After years of discussion, the federal agencies[i] charged with enforcement of the privacy provisions under the Gramm-Leach-Bliley Act (GLBA) have completed a proposed rule setting forth a new safe harbor model privacy form that financial institutions could use to provide disclosures under the GLBA. The Agencies seek comment on all aspects of the proposed model form in addition to comment on specific questions.
As discussed in more detail below, the proposed model form is a radical departure from the privacy notices that most financial institutions have been providing and would likely result in added delivery costs, as well as the potential for increased consumer opt-outs and higher risk exposure. The information contained in the model form is highly standardized, permitting very little variation and little to no explanation regarding the institution’s own privacy practices that might inform a consumer’s choice regarding information sharing. At the same time, there would be a strong countervailing incentive to adopt use of the model form to achieve safe harbor protection because the safe harbor for use of the sample clauses in the existing privacy regulations would be phased out and the sample clauses themselves would eventually be eliminated.
Comments will be due on May 29, 2007.
Since nearly the inception of the requirement to provide privacy notices under the GLBA regulations, the Agencies, financial institutions and consumer groups alike have voiced concerns that privacy notices were too long and complex, and that consumers neither read nor understood them.[ii] To address these concerns, on December 30, 2003, the Agencies published an Advance Notice of Proposed Rulemaking to consider alternative forms of privacy notices and sought comment on the appropriate format, elements and language that would make privacy notices more accessible, readable and useful.[iii] Following the close of the comment period, six of the Agencies launched a two-phase consumer research project aimed at identifying barriers to consumer understanding of current privacy notices and developing an alternative privacy notice or elements of a notice that consumers could more easily use and understand. The Agencies retained Kleimann Communication Group, Inc. (Kleimann), a consumer research firm, to conduct the first phase of the project—qualitative research to develop a proposed model form. That research consisted of focus groups and individual consumer interviews aimed at testing variations in vocabulary, ordering of content and format in order to develop a more comprehensible and usable privacy notice. In March 2006, the Agencies released a report by Kleimann detailing the methodology and results of its research and setting forth a privacy notice prototype.[iv]
On October 13, 2006, Congress enacted the Financial Services Regulatory Relief Act, which required the Agencies, among other things, to “jointly develop a model form which may be used, at the option of the financial institution, for the provision of [GLBA] disclosures.”[v] Congress charged the Agencies with releasing a proposed model privacy form by April 11, 2007, that would (1) be comprehensible to consumers, with a clear format and design; (2) provide for clear and conspicuous disclosures; (3) enable consumers to easily identify the sharing practices of a financial institution and to compare privacy practices among financial institutions; and (4) be succinct and use an easily readable type font.[vi]
The Proposed Model Form
The proposed model form reflects the research findings set forth in the Kleimann report and is intended to achieve the goals of comprehension, comparison and compliance. Use of the model form would be entirely voluntary, and achievement of safe harbor status would depend on rigorous adherence to the content and format requirements discussed below and set forth in the proposed rule.
Content. The content of the model form is highly standardized, providing very little room for individual variation based on an institution’s actual information collection and disclosure practices. The form is divided into three pages:
- The first page contains a title bar, the institution’s contact information and the “key frame”—an introductory section with standardized, generic language regarding the categories of personal information generally collected by financial institutions and a description of reasons why an institution may share that information. Other than to insert its name and contact information, an institution may not customize these parts of the notice. In addition, the first page contains a disclosure table that generically describes the types of sharing federal law allows, lists in yes/no format whether the particular institution participates in that type of sharing, and, in yes/no format, whether the individual has a right to opt out of that type of sharing. The description of the types of sharing permitted under federal law is also standardized and may not be customized by the financial institution except to add additional opt-outs beyond those required under federal law (for example, an opt-out for the institution’s own marketing). The customization is otherwise limited to filling in the appropriate yes/no responses in the table. The disclosure table is considered by the Agencies to be the critical feature of the notice for comprehension and comparability, and one of the most important elements of the model form.
- The second page of the notice consists entirely of a title, frequently asked questions on sharing practices and a set of layman’s definitions of key terms. Again, very little customization is permitted on this page, with the exception of the insertion of the financial institution’s name and the insertion into relevant definitions of descriptions of the financial institution’s affiliates, categories of nonaffiliates with which the institution shares information and categories of joint marketing partners. The FAQs are not customizable even if the generic description of information collection practices and information safeguards that they contain does not accurately describe the institution’s actual practices.
- The third page contains the opt-out notice. Only institutions that provide an opt-out notice (either because they are required to do so by virtue of their privacy practices or because they voluntarily choose to provide an opt-out choice to consumers) are required to provide this page of the model form. As with the first two pages, only extremely limited customization is permitted.
Because of this rigidity, the model form may not accurately reflect the information practices of an individual financial institution. For example, the description of information collection practices in the model form is standardized and does not permit variation; however, it may not include the full range of information collected by a particular financial institution. If the financial institution then shares information that is not described accurately in the model notice pursuant to a consumer opt-out or otherwise, there is some risk that it could expose itself to liability under state law, including unfair and deceptive trade practices statutes, for the disclosure.
Additionally, because the model form does not permit an institution to provide an explanation of its particular reasons for sharing information or the benefits that consumers may receive as a result of information disclosure, it may result in a higher opt-out rate than currently experienced.
The Agencies seek comment on the content of the model notice. In addition, they seek comment regarding whether financial institutions should be required to alert consumers to changes in an institution’s privacy practices as part of the proposed model form.
Format. The proposed rule includes a number of formatting requirements and guidelines. The Agencies propose a requirement that the model notice be printed on two (if no opt-out is required) or three (if an opt-out is required) separate sheets of 8.5” x 11” paper. This requirement is intended to facilitate easy comparison among privacy notices, but it is likely to increase delivery costs for institutions that currently provide privacy notices in a more condensed form. The Agencies specifically seek comment on other formats that could achieve the goals of readability and ease of use.
Additionally, the proposed rule would limit the color of the paper and ink used for privacy notices, specifying that notices be printed on white or light-colored paper with black or suitable contrasting-colored ink, with only spot color included to the extent that it does not detract from readability. The institutions may, however, include a corporate logo, provided that the logo does not interfere with the readability of the model form or space constraints of each page.
The model form was developed in hard-copy format, but the Agencies specify that safe harbor coverage may be available for electronic privacy notices as well. Recognizing that a number of financial institutions currently provide privacy notices electronically, the Agencies stated that they contemplate that posting a downloadable PDF version of the model form “may obtain a safe harbor,” but request comment on whether a separate web-based design should be developed.
Optional Use and Effective Dates. It is important to reiterate that use of the model form would not be mandatory for GLBA compliance. Rather, institutions would have the option of using the model form (and coming within the safe harbor) or electing to use other types of notices that vary from the model form but are otherwise in compliance with the privacy regulations. However, at the same time, the Agencies are proposing to eliminate not only the safe harbor associated with the sample clauses currently in the privacy regulations, but also the very clauses themselves. In fact, the Agencies declare that “[r]esearch to date indicates the language in the Sample Clauses is confusing.” In light of this declaration, financial institutions currently using the sample clauses would likely face a steep uphill battle to demonstrate that their privacy notices are “clear and conspicuous” as required under the regulation.
Although the proposed rule provides that the safe harbor for financial institutions using the model form would be effective upon publication of the final rule, it also provides for a one-year transition period during which the safe harbor for use of the sample clauses in the existing regulations would continue to apply. The sample clauses themselves would not be rescinded until one year after the transition period ends, and hard-copy annual notices provided during that period would continue to fall within the safe harbor until the next annual notice was due one year later. The effect of the various dates is illustrated in an example set forth by the Agencies:
[I]f an institution provides a notice using the Sample Clauses on day 361 after the effective date of the rule, it would continue to have the safe harbor for one year until its next annual notice is due. If an institution provides a notice using the Sample Clauses on day 369 after the effective date of the rule, it would not obtain the safe harbor.
However, if an institution provides web-based annual notices, its use of the sample clauses would not be eligible for the safe harbor beginning one year after the final rule becomes effective.
As a practical matter, the Agencies are unlikely to issue a final rule at any time in the near future. The Agencies have indicated their expectation to conduct the second phase of consumer testing after receipt of comments in response to the proposed rule and prior to releasing a final rule. Nevertheless, in light of the rigidity of the current proposal, the elimination of the safe harbor upon which most institutions have been basing their privacy notices, and the added costs entailed by the proposed model form, financial institutions may wish to submit comments in response to the proposed rule.
[i] The federal agencies charged with enforcement of the GLBA include: the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, the National Credit Union Administration, the Securities and Exchange Commission, and the Federal Trade Commission (collectively referred to as the Agencies).
[ii] The GLBA privacy regulations went into effect in November 2000 and, by the very next year, the Agencies held a workshop to address concerns regarding the effectiveness and clarity of privacy notices. See Interagency Public Workshop, Get Noticed: Effective Financial Privacy Notices (Dec. 4, 2001), available at http://www.ftc.gov/bcp/workshops/glb/index.html.
[iii] Interagency Proposal to Consider Alternative Forms of Privacy Notices Under the Gramm-Leach-Bliley Act, 68 FR 75164 (Dec. 30, 2003).