 CFR Part 248

    -----------------------------------------------------------------------

    Final Model Privacy Form Under the Gramm-Leach-Bliley Act; Final Rule

    [[Page 62890]]

    -----------------------------------------------------------------------

    DEPARTMENT OF THE TREASURY

    Office of the Comptroller of the Currency

    12 CFR Part 40

    [Docket ID OCC-2009-0011]

    RIN 1557-AC80

    FEDERAL RESERVE SYSTEM

    12 CFR Part 216

    [Docket No. R-1280]

    FEDERAL DEPOSIT INSURANCE CORPORATION

    12 CFR Part 332

    RIN 3064-AD16

    DEPARTMENT OF THE TREASURY

    Office of Thrift Supervision

    12 CFR Part 573

    [Docket ID OTS-2009-0014]

    RIN 1550-AC12

    NATIONAL CREDIT UNION ADMINISTRATION

    12 CFR Part 716

    RIN 3133-AC84

    FEDERAL TRADE COMMISSION

    16 CFR Part 313

    [Project No. 034815]

    RIN 3084-AA94

    COMMODITY FUTURES TRADING COMMISSION

    17 CFR Part 160

    RIN 3038-AC04

    SECURITIES AND EXCHANGE COMMISSION

    17 CFR Part 248

    [Release Nos. 34-61003, IA-2950, IC-28997; File No. S7-09-07]

    RIN 3235-AJO6

    Final Model Privacy Form Under the Gramm-Leach-Bliley Act

    AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC);

    Board of Governors of the Federal Reserve System (Board); Federal

    Deposit Insurance Corporation (FDIC); Office of Thrift Supervision,

    Treasury (OTS); National Credit Union Administration (NCUA); Federal

    Trade Commission (FTC); Commodity Futures Trading Commission (CFTC);

    and Securities and Exchange Commission (SEC).

    ACTION: Final rule.

    -----------------------------------------------------------------------

    SUMMARY: The OCC, Board, FDIC, OTS, NCUA, FTC, CFTC, and SEC (the

    ``Agencies'') are publishing final amendments to their rules that

    implement the privacy provisions of Subtitle A of Title V of the Gramm-

    Leach-Bliley Act (``GLB Act''). These rules require financial

    institutions to provide initial and annual privacy notices to their

    customers. Pursuant to Section 728 of the Financial Services Regulatory

    Relief Act of 2006 (``Regulatory Relief Act'' or ``Act''), the Agencies

    are adopting a model privacy form that financial institutions may rely

    on as a safe harbor to provide disclosures under the privacy rules. In

    addition, the Agencies other than the SEC are eliminating the safe

    harbor permitted for notices based on the Sample Clauses currently

    contained in the privacy rules if the notice is provided after December

    31, 2010. Similarly, the SEC is eliminating the guidance associated

    with the use of notices based on the Sample Clauses in its privacy rule

    if the notice is provided after December 31, 2010.

    DATES: This rule is effective on December 31, 2009, except for the

    following amendments, which are effective January 1, 2012:

    Instructions 3B, 10B, 17B, 24B, 31B, 38B, 45B, and 52B removing

    paragraphs (g) to 12 CFR 40.6, 216.6, 332.6, 573.6, and 716.6, 16 CFR

    313.6, and 17 CFR 160.6 and 248.6, respectively; and

    Instructions 7B, 14B, 21B, 28B, 35B, 42B, 49B, and 55B removing

    Appendixes B to 12 CFR parts 40, 216, 332, 573, and 716, 16 CFR part

    313, and 17 CFR parts 160 and 248, respectively.

    FOR FURTHER INFORMATION CONTACT: OCC: Stephen Van Meter, Assistant

    Director, Community and Consumer Law Division, (202) 874-5750; Heidi

    Thomas, Special Counsel, Legislative and Regulatory Activities

    Division, (202) 874-5090; or David Nebhut, Director, Policy Analysis

    Division, (202) 874-5220, Office of the Comptroller of the Currency,

    250 E Street, SW., Washington, DC 20219.

    Board: Jeanne Hogarth, Consumer Policies Program Manager, Jelena

    McWilliams, Attorney, or Ky Tran-Trong, Counsel, Division of Consumer

    and Community Affairs, (202) 452-3667; Kara Handzlik, Attorney, Legal

    Division, (202) 452-3852; Board of Governors of the Federal Reserve

    System, 20th Street and Constitution Avenue, NW., Washington, DC 20551.

    FDIC: Samuel Frumkin, Senior Policy Analyst, Division of

    Supervision and Consumer Protection, (202) 898-6602; or Kimberly A.

    Stock, Counsel, (202) 898-3815, Legal Division; Federal Deposit

    Insurance Corporation, 550 17th Street, NW., Washington, DC 20429.

    OTS: Ekita Mitchell, Consumer Regulations Analyst, (202) 906-6451;

    or Richard Bennett, Senior Compliance Counsel, Regulations and

    Legislation Division, (202) 906-7409; 1700 G Street, NW., Washington,

    DC 20552.

    NCUA: Regina Metz, Staff Attorney, (703) 518-6561, Office of

    General Counsel, National Credit Union Administration, 1775 Duke

    Street, Alexandria, Virginia 22314-3428.

    FTC: Loretta Garrison, Senior Attorney, and Anthony Rodriguez,

    Attorney, Division of Privacy and Identity Protection, Bureau of

    Consumer Protection, (202) 326-2252, Federal Trade Commission, 600

    Pennsylvania Avenue, NW., Stop NJ-3158, Washington, DC 20580.

    CFTC: Laura Richards, Deputy General Counsel, (202) 418-5126, or

    Gail B. Scott, Counsel, Office of General Counsel, (202) 418-5139,

    Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st

    Street, NW., Washington, DC 20581.

    SEC: Paula Jenson, Deputy Chief Counsel, or Brice Prince, Special

    Counsel, Office of the Chief Counsel, Division of Trading and Markets,

    (202) 551-5550; or Penelope Saltzman, Assistant Director, Thoreau

    Bartmann, Senior Counsel, or Daniel Chang, Staff Attorney, Office of

    Regulatory Policy, Division of Investment Management, (202) 551-6792,

    Securities and Exchange Commission, 100 F Street, NE., Washington, DC

    20549.

    SUPPLEMENTARY INFORMATION: The Agencies are publishing final amendments

    to each of their rules (which are consistent and comparable) that

    implement the privacy provisions of the GLB Act: 12 CFR part 40 (OCC);

    12 CFR part 216 (Board); 12 CFR part 332 (FDIC); 12 CFR part 573 (OTS);

    12 CFR part 716 (NCUA); 16 CFR part 313 (FTC); 17 CFR part 160 (CFTC);

    and 17 CFR part 248 (SEC) (collectively, the ``privacy rule'').\1\

    ---------------------------------------------------------------------------

    \1\ Because the Agencies' privacy rules generally use consistent

    section numbering, relevant sections will be cited, for example, as

    ``section ----.6'' unless otherwise noted.

    I. Introduction

    A. Statutory Authority and Overview

    B. Overview of the Final Model Privacy Form

    II. Background

    A. The Gramm-Leach-Bliley Act Privacy Notices

    [[Page 62891]]

    B. Development of Proposed Model Privacy Form

    C. Overview of Comments Received

    D. Quantitative Research

    E. Public Comments on the Quantitative Test Data

    F. Validation Testing

    III. The Final Model Privacy Form

    A. Standardization

    B. Instructions for Use

    C. Format of the Notice

    D. Appearance of the Model Privacy Form

    E. Optional General Guidance for Easily Readable Type

    F. Printing, Color, and Logos

    G. Jointly-Provided Notices

    H. Use of the Form by Differently-Regulated Entities

    I. Page One of the Model Form

    J. Page Two of the Model Form

    K. Other Issues

    IV. The Sample Clauses

    V. Effective Date

    VI. Final Regulatory Flexibility Analysis

    VII. Paperwork Reduction Act

    VIII. OCC and OTS Executive Order 12866 Determination

    IX. OCC and OTS Executive Order 13132 Determination

    X. OCC and OTS Unfunded Mandates Reform Act of 1995 Determination

    XI. SEC Cost-Benefit Analysis

    XII. SEC Consideration of Burden on Competition

    XIII. NCUA: The Treasury And General Government Appropriations Act,

    1999--Assessment of Federal Regulations and Policies on Families

    XIV. CFTC Cost-Benefit Analysis

    I. Introduction

    A. Statutory Authority and Overview

    The Regulatory Relief Act was enacted on October 13, 2006.\2\

    Section 728 of the Act directs the Agencies to ``jointly develop a

    model form which may be used, at the option of the financial

    institution, for the provision of disclosures under [section 503 of the

    GLB Act].'' \3\ The Regulatory Relief Act stipulates that the model

    form shall be a safe harbor for financial institutions that elect to

    use it. Section 728 further directs that the model form shall:

    ---------------------------------------------------------------------------

    \2\ Public Law No. 109-351, 120 Stat. 1966 (2006).

    \3\ Id., adding 15 U.S.C. 6803(e). See also infra discussion at

    section II.A. on the GLB Act requirements for financial privacy

    notices. Section 728 of the Regulatory Relief Act directs the

    agencies named in Section 504(a)(1) of the GLB Act, 15 U.S.C.

    6804(a)(1), to develop a model form. The CFTC, which did not become

    subject to Title V of the GLB Act until 2000, is not named in that

    section. The Commodity Exchange Act (``CEA'') was amended in 2000 by

    the Commodity Futures Modernization Act of 2000 to make the CFTC a

    ``Federal functional regulator'' subject to the GLB Act Title V. See

    Section 5g of the CEA, 7 U.S.C. 7b-2. The CFTC interprets Section

    728 of the Regulatory Relief Act as applying to it through Section

    5g.

    ---------------------------------------------------------------------------

    (A) Be comprehensible to consumers, with a clear format and design;

    (B) provide for clear and conspicuous disclosures;

    (C) enable consumers easily to identify the sharing practices of a

    financial institution and to compare privacy practices among financial

    institutions; and

    (D) be succinct, and use an easily readable type font.

    On March 29, 2007, the Agencies published a proposed model privacy form

    (the ``proposed model form'') that financial institutions would be able

    to use to comply with certain disclosures under the privacy rule.\4\ On

    April 15, 2009, the SEC reopened the comment period on the proposed

    rulemaking to solicit comment on a research report and test data

    pertaining to additional consumer testing of the proposed model privacy

    form.\5\ Today, the Agencies are amending the privacy rule to include a

    model privacy form that institutions may use to provide required

    disclosures. The final model form is substantially as proposed with

    changes based on comments we received as well as additional consumer

    testing.

    ---------------------------------------------------------------------------

    \4\ See Interagency Proposal for Model Privacy Form under the

    Gramm-Leach-Bliley Act (``Proposed Rule''), 72 FR 14940 (Mar. 29,

    2007), available at

    http://www.ftc.gov/os/2007/03/CorrectedNeptuneMarsandGenericFormsfrn.pdf. A Correction Notice was

    published at 72 FR 16875 (Apr. 5, 2007).

    \5\ See Interagency Proposal for Model Privacy Form under the

    Gramm-Leach-Bliley Act, Securities Exchange Act Release No. 59769,

    Investment Company Act Release No. 28697 (Apr. 15, 2009) [74 FR

    17925 (Apr. 20, 2009)].

    ---------------------------------------------------------------------------

    B. Overview of the Final Model Privacy Form

    As explained more fully in the Agencies' Proposed Rule, key

    elements of the final model form's structure and design, as well as

    vocabulary, reflect the research findings of the qualitative consumer

    testing.\6\ The Agencies believe that the final model form as revised

    meets all the requirements of the Act and, based on the qualitative

    research that led to the development of the proposed model form and the

    quantitative consumer testing described below, is easier to understand

    and use than most privacy notices currently being disseminated.

    ---------------------------------------------------------------------------

    \6\ The Agencies conducted the consumer research in two phases:

    the first was qualitative testing or form development; the second

    was quantitative testing. See infra section II.

    ---------------------------------------------------------------------------

    While the model form provides a legal safe harbor, institutions may

    continue to use other types of notices that vary from the model form so

    long as these notices comply with the privacy rule. For example, an

    institution could continue to use a simplified notice if it does not

    have affiliates and does not intend to share nonpublic personal

    information with nonaffiliated third parties outside of the exceptions

    provided in sections ----.14 and ----.15.\7\ Likewise, while the

    Agencies are eliminating the Sample Clauses and related safe harbor

    (or, for the SEC, guidance), institutions may continue to use notices

    containing these clauses, so long as these notices comply with the

    privacy rule.\8\

    ---------------------------------------------------------------------------

    \7\ See privacy rule, section ----.6(c)(5), NCUA section

    716.6(e)(5).

    \8\ See infra section IV.

    ---------------------------------------------------------------------------

    The following section briefly summarizes the key features of the

    final model form and the changes to the proposed form. A detailed

    discussion of the elements of the final model form appears in section

    III.

    1. The Structure

    The final model form has two pages, rather than the three pages in

    the proposed form, and may be printed on a single piece of paper.\9\

    Together, pages one and two address the legal requirements of

    applicable Federal financial privacy laws and are designed to increase

    consumer comprehension. The Agencies are not mandating a specific paper

    size in the final model form as long as the paper is in portrait

    orientation and sufficient to accommodate minimum font size, spacing,

    and content requirements.

    ---------------------------------------------------------------------------

    \9\ For ease, the Appendix provides three versions of the final

    model form: (1) Model form with no opt-out; (2) model form with

    telephone and Web opt-out only; and (3) model form that includes a

    mail-in opt-out form. An alternative mail-in form (version 4) may be

    substituted for the mail-in portion of the model form in version 3.

    For those institutions that use the model form and need to provide a

    mail-in opt-out form, the reverse side to that opt-out form must not

    include any content of the model form. See F.4 of the Frequently

    Asked Questions for the Privacy Regulation, available at

    http://www.ftc.gov/privacy/glbact/glb-faq.htm (Dec. 2001) (staff guidance

    issued by the Board, FDIC, FTC, OCC, OTS, and NCUA) (stating that a

    consumer generally should be able to detach a mail-in opt-out form

    from a privacy notice without removing text from the privacy

    policy).

    ---------------------------------------------------------------------------

    2. Page One--Background Information, the Disclosure Table, and Opt-Out

    Information

    Page one of the final model form has five parts: (1) The title; (2)

    an introductory section called the ``key frame'' which provides context

    to help the consumer understand the required disclosures; (3) a

    disclosure table that describes the types of sharing used by financial

    institutions consistent with Federal law, which of those types of

    sharing the institution actually does, and whether the consumer can

    limit or opt out of any of the institution's sharing; (4) only if

    needed, a box titled ``To limit our sharing'' for opt-out information;

    and (5) the institution's customer service contact information. Where

    the institution provides a mail-in

    [[Page 62892]]

    opt-out form, that form appears at the bottom of page one.

    There are three significant changes on page one of the final model

    form.\10\ First, the ``What?'' box has been modified to permit

    institutions to select from a menu of terms the types of information

    collected and shared (other than Social Security number). Second,

    information (if needed) about how to limit sharing or opt out follows

    the disclosure table. If the institution provides a mail-in opt-out

    form, that form appears at the bottom of page one. Third, the final

    model form includes at the top of the page in the right-hand corner the

    date by month and year of the most recent version of the notice.

    Institutions may include at the bottom of page one a ``tagline'' (an

    internal identifier) or barcode for information internal to the

    company, so long as these do not interfere with the clarity or text of

    the form.\11\

    ---------------------------------------------------------------------------

    \10\ See infra section III.I.

    \11\ See, e.g., comment letters of T. Rowe Price Associates,

    Inc. (May 29, 2007); Wolters Kluwer Financial Services (May 24,

    2007).

    ---------------------------------------------------------------------------

    3. Page Two--Supplemental Information

    As in the proposed model form, the second page of the final model

    form provides additional explanatory information that, in combination

    with page one, ensures that the notice includes all elements described

    in the GLB Act as implemented by the privacy rule. There is

    supplemental information in the form of Frequently Asked Questions

    (``FAQs'') \12\ at the top and definitions below. There are three

    significant changes to the disclosures on page two of the final

    form.\13\ First, a new FAQ appears at the top of page two that can be

    used to identify those institutions that jointly provide the notice.

    Second, the FAQ on the collection of information has been modified to

    allow institutions to select from a menu of terms. Third, a new box has

    been provided at the bottom of page two titled ``Other important

    information.'' This box can be used in only two ways: (1) to discuss

    state and/or international privacy law requirements; and (2) to provide

    an acknowledgment of receipt form.\14\

    ---------------------------------------------------------------------------

    \12\ Note that a financial institution must insert its name or a

    common corporate identity as indicated in the two questions in this

    section each time that ``[name of financial institution]'' appears.

    The revised form has eliminated the FAQ ``How does [name of

    financial institution] notify me about its practices.''

    \13\ See infra section III.J.

    \14\ This use was provided in response to a request by the

    National Automobile Dealers Ass'n, whose members routinely ask

    customers to sign an acknowledgment of receipt on a copy of the

    dealer's privacy notice and retain this record verifying delivery of

    the notice. Comment letter of the National Automobile Dealers Ass'n

    (May 29, 2007).

    ---------------------------------------------------------------------------

    II. Background

    A. The Gramm-Leach-Bliley Act Privacy Notices

    Subtitle A of title V of the GLB Act, captioned ``Disclosure of

    Nonpublic Personal Information,'' \15\ requires each financial

    institution to provide a notice of its privacy policies and practices

    to its customers who are consumers.\16\ In general, the privacy notice

    must describe a financial institution's policies and practices with

    respect to disclosing nonpublic personal information about a consumer

    to both affiliated and nonaffiliated third parties.\17\ The notice also

    must provide a consumer a reasonable opportunity to direct the

    institution generally not to share nonpublic personal information \18\

    about the consumer (that is, to ``opt out'') with nonaffiliated third

    parties other than as permitted by the statute (for example, sharing

    for everyday business purposes, such as processing transactions and

    maintaining customers' accounts, and in response to properly executed

    governmental requests).\19\ The privacy notice must provide, where

    applicable under the Fair Credit Reporting Act (``FCRA''), a notice and

    an opportunity for a consumer to opt out of certain information sharing

    among affiliates.\20\

    ---------------------------------------------------------------------------

    \15\ Codified at 15 U.S.C. 6801-6809.

    \16\ 15 U.S.C. 6803(a). A ``customer'' means a consumer who has

    a ``customer relationship'' with a financial institution. Privacy

    rule, section ----.3(h), SEC section 248.3(j), CFTC section

    160.3(k), NCUA section 716.3(n). A ``consumer'' is ``an individual

    who obtains, from a financial institution, financial products or

    services which are to be used primarily for personal, family, or

    household purposes, and also means the legal representative of such

    an individual.'' 15 U.S.C. 6809(9); privacy rule, section ----.3(e),

    SEC section 248.3(g)(1), CFTC section 160.3(h)(1). Financial

    institutions are required to provide an initial notice to their

    customers and a notice annually thereafter for as long as the

    customer relationship continues. 15 U.S.C. 6803(a); Privacy rule,

    sections ----.4 and ----.5. Institutions are also required to

    provide to their non-customer consumers a notice if the institution

    discloses nonpublic personal information outside the exceptions in

    sections ----.14 and ----.15 before any such disclosure is made. 15

    U.S.C. 6802(a); privacy rule, sections ----.4.

    \17\ 15 U.S.C. 6803(a)-(c).

    \18\ ``Nonpublic personal information'' is generally defined as

    personally identifiable financial information provided by a consumer

    to a financial institution, resulting from any transaction or any

    service performed for the consumer, or otherwise obtained by the

    financial institution. See 15 U.S.C. 6809(4); privacy rule, sections

    ----.3(n) and (o), SEC sections 248.3(t) and (u), CFTC sections

    160.3(t) and (u).

    \19\ 15 U.S.C. 6802; privacy rule, sections ----.14 and ----.15.

    \20\ 15 U.S.C. 1681a(d)(2)(A)(iii) (FCRA); 15 U.S.C. 6803(c)(4)

    (GLB Act).

    ---------------------------------------------------------------------------

    The privacy rule requires a financial institution to provide a

    privacy notice to its customers no later than when a customer

    relationship is formed and annually thereafter for as long as the

    relationship continues. The notice must accurately reflect the

    institution's information collection and disclosure practices and must

    include specific information.\21\

    ---------------------------------------------------------------------------

    \21\ See sections --.4, --.5, and --.6 of the privacy rule.

    ---------------------------------------------------------------------------

    The privacy rule does not prescribe any specific format or

    standardized wording for these notices. Instead, institutions may

    design their own notices based on their individual practices provided

    they comply with the law and meet the ``clear and conspicuous''

    standard in the statute and the privacy rule.\22\ The Appendix to each

    privacy rule contains Sample Clauses that institutions may use in

    privacy notices to satisfy the privacy rule.

    ---------------------------------------------------------------------------

    \22\ 15 U.S.C. 6802, 6803; privacy rule, section --.3(b), SEC

    section 248.3(c), CFTC section 160.3(b)(1).

    ---------------------------------------------------------------------------

    Financial institutions were required to provide privacy notices to

    their customers by July 1, 2001.\23\ Many notices provided to consumers

    were long and complex. Because the privacy rule allows institutions

    flexibility in designing their privacy notices, notices have been

    formatted in various ways and as a result have been difficult to

    compare, even among financial institutions with identical

    practices.\24\ The Agencies first explored issues related to the

    complexity of privacy notices in a workshop held in December 2001.\25\

    ---------------------------------------------------------------------------

    \23\ See, e.g., Privacy of Consumer Financial Information, 65 FR

    35162 (June 1, 2000). The CFTC was added by Section 5g of the

    Commodity Exchange Act, 7 U.S.C. 7b-2 (as amended by the Commodity

    Futures Modernization Act of 2000), on December 21, 2000, and

    privacy notices were required to be delivered to consumers by March

    31, 2002. Privacy of Consumer Financial Information, 66 FR 21236

    (Apr. 27, 2001).

    \24\ See Rulemaking Petition from Public Citizen, et al., at 4

    (July 26, 2001) (available at

    http://www.ftc.gov/bcp/workshops/glb/comments/nader.pdf) (``Public Citizen Petition'') (stating that

    notices were ``dense,'' ``complicated,'' and written by those

    trained in obfuscation rather than to express ideas clearly).

    \25\ See Get Noticed: Writing Effective Financial Privacy

    Notices, Interagency Public Workshop (Dec. 4, 2001) (``Get Noticed

    Workshop''). Workshop transcripts and other supporting documents are

    available at http://www.ftc.gov/bcp/workshops/glb/index.html. The

    Get Noticed Workshop, discussed in the preamble to the Proposed

    Rule, supra note 4 at n.14, provided a public forum to consider how

    financial institutions could provide more useful privacy notices to

    consumers.

    ---------------------------------------------------------------------------

    On December 30, 2003, the Agencies published an Advance Notice of

    Proposed Rulemaking to Consider Alternative Forms of Privacy Notices

    Under the Gramm-Leach-Bliley Act (``ANPR'') to solicit public comment

    on

    [[Page 62893]]

    a wide range of issues related to improving privacy notices.\26\ The

    ANPR stated that the Agencies expected that consumer testing would be a

    key component in the development of any specific proposals.\27\

    ---------------------------------------------------------------------------

    \26\ See Interagency Proposal to Consider Alternative Forms of

    Privacy Notices Under the Gramm-Leach-Bliley Act, 68 FR 75164 (Dec.

    30, 2003), available at

    http://www.ftc.gov/os/2003/12/031223anprfinalglbnotices.pdf. The Agencies sought, for example,

    comment on issues associated with the format, elements, and language

    used in privacy notices that would make the notices more accessible,

    readable, and useful, and whether to develop a model privacy notice

    that would be short and simple.

    \27\ Id. at text following n.5.

    ---------------------------------------------------------------------------

    During January and February 2004, the Agencies met with a number of

    interested groups and individuals to discuss the issues raised in the

    ANPR and subsequently received forty-four comments in response to the

    ANPR.\28\ While commenters expressed a variety of views on the

    questions posed in the ANPR, many commenters agreed that the Agencies

    should conduct consumer testing before proposing any alternative

    privacy notice.

    ---------------------------------------------------------------------------

    \28\ Summaries of the outside meetings and public comments to

    the ANPR are available at

    http://www.ftc.gov/privacy/privacyinitiatives/financial_rule_inrp.html.

    ---------------------------------------------------------------------------

    B. Development of the Proposed Model Privacy Form

    Over the years during which GLB Act privacy notices have been

    delivered to consumers, the Agencies have observed wide variations in

    these notices. Today, privacy notices vary considerably--not just in

    format, presentation, language, length, style, or tone--but also in how

    they inform consumers of their rights to limit certain sharing of

    personal information. For example, the Agencies have found the

    following variations in current privacy notices. Some institutions

    incorporate privacy notices into lengthy terms and conditions

    statements, making it harder for consumers to find information about

    the institution's privacy practices, and raising questions about

    whether such notices comply with the requirement that they be clear and

    conspicuous. Institutions also use messages in their notices' opening

    statements about how they value privacy and strive to ``protect''

    personal information, thus providing assurances to consumers that imply

    their personal information is not shared broadly, while obscuring or

    directing attention away from the required disclosures of actual

    information sharing practices. Finally, the Agencies have seen a number

    of institutions employ the statement in their privacy policy ``We do

    not sell your information to third parties'' in a context that raises

    concerns about misrepresentations.\29\

    ---------------------------------------------------------------------------

    \29\ In some cases, the Agencies have identified notices that

    violate the privacy rule. For example, one institution's privacy

    notice did not include an opt-out form, but provided that consumers

    could only obtain an opt-out form by visiting a bank office, in

    violation of sections --.7(h), --.9(a), and --.10(a)(1) of the

    privacy rule. Another notice provided that consumers could only opt

    out by writing a letter to the institution, in violation of section

    --.7(a)(1) of the privacy rule. Offering only these very restrictive

    methods of obtaining an opt-out form and opting out also is not

    supported by the examples in the privacy rule. See sections

    --.7(a)(2), --.9(b), and --.10(a)(3) of the privacy rule.

    ---------------------------------------------------------------------------

    These examples illustrate the need to make disclosure of

    institutions' information sharing practices and consumer choices more

    transparent and underscore the Agencies' interest in initiating a joint

    consumer research project to develop an easy-to-read and understandable

    model privacy notice for consumers.

    In the summer of 2004, six of the Agencies \30\ launched a project

    to fund consumer research (``Notice Project''). Their goals were to

    identify barriers to consumer understanding of current privacy notices

    and to develop an alternative privacy notice, or elements of a notice,

    that consumers could more easily use and understand compared to current

    notices. The Agencies conducted the consumer research in two sequential

    phases.\31\

    ---------------------------------------------------------------------------

    \30\ The six agencies that initially sponsored the Notice

    Project were the Board, FDIC, FTC, NCUA, OCC, and SEC. The OTS

    joined the Notice Project for the phase two quantitative testing.

    Information related to the Notice Project is available at

    http://www.ftc.gov/privacy/privacyinitiatives/financial_rule_inrp.html.

    \31\ The first phase was designed as qualitative testing or form

    development research. This research involved a series of in-depth

    individual consumer interviews to develop an alternative privacy

    notice that would be easier for consumers to use and understand. The

    second phase was designed as quantitative testing, to test the

    effectiveness of the alternative privacy notice developed in phase

    one among a larger number of consumers.

    ---------------------------------------------------------------------------

    In September 2004, the Agencies selected Kleimann Communication

    Group, Inc. (``Kleimann'') as their contractor for the phase one form

    development research. The research objectives of the Notice Project

    included designing a privacy notice that consumers could understand and

    use, that facilitated comparison of sharing practices and policies

    across institutions, and that addressed all relevant legal requirements

    of the GLB Act and FCRA.

    The form development phase culminated in an extensive research

    report prepared by Kleimann and released by the Agencies in March 2006

    (the ``Kleimann Report'').\32\ The Kleimann Report details the process

    by which the Agencies and Kleimann developed an alternative privacy

    notice. The structure, content, ordering of the text information, and

    title of the proposed model form all reflect the research findings from

    the qualitative consumer testing.

    ---------------------------------------------------------------------------

    \32\ See Kleimann Communication Group, Inc., Evolution of a

    Prototype Financial Privacy Notice: A Report on the Form Development

    Project (Feb. 28, 2006) (``Kleimann Report''). For a copy of the

    full report, go to

    http://www.ftc.gov/privacy/privacyinitiatives/ftcfinalreport060228.pdf.

    For the executive summary, go to

    http://www.ftc.gov/privacy/privacyinitiatives/FTCFinalReportExecutiveSummary.pdf.

    ---------------------------------------------------------------------------

    In October 2006, Congress passed the Regulatory Relief Act, which

    directed the Agencies to propose a model form based on standards

    similar to the Notice Project research goals. On March 29, 2007, the

    Agencies issued for public comment the proposed model form as produced

    in the form development phase with some minor revisions.

    C. Overview of Comments Received

    The Agencies collectively received approximately 110 unique

    comments from a variety of banks, thrifts, credit unions, credit card

    companies, securities firms, insurance companies, and industry trade

    associations, as well as from consumer and other advocacy groups, the

    National Association of Attorneys General (``NAAG''), the National

    Association of State Insurance Commissioners (``NAIC''), and individual

    consumers.\33\

    ---------------------------------------------------------------------------

    \33\ Comments received by all the Agencies are available at

    http://www.ftc.gov/privacy/privacyinitiatives/financial_rule_inrp.html.

    Many commenters sent copies of the same letter to more

    than one agency. Some association commenters sent several letters,

    both individually and jointly with other associations.

    ---------------------------------------------------------------------------

    A number of institutions expressed support for the model form. Some

    stated that they are either already using it (submitting copies of

    their notices) or intend to use it once it is finalized. One industry

    association conducted an informal poll of its community bank members

    and found that many are likely to use the model form and that most

    found the new form more consumer-friendly than the Sample Clauses.

    These commenters commended the Agencies for proposing simpler language

    and making the disclosure terms more understandable and accessible to

    consumers.

    Consumer and other advocacy groups, the NAIC, NAAG, and individual

    consumers generally supported the Agencies' proposal and the clearer

    language and omission of extraneous information in the proposed model

    form. These commenters stated that the proposal could be strengthened

    in certain respects, for example, by making

    [[Page 62894]]

    the default opt-in rather than opt-out and creating a one-stop opt-out

    repository similar to the National Do Not Call Registry.

    There was general support by many commenters for additional

    consumer research and testing. While some industry commenters provided

    substitute language or submitted alternate forms of the notice, none

    submitted other research findings. However, the NAIC submitted a

    consumer study on notices with research findings that the Agencies did

    consider.

    Most industry commenters, however, objected to several key aspects

    of the proposal. The most significant areas of concern raised by

    industry commenters related to: The standardized approach; the format

    of the proposed model form; the limited examples of types of personal

    information collected and shared; the disclosure table; incorporation

    of state law information; and revocation of the Sample Clauses. The

    thrust of many industry comments was that the proposed form was overly

    simplistic and not nuanced enough to describe precisely what the

    various laws permit or to allow accurate descriptions of more complex

    information sharing policies and practices. One commenter expressed

    concern that the form would lead to consumer confusion because of

    inaccurate disclosures on sharing practices and result in high opt-out

    rates, discouraging use of the form. Many industry commenters expressed

    concern about liability under state unfair or deceptive practice laws

    relating to privacy disclosures. At the same time, many institutions

    urged flexibility to allow inclusion of other information--such as

    describing the benefits of sharing, or providing marketing messages or

    privacy tips such as on identity theft and fraud prevention. One

    institution proposed allowing institutions to pick and choose which

    elements of the notice to use and still receive a safe harbor.

    D. Quantitative Research

    Following publication of the model form proposal in March 2007 and

    subsequent review of the comments, the Agencies revised the proposed

    model form for further testing.\34\ In the fall of 2007, the Agencies

    turned their attention to developing the research protocol and

    methodology for conducting the second phase of the research: The

    quantitative consumer testing. In August 2006, prior to enactment of

    the Regulatory Relief Act, the Agencies had selected Macro

    International Inc. (``Macro'') to conduct the quantitative research

    study.

    ---------------------------------------------------------------------------

    \34\ See Mall Intercept Study of Consumer Understanding of

    Financial Privacy Notices: Methodological Report, submitted by Macro

    International Inc. (``Macro Report''), Appendix C, for copies of the

    test notices. The Macro Report is available at:

    http://www.ftc.gov/privacy/privacyinitiatives/Macro-Report-on-Privacy-Notice-Study.pdf.

    See also infra section III for a discussion about the changes made

    to the final model form since the Proposed Rule was issued for

    comment.

    ---------------------------------------------------------------------------

    In the spring of 2008, Macro conducted a survey of approximately

    1,000 consumers using a mall-intercept methodology. The selected

    participants for the study reflected a range of demographic

    characteristics for gender, age, and educational level. The testing was

    conducted in five shopping mall locations--Baltimore, MD; Dallas, TX;

    Detroit, MI; Los Angeles, CA; and Springfield, MA--over a period of

    five weeks during March and April 2008.\35\

    ---------------------------------------------------------------------------

    \35\ Macro provided the test data to the Agencies in the summer

    of 2008 and its research methodology report in September. The study

    data and codebook are available at:

    http://www.ftc.gov/privacy/privacyinitiatives/Privacy-Notice-Study-Dataset.pdf

    and

    http://www.ftc.gov/privacy/privacyinitiatives/Privacy-Notice-Study-Codebook.pdf.

    ---------------------------------------------------------------------------

    The test objectives were to evaluate the effectiveness of the

    revised proposed model form \36\ developed by Kleimann (``Table

    Notice'') for comprehension and usability as compared to three other

    styles or formats of notices. The other notice formats were: (1) The

    prose version of the prototype table notice also developed and tested

    by Kleimann (``Prose Notice''); (2) a current version of a common

    notice used by financial institutions (``Current Notice''); and (3) a

    notice comprised solely of the Sample Clauses found in the appendix to

    the privacy rule (``Sample Clause Notice''). Within each format, there

    were three different notices, each reflecting a different level of

    sharing. Each level of sharing had a common fictional bank name across

    the four notice formats: Mars Bank had a low level of sharing; Mercury

    Bank had a medium level of sharing; and Neptune Bank had the highest

    level of sharing. Both Mercury and Neptune Banks offered opt-out

    choices; however, the pattern of sharing was such that after exercising

    all available opt-outs, Neptune Bank continued to share more broadly

    than Mercury Bank and Mercury Bank continued to share more than Mars

    Bank. This design was intentional for the comparison testing.\37\

    ---------------------------------------------------------------------------

    \36\ The proposed model form was revised based on the comments

    received, and a version of that revised form was used in the

    quantitative testing.

    \37\ Study participants were randomly assigned to see one of the

    four notice formats. Each participant read three privacy notices in

    the same format and was asked a series of questions, first about one

    pair of notices, and next about a second pair of notices, with one

    of the three notices used twice in each round. The order and

    repetition of the notices were rotated among the participants so

    that the same notice was not always viewed twice. Participants

    answered additional questions about the notices and their attitudes

    on information sharing. The interview sought information about

    participants' choice of a bank based solely on the notice content;

    responses to factual questions, such as which of two banks shared

    more or whether any of the banks offered an opportunity to limit or

    opt out of sharing; performance of a task, such as determining which

    bank shared more after exercising all options to limit or opt out of

    sharing; and responses to questions about their attitudes toward the

    use and sharing of their information. See Macro Report, supra note

    34, Appendix A.

    ---------------------------------------------------------------------------

    On December 15, 2008, two expert advisors to the Agencies, Dr. Alan

    Levy and Dr. Manoj Hastak, submitted a report to the Agencies analyzing

    the research data provided by Macro (the ``Levy-Hastak Report'').\38\

    The Levy-Hastak Report confirmed the overall effectiveness of the

    proposed model form (as modified) as against the three alternative

    notice formats. On April 15, 2009, the SEC published the Levy-Hastak

    Report, along with the Macro Report and test data, for public comment.

    The SEC received nine comments.\39\

    ---------------------------------------------------------------------------

    \38\ See

    http://www.ftc.gov/privacy/privacyinitiatives/Levy-Hastak-Report.pdf.

    \39\ See http://www.sec.gov/comments/s7-09-07/s70907.shtml.

    ---------------------------------------------------------------------------

    The Levy-Hastak Report examined two measures on how effectively the

    notices communicated information: (1) Judgment quality; and (2)

    perceptual accuracy.\40\ According to the Report, judgment quality

    focused on the extent to which study participants could provide

    logical, defensible reasons for choosing one bank over the other based

    solely on the notice. Perceptual accuracy focused on the ability of the

    participants to recognize accurately the differences between the banks

    in information collection and sharing practices, in opt-out choices,

    and in relative sharing after all opt-out choices were exercised.\41\

    ---------------------------------------------------------------------------

    \40\ Levy-Hastak Report at 7-14.

    \41\ Id. at 4-5.

    ---------------------------------------------------------------------------

    The Levy-Hastak Report concluded that, overall, the Table Notice

    outperformed the other notices.\42\ The Table Notice performed

    particularly well on difficult tasks \43\ while the Current Notice

    performed poorly on all measures. While the Sample Clause Notice

    performed well on simple tasks,

    [[Page 62895]]

    about equal to the Table and Prose notices, it performed significantly

    less well than the Table Notice on measures of judgment quality.\44\

    The Report concluded that the table format is likely a key explanation

    for the improvement in comprehension demonstrated by the study

    participants who saw the Table Notice as compared to those who saw the

    other notice styles--especially for difficult perceptual accuracy

    tasks.\45\

    ---------------------------------------------------------------------------

    \42\ Id. at 16.

    \43\ Id. at 17. According to the Report, an example of a

    difficult task was: Participants were asked to assume that they had

    limited or opted out of all possible sharing for both banks; based

    on that assumption, respondents were asked whether one bank shared

    more personal information than the other or whether both banks

    shared information equally. An example of an easy task was: Using

    the notice, participants were asked to identify how they could tell

    the bank that they wanted to limit or opt out of sharing personal

    information.

    \44\ Levy-Hastak Report at 9-10.

    \45\ Levy-Hastak Report at 17.

    ---------------------------------------------------------------------------

    While the notice format significantly affected participants'

    ability to comprehend and compare the notices, the testing showed that

    participants' general attitudes about the sharing of their personal

    information were not affected by the notices they saw.\46\ Following

    the two rounds of questions on the content of, and comparison between,

    the notices, the study participants were asked to rate their attitudes

    in general toward information sharing, for example, sharing with

    affiliated banks and with nonaffiliated banks. The results showed that

    participants' attitudes were about the same across the four notice

    formats.\47\

    ---------------------------------------------------------------------------

    \46\ Id. at 15.

    \47\ Id. Study participants generally did not like their

    information being shared with either affiliates or with

    nonaffiliates.

    ---------------------------------------------------------------------------

    The Levy-Hastak Report analyzed two specific areas where the Table

    Notice seemed to perform less well than the other notices. First, the

    Report described an anomaly with respect to responses to the question

    [Q. 19/30]: ``Which of these two banks gives you the opportunity to

    limit or to opt out of the sharing of your personal information?'' \48\

    Generally participants identified the bank or banks that provided an

    opt-out. However, some participants who saw the Table and Prose notices

    selected Mars Bank, the one that shared the least and offered no

    opt-out option. Because answering ``Mars Bank'' was identified as an

    incorrect answer, the Current and Sample Clause notices out-performed

    the Table and Prose notices on this question.

    ---------------------------------------------------------------------------

    \48\ See id. at 12-14.

    ---------------------------------------------------------------------------

    In contrast, the Table and Prose notices out-performed the other

    two notices on the most difficult task in the test. In this task,

    participants were asked to assume that they had exercised all possible

    options to limit or to opt out of sharing and then to identify which

    bank shared more. Here, the Table and Prose notices significantly

    out-performed the other notices. More participants who saw the Table and

    Prose notices correctly gave as their answer the higher sharing bank.

    This result suggests that participants who saw the Table and Prose

    notices did understand which bank(s) offered an opportunity to limit or

    to opt out of their sharing.

    In analyzing this discrepancy, the Levy-Hastak Report observed that

    the simpler question had two different, yet accurate, responses,

    depending on how participants interpreted the question. Some of the

    participants might have understood the question to apply at the point

    of choosing between the two bank notices; those participants selected

    the lower sharing bank. In contrast, other participants might have

    understood the question to mean: Which bank lets me opt out of sharing

    personal information once I am doing business with the bank. The second

    interpretation was the intended meaning of the question. Drs. Levy and

    Hastak hypothesized that some participants who saw the Table and Prose

    notices understood the question to have the first meaning, while other

    participants, particularly those who saw the Sample Clause and Current

    notices, understood the question to have the second meaning.\49\

    ---------------------------------------------------------------------------

    \49\ Significantly, unlike the Sample Clause and Current

    notices, neither the Table nor the Prose notice uses the word

    ``opt-out'' in the model form; rather, these forms refer to ``limiting

    sharing.'' This word choice was intentional to help consumers

    understand that some sharing is necessary and that consumers cannot

    stop all sharing--a concept that consumers who knew the term equated

    with ``opt-out.'' See Kleimann Report, supra note 32, at 101-108.

    Because the Table and Prose notices did not use the word

    ``opt-out,'' participants using these notices did not have that word as a

    visual ``cue'' when they were asked the question.

    ---------------------------------------------------------------------------

    To test this hypothesis, Drs. Levy and Hastak examined the pattern

    of factual mistakes that participants made when they answered a

    separate set of questions.\50\ There, study participants were asked in

    Q. 16/27 why they preferred one bank over the other, based solely on

    the notice. Some participants who selected a bank that shared

    relatively little information and did not offer an opt-out stated that

    this bank offered more opportunity to limit or to opt out of sharing

    than the higher sharing bank, which was labeled a ``false opt-out

    mistake'' in the Report. The Report found that participants who saw the

    Table and Prose notices were on average almost three times as likely to

    make the false opt-out mistake as those who saw the Current and Sample

    Clause notices.\51\

    ---------------------------------------------------------------------------

    \50\ The Report also examined a second mistake: Where

    participants selected the lower sharing bank when they were asked to

    identify which bank shared more (labeled a ``false sharing

    mistake''). See Levy-Hastak Report at 9. In that case, there was not

    an unusual pattern in the distribution of responses. Rather, the

    Report found that the study participants who made this mistake were

    equally distributed across all four notice styles. Id. at 13.

    \51\ Id.

    ---------------------------------------------------------------------------

    This finding supports the hypothesis that users of the Table and

    Prose notices who selected the lower sharing bank in response to

    Q. 19/30 understood the question in its first meaning: They selected a bank

    that gave them an opportunity to limit or opt out of sharing at the

    time of choosing between the two bank notices. Under that

    interpretation, these participants could limit sharing by selecting the

    bank that shared less information. Thus the Levy-Hastak Report's

    analysis of the false opt-out mistake pattern in Q. 16/27 is consistent

    with their hypothesis regarding the responses to Q. 19/30. In addition,

    the Report found that the educational level of the study participants

    produced a significant effect only on the responses to the opt-out

    question, with better educated participants more likely to answer the

    question in the intended manner.\52\ This finding is also consistent

    with the Report hypothesis that participants who saw the Table and

    Prose notices understood the question in two different, yet equally

    correct ways, unlike those who saw the Sample Clause and Current

    notices.

    ---------------------------------------------------------------------------

    \52\ Id. at 13-14.

    ---------------------------------------------------------------------------

    The Table Notice also seemed to perform less well in a second,

    unrelated area. Specifically, all the test notices provided only two

    methods for consumers to opt out of or limit sharing: Use of a

    toll-free telephone number or access to the opt-out on the institution's Web

    site. When study participants were asked to identify which contact

    modes were identified in the notice as ways to limit or opt out of

    sharing, they correctly identified the two modes more frequently when

    using the Sample Clause Notice than the Table, Prose, and Current

    notices.

    Noting that this type of question appears to invite skimming the

    notice to find the answer quickly and easily, the Levy-Hastak Report

    examined the great variability in notice length and found that the

    Sample Clause Notice was significantly shorter than any of the other

    notices. The Levy-Hastak Report observed that the shortness of the

    Sample Clause Notice may have made it easier for participants to scan

    the notice and find the answer to this question. The Report opined that

    notice length likely has an effect on scanability and reading ease.\53\

    ---------------------------------------------------------------------------

    \53\ Levy-Hastak Report at 14. In addition, the use of check

    boxes in the design of the opt-out section of the Table and Prose

    notices (a carry-over from the original mail-in format of the

    proposed model form) appeared to confuse some participants when they

    were asked this question. The responses recorded for these two

    notices reflected a somewhat higher number of ``other'' responses,

    even though all the notices offered the same two options. Macro

    reported anecdotally that a number of participants who viewed the

    Table and Prose notices reported ``check this box'' as one of the

    methods offered to opt out or limit sharing--a response that was

    recorded as ``other.''

    ---------------------------------------------------------------------------

    [[Page 62896]]

    While the Levy-Hastak Report findings confirmed the overall

    effectiveness of the Table Notice,\54\ the Report's analysis prompted

    the Agencies to consider a further refinement to the proposed model

    form. The change, discussed in more detail later, was to modify the

    opt-out section of the model form to place the opt-out information on

    page one directly following the disclosure table so that all the key

    information appears on that page. \55\ The Agencies considered this

    change to facilitate quick scanning for important information without

    sacrificing the model form's performance in other respects. To ensure

    that locating the opt-out information on page one worked from a

    usability perspective, the Agencies decided to conduct validation

    testing which led to separate formats for the telephone and Internet

    opt-out and for the mail-in opt-out that the Agencies are adopting.

    ---------------------------------------------------------------------------

    \54\ Id. at 17.

    \55\ Some commenters had urged the Agencies to consolidate the

    model form on two sides of a single piece of paper, and a few

    suggested that the Agencies consider moving the opt-out to page one.

    See, e.g., comment letters of Securities Industry and Financial

    Markets Ass'n (May 29, 2007); World's Foremost Bank (May 25, 2007);

    World Financial Network National Bank (May 29, 2007); World

    Financial Capital Bank (May 25, 2007).

    ---------------------------------------------------------------------------

    E. Public Comments on the Quantitative Test Data

    Nine commenters representing insurance, securities, and financial

    services associations, a bank, and two investment advisers submitted

    comments in response to the SEC's solicitation for public comments on

    the quantitative testing. Most of the commenters re-stated their

    earlier general objections to the proposed model form. These concerns

    are addressed in section III.

    All but one of these commenters made general observations about the

    quantitative test methodology and the Levy-Hastak Report. Five

    commenters observed that the test notices were designed for banks and

    not for insurance companies or securities firms (i.e., broker-dealers,

    investment companies, or SEC-registered investment advisers), thereby

    omitting a significant portion of the financial services industry that

    provide these notices.\56\ Two commenters opined that the study

    participants' demographic characteristics did not reflect those

    consumers who will receive financial privacy notices.\57\ One expressed

    concern about the demographic diversity in the mall selections and

    questioned whether there was consistent coding of the open-ended

    responses.\58\ One commented that the testing criteria ruled out

    non-English speaking participants.\59\

    ---------------------------------------------------------------------------

    \56\ See comment letters of American Council of Life Insurers

    (May 20, 2009), National Ass'n of Mutual Insurance Cos. (May 20,

    2009), American Insurance Ass'n (May 20, 2009), Investment Adviser

    Ass'n (May 20, 2009), The Financial Services Roundtable and BITS

    (May 20, 2009).

    \57\ See comment letters of National Ass'n of Mutual Insurance

    Cos. (May 20, 2009); The Financial Services Roundtable and BITS (May

    20, 2009).

    \58\ See comment letter of The Financial Services Roundtable and

    BITS (May 20, 2009).

    \59\ See id. The Agencies used a single form, printed in

    English, for simplicity in conducting the testing. We recognize that

    institutions can and do provide notices in a variety of other

    languages when their customers are non-English speaking. We

    anticipate that those institutions that use the final model form

    will continue to provide their notices in other languages to ensure

    that their non-English speaking customers can read and use the form.

    See also Transcript of Get Noticed Workshop, available at

    http://www.ftc.gov/bcp/workshops/glb/GLBtranscripts.pdf, comments of Irene

    Etzkorn (recognizing that banks do provide financial privacy notices

    in languages other than English); comments of Tena Friery (noting

    that the Privacy Rights Clearinghouse promotes notices and

    educational materials in other languages and that 80-100 different

    languages are spoken in Los Angeles alone).

    ---------------------------------------------------------------------------

    Some of the commenters disagreed with the Levy-Hastak Report's

    conclusion that the Table Notice outperformed the other notice formats.

    They opined that the Report's conclusion is flawed because: (1) The

    Sample Clause Notice did better on simpler tasks than the Table Notice;

    \60\ (2) the anomalies discussed in the Levy-Hastak Report may be due

    to other explanations; \61\ and (3) while the Table Notice's overall

    performance was better than the other notices, actual performance

    accuracy was relatively low.\62\ Several commented that the overly

    simplified and inflexible format of the Table Notice is not a true test

    of consumers' understanding of institutions' actual collection and

    disclosure practices.\63\ In addition, all commenters on the

    quantitative testing urged retention of the Sample Clauses and related

    safe harbor.

    ---------------------------------------------------------------------------

    \60\ See comment letters of American Insurance Ass'n (May 20,

    2009); National Ass'n of Mutual Insurance Cos. (May 20, 2009). While

    some commenters find greater virtue in the better performance of the

    Sample Clause Notice on only the simpler tasks or disagree with the

    Levy-Hastak Report's analyses, the evidence is compelling that the

    Table Notice performed better overall across all comprehension and

    comparison measures. See Levy-Hastak Report at 6.

    \61\ See comment letter of American Council of Life Insurers

    (May 20, 2009).

    \62\ Id.

    \63\ See, e.g., comment letter of The Financial Services

    Roundtable and BITS (May 20, 2009).

    ---------------------------------------------------------------------------

    The test notices for the quantitative study were created for

    fictitious banks, even though the model form can be used by any

    financial institution subject to the GLB Act and the privacy rule.

    Because the vast majority of consumers are familiar with or have

    experience with a bank, the Agencies used a notice designed for a bank

    to increase the likelihood that most of the test participants could

    readily understand the terms in the notice, such as ``account

    balances,'' ``income,'' or ``credit history,'' which describe

    information collected and shared by many banks, as well as by many

    other financial institutions.

    The Macro Report presented data on the demographic characteristics

    of the study participants recruited for the study. Participants at each

    mall were pre-selected for a representative mix based on gender, age,

    and education levels, and information on participants' race/ethnicity,

    income, and household size was obtained at the end of each

    interview.\64\ Since a significant majority of consumers in America

    receive a financial privacy notice--including from banks, credit

    unions, securities firms, insurance companies, auto dealers, debt

    collectors, and payday lenders--the Agencies wanted to ensure that a

    representative cross-section of consumers be included in the study.

    ---------------------------------------------------------------------------

    \64\ Macro Report, supra note 34, at 3 & Appendix B; Levy-Hastak

    Report at 2.

    ---------------------------------------------------------------------------

    The Agencies hired Macro as an outside independent expert to handle

    all aspects of the collection and reporting of the study data. Macro

    conducted all training of field staff, implemented a series of checks

    to ensure greater accuracy of the study data, reviewed, on an ongoing

    basis, all daily downloads of data from the field, and coded all of the

    open-end responses.\65\

    ---------------------------------------------------------------------------

    \65\ Macro Report, supra note 34, at 3-4.

    ---------------------------------------------------------------------------

    With respect to the comment that the accuracy of the study

    participants' responses overall was relatively low, the commenter cited

    the judgment quality measure of the participants' fact-based reasons

    for choosing the lower sharing bank.\66\ While the results showed that

    most consumers likely have a limited

    [[Page 62897]]

    understanding of information sharing practices after a brief exposure

    to any of the notice styles, nevertheless the Levy-Hastak Report

    confirms that overall the Table Notice out-performed the other notices

    and is the most effective notice of all the privacy notices tested.

    ---------------------------------------------------------------------------

    \66\ The commenter looked to the Table Notice score of 40.6% in

    Table 1 of the Levy-Hastak Report. Levy-Hastak Report at 12. This

    data evaluated how well study participants could explain their

    reasons for preferring one bank notice over another where they

    selected, as their preferred bank, the lower sharing bank. While the

    commenter pointed to a single measure in the Levy-Hastak Report, the

    Report relied on a number of accuracy measures that varied in

    difficulty level. See, e.g., id., Table 3 at 12.

    ---------------------------------------------------------------------------

    Finally, two commenters requested that if both the model privacy

    form and the SEC's proposed amendments to its privacy rule, Regulation

    S-P, were adopted, the SEC should coordinate the compliance dates so as

    to minimize the compliance burden and the potential for multiple

    revisions of an institution's privacy notice.\67\ The SEC appreciates

    institutions' desire to minimize revisions to their privacy notices and

    reduce the costs of compliance with its rules. However, the model

    privacy form the Agencies are adopting today is just that--a model--and

    no institution is required to use the model form. A financial

    institution that intends to use the model privacy notice and minimize

    potential costs, if any, related to revising its privacy notices in

    light of amendments to Regulation S-P could begin to use the model form

    after the compliance date of any final amendments to Regulation S-P.

    ---------------------------------------------------------------------------

    \67\ See Part 248-Regulation S-P: Privacy of Consumer Financial

    Information and Safeguarding Personal Information, Securities

    Exchange Act Release No. 57427, Investment Company Act Release No.

    28718 (Mar. 4, 2008) [73 FR 13692 (Mar. 13, 2008)]. See also comment

    letters of American Council of Life Insurers (May 20, 2009) and

    Investment Advisers Ass'n (May 29, 2007).

    ---------------------------------------------------------------------------

    F. Validation Testing

    In revising the model form based on public comments and findings

    from the Levy-Hastak Report, the Agencies streamlined the form to

    consolidate the information on the front and back sides of a single

    piece of paper and moved the opt-out information to the bottom of page

    one. In December 2008, the Agencies engaged Kleimann to conduct

    validation testing to confirm that these changes would not affect the

    comprehension, usability, and design integrity of the model form. In

    particular, Kleimann's new research focused on the placement of the

    opt-out information on page one. Kleimann conducted targeted in-depth

    interviews in January and February 2009 to test, revise, and re-test

    the model form. On February 12, 2009, Kleimann submitted a report to

    the Agencies, ``Financial Privacy Notice: A Report on Validation

    Testing Results,'' with a revised opt-out form recommendation

    (``Kleimann Validation Report'').\68\

    ---------------------------------------------------------------------------

    \68\ http://www.ftc.gov/privacy/privacyinitiatives/validation.pdf.

    ---------------------------------------------------------------------------

    The validation testing examined various formats for displaying

    opt-out information where the opt-out methods are by toll-free telephone

    number,\69\ the Internet, or a mail-in form. The validation testing

    confirmed the usability of the following changes to the proposed model

    form: (1) inserting a new box titled ``To limit our sharing'' below the

    disclosure table to inform consumers how they can limit sharing, such

    as by a toll-free telephone number or online; (2) replacing the

    ``Contact Us'' box with a box titled ``Questions'' following the ``To

    limit our sharing'' box; and (3) as applicable, inserting a mail-in

    form at the bottom of the page, which would require a longer piece of

    paper.\70\

    ---------------------------------------------------------------------------

    \69\ See section --.7(a)(2)(ii)(D) of the privacy rule.

    \70\ Kleimann Validation Report, Appendix E. The Kleimann

    Validation Report found that the information for telephone or

    Internet options could be readily displayed on a standard 8\1/2\

    x 11-inch page, but the addition of a mail-in form required a longer

    piece of paper.

    ---------------------------------------------------------------------------

    III. The Final Model Privacy Form

    A. Standardization

    Like the proposed model privacy form, the final model form uses a

    standardized format. Some industry commenters expressed support for the

    standardized format, with one noting that standardized notices would

    serve as an effective means of allowing consumers to understand in a

    simple manner companies' information practices.\71\ Another commenter

    pointed to the success of the ``Schumer box,'' a standardized format

    that makes the disclosure of credit card terms more accessible to

    consumers.\72\

    ---------------------------------------------------------------------------

    \71\ Comment letter of The Direct Marketing Ass'n (May 29, 2007)

    (commenting that it has an automated software program that allows

    companies to create a customized privacy notice in a standardized

    format).

    \72\ See comment letter of Capital One Financial Corporation

    (May 29, 2007); see also 12 CFR 226.5a(a)(2)(i)-(ii).

    ---------------------------------------------------------------------------

    Privacy and advocacy groups and NAAG supported the proposed

    standardized format, recognizing the important findings of the research

    and the model form's structure--in particular the elements on page

    one--as benefiting both consumers and companies by making the

    disclosure information accessible.\73\

    ---------------------------------------------------------------------------

    \73\ See, e.g., comment letters of Center for Democracy and

    Technology (May 29, 2007); National Ass'n of Attorneys General (June

    14, 2007); Privacy Rights Clearinghouse (May 16, 2007). See also The

    Center for Information Policy Leadership (May 29, 2007) (recognizing

    that the proposed model form addresses the requirements of the GLB

    Act and that the research provided insight into what effectively

    communicates to consumers, including ``important information about

    how people learn about privacy, about the use of tables to

    facilitate comparisons across companies, and about the need to

    inform consumers about why they are receiving a privacy notice'').

    ---------------------------------------------------------------------------

    A number of industry commenters, however, objected to the

    standardized form, asserting variously that: It causes confusion;

    because it is an abrupt change in the way information-sharing practices

    are disclosed, it could cause consumers to believe that the institution

    is changing its policies; because the model form has too much

    boilerplate, it detracts from the ability to compare policies; and it

    makes the notice less clear. Others stated that the standardized form

    is too inflexible and does not accurately reflect institutions'

    financial practices or accurately describe the scope of consumers'

    rights. Several stated that the model form language does not adequately

    capture the complex privacy policies and practices of many

    institutions.

    Based on the statutory requirement that the Agencies propose ``a

    model form,'' the final model privacy form utilizes a standardized

    format.\74\ Moreover, as more fully discussed in the preamble to the

    Proposed Rule, the Agencies' research supports uniform disclosures to

    help consumers better understand companies' information sharing

    practices.\75\ We reaffirm that use of the model form is voluntary;

    institutions are not required to use it.

    ---------------------------------------------------------------------------

    \74\ Cf. Press Release, U.S. House of Representatives, Committee

    on Financial Services, Financial Services Committee Democrats Call

    for Simplified Privacy Notices, (July 25, 2003) available at:

    http://financialservices.house.gov/pr062503.html.

    \75\ See Proposed Rule, supra note 4 at text accompanying n.30.

    See also Janice Tsai, Serge Egelman, Lorrie Cranor, and Alessandro

    Acquisti, ``The Effect of Online Privacy Information on Purchasing

    Behavior: An Experimental Study,'' The 6th Workshop on the Economics

    of Information Society (WEIS) (June 2007)

    http://weis2007.econinfosec.org/papers/57.pdf (more accessible privacy

    information reduces information asymmetry between the merchant and

    the consumer as to the use of consumers' personal information; aids

    consumers in making informed choices; and demonstrates that

    consumers tend to purchase from merchants offering more privacy

    protection, including paying a premium for such a purchase).

    ---------------------------------------------------------------------------

    B. Instructions for Use

    The General Instructions to the Model Privacy Form require that no

    additional information--other than what is specifically permitted--may

    be included in the model form in order to obtain the benefit of the

    safe harbor.\76\

    ---------------------------------------------------------------------------

    \76\ See Instruction C to the Model Privacy Form.

    ---------------------------------------------------------------------------

    A number of industry commenters objected to the Agencies' statement

    in the preamble to the Proposed Rule that the model form should not be

    incorporated into any other document.\77\

    [[Page 62898]]

    Some expressed concern that this would require the notice to be mailed

    separately.\78\ Several commenters stated that a private label or

    co-branded credit card application incorporates the lender's privacy

    policy into a brochure with a tear-off application to make it easier

    for the store clerks to provide all required information in a single

    document.\79\ Others observed that the privacy notice is typically

    included in a single document with other important reference

    information.

    ---------------------------------------------------------------------------

    \77\ See, e.g., comment letters of American Council of Life

    Insurers (May 29, 2007); Investment Company Institute (May 29,

    2007); National Business Coalition on E-Commerce and Privacy (May

    30, 2007).

    \78\ See, e.g., comment letters of American Bankers Ass'n (May

    25, 2007); American Insurance Ass'n (May 29, 2007); Visa U.S.A., Inc.

    (May 29, 2007).

    \79\ See, e.g., comment letters of Consumer Bankers Ass'n (May

    29, 2009); National Retail Federation (May 29, 2007).

    ---------------------------------------------------------------------------

    Recognizing these concerns, the Agencies agree that institutions

    may incorporate the model form into another document, but they must do

    so in a way that meets all the requirements of the privacy rule and the

    model form instructions, including that: The model form must be

    presented in a way that is clear and conspicuous; \80\ it must be

    intact so that the customer can retain the content of the model form;

    \81\ and it must retain the same page orientation, content, format, and

    order as provided for in this Rule.

    ---------------------------------------------------------------------------

    \80\ The term ``clear and conspicuous'' is defined in the

    privacy rule at section --.3(b), SEC section 248.3(c), and includes

    as a requirement that the notice be designed to call attention to

    the nature and significance of the information in the notice. In

    addition, the privacy rule requires that consumers should reasonably

    be expected to receive the notice. See section --.9 of the privacy

    rule.

    \81\ Institutions that incorporate the model privacy form into

    other documents must take care that the customer's execution of

    other forms in the document will leave the model form intact.

    ---------------------------------------------------------------------------

    C. Format of the Notice

    In response to numerous comments relating to the format of the

    proposed model form, the Agencies have revised certain of the

    requirements relating to paper size, orientation, number of pages, type

    size, and color and logo placements, as discussed below.

    Paper Size: To allow institutions greater flexibility, the final

    model privacy form may be printed on paper the size of which must be

    sufficient to meet the layout and minimum font size requirements with

    sufficient white space on the top, bottom, and sides of the

    content.\82\ Many industry commenters objected to the proposed

    requirement that the model form appear on 8\1/2\ by 11-inch size

    paper.\83\ Commenters stated that the proposed model form would require

    significant materials, postage, and production costs. Industry

    commenters explained that institutions use a variety of sizes and

    styles to present their privacy notices. Some institutions--

    particularly credit card institutions--enclose their privacy notices

    with a billing or periodic statement or a bankcard carrier. Envelopes

    for certain of these statements or for multi-panel formats are smaller

    than 8\1/2\ inches and may not accommodate the proposed size.

    ---------------------------------------------------------------------------

    \82\ See Instruction B to the Model Privacy Form. The Agencies

    understand that most privacy policies provide for opting out by

    toll-free telephone or on the Internet. The paper size for those

    policies will likely be about 8\1/2\ x 11 inches. However, for those

    institutions that provide a mail-in opt-out form, the paper size

    will likely need to be longer, around 8\1/2\ x 14 inches, in order

    to accommodate the mail-in form.

    \83\ See, e.g., comment letters of Consumer Bankers Ass'n (May

    29, 2007); American Bankers Ass'n (May 25, 2007); Bank of America

    Corporation (May 29, 2007); Independent Community Bankers of America

    (May 29, 2007); Securities Industry and Financial Markets Ass'n (May

    29, 2007); Investment Company Institute (May 29, 2007); National

    Retail Federation (May 29, 2007); National Ass'n of Mutual Insurance

    Cos. (May 29, 2007); Credit Union National Ass'n (May 29, 2007).

    ---------------------------------------------------------------------------

    The Agencies have reviewed numerous financial institution privacy

    notices over the past eight years, many of which are printed on

    smaller-sized paper in a multi-panel, multi-fold display. The density

    of the small-font text, in addition to the complex legal language, makes

    these notices very difficult to read or understand.\84\ The final

    requirement for paper size is designed to provide financial

    institutions with some flexibility, while prohibiting a paper size that

    is too small to accommodate the font and orientation requirements in

    the model form set forth below.

    ---------------------------------------------------------------------------

    \84\ See supra notes 24-25 and infra note 95.

    ---------------------------------------------------------------------------

    Orientation: Like the proposed model form, the final model privacy

    form must be printed in ``portrait'' orientation. Some institutions

    objected to this orientation, suggesting instead that institutions be

    permitted to design their own model form in other orientations, such as

    the commonly-used multi-fold display.\85\ According to these

    commenters, this landscape format has three or more ``pages'' of text

    visible on each side of the paper when the notice is fully opened. The

    size of the paper varies considerably, with some as small as

    approximately 7 by 11 inches before it is folded. In such a display,

    each ``page'' is approximately 3\1/3\ by 7 inches--considerably smaller

    than can accommodate the model form.\86\

    ---------------------------------------------------------------------------

    \85\ See, e.g., comment letters of National Retail Federation

    (May 29, 2007); Investment Advisers Ass'n (May 20, 2009); American

    Bankers Ass'n (May 25, 2007); Credit Union National Ass'n (May 29,

    2007). Some of these commenters pointed to the preamble language in

    the final privacy rule which states: ``The Agencies believe that in

    most cases the initial and annual disclosure requirements can be

    satisfied by disclosures contained in a tri-fold brochure.'' 65 FR

    33646, 33662 (May 24, 2000) (FTC); 65 FR 35162, 35175 (June 1, 2000)

    (banking agencies); (Regulation S-P) 65 FR 40334, 40347 (June 29,

    2000) (SEC). This statement was written in 2000 before the Agencies

    or institutions had any experience with the GLB Act privacy notices.

    In the intervening period, both the Agencies and institutions have

    learned much through their own testing about improved notice design

    and consumer comprehension. The impetus for the Agencies' consumer

    research, borne out by the research findings, is that the current

    notices, including those utilizing multi-fold formats, are not

    effective. Moreover, the important information on page one of the

    model form--including the context information and disclosure table--

    could not be appropriately displayed in such a cramped format and

    still comply with the minimum space and font requirements of the

    model form.

    \86\ Examples provided by commenters included: 3.5 x 7.5 inches,

    printed double sided; 3.5 x 8; 7 x 10.812 inches folded to 7 x 3.625

    inches; 7 x 3.5 inches (finished folded size). See, e.g., comment

    letter of National Retail Federation (May 29, 2007).

    ---------------------------------------------------------------------------

    The design of the model form does not lend itself to a multi-panel

    display. The utility of the form's design for reading ease depends in

    large measure on both larger, more readable type size and how the

    content is presented. While one commenter objected to the ``significant

    empty space'' in the model form,\87\ the guidance from communications

    experts and form designers is that appropriate white space between the

    text and margins, as well as the use of headings and bullets, makes a

    more effective, readable notice.\88\ The table--the heart of the model

    form--cannot be squeezed into a tighter space or so reduced in size as

    to make it virtually unreadable. For these reasons, the Agencies do not

    agree that the orientation of the model form should be altered to

    accommodate a multi-panel display.

    ---------------------------------------------------------------------------

    \87\ See comment letter of Consumer Bankers Ass'n (May 29,

    2007).

    \88\ See supra note 25.

    ---------------------------------------------------------------------------

    Number of Pages: In response to numerous commenters, the

    instructions to the final model privacy form permit the form to be

    printed on two sides of a single piece of paper or on two single-sided

    sheets.\89\ By incorporating the opt-out information on the bottom of

    page one, the revised model form may now appear on the front and back

    of a single piece of paper.

    ---------------------------------------------------------------------------

    \89\ See Instruction B.2 to the Model Privacy Form.

    ---------------------------------------------------------------------------

    Industry commenters generally objected to the proposed requirement

    that the model form be printed only on one side of a page.\90\ Many

    raised environmental concerns and the increased costs associated with

    printing the notice on multiple pages.

    ---------------------------------------------------------------------------

    \90\ See, e.g., comment letters of American Insurance Ass'n (May

    29, 2007); Bank of America Corporation (May 29, 2007); Citigroup

    Inc. (May 30, 2007); National Retail Federation (May 29, 2007);

    Securities Industry and Financial Markets Ass'n (May 29, 2007).

    ---------------------------------------------------------------------------

    While the proposed single-sided model form was based on the initial

    [[Page 62899]]

    consumer research and testing, the Agencies believe that the concerns

    expressed by commenters justify double-sided printing. Moreover, the

    Agencies used double-sided printed notices in the quantitative and

    validation testing, with no demonstrable loss in effectiveness relative

    to the single-sided notice.\91\

    ---------------------------------------------------------------------------

    \91\ See Levy-Hastak Report at 15.

    ---------------------------------------------------------------------------

    D. Appearance of the Model Privacy Form

    The Regulatory Relief Act requires that the model form ``use an

    easily readable type font.'' While a number of factors affect the

    readability of a document, as in the proposal, the final model privacy

    form must use: (1) 10-point font as the minimum font size (unless

    otherwise specified in the Instructions) and (2) sufficient spacing

    between the lines of type (leading).\92\

    ---------------------------------------------------------------------------

    \92\ While a variety of type styles would be suitable for the

    model notice, the Agencies caution institutions that use of

    idiosyncratic fonts or highly stylized typefaces will not meet the

    model form safe harbor standard. See Instruction B.3(a) to the Model

    Privacy Form.

    ---------------------------------------------------------------------------

    The Agencies separately provided optional guidance in the preamble

    to the Proposed Rule on readable type styles and other formatting

    suggestions for institutions. This optional guidance is not required;

    it was to assist institutions that want to provide more readable and

    attractive privacy notices to consumers. The Agencies are republishing

    this optional guidance in section III.E to assist interested

    institutions.

    Type Size: A number of commenters expressed various concerns about

    the proposed 10-point minimum font requirement.\93\ A few commenters

    noted that the proposed model form included several different type

    sizes for various parts of the model form and were confused about what

    type size(s) the Agencies proposed as a requirement.\94\ Other

    commenters raised concerns that a minimum type size requirement for the

    model form would conflict with state law mandated requirements. A few

    stated that a minimum font size is not legally required for the model

    form.

    ---------------------------------------------------------------------------

    \93\ See, e.g., comment letters of American Council of Life

    Insurers (May 29, 2007); National Business Coalition on E-Commerce

    and Privacy (May 30, 2007); National Retail Federation (May 29,

    2007); Financial Services Roundtable and BITS (May 29, 2007).

    \94\ The type size information in Example 3 in the preamble to

    the Proposed Rule identified the five type sizes used in various

    elements of the proposed form. This example was intended solely to

    show how key features of the form--such as headings--can be

    distinguished by using different font sizes to make the form more

    visually appealing. Contrary to some commenters' assumption, the

    different sizes were not a proposed requirement for users of the

    model form.

    ---------------------------------------------------------------------------

    Many of the criticisms about current notices are, in part, about

    the tiny print that makes these notices so difficult for consumers to

    read.\95\ Based on the statutory directive, as well as the findings

    elicited from the Agencies' consumer research and expert views, the

    Agencies believe that the model form should have a minimum 10-point

    font. Requiring a minimum 10-point font is consistent with state law

    mandates for consumer disclosures.\96\

    ---------------------------------------------------------------------------

    \95\ See Kleimann Report, supra note 32, at 33. See also, e.g.,

    Public Citizen Petition, supra note 24 at 7 (``[S]mall font sizes

    * * * deprive consumers of their right to prevent financial

    institutions from sharing private information.''); ``UNDERSTANDING

    THE FINE PRINT: How to make sure the gotchas don't get you,''

    Consumer Reports Money Adviser (Oct. 2008) (``Fine print is

    everywhere--contracts; retail Web sites; sales receipts; print,

    broadcast, and Internet offers; prospectuses; privacy notices;

    product manuals; and manufacturer warranties.''); David Colker,

    ``Stopping junk mail for living and dead; Opt-outs can slow the

    torrent of solicitations to computer and postal mailboxes and

    phones;'' Los Angeles Times, July 22, 2007, at C3 (``[B]y law,

    financial institutions have to offer an opt-out if they are making

    this data available to non-affiliated businesses. The problem is

    that their guides to opting out are often contained in their privacy

    notices--in small print.'').

    \96\ See, e.g., Cal. Fin. Code div. 1.2 Sec. 4053(d)(1)(B)

    (requiring 10-point minimum font).

    ---------------------------------------------------------------------------

    Leading: Leading is the spacing between lines of type, measured in

    points. If the line spacing is too narrow, the type is hard to read. In

    these circumstances, the ascenders (such as the upward line in the

    letter ``h'') and descenders (such as the downward line in a ``g'') may

    touch, blending the lines of type and making it much harder to

    distinguish the letters on the page. The final instructions to the

    model form require only that the leading used allow for sufficient

    spacing between the lines, but do not mandate a specific amount.

    E. Optional General Guidance for Easily Readable Type

    The Proposed Rule included optional guidance on readable type

    styles and other formatting suggestions for institutions that want to

    provide privacy notices that are more readable and attractive to

    consumers, as well as those that want to develop their own model

    privacy form.\97\ A number of commenters were concerned by this

    guidance for easily readable type, and in some cases, they assumed the

    guidance would be mandatory. The Agencies expressly state that the

    guidance in this section III.E. is not mandatory and is not a

    requirement for proper use of the model form.

    ---------------------------------------------------------------------------

    \97\ See Proposed Rule, supra note 4, at section II.F.

    ---------------------------------------------------------------------------

    In more closely examining the statutory directive for ``easily

    readable type,'' the Agencies determined that a number of type-related

    factors can greatly affect the readability of a form. Type size, type

    style, leading, x-height, serif versus sans serif,\98\ upper and lower

    case type, along with the page layout--together play an important role

    in designing a typeface that is highly readable. Therefore, in

    considering these various factors for the design of an easily readable

    type font, institutions that elect to use the model form may

    voluntarily consider this additional guidance for an easily readable

    appearance to the notice.

    ---------------------------------------------------------------------------

    \98\ Serif typeface has small strokes at the ends of the lines

    that form each letter. Sans serif typeface does not have those small

    strokes.

    ---------------------------------------------------------------------------

    Leading: Research on the legibility of typography indicates that

    people read faster when text is set with 1 to 4 points of leading.\99\

    Institutions may, but are not required to, consider these general

    recommendations for use with the model form: 10- or 11-point type

    should have between 1 and 3 points of leading. Twelve-point type should

    have between 2 and 4 points of leading.\100\

    ---------------------------------------------------------------------------

    \99\ Karen A. Schriver, Dynamics In Document Design

    (``Schriver'') 274 (1997).

    \100\ Id. at 262; see also James Hartley, Designing

    Instructional Text (1994); and Barbara Chaparro et al., Reading

    Online Text: A Comparison of Four White Space Layouts 6(2) (2004).

    ---------------------------------------------------------------------------

    Type style and ``x''-height: The readability of type size is highly

    dependent on the selection of the type style. Some styles in 10-point

    font are more readable than others in 12-point font and appear larger

    because of their design.

    Experts differ on the question of the most desirable type style.

    The model form uses sans serif and ``monoweight'' type, and upper and

    lower case lettering in the body of the form.\101\

    ---------------------------------------------------------------------------

    \101\ While much of the printed material in the United States

    and western Europe uses serif styles, Web designers are increasingly

    using sans serif type, as they have found that serif type is harder

    to read online. These changes in Web design are also beginning to

    affect font styles in printed materials. Some typography designers

    are now using sans serif typefaces, as well as type with a uniform

    thickness throughout the letter (monoweight typeface), finding these

    typefaces easier to read than those with variable thickness.

    ---------------------------------------------------------------------------

    Larger x-height \102\ makes a font appear larger and thus more

    readable, and fonts with larger x-heights are better for smaller text.

    Research shows that our eyes ``scan the top of the letters' x-heights

    during the normal reading process, so that is where the primary

    identification of each letter takes place.'' \103\ Generally, a font

    with an

    [[Page 62900]]

    x-height ratio of around .66 is easier to read.\104\

    ---------------------------------------------------------------------------

    \102\ The ``x-height'' is the height of the lower-case ``x'' in

    relation to full height letters, such as a capital G. X-height is

    critical to type legibility.

    \103\ Erik Spiekermann & E.M. Ginger, Stop Stealing Sheep & Find

    Out How Type Works 93 (1993).

    \104\ See, e.g., Hewlett-Packard Corporation, Panose

    Classification Metrics Guide (2006), available at

    http://www.monotypeimaging.com/productsservices/pan2.aspx.

    ---------------------------------------------------------------------------

    While not mandating a particular type style or x-height, the

    Agencies are providing these general guidelines for type style in the

    model form: For typefaces with a smaller x-height, 11- or 12-point font

    should be used; for typefaces with a larger x-height, a 10-point font

    would be sufficient.\105\

    ---------------------------------------------------------------------------

    \105\ See Schriver, supra note 99, at 264; see also id. at

    258-59. Fonts that satisfy the type style and x-height recommendations

    include sans serif fonts such as Tahoma, Century Gothic, Myriad,

    Avant Garde, Bk Avenir Book, ITS Franklin Gothic, Arial-Helvetica,

    and Gill Sans, and serif fonts such as the Chaparral Pro Family,

    Minion Pro, Garamond, Monotype Bodoni, and Monotype Century. A

    number of these font styles, including Arial-Helvetica, Tahoma,

    Century Gothic, Garamond, and Bodoni, are preloaded in commonly used

    word processing applications with most new personal computers. The

    other font styles are commercially available as well.

    ---------------------------------------------------------------------------

    For ease of reference, the following table summarizes the optional

    guidance discussed here. None of the standards in the table below is

    mandatory; rather, the information in the table is offered only as

    suggestions for institutions that design their own forms.

    ----------------------------------------------------------------------------------------------------------------

    If                 Then use             And use                           And use font with

    ----------------------------------------------------------------------------------------------------------------

    Font is 10-point   1-3 points leading   Monoweight typeface               Large x-height sans serif (around .66 ratio).

    Font is 11-point   1-3 points leading   Monoweight typeface               Smaller x-height is acceptable; either serif or sans serif (less than .66 ratio is acceptable).

    Font is 12-point   2-4 points leading   Monoweight or variable typeface.  Smaller x-height is acceptable; either serif or sans serif (less than .66 ratio is acceptable).

    ----------------------------------------------------------------------------------------------------------------

    F. Printing, Color, and Logos

    We are adopting the requirements for printing, color, and logos in

    the final model form as proposed. Commenters generally commended the

    Agencies' support for the use of color and company logos on the model

    form.\106\ A few industry commenters expressed concern about the

    background shading in certain headers smudging in high-speed printing

    operations.\107\ Some commenters sought clarification as to whether

    logos can use more than one color.

    ---------------------------------------------------------------------------

    \106\ See, e.g., comment letters of American Insurance Ass'n

    (May 29, 2007); National Ass'n of Mutual Insurance Cos. (May 29,

    2007); Securities Industry and Financial Markets Ass'n (May 29,

    2007); Consumer Bankers Ass'n (May 29, 2007).

    \107\ See, e.g., comment letters of National Business Coalition

    on E-Commerce and Privacy (May 30, 2007). With the modern,

    high-speed printing equipment readily available, the Agencies do not

    foresee problems with reproducing background shading, just as they

    see no difficulties with printing blocks of color for company logos

    or advertising materials. Moreover, the validation testing research

    found that consumers appreciated shading as a navigation guide. See

    Kleimann Validation Report at 9-10.

    ---------------------------------------------------------------------------

    The Agencies agree that the distinguishing features of company

    logos along with color are important to ensure that an institution's

    documents have a distinctive look that consumers may readily recognize.

    As the Agencies proposed, a financial institution that uses the model

    form may include its corporate logo on any of the pages, so long as the

    logo design does not interfere with the readability of the model form

    or space constraints of each page. Institutions using the model form

    should use white or light color paper (such as cream) with black or

    suitable contrasting color ink. Spot color is permitted to achieve

    visual interest to the model form, so long as the color contrast is

    distinctive and the color does not detract from the form's readability.

    The Agencies are not prohibiting the use of more than one color in a

    logo.

    Other commenters asked for greater flexibility to include

    ``markings'' or ``graphics'' or other ``visual effects'' or to include

    a ``branding phrase'' or ``advertising slogan.'' \108\ The Agencies

    observe that few institutions' privacy policies include advertising

    slogans. We note that some include pictures or other large designs that

    occupy the front cover. The Agencies believe that these designs or

    slogans would distract from the content of the model form and that

    slogans would be inconsistent with the standardized language throughout

    the form. For these reasons, the final model form does not permit

    institutions to include slogans or images (other than logos) on the

    model form.

    ---------------------------------------------------------------------------

    \108\ See, e.g., comment letters of Consumer Bankers Ass'n (May

    29, 2007); National Business Coalition on E-Commerce and Privacy

    (May 30, 2007).

    ---------------------------------------------------------------------------

    G. Jointly-Provided Notices

    The final model privacy form includes a new FAQ at the top of page

    two: ``Who is providing this notice?'' Many commenters representing

    larger institutions observed that the proposed model form did not

    provide sufficient space to identify multiple entities that jointly

    provide a privacy notice, as permitted by the privacy rule.\109\ Some

    suggested the Agencies provide extra space for this information either

    in the body of the notice or as a footnote. The new FAQ is not required

    where only a single financial institution is providing the notice and

    that institution is identified in the title. As discussed in section

    III.J.1, space is provided for the institution's response.

    ---------------------------------------------------------------------------

    \109\ See, e.g., comment letters of American Council of Life

    Insurers (May 29, 2007); Investment Advisers Ass'n (May 29, 2007).

    ---------------------------------------------------------------------------

    H. Use of the Form by Differently-Regulated Entities

    A number of commenters sought clarification as to whether

    institutions regulated by different Agencies could together provide a

    single joint notice to consumers.\110\ Insurance companies and their

    associations in particular expressed concern that the form did not

    allow for insurance-specific terminology and potentially put these

    institutions--regulated by the states--at some risk.\111\

    ---------------------------------------------------------------------------

    \110\ See, e.g., comment letters of National Business Coalition

    on E-Commerce and Privacy (May 30, 2007); T. Rowe Price Associates,

    Inc. (May 29, 2007); Financial Services Roundtable and BITS (May 29,

    2007); National Ass'n of Mutual Insurance Cos. (May 29, 2007);

    Investment Company Institute (May 29, 2007).

    \111\ See, e.g., comment letters of National Ass'n of Mutual

    Insurance Cos. (May 29, 2007); American Insurance Ass'n (May 29,

    2007); Great-West Life & Annuity Insurance Company (May 29, 2007).

    In addition to including insurance-specific phrases in the menu of

    terms for the ``What?'' box on page one and the collection of

    information FAQ on page two, the Rule also recognizes that

    institutions that provide insurance products or services and elect

    to use this model form can use the word ``policy'' instead of

    ``account'' for the joint accountholder description. See

    Instructions C.2(g)(1) and C.3(a)(5) to the Model Privacy Form. The

    Agencies have periodically consulted with the NAIC to ensure that

    the final model form is sufficiently flexible to address the

    insurance marketplace. The NAIC is continuing to evaluate how best

    to proceed regarding insurance company use and implementation of the

    form by individual jurisdictions. This effort may include the NAIC

    developing a model bulletin for regulatory use or amending its model

    Privacy of Consumer Financial and Health Information Regulation to

    replace the current sample clauses with the new model privacy form.

    ---------------------------------------------------------------------------

    [[Page 62901]]

    The Agencies fully intend that differently-regulated entities can

    provide a single joint notice to consumers by using the final model

    form. The Agencies have consulted with the NAIC, which submitted a

    letter with proposed modifications to certain sections of the form. The

    Agencies have incorporated into the final model form two menus of terms

    adaptable to the wide range of financial institutions. The menus

    include both the SEC's and the NAIC's proposals, and enable a variety

    of institutions, including securities firms and insurance companies, to

    use the model form, either individually or jointly with other types of

    financial institutions.

    I. Page One of the Model Form

    1. Title

    The Agencies are adopting the title, ``What Does [Name of Financial

    Institution] Do With Your Personal Information?,'' as proposed. One

    commenter objected to the title, preferring instead to refer to it as a

    privacy notice.\112\ Other commenters who provided sample revised

    notices also used alternate headings, such as, ``our privacy notice for

    consumers,'' ``privacy information,'' ``privacy statement,'' and

    ``keeping your information safe and secure.'' \113\ The research found

    that the terms ``privacy notice'' or ``privacy policy'' deterred

    consumers from reading the notice.\114\ Consumers understood these

    terms to mean that the institution does not share personal information.

    The validation testing confirmed the effectiveness of the title.\115\

    ---------------------------------------------------------------------------

    \112\ See, e.g., comment letter of MasterCard Worldwide (May 29,

    2007).

    \113\ See, e.g., comment letter of Citigroup Inc. (May 30,

    2007); Wells Fargo & Company (May 29, 2007); Wachovia Corporation

    (May 25, 2007); Sovereign Bank (May 21, 2007).

    \114\ See Kleimann Report, supra note 32, at 43, 66-67.

    \115\ Kleimann Validation Report at 8.

    ---------------------------------------------------------------------------

    2. Key Frame

    The Agencies are adopting the basic structure of the key frame as

    proposed with some language changes to address comments received.

    Industry commenters raised several objections to the key frame--the

    ``Why?,'' ``What?,'' and ``How?'' boxes. Their principal concern was

    the inflexible nature of the information in these boxes. Many

    commenters took particular issue with the list of information collected

    and shared, noting that not all institutions collect and share the

    information listed.\116\ These commenters asked for greater flexibility

    in identifying other types of information that may better relate to

    their practices. Commenters raised other issues about: vocabulary; the

    contents and number of the boxes; and the inclusion of certain

    information not required by the privacy rule. Some commenters proposed

    moving and deleting phrases--as well as using the phrase ``as permitted

    by law'' to describe the types of sharing they can do. Some commenters

    raised questions about the reference to former customers.

    ---------------------------------------------------------------------------

    \116\ See, e.g., comment letters of American Bankers Ass'n (May

    25, 2007); Investment Company Institute (May 29, 2007); Investment

    Advisers Ass'n (May 29, 2007).

    ---------------------------------------------------------------------------

    The Agencies appreciate the various suggestions

    provided--particularly on vocabulary and the structure and contents of the

    boxes--but note that the model form was developed through consumer

    research with the goal of making it understandable to consumers. The

    Agencies have decided to retain the basic structure and content of the

    key frame but have made certain modifications.

    The Agencies recognize that financial institutions may collect and

    share types of information other than those listed on the proposed

    form, including institutions that provide insurance or investment

    advice or sell securities. The Agencies have, after consulting with the

    NAIC and based on consideration of the comments received, provided a

    menu of terms, including each of the terms that was proposed, from

    which institutions may select to fill in the bracketed boxes.\117\

    Since all financial institutions collect Social Security numbers, this

    one term is required in all notices. The terms provided are designed to

    reflect the range of information typically collected by various types

    of institutions in language that consumers can more easily understand.

    ---------------------------------------------------------------------------

    \117\ See Instruction C.2(b)(2) to the Model Privacy Form.

    Similar to the proposal, the final model form requires institutions

    to provide examples that may be applicable to the institution's

    collection and sharing practices.

    ---------------------------------------------------------------------------

    Further, the Agencies have revised the statement about former

    customers to: ``When you are no longer our customer, we continue to

    share information about you as described in this notice.'' While some

    institutions objected in principle to the statement that former

    customers are subject to the same policy as current customers,\118\ no

    commenters asserted that institutions actually implement a different

    policy for former customers.\119\

    ---------------------------------------------------------------------------

    \118\ See, e.g., comment letters of Investment Advisers Ass'n

    (May 29, 2007); American Insurance Ass'n (May 29, 2007).

    \119\ This sentence continues to appear in the ``What?'' box in

    the model form without an opt-out. However, based on the validation

    testing, the opt-out versions of the model form place this sentence

    in the ``To limit our sharing'' box following the sentence

    describing sharing information about a new customer. See Kleimann

    Validation Report at 9-10.

    ---------------------------------------------------------------------------

    3. Disclosure Table

    We are adopting the disclosure table substantially as proposed,

    with some minor changes. Consumer and other advocacy groups, the NAIC,

    NAAG, and some industry commenters appreciated the easily understood

    display of information in the disclosure table of the proposed model

    form. One commenter noted the strength of the Schumer box standardized

    format.\120\ Others lauded the use of a tabular format to display a

    company's sharing practices, noting that framing one institution's

    practices against the industry as a whole is a useful way to inform

    consumers of a company's relative sharing practices and facilitates the

    comparison of different institutions' practices.\121\

    ---------------------------------------------------------------------------

    \120\ Comment letter of Capital One Financial Corporation (May

    29, 2007).

    \121\ See comment letters of The Center for Information Policy

    Leadership (May 29, 2007); Independent Community Bankers of America

    (May 29, 2007).

    ---------------------------------------------------------------------------

    A number of industry commenters and associations, including many

    small community banks and a few larger banks, also expressed support

    for the clarity and consumer-friendly format of the disclosure

    table.\122\

    ---------------------------------------------------------------------------

    \122\ See, e.g., comment letters of Independent Community

    Bankers of America (May 29, 2007); Bank of Edison (May 21, 2007);

    Capital One Financial Corporation (May 29, 2007); Citrus & Chemical

    Bank (May 24, 2007); First National Bank (Edinburg, TX) (Apr. 9,

    2007); Florence Savings Bank (April 30, 2007); Iowa State Bank and

    Trust Company (May 22, 2007); ShoreBank (Apr. 6, 2007); Hometown

    Bank (May 8, 2007).

    ---------------------------------------------------------------------------

    However, many industry commenters sought flexibility in the table

    design for several reasons. Some reported that it is common for a

    financial institution to have multiple privacy policies for different

    products that they offer consumers.\123\ Others asserted that the table

    contains a bias against larger, more complex corporate structures

    because it is overly simplistic and may show that certain types of

    institutions engage in widespread sharing.\124\ One opined that the

    table structure made it appear that the entity was reckless in its

    sharing practices.\125\ These commenters expressed particular concern

    that the model form would lead to high opt-out

    [[Page 62902]]

    rates.\126\ Many particularly objected to listing all the categories of

    sharing--especially when a consumer cannot limit or opt out of certain

    types of sharing--and others wanted to limit the list only to those

    categories used by the institution.\127\ Some commenters wanted to use

    this space to explain the benefits of certain types of sharing.\128\

    Others wanted to convey that, for example, they only shared information

    with certain types of affiliates but not others and asserted that the

    disclosure table did not permit them to make this distinction.\129\

    ---------------------------------------------------------------------------

    \123\ See, e.g., comment letters of Bank of America Corporation

    (May 29, 2007); Securities Industry and Financial Markets Ass'n (May

    29, 2007); MasterCard Worldwide (May 29, 2007).

    \124\ See, e.g., comment letters of Citigroup Inc. (May 30,

    2007); Consumer Bankers Ass'n (May 29, 2007).

    \125\ See comment letter of Consumer Bankers Ass'n (May 29,

    2007).

    \126\ See, e.g., comment letter of Johnson Financial Group (May

    14, 2007).

    \127\ See, e.g., comment letters of Huntington National Bank

    (May 25, 2007); National Business Coalition on E-Commerce and

    Privacy (May 30, 2007); Securities Industry and Financial Markets

    Ass'n (May 29, 2007).

    \128\ See, e.g., comment letter of Consumer Bankers Ass'n (May

    29, 2007).

    \129\ See, e.g., comment letters of American Council of Life

    Insurers (May 29, 2007); Securities Industry and Financial Markets

    Ass'n (May 29, 2007); American Insurance Ass'n (May 29, 2007);

    Consumer Mortgage Coalition (May 29, 2007).

    ---------------------------------------------------------------------------

    As the Agencies stated in the preamble to the Proposed Rule, based

    on the Kleimann Report and as confirmed by the quantitative research

    data and the Levy-Hastak Report, the disclosure table is the heart of

    the model form design and its most effective feature.\130\ The table

    provides for greater transparency of a company's sharing practices. It

    allows consumers to see at a glance the types of information sharing a

    company may engage in, whether that particular company shares in that

    way, and, if so, whether the consumer can limit such sharing.\131\

    Based on the research, the Agencies have retained the disclosure table

    generally unchanged in the final model form.

    ---------------------------------------------------------------------------

    \130\ See Proposed Rule, supra note 4, at text preceding and

    accompanying n.27; see also Levy-Hastak Report at 17.

    \131\ The disclosure table in the model form provides

    information ``at-a-glance'' that facilitates the comparison of a

    company's information sharing practices, both as to the industry as

    a whole and with respect to any other specific companies. In this

    way, it meets the original legislative intent to easily compare

    companies' privacy practices. See H.R. Rep. No. 106-74, at 107

    (1999).

    ---------------------------------------------------------------------------

    Addressing industry concerns about bias against larger

    institutions, the Agencies appreciate these institutions' concern that

    some of their customers may react negatively to the sharing of their

    information. The purpose of the model form is not to direct consumer

    behavior, however, but rather to provide information effectively. While

    the Levy-Hastak Report found that a majority of survey participants

    objected to the sharing of their personal information with affiliated

    companies, and more so with nonaffiliated companies, these objections

    were consistent across all the survey participants and were not

    affected by any particular notice format.\132\ The research confirms

    that the notice design more clearly informs consumers about how each

    company shares or uses the personal information it collects.

    ---------------------------------------------------------------------------

    \132\ Levy-Hastak Report at 15.

    ---------------------------------------------------------------------------

    During the course of this project, the Agencies heard from smaller

    institutions that their customers wanted to stop all sharing and

    expressly asked for opt-outs even when the institution engaged in only

    limited sharing under the section ----.14 and ----.15 exceptions.\133\

    The neutral design of the form, particularly through the table,

    explains that some sharing is necessary for an institution's ``everyday

    business purposes'' and makes clear what sharing occurs. In addition,

    the model form uses the term ``limiting'' sharing, rather than stopping

    sharing altogether. These small institutions commented that this more

    balanced presentation of sharing practices is a very important feature

    of the notice, and one that they welcome, as it makes all institutions'

    sharing practices more transparent.\134\

    ---------------------------------------------------------------------------

    \133\ This comment was made by some of the Agencies' regulated

    entities at various times during the course of this project and was

    also discussed by members of the Board's Consumer Advisory Council

    during its discussions in 2007 about the Notice Project and model

    form proposals.

    \134\ See, e.g., comment letter of Independent Community Bankers

    Ass'n (May 29, 2009).

    ---------------------------------------------------------------------------

    The strength of the table design is that it facilitates comparison

    by showing what a particular institution's sharing practices are as

    compared to what all financial institutions can legally do. For this

    reason, the final model form incorporates all seven reasons for

    sharing, with only the affiliate marketing provision--``For our

    affiliates to market to you''--optional for those companies that elect

    to incorporate that disclosure in their GLB notices.\135\

    ---------------------------------------------------------------------------

    \135\ See infra note 142.

    ---------------------------------------------------------------------------

    While the middle column requires institutions to answer ``yes'' or

    ``no'' to whether it shares for each of the reasons, some commenters

    expressed concern that their information sharing practices were

    sufficiently complex that they could not answer ``yes'' or ``no,''

    stating that they had different practices for different products.

    Institutions that elect to use the model form must answer the questions

    in the final model form as directed in the proposal. If an institution

    elects to use the model form, it must either harmonize its practices so

    one notice applies to all its products, or it must provide separate

    notices for products subject to different information sharing

    practices.

    A few commenters opined that they may not currently share but want

    to reserve the right to share in the future. In such a case, the

    correct response in the middle column is ``yes,'' consistent with the

    privacy rule.\136\

    ---------------------------------------------------------------------------

    \136\ See the privacy rule, section ----.6(e), NCUA section

    716.6(d) (notices can be based on current and anticipated policies

    and practices).

    ---------------------------------------------------------------------------

    Many institution commenters objected that the proposed terms to

    describe sharing practices were abbreviated or incomplete and asserted

    that the Agencies limited sharing that is lawfully permitted. For

    example, commenters objected that the definition of ``everyday business

    purposes'' excluded a long list of permissible disclosures designated

    in sections ----.14 and ----.15.\137\ However, as the Agencies stated

    in the proposal, the phrase ``everyday business purposes'' fully

    incorporates all the disclosures permitted by law under sections

    ----.14 and ----.15 of the privacy rule.\138\ In addition, the Agencies

    have determined that service providers that do not fall under section

    ----.14, but perform direct services to the institution such as opt-out

    scrubbing or market analysis or research under a section ----.13

    agreement, are included under this provision.\139\

    ---------------------------------------------------------------------------

    \137\ See, e.g., comment letters of American Insurance Ass'n

    (May 29, 2007); Consumer Bankers Ass'n (May 29, 2007); Citigroup

    Inc. (May 30, 2007); Securities and Financial Markets Ass'n (May 29,

    2007).

    \138\ See, e.g., comment letters of American Bankers Ass'n (May

    25, 2007); American Insurance Ass'n (May 29, 2007); Securities

    Industry and Financial Markets Ass'n (May 29, 2007). This language

    substantially replaces the ``as permitted by law'' phrase used in

    the Sample Clauses, covering all permitted disclosures--along with

    the attendant requirements on reuse and redisclosure--found under

    sections ----.14 and ----.15 of the privacy rule. Unlike that

    clause, ``everyday business purposes'' conveys more concrete

    information to consumers and, importantly, helps them understand

    that some sharing is necessary in order to obtain financial products

    or services.

    \139\ Joint marketing with other financial institutions and

    section ----.13 service providers contracted to do marketing for a

    financial institution are disclosed separately. See Instruction

    C.2(d)(3) to the Model Privacy Form.

    ---------------------------------------------------------------------------

    The cited examples of ``everyday business purposes'' \140\ are

    illustrative only, to enhance consumer understanding. While commenters

    urged us to include the phrase ``as permitted by law'' in this

    description, research has found that consumers are confused and

    concerned by this phrase; they do not know what it means or what

    [[Page 62903]]

    ``laws'' it encompasses.\141\ Including that phrase would be

    inconsistent with consumers' need for clear language to understand what

    their financial institution does with their information.

    ---------------------------------------------------------------------------

    \140\ The final model form consolidates all references to

    ``everyday business purposes'' in the first reason in the disclosure

    table, thereby eliminating the illustrative explanation in the

    ``How?'' box on page one and the definition on page two.

    \141\ See Survey Research Center at the University of Georgia,

    National Ass'n of Insurance Commissioners Insurance Disclosure Focus

    Group Study (``NAIC Study''), available at

    http://www.ftc.gov/os/comments/modelprivacyform/528621-00012.pdf. See also infra

    discussion at text accompanying note 221.

    ---------------------------------------------------------------------------

    Because the laws governing disclosure of consumers' personal

    information are not easily translated into short, comprehensible

    phrases, the table uses more easily understandable short-hand terms to

    describe sharing practices. We do not believe that these short-hand

    terms diminish the laws' provisions, as some commenters asserted. If,

    as these commenters suggest, the Agencies add to the laundry list of

    descriptive terms to make the provisions in the table more ``precise,''

    we believe it will defeat the purpose of making this information more

    understandable to consumers. Thus, the Agencies have chosen not to

    provide detailed descriptions for each of the reasons in the table; we

    re-affirm that institutions' ability to share information in accordance

    with the statutory provisions would not be limited or otherwise

    modified by using the model form language.

    The phrase ``For our marketing purposes'' captures the idea that

    nearly all, if not all, institutions share information to market their

    own products and services to their customers (for example, using a

    joint marketing agreement with a service provider such as a bulk mailer

    or data processor pursuant to section ----.13 of the privacy rule) in a

    manner that does not trigger an opt-out right. Likewise, the phrase

    ``nonaffiliates to market to you'' does not diminish the information

    sharing permitted by the privacy rule, provided that institutions first

    provide an opportunity for consumers to opt out, as provided for in

    section ----.10 of the privacy rule.

    In all these instances, the lack of explicit references in the

    model form to certain of the exceptions does not mean that an

    institution cannot take advantage of all the exceptions provided for in

    the law.

    4. FCRA Opt-Outs

    The FCRA provisions are adopted in the model privacy form as

    proposed.\142\ A number of industry commenters objected that the

    disclosure table did not provide a sufficiently complete or accurate

    description of the affiliate sharing provisions of the FCRA.\143\ They

    urged the Agencies to revise these provisions to more precisely

    distinguish between the different types of information that can be

    shared with affiliates (both with and without an opt-out), to describe

    the applicable exceptions, and to more accurately describe the opt-out

    pertaining to information that can be used by affiliates for marketing.

    ---------------------------------------------------------------------------

    \142\ The table includes, as an optional disclosure, the opt-out

    required by section 624 of the FCRA (reason 6 in the table), 15

    U.S.C. 1681s-3 (affiliate use of information for marketing), as

    added by section 214 of the Fair and Accurate Credit Transactions

    Act of 2003 (FACT Act), Public Law No. 108-159, 117 Stat. 1952.

    Section 624 generally provides that information that may be shared

    among affiliates--including transaction and experience information

    and certain creditworthiness information--cannot be used by an

    affiliate for marketing purposes unless the consumer has received a

    notice of such use and an opportunity to opt out, and the consumer

    does not opt out. Congress did not grant the CFTC rulemaking

    authority to implement section 624. The other Agencies have issued

    final regulations implementing the affiliate marketing provision of

    the FACT Act, 12 CFR part 41 (OCC), 12 CFR part 222 (Board), 12 CFR

    part 334 (FDIC), 12 CFR part 571 (OTS), 12 CFR part 717 (NCUA), 16

    CFR parts 680 and 698 (FTC), 17 CFR part 248, subpart B (SEC)

    (``affiliate marketing rule''). Because the Agencies' affiliate

    marketing rules generally use consistent section numbering, relevant

    sections will be cited, for example, as ``section --.23'' unless

    otherwise noted. The affiliate marketing rule included language

    stating that the section 624 disclosure as it appears in the model

    form will meet the requirements of that rule. See 72 FR 61424, 61452

    (Oct. 30, 2007) (FTC); 72 FR 62910, 62932 (Nov. 7, 2007) (banking

    agencies); 74 FR 40398, 40418 (Aug. 11, 2009) (SEC) (``use of the

    [GLB Act] model privacy form will satisfy the requirement to provide

    an initial affiliate marketing opt-out notice''). See also section

    ----.23(b) of the affiliate marketing rule.

    \143\ See, e.g., comment letters of Citigroup Inc. (May 30,

    2007); American Bankers Ass'n (May 25, 2007); Consumer Bankers Ass'n

    (May 29, 2007); National Business Coalition on E-Commerce and

    Privacy (May 30, 2007); Visa U.S.A, Inc. (May 29, 2007).

    ---------------------------------------------------------------------------

    The FCRA statutory provisions are quite complex and their legal

    intricacies are difficult for consumers to understand. The Agencies

    found through the consumer testing conducted by Kleimann that the

    short-hand FCRA terms used in the model form describing the types of

    personal information that can be shared with affiliates are sufficient

    to enable consumers to make informed decisions about such sharing.

    Again, these short-hand terms do not in any way diminish or modify the

    affiliate sharing provisions of the FCRA.\144\ To give some meaning to

    the statutory term ``other information,'' the disclosure table uses

    ``Information about your creditworthiness''--a short-hand phrase that

    consumers reasonably understood. Testing also found that consumers

    reasonably understood the phrase ``information about your transactions

    and experience'' without further embellishment.\145\

    ---------------------------------------------------------------------------

    \144\ See section 603(d)(2)(A) of the FCRA relating to the

    sharing of ``transaction and experience information'' and the

    sharing of ``other information'' which triggers an opt-out notice.

    \145\ Kleimann Report, supra note 32, at 63.

    ---------------------------------------------------------------------------

    Some institutions objected to the description of the optional

    affiliate marketing provision enacted under the FACT Act for which the

    Agencies have published final regulations.\146\ These commenters are

    correct that this provision, unlike the others, is about the use of

    shared information for marketing. While the Agencies and Kleimann

    worked to ensure accuracy in the model form, it was evident at the

    outset that this particular provision would be very difficult to

    explain in a simple and clear way to consumers and be precisely true to

    the statutory language.

    ---------------------------------------------------------------------------

    \146\ See supra note 142.

    ---------------------------------------------------------------------------

    The final formulation we proposed tested sufficiently well to show

    that consumers understand its basic meaning.\147\ Including the

    affiliate marketing notice and opt-out in the model form is optional.

    Institutions that are required to provide this notice, and elect not to

    include it in their GLB Act privacy notice, must separately send an

    affiliate marketing notice that complies fully with the affiliate

    marketing rule requirements.

    ---------------------------------------------------------------------------

    \147\ Levy-Hastak Report at 15.

    ---------------------------------------------------------------------------

    For those institutions that elect to incorporate this provision in

    the model form, the Agencies believe that it is simpler and less

    confusing to consumers for the affiliate marketing opt-out to be of

    indefinite duration, consistent with the opt-out required under the GLB

    Act. If an institution elects to limit the time period for which the

    opt-out is effective, as permitted under the affiliate marketing rule,

    it must not include the affiliate marketing opt-out in the model form.

    Instead, the institution must comply separately with the specific

    affiliate marketing rule requirements.

    5. Limiting Sharing: Opt-Out Information

    In response to commenters and the results of the quantitative

    testing, the final model form includes opt-out information for those

    institutions that are required to provide an opt-out on the bottom of

    page one. The Agencies proposed that the information about limiting or

    opting out of certain sharing, as needed, would be provided on a

    separate third page. Many commenters objected to the use of a separate

    piece of paper for this information, particularly if the notice itself

    is quite short.\148\

    ---------------------------------------------------------------------------

    \148\ See, e.g., comment letters of American Council of Life

    Insurers (May 29, 2007); National Automobile Dealers Ass'n (May 29,

    2007); Securities Industry and Financial Markets Ass'n (May 29,

    2007).

    ---------------------------------------------------------------------------

    [[Page 62904]]

    This change eliminates the extra page from the proposed model form

    and places this important information on the first page that the

    consumer sees. In addition to the model form with no opt-out, the

    Agencies are providing two alternate versions to be used, as

    appropriate, depending on whether the institution offers the option to

    limit information sharing by mail.\149\

    ---------------------------------------------------------------------------

    \149\ Some commenters asked about providing the opt-out in an

    in-person transaction so that the customer could execute the opt-out

    at that time or could deliver the completed opt-out form in person.

    The privacy rule does not preclude obtaining a consumer's opt-out

    election in person. However, while an institution may accept an opt-

    out election from a consumer in person, requiring a consumer to

    obtain an opt-out form at a branch office as the only means to opt

    out violates the privacy rule. See sections --.7(h), --.9(a) and

    (b), and --.10(a)(1) and (a)(3) of the privacy rule.

    ---------------------------------------------------------------------------

    Institutions using the model form must include the opt-out section

    in their notices only if they (1) share or use information in a manner

    that triggers an opt-out, or (2) choose to provide opt-outs beyond what

    is required by law. Financial institutions that provide opt-outs are

    not required to provide all the opt-out choices and methods described

    in the model form; they should select those that accurately reflect

    their practices.\150\

    ---------------------------------------------------------------------------

    \150\ Institutions that do not include the affiliate marketing

    disclosure on the model privacy form must not include the affiliate

    marketing notice or opt-out on the model form mail-in form; that

    notice must be provided in accord with the affiliate marketing rule,

    outside the model form.

    ---------------------------------------------------------------------------

    A number of commenters objected to the statement describing the

    time period before information can first be shared according to an

    institution's privacy policy.\151\ Recognizing that institutions will

    provide this form both to new customers and annually to existing

    customers, the Agencies have modified the language accordingly.\152\

    The revised model form allows institutions to insert a time period that

    is 30 days or longer from the date the notice was sent before it can

    begin sharing for new customers. Some commenters opined that in certain

    instances they should be able to require the consumer to make an opt-

    out decision at the time of the in-person or electronic transaction

    rather than waiting 30 days. While the Agencies recognize that certain

    situations may warrant an immediate decision, the basic rule is to

    allow a ``reasonable'' opportunity to opt out.\153\

    ---------------------------------------------------------------------------

    \151\ See, e.g., comment letters of Bank of America Corporation

    (May 29, 2007); Wells Fargo & Company (May 29, 2007); Securities

    Industry and Financial Markets Ass'n (May 29, 2007); American

    Council of Life Insurers (May 29, 2007).

    \152\ The revised language states: ``If you are a new customer,

    we can begin sharing your information [30] days from the date we

    sent this notice.'' See also supra note 119.

    \153\ See, e.g., sections --.10(a)(1)(iii) and --.10(a)(3)(iii)

    of the privacy rule.

    ---------------------------------------------------------------------------

    Telephone and online opt-outs should closely match the options

    provided in the form. Consistent with the direction provided in the

    affiliate marketing rule,\154\ the Agencies also contemplate that a

    toll-free telephone number would be adequately designed and staffed to

    enable consumers to opt out in a single telephone call. In setting up a

    toll-free telephone number that consumers may use to exercise their

    opt-out rights, institutions should minimize extraneous messages

    directed to consumers who are in the process of opting out.

    ---------------------------------------------------------------------------

    \154\ See 72 FR 61424, 61448 (Oct. 30, 2007) (FTC); 72 FR 62910,

    62935 (Nov. 7, 2007) (banking agencies); 74 FR 40398, 40421 (August

    11, 2009) (SEC).

    ---------------------------------------------------------------------------

    A number of industry commenters requested clarification on how

    joint accountholders would be treated.\155\ The Agencies have addressed

    this question with a new FAQ, described below. Further, if an

    institution elects to provide a choice for the joint accountholder to

    apply the opt-out only to that joint accountholder, that option must be

    provided in the telephone or Web prompt, as well as presented in the

    left-hand box on the mail-in form.\156\

    ---------------------------------------------------------------------------

    \155\ See, e.g., comment letters of American Bankers Ass'n (May

    25, 2007); Discover Bank (May 29, 2007).

    \156\ See also privacy rule, section --.7(d), NCUA section

    716.7(d)(6).

    ---------------------------------------------------------------------------

    A number of commenters from both industry and advocacy groups

    addressed the question whether consumers need to provide personal

    information such as a Social Security number, account number, or other

    identification number in order to opt out. The consumer advocacy

    organizations, some industry commenters, and an industry association

    proposed omitting the account number field from the proposed form to

    reduce the risk of fraud.\157\ These commenters expressed concerns

    about phishing and identity theft, and were especially concerned about

    institutions' use of the Social Security number to confirm an opt-out

    request. These commenters argued that a name and address should be

    sufficient to effect an opt-out from an institution's information

    sharing.

    ---------------------------------------------------------------------------

    \157\ See, e.g., comment letters of Center for Democracy and

    Technology (May 29, 2007); Privacy Rights Clearinghouse (May 22,

    2007); National Automobile Dealers Ass'n (May 29, 2007).

    ---------------------------------------------------------------------------

    Many institutions argued that they needed a Social Security number

    or full account or policy number in order to authenticate the person

    who wanted to opt out or to apply the opt-out appropriately to all

    accounts held by the customer or only to specific accounts.\158\ Some

    industry commenters urged limiting the information to only the last

    four digits of an account number as both safe for the consumer and

    sufficient to implement the opt-out.\159\

    ---------------------------------------------------------------------------

    \158\ See, e.g., comment letters of National Retail Federation

    (May 29, 2007); Citicorp (May 29, 2007); National Business Coalition

    on E-Commerce and Privacy (May 30, 2007).

    \159\ See, e.g., comment letters of Sun Trust Banks, Inc. (May

    23, 2007); Central National Bank of Enid (May 24, 2007).

    ---------------------------------------------------------------------------

    Having considered these comments and the context in which such

    sensitive information is used--to implement an opt-out for information

    sharing--the Agencies strongly encourage institutions to use some other

    form of identifier, such as a randomly generated ``opt-out code''

    provided in the notice that consumers can use to exercise their opt-

    outs without jeopardizing the security of their most sensitive personal

    information. A random code--which some institutions currently use--both

    protects consumers' most sensitive information and at the same time can

    be used to link both the customer and account(s) to which the opt-out

    should apply. Such an approach would further simplify the opt-out

    process for consumers. If such an approach is not feasible,

    institutions could use a truncated account or policy number to protect

    sensitive information.\160\ Of course, any opt-out means provided--

    including any information requirements imposed on consumers--must be

    reasonable under the privacy rule and reasonable and simple under the

    affiliate marketing rule.\161\ Institutions should keep these

    requirements in mind when requesting information beyond the consumer's

    name and address.

    ---------------------------------------------------------------------------

    \160\ See also The President's Identity Theft Task Force,

    Combating Identity Theft, at 13 (Apr. 2007) (``Consumer information

    is the currency of identity theft, and perhaps the most valuable

    piece of information for the thief is the SSN'').

    \161\ See section ----.7(a)(1)(iii) of the privacy rule and

    section --.25(a) of the affiliate marketing rule.

    ---------------------------------------------------------------------------

    A number of industry commenters objected to the inability of the

    model form to provide for partial opt-outs, as permitted by the privacy

    rule.\162\ The Agencies have observed that partial opt-outs are not

    widely employed. Trying to incorporate partial opt-outs in this model

    form would be unduly complicated and confusing for consumers, so the

    Agencies have determined to use the default provision of the privacy

    rule that provides for an opt-out that applies to all information.\163\

    Institutions that want to

    [[Page 62905]]

    provide partial opt-outs cannot do so using the model form.

    ---------------------------------------------------------------------------

    \162\ See, e.g., comment letters of American Council of Life

    Insurers (May 29, 2007); Securities Industry and Financial Markets

    Ass'n (May 29, 2007).

    \163\ See section --.10(b) of the privacy rule.

    ---------------------------------------------------------------------------

    A number of commenters wanted to include in the model form the

    statement ``If you have already told us your choice(s), you do not have

    to tell us again.'' \164\ Because this statement would only be accurate

    if the institution has not changed its notice to include new opt-out

    options, the Agencies have decided not to include it in the model form.

    Institutions that choose to use this statement must do so outside the

    model form.

    ---------------------------------------------------------------------------

    \164\ See, e.g., comment letters of MasterCard Worldwide (May

    29, 2007); National Business Coalition on E-Commerce and Privacy

    (May 30, 2007); Wells Fargo & Company (May 29, 2007); Wolters Kluwer

    Financial Services (May 24, 2007).

    ---------------------------------------------------------------------------

    6. Additional Opt-Outs in the Model Form

    Like the proposed form, the final model form permits institutions

    to provide for voluntary or state law-required opt-outs. For example,

    if an institution elects to offer its customers the opportunity to opt

    out of its marketing, it can do so by saying ``yes'' in the third

    column. Similarly, an institution can offer its customers a right to

    opt out of joint marketing, if it chooses.

    Institutions that must comply with various state law requirements,

    depending on their practices and the choices they offer, may be able to

    do so in one of two ways using the model form. For example, Vermont law

    requires institutions to obtain opt-in consent from Vermont consumers

    for affiliate sharing. The disclosure table permits an institution to do

    one of two things: (1) it can provide a notice directed to its Vermont

    customers that answers ``no'' to the question about whether it shares

    creditworthiness information with its affiliates, or (2) it can provide

    a generalized notice for consumers across a number of states including

    Vermont and answer ``yes'' to the question about sharing

    creditworthiness information with its affiliates and include a

    discussion on the application of Vermont law in the ``Other important

    information'' box on page two of the form.\165\

    ---------------------------------------------------------------------------

    \165\ California provides that a consumer can opt out of joint

    marketing. Cal. Fin. Code div. 1.2 Sec. 4053(b)(2). Thus, an

    institution can provide a generalized notice offering no opt-out,

    with California-specific information in the ``Other important

    information'' box. Alternatively, an institution can provide a

    separate notice to its California customers. Institutions cannot use

    the model form to offer opt-in consent. See Instruction C.2(g)(5) to

    the Model Privacy Form.

    ---------------------------------------------------------------------------

    To obtain the safe harbor for use of the proposed model form, an

    institution that uses the disclosure table to show any additional opt-

    out choices (beyond what is required under Federal law) must make that

    opt-out available through the same opt-out options the institution

    provides in the notice, whether by telephone, Internet, or a mail-in

    opt-out form.\166\

    ---------------------------------------------------------------------------

    \166\ See Instruction C.2(g) to the Model Privacy Form.

    ---------------------------------------------------------------------------

    7. Contact Information for Questions

    Like the proposed form, the final model form provides contact

    information at the bottom of page one. Some commenters objected that it

    would be confusing if an opt-out is offered or the institution wants to

    limit such contact to a mail option only.\167\ The Kleimann Report

    found that consumers want a way to contact their financial institution

    if they have any questions.\168\ The NAIC Study likewise found this to

    be one of the most important pieces of information that consumers want

    in a notice.\169\ In revising the proposed model form to include the

    opt-out information on page one, the Agencies have modified the

    ``Contact Us'' box to label it ``Questions'' (to more clearly

    distinguish between the two) and clarified in the Instructions that

    this box is for customer service contact information, either by

    telephone or the Internet or both, at the institution's option.

    ---------------------------------------------------------------------------

    \167\ See, e.g., comment letters of MasterCard Worldwide (May

    29, 2007); American Insurance Ass'n (May 29, 2007); American Council

    of Life Insurers (May 29, 2007); Securities Industry and Financial

    Markets Ass'n (May 29, 2007).

    \168\ Kleimann Report, supra note 32, at 35, 226.

    \169\ NAIC Study, supra note 141.

    ---------------------------------------------------------------------------

    Customer service contact information is for consumers who may have

    questions about the institution's privacy policy and may be the same

    contact information for consumers' questions relating to the

    institution's products or services. The Agencies are not requiring a

    separate customer service number solely to answer questions about the

    institution's privacy policy. The customer service contact information

    is different from the opt-out contact information, unless the customer

    service number is made available for consumers to opt out. The contact

    information should give consumers a way to communicate directly with

    the institution.\170\

    ---------------------------------------------------------------------------

    \170\ See Instruction C.2(f) to the Model Privacy Form.

    ---------------------------------------------------------------------------

    8. Mail-In Opt-Out Form

    The mail-in opt-out form for institutions that provide such a form

    is adopted with two modifications, with the changes based on comments,

    the quantitative testing, and the Levy-Hastak Report. The validation

    testing shaped the design for the opt-out information in the final

    model form.

    As discussed in section III.I.5, the final model form displays all

    opt-out information, including the mail-in form, on page one, for

    institutions that provide an opt-out. In response to commenters, the

    Agencies have added information on joint accountholders to the model

    form by providing a new FAQ on page two. Institutions must include the

    joint accountholder information in the mail-in form only when the

    institution allows a joint accountholder to choose whether to apply an

    opt-out election only to one accountholder.\171\ Otherwise, that space

    is blank or omitted from the mail-in form.

    ---------------------------------------------------------------------------

    \171\ See also infra section III.J.1. Section III.I.5 provides

    guidance on the use of sensitive personal information (such as a

    Social Security number or account number) to effect an opt-out.

    Section III.I.6 discusses how voluntary or state-required privacy

    law opt-outs should appear in the mail-in opt-out form. See also

    Instruction C.2(g) to the Model Privacy Form.

    ---------------------------------------------------------------------------

    Finally, institutions that use the mail-in opt-out form must insert

    the institution's mailing address either in the right-hand box or just

    below the mail-in form, as shown in version 3 and optional version 4 in

    the Appendix and as described in the Instructions to the Model Form.

    J. Page Two of the Model Form

    The Agencies have modified page two of the model form to streamline

    the information on the page and to provide flexibility for institutions

    to insert certain institution-specific information.

    1. Frequently Asked Questions

    To address the concerns about jointly-provided notices, the

    Agencies have added a new FAQ at the top of page two: ``Who is

    providing this notice?'' An institution may omit this FAQ only when one

    financial institution is providing the notice and that institution is

    identified in the title. The space to the right, which is limited (for

    reasons of space constraints) to a maximum of four (4) lines,\172\

    allows institutions that are jointly providing the notice to be

    identified.\173\ This space must be used to:

    ---------------------------------------------------------------------------

    \172\ While the Agencies are limiting the space allotted for

    this FAQ, we do not intend that institutions will constrain the

    width of the left column (with the questions) so as to make this

    page difficult to read. We remind institutions that design experts

    recommend using sufficient white space to set off features such as

    headings, bullets, and key information used by consumers to quickly

    scan a document. We note further that the ratio of the column widths

    of the questions to the responses in the model form is approximately

    1:2.

    \173\ The option of creating a jointly provided notice is not

    limited only to financial holding companies, as one commenter

    observed. Instruction B.1 to the Model Privacy Form has been

    modified to clarify that point.

    ---------------------------------------------------------------------------

    [[Page 62906]]

    1. State the common corporate name or other readily identifiable

    name that is also used for the title and various headings of the model

    form as the ``name of financial institution;'' and

    2. Either (a) identify the entities jointly providing the notice;

    or (b) for institutions with a lengthy list of entities jointly

    providing the notice, identify the general types of entities in the

    response and identify the entities \174\ at the end of the form

    following the ``Other important information'' box, or, if that box is

    not incorporated into the form, following the ``Definitions'' or on an

    additional page. The list at the end of the form must be printed in

    minimum 8-point font and may appear in a multi-column format.

    ---------------------------------------------------------------------------

    \174\ See section --.9(f) of the privacy rule.

    ---------------------------------------------------------------------------

    The Agencies have deleted the FAQ on how often consumers are

    provided notices on an institution's sharing practices due to space

    constraints.\175\

    ---------------------------------------------------------------------------

    \175\ While the testing found it to be helpful background, this

    information is not required by the privacy rule.

    ---------------------------------------------------------------------------

    A number of commenters objected to the response to the question

    about how personal information is protected. Some objected to the

    phrase ``comply with federal laws.'' \176\ The Agencies note that this

    phrase closely tracks current Sample Clause A-7 and is already widely

    used by many institutions. Several objected to the phrase ``secured

    buildings and files,'' preferring ``physical safeguards.'' \177\ As

    explained in the Kleimann Report, the Agencies developed this text to

    help consumers better understand the practical meaning of physical

    security.\178\ The Agencies have determined to retain the FAQ as

    proposed, with one modification. In response to commenters who asked to

    include more specific information,\179\ such as information about

    cookies or online practices or limiting employee access to personal

    information, the Agencies are allowing institutions to add more detail,

    limited to describing their safeguards practices, up to a maximum of

    thirty (30) additional words. This doubles the space allotted for the

    safeguards response and provides flexibility to institutions to

    customize the safeguards description. The optional information must

    appear after the standard response for this FAQ.

    ---------------------------------------------------------------------------

    \176\ See, e.g., comment letters of Consumer Bankers Ass'n (May

    29, 2007); MasterCard Worldwide (May 29, 2007).

    \177\ See comment letters of American Council of Life Insurers

    (May 29, 2007); American Insurance Ass'n (May 29, 2007).

    \178\ Kleimann Report, supra note 32, at 125-26.

    \179\ See, e.g., comment letters of Iowa State Bank and Trust

    (May 22, 2007); PayPal (May 29, 2007); Wachovia Corporation (May 25,

    2007).

    ---------------------------------------------------------------------------

    A number of industry commenters objected to the inflexible nature

    of the description of the sources from which personal information is

    collected, stating that in many cases the proposed descriptions do not

    correlate to their practices or the practices of their particular

    industry.\180\ As with the description of the types of information

    collected and shared on page one, the Agencies are providing a menu of

    terms from which institutions can select to fill in the bulleted

    lists.\181\ The list is designed to include the range of information

    sources typically used by a variety of institutions subject to the GLB

    Act and the FCRA, including those in the insurance, securities, and

    investment advisory businesses, as well as those companies subject to

    FTC jurisdiction. Finally, institutions that collect information from

    their affiliates and/or from credit bureaus must use as the last

    sentence of this response: ``We also collect your personal information

    from others, such as credit bureaus, affiliates, or other companies.''

    Institutions that do not collect personal information from their

    affiliates or credit bureaus but do collect personal information from

    other companies must include the following statement: ``We also collect

    your personal information from other companies.'' Only institutions

    that do not collect any personal information from affiliates, credit

    bureaus, or other companies can omit both statements.

    ---------------------------------------------------------------------------

    \180\ See, e.g., comment letters of American Council of Life

    Insurers (May 29, 2007); American Bankers Ass'n (May 25, 2007);

    Consumer Bankers Ass'n (May 29, 2007); Mastercard Worldwide (May 29,

    2007); Wells Fargo & Company (May 29, 2007); National Ass'n of

    Mutual Insurance Cos. (May 29, 2007); National Automobile Dealers

    Ass'n (May 29, 2007).

    \181\ See Instruction C.3(a)(3) to the Model Privacy Form. See

    supra note 117.

    ---------------------------------------------------------------------------

    A number of industry commenters objected to the FAQ about limiting

    sharing, arguing variously that this is not required and that they

    should only have to include in the response those bullets that apply to

    their sharing practices.\182\ The Agencies have determined to retain

    this FAQ with a revision to the bulleted list, as it helps consumers

    better understand what rights they have under Federal law and

    reinforces the message that information sharing may be limited but not

    stopped completely. The second bullet was revised to more closely track

    the provisions of the affiliate marketing rule. Finally, the Agencies

    have provided an optional sentence for institutions to elect to include

    at the end, as applicable, ``See below for more on your rights under

    state law,'' a reference to the state-specific privacy law information

    that an institution may include in the ``Other important information''

    box.

    ---------------------------------------------------------------------------

    \182\ See, e.g., comment letters of American Council of Life

    Insurers (May 25, 2007); National Ass'n of Mutual Insurance Cos.

    (May 29, 2007).

    ---------------------------------------------------------------------------

    As discussed earlier, a number of commenters asked how an opt-out

    election can be applied to joint accountholders.\183\ This is addressed

    by a new FAQ on page two. Two optional responses are provided for

    institutions to use: The first states that an opt-out election by any

    joint accountholder will be applied to everyone on the account. The

    second provides that the opt-out election will be applied to everyone

    on the account unless the customer elects to have the opt-out apply

    only to him. Institutions must select one or the other as the response

    to this question.\184\

    ---------------------------------------------------------------------------

    \183\ See, e.g., comment letters of American Bankers Ass'n (May

    29, 2007); Discover Bank (May 29, 2007); Mastercard Worldwide (May

    29, 2007); Huntington National Bank (May 25, 2007).

    \184\ See also supra discussion section III.I.8.

    ---------------------------------------------------------------------------

    2. Definitions

    In the final model privacy form, the definition of ``everyday

    business purposes'' has been deleted as superfluous, and the

    description of everyday business purposes has been consolidated in the

    disclosure table on page one. The other three definitions remain as

    proposed, with one modification.

    The Agencies make the following further clarification in response

    to some commenters.\185\ First, if an institution has no affiliates or

    does not share with its affiliates, it does not have to describe the

    categories of affiliates in this definition. Applicable responses in

    such conditions are, respectively: ``[name of financial institution]

    has no affiliates'' or ``[name of financial institution] does not share

    with our affiliates.''

    ---------------------------------------------------------------------------

    \185\ See, e.g., comment letters of Mastercard Worldwide (May

    29, 2007); Huntington National Bank (May 25, 2007); Consumer Bankers

    Ass'n (May 29, 2007); Wells Fargo & Company (May 29, 2007).

    ---------------------------------------------------------------------------

    Similarly, if an institution does not share for joint marketing or

    with nonaffiliated third parties outside of the section ----.14 and

    ----.15 exceptions, applicable responses are: ``[name of financial

    institution] doesn't jointly market'' or ``[name of financial

    institution] does not share with nonaffiliates so they can market to

    you.''

    The Instructions have been modified with respect to an

    institution's sharing with its affiliates so that an institution must

    provide only an illustrative list of affiliates with which it shares,

    and not

    [[Page 62907]]

    a complete list. As proposed, when an institution shares with

    nonaffiliates or with other financial institutions to do joint

    marketing, the institution must describe the categories of entities

    with which it shares.\186\ While the Instructions provide illustrative

    examples of categories, institutions must provide examples consistent

    with their practices. The Instructions provide guidance on these

    points.\187\

    ---------------------------------------------------------------------------

    \186\ See sections ----.6(a)(3), ----.6(a)(5), ----.6(c)(3), and

    ----.6(c)(4) of the privacy rule. The joint marketing provisions

    apply to joint marketing agreements with other financial

    institutions, but not to other types of arrangements with section

    ----.13 service providers.

    \187\ See Instruction C.3(b) to the Model Privacy Form.

    ---------------------------------------------------------------------------

    3. State and International Law Provisions

    To accommodate commenters' requests to incorporate state and

    international law provisions in the notice,\188\ the Agencies have

    added a new optional box at the end of the final model form called

    ``Other important information.'' The size of the box is not limited

    (except where space constraints apply in the Online Form Builder,

    described below), and institutions may use a third page, as necessary,

    for the information in this box. To qualify for the safe harbor,\189\

    institutions that elect to use this box can only use it for the

    following: (1) information about state and/or international privacy law

    requirements, as applicable; or (2) an acknowledgment form to create a

    record of having provided the notice. Certain institutions, for

    example, are required to include specific affiliate sharing information

    for Vermont residents or to meet other requirements under California

    law. Some insurance commenters noted that approximately 16 states have

    privacy laws that require insurers to provide notice of ``access and

    correction'' rights.\190\ Commenters noted that other states require

    disclosures about medical information.\191\ Some large institutions

    noted that they are required to provide international law information.

    Such information may be included in this new box. In addition, one

    association commenter, representing automobile dealers, specifically

    requested a place on the form to allow its members to obtain signatures

    from customers acknowledging that they had received a copy of the

    notice.\192\

    ---------------------------------------------------------------------------

    \188\ See, e.g., comment letters of American Bankers Ass'n (May

    25, 2007); American Council of Life Insurers (May 29, 2007); Bank of

    America Corporation (May 29, 2007); Citigroup Inc. (May 30, 2007);

    Consumer Bankers Ass'n (May 29, 2007); Consumer Mortgage Coalition

    (May 29, 2007); Countrywide Home Loans, Inc. (May 29, 2007);

    Discover Bank (May 29, 2007); Financial Services Institute (May 29,

    2007); Iowa Student Loan (May 22, 2007); KeyCorp (May 25, 2007);

    National Business Coalition on E-Commerce and Privacy (May 30,

    2007); National Retail Federation (May 29, 2007); National Ass'n of

    Mutual Insurance Cos. (May 29, 2007); Sovereign Bank (May 21, 2007);

    Wells Fargo (May 29, 2007); World's Foremost Bank (May 25, 2007);

    Direct Marketing Ass'n (May 29, 2007); Securities Industry and

    Financial Markets Ass'n (May 29, 2007); World Financial Capital Bank

    (May 25, 2007); World Financial Network National Bank (May 29,

    2007).

    \189\ The 10-point minimum font size applies to the contents of

    the ``Other important information'' box. In addition, while the safe

    harbor extends to including this box at the end of the model form,

    it does not extend to the content of the box. Institutions are

    responsible for ensuring that any statements made in this box are

    accurate.

    \190\ See, e.g., comment letters of American Insurance Ass'n

    (May 29, 2007); Great-West Life & Annuity Insurance Co. (May 29,

    2007).

    \191\ See, e.g., comment letters of American Council of Life

    Insurers (May 29, 2007); American Insurance Ass'n (May 29, 2007);

    Huntington National Bank (May 25, 2007).

    \192\ See comment letter of National Automobile Dealers Ass'n

    (May 29, 2007).

    ---------------------------------------------------------------------------

    K. Other Issues

    1. Highlighting Material Changes in Privacy Practices

    We sought comment on whether the model privacy form should

    highlight material changes in the notice. A number of industry

    commenters opposed this suggestion, citing consumer confusion.\193\

    Some stated that the GLB Act requires revised notices when the

    institution's policy has changed.\194\ One advocacy group supported

    adding an extra column to the notice table highlighting specific

    changes made since the previous notice.\195\

    ---------------------------------------------------------------------------

    \193\ See, e.g., comment letters of American Council of Life

    Insurers (May 29, 2007); Consumer Bankers Ass'n (May 29, 2007);

    Citigroup Inc. (May 30, 2007); Mastercard Worldwide (May 29, 2007);

    Securities Industry and Financial Markets Ass'n (May 29, 2007).

    \194\ See comment letters of American Council of Life Insurers

    (May 29, 2007); Citigroup Inc. (May 30, 2007).

    \195\ See, e.g., comment letters of Center for Democracy and

    Technology (May 29, 2007); see also New York State Consumer

    Protection Board (May 29, 2007).

    ---------------------------------------------------------------------------

    After considering these comments, the Agencies determined that the

    simplest way to help consumers identify how recently the notice was

    changed is to include a ``revised [month/year]'' notation in the upper

    right-hand corner of page one of the notice. The revised date, in

    minimum 8-point font, is the date the policy was last revised.\196\ Of

    course, institutions can signal material changes in their policies by,

    for example, use of a cover letter that describes any changes.

    ---------------------------------------------------------------------------

    \196\ Adoption of the model form, with no change in policies or

    practices, would not constitute a revised notice, although

    institutions may elect to consider the format change as a revision,

    at their option. However, inserting the new affiliate marketing

    opt-out in the model form would be a revision of the institution's

    policies and practices.

    ---------------------------------------------------------------------------

    2. Safe Harbor

    A number of industry commenters expressed concern that the safe

    harbor provisions do not fully extend to the GLB Act requirements or do

    not extend to FCRA disclosures.\197\ These commenters seek broader safe

    harbor treatment for the use of the model form, notwithstanding the

    statutory provision that use of the model form will satisfy the notice

    requirements of the GLB Act and the privacy rule.

    ---------------------------------------------------------------------------

    \197\ See, e.g., comment letters of American Bankers Ass'n (May

    25, 2007); California Bankers Ass'n (May 25, 2007); Consumer Bankers

    Ass'n (May 29, 2007).

    ---------------------------------------------------------------------------

    The Agencies agree that the model form satisfies the requirements

    for the content of the notice required by the GLB Act, including

    sections ----.6 and ----.7 of the privacy rule; FCRA section 603(d) as

    described in section ----.6 of the privacy rule; and section ----.23 of

    the affiliate marketing rule. The Agencies note that the safe harbor

    applies to use of the model form, but does not and cannot extend to the

    institution-specific information that is inserted in the model form.

    Proper use of the model form to comply with the privacy rule requires

    that institutions accurately answer the questions about their

    information collection and sharing practices, as well as provide to

    consumers, as applicable, a reasonable means and opportunity to limit

    sharing and honor any opt-out requests submitted.

    3. Online Form Builder

    Commenters generally supported the Agencies' proposal to provide a

    downloadable, fillable version of the model form that institutions

    could use to create their own customized notice.\198\ Many smaller

    institutions were particularly supportive, noting that it simplifies

    adoption and reduces their development costs.

    ---------------------------------------------------------------------------

    \198\ See, e.g., comment letters of American Insurance Ass'n

    (May 29, 2007); Center for Democracy and Technology (May 29, 2007);

    Citrus and Chemical Bank (May 24, 2007); Credit Union National Ass'n

    (May 29, 2007); Independent Community Bankers of America (May 29,

    2007); PayPal (May 29, 2007); Portage National Bank (May 1, 2007);

    Sovereign Bank (May 21, 2007).

    ---------------------------------------------------------------------------

    In response, the Agencies will be providing on each of their

    Websites a link to an Online Form Builder accessible by any institution

    so that the institution can readily create a unique, customized privacy

    notice using the model form template. The Agencies anticipate that a

    temporary Online Form Builder will be available in late 2009

    [[Page 62908]]

    and that a more robust version will be available to institutions in

    late 2010.

    4. Web-Based Design

    Many industry and advocacy group commenters supported development

    of an optional Web-based design, especially as more and more consumers

    are engaging in online activities such as online banking.\199\ Some

    commenters asked the Agencies to test a design for usability. Some

    industry commenters cautioned that the Agencies should leave this task

    to industry as institutions are more knowledgeable and better equipped

    to address such a task.\200\

    ---------------------------------------------------------------------------

    \199\ See, e.g., comment letters of Center for Democracy and

    Technology (May 29, 2007); Investment Company Institute (May 29,

    2007); MasterCard Worldwide (May 29, 2007); National Business

    Coalition on E-Commerce and Privacy (May 30, 2007); PayPal (May 29,

    2007); Target National Bank (May 24, 2007).

    \200\ See, e.g., comment letters of American Bankers Ass'n (May

    25, 2007); American Council of Life Insurers (May 29, 2007); The

    Financial Services Roundtable and BITS (May 29, 2007); Huntington

    National Bank (May 25, 2007); National Retail Federation (May 29,

    2007); Securities Industry and Financial Markets Ass'n (May 29,

    2007); Wachovia Corporation (May 25, 2007).

    ---------------------------------------------------------------------------

    The Board and FTC have agreed to jointly undertake the development

    through consumer research of a Web-based version of the final model

    form. That research work will proceed independent of this rulemaking,

    will be reviewed by all the other Agencies, and will be made publicly

    available for use by all institutions. It is anticipated that the work

    will be completed in late 2009.

    5. Electronic Delivery

    A number of commenters objected to limiting the electronic posting

    of the model form to a PDF format.\201\ Those expressing a view stated

    that providing the form in HTML is more compatible with their systems

    and easier for consumers to download and view. The Agencies agree that

    institutions can provide the notice electronically in either PDF or

    HTML format. Where consumers agree to electronic receipt of the notice,

    institutions can send the notice by email either by attaching the

    notice or providing a link to the notice.

    ---------------------------------------------------------------------------

    \201\ See, e.g., comment letters of Huntington National Bank

    (May 25, 2007); MasterCard Worldwide (May 29, 2007); PayPal (May 29,

    2007); Securities Industry and Financial Markets Ass'n (May 29,

    2007); Wachovia Corporation (May 25, 2007).

    ---------------------------------------------------------------------------

    6. Other Comments

    Some commenters asked if the model form can be adopted for other

    languages.\202\ The Agencies believe that this would be beneficial to

    an institution's non-English speaking customers and note that

    institutions currently provide such notices, consistent with the

    privacy rule.

    ---------------------------------------------------------------------------

    \202\ See, e.g., comment letters of First Bank Americano (May 2,

    2007); First Hawaiian Bank (May 29, 2007); National Retail

    Federation (May 29, 2007).

    ---------------------------------------------------------------------------

    Many industry commenters wanted the flexibility to add other

    information to the form. For example, they asked to include information

    on the benefits of sharing; privacy tips and identity theft

    information; information about fraud prevention; and marketing.\203\

    Some commenters asked that additional information such as seal

    information be included in the model form.\204\

    ---------------------------------------------------------------------------

    \203\ See, e.g., comment letters of American Bankers Ass'n (May

    25, 2007); Bank of America Corporation (May 29, 2007); Comerica Bank

    (May 25, 2007); Consumer Bankers Ass'n (May 29, 2007); Citigroup

    Inc. (May 30, 2007); First Hawaiian Bank (May 29, 2007); California

    Bankers Ass'n (May, 2007); Farmers & Merchants Bank (May 29, 2007);

    Financial Services Roundtable and BITS (May 29, 2007); Huntington

    National Bank (May 25, 2007); KeyCorp (May 25, 2007); Target

    National Bank (May 24, 2007); Wachovia Corporation (May 25, 2007);

    Wells Fargo & Company (May 29, 2007).

    \204\ See comment letters of PayPal (May 29, 2007); TRUSTe (May

    30, 2007).

    ---------------------------------------------------------------------------

    The Agencies considered these suggestions and decided not to permit

    the inclusion of additional information in the final model form. While

    an institution may believe this information is useful or important, we

    believe that the addition of such information to the model form defeats

    the purpose of providing a clear and usable notice about information

    sharing practices and consumer rights. The Agencies do not preclude an

    institution from providing such information in other, supplemental

    materials, if the institution wishes to do so.

    One commenter proposed requiring institutions that use the model

    form to also have a longer notice that complies with the privacy

    rule.\205\ One notice is sufficient if that notice complies with the

    law and the privacy rule.

    ---------------------------------------------------------------------------

    \205\ See comment letter of TRUSTe (May 30, 2007).

    ---------------------------------------------------------------------------

    Commenters also raised a number of other issues that are beyond the

    scope of this rulemaking. These include making the default opt-in

    rather than opt-out; eliminating the annual notice requirement;

    preempting state law requirements; and establishing an opt-out

    repository similar to the FTC's National ``Do Not Call'' Registry.\206\

    ---------------------------------------------------------------------------

    \206\ See, e.g., comment letters of America's Community Bankers

    (May 29, 2007); Bank of Edison (March 21, 2007); Bank of Frankewing

    (May 18, 2007); Central National Bank of Enid (May 24, 2007);

    FamilyFirst Bank (May 8, 2007); Florence Savings Bank (April 30,

    2007); Glenview State Bank (May 2, 2007); Hometown Bank (May 8,

    2007); Portage National Bank (May 1, 2007).

    ---------------------------------------------------------------------------

    IV. The Sample Clauses

    As proposed, the Agencies are eliminating the Sample Clauses

    appended to the privacy rule along with the safe harbor or, for

    SEC-regulated entities, guidance, currently afforded entities.\207\ Many

    industry commenters opposed the proposal.\208\ Some commenters asked

    that we retain certain of the Sample Clauses, such as A-1, A-3, and

    A-7, the use of which does not implicate an opt-out.\209\ Institutions

    expressed concern that elimination of the Sample Clauses and

    corresponding safe harbor would expose them to liability.\210\ A few

    commenters asked the Agencies to improve the current Sample Clauses as

    an interim measure.\211\ Several institutions requested that the

    Agencies at a minimum provide for a transition period that is longer

    than one year, if the Agencies determine to eliminate the Sample

    Clauses.\212\

    ---------------------------------------------------------------------------

    \207\ The Sample Clauses were originally provided in the privacy

    rule to illustrate the level of detail for notices to meet the rule

    requirements and to minimize the compliance burden. See 65 FR 33646,

    33677 (May 24, 2000) (FTC); 65 FR 35162, 35185 (June 1, 2000)

    (banking agencies); 65 FR 40334, 40357 (June 29, 2000) (SEC); 66 FR

    21236, 21238 (Apr. 27, 2001) (CFTC).

    \208\ See, e.g., comment letters of American Bankers Ass'n (May

    25, 2007); American Council of Life Insurers (May 29, 2007);

    American Insurance Ass'n (May 29, 2007); Bank of America Corporation

    (May 29, 2007); Consumer Bankers Ass'n (May 29, 2007); Citigroup

    Inc. (May 30, 2007); Direct Marketing Ass'n (May 29, 2007);

    Investment Adviser Ass'n (May 29, 2007); National Ass'n of Mutual

    Insurance Cos. (May 29, 2007); National Automobile Dealers Ass'n

    (May 29, 2007); National Business Coalition on E-Commerce and

    Privacy (May 30, 2007); T. Rowe Price Associates, Inc. (May 29,

    2007); Visa U.S.A., Inc. (May 29, 2007); Wisconsin Bankers Ass'n

    (May 29, 2007).

    \209\ See, e.g., comment letter of National Automobile Dealers

    Ass'n (May 29, 2007). Sample Clause A-1 describes the categories of

    information that an institution collects. Sample Clause A-3 includes

    the phrase ``as permitted by law'' to describe the sharing that

    institutions are permitted to do under sections ----.14 and ----.15

    without triggering an opt-out. Sample Clause A-7 generally states

    that an institution uses safeguard measures to protect the handling

    of the personal information it obtains.

    \210\ See, e.g., comment letters of Visa U.S.A., Inc. (May 29,

    2007); Citigroup Inc. (May 30, 2007); Huntington National Bank (May

    25, 2009).

    \211\ See, e.g., comment letter of Capital One Financial

    Corporation (May 29, 2007).

    \212\ See, e.g., comment letters of Direct Marketing Ass'n (May

    29, 2007); Investment Adviser Ass'n (May 29, 2007).

    ---------------------------------------------------------------------------

    Notwithstanding these comments, the Agencies are eliminating the

    Sample Clauses and related safe harbor (or guidance) from the privacy

    rule, following a transition period of one year.\213\ The initial

    public and media complaints about the incomprehensibility of the

    privacy notices,\214\ the plain language experts' guidance at the Get

    Noticed Workshop,

    [[Page 62909]]

    and the launch of this Notice Project all examined the problems with

    institutions' privacy notices, including their extensive use of the

    Sample Clauses, and the need to develop a usable consumer notice. These

    same factors led the Agencies to propose eliminating the Sample

    Clauses. One commenter agreed that the research showed the clauses

    ``were found wanting.'' \215\ An association whose members generally

    found the model form to be more consumer-friendly than the Sample

    Clauses asked only that the Agencies provide a sufficient transition

    period before eliminating the Sample Clauses.\216\

    ---------------------------------------------------------------------------

    \213\ The Agencies are also making conforming amendments to

    sections ----.2, ----.6, and ----.7 of the privacy rule and to the

    Appendix with one small change from the Proposed Rule.

    \214\ See, e.g., Public Citizen Petition, supra note 24 at 4-9;

    Press Release of House Committee on Financial Services, supra note

    74.

    \215\ See comment letter of Capital One Financial Corporation

    (May 29, 2007).

    \216\ See comment letter of Independent Community Bankers Ass'n

    (May 29, 2007).

    ---------------------------------------------------------------------------

    In addition, the quantitative testing supports the Agencies'

    proposal to eliminate the Sample Clauses and related safe harbor. The

    Levy-Hastak Report confirms that a notice composed solely of the Sample

    Clauses promotes ease of scanning to perform simple tasks--because the

    notice is short and not because it is understandable--but the Sample

    Clauses do not do well on comprehension measures. Moreover, the testing

    showed that current notices--in which the Sample Clauses are typically

    embedded--do poorly on all measures.

    The Levy-Hastak Report examined the results when study participants

    were asked to choose between two banks based solely on the content of

    the notice and to give reason(s) why they selected a particular bank.

    Participants who saw the Sample Clause Notice were more likely to

    select the higher sharing bank because it offered an opt-out.\217\ When

    these participants were matched with their general attitudinal

    preferences toward sharing, the Levy-Hastak Report found that they

    generally favored less sharing.\218\ According to the Levy-Hastak

    Report, the data suggested that study participants who gave as the

    reason for their choice the availability of opt-outs ``may have

    mistakenly believed that this would lead them to choosing a lower

    sharing bank.'' \219\ In other words, participants who saw the Sample

    Clause Notice and selected the higher sharing bank because it offered

    opt-outs did not understand that a bank offering no opt-out did so

    because it shared less. This finding confirmed reports by small

    institutions.\220\

    ---------------------------------------------------------------------------

    \217\ The Levy-Hastak Report also found that study participants

    who saw the Current Notice were significantly more likely to give

    reasons not based on any information in the notice, for example,

    that Bank X offered a lower interest rate. These same participants

    were also less likely than those who saw the other notices to give

    cogent reasons for choosing the lower sharing bank. Levy-Hastak

    Report at 9.

    \218\ Id. at 15.

    \219\ Id. at 10.

    \220\ See supra note 133 and related text.

    ---------------------------------------------------------------------------

    Further, the NAIC Study,\221\ conducted in March 2005, examined

    several different insurance disclosure forms with participants in three

    focus groups. One was a generic form based on the sample clauses

    adopted in the NAIC Model Privacy Rule and similar in content to the

    Sample Clause Notice used in the Agencies' quantitative testing. The

    NAIC Study highlighted a key finding that is consistent with the

    Agencies' research findings. Among the study participants, there was

    general misunderstanding of and concern about the language in the form,

    in particular the phrase ``as permitted by law'' found in Sample Clause

    A-3. Participants in all three focus groups asked: (1) What does this

    phrase mean?; (2) what is the law and what does it permit?; and (3)

    what if the law changes? Participants who viewed this form did not know

    what to do with it and wanted some way to contact the company to get

    answers to their questions.

    ---------------------------------------------------------------------------

    \221\ See NAIC Study, supra note 141.

    ---------------------------------------------------------------------------

    Also, in the development of the model form, Kleimann found that

    consumers did not understand the language in Sample Clause A-7

    regarding the safeguarding of personal information. Through consumer

    testing, the description was revised to improve consumer comprehension.

    Finally, while many smaller institutions are most likely to engage

    in limited sharing and so would rely on the three Sample Clauses, A-1,

    A-3, and A-7, many of these institutions support the model form. They

    have stated that such a form would make it easier for them to

    demonstrate that they are less likely to share personal information,

    and it would allow for easier comparison of their sharing practices

    with those of other institutions.\222\ One large association commented

    that an informal survey of its community bank members found that ``many

    are likely to use the model forms'' and that ``[m]ost found the new

    forms more consumer-friendly than the existing sample clauses.'' \223\

    ---------------------------------------------------------------------------

    \222\ See, e.g., comment letters of Florence Savings Bank (April

    30, 2007); Community Bankers of America (May 29, 2007), Iowa State

    Bank and Trust Co. (May 22, 2007), Credit Union National Ass'n (May

    29, 2007); see also supra note 133 and related text.

    \223\ See comment letter of Independent Community Bankers of

    America (May 29, 2007).

    ---------------------------------------------------------------------------

    To ease the compliance burden for those institutions that currently

    have privacy notices based on the Sample Clauses, the Agencies are

    implementing a transition period that begins thirty (30) days after the

    date of publication and ends on December 31, 2010. Financial

    institutions will not be able to rely on the safe harbor by using the

    Sample Clauses in notices delivered or posted on or after January 1,

    2011.\224\ Privacy notices using the Sample Clauses that are delivered

    to consumers (either in paper form or by electronic delivery such as

    e-mail) or, alternatively, are posted electronically to meet the annual

    notice requirement of section --.9(c) during the transition period,

    will have a safe harbor for one year after delivery or posting. Privacy

    notices using the Sample Clauses that are delivered or posted

    electronically after the transition period will not be eligible for a

    safe harbor. Since institutions are required to send notices annually

    to their customers, they may continue to rely on the safe harbor for

    annual notices that are delivered to consumers (either in paper form or

    by electronic delivery such as e-mail) within the transition period

    until the next annual privacy notice is due one year later.\225\ The

    Sample Clauses will be removed from codification one year after the

    transition period ends. The SEC, whose privacy rule provides only

    guidance and not a safe harbor for financial institutions that use the

    Sample Clauses, will also remove the Sample Clauses from codification

    one year after the transition period ends.\226\

    ---------------------------------------------------------------------------

    \224\ Institutions relying on the Sample Clauses appended to the

    SEC's privacy rule will not be able to rely on them for guidance in

    notices delivered or posted on or after January 1, 2011.

    \225\ For example, if an institution provides a notice using the

    Sample Clauses on or before December 31, 2010, it could continue to

    rely on the safe harbor for one additional year until its next

    annual notice is due. If an institution provides a notice using the

    Sample Clauses on or after January 1, 2011, however, it could not

    rely on the safe harbor. Privacy notices using the Sample Clauses

    posted on an institution's Web site to meet the annual notice

    requirements of section --.9(c) of the privacy rule would no longer

    be able to rely on the safe harbor beginning on January 1, 2011.

    \226\ See SEC privacy rule, section 248.2(a). The facts and

    circumstances of each individual situation determine whether use of

    the Sample Clauses constitutes compliance with the SEC's privacy

    rule.

    ---------------------------------------------------------------------------

    While the final model form would provide a legal safe harbor,

    institutions could continue to use other types of notices that vary

    from the model form, including notices that use the Sample Clauses, so

    long as these notices comply with the privacy rule.

    The Agencies are also amending section --.6(b) of the privacy rule.

    The FTC is deleting the second sentence of section 313.6(b) and

    substituting the following new sentence, based on the model form

    research: ``When describing the categories with respect to those

    [[Page 62910]]

    parties, it is sufficient to state that you make disclosures to other

    nonaffiliated companies for your everyday business purposes, such as to

    process transactions, maintain account(s), respond to court orders and

    legal investigations, and report to credit bureaus.'' The remaining

    Agencies (Board, CFTC, FDIC, NCUA, OCC, OTS, and SEC) are revising the

    second sentence of section --.6(b) to read as follows, based in part on

    the model form research: ``When describing the categories with respect

    to those parties, it is sufficient to state that you make disclosures

    to other nonaffiliated companies: (1) For your everyday business

    purposes, such as [include all that apply] to process transactions,

    maintain account(s), respond to court orders and legal investigations,

    or report to credit bureaus; or (2) As permitted by law.'' \227\

    ---------------------------------------------------------------------------

    \227\ Institutions using option (1) in this revised sentence to

    section --.6(b) are required to include all applicable examples. See

    12 CFR 40.6(b) (OCC); 12 CFR 216.6(b) (Board); 12 CFR 322.6(b)

    (FDIC); 12 CFR 573.6(b) (OTS); 12 CFR 716.6(b) (NCUA); 17 CFR

    160.6(b) (CFTC); 17 CFR 248.6(b) (SEC).

    ---------------------------------------------------------------------------

    V. Effective Date

    The Agencies proposed that most of the provisions of the final rule

    would take effect on the date of publication.\228\ That approach would

    have allowed institutions that chose to use the model privacy form to

    receive the safe harbor for doing so immediately upon its publication.

    The Agencies received no comments on providing an immediate effective

    date for this portion of the rule. The only comments the Agencies

    received concerning the effective date of the rule pertained to removal

    of the Sample Clauses and related Appendix, as discussed in section IV.

    ---------------------------------------------------------------------------

    \228\ Proposed Rule, supra note 4, at section IV.

    ---------------------------------------------------------------------------

    The final rule makes most of the provisions effective 30 days after

    publication. This approach allows institutions to receive, with only a

    minimal delay, a safe harbor for using the model privacy form and the

    additional, alternative language that may be used to comply with

    section --.6(b) of the privacy rule. The Agencies believe that few, if

    any, institutions would choose to implement those changes in fewer than

    30 days. The 30-day delay will give institutions and the Agencies time

    to implement the changes properly.

    VI. Final Regulatory Flexibility Analysis

    The Regulatory Flexibility Act (``RFA'') \229\ requires the

    Agencies to provide an Initial Regulatory Flexibility Analysis

    (``IRFA'') with a proposed rule and a Final Regulatory Flexibility

    Analysis (``FRFA'') with a final rule, unless the agency certifies that

    the rule will not have a significant economic impact on a substantial

    number of small entities. See 5 U.S.C. 603-605. An IRFA was published

    by the Agencies in their March 20, 2007, Proposed Rule regarding

    amendments to the rules implementing the privacy provisions of the GLB

    Act. The Agencies have prepared the following FRFA in accordance with 5

    U.S.C. 604.

    ---------------------------------------------------------------------------

    \229\ 5 U.S.C. 601-612.

    ---------------------------------------------------------------------------

    A. Need For and Objectives of Rule Amendments

    The goal of the rule amendments is to satisfy the requirements of

    section 728 of the Regulatory Relief Act, which requires that the

    Agencies develop a model form that is comprehensible, clear and

    conspicuous, and succinct. The Act also requires that the model form

    enable consumers to easily identify a financial institution's sharing

    practices and compare those practices with others. The model form that

    the Agencies are adopting today will, if properly used, serve as a safe

    harbor for satisfying the privacy rules' requirements regarding content

    of privacy notices.

    As indicated in section I of the preamble to this final rule, the

    amendments to Appendix A of the Agencies' privacy rules are adopted

    pursuant to the authority set forth in Sec. 503 (as amended by section

    728 of the Regulatory Relief Act) and Sec. 504 of the GLB Act.\230\

    ---------------------------------------------------------------------------

    \230\ The SEC is also adopting the amendments under section 23

    of the Securities Exchange Act of 1934 [15 U.S.C. 78w], section

    38(a) of the Investment Company Act of 1940 [15 U.S.C. 80a-37(a)],

    and section 211(a) of the Investment Advisers Act of 1940 [15 U.S.C.

    80b-11(a)].

    The CFTC also is adopting the amendments under Section 504 of

    the GLB Act [15 U.S.C. 6804], and Sections 5g and 8a(5) of the

    Commodity Exchange Act [7 U.S.C. 7b-2, 12a(5)].

    ---------------------------------------------------------------------------

    B. Significant Issues Raised by Public Comment

    The Agencies requested comments on the IRFA. We specifically

    requested comments on the number of small entities that would be

    affected by the rules' amendments, the existence or nature of the

    impact of the amendments on small entities, how to quantify the impact

    of the amendments, and possible alternatives to the amendments.

    Commenters were also asked whether a downloadable version of the model

    form would be useful for financial institutions, particularly small

    entities that would like to take advantage of the proposed safe harbor.

    Only one commenter directly addressed the IRFA.\231\ That commenter

    disagreed with the Agencies' analysis that some financial institutions

    that may wish to transition to the proposed model form might incur some

    small incremental costs in making the transition, but did not provide

    any explanation of why the analysis is incorrect or estimates regarding

    logistical costs that the commenter asserted would be significant.

    Several associations whose members include small entities, however,

    expressed support for the objectives of the proposed model notice.\232\

    In addition, one association (many of whose members are small entities)

    found that many of its members that participated in an informal survey

    are likely to use the model forms and most found the forms more

    consumer-friendly than the Sample Clauses.\233\ Some commenters

    suggested that the model form is oriented to large, multi-affiliate

    financial institutions and does not accommodate smaller

    institutions.\234\ These commenters stated that the information

    collection policies described in the model form accurately reflect the

    practices of certain large financial institutions but are misleading to

    the extent they are beyond the scope of smaller financial institutions

    that do not offer banking-related products and services. In response to

    these and similar comments, the Agencies have revised the model form to

    allow financial institutions to select from a menu of specific

    disclosures to customize the descriptions of their information

    collection policies.\235\

    ---------------------------------------------------------------------------

    \231\ Comment letter of National Business Coalition on

    E-Commerce and Privacy (May 30, 2007).

    \232\ See, e.g., joint comment letter of American Bankers Ass'n,

    America's Community Bankers, Consumer Bankers Ass'n, and The

    Financial Services Roundtable (May 29, 2007).

    \233\ See comment letter of Independent Community Bankers of

    America (May 29, 2007).

    \234\ See, e.g., comment letters of Financial Services Institute

    (May 29, 2007); Financial Planning Ass'n (May 30, 2007).

    \235\ See supra sections III.I.2 and III.J.1; see also infra,

    Instructions C.2(b) and C.3(a)(3) and (4) to the Model Privacy Form.

    ---------------------------------------------------------------------------

    Several commenters also requested that the Agencies retain the safe

    harbor regarding the Sample Clauses, noting that many small entities'

    privacy notices currently incorporate the Sample Clauses. One commenter

    explained that it would be burdensome and unnecessary for small

    entities to change their privacy notices, especially small entities

    that do not share personal information other than to service their

    clients' accounts.\236\ Another

    [[Page 62911]]

    commenter argued that elimination of the safe harbor for the Sample

    Clauses would transform the model form from an optional elective to a

    burdensome regulatory requirement, particularly for small

    entities.\237\ We note, however, that the research found that there was

    general misunderstanding of and concern among consumers about language

    in the notice based on the Sample Clauses.\238\ Nevertheless, partly in

    response to these comments, the Agencies are allowing financial

    institutions one year in which they can continue to rely on the Sample

    Clauses for safe harbor or guidance when providing notices. In

    addition, as noted above, while the Agencies are eliminating the Sample

    Clauses and related safe harbor (or, for the SEC, guidance),

    institutions may continue to use notices containing these clauses, so

    long as these notices comply with the privacy rule.

    ---------------------------------------------------------------------------

    \236\ See, e.g., comment letter of Investment Adviser Ass'n (May

    29, 2007).

    \237\ See, e.g., comment letter of National Automobile Dealers

    Ass'n (May 29, 2007).

    \238\ See supra section IV and discussion at notes 217-219 and

    related text. See also Public Citizen Petition, supra note 24, at 9

    (``The paragraph employs ambiguous phrases such as `other

    information' (what other information?), `unless otherwise permitted

    by law' (in actuality, the law almost always permits disclosure)

    * * *'').

    ---------------------------------------------------------------------------

    Finally, we received a limited number of comments indicating that a

    downloadable fillable model form may be helpful, especially to small

    entities.\239\ In response to these comments, the Agencies will make

    available an Online Form Builder. We expect the availability of this

    form will, in part, minimize the burden on small businesses of

    developing, using, and customizing the model form for their individual

    needs.

    ---------------------------------------------------------------------------

    \239\ See, e.g., comment letters of Financial Planning Ass'n

    (May 30, 2007); Center for Democracy and Technology (May 29, 2007).

    ---------------------------------------------------------------------------

    C. Small Entities Subject to the Rules

    The amendments to Appendix A and conforming amendments to sections

    ----.2, ----.6, and ----.7 of the Agencies' privacy rules may

    potentially affect financial institutions, including financial

    institutions that are small businesses or small organizations, that

    choose to rely on the model privacy form as a safe harbor.

    1. OCC. The OCC estimates that 690 insured national banks,

    uninsured national banks and trust companies, and foreign branches and

    agencies are small entities for purposes of the RFA.

    2. Board. The Board estimates that 432 state member banks are small

    entities for purposes of the RFA.

    3. FDIC. The FDIC estimates that 3115 state nonmember banks are

    small entities for purposes of the RFA.

    4. OTS. The OTS estimates that 377 small savings associations are

    small entities for purposes of the RFA.

    5. NCUA. The RFA requires NCUA to prepare an analysis to describe

    any significant economic impact a regulation may have on a substantial

    number of small credit unions (primarily those under $10 million in

    assets). The NCUA estimates that 3,168 federally-insured,

    state-chartered credit unions are small entities for purposes of the RFA.

    6. FTC. Determining a precise estimate of the number of small

    entities that are financial institutions within the meaning of the rule

    is not readily feasible. The GLB Act does not identify for purposes of

    the Commission's jurisdiction any specific category of financial

    institution. In the absence of such information, there is no way to

    estimate precisely the number of affected entities that share nonpublic

    personal information with nonaffiliated third parties or that establish

    customer relationships with consumers and therefore assume greater

    disclosure obligations.

    7. CFTC. Section 5g of the CEA, 7 U.S.C. 7b-2, provides that any

    futures commission merchant, commodity trading advisor, commodity pool

    operator, or introducing broker that is subject to the jurisdiction of

    the CFTC with respect to any financial activity, shall be treated as a

    financial institution for purposes of Title V of the GLB Act,

    regardless of size and including commodity trading advisors and

    commodity pool operators that are exempt from the CEA's registration

    requirements. The CFTC has previously established certain definitions

    of ``small entities'' and determined that futures commission merchants

    and commodity pool operators are not small for purposes of the

    Regulatory Flexibility Act. Policy Statement and Establishment of

    Definitions of ``Small Entities,'' 47 FR 18,618 (Apr. 30, 1982). This

    rule applies to commodity trading advisors and introducing brokers of

    all sizes. Because use of the model privacy form is voluntary, and

    because its use is a form of substituted compliance with Part 160 and

    not a new mandatory burden, CFTC believes that the rule will not have a

    significant economic impact on a substantial number of small entities.

    8. SEC. The SEC estimates that 915 broker-dealers, 212 investment

    companies registered with the Commission, and 781 investment advisers

    registered with the Commission are small entities for purposes of the

    RFA.\240\

    ---------------------------------------------------------------------------

    \240\ For purposes of the RFA, under the Securities Exchange Act

    of 1934 a small entity is a broker or dealer that (i) had total

    capital of less than $500,000 on the date in its prior fiscal year

    as of which its audited financial statements were prepared or, if

    not required to file audited financial statements, on the last

    business day of its prior fiscal year, and (ii) is not affiliated

    with any person that is not a small business or small organization.

    17 CFR 240.0-10(c). Under the Investment Company Act of 1940, a

    ``small entity'' is an investment company that, together with other

    investment companies in the same group of related investment

    companies, has net assets of $50 million or less as of the end of

    its most recent fiscal year. 17 CFR 270.0-10(a). Under the

    Investment Advisers Act of 1940, a small entity is an investment

    adviser that (i) manages less than $25 million in assets, (ii) has

    total assets of less than $5 million on the last day of its most

    recent fiscal year, and (iii) does not control, is not controlled

    by, and is not under common control with another investment adviser

    that manages $25 million or more in assets, or any person that had

    total assets of $5 million or more on the last day of the most

    recent fiscal year. 17 CFR 275.0-7(a).

    ---------------------------------------------------------------------------

    Because use of the model privacy form will be entirely voluntary,

    the Agencies cannot estimate how many small financial institutions will

    use it. The Agencies expect, however, that small financial

    institutions, particularly those that do not have permanent staff

    available to address compliance matters associated with the privacy

    rules, will be relatively more likely to rely on the model privacy form

    than larger institutions. We believe that most financial institutions

    currently have legal counsel review their privacy notices for

    compliance with the GLB Act, the FCRA, and the privacy rules. We

    anticipate that a financial institution that uses the model form for

    its privacy notice will need little review by legal counsel because the

    rules do not permit institutions to vary the form if they wish to

    obtain the benefit of a safe harbor, except as necessary within narrow

    parameters to identify their information collection, sharing, and

    opt-out policies. Finally, the Agencies are providing an Online Form

    Builder that will enable institutions to directly create a customized

    model form and thus will facilitate compliance.

    D. Reporting, Recordkeeping, and Other Compliance Requirements

    The amendments to the privacy rules do not impose any additional

    recordkeeping, reporting, disclosure, or compliance requirements.

    Financial institutions, including small entities, have been required to

    provide notice to consumers about the institution's privacy policies

    and practices since July 1, 2001 (or March 31, 2002, in the case of the

    CFTC). The amendments adopted today will not affect these requirements

    and financial institutions will be under no obligation to modify their

    current

    [[Page 62912]]

    privacy notices as a result of the amendments. Instead, the amendments

    provide a specific model privacy form that a financial institution may

    use to comply with notice requirements under the GLB Act, the FCRA (as

    amended by the FACT Act), and the privacy rules.

    Nonetheless, some of the financial institutions that rely on the

    Sample Clauses in the current privacy rules' appendixes may wish to

    transition to the model form and may incur some additional costs in

    making this transition.\241\ The Agencies expect, however, that the

    availability of a standardized model form will minimize these costs

    because the form's standardized formatting and language will make it

    easier for institutions to prepare and revise their privacy notices.

    ---------------------------------------------------------------------------

    \241\ To the extent that institutions review their privacy

    policies annually for compliance, we estimate that the costs

    associated with this annual review, including professional costs,

    will be approximately the same as the costs to complete the model

    form.

    ---------------------------------------------------------------------------

    E. Action by the Agencies To Minimize Effects on Small Entities

    The RFA directs the Agencies to consider significant alternatives

    that would accomplish the stated objectives, while minimizing any

    significant adverse impact on small entities. In connection with the

    amendments, we considered the following alternatives:

    1. Different reporting or compliance standards. As noted above, the

    Regulatory Relief Act requires the Agencies to develop ``a'' model form

    that, among other things, will facilitate comparison of the information

    sharing practices of different financial institutions. In light of

    these statutory requirements, the Agencies are adopting only one model

    form, which includes alternative language in some places that allows a

    financial institution to describe its particular information collection

    and sharing practices. The specific model form that the Agencies are

    adopting today was developed as part of a careful and thorough consumer

    testing process designed to produce a clear, comprehensible, and

    comparable notice. The model form emerged as the most effective of

    several notice formats considered as part of this testing.

    2. Clarification, consolidation, or simplification of reporting and

    compliance requirements. The Agencies believe that the model form will

    simplify the reporting requirements for all entities, including small

    entities, that choose to use the model form. We anticipate that

    financial institutions that choose to use the model form will spend

    less time preparing notices than if they had to draft one on their own.

    Because the model form was developed as part of a consumer testing

    process, further clarifying, consolidating, or simplifying the model

    notice would compromise the research findings.

    3. Performance rather than design standards. Section 728 of the

    Regulatory Relief Act specifically requires that the Agencies develop a

    model form. The model form is an alternative means of providing a

    privacy notice that institutions may choose to use. The privacy rules

    do not mandate the format of privacy notices; thus, neither the privacy

    rules nor the amendments impose a design standard.

    4. Exempting small entities. We believe that an exemption for small

    entities would not be appropriate or desirable. The Agencies note that

    the model form is available for use at the discretion of all financial

    institutions, including small institutions. Moreover, two key

    objectives of the model form are that (1) consumers can understand an

    institution's information sharing practices and (2) they may more

    easily compare financial institutions' sharing practices and policies

    across privacy notices. An exemption for small entities would directly

    conflict with both of these key objectives, particularly that of

    enabling comparison across notices.

    VII. Paperwork Reduction Act

    The final privacy rules governing the privacy of consumer financial

    information contain disclosures that are considered collections of

    information under the Paperwork Reduction Act (PRA).\242\ Before the

    Agencies issued their privacy rules, they obtained approval from OMB

    for the collections. OMB control numbers for the collections appear

    below. The amendments adopted today do not introduce any new

    collections of information into the Agencies' privacy rules, nor do

    they amend the rules in a way that substantively modifies the

    collections of information that OMB has approved. Therefore, no PRA

    submissions to OMB are required.

    ---------------------------------------------------------------------------

    \242\ 44 U.S.C. 3501-3520.

    ---------------------------------------------------------------------------

    OCC: Control number 1557-0216.

    Board: Control number 7100-0294.

    FDIC: Control number 3064-0136.

    OTS: Control number 1550-0103.

    NCUA: Control number 3133-0163.

    FTC: Control number 3084-0121.

    SEC: Control number 3235-0537.

    CFTC: Control number 3038-0055.

    VIII. OCC and OTS Executive Order 12866 Determination

    The OCC and OTS have determined that their respective portions of

    the final rule are not a significant regulatory action under Executive

    Order 12866. We have concluded that the changes made by this rule will

    not have an annual effect on the economy of $100 million or more, and

    do not meet any of the other standards for a significant action set

    forth in E.O. 12866.

    IX. OCC and OTS Executive Order 13132 Determination

    The OCC and OTS have determined that their respective portions of

    the final rule do not have any federalism implications, as required by

    Executive Order 13132.

    X. OCC and OTS Unfunded Mandates Reform Act of 1995 Determination

    Section 202 of the Unfunded Mandates Reform Act of 1995, Public Law

    104-4 (UMRA), requires that an agency prepare a budgetary impact

    statement before promulgating a rule that includes a Federal mandate

    that may result in the expenditure by State, local, and tribal

    governments, in the aggregate, or by the private sector of $100 million

    or more (adjusted annually for inflation) in any one year. The

    inflation adjusted threshold is $133 million or more. If a budgetary

    impact statement is required, section 205 of the UMRA also requires an

    agency to identify and consider a reasonable number of regulatory

    alternatives before promulgating a rule. The OCC and OTS have each

    determined that their respective portions of the final rule will not

    result in expenditures by State, local, and tribal governments, in the

    aggregate, or by the private sector, of $133 million or more in any one

    year. Accordingly, the final rule is not subject to section 202 of the

    UMRA.

    XI. SEC Cost-Benefit Analysis

    The SEC is sensitive to the costs and benefits imposed by its

    rules. As discussed above, the amendments the Agencies are adopting

    today will replace the Sample Clauses included as guidance in

    Regulation S-P's Appendix A (17 CFR part 248, appendix A) with a model

    privacy form that financial institutions can choose to provide to

    consumers. The amendments are designed to implement section 728 of the

    Regulatory Relief Act. This Act directs the Agencies to ``jointly

    develop a model form which may be used, at the option of the financial

    institution, for the provision of disclosures under [section 503 of the

    GLB Act].''

    The SEC identified certain costs and benefits arising from these

    amendments and requested comments on all aspects of the associated

    cost-benefit analysis, including identification and assessment of any

    costs and benefits not discussed

    [[Page 62913]]

    in the analysis. The SEC also sought comments on the accuracy of its

    cost and benefit estimates and requested commenters to identify,

    discuss, analyze, and supply relevant data that would allow the SEC to

    improve its estimates. Finally, the SEC requested comments regarding

    the potential impact of the proposals on the U.S. economy on an annual

    basis.

    A. Benefits

    The goal of the rules is to satisfy the requirements of section 728

    of the Regulatory Relief Act, which requires that the Agencies develop

    a model form that is comprehensible, clear and conspicuous, and

    succinct. The Act also requires that the model form enable consumers

    easily to identify a financial institution's sharing practices and

    compare those practices with others. The model form that the Agencies

    are adopting today will, if properly used, serve as a safe harbor for

    satisfying the privacy rule's requirements regarding the content of

    privacy notices.

    The SEC requested comments on all aspects of the benefits of the

    amendments as proposed. The SEC requested specific comments on

    available metrics to quantify these benefits and any other benefits

    commenters could identify, and requested commenters to identify sources

    of empirical data that could be used for such metrics. The SEC did not

    receive any comments in response to these requests.

    Use of the model form is voluntary, so a financial institution can

    determine for itself its costs and benefits in deciding whether using

    the model form would be suitable for its business and customers.

    However, new financial institutions will likely benefit from using the

    model privacy form because of the savings in time and resources that

    would otherwise be spent developing their own notices.

    The SEC also anticipates that financial institutions regulated by

    the SEC may benefit from the model privacy form's standardized

    formatting and language. The SEC believes that institutions currently

    review their Regulation S-P privacy policies annually. To the extent

    that these institutions are required to change their policies to

    reflect changes in their privacy practices, they may find it easier to

    use the model privacy form rather than revise their existing notices.

    Similarly, the SEC expects that revisions to an institution's

    privacy policies will be easier to record in the model form's

    standardized format. The SEC also anticipates that a financial

    institution that chooses to use the model notice will need little, if

    any, ongoing review by legal counsel because an institution cannot vary

    the form except within stated parameters as necessary to identify

    certain specific information collection, sharing, and opt-out policies.

    Before today's amendments, Appendix A of Regulation S-P contained

    Sample Clauses that the SEC interpreted as providing guidance, as

    opposed to a legal safe harbor. Institutions will therefore benefit

    from the certainty that proper use of the model notice entitles them to

    a safe harbor for disclosures required under the GLB Act and FCRA.\243\

    ---------------------------------------------------------------------------

    \243\ A number of commenters expressed concern that the safe

    harbor provisions might not fully extend to all GLB Act requirements

    or FCRA disclosures. See, e.g., comment letter of Citigroup Inc.

    (May 30, 2007). Several commenters further suggested the safe harbor

    should encompass state and private enforcement. See, e.g., comment

    letters of Consumer Bankers Ass'n (May 29, 2007); Financial Services

    Institute (May 29, 2007). In response to these comments, the

    Agencies have clarified the scope of the safe harbor. See supra

    section III.K.2.

    ---------------------------------------------------------------------------

    Consumers should also benefit from the model form through increased

    comprehension of and enhanced comparability among privacy policies. The

    model form was developed in an extensive consumer research testing

    process that sought to maximize consumers' ability to comprehend, use,

    and compare privacy notices. The model form emerged as the most

    effective of several notice formats considered as part of this testing.

    The SEC therefore anticipates that if financial institutions make

    widespread use of the model form, consumers' comprehension and their

    ability to use and compare privacy policies will be enhanced.

    Institutions also might benefit from consumers' enhanced ability to

    understand and use the notices to the extent that consumers have more

    trust and confidence in an institution's privacy policies because the

    consumers understand those policies.

    B. Costs

    Since the model form is optional, the SEC cannot estimate the

    number of institutions that will adopt it. Accordingly, we cannot

    estimate total overall costs to use the model form by broker-dealers,

    investment advisers registered with the SEC, and investment companies

    that may use the model form. However, in the Proposed Rule, the SEC

    provided estimates of certain types of costs that could result from the

    proposed amendments.

    The SEC also sought comments on its cost estimates and the

    assumptions behind the estimates, as well as whether any of those costs

    would differ if the form were downloadable from a Web site. The

    majority of the comments we received predicted significant cost

    increases in preparation, distribution, and processing of privacy

    notices. Many commenters noted that the prohibition on double-sided

    printing and requirement of a separate third page for mail-in opt-outs,

    if any, would greatly increase printing costs and would result in

    significant environmental waste due to increased paper usage.\244\

    Numerous commenters also raised concerns that the 8\1/2\ x 11-inch

    paper size requirement, coupled with the prohibition on incorporation

    of the model notice into other documents, essentially mandated a

    separate mailing for the model notice.\245\ Commenters concluded that

    separate mailing of privacy notices would result in significant postage

    costs and increase the likelihood that consumers would misplace or fail

    to read the notice because it no longer accompanied important

    documents.\246\ Several commenters suggested that these costs could

    result in lowered adoption rates for the model form.\247\ Based on

    these comments, the Agencies have revised the amendments to allow for

    double-sided printing and incorporation of the mail-in opt-out on the

    bottom of the first page, waiver of a mandatory 8\1/2\ x 11-inch paper

    size, and incorporation of the model notice into other documents. We

    believe these accommodations will result in greatly reducing the

    implementation costs commenters associated with adopting the model

    form.

    ---------------------------------------------------------------------------

    \244\ See, e.g., comment letters of Investment Adviser Ass'n

    (May 29, 2007) (estimating additional printing and mailing costs for

    larger investment advisory firms of $100,000 to more than $300,000

    per mailing); Securities Industry and Financial Markets Ass'n (May

    29, 2007) (estimating additional printing costs of $7.5 million per

    billion notices).

    \245\ See, e.g., comment letters of Investment Adviser Ass'n

    (May 29, 2007); Citigroup Inc. (May 30, 2007).

    \246\ See, e.g., comment letters of Financial Services

    Roundtable and BITS (May 29, 2007) (estimating cost to financial

    services industry of printing and mailing model form of

    approximately $400 million per billion notices); Citigroup Inc. (May

    30, 2007) (consumers ``are more likely to open and read mail that

    contains an `important' communication such as a billing statement

    than an unidentified standalone communication'').

    \247\ See, e.g., comment letter of Capital One Financial

    Corporation (May 29, 2007).

    ---------------------------------------------------------------------------

    We do not expect that financial institutions will incur additional

    disclosure costs in using the model privacy form because the notice

    requirements of Regulation S-P have been effective since July 1, 2001,

    and are not altered by the amendments. Moreover, financial institutions

    will be

    [[Page 62914]]

    under no obligation to adopt the model form or modify their current

    privacy notices. Presumably, financial institutions will not adopt the

    model form without first determining that associated costs are

    justified by the benefits.

    We anticipate that financial institutions that elect to use the

    model privacy form could incur some small, incremental developmental

    costs in making the transition from their current notices to the model

    form. These costs could include staff time to review the model form and

    its instructions and complete the model form. We expect these will be

    minimal because the language and format in the form are standardized

    and financial institutions can only customize very limited sections of

    the model privacy form. Institution-specific information is limited to

    contact information, selection from a menu of terms relating to

    information collection, ``yes'' or ``no'' answers and brief

    descriptions, as necessary, of the types of entities with which the

    institution shares personal information. Furthermore, the model form

    can be downloaded from a Web site so preparation costs should be

    minimal.

    Similarly, we believe that a financial institution that adopts the

    model privacy form would need little, if any, initial or annual review

    by legal counsel because almost all the disclosures in the form are

    already mandated under the current disclosure regime. One commenter

    disagreed and suggested that legal counsel at each financial

    institution will spend at least 50 hours initially and annually

    ensuring that the model form accurately reflects the institution's

    privacy practices.\248\ These estimates seem high because institutions

    already know their information collection and sharing practices and

    there is very little discretion the institution has in choosing from

    among a menu of terms to disclose that information on the model form.

    Even if those estimates are accurate, however, we believe that those

    legal costs would likely have been incurred with respect to any model

    form unless it conformed exactly to the institution's current form.

    ---------------------------------------------------------------------------

    \248\ See comment letter of Securities Industry and Financial

    Markets Ass'n (May 29, 2007).

    ---------------------------------------------------------------------------

    Transition costs may also include administrative, logistical, and

    training costs. For example, several commenters highlighted one-time

    costs stemming from rewriting notices, republishing brochures or

    notices, and revising or reprinting documents that incorporate current

    notices.\249\ We anticipate these costs will be minimal, if any, in

    part because the Agencies are allowing financial institutions a

    transition period of one year during which they can continue to rely on

    the Sample Clauses for safe harbor or guidance. Although an institution

    may choose to replace a current privacy notice with a model privacy

    notice, this should not require substantial rewriting because there are

    few drafting choices in the model form. In addition, the SEC believes

    it is unlikely that many financial institutions have stockpiles of more

    than one year's worth of privacy notices or documents that incorporate

    privacy notices on hand for distribution. Several commenters also

    raised concerns regarding increased customer service demands and the

    necessity for financial institutions to proactively take steps to

    address customer confusion. For example, one commenter noted that

    financial institutions would face one-time costs associated with

    revising or preparing explanatory material for training employees

    regarding the model form, such as scripts and responses for call

    centers.\250\ Since the amendments do not affect Regulation S-P's

    substantive requirements, we anticipate that any substantive questions

    about the institutions' privacy practices should already be addressed

    by existing explanatory materials. We anticipate any new explanatory

    material will be limited to questions regarding the revised format of

    the model form, which due to its standardized nature should be

    relatively simple to address.

    ---------------------------------------------------------------------------

    \249\ See comment letter of T. Rowe Price Associates, Inc. (May

    29, 2007).

    \250\ See comment letter of Investment Adviser Ass'n (May 29,

    2007).

    ---------------------------------------------------------------------------

    Insofar as the Sample Clauses in current Regulation S-P may have

    some value to some financial institutions, their phase-out under the

    amendments to the rules may create some costs to those institutions.

    However, we expect those costs to be minimal. As discussed above, the

    Agencies are giving financial institutions a transition period of one

    year during which they can continue to rely on the Sample Clauses for

    guidance or a safe harbor, which should allow time to minimize the

    transition costs for any institutions that adopt the model privacy

    form. Moreover, as noted above, elimination of the Sample Clauses as

    guidance does not mean that institutions that continue to use these

    clauses are in violation of the SEC's privacy rule. Institutions may

    continue to use notices containing these clauses so long as these

    notices comply with the privacy rule.

    Lastly, customers may experience certain costs associated with

    adoption of the model form. Several commenters suggested that the model

    form sacrifices greater consumer understanding about information

    sharing practices in exchange for a simplified notice format.\251\

    Another commenter speculated that adoption of the model form would

    result in customer confusion and potential loss of customer trust due

    to the misimpression that financial institutions are changing their

    privacy policies.\252\ One commenter concluded that consumer confusion

    resulting from overly simplified disclosures would lead to unacceptably

    high opt-out rates and discourage use of the model form by financial

    institutions.\253\ As discussed above, the model form was developed in

    an extensive consumer research testing process that sought to maximize

    consumers' ability to comprehend, use, and compare privacy notices. The

    model form emerged as the most effective of several notice formats

    considered as part of this testing. Consequently, the SEC believes that

    any customer confusion that results from adoption of the model form

    will be minimal. Furthermore, we expect that any such confusion will be

    rapidly dissipated if financial institutions make widespread use of the

    model privacy form and consumers become more familiar with its

    contents.

    ---------------------------------------------------------------------------

    \251\ See, e.g., comment letter of Bank of America Corporation

    (May 29, 2007).

    \252\ See comment letter of Visa U.S.A. Inc. (May 29, 2007).

    \253\ See comment letter of Financial Services Institute (May

    29, 2007).

    ---------------------------------------------------------------------------

    Although the SEC cannot determine aggregate costs because of the

    unknown number of financial institutions that will adopt the model

    form, we expect each financial institution choosing to adopt the model

    form to incur minimal, if any, costs. As discussed above, we do not

    anticipate that financial institutions will incur additional disclosure

    costs in using the model privacy form because the substantive notice

    requirements of Regulation S-P have been effective since July 1, 2001,

    and are not altered by the amendments. We expect notice development and

    transition costs to be minimal because the language and format in the

    model form are standardized and financial institutions can only

    customize a few sections of the model form by selecting from among a

    menu of specific terms. Furthermore, the model form can be downloaded

    from a Web site so preparation costs should be minimal. Moreover, the

    Agencies are giving financial

    [[Page 62915]]

    institutions one year in which they can continue to rely on the Sample

    Clauses for safe harbor or guidance, which should allow time to

    minimize the transition costs for any institution that adopts the model

    privacy form.

    Similarly, the SEC expects any aggregate costs to consumers that

    may result from adoption of the model form to be minimal, if any. As

    discussed above, the model form emerged as the most effective of

    several notice formats in an extensive consumer research testing

    process that sought to maximize consumers' ability to comprehend, use,

    and compare privacy notices. We anticipate that any initial costs to

    consumers in the form of confusion or reduced understanding will be

    short-lived as increasing numbers of financial institutions use the

    model privacy form and consumers become more familiar with its contents

    and can use the form to compare notices more easily.

    XII. SEC Consideration of Burden on Competition

    Securities Exchange Act Section 23(a)(2) requires the SEC, in

    adopting rules under that Act, to consider the impact that any such

    rule will have on competition.\254\ Section 23(a)(2) also prohibits the

    SEC from adopting any rule that will impose a burden on competition not

    necessary or appropriate in furtherance of the purposes of the

    Securities Exchange Act.

    ---------------------------------------------------------------------------

    \254\ See 15 U.S.C. 78w(a)(2).

    ---------------------------------------------------------------------------

    As discussed above, the amendments to Regulation S-P, including the

    model form, are designed to comply with section 728 of the Regulatory

    Relief Act, mandating that the Agencies develop a model form that is

    comprehensible, clear and conspicuous, and succinct. SEC-regulated

    institutions will be able to use the model form in order to comply with

    the notice requirements under the GLB Act, the FCRA, and Regulation S-P.

    The SEC does not expect the amendments to have a significant impact

    on competition. Use of the model form will be voluntary, permitting a

    financial institution to determine whether using the model form will

    enhance its competitive position. All brokers and dealers, investment

    companies, and registered investment advisers will be able to use the

    model form and take advantage of the safe harbor. Other financial

    institutions will be able to use the form and take advantage of the

    safe harbor under comparable rules adopted by the other Agencies. Under

    the Regulatory Relief Act, the Agencies have worked in consultation in

    order to ensure the consistency and comparability of the amendments.

    Therefore, all financial institutions will have the same opportunity to

    use the model form and rely on the safe harbor.

    Further, if financial institutions choose to use the model form,

    the amendments could promote competition by enabling consumers more

    easily to understand and compare competing institutions' privacy

    policies. The SEC also anticipates that the model form's standardized

    formatting may reduce the relative burden of compliance on smaller

    financial institutions, allowing them to compete more effectively with

    larger institutions that are more likely to have a dedicated compliance

    staff. As such, the SEC expects any impact on competition caused by the

    amendments would not be significant.

    XIII. NCUA: The Treasury and General Government Appropriations Act,

    1999--Assessment of Federal Regulations and Policies on Families

    The NCUA has determined that this rule will not affect family well-being

    within the meaning of section 654 of the Treasury and General

    Government Appropriations Act, 1999, Public Law 105-277, 112 Stat. 2681

    (1998).

    XIV. CFTC Cost-Benefit Analysis

    Section 15 of the Commodity Exchange Act requires the CFTC to

    consider the costs and benefits of its action before issuing a new

    regulation under the Act. The CFTC understands that, by its terms,

    section 15 does not require the CFTC to quantify the costs and benefits

    of a new regulation or to determine whether the benefits of the

    regulation outweigh its costs. Nor does it require that each rule be

    analyzed piecemeal or in isolation when that rule is a component of a

    larger package of rules or rule revisions. Rather, section 15 simply

    requires the CFTC to ``consider the costs and benefits'' of its action.

    Section 15 further specifies that costs and benefits shall be

    evaluated in light of five broad areas of market and public concern:

    Protection of market participants and the public; efficiency,

    competitiveness, and financial integrity of futures markets; price

    discovery; sound risk management practices; and other public interest

    considerations. Accordingly, the CFTC could in its discretion give

    greater weight to any one of the five enumerated areas of concern and

    could in its discretion determine that, notwithstanding its costs, a

    particular rule was necessary or appropriate to protect the public

    interest or to effectuate any of the provisions or to accomplish any of

    the purposes of the Act.

    The CFTC has considered the costs and benefits of the model form as

    a totality. The form provides a non-mandatory means of complying with

    existing requirements of the privacy provisions of the GLB Act and

    section 5g of the CEA, and thus imposes no mandatory new costs. The

    CFTC believes that the model form should benefit futures industry

    consumer customers in better understanding a financial institution's

    privacy policies, and may facilitate customers in comparing the privacy

    policies of financial institutions.

    List of Subjects

    12 CFR Part 40

    Banks, banking, Consumer protection, National banks, Privacy,

    Reporting and recordkeeping requirements.

    12 CFR Part 216

    Banks, banking, Consumer protection, Foreign banking, Holding

    companies, Privacy, Reporting and recordkeeping requirements.

    12 CFR Part 332

    Banks, banking, Consumer protection, Foreign banking, Privacy,

    Reporting and recordkeeping requirements.

    12 CFR Part 573

    Consumer protection, Privacy, Reporting and recordkeeping

    requirements, Savings associations.

    12 CFR Part 716

    Consumer protection, Credit unions, Privacy, Reporting and

    recordkeeping requirements.

    16 CFR Part 313

    Consumer protection, Credit, Privacy, Reporting and recordkeeping

    requirements, Trade practices.

    17 CFR Part 160

    Brokers, Consumer protection, Privacy, Reporting and recordkeeping

    requirements.

    17 CFR Part 248

    Brokers, Consumer protection, Investment companies, Privacy,

    Reporting and recordkeeping requirements, Securities.

    [[Page 62916]]

    DEPARTMENT OF THE TREASURY

    Office of the Comptroller of the Currency

    12 CFR Chapter I

    Authority and Issuance

    For the reasons set forth in the joint preamble, part 40 of chapter I

    of title 12 of the Code of Federal Regulations is amended as follows:

    PART 40--PRIVACY OF CONSUMER FINANCIAL INFORMATION

    1. The authority citation for part 40 continues to read as follows:

    Authority: 12 U.S.C. 93a; 15 U.S.C. 6801 et seq.

    2. Revise Sec. 40.2 to read as follows:

    Sec. 40.2 Model privacy form and examples.

    (a) Model privacy form. Use of the model privacy form in Appendix A

    of this part, consistent with the instructions in Appendix A,

    constitutes compliance with the notice content requirements of

    Sec. Sec. 40.6 and 40.7 of this part, although use of the model

    privacy form is not required.

    (b) Examples. The examples in this part are not exclusive.

    Compliance with an example, to the extent applicable, constitutes

    compliance with this part.

    3. In Sec. 40.6:

    A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set

    forth below.

    B. Effective January 1, 2012, remove paragraph (g).

    Sec. 40.6 Information to be included in privacy notices.

    * * * * *

    (b) Description of nonaffiliated third parties subject to

    exceptions. If you disclose nonpublic personal information to third

    parties as authorized under Sec. Sec. 40.14 and 40.15, you are not

    required to list those exceptions in the initial or annual privacy

    notices required by Sec. Sec. 40.4 and 40.5. When describing the

    categories with respect to those parties, it is sufficient to state

    that you make disclosures to other nonaffiliated companies:

    (1) For your everyday business purposes, such as [include all that

    apply] to process transactions, maintain account(s), respond to court

    orders and legal investigations, or report to credit bureaus; or

    (2) As permitted by law.

    * * * * *

    (f) Model privacy form. Pursuant to Sec. 40.2(a) of this part, a

    model privacy form that meets the notice content requirements of this

    section is included in Appendix A of this part.

    (g) Sample clauses. Sample clauses illustrating some of the notice

    content required by this section are included in Appendix B of this

    part. Use of a sample clause in a privacy notice provided on or before

    December 31, 2010, to the extent applicable, constitutes compliance

    with this part.

    4. In Sec. 40.7, add paragraph (i) to read as follows:

    Sec. 40.7 Form of opt-out notice to consumers; opt-out methods.

    * * * * *

    (i) Model privacy form. Pursuant to Sec. 40.2(a) of this part, a

    model privacy form that meets the notice content requirements of this

    section is included in Appendix A of this part.

    Appendix A [Redesignated as Appendix B]

    5. Redesignate Appendix A to part 40 as Appendix B to part 40.

    6. Add new Appendix A to part 40 to read as follows:

    Appendix A to Part 40--Model Privacy Form

    A. The Model Privacy Form

    [[Page 62917]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.000

    [[Page 62918]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.001

    [[Page 62919]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.002

    [[Page 62920]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.003

    [[Page 62921]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.004

    [[Page 62922]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.005

    [[Page 62923]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.006

    B. General Instructions

    1. How the Model Privacy Form Is Used

    (a) The model form may be used, at the option of a financial

    institution, including a group of financial institutions that use a

    common privacy notice, to meet the content requirements of the

    privacy notice and opt-out notice set forth in Sec. Sec. 40.6 and

    40.7 of this part.

    (b) The model form is a standardized form, including page

    layout, content, format, style, pagination, and shading.

    Institutions seeking to obtain the safe harbor through use of the

    model form may modify it only as described in these Instructions.

    (c) Note that disclosure of certain information, such as assets,

    income, and information from a consumer reporting agency, may give

    rise to obligations under the Fair Credit Reporting Act [15 U.S.C.

    1681-1681x] (FCRA), such as a requirement to permit a consumer to

    opt out of disclosures to affiliates or designation as a consumer

    reporting agency if disclosures are made to nonaffiliated third

    parties.

    (d) The word ``customer'' may be replaced by the word ``member''

    whenever it appears in the model form, as appropriate.

    2. The Contents of the Model Privacy Form

    The model form consists of two pages, which may be printed on

    both sides of a single sheet of paper, or may appear on two separate

    pages. Where an institution provides a long list of institutions at

    the end of the model form in accordance with Instruction C.3(a)(1),

    or provides additional information in accordance with Instruction

    C.3(c), and such list or additional information exceeds the space

    available on page two of the model form, such list or additional

    information may extend to a third page.

    (a) Page One. The first page consists of the following

    components:

    (1) Date last revised (upper right-hand corner).

    (2) Title.

    (3) Key frame (Why?, What?, How?).

    (4) Disclosure table (``Reasons we can share your personal

    information'').

    (5) ``To limit our sharing'' box, as needed, for the financial

    institution's opt-out information.

    (6) ``Questions'' box, for customer service contact information.

    (7) Mail-in opt-out form, as needed.

    (b) Page Two. The second page consists of the following

    components:

    (1) Heading (Page 2).

    (2) Frequently Asked Questions (``Who we are'' and ``What we

    do'').

    (3) Definitions.

    (4) ``Other important information'' box, as needed.

    3. The Format of the Model Privacy Form

    The format of the model form may be modified only as described

    below.

    (a) Easily readable type font. Financial institutions that use

    the model form must use an easily readable type font. While a number

    of factors together produce easily readable type font, institutions

    are required to use a minimum of 10-point font (unless otherwise

    expressly permitted in these Instructions) and sufficient spacing

    between the lines of type.

    (b) Logo. A financial institution may include a corporate logo

    on any page of the notice, so long as it does not interfere with the

    readability of the model form or the space constraints of each page.

    (c) Page size and orientation. Each page of the model form must

    be printed on paper in portrait orientation, the size of which must

    be sufficient to meet the layout and minimum font size requirements,

    with sufficient white space on the top, bottom, and sides of the

    content.

    (d) Color. The model form must be printed on white or light

    color paper (such as cream) with black or other contrasting ink

    color. Spot color may be used to achieve visual interest, so long as

    the color contrast is distinctive and the color does not detract

    from the readability of the model form. Logos may also be printed in

    color.

    (e) Languages. The model form may be translated into languages

    other than English.

    C. Information Required in the Model Privacy Form

    The information in the model form may be modified only as

    described below:

    1. Name of the Institution or Group of Affiliated Institutions

    Providing the Notice

    Insert the name of the financial institution providing the

    notice or a common identity of affiliated institutions jointly

    providing the notice on the form wherever [name of financial

    institution] appears.

    2. Page One

    (a) Last revised date. The financial institution must insert in

    the upper right-hand corner the date on which the notice was last

    revised. The information shall appear in minimum 8-point font as

    ``rev. [month/year]'' using either the name or number of the month,

    such as ``rev. July 2009'' or ``rev. 7/09''.

    (b) General instructions for the ``What?'' box.

    (1) The bulleted list identifies the types of personal

    information that the institution collects and shares. All

    institutions must use the term ``Social Security number'' in the

    first bullet.

    (2) Institutions must use five (5) of the following terms to

    complete the bulleted list: income; account balances; payment

    history; transaction history; transaction or loss history; credit

    history; credit scores; assets; investment experience; credit-based

    insurance scores; insurance claim history; medical information;

    overdraft history; purchase history; account transactions; risk

    tolerance; medical-related debts; credit card or other debt;

    mortgage rates and payments; retirement assets; checking account

    information; employment information; wire transfer instructions.

    (c) General instructions for the disclosure table. The left

    column lists reasons for

    [[Page 62924]]

    sharing or using personal information. Each reason correlates to a

    specific legal provision described in paragraph C.2(d) of this

    Instruction. In the middle column, each institution must provide a

    ``Yes'' or ``No'' response that accurately reflects its information

    sharing policies and practices with respect to the reason listed on

    the left. In the right column, each institution must provide in each

    box one of the following three (3) responses, as applicable, that

    reflects whether a consumer can limit such sharing: ``Yes'' if it is

    required to or voluntarily provides an opt-out; ``No'' if it does

    not provide an opt-out; or ``We don't share'' if it answers ``No''

    in the middle column. Only the sixth row (``For our affiliates to

    market to you'') may be omitted at the option of the institution.

    See paragraph C.2(d)(6) of this Instruction.

    (d) Specific disclosures and corresponding legal provisions.

    (1) For our everyday business purposes. This reason incorporates

    sharing information under Sec. Sec. 40.14 and 40.15 and with

    service providers pursuant to Sec. 40.13 of this part other than

    the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these

    Instructions.

    (2) For our marketing purposes. This reason incorporates sharing

    information with service providers by an institution for its own

    marketing pursuant to Sec. 40.13 of this part. An institution that

    shares for this reason may choose to provide an opt-out.

    (3) For joint marketing with other financial companies. This

    reason incorporates sharing information under joint marketing

    agreements between two or more financial institutions and with any

    service provider used in connection with such agreements pursuant to

    Sec. 40.13 of this part. An institution that shares for this reason

    may choose to provide an opt-out.

    (4) For our affiliates' everyday business purposes--information

    about transactions and experiences. This reason incorporates sharing

    information specified in sections 603(d)(2)(A)(i) and (ii) of the

    FCRA. An institution that shares for this reason may choose to

    provide an opt-out.

    (5) For our affiliates' everyday business purposes--information

    about creditworthiness. This reason incorporates sharing information

    pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution

    that shares for this reason must provide an opt-out.

    (6) For our affiliates to market to you. This reason

    incorporates sharing information specified in section 624 of the

    FCRA. This reason may be omitted from the disclosure table when: the

    institution does not have affiliates (or does not disclose personal

    information to its affiliates); the institution's affiliates do not

    use personal information in a manner that requires an opt-out; or

    the institution provides the affiliate marketing notice separately.

    Institutions that include this reason must provide an opt-out of

    indefinite duration. An institution that is required to provide an

    affiliate marketing opt-out, but does not include that opt-out in

    the model form under this part, must comply with section 624 of the

    FCRA and 12 CFR part 41, subpart C, with respect to the initial

    notice and opt-out and any subsequent renewal notice and opt-out. An

    institution not required to provide an opt-out under this

    subparagraph may elect to include this reason in the model form.

    (7) For nonaffiliates to market to you. This reason incorporates

    sharing described in Sec. Sec. 40.7 and 40.10(a) of this part. An

    institution that shares personal information for this reason must

    provide an opt-out.

    (e) To limit our sharing: A financial institution must include

    this section of the model form only if it provides an opt-out. The

    word ``choice'' may be written in either the singular or plural, as

    appropriate. Institutions must select one or more of the applicable

    opt-out methods described: telephone, such as by a toll-free number;

    a Web site; or use of a mail-in opt-out form. Institutions may

    include the words ``toll-free'' before telephone, as appropriate. An

    institution that allows consumers to opt out online must provide

    either a specific Web address that takes consumers directly to the

    opt-out page or a general Web address that provides a clear and

    conspicuous direct link to the opt-out page. The opt-out choices

    made available to the consumer who contacts the institution through

    these methods must correspond accurately to the ``Yes'' responses in

    the third column of the disclosure table. In the part titled

    ``Please note'' institutions may insert a number that is 30 or

    greater in the space marked ``[30].'' Instructions on voluntary or

    state privacy law opt-out information are in paragraph C.2(g)(5) of

    these Instructions.

    (f) Questions box. Customer service contact information must be

    inserted as appropriate, where [phone number] or [Web site] appear.

    Institutions may elect to provide either a phone number, such as a

    toll-free number, or a Web address, or both. Institutions may

    include the words ``toll-free'' before the telephone number, as

    appropriate.

    (g) Mail-in opt-out form. Financial institutions must include

    this mail-in form only if they state in the ``To limit our sharing''

    box that consumers can opt out by mail. The mail-in form must

    provide opt-out options that correspond accurately to the ``Yes''

    responses in the third column in the disclosure table. Institutions

    that require customers to provide only name and address may omit the

    section identified as ``[account ].'' Institutions that

    require additional or different information, such as a random opt-

    out number or a truncated account number, to implement an opt-out

    election should modify the ``[account ]'' reference

    accordingly. This includes institutions that require customers with

    multiple accounts to identify each account to which the opt-out

    should apply. An institution must enter its opt-out mailing address:

    In the far right of this form (see version 3); or below the form

    (see version 4). The reverse side of the mail-in opt-out form must

    not include any content of the model form.

    (1) Joint accountholder. Only institutions that provide their

    joint accountholders the choice to opt out for only one

    accountholder, in accordance with paragraph C.3(a)(5) of these

    Instructions, must include in the far left column of the mail-in

    form the following statement: ``If you have a joint account, your

    choice(s) will apply to everyone on your account unless you mark

    below. [squ] Apply my choice(s) only to me.'' The word ``choice''

    may be written in either the singular or plural, as appropriate.

    Financial institutions that provide insurance products or services,

    provide this option, and elect to use the model form may substitute

    the word ``policy'' for ``account'' in this statement. Institutions

    that do not provide this option may eliminate this left column from

    the mail-in form.

    (2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution

    shares personal information pursuant to section 603(d)(2)(A)(iii) of

    the FCRA, it must include in the mail-in opt-out form the following

    statement: ``[squ] Do not share information about my

    creditworthiness with your affiliates for their everyday business

    purposes.''

    (3) FCRA Section 624 opt-out. If the institution incorporates

    section 624 of the FCRA in accord with paragraph C.2(d)(6) of these

    Instructions, it must include in the mail-in opt-out form the

    following statement: ``[squ] Do not allow your affiliates to use my

    personal information to market to me.''

    (4) Nonaffiliate opt-out. If the financial institution shares

    personal information pursuant to Sec. 40.10(a) of this part, it

    must include in the mail-in opt-out form the following statement:

    ``[squ] Do not share my personal information with nonaffiliates to

    market their products and services to me.''

    (5) Additional opt-outs. Financial institutions that use the

    disclosure table to provide opt-out options beyond those required by

    Federal law must provide those opt-outs in this section of the model

    form. A financial institution that chooses to offer an opt-out for

    its own marketing in the mail-in opt-out form must include one of

    the two following statements: ``[squ] Do not share my personal

    information to market to me.'' or ``[squ] Do not use my personal

    information to market to me.'' A financial institution that chooses

    to offer an opt-out for joint marketing must include the following

    statement: ``[squ] Do not share my personal information with other

    financial institutions to jointly market to me.''

    (h) Barcodes. A financial institution may elect to include a

    barcode and/or ``tagline'' (an internal identifier) in 6-point font

    at the bottom of page one, as needed for information internal to the

    institution, so long as these do not interfere with the clarity or

    text of the form.

    3. Page Two

    (a) General Instructions for the Questions. Certain of the

    Questions may be customized as follows:

    (1) ``Who is providing this notice?'' This question may be

    omitted where only one financial institution provides the model form

    and that institution is clearly identified in the title on page one.

    Two or more financial institutions that jointly provide the model

    form must use this question to identify themselves as required by

    Sec. 40.9(f) of this part. Where the list of institutions exceeds

    four (4) lines, the institution must describe in the response to

    this question the general types of institutions jointly providing

    the notice and must separately identify those institutions, in

    minimum 8-point font, directly following the ``Other important

    [[Page 62925]]

    information'' box, or, if that box is not included in the

    institution's form, directly following the ``Definitions.'' The list

    may appear in a multi-column format.

    (2) ``How does [name of financial institution] protect my

    personal information?'' The financial institution may only provide

    additional information pertaining to its safeguards practices

    following the designated response to this question. Such information

    may include information about the institution's use of cookies or

    other measures it uses to safeguard personal information.

    Institutions are limited to a maximum of 30 additional words.

    (3) ``How does [name of financial institution] collect my

    personal information?'' Institutions must use five (5) of the

    following terms to complete the bulleted list for this question:

    Open an account; deposit money; pay your bills; apply for a loan;

    use your credit or debit card; seek financial or tax advice; apply

    for insurance; pay insurance premiums; file an insurance claim; seek

    advice about your investments; buy securities from us; sell

    securities to us; direct us to buy securities; direct us to sell

    your securities; make deposits or withdrawals from your account;

    enter into an investment advisory contract; give us your income

    information; provide employment information; give us your employment

    history; tell us about your investment or retirement portfolio; tell

    us about your investment or retirement earnings; apply for

    financing; apply for a lease; provide account information; give us

    your contact information; pay us by check; give us your wage

    statements; provide your mortgage information; make a wire transfer;

    tell us who receives the money; tell us where to send the money;

    show your government-issued ID; show your driver's license; order a

    commodity futures or option trade. Institutions that collect

    personal information from their affiliates and/or credit bureaus

    must include after the bulleted list the following statement: ``We

    also collect your personal information from others, such as credit

    bureaus, affiliates, or other companies.'' Institutions that do not

    collect personal information from their affiliates or credit bureaus

    but do collect information from other companies must include the

    following statement instead: ``We also collect your personal

    information from other companies.'' Only institutions that do not

    collect any personal information from affiliates, credit bureaus, or

    other companies can omit both statements.

    (4) ``Why can't I limit all sharing?'' Institutions that

    describe state privacy law provisions in the ``Other important

    information'' box must use the bracketed sentence: ``See below for

    more on your rights under state law.'' Other institutions must omit

    this sentence.

    (5) ``What happens when I limit sharing for an account I hold

    jointly with someone else?'' Only financial institutions that

    provide opt-out options must use this question. Other institutions

    must omit this question. Institutions must choose one of the

    following two statements to respond to this question: ``Your choices

    will apply to everyone on your account.'' or ``Your choices will

    apply to everyone on your account--unless you tell us otherwise.''

    Financial institutions that provide insurance products or services

    and elect to use the model form may substitute the word ``policy''

    for ``account'' in these statements.

    (b) General Instructions for the Definitions.

    The financial institution must customize the space below the

    responses to the three definitions in this section. This specific

    information must be in italicized lettering to set off the

    information from the standardized definitions.

    (1) Affiliates. As required by Sec. 40.6(a)(3) of this part,

    where [affiliate information] appears, the financial institution

    must:

    (i) If it has no affiliates, state: ``[name of financial

    institution] has no affiliates;''

    (ii) If it has affiliates but does not share personal

    information, state: ``[name of financial institution] does not share

    with our affiliates;'' or

    (iii) If it shares with its affiliates, state, as applicable:

    ``Our affiliates include companies with a [common corporate identity

    of financial institution] name; financial companies such as [insert

    illustrative list of companies;] nonfinancial companies, such as

    [insert illustrative list of companies]; and others, such as [insert

    illustrative list].''

    (2) Nonaffiliates. As required by Sec. 40.6(c)(3) of this part,

    where [nonaffiliate information] appears, the financial institution

    must:

    (i) If it does not share with nonaffiliated third parties,

    state: ``[name of financial institution] does not share with

    nonaffiliates so they can market to you''; or

    (ii) If it shares with nonaffiliated third parties, state, as

    applicable: ``Nonaffiliates we share with can include [list

    categories of companies such as mortgage companies, insurance

    companies, direct marketing companies, and nonprofit

    organizations].''

    (3) Joint Marketing. As required by Sec. 40.13 of this part,

    where [joint marketing] appears, the financial institution must:

    (i) If it does not engage in joint marketing, state: ``[name of

    financial institution] doesn't jointly market''; or

    (ii) If it shares personal information for joint marketing,

    state, as applicable: ``Our joint marketing partners include [list

    categories of companies such as credit card companies].''

    (c) General instructions for the ``Other important information''

    box. This box is optional. The space provided for information in

    this box is not limited. Only the following types of information can

    appear in this box.

    (1) State and/or international privacy law information; and/or

    (2) Acknowledgment of receipt form.

    7. Amend newly redesignated Appendix B to part 40 as follows:

    A. Add a new sentence to the beginning of the introductory text as set

    forth below.

    B. Effective January 1, 2012, remove Appendix B to part 40.

    Appendix B to Part 40--Sample Clauses

    This Appendix only applies to privacy notices provided before

    January 1, 2011. * * *

    * * * * *

    Federal Reserve System

    12 CFR Chapter II

    Authority and Issuance

    For the reasons set forth in the joint preamble, the Board amends part

    216 of chapter II of title 12 of the Code of Federal Regulations as

    follows:

    PART 216--PRIVACY OF CONSUMER FINANCIAL INFORMATION

    8. The authority citation for part 216 continues to read as follows:

    Authority: 15 U.S.C. 6801 et seq.

    9. Revise Sec. 216.2 to read as follows:

    Sec. 216.2 Model privacy form and examples.

    (a) Model privacy form. Use of the model privacy form in Appendix A

    of this part, consistent with the instructions in Appendix A,

    constitutes compliance with the notice content requirements of

    Sec. Sec. 216.6 and 216.7 of this part, although use of the model

    privacy form is not required.

    (b) Examples. The examples in this part are not exclusive.

    Compliance with an example, to the extent applicable, constitutes

    compliance with this part.

    10. In Sec. 216.6:

    A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set

    forth below.

    B. Effective January 1, 2012, remove paragraph (g).

    Sec. 216.6 Information to be included in privacy notices.

    * * * * *

    (b) Description of nonaffiliated third parties subject to

    exceptions. If you disclose nonpublic personal information to third

    parties as authorized under Sec. Sec. 216.14 and 216.15, you are not

    required to list those exceptions in the initial or annual privacy

    notices required by Sec. Sec. 216.4 and 216.5. When describing the

    categories with respect to those parties, it is sufficient to state

    that you make disclosures to other nonaffiliated companies:

    (1) For your everyday business purposes, such as [include all that

    apply] to process transactions, maintain account(s), respond to court

    orders and legal investigations, or report to credit bureaus; or

    (2) As permitted by law.

    * * * * *

    (f) Model privacy form. Pursuant to Sec. 216.2(a) of this part, a

    model privacy

    [[Page 62926]]

    form that meets the notice content requirements of this section is

    included in Appendix A of this part.

    (g) Sample clauses. Sample clauses illustrating some of the notice

    content required by this section are included in Appendix B of this

    part. Use of a sample clause in a privacy notice provided on or before

    December 31, 2010, to the extent applicable, constitutes compliance

    with this part.

    11. In Sec. 216.7, add paragraph (i) to read as follows:

    Sec. 216.7 Form of opt-out notice to consumers; opt-out methods.

    * * * * *

    (i) Model privacy form. Pursuant to Sec. 216.2(a) of this part, a

    model privacy form that meets the notice content requirements of this

    section is included in Appendix A of this part.

    Appendix A [Redesignated as Appendix B]

    12. Redesignate Appendix A to part 216 as Appendix B to part 216.

    13. Add new Appendix A to part 216 to read as follows:

    Appendix A to Part 216--Model Privacy Form

    A. The Model Privacy Form

    [[Page 62927]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.007

    [[Page 62928]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.008

    [[Page 62929]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.009

    [[Page 62930]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.010

    [[Page 62931]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.011

    [[Page 62932]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.012

    [[Page 62933]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.013

    B. General Instructions

    1. How the Model Privacy Form Is Used

    (a) The model form may be used, at the option of a financial

    institution, including a group of financial institutions that use a

    common privacy notice, to meet the content requirements of the

    privacy notice and opt-out notice set forth in Sec. Sec. 216.6 and

    216.7 of this part.

    (b) The model form is a standardized form, including page

    layout, content, format, style, pagination, and shading.

    Institutions seeking to obtain the safe harbor through use of the

    model form may modify it only as described in these Instructions.

    (c) Note that disclosure of certain information, such as assets,

    income, and information from a consumer reporting agency, may give

    rise to obligations under the Fair Credit Reporting Act [15 U.S.C.

    1681-1681x] (FCRA), such as a requirement to permit a consumer to

    opt out of disclosures to affiliates or designation as a consumer

    reporting agency if disclosures are made to nonaffiliated third

    parties.

    (d) The word ``customer'' may be replaced by the word ``member''

    whenever it appears in the model form, as appropriate.

    2. The Contents of the Model Privacy Form

    The model form consists of two pages, which may be printed on

    both sides of a single sheet of paper, or may appear on two separate

    pages. Where an institution provides a long list of institutions at

    the end of the model form in accordance with Instruction C.3(a)(1),

    or provides additional information in accordance with Instruction

    C.3(c), and such list or additional information exceeds the space

    available on page two of the model form, such list or additional

    information may extend to a third page.

    (a) Page One. The first page consists of the following

    components:

    (1) Date last revised (upper right-hand corner).

    (2) Title.

    (3) Key frame (Why?, What?, How?).

    (4) Disclosure table (``Reasons we can share your personal

    information'').

    (5) ``To limit our sharing'' box, as needed, for the financial

    institution's opt-out information.

    (6) ``Questions'' box, for customer service contact information.

    (7) Mail-in opt-out form, as needed.

    (b) Page Two. The second page consists of the following

    components:

    (1) Heading (Page 2).

    (2) Frequently Asked Questions (``Who we are'' and ``What we

    do'').

    (3) Definitions.

    (4) ``Other important information'' box, as needed.

    3. The Format of the Model Privacy Form

    The format of the model form may be modified only as described

    below.

    (a) Easily readable type font. Financial institutions that use

    the model form must use an easily readable type font. While a number

    of factors together produce easily readable type font, institutions

    are required to use a minimum of 10-point font (unless otherwise

    expressly permitted in these Instructions) and sufficient spacing

    between the lines of type.

    (b) Logo. A financial institution may include a corporate logo

    on any page of the notice, so long as it does not interfere with the

    readability of the model form or the space constraints of each page.

    (c) Page size and orientation. Each page of the model form must

    be printed on paper in portrait orientation, the size of which must

    be sufficient to meet the layout and minimum font size requirements,

    with sufficient white space on the top, bottom, and sides of the

    content.

    (d) Color. The model form must be printed on white or light

    color paper (such as cream) with black or other contrasting ink

    color. Spot color may be used to achieve visual interest, so long as

    the color contrast is distinctive and the color does not detract

    from the readability of the model form. Logos may also be printed in

    color.

    (e) Languages. The model form may be translated into languages

    other than English.

    C. Information Required in the Model Privacy Form

    The information in the model form may be modified only as

    described below:

    1. Name of the Institution or Group of Affiliated Institutions

    Providing the Notice

    Insert the name of the financial institution providing the

    notice or a common identity of affiliated institutions jointly

    providing the notice on the form wherever [name of financial

    institution] appears.

    2. Page One

    (a) Last revised date. The financial institution must insert in

    the upper right-hand corner the date on which the notice was last

    revised. The information shall appear in minimum 8-point font as

    ``rev. [month/year]'' using either the name or number of the month,

    such as ``rev. July 2009'' or ``rev. 7/09''.

    (b) General instructions for the ``What?'' box.

    (1) The bulleted list identifies the types of personal

    information that the institution collects and shares. All

    institutions must use the term ``Social Security number'' in the

    first bullet.

    (2) Institutions must use five (5) of the following terms to

    complete the bulleted list: income; account balances; payment

    history; transaction history; transaction or loss history; credit

    history; credit scores; assets; investment experience; credit-based

    insurance scores; insurance claim history; medical information;

    overdraft history; purchase history; account transactions; risk

    tolerance; medical-related debts; credit card or other debt;

    mortgage rates and payments; retirement assets; checking account

    information; employment information; wire transfer instructions.

    (c) General instructions for the disclosure table. The left

    column lists reasons for

    [[Page 62934]]

    sharing or using personal information. Each reason correlates to a

    specific legal provision described in paragraph C.2(d) of this

    Instruction. In the middle column, each institution must provide a

    ``Yes'' or ``No'' response that accurately reflects its information

    sharing policies and practices with respect to the reason listed on

    the left. In the right column, each institution must provide in each

    box one of the following three (3) responses, as applicable, that

    reflects whether a consumer can limit such sharing: ``Yes'' if it is

    required to or voluntarily provides an opt-out; ``No'' if it does

    not provide an opt-out; or ``We don't share'' if it answers ``No''

    in the middle column. Only the sixth row (``For our affiliates to

    market to you'') may be omitted at the option of the institution.

    See paragraph C.2(d)(6) of this Instruction.

    (d) Specific disclosures and corresponding legal provisions.

    (1) For our everyday business purposes. This reason incorporates

    sharing information under Sec. Sec. 216.14 and 216.15 and with

    service providers pursuant to Sec. 216.13 of this part other than

    the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these

    Instructions.

    (2) For our marketing purposes. This reason incorporates sharing

    information with service providers by an institution for its own

    marketing pursuant to Sec. 216.13 of this part. An institution that

    shares for this reason may choose to provide an opt-out.

    (3) For joint marketing with other financial companies. This

    reason incorporates sharing information under joint marketing

    agreements between two or more financial institutions and with any

    service provider used in connection with such agreements pursuant to

    Sec. 216.13 of this part. An institution that shares for this

    reason may choose to provide an opt-out.

    (4) For our affiliates' everyday business purposes--information

    about transactions and experiences. This reason incorporates sharing

    information specified in sections 603(d)(2)(A)(i) and (ii) of the

    FCRA. An institution that shares for this reason may choose to

    provide an opt-out.

    (5) For our affiliates' everyday business purposes--information

    about creditworthiness. This reason incorporates sharing information

    pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution

    that shares for this reason must provide an opt-out.

    (6) For our affiliates to market to you. This reason

    incorporates sharing information specified in section 624 of the

    FCRA. This reason may be omitted from the disclosure table when: the

    institution does not have affiliates (or does not disclose personal

    information to its affiliates); the institution's affiliates do not

    use personal information in a manner that requires an opt-out; or

    the institution provides the affiliate marketing notice separately.

    Institutions that include this reason must provide an opt-out of

    indefinite duration. An institution that is required to provide an

    affiliate marketing opt-out, but does not include that opt-out in

    the model form under this part, must comply with section 624 of the

    FCRA and 12 CFR part 222, subpart C, with respect to the initial

    notice and opt-out and any subsequent renewal notice and opt-out. An

    institution not required to provide an opt-out under this

    subparagraph may elect to include this reason in the model form.

    (7) For nonaffiliates to market to you. This reason incorporates

    sharing described in Sec. Sec. 216.7 and 216.10(a) of this part. An

    institution that shares personal information for this reason must

    provide an opt-out.

    (e) To limit our sharing: A financial institution must include

    this section of the model form only if it provides an opt-out. The

    word ``choice'' may be written in either the singular or plural, as

    appropriate. Institutions must select one or more of the applicable

    opt-out methods described: telephone, such as by a toll-free number;

    a Website; or use of a mail-in opt-out form. Institutions may

    include the words ``toll-free'' before telephone, as appropriate. An

    institution that allows consumers to opt out online must provide

    either a specific Web address that takes consumers directly to the

    opt-out page or a general Web address that provides a clear and

    conspicuous direct link to the opt-out page. The opt-out choices

    made available to the consumer who contacts the institution through

    these methods must correspond accurately to the ``Yes'' responses in

    the third column of the disclosure table. In the part titled

    ``Please note'' institutions may insert a number that is 30 or

    greater in the space marked ``[30].'' Instructions on voluntary or

    state privacy law opt-out information are in paragraph C.2(g)(5) of

    these Instructions.

    (f) Questions box. Customer service contact information must be

    inserted as appropriate, where [phone number] or [website] appear.

    Institutions may elect to provide either a phone number, such as a

    toll-free number, or a Web address, or both. Institutions may

    include the words ``toll-free'' before the telephone number, as

    appropriate.

    (g) Mail-in opt-out form. Financial institutions must include

    this mail-in form only if they state in the ``To limit our sharing''

    box that consumers can opt out by mail. The mail-in form must

    provide opt-out options that correspond accurately to the ``Yes''

    responses in the third column in the disclosure table. Institutions

    that require customers to provide only name and address may omit the

    section identified as ``[account ].'' Institutions that

    require additional or different information, such as a random opt-

    out number or a truncated account number, to implement an opt-out

    election should modify the ``[account ]'' reference

    accordingly. This includes institutions that require customers with

    multiple accounts to identify each account to which the opt-out

    should apply. An institution must enter its opt-out mailing address:

    In the far right of this form (see version 3); or below the form

    (see version 4). The reverse side of the mail-in opt-out form must

    not include any content of the model form.

    (1) Joint accountholder. Only institutions that provide their

    joint accountholders the choice to opt out for only one

    accountholder, in accordance with paragraph C.3(a)(5) of these

    Instructions, must include in the far left column of the mail-in

    form the following statement: ``If you have a joint account, your

    choice(s) will apply to everyone on your account unless you mark

    below. [square] Apply my choice(s) only to me.'' The word ``choice''

    may be written in either the singular or plural, as appropriate.

    Financial institutions that provide insurance products or services,

    provide this option, and elect to use the model form may substitute

    the word ``policy'' for ``account'' in this statement. Institutions

    that do not provide this option may eliminate this left column from

    the mail-in form.

    (2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution

    shares personal information pursuant to section 603(d)(2)(A)(iii) of

    the FCRA, it must include in the mail-in opt-out form the following

    statement: ``[square] Do not share information about my

    creditworthiness with your affiliates for their everyday business

    purposes.''

    (3) FCRA Section 624 opt-out. If the institution incorporates

    section 624 of the FCRA in accord with paragraph C.2(d)(6) of these

    Instructions, it must include in the mail-in opt-out form the

    following statement: ``[square] Do not allow your affiliates to use

    my personal information to market to me.''

    (4) Nonaffiliate opt-out. If the financial institution shares

    personal information pursuant to Sec. 216.10(a) of this part, it

    must include in the mail-in opt-out form the following statement:

    ``[square] Do not share my personal information with nonaffiliates

    to market their products and services to me.''

    (5) Additional opt-outs. Financial institutions that use the

    disclosure table to provide opt-out options beyond those required by

    Federal law must provide those opt-outs in this section of the model

    form. A financial institution that chooses to offer an opt-out for

    its own marketing in the mail-in opt-out form must include one of

    the two following statements: ``[square] Do not share my personal

    information to market to me.'' or ``[square] Do not use my personal

    information to market to me.'' A financial institution that chooses

    to offer an opt-out for joint marketing must include the following

    statement: ``[square] Do not share my personal information with

    other financial institutions to jointly market to me.''

    (h) Barcodes. A financial institution may elect to include a

    barcode and/or ``tagline'' (an internal identifier) in 6-point font

    at the bottom of page one, as needed for information internal to the

    institution, so long as these do not interfere with the clarity or

    text of the form.

    3. Page Two

    (a) General Instructions for the Questions. Certain of the

    Questions may be customized as follows:

    (1) ``Who is providing this notice?'' This question may be

    omitted where only one financial institution provides the model form

    and that institution is clearly identified in the title on page one.

    Two or more financial institutions that jointly provide the model

    form must use this question to identify themselves as required by

    Sec. 216.9(f) of this part. Where the list of institutions exceeds

    four (4) lines, the institution must describe in the response to

    this question the general types of institutions jointly providing

    the notice and must separately identify those institutions, in

    minimum 8-point font, directly following the ``Other important

    information'' box, or, if that box is not included in the

    institution's form, directly following the ``Definitions.'' The list

    may appear in a multi-column format.

    (2) ``How does [name of financial institution] protect my

    personal information?'' The financial institution may only provide

    additional information pertaining to its safeguards practices

    following the designated response to this question. Such information

    may include information about the institution's use of cookies or

    other measures it uses to safeguard personal information.

    Institutions are limited to a maximum of 30 additional words.

    (3) ``How does [name of financial institution] collect my

    personal information?'' Institutions must use five (5) of the

    following terms to complete the bulleted list for this question:

    Open an account; deposit money; pay your bills; apply for a loan;

    use your credit or debit card; seek financial or tax advice; apply

    for insurance; pay insurance premiums; file an insurance claim; seek

    advice about your investments; buy securities from us; sell

    securities to us; direct us to buy securities; direct us to sell

    your securities; make deposits or withdrawals from your account;

    enter into an investment advisory contract; give us your income

    information; provide employment information; give us your employment

    history; tell us about your investment or retirement portfolio; tell

    us about your investment or retirement earnings; apply for

    financing; apply for a lease; provide account information; give us

    your contact information; pay us by check; give us your wage

    statements; provide your mortgage information; make a wire transfer;

    tell us who receives the money; tell us where to send the money;

    show your government-issued ID; show your driver's license; order a

    commodity futures or option trade. Institutions that collect

    personal information from their affiliates and/or credit bureaus

    must include after the bulleted list the following statement: ``We

    also collect your personal information from others, such as credit

    bureaus, affiliates, or other companies.'' Institutions that do not

    collect personal information from their affiliates or credit bureaus

    but do collect information from other companies must include the

    following statement instead: ``We also collect your personal

    information from other companies.''

    Only institutions that do not collect any personal information from

    affiliates, credit bureaus, or other companies can omit both

    statements.

    (4) ``Why can't I limit all sharing?'' Institutions that

    describe state privacy law provisions in the ``Other important

    information'' box must use the bracketed sentence: ``See below for

    more on your rights under state law.'' Other institutions must omit

    this sentence.

    (5) ``What happens when I limit sharing for an account I hold

    jointly with someone else?'' Only financial institutions that

    provide opt-out options must use this question. Other institutions

    must omit this question. Institutions must choose one of the

    following two statements to respond to this question: ``Your choices

    will apply to everyone on your account.'' or ``Your choices will

    apply to everyone on your account--unless you tell us otherwise.''

    Financial institutions that provide insurance products or services

    and elect to use the model form may substitute the word ``policy''

    for ``account'' in these statements.

    (b) General Instructions for the Definitions.

    The financial institution must customize the space below the

    responses to the three definitions in this section. This specific

    information must be in italicized lettering to set off the

    information from the standardized definitions.

    (1) Affiliates. As required by Sec. 216.6(a)(3) of this part,

    where [affiliate information] appears, the financial institution

    must:

    (i) If it has no affiliates, state: ``[name of financial

    institution] has no affiliates'';

    (ii) If it has affiliates but does not share personal

    information, state: ``[name of financial institution] does not share

    with our affiliates''; or

    (iii) If it shares with its affiliates, state, as applicable:

    ``Our affiliates include companies with a [common corporate identity

    of financial institution] name; financial companies such as [insert

    illustrative list of companies]; nonfinancial companies, such as

    [insert illustrative list of companies;] and others, such as [insert

    illustrative list].''

    (2) Nonaffiliates. As required by Sec. 216.6(c)(3) of this

    part, where [nonaffiliate information] appears, the financial

    institution must:

    (i) If it does not share with nonaffiliated third parties,

    state: ``[name of financial institution] does not share with

    nonaffiliates so they can market to you''; or

    (ii) If it shares with nonaffiliated third parties, state, as

    applicable: ``Nonaffiliates we share with can include [list

    categories of companies such as mortgage companies, insurance

    companies, direct marketing companies, and nonprofit

    organizations].''

    (3) Joint Marketing. As required by Sec. 216.13 of this part,

    where [joint marketing] appears, the financial institution must:

    (i) If it does not engage in joint marketing, state: ``[name of

    financial institution] doesn't jointly market''; or

    (ii) If it shares personal information for joint marketing,

    state, as applicable: ``Our joint marketing partners include [list

    categories of companies such as credit card companies].''

    (c) General instructions for the ``Other important information''

    box. This box is optional. The space provided for information in

    this box is not limited. Only the following types of information can

    appear in this box.

    (1) State and/or international privacy law information; and/or

    (2) Acknowledgment of receipt form.

    14. Amend newly redesignated Appendix B to part 216 as follows:

    A. Add a new sentence to the beginning of the introductory text as set

    forth below.

    B. Effective January 1, 2012, remove Appendix B to part 216.

    Appendix B to Part 216--Sample Clauses

    This Appendix only applies to privacy notices provided before

    January 1, 2011. * * *

    * * * * *

    Federal Deposit Insurance Corporation

    12 CFR Chapter III

    Authority and Issuance

    For the reasons set forth in the joint preamble, part 332 of chapter

    III of title 12 of the Code of Federal Regulations is amended as

    follows:

    PART 332--PRIVACY OF CONSUMER FINANCIAL INFORMATION

    15. The authority citation for part 332 continues to read as follows:

    Authority: 12 U.S.C. 1819 (Seventh and Tenth); 15 U.S.C. 6801

    et seq.

    16. Revise Sec. 332.2 to read as follows:

    Sec. 332.2 Model privacy form and examples.

    (a) Model privacy form. Use of the model privacy form in Appendix A

    of this part, consistent with the instructions in Appendix A,

    constitutes compliance with the notice content requirements of

    Sec. Sec. 332.6 and 332.7 of this part, although use of the model

    privacy form is not required.

    (b) Examples. The examples in this part are not exclusive.

    Compliance with an example, to the extent applicable, constitutes

    compliance with this part.

    17. In Sec. 332.6:

    A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set

    forth below.

    B. Effective January 1, 2012, remove paragraph (g).

    Sec. 332.6 Information to be included in privacy notices.

    * * * * *

    (b) Description of nonaffiliated third parties subject to

    exceptions. If you disclose nonpublic personal information to third

    parties as authorized under Sec. Sec. 332.14 and 332.15, you are not

    required to list those exceptions in the initial or annual privacy

    notices required by Sec. Sec. 332.4 and 332.5. When describing the

    categories with respect to those parties, it is sufficient to state

    that you make disclosures to other nonaffiliated companies:

    (1) For your everyday business purposes, such as [include all that

    apply] to process transactions, maintain account(s), respond to court

    orders and legal investigations, or report to credit bureaus; or

    (2) As permitted by law.

    * * * * *

    (f) Model privacy form. Pursuant to Sec. 332.2(a) of this part, a

    model privacy form that meets the notice content requirements of this

    section is included in Appendix A of this part.

    (g) Sample clauses. Sample clauses illustrating some of the notice

    content required by this section are included in Appendix B of this

    part. Use of a sample clause in a privacy notice provided on or before

    December 31, 2010, to the extent applicable, constitutes compliance

    with this part.

    18. In Sec. 332.7, add paragraph (i) to read as follows:

    Sec. 332.7 Form of opt-out notice to consumers; opt-out methods.

    * * * * *

    (i) Model privacy form. Pursuant to Sec. 332.2(a) of this part, a

    model privacy form that meets the notice content requirements of this

    section is included in Appendix A of this part.

    Appendix A [Redesignated as Appendix B]

    19. Redesignate Appendix A to part 332 as Appendix B to part 332.

    20. Add new Appendix A to part 332 to read as follows:

    Appendix A to Part 332--Model Privacy Form

    A. The Model Privacy Form

    [Model privacy form graphics omitted: TR01DE09.014 through TR01DE09.020, pages 62937-62943]

    B. General Instructions

    1. How the Model Privacy Form Is Used

    (a) The model form may be used, at the option of a financial

    institution, including a group of financial institutions that use a

    common privacy notice, to meet the content requirements of the

    privacy notice and opt-out notice set forth in Sec. Sec. 332.6 and

    332.7 of this part.

    (b) The model form is a standardized form, including page

    layout, content, format, style, pagination, and shading.

    Institutions seeking to obtain the safe harbor through use of the

    model form may modify it only as described in these Instructions.

    (c) Note that disclosure of certain information, such as assets,

    income, and information from a consumer reporting agency, may give

    rise to obligations under the Fair Credit Reporting Act [15 U.S.C.

    1681-1681x] (FCRA), such as a requirement to permit a consumer to

    opt out of disclosures to affiliates or designation as a consumer

    reporting agency if disclosures are made to nonaffiliated third

    parties.

    (d) The word ``customer'' may be replaced by the word ``member''

    whenever it appears in the model form, as appropriate.

    2. The Contents of the Model Privacy Form

    The model form consists of two pages, which may be printed on

    both sides of a single sheet of paper, or may appear on two separate

    pages. Where an institution provides a long list of institutions at

    the end of the model form in accordance with Instruction C.3(a)(1),

    or provides additional information in accordance with Instruction

    C.3(c), and such list or additional information exceeds the space

    available on page two of the model form, such list or additional

    information may extend to a third page.

    (a) Page One. The first page consists of the following

    components:

    (1) Date last revised (upper right-hand corner).

    (2) Title.

    (3) Key frame (Why?, What?, How?).

    (4) Disclosure table (``Reasons we can share your personal

    information'').

    (5) ``To limit our sharing'' box, as needed, for the financial

    institution's opt-out information.

    (6) ``Questions'' box, for customer service contact information.

    (7) Mail-in opt-out form, as needed.

    (b) Page Two. The second page consists of the following

    components:

    (1) Heading (Page 2).

    (2) Frequently Asked Questions (``Who we are'' and ``What we

    do'').

    (3) Definitions.

    (4) ``Other important information'' box, as needed.

    3. The Format of the Model Privacy Form

    The format of the model form may be modified only as described

    below.

    (a) Easily readable type font. Financial institutions that use

    the model form must use an easily readable type font. While a number

    of factors together produce easily readable type font, institutions

    are required to use a minimum of 10-point font (unless otherwise

    expressly permitted in these Instructions) and sufficient spacing

    between the lines of type.

    (b) Logo. A financial institution may include a corporate logo

    on any page of the notice, so long as it does not interfere with the

    readability of the model form or the space constraints of each page.

    (c) Page size and orientation. Each page of the model form must

    be printed on paper in portrait orientation, the size of which must

    be sufficient to meet the layout and minimum font size requirements,

    with sufficient white space on the top, bottom, and sides of the

    content.

    (d) Color. The model form must be printed on white or light

    color paper (such as cream) with black or other contrasting ink

    color. Spot color may be used to achieve visual interest, so long as

    the color contrast is distinctive and the color does not detract

    from the readability of the model form. Logos may also be printed in

    color.

    (e) Languages. The model form may be translated into languages

    other than English.

    C. Information Required in the Model Privacy Form

    The information in the model form may be modified only as

    described below:

    1. Name of the Institution or Group of Affiliated Institutions

    Providing the Notice

    Insert the name of the financial institution providing the

    notice or a common identity of affiliated institutions jointly

    providing the notice on the form wherever [name of financial

    institution] appears.

    2. Page One

    (a) Last revised date. The financial institution must insert in

    the upper right-hand corner the date on which the notice was last

    revised. The information shall appear in minimum 8-point font as

    ``rev. [month/year]'' using either the name or number of the month,

    such as ``rev. July 2009'' or ``rev. 7/09''.

    (b) General instructions for the ``What?'' box.

    (1) The bulleted list identifies the types of personal

    information that the institution collects and shares. All

    institutions must use the term ``Social Security number'' in the

    first bullet.

    (2) Institutions must use five (5) of the following terms to

    complete the bulleted list: income; account balances; payment

    history; transaction history; transaction or loss history; credit

    history; credit scores; assets; investment experience; credit-based

    insurance scores; insurance claim history; medical information;

    overdraft history; purchase history; account transactions; risk

    tolerance; medical-related debts; credit card or other debt;

    mortgage rates and payments; retirement assets; checking account

    information; employment information; wire transfer instructions.

    (c) General instructions for the disclosure table. The left

    column lists reasons for

    sharing or using personal information. Each reason correlates to a

    specific legal provision described in paragraph C.2(d) of this

    Instruction. In the middle column, each institution must provide a

    ``Yes'' or ``No'' response that accurately reflects its information

    sharing policies and practices with respect to the reason listed on

    the left. In the right column, each institution must provide in each

    box one of the following three (3) responses, as applicable, that

    reflects whether a consumer can limit such sharing: ``Yes'' if it is

    required to or voluntarily provides an opt-out; ``No'' if it does

    not provide an opt-out; or ``We don't share'' if it answers ``No''

    in the middle column. Only the sixth row (``For our affiliates to

    market to you'') may be omitted at the option of the institution.

    See paragraph C.2(d)(6) of this Instruction.

    (d) Specific disclosures and corresponding legal provisions.

    (1) For our everyday business purposes. This reason incorporates

    sharing information under Sec. Sec. 332.14 and 332.15 and with

    service providers pursuant to Sec. 332.13 of this part other than

    the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these

    Instructions.

    (2) For our marketing purposes. This reason incorporates sharing

    information with service providers by an institution for its own

    marketing pursuant to Sec. 332.13 of this part. An institution that

    shares for this reason may choose to provide an opt-out.

    (3) For joint marketing with other financial companies. This

    reason incorporates sharing information under joint marketing

    agreements between two or more financial institutions and with any

    service provider used in connection with such agreements pursuant to

    Sec. 332.13 of this part. An institution that shares for this

    reason may choose to provide an opt-out.

    (4) For our affiliates' everyday business purposes--information

    about transactions and experiences. This reason incorporates sharing

    information specified in sections 603(d)(2)(A)(i) and (ii) of the

    FCRA. An institution that shares for this reason may choose to

    provide an opt-out.

    (5) For our affiliates' everyday business purposes--information

    about creditworthiness. This reason incorporates sharing information

    pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution

    that shares for this reason must provide an opt-out.

    (6) For our affiliates to market to you. This reason

    incorporates sharing information specified in section 624 of the

    FCRA. This reason may be omitted from the disclosure table when: The

    institution does not have affiliates (or does not disclose personal

    information to its affiliates); the institution's affiliates do not

    use personal information in a manner that requires an opt-out; or

    the institution provides the affiliate marketing notice separately.

    Institutions that include this reason must provide an opt-out of

    indefinite duration. An institution that is required to provide an

    affiliate marketing opt-out, but does not include that opt-out in

    the model form under this part, must comply with section 624 of the

    FCRA and 12 CFR part 334, subpart C, with respect to the initial

    notice and opt-out and any subsequent renewal notice and opt-out. An

    institution not required to provide an opt-out under this

    subparagraph may elect to include this reason in the model form.

    (7) For nonaffiliates to market to you. This reason incorporates

    sharing described in Sec. Sec. 332.7 and 332.10(a) of this part. An

    institution that shares personal information for this reason must

    provide an opt-out.

    (e) To limit our sharing: A financial institution must include

    this section of the model form only if it provides an opt-out. The

    word ``choice'' may be written in either the singular or plural, as

    appropriate. Institutions must select one or more of the applicable

    opt-out methods described: Telephone, such as by a toll-free number;

    a Web site; or use of a mail-in opt-out form. Institutions may

    include the words ``toll-free'' before telephone, as appropriate. An

    institution that allows consumers to opt out online must provide

    either a specific Web address that takes consumers directly to the

    opt-out page or a general Web address that provides a clear and

    conspicuous direct link to the opt-out page. The opt-out choices

    made available to the consumer who contacts the institution through

    these methods must correspond accurately to the ``Yes'' responses in

    the third column of the disclosure table. In the part titled

    ``Please note'' institutions may insert a number that is 30 or

    greater in the space marked ``[30].'' Instructions on voluntary or

    state privacy law opt-out information are in paragraph C.2(g)(5) of

    these Instructions.

    (f) Questions box. Customer service contact information must be

    inserted as appropriate, where [phone number] or [Web site] appear.

    Institutions may elect to provide either a phone number, such as a

    toll-free number, or a Web address, or both. Institutions may

    include the words ``toll-free'' before the telephone number, as

    appropriate.

    (g) Mail-in opt-out form. Financial institutions must include

    this mail-in form only if they state in the ``To limit our sharing''

    box that consumers can opt out by mail. The mail-in form must

    provide opt-out options that correspond accurately to the ``Yes''

    responses in the third column in the disclosure table. Institutions

    that require customers to provide only name and address may omit the

    section identified as ``[account ].'' Institutions that

    require additional or different information, such as a random opt-

    out number or a truncated account number, to implement an opt-out

    election should modify the ``[account ]'' reference

    accordingly. This includes institutions that require customers with

    multiple accounts to identify each account to which the opt-out

    should apply. An institution must enter its opt-out mailing address:

    In the far right of this form (see version 3); or below the form

    (see version 4). The reverse side of the mail-in opt-out form must

    not include any content of the model form.

    (1) Joint accountholder. Only institutions that provide their

    joint accountholders the choice to opt out for only one

    accountholder, in accordance with paragraph C.3(a)(5) of these

    Instructions, must include in the far left column of the mail-in

    form the following statement: ``If you have a joint account, your

    choice(s) will apply to everyone on your account unless you mark

    below. [square] Apply my choice(s) only to me.'' The word ``choice''

    may be written in either the singular or plural, as appropriate.

    Financial institutions that provide insurance products or services,

    provide this option, and elect to use the model form may substitute

    the word ``policy'' for ``account'' in this statement. Institutions

    that do not provide this option may eliminate this left column from

    the mail-in form.

    (2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution

    shares personal information pursuant to section 603(d)(2)(A)(iii) of

    the FCRA, it must include in the mail-in opt-out form the following

    statement: ``[square] Do not share information about my

    creditworthiness with your affiliates for their everyday business

    purposes.''

    (3) FCRA Section 624 opt-out. If the institution incorporates

    section 624 of the FCRA in accord with paragraph C.2(d)(6) of these

    Instructions, it must include in the mail-in opt-out form the

    following statement: ``[square] Do not allow your affiliates to use

    my personal information to market to me.''

    (4) Nonaffiliate opt-out. If the financial institution shares

    personal information pursuant to Sec. 332.10(a) of this part, it

    must include in the mail-in opt-out form the following statement:

    ``[square] Do not share my personal information with nonaffiliates

    to market their products and services to me.''

    (5) Additional opt-outs. Financial institutions that use the

    disclosure table to provide opt-out options beyond those required by

    Federal law must provide those opt-outs in this section of the model

    form. A financial institution that chooses to offer an opt-out for

    its own marketing in the mail-in opt-out form must include one of

    the two following statements: ``[square] Do not share my personal

    information to market to me.'' or ``[square] Do not use my personal

    information to market to me.'' A financial institution that chooses

    to offer an opt-out for joint marketing must include the following

    statement: ``[square] Do not share my personal information with

    other financial institutions to jointly market to me.''

    (h) Barcodes. A financial institution may elect to include a

    barcode and/or ``tagline'' (an internal identifier) in 6-point font

    at the bottom of page one, as needed for information internal to the

    institution, so long as these do not interfere with the clarity or

    text of the form.

    3. Page Two

    (a) General Instructions for the Questions. Certain of the

    Questions may be customized as follows:

    (1) ``Who is providing this notice?'' This question may be

    omitted where only one financial institution provides the model form

    and that institution is clearly identified in the title on page one.

    Two or more financial institutions that jointly provide the model

    form must use this question to identify themselves as required by

    Sec. 332.9(f) of this part. Where the list of institutions exceeds

    four (4) lines, the institution must describe in the response to

    this question the general types of institutions jointly providing

    the notice and must separately identify those institutions, in

    minimum 8-point font, directly following the ``Other important

    [[Page 62945]]

    information'' box, or, if that box is not included in the

    institution's form, directly following the ``Definitions.'' The list

    may appear in a multi-column format.

    (2) ``How does [name of financial institution] protect my

    personal information?'' The financial institution may only provide

    additional information pertaining to its safeguards practices

    following the designated response to this question. Such information

    may include information about the institution's use of cookies or

    other measures it uses to safeguard personal information.

    Institutions are limited to a maximum of 30 additional words.

    (3) ``How does [name of financial institution] collect my

    personal information?'' Institutions must use five (5) of the

    following terms to complete the bulleted list for this question:

    Open an account; deposit money; pay your bills; apply for a loan;

    use your credit or debit card; seek financial or tax advice; apply

    for insurance; pay insurance premiums; file an insurance claim; seek

    advice about your investments; buy securities from us; sell

    securities to us; direct us to buy securities; direct us to sell

    your securities; make deposits or withdrawals from your account;

    enter into an investment advisory contract; give us your income

    information; provide employment information; give us your employment

    history; tell us about your investment or retirement portfolio; tell

    us about your investment or retirement earnings; apply for

    financing; apply for a lease; provide account information; give us

    your contact information; pay us by check; give us your wage

    statements; provide your mortgage information; make a wire transfer;

    tell us who receives the money; tell us where to send the money;

    show your government-issued ID; show your driver's license; order a

    commodity futures or option trade. Institutions that collect

    personal information from their affiliates and/or credit bureaus

    must include after the bulleted list the following statement: ``We

    also collect your personal information from others, such as credit

    bureaus, affiliates, or other companies.'' Institutions that do not

    collect personal information from their affiliates or credit bureaus

    but do collect information from other companies must include the

    following statement instead: ``We also collect your personal

    information from other companies.'' Only institutions that do not

    collect any personal information from affiliates, credit bureaus, or

    other companies can omit both statements.

    (4) ``Why can't I limit all sharing?'' Institutions that

    describe state privacy law provisions in the ``Other important

    information'' box must use the bracketed sentence: ``See below for

    more on your rights under state law.'' Other institutions must omit

    this sentence.

    (5) ``What happens when I limit sharing for an account I hold

    jointly with someone else?'' Only financial institutions that

    provide opt-out options must use this question. Other institutions

    must omit this question. Institutions must choose one of the

    following two statements to respond to this question: ``Your choices

    will apply to everyone on your account.'' or ``Your choices will

    apply to everyone on your account--unless you tell us otherwise.''

    Financial institutions that provide insurance products or services

    and elect to use the model form may substitute the word ``policy''

    for ``account'' in these statements.

    (b) General Instructions for the Definitions.

    The financial institution must customize the space below the

    responses to the three definitions in this section. This specific

    information must be in italicized lettering to set off the

    information from the standardized definitions.

    (1) Affiliates. As required by Sec. 332.6(a)(3) of this part,

    where [affiliate information] appears, the financial institution

    must:

    (i) If it has no affiliates, state: ``[name of financial

    institution] has no affiliates'';

    (ii) If it has affiliates but does not share personal

    information, state: ``[name of financial institution] does not share

    with our affiliates''; or

    (iii) If it shares with its affiliates, state, as applicable:

    ``Our affiliates include companies with a [common corporate identity

    of financial institution] name; financial companies such as [insert

    illustrative list of companies]; nonfinancial companies, such as

    [insert illustrative list of companies]; and others, such as [insert

    illustrative list].''

    (2) Nonaffiliates. As required by Sec. 332.6(c)(3) of this

    part, where [nonaffiliate information] appears, the financial

    institution must:

    (i) If it does not share with nonaffiliated third parties,

    state: ``[name of financial institution] does not share with

    nonaffiliates so they can market to you''; or

    (ii) If it shares with nonaffiliated third parties, state, as

    applicable: ``Nonaffiliates we share with can include [list

    categories of companies such as mortgage companies, insurance

    companies, direct marketing companies, and nonprofit

    organizations].''

    (3) Joint Marketing. As required by Sec. 332.13 of this part,

    where [joint marketing] appears, the financial institution must:

    (i) If it does not engage in joint marketing, state: ``[name of

    financial institution] doesn't jointly market''; or

    (ii) If it shares personal information for joint marketing,

    state, as applicable: ``Our joint marketing partners include [list

    categories of companies such as credit card companies].''

    (c) General instructions for the ``Other important information''

    box. This box is optional. The space provided for information in

    this box is not limited. Only the following types of information can

    appear in this box.

    (1) State and/or international privacy law information; and/or

    (2) Acknowledgment of receipt form.

    21. Amend newly redesignated Appendix B to part 332 as follows:

    A. Add a new sentence to the beginning of the introductory text as set

    forth below.

    B. Effective January 1, 2012, remove Appendix B to part 332.

    Appendix B to Part 332--Sample Clauses

    This Appendix only applies to privacy notices provided before

    January 1, 2011.

    * * * * *

    DEPARTMENT OF THE TREASURY

    Office of Thrift Supervision

    12 CFR Chapter V

    Authority and Issuance

    For the reasons set forth in the joint preamble, part 573 of chapter V

    of title 12 of the Code of Federal Regulations is amended as follows:

    PART 573--PRIVACY OF CONSUMER FINANCIAL INFORMATION

    22. The authority citation for part 573 continues to read as follows:

    Authority: 12 U.S.C. 1462a, 1463, 1464, 1828; 15 U.S.C. 6801 et

    seq.

    23. Revise Sec. 573.2 to read as follows:

    Sec. 573.2 Model privacy form and examples.

    (a) Model privacy form. Use of the model privacy form in Appendix A

    of this part, consistent with the instructions in Appendix A,

    constitutes compliance with the notice content requirements of

    Sec. Sec. 573.6 and 573.7 of this part, although use of the model

    privacy form is not required.

    (b) Examples. The examples in this part are not exclusive.

    Compliance with an example, to the extent applicable, constitutes

    compliance with this part.

    24. In Sec. 573.6:

    A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set

    forth below.

    B. Effective January 1, 2012, remove paragraph (g).

    Sec. 573.6 Information to be included in privacy notices.

    * * * * *

    (b) Description of nonaffiliated third parties subject to

    exceptions. If you disclose nonpublic personal information to third

    parties as authorized under Sec. Sec. 573.14 and 573.15, you are not

    required to list those exceptions in the initial or annual privacy

    notices required by Sec. Sec. 573.4 and 573.5. When describing the

    categories with respect to those parties, it is sufficient to state

    that you make disclosures to other nonaffiliated companies:

    (1) For your everyday business purposes, such as [include all that

    apply] to process transactions, maintain account(s), respond to court

    orders and legal investigations, or report to credit bureaus; or

    (2) As permitted by law.

    * * * * *

    [[Page 62946]]

    (f) Model privacy form. Pursuant to Sec. 573.2(a) of this part, a

    model privacy form that meets the notice content requirements of this

    section is included in Appendix A of this part.

    (g) Sample clauses. Sample clauses illustrating some of the notice

    content required by this section are included in Appendix B of this

    part. Use of a sample clause in a privacy notice provided on or before

    December 31, 2010, to the extent applicable, constitutes compliance

    with this part.

    25. In Sec. 573.7, add paragraph (i) to read as follows:

    Sec. 573.7 Form of opt-out notice to consumers; opt-out methods.

    * * * * *

    (i) Model privacy form. Pursuant to Sec. 573.2(a) of this part, a

    model privacy form that meets the notice content requirements of this

    section is included in Appendix A of this part.

    Appendix A [Redesignated as Appendix B]

    26. Redesignate Appendix A to part 573 as Appendix B to part 573.

    27. Add new Appendix A to part 573 to read as follows:

    Appendix A to Part 573--Model Privacy Form

    A. The Model Privacy Form

    [[Page 62947]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.021

    [[Page 62948]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.022

    [[Page 62949]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.023

    [[Page 62950]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.024

    [[Page 62951]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.025

    [[Page 62952]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.026

    [[Page 62953]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.027

    B. General Instructions

    1. How the Model Privacy Form Is Used

    (a) The model form may be used, at the option of a financial

    institution, including a group of financial institutions that use a

    common privacy notice, to meet the content requirements of the

    privacy notice and opt-out notice set forth in Sec. Sec. 573.6 and

    573.7 of this part.

    (b) The model form is a standardized form, including page

    layout, content, format, style, pagination, and shading.

    Institutions seeking to obtain the safe harbor through use of the

    model form may modify it only as described in these Instructions.

    (c) Note that disclosure of certain information, such as assets,

    income, and information from a consumer reporting agency, may give

    rise to obligations under the Fair Credit Reporting Act [15 U.S.C.

    1681-1681x] (FCRA), such as a requirement to permit a consumer to

    opt out of disclosures to affiliates or designation as a consumer

    reporting agency if disclosures are made to nonaffiliated third

    parties.

    (d) The word ``customer'' may be replaced by the word ``member''

    whenever it appears in the model form, as appropriate.

    2. The Contents of the Model Privacy Form

    The model form consists of two pages, which may be printed on

    both sides of a single sheet of paper, or may appear on two separate

    pages. Where an institution provides a long list of institutions at

    the end of the model form in accordance with Instruction C.3(a)(1),

    or provides additional information in accordance with Instruction

    C.3(c), and such list or additional information exceeds the space

    available on page two of the model form, such list or additional

    information may extend to a third page.

    (a) Page One. The first page consists of the following

    components:

    (1) Date last revised (upper right-hand corner).

    (2) Title.

    (3) Key frame (Why?, What?, How?).

    (4) Disclosure table (``Reasons we can share your personal

    information'').

    (5) ``To limit our sharing'' box, as needed, for the financial

    institution's opt-out information.

    (6) ``Questions'' box, for customer service contact information.

    (7) Mail-in opt-out form, as needed.

    (b) Page Two. The second page consists of the following

    components:

    (1) Heading (Page 2).

    (2) Frequently Asked Questions (``Who we are'' and ``What we

    do'').

    (3) Definitions.

    (4) ``Other important information'' box, as needed.

    3. The Format of the Model Privacy Form

    The format of the model form may be modified only as described

    below.

    (a) Easily readable type font. Financial institutions that use

    the model form must use an easily readable type font. While a number

    of factors together produce easily readable type font, institutions

    are required to use a minimum of 10-point font (unless otherwise

    expressly permitted in these Instructions) and sufficient spacing

    between the lines of type.

    (b) Logo. A financial institution may include a corporate logo

    on any page of the notice, so long as it does not interfere with the

    readability of the model form or the space constraints of each page.

    (c) Page size and orientation. Each page of the model form must

    be printed on paper in portrait orientation, the size of which must

    be sufficient to meet the layout and minimum font size requirements,

    with sufficient white space on the top, bottom, and sides of the

    content.

    (d) Color. The model form must be printed on white or light

    color paper (such as cream) with black or other contrasting ink

    color. Spot color may be used to achieve visual interest, so long as

    the color contrast is distinctive and the color does not detract

    from the readability of the model form. Logos may also be printed in

    color.

    (e) Languages. The model form may be translated into languages

    other than English.

    C. Information Required in the Model Privacy Form

    The information in the model form may be modified only as

    described below:

    1. Name of the Institution or Group of Affiliated Institutions

    Providing the Notice

    Insert the name of the financial institution providing the

    notice or a common identity of affiliated institutions jointly

    providing the notice on the form wherever [name of financial

    institution] appears.

    2. Page One

    (a) Last revised date. The financial institution must insert in

    the upper right-hand corner the date on which the notice was last

    revised. The information shall appear in minimum 8-point font as

    ``rev. [month/year]'' using either the name or number of the month,

    such as ``rev. July 2009'' or ``rev. 7/09''.

    (b) General instructions for the ``What?'' box.

    (1) The bulleted list identifies the types of personal

    information that the institution collects and shares. All

    institutions must use the term ``Social Security number'' in the

    first bullet.

    (2) Institutions must use five (5) of the following terms to

    complete the bulleted list: Income; account balances; payment

    history; transaction history; transaction or loss history; credit

    history; credit scores; assets; investment experience; credit-based

    insurance scores; insurance claim history; medical information;

    overdraft history; purchase history; account transactions; risk

    tolerance; medical-related debts; credit card or other debt;

    mortgage rates and payments; retirement assets; checking account

    information; employment information; wire transfer instructions.

    (c) General instructions for the disclosure table. The left

    column lists reasons for

    [[Page 62954]]

    sharing or using personal information. Each reason correlates to a

    specific legal provision described in paragraph C.2(d) of this

    Instruction. In the middle column, each institution must provide a

    ``Yes'' or ``No'' response that accurately reflects its information

    sharing policies and practices with respect to the reason listed on

    the left. In the right column, each institution must provide in each

    box one of the following three (3) responses, as applicable, that

    reflects whether a consumer can limit such sharing: ``Yes'' if it is

    required to or voluntarily provides an opt-out; ``No'' if it does

    not provide an opt-out; or ``We don't share'' if it answers ``No''

    in the middle column. Only the sixth row (``For our affiliates to

    market to you'') may be omitted at the option of the institution.

    See paragraph C.2(d)(6) of this Instruction.

    (d) Specific disclosures and corresponding legal provisions.

    (1) For our everyday business purposes. This reason incorporates

    sharing information under Sec. Sec. 573.14 and 573.15 and with

    service providers pursuant to Sec. 573.13 of this part other than

    the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these

    Instructions.

    (2) For our marketing purposes. This reason incorporates sharing

    information with service providers by an institution for its own

    marketing pursuant to Sec. 573.13 of this part. An institution that

    shares for this reason may choose to provide an opt-out.

    (3) For joint marketing with other financial companies. This

    reason incorporates sharing information under joint marketing

    agreements between two or more financial institutions and with any

    service provider used in connection with such agreements pursuant to

    Sec. 573.13 of this part. An institution that shares for this

    reason may choose to provide an opt-out.

    (4) For our affiliates' everyday business purposes--information

    about transactions and experiences. This reason incorporates sharing

    information specified in sections 603(d)(2)(A)(i) and (ii) of the

    FCRA. An institution that shares for this reason may choose to

    provide an opt-out.

    (5) For our affiliates' everyday business purposes--information

    about creditworthiness. This reason incorporates sharing information

    pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution

    that shares for this reason must provide an opt-out.

    (6) For our affiliates to market to you. This reason

    incorporates sharing information specified in section 624 of the

    FCRA. This reason may be omitted from the disclosure table when: The

    institution does not have affiliates (or does not disclose personal

    information to its affiliates); the institution's affiliates do not

    use personal information in a manner that requires an opt-out; or

    the institution provides the affiliate marketing notice separately.

    Institutions that include this reason must provide an opt-out of

    indefinite duration. An institution that is required to provide an

    affiliate marketing opt-out, but does not include that opt-out in

    the model form under this part, must comply with section 624 of the

    FCRA and 12 CFR part 571, subpart C, with respect to the initial

    notice and opt-out and any subsequent renewal notice and opt-out. An

    institution not required to provide an opt-out under this

    subparagraph may elect to include this reason in the model form.

    (7) For nonaffiliates to market to you. This reason incorporates

    sharing described in Sec. Sec. 573.7 and 573.10(a) of this part. An

    institution that shares personal information for this reason must

    provide an opt-out.

    (e) To limit our sharing: A financial institution must include

    this section of the model form only if it provides an opt-out. The

    word ``choice'' may be written in either the singular or plural, as

    appropriate. Institutions must select one or more of the applicable

    opt-out methods described: Telephone, such as by a toll-free number;

    a Web site; or use of a mail-in opt-out form. Institutions may

    include the words ``toll-free'' before telephone, as appropriate. An

    institution that allows consumers to opt out online must provide

    either a specific Web address that takes consumers directly to the

    opt-out page or a general Web address that provides a clear and

    conspicuous direct link to the opt-out page. The opt-out choices

    made available to the consumer who contacts the institution through

    these methods must correspond accurately to the ``Yes'' responses in

    the third column of the disclosure table. In the part titled

    ``Please note,'' institutions may insert a number that is 30 or

    greater in the space marked ``[30].'' Instructions on voluntary or

    state privacy law opt-out information are in paragraph C.2(g)(5) of

    these Instructions.

    (f) Questions box. Customer service contact information must be

    inserted as appropriate, where [phone number] or [Web site] appear.

    Institutions may elect to provide either a phone number, such as a

    toll-free number, or a Web address, or both. Institutions may

    include the words ``toll-free'' before the telephone number, as

    appropriate.

    (g) Mail-in opt-out form. Financial institutions must include

    this mail-in form only if they state in the ``To limit our sharing''

    box that consumers can opt out by mail. The mail-in form must

    provide opt-out options that correspond accurately to the ``Yes''

    responses in the third column in the disclosure table. Institutions

    that require customers to provide only name and address may omit the

    section identified as ``[account ].'' Institutions that

    require additional or different information, such as a random opt-

    out number or a truncated account number, to implement an opt-out

    election should modify the ``[account ]'' reference

    accordingly. This includes institutions that require customers with

    multiple accounts to identify each account to which the opt-out

    should apply. An institution must enter its opt-out mailing address:

    in the far right of this form (see version 3); or below the form

    (see version 4). The reverse side of the mail-in opt-out form must

    not include any content of the model form.

    (1) Joint accountholder. Only institutions that provide their

    joint accountholders the choice to opt out for only one

    accountholder, in accordance with paragraph C.3(a)(5) of these

    Instructions, must include in the far left column of the mail-in

    form the following statement: ``If you have a joint account, your

    choice(s) will apply to everyone on your account unless you mark

    below. [square] Apply my choice(s) only to me.'' The word ``choice''

    may be written in either the singular or plural, as appropriate.

    Financial institutions that provide insurance products or services,

    provide this option, and elect to use the model form may substitute

    the word ``policy'' for ``account'' in this statement. Institutions

    that do not provide this option may eliminate this left column from

    the mail-in form.

    (2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution

    shares personal information pursuant to section 603(d)(2)(A)(iii) of

    the FCRA, it must include in the mail-in opt-out form the following

    statement: ``[square] Do not share information about my

    creditworthiness with your affiliates for their everyday business

    purposes.''

    (3) FCRA Section 624 opt-out. If the institution incorporates

    section 624 of the FCRA in accord with paragraph C.2(d)(6) of these

    Instructions, it must include in the mail-in opt-out form the

    following statement: ``[square] Do not allow your affiliates to use

    my personal information to market to me.''

    (4) Nonaffiliate opt-out. If the financial institution shares

    personal information pursuant to Sec. 573.10(a) of this part, it

    must include in the mail-in opt-out form the following statement:

    ``[square] Do not share my personal information with nonaffiliates

    to market their products and services to me.''

    (5) Additional opt-outs. Financial institutions that use the

    disclosure table to provide opt-out options beyond those required by

    Federal law must provide those opt-outs in this section of the model

    form. A financial institution that chooses to offer an opt-out for

    its own marketing in the mail-in opt-out form must include one of

    the two following statements: ``[square] Do not share my personal

    information to market to me.'' or ``[square] Do not use my personal

    information to market to me.'' A financial institution that chooses

    to offer an opt-out for joint marketing must include the following

    statement: ``[square] Do not share my personal information with

    other financial institutions to jointly market to me.''

    (h) Barcodes. A financial institution may elect to include a

    barcode and/or ``tagline'' (an internal identifier) in 6-point font

    at the bottom of page one, as needed for information internal to the

    institution, so long as these do not interfere with the clarity or

    text of the form.

    3. Page Two

    (a) General Instructions for the Questions. Certain of the

    Questions may be customized as follows:

    (1) ``Who is providing this notice?'' This question may be

    omitted where only one financial institution provides the model form

    and that institution is clearly identified in the title on page one.

    Two or more financial institutions that jointly provide the model

    form must use this question to identify themselves as required by

    Sec. 573.9(f) of this part. Where the list of institutions exceeds

    four (4) lines, the institution must describe in the response to

    this question the general types of institutions jointly providing

    the notice and must separately identify those institutions, in

    minimum 8-point font, directly following the ``Other important

    [[Page 62955]]

    information'' box, or, if that box is not included in the

    institution's form, directly following the ``Definitions.'' The list

    may appear in a multi-column format.

    (2) ``How does [name of financial institution] protect my

    personal information?'' The financial institution may only provide

    additional information pertaining to its safeguards practices

    following the designated response to this question. Such information

    may include information about the institution's use of cookies or

    other measures it uses to safeguard personal information.

    Institutions are limited to a maximum of 30 additional words.

    (3) ``How does [name of financial institution] collect my

    personal information?'' Institutions must use five (5) of the

    following terms to complete the bulleted list for this question:

    Open an account; deposit money; pay your bills; apply for a loan;

    use your credit or debit card; seek financial or tax advice; apply

    for insurance; pay insurance premiums; file an insurance claim; seek

    advice about your investments; buy securities from us; sell

    securities to us; direct us to buy securities; direct us to sell

    your securities; make deposits or withdrawals from your account;

    enter into an investment advisory contract; give us your income

    information; provide employment information; give us your employment

    history; tell us about your investment or retirement portfolio; tell

    us about your investment or retirement earnings; apply for

    financing; apply for a lease; provide account information; give us

    your contact information; pay us by check; give us your wage

    statements; provide your mortgage information; make a wire transfer;

    tell us who receives the money; tell us where to send the money;

    show your government-issued ID; show your driver's license; order a

    commodity futures or option trade. Institutions that collect

    personal information from their affiliates and/or credit bureaus

    must include after the bulleted list the following statement: ``We

    also collect your personal information from others, such as credit

    bureaus, affiliates, or other companies.'' Institutions that do not

    collect personal information from their affiliates or credit bureaus

    but do collect information from other companies must include the

    following statement instead: ``We also collect your personal

    information from other companies.'' Only institutions that do not

    collect any personal information from affiliates, credit bureaus, or

    other companies can omit both statements.

    (4) ``Why can't I limit all sharing?'' Institutions that

    describe state privacy law provisions in the ``Other important

    information'' box must use the bracketed sentence: ``See below for

    more on your rights under state law.'' Other institutions must omit

    this sentence.

    (5) ``What happens when I limit sharing for an account I hold

    jointly with someone else?'' Only financial institutions that

    provide opt-out options must use this question. Other institutions

    must omit this question. Institutions must choose one of the

    following two statements to respond to this question: ``Your choices

    will apply to everyone on your account.'' or ``Your choices will

    apply to everyone on your account--unless you tell us otherwise.''

    Financial institutions that provide insurance products or services

    and elect to use the model form may substitute the word ``policy''

    for ``account'' in these statements.

    (b) General Instructions for the Definitions.

    The financial institution must customize the space below the

    responses to the three definitions in this section. This specific

    information must be in italicized lettering to set off the

    information from the standardized definitions.

    (1) Affiliates. As required by Sec. 573.6(a)(3) of this part,

    where [affiliate information] appears, the financial institution

    must:

    (i) If it has no affiliates, state: ``[name of financial

    institution] has no affiliates'';

    (ii) If it has affiliates but does not share personal

    information, state: ``[name of financial institution] does not share

    with our affiliates''; or

    (iii) If it shares with its affiliates, state, as applicable:

    ``Our affiliates include companies with a [common corporate identity

    of financial institution] name; financial companies such as [insert

    illustrative list of companies]; nonfinancial companies, such as

    [insert illustrative list of companies]; and others, such as [insert

    illustrative list].''

    (2) Nonaffiliates. As required by Sec. 573.6(c)(3) of this

    part, where [nonaffiliate information] appears, the financial

    institution must:

    (i) If it does not share with nonaffiliated third parties,

    state: ``[name of financial institution] does not share with

    nonaffiliates so they can market to you''; or

    (ii) If it shares with nonaffiliated third parties, state, as

    applicable: ``Nonaffiliates we share with can include [list

    categories of companies such as mortgage companies, insurance

    companies, direct marketing companies, and nonprofit

    organizations].''

    (3) Joint Marketing. As required by Sec. 573.13 of this part,

    where [joint marketing] appears, the financial institution must:

    (i) If it does not engage in joint marketing, state: ``[name of

    financial institution] doesn't jointly market''; or

    (ii) If it shares personal information for joint marketing,

    state, as applicable: ``Our joint marketing partners include [list

    categories of companies such as credit card companies].''

    (c) General instructions for the ``Other important information''

    box. This box is optional. The space provided for information in

    this box is not limited. Only the following types of information can

    appear in this box.

    (1) State and/or international privacy law information; and/or

    (2) Acknowledgment of receipt form.

    28. Amend newly redesignated Appendix B to part 573 as follows:

    A. Add a new sentence to the beginning of the introductory text as set

    forth below.

    B. Effective January 1, 2012, remove Appendix B to part 573.

    Appendix B to Part 573--Sample Clauses

    This Appendix only applies to privacy notices provided before

    January 1, 2011. * * *

    * * * * *

    National Credit Union Administration

    12 CFR Chapter V

    Authority and Issuance

    For the reasons set forth in the joint preamble, part 716 of chapter V

    of title 12 of the Code of Federal Regulations is amended as follows:

    PART 716--PRIVACY OF CONSUMER FINANCIAL INFORMATION

    29. The authority citation for part 716 continues to read as follows:

    Authority: 12 U.S.C. 1751 et seq.; 15 U.S.C. 6801 et seq.

    30. Revise Sec. 716.2 to read as follows:

    Sec. 716.2 Model privacy form and examples.

    (a) Model privacy form. Use of the model privacy form in Appendix A

    of this part, consistent with the instructions in Appendix A,

    constitutes compliance with the notice content requirements of

    Sec. Sec. 716.6 and 716.7 of this part, although use of the model

    privacy form is not required.

    (b) Examples. The examples in this part are not exclusive.

    Compliance with an example, to the extent applicable, constitutes

    compliance with this part.

    31. In Sec. 716.6:

    A. Revise the section heading and paragraph (b), and add paragraphs (f)

    and (g) to read as set forth below.

    B. Effective January 1, 2012, remove paragraph (g).

    Sec. 716.6 Information to be included in privacy notices.

    * * * * *

    (b) Description of nonaffiliated third parties subject to

    exceptions. If you disclose nonpublic personal information to third

    parties as authorized under Sec. Sec. 716.14 and 716.15, you are not

    required to list those exceptions in the initial or annual privacy

    notices required by Sec. Sec. 716.4 and 716.5. When describing the

    categories with respect to those parties, it is sufficient to state

    that you make disclosures to other nonaffiliated companies:

    (1) For your everyday business purposes, such as [include all that

    apply] to process transactions, maintain account(s), respond to court

    orders and legal investigations, or report to credit bureaus; or

    (2) As permitted by law.

    * * * * *

    [[Page 62956]]

    (f) Model privacy form. Pursuant to Sec. 716.2(a) of this part, a

    model privacy form that meets the notice content requirements of this

    section is included in Appendix A of this part.

    (g) Sample clauses. Sample clauses illustrating some of the notice

    content required by this section are included in Appendix B of this

    part. Use of a sample clause in a privacy notice provided on or before

    December 31, 2010, to the extent applicable, constitutes compliance

    with this part.

    32. In Sec. 716.7, add paragraph (i) to read as follows:

    Sec. 716.7 Form of opt-out notice to consumers; opt-out methods.

    * * * * *

    (i) Model privacy form. Pursuant to Sec. 716.2(a) of this part, a

    model privacy form that meets the notice content requirements of this

    section is included in Appendix A of this part.

    Appendix A [Redesignated as Appendix B]

    33. Redesignate Appendix A to part 716 as Appendix B to part 716.

    34. Add new Appendix A to part 716 to read as follows:

    Appendix A to Part 716--Model Privacy Form

    A. The Model Privacy Form

    [[Page 62957]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.028

    [[Page 62958]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.029

    [[Page 62959]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.030

    [[Page 62960]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.031

    [[Page 62961]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.032

    [[Page 62962]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.033

    [[Page 62963]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.034

    B. General Instructions

    1. How the Model Privacy Form Is Used

    (a) The model form may be used, at the option of a financial

    institution, including a group of financial institutions that use a

    common privacy notice, to meet the content requirements of the

    privacy notice and opt-out notice set forth in Sec. Sec. 716.6 and

    716.7 of this part.

    (b) The model form is a standardized form, including page

    layout, content, format, style, pagination, and shading.

    Institutions seeking to obtain the safe harbor through use of the

    model form may modify it only as described in these Instructions.

    (c) Note that disclosure of certain information, such as assets,

    income, and information from a consumer reporting agency, may give

    rise to obligations under the Fair Credit Reporting Act [15 U.S.C.

    1681--1681x] (FCRA), such as a requirement to permit a consumer to

    opt out of disclosures to affiliates or designation as a consumer

    reporting agency if disclosures are made to nonaffiliated third

    parties.

    (d) The word ``customer'' may be replaced by the word ``member''

    whenever it appears in the model form, as appropriate.

    2. The Contents of the Model Privacy Form

    The model form consists of two pages, which may be printed on

    both sides of a single sheet of paper, or may appear on two separate

    pages. Where an institution provides a long list of institutions at

    the end of the model form in accordance with Instruction C.3(a)(1),

    or provides additional information in accordance with Instruction

    C.3(c), and such list or additional information exceeds the space

    available on page two of the model form, such list or additional

    information may extend to a third page.

    (a) Page One. The first page consists of the following

    components:

    (1) Date last revised (upper right-hand corner).

    (2) Title.

    (3) Key frame (Why?, What?, How?).

    (4) Disclosure table (``Reasons we can share your personal

    information'').

    (5) ``To limit our sharing'' box, as needed, for the financial

    institution's opt-out information.

    (6) ``Questions'' box, for customer service contact information.

    (7) Mail-in opt-out form, as needed.

    (b) Page Two. The second page consists of the following

    components:

    (1) Heading (Page 2).

    (2) Frequently Asked Questions (``Who we are'' and ``What we

    do'').

    (3) Definitions.

    (4) ``Other important information'' box, as needed.

    3. The Format of the Model Privacy Form

    The format of the model form may be modified only as described

    below.

    (a) Easily readable type font. Financial institutions that use

    the model form must use an easily readable type font. While a number

    of factors together produce easily readable type font, institutions

    are required to use a minimum of 10-point font (unless otherwise

    expressly permitted in these Instructions) and sufficient spacing

    between the lines of type.

    (b) Logo. A financial institution may include a corporate logo

    on any page of the notice, so long as it does not interfere with the

    readability of the model form or the space constraints of each page.

    (c) Page size and orientation. Each page of the model form must

    be printed on paper in portrait orientation, the size of which must

    be sufficient to meet the layout and minimum font size requirements,

    with sufficient white space on the top, bottom, and sides of the

    content.

    (d) Color. The model form must be printed on white or light

    color paper (such as cream) with black or other contrasting ink

    color. Spot color may be used to achieve visual interest, so long as

    the color contrast is distinctive and the color does not detract

    from the readability of the model form. Logos may also be printed in

    color.

    (e) Languages. The model form may be translated into languages

    other than English.

    C. Information Required in the Model Privacy Form

    The information in the model form may be modified only as

    described below:

    1. Name of the Institution or Group of Affiliated Institutions

    Providing the Notice

    Insert the name of the financial institution providing the

    notice or a common identity of affiliated institutions jointly

    providing the notice on the form wherever [name of financial

    institution] appears.

    2. Page One

    (a) Last revised date. The financial institution must insert in

    the upper right-hand corner the date on which the notice was last

    revised. The information shall appear in minimum 8-point font as

    ``rev. [month/year]'' using either the name or number of the month,

    such as ``rev. July 2009'' or ``rev. 7/09''.

    (b) General instructions for the ``What?'' box.

    (1) The bulleted list identifies the types of personal

    information that the institution collects and shares. All

    institutions must use the term ``Social Security number'' in the

    first bullet.

    (2) Institutions must use five (5) of the following terms to

    complete the bulleted list: income; account balances; payment

    history; transaction history; transaction or loss history; credit

    history; credit scores; assets; investment experience; credit-based

    insurance scores; insurance claim history; medical information;

    overdraft history; purchase history; account transactions; risk

    tolerance; medical-related debts; credit card or other debt;

    mortgage rates and payments; retirement assets; checking account

    information; employment information; wire transfer instructions.

    (c) General instructions for the disclosure table. The left

    column lists reasons for

    [[Page 62964]]

    sharing or using personal information. Each reason correlates to a

    specific legal provision described in paragraph C.2(d) of this

    Instruction. In the middle column, each institution must provide a

    ``Yes'' or ``No'' response that accurately reflects its information

    sharing policies and practices with respect to the reason listed on

    the left. In the right column, each institution must provide in each

    box one of the following three (3) responses, as applicable, that

    reflects whether a consumer can limit such sharing: ``Yes'' if it is

    required to or voluntarily provides an opt-out; ``No'' if it does

    not provide an opt-out; or ``We don't share'' if it answers ``No''

    in the middle column. Only the sixth row (``For our affiliates to

    market to you'') may be omitted at the option of the institution.

    See paragraph C.2(d)(6) of this Instruction.

    (d) Specific disclosures and corresponding legal provisions.

    (1) For our everyday business purposes. This reason incorporates

    sharing information under Sec. Sec. 716.14 and 716.15 and with

    service providers pursuant to Sec. 716.13 of this part other than

    the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these

    Instructions.

    (2) For our marketing purposes. This reason incorporates sharing

    information with service providers by an institution for its own

    marketing pursuant to Sec. 716.13 of this part. An institution that

    shares for this reason may choose to provide an opt-out.

    (3) For joint marketing with other financial companies. This

    reason incorporates sharing information under joint marketing

    agreements between two or more financial institutions and with any

    service provider used in connection with such agreements pursuant to

    Sec. 716.13 of this part. An institution that shares for this

    reason may choose to provide an opt-out.

    (4) For our affiliates' everyday business purposes--information

    about transactions and experiences. This reason incorporates sharing

    information specified in sections 603(d)(2)(A)(i) and (ii) of the

    FCRA. An institution that shares for this reason may choose to

    provide an opt-out.

    (5) For our affiliates' everyday business purposes--information

    about creditworthiness. This reason incorporates sharing information

    pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution

    that shares for this reason must provide an opt-out.

    (6) For our affiliates to market to you. This reason

    incorporates sharing information specified in section 624 of the

    FCRA. This reason may be omitted from the disclosure table when: the

    institution does not have affiliates (or does not disclose personal

    information to its affiliates); the institution's affiliates do not

    use personal information in a manner that requires an opt-out; or

    the institution provides the affiliate marketing notice separately.

    Institutions that include this reason must provide an opt-out of

    indefinite duration. An institution that is required to provide an

    affiliate marketing opt-out, but does not include that opt-out in

    the model form under this part, must comply with section 624 of the

    FCRA and 12 CFR part 717, subpart C, with respect to the initial

    notice and opt-out and any subsequent renewal notice and opt-out. An

    institution not required to provide an opt-out under this

    subparagraph may elect to include this reason in the model form.

    (7) For nonaffiliates to market to you. This reason incorporates

    sharing described in Sec. Sec. 716.7 and 716.10(a) of this part. An

    institution that shares personal information for this reason must

    provide an opt-out.

    (e) To limit our sharing: A financial institution must include

    this section of the model form only if it provides an opt-out. The

    word ``choice'' may be written in either the singular or plural, as

    appropriate. Institutions must select one or more of the applicable

    opt-out methods described: telephone, such as by a toll-free number;

    a Web site; or use of a mail-in opt-out form. Institutions may

    include the words ``toll-free'' before telephone, as appropriate. An

    institution that allows consumers to opt out online must provide

    either a specific Web address that takes consumers directly to the

    opt-out page or a general Web address that provides a clear and

    conspicuous direct link to the opt-out page. The opt-out choices

    made available to the consumer who contacts the institution through

    these methods must correspond accurately to the ``Yes'' responses in

    the third column of the disclosure table. In the part titled

    ``Please note'' institutions may insert a number that is 30 or

    greater in the space marked ``[30].'' Instructions on voluntary or

    state privacy law opt-out information are in paragraph C.2(g)(5) of

    these Instructions.

    (f) Questions box. Customer service contact information must be

    inserted as appropriate, where [phone number] or [Web site] appear.

    Institutions may elect to provide either a phone number, such as a

    toll-free number, or a Web address, or both. Institutions may

    include the words ``toll-free'' before the telephone number, as

    appropriate.

    (g) Mail-in opt-out form. Financial institutions must include

    this mail-in form only if they state in the ``To limit our sharing''

    box that consumers can opt out by mail. The mail-in form must

    provide opt-out options that correspond accurately to the ``Yes''

    responses in the third column in the disclosure table. Institutions

    that require customers to provide only name and address may omit the

    section identified as ``[account ].'' Institutions that

    require additional or different information, such as a random opt-

    out number or a truncated account number, to implement an opt-out

    election should modify the ``[account ]'' reference

    accordingly. This includes institutions that require customers with

    multiple accounts to identify each account to which the opt-out

    should apply. An institution must enter its opt-out mailing address:

    in the far right of this form (see version 3); or below the form

    (see version 4). The reverse side of the mail-in opt-out form must

    not include any content of the model form.

    (1) Joint accountholder. Only institutions that provide their

    joint accountholders the choice to opt out for only one

    accountholder, in accordance with paragraph C.3(a)(5) of these

    Instructions, must include in the far left column of the mail-in

    form the following statement: ``If you have a joint account, your

    choice(s) will apply to everyone on your account unless you mark

    below. [square] Apply my choice(s) only to me.'' The word ``choice''

    may be written in either the singular or plural, as appropriate.

    Financial institutions that provide insurance products or services,

    provide this option, and elect to use the model form may substitute

    the word ``policy'' for ``account'' in this statement. Institutions

    that do not provide this option may eliminate this left column from

    the mail-in form.

    (2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution

    shares personal information pursuant to section 603(d)(2)(A)(iii) of

    the FCRA, it must include in the mail-in opt-out form the following

    statement: ``[square] Do not share information about my

    creditworthiness with your affiliates for their everyday business

    purposes.''

    (3) FCRA Section 624 opt-out. If the institution incorporates

    section 624 of the FCRA in accord with paragraph C.2(d)(6) of these

    Instructions, it must include in the mail-in opt-out form the

    following statement: ``[square] Do not allow your affiliates to use

    my personal information to market to me.''

    (4) Nonaffiliate opt-out. If the financial institution shares

    personal information pursuant to Sec. 716.10(a) of this part, it

    must include in the mail-in opt-out form the following statement:

    ``[square] Do not share my personal information with nonaffiliates

    to market their products and services to me.''

    (5) Additional opt-outs. Financial institutions that use the

    disclosure table to provide opt-out options beyond those required by

    Federal law must provide those opt-outs in this section of the model

    form. A financial institution that chooses to offer an opt-out for

    its own marketing in the mail-in opt-out form must include one of

    the two following statements: ``[square] Do not share my personal

    information to market to me.'' or ``[square] Do not use my personal

    information to market to me.'' A financial institution that chooses

    to offer an opt-out for joint marketing must include the following

    statement: ``[square] Do not share my personal information with

    other financial institutions to jointly market to me.''

    (h) Barcodes. A financial institution may elect to include a

    barcode and/or ``tagline'' (an internal identifier) in 6-point font

    at the bottom of page one, as needed for information internal to the

    institution, so long as these do not interfere with the clarity or

    text of the form.

    3. Page Two

    (a) General Instructions for the Questions. Certain of the

    Questions may be customized as follows:

    (1) ``Who is providing this notice?'' This question may be

    omitted where only one financial institution provides the model form

    and that institution is clearly identified in the title on page one.

    Two or more financial institutions that jointly provide the model

    form must use this question to identify themselves as required by

    Sec. 716.9(f) of this part. Where the list of institutions exceeds

    four (4) lines, the institution must describe in the response to

    this question the general types of institutions jointly providing

    the notice and must separately identify those institutions, in

    minimum 8-point font, directly following the ``Other important

    [[Page 62965]]

    information'' box, or, if that box is not included in the

    institution's form, directly following the ``Definitions.'' The list

    may appear in a multi-column format.

    (2) ``How does [name of financial institution] protect my

    personal information?'' The financial institution may only provide

    additional information pertaining to its safeguards practices

    following the designated response to this question. Such information

    may include information about the institution's use of cookies or

    other measures it uses to safeguard personal information.

    Institutions are limited to a maximum of 30 additional words.

    (3) ``How does [name of financial institution] collect my

    personal information?'' Institutions must use five (5) of the

    following terms to complete the bulleted list for this question:

    open an account; deposit money; pay your bills; apply for a loan;

    use your credit or debit card; seek financial or tax advice; apply

    for insurance; pay insurance premiums; file an insurance claim; seek

    advice about your investments; buy securities from us; sell

    securities to us; direct us to buy securities; direct us to sell

    your securities; make deposits or withdrawals from your account;

    enter into an investment advisory contract; give us your income

    information; provide employment information; give us your employment

    history; tell us about your investment or retirement portfolio; tell

    us about your investment or retirement earnings; apply for

    financing; apply for a lease; provide account information; give us

    your contact information; pay us by check; give us your wage

    statements; provide your mortgage information; make a wire transfer;

    tell us who receives the money; tell us where to send the money;

    show your government-issued ID; show your driver's license; order a

    commodity futures or option trade. Institutions that collect

    personal information from their affiliates and/or credit bureaus

    must include after the bulleted list the following statement: ``We

    also collect your personal information from others, such as credit

    bureaus, affiliates, or other companies.'' Institutions that do not

    collect personal information from their affiliates or credit bureaus

    but do collect information from other companies must include the

    following statement instead: ``We also collect your personal

    information from other companies.'' Only institutions that do not

    collect any personal information from affiliates, credit bureaus, or

    other companies can omit both statements.

    (4) ``Why can't I limit all sharing?'' Institutions that

    describe state privacy law provisions in the ``Other important

    information'' box must use the bracketed sentence: ``See below for

    more on your rights under state law.'' Other institutions must omit

    this sentence.

    (5) ``What happens when I limit sharing for an account I hold

    jointly with someone else?'' Only financial institutions that

    provide opt-out options must use this question. Other institutions

    must omit this question. Institutions must choose one of the

    following two statements to respond to this question: ``Your choices

    will apply to everyone on your account.'' or ``Your choices will

    apply to everyone on your account--unless you tell us otherwise.''

    Financial institutions that provide insurance products or services

    and elect to use the model form may substitute the word ``policy''

    for ``account'' in these statements.

    (b) General Instructions for the Definitions.

    The financial institution must customize the space below the

    responses to the three definitions in this section. This specific

    information must be in italicized lettering to set off the

    information from the standardized definitions.

    (1) Affiliates. As required by Sec. 716.6(a)(3) of this part,

    where [affiliate information] appears, the financial institution

    must:

    (i) If it has no affiliates, state: ``[name of financial

    institution] has no affiliates'';

    (ii) If it has affiliates but does not share personal

    information, state: ``[name of financial institution] does not share

    with our affiliates''; or

    (iii) If it shares with its affiliates, state, as applicable:

    ``Our affiliates include companies with a [common corporate identity

    of financial institution] name; financial companies such as [insert

    illustrative list of companies]; nonfinancial companies, such as

    [insert illustrative list of companies]; and others, such as [insert

    illustrative list].''

    (2) Nonaffiliates. As required by Sec. 716.6(c)(3) of this

    part, where [nonaffiliate information] appears, the financial

    institution must:

    (i) If it does not share with nonaffiliated third parties,

    state: ``[name of financial institution] does not share with

    nonaffiliates so they can market to you''; or

    (ii) If it shares with nonaffiliated third parties, state, as

    applicable: ``Nonaffiliates we share with can include [list

    categories of companies such as mortgage companies, insurance

    companies, direct marketing companies, and nonprofit

    organizations].''

    (3) Joint Marketing. As required by Sec. 716.13 of this part,

    where [joint marketing] appears, the financial institution must:

    (i) If it does not engage in joint marketing, state: ``[name of

    financial institution] doesn't jointly market''; or

    (ii) If it shares personal information for joint marketing,

    state, as applicable: ``Our joint marketing partners include [list

    categories of companies such as credit card companies].''

    (c) General instructions for the ``Other important information''

    box. This box is optional. The space provided for information in

    this box is not limited. Only the following types of information can

    appear in this box.

    (1) State and/or international privacy law information; and/or

    (2) Acknowledgment of receipt form.

    35. Amend newly redesignated Appendix B to part 716 as follows:

    A. Add a new sentence to the beginning of the introductory text as set

    forth below.

    B. Effective January 1, 2012, remove Appendix B to part 716.

    Appendix B to Part 716--Sample Clauses

    This Appendix only applies to privacy notices provided before

    January 1, 2011. * * *

    * * * * *

    Federal Trade Commission

    16 CFR Chapter I

    For the reasons set forth in the joint preamble, the Federal Trade

    Commission amends part 313 of chapter I of title 16 of the Code of

    Federal Regulations as follows:

    PART 313--PRIVACY OF CONSUMER FINANCIAL INFORMATION

    36. The authority citation for part 313 continues to read as follows:

    Authority: 15 U.S.C. 6801 et seq.

    37. Revise Sec. 313.2 to read as follows:

    Sec. 313.2 Model privacy form and examples.

    (a) Model privacy form. Use of the model privacy form in Appendix A

    of this part, consistent with the instructions in Appendix A,

    constitutes compliance with the notice content requirements of

    Sec. Sec. 313.6 and 313.7 of this part, although use of the model

    privacy form is not required.

    (b) Examples. The examples in this part are not exclusive.

    Compliance with an example, to the extent applicable, constitutes

    compliance with this part.

    38. In Sec. 313.6:

    A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set

    forth below.

    B. Effective January 1, 2012, remove paragraph (g).

    Sec. 313.6 Information to be included in privacy notices.

    * * * * *

    (b) Description of nonaffiliated third parties subject to

    exceptions. If you disclose nonpublic personal information to third

    parties as authorized under Sec. Sec. 313.14 and 313.15, you are not

    required to list those exceptions in the initial or annual privacy

    notices required by Sec. Sec. 313.4 and 313.5. When describing the

    categories with respect to those parties, it is sufficient to state

    that you make disclosures to other nonaffiliated companies for your

    everyday business purposes, such as to process transactions, maintain

    account(s), respond to court orders and legal investigations, or report

    to credit bureaus.

    * * * * *

    (f) Model privacy form. Pursuant to Sec. 313.2(a) of this part, a

    model privacy form that meets the notice content

    [[Page 62966]]

    requirements of this section is included in Appendix A of this part.

    (g) Sample clauses and description of nonaffiliated third parties

    subject to exceptions.

    (1) Sample clauses. Sample clauses illustrating some of the notice

    content required by this section are included in Appendix B of this

    part. Use of a sample clause in a privacy notice provided on or before

    December 31, 2010, to the extent applicable, constitutes compliance

    with this part.

    (2) Description of nonaffiliated third parties subject to

    exceptions. For a privacy notice provided on or before December 31,

    2010, if you disclose nonpublic personal information to third parties

    as authorized under Sec. Sec. 313.14 and 313.15, when describing the

    categories with respect to those parties, it is sufficient to state, as

    an alternative to the language in the second sentence of paragraph (b)

    of this section, that you make disclosures to other nonaffiliated third

    parties as permitted by law.

    39. In Sec. 313.7, add paragraph (i) to read as follows:

    Sec. 313.7 Form of opt-out notice to consumers; opt-out methods.

    * * * * *

    (i) Model privacy form. Pursuant to Sec. 313.2(a) of this part, a

    model privacy form that meets the notice content requirements of this

    section is included in Appendix A of this part.

    Appendix A [Redesignated as Appendix B]

    40. Redesignate Appendix A to part 313 as Appendix B to part 313.

    41. Add new Appendix A to part 313 to read as follows:

    Appendix A to Part 313--Model Privacy Form

    A. The Model Privacy Form

    [[Page 62967]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.035

    [[Page 62968]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.036

    [[Page 62969]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.037

    [[Page 62970]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.038

    [[Page 62971]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.039

    [[Page 62972]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.041

    B. General Instructions

    1. How the Model Privacy Form is Used

    (a) The model form may be used, at the option of a financial

    institution, including a group of financial institutions that use a

    common privacy notice, to meet the content requirements of the

    privacy notice and opt-out notice set forth in Sec. Sec. 313.6 and

    313.7 of this part.

    (b) The model form is a standardized form, including page

    layout, content, format, style, pagination, and shading.

    Institutions seeking to obtain the safe harbor through use of the

    model form may modify it only as described in these Instructions.

    (c) Note that disclosure of certain information, such as assets,

    income, and information from a consumer reporting agency, may give

    rise to obligations under the Fair Credit Reporting Act [15 U.S.C.

    1681-1681x] (FCRA), such as a requirement to permit a consumer to

    opt out of disclosures to affiliates or designation as a consumer

    reporting agency if disclosures are made to nonaffiliated third

    parties.

    (d) The word ``customer'' may be replaced by the word ``member''

    whenever it appears in the model form, as appropriate.

    2. The Contents of the Model Privacy Form

    The model form consists of two pages, which may be printed on

    both sides of a single sheet of paper, or may appear on two separate

    pages. Where an institution provides a long list of institutions at

    the end of the model form in accordance with Instruction C.3(a)(1),

    or provides additional information in accordance with Instruction

    C.3(c), and such list or additional information exceeds the space

    available on page two of the model form, such list or additional

    information may extend to a third page.

    (a) Page One. The first page consists of the following

    components:

    (1) Date last revised (upper right-hand corner).

    (2) Title.

    (3) Key frame (Why?, What?, How?).

    (4) Disclosure table (``Reasons we can share your personal

    information'').

    (5) ``To limit our sharing'' box, as needed, for the financial

    institution's opt-out information.

    (6) ``Questions'' box, for customer service contact information.

    (7) Mail-in opt-out form, as needed.

    (b) Page Two. The second page consists of the following

    components:

    (1) Heading (Page 2).

    (2) Frequently Asked Questions (``Who we are'' and ``What we

    do'').

    (3) Definitions.

    (4) ``Other important information'' box, as needed.

    3. The Format of the Model Privacy Form

    The format of the model form may be modified only as described

    below.

    (a) Easily readable type font. Financial institutions that use

    the model form must use an easily readable type font. While a number

    of factors together produce an easily readable type font,

    institutions are required to use a minimum of 10-point font (unless

    otherwise expressly permitted in these Instructions) and sufficient

    spacing between the lines of type.

    (b) Logo. A financial institution may include a corporate logo

    on any page of the notice, so long as it does not interfere with the

    readability of the model form or the space constraints of each page.

    (c) Page size and orientation. Each page of the model form must

    be printed on paper in portrait orientation, the size of which must

    be sufficient to meet the layout and minimum font size requirements,

    with sufficient white space on the top, bottom, and sides of the

    content.

    (d) Color. The model form must be printed on white or light

    color paper (such as cream) with black or other contrasting ink

    color. Spot color may be used to achieve visual interest, so long as

    the color contrast is distinctive and the color does not detract

    from the readability of the model form. Logos may also be printed in

    color.

    (e) Languages. The model form may be translated into languages

    other than English.

    C. Information Required in the Model Privacy Form

    The information in the model form may be modified only as

    described below:

    1. Name of the Institution or Group of Affiliated Institutions

    Providing the Notice

    Insert the name of the financial institution providing the

    notice or a common identity of affiliated institutions jointly

    providing the notice on the form wherever [name of financial

    institution] appears.

    2. Page One

    (a) Last revised date. The financial institution must insert in

    the upper right-hand corner the date on which the notice was last

    revised. The information shall appear in minimum 8-point font as

    ``rev. [month/year]'' using either the name or number of the month,

    such as ``rev. July 2009'' or ``rev. 7/09''.

    (b) General instructions for the ``What?'' box.

    (1) The bulleted list identifies the types of personal

    information that the institution collects and shares. All

    institutions must use the term ``Social Security number'' in the

    first bullet.

    (2) Institutions must use five (5) of the following terms to

    complete the bulleted list: income; account balances; payment

    history; transaction history; transaction or loss history; credit

    history; credit scores; assets; investment experience; credit-based

    insurance scores; insurance claim history; medical information;

    overdraft history; purchase history; account transactions; risk

    tolerance; medical-related debts; credit card or other debt;

    mortgage rates and payments; retirement assets; checking account

    information; employment information; wire transfer instructions.

    (c) General instructions for the disclosure table. The left

    column lists reasons for

    [[Page 62973]]

    sharing or using personal information. Each reason correlates to a

    specific legal provision described in paragraph C.2(d) of this

    Instruction. In the middle column, each institution must provide a

    ``Yes'' or ``No'' response that accurately reflects its information

    sharing policies and practices with respect to the reason listed on

    the left. In the right column, each institution must provide in each

    box one of the following three (3) responses, as applicable, that

    reflects whether a consumer can limit such sharing: ``Yes'' if it is

    required to or voluntarily provides an opt-out; ``No'' if it does

    not provide an opt-out; or ``We don't share'' if it answers ``No''

    in the middle column. Only the sixth row (``For our affiliates to

    market to you'') may be omitted at the option of the institution.

    See paragraph C.2(d)(6) of this Instruction.

    (d) Specific disclosures and corresponding legal provisions.

    (1) For our everyday business purposes. This reason incorporates

    sharing information under Sec. Sec. 313.14 and 313.15 and with

    service providers pursuant to Sec. 313.13 of this part other than

    the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these

    Instructions.

    (2) For our marketing purposes. This reason incorporates sharing

    information with service providers by an institution for its own

    marketing pursuant to Sec. 313.13 of this part. An institution that

    shares for this reason may choose to provide an opt-out.

    (3) For joint marketing with other financial companies. This

    reason incorporates sharing information under joint marketing

    agreements between two or more financial institutions and with any

    service provider used in connection with such agreements pursuant to

    Sec. 313.13 of this part. An institution that shares for this

    reason may choose to provide an opt-out.

    (4) For our affiliates' everyday business purposes--information

    about transactions and experiences. This reason incorporates sharing

    information specified in sections 603(d)(2)(A)(i) and (ii) of the

    FCRA. An institution that shares for this reason may choose to

    provide an opt-out.

    (5) For our affiliates' everyday business purposes--information

    about creditworthiness. This reason incorporates sharing information

    pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution

    that shares for this reason must provide an opt-out.

    (6) For our affiliates to market to you. This reason

    incorporates sharing information specified in section 624 of the

    FCRA. This reason may be omitted from the disclosure table when: the

    institution does not have affiliates (or does not disclose personal

    information to its affiliates); the institution's affiliates do not

    use personal information in a manner that requires an opt-out; or

    the institution provides the affiliate marketing notice separately.

    Institutions that include this reason must provide an opt-out of

    indefinite duration. An institution that is required to provide an

    affiliate marketing opt-out, but does not include that opt-out in

    the model form under this part, must comply with section 624 of the

    FCRA and 16 CFR parts 680 and 698 with respect to the initial notice

    and opt-out and any subsequent renewal notice and opt-out. An

    institution not required to provide an opt-out under this

    subparagraph may elect to include this reason in the model form.

    (7) For nonaffiliates to market to you. This reason incorporates

    sharing described in Sec. Sec. 313.7 and 313.10(a) of this part. An

    institution that shares personal information for this reason must

    provide an opt-out.

    (e) To limit our sharing: A financial institution must include

    this section of the model form only if it provides an opt-out. The

    word ``choice'' may be written in either the singular or plural, as

    appropriate. Institutions must select one or more of the applicable

    opt-out methods described: telephone, such as by a toll-free number;

    a Web site; or use of a mail-in opt-out form. Institutions may

    include the words ``toll-free'' before telephone, as appropriate. An

    institution that allows consumers to opt out online must provide

    either a specific Web address that takes consumers directly to the

    opt-out page or a general Web address that provides a clear and

    conspicuous direct link to the opt-out page. The opt-out choices

    made available to the consumer who contacts the institution through

    these methods must correspond accurately to the ``Yes'' responses in

    the third column of the disclosure table. In the part titled

    ``Please note'' institutions may insert a number that is 30 or

    greater in the space marked ``[30].'' Instructions on voluntary or

    state privacy law opt-out information are in paragraph C.2(g)(5) of

    these Instructions.

    (f) Questions box. Customer service contact information must be

    inserted as appropriate, where [phone number] or [Web site] appear.

    Institutions may elect to provide either a phone number, such as a

    toll-free number, or a Web address, or both. Institutions may

    include the words ``toll-free'' before the telephone number, as

    appropriate.

    (g) Mail-in opt-out form. Financial institutions must include

    this mail-in form only if they state in the ``To limit our sharing''

    box that consumers can opt out by mail. The mail-in form must

    provide opt-out options that correspond accurately to the ``Yes''

    responses in the third column in the disclosure table. Institutions

    that require customers to provide only name and address may omit the

    section identified as ``[account ].'' Institutions that

    require additional or different information, such as a random opt-

    out number or a truncated account number, to implement an opt-out

    election should modify the ``[account ]'' reference

    accordingly. This includes institutions that require customers with

    multiple accounts to identify each account to which the opt-out

    should apply. An institution must enter its opt-out mailing address:

    In the far right of this form (see version 3); or below the form

    (see version 4). The reverse side of the mail-in opt-out form must

    not include any content of the model form.

    (1) Joint accountholder. Only institutions that provide their

    joint accountholders the choice to opt out for only one

    accountholder, in accordance with paragraph C.3(a)(5) of these

    Instructions, must include in the far left column of the mail-in

    form the following statement: ``If you have a joint account, your

    choice(s) will apply to everyone on your account unless you mark

    below. [square] Apply my choice(s) only to me.'' The word ``choice''

    may be written in either the singular or plural, as appropriate.

    Financial institutions that provide insurance products or services,

    provide this option, and elect to use the model form may substitute

    the word ``policy'' for ``account'' in this statement. Institutions

    that do not provide this option may eliminate this left column from

    the mail-in form.

    (2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution

    shares personal information pursuant to section 603(d)(2)(A)(iii) of

    the FCRA, it must include in the mail-in opt-out form the following

    statement: ``[square] Do not share information about my

    creditworthiness with your affiliates for their everyday business

    purposes.''

    (3) FCRA Section 624 opt-out. If the institution incorporates

    section 624 of the FCRA in accord with paragraph C.2(d)(6) of these

    Instructions, it must include in the mail-in opt-out form the

    following statement: ``[square] Do not allow your affiliates to use

    my personal information to market to me.''

    (4) Nonaffiliate opt-out. If the financial institution shares

    personal information pursuant to Sec. 313.10(a) of this part, it

    must include in the mail-in opt-out form the following statement:

    ``[square] Do not share my personal information with nonaffiliates

    to market their products and services to me.''

    (5) Additional opt-outs. Financial institutions that use the

    disclosure table to provide opt-out options beyond those required by

    Federal law must provide those opt-outs in this section of the model

    form. A financial institution that chooses to offer an opt-out for

    its own marketing in the mail-in opt-out form must include one of

    the two following statements: ``[square] Do not share my personal

    information to market to me.'' or ``[square] Do not use my personal

    information to market to me.'' A financial institution that chooses

    to offer an opt-out for joint marketing must include the following

    statement: ``[square] Do not share my personal information with

    other financial institutions to jointly market to me.''

    (h) Barcodes. A financial institution may elect to include a

    barcode and/or ``tagline'' (an internal identifier) in 6-point font

    at the bottom of page one, as needed for information internal to the

    institution, so long as these do not interfere with the clarity or

    text of the form.

    3. Page Two

    (a) General Instructions for the Questions. Certain of the

    Questions may be customized as follows:

    (1) ``Who is providing this notice?'' This question may be

    omitted where only one financial institution provides the model form

    and that institution is clearly identified in the title on page one.

    Two or more financial institutions that jointly provide the model

    form must use this question to identify themselves as required by

    Sec. 313.9(f) of this part. Where the list of institutions exceeds

    four (4) lines, the institution must describe in the response to

    this question the general types of institutions jointly providing

    the notice and must separately identify those institutions, in

    minimum 8-point font, directly following the ``Other important

    [[Page 62974]]

    information'' box, or, if that box is not included in the

    institution's form, directly following the ``Definitions.'' The list

    may appear in a multi-column format.

    (2) ``How does [name of financial institution] protect my

    personal information?'' The financial institution may only provide

    additional information pertaining to its safeguards practices

    following the designated response to this question. Such information

    may include information about the institution's use of cookies or

    other measures it uses to safeguard personal information.

    Institutions are limited to a maximum of 30 additional words.

    (3) ``How does [name of financial institution] collect my

    personal information?'' Institutions must use five (5) of the

    following terms to complete the bulleted list for this question:

    Open an account; deposit money; pay your bills; apply for a loan;

    use your credit or debit card; seek financial or tax advice; apply

    for insurance; pay insurance premiums; file an insurance claim; seek

    advice about your investments; buy securities from us; sell

    securities to us; direct us to buy securities; direct us to sell

    your securities; make deposits or withdrawals from your account;

    enter into an investment advisory contract; give us your income

    information; provide employment information; give us your employment

    history; tell us about your investment or retirement portfolio; tell

    us about your investment or retirement earnings; apply for

    financing; apply for a lease; provide account information; give us

    your contact information; pay us by check; give us your wage

    statements; provide your mortgage information; make a wire transfer;

    tell us who receives the money; tell us where to send the money;

    show your government-issued ID; show your driver's license; order a

    commodity futures or option trade. Institutions that collect

    personal information from their affiliates and/or credit bureaus

    must include after the bulleted list the following statement: ``We

    also collect your personal information from others, such as credit

    bureaus, affiliates, or other companies.'' Institutions that do not

    collect personal information from their affiliates or credit bureaus

    but do collect information from other companies must include the

    following statement instead: ``We also collect your personal

    information from other companies.'' Only institutions that do not

    collect any personal information from affiliates, credit bureaus, or

    other companies can omit both statements.

    (4) ``Why can't I limit all sharing?'' Institutions that

    describe state privacy law provisions in the ``Other important

    information'' box must use the bracketed sentence: ``See below for

    more on your rights under state law.'' Other institutions must omit

    this sentence.

    (5) ``What happens when I limit sharing for an account I hold

    jointly with someone else?'' Only financial institutions that

    provide opt-out options must use this question. Other institutions

    must omit this question. Institutions must choose one of the

    following two statements to respond to this question: ``Your choices

    will apply to everyone on your account.'' or ``Your choices will

    apply to everyone on your account--unless you tell us otherwise.''

    Financial institutions that provide insurance products or services

    and elect to use the model form may substitute the word ``policy''

    for ``account'' in these statements.

    (b) General Instructions for the Definitions.

    The financial institution must customize the space below the

    responses to the three definitions in this section. This specific

    information must be in italicized lettering to set off the

    information from the standardized definitions.

    (1) Affiliates. As required by Sec. 313.6(a)(3) of this part,

    where [affiliate information] appears, the financial institution

    must:

    (i) If it has no affiliates, state: ``[name of financial

    institution] has no affiliates'';

    (ii) If it has affiliates but does not share personal

    information, state: ``[name of financial institution] does not share

    with our affiliates''; or

    (iii) If it shares with its affiliates, state, as applicable:

    ``Our affiliates include companies with a [common corporate identity

    of financial institution] name; financial companies such as [insert

    illustrative list of companies]; nonfinancial companies, such as

    [insert illustrative list of companies;] and others, such as [insert

    illustrative list].''

    (2) Nonaffiliates. As required by Sec. 313.6(c)(3) of this

    part, where [nonaffiliate information] appears, the financial

    institution must:

    (i) If it does not share with nonaffiliated third parties,

    state: ``[name of financial institution] does not share with

    nonaffiliates so they can market to you''; or

    (ii) If it shares with nonaffiliated third parties, state, as

    applicable: ``Nonaffiliates we share with can include [list

    categories of companies such as mortgage companies, insurance

    companies, direct marketing companies, and nonprofit

    organizations].''

    (3) Joint Marketing. As required by Sec. 313.13 of this part,

    where [joint marketing] appears, the financial institution must:

    (i) If it does not engage in joint marketing, state: ``[name of

    financial institution] doesn't jointly market''; or

    (ii) If it shares personal information for joint marketing,

    state, as applicable: ``Our joint marketing partners include [list

    categories of companies such as credit card companies].''

    (c) General instructions for the ``Other important information''

    box. This box is optional. The space provided for information in

    this box is not limited. Only the following types of information can

    appear in this box.

    (1) State and/or international privacy law information; and/or

    (2) Acknowledgment of receipt form.

    42. Amend newly redesignated Appendix B to part 313 as follows:

    A. Add a new sentence to the beginning of the introductory text as set

    forth below.

    B. Effective January 1, 2012, remove Appendix B to part 313.

    Appendix B to Part 313--Sample Clauses

    This Appendix only applies to privacy notices provided before

    January 1, 2011. * * *

    * * * * *

    Commodity Futures Trading Commission

    17 CFR Chapter I

    Authority and Issuance

    For the reasons set forth in the joint preamble, part 160 of chapter I

    of title 17 of the Code of Federal Regulations is amended as follows:

    PART 160--PRIVACY OF CONSUMER FINANCIAL INFORMATION

    43. The authority citation for part 160 continues to read as follows:

    Authority: 7 U.S.C. 7b-2 and 12a(5); 15 U.S.C. 6801 et seq.

    44. Revise Sec. 160.2 to read as follows:

    Sec. 160.2 Model privacy form and examples.

    (a) Model privacy form. Use of the model privacy form in Appendix A

    of this part, consistent with the instructions in Appendix A,

    constitutes compliance with the notice content requirements of

    Sec. Sec. 160.6 and 160.7 of this part, although use of the model

    privacy form is not required.

    (b) Examples. The examples in this part are not exclusive.

    Compliance with an example, to the extent applicable, constitutes

    compliance with this part.

    45. In Sec. 160.6:

    A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set

    forth below.

    B. Effective January 1, 2012, remove paragraph (g).

    Sec. 160.6 Information to be included in privacy notices.

    * * * * *

    (b) Description of nonaffiliated third parties subject to

    exceptions. If you disclose nonpublic personal information to third

    parties as authorized under Sec. Sec. 160.14 and 160.15, you are not

    required to list those exceptions in the initial or annual privacy

    notices required by Sec. Sec. 160.4 and 160.5. When describing the

    categories with respect to those parties, it is sufficient to state

    that you make disclosures to other nonaffiliated companies:

    (1) For your everyday business purposes, such as [include all that

    apply] to process transactions, maintain account(s), respond to court

    orders and legal investigations, or report to credit bureaus; or

    [[Page 62975]]

    (2) As permitted by law.

    * * * * *

    (f) Model privacy form. Pursuant to Sec. 160.2(a) of this part, a

    model privacy form that meets the notice content requirements of this

    section is included in Appendix A of this part.

    (g) Sample clauses. Sample clauses illustrating some of the notice

    content required by this section are included in Appendix B of this

    part. Use of a sample clause in a privacy notice provided on or before

    December 31, 2010, to the extent applicable, constitutes compliance

    with this part.

    46. In Sec. 160.7, add paragraph (i) to read as follows:

    Sec. 160.7 Form of opt-out notice to consumers; opt-out methods.

    * * * * *

    (i) Model privacy form. Pursuant to Sec. 160.2(a) of this part, a

    model privacy form that meets the notice content requirements of this

    section is included in Appendix A of this part.

    Appendix A [Redesignated as Appendix B]

    47. Redesignate Appendix A to part 160 as Appendix B to part 160.

    48. Add new Appendix A to part 160 to read as follows:

    Appendix A to Part 160--Model Privacy Form

    A. The Model Privacy Form

    [[Page 62976]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.042

    [[Page 62977]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.043

    [[Page 62978]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.044

    [[Page 62979]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.045

    [[Page 62980]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.046

    [[Page 62981]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.047

    [[Page 62982]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.048

    B. General Instructions

    1. How the Model Privacy Form Is Used

    (a) The model form may be used, at the option of a financial

    institution, including a group of financial institutions that use a

    common privacy notice, to meet the content requirements of the

    privacy notice and opt-out notice set forth in Sec. Sec. 160.6 and

    160.7 of this part.

    (b) The model form is a standardized form, including page

    layout, content, format, style, pagination, and shading.

    Institutions seeking to obtain the safe harbor through use of the

    model form may modify it only as described in these Instructions.

    (c) Note that disclosure of certain information, such as assets,

    income, and information from a consumer reporting agency, may give

    rise to obligations under the Fair Credit Reporting Act [15 U.S.C.

    1681-1681x] (FCRA), such as a requirement to permit a consumer to

    opt out of disclosures to affiliates or designation as a consumer

    reporting agency if disclosures are made to nonaffiliated third

    parties.

    (d) The word ``customer'' may be replaced by the word ``member''

    whenever it appears in the model form, as appropriate.

    2. The Contents of the Model Privacy Form

    The model form consists of two pages, which may be printed on

    both sides of a single sheet of paper, or may appear on two separate

    pages. Where an institution provides a long list of institutions at

    the end of the model form in accordance with Instruction C.3(a)(1),

    or provides additional information in accordance with Instruction

    C.3(c), and such list or additional information exceeds the space

    available on page two of the model form, such list or additional

    information may extend to a third page.

    (a) Page One. The first page consists of the following

    components:

    (1) Date last revised (upper right-hand corner).

    (2) Title.

    (3) Key frame (Why?, What?, How?).

    (4) Disclosure table (``Reasons we can share your personal

    information'').

    (5) ``To limit our sharing'' box, as needed, for the financial

    institution's opt-out information.

    (6) ``Questions'' box, for customer service contact information.

    (7) Mail-in opt-out form, as needed.

    (b) Page Two. The second page consists of the following

    components:

    (1) Heading (Page 2).

    (2) Frequently Asked Questions (``Who we are'' and ``What we

    do'').

    (3) Definitions.

    (4) ``Other important information'' box, as needed.

    3. The Format of the Model Privacy Form

    The format of the model form may be modified only as described

    below.

    (a) Easily readable type font. Financial institutions that use

    the model form must use an easily readable type font. While a number

    of factors together produce easily readable type font, institutions

    are required to use a minimum of 10-point font (unless otherwise

    expressly permitted in these Instructions) and sufficient spacing

    between the lines of type.

    (b) Logo. A financial institution may include a corporate logo

    on any page of the notice, so long as it does not interfere with the

    readability of the model form or the space constraints of each page.

    (c) Page size and orientation. Each page of the model form must

    be printed on paper in portrait orientation, the size of which must

    be sufficient to meet the layout and minimum font size requirements,

    with sufficient white space on the top, bottom, and sides of the

    content.

    (d) Color. The model form must be printed on white or light

    color paper (such as cream) with black or other contrasting ink

    color. Spot color may be used to achieve visual interest, so long as

    the color contrast is distinctive and the color does not detract

    from the readability of the model form. Logos may also be printed in

    color.

    (e) Languages. The model form may be translated into languages

    other than English.

    C. Information Required in the Model Privacy Form

    The information in the model form may be modified only as

    described below:

    1. Name of the Institution or Group of Affiliated Institutions

    Providing the Notice

    Insert the name of the financial institution providing the

    notice or a common identity of affiliated institutions jointly

    providing the notice on the form wherever [name of financial

    institution] appears.

    2. Page One

    (a) Last revised date. The financial institution must insert in

    the upper right-hand corner the date on which the notice was last

    revised. The information shall appear in minimum 8-point font as

    ``rev. [month/year]'' using either the name or number of the month,

    such as ``rev. July 2009'' or ``rev. 7/09''.

    (b) General instructions for the ``What?'' box.

    (1) The bulleted list identifies the types of personal

    information that the institution collects and shares. All

    institutions must use the term ``Social Security number'' in the

    first bullet.

    (2) Institutions must use five (5) of the following terms to

    complete the bulleted list: income; account balances; payment

    history; transaction history; transaction or loss history; credit

    history; credit scores; assets; investment experience; credit-based

    insurance scores; insurance claim history; medical information;

    overdraft history; purchase history; account transactions; risk

    tolerance; medical-related debts; credit card or other debt;

    mortgage rates and payments; retirement assets; checking account

    information; employment information; wire transfer instructions.

    (c) General instructions for the disclosure table. The left

    column lists reasons for

    [[Page 62983]]

    sharing or using personal information. Each reason correlates to a

    specific legal provision described in paragraph C.2(d) of this

    Instruction. In the middle column, each institution must provide a

    ``Yes'' or ``No'' response that accurately reflects its information

    sharing policies and practices with respect to the reason listed on

    the left. In the right column, each institution must provide in each

    box one of the following three (3) responses, as applicable, that

    reflects whether a consumer can limit such sharing: ``Yes'' if it is

    required to or voluntarily provides an opt-out; ``No'' if it does

    not provide an opt-out; or ``We don't share'' if it answers ``No''

    in the middle column. Only the sixth row (``For our affiliates to

    market to you'') may be omitted at the option of the institution.

    See paragraph C.2(d)(6) of this Instruction.

    (d) Specific disclosures and corresponding legal provisions.

    (1) For our everyday business purposes. This reason incorporates

    sharing information under Sec. Sec. 160.14 and 160.15 and with

    service providers pursuant to Sec. 160.13 of this part other than

    the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these

    Instructions.

    (2) For our marketing purposes. This reason incorporates sharing

    information with service providers by an institution for its own

    marketing pursuant to Sec. 160.13 of this part. An institution that

    shares for this reason may choose to provide an opt-out.

    (3) For joint marketing with other financial companies. This

    reason incorporates sharing information under joint marketing

    agreements between two or more financial institutions and with any

    service provider used in connection with such agreements pursuant to

    Sec. 160.13 of this part. An institution that shares for this

    reason may choose to provide an opt-out.

    (4) For our affiliates' everyday business purposes--information

    about transactions and experiences. This reason incorporates sharing

    information specified in sections 603(d)(2)(A)(i) and (ii) of the

    FCRA. An institution that shares for this reason may choose to

    provide an opt-out.

    (5) For our affiliates' everyday business purposes--information

    about creditworthiness. This reason incorporates sharing information

    pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution

    that shares for this reason must provide an opt-out.

    (6) For our affiliates to market to you. This reason

    incorporates sharing information specified in section 624 of the

    FCRA. This reason may be omitted from the disclosure table when: the

    institution does not have affiliates (or does not disclose personal

    information to its affiliates); the institution's affiliates do not

    use personal information in a manner that requires an opt-out; or

    the institution provides the affiliate marketing notice separately.

    Institutions that include this reason must provide an opt-out of

    indefinite duration. An institution not required to provide an opt-out

    under this subparagraph may elect to include this reason in the

    model form. Note: The CFTC's Regulations do not address the

    affiliate marketing rule.

    (7) For nonaffiliates to market to you. This reason incorporates

    sharing described in Sec. Sec. 160.7 and 160.10(a) of this part. An

    institution that shares personal information for this reason must

    provide an opt-out.

    (e) To limit our sharing: A financial institution must include

    this section of the model form only if it provides an opt-out. The

    word ``choice'' may be written in either the singular or plural, as

    appropriate. Institutions must select one or more of the applicable

    opt-out methods described: telephone, such as by a toll-free number;

    a Website; or use of a mail-in opt-out form. Institutions may

    include the words ``toll-free'' before telephone, as appropriate. An

    institution that allows consumers to opt out online must provide

    either a specific Web address that takes consumers directly to the

    opt-out page or a general Web address that provides a clear and

    conspicuous direct link to the opt-out page. The opt-out choices

    made available to the consumer who contacts the institution through

    these methods must correspond accurately to the ``Yes'' responses in

    the third column of the disclosure table. In the part titled

    ``Please note'' institutions may insert a number that is 30 or

    greater in the space marked ``[30].'' Instructions on voluntary or

    state privacy law opt-out information are in paragraph C.2(g)(5) of

    these Instructions.

    (f) Questions box. Customer service contact information must be

    inserted as appropriate, where [phone number] or [website] appear.

    Institutions may elect to provide either a phone number, such as a

    toll-free number, or a Web address, or both. Institutions may

    include the words ``toll-free'' before the telephone number, as

    appropriate.

    (g) Mail-in opt-out form. Financial institutions must include

    this mail-in form only if they state in the ``To limit our sharing''

    box that consumers can opt out by mail. The mail-in form must

    provide opt-out options that correspond accurately to the ``Yes''

    responses in the third column in the disclosure table. Institutions

    that require customers to provide only name and address may omit the

    section identified as ``[account #].'' Institutions that

    require additional or different information, such as a random opt-out

    number or a truncated account number, to implement an opt-out

    election should modify the ``[account #]'' reference

    accordingly. This includes institutions that require customers with

    multiple accounts to identify each account to which the opt-out

    should apply. An institution must enter its opt-out mailing address:

    in the far right of this form (see version 3); or below the form

    (see version 4). The reverse side of the mail-in opt-out form must

    not include any content of the model form.

    (1) Joint accountholder. Only institutions that provide their

    joint accountholders the choice to opt out for only one

    accountholder, in accordance with paragraph C.3(a)(5) of these

    Instructions, must include in the far left column of the mail-in

    form the following statement: ``If you have a joint account, your

    choice(s) will apply to everyone on your account unless you mark

    below. □ Apply my choice(s) only to me.'' The word

    ``choice'' may be written in either the singular or plural, as

    appropriate. Financial institutions that provide insurance products

    or services, provide this option, and elect to use the model form

    may substitute the word ``policy'' for ``account'' in this

    statement. Institutions that do not provide this option may

    eliminate this left column from the mail-in form.

    (2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution

    shares personal information pursuant to section 603(d)(2)(A)(iii) of

    the FCRA, it must include in the mail-in opt-out form the following

    statement: ``□ Do not share information about my

    creditworthiness with your affiliates for their everyday business

    purposes.''

    (3) FCRA Section 624 opt-out. If the institution incorporates

    section 624 of the FCRA in accord with paragraph C.2(d)(6) of these

    Instructions, it must include in the mail-in opt-out form the

    following statement: ``□ Do not allow your affiliates

    to use my personal information to market to me.''

    (4) Nonaffiliate opt-out. If the financial institution shares

    personal information pursuant to Sec. 160.10(a) of this part, it

    must include in the mail-in opt-out form the following statement:

    ``□ Do not share my personal information with

    nonaffiliates to market their products and services to me.''

    (5) Additional opt-outs. Financial institutions that use the

    disclosure table to provide opt-out options beyond those required by

    Federal law must provide those opt-outs in this section of the model

    form. A financial institution that chooses to offer an opt-out for

    its own marketing in the mail-in opt-out form must include one of

    the two following statements: ``□ Do not share my

    personal information to market to me.'' or ``□ Do not

    use my personal information to market to me.'' A financial

    institution that chooses to offer an opt-out for joint marketing

    must include the following statement: ``□ Do not

    share my personal information with other financial institutions to

    jointly market to me.''

    (h) Barcodes. A financial institution may elect to include a

    barcode and/or ``tagline'' (an internal identifier) in 6-point font

    at the bottom of page one, as needed for information internal to the

    institution, so long as these do not interfere with the clarity or

    text of the form.

    3. Page Two

    (a) General Instructions for the Questions. Certain of the

    Questions may be customized as follows:

    (1) ``Who is providing this notice?'' This question may be

    omitted where only one financial institution provides the model form

    and that institution is clearly identified in the title on page one.

    Two or more financial institutions that jointly provide the model

    form must use this question to identify themselves as required by

    Sec. 160.9(f) of this part. Where the list of institutions exceeds

    four (4) lines, the institution must describe in the response to

    this question the general types of institutions jointly providing

    the notice and must separately identify those institutions, in

    minimum 8-point font, directly following the ``Other important

    information'' box, or, if that box is not included in the

    institution's form, directly following the ``Definitions.'' The list

    may appear in a multi-column format.

    [[Page 62984]]

    (2) ``How does [name of financial institution] protect my

    personal information?'' The financial institution may only provide

    additional information pertaining to its safeguards practices

    following the designated response to this question. Such information

    may include information about the institution's use of cookies or

    other measures it uses to safeguard personal information.

    Institutions are limited to a maximum of 30 additional words.

    (3) ``How does [name of financial institution] collect my

    personal information?'' Institutions must use five (5) of the

    following terms to complete the bulleted list for this question:

    Open an account; deposit money; pay your bills; apply for a loan;

    use your credit or debit card; seek financial or tax advice; apply

    for insurance; pay insurance premiums; file an insurance claim; seek

    advice about your investments; buy securities from us; sell

    securities to us; direct us to buy securities; direct us to sell

    your securities; make deposits or withdrawals from your account;

    enter into an investment advisory contract; give us your income

    information; provide employment information; give us your employment

    history; tell us about your investment or retirement portfolio; tell

    us about your investment or retirement earnings; apply for

    financing; apply for a lease; provide account information; give us

    your contact information; pay us by check; give us your wage

    statements; provide your mortgage information; make a wire transfer;

    tell us who receives the money; tell us where to send the money;

    show your government-issued ID; show your driver's license; order a

    commodity futures or option trade. Institutions that collect

    personal information from their affiliates and/or credit bureaus

    must include after the bulleted list the following statement: ``We

    also collect your personal information from others, such as credit

    bureaus, affiliates, or other companies.'' Institutions that do not

    collect personal information from their affiliates or credit bureaus

    but do collect information from other companies must include the

    following statement instead: ``We also collect your personal

    information from other companies.'' Only institutions that do not

    collect any personal information from affiliates, credit bureaus, or

    other companies can omit both statements.

    (4) ``Why can't I limit all sharing?'' Institutions that

    describe state privacy law provisions in the ``Other important

    information'' box must use the bracketed sentence: ``See below for

    more on your rights under state law.'' Other institutions must omit

    this sentence.

    (5) ``What happens when I limit sharing for an account I hold

    jointly with someone else?'' Only financial institutions that

    provide opt-out options must use this question. Other institutions

    must omit this question. Institutions must choose one of the

    following two statements to respond to this question: ``Your choices

    will apply to everyone on your account.'' or ``Your choices will

    apply to everyone on your account--unless you tell us otherwise.''

    Financial institutions that provide insurance products or services

    and elect to use the model form may substitute the word ``policy''

    for ``account'' in these statements.

    (b) General Instructions for the Definitions.

    The financial institution must customize the space below the

    responses to the three definitions in this section. This specific

    information must be in italicized lettering to set off the

    information from the standardized definitions.

    (1) Affiliates. As required by Sec. 160.6(a)(3) of this part,

    where [affiliate information] appears, the financial institution

    must:

    (i) If it has no affiliates, state: ``[name of financial

    institution] has no affiliates'';

    (ii) If it has affiliates but does not share personal

    information, state: ``[name of financial institution] does not share

    with our affiliates''; or

    (iii) If it shares with its affiliates, state, as applicable:

    ``Our affiliates include companies with a [common corporate identity

    of financial institution] name; financial companies such as [insert

    illustrative list of companies]; nonfinancial companies, such as

    [insert illustrative list of companies]; and others, such as [insert

    illustrative list].''

    (2) Nonaffiliates. As required by Sec. 160.6(c)(3) of this

    part, where [nonaffiliate information] appears, the financial

    institution must:

    (i) If it does not share with nonaffiliated third parties,

    state: ``[name of financial institution] does not share with

    nonaffiliates so they can market to you''; or

    (ii) If it shares with nonaffiliated third parties, state, as

    applicable: ``Nonaffiliates we share with can include [list

    categories of companies such as mortgage companies, insurance

    companies, direct marketing companies, and nonprofit

    organizations].''

    (3) Joint Marketing. As required by Sec. 160.13 of this part,

    where [joint marketing] appears, the financial institution must:

    (i) If it does not engage in joint marketing, state: ``[name of

    financial institution] doesn't jointly market''; or

    (ii) If it shares personal information for joint marketing,

    state, as applicable: ``Our joint marketing partners include [list

    categories of companies such as credit card companies].''

    (c) General instructions for the ``Other important information''

    box. This box is optional. The space provided for information in

    this box is not limited. Only the following types of information can

    appear in this box.

    (1) State and/or international privacy law information; and/or

    (2) Acknowledgment of receipt form.

    49. Amend newly redesignated Appendix B to part 160 as follows:

    A. Add a new sentence to the beginning of the introductory text as set

    forth below.

    B. Effective January 1, 2012, remove Appendix B to part 160.

    Appendix B to Part 160--Sample Clauses

    This Appendix only applies to privacy notices provided before

    January 1, 2011. * * *

    * * * * *

    Securities and Exchange Commission

    Statutory Authority

    The Commission is amending Regulation S-P pursuant to authority set

    forth in section 728 of the Regulatory Relief Act [Pub. L. 109-351],

    section 504 of the GLB Act [15 U.S.C. 6804], section 23 of the

    Securities Exchange Act [15 U.S.C. 78w], section 38(a) of the

    Investment Company Act [15 U.S.C. 80a-37(a)], and section 211 of the

    Investment Advisers Act [15 U.S.C. 80b-11].

    Text of Amendments

    For the reasons set forth in the preamble, the Commission is amending

    Title 17, Chapter II of the Code of Federal Regulations as follows:

    PART 248--REGULATIONS S-P AND S-AM

    50. The authority citation for part 248 continues to read as follows:

    Authority: 15 U.S.C. 78q, 78q-1, 78w, 78mm, 80a-30, 80a-37,

    80b-4, 80b-11, 1681s-3 and note, 1681w(a)(1), 6801-6809, and 6825.

    51. Revise Sec. 248.2 to read as follows:

    Sec. 248.2 Model privacy form: rule of construction.

    (a) Model privacy form. Use of the model privacy form in Appendix A

    to Subpart A of this part, consistent with the instructions in Appendix

    A to Subpart A, constitutes compliance with the notice content

    requirements of Sec. Sec. 248.6 and 248.7 of this part, although use

    of the model privacy form is not required.

    (b) Examples. The examples in this part provide guidance concerning

    the rule's application in ordinary circumstances. The facts and

    circumstances of each individual situation, however, will determine

    whether compliance with an example, to the extent practicable,

    constitutes compliance with this part.

    (c) Substituted compliance with CFTC financial privacy rules by

    futures commission merchants and introducing brokers. Except with

    respect to Sec. 248.30(b), any futures commission merchant or

    introducing broker (as those terms are defined in the Commodity

    Exchange Act (7 U.S.C. 1, et seq.)) registered by notice with the

    Commission for the purpose of conducting business in security futures

    products pursuant to section 15(b)(11)(A) of the Securities Exchange

    Act of 1934 (15 U.S.C. 78o(b)(11)(A)) that is subject to and in

    compliance with the financial privacy rules of the Commodity Futures

    Trading

    [[Page 62985]]

    Commission (17 CFR part 160) will be deemed to be in compliance with

    this part.

    52. In Sec. 248.6:

    A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set

    forth below.

    B. Effective January 1, 2012, remove paragraph (g).

    Sec. 248.6 Information to be included in privacy notices.

    * * * * *

    (b) Description of nonaffiliated third parties subject to

    exceptions. If you disclose nonpublic personal information to third

    parties as authorized under Sec. Sec. 248.14 and 248.15, you are not

    required to list those exceptions in the initial or annual privacy

    notices required by Sec. Sec. 248.4 and 248.5. When describing the

    categories with respect to those parties, it is sufficient to state

    that you make disclosures to other nonaffiliated companies:

    (1) For your everyday business purposes such as [include all that

    apply] to process transactions, maintain account(s), respond to court

    orders and legal investigations, or report to credit bureaus; or

    (2) As permitted by law.

    * * * * *

    (f) Model privacy form. Pursuant to Sec. 248.2(a) and Appendix A

    to Subpart A of this part, Form S-P meets the notice content

    requirements of this section.

    (g) Sample clauses. Sample clauses illustrating some of the notice

    content required by this section are included in Appendix B to Subpart

    A of this part. The sample clauses in Appendix B to Subpart A of this

    part provide guidance concerning the rule's application in ordinary

    circumstances in a privacy notice provided on or before December 31,

    2010. The facts and circumstances of each individual situation,

    however, will determine whether compliance with a sample clause

    constitutes compliance with this part.

    53. In Sec. 248.7, add paragraph (i) to read as follows:

    Sec. 248.7 Form of opt-out notice to consumers; opt-out methods.

    * * * * *

    (i) Model privacy form. Pursuant to Sec. 248.2(a) and Appendix A

    to Subpart A of this part, Form S-P meets the notice content

    requirements of this section.

    54. Add Appendix A to Subpart A to read as follows:

    Appendix A to Subpart A--Forms

    A. Any person may view and print this form at: http://www.sec.gov/about/forms/secforms.htm.

    B. Use of Form S-P by brokers, dealers, and investment

    companies, and investment advisers registered with the Commission

    constitutes compliance with the notice content requirements of

    Sec. Sec. 248.6 and 248.7 of this part.

    FORM S-P--Model Privacy Form

    A. The Model Privacy Form

    [[Page 62986]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.049

    [[Page 62987]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.050

    [[Page 62988]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.051

    [[Page 62989]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.052

    [[Page 62990]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.053

    [[Page 62991]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.054

    [[Page 62992]]

    [GRAPHIC] [TIFF OMITTED] TR01DE09.055

    B. General Instructions

    1. How the Model Privacy Form is Used

    (a) The model form may be used, at the option of a financial

    institution, including a group of financial institutions that use a

    common privacy notice, to meet the content requirements of the

    privacy notice and opt-out notice set forth in Sec. Sec. 248.6 and

    248.7 of this part.

    (b) The model form is a standardized form, including page

    layout, content, format, style, pagination, and shading.

    Institutions seeking to obtain the safe harbor through use of the

    model form may modify it only as described in these instructions.

    (c) Note that disclosure of certain information, such as assets,

    income, and information from a consumer reporting agency, may give

    rise to obligations under the Fair Credit Reporting Act [15 U.S.C.

    1681-1681x] (FCRA), such as a requirement to permit a consumer to

    opt out of disclosures to affiliates or designation as a consumer

    reporting agency if disclosures are made to nonaffiliated third

    parties.

    (d) The word ``customer'' may be replaced by the word ``member''

    whenever it appears in the model form, as appropriate.

    2. The Contents of the Model Privacy Form

    The model form consists of two pages, which may be printed on

    both sides of a single sheet of paper, or may appear on two separate

    pages. Where an institution provides a long list of institutions at

    the end of the model form in accordance with Instruction C.3(a)(1),

    or provides additional information in accordance with Instruction

    C.3(c), and such list or additional information exceeds the space

    available on page two of the model form, such list or additional

    information may extend to a third page.

    (a) Page One. The first page consists of the following

    components:

    (1) Date last revised (upper right-hand corner).

    (2) Title.

    (3) Key frame (Why?, What?, How?).

    (4) Disclosure table (``Reasons we can share your personal

    information'').

    (5) ``To limit our sharing'' box, as needed, for the financial

    institution's opt-out information.

    (6) ``Questions'' box, for customer service contact information.

    (7) Mail-in opt-out form, as needed.

    (b) Page Two. The second page consists of the following

    components:

    (1) Heading (Page 2).

    (2) Frequently Asked Questions (``Who we are'' and ``What we

    do'').

    (3) Definitions.

    (4) ``Other important information'' box, as needed.

    3. The Format of the Model Privacy Form

    The format of the model form may be modified only as described

    below.

    (a) Easily readable type font. Financial institutions that use

    the model form must use an easily readable type font. While a number

    of factors together produce easily readable type font, institutions

    are required to use a minimum of 10-point font (unless otherwise

    expressly permitted in these Instructions) and sufficient spacing

    between the lines of type.

    (b) Logo. A financial institution may include a corporate logo

    on any page of the notice, so long as it does not interfere with the

    readability of the model form or the space constraints of each page.

    (c) Page size and orientation. Each page of the model form must

    be printed on paper in portrait orientation, the size of which must

    be sufficient to meet the layout and minimum font size requirements,

    with sufficient white space on the top, bottom, and sides of the

    content.

    (d) Color. The model form must be printed on white or light

    color paper (such as cream) with black or other contrasting ink

    color. Spot color may be used to achieve visual interest, so long as

    the color contrast is distinctive and the color does not detract

    from the readability of the model form. Logos may also be printed in

    color.

    (e) Languages. The model form may be translated into languages

    other than English.

    C. Information Required in the Model Privacy Form

    The information in the model form may be modified only as

    described below:

    1. Name of the Institution or Group of Affiliated Institutions

    Providing the Notice

    Insert the name of the financial institution providing the

    notice or a common identity of affiliated institutions jointly

    providing the notice on the form wherever [name of financial

    institution] appears.

    2. Page One

    (a) Last revised date. The financial institution must insert in

    the upper right-hand corner the date on which the notice was last

    revised. The information shall appear in minimum 8-point font as

    ``rev. [month/year]'' using either the name or number of the month,

    such as ``rev. July 2009'' or ``rev. 7/09''.

    (b) General instructions for the ``What?'' box.

    (1) The bulleted list identifies the types of personal

    information that the institution collects and shares. All

    institutions must use the term ``Social Security number'' in the

    first bullet.

    (2) Institutions must use five (5) of the following terms to

    complete the bulleted list: income; account balances; payment

    history; transaction history; transaction or loss history; credit

    history; credit scores; assets; investment experience; credit-based

    insurance scores; insurance claim history; medical information;

    overdraft history; purchase history; account transactions; risk

    tolerance; medical-related debts; credit card or other debt;

    mortgage rates and payments; retirement assets; checking account

    information; employment information; wire transfer instructions.

    (c) General instructions for the disclosure table. The left

    column lists reasons for

    [[Page 62993]]

    sharing or using personal information. Each reason correlates to a

    specific legal provision described in paragraph C.2(d) of this

    Instruction. In the middle column, each institution must provide a

    ``Yes'' or ``No'' response that accurately reflects its information

    sharing policies and practices with respect to the reason listed on

    the left. In the right column, each institution must provide in each

    box one of the following three (3) responses, as applicable, that

    reflects whether a consumer can limit such sharing: ``Yes'' if it is

    required to or voluntarily provides an opt-out; ``No'' if it does

    not provide an opt-out; or ``We don't share'' if it answers ``No''

    in the middle column. Only the sixth row (``For our affiliates to

    market to you'') may be omitted at the option of the institution.

    See paragraph C.2(d)(6) of this Instruction.

    (d) Specific disclosures and corresponding legal provisions.

    (1) For our everyday business purposes. This reason incorporates

    sharing information under Sec. Sec. 248.14 and 248.15 and with

    service providers pursuant to Sec. 248.13 of this part other than

    the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these

    Instructions.

    (2) For our marketing purposes. This reason incorporates sharing

    information with service providers by an institution for its own

    marketing pursuant to Sec. 248.13 of this part. An institution that

    shares for this reason may choose to provide an opt-out.

    (3) For joint marketing with other financial companies. This

    reason incorporates sharing information under joint marketing

    agreements between two or more financial institutions and with any

    service provider used in connection with such agreements pursuant to

    Sec. 248.13 of this part. An institution that shares for this

    reason may choose to provide an opt-out.

    (4) For our affiliates' everyday business purposes--information

    about transactions and experiences. This reason incorporates sharing

    information specified in sections 603(d)(2)(A)(i) and (ii) of the

    FCRA. An institution that shares for this reason may choose to

    provide an opt-out.

    (5) For our affiliates' everyday business purposes--information

    about creditworthiness. This reason incorporates sharing information

    pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution

    that shares for this reason must provide an opt-out.

    (6) For our affiliates to market to you. This reason

    incorporates sharing information specified in section 624 of the

    FCRA. This reason may be omitted from the disclosure table when: the

    institution does not have affiliates (or does not disclose personal

    information to its affiliates); the institution's affiliates do not

    use personal information in a manner that requires an opt-out; or

    the institution provides the affiliate marketing notice separately.

    Institutions that include this reason must provide an opt-out of

    indefinite duration. An institution that is required to provide an

    affiliate marketing opt-out, but does not include that opt-out in

    the model form under this part, must comply with section 624 of the

    FCRA and 17 CFR part 248, subpart B, with respect to the initial

    notice and opt-out and any subsequent renewal notice and opt-out. An

    institution not required to provide an opt-out under this

    subparagraph may elect to include this reason in the model form.

    (7) For nonaffiliates to market to you. This reason incorporates

    sharing described in Sec. Sec. 248.7 and 248.10(a) of this part. An

    institution that shares personal information for this reason must

    provide an opt-out.

    (e) To limit our sharing: A financial institution must include

    this section of the model form only if it provides an opt-out. The

    word ``choice'' may be written in either the singular or plural, as

    appropriate. Institutions must select one or more of the applicable

    opt-out methods described: telephone, such as by a toll-free number;

    a Web site; or use of a mail-in opt-out form. Institutions may

    include the words ``toll-free'' before telephone, as appropriate. An

    institution that allows consumers to opt out online must provide

    either a specific Web address that takes consumers directly to the

    opt-out page or a general Web address that provides a clear and

    conspicuous direct link to the opt-out page. The opt-out choices

    made available to the consumer who contacts the institution through

    these methods must correspond accurately to the ``Yes'' responses in

    the third column of the disclosure table. In the part titled

    ``Please note'' institutions may insert a number that is 30 or

    greater in the space marked ``[30].'' Instructions on voluntary or

    state privacy law opt-out information are in paragraph C.2(g)(5) of

    these Instructions.

    (f) Questions box. Customer service contact information must be

    inserted as appropriate, where [phone number] or [Web site] appear.

    Institutions may elect to provide either a phone number, such as a

    toll-free number, or a Web address, or both. Institutions may

    include the words ``toll-free'' before the telephone number, as

    appropriate.

    (g) Mail-in opt-out form. Financial institutions must include

    this mail-in form only if they state in the ``To limit our sharing''

    box that consumers can opt out by mail. The mail-in form must

    provide opt-out options that correspond accurately to the ``Yes''

    responses in the third column in the disclosure table. Institutions

    that require customers to provide only name and address may omit the

    section identified as ``[account ].'' Institutions that

    require additional or different information, such as a random opt-

    out number or a truncated account number, to implement an opt-out

    election should modify the ``[account ]'' reference

    accordingly. This includes institutions that require customers with

    multiple accounts to identify each account to which the opt-out

    should apply. An institution must enter its opt-out mailing address:

    in the far right of this form (see version 3); or below the form

    (see version 4). The reverse side of the mail-in opt-out form must

    not include any content of the model form.

    (1) Joint accountholder. Only institutions that provide their

    joint accountholders the choice to opt out for only one

    accountholder, in accordance with paragraph C.3(a)(5) of these

    Instructions, must include in the far left column of the mail-in

    form the following statement: ``If you have a joint account, your

    choice(s) will apply to everyone on your account unless you mark

    below. [square] Apply my choice(s) only to me.'' The word ``choice''

    may be written in either the singular or plural, as appropriate.

    Financial institutions that provide insurance products or services,

    provide this option, and elect to use the model form may substitute

    the word ``policy'' for ``account'' in this statement. Institutions

    that do not provide this option may eliminate this left column from

    the mail-in form.

    (2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution

    shares personal information pursuant to section 603(d)(2)(A)(iii) of

    the FCRA, it must include in the mail-in opt-out form the following

    statement: ``[square] Do not share information about my

    creditworthiness with your affiliates for their everyday business

    purposes.''

    (3) FCRA Section 624 opt-out. If the institution incorporates

    section 624 of the FCRA in accord with paragraph C.2(d)(6) of these

    Instructions, it must include in the mail-in opt-out form the

    following statement: ``[square] Do not allow your affiliates to use

    my personal information to market to me.''

    (4) Nonaffiliate opt-out. If the financial institution shares

    personal information pursuant to Sec. 248.10(a) of this part, it

    must include in the mail-in opt-out form the following statement:

    ``[square] Do not share my personal information with nonaffiliates

    to market their products and services to me.''

    (5) Additional opt-outs. Financial institutions that use the

    disclosure table to provide opt-out options beyond those required by

    Federal law must provide those opt-outs in this section of the model

    form. A financial institution that chooses to offer an opt-out for

    its own marketing in the mail-in opt-out form must include one of

    the two following statements: ``[square] Do not share my personal

    information to market to me.'' or ``[square] Do not use my personal

    information to market to me.'' A financial institution that chooses

    to offer an opt-out for joint marketing must include the following

    statement: ``[square] Do not share my personal information with

    other financial institutions to jointly market to me.''

    (h) Barcodes. A financial institution may elect to include a

    barcode and/or ``tagline'' (an internal identifier) in 6-point font

    at the bottom of page one, as needed for information internal to the

    institution, so long as these do not interfere with the clarity or

    text of the form.

    3. Page Two

    (a) General Instructions for the Questions. Certain of the

    Questions may be customized as follows:

    (1) ``Who is providing this notice?'' This question may be

    omitted where only one financial institution provides the model form

    and that institution is clearly identified in the title on page one.

    Two or more financial institutions that jointly provide the model

    form must use this question to identify themselves as required by

    Sec. 248.9(f) of this part. Where the list of institutions exceeds

    four (4) lines, the institution must describe in the response to

    this question the general types of institutions jointly providing

    the notice and must separately identify those institutions, in

    minimum 8-point font, directly following the ``Other important

    [[Page 62994]]

    information'' box, or, if that box is not included in the

    institution's form, directly following the ``Definitions.'' The list

    may appear in a multi-column format.

    (2) ``How does [name of financial institution] protect my

    personal information?'' The financial institution may only provide

    additional information pertaining to its safeguards practices

    following the designated response to this question. Such information

    may include information about the institution's use of cookies or

    other measures it uses to safeguard personal information.

    Institutions are limited to a maximum of 30 additional words.

    (3) ``How does [name of financial institution] collect my

    personal information?'' Institutions must use five (5) of the

    following terms to complete the bulleted list for this question:

    open an account; deposit money; pay your bills; apply for a loan;

    use your credit or debit card; seek financial or tax advice; apply

    for insurance; pay insurance premiums; file an insurance claim; seek

    advice about your investments; buy securities from us; sell

    securities to us; direct us to buy securities; direct us to sell

    your securities; make deposits or withdrawals from your account;

    enter into an investment advisory contract; give us your income

    information; provide employment information; give us your employment

    history; tell us about your investment or retirement portfolio; tell

    us about your investment or retirement earnings; apply for

    financing; apply for a lease; provide account information; give us

    your contact information; pay us by check; give us your wage

    statements; provide your mortgage information; make a wire transfer;

    tell us who receives the money; tell us where to send the money;

    show your government-issued ID; show your driver's license; order a

    commodity futures or option trade. Institutions that collect

    personal information from their affiliates and/or credit bureaus

    must include after the bulleted list the following statement: ``We

    also collect your personal information from others, such as credit

    bureaus, affiliates, or other companies.'' Institutions that do not

    collect personal information from their affiliates or credit bureaus

    but do collect information from other companies must include the

    following statement instead: ``We also collect your personal

    information from other companies.'' Only institutions that do not

    collect any personal information from affiliates, credit bureaus, or

    other companies can omit both statements.

    (4) ``Why can't I limit all sharing?'' Institutions that

    describe state privacy law provisions in the ``Other important

    information'' box must use the bracketed sentence: ``See below for

    more on your rights under state law.'' Other institutions must omit

    this sentence.

    (5) ``What happens when I limit sharing for an account I hold

    jointly with someone else?'' Only financial institutions that

    provide opt-out options must use this question. Other institutions

    must omit this question. Institutions must choose one of the

    following two statements to respond to this question: ``Your choices

    will apply to everyone on your account.'' or ``Your choices will

    apply to everyone on your account--unless you tell us otherwise.''

    Financial institutions that provide insurance products or services

    and elect to use the model form may substitute the word ``policy''

    for ``account'' in these statements.

    (b) General Instructions for the Definitions.

    The financial institution must customize the space below the

    responses to the three definitions in this section. This specific

    information must be in italicized lettering to set off the

    information from the standardized definitions.

    (1) Affiliates. As required by Sec. 248.6(a)(3) of this part,

    where [affiliate information] appears, the financial institution

    must:

    (i) If it has no affiliates, state: ``[name of financial

    institution] has no affiliates; ''

    (ii) If it has affiliates but does not share personal

    information, state: ``[name of financial institution] does not share

    with our affiliates; '' or

    (iii) If it shares with its affiliates, state, as applicable:

    ``Our affiliates include companies with a [common corporate identity

    of financial institution] name; financial companies such as [insert

    illustrative list of companies]; nonfinancial companies, such as

    [insert illustrative list of companies;] and others, such as [insert

    illustrative list].''

    (2) Nonaffiliates. As required by Sec. 248.6(c)(3) of this

    part, where [nonaffiliate information] appears, the financial

    institution must:

    (i) If it does not share with nonaffiliated third parties,

    state: ``[name of financial institution] does not share with

    nonaffiliates so they can market to you; '' or

    (ii) If it shares with nonaffiliated third parties, state, as

    applicable: ``Nonaffiliates we share with can include [list

    categories of companies such as mortgage companies, insurance

    companies, direct marketing companies, and nonprofit

    organizations].''

    (3) Joint Marketing. As required by Sec. 248.13 of this part,

    where [joint marketing] appears, the financial institution must:

    (i) If it does not engage in joint marketing, state: ``[name of

    financial institution] doesn't jointly market; '' or

    (ii) If it shares personal information for joint marketing,

    state, as applicable: ``Our joint marketing partners include [list

    categories of companies such as credit card companies].''

    (c) General instructions for the ``Other important information''

    box. This box is optional. The space provided for information in

    this box is not limited. Only the following types of information can

    appear in this box.

    (1) State and/or international privacy law information; and/or

    (2) Acknowledgment of receipt form.


    55. Amend Appendix B to Subpart A of part 248 as follows:


    A. Add a sentence to the beginning of the introductory text as set

    forth below.


    B. Effective January 1, 2012, remove Appendix B to Subpart A of part

    248.

    Appendix B to Subpart A of Part 248--Sample Clauses

    This Appendix only applies to privacy notices provided before

    January 1, 2011.

    * * * * *

    Dated: October 1, 2009.

    John C. Dugan,

    Comptroller of the Currency.

    By order of the Board of Governors of the Federal Reserve

    System, October 27, 2009.

    Robert deV. Frierson,

    Secretary of the Board.

    By Order of the Board of Directors.

    Dated at Washington, DC, this 23rd day of October, 2009.

    Federal Deposit Insurance Corporation.

    Robert E. Feldman,

    Executive Secretary.

    Dated: September 28, 2009.

    By the Office of Thrift Supervision.

    John E. Bowman,

    Acting Director.

    By the National Credit Union Administration Board on November

    10, 2009.

    Mary Rupp,

    Secretary of the Board.

    The Federal Trade Commission.

    Dated: September 25, 2009.

    By Direction of the Commission.

    Donald S. Clark,

    Secretary.

    Dated: September 21, 2009.

    David A. Stawick,

    Secretary of the Commodity Futures Trading Commission.

    Dated: November 16, 2009.

    By the Securities and Exchange Commission.

    Elizabeth M. Murphy,

    Secretary.

    [FR Doc. E9-27882 Filed 11-30-09; 8:45 am]

    BILLING CODE 6750-01-P

    Last Updated: December 1, 2009


