Model Privacy Forms Under The Gramm-Leach-Bliley Act
May 14, 2007
Background
The Gramm-Leach-Bliley Act (the “GLB Act”) requires that broker-dealers, investment advisers, mutual funds, hedge funds and other financial institutions provide each of their customers with a notice describing how they protect customers’ non-public personal information; the kinds of non-public personal information they collect; the affiliates and non-affiliated third parties to whom they disclose such information; and the customer’s right, if any, to “opt-out” of (i.e., prevent) some kinds of disclosure. See 15 USC, Subchapter I, §§ 6801-6809, “Disclosure of Nonpublic Personal Information.” Financial institutions must provide such a notice at the outset of each customer relationship, annually as long as the relationship endures and upon any change to the existing policy.
The GLB Act vests the Securities and Exchange Commission and seven other federal regulators (collectively, the “Regulators”[1]) with responsibility for developing a regulatory framework to administer and enforce the GLB Act’s financial privacy requirements. Pursuant to those Regulators’ privacy rules, there is currently no standard format or required wording for privacy notices. However, each Regulator provides guidance. For example, the privacy rule adopted by the Federal Trade Commission (“FTC”) includes an Appendix with a form setting forth model language that is presumed to satisfy privacy notice requirements (the “Sample Clauses,” see 16 CFR Part 313 (the “Privacy Rule”), Appendix A).
On October 13, 2006, President Bush signed the Financial Services Regulatory Relief Act of 2006 (Public Law No: 109-351, the “Regulatory Relief Act”). Section 728 of the Regulatory Relief Act amended Section 503 of the GLB Act (15 U.S.C. § 1603). In light of research suggesting that privacy notices based on guidelines such as the Sample Clauses are confusing to consumers, and in furtherance of the principle that privacy notices should be “comprehensible, clear and conspicuous,” § 728 requires that the Regulators propound a Model Form for improved privacy notices. While the amendment does not require financial institutions to use the Model Form, those that do will be deemed compliant with Section 503 of the GLB Act — i.e., will enjoy the benefit of a safe harbor for satisfying the relevant privacy rule’s requirement for proper form and content of privacy notices.
On March 29, 2007, the Regulators issued the Interagency Proposal for Model Privacy Form under the GLB Act. In it, the Regulators propose amendments to their rules implementing the GLB Act privacy provisions and propound a Model Form for privacy notices. At this time, the Regulators continue to receive commentary on the Model Form and the related amendments, which have not yet been finalized or adopted. Once it is finalized, the Model Form is intended first to coexist with — but eventually to supersede and supplant — recommendations such as those in the Sample Clauses, becoming financial institutions’ surest route to any available compliance safe harbors.
Impact
Nearly All Financial Institutions Are Incentivized to Change Their Privacy Notices to the Model Form. The Model Form is being propounded in light of findings that existing notices are inadequate. Once recommendations such as the Sample Clauses have been phased out entirely, financial institutions that use privacy notices based on them will likely be unable to argue credibly that their privacy notices are “clear and conspicuous,” as is required. Although financial institutions currently can use such notices to invoke a compliance safe harbor and favorable presumptions, after the upcoming transitional period those benefits will not be guaranteed. Indeed, in light of the Regulators’ findings that notices based on the Sample Clauses and similar guidelines are inadequate, continued use of such notices may preclude such benefits.
Format and Content Requirements Will Be Strict. The Regulators’ current privacy rules do not prescribe any specific format or standardized language for notices. Financial institutions have designed their notices based on examples such as the Sample Clauses, as well as their own policies and procedures. By contrast, under the proposed amended rules, financial institutions will not be able to vary the content or format of their privacy notices, except as narrowly indicated. Although use of the Model Form will be entirely voluntary, to qualify for safe harbor treatment and to benefit from a presumption that notice was proper, the Model Form must be used and its requirements strictly observed. Significantly, financial institutions that include in their notices any information that is not set forth in the Model Form will be non-compliant under the amended rules. With their increased rigidity, the amendments provide clearer guidance as to what is required, but may compromise a financial institution’s ability to describe its own privacy practices and procedures within the framework of a simplified form that uses uniform, generic language.
Limitations. Financial institutions such as broker-dealers, investment advisers and mutual funds that provide privacy notices pursuant to the Securities and Exchange Commission’s privacy rule, Regulation S-P (and only those financial institutions), have never had a safe harbor available to them; the Sample Clauses have merely functioned to provide guidance regarding the GLB Act’s application to financial institutions subject to Regulation S-P. This absence of a safe harbor persists under the amended rules, which continue to provide that following the Model Form consistent with its instructions “constitutes compliance with the notice and content requirements … [t]he facts and circumstances of each individual situation … will determine whether compliance with an example constitutes compliance” with Regulation S-P. See id., § 248.2(b).
Transition Period. Upon publication of the final version of the amendments, the safe harbor for financial institutions using the new Model Form (other than those subject to Regulation S-P) will immediately become available. However, to ease the compliance burden for financial institutions that have been relying on examples such as the Sample Clauses, the Regulators plan a one-year transition period, during which notices compliant with those guidelines will continue to trigger the safe harbor and continue to be regarded as proper form. Thus, for example, annual notices provided during the one-year transition period commencing upon publication of the final version of the rule amendments will continue to qualify for safe harbor treatment until the next annual notice is due one year later. At the end of that year, such notices will no longer enjoy the presumption of compliance.
The Model Form
In General. The Regulators’ examples of the Model Form are appended. The proposed Model Form is intended to foster consumers’ comprehension of the handling of their personal information; their ability to compare privacy policies; and financial institutions’ compliance with consumers’ requests. Example 1 sets forth a Model Privacy Notice properly completed by Neptune — an institution that has a privacy policy that includes broad information sharing in a manner that triggers opt-out rights. (See our Hedge Fund and Investment Managers Advisory, dated August 23, 2000, entitled “Privacy Rules are Adopted for Investment Advisers,” for information regarding opt-out rights.) Example 2 sets forth a Model Privacy Notice properly completed by Mars — an institution that has a privacy policy that limits information sharing and thus does not trigger opt-out rights.
Format. The proposed Model Form must use easily readable type font (no smaller than 10-point, varying according to the importance of the content). The Form must be printed on two (if no opt-out is required) or three (if an opt-out is required) separate sheets of 8.5” x 11” paper; and must be printed on only one side of each page. A financial institution that places its logo on the Model Form must not allow the logo to interfere with space constraints or with the clarity of the information provided. Notices must be printed on white or light-colored paper with black or suitable contrasting-colored ink, with spot color only, and only to the extent the color does not detract from the required content.
The Model Form was developed as a hard-copy document, but the Regulators recognize that notices currently are and will likely continue to be posted on web sites or distributed by e-mail. The Regulators intend the safe harbor to be available for electronic notices that are reproduced as PDF files that adhere to the same requirements that apply to hard-copy notices. The Regulators are seeking and considering comments as to whether it is advisable to develop a design for any notice that is distributed electronically in a format other than PDF.
Content. The Model Form is divided into three pages:
The first page contains a title bar, the institution’s contact information and the “key frame” — an introductory section with standardized language setting forth categories of personal information generally collected by financial institutions and a description of reasons why an institution may share that information. A financial institution may not customize these fields (except to insert its name and contact information). The first page also contains a disclosure table describing the types of sharing federal law allows; whether the financial institution participates in that type of sharing; and whether the consumer has a right to opt out of each type of sharing. The table description of the types of sharing permitted under federal law is standardized and may not be customized by the financial institution (except to add any additional opt-outs it allows beyond those required under federal law — e.g., any opt-out regarding the financial institution’s own marketing materials).
The second page consists entirely of a title, frequently asked questions on the financial institution’s sharing practices and a set of definitions of key terms. Again, a financial institution may not customize these fields (except to insert the financial institution’s name and descriptions of the financial institution’s affiliates, categories of non-affiliates with which the institution shares information and categories of joint marketing partners, if any). The frequently asked questions themselves are standardized and may not be altered, even if they do not accurately describe the institution’s actual practices.
The third page, if any, is the opt-out notice. Only financial institutions that provide such a notice — whether because they are required to do so by law because of their privacy practices or because they provide non-required opt-outs to their customers — need to provide this page of the Model Form.
[1] The Regulators and their respective privacy rules are the (1) Securities and Exchange Commission (17 CFR Part 248); (2) Federal Trade Commission (16 CFR Part 313); (3) Commodity Futures Trading Commission (17 CFR Part 160); (4) Department of the Treasury — Office of the Comptroller of the Currency (12 CFR Part 40); (5) Department of the Treasury — Office of Thrift Supervision (12 CFR Part 573); (6) Federal Reserve System (12 CFR Part 216); (7) Federal Deposit Insurance Corporation (12 CFR Part 332); and (8) National Credit Union Administration (12 CFR Part 716).
For additional information on this topic, you may contact Howard A. Neuman or Carol Spawn Desmond.