On April 15, 2009, the Securities and Exchange Commission ("SEC") reopened the period for public comment on proposed amendments to Regulation S-P, which implements the privacy provisions of the Gramm-Leach-Bliley Act ("GLB Act") that were originally proposed March 20, 2007 (the "Original Proposal"). In the Original Proposal, the SEC and several other agencies issued a joint proposal for a "model privacy form" that financial institutions may use to meet the agencies' requirements for delivery of privacy notices to consumers. Use of the model form ("Form S-P" under the SEC's rules) would be optional. However, if Form S-P is adopted, institutions adhering to the model form (which includes detailed requirements for the content and format of the notices) would enjoy a "safe harbor" with respect to compliance with relevant privacy notice requirements. The SEC reopened the comment period mainly to allow public review and comment on the results of an outside consultant`s "quantitative testing to evaluate the effectiveness of four different types of privacy notices."
While the model form would provide a safe harbor, institutions could continue to use other types of notices that vary from the model form so long as these notices comply with the relevant agency privacy rule. However, if the model is adopted, institutions that now use notices based on the "Sample Clauses" currently contained in the agencies' privacy rules would no longer be able to rely on the Sample Clauses for more than one year following publication of a final rule adopting the model form. SEC Release Nos. 34-59769, IA-2866, IC-28697 ("Release"). The Original Proposal is contained in Release Nos. 34-34-55497; IA-2598; IC-27755 (the "Original Release"), which is available at www.sec.gov/rules/proposed/2007/34-55497.pdf.
Under the reopened comment period, comments on the proposal are due on or before May 20, 2009. Certain highlights of the Release (and the Original Release) are summarized below.
The privacy provisions of the GLB Act (captioned Disclosure of Nonpublic Personal Information) require each financial institution to provide a notice of its privacy policies and practices to its "customers" who are "consumers." In general, the privacy notices must describe a financial institution's policies and practices with respect to disclosing nonpublic personal information about a consumer to both affiliated and nonaffiliated third parties. The notices also must provide a consumer with a reasonable opportunity to direct the institution generally not to share nonpublic personal information about the consumer (that is, to "opt out") with non-affiliated third parties, other than as permitted by the statute. The privacy notices must also provide, where applicable under the Fair Credit Reporting Act ("FCRA"), a notice and an opportunity for a consumer to opt out of certain information-sharing among affiliates.
The various agencies charged with regulating financial institutions adopted rules to implement these provisions, which require (among many other things) financial institutions to provide a privacy notice to their customers no later than when a customer relationship is formed, and annually for as long as the relationship continues. The relevant agencies are the Office of the Comptroller of the Currency, Treasury; Board of Governors of the Federal Reserve System; Federal Deposit Insurance Corporation; Office of Thrift Supervision, Treasury; National Credit Union Administration; Federal Trade Commission; Commodity Futures Trading Commission; and the SEC (collectively, the "Agencies"), and financial institutions were first required, pursuant to the rules, to distribute privacy notices to their customers by July 1, 2001. These notices, which must accurately reflect the institution's information collection and disclosure practices, are required to contain specific information, including:
- The categories of nonpublic personal information that the institution collects
- With respect to both current and former customers, the categories of nonpublic personal information that it discloses and the categories of affiliates and nonaffiliated third parties to whom it discloses such information, other than as permitted by certain specified exceptions
- Where the institution relies on an exception to share nonpublic personal information relating to joint marketing, the categories of information disclosed, and the categories of third parties with which the institution has contracted
- Where applicable, an explanation of the consumer's right to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, and the methods by which the consumer may opt out
- Disclosures made under the FCRA pertaining to the ability to opt out of certain sharing with affiliates and the applicable opt-out notice
- The institution's policies and practices with respect to protecting the confidentiality and security of nonpublic personal information
- Where applicable, a statement that the institution discloses nonpublic personal information to nonaffiliated third parties pursuant to specified exceptions
Currently, the Agencies' privacy rules do not prescribe any specific format or standardized wording for these notices. Instead, institutions may design their own notices based on their individual practices, provided they comply with the law and meet the "clear and conspicuous" standard in the statute and the privacy rules. However, there is currently an Appendix to the privacy rules that contains model language (Sample Clauses) that institutions may use in privacy notices to satisfy the privacy rule. As noted above, if the model form is adopted, institutions would no longer be able to rely on use of the Sample Clauses to comply with privacy rule requirements.
Noting that the initial privacy notices of financial institutions were long and complex, and were the subject of "broad-based concerns expressed by representatives of financial institutions, consumers, privacy advocates, and members of Congress," the Original Release goes on to describe the Agencies' multi-year efforts to consider how financial institutions could provide more useful privacy notices to consumers. Those efforts included, among others, a consumer research project (the "Notice Project"), the goals of which were to identify barriers to consumer understanding of privacy notices and develop an alternative privacy notice, or elements of a notice, that consumers could more easily use and understand. In the midst of these efforts, on Oct. 13, 2006, the Financial Services Regulatory Relief Act of 2006 ("Act") became law. The Act directs the Agencies to "jointly develop a model form which may be used, at the option of the financial institution, for the provision of disclosures under [section 503 of the GLB Act]." The Act stipulates that the model form shall be a "safe harbor" for financial institutions that elect to use it, and directs that the model form shall:
- Be comprehensible to consumers, with a clear format and design
- Provide for clear and conspicuous disclosures
- Enable consumers easily to identify the sharing practices of a financial institution and to compare privacy practices among financial institutions
- Be succinct, and use an easily readable type font
The Agencies were required to propose a model form for public comment by April 11, 2007, which they did through the Original Proposal.
The Proposed Model Form
Based on the directives in the Act, as well as the research conducted as part of the Notice Project, the Agencies proposed in the Original Proposal to adopt a model privacy notice, which they believe "meets all the requirements of the Act and is easier to understand than most privacy notices currently being disseminated." The Original Release includes samples of completed model notices.
The model notice would be a standardized form, not only with respect to content and wording, but also with respect to such matters as page layout, format, style, pagination, and shading. No other information may be included in the model form, and it could only be modified to the limited extent specifically permitted in the Instructions to the form. Thus, the ability to customize the model form will be very limited. (For example, a financial institution may include a corporate logo on any page of the notice, but only "so long as it does not interfere with the readability of the model form or the space constraints of each page.")
The proposed model form has either two or three pages, depending on whether the financial institution provides an opt-out, each page being set up in a table-like format. Each page of the model form would have to be printed separately on (and only on one side of) an 8.5 by 11 inch piece of paper. The Agencies acknowledged that "The laws governing the disclosure of consumers' personal information are not easily translated into short, comprehensible phrases that are also legally precise. Thus, the table in some cases uses more easily understandable short-hand terms to describe sharing practices required to be in the notice." The language used in the disclosure table is based on findings of a private research report commissioned by the Agencies (which took the contractor approximately 18 months to complete). According to the Original Release, "The simplified phrases describing information sharing practices were continually refined through the consumer testing process to allow consumers to better understand the information sharing and use possibilities."
- Page 1 of the proposed model form has four parts:
- The title
- An introductory section called the "key frame," which provides context to help the consumer better understand the required disclosures
- A table that describes the types of sharing that federal law allows, which of those types of sharing the institution actually does, and whether the consumer can opt out of any type of the institution's sharing
- The institution's contact information
- Page 2 of the proposed model form provides additional explanatory information that, in combination with page 1, ensures that the notice includes all elements described in the GLB Act as implemented in the privacy rules. There is supplemental information in the form of Frequently Asked Questions at the top and definitions below.
- Page 3 of the proposed model form provides an opt-out form, for use by those financial institutions that share in a manner that triggers consumer opt-out rights under the GLB Act or FCRA. Institutions that use the proposed model form must include page 3 in their notices only if they:
- Share or use information that triggers an opt-out; or
- Choose to provide opt-outs beyond what is required by law
Aside from requirements applicable to content and wording, the model form would have requirements with respect to format. These would include:
- Easily readable type font. "Financial institutions that use the model form must use an easily readable type font. Easily readable type font includes a minimum of 10-point font and sufficient spacing between the lines of type [i.e., "leading"]."
- Page size and orientation. "Each page of the model form must be printed on one side of an 8.5 by 11 inch paper in portrait orientation."
- Color. "The model form may be printed on white or light color paper (such as cream) with black or suitable contrasting color ink. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract from the readability of the model form."
Even on elements of format where the proposal does not include specific requirements, the Original Release sets out particular recommendations. Thus, the Original Release includes the following statements regarding these matters:
The Agencies are not mandating a particular type style or x-height in order for a financial institution to obtain a safe harbor. Nevertheless, based on the research, the Agencies are providing these general guidelines for type style in the model form: For typefaces with a smaller x-height, 11- or 12-point font should be used; for typefaces with a larger x-height, a 10-point font would be sufficient. Fonts that satisfy the type style and x-height guidelines for the proposed model form include sans serif fonts such as Tahoma, Century Gothic, Myriad, Avant Garde, BK Avenir Book, ITS Franklin Gothic, Arial, and Gill Sans, and serif fonts such as the Chaparral Pro Family, Minion Pro, Garamond, Monotype Bodoni, and Monotype Century.