The federal banking agencies, consisting of the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the Federal Reserve Board, the Federal Deposit Insurance Corporation and the National Credit Union Administration (the “Banking Agencies”), and the Federal Trade Commission (“FTC”) have issued final regulations (the “Marketing Regulations”) to implement the affiliate marketing provisions added to the Fair Credit Reporting Act (“FCRA”) in 2003 by the Fair and Accurate Credit Transactions Act. Effective Jan. 1, 2008, with a mandatory compliance date of Oct. 1, 2008, financial institutions regulated by the Banking Agencies and persons subject to the jurisdiction of the FTC (collectively, “Covered Persons”) will be required to provide consumers with notice and an opportunity to opt out before using certain information received from an affiliate to make a solicitation. A similar final rule is also expected to be issued soon by the Securities and Exchange Commission.
Given the complexity of the Marketing Regulations, our discussion below will consider how the Marketing Regulations would apply in the context of a typical affiliate marketing scenario. That scenario is one in which a consumer has a car loan from a bank and the bank is affiliated with a mortgage company.
Notice Requirement. Under the Marketing Regulations, a Covered Person is prohibited from using “eligibility information” received from an affiliate to make a solicitation for marketing purposes to a consumer, unless the consumer is given notice and a reasonable opportunity to opt out of such use (the “Marketing Opt-Out Notice”). “Eligibility information” includes any information, the communication of which would be a “consumer report” under the FCRA if certain FCRA exclusions did not apply. More specifically, the FCRA generally excludes from the definition of a “consumer report” a person’s own transaction or experience information, such as account history information. It also generally excludes non-transaction or non-experience information from the definition of a “consumer report,” such as a credit score from a credit report or income information from an application, that is shared in compliance with the affiliate information sharing provision added to the FCRA in 1996. That provision allows non-transaction and non-experience information to be shared among affiliates without being deemed a “consumer report,” if the consumer is given notice and an opportunity to opt out of such sharing (the “Sharing Opt-Out Notice”). (A company that shares such information with an affiliate without providing the Sharing Opt-Out Notice risks becoming a “consumer reporting agency” under the FCRA.)
It is important to note that the Marketing Regulations only restrict the use of eligibility information shared among affiliates and operate independently of the Sharing Opt-Out Notice requirement. Indeed, the Marketing Regulations specifically provide that they do not relieve a Covered Person of the responsibility of complying with the Sharing Opt-Out Notice requirement. Turning to our affiliated bank and mortgage company example, the bank may share information about the consumer’s car loan account (such as date of loan, type of loan, loan amount) with the mortgage company without the need for a Sharing Opt-Out Notice to prevent such information from being deemed a “consumer report.” If the bank had given the consumer a Sharing Opt-Out Notice and the consumer had not opted out, the bank could also share with the mortgage company information from the consumer’s credit report, such as a credit score, and information from the consumer’s loan application, such as income and asset information, without such information being deemed a “consumer report.” Absent the Marketing Regulations, the mortgage company would be permitted to use either category of eligibility information received from the bank to solicit the consumer for a mortgage loan. However, as a result of the Marketing Regulations, the bank will be required to send the consumer a Marketing Opt-Out Notice before the mortgage company can use any of such information to solicit the consumer, including any transaction and experience information.
As this example illustrates, the result of the Marketing Regulations is that the bank will need to comply with two separate opt-out requirements: with the Sharing Opt-Out Notice requirement to allow its car loan customer's non-transaction and non-experience information to be shared with the mortgage company, and with the Marketing Opt-Out Notice requirement to allow the mortgage company to use such information once shared to solicit the car loan customer for a mortgage loan (as well as to use any shared transaction or experience information for which a Sharing Opt-Out Notice was not required). Thus, it seems that it would be possible for the bank's car loan customer to elect not to opt-out of having any of his or her eligibility information shared with the mortgage company but to opt-out of having that information used by the mortgage company to solicit the customer for its mortgage loan products (unless one of the exceptions from the Marketing Opt-Out Notice discussed below applies, such as where the car loan customer is also a customer of the mortgage company).
Who Makes a Solicitation. A Covered Person will be considered to have made a solicitation for marketing purposes (i) if it has received eligibility information from an affiliate, (ii) if it uses that information to identify consumers to receive a solicitation, establish criteria to select consumers to receive a solicitation, or decide which products or services to market to the consumer or tailor a solicitation to that consumer, and (iii) if, as a result of such use, a solicitation is made to the consumer. Under the Marketing Regulations, among the ways in which a Covered Person can receive eligibility information from an affiliate is when the affiliate places information into a common database that the Covered Person can access.
In general, a Covered Person will be considered to have used an affiliate’s eligibility information to make a solicitation if the Covered Person or a service provider acting on its behalf (whether an affiliate or an unaffiliated third party) uses that information to make a solicitation for marketing purposes. However, a Covered Person whose products or services are marketed by an affiliate or a service provider will not be deemed to have made a solicitation using an affiliate's eligibility information if the affiliate only uses its own eligibility information to solicit the consumer or directs a service provider with whom the Covered Person does not communicate to use that information to make the solicitation. In addition, where a Covered Person does communicate with a service provider using an affiliate’s eligibility information to market the Covered Person’s products or services, the service provider’s use of the information will not be attributed to the Covered Person if certain conditions set forth in the Marketing Regulation are met.
Using our example, the mortgage company would not be deemed to have used the bank’s eligibility information to make a solicitation if the mortgage company gives the bank criteria to use to select car loan customers to receive solicitations for a mortgage loan, and the bank sends the mortgage company’s marketing materials to those customers. This situation is often referred to as “constructive sharing” because the consumer’s response to the bank’s solicitation may reveal to the mortgage company that the consumer met the criteria used to select the consumer for the offer. While constructive sharing would not trigger the need for a Marketing Opt-Out Notice, it could trigger the need for the bank to send a Sharing Opt-Out Notice.
Exceptions to Marketing Opt-Out Notice. The Marketing Regulations include a number of important exceptions to the Marketing Opt-Out Notice requirement. Perhaps the most important is the exception for solicitations to a consumer with whom a Covered Person has a pre-existing business relationship. The Marketing Regulations define the term “pre-existing business relationship” to include (i) a relationship based on a financial contract that is in force at the time of the solicitation, (ii) a purchase, rental or lease by the consumer of a Covered Person’s goods or services or a financial transaction between the consumer and a Covered Person during the 18-month period immediately preceding the date of the solicitation, and (iii) an inquiry or application by the consumer regarding a Covered Person’s products or services during the three-month period immediately preceding the date of the solicitation. Using our example again, if the consumer who has a car loan from the bank also has a first mortgage loan from the mortgage company that the mortgage company continues to own, the mortgage company could use any of the consumer’s eligibility information it receives from the bank to solicit the consumer for its other mortgage loan products, such as a home equity loan to finance the consumer’s next car purchase, without the need for the bank to send a Marketing Opt-Out Notice.
Other exceptions to the Marketing Opt-Out Notice requirement include (i) the facilitation of communications to an individual for whose benefit a Covered Person provides employee benefit or other services pursuant to a contract with an employer related to and arising out of the current employment relationship or the individual’s status as a participant or beneficiary of an employee benefit plan, (ii) to perform services on behalf of an affiliate (unless the services involve making a solicitation that the affiliate was not permitted to make as a result of an opt out election), (iii) in response to a consumerinitiated communication about a Covered Person’s products or services or to an authorization or request by the consumer to receive solicitations, and (iv) where compliance would prevent a Covered Person from complying with unfair discrimination provisions in state insurance laws. The Marketing Regulations include examples to illustrate the application of most of the exceptions.
Scope and Duration of Opt-Out. Where a consumer has a continuing relationship with a Covered Person or its affiliate, a Marketing Opt-Out Notice can apply to eligibility information obtained in connection with a single continuing relationship or multiple continuing relationships, including continuing relationships established subsequent to delivery of the Marketing Opt-Out Notice. A Marketing Opt-Out Notice can also apply to any other transaction between the consumer and a Covered Person or its affiliate that is described in the Notice. However, after all continuing relationships with a Covered Person or its affiliate have been terminated, a new Marketing Opt-Out Notice must be provided if the consumer subsequently establishes a new continuing relationship with the Covered Person or the same or a different affiliate and the consumer’s eligibility information will be used to make solicitations.
If there is no continuing relationship with a Covered Person or its affiliate and the Covered Person or its affiliate obtain eligibility information in connection with a transaction with the consumer, such as in an isolated transaction or a denied credit application, a Marketing Opt-Out Notice can only apply to eligibility information obtained in connection with that transaction. A Marketing Opt-Out Notice can give the consumer the opportunity to choose from various alternatives when electing to prohibit solicitations, such as an option to only prohibit solicitations from certain types of affiliates; but the consumer must have the option of prohibiting all solicitations from all affiliates covered by the Notice. It is important to note that the new Marketing Opt-Out Notice requirement will not apply to eligibility information that a Covered Person has received from an affiliate before the Marketing Regulations’mandatory compliance date, including information that was placed into a common database before that date.
In our affiliated bank and mortgage company example, the bank has a continuing relationship with the consumer based on the consumer’s existing car loan account. This means a Marketing Opt-Out Notice sent by the bank could apply to eligibility information about the consumer that the bank obtains in connection with the car loan, as well as to eligibility information that the bank obtains in connection with any new continuing relationships with the consumer that are established after delivery of the Marketing Opt-Out Notice, such as if the consumer were to open a deposit account at the bank. However, if the car loan is paid off before the consumer opens the deposit account, the bank must give the consumer a new Marketing Opt-Out Notice before the mortgage company could make solicitations for a mortgage loan using eligibility information that the bank obtains in connection with the deposit account relationship.
A consumer can opt out at any time and a consumer’s election to opt out must be effective for at least five years from receipt and implementation of the election, unless subsequently revoked by the consumer. After expiration of the opt-out period, a Covered Person may not make a solicitation based on eligibility information received from an affiliate to a consumer who has previously opted out, unless the consumer has been given a renewal notice that provides a new opportunity to opt out and does not renew the opt-out, or one of the exceptions from the Marketing Opt-Out Notice requirement applies.
Content, Timing and Delivery of Notice. The Marketing Opt-Out Notice must be sent by an affiliate that has or previously had a pre-existing business relationship with the consumer. A joint notice from an affiliated group of companies may be used if at least one of the affiliates in the joint notice has or previously had a pre-existing business relationship with the consumer. The information that must be in a Marketing Opt-Out Notice includes (i) a disclosure of the names of the affiliates providing the notice, which can be done without separately identifying each company if a common name is shared, (ii) a list of the affiliates or types of affiliates whose use of eligibility information is covered by the notice, which can include subsequently added affiliates and which can also be done without separately identifying each company if a common name is shared, (iii) a general description of the types of eligibility information that may be used to make solicitations, (iv) certain information about the consumer’s optout right, and (v) a reasonable and simple method for the consumer to opt out. A Marketing Opt-Out Notice can be consolidated and coordinated with any other required notice, including the privacy notice required under the Gramm-Leach-Bliley Act (“GLBA”). The GLBA notice must, in turn, include the Sharing Opt-Out Notice.
A consumer must be given a “reasonable opportunity” to opt out before eligibility information received from an affiliate is used to make a solicitation, which the Marketing Regulations provide must be at least 30 days where the Marketing Opt-Out Notice is mailed or delivered electronically. The Marketing Opt- Out Notice must be provided so that the consumer can reasonably be expected to receive actual notice. The Marketing Regulations provide examples of “reasonable and simple” opt-out methods and when a consumer “can reasonably be expected to receive actual notice” and include model forms of the Marketing Opt-Out Notice.
Compliance Date. As noted above, the Marketing Regulations will become effective Jan. 1, 2008 and compliance will be required no later than Oct. 1, 2008. Covered Persons who intend to consolidate the Marketing Opt-Out Notice with their annual GLBA privacy notices may need to send the GLBA notices at an earlier date than they otherwise would be sent to meet the mandatory compliance date. In addition, Covered Persons sending consolidated notices may need to modify the wording of their GLBA notices to accommodate differences between the GLBA opt-out requirements and those in the Marketing Regulations.