On March 29, 2007, the six federal agencies (“Agencies”) responsible for implementing the privacy provisions of the Gramm-Leach-Bliley Act (“GLB Act”) published a proposed rule to implement a new safe harbor model privacy form for financial institutions to provide disclosure under the GLB privacy rules and phase out the current model language (“Sample Clause”) and safe harbor. The Agencies invite comments, due May 29, 2007, on several specific issues regarding the model privacy form including the content and format of the model form, the transition period from the Sample Clause to the new form, and authentication and opt-out practices.
The GLB Act requires financial institutions to provide an annual notice to customers regarding their privacy policies and practices. The notice must disclose the types of nonpublic personal information collected about customers, disclose how it is shared with affiliated and nonaffiliated third parties, and instruct customers on how they may opt out from certain information sharing. A financial institution may create its own privacy notice incorporating notice-content requirements or model its notice after the Sample Clause, and thereby avail itself of a safe harbor indicating that the financial institution has complied with the privacy content requirements. The proposed model privacy form would replace the existing model language and substitute a new safe harbor.
The need for a new model privacy form was identified through a consumer research initiative by which the Agencies found privacy notices to be incomprehensible or unclear and inconspicuous. The Agencies developed the proposed model privacy form to aid consumers’ comprehension of privacy disclosures through clear and conspicuous notice. The Agencies’ proposal would allow institutions to continue to use the Sample Clause, or develop an alternative notice that includes the required privacy-related content, but a financial institution would not be able to take advantage of the safe harbor unless it adopts the new privacy model form exactly as provided by the new rules. The new safe harbor would become effective upon the publication of the final rule. Financial institutions would have one year to transition to the new privacy model form, after which time the safe harbor associated with the Sample Clause would no longer be available.
The proposed new form would have either two or three pages depending on whether the financial institution provides an opt out. Page one would be comprised of four main sections: 1) the title; 2) the “key frame,” which describes the required disclosures; 3) an explanation of the types of information sharing permitted by federal law, which of these types of sharing the financial institution actually does, and whether consumers may elect to opt out of each type (regardless of whether a particular financial institution shares information, it must still describe the practice); and 4) the financial institution’s contact information.
Page two would provide supplemental information and a definition section to more thoroughly explain a financial institution’s information sharing practices. Page three would be the opt-out form, which is required only if the financial institution uses or shares information in a way that triggers an opt-out notice under federal law, or if it has adopted an opt-out policy beyond what is required by federal law.
To qualify for the safe harbor, financial institutions must not vary from the content or form of the privacy model form. A financial institution, however, may add corporate information in the appropriate fields of the notice. For instance, company name, contact information or names of affiliates may be added to the form. Financial institutions also would be permitted to include a corporate logo, provided that the logo does not interfere with the readability of the notice.