[Federal Register: December 30, 2003 (Volume 68, Number 249)]
[Proposed Rules]
[Page 75164-75174]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr30de03-22]

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Part 40

[Docket No. 03-27]

FEDERAL RESERVE SYSTEM

12 CFR Part 216

[Docket No. R-1173]

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Part 332

RIN 3064-AC77

DEPARTMENT OF THE TREASURY

Office of Thrift Supervision

12 CFR Part 573

[Docket No. 2003-62]
RIN 1550-AB86

NATIONAL CREDIT UNION ADMINISTRATION

12 CFR Part 716

FEDERAL TRADE COMMISSION

16 CFR Part 313

RIN 3084-AA94 Project No. 034815

COMMODITY FUTURES TRADING COMMISSION

17 CFR Part 160

RIN 3038-AC04

SECURITIES AND EXCHANGE COMMISSION

17 CFR Part 248

[Release Nos. 34-48966, IA-2206, IC-26316; File No. S7-30-03]
RIN 3235-AJ06


Interagency Proposal to Consider Alternative Forms of Privacy
Notices Under the Gramm-Leach-Bliley Act

AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC);
Office of Thrift Supervision, Treasury (OTS); Board of Governors of the
Federal Reserve System (Board); Federal Deposit Insurance Corporation
(FDIC); National Credit Union Administration (NCUA); Federal Trade
Commission (FTC); Commodity Futures Trading Commission (CFTC); and
Securities and Exchange Commission (SEC).

ACTION: Advance notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The OCC, OTS, Board, FDIC, NCUA, FTC, CFTC, and SEC (the
Agencies) are requesting comment on whether the Agencies should
consider amending the regulations that implement sections 502 and 503
of the Gramm-Leach-Bliley Act (GLB Act) to allow or require financial
institutions to provide alternative types of privacy notices, such as a
short privacy notice, that would be easier for consumers to understand.

DATES: Comments must be submitted on or before March 29, 2004.

ADDRESSES: Because the Agencies will jointly review all of the comments
submitted, interested parties may send comments to any of the Agencies
and need not send comments (or copies) to all of the Agencies.
Commenters that submit trade secrets or confidential commercial or
financial information may request confidential treatment of that
information in accordance with the Freedom of Information Act (5 U.S.C.
552) and the Agencies' respective regulations regarding availability of
information. Because paper mail in the Washington area and at the
Agencies is subject to delay, please consider submitting your comments
by e-mail. Commenters are encouraged to use the title ``Alternative
Forms of Privacy Notices'' to facilitate the organization and
distribution of comments among the Agencies. Interested parties are
invited to submit written comments to:
    Office of the Comptroller of the Currency: Public Information Room,
Office of the Comptroller of the Currency, 250 E Street, SW., Mail stop
1-5, Washington, DC 20219, Attention: Docket No. 03-27, Fax number
(202) 874-4448 or Internet address: regs.comments@occ. treas.gov.
Comments may be inspected and photocopied at the OCC's Public
Information Room, 250 E Street, SW., Washington, DC. You can make an
appointment to inspect the comments by calling (202) 874-5043.
    Office of Thrift Supervision: Send comments to Regulation Comments,
Chief Counsel's Office, Office of Thrift Supervision, 1700 G Street,
NW., Washington, DC 20552, Attention: No. 2003-62. Delivery: Hand
deliver comments to the Guard's Desk, East Lobby Entrance, 1700 G
Street, NW., from 9 a.m. to 4 p.m. on business days, Attention:
Regulation Comments, Chief Counsel's Office, Attention: No. 2003-62.
Facsimiles: Send facsimile transmissions to FAX Number (202) 906-6518,
Attention: No. 2003-62. E-

[[Page 75165]]

Mail: Send e-mails to regs.comments@ots. treas.gov, Attention: No.
2003-62 and include your name and telephone number. Due to temporary
disruptions in mail service in the Washington, DC area, commenters are
encouraged to send comments by fax or e-mail, if possible. Availability
of comments: OTS will post comments and the related index on the OTS
Internet Site at  href="http://frwebgate.access.gpo.gov/cgi-bin/leaving.cgi?from=leavingFR.html&log==linklog&to=http://www.ots.treas.gov" shape="rect">http://www.ots.treas.gov. In addition, you may inspect

comments at the Public Reading Room, 1700 G Street, NW., by
appointment. To make an appointment for access, call (202) 906-5922,
send an e-mail to public.info@ots. treas.gov, or send a facsimile
transmission to (202) 906-7755. (Please identify the materials you
would like to inspect to assist us in serving you.) We schedule
appointments on business days between 10 a.m. and 4 p.m. In most cases,
appointments will be available the business day after the date we
receive a request.
    Board of Governors of the Federal Reserve System: Comments should
refer to Docket No. R-1173 and may be mailed to Ms. Jennifer J.
Johnson, Secretary, Board of Governors of the Federal Reserve System,
20th Street and Constitution Avenue, NW., Washington, DC 20551. Please
federalreserve.gov, or faxing them to the Office of the Secretary at
(202) 452-3819 or (202) 452-3102. Members of the public may inspect
comments in Room MP-500 between 9 a.m. and 5 p.m. on weekdays pursuant
to section 261.12, except as provided in section 261.14, of the Board's
Rules Regarding Availability of Information, 12 CFR 261.12 and 261.14.
    Federal Deposit Insurance Corporation: Send written comments to
Robert E. Feldman, Executive Secretary, Attention: Comments/Executive
Secretary Section, Federal Deposit Insurance Corporation, 550 17th
Street, NW., Washington, DC 20429. Comments also may be mailed
electronically to comments@fdic.gov. Comments may be hand delivered to
the guard station at the rear of the 17th Street building (located on F
Street) on business days between 7 a.m. and 5 p.m.; Fax Number (202)
898-3838. Comments may be inspected and photocopied in the FDIC Public
Information Center, Room 100, 801 17th Street, NW., Washington, DC
20429, between 9 a.m. and 5 p.m. on business days.
    National Credit Union Administration: Comments should be directed
to Becky Baker, Secretary of the Board. Mail or hand deliver comments
to: National Credit Union Administration, 1775 Duke Street, Alexandria,
VA 22314-3428. You are encouraged to fax comments to (703) 518-6319 or
please send comments by one method only.
    Federal Trade Commission: Comments should refer to ``Alternative
Forms of Privacy Notices, Project No. P034815.'' Comments filed in
paper form should be mailed or delivered to: Federal Trade Commission/
Office of the Secretary, Room 159-H, 600 Pennsylvania Avenue, NW.,
Washington, DC 20580. Comments filed in electronic form (in ASCII
format, WordPerfect, or Microsoft Word) should be sent to:
GLBnotices@ftc.gov. If the comment contains any material for which
confidential treatment is requested, it must be filed in paper (rather
than electronic) form, and the first page of the document must be
clearly labeled ``Confidential.'' \1\ Regardless of the form in which
they are filed, the Commission will consider all timely comments, and
will make the comments available (with confidential material redacted)
for public inspection and copying at the Commission's principal office
and on the Commission Web site at  href="http://frwebgate.access.gpo.gov/cgi-bin/leaving.cgi?from=leavingFR.html&log==linklog&to=http://www.ftc.gov" shape="rect">http://www.ftc.gov. As a matter of

discretion, the Commission makes every effort to remove home contact
information for individuals from the public comments it receives before
placing those comments on the FTC Web site.
---------------------------------------------------------------------------

    \1\ Commission Rule 4.2(d), 16 CFR 4.2(d). The comment must also
be accompanied by an explicit request for confidential treatment,
including the factual and legal basis for the request, and must
identify the specific portions of the comment to be withheld from
the public record. The request will be granted or denied by the
Commission's General Counsel, consistent with applicable law and the
public interest. See Commission Rule 4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------

    Commodity Futures Trading Commission: Comments should be directed
to Jean A. Webb, Secretary, Commodity Futures Trading Commission, Three
Lafayette Centre, 1155 21st Street, NW., Washington, DC 20581. Comments
may be sent by facsimile transmission to (202) 418-5528 or by e-mail to
secretary@cftc.gov.
    Securities and Exchange Commission: To help us process and review
your comments more efficiently, comments should be sent by hard copy or
e-mail, but not by both methods. Comments sent by hard copy should be
submitted in triplicate to Jonathan G. Katz, Secretary, Securities and
Exchange Commission, 450 5th Street, NW., Washington, DC 20549-0609.
Comments may also be submitted electronically at the following e-mail
address: rule-comments@sec.gov. All comment letters should refer to
File No. S7-30-03. This file number should be included on the subject
line if e-mail is used. Comment letters will be available for public
inspection and copying in the Commission's Public Reference Room, 450
5th Street, NW., Washington, DC 20549. All comments received will be
posted on the Commission's Internet Web site ( href="http://frwebgate.access.gpo.gov/cgi-bin/leaving.cgi?from=leavingFR.html&log=linklog&to=http://www.sec.gov" shape="rect">http://www.sec.gov) and

made available for public inspection and copying in the Commission's
Public Reference Room, 450 Fifth Street, NW., Washington, DC 20549.\2\
---------------------------------------------------------------------------

    \2\ The FDIC and SEC do not edit personal, identifying
information such as names or e-mail addresses from electronic
submissions. Submit only information you wish to make publicly
available.

FOR FURTHER INFORMATION CONTACT:
    OCC: Amy Friend, Assistant Chief Counsel, (202) 874-5200; Stephen
Van Meter, Assistant Director, Community and Consumer Law Division,
(202) 874-5750; or Heidi Thomas, Special Counsel, Legislative and
Regulatory Activities Division, (202) 874-5090.
    OTS: Elizabeth C. Baltierra, Program Analyst (Compliance)
Compliance Policy, (202) 906-6540; or Paul Robin, Special Counsel,
Regulations and Legislation Division, (202) 906-6648.
    Board: Thomas E. Scanlon, Counsel, Legal Division, (202) 452-3594;
Minh-Duc T. Le or Ky Tran-Trong, Senior Attorneys, Division of Consumer
and Community Affairs, (202) 452-3667.
    FDIC: April A. Breslaw, Chief, Compliance Section, (202) 898-6609;
David P. Lafleur, Policy Analyst, Division of Supervision and Consumer
Protection, (202) 898-6569; Ruth R. Amberg, Senior Counsel, (202) 898-
3736, or Robert A. Patrick, Counsel, Legal Division, (202) 898-3757.
    NCUA: Regina Metz, Staff Attorney, (703) 518-6561, or Ross Kendall,
Staff Attorney, Office of General Counsel, (703) 518-6562.
    FTC: Toby Milgrom Levin, Senior Attorney, (202) 326-3713, or
Loretta Garrison, Senior Attorney, (202) 326-3043.
    CFTC: Laura Richards, Senior Assistant General Counsel, (202) 418-
5126, or David B. Jacobsohn, Counsel, (202) 418-5161, Office of the
General Counsel.
    SEC: Brian Baysinger, Special Counsel, Office of Chief Counsel,
Division of Market Regulation, (202) 942-0073; or Penelope Saltzman,
Senior Counsel, Division of Investment Management, (202) 942-0690.

SUPPLEMENTARY INFORMATION:

I. Background

    Subtitle A of title V of the GLB Act, captioned Disclosure of
Nonpublic

[[Page 75166]]

Personal Information (codified at 15 U.S.C. 6801 et seq.), requires
each financial institution to provide a notice of its privacy policies
and practices to its consumer customers. In general, the privacy
notices must describe a financial institution's policies and practices
with respect to disclosing nonpublic personal information about a
consumer to both affiliated and nonaffiliated third parties and provide
a consumer a reasonable opportunity to direct the institution not to
share nonpublic personal information about the consumer with
nonaffiliated third parties. The privacy notice must also provide,
where applicable under the Fair Credit Reporting Act (FCRA), a notice
and an opportunity for a consumer to opt out of the sharing of certain
information among affiliates.\3\
---------------------------------------------------------------------------

    \3\ 15 U.S.C. 1681a(d)(2)(A)(iii) (FCRA); 15 U.S.C. 6803(b)(4)
(GLB Act).
---------------------------------------------------------------------------

    The Agencies have published consistent final regulations that
implement the privacy provisions of the GLB Act (collectively referred
to as ``the privacy rule'').\4\ The privacy rule requires a financial
institution to include in its privacy notices specific items of
information, such as the categories of nonpublic personal information
that the institution collects and the categories of third parties to
which the institution may disclose the information. The rule contains
sample clauses that institutions may use in privacy notices. The rule
does not, however, prescribe any specific format or standardized
wording for these notices. Instead, institutions may design their own
notices based on their individual practices provided they are
consistent with the law and meet the ``clear and conspicuous'' standard
in the rule.
---------------------------------------------------------------------------

    \4\ 12 CFR part 40 (OCC); 12 CFR part 216 (Board); 12 CFR part
332 (FDIC); 12 CFR part 573 (OTS); 12 CFR part 716 (NCUA); 16 CFR
part 313 (FTC); 17 CFR part 160 (CFTC); and 17 CFR part 248 (SEC).
---------------------------------------------------------------------------

    Financial institutions first were required to distribute privacy
notices to their customers by July 1, 2001. Many privacy notices in
this initial effort were long and complex. Moreover, because the
privacy rule allows institutions flexibility in designing their privacy
notices, notices have been difficult to compare, even among financial
institutions with identical privacy policies.
    In response to broad-based concerns expressed by representatives of
financial institutions, consumers, privacy advocates, and Members of
Congress, the Agencies conducted a workshop in December 2001 to provide
a forum to consider how financial institutions could provide more
useful privacy notices to consumers. The workshop featured panel
presentations by financial institutions, consumer advocates, and
communications experts, and highlighted key communication principles to
improve the notices. A number of institutions, particularly those with
complex information-sharing practices, described the challenges they
faced in explaining their practices and the choices available to
consumers in a simple fashion while meeting all of the legal
requirements for notice. Some institutions described results of
consumer testing and efforts to make their privacy notices clearer and
more useful to consumers.
    A number of financial institutions have since sought to improve
their notices. Additionally, some industry groups have been working to
formulate short, consumer-friendly notices that could accompany the
longer, legally mandated notices under the rule. The Agencies applaud
the efforts by consumer advocates and industry to improve privacy
notices to make them more readable and useful to consumers.
    To encourage and facilitate the efforts already underway, the
Agencies are considering proposing amendments to the privacy rule to
provide for privacy notices that are more understandable and useful to
consumers. The Agencies believe that this effort could benefit
significantly from the breadth and depth of experience that many
institutions have gained over the past two years in designing privacy
notices, as well as the expertise of communications experts and the
input of consumer organizations and comments from the public.
Accordingly, the Agencies seek comment on a wide range of issues
associated with the format, elements, and language used in privacy
notices that would make the notices more accessible, readable, and
useful. The Agencies also solicit examples of forms, model clauses, and
other information, such as applicable research that has been conducted
in this area, that may provide concrete illustrations or evidence to
assist the Agencies in considering whether and how to develop various
proposals.\5\
---------------------------------------------------------------------------

    \5\ As stated above, the Agencies will jointly review all of the
comments submitted, including those comments submitted to only one
agency. Commenters may request confidential treatment of any trade
secrets and commercial or financial information that is privileged
or confidential information provided to the Agencies in accordance
with the Freedom of Information Act (5 U.S.C. 552) and the Agencies'
respective regulations regarding availability of information. 12 CFR
part 4, subparts B and C (OCC); 12 CFR part 505 (OTS); 12 CFR part
261, subparts A and B (Board); 12 CFR part 309 (FDIC); 12 CFR 792.29
(NCUA); 16 CFR 4.10 (FTC); 17 CFR 145.9 (Petition for Confidential
Treatment) (CFTC); 17 CFR part 200, subpart D (SEC).
---------------------------------------------------------------------------

    Some of the terms and examples used in this Advance Notice of
Proposed Rulemaking (ANPR) and sample notices are not suitable for
credit unions, which have an organizational and operational structure
that is different than other financial institutions. For example, the
term customer, in the context of credit unions, generally will mean
member, and while credit unions may form subsidiaries, they do not
establish corporate affiliations like other financial institutions.
Nevertheless, because of the predominance of issues that are common to
all types of financial institutions, the NCUA believes its
participation is important at this ANPR stage, whether or not it
ultimately determines to publish a separate, but consistent and
comparable, rule for credit unions.
    Based on the information collected for this ANPR, including
information collected through independent research conducted by the
Agencies, the Agencies will determine whether to propose changes to the
privacy rule and, if so, will seek further public comment on specific
proposals. The Agencies expect that consumer testing would be a key
component in the development of any specific proposals.

II. General Considerations for Improving Privacy Notices

    The Agencies are considering developing a range of alternative
proposals for public comment to improve the privacy notices that
financial institutions must provide to consumers under the GLB Act. The
primary matter the Agencies are now considering is whether to develop a
model privacy notice that would be short and simple. In order to
illustrate, generally, this type of short notice and to spur specific
suggestions for additional ideas that the Agencies should consider, a
few of the potential alternative approaches are summarized below. These
alternatives are also intended to help frame a number of important
questions beyond the design of a short notice, such as whether all
financial institutions should be required to use the same form of
notice and whether a short notice could be a substitute for or should
be a supplement to a longer, more detailed notice. The sample notices
included in the appendices do not reflect a determination by the
Agencies that any of these notices would be satisfactory under the
privacy rule or for any particular financial institution. The Agencies
note that these alternatives have not been developed as a result of
specific research or consumer testing and are not being proposed for

[[Page 75167]]

adoption. The Agencies specifically invite suggestions for other
approaches to improve the readability and usefulness of privacy notices
as set out in section III.
    As an initial matter, the Agencies request comment on whether to
pursue the development of a short privacy notice. The Agencies note
that, should they do so, there are several ways the Agencies could
exercise their authority for developing a short notice, and the
Agencies have not settled on any single approach. The Agencies could,
for example, explore whether an interagency interpretation of the
privacy rule, perhaps with model forms or language, would promote the
development of privacy notices that are more understandable and useful
to consumers. Similarly, the Agencies could develop a set of guidelines
or best practices that would enable financial institutions to improve
their privacy notices, or the Agencies could propose amendments to the
privacy rule. The Agencies request comment on what approaches would be
most useful to consumers while taking into consideration the burden on
financial institutions.
    The Agencies have identified the following approaches to simplify
the privacy notices for consideration by commenters. One approach would
be for the Agencies to develop a specific format and standardized
language for a short notice that highlights key elements of an
institution's privacy policy. For instance, a short notice could
describe the types of nonpublic personal information an institution
collects, the institution's policies for sharing that information with
third parties, and a description of how consumers can opt out of
information sharing. Like a nutrition label, a standardized notice
would permit consumers easily to compare these elements of the privacy
policies of different institutions and to become familiar with the
standardized format and text. This type of form could include a
description of how the consumer could obtain a longer, detailed privacy
notice or be provided in combination with a longer, detailed privacy
notice. An example illustrating this kind of format and language for a
short notice appears in Appendix A.
    In a similar approach, the Agencies could develop a short notice
with a specific format and standardized language that would be designed
to address all of the relevant elements listed in the GLB Act and the
privacy rule. Such a notice would permit consumers to compare all
relevant elements listed under federal law of the privacy policies of
different institutions. However, since information sharing practices
may vary, a financial institution may need flexibility in describing
the categories of affiliated and nonaffiliated parties to whom it
discloses nonpublic personal information. An example illustrating this
kind of format and language appears in Appendix B and the categories of
parties that may be modified by a financial institution appear in
brackets.
    Another approach to simplifying privacy notices would involve
establishing a standardized format for privacy notices, but allowing
financial institutions to provide their own descriptions of their
privacy policies and practices. This potential approach may simplify
privacy notices and make them more accessible for consumers, yet would
permit each financial institution to tailor the language in the notice
to suit its own privacy policies and practices. An example of a
standardized format is included in Appendix C. Alternatively, the
Agencies could prescribe standardized language that a financial
institution would use to design its own notice without a format
specified by the privacy rule. Standardized language may facilitate
comparisons among financial institutions' policies and describe key
consumer rights so that consumers could become familiar with
circumstances under which information about them may be disclosed to
third parties.
    Another approach would be to focus attention on the consumer's
right to opt out of disclosures available under the institution's
privacy policies. For example, the opt-out notice could be provided by
itself, with a statement that the institution's privacy policy is
available on request. Alternatively, a description of the consumer's
opt out right and how it could be exercised could be provided on the
first page of a financial institution's privacy notice. The Agencies
could prescribe the language, and its placement so as to ensure
prominence and readability, but not require any further standardization
of privacy notices. An example of this type of notice is included in
Appendix D.
    Detailed descriptions of ways to improve privacy notices, such as
examples of language that may be used, illustrations of formats, and
references to the particular requirements of the privacy rule that may
need to be amended, will assist the Agencies in learning about and
evaluating particular proposals. This ANPR outlines several potential
approaches. The Agencies invite comment on the advantages and
disadvantages of these approaches. Also, the Agencies request comment
on any other approach the Agencies should consider.

III. Request for Comments

    Any change in the privacy rule to provide for short notices raises
a number of issues. In addition to comment on the various approaches
discussed above or illustrated in the appendices, the Agencies request
comment and supporting research and documentation on other matters that
may be raised by the implementation of a short privacy notice. In
particular, the Agencies invite comment on the following questions and
supporting documentation where available:

A. Goals of a Privacy Notice

    1. What should be the goals of a privacy notice? What goals are
most important?
    2. Should the Agencies pursue the development of a short notice to
achieve these goals?
    3. Are there any special issues for the Agencies to consider in
developing a short privacy notice that may arise from potential
differences between federal and state law requirements?
    4. In what ways should a privacy notice be useful to a consumer?
Please identify those ways that are the most or least important.

    a. To permit ready comparison among different institutions' privacy
policies?
    b. To provide sufficient information to make an informed decision
about whether to opt out?
    c. To highlight the consumer's right to opt out?
    d. To provide convenient mechanisms for the consumer to opt out?
    e. To provide a mechanism for the consumer to opt out in the same
medium used to provide the privacy notice?
    f. Other ways?

B. Elements of a Privacy Notice

    1. What are the key elements of a privacy policy that a short
notice should contain?
    2. Are these key elements the same from the perspective of
institutions and consumers? If not, explain the differences and why.
    3. Is there an optimal number of elements (beyond which would be
too many) to include in a short notice?
    4. Should a short privacy notice contain, at a minimum, all of the
relevant elements listed in the GLB Act and the privacy rule? If not,
should it include a statement advising the consumer that an
institution's complete privacy policy will be provided upon request?

[[Page 75168]]

    5. Should certain elements, such as a description of a consumer's
opt-out rights (if applicable), be given prominence or be presented in
a certain order?
    6. Should statements describing information sharing practices not
subject to a consumer's right to opt-out, such as whether a financial
institution discloses information to nonaffiliated financial
institutions under joint marketing agreements for financial products or
services, be highlighted in the short notice?

C. Language of a Privacy Notice

    1. Are there particular ``privacy'' terms or words that consumers
readily understand that should be included in a short notice? Should
any terms or language currently used in notices be avoided?
    2. Should a financial institution be required to use standardized
clauses in a short notice?
    3. Rather than using standardized language, should a financial
institution be permitted to develop its own language in a short notice
so long as the short notice incorporates specified items of
information?

D. Format of a Privacy Notice

    1. Should the Agencies develop a standardized graphic design for a
short notice that financial institutions would use? If so, what graphic
design would be most suitable for the format of a short notice?
    2. Based on experiences with the current privacy notices or tests
that have been conducted in this area, what alternative forms of notice
are likely to be useful to consumers and/or to financial institutions?
    3. Is there a suggested length for a short privacy notice? Is there
a suggested length for phrases or sentences within a short notice?
    4. Are there suggestions for overall design of the notice,
including layout, use of color, graphic devices, font(s), and size(s)
of the text in the notice?
    5. If a financial institution does not disclose information to
third parties that would be subject to a consumer's right to opt out
(under either the FCRA or the GLB Act), what form should the privacy
notice take?
    6. Should an institution be allowed to modify its short privacy
notice to include elements that may be required under state laws? If
so, then how can a short notice be designed to include those elements?

E. Mandatory or Permissible Aspects of a Privacy Notice

    1. Should use of a short notice be mandatory for all financial
institutions?
    2. Should use of standardized language and/or format for a short
notice be mandatory for all financial institutions? Or should each
institution be permitted to create its own short notice following
agency guidelines?
    3. If a short notice is standardized, should only part(s) of the
notice be mandatory, and, if so, what part(s)? Or should all of a
standardized short notice be mandatory?
    4. If use of standardized part(s), such as standardized clauses, is
not required, should the Agencies create a safe harbor from
administrative enforcement for financial institutions that use the
standardized parts in their notices (or a whole, standardized notice)?
    5. Should an institution be required or permitted to deliver both a
short notice and a long notice?
    6. Financial institutions that generally do not share information
with third parties--such as those that do not have any affiliates and
do not share information in a manner that is subject to a consumer's
right to opt out under the FCRA or the GLB Act and do not engage in
joint marketing agreements--currently may have abbreviated and simple
notices. If a short notice is mandated, should the Agencies make an
exception to allow these institutions to continue to use the simple,
abbreviated notices they currently use? Alternatively, should the
Agencies prescribe a special short notice for these institutions to
use?
    7. Some financial institutions offer consumers choices to opt out
of information-sharing arrangements that are not mandated by either the
FCRA or the GLB Act, such as the ability to opt out of an institution's
own marketing or joint marketing arrangements with nonaffiliated
financial institutions for financial products or services. If a short
notice is mandated, should the Agencies allow these institutions to
include in the short notice information about these additional choices
to opt out?
    8. Should the Agencies allow financial institutions to include
other information that relates to their privacy policies and practices
in their short notices? For instance, should a financial institution
that shares information with affiliates for marketing purposes only if
a customer opts in to the sharing be permitted to include this
information in a short notice?

F. Costs and Benefits of a Short Notice

    With respect to consumers or financial institutions, or both:
    1. What are the costs and benefits of providing a short notice and
how do they compare with the requirements under the current privacy
rule?
    2. How, if at all, do the costs and benefits of a short notice
depend on:
    a. Whether the notice is mandatory or permissible?
    b. Whether the format of the notice is standardized? On whether the
language is standardized?
    c. Whether the use of a short notice requires financial
institutions to make supplemental privacy information available upon
request?

G. Additional Information

    1. Are there any models or samples of notices that work
particularly well with consumers that the Agencies should consider?
Provide any samples and research or supporting documentation.
    2. Provide the results and supporting research or documentation of
any consumer testing that has been conducted in this area.
    3. What processes or types of consumer testing should the Agencies
use to evaluate standardized terms or language, formats for notices,
and short notices?
    4. If the Agencies adopt an alternative form of notice, should
consumer education accompany introduction of the new type of notice? If
so, what type of consumer education would be effective?

IV. Conclusion

    In the event that the Agencies decide to proceed, the Agencies
expect to do so through proposed rulemaking. In addition to evaluating
the comments submitted in response to this ANPR, the Agencies
contemplate that consumer testing would be an important element of the
development of any alternative type of privacy notice.

    By Order of the Board of Directors.

    Dated at Washington, DC, this 2nd day of December, 2003. Federal
Deposit Insurance Corporation.
Robert E. Feldman,
Executive Secretary.

    By the National Credit Union Administration Board on December
18, 2003.
Becky Baker,
Secretary of the Board.


[[Page 75169]]


    Dated: December 22, 2003.
By the Securities and Exchange Commission.
Margaret H. McFarland,
Deputy Secretary.

    Dated: December 8, 2003.
By the Office of Thrift Supervision,
James E. Gilleran,
Director.

    Dated: December 18, 2003.
Jean A. Webb,
Secretary of the Commodity Futures Trading Commission.

    Dated: November 14, 2003.
John D. Hawke, Jr.,
Comptroller of the Currency.

    Dated: December 17, 2003.
By Direction of the Commission.
Donald S. Clark,
Secretary.

    By order of the Board of Governors of the Federal Reserve
System, December 22, 2003.
Jennifer J. Johnson,
Secretary of the Board.
BILLING CODE 4810-33-P; 6210-01-P; 6714-01-P; 6720-01-P; 7535-01-P;
6750-01-P; 6351-01-P; 8010-01-P

[[Page 75170]]

[GRAPHIC] [TIFF OMITTED] TP30DE03.000


[[Page 75171]]


[GRAPHIC] [TIFF OMITTED] TP30DE03.001


[[Page 75172]]


[GRAPHIC] [TIFF OMITTED] TP30DE03.002


[[Page 75173]]


[GRAPHIC] [TIFF OMITTED] TP30DE03.003


[[Page 75174]]


[GRAPHIC] [TIFF OMITTED] TP30DE03.004

[FR Doc. 03-31992 Filed 12-29-03; 8:45 am]

BILLING CODE 4810-33-C