On November 17, 2009, the Federal Trade Commission (“FTC”) and seven other federal regulatory agencies jointly released the Final Model Privacy Form Under The Gramm-Leach-Bliley Act (the “Final Rule”)¹, which became effective on December 31, 2009. The Final Rule (i) adopts a new optional model privacy form (the “Model Form”) that provides a legal safe harbor to financial institutions (including private funds) electing to use it and (ii) amends the Privacy of Consumer Financial Information (“Privacy Rule”)² issued by the FTC, which governs the privacy notice obligations of private funds.
Since many private funds deliver their annual privacy notices with their annual reports, private funds should take this time to review and update their privacy notices to make sure they are in compliance with the Privacy Rule in light of the Final Rule and relevant state data privacy regulations.³
The Model Form
Background. Private funds are required under the Privacy Rule to provide their individual investors (i.e., investors who are natural persons) with initial and annual notices disclosing the funds’ privacy policies and practices. To ease the compliance burden, Section 728 of the Financial Services Regulatory Relief Act of 2006⁴ directed the FTC and other federal regulatory agencies to jointly develop a model privacy form that financial institutions may rely on as a safe harbor. Such efforts culminated in the Model Form adopted by the Final Rule.
Limitations of Model Form. While the Model Form provides a legal safe harbor, its standardized format⁵ may limit a fund’s ability to accurately reflect its privacy policies and practices. For example, fund-specific information may not be inserted into the Model Form and funds must choose from a limited set of examples with respect to the types of nonpublic personal information they collect and share. Furthermore, while the disclosure table in the Model Form may more clearly display a fund’s information sharing practices, it requires a fund to list all categories of disclosure rather than only those that are applicable to it. Private funds should carefully consider whether the adoption of the Model Form is appropriate for their circumstances.
Adoption of Model Form is Optional. The Final Rule affirms that the use of the Model Form is optional. Private funds may continue to use other types of notices, such as “simplified notices,”⁶ that vary from the Model Form as long as the notices comply with the Privacy Rule, the amendments to which are discussed below.
Do You Need to Update Your Existing Privacy Notice?
Elimination of Sample Clauses. Many privacy notices are currently based on the language provided in the Sample Clauses.⁷ With the introduction of the Model Form, (i) the safe harbor currently given to notices based on Sample Clauses will no longer be available to notices delivered after December 31, 2010 and (ii) the Sample Clauses will be removed from the Privacy Rule altogether, effective as of January 1, 2012. The Privacy Rule further states that compliance with the examples provided therein, to the extent applicable, constitutes compliance with the Privacy Rule. As such, private funds that decide not to adopt the Model Form should consider updating their privacy notices so that the language is more aligned with the language in the examples provided in the Privacy Rule rather than in the Sample Clauses.
Other Amendments. Under the Privacy Rule, privacy notices delivered after December 31, 2010 can no longer rely on the language “as permitted by law” when describing disclosures made to nonaffiliated third parties as authorized under §§ 313.14 and 313.15 of the Privacy Rule. Rather, the Privacy Rule states that “it is sufficient to state that you make disclosures to other nonaffiliated companies for everyday business purposes, such as to process transactions, maintain accounts, respond to court orders and legal investigations, or report to credit bureaus.”
Grace Period for Delivery of the Updated Privacy Notice
Grace Period. If a private fund delivers a privacy notice on or before December 31, 2010 that (i) is based on the Sample Clauses and/or (ii) contains the “as permitted by law” language, it will receive a one-year grace period (i.e., the fund does not need to deliver an updated privacy notice reflecting the Privacy Rule until its next annual notice is due in 2011).
Nevertheless, private funds should review and update their privacy notices as soon as practicable.