CUNA Regulatory Comment Call

April 4, 2007

Agencies Propose Model Privacy Notices


Please feel free to fax your responses to CUNA at 202-638-7052; e-mail them to Senior Vice President and Deputy General Counsel Mary Dunn at and to Senior Assistant General Counsel Jeff Bloch at; or mail them to Mary and Jeff in c/o CUNA’s Regulatory Advocacy Department, 601 Pennsylvania Avenue, NW, South Building, Suite 600, Washington, DC 20004-2601. You may also contact us at 800-356-9655, ext. 6732, if you would like a copy of the proposal, or you may access it here.


The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to provide a notice of their privacy policies and practices to consumers at the time the consumer enters into a relationship with the institution and annually after that, as long as the relationship continues. These notices must describe the institution’s policies and practices with respect to disclosing nonpublic personal information about a consumer to both affiliated and nonaffiliated third parties and provide consumers with an opportunity to request that the institution not share nonpublic personal information about the consumer with certain nonaffiliated third parties. The notices must also provide consumers with an opportunity to opt out of the sharing of certain information among affiliates, as required under the Fair Credit Reporting Act.

NCUA and the other financial institution regulators published final rules in 2000 to implement the GLBA privacy provisions. The rules outline specific items of information that must be included in the privacy notices, along with sample clauses that institutions may use. No specific format or wording is required. Institutions may design their own notices based on their individual privacy practices, as long as the notices are “clear and conspicuous” and otherwise comply with the rules.

The financial institutions industry, consumers, privacy advocates, Congress, and the regulators all recognize that many of the privacy notices that have been issued have been long and complex. There is also recognition that the privacy notices are very difficult to compare with those of other financial institutions, even those with identical privacy policies, since the rules allow significant flexibility with regard to designing the notices.

In December 2003, the financial institution regulators issued a request for comment on ways in which these privacy notices can be improved. Click here for CUNA’s comments in response to this request.

In September 2004, the regulators initiated a project and hired a consultant to develop an alternative privacy notice. The regulatory relief law that was enacted in October 2006 directed the regulators to develop a model form that financial institutions may use to make the required privacy disclosures and which would also guarantee compliance with the privacy notice requirements. The goal of the model form is to provide the information in a standardized manner that is easily understood and which also allows consumers to compare privacy practices among financial institutions.


The proposal incorporates the model privacy notice that was developed as a result of the project that was initiated in September 2004, which the regulators believe meets the goals and requirements of the recently enacted regulatory relief law. Institutions that want to guarantee compliance with the privacy notice requirements must use the model form and, unless otherwise noted in the proposal, cannot vary the content and format or include additional information. Institutions may also not incorporate this model into any other document.

While the model form guarantees compliance, institutions can continue to use other types of notices that vary from the model, as long as they comply with the 2000 privacy rules. This may include the notices that institutions currently use, although the regulators believe that the notices currently used by the larger institutions are complex and not easily understood by consumers. However, these criticisms are not necessarily directed at the shorter notices that credit unions and others use, especially the simplified notices used by institutions that do not have affiliates, or credit union service corporations, and that do not share nonpublic personal information with nonaffiliated third parties in situations in which the consumer has the ability to opt-out of the information-sharing.

The proposed model form has either two or three pages, depending on whether the institution is required to provide consumers with the ability to opt-out of certain of its information-sharing practices. The model form is to be completed by the institution by providing the relevant information to reflect its information-sharing practices. Click here and see pages 16-21 for examples of the model form that are completed for two types of institutions, one in which the institution is required to provide consumers with the right to opt-out of certain information-sharing, and one in which the institution is not required to provide this right.

Institutions using the model form to guarantee compliance must closely follow the format. This includes the following:

Institutions are permitted to modify the page of the model form that provides the choices regarding the consumer’s ability to opt-out of certain information-sharing practices. Here are some examples of possible modifications:

The proposal will also require a 10-point font, or type size, as the minimum type size for these privacy notices and will also require that there be sufficient space between the lines, which is commonly referred to as “leading.” Although there will not be a specific requirement regarding this space, the regulators are recommending that 10 or 11-point type size should have between 1 and 3 points of “leading” and 12-point type size should have between 2 and 4 points of “leading.”

As for type style, the regulators caution that institutions should not use idiosyncratic fonts or highly stylized typefaces. Institutions should also use a large “x-height” ratio, which refers to the height of the lower case “x” in relation to full height letters, such as a capital “G.” An “x-height” ratio of .66 is considered easy-to-read. Although there will be no specific requirements, the regulators are advising that an 11 or 12-point font should be used for smaller “x-height” ratios, while a 10-point type size should be sufficient for larger “x-height” ratios. Fonts that will satisfy the type style and “x-height” ratios include Tahoma, Century Gothic, Myriad, Avant Garde, Bk Avenir Book, ITC Franklin Gothic, Arial, Gill Sans, Chaparral Pro Family, Minion Pro, Garamond, Monotype Bodoni, and Monotype Century.

Financial institutions using the model form may include their logos on any of the pages, as long as the logo design does not interfere with the readability or space constraints of each page. The proposal will require printing each page of the model form on one side of an 8.5 by 11 inch piece of paper so that the pages may be viewed simultaneously. The proposal will also require the use of white or light color paper, such as cream, with black or suitable contrasting color ink.

The model form will replace the model language, or sample clauses, that are currently included as an appendix to the privacy rules. The proposed rule includes a one-year transition period for those institutions that currently use privacy notices based on the sample clauses. This means that notices delivered within one year after the effective date of the rule implementing the new model form can still be based on the sample clauses, but the notices delivered after that time must be based on the new model form in order to guarantee compliance with the privacy rules. For consumers who agree to receive notices electronically, the current privacy notices based on the sample clauses can continue to be posted on the institutions’ websites for one year, at which time they will have to be revised in order to ensure compliance with the privacy rules.


A. Content of the Model Form

B. Format of the Model Form

C. Additional Information

Eric Richard • General Counsel • (202) 508-6742
Mary Mitchell Dunn • SVP & Deputy General Counsel • (202) 508-6736
Jeffrey Bloch • Assistant General Counsel • (202) 508-6732
Lilly Thomas • Assistant General Counsel • (202) 508-6733
Catherine Orr • Senior Regulatory Counsel • (202) 508-6743