On November 17, 2009, the federal banking agencies* and the other federal agencies with jurisdiction over "financial institutions" (the "Agencies") issued amendments to the rules that implement the privacy provisions of the Gramm-Leach-Bliley Act (the "GLB Act"). These amended rules, which are effective on December 31, 2009, announce the adoption by the Agencies of a model privacy form that financial institutions may rely on as a safe harbor to provide disclosures under the GLB Act privacy rules.
The amended rules were issued pursuant to the Financial Services Regulatory Relief Act of 2006, which directed the Agencies to "jointly develop a model form which may be used, at the option of the financial institution, for the provision of disclosures under the GLB Act."
GLB Act Privacy Notice Requirements
By way of background, the GLB Act requires each financial institution to provide an initial and annual notice of its privacy policies and practices to its customers who are consumers. In general, the privacy notice must describe a financial institution's policies and practices with respect to disclosing nonpublic personal information about a consumer to both affiliated and nonaffiliated third parties.
The notice also must provide a consumer a reasonable opportunity to "opt out," that is, to direct the institution not to share nonpublic personal information about the consumer with nonaffiliated third parties other than as permitted by the statute. Institutions are permitted to share personal information for everyday business purposes, such as processing transactions and maintaining customers' accounts, and in response to properly executed governmental requests, regardless of consumer elections to opt out.
The privacy notice further must provide a notice and an opportunity for a consumer to opt out of certain information sharing among affiliates.
The Amended Rules
The Agencies have adopted a model privacy form that financial institutions may rely on as a safe harbor to provide these disclosures under the privacy rules. In addition, the Agencies (other than the SEC) have eliminated the safe harbor previously permitted for notices based on the sample clauses contained in the earlier privacy rules if the notice is provided after December 31, 2010. Similarly, the SEC is eliminating the guidance associated with the use of notices based on the sample clauses in its earlier privacy rule if the notice is provided after December 31, 2010.
While the model form provides a legal safe harbor, institutions may continue to use other types of notices that vary from the model form so long as these notices comply with the privacy rule. For example, an institution could continue to use a simplified notice if it does not have affiliates and does not intend to share nonpublic personal information with nonaffiliated third parties outside of the exceptions provided in the GLB Act. Likewise, while the Agencies are eliminating the sample clauses and related safe harbor (or, for the SEC, the guidance), institutions may continue to use notices containing these clauses, so long as these notices comply with the privacy rules.
The Model Form
The model form has two pages, which may be printed on a single piece of paper.
Page one of the model form has five parts: (1) the title; (2) an introductory section called the "key frame" which provides context to help the consumer understand the required disclosures; (3) a disclosure table that describes the types of sharing used by financial institutions consistent with federal law, which of those types of sharing the institution actually does, and whether the consumer can limit or opt out of any of the institution's sharing; (4) if needed, a box titled "To limit our sharing" for opt-out information; and (5) the institution's customer service contact information. Where the institution provides a mail-in opt-out form, that form appears at the bottom of page one.
The second page of the model form provides additional explanatory information that, in combination with page one, ensures that the notice includes all elements described in the GLB Act as implemented by the privacy rule.
A link to the model form and new rules is provided at Final Model Privacy form under the Gramm-Leach-Bliley Act.
In light of these new rules, financial institutions will want to consider whether to take advantage of the revised "safe harbor" by adopting the new model form. After December 31, 2010, the new model form will be the only privacy notice safe harbor available to financial institutions.
The members of Day Pitney's Data Privacy and Protection Task Force are available to discuss the applicability for your organization of these amended rules and the possible benefits of the new "safe harbor."
* The "Agencies" issuing the new rules are the Office of the Comptroller of the Currency; Board of Governors of the Federal Reserve System; Federal Deposit Insurance Corporation; Office of Thrift Supervision; National Credit Union Administration; Federal Trade Commission; Commodity Futures Trading Commission; and Securities and Exchange Commission.