Privacy, Data Protection and Information Management Alert
April 2007
www.klgates.com

New Safe Harbor Privacy Notice Proposed

Authors:
Melanie Brody
+1.202.778.9203
melanie.brody@klgates.com

Henry L. Judy
+1.202.778.9032
henry.judy@klgates.com

Holly K. Towle
+1.206.370.8334
holly.towle@klgates.com

Eight federal regulatory agencies[1] (the “Agencies”) are trying to alleviate over six years of widespread consumer confusion by proposing a model privacy notice form that financial institutions could use to satisfy their disclosure obligations under Title V of the Gramm-Leach-Bliley Act[2] (“GLBA”). On March 29, the Agencies jointly published an interagency proposal[3] (the “proposal” or “proposed rule”) that, if adopted, would:

- Establish an optional model form that financial institutions could use to provide initial and annual privacy notices;
- Provide a safe harbor under GLBA’s notice requirements for institutions that use the form; and
- Replace and sunset the safe harbor currently available under the sample clauses set forth in most of the Agencies’ GLBA privacy regulations.

K&L Gates comprises approximately 1,400 lawyers in 22 offices located in North America, Europe and Asia, and represents capital markets participants, entrepreneurs, growth and middle market companies, leading FORTUNE 100 and FTSE 100 global corporations and public sector entities. For more information, please visit www.klgates.com.
Comments on the proposal are due on or before May 29, 2007. A brief summary of the
proposal and its background follow.
Background
The GLBA requires financial institutions to provide consumers with notices describing
the institutions’ privacy practices and policies. The notices must describe the institutions’
practices with respect to disclosing consumers’ nonpublic personal information to affiliates
and nonaffiliates. The notices also must provide consumers with an opportunity to opt out
of disclosures to third parties that are not authorized by the GLBA’s exceptions (the GLBA’s
exceptions permit disclosures for purposes such as processing transactions, maintaining a
customer’s account and responding to governmental requests). The new proposal refers to
these exceptions as “everyday business purposes”.
Most financial institutions were required to begin issuing privacy notices in July 2001.
Although the implementing regulations[4] issued by the Agencies (collectively, the “privacy
rule”) contain sample clauses that financial institutions can use to comply with the privacy
rule’s content requirements,[5] the attempt by institutions to comply with the GLBA and, in some
states, additional state laws, resulted in long and complex notices. Furthermore, consumers,
privacy advocates and regulators found the notices difficult to understand, even when the
notices used the sample clauses.
[1] The eight agencies are the Office of the Comptroller of the Currency (“OCC”), the Board of Governors of the Federal Reserve System (“Board”), Federal Deposit Insurance Corporation (“FDIC”), Office of Thrift Supervision (“OTS”), National Credit Union Association (“NCUA”), Federal Trade Commission (“FTC”), Commodity Futures Trading Commission (“CFTC”) and Securities and Exchange Commission (“SEC”).
[2] 15 U.S.C. § 6801, et seq.
[3] 72 Fed. Reg. 14940, et seq. (March 29, 2007).
[4] The GLBA directed various federal agencies to issue regulations implementing the GLBA’s requirements. The various agencies’ respective privacy rules are substantially similar.
[5] See Appendix A to the Agencies’ privacy rules.
In December 2003, the Agencies published an
Advance Notice of Proposed Rulemaking to solicit
comments on efforts to improve the GLBA privacy
notices. In 2004, a number of the Agencies hired
an outside contractor to conduct consumer research
for the development of an improved notice. The
Agencies sought to design a notice that is easy to
use and understand, facilitates comparison of sharing
practices across institutions and addresses the notice
requirements of both the GLBA and Fair Credit
Reporting Act[6] (“FCRA”). In October 2006, Congress
passed the Regulatory Relief Act[7], which directs the
Agencies to jointly develop an optional GLBA privacy
notice disclosure form by April 11, 2007. The act
requires that the form be comprehensible to consumers
with a clear format and design; provide for clear and
conspicuous disclosures; enable consumers easily to
identify the sharing practices of a financial institution
and to compare privacy practices among financial
institutions; be succinct; and use an easily readable
type font. The Regulatory Relief Act stipulates that
the model form shall be a safe harbor for financial
institutions that elect to use it.
In response to the foregoing, the Agencies published
their joint proposal in the Federal Register on
March 29, 2007.
Summary of the Proposal
The proposed rule consists of a model form and a
detailed set of instructions for using the form. The
proposal states that use of the model form consistent
with the related instructions constitutes compliance
with the notice content requirements of the privacy
rule. Whether that can be accomplished in fact is a
different question. For example, the FTC version of
the proposed rule expressly provides that “Compliance
with a provided example, to the extent applicable,
constitutes compliance….” In contrast, the SEC
proposed rule gives a greater idea of the complexity
that may result from trying to use the model form in
fact. The SEC notes that the examples only provide
“guidance” in ordinary circumstances, and that “facts
and circumstances of each individual situation,
however, will determine whether compliance with
an example, to the extent practicable, constitutes
compliance….” Coupled with the fact that instructions
for the model form preclude modification except as
described in the rule, and also preclude insertion of
additional information, institutions may ultimately
discover that the model will not work for their more
nuanced circumstances. One way to avoid that
outcome, however, is to review the proposed rule
now and provide comments on any deficiencies. The
Agencies are seeking exactly such comments.

[6] 15 U.S.C. § 1681 et seq.
[7] Pub. L. 109-351 (Oct. 13, 2006); 120 Stat. 1966.
Structure
The proposed model form consists of two or three
pages, depending on whether the financial institution
will offer an opt-out. Each page is to be printed on
its own side of 8.5 x 11 inch paper, so consumers
can view the pages side by side. The opt-out options
and instructions also are on their own page so that
consumers can detach and mail-in the opt-out form
without removing text from the privacy notice. Among
many questions commenters may wish to pursue, and,
indeed, on which the Agencies have invited comment,
is how these rules can be translated for an electronic
environment such as for notices provided on a website.
The existing privacy rules allow website notices[8]
and the federal Electronic Signatures in Global and
National Commerce Act precludes the Agencies from
adopting regulations or guidance that is inconsistent
with provisions of the Act facilitating electronic
commerce.
The first page of the model form contains background
information, a disclosure table and contact information
for the financial institution issuing the notice. The
background information tells the consumer that
federal law requires the financial institution to
send the notice, generically explains the types of
information financial institutions collect and share,
and tells the consumer that some information sharing
is necessary for all institutions. The disclosure table
—which the proposal describes as the “heart” of the
form—purports to allow provision of information
about the particular financial institution’s own sharing
practices. The table contains boxes for the financial
institution to fill in with information reflecting
whether the institution engages in various types of
sharing and whether the consumer can opt out of
them. According to the proposal, research showed that
the table format greatly increased consumers’ ability
to understand an institution’s sharing practices and
any choices the consumer has to limit sharing. It also
allowed consumers to easily compare practices and
choices among institutions. Of course, the question
for institutions is whether the preset choices will meet
their individual needs. If not, comments should be
submitted to the Agencies so that more institutions
will actually be able to use the form.

[8] See, e.g., 16 C.F.R. § 313.3 of the FTC’s rule.
The opt-out choices presented in the disclosure
table are those that are required under (1) GLBA for
sharing with nonaffiliates outside of the everyday
business purposes and joint marketing exceptions,
(2) FCRA for sharing information other than
experience information (e.g., credit reports) among
affiliates, and (3) FCRA, as amended by the Fair and
Accurate Credit Transactions Act[9] (“FACT Act”),
for use of information received from an affiliate for
marketing purposes.[10] The first page of the form also
contains space for the financial institution to fill in its
contact information.
The second page of the model form provides
supplemental information presented in the form of
Frequently Asked Questions and Definitions. This
information is designed to ensure that the model
form includes all elements required by GLBA and the
privacy rule. Financial institutions would be required
to customize various portions of page two with specific
information, presented in italics, about their affiliates
and information sharing practices.
The third page of the model consists of an opt-out form
for use by those institutions that share information in
a manner that triggers opt-out rights under GLBA or
FCRA, or that choose to provide opt-outs beyond
what is required by law.[11] The model form provides
for three methods of opting out—by telephone, on the
Web and by mail. Because GLBA does not require
financial institutions to offer all three choices, the
proposal indicates that institutions can tailor that
part of the form to reflect their actual practices. The
proposed rule contains detailed instructions describing
permissible variations to the form.

[9] Pub. L. 108-159.
[10] Section 624 of the FCRA, as amended by the FACT Act, provides that information shared among affiliates may not be used by the recipient affiliate for marketing purposes unless the consumer has received notice and an opportunity to opt out, and has not opted out. This requirement has not yet been implemented by regulation, but the Agencies have included relevant language in the model privacy notice proposal and are coordinating their efforts with the FACT Act affiliate marketing rulemaking. The affiliate marketing opt-out will not be required to be included in the model form until the FCRA affiliate marketing regulation is finalized and effective. At that time, compliance with the model privacy notice language will be deemed compliance with the FCRA affiliate marketing regulation. 72 Fed. Reg. 14940, 14952, note 29.
Appearance
The Agencies included very specific guidelines on
the type size, leading (i.e., the spacing between lines
of type), type style and x-height (i.e., the height of
the lower case x in relation to full height letters). The
proposal specifically permits a financial institution to
include its corporate logo on any of the pages of the
model form, so long as it does not interfere with the
readability of the model form or the space constraints
of each page. The Agencies propose printing each
page of the model form on one side of an 8.5 x 11 inch
paper, and that the form use white or light color (e.g.,
cream) paper with black or suitable contrasting ink
color. Again, some of these concepts do not necessarily
translate to electronic media so institutions desiring to
provide electronic disclosures may wish to accept the
Agencies’ invitation to comment on what would be an
appropriate translation.
Sample Clauses and Transition Period
As noted above, the privacy rule currently contains
sample clauses that financial institutions can use to
comply with the privacy rule’s content requirements.
Research showed, however, that the sample clauses are
confusing, so the Agencies are proposing to eliminate
them. To ease the compliance burden on those financial
institutions that currently use the sample clauses, the
Agencies are proposing a one year transition period
during which use of the sample clauses will continue
to provide a safe harbor.[12]

[11] For example, institutions may offer consumers an opportunity to opt out of information sharing for joint marketing or to opt out of the institution’s own marketing, neither of which is required under GLBA.
[12] Note that the sample clauses do not provide a safe harbor under the SEC’s privacy rule. Rather, under the SEC’s rule, the sample clauses provide guidance concerning the application of the SEC’s privacy rule in ordinary circumstances. Thus, for institutions subject to the SEC’s privacy rule, the sample clauses will provide guidance—vs. a safe harbor—during the transition period.
Effective Date
If adopted, the proposal would become effective on
the date of its publication, subject to the one year
transition period, during which use of the sample
clauses will continue to serve as a safe harbor (or, in
the case of SEC-regulated institutions, continue to
provide guidance on the rule’s application).
Web Notices
Note that the proposal focuses on paper versions of
financial institutions’ privacy notices. The Agencies
contemplate that institutions that post an electronic
version of their privacy notices could obtain a safe
harbor under the proposal, but request comment on
whether they should develop a Web-based design for
institutions to use on their Internet sites.
Request for Comments
The Agencies are requesting comments on numerous
aspects of the proposal, including the model form’s
content and format. Comments are due on or before
May 29, 2007. We expect that many comments will
focus on permissible variations. For example, the
model form states that “Federal law also requires us
to tell you how we collect, share, and protect your
personal information.” (Emphasis supplied) However,
the form does not provide a vehicle or an indication
of the wording of possible disclosure variations
whereby disclosure concerning information security
can be made. Recent experience is that information
security is a critical concern for consumers. As an
additional example, the model form appears to give
the consumer only an all-or-none option with respect
to sharing information with affiliates, that is, there
does not appear to be a permissible variation whereby
the consumer can elect to share with some affiliates
and not with others.
Other possibilities for comments abound. For example,
the GLBA allows states to enact consistent, but more
protective, legislation. How can an institution use
the model form in such states given the Agencies’
mandate not to change the form or include additional
information? Do the Agencies view all the existing and
future state laws as already addressed by the model
form and if not, how can an institution use the model
and also address state law? Similarly, if the standard
form language does not accommodate a nuance that
an institution would ordinarily make to avoid possible
claims of noncompliance or unfair or deceptive acts
or practices, must the institution forego use of the
model form? A “yes” answer will be ironic given that
a significant reason current privacy notices are long
and complex is the legal need of institutions to avoid
such claims, i.e., the goals of short, simple forms and
absolutely accurate disclosures are not compatible.
Accordingly, it will be important for the Agencies
to explain the role the model form will serve when
institutions are required to satisfy these competing
and conflicting goals.
Institutions should carefully compare their current
practices to see whether they can be accommodated
within the structures of the model form. If you would
like assistance with commenting on the proposal,
please let us know.
K&L Gates comprises multiple affiliated partnerships: a limited liability partnership with the full name Kirkpatrick & Lockhart Preston Gates Ellis
LLP qualified in Delaware and maintaining offices throughout the U.S., in Berlin, and in Beijing (Kirkpatrick & Lockhart Preston Gates Ellis LLP
Beijing Representative Office); a limited liability partnership (also named Kirkpatrick & Lockhart Preston Gates Ellis LLP) incorporated in England
and maintaining our London office; a Taiwan general partnership (Kirkpatrick & Lockhart Preston Gates Ellis) which practices from our Taipei
office; and a Hong Kong general partnership (Kirkpatrick & Lockhart Preston Gates Ellis, Solicitors) which practices from our Hong Kong office.
K&L Gates maintains appropriate registrations in the jurisdictions in which its offices are located. A list of the partners in each entity is available
for inspection at any K&L Gates office.
This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used
or relied upon in regard to any particular facts or circumstances without first consulting a lawyer.
Data Protection Act 1998—We may contact you from time to time with information on Kirkpatrick & Lockhart Preston Gates Ellis LLP seminars
and with our regular newsletters, which may be of interest to you. We will not provide your details to any third parties. Please e-mail london@klgates.com if you would prefer not to receive this information.
©1996-2007 Kirkpatrick & Lockhart Preston Gates Ellis LLP. All Rights Reserved.