[Federal Register: March 29, 2007 (Volume 72, Number 60)]

[Proposed Rules]

[Page 14939-15000]

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

[DOCID:fr29mr07-31]

[[Page 14939]]

-----------------------------------------------------------------------

Part III

Department of the Treasury

Office of the Comptroller of the Currency

12 CFR Part 40

-----------------------------------------------------------------------

Office of Thrift Supervision

12 CFR Part 573

-----------------------------------------------------------------------

Federal Reserve System

12 CFR Part 216

-----------------------------------------------------------------------

Federal Deposit Insurance Corporation

12 CFR Part 332

-----------------------------------------------------------------------

National Credit Union Administration

12 CFR Part 716

-----------------------------------------------------------------------

Federal Trade Commission

16 CFR Part 313

-----------------------------------------------------------------------

Commodity Futures Trading Commission

17 CFR Part 160

-----------------------------------------------------------------------

Securities and Exchange Commission

17 CFR Part 248

-----------------------------------------------------------------------

Interagency Proposal for Model Privacy Form Under the Gramm-Leach-

Bliley Act; Proposed Rule

[[Page 14940]]

-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Part 40

[Docket ID OCC-2007-0003]

RIN 1557-AC80

FEDERAL RESERVE SYSTEM

12 CFR Part 216

[Docket No. R-1280]

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Part 332

RIN 3064-AD16

DEPARTMENT OF THE TREASURY

Office of Thrift Supervision

12 CFR Part 573

[Docket ID OTS-2007-0005]

RIN 1550-AC12

NATIONAL CREDIT UNION ADMINISTRATION

12 CFR Part 716

RIN 3133-AC84

FEDERAL TRADE COMMISSION

16 CFR Part 313

[Project No. 034815]

RIN 3084-AA94

COMMODITY FUTURES TRADING COMMISSION

17 CFR Part 160

RIN 3038-AC04

SECURITIES AND EXCHANGE COMMISSION

17 CFR Part 248

[Release Nos. 34-55497, IA-2598, IC-27755; File No. S7-09-07]

RIN 3235-AJO6

Interagency Proposal for Model Privacy Form Under the Gramm-

Leach-Bliley Act

AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC);

Board of Governors of the Federal Reserve System (Board); Federal

Deposit Insurance Corporation (FDIC); Office of Thrift Supervision,

Treasury (OTS); National Credit Union Administration (NCUA); Federal

Trade Commission (FTC); Commodity Futures Trading Commission (CFTC);

and Securities and Exchange Commission (SEC).

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: The OCC, Board, FDIC, OTS, NCUA, FTC, CFTC, and SEC (the

Agencies) are proposing amendments to their rules that implement the

privacy provisions of the Gramm-Leach-Bliley Act (GLB Act), Title V,

Subtitle A. These rules require financial institutions to provide

initial and annual privacy notices to their customers. As required

under section 728 of the Financial Services Regulatory Relief Act of

2006 (Regulatory Relief Act or Act), the Agencies are proposing a safe

harbor model privacy form that financial institutions may use to

provide disclosures under the privacy rules. Institutions that use

notices based on the Sample Clauses currently contained in most of the

privacy rules would lose the benefit of a safe harbor for compliance

with respect to those notices if they are provided more than one year

following the date of publication of a final rule. Similarly,

institutions that use notices based on the Sample Clauses in the SEC's

privacy rule could no longer rely on the guidance provided with respect

to those notices if they are provided more than one year following the

date of publication of a final rule.

DATES: Comments must be submitted on or before May 29, 2007.

For information regarding the effective dates of the provisions

proposed in this document, see the discussion under "Proposed

Effective Dates" in the SUPPLEMENTARY INFORMATION section.

ADDRESSES: Because the Agencies will jointly review all of the comments

submitted, interested parties may send comments to any of the Agencies

and need not send comments (or copies) to all of the Agencies.

Commenters are encouraged to use the title "Model Privacy Form" to

facilitate the organization and distribution of comments among the

Agencies. Interested parties are invited to submit written comments to:

Office of the Comptroller of the Currency: You may submit comments

by any of the following methods:

Federal eRulemaking Portal--"Regulations.gov": Go to

http://www.regulations.gov, select "Comptroller of the Currency" from

the agency drop-down menu, then click "Submit." In the "Docket ID"

column, select "OCC-2007-0003" to submit or view public comments and

to view supporting and related materials for this notice of proposed

rulemaking. The "User Tips" link at the top of the Regulations.gov

home page provides information on using Regulations.gov, including

instructions for submitting or viewing public comments, viewing other

supporting and related materials, and viewing the docket after the

close of the comment period.

Mail: Office of the Comptroller of the Currency, 250 E

Street, SW., Mail Stop 1-5, Washington, DC 20219.

Hand Delivery/Courier: 250 E Street, SW., Attn: Public

Information Room, Mail Stop 1-5, Washington, DC 20219.

Instructions: You must include "OCC" as the agency name and

"Docket Number OCC-2007-0003" in your comment. In general, OCC will

enter all comments received into the docket and publish them on

Regulations.gov without change, including any business or personal

information that you provide such as name and address information, e-

mail addresses, or phone numbers. Comments, including attachments and

other supporting materials, received are part of the public record and

subject to public disclosure. Do not enclose any information in your

comment or supporting materials that you consider confidential or

inappropriate for public disclosure.

You may review comments and other related materials by any of the

following methods:

Viewing Comments Electronically: Go to http://www.regulations.gov,

select "Comptroller of the Currency" from the

agency drop-down menu, then click "Submit." In the "Docket ID"

column, select "OCC-2007-0003" to view public comments for this

notice of proposed rulemaking.

Viewing Comments Personally: You may personally inspect

and photocopy comments at the OCC's Public Information Room, 250 E

Street, SW., Washington, DC. You can make an appointment to inspect

comments by calling (202) 874-5043.

Docket: You may also view or request available background

documents and project summaries using the methods described above.

Board of Governors of the Federal Reserve System: You may submit

comments, identified by Docket No. R-1280, by any of the following

methods:

Agency Web Site: http://www.federalreserve.gov. Follow the instructions for submitting comments at http://www.federalreserve.gov/.

[[Page 14941]]

Federal eRulemaking Portal: http://www.regulations.gov.

Follow the instructions for submitting comments.

number in the subject line of the message.

Fax: 202/452-3819 or 202/452-3102.

Mail: Jennifer J. Johnson, Secretary, Board of Governors

of the Federal Reserve System, 20th Street and Constitution Avenue,

NW., Washington, DC 20551.

All public comments are available from the Board's Web site at

http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as

submitted, unless modified for technical reasons. Accordingly, your

comments will not be edited to remove any identifying or contact

information. Public comments may also be viewed electronically or in

paper in Room MP-500 of the Board's Martin Building (20th and C

Streets, NW.,) between 9 a.m. and 5 p.m. on weekdays.

FDIC: You may submit comments by any of the following methods:

Agency Web Site: http://www.fdic.gov/regulations/laws/federal.

Follow instructions for submitting comments on the Agency Web Site.

E-mail: Comments@FDIC.gov. Include "Model Privacy Form" in the

subject line of the message.

Mail: Robert E. Feldman, Executive Secretary, Attention: Comments,

Federal Deposit Insurance Corporation, 550 17th Street, NW.,

Washington, DC 20429.

Hand Delivery/Courier: Guard station at the rear of the 550 17th

Street Building (located on F Street) on business days between 7 a.m.

and 5 p.m. (EST).

Federal eRulemaking Portal: http://www.regulations.gov. Follow the

instructions for submitting comments.

Public Inspection: All comments received will be posted without

change to http://www.fdic.gov/regulations/laws/federal including any

personal information provided. Comments may be inspected and

photocopied in the FDIC Public Information Center, 3501 North Fairfax

Drive, Room E-1002, Arlington, VA 22226, between 9 a.m. and 5 p.m.

(EST) on business days. Paper copies of public comments may be ordered

from the Public Information Center by telephone at (877) 275-3342 or

(703) 562-2200.

Office of Thrift Supervision: You may submit comments, identified

by OTS-2007-0005, by any of the following methods:

Federal eRulemaking Portal: Go to http://www.regulations.gov,

select "Office of Thrift Supervision" from the

agency drop-down menu, then click submit. Select Docket ID "OTS-2007-

0005" to submit or view public comments and to view supporting and

related materials for this notice of proposed rulemaking. The "User

Tips" link at the top of the page provides information on using

Regulations.gov, including instructions for submitting or viewing

public comments, viewing other supporting and related materials, and

viewing the docket after the close of the comment period.

Mail: Regulation Comments, Chief Counsel's Office, Office

of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552,

Attention: OTS-2007-0005.

Hand Delivery/Courier: Guard's Desk, East Lobby Entrance,

1700 G Street, NW., from 9 a.m. to 4 p.m. on business days, Attention:

Regulation Comments, Chief Counsel's Office, Attention: OTS-2007-0005.

Instructions: All submissions received must include the agency name

and docket number for this rulemaking. All comments received will be

entered into the docket and posted on Regulations.gov without change,

including any personal information provided. Comments, including

attachments and other supporting materials received are part of the

public record and subject to public disclosure. Do not enclose any

information in your comment or supporting materials that you consider

confidential or inappropriate for public disclosure.

Viewing Comments Electronically: Go to http://www.regulations.gov,

select "Office of Thrift Supervision" from the agency drop-down menu,

then click "Submit." Select Docket ID "OTS-2007-0005" to view

public comments for this notice of proposed rulemaking.

Viewing Comments On-Site: You may inspect comments at the Public

Reading Room, 1700 G Street, NW., by appointment. To make an

appointment for access, call (202) 906-5922, send an e-mail to

public.info@ots.treas.gov, or send a facsimile transmission to (202)

906-6518. (Prior notice identifying the materials you will be

requesting will assist us in serving you.) We schedule appointments on

business days between 10 a.m. and 4 p.m. In most cases, appointments

will be available the next business day following the date we receive a

request.

National Credit Union Administration: Comments should be directed

to Mary Rupp, Secretary of the Board. You may submit comments by any of

the following methods (Please send comments by one method only):

Federal eRulemaking Portal: http://www.regulations.gov.

Follow the instructions for submitting comments.

NCUA Web Site: http://www.ncua.gov/news/proposed_regs/proposed_regs.html.

Follow the instructions for submitting comments.

E-mail: Address to regcomments@ncua.gov. Include "[Your

name] Comments on Proposed Rule Part 716 (Model Form for Privacy

Notice)" in the e-mail subject line.

Fax: (703) 518-6319. Use the subject line described above

for e-mail.

Mail: Address to Mary Rupp, Secretary of the Board,

National Credit Union Administration, 1775 Duke Street, Alexandria,

Virginia 22314-3428.

Hand Delivery/Courier: Same as mail address.

Federal Trade Commission: All persons are invited to submit written

comments. Comments should refer to "Model Privacy Form, FTC File No.

P034815" to facilitate the organization of comments. Comments filed in

paper form should include this reference both in the text and on the

envelope, and should be mailed or delivered to: Federal Trade

Commission/Office of the Secretary, Room 135 (Annex C), 600

Pennsylvania Avenue, NW., Washington, DC 20580. Because paper mail in

the Washington area and at the Commission is subject to delay, please

consider submitting your comments in electronic form, as prescribed

below. If the comment contains any material for which confidential

treatment is requested, it must be filed in paper (rather than

electronic) form, and the first page of the document must be clearly

labeled "Confidential." \1\ The FTC is requesting that any comment

filed in paper form be sent by courier or overnight service, if

possible.

---------------------------------------------------------------------------

\1\ Commission Rule 4.2(d), 16 CFR 4.2(d). The comment must also

be accompanied by an explicit request for confidential treatment,

including the factual and legal basis for the request, and must

identify the specific portions of the comment to be withheld from

the public record. The request will be granted or denied by the

Commission's General Counsel, consistent with applicable law and the

public interest. See Commission Rule 4.9(c), 16 CFR 4.9(c).

---------------------------------------------------------------------------

Comments filed in electronic form should be submitted by using the

following Web link: https://secure.commentworks.com/ftc-modelform (and

following the instructions on the Web-based form). To ensure that the

Commission considers an electronic comment, you must file it on the

Web-based form at the Web link https://secure.commentworks.com/ftc-modelform.

If this notice appears at www.regulations.gov, you may also

file an electronic comment through that

[[Page 14942]]

Web site. The Commission will consider all comments that

http://www.regulations.gov forwards to it.\2\ The FTC Act and other laws the

Commission administers permit the collection of public comments to

consider and use in this proceeding as appropriate. All timely and

responsive public comments with all required fields completed, whether

filed in paper or electronic form, will be considered by the

Commission, and will be available to the public on the FTC Web site, to

the extent practicable, at http://www.ftc.gov. As a matter of

discretion, the Commission makes every effort to remove home contact

information for individuals it receives from the public comments before

placing those comments on the FTC Web site. More information, including

routine uses permitted by the Privacy Act, may be found in the FTC's

privacy policy, at http://www.ftc.gov/ftc/privacy.htm.

---------------------------------------------------------------------------

\2\ An electronic comment can be filed by (1) clicking on http://www.regulations.gov;

(2) selecting "Federal Trade Commission" at

"Search for Open Regulations;" (3) locating the summary of this

notice; (4) clicking on "Submit a Comment on this Regulation;" and

(5) completing the form. For a given electronic comment, any

information placed in the following fields--"Title," "First

Name," "Last Name," "Organization Name," "State,"

"Comment," and "Attachment"--will be publicly available on the

FTC Web site. The fields marked with an asterisk on the form are

required in order for the FTC to fully consider a particular

comment. Commenters may choose not to fill in one or more of these

fields, but if they do so, their comments may not be considered.

---------------------------------------------------------------------------

Commodity Futures Trading Commission: Comments should be directed

to Eileen Donovan, Acting Secretary of the Commission, Commodity

Futures Trading Commission, Three Lafayette Centre, 1155 21st Street,

NW., Washington, DC 20581. Comments may be sent by facsimile

transmission to (202) 418-5528 or by e-mail to secretary@cftc.gov.

Securities and Exchange Commission: Comments may be submitted by

any of the following methods:

Electronic Comments

Use the Commission's Internet comment form (http://www.sec.gov/rules/proposed.shtml); or

Send an e-mail to rule-comments@sec.gov. Please include

File Number S7-09-07 and "Model Privacy Form" on the subject line; or

Use the Federal eRulemaking Portal (http://www.regulations.gov).

Follow the instructions for submitting comments.

Paper Comments

Send paper comments in triplicate to Nancy M. Morris,

Secretary, Securities and Exchange Commission, 100 F Street, NE.,

Washington, DC 20549-1090.

All submissions should refer to File Number S7-09-07 and "Model

Privacy Form." This file number should be included on the subject line

if e-mail is used. To help us process and review your comments more

efficiently, please use only one method. The Commission will post all

comments on the Commission's Internet Web site (http://www.sec.gov/rules/proposed.shtml).

Comments are also available for public

inspection and copying in the Commission's Public Reference Room, 100 F

Street, NE., Washington, DC 20549. All comments received will be posted

without change; we do not edit personal identifying information from

submissions. You should submit only information that you wish to make

available publicly.

FOR FURTHER INFORMATION CONTACT: OCC: Amy Friend, Assistant Chief

Counsel, (202) 874-5200; Heidi Thomas, Special Counsel, Jonathan

Mitchell, Attorney, Legislative and Regulatory Activities Division,

(202) 874-5090; David H. Nebhut, Director, Policy Analysis, (202) 874-

5387; or Paul Utterback, NBE Compliance Specialist, (202) 874-4428,

Office of the Comptroller of the Currency, 250 E Street, SW.,

Washington, DC 20219.

Board: Adrianne Threatt, Counsel, Legal Division, (202) 452-3554;

Jeanne Hogarth, Consumer Policies Program Manager, or Krista Ayoub,

Senior Attorney, or Ky Tran-Trong, Counsel, Division of Consumer and

Community Affairs, (202) 452-3667; or Michelle E. Shore, Federal

Reserve Board Clearance Officer, (202) 452-3829 (for Paperwork

Reduction Act questions only), Board of Governors of the Federal

Reserve System, 20th Street and Constitution Avenue, NW., Washington,

DC 20551.

FDIC: David P. Lafleur, Senior Policy Analyst, Compliance Section,

Division of Supervision and Consumer Protection, (202) 898-6569; or

Ruth R. Amberg, Senior Counsel, (202) 898-3736, or Kimberly A. Stock,

Attorney, (202) 898-3815, Legal Division; Federal Deposit Insurance

Corporation, 550 17th Street, NW., Washington, DC 20429.

OTS: Ekita Mitchell, Consumer Regulations Analyst, Examinations,

Supervision, and Consumer Protection, (202) 906-6451; or Richard

Bennett, Counsel, Regulations and Legislation Division, (202) 906-7409,

1700 G Street, NW., Washington, DC 20552.

NCUA: Regina Metz, Staff Attorney, (703) 518-6561, or Ross Kendall,

Staff Attorney, Office of General Counsel, (703) 518-6562, National

Credit Union Administration, 1775 Duke Street, Alexandria, Virginia

22314-3428.

FTC: Loretta Garrison, Senior Attorney, Division of Privacy and

Identity Protection, Bureau of Consumer Protection, (202) 326-3043,

Federal Trade Commission, 600 Pennsylvania Avenue, NW., Stop NJ-3158,

Washington, DC 20580.

CFTC: Laura Richards, Senior Assistant General Counsel, (202) 418-

5126, or Gail B. Scott, Attorney, Office of General Counsel, (202) 418-

5139, Commodity Futures Trading Commission, Three Lafayette Centre,

1155 21st Street, NW., Washington, DC 20581.

SEC: Catherine McGuire, Chief Counsel, or Brice Prince, Special

Counsel, Office of the Chief Counsel, Division of Market Regulation,

(202) 551-5550; or Penelope Saltzman, Branch Chief, or Vincent Meehan,

Senior Counsel, Office of Regulatory Policy, Division of Investment

Management, (202) 551-6792, Securities and Exchange Commission, 100 F

Street, NE., Washington, DC 20549.

SUPPLEMENTARY INFORMATION: The Agencies are proposing amendments to

each of their rules (which are consistent and comparable) that

implement the privacy provisions of the GLB Act: 12 CFR part 40 (OCC);

12 CFR part 216 (Board); 12 CFR part 332 (FDIC); 12 CFR part 573 (OTS);

12 CFR part 716 (NCUA); 16 CFR part 313 (FTC); 17 CFR part 160 (CFTC);

and 17 CFR part 248 (SEC) (collectively, the "privacy rule").\3\

---------------------------------------------------------------------------

\3\ Because each Agency's privacy rule has the same section

numbers, relevant sections will be cited, for example, as "section

--.6" unless otherwise noted.

---------------------------------------------------------------------------

I. Background

The Regulatory Relief Act was enacted on October 13, 2006.\4\

Section 728 of the Act directs the Agencies to "jointly develop a

model form which may be used, at the option of the financial

institution, for the provision of disclosures under [section 503 of the

GLB Act]." \5\ The Regulatory Relief Act stipulates that the model

form shall be a safe harbor for financial institutions

[[Page 14943]]

that elect to use it. Section 728 further directs that the model form

shall:

---------------------------------------------------------------------------

\4\ Pub. L. 109-351 (Oct. 13, 2006), 120 Stat. 1966.

\5\ Id., adding 15 U.S.C. 6803(e). Section 728 of the Regulatory

Relief Act directs the agencies named in Section 504(a)(1) of the

GLB Act, 15 U.S.C. 6804(a)(1), to develop a model form. The CFTC,

which did not become subject to Title V of the GLB Act until 2000,

is not named in that section. The Commodity Exchange Act ("CEA")

was amended in 2000 by the Commodity Futures Modernization Act of

2000 to make the CFTC a "federal functional regulator" subject to

the GLB Act Title V. See Section 5g of the CEA, 7 U.S.C. 7b-2. The

CFTC interprets Section 728 of the Regulatory Relief Act as applying

to it through Section 5g.

---------------------------------------------------------------------------

(A) Be comprehensible to consumers, with a clear format and design;

(B) Provide for clear and conspicuous disclosures;

(C) Enable consumers easily to identify the sharing practices of a

financial institution and to compare privacy practices among financial

institutions; and

(D) Be succinct, and use an easily readable type font.

The Agencies are required to propose a model form for public

comment by April 11, 2007.

A. The Gramm-Leach-Bliley Act Privacy Notices

Subtitle A of title V of the GLB Act, captioned Disclosure of

Nonpublic Personal Information,\6\ requires each financial institution

to provide a notice of its privacy policies and practices to its

customers who are consumers.\7\ In general, the privacy notices must

describe a financial institution's policies and practices with respect

to disclosing nonpublic personal information about a consumer to both

affiliated and nonaffiliated third parties.\8\ The notices also must

provide a consumer a reasonable opportunity to direct the institution

generally not to share nonpublic personal information \9\ about the

consumer (that is, to "opt out") with nonaffiliated third parties

other than as permitted by the statute (for example, sharing for

everyday business purposes, such as processing transactions and

maintaining customers' accounts, and in response to properly executed

governmental requests).\10\ The privacy notice must provide, where

applicable under the Fair Credit Reporting Act (FCRA), a notice and an

opportunity for a consumer to opt out of certain information sharing

among affiliates.\11\

---------------------------------------------------------------------------

\6\ Codified at 15 U.S.C. 6801-6809.

\7\ 15 U.S.C. 6803(a). A "customer" means a consumer who has a

"customer relationship with a financial institution." Privacy

rule, section --.3(h), SEC section 248.3(j), CFTC section 160.3(k).

A "consumer" is "an individual who obtains, from a financial

institution, financial products or services which are to be used

primarily for personal, family, or household purposes, and also

means the legal representative of such an individual." 15 U.S.C.

6809(9); privacy rule, section --.3(e), SEC section 248.3(g)(1),

CFTC section 160.3(h)(1).

\8\ 15 U.S.C. 6803(a)-(c).

\9\ 15 U.S.C. 6809(4). "Nonpublic personal information" is

generally defined as personally identifiable financial information

provided by a consumer to a financial institution, resulting from

any transaction or any service performed for the consumer, or

otherwise obtained by the financial institution. See privacy rule,

sections --.3(n) and (o), SEC sections 248.3(t) and (u), CFTC

sections 160.3(t) and (u).

\10\ 15 U.S.C. 6802; privacy rule, sections --.14 and --.15.

\11\ 15 U.S.C. 1681a(d)(2)(A)(iii) (FCRA); 15 U.S.C. 6803(c)(4)

(GLB Act).

---------------------------------------------------------------------------

The privacy rule requires a financial institution to provide a

privacy notice to its customers no later than when a customer

relationship is formed and annually for as long as the relationship

continues. The notice must accurately reflect the institution's

information collection and disclosure practices and must include

specific information. Section --.6 of the privacy rule requires the

privacy notice to include the following:

(1) The categories of nonpublic personal information that the

institution collects;

(2) With respect to both current and former customers, the

categories of nonpublic personal information that it discloses and the

categories of affiliates and nonaffiliated third parties to whom it

discloses such information other than as permitted by the exceptions in

sections --.14 and --.15;

(3) Where the institution relies on the exception in section --.13

to share nonpublic personal information (pertaining to joint

marketing), the categories of information disclosed, and the categories

of third parties with which the institution has contracted;

(4) Where applicable, an explanation of the consumer's right under

section --.10(a) to opt out of the disclosure of nonpublic personal

information to nonaffiliated third parties and the methods by which the

consumer may opt out;

(5) Disclosures made under section 603(d)(2)(A)(iii) of the FCRA

(pertaining to the ability to opt out of certain sharing with

affiliates) and the applicable opt-out notice;

(6) The institution's policies and practices with respect to

protecting the confidentiality and security of nonpublic personal

information; and

(7) Where applicable, a statement that the institution discloses

nonpublic personal information to nonaffiliated third parties pursuant

to the section --.14 and --.15 exceptions.

The privacy rule does not prescribe any specific format or

standardized wording for these notices. Instead, institutions may

design their own notices based on their individual practices provided

they comply with the law and meet the "clear and conspicuous"

standard in the statute and the privacy rule.\12\ The Appendix to the

privacy rule contains model language (Sample Clauses) that institutions

may use in privacy notices to satisfy the privacy rule.

---------------------------------------------------------------------------

\12\ 15 U.S.C. 6802, 6803; privacy rule, section --.3(b), SEC

248.3(c).

---------------------------------------------------------------------------

Financial institutions first were required to distribute privacy

notices to their customers by July 1, 2001.\13\ Many privacy notices in

the initial effort were long and complex. In addition, because the

privacy rule allows institutions flexibility in designing their privacy

notices, notices have been formatted in various ways and as a result

have been difficult to compare, even among financial institutions with

identical privacy policies.

---------------------------------------------------------------------------

\13\ The CFTC was added by Section 5g of the Commodity Exchange

Act, 7 U.S.C. 7b-2 (as amended by the Commodity Futures

Modernization Act of 2000), on December 21, 2000, and privacy

notices were required to be delivered to consumers by March 31,

2002.

---------------------------------------------------------------------------

In response to broad-based concerns expressed by representatives of

financial institutions, consumers, privacy advocates, and members of

Congress, the Agencies conducted a workshop in December 2001 to provide

a forum to consider how financial institutions could provide more

useful privacy notices to consumers.\14\ The workshop featured panel

presentations by financial institutions, consumer advocates, and

communications experts, and highlighted key communication principles to

improve the notices. A number of institutions, particularly those with

complex information-sharing practices, described the challenges they

faced in explaining their practices and the choices available to

consumers in a simple fashion while meeting all of the legal

requirements for notice. Some institutions described results of

consumer testing and their efforts to make privacy notices clearer and

more useful to consumers.

---------------------------------------------------------------------------

\14\ Get Noticed: Writing Effective Financial Privacy Notices,

Interagency Public Workshop (Dec. 4, 2001), workshop transcripts and

other supporting documents are available at

http://www.ftc.gov/bcp/workshops/glb/index.html.

---------------------------------------------------------------------------

On December 30, 2003, the Agencies published an Advance Notice of

Proposed Rulemaking to Consider Alternative Forms of Privacy Notices

under the Gramm-Leach-Bliley Act \15\ (ANPR) to solicit comment on a

wide range of issues related to improving privacy notices. The Agencies

sought, for example, comment on issues associated with the format,

elements, and language used in privacy notices that would make the

notices more accessible, readable, and useful, and whether to develop a

model privacy notice that would be short and simple. The Agencies also

solicited examples of

[[Page 14944]]

forms, model clauses, and other information, such as applicable

research that has been conducted in this area. The ANPR stated that the

Agencies expected that consumer testing would be a key component in the

development of any specific proposals.

---------------------------------------------------------------------------

\15\ See Interagency Proposal to Consider Alternative Forms of

Privacy Notices Under the Gramm-Leach-Bliley Act, 68 FR 75164 (Dec.

30, 2003), available at

http://www.ftc.gov/os/2003/12/031223anprfinalglbnotices.pdf.

---------------------------------------------------------------------------

During January and February 2004, the Agencies met with a number of

interested groups and individuals to discuss the issues raised in the

ANPR.\16\ The Agencies received forty-four comments in response to the

ANPR.\17\ While commenters expressed a variety of views on the

questions posed in the ANPR, many commenters agreed that the Agencies

should conduct consumer testing before proposing any alternative

privacy notice.

---------------------------------------------------------------------------

\16\ Summaries of the outside meetings are available at

http://www.ftc.gov/privacy/privacyinitiatives/financial_rule_inrp.html.

\17\ Public comments to the ANPR are available at

http://www.ftc.gov/privacy/privacyinitiatives/financial_rule_inrp.html.

---------------------------------------------------------------------------

B. The Interagency Notice Project

In the summer of 2004, six Agencies \18\ agreed to launch a project

to fund consumer research (Notice Project). Their goals were to

identify barriers to consumer understanding of current privacy notices

and to develop an alternative privacy notice, or elements of a notice,

that consumers could more easily use and understand compared to current

notices. When the Agencies initiated this project, they contemplated

conducting the consumer research in two sequential phases. The first

phase was designed as qualitative testing, that is, form development

research. This research involved a series of in-depth individual

consumer interviews to develop an alternative privacy notice that would

be easier for consumers to use and understand. The second phase was

designed as quantitative testing, to test the effectiveness of the

alternative privacy notice developed in phase one among a larger number

of consumers. The first phase has been completed and resulted in the

model notice we are proposing for comment today. The Agencies expect to

conduct the second phase of testing after receipt of comments in

response to this proposal.\19\

---------------------------------------------------------------------------

\18\ The six Agencies are the Board, FDIC, FTC, NCUA, OCC, and

SEC. Information related to the Notice Project can be found at

http://www.ftc.gov/privacy/privacyinitiatives/financial_rule_inrp.html.

\19\ OTS has joined the Notice Project for the phase two

research.

---------------------------------------------------------------------------

In September 2004, the six Agencies selected Kleimann Communication

Group, Inc. (Kleimann) as their contractor for the phase one form

development research. The research objectives of the Notice Project

included designing a privacy notice that consumers could understand and

use, that facilitated comparison of sharing practices and policies

across privacy notices, and that addressed all relevant legal

requirements of the GLB Act and FCRA. At the outset of the research,

the Agencies considered a range of possible options for the notice,

including a short notice, a layered approach (highlighting key

information upfront), as well as a longer fully-compliant notice. The

Agencies limited the project to paper-based notices, reasoning that a

successful paper notice could be readily adapted to another medium such

as the Internet. The Agencies used a readable font \20\ and, in order

not to confound the research findings on comprehension by introducing

too many variables into the test notice, expressly did not use color,

logos, or other graphical designs in the test notices. Instead, the

Agencies focused on formulating and testing content that consumers

could understand and use in order to develop a short, simplified

privacy notice that met the research objectives.

---------------------------------------------------------------------------

\20\ The text of the prototype notice is in 10 point BK Avenir

Book font.

---------------------------------------------------------------------------

The form development phase culminated in an extensive research

report released by the Agencies in March 2006. Prepared by Kleimann,

"Evolution of a Prototype Financial Privacy Notice," details the

process by which the Agencies and Kleimann developed an alternative

privacy notice.\21\ As explained more fully in the Kleimann Report,

over a one-year period, Kleimann conducted two focus groups followed by

a series of 46 in-depth, individual interviews, conducted sequentially

at seven sites around the country. The interviews tested consumers on

their ability to comprehend, use, and compare notices based on

variations in vocabulary, ordering of content, and format. The

structure, content, ordering of the text information, and title of the

proposed model form all reflect the research findings in the

qualitative consumer testing.

---------------------------------------------------------------------------

\21\ See Kleimann Communication Group, Inc., Evolution of a

Prototype Financial Privacy Notice: A Report on the Form Development

Project (Feb. 28, 2006) (Kleimann Report). For a copy of the full

report, go to

http://www.ftc.gov/privacy/privacyinitiatives/ftcfinalreport060228.pdf.

For the executive summary, go to http://.

//.

FTCFinalReportExecutiveSummary.pdf.

---------------------------------------------------------------------------

The Agencies now are proposing the model privacy notice produced in

the form development phase with some minor revisions (the proposed

model form) for comment in accordance with the Regulatory Relief Act.

The Agencies contemplate that the safe harbor for the proposed model

form will be effective upon publication of the final rule in order to

permit institutions that elect to use the form to do so immediately.

The Agencies recognize that institutions may post their privacy notices

on their Internet sites, as well as deliver paper or email versions to

their customers. The Agencies contemplate that institutions that post a

pdf version of the proposed model privacy form may obtain a safe

harbor, but are requesting comment on whether to develop a Web-based

design for financial institutions to use on their Internet sites,

including comment on particular design and/or technical considerations.

The Agencies believe that the proposed model form meets all the

requirements of the Act and is easier to understand than most privacy

notices currently being disseminated. The following section describes

the proposed model form and highlights some key research findings. For

more detailed information on the research methodology and the form

development process, commenters are encouraged to review the full

Kleimann Report. The Agencies also are proposing instructions on how

institutions may obtain a safe harbor by using the proposed model form,

including an explanation of aspects of the form that may and may not be

varied.\22\ Institutions would not be able to vary content or format,

other than as described in this proposal, to take advantage of the safe

harbor. Moreover, institutions would not be able to include any other

information in the proposed model form nor incorporate this model form

into any other document.

---------------------------------------------------------------------------

\22\ While the model form would provide a safe harbor,

institutions could continue to use other types of notices that vary

from the model form so long as these notices comply with the privacy

rule. For example, an institution could continue to use a simplified

notice as described in section --.6(c)(5) (NCUA 716.6(e)(5)) of the

privacy rule if it does not have affiliates and does not intend to

share nonpublic personal information with nonaffiliated third

parties outside of the exceptions provided in sections --.14 and

--.15.

---------------------------------------------------------------------------

II. The Proposed Model Form

A. The Structure

The proposed model form has either two or three pages, depending on

whether the financial institution provides an opt-out. While the

research showed that page one alone was adequate for comprehension and

usability, page one together with page two address the legal

requirements of applicable Federal financial privacy laws and increase

consumer comprehension. Each of the pages of the model form is printed

separately and

[[Page 14945]]

only on one side of an 8.5 by 11 inch piece of paper because, during

testing, consumers expressed a preference for the model which allowed

them to view the information on pages one and two side-by-side.\23\ The

proposed model form in Appendix A is designed to be customized by each

financial institution that elects to use it by inserting, for example,

the institution's name, contact information, and information about

affiliates, nonaffiliates, or joint marketing partners, if any, with

which it shares personal information. In addition, the disclosure table

requires that each institution complete the responses in each of the

boxes provided in a manner that accurately reflects its information

sharing policies and practices.

---------------------------------------------------------------------------

\23\ The proposed model form has the opt-out options and

instructions on a separate page. Staff of certain of the Agencies

issued Frequently Asked Questions in December 2001 (Privacy FAQs),

stating that a consumer should be able to detach a mail-in opt-out

form from a privacy notice without removing text from the privacy

policy. Otherwise, the institution may violate section --.9(e) of

the privacy rule, which requires that a privacy policy must be

provided in such a way that a customer can retain the text of the

notices or obtain them later. See F.4 of the Privacy FAQs, available

at http://www.ftc.gov/privacy/glbact/glb-faq.htm.

---------------------------------------------------------------------------

Below is one example of a completed model form for a fictional

financial institution, Neptune, whose privacy policy provides for broad

sharing in a manner that triggers consumer opt-out rights. For

comparison, a second example is also provided for another fictional

institution, Mars, whose privacy policy limits sharing and does not

trigger consumer opt-out rights. Each of these institutions uses and

shares personal information in different ways; thus, their responses in

the disclosure table vary, as do the descriptions of their affiliates,

nonaffiliates, or joint marketing partners in the definition

section.\24\ Importantly, since Mars does not share in a way that

triggers an opt-out, the opt-out form (page 3 of the proposed model

form) is not required and so is not included in the Mars notice. Thus,

not every institution subject to the privacy rule will have to provide

page three of the model form; only those institutions whose privacy

practices require delivery of an opt-out notice or those institutions

that choose to provide opt-outs beyond those required by law.

---------------------------------------------------------------------------

\24\ The Agencies understand that many consumers are not

familiar with institutions' information sharing practices. During

the Notice Project's initial research, some consumers expressed

concern about financial institutions changing their practices and

policies without adequately informing consumers about such changes.

A few consumers suggested that, at a minimum, the notices should be

dated to reflect the most recent revision so consumers would know

when the notice was last changed and could more easily identify the

most recent policy statement. Changes to an institution's policy may

be reflected in a revised notice under section --.8 of the privacy

rule or in an annual notice. Some institutions highlight changes to

their privacy notices in some distinctive way, so that consumers can

readily identify the change. As discussed later in Section V, the

Agencies invite comment on whether financial institutions should be

required to alert consumers to changes in an institution's privacy

practices as part of the proposed model form.

---------------------------------------------------------------------------

[[Page 14946]]

Example 1. Neptune Model Privacy Form

[GRAPHIC] [TIFF OMITTED] TP29MR07.000

[[Page 14947]]

[GRAPHIC] [TIFF OMITTED] TP29MR07.001

[[Page 14948]]

[GRAPHIC] [TIFF OMITTED] TP29MR07.002

[[Page 14949]]

Example 2. Mars Model Privacy Form

[GRAPHIC] [TIFF OMITTED] TP29MR07.003

[[Page 14950]]

[GRAPHIC] [TIFF OMITTED] TP29MR07.004

[[Page 14951]]

Example 3. Illustration of Type Size for the Various Elements of the

Model Form \25\

---------------------------------------------------------------------------

\25\ See infra note and accompanying text. This illustration

displays the font sizes of the various elements in the model form.

[GRAPHIC] [TIFF OMITTED] TP29MR07.005

B. Page One--Background Information and the Disclosure Table

Page one of the proposed model form has four parts: (1) The title;

(2) an introductory section called the "key frame," which provides

context to help the consumer better understand the required

disclosures; (3) a table that describes the types of sharing Federal

law allows, which of those types of sharing the institution actually

does, and whether the consumer can opt out of any type of the

institution's sharing; and (4) the institution's contact information.

The research showed that the title, "FACTS What Does [name of

financial

[[Page 14952]]

institution] Do With Your Personal Information," is more likely to

catch consumers' attention so they will read the notice. The title can

be used by all institutions regardless of their information sharing

practices.

The "key frame," with its three short headings--Why, What, and

How--is included because the research showed that, unless consumers

have some basic facts about information sharing, they are less likely

to understand why they are receiving a privacy notice and what to do

with one. The "Why" box tells consumers that Federal law requires

that the financial institution send the notice. The "What" box

explains the types of personal information financial institutions

collect and share.\26\ The "How" box explains that some information

sharing is necessary for all institutions in order to provide the

products and services that consumers request. It also briefly explains

what information consumers will find in the disclosure table below. The

research found that these particular headings and the bulleted

explanations enhanced consumers' understanding of the purpose of the

notice, enabled them to make an informed decision about the use of

their personal information, and aided their overall comprehension.

---------------------------------------------------------------------------

\26\ The Agencies recognize that some financial institutions may

not collect each type of information described in the "What" box.

As reflected in the introductory clause, which states that the

"information [collected] can include * * *," the standardized

terms are designed to reflect the range of information typically

collected by financial institutions required to provide privacy

notices under the GLB Act and FCRA, rather than the specific

information collected by each particular institution, and therefore,

are not to be modified to reflect an institution's particular

practices. The SEC's model privacy form reflects modified terms in

the "What" box that are intended to include the range of

information typically collected by brokers, dealers, investment

advisers registered with the Commission, and investment companies.

---------------------------------------------------------------------------

The disclosure table at the bottom of page one provides information

about the financial institution's sharing practices. The research found

that this table is the "heart" of the proposed model form,

"enabl[ing] consumers to understand the details of their financial

institution's sharing practices in the context of how other financial

institutions can share. It is critical for comprehension and

comparability." \27\ The table is featured on page one because it is

one of the most important elements of the model form.

---------------------------------------------------------------------------

\27\ See Kleimann Report, supra note , at v and 7.

---------------------------------------------------------------------------

Key research findings were that providing this information in a

table form greatly increased consumers' ability to readily identify and

understand an institution's sharing practices and what, if any, choices

they had to limit any of that sharing, and easily compare these

practices and choices among institutions. The Agencies asked Kleimann

to develop and test a "prose" version describing information sharing

practices since such a format would be more comparable to notices

currently used by financial institutions. However, the research found

that the table design of the proposed model form outperformed the prose

design on a variety of measures, including comprehension,

comparability, and usability.\28\

---------------------------------------------------------------------------

\28\ See id. at 185, 215, 256.

---------------------------------------------------------------------------

The disclosure table includes a description of the possible types

of sharing and uses of personal information and the associated opt-out

choices that must be disclosed. The opt-out disclosures are required

under: (1) Section 502(b) of the GLB Act (regarding certain sharing

with nonaffiliated third parties); (2) section 603(d)(2)(A) of the FCRA

(regarding sharing of creditworthiness and credit report information

among affiliates); and (3) section 624 of the FCRA, as added by section

214 of the Fair and Accurate Credit Transactions Act of 2003 (FACT

Act), 15 U.S.C. 1681s-3 (use of that information for marketing).\29\

The table provides important context about what information sharing a

financial institution actually does relative to what it could do. The

research showed that the table, with its standardized content,

facilitates easy comparison of information sharing practices among

different institutions. The structure of the disclosure table and the

reasons for sharing are designed to be consistent for all financial

institutions.\30\ The institution-specific information lies in the

answers to the questions within each of the boxes. Accordingly, even if

a financial institution does not share for one of the reasons listed in

the table (for example, it has no affiliates and therefore does not

share with affiliates), the institution could not exclude that reason

from the table, but would answer "No" under "Does [name of financial

institution] share?"

---------------------------------------------------------------------------

\29\ Pub. L. 108-159, 117 Stat. 1952. Section 624 provides that

information that may be shared among affiliates--including

transaction and experience information and certain creditworthiness

information--cannot be used for marketing purposes unless the

consumer has received a notice of such use and an opportunity to opt

out, and the consumer does not opt out. The Agencies have included

language pertaining to this affiliate marketing provision and the

related opt-out on the notice developed in the consumer research in

response to comments to the ANPR. While the Agencies have not yet

issued a final regulation implementing this provision of the FACT

Act, they are coordinating this rulemaking with the affiliate

marketing rulemaking to ensure that language addressing the section

624 opt-out as incorporated in this model form (when finalized)

would be deemed to comply with the affiliate marketing rule.

Institutions would not be required to include reference to this

provision until a final rule for section 624 is issued and becomes

effective, and only in the event that institutions choose to

consolidate the 624 notice and opt-out with the GLB Act privacy

notice.

\30\ The reasons for sharing are grouped into three main

categories. The first three reasons describe what financial

institutions do with their consumers' personal information. The next

three reasons describe what a financial institution's affiliates do

with that information. The last reason describes what nonaffiliated

companies may do with the personal information, other than acting as

a service provider to or acting jointly with the financial

institution (that is, outside the exceptions provided in sections

--.13, --.14, and --.15). This generally means marketing by the

nonaffiliated company.

---------------------------------------------------------------------------

The language used in the disclosure table is based on Kleimann's

research. The simplified phrases describing information sharing

practices were continually refined through the consumer testing process

to allow consumers to better understand the information sharing and use

possibilities. The laws governing the disclosure of consumers' personal

information are not easily translated into short, comprehensible

phrases that are also legally precise. Thus, the table in some cases

uses more easily understandable short-hand terms to describe sharing

practices required to be in the notice. For example, the table uses the

term "everyday business purposes" to describe the sharing

contemplated by the exceptions in sections --.14 and --.15 of the

privacy rule, which does not trigger opt-out rights. The research found

that consumers understood that "everyday business purposes" means

that companies must share in some basic ways in order to provide the

financial products or services that consumers request. The table also

speaks in terms of the institution's own "marketing purposes" to

capture the idea that nearly all, if not all, financial institutions

share information in connection with marketing their own products and

services to their customers (for example, with a service provider such

as a bulk mailer or data processor) in a manner that does not trigger

an opt-out right. With respect to the reasons for information sharing

among affiliated companies that track the FCRA provisions \31\ (the

sharing of "transaction and experience information" and the sharing

of "other information"), the disclosure table uses "Information

about your creditworthiness" as a short-hand term for the statutory

term "other information."

---------------------------------------------------------------------------

\31\ See section 603(d)(2)(A) of the FCRA.

---------------------------------------------------------------------------

The institution's contact information appears at the bottom of page

one in

[[Page 14953]]

response to consumers' preferences expressed during testing.

C. Page Two--Supplemental Information

The second page provides additional explanatory information that,

in combination with page one, ensures that the notice includes all

elements described in the GLB Act as implemented by the privacy rule.

There is supplemental information in the form of Frequently Asked

Questions (FAQs) \32\ at the top and definitions below.\33\ The

research showed that although consumers generally understood the

concepts of certain technical words, they found that the four

definitions on page two provided helpful additional information that

further clarified the nature and type of information sharing by a

financial institution. Some of the definitions include institution-

specific information required by the GLB Act. For example, an

institution that has affiliates must identify the categories of its

affiliates after the definition. Likewise, an institution that has no

affiliates can explain after the definition that it does not have

affiliates.

---------------------------------------------------------------------------

\32\ Note that financial institutions should insert their names

as indicated in the first three questions in this section.

\33\ The FAQ box regarding sources of information does not

permit a financial institution to customize the sources of

information it collects. As with the standardized terms describing

information the institution collects on page one, see supra note ,

the disclosure is intended to include the range of information

sources typically used by institutions subject to the GLB Act and

FCRA rather than the information sources used by each particular

institution. The SEC's model form reflects additional terms in this

box that are intended to include the range of sources of information

typically used by brokers, dealers, investment advisers registered

with the Commission, and investment companies.

---------------------------------------------------------------------------

Examples of institution-specific information are shown for the last

three definitions in the italicized print in both the Neptune and Mars

forms. Thus, Neptune has affiliates with which it shares certain

information and, under the definition of "affiliates," Neptune

includes information in italics that describes the categories of its

affiliates. Since Mars has no affiliates, the Mars form states "Mars

has no affiliates."

D. Page Three--The Opt-Out Form

The third page provides an opt-out form, for use by those financial

institutions that share in a manner that triggers consumer opt-out

rights under the GLB Act or FCRA (see the proposed model privacy form

in Appendix A and the Neptune form). Institutions using the proposed

model form must include page three in their notices only if they (1)

share or use information in a manner that triggers an opt-out, or (2)

choose to provide opt-outs beyond what is required by law.

The opt-out page lists three common methods for opting out--by

telephone, on the Web, and by mail--and summarizes the opt-out choices

available to the consumer in a clear and easy-to-read format that the

research found consumers appreciated. Financial institutions that

provide opt-out forms are not required to provide all the opt-out

choices and methods described in the Neptune opt-out form. The Agencies

expect that institutions may need to tailor the opt-out page to reflect

accurately the institution's particular practices.\34\ The model form,

for example, includes information for the customer's account number as

a means of identifying both the customer and account to which the opt-

out should apply. Institutions requiring consumers with multiple

account numbers to list each account number to which the opt-out should

apply should modify that portion of the form. Institutions requiring

information other than an account number should modify that portion of

the form. Institutions that allow more than 30 days from issuing the

notice may insert that time period in place of the number "30". The

proposed rule accordingly provides instructions explaining permissible

variations to page three of the Neptune notice.

---------------------------------------------------------------------------

\34\ See note 29. For institutions that choose to consolidate

the 624 notice into the model form and offer this opt-out, the

italicized language accompanying the affiliate sharing opt-out

choice on page three of the proposed model form is required only if

an institution wants to limit the time of the opt-out period, with 5

years the minimum opt-out period required by the statute. Where an

institution elects to limit the time period for which the opt-out is

effective, it should look to the Agencies' affiliate marketing rule

for guidance on the manner and form in which to provide any

additional notice that would effectively permit a consumer to renew

or extend the opt-out period.

---------------------------------------------------------------------------

E. Additional Opt-Outs in the Model Form

The third column in the disclosure table in the proposed model form

is intended to provide flexibility for financial institutions to

include additional opt-out choices that are not required by Federal

law. For example, a financial institution may give its customers the

opportunity to limit sharing for joint marketing. In that case, the

financial institution would answer the question "Can you limit this

sharing?" in the far right column with "Yes (Check your choices, p.

3)" and would describe the additional opt-out choice on its opt-out

form, for example by stating, "Do not share my personal information

with other financial institutions to jointly market to me." Likewise,

if a financial institution wanted to offer its customers the

opportunity to opt out of its own marketing, it could provide for that

option by answering "Yes" in the appropriate box of the disclosure

table and by describing the opt-out choice on the opt-out form, for

example by stating "Do not share [or use] my personal information to

market to me." To obtain the safe harbor for use of the proposed model

form, an institution that uses the disclosure table to show any

additional opt-out choice must include the opt-out form on page three

to provide consumers with a method for opting out. The Agencies

specifically invite comment on other opt-outs that financial

institutions may provide, and on whether the Agencies should provide

model language based on the opt-out provisions provided in the proposed

model form.

F. Appearance of the Model Form

In addition to the requirements that the proposed model form be

comprehensible, clear and conspicuous, and allow for easy comparison of

privacy practices among financial institutions, the law requires that

the model form use an easily readable type font. The prototype notice

developed in the Agencies' phase one research and shown here as the

proposed model form reflects consideration of a number of

typographical factors in the design.\35\ Type size, type style,

leading, x-height, serif versus sans serif,\36\ upper and lower case

type, along with the page layout--all play an important role in

designing a typeface that is highly readable. Consumers who saw the

prototype notice during the research process commented on how easy the

type was to see and read.\37\

---------------------------------------------------------------------------

\35\ The prototype notice developed in the consumer research is

10 on 12 BK Avenir Book. The "10 on 12" means that the font size

is 10 points, and the leading (that is, the additional space between

the lines of type) is 2 points of spacing.

\36\ Serif typeface has small strokes at the ends of the lines

that form each letter. Sans serif typeface does not have those small

strokes.

\37\ Example 3 in this proposal illustrates the different font

sizes used in the prototype notice for the title, headings, and key

text. Thus, the word "FACTS" in the title is in 17-point type; the

remainder of the title is in 11-point; the Why, Why, How, and

Contact Us headings are in 14 point; the headings in the disclosure

table, the reasons in the left column of the disclosure table, and

the questions in the left column of the FAQs are in 10.5-point; and

the text in the body of the form is in 10-point. This information

shows the relative sizes of the various elements of the prototype

and is intended only as a guide (and not a requirement) to those

institutions that elect to use the proposed model form so that they

can design the key elements, such as the headings and title, larger

than the 10-point font size in the text.

---------------------------------------------------------------------------

[[Page 14954]]

All of these factors together affect the readability of a document.

Therefore, in considering these various factors for the design of an

easily readable type font, the Agencies are proposing 10-point font as

the minimum type size and sufficient spacing between the lines of type

(leading). The Agencies are further providing general guidance on type

styles.

Type size: The readability of type size is highly dependent on the

selection of the type style. Some styles in 10-point font are more

readable than others in 12-point font and appear larger because of

their design. Accordingly, the Agencies are proposing 10-point type

size as the minimum size for use on the model form.

Leading: Leading is the spacing between lines of type, measured in

points. If the line spacing is too narrow, the type is hard to read. In

such a case, the ascenders (such as the upward line in the letter

"h") and descenders (such as the downward line in a "g") may touch,

blending the lines of type and making it much harder to distinguish the

letters on the page. Research on the legibility of typography indicates

that people read faster when text is set with 1 to 4 points of

leading.\38\ The Agencies are proposing a requirement that the leading

used allow for sufficient spacing between the lines, but are not

mandating a specific amount. Nevertheless, the Agencies are providing

these general recommendations for use with the model form: 10- or

11-point type should have between 1 and 3 points of leading. Twelve-point

type should have between 2 and 4 points of leading.\39\

---------------------------------------------------------------------------

\38\ Karen A. Schriver, Dynamics In Document Design, 274 (1997).

\39\ Id. at 262; see also James Hartley, Designing Instructional

Text (1994); and Barbara Chaparro et al., Reading Online Text: A

Comparison of Four White Space Layouts, 6(2) (2004).

---------------------------------------------------------------------------

Type style and "x"-height: Experts differ on the question of the

most desirable type style. The model form uses both sans serif and

"monoweight" type, and upper and lower case lettering in the body of

the form. While much of the printed material in the United States and

western Europe uses serif styles, Web designers are increasingly using

sans serif type, as they have found that serif type is harder to read

in this new medium. These changes in Web design are also beginning to

affect font styles in printed materials. Accordingly, some typography

designers are now using sans serif typefaces, as well as type with a

uniform thickness throughout the letter (monoweight typeface), finding

such typefaces easier to read than those with variable thickness. While

a variety of type styles would be suitable for the model notice, the

Agencies caution that institutions that use idiosyncratic fonts or

highly stylized typefaces will not meet the model form safe harbor

standard.

Larger x-height \40\ makes a font appear larger and thus more

readable, and fonts with larger x-heights are better for smaller text.

Research shows that our eyes "scan the top of the letters' x-heights

during the normal reading process, so that is where the primary

identification of each letter takes place." \41\ Generally, a font

with an x-height ratio of around .66 is easier to read.\42\

---------------------------------------------------------------------------

\40\ The "x-height" is the height of the lower-case "x" in

relation to full height letters, such as a capital G. X-height is

critical to type legibility.

\41\ Erik Spiekermann & E.M. Ginger, Stop Stealing Sheep & Find

Out How Type Works, 93 (1993).

\42\ See, e.g., Hewlett-Packard Corporation, Panose

Classification Metrics Guide (2006), available at http://www.monotypeimaging.com/productsservices/pan2.aspx.

---------------------------------------------------------------------------

The Agencies are not mandating a particular type style or x-height

in order for a financial institution to obtain a safe harbor.

Nevertheless, based on the research, the Agencies are providing these

general guidelines for type style in the model form: For typefaces with

a smaller x-height, 11- or 12-point font should be used; for typefaces

with a larger x-height, a 10-point font would be sufficient.\43\ Fonts

that satisfy the type style and x-height guidelines for the proposed

model form include sans serif fonts such as Tahoma, Century Gothic,

Myriad, Avant Garde, Bk Avenir Book, ITS Franklin Gothic, Arial, and

Gill Sans, and serif fonts such as the Chaparral Pro Family, Minion

Pro, Garamond, Monotype Bodoni, and Monotype Century.\44\

---------------------------------------------------------------------------

\43\ See Schriver, supra note at 264; see also pp. 258-59.

\44\ A number of these font styles, including Arial, Tahoma,

Century Gothic, Garamond, and Bodoni, are preloaded on commonly used

operating systems with most new personal computers. The other font

styles are commercially available as well.

---------------------------------------------------------------------------

For ease of reference, the following table summarizes the

recommendations discussed here for institutions that choose to use the

model form and obtain the safe harbor.

----------------------------------------------------------------------------------------------------------------
If                 Then use             And use                 And use font with
----------------------------------------------------------------------------------------------------------------
Font is 10-point   1-3 points leading   Monoweight typeface.    Large x-height sans serif (around .66 ratio).
Font is 11-point   1-3 points leading   Monoweight typeface.    Smaller x-height is acceptable; either serif or
                                                                sans serif (less than .66 ratio is acceptable).
Font is 12-point   2-4 points leading   Monoweight or           Smaller x-height is acceptable; either serif or
                                        variable typeface.      sans serif (less than .66 ratio is acceptable).
----------------------------------------------------------------------------------------------------------------

G. Printing, Logos, and Color

The Agencies recognize that financial institutions have a strong

interest in ensuring that documents they provide to the public have a

distinctive look that may be readily recognized by consumers. Thus, a

financial institution that uses the proposed model form may include its

corporate logo on any of the pages, so long as the logo design does not

interfere with the readability of the model form or space constraints

of each page.

The model form used in the consumer testing was printed on 8.5 by

11 inch non-glossy paper, using varying shades of black ink to achieve

the black and gray tones in the published prototype. The Agencies

propose printing each page of the model form on one side of an 8.5 by

11 inch piece of paper so that each page of the model form can be

viewed simultaneously. The Agencies seek comment on other formats that

may achieve the readability and ease of use preferred by consumers.

The Agencies propose that institutions using the model form use

white or light color paper (such as cream) with black or suitable

contrasting color ink. Spot color is permitted to achieve visual

interest to the model form, so long as the color contrast is

distinctive and the color does not detract from the form's readability.

The Agencies seek comment on whether, how, and to what extent

institutions that elect to use the model form will use logos and/or

color.

[[Page 14955]]

III. The Sample Clauses

The proposed model form is a standardized notice that would replace

the Sample Clauses currently found in Appendix A of the privacy rule.

It could be used by a financial institution at its option to comply

with requirements for a clear and conspicuous privacy notice that meets

the content requirements in sections --.6 and --.7 of the privacy

rule.\45\ Research to date indicates that the language in the Sample

Clauses is confusing, and accordingly, the Agencies propose to

eliminate the Sample Clauses from the privacy rule.

---------------------------------------------------------------------------

\45\ The Agencies are also proposing conforming amendments to

sections --.2, --.6, and --.7 of the privacy rule and to the

Appendix.

---------------------------------------------------------------------------

However, to ease the compliance burden for those institutions that

currently have privacy notices based on the Sample Clauses, the

Agencies are proposing a transition period of one year after which

financial institutions would no longer obtain a safe harbor by using

the sample clauses. Privacy notices using the Sample Clauses that are

delivered to consumers (either in paper form or by electronic delivery

such as email) or, alternatively, are posted electronically to meet the

annual notice requirement of section --.9(c), would have a safe harbor

for one year. Privacy notices using the Sample Clauses that are

delivered or posted electronically after the one-year transition period

would no longer obtain the safe harbor. Since institutions are required

to send notices annually to their customers, annual notices that are

delivered to consumers (either in paper form or by electronic delivery

such as email) within the transition period would continue to get the

safe harbor until the next annual privacy notice is due one year

later.\46\ The Sample Clauses would be rescinded one year after the

transition period ends.

---------------------------------------------------------------------------

\46\ For example, if an institution provides a notice using the

Sample Clauses on day 361 after the effective date of the rule, it

would continue to have the safe harbor for one year until its next

annual notice is due. If an institution provides a notice using the

Sample Clauses on day 369 after the effective date of the rule, it

would not obtain the safe harbor. Privacy notices using the Sample

Clauses posted on an institution's Web site to meet the annual

notice requirements of section --.9(c) would no longer get the safe

harbor beginning one year after the final rule becomes effective.

---------------------------------------------------------------------------

The Agencies note that the SEC's privacy rule does not provide a

safe harbor for financial institutions that use the Sample Clauses.

Rather, the Sample Clauses provide guidance concerning the SEC privacy

rule's application in ordinary circumstances.\47\ Consistent with this

proposal, the SEC proposes that one year after the end of the

transition period, the Sample Clauses would be rescinded and no longer

provide guidance regarding the rule's application to financial

institutions subject to the SEC's privacy rule.

---------------------------------------------------------------------------

\47\ See SEC privacy rule, section 248.2(a). The facts and

circumstances of each individual situation determine whether use of

the Sample Clauses constitutes compliance with the SEC's privacy

rule.

---------------------------------------------------------------------------

IV. Proposed Effective Dates

The provisions of the final rule will be effective [DATE OF

PUBLICATION OF THE FINAL RULE], with the following exceptions:

Sec. --.6, paragraph (g) will be effective [DATE OF PUBLICATION OF

THE FINAL RULE] until [DATE 2 YEARS AFTER PUBLICATION OF THE FINAL

RULE].

Newly redesignated Appendix B will be effective [DATE OF

PUBLICATION OF THE FINAL RULE] until [DATE 2 YEARS AFTER PUBLICATION OF

THE FINAL RULE].

V. Request for Comments

The Agencies seek comment on all aspects of the proposed model

form. The Agencies also invite commenters to submit any additional

consumer research that may inform the statutory requirements.

Commenters proposing alternative model notices or elements of a notice

should submit any available supporting consumer research and

documentation demonstrating that these alternatives meet the statutory

requirements. The Agencies expect to do additional testing before

finalizing a model form. We solicit comment on particular approaches to

consumer testing for the Agencies to consider.

The Agencies particularly seek comment on the following issues:

A. Content of the Model Form

1. Whether a commenter believes particular aspects of the form are

not clear and conspicuous or comprehensible; and, if so, identify those

aspects and explain in detail the basis for that conclusion.

2. Whether financial institutions can accurately disclose their

information sharing practices by using the standardized provisions and

vocabulary in the proposed model form, including whether the proposed

disclosure table provides a financial institution with sufficient

flexibility to disclose its sharing practices, or any additional

opt-outs it offers, including a detailed explanation of why or why not.

3. The extent to which modifications to the opt-out form are

necessary for a financial institution to describe its information

practices accurately, facilitate consumer use of the opt-out form, or

offer additional opt-outs, including an explanation of the

modifications that could be made to page one and/or page three in

accordance with legal requirements and the intent to keep the table on

the first page of the form.

4. The extent to which financial institutions intend to incorporate

the FCRA section 624 disclosure and opt-out for affiliate marketing in

the model form, with an explanation of why or why not, and the time

period they may offer to consumers for the opt-out period.

5. Whether financial institutions should be required to alert

consumers to changes in an institution's privacy practices as part of

the model form.

B. Format of the Model Form

1. Whether each page of the proposed model form should be required

to be on a separate piece of paper or whether another format could also

allow consumers to readily see all the information in the model form at

the same time.

2. Whether the guidance on easily readable type font in the

instructions is helpful and/or sufficient for institutions that use the

proposed model form.

3. What size paper would be appropriate for the model form while

conforming to the guidance for easily readable type font and layout.

4. Whether financial institutions want to use color and/or logos on

the proposed model form, and the manner and extent to which they would

use them without conflicting with readability of the form and space

requirements.

C. Additional Information

1. The extent to which financial institutions subject to the GLB

Act are likely to use the proposed model form, including a detailed

explanation of why the commenter does or does not expect financial

institutions to use the form.

2. Particular approaches to additional consumer testing of the

model form that the Agencies should consider.

3. The proposal to replace the Sample Clauses with the proposed

model form, including--(1) the transition period after which use of

these clauses no longer qualifies for a safe harbor, or, for

institutions subject to the SEC's privacy rule, guidance concerning the

rule's application and (2) whether the Agencies should retain Sample

Clauses A-1, A-3, and A-7, or develop model clauses to replace those

sample clauses, for use as a safe harbor only by those institutions

that provide the simplified notice described in section --.6(c)(5)

(NCUA 716.6(e)(5)) of the privacy rule.

4. Whether the Agencies should develop a Web-based design for those

[[Page 14956]]

financial institutions that would like to use an electronic version of

the proposed model form, and if so, whether institutions have

suggestions for particular design and/or technical considerations.

5. Whether the Agencies should develop and make available on their

Web sites a readily accessible and downloadable model form with

"fillable" fields for institutions that wish to use the model form to

create their own privacy notices; if so, whether institutions would use

this downloadable model form; and whether it would be useful,

particularly for smaller institutions that want to obtain the safe

harbor.

6. Whether an SEC-regulated entity and an affiliated institution

regulated by another Agency that intend to provide a joint privacy

notice should be able to choose to rely on either the SEC model privacy

form or the model privacy form proposed by the other Agency.\48\

---------------------------------------------------------------------------

\48\ As noted above, see supra notes 26, 33, the SEC model

privacy form provides slightly modified terms on pages one and two

of the model form, which include the range of information typically

collected by brokers, dealers, investment advisers registered with

the SEC, and investment companies.

---------------------------------------------------------------------------

7. The Agencies are aware that many institutions, but not all,

currently request the customer to provide his or her account number or

Social Security number (or other personal information, separately or in

conjunction with such information) in order to opt out, whether by

toll-free telephone, by electronic means such as e-mail, or by regular

mail. Do institutions need that information in order to process opt-out

requests, or would the customer's name and address alone, or the

customer's name, address, and a truncated account number for a single

account, be sufficient to process opt-out requests, including for

customers with multiple accounts at the same institution? Should the

Agencies consider omitting a line for such information on the opt-out

page for the model privacy form in order to better protect customers

and make it easier to opt out? Alternatively, should the opt-out page

on the model form contain a line for a truncated account number or

other identifying information?

The SEC specifically requests the following additional comment from

its regulated entities:

1. Whether the standardized provisions and vocabulary in the

proposed model form for SEC-regulated financial institutions are

sufficient to allow these financial institutions accurately to disclose

their information sharing practices, and specifically on the terms used

in: (a) the description of the types of personal information that may

be collected (in the key frame on page one), and (b) the examples of

sources of information collection (in the FAQ on sharing practices on

page two). The SEC requests that commenters who believe the proposed

terms are not sufficient suggest alternative or additional terms that

would be more accurate and explain why those terms would more

accurately reflect typical information collection and sharing practices

for brokers, dealers, investment advisers registered with the SEC, and

investment companies.

2. Whether institutions should be able to omit certain terms that

may not apply to their information collection practices or their

sources of information.

VI. Regulatory Flexibility Act

The Regulatory Flexibility Act ("RFA"), 5 U.S.C. 601-612,

requires an agency to provide an Initial Regulatory Flexibility

Analysis ("IRFA") with a proposed rule and a Final Regulatory

Flexibility Analysis ("FRFA") with the final rule, if any, unless the

agency certifies that the rule would not have a significant economic

impact on a substantial number of small entities. See 5 U.S.C. 603-605.

Because the use of the model form issued in this proposal is optional,

the Agencies do not expect that the rule will have a significant

economic impact on a substantial number of small entities. However,

because the statute creates a new safe harbor for institutions by

replacing the Sample Clauses in the current rule with a model form, we

have determined that it is appropriate to publish the following IRFA in

order to inquire into the impact of the proposed rule on small

entities.

A. Reasons for the Proposed Action

The Agencies are issuing this proposed rule for comment because the

Regulatory Relief Act specifically requires them, no later than April

11, 2007, to publish for comment a model form that financial

institutions may use as a safe harbor to satisfy their notice

requirements under the Agencies' existing privacy rule.

B. Objectives of, and Legal Basis for, the Proposed Action

The goal of the proposed amendments is to satisfy the requirements

of section 728 of the Regulatory Relief Act, which requires that the

Agencies propose a model form that is comprehensible, clear and

conspicuous