CUNA Regulatory Comment Call
April 4, 2007
Agencies Propose Model Privacy Notices
- The National Credit Union Administration (NCUA), along with the other federal financial institution regulators, has issued a proposed model form that may be used for complying with the current requirement of sending initial and annual privacy notices. The proposed form has either two or three pages, depending on whether the consumer has the opportunity to opt out of certain information-sharing.
- The regulatory relief law that was enacted in October 2006 directed the regulators to develop a model form that financial institutions may use to make the required privacy disclosures. The goal of the model form is to provide the information in a standardized manner that is easily understood and also allows consumers to compare privacy practices among financial institutions.
- Use of the model form will guarantee compliance with the privacy notice requirements. Financial institutions, including credit unions, will still be able to use their current privacy notices for one year after the effective date of the final version of this rule. Financial institutions will have to use the model form after that if they want to guarantee compliance with these requirements.
- Comments are due by May 29, 2007. Please submit your comments to CUNA by May 17, 2007.
Please feel free to fax your responses to CUNA at 202-638-7052; e-mail them to Senior Vice President and Deputy General Counsel Mary Dunn at firstname.lastname@example.org and to Senior Assistant General Counsel Jeff Bloch at email@example.com; or mail them to Mary and Jeff in c/o CUNA's Regulatory Advocacy Department, 601 Pennsylvania Avenue, NW, South Building, Suite 600, Washington, DC 20004-2601. You may also contact us at 800-356-9655, ext. 6732, if you would like a copy of the proposal, or you may access it here.
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to provide a notice of their privacy policies and practices to consumers at the time the consumer enters into a relationship with the institution and annually after that, as long as the relationship continues. These notices must describe the institution's policies and practices with respect to disclosing nonpublic personal information about a consumer to both affiliated and nonaffiliated third parties and provide consumers with an opportunity to request that the institution not share nonpublic personal information about the consumer with certain nonaffiliated third parties. The notices must also provide consumers with an opportunity to opt out of the sharing of certain information among affiliates, as required under the Fair Credit Reporting Act.
NCUA and the other financial institution regulators published final rules in 2000 to implement the GLBA privacy provisions. The rules outline specific items of information that must be included in the privacy notices, along with sample clauses that institutions may use. No specific format or wording is required. Institutions may design their own notices based on their individual privacy practices, as long as the notices are clear and conspicuous and otherwise comply with the rules.
The financial institutions industry, consumers, privacy advocates, Congress, and the regulators all recognize that many of the privacy notices that have been issued have been long and complex. There is also recognition that the privacy notices are very difficult to compare with those of other financial institutions, even those with identical privacy policies, since the rules allow significant flexibility with regard to designing the notices.
In December 2003, the financial institution regulators issued a request for comment on ways in which these privacy notices can be improved. Click here for CUNA's comments in response to this request.
In September 2004, the regulators initiated a project and hired a consultant to develop an alternative privacy notice. The regulatory relief law that was enacted in October 2006 directed the regulators to develop a model form that financial institutions may use to make the required privacy disclosures and which would also guarantee compliance with the privacy notice requirements. The goal of the model form is to provide the information in a standardized manner that is easily understood and which also allows consumers to compare privacy practices among financial institutions.
DESCRIPTION OF THE PROPOSAL
The proposal incorporates the model privacy notice that was developed as a result of the project that was initiated in September 2004, which the regulators believe meets the goals and requirements of the recently enacted regulatory relief law. Institutions that want to guarantee compliance with the privacy notice requirements must use the model form and, unless otherwise noted in the proposal, cannot vary the content and format or include additional information. Institutions may also not incorporate this model into any other document.
While the model form guarantees compliance, institutions can continue to use other types of notices that vary from the model, as long as they comply with the 2000 privacy rules. This may include the notices that institutions currently use, although the regulators believe that the notices currently used by the larger institutions are complex and not easily understood by consumers. However, these criticisms are not necessarily directed at the shorter notices that credit unions and others use, especially the simplified notices used by institutions that do not have affiliates, or credit union service corporations, and that do not share nonpublic personal information with nonaffiliated third parties in situations in which the consumer has the ability to opt-out of the information-sharing.
The proposed model form has either two or three pages, depending on whether the institution is required to provide consumers with the ability to opt-out of certain of its information-sharing practices. The model form is to be completed by the institution by providing the relevant information to reflect its information-sharing practices. Click here and see pages 16-21 for examples of the model form that are completed for two types of institutions, one in which the institution is required to provide consumers with the right to opt-out of certain information-sharing, and one in which the institution is not required to provide this right.
Institutions using the model form to guarantee compliance must closely follow the format. This includes the following:
- Indicating yes or no in the chart on page 1 of the form.
- Using the term "we don't share" on this chart, as applicable.
- Using italics for the institution's responses to the definitions of affiliates, nonaffiliates, and joint marketing on page 2 of the model form, and using the same format and phrasing for these responses as indicated in the examples on pages 16-21 of the proposal.
Institutions are permitted to modify the page of the model form that provides the choices regarding the consumer's ability to opt out of certain information-sharing practices. Here are some examples of possible modifications:
- The institution may allow consumers to opt-out by telephone, mail, or the Internet, but is not required to provide all three methods.
- Requiring consumers to identify each account for which the opt-out applies.
- Modifying this page if the institution provides consumers with the ability to opt out of information-sharing practices beyond what is required under the law.
- Modifying this page if the institution provides more than 30 days before sharing if an opt-out is not received.
- Indicating that the opt-out period for affiliate marketing will extend beyond the required five years.
The proposal will also require a 10-point font, or type size, as the minimum type size for these privacy notices and will also require that there be sufficient space between the lines, which is commonly referred to as leading. Although there will not be a specific requirement regarding this space, the regulators are recommending that 10- or 11-point type should have between 1 and 3 points of leading and 12-point type should have between 2 and 4 points of leading.
As for type style, the regulators caution that institutions should not use idiosyncratic fonts or highly stylized typefaces. Institutions should also use a large x-height ratio, which refers to the height of the lowercase x in relation to full-height letters, such as a capital G. An x-height ratio of .66 is considered easy to read. Although there will be no specific requirements, the regulators are advising that an 11- or 12-point font should be used for smaller x-height ratios, while a 10-point type size should be sufficient for larger x-height ratios. Fonts that will satisfy the type style and x-height ratios include Tahoma, Century Gothic, Myriad, Avant Garde, Bk Avenir Book, ITC Franklin Gothic, Arial, Gill Sans, Chaparral Pro Family, Minion Pro, Garamond, Monotype Bodoni, and Monotype Century.
Financial institutions using the model form may include their logo on any of the pages, as long as the logo design does not interfere with the readability or space constraints of each page. The proposal will require printing each page of the model form on one side of an 8.5 by 11 inch piece of paper so that the pages may be viewed simultaneously. The proposal will also require the use of white or light-colored paper, such as cream, with black or suitably contrasting ink.
The model form will replace the model language, or sample clauses, that are currently included as an appendix to the privacy rules. The proposed rule includes a one-year transition period for those institutions that currently use privacy notices based on the sample clauses. This means that notices delivered within one year after the effective date of the rule implementing the new model form can still be based on the sample clauses, but notices delivered after that time must be based on the new model form in order to guarantee compliance with the privacy rules. For consumers who agree to receive notices electronically, the current privacy notices based on the sample clauses can continue to be posted on the institution's website for one year, at which time they will have to be revised in order to ensure compliance with the privacy rules.
QUESTIONS TO CONSIDER REGARDING THE INTERAGENCY PROPOSAL ON PRIVACY NOTICES (THE REGULATORS ARE SPECIFICALLY INTERESTED IN RECEIVING COMMENTS ON THE FOLLOWING QUESTIONS)
A. Content of the Model Form
- Are there any aspects of the model form that are not clear and conspicuous or comprehensible? If so, please identify those aspects and explain why it is not
- Will you be able to accurately disclose your information-sharing practices by using the standardized provisions and vocabulary used in the model form? Does the proposed disclosure table provide sufficient flexibility to disclose information-sharing practices, or any opt-outs? Please explain your response.
- To what extent are modifications to the opt-out form necessary in order to describe your information-sharing practices accurately, facilitate consumer use of the opt-out form, or offer additional opt-outs? Please explain how the modifications can be made on page 1 and/or page 3 of the model form, in accordance with the requirements and the intent to keep the table on the first page of the form.
- Do you intend to incorporate into the model form the Fair Credit Reporting Act requirements regarding disclosure and the ability of consumers to opt out of certain information-sharing with affiliates? Will you limit the opt-out period to five years, as permitted under the statute?
- Should financial institutions be required to alert consumers to changes in the institution's privacy practices, and should this be reflected in the model form?
B. Format of the Model Form
- Should each page of the model form be required to be on a separate piece of paper or is there another format which could also allow consumers to readily see all the information on the model form at the same time?
- Is the guidance on the easily readable type font helpful and/or sufficient?
- What size paper would be appropriate for the model form, while conforming to the guidance for easily readable type font and layout?
- Would you want to use color and/or logos on the model form, and in what manner and to what extent would you use them, without conflicting with the readability of the form and the space requirements?
C. Additional Information
- Are you likely to use the model form? Why or why not?
- Are there other approaches with regard to consumer testing that the agencies should
- Do you support replacing the current sample clauses with this new model form, along with the one-year transition period in which current notices may be provided for one year after the effective date of the model form? Should the regulators retain the current sample clauses for institutions that currently use the simplified notices? (These sample clauses would be the clause describing the information that is collected; the clause stating that nonpublic personal information is not disclosed, except as permitted by law; and the clause stating that access to this information is restricted and that safeguards are used to protect this information.)
- Should the regulators develop a web-based design for those financial institutions that want to use an electronic version of the proposed model form? If so, do you have specific design and/or technical suggestions?
- Should the regulators develop and make available on their websites a readily accessible and downloadable model form that institutions can use to create their own notices by filling in the required information? Would you use such a form, and would it be useful in general, especially for smaller financial institutions?
- Many financial institutions request that the consumer provide the account number, Social Security number, or other personal information when opting out of certain information-sharing. Is this information necessary, or is the consumer's name, address, and possibly a truncated account number sufficient? Should the opt-out page of the model form omit the request for the account number, Social Security number, or other personal information, or should there instead be a request for a truncated number or other type of identifying information?
Eric Richard, General Counsel, (202) 508-6742, firstname.lastname@example.org
Mary Mitchell Dunn, SVP & Deputy General Counsel, (202) 508-6736, email@example.com
Jeffrey Bloch, Assistant General Counsel, (202) 508-6732, firstname.lastname@example.org
Lilly Thomas, Assistant General Counsel, (202) 508-6733, email@example.com
Catherine Orr, Senior Regulatory Counsel, (202) 508-6743, firstname.lastname@example.org