Docket ID: [Docket No. 03-27]
SUBJECT CATEGORY: FEDERAL RESERVE SYSTEM
DOCUMENT SUMMARY: The OCC, OTS, Board, FDIC, NCUA, FTC, CFTC, and SEC (the Agencies) are requesting comment on whether the Agencies should consider amending the regulations that implement sections 502 and 503 of the Gramm-Leach-Bliley Act (GLB Act) to allow or require financial institutions to provide alternative types of privacy notices, such as a short privacy notice, that would be easier for consumers to understand.
SUMMARY: Gramm-Leach-Bliley Act; Privacy notices, alternative forms; interagency consideration
DOCUMENT BODY 2: 12 CFR Part 216
[Docket No. R1173]
FEDERAL DEPOSIT INSURANCE CORPORATION
12 CFR Part 332
RIN 3064AC77
DEPARTMENT OF THE TREASURY
Office of Thrift Supervision
12 CFR Part 573
[Docket No. 200362]
RIN 1550AB86
NATIONAL CREDIT UNION ADMINISTRATION
12 CFR Part 716
FEDERAL TRADE COMMISSION
16 CFR Part 313
RIN 3084AA94 Project No. 034815
COMMODITY FUTURES TRADING COMMISSION
17 CFR Part 160
RIN 3038AC04
SECURITIES AND EXCHANGE COMMISSION
17 CFR Part 248
[Release Nos. 3448966, IA2206, IC26316; File No. S73003]
RIN 3235AJ06
Interagency Proposal to Consider Alternative Forms of Privacy
Notices Under the Gramm-Leach-Bliley Act
Subtitle A of title V of the GLB Act, captioned Disclosure of Nonpublic
Personal Information (codified at 15 U.S.C. 6801 et seq.), requires
each financial institution to provide a notice of its privacy policies
and practices to its consumer customers. In general, the privacy
notices must describe a financial institution's policies and practices
with respect to disclosing nonpublic personal information about a
consumer to both affiliated and nonaffiliated third parties and provide
a consumer a reasonable opportunity to direct the institution not to
share nonpublic personal information about the consumer with
nonaffiliated third parties. The privacy notice must also provide,
where applicable under the Fair Credit Reporting Act (FCRA), a notice
and an opportunity for a consumer to opt out of the sharing of certain information among affiliates.\3\
\3\ 15 U.S.C. 1681a(d)(2)(A)(iii) (FCRA); 15 U.S.C. 6803(b)(4) (GLB Act).
The Agencies have published consistent final regulations that
implement the privacy provisions of the GLB Act (collectively referred
to as ``the privacy rule'').\4\ The privacy rule requires a financial
institution to include in its privacy notices specific items of
information, such as the categories of nonpublic personal information
that the institution collects and the categories of third parties to
which the institution may disclose the information. The rule contains
sample clauses that institutions may use in privacy notices. The rule
does not, however, prescribe any specific format or standardized
wording for these notices. Instead, institutions may design their own
notices based on their individual practices provided they are
consistent with the law and meet the ``clear and conspicuous'' standard in the rule.
\4\ 12 CFR part 40 (OCC); 12 CFR part 216 (Board); 12 CFR part
332 (FDIC); 12 CFR part 573 (OTS); 12 CFR part 716 (NCUA); 16 CFR
part 313 (FTC); 17 CFR part 160 (CFTC); and 17 CFR part 248 (SEC).
Financial institutions first were required to distribute privacy notices to their customers by July 1, 2001. Many privacy notices in this initial effort were long and complex. Moreover, because the privacy rule allows institutions flexibility in designing their privacy notices, notices have been difficult to compare, even among financial institutions with identical privacy policies.
In response to broad-based concerns expressed by representatives of financial institutions, consumers, privacy advocates, and Members of Congress, the Agencies conducted a workshop in December 2001 to provide a forum to consider how financial institutions could provide more useful privacy notices to consumers. The workshop featured panel presentations by financial institutions, consumer advocates, and communications experts, and highlighted key communication principles to improve the notices. A number of institutions, particularly those with complex information-sharing practices, described the challenges they faced in explaining their practices and the choices available to consumers in a simple fashion while meeting all of the legal requirements for notice. Some institutions described results of consumer testing and efforts to make their privacy notices clearer and more useful to consumers.
A number of financial institutions have since sought to improve their notices. Additionally, some industry groups have been working to formulate short, consumer-friendly notices that could accompany the longer, legally mandated notices under the rule. The Agencies applaud the efforts by consumer advocates and industry to improve privacy notices to make them more readable and useful to consumers.
To encourage and facilitate the efforts already underway, the
Agencies are considering proposing amendments to the privacy rule to
provide for privacy notices that are more understandable and useful to
consumers. The Agencies believe that this effort could benefit
significantly from the breadth and depth of experience that many
institutions have gained over the past two years in designing privacy
notices, as well as the expertise of communications experts and the
input of consumer organizations and comments from the public.
Accordingly, the Agencies seek comment on a wide range of issues
associated with the format, elements, and language used in privacy
notices that would make the notices more accessible, readable, and
useful. The Agencies also solicit examples of forms, model clauses, and
other information, such as applicable research that has been conducted
in this area, that may provide concrete illustrations or evidence to
assist the Agencies in considering whether and how to develop various proposals.\5\
\5\ As stated above, the Agencies will jointly review all of the
comments submitted, including those comments submitted to only one
agency. Commenters may request confidential treatment of any trade
secrets and commercial or financial information that is privileged
or confidential information provided to the Agencies in accordance
with the Freedom of Information Act (5 U.S.C. 552) and the Agencies'
respective regulations regarding availability of information. 12 CFR
part 4, subparts B and C (OCC); 12 CFR part 505 (OTS); 12 CFR part
261, subparts A and B (Board); 12 CFR part 309 (FDIC); 12 CFR 792.29
(NCUA); 16 CFR 4.10 (FTC); 17 CFR 145.9 (Petition for Confidential Treatment) (CFTC); 17 CFR part 200, subpart D (SEC).
Some of the terms and examples used in this Advance Notice of Proposed Rulemaking (ANPR) and sample notices are not suitable for credit unions, which have an organizational and operational structure that is different than other financial institutions. For example, the term customer, in the context of credit unions, generally will mean member, and while credit unions may form subsidiaries, they do not establish corporate affiliations like other financial institutions. Nevertheless, because of the predominance of issues that are common to all types of financial institutions, the NCUA believes its participation is important at this ANPR stage, whether or not it ultimately determines to publish a separate, but consistent and comparable, rule for credit unions.
Based on the information collected for this ANPR, including information collected through independent research conducted by the Agencies, the Agencies will determine whether to propose changes to the privacy rule and, if so, will seek further public comment on specific proposals. The Agencies expect that consumer testing would be a key component in the development of any specific proposals.
The Agencies are considering developing a range of alternative
proposals for public comment to improve the privacy notices that
financial institutions must provide to consumers under the GLB Act. The
primary matter the Agencies are now considering is whether to develop a
model privacy notice that would be short and simple. In order to
illustrate, generally, this type of short notice and to spur specific
suggestions for additional ideas that the Agencies should consider, a
few of the potential alternative approaches are summarized below. These
alternatives are also intended to help frame a number of important
questions beyond the design of a short notice, such as whether all
financial institutions should be required to use the same form of
notice and whether a short notice could be a substitute for or should
be a supplement to a longer, more detailed notice. The sample notices
included in the appendices do not reflect a determination by the
Agencies that any of these notices would be satisfactory under the
privacy rule or for any particular financial institution. The Agencies
note that these alternatives have not been developed as a result of
specific research or consumer testing and are not being proposed for
adoption. The Agencies specifically invite suggestions for other
approaches to improve the readability and usefulness of privacy notices as set out in section III.
As an initial matter, the Agencies request comment on whether to pursue the development of a short privacy notice. The Agencies note that, should they do so, there are several ways the Agencies could exercise their authority for developing a short notice, and the Agencies have not settled on any single approach. The Agencies could, for example, explore whether an interagency interpretation of the privacy rule, perhaps with model forms or language, would promote the development of privacy notices that are more understandable and useful to consumers. Similarly, the Agencies could develop a set of guidelines or best practices that would enable financial institutions to improve their privacy notices, or the Agencies could propose amendments to the privacy rule. The Agencies request comment on what approaches would be most useful to consumers while taking into consideration the burden on financial institutions.
The Agencies have identified the following approaches to simplify the privacy notices for consideration by commenters. One approach would be for the Agencies to develop a specific format and standardized language for a short notice that highlights key elements of an institution's privacy policy. For instance, a short notice could describe the types of nonpublic personal information an institution collects, the institution's policies for sharing that information with third parties, and a description of how consumers can opt out of information sharing. Like a nutrition label, a standardized notice would permit consumers easily to compare these elements of the privacy policies of different institutions and to become familiar with the standardized format and text. This type of form could include a description of how the consumer could obtain a longer, detailed privacy notice or be provided in combination with a longer, detailed privacy notice. An example illustrating this kind of format and language for a short notice appears in Appendix A.
In a similar approach, the Agencies could develop a short notice with a specific format and standardized language that would be designed to address all of the relevant elements listed in the GLB Act and the privacy rule. Such a notice would permit consumers to compare all relevant elements listed under federal law of the privacy policies of different institutions. However, since information sharing practices may vary, a financial institution may need flexibility in describing the categories of affiliated and nonaffiliated parties to whom it discloses nonpublic personal information. An example illustrating this kind of format and language appears in Appendix B and the categories of parties that may be modified by a financial institution appear in brackets.
Another approach to simplifying privacy notices would involve establishing a standardized format for privacy notices, but allowing financial institutions to provide their own descriptions of their privacy policies and practices. This potential approach may simplify privacy notices and make them more accessible for consumers, yet would permit each financial institution to tailor the language in the notice to suit its own privacy policies and practices. An example of a standardized format is included in Appendix C. Alternatively, the Agencies could prescribe standardized language that a financial institution would use to design its own notice without a format specified by the privacy rule. Standardized language may facilitate comparisons among financial institutions' policies and describe key consumer rights so that consumers could become familiar with circumstances under which information about them may be disclosed to third parties.
Another approach would be to focus attention on the consumer's right to opt out of disclosures available under the institution's privacy policies. For example, the opt-out notice could be provided by itself, with a statement that the institution's privacy policy is available on request. Alternatively, a description of the consumer's opt-out right and how it could be exercised could be provided on the first page of a financial institution's privacy notice. The Agencies could prescribe the language, and its placement so as to ensure prominence and readability, but not require any further standardization of privacy notices. An example of this type of notice is included in Appendix D.
Detailed descriptions of ways to improve privacy notices, such as examples of language that may be used, illustrations of formats, and references to the particular requirements of the privacy rule that may need to be amended, will assist the Agencies in learning about and evaluating particular proposals. This ANPR outlines several potential approaches. The Agencies invite comment on the advantages and disadvantages of these approaches. Also, the Agencies request comment on any other approach the Agencies should consider.
Any change in the privacy rule to provide for short notices raises a number of issues. In addition to comment on the various approaches discussed above or illustrated in the appendices, the Agencies request comment and supporting research and documentation on other matters that may be raised by the implementation of a short privacy notice. In particular, the Agencies invite comment on the following questions and supporting documentation where available:
1. What should be the goals of a privacy notice? What goals are most important?
2. Should the Agencies pursue the development of a short notice to achieve these goals?
3. Are there any special issues for the Agencies to consider in developing a short privacy notice that may arise from potential differences between federal and state law requirements?
4. In what ways should a privacy notice be useful to a consumer? Please identify those ways that are the most or least important.
a. To permit ready comparison among different institutions' privacy policies?
b. To provide sufficient information to make an informed decision about whether to opt out?
c. To highlight the consumer's right to opt out?
d. To provide convenient mechanisms for the consumer to opt out?
e. To provide a mechanism for the consumer to opt out in the same medium used to provide the privacy notice?
f. Other ways?
1. What are the key elements of a privacy policy that a short notice should contain?
2. Are these key elements the same from the perspective of institutions and consumers? If not, explain the differences and why.
3. Is there an optimal number of elements (beyond which would be too many) to include in a short notice?
4. Should a short privacy notice contain, at a minimum, all of the relevant elements listed in the GLB Act and the privacy rule? If not, should it include a statement advising the consumer that an institution's complete privacy policy will be provided upon request?
5. Should certain elements, such as a description of a consumer's opt-out rights (if applicable), be given prominence or be presented in a certain order?
6. Should statements describing information sharing practices not subject to a consumer's right to opt out, such as whether a financial institution discloses information to nonaffiliated financial institutions under joint marketing agreements for financial products or services, be highlighted in the short notice?
1. Are there particular ``privacy'' terms or words that consumers readily understand that should be included in a short notice? Should any terms or language currently used in notices be avoided?
2. Should a financial institution be required to use standardized clauses in a short notice?
3. Rather than using standardized language, should a financial institution be permitted to develop its own language in a short notice so long as the short notice incorporates specified items of information?
1. Should the Agencies develop a standardized graphic design for a short notice that financial institutions would use? If so, what graphic design would be most suitable for the format of a short notice?
2. Based on experiences with the current privacy notices or tests that have been conducted in this area, what alternative forms of notice are likely to be useful to consumers and/or to financial institutions?
3. Is there a suggested length for a short privacy notice? Is there a suggested length for phrases or sentences within a short notice?
4. Are there suggestions for overall design of the notice, including layout, use of color, graphic devices, font(s), and size(s) of the text in the notice?
5. If a financial institution does not disclose information to third parties that would be subject to a consumer's right to opt out (under either the FCRA or the GLB Act), what form should the privacy notice take?
6. Should an institution be allowed to modify its short privacy notice to include elements that may be required under state laws? If so, then how can a short notice be designed to include those elements?
E. Mandatory or Permissible Aspects of a Privacy Notice
1. Should use of a short notice be mandatory for all financial institutions?
2. Should use of standardized language and/or format for a short notice be mandatory for all financial institutions? Or should each institution be permitted to create its own short notice following agency guidelines?
3. If a short notice is standardized, should only part(s) of the notice be mandatory, and, if so, what part(s)? Or should all of a standardized short notice be mandatory?
4. If use of standardized part(s), such as standardized clauses, is not required, should the Agencies create a safe harbor from administrative enforcement for financial institutions that use the standardized parts in their notices (or a whole, standardized notice)?
5. Should an institution be required or permitted to deliver both a short notice and a long notice?
6. Financial institutions that generally do not share information with third parties (such as those that do not have any affiliates and do not share information in a manner that is subject to a consumer's right to opt out under the FCRA or the GLB Act and do not engage in joint marketing agreements) currently may have abbreviated and simple notices. If a short notice is mandated, should the Agencies make an exception to allow these institutions to continue to use the simple, abbreviated notices they currently use? Alternatively, should the Agencies prescribe a special short notice for these institutions to use?
7. Some financial institutions offer consumers choices to opt out of information-sharing arrangements that are not mandated by either the FCRA or the GLB Act, such as the ability to opt out of an institution's own marketing or joint marketing arrangements with nonaffiliated financial institutions for financial products or services. If a short notice is mandated, should the Agencies allow these institutions to include in the short notice information about these additional choices to opt out?
8. Should the Agencies allow financial institutions to include other information that relates to their privacy policies and practices in their short notices? For instance, should a financial institution that shares information with affiliates for marketing purposes only if a customer opts in to the sharing be permitted to include this information in a short notice?
With respect to consumers or financial institutions, or both:
1. What are the costs and benefits of providing a short notice and how do they compare with the requirements under the current privacy rule?
2. How, if at all, do the costs and benefits of a short notice depend on:
a. Whether the notice is mandatory or permissible?
b. Whether the format of the notice is standardized? On whether the language is standardized?
c. Whether the use of a short notice requires financial institutions to make supplemental privacy information available upon request?
1. Are there any models or samples of notices that work particularly well with consumers that the Agencies should consider? Provide any samples and research or supporting documentation.
2. Provide the results and supporting research or documentation of any consumer testing that has been conducted in this area.
3. What processes or types of consumer testing should the Agencies use to evaluate standardized terms or language, formats for notices, and short notices?
4. If the Agencies adopt an alternative form of notice, should consumer education accompany introduction of the new type of notice? If so, what type of consumer education would be effective?
In the event that the Agencies decide to proceed, the Agencies
expect to do so through proposed rulemaking. In addition to evaluating
the comments submitted in response to this ANPR, the Agencies
contemplate that consumer testing would be an important element of the development of any alternative type of privacy notice.
By Order of the Board of Directors.
Dated at Washington, DC, this 2nd day of December, 2003. Federal Deposit Insurance Corporation.
Robert E. Feldman,
By the National Credit Union Administration Board on December 18, 2003.
Becky Baker,
Secretary of the Board.
Dated: December 22, 2003.
By the Securities and Exchange Commission.
Margaret H. McFarland,
Deputy Secretary.
Dated: December 8, 2003.
By the Office of Thrift Supervision,
James E. Gilleran,
Director.
Dated: December 18, 2003.
Jean A. Webb,
Secretary of the Commodity Futures Trading Commission.
Dated: November 14, 2003.
John D. Hawke, Jr.,
Comptroller of the Currency.
Dated: December 17, 2003.
By Direction of the Commission.
Donald S. Clark,
By order of the Board of Governors of the Federal Reserve System, December 22, 2003.
Jennifer J. Johnson,
Secretary of the Board.
BILLING CODE 481033P; 621001P; 671401P; 672001P; 753501P;
675001P; 635101P; 801001P
[GRAPHIC] [TIFF OMITTED] TP30DE03.000
[GRAPHIC] [TIFF OMITTED] TP30DE03.001
[GRAPHIC] [TIFF OMITTED] TP30DE03.002
[GRAPHIC] [TIFF OMITTED] TP30DE03.003
[GRAPHIC] [TIFF OMITTED] TP30DE03.004
[FR Doc. 0331992 Filed 122903; 8:45 am]
BILLING CODE 481033C