Starting on January 1, 2011, “financial institutions” subject to the federal Gramm-Leach-Bliley Act (the “GLB Act”) will have to use new model privacy forms if they want to take advantage of a “safe harbor” for compliance with requirements for providing initial and annual privacy notices to customers. The model privacy forms will replace the sample clauses associated with an existing safe harbor that expires at the end of 2010. As a result, organizations – ranging from banks to credit counseling agencies to payday lenders to travel agencies to debt collectors – will need to update their privacy notices in order to rely on the safe harbor.
The privacy rules under Title V of the GLB Act, which became effective July 1, 2001, require “financial institutions,” including banks and nonbank companies that engage in “financial activities” such as lending, brokering, consumer loans, money transmission, providing financial advice or credit counseling, and various other activities, to provide initial and annual privacy notices to their customers.
These privacy notices must describe the “financial institution’s” policies and practices with regard to disclosing nonpublic personal information to both affiliated and nonaffiliated third parties. Privacy notices also must include relevant opt-outs under the Fair Credit Reporting Act (the “FCRA”).
The privacy rules do not require that the notice be in a particular format. Rather, “financial institutions” can design their own notices based on their own practices, provided they comply with the standards in the GLB Act and privacy rules. The privacy rules have contained sample clauses that many institutions have used to comply with the privacy rules; the safe harbor based on those clauses is set to expire on December 31, 2010.
New Model Privacy Forms
In 2009, the Board of Governors of the Federal Reserve System, Commodity Futures Trading Commission, Federal Deposit Insurance Corporation, Federal Trade Commission, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision, and Securities and Exchange Commission published final regulations amending their respective privacy rules implementing the GLB Act to issue model privacy notices.
The new model privacy notices are intended to be more comprehensible to consumers: they have a clear format and design and an easy-to-read font, provide clear and conspicuous disclosures, and allow consumers to easily compare the privacy practices of different financial institutions. The model privacy form also addresses opt-outs under the FCRA.
One of the advantages of using the model form is that if fully implemented and prepared pursuant to the directions, the adoption of the model notice by a “financial institution” is considered a legal safe harbor, fully satisfying the disclosure requirements for privacy notices. Also, the federal agencies eliminated the safe harbor under the prior regulations based on the sample clauses for privacy notices; this change is effective on January 1, 2011. “Financial institutions” may continue to use their existing privacy notices, based on the sample clauses or otherwise, but there would be no safe harbor under the rules unless they adopt the new format exactly as provided for in the rules.
There are three versions of the model privacy form: (1) a model form with no opt-out; (2) a model form with opt-out by telephone and/or online; and (3) a model form with opt-out by mail.
Finally, the agencies each amended their privacy rule to allow an alternative statement when an institution shares information in a manner that does not require providing an opt-out notice. This language would replace the commonly used phrase, “as permitted by law.” Moreover, the FTC revised its rule to require more specific disclosures in place of that now ubiquitous phrase when a “financial institution” under its jurisdiction does not use or share information in a way that requires an opt-out notice.
* * * * * * *
“Financial institutions” have been obligated to provide privacy notices for almost 10 years now. Covered entities should evaluate their consumer information data collection practices and privacy notices to ensure that these practices are disclosed sufficiently on an ongoing basis. Entities that have been using the previous safe harbor language likely will want to revise the text and format of their initial and annual privacy notices in order to take advantage of the new safe harbor to satisfy the GLB Act’s disclosure requirements.