Complaints about the complexity and ineffectiveness of privacy notices required by the Gramm-Leach-Bliley Act (GLB) have been prevalent since the notices were first required in July 2001. In response to these complaints, and legislation directing them to do so, the eight federal agencies charged with enforcing GLB began a long-running effort to develop a notice format that businesses could use and consumers could easily read and understand. After years of research and consumer testing, the agencies released a new proposed model form today.
The model forms will not be mandatory, but will provide a safe harbor for companies that need to comply with the GLB notice and opt-out provisions. The GLB privacy provisions cover any company that is significantly engaged in “financial activities,” a term that is broadly defined in the act. These companies must notify consumers of certain information practices and allow consumers to prohibit the companies from sharing their personal information with nonaffiliated third parties for marketing purposes.
The proposed notice departs significantly from the model clauses in the existing rule. The proposed model notice includes an initial page summarizing the company’s information practices in a standardized dashboard format. Page two of the proposed notice provides additional details on information sharing practices required by GLB along with several definitions of key terms. Page three provides consumers with information on opt-outs and a way for consumers to exercise those rights. Companies that do not share any information that requires offering an opt-out will not have to include the third page of the notice.
Significantly, the model form will also allow companies to meet their notice and opt-out requirements for sharing data with affiliates under the Fair Credit Reporting Act (FCRA). Under the FCRA, companies must notify consumers of any intention to share certain information with affiliates for marketing purposes. Companies must also provide consumers with the ability to opt out of this use of the information. The agencies are developing rules that would more fully address the affiliate sharing restrictions, but intend for this model form to be one way to meet those notice and opt-out requirements.
Under the proposed rule, the notice will need to be printed on three single-sided pieces of 8.5 x 11 paper and be printed in an easily readable type font to qualify for the safe harbor. The introduction to the rule contains specific recommendations for typefaces and font size.
Once the proposed rule is published in the Federal Register, which should happen in the next two weeks, interested parties will have 60 days to comment on the model notice forms. Companies covered by GLB should review the proposed rule and determine whether adoption of the new form raises concerns. In particular, the agencies are seeking comments on whether:
- companies are likely to use the proposed model form;
- companies can accurately disclose their information sharing practice on the form;
- the opt-out portion of the form requires modification;
- companies will incorporate the disclosures and opt-outs they may be required to make under the FCRA into the form;
- companies should be required to alert consumers to changes in their privacy practices as part of the model form; and
- the form must be printed on three separate pieces of 8.5 x 11 paper.
The agencies intend for the rule to go into effect as soon as it is published in final form, which will allow companies to immediately switch to the new format. The safe harbor for companies using the current model clauses will remain in effect for one year following the publication of the final rule, after which those companies can no longer be assured of compliance with GLB unless they switch to the new model form.