As we previously reported, last fall the Federal Trade Commission (FTC) and the Federal Banking Agencies (the Federal Reserve Board, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, Office of Thrift Supervision, and National Credit Union Administration) published a final rule that provides consumers with the opportunity to opt out of receiving marketing solicitations from one company using information provided by an affiliated company (the two companies are “affiliates”) to market its products and services to the consumer.1 The rule applies to any company or person that uses “eligibility information” from its affiliates for the purpose of marketing to consumers, or provides “eligibility information” to its affiliates for the purpose of marketing to a consumer. Therefore, the affiliate marketing rules apply to a much broader array of entities and persons than even the Gramm-Leach-Bliley Act (GLBA) privacy notice provisions, and can apply to many non-financial retailers and commercial companies if they use consumer information they received from their affiliates for marketing purposes.
The final rule implements the affiliate marketing provisions of Section 624 of the Fair Credit Reporting Act (FCRA).2 Section 214 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) amended the FCRA to include the Section 624 affiliate marketing provisions. Though there is substantial overlap with the affiliate sharing provisions of Section 603(d) of FCRA, the affiliate marketing provisions of Section 624 regulate the use of certain “eligibility information” received by an affiliate, rather than the sharing of certain information by or among affiliates. This rule and Section 624 do not amend a consumer’s existing right to opt out of the sharing of nontransaction or experience information under Section 603(d) of the FCRA. The final rule generally tracks the statutory limitations on the use of “eligibility information”, clarifies certain definitions and provides both examples and certain sample forms that covered entities may (but are not required to) rely upon.
“Eligibility information” is defined in the final rule as information that would normally be considered a “consumer report” but for the exclusions in Section 604(d)(2)(A) of the FCRA. That section excludes from the definition of consumer report (1) information regarding transactions or experiences between the consumer and the person reporting the information; (2) such transaction or experience information communicated among affiliates; and (3) other information (such as third-party credit reports) communicated among affiliates if the consumer is first given notice and an opportunity to opt out of such sharing. The final rule excludes from the definition of eligibility information aggregate or blind data that does not contain personal identifiers such as account numbers, names or addresses.
Section 604(a) of the FCRA defines a “consumer report” as “any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living (the so-called “seven characteristics”) which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for (A) credit or insurance to be used primarily for personal, family or household purposes; (B) employment purposes; or (C) any other purposes authorized under Section 604.”
Thus, in order to be defined as a “consumer report” the information must meet two elements: (1) be the type of information bearing on the seven characteristics, and (2) be used or expected to be used for determining eligibility for credit, insurance, employment, or certain government licenses or benefits. Courts have generally stated that almost all information about a consumer would meet the first element of the test, as “almost any information about consumers arguably bears on their personal characteristics or mode of living.”3 Therefore, the question of whether information would have been “consumer report” information but for the exemption in section 604(d)(2)(A) of the FCRA and therefore meets the definition of “eligibility information” bears on whether the information is expected to be used in establishing eligibility for credit, insurance or other permitted purposes of a consumer report. Courts have found marketing lists to be consumer reports when collected by a credit reporting agency because the agency initially had the information for its credit reporting purposes and “re-tasked” the information for another purpose.4
Use of Eligibility Information Requires Notice and Opt-Out
The statute and the final affiliate marketing rule specifically prohibit an affiliate that receives eligibility information from using that information to make a solicitation for marketing purposes unless (1) the consumer receives notice, (2) the consumer has a reasonable opportunity and a reasonable and simple method to opt out of such solicitations, and (3) the consumer does not opt out. Under the final rule, a solicitation is defined as a communication marketing a product or service initiated by a person to a particular consumer that is based on eligibility information and intended to encourage the consumer to purchase or obtain the marketed product or service.5 Under the final rule, “making” a solicitation is broader than just sending a solicitation. The final rule states that a person “makes” a solicitation covered by the rule if the person (1) receives eligibility information from an affiliate; (2) uses that eligibility information to (a) identify the consumer or type of consumer to receive the solicitation, (b) establish criteria used to select the consumer to receive the solicitation, or (c) decide which products to market to the consumer or how to tailor the solicitation; and (3) the consumer is provided with a solicitation based on the use of eligibility information.6
Examples of solicitations under the rule include telemarketing calls, direct mail, or e-mails directed to a particular consumer based on eligibility information received from an affiliate. Marketing directed at the general public, such as television, billboard or general circulation magazine ads, is not a solicitation for purposes of the final rule.7 Though the FTC and the Federal Banking Agencies initially asked for comment about pop-up ads and other Internet-specific marketing, they opted not to adopt special rules, and stated that whether Internet-based marketing is a solicitation will be determined based on the same criteria and facts and circumstances that apply to other marketing media.
The notice required under the rule must allow the consumer to opt out of all marketing solicitations within the scope of the rule, but may also allow the consumer to choose from different options (e.g., opting out of telemarketing calls, but allowing e-mails; or opting out of all solicitations from a lending affiliate, but permitting solicitations from an appliance affiliate). The initial notice must be provided by the affiliate that has or has previously had a pre-existing business relationship with the consumer, or as part of a joint notice among multiple affiliates, so long as at least one of those affiliates has or had a pre-existing business relationship with the consumer. The final rule provides that a consumer’s opt out must be effective for at least five years, and the consumer must receive a renewal notice and reasonable opportunity to opt out prior to any covered solicitations being made after the expiration of the consumer’s opt out. Notices with a non-expiring, perpetual opt out need only be made once. The affiliate-marketing notice may be combined with GLBA privacy notices, but unlike the current FCRA affiliate sharing opt-out notices, it is not required to be included with GLBA notices. The FTC and the Federal Banking Agencies also provided model forms for affiliate marketing notices. Use of the model forms is not required, but it does provide the user of the model form with a safe harbor that the notice complies with the clear and conspicuous requirements of FCRA.
Exceptions to Notice and Opt-Out Requirement
The final rule also implements the statutory exceptions to the affiliate marketing notice and opt-out requirement. A person or company may use eligibility information received from an affiliate
(1) to make a marketing solicitation to a consumer with whom the company has a pre-existing business relationship;
(2) to facilitate communications to a consumer for whose benefit the company provides employee benefit plan services;
(3) to provide services in connection with a marketing solicitation on behalf of an affiliate, as long as the affiliate would be permitted to make the solicitation itself without providing notice and an opportunity to opt-out;
(4) to respond to a consumer-initiated communication about the company’s products or services;
(5) in response to a consumer’s authorization or request to receive marketing solicitations; and
(6) if compliance with the rule would prevent the person or company from complying with any State insurance law concerning unfair discrimination in any state in which the company is authorized to do business.8
For most businesses, the pre-existing business relationship exception is likely the most significant and useful exception to the requirement for providing notice and opt out. The final rule defines a pre-existing business relationship as a relationship between a person and a consumer that is based on (1) a financial contract that is in force on the date a covered solicitation is sent to the consumer; (2) a purchase, rental or lease of the person’s goods or services (which can include a “financial transaction” between the person and the consumer such as a loan or deposit relationship) within the 18-month period immediately preceding the date a covered solicitation is sent to the consumer; or (3) an inquiry or application by the consumer regarding a product or service offered by that person within the 3-month period immediately preceding the date a covered solicitation is sent to the consumer.9
In addition, the FTC and Federal Banking Agencies clarified in the final rule that through the interplay between the pre-existing business relationship exception and other exceptions, a person or company can engage in certain forms of “constructive sharing” of eligibility information that would not require notice and opportunity to opt out before the affiliate with the pre-existing business relationship uses its own eligibility information to make a solicitation regarding another affiliate’s products and services. The final rule’s supplementary information gives the example of a consumer having an account at a bank that is affiliated with an insurance company. The insurance company, without seeing or using any of the bank’s eligibility information, develops specific criteria, such as consumers with deposit balances in excess of $50,000. The insurance affiliate may provide its criteria to the bank and ask the bank to use the bank’s own eligibility information to identify qualifying consumers, and then the bank may send the solicitation regarding the insurance affiliate’s products and services. In such a constructive sharing scenario, the FTC and Federal Banking Agencies concluded there is no invasion of the consumer’s privacy as there is no actual sharing of the eligibility information with the affiliate. The bank is permitted to market services to its own customers based on the pre-existing business relationship exception, and the affiliate wouldn’t receive any information about the consumer unless the consumer responded to the solicitation, which would then be exempt from the prior notice and opt out requirements through the consumer-initiated communication exception.
The final rule also acknowledged that many affiliated companies store eligibility information in a central database, but confirmed that eligibility information gained from another affiliate through a central database is generally the same as if the affiliates shared the information directly. Therefore, the final rule generally requires notice and opportunity to opt-out when a person uses eligibility information from an affiliate gained through a central database to make marketing solicitations. However, the final rule does permit certain constructive sharing arrangements, even through a common database, if a service provider acting on behalf of the affiliate that originally held the eligibility information manages and controls access to the common database, and certain other conditions delineated in the rule that limit the other affiliate’s access to the eligibility information. The final rule also made clear that the rule will not be applied retroactively. Therefore, eligibility information that can be shown to have been received by an affiliate or placed into a common database before the October 1, 2008 mandatory compliance date may be used to make marketing solicitations without regard to the rule.10 On the other hand, if the affiliate obtains eligibility information about the consumer before the mandatory compliance date, but does not either place that information into a common database that is accessible to other affiliates or otherwise provide that information to another affiliate before the mandatory compliance date, the final rule will apply to that eligibility information. Further, if the database is updated with new eligibility information after the mandatory compliance date, the final rule will apply to the new or updated eligibility information.
Private Right of Action
As the mandatory compliance date approaches, the first feedback many institutions will get about whether they are meeting their obligations under the affiliate-marketing rule will be through exams from the appropriate banking agencies. In addition, the FTC has enforcement authority over any persons under its jurisdiction. However, like other portions of the FACT Act (such as credit card truncations), compliance with the affiliate marketing rule is also subject to the private right of action provisions in sections 616 and 617 of FCRA. As occurred with the credit card truncation cases, willful noncompliance, and even negligent noncompliance, could result in substantial class-action liability.
Though most of the FACT Act amendments to the FCRA apply to financial service providers or consumer reporting agencies, the affiliate marketing rule’s scope is quite broad and will apply to any person -- including retailers and other non-financial entities -- that uses eligibility information gained from an affiliate to make marketing solicitations for its products or services. Indeed, it is possible that a company that has never had to issue a GLBA privacy notice or FCRA affiliate sharing notice is covered by this rule through the use of affiliate transaction or experience information covered by the rule. While some of the exceptions to the rule can be read fairly broadly and the use of constructive sharing mechanisms specifically allowed by the rule can mitigate some of the disruption caused by the implementation of the final rule, it is likely that most companies will have to either make changes to their current marketing information sharing programs among affiliates, or be prepared to issue the notice and opportunity to opt out called for in the rule. As noted above, the affiliate marketing rule becomes effective October 1, 2008; therefore, companies should review their data use practices with affiliated companies.