On May 20, 2009, the period for public comment closed on a proposal for a model privacy form for financial institutions under the Gramm- Leach-Bliley Act (GLBA). If enacted, the form would provide a safe harbor that financial institutions could adopt to satisfy their obligations under GLBA.
The proposal addresses concerns that arise out of the diversity of forms on which financial institutions currently rely to satisfy disclosure obligations under GLBA. Financial institutions are generally required to provide privacy notices when a relationship is first established with a customer and on an annual basis thereafter.
The notice can take any form, and is sufficient as long as it provides a “clear and conspicuous notice to customers that accurately reflects [the institutions'] privacy policies.” The result has been long and complex notices that are difficult to understand and difficult to compare across institutions.
Under the Financial Services Regulatory Relief Act of 2006, a group of eight federal agencies were tasked with addressing these concerns through a uniform model form for disclosures under GLBA. Congress's stated goal was to have the agencies develop a notice that would be “(A) [c]omprehensible to consumers, with a clear format and design; (B) [p]rovide for clear and conspicuous disclosures; (C) [e]nable consumers easily to identify the sharing practices of a financial institution and to compare privacy practices among financial institutions; and (D) [b]e succinct, and use an easily readable type font.”
Following a notice of proposed rulemaking on March 29, 2009, the agencies collectively proposed a three-page model privacy form. The form consists of a standardized disclosure page containing common practices with corresponding boxes where an individual institution can indicate whether it shares personal information in the circumstances described and whether a consumer can opt out of the institution’s practices. The form also includes a second page listing frequently asked questions and an optional third page for institutions offering optout rights.
The most recent round of public comment follows quantitative testing of the effectiveness of the proposal. The study, conducted by an outside consultant, was designed to evaluate whether the model privacy form would better enable (1) comparisons across institutions; (2) the evaluation of opt-out choices; and (3) informed decision making. The results of the testing were made available to the public on April 15, 2009, at which point the period for public comment reopened until May 20.
The FTC, one of the agencies involved in developing the model privacy form, has predicted that a final version of the form will be released in August 2009.