[Federal Register Volume 65, Number 41 (Wednesday, March 1, 2000)] [Proposed Rules] [Pages 11174-11195] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 00-4881] [[Page 11173]] ----------------------------------------------------------------------- Part III Federal Trade Commission ----------------------------------------------------------------------- 16 CFR 313 Privacy of Consumer Financial Information; Proposed Rule ��Federal Register / Vol. 65, No. 41 / Wednesday, March 1, 2000 / Proposed Rules�� [[Page 11174]] ----------------------------------------------------------------------- FEDERAL TRADE COMMISSION 16 CFR Part 313 Privacy of Consumer Financial Information AGENCY: Federal Trade Commission. ACTION: Notice of proposed rulemaking. ----------------------------------------------------------------------- SUMMARY: In this document, the Federal Trade Commission (the ``Commission'' or ``FTC'') issues a Notice of Proposed Rulemaking that is required by Section 504(a) of the Gramm-Leach-Bliley Act, (the ``G- L-B Act'' or ``Act'') with respect to financial institutions and other persons under the Commission's jurisdiction, as set forth in Section 505(a)(7) of the Act. The Commission requests comment on this proposed privacy Rule. Section 504 of the Act requires the Commission and other federal agencies to issue regulations implementing notice requirements and restrictions on a financial institution's ability to disclose nonpublic personal information about consumers to nonaffiliated third parties. Pursuant to Section 503 of the G-L-B Act, a financial institution must provide its customers with a notice of its privacy policies and practices. Section 502 of the Act prohibits a financial institution from disclosing nonpublic personal information about a consumer to nonaffiliated third parties unless the institution satisfies various disclosure requirements and the consumer has not elected to opt out of the disclosure. This proposed Rule would implement the requirements outlined above. DATES: Comments must be received on or before March 31, 2000. ADDRESSES: Written comments should be addressed to: Secretary, Federal Trade Commission, Room H-159, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The Commission requests that commenters submit the original plus five copies, if feasible. Comments should also be submitted if possible, in electronic form, on either a 5\1/4\ or a 3\1/ 2\ inch computer disk, with a disk label stating the name of the commenter and the name and version of the word processing program used to create the document. (Programs based on DOS or Windows are preferred. Files from other operating systems should be submitted in ASCII format.) Alternatively, the Commission will accept comments submitted to the following E-mail address: [email protected]. Those commenters submitting comments by e-mail are advised to confirm receipt by consulting the postings on the Commission's website at www.ftc.gov. Individual members of the public filing comments need not submit multiple copies or comments in electronic form. All submissions should be captioned: ``Gramm-Leach-Bliley Act Privacy Rule, 16 CFR Part 313-- Comment.'' Comments related to the Paperwork Reduction Act should also be submitted to the Office of Information and Regulatory Affairs, Office of Management and Budget, Room 10235, New Executive Office Building, Washington, DC 20503, Attention: Desk Officer for FTC. FOR FURTHER INFORMATION CONTACT: Kellie A. Cosgrove or Clarke Brinckerhoff, Attorneys, Division of Financial Practices, Federal Trade Commission, Washington, DC 20580, 202-326-3224. SUPPLEMENTARY INFORMATION: Section A. Background On November 12, 1999, President Clinton signed the G-L-B Act (Public Law 106-102, codified at 15 U.S.C. 6801 et seq.) into law. Subtitle A of Title V of the Act, captioned Disclosure of Nonpublic Personal Information, limits the instances in which a financial institution may disclose nonpublic personal information about a consumer to nonaffiliated third parties, and requires a financial institution to disclose to all of its customers the institution's privacy policies and practices with respect to information sharing with both affiliates and nonaffiliated third parties. Title V also requires the Commission, along with the Federal banking agencies and other authorities (Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of Thrift Supervision, National Credit Union Administration, Secretary of the Treasury, and Securities and Exchange Commission (hereinafter referred to collectively as ``the Agencies'')), after consulting with representatives of State insurance authorities designated by the National Association of Insurance Commissioners, to prescribe such regulations as may be necessary to carry out the purposes of the provisions in Title V, Subtitle A, that govern disclosure of nonpublic personal information. The Commission and the Agencies have prepared proposed rules to implement Subtitle A that are consistent and comparable to the extent possible, as is required by the statute. The Commission requests comment on all aspects of its proposed Rule, as well as comment on the specific provisions and issues highlighted in the Section-by-Section Analysis of the Proposed Rule, below. Section B. Section-by-Section Analysis of the Proposed Rule The discussion that follows explains in detail each section of the Commission's proposed Rule. Section 313.1 Purpose and Scope Proposed paragraph (a) of this section identifies three purposes of the Rule. First, the Rule requires a financial institution to provide notice in specified circumstances to consumers about the institution's privacy policies and practices. Second, the Rule describes the conditions under which a financial institution may disclose nonpublic personal information about a consumer to a nonaffiliated third party. Third, the Rule provides a method for a consumer to ``opt out'' of the disclosure of that information to nonaffiliated third parties, subject to the exceptions in proposed Secs. 313.9, 313.10, and 313.11, as discussed below. Proposed paragraph (b) sets out the scope of the Commission's proposed Rule, and tracks the scope of enforcement set out in section 505(a)(7) of the G-L-B Act. This paragraph states that the Rule applies only to information about individuals who obtain a financial product or service from a financial institution to be used for personal, family, or household purposes. The principal type of entity subject to the Rule is a ``financial institution,'' a term which is very broad under the Act. Section 509(3) defines the term to mean ``any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956'' (12 U.S.C. 1843(k)). Those ``financial activities'' include not only a number of traditional financial activities specified in Section 4(k) itself,\1\ but also those activities that the Federal Reserve Board has found to be closely related to banking,\2\ or usual [[Page 11175]] in connection with the transaction of banking or other financial operations abroad.\3\ The Commission invites comment on whether the activities as set forth in the Board regulations (many of which are listed in notes 2-3 below) may be interpreted narrowly under the language of those regulations.\4\ Issues relating to the scope of the Act are also discussed in the Section-by-Section Analysis of the definition of the term ``financial institution'' in Sec. 313.3(j). --------------------------------------------------------------------------- \1\ Section 4(k)(4)(A-E) states ``the following activities shall be considered to be financial in nature: (A) Lending, exchanging, transferring, investing for others, or safeguarding money or securities. (B) Insuring, guaranteeing, or indemnifying against loss, harm, damage, illness, disability, or death, or providing and issuing annuities, and acting as principal, agent, or broker for purposes of the foregoing, in any State. (C) Providing financial, investment, or economic advisory services, including advising an investment company (as defined in section 3 of the Investment Company Act of 1940). (D) Issuing or selling instruments representing interests in pools of assets permissible for a bank to hold directly. (E) Underwriting, dealing in, or making a market in securities.'' \2\ Section 4(k)(4)(F). The Board's list of such activities is set forth in 12 CFR 225.28. They include in certain circumstances: brokering or servicing loans; leasing real or personal property (or acting as agent, broker, or advisor in such leasing) without operating, maintaining or repairing the property; appraising real or personal property; check guaranty, collection agency, credit bureau, and real estate settlement services; providing financial or investment advisory activities including tax planning, tax preparation, and instruction on individual financial management; management consulting and counseling activities (including providing financial career counseling); courier services for banking instruments; printing and selling checks and related documents; community development or advisory activities; selling money orders, savings bonds, or traveler's checks; and providing financial data processing and transmission services, facilities (including hardware, software, documentation or operating personnel), data bases, advice, or access to these by technological means. \3\ Section 4(k)(4)(G). The scope of the Act is not limited to activities abroad, because the text of Section 4(k)(4)(G) is ``Engaging, in the United States, in any activity that (i) a bank holding company may engage in outside of the United States; and (ii) the Board has determined [by regulation in effect on November 11, 1999] to be usual in connection with the transaction of banking and financial operations abroad.'' (Emphasis added.) The Board has provided a list of such activities in 12 CFR 211.5(d). They include leasing real or personal property (or acting as agent, broker, or advisor in such leasing) where the lease is functionally equivalent to an extension of credit; acting as fiduciary; providing investment, financial, or economic advisory services; and operating a travel agency in connection with financial services. \4\ For example, 12 CFR 225.28(b)(1) and (b)(2) includes ``Extending credit and servicing loans'' and ``Activities related to extending credit'' as activities that are closely related to banking. Subsection (b)(2) delineates activities related to extending credit: real estate and personal property appraising; check guaranty services; collection agency services; credit bureau services; and real estate settlement servicing. The Commission requests comment on whether an entity engaged in (for example) real estate settlement servicing is a ``financial institution'' only if it also extends credit or services loans, or whether real estate settlement servicing alone constitutes a financial activity that results in an entity that engages in that activity being classified as a ``financial institution.'' Similarly, 12 CFR 211.5(d)(15) includes operating a travel agency ``in connection with financial services * * *'' The Commission requests comment on how the quoted language limits the activity of operating a travel agency, and the extent to which travel agencies are in fact operated in connection with financial services. --------------------------------------------------------------------------- Paragraph (b) lists some examples of ``financial institutions'' subject to Commission jurisdiction under the Act. The Commission is also authorized to enforce the Act against ``other persons'' who are not financial institutions, but receive protected information from a financial institution and are subject to the Act's restrictions on reuse of the information set forth in proposed Sec. 313.12. Section 313.2 Rule of Construction Proposed Sec. 313.2 of the Rule sets out a rule of construction intended to clarify the effect of the examples used in the Rule. Given the wide variety of transactions that Title V, Subtitle A, of the G-L-B Act covers, the Commission and Agencies propose to adopt rules of general applicability and provide examples of conduct that would, and would not, comply with the Rule. While the general rules are consistent among the Commission's and Agencies' proposals to the extent possible, the examples used by the Commission and individual agencies differ on occasion from those used by the other agencies in order to provide guidance that may be most meaningful to entities within a given agency's jurisdiction. These examples are not intended to be exhaustive; rather they are intended to provide guidance about how the Rule would apply in specific circumstances. The Commission invites comment on whether including examples in the Rule is useful and suggestions on additional or different examples that may be helpful in illustrating compliance with the Rule. Section 313.3 Definitions a. Affiliate. The proposed Rule adopts the definition of ``affiliate'' that is used in section 509(6) of the G-L-B Act. An affiliation will be found when one company ``controls'' (which is defined in Sec. 313.3(g)), is controlled by, or is under common control with another company. The definition includes both financial institutions and entities that are not financial institutions. b. Clear and conspicuous. Title V, Subtitle A, of the G-L-B Act and the proposed Rule require that various notices be ``clear and conspicuous.'' The proposed Rule defines this term to mean that the notice is reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice. The proposed Rule does not mandate the use of any particular technique for making the notices clear and conspicuous, but instead allows each financial institution the flexibility to decide for itself how best to comply with this requirement. Ways in which a notice may satisfy the clear and conspicuous standard would include, for instance, using a plain-language caption, in a type set easily seen, that is designed to call attention to the information contained in the notice. Other plain language principles are provided in the examples that follow the general rule. c. Collect. The proposed Rule defines ``collect'' to mean obtaining any information that is organized or retrievable on a personally identifiable basis, irrespective of the source of the underlying information. Several sections of the proposed Rule (see, e.g., Secs. 313.6 and 313.7) impose obligations that arise when a financial institution collects information about a consumer. This proposed definition clarifies that these obligations arise when the information enables the user to identify a particular consumer. It also clarifies that the obligations arise regardless of whether a financial institution obtains the information from a consumer or from some other source. d. Company. The proposed Rule defines ``company,'' which is used in the definition of ``affiliate,'' as any corporation, limited liability company, business trust, general or limited partnership, association, or similar organization. e. Consumer. The proposed Rule defines ``consumer'' to mean an individual who obtains, from a financial institution, financial products or services that are to be used primarily for personal, family, or household purposes. An individual also will be deemed to be a consumer of a financial institution if that institution purchases the individual's account from some other institution. The definition also includes the legal representative of an individual. The G-L-B Act distinguishes ``consumers'' from ``customers'' for purposes of the notice requirements imposed by the Act. As explained more fully in the discussion of proposed Sec. 313.4, below, a financial institution is required to give a ``consumer'' the notices required under Title V, Subtitle A, only if the institution intends to disclose nonpublic personal information about the consumer to a nonaffiliated third party for a purpose that is not authorized by one of several exceptions set out in proposed Secs. 313.10 and 313.11. By contrast, a financial institution must give all ``customers'' a notice of the institution's privacy policy at the time of establishing a customer relationship and annually thereafter during the continuation of the customer relationship. A person is a ``consumer'' under the proposed Rule if he or she obtains a financial product or service from a financial institution. The definition of ``financial product or service'' in proposed Sec. 313.3(k), below, includes, [[Page 11176]] among other things, the evaluation by a financial institution of an application that a person submits to obtain a financial product or service. Thus, a financial institution that intends to share nonpublic personal information about a consumer with nonaffiliated third parties, outside of the exceptions described in Secs. 313.10 and 313.11, will have to give the requisite notices, even if the consumer does not enter into a customer relationship with the institution. The examples that follow the definition of ``consumer'' clarify when someone is a consumer. They include situations where someone applies for credit or provides information for the purpose of determining whether he or she prequalifies for a loan, or a person provides information in connection with seeking to obtain financial advisory services. The examples also clarify the status of someone whose credit account has been sold. f. Consumer reporting agency. The proposed Rule adopts the definition of ``consumer reporting agency'' that is used in section 603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)). This term is used in proposed Secs. 313.11 and 313.13. g. Control. The proposed Rule defines ``control'' using the tests applied in section 23A of the Federal Reserve Act (12 U.S.C. 371c). This definition is used to determine when companies are affiliated (see discussion of proposed Sec. 313.3(a) above), and would result in financial institutions being considered affiliates regardless of whether the control is by a company or individual. The Commission invites comment on whether ``control'' should be defined by a more flexible standard than the percentage test set forth in proposed Sec. 313.3(g)(1). h. Customer. The proposed Rule defines ``customer'' as any consumer who has a ``customer relationship'' with a particular financial institution. As is explained more fully in the discussion of proposed Sec. 313.4 below, a consumer becomes a customer of a financial institution at the time of entering into a continuing relationship with the institution. Thus, for instance, a consumer would become a customer at the time the consumer executes the documents needed to borrow money from a financial institution, or agrees to employ a broker to obtain (or try to obtain) a mortgage loan. The distinction between consumers and customers determines what notices a financial institution must provide. If a consumer never becomes a customer, the institution is not required to provide any notices to the consumer unless the institution intends to disclose nonpublic personal information about that consumer to nonaffiliated third parties outside of the exceptions as set out in proposed Secs. 313.10 and 313.11. By contrast, if a consumer becomes a customer, the institution must provide a copy of its privacy policy prior to the time it establishes the customer relationship and at least annually thereafter during the continuation of the customer relationship even if the institution is not going to share the consumer's information with nonaffiliated third parties. i. Customer relationship. The proposed Rule defines ``customer relationship'' as a continuing relationship between a consumer and a financial institution whereby the institution provides a financial product or service to a consumer that is to be used primarily for personal, family, or household purposes. The Commission has interpreted the Act as requiring more than isolated transactions between a financial institution and a consumer to establish a customer relationship. The proposed Rule defines ``customer relationship'' as being of a ``continuing'' nature in order to encompass those business dealings that are not isolated, including those that involve a consumer becoming a client of the institution. As noted in the examples that follow the definition, these would include, for instance, cases where an institution opens a credit account for the consumer, a loan broker undertakes to assist a consumer to obtain a home mortgage, or an automobile dealer helps a consumer arrange credit to purchase a vehicle. A one-time transaction may be sufficient to establish a customer relationship, depending on the nature of the transaction. The examples that follow the definition of ``customer relationship'' clarify, for instance, that the purchase of an insurance policy would be sufficient to establish a customer relationship, whereas using an automated teller machine at a bank at which a consumer transacts no other business, cashing a check, purchasing travelers checks or money orders, or making a wire transfer would not. Similarly, simply purchasing airline tickets would not establish a customer relationship.\5\ While a person engaging in one of these latter types of transactions would be a consumer under the regulation (thereby requiring the financial institution to provide notices if the institution intends to disclose nonpublic personal information about the consumer to nonaffiliated third parties outside of the exceptions), the consumer would not be a customer. A consumer would not necessarily become a customer simply by repeatedly engaging in isolated transactions, such as withdrawing funds at regular intervals from an ATM owned by an institution with whom the consumer has no account. --------------------------------------------------------------------------- \5\ Thus, an institution that operated a travel agency in connection with financial services would have a customer relationship with an individual for whom it plans a trip, but not with an individual to whom it simply sells tickets or traveler's checks (even on a repeated basis). The Commission specifically requests information on (1) the extent to which travel agencies are operated in connection with financial services and (2) the nature of specific business relationships that exist between consumers and such travel agents, as well as more general comments on the application of the proposed Rule to travel agents. --------------------------------------------------------------------------- The examples also clarify that a consumer will have a customer relationship with a financial institution that makes a loan to the consumer and then sells the loan but retains the servicing rights. In that case, the person will be a customer of both the institution that sold the loan and the institution that bought it. A consumer has a ``customer relationship'' with a debt collector that purchases an account from the original creditor (because he or she would have a credit account with the collector), but not with a debt collector that simply attempts to collect amounts owed to the creditor. However, the latter type of debt collector would still be generally bound by the limits on redisclosure and reuse of nonpublic personal information as set forth in proposed Sec. 313.12.\6\ --------------------------------------------------------------------------- \6\ This includes data obtained by the collector in collecting the debt because proposed Sec. 313.3(o)(2)(E) specifically includes information obtained by a creditor's ``agent in connection with collecting on a loan'' in the definition of ``personally identifiable financial information.'' The Commission specifically requests comment on the application of the proposed Rule to debt collectors. --------------------------------------------------------------------------- j. Financial institution. The proposed Rule adopts the definition of ``financial institution'' that is used in the G-L-B Act, namely, any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). The exceptions to this definition contained in the G-L-B Act also are set out in the proposed Rule. As indicated by proposed Secs. 313.3(j)(2) and 313.3(j)(3)(iv), the Commission views an entity as a financial institution ``the business of which is engaging in financial activities'' only if it is significantly engaged in a financial activity. Thus, a retail business that issues its own credit card directly to consumers is a financial institution engaged in the extension of credit, but a retail business that merely establishes [[Page 11177]] layaway or deferred payment plans is not a financial institution. The Commission invites comment concerning whether ``significantly engaged'' should be specifically defined in the Rule and, if so, how such a definition should be drafted. The Commission also invites comment on whether an individual who otherwise meets the definition (for example the sole proprietor of a mortgage loan brokerage business) can be a financial institution. Due to the wide range of activities that are defined as financial in nature under Section 4(k) of the Bank Holding Company Act, the definition of ``financial institution'' encompasses a broad spectrum of businesses. (See discussion of the scope of the Act and the Rule at Sec. 313.1.) The Commission recognizes that the plain meaning of the Act mandates this broad scope and requests general comment on this interpretation as well as comment on the application of the Rule to what might be considered the nontraditional financial institutions included in its scope.\7\ --------------------------------------------------------------------------- \7\ These may include, but are not limited to: personal property appraisers; real estate appraisers; career counselors for employees in financial occupations; digital signature services; courier services; real estate settlement services; manufacturers of computer software and hardware; and travel agencies operated in connection with financial services. --------------------------------------------------------------------------- Many entities that come within the broad definition of financial institution will likely not be subject to the disclosure requirements of the Rule because not all financial institutions have ``consumers'' or establish ``customer relationships.'' For example, management consulting is a ``financial activity'' but it is not likely that any individual obtains management consulting services for personal, family or household purposes. Likewise, courier services and data processors who perform services for a financial institution, but do not provide financial products or services to individuals, will not be required to make the disclosures mandated by the Rule because they do not have ``consumers'' or ``customers'' as defined by the Rule.\8\ The Commission invites comment on these and other entities that may be ``financial institutions'' under the Act, but may not be subject to the disclosure requirements of the Rule because they have no ``consumers'' or ``customers'' under the Rule. --------------------------------------------------------------------------- \8\ If such financial institutions receive consumers' nonpublic personal information from nonaffiliated financial institutions pursuant to one of the exceptions set forth in Secs. 313.10 and 313.11, they would be required to observe the Sec. 313.12 limitations on reuse of that information. --------------------------------------------------------------------------- Proposed Sec. 313.3(j)(3)(iii) also incorporates the Act's exception for institutions chartered by Congress to engage in secondary market sales and similar transactions related to consumers, as long as the institution does not sell or transfer nonpublic personal information to a third party. The Commission interprets this exception in its proposed Rule to apply even if the chartered institution sells or transfers information as permitted by the exceptions to the notice and opt out requirements in proposed Secs. 313.10 and 313.11. The proposed Rule reflects this interpretation. The Commission invites comment on this interpretation and on whether those entities that receive consumers' nonpublic personal information from such chartered institutions are nonetheless subject to the Rule's limitations on reuse. The Commission also seeks comment on whether chartered institutions should be required to enter into a confidentiality agreement with those nonaffiliated third parties with whom they share information pursuant to Secs. 313.10 and 313.11 as a condition of their exemption. k. Financial product or service. The proposed Rule defines ``financial product or service'' as a product or service that a financial holding company could offer by engaging in an activity that is financial in nature under section 4(k) of the Bank Holding Company Act of 1956. It includes the financial institution's evaluation of information collected in connection with an application by a consumer for a financial product or service. The proposed Rule states that the definition includes the financial institution's evaluation of information collected in connection with an application by a consumer for a financial product or service even if the application ultimately is rejected or withdrawn. It also includes the distribution of information about a consumer for the purpose of assisting the consumer in obtaining a financial product or service (by, for example, a mortgage broker or automobile dealer). A product or service that does not result from a financial activity is not within the definition, even if the business is a financial institution; thus, a department store that issues its own credit card directly to consumers provides a financial service (credit) to consumers who utilize the card, but when it sells merchandise, it provides a nonfinancial product or service (retail sale of merchandise). l. Government regulator. The proposed Rule adopts the definition of ``government regulator'' that includes the Commission, the Agencies, and state insurance authorities under the circumstances identified in the definition. This term is used in the exception set out in proposed Sec. 313.11(a)(4) for disclosures to law enforcement agencies, ``including government regulators.'' m. Nonaffiliated third party. The proposed Rule defines ``nonaffiliated third party'' as any person (which includes natural persons as well as business entities such as corporations, partnerships, trusts, and so on) except (1) an affiliate of a financial institution, and (2) a joint employee of a financial institution and a third party. This definition is intended to be substantively the same as the definition used in Section 509(5) of the G-L-B Act. n. Nonpublic personal information. Section 509(4) of the G-L-B Act defines ``nonpublic personal information'' to mean ``personally identifiable financial information'' (which term is not defined in the Act) that is provided by a consumer to a financial institution, results from any transaction with the consumer or any service performed for the consumer, or is otherwise obtained by the financial institution. The definition of ``nonpublic personal information'' also includes any list, description, or other grouping of consumers--and ``publicly available information'' (which also is undefined in the G-L-B Act) pertaining to them--that is derived using any nonpublic personal information other than publicly available information.'' The proposed Rule implements this provision of the G-L-B Act by restating, in paragraph (1) of proposed Sec. 313.3(n), the categories of information described above. However, the proposed Rule presents two alternatives (labeled Alternative A and Alternative B) concerning the treatment, for purposes of the definition of ``nonpublic personal information,'' of information that can be obtained from sources available to the general public. The alternatives are based on differences in the definitions of ``personally identifiable financial information'' and ``publicly available information,'' which, when read together, result in more information being treated as ``nonpublic personal information'' under Alternative A than would be the case under Alternative B. The primary difference arises in the two definitions of ``publicly available information.'' Under Alternative A, information is ``publicly available information'' only if the financial [[Page 11178]] institution actually obtains the information from a public source. Under Alternative B, information is ``publicly available information'' if it could be obtained from a public source, regardless of its actual source. The Commission invites comment on both Alternatives. The Commission also invites comment on whether a variation of Alternative A and Alternative B should be adopted that would require a financial institution to undertake reasonable procedures to establish that information is, in fact, available from public sources before the financial institution may disclose it without restriction as ``publicly available information.'' The two Alternatives are substantially similar when viewed in the context of a list, but differ considerably in what information a financial institution can disclose about an individual who is not included on a list. Based on the definitions of ``publicly available information'' and ``personally identifiable financial information'' under Alternative A, any information that a financial institution obtains from an individual consumer is ``nonpublic personal information'' and cannot be disclosed by the financial institution without first providing notice and opt out to the consumer. Under Alternative B, however, if that same information could be obtained from public sources, the definitions dictate that the information is not ``nonpublic personal information'' and the financial institution may disclose it without restriction as ``publicly available information.'' Thus, if a consumer provided name and address as part of an application for a financial product or service, a financial institution could not, under Alternative A, disclose the consumer's name and address without providing notice and opt out. Under Alternative B, however, if that same individual consumer's name and address could otherwise be obtained from a public source, the financial institution could disclose it without restriction. While an individual consumer's information may be treated differently under the two Alternatives, a list of consumers receives virtually identical protection. Both alternatives include in the definition of ``nonpublic personal information'' any list, description, or other grouping of consumers that is derived using ``personally identifiable financial information.'' The proposed Rule makes clear that ``personally identifiable financial information'' includes the fact that an individual is a consumer or customer of a financial institution. Therefore, any list of a financial institution's customers is nonpublic personal information because it is necessarily derived from the fact of the customer relationship.\9\ Thus, under Alternative B, even if the names and addresses of the financial institution's customers could have been obtained from a public source (and are, therefore, publicly available), the financial institution cannot reveal them as part of a customer list because that list was derived using personally identifiable financial information (the fact of the customer relationship).\10\ --------------------------------------------------------------------------- \9\ If the fact of the customer relationship could be obtained from the public record, under Alternative B the list is not derived from ``personally identifiable financial information'' and the notice and opt out requirements are not implicated (as long as the names and addresses could be obtained from the public record). Thus, under Alternative B, a list of a financial institution's mortgage customers is not ``nonpublic personal information'' if all of the information on the list could be obtained from public sources. \10\ Under Alternative A, the names and addresses themselves are ``personally identifiable financial information'' if the financial institution did not actually obtain them from the public record. --------------------------------------------------------------------------- o. Personally identifiable financial information. As discussed above, the G-L-B Act defines ``nonpublic personal information'' to include, among other things, ``personally identifiable financial information'' but does not define the latter term. As a general matter, the proposed Rule treats any personally identifiable information as financial if it is obtained by a financial institution in connection with providing a financial product or service to a consumer. The Commission believes that this approach reasonably interprets the word ``financial'' and creates a workable and clear standard for distinguishing information that is financial from other personal information. The Commission recognizes that this interpretation may result in certain information being covered by the rules that may not be considered intrinsically financial, such as health status, and specifically invites comment on the proposed definition of ``personally identifiable financial information.'' The proposed Rule defines ``personally identifiable financial information'' to include three categories of information. While the three categories are for the most part identical in both Alternatives (see discussion concerning differences in the third category, below), the differences in how Alternatives A and B treat publicly available information result in different applications of what ``personally identifiable financial information'' is included within the definition of ``nonpublic personal information.'' The first category of information considered to be ``personally identifiable financial information'' is any information that a consumer provides to a financial institution in order to obtain a financial product or service. As noted in the examples that follow the definition, this would include information provided on an application to obtain a loan, credit card, or other financial product or service. If, for instance, medical information is provided on an application to obtain a financial product or service (such as would be the case if a consumer applies for a life insurance policy), that information would be considered ``personally identifiable financial information'' for purposes of the proposed Rule. The second category of information covered by the proposed definition of ``personally identifiable financial information'' includes any information resulting from any transaction between the consumer and the financial institution involving a financial product or service. This would include, as noted in the examples following the definition, account balance information, payment or overdraft history, and credit or debit card purchase information. The third category includes any financial information about a consumer otherwise obtained by the financial institution in connection with providing a financial product or service. This would include, for example, information obtained from a consumer report or from an outside source to verify information a consumer provides on an application to obtain a financial product or service. There is a difference in the statement of this third category between Alternatives A and B. Alternative A expressly excludes from this category ``publicly available information,'' while Alternative B does not. However, given the definitions of ``nonpublic personal information'' and ``publicly available information'' in Alternative B, the result is that any of the three categories of personally identifiable financial information in Alternative B will exclude publicly available information from the personally identifiable financial information that is considered ``nonpublic personal information.'' The examples clarify that the definition of ``personally identifiable information'' does not include a list of names and addresses of people who are customers of an entity that is not a financial institution. Thus, the names and addresses of people who subscribe, for instance, to a particular magazine fall outside the definition. If, however, a financial institution discloses those [[Page 11179]] names and addresses as part of a list of the institution's customers, then the names and addresses become nonpublic personal information. The Commission notes that there are other laws that may impose limitations on disclosures of nonpublic personal information in addition to those imposed by the G-L-B Act and this proposed Rule. For instance, the Fair Credit Reporting Act imposes conditions on the sharing of application information and credit report information between affiliates and nonaffiliated third parties.\11\ The recently proposed Department of Health and Human Services regulations \12\ that implement the Health Insurance Portability and Accountability Act of 1996 would, if adopted in final, limit the circumstances under which medical information may be disclosed. There may be State laws that affect a financial institution's ability to disclose information. Thus, financial institutions will need to comply with relevant laws and monitor legislative and regulatory developments that affect the disclosure of consumer information. --------------------------------------------------------------------------- \11\ The Fair Credit Reporting Act (FCRA), 15 U.S.C. 1681 et seq, provides no limitation at all on communication by an entity of its own ``transactions or experiences'' with the consumer (e.g., the individual's account history). However, it strictly limits the reporting of information obtained from other sources, such as consumer applications or credit reports. An institution may normally share such data with its affiliates only if it has complied with the notice and opt-out procedures set forth in FCRA Sec. 603(d)(2)(A)(iii), which are very similar to those set forth in Section 502(b)(1) of the Act. Sharing such data with nonaffiliates may be effectively prohibited in most cases by the FCRA, because the institution would become a consumer reporting agency subject to its restrictions on reporting of information to third parties. \12\ 64 FR 59918 (Nov. 3, 1999). --------------------------------------------------------------------------- The Commission seeks comment on whether further definition of ``personally identifiable'' would be helpful. p. Publicly available information. The proposed Rule contains two versions of the definition of ``publicly available information.'' The definitions differ in that Alternative A does not treat information as publicly available unless it is obtained from one of the public sources listed in the proposed Rule. Alternative B, by contrast, treats information as publicly available if it could be obtained from one of the public sources listed in the rules, even if it was obtained from a source not listed in the definition. The Commission invites comment on which alternative is more appropriate. The remaining parts of the two alternative versions are identical. Thus, under either alternative, the definition of ``publicly available information'' includes information from official public records, such as real estate recordations or security interest filings. It also includes information from widely distributed media (such as a telephone book, television or radio program, or newspaper) and information that is required to be disclosed to the general public by Federal, State, or local law (such as securities disclosure documents). The proposed Rule states that information obtained over the Internet will be considered publicly available information if the information is obtainable from a site available to the general public without requiring a password or similar restriction. The Commission invites comment on what information is appropriately considered publicly available, particularly in the context of information available over the Internet. (q) You includes each ``financial institution'' (but excludes any ``other person'') over which the Commission has enforcement jurisdiction pursuant to Section 505(a)(7) of the Act. Sec. 313.4 Initial Notice to Customers and Consumers of Privacy Policies and Practices Required. Initial notice required. The G-L-B Act requires a financial institution to provide an initial notice of its privacy policies and practices in two circumstances. For customers, the notice must be provided at the time of establishing a customer relationship. For consumers who do not become customers, the notice must be provided prior to disclosing nonpublic personal information about the consumer to a nonaffiliated third party. In addition, as discussed more fully in Sec. 313.8(c) below, a revised notice must be provided to such consumers prior to disclosing nonpublic personal information to nonaffiliated third parties if a financial institution's policies or practices have changed and previous notices do not accurately describe the financial institution's policies or practices. Paragraph (a) of proposed Sec. 313.4 states the general rule regarding these notices. Pursuant to that paragraph, a financial institution must provide a clear and conspicuous notice (i.e., a notice that is reasonably understandable and designed to call attention to the nature and significance of the information it provides) that accurately reflects the institution's privacy policies and practices. Thus, a financial institution may not fail to maintain the protections that it represents in the notice that it will provide. The Commission expects that financial institutions will take appropriate measures to adhere to their stated privacy policies. The proposed Rule does not prohibit affiliated institutions from using a common initial, annual, or opt out notice, so long as the notice is delivered in accordance with the Rule and is accurate for all recipients. Similarly, the Rule does not prohibit an institution from establishing different privacy policies and practices for different categories of consumers, customers, or products, so long as each customer or consumer receive a notice that is accurate with respect to him or her. Notice to customers. The proposed Rule requires that a financial institution provide a privacy notice to the consumer prior to the time that it has established a customer relationship. Thus, the notices may be provided at the same time a financial institution is required to give other notices, such as those required by the Board's regulations implementing the Truth-in-Lending Act. (12 CFR Sec. 226.6) This approach is intended to strike a balance between (1) ensuring that consumers will receive privacy notices at a meaningful point along the continuum of ``establishing a customer relationship'' and (2) minimizing unnecessary burdens on financial institutions that may result if a financial institution is required to provide a consumer with a series of notices at different times in a transaction. Nothing in the proposed Rule is intended to discourage a financial institution from providing an individual with a privacy notice at an earlier point in the relationship if the institution wishes to do so in order to make it easier for the consumer to compare its privacy policies and practices with those of other financial institutions in advance of conducting transactions. Paragraph (c) of proposed Sec. 313.4 identifies the time a customer relationship is established as the point at which a financial institution and a consumer enter into a continuing relationship. The examples that are provided after the statement of the general rule inform the reader that, for customer relationships that are contractual in nature (including, for example, loans), a customer relationship is established upon the execution by the consumer of the contract that is necessary to conduct the transaction in question. In the case of a credit card account, the customer relationship is established when the consumer opens the account. A consumer opens a credit card account when he or she becomes obligated on the account, such as when he or she makes the first purchase, receives the first advance, or becomes [[Page 11180]] obligated for any fee or charge under the account other than an application fee or refundable membership fee. For transactions that may not involve a contract (including, for instance, providing investment advisory, loan brokerage, or tax preparation services), a customer relationship will be established when the consumer pays or agrees to pay a fee or commission for the service, and/or becomes a client of the business. Notice to consumers. For consumers who do not establish a customer relationship, the initial notice may be provided at any point before the financial institution discloses nonpublic personal information to nonaffiliated third parties. An initial notice is not required, as provided in paragraph (b) of the proposed Rule, if the institution does not intend to disclose the information in question or intends to make only those disclosures that are authorized by one of the exceptions set out in Secs. 313.10 and 313.11 of the proposed Rule. How to provide notice. Paragraph (d) of proposed Sec. 313.4 sets out the rules governing how financial institutions must provide the initial notices. The general rule requires that the initial notice be provided so that each recipient can reasonably be expected to receive actual notice. The Commission invites comment on whether, when there is more than one party to an account, there are instances where all parties to the account need not receive the notice. The notice may be delivered in writing or, if the consumer agrees, electronically. Oral notices alone are insufficient. In the case of customers, the notice must be given in a way so that the customer may either retain it or access it at a later time. This requirement that the notice be given in a manner permitting access at a later time does not preclude a financial institution from changing its privacy policy. See proposed Sec. 313.8(c), below. Rather, the Rule is intended only to require that a customer be able to access the most recently adopted privacy policy. Examples of acceptable ways the notice may be delivered include hand-delivering a copy of the notice, mailing a copy to the consumer's last known address, or sending it via electronic mail to a consumer who obtains a financial product or service from the institution electronically. It would not be sufficient to provide only a posted copy of the notice in a lobby. Similarly, it would not be sufficient to provide the initial notice only on a Web page, unless the consumer is required to access that page to obtain the product or service in question. Electronic delivery generally should be in the form of electronic mail so as to ensure that a consumer actually receives the notice. In those circumstances where a consumer is in the process of conducting a transaction over the Internet, electronic delivery also may include posting on a Web page as described above. If a financial institution and consumer orally agree to enter into a contract for a financial product or service over the telephone, the institution may provide the consumer with the option of receiving the initial notice after providing the product or service so as not to delay the transaction. The Commission invites comment on the regulatory burden of providing the initial notices and on the methods financial institutions anticipate using to provide the notices. The Commission recognizes that in some circumstances a customer does not have a choice as to the institution with which he or she has a customer relationship, such as when an institution purchases the customer's loan in the secondary market. In these situations, it may not be practicable for the institution to provide a notice prior to the time the customer relationship is established. The proposed Rule provides that if a financial institution purchases a loan or assumes a deposit liability from another financial institution or in the secondary market and the customer does not have a choice about the purchase or assumption, the acquiring financial institution may provide the initial notice within a reasonable time thereafter. The Commission invites comment on whether there are other similar situations for which an exception is necessary. The Commission also recognizes that certain consumers may have requested that a financial institution not send statements, notices, or other communications to them, such as in certain private banking relationships. The Commission requests comment on whether and how the Rule should address these situations with respect to the notices required by this Rule. The Commission also requests comment on whether there are other situations where providing notice by mail is impracticable. Section 313.5 Annual Notice to Customers of Privacy Policies and Practices Required Section 503 of the G-L-B Act requires a financial institution to provide notices of its privacy policies and practices at least annually to its customers. The proposed Rule implements this requirement by requiring a clear and conspicuous notice that accurately reflects the privacy policies and practices then in effect to be provided at least once during any period of twelve consecutive months. The rules governing how to provide an initial notice also apply to annual notices. Section 503(a) of the G-L-B Act requires that the annual notices be provided ``during the continuation'' of a customer relationship. To implement this requirement, the proposed Rule states that a financial institution is not required to provide annual notices to a customer with whom it no longer has a continuing relationship. The examples that follow this general rule provide guidance on when there no longer is a continuing relationship for purposes of the Rule. These include, for instance, loans that are paid in full or charged off, or accounts sold without retaining servicing rights. There will be certain customer relationships (such as obtaining investment advice from a stock broker) that do not present a clear event after which there is no longer a customer relationship. The proposed Rule contains an example intended to cover these situations, stating that a relationship will no longer be deemed continuing for purposes of the proposed Rule if the financial institution has not communicated with a customer, other than providing an annual privacy policy notice, for a period of 12 consecutive months. The Commission invites comment generally on whether the examples provided in proposed Sec. 313.5 are adequate and on whether the proposed standard deeming an account relationship to have terminated after 12 months of no communication is appropriate. The Commission also invites comment on the regulatory burden of providing the annual notices and on the methods financial institutions anticipate using to provide the notices. Section 313.6 Information to be Included in Initial and Annual Notices of Privacy Policies and Practices Section 503 of the G-L-B Act identifies the items of information that must be included in a financial institution's initial and annual notices. Section 503(a) of the G-L-B Act sets out the general requirement that a financial institution must provide customers with a notice describing the institution's policies and practices with respect to, among other things, disclosing nonpublic personal information to affiliates and nonaffiliated third parties. Section 503(b) of the Act identifies [[Page 11181]] certain elements that must be addressed in that notice. The required content is the same for both the initial and annual notices of privacy policies and practices. While the information contained in the notices must be accurate as of the time the notices are provided, a financial institution may prepare its notices based on current and anticipated policies and practices. The information to be included is as follows: 1. Categories of nonpublic personal information that a financial institution may collect. Section 503(b) requires a financial institution to inform its customers about the categories of nonpublic personal information that the institution collects. The proposed Rule implements this requirement in proposed Sec. 313.6(a)(1) and provides an example of how to comply with this requirement that focuses the notice on the source of the information collected. As noted in the example, a financial institution will satisfy this requirement if it categorizes the information according to the sources, such as application information, transaction information, and credit report information. Financial institutions may provide more detail about the categories of information collected but are not required to do so by the proposed Rule. 2. Categories of nonpublic personal information that a financial institution may disclose. Section 503(a)(1) of the G-L-B Act requires the financial institution's initial and annual notice to provide information about the categories of nonpublic personal information that may be disclosed either to affiliates or nonaffiliated third parties. The proposed Rule implements this requirement in proposed Sec. 313.6(a)(2). The examples of how to comply with this rule focus on the content of the information to be disclosed. As stated in the relevant examples, a financial institution may satisfy this requirement by categorizing information according to source and providing illustrative examples of the content of the information. These categories might include application information (such as assets and income), identifying information (such as name, address, and social security number), transaction information (such as information about account activity, account balances, and purchases), and information from credit reports (such as credit history). Financial institutions are free to provide more detailed information in the initial and annual notices if they choose to do so. Conversely, if a financial institution does not disclose, and does not intend to disclose, nonpublic personal information to affiliates or nonaffiliated third parties, its initial and annual notices may simply state this fact without further elaboration about categories of information disclosed. 3. Categories of affiliates and nonaffiliated third parties to whom a financial institution discloses nonpublic personal information. As previously noted, section 503(a) includes a general requirement that a financial institution provide a notice to its customers of the institution's policies and practices with respect to disclosing nonpublic personal information to affiliates and nonaffiliated third parties. Section 503(b) states that the notice required by section 503(a) shall include certain specified items. Among those is the requirement, set out in section 503(b)(1), that a financial institution inform its consumers about its policies and practices with respect to disclosing nonpublic personal information to nonaffiliated third parties. The Commission believes that, when read together, Sections 503(a) and 503(b) of the G-L-B Act require a financial institution's notice to address disclosures of nonpublic personal information to both affiliates and nonaffiliated third parties. The proposed Rule implements this requirement in Sec. 313.6(a)(3). The example illustrating how a financial institution may comply with the Rule states that a financial institution will adequately categorize the affiliates and nonaffiliated third parties to whom it discloses nonpublic personal information about consumers if it identifies the types of businesses in which they engage. Types of businesses may be described by general terms only if the financial institution provides illustrative examples of the significant lines of businesses of the recipient. The Commission's intent is that any illustrations must be reasonably designed to be meaningful to consumers. Proposed Sec. 313.6 includes examples of general types of businesses and appropriate corresponding illustrative examples for each. Other appropriate examples include an institution that referred to ``retail stores'' and explained that this includes grocery stores and drug stores, or to ``manufacturers of consumer products'' and provided meaningful examples such as pharmaceutical products and children's toys. The G-L-B Act does not require a financial institution to list the categories of persons to whom information may be disclosed pursuant to one of the exceptions set out in proposed Secs. 313.10 and 313.11. The proposed Rule states that a financial institution is required only to inform customers that it makes disclosures as permitted by law to nonaffiliated third parties in addition to those described in the notice. The Commission invites comment on whether such a notice would be adequate. If a financial institution does not disclose, and does not intend to disclose, nonpublic personal information to affiliates or nonaffiliated third parties, its initial and annual notices may simply state this fact without further elaboration about categories of third parties. 4. Information about former customers. Section 503(a)(2) of the Act requires the financial institution's initial and annual privacy notices to include the institution's policies and practices with respect to disclosing the nonpublic personal information of persons who have ceased to be customers of the institution. Section 503(b)(1)(B) requires that this information be provided with respect to information disclosed to nonaffiliated third parties. The Commission has concluded that, when read together, Sections 503(a)(2) and 503(b)(1)(B) require a financial institution to include in the initial and annual notices the institution's policies and practices with respect to sharing information about former customers with all affiliates and nonaffiliated third parties. This requirement is set out in the proposed Rule at Sec. 313.6(a)(4). This requirement does not require a financial institution to provide a notice and opportunity to opt out to a former customer before sharing nonpublic personal information about that former customer with an affiliate. 5. Information disclosed to service providers. Section 502(b)(2) of the G-L-B Act permits a financial institution to disclose nonpublic personal information about a consumer to a nonaffiliated third party for the purpose of the third party performing services for the institution, including marketing financial products or services under a joint agreement between the financial institution and at least one other financial institution. In this case, a consumer has no right to opt out. However, the financial institution must inform the consumer that it will be disclosing the information in question, unless the service falls within one of the exceptions listed in Section 502(e) of the Act. Proposed Sec. 313.6(a)(5) implements these provisions by requiring that, if a financial institution discloses nonpublic personal information to a nonaffiliated third party pursuant to the exception for service providers and joint marketing, [[Page 11182]] the institution is to include in the initial and annual notices a separate description of the categories of information that are disclosed and the categories of third parties providing the services. However, proposed Secs. 313.6(a)(3) and (a)(4) specify that no disclosure is required if a financial institution discloses nonpublic personal information to a nonaffiliated third party service provider pursuant to proposed Secs. 313.10 or 313.11. A financial institution may comply with these requirements by providing the same level of detail in the notice as is required to satisfy the requirements in proposed Secs. 313.6(a)(2) and (3). 6. Right to opt out. As previously noted, Sections 503(a)(1) and 503(b)(1) of the G-L-B Act require a financial institution to provide customers with a notice of its privacy policies and practices concerning, among other things, disclosing nonpublic personal information consistent with Section 502 of the Act. Proposed Sec. 313.6(a)(6) implements this requirement by requiring the initial and annual notices to explain the right to opt out of disclosures of nonpublic personal information to nonaffiliated third parties, including the methods available to exercise that right. 7. Disclosures made under the FCRA. Section 503(b)(4) of the G-L-B Act requires a financial institution's initial and annual notice to include the disclosures required, if any, under Section 603(d)(2)(A)(iii) of the FCRA. Section 603(d)(2)(A)(iii) excludes from the definition of ``consumer report'' the communication of certain consumer information among affiliated entities if the consumer is notified about the disclosure of such information and given an opportunity to opt out of that information sharing. The information that can be shared among affiliates under this provision includes, for instance, information from consumer reports and applications for financial products or services. In general, this information represents personal information provided directly by the consumer to the institution, such as income and social security number, in addition to information contained within credit bureau reports. The proposed Rule implements Section 503(b)(4) of the G-L-B Act by including the requirement that a financial institution's initial and annual notice include any disclosures a financial institution is required to make under Section 603(d)(2)(A)(iii) of the FCRA. 8. Confidentiality, security, and integrity. Section 503(a)(3) of the G-L-B Act requires the initial and annual notices to provide information about a financial institution's policies and practices with respect to protecting the nonpublic personal information of consumers. Section 503(b)(3) of the Act requires the notices to include the policies that the institution maintains to protect the confidentiality and security of nonpublic personal information, in accordance with section 501 (which requires the Commission and the Agencies to establish standards governing the administrative, technical, and physical safeguards of customer information). The proposed Rule implements these provisions by requiring a financial institution to include in the initial and annual notices the institution's policies and practices with respect to protecting the confidentiality, security, and integrity of nonpublic personal information. The relevant example in the proposed Rule states that a financial institution may comply with the requirement as it concerns confidentiality and security if the institution explains matters such as who has access to the information and the circumstances under which the information may be accessed. The information about integrity should focus on the measures the institution takes to protect against reasonably anticipated threats or hazards. The proposed Rule does not require a financial institution to provide technical or proprietary information about how it safeguards consumer information. The Commission is in the process of preparing the section 501 standards, and will publish a separate notice of proposed rulemaking concerning them as soon as practicable. Sec. 313.7 Limitation on Disclosure of Nonpublic Personal Information About Consumers to Nonaffiliated Third Parties Section 502(a) of the G-L-B Act generally prohibits a financial institution from sharing nonpublic personal information about a consumer with a nonaffiliated third party unless the institution provides the consumer with a notice of the institution's privacy policies and practices. Section 502(b) further requires that the financial institution provide the consumer with a clear and conspicuous notice that the consumer's nonpublic personal information may be disclosed to nonaffiliated third parties, that the consumer be given an opportunity to opt out of that disclosure, and that the consumer be informed of how to opt out. Section 313.7 of the proposed Rule implements these provisions. Paragraph (a)(1) of Sec. 313.7 sets out the criteria that a financial institution must satisfy before disclosing nonpublic personal information to nonaffiliated third parties. As stated in the text of the proposed Rule, these criteria apply to direct and indirect disclosures through an affiliate. The Commission invites comment on how the right to opt out should apply in the case of joint accounts. Should, for instance, a financial institution require all parties to an account to opt out before the opt out becomes effective? If not, and only one of the parties opts out, should the opt out apply only to information about the party opting out or should it apply to all parties to the account? Paragraph (a)(2) defines ``opt out'' in a way that incorporates the exceptions to the right to opt out stated in proposed Secs. 313.9, 313.10, and 313.11. The proposed Rule implements the requirement that a consumer be given an opportunity to opt out before information is disclosed by requiring that the opportunity be reasonable. The examples that follow the general rule provide guidance in situations involving notices that are mailed and notices that are provided in connection with isolated transactions. In the former case, a consumer will have a reasonable opportunity to opt out if the financial institution provides 30 days in which to opt out. In the latter case, an opportunity will be reasonable if the consumer must decide as part of the transaction whether to opt out before completing the transaction. The Commission invites comment on whether 30 days is a reasonable opportunity to opt out in the case of notices sent by mail, and on whether an example in the context of transactions conducted using an electronic medium would be helpful. The requirement that a consumer have a reasonable opportunity to opt out does not mean that a consumer forfeits that right once the opportunity lapses. The consumer always has the right to opt out (as discussed further in proposed Sec. 313.8, below). However, if an individual does not exercise that opt out right when first presented with an opportunity, the financial institution would be permitted to disclose nonpublic personal information to nonaffiliated third parties for some period of time necessary to implement the consumer's opt out direction. Paragraph (b) of proposed Sec. 313.7 clarifies that the right to opt out applies regardless of whether a consumer has established a customer relationship with a financial institution. As noted above, all customers are consumers under the proposed Rule. Thus, the fact that a [[Page 11183]] consumer establishes a customer relationship with a financial institution does not change the institution's obligations to comply with the requirements of proposed Sec. 313.7(a) before sharing nonpublic personal information about that consumer with nonaffiliated third parties. This also applies in the context of a consumer who had a customer relationship with a financial institution but then terminated that relationship. Paragraph (b) also clarifies that the consumer protections afforded by paragraph (a) of proposed Sec. 313.7 apply to all nonpublic personal information collected by a financial institution, regardless of when collected. Thus, if a consumer elects to opt out of information sharing with nonaffiliated third parties, that election applies to all nonpublic personal information about that consumer in the financial institution's possession, regardless of when the information is obtained. Paragraph (c) of proposed Sec. 313.7 states that a financial institution may, but is not required to, provide consumers with the option of a partial opt out in addition to the opt out required by this section. This could enable a consumer to limit, for instance, the types of information disclosed to nonaffiliated third parties or the types of recipients of the nonpublic personal information about that consumer. If the partial opt out option is provided, a financial institution must state this option in a way that clearly informs the consumer about the choices available and consequences thereof. Section 313.8 Form and Method of Providing Opt Out Notice to Consumer Paragraph (a) of proposed Sec. 313.8 requires that any opt out notice provided by a financial institution pursuant to proposed Sec. 313.7 be clear and conspicuous and accurately explain the right to opt out. The notice must inform the consumer that the institution may disclose nonpublic personal information to nonaffiliated third parties, state that the consumer has a right to opt out, and provide the consumer with a reasonable means by which to opt out. The examples that follow the general rule state that a financial institution will adequately provide notice of the right to opt out if it identifies the categories of information that may be disclosed and the categories of nonaffiliated third parties to whom the information may be disclosed and that the consumer may opt out of those disclosures. A financial institution that plans to disclose only limited types of information, or to only a specific type of nonaffiliated third party, may provide a correspondingly narrow notice to consumers. However, to minimize the number of opt out notices a financial institution must provide, the institution may wish to base its notices on current and anticipated information sharing plans. A new opt out notice is required if the financial institution discloses information to different types of nonaffiliated third parties, or discloses different types of information, unless the most recent opt out notice is sufficiently broad to cover the entities or information in question. Nor is a financial institution required to provide a subsequent opt-out notice when a consumer establishes a new type of customer relationship with that financial institution, unless the institution's opt out policies differ depending on the type of customer relationship. The examples also suggest several ways in which a financial institution may provide reasonable means to opt out, including check- off boxes, reply forms, self-addressed stamped envelopes, toll-free phone numbers, and electronic mail addresses. A financial institution does not provide a reasonable means to opt out if the only means provided is for a consumer to write his or her own letter to the institution to exercise the right, although an institution may honor such a letter if received. The Commission invites comment on whether financial institutions should be required to accept opt outs through any means the institution has already established to communicate with consumers. For example, if a financial institution has established a toll free telephone number for its customer service department, should the institution be required to accept opt outs at that number? Similarly, if a financial institution has established a Web site, should it be required to accept opt outs at that site? Paragraph (b) applies the same rules to delivery of the opt out notice that apply to delivery of the initial and annual notices. In addition, paragraph (b) clarifies that the opt out notice may be provided together with, or on the same form as, the initial and annual notices. However, if the opt out notice is provided after the initial notice, a financial institution must provide a copy of the initial notice along with the opt out notice. If a financial institution and consumer orally agree to enter into a customer relationship, the institution may provide the opt out notice within a reasonable time thereafter if the consumer agrees. The Commission invites comment on whether a more specific time by which the notice must be given would be appropriate. Paragraph (c) sets out the rules governing a financial institution's obligations in the event the institution changes its disclosure policies. As stated in that paragraph, a financial institution may not disclose nonpublic personal information to a nonaffiliated third party unless the institution first provides a revised notice and new opportunity to opt out. The institution must wait a reasonable period of time before disclosing information according to the terms of the revised notice in order to afford the consumer a reasonable opportunity to opt out. A financial institution must provide the revised notice of its policies and practices and opt out notice to a consumer using the means permitted for providing the initial notice and opt out notice to that consumer under Secs. 313.4(c) and 313.8(b), respectively, which require that the notices be given in a manner so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, in electronic form. Paragraph (d) states that a consumer has the right to opt out at any time. The Commission considered whether to include a time limit by which financial institutions must effectuate a consumer's opt out election, but decided that the wide variety of practices of financial institutions made one limit inappropriate. Instead, the Commission's proposed Rule requires that the disclosures stop as soon as reasonably practicable. The Commission solicits comment on whether it would be more appropriate to require a specific time to implement these opt- outs. Paragraph (e) states that an opt out will continue until a consumer revokes it. The proposed Rule requires that such revocation be in writing, or, if the consumer has agreed, electronically. The Commission invites comment on the likely burden of complying with the requirement to provide opt out notices, the methods financial institutions anticipate using to deliver the opt out notices, and the approximate number of opt out notices they expect to deliver and process. Section 313.9 Exception to opt out Requirements for Service Providers and Joint Marketing Section 502(b) of the G-L-B Act creates an exception to the opt-out rules for the disclosure of information to a nonaffiliated third party for use by the third party to perform services for, or functions on behalf of, the financial institution, including the marketing of the financial institution's own products [[Page 11184]] or services or financial products or services offered pursuant to a joint agreement between two or more financial institutions.\13\ A consumer will not have the right to opt out of disclosing nonpublic personal information about the consumer to nonaffiliated third parties under these circumstances, if the financial institution satisfies certain requirements. --------------------------------------------------------------------------- \13\ Section 502(e) also sets forth some exceptions for transmitting information to third parties for servicing and processing purposes, and exempts them from the notice, as well as the opt-out, provisions of the Act. These are discussed in more detail in Secs. 313.10 and 313.11. In those cases, the consumer has no disclosure or opt-out rights. --------------------------------------------------------------------------- First, the institution must, as stated in section 502(b), ``fully disclose'' to the consumer that it will provide this information to the nonaffiliated third party before the information is shared. This disclosure should be provided as part of the initial notice that is required by Sec. 313.4. The Commission invites comment on whether the proposed Rule appropriately implements the ``fully disclose'' requirement in section 502(b)(2). Second, the financial institution must enter into a contract with the third party that requires the third party to maintain the confidentiality of the information. This contract should be designed to ensure that the third party (a) will maintain the confidentiality of the information at least to the same extent as is required for the financial institution that discloses it, and (b) will use the information solely for the purposes for which the information is disclosed or as otherwise permitted by Secs. 313.10 and 313.11 of the proposed Rule. The Commission invites comment on whether third party contractors should be permitted to use information received pursuant to proposed Sec. 313.9 to improve credit scoring models or analyze marketing trends, as long as the third parties do not maintain the information in a way that would permit identification of a particular consumer. Section 502(b)(2) of the G-L-B Act allows the Commission to impose requirements on the disclosure of information pursuant to the exception for service providers beyond those imposed in the statute. The Commission has not done so in the proposed Rule, but invites comment on whether additional requirements should be imposed, and, if so, what those requirements should address. The Commission also invites comments on any other requirements that would be appropriate to protect a consumer's financial privacy, and on whether the Rule should provide examples of the types of joint agreements that are covered. Section 313.10 Exceptions for Processing and Servicing Transactions Section 502(e) of the G-L-B Act creates exceptions to the requirements that apply to the disclosure of nonpublic personal information to nonaffiliated third parties. Paragraph (1) of that section sets out certain exceptions for disclosures made, generally speaking, in connection with the administration, processing, servicing, and sale of a consumer's account. Paragraph (a) of proposed Sec. 313.10 sets out those exceptions, making only stylistic changes to the statutory text that are intended to make the exceptions easier to read. Paragraph (b) sets out the definition of ``necessary to effect, administer, or enforce'' that is contained in section 509(7) of the G-L-B Act, making only stylistic changes intended to clarify the definition. The exceptions set out in proposed Sec. 313.10, and the exceptions discussed in proposed Sec. 313.11, below, do not affect a financial institution's obligation to provide initial notices of its privacy policies and practices prior to the time it establishes a customer relationship and annual notices thereafter. Those notices must be provided to all customers, regardless of whether the institution intends to disclose the nonpublic personal information. Section 313.11 Other Exceptions to opt out Requirements As noted above, section 502(e) contains several exceptions to the requirements that otherwise would apply to the disclosures of nonpublic personal information to nonaffiliated third parties. Proposed Sec. 313.11 sets out those exceptions that are not made in connection with the administration, processing, servicing, and sale of a consumer's account, and makes stylistic changes intended to clarify the exceptions. One of the exceptions stated in proposed Sec. 313.11 is for disclosures made with the consent or at the direction of the consumer, provided the consumer has not revoked the consent. Following the list of exceptions is an example of consent in which a financial institution that has received an application from a consumer for a mortgage loan informs a nonaffiliated insurance company that the consumer has applied for a loan so that the insurance company can contact the person about homeowner's insurance. Consent in such a situation would enable the financial institution to make the disclosure to the third party without first providing the initial notice required by Sec. 313.4 or the opt out notice required by Sec. 313.7, but the disclosure must not exceed the purposes for which consent was given. The example also states that consent may be revoked by a consumer at any time by the consumer exercising the right to opt out of future disclosures. The Commission intends that a ``consent'' that was not clearly made by a consumer (for example, one in the form of a line buried in a document or a negative option not clearly explained to the consumer) would not provide an effective exception to the opt-out right. The Commission invites comment on whether specific safeguards should be added to the exception for consent in order to minimize the potential for consumer confusion. Such safeguards might include, for instance, a requirement that consent be written or that it be indicated on a separate signature line in a relevant document or on a distinct Web page, or that it may be effective for only a limited period of time. Section 313.12 Limits on Redisclosure and Reuse of Information Section 313.12 of the proposed Rule implements the Act's limitations on redisclosure and reuse of nonpublic personal information about consumers. Section 502(c) of the Act provides that a nonaffiliated third party that receives nonpublic personal information from a financial institution shall not, directly or indirectly through an affiliate, disclose the information to any person that is not affiliated with either the financial institution or the third party, unless the disclosure would be lawful if made directly by the financial institution. Paragraph (a)(1) sets out the Act's redisclosure limitation as it applies to a financial institution that receives information from another nonaffiliated financial institution. Paragraph (b)(1) mirrors the provisions of paragraph (a)(1), but applies the redisclosure limits to any nonaffiliated third party that receives nonpublic personal information from a financial institution. The Act appears to place the institution that receives the information into the shoes of the institution that disclosed the information for purposes of determining whether redisclosures by the receiving institution are ``lawful.'' Thus, the Act appears to permit the receiving institution to redisclose the information only to: (1) An entity to whom the original transferring institution could disclose the information pursuant to one of the exceptions in Sec. 313.9, 313.10, or 313.11; [[Page 11185]] or (2) an entity to whom the original transferring institution could have disclosed the information as described under its notice of privacy policies and practices, unless the consumer has exercised the right to opt out of that disclosure. Because a consumer can exercise the right to opt out of a disclosure at any time, the Act may effectively preclude third parties that receive information to which the opt out right applies from redisclosing the information, except pursuant to one of the exceptions in Secs. 313.9, 313.10, or 313.11. The Commission invites comment on whether the Rule should require a financial institution that discloses nonpublic personal information to a nonaffiliated third party to develop policies and procedures to ensure that the third party complies with the limits on redisclosure of that information. Sections 502(b)(2) and 502(e) (as implemented by Secs. 313.9, 313.10, and 313.11 of the proposed Rule) describe when a financial institution may disclose nonpublic personal information without providing the consumer with initial privacy notice and an opportunity to opt out, but those exceptions apply only when the information is used for the specific purposes set out in those sections. Paragraph (a)(2) of proposed Sec. 313.12 clarifies this limitation on reuse as it applies to financial institutions. Paragraph (a)(2) provides that a financial institution may use nonpublic personal information about a consumer that it receives from a nonaffiliated financial institution in accordance with an exception under Secs. 313.9, 313.10, or 313.11 only for the purpose of that exception. Paragraph (b)(2) applies the same limits on reuse to any nonaffiliated third party that receives nonpublic personal information from a financial institution. The Commission requests comment on whether proposed Secs. 313.12(a)(2) and 313.12(b)(2) would restrict a nonaffiliated third party from using information obtained in accordance with the exceptions in Secs. 313.9, 313.10, and 313.11 for purposes beyond the scope of those exceptions if the information is not used in a personally identifiable form. This might occur, for example, in the case of a credit scoring vendor using information to improve its scoring models. The Commission invites comments on the meaning of the word ``lawful'' as that term is used in section 502(c). The Commission specifically solicits comment on whether it would be lawful for a nonaffiliated third party to disclose information pursuant to the exception provided in proposed Sec. 313.9 of the Rule. Under that exception, a financial institution must comply with certain requirements before disclosing information to a nonaffiliated third party. Given that the statute and proposed Rule impose those requirements on the financial institution making the initial disclosure, the Commission invites comment on whether subsequent disclosures by the third party could satisfy the requirement that those disclosures be lawful when the financial institution is not party to the subsequent disclosure. Section 313.13 Limits on Sharing of Account Number Information for Marketing Purposes Section 502(d) of the G-L-B Act prohibits a financial institution from disclosing, other than to a consumer reporting agency, account numbers or similar form of access number or access code for a credit card account, deposit account, or transaction account of a consumer to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer. Proposed Sec. 313.13 applies this statutory prohibition to disclosures made directly or indirectly by a financial institution. The Commission notes that there is no exception in Title V, Subtitle A, to the flat prohibition established by section 502(d). The Statement of Managers contained in the Conference Report to S. 900 encourages the Commission and Agencies to adopt an exception to section 502(d) to permit disclosures of account numbers in limited instances. It states: In exercising their authority under section 504(b) [which vests the Commission and Agencies with authority to grant exceptions to section 502(a)-(d) beyond those set out in the statute], the agencies and authorities described in section 504(a)(1) may consider it consistent with the purposes of this subtitle to permit the disclosure of customer account numbers or similar forms of access numbers or access codes in an encrypted, scrambled, or similarly coded form, where the disclosure is expressly authorized by the customer and is necessary to service or process a transaction expressly requested or authorized by the customer. Managers' Statement at 18. The Commission has not proposed an exception to the prohibition of section 502(d) because of the risks associated with third parties' direct access to a consumer's account. The Commission seeks comment on whether an exception to the section 502(d) prohibition that permits third parties access to account numbers is appropriate, the circumstances under which an exception would be appropriate, and how such an exception should be formulated to provide consumers with adequate protection. The Commission also seeks comment on whether a flat prohibition as set out in section 502(d) might unintentionally disrupt certain routine practices, such as the disclosure of account numbers to a service provider who handles the preparation and distribution of monthly account statements for a financial institution coupled with a request by the institution that the service provider include marketing literature with the statement about a product. In addition, the Commission invites comment on whether a consumer ought to be able to consent to the disclosure of his or her account number, notwithstanding the general prohibition in section 502(d) and, if so, what standards should apply. The Commission also seeks comment on whether section 502(d) prohibits the disclosure by a financial institution to a marketing firm of encrypted account numbers if the financial institution does not provide the marketer the key to decrypt the number. Section 313.14 Protection of Fair Credit Reporting Act Section 506 makes several amendments to the FCRA to vest rulemaking authority in various agencies and to restore the Agencies' regular examination authority. Paragraph (c) of section 506 states that, except for the amendments noted regarding rulemaking authority, nothing in Title V, Subtitle A is to be construed to modify, limit, or supersede the operation of the FCRA, and no inference is to be drawn on the basis of the provisions of Title V, Subtitle A as to whether information is transaction or experience information under section 603 of the FCRA. Proposed Sec. 313.14 implements section 506(c) of the G-L-B Act by restating the statute, making only minor stylistic changes intended to make the Rule clearer. Section 313.15 Relation to State Laws Section 507 of the G-L-B Act states, in essence, that Subtitle A of Title V does not preempt any state law that provides greater protections than are provided by that Subtitle of the Act. Determinations of whether a State law or Subtitle A of Title V provides greater protections are to be made by the Commission after consultation with the agency that regulates either the party filing a complaint or the financial institution about whom the complaint was filed. Determinations of whether [[Page 11186]] State or Federal law afford greater protections may be initiated by any interested party or on the Commission's own motion. Proposed Sec. 313.15 is substantively identical to section 507, noting that the proposed Rule (as opposed to the statute) does not preempt state laws that provide greater protection for consumers than does the Rule. Section 313.16 Effective Date; Transition Rule Section 510 of the G-L-B Act states that, as a general rule, the relevant provisions of Subtitle A of Title V take effect 6 months after the date on which rules are required to be prescribed. However, section 510(1) authorizes the Commission and the Agencies to prescribe a later date in the rules enacted pursuant to section 504. Proposed Sec. 313.16 states, in paragraph (a), an effective date of November 13, 2000. This assumes that a final Rule will be enacted within the time frame prescribed by section 504(a)(3). The Commission intends to provide at least six months following the adoption of a final Rule for financial institutions to bring their policies and procedures into compliance with the requirements of the final Rule. The Commission invites comment on whether six months following adoption of a final Rule is sufficient to enable financial institutions to comply with the Rule. Paragraph (b) of proposed Sec. 313.16 provides a transition rule for consumers who were customers as of the effective date of the Rule. Since those customer relationships already will have been established as of the Rule's effective date (thereby making it inappropriate to require a financial institution to provide those customers with a copy of the institution's initial notice at the time of establishing a customer relationship), the Rule requires instead that the initial notice be provided within 30 days of the effective date. The Commission invites comment on whether 30 days is enough time to permit a financial institution to deliver the required notices, bearing in mind that the G-L-B Act contemplates at least a six-month delayed effective date from the date the Rule is adopted. If a financial institution intends to disclose nonpublic personal information about someone who was a consumer before the effective date, the institution must provide the notices required by Secs. 313.4 and 313.7 and provide a reasonable opportunity to opt out before the effective date. If, in this instance, the institution already is disclosing information about such a consumer, it may continue to do so without interruption until the consumer opts out, in which case the institution must stop disclosing nonpublic personal information about that consumer to nonaffiliated third parties as soon as reasonably practicable. Section C. Invitation to Comment Before adopting this Rule as final, the Commission will give consideration to any written comments submitted to the Secretary of the Commission on or before March 31, 2000. Comments submitted will be available for public inspection in accordance with the Freedom of Information Act (5 U.S.C. 552) and Commission regulations, on normal business days between the hours of 8:30 a.m. and 5 p.m. at the Public Reference Section, Room 130, Federal Trade Commission, 600 Pennsylvania Avenue NW., Washington, DC 20580. Comments will also be posted on the Commission website; www.ftc.gov>. Section D. Communications by Outside Parties to Commissioners or Their Advisors Written communications and summaries or transcripts of oral communications respecting the merits of this proceeding from any outside party to any Commissioner or Commissioner's advisor will be placed on the public record. See 16 CFR. Sec. 1.26(b)(5) (1998). Section E. Regulatory Flexibility Act The Commission believes that the proposed Rule's requirements are expressly mandated by the G-L-B Act, and the Act's requirements account for most, if not all, of the economic impact of the proposed Rule. While the Commission believes that it could certify that the proposed Rule will not have a significant impact on a substantial number of small entities, the Commission has decided, nonetheless, to publish the following initial regulatory flexibility analysis pursuant to the Regulatory Flexibility Act, 5 U.S.C. 601-612, as amended, and request public comment on the impact on small businesses of its proposed Rule implementing the G-L-B Act. Description of the Reasons That Action by the Agency is Being Considered Section 504 of the G-L-B Act requires the Commission to promulgate this Rule not later than six months after the date of enactment of the Act, or May 12, 2000. Succinct Statement of the Objectives of, and Legal Basis for, the Proposed Rule To implement the disclosure requirements and restrictions on certain financial institutions' abilities to disclose nonpublic personal information about consumers to nonaffiliated third parties. The legal basis for the proposed Rule is Section 504 of the G-L-B Act. Description of and, Where Feasible, an Estimate of the Number of Small Entities to Which the Proposed Rule Will Apply In general, the Rule will apply to any financial institution subject to the Commission's jurisdiction that shares nonpublic personal information with nonaffiliated third parties or that establishes customer relationships with consumers. The definition of ``financial institution'' includes any institution the business of which is engaging in a financial activity, as defined under Section 4(k) of the Bank Holding Company Act, which incorporates by reference the activities listed in 12 CFR 225.28 and 12 CFR 211.5(d). (G-L-B Act Sec. 509(3)(A).) A precise estimate of the number of small entities that are financial institutions within the meaning of the proposed Rule is not currently feasible. In addition, of those small entities that are financial institutions, there is no way to precisely estimate the number that share consumers' nonpublic personal information with nonaffiliated third parties or that establish customer relationships with consumers. The Commission seeks any information or comment on these issues, as noted below. Description of the Projected Reporting, Recordkeeping and Other Compliance Requirements of the Proposed Rule, Including an Estimate of the Classes of Small Entities That Will be Subject to the Requirement and the Type of Professional Skills Necessary for Preparation of the Report or Record The statute and proposed Rule do not directly impose any ``reporting'' or ``recordkeeping'' requirements on financial institutions within the meaning of the Paperwork Reduction Act, but would require that financial institutions, in specified circumstances, make certain third party disclosures to the public. These disclosures include: notice of the financial institution's privacy policy to consumers at the time of establishing a customer relationship with a consumer (Proposed Rule Sec. 313.4); annual notice of the financial institution's privacy policy to those consumers with whom it continues to have a customer relationship (Proposed Rule Sec. 313.5); notice to consumers, regardless of whether a customer relationship has been established, of a financial institution's privacy policy and notice and opportunity to opt-out [[Page 11187]] prior to the financial institution's sharing of a consumer's nonpublic personal information with nonaffiliated third parties (Proposed Rule Sec. 313.8(a)); and notice to customers of any changes that the financial institution makes in its policies concerning sharing nonpublic personal information with nonaffiliated third parties (Proposed Rule Sec. 313.8(c)). The Commission is seeking clearance from the Office of Management and Budget (``OMB'') for these requirements and the Commission's Supporting Statement submitted as part of that process will be made available on the public record of this rulemaking. Because the proposed Rule does not directly mandate ``reporting'' or ``recordkeeping'' within the meaning of the Paperwork Reduction Act, the Rule does not require professional skills for the preparation of ``reports'' or ``records'' under the Act. The disclosures and other burdens referenced above likely will require some amount of managerial and/or professional (including attorney), clerical, and in some instances, skilled technical time to develop and disseminate the required disclosures. For purposes of its Supporting Statement to OMB under the Paperwork Reduction Act, the Commission estimated that the average yearly burden over the three-year period of clearance is 4.03 million hours and $87.3 million. The Commission, as noted below, seeks further comment on the costs and burdens of small entities in complying with the requirements of the proposed Rule. Identification, to the Extent Practicable, of all Relevant Federal Rules That May Duplicate, Overlap or Conflict With the Proposed Rule While the scope of the proposed Rule is unique, there may be some overlap in certain circumstances with other Federal laws. Because there is a relationship between the proposed requirements and the notice requirements under the Fair Credit Reporting Act (``FCRA''), 15 U.S.C. 1681-1681u, the proposed Rule requires that the financial institution's initial and annual notices shall also include any disclosure that it is required to make under the FCRA. (Rule Sec. 313.6(a)(7).) Also, at the time a consumer contracts for an electronic fund transfer service, the Electronic Funds Transfer Act requires the terms and conditions of such transfer to be disclosed, including under what circumstances the entity will in the ordinary course of business disclose information concerning the consumer's account to third persons. Finally, the Children's Online Privacy Protection Act generally requires online service operators collecting personal information from a child to obtain parental consent and post a privacy notice on the Website. As noted below, the Commission seeks comment and information on any other rules that may be duplicative, overlapping, or in conflict with this proposed rule. Description of any significant alternatives to the proposed Rule that accomplish the stated objectives of applicable statutes and that minimize any significant economic impact of the proposed Rule on small entities, including alternatives considered, such as: (1) Establishment of differing compliance or reporting requirements or timetables that take into account resources available to small entities; (2) clarification, consolidation, or simplification of compliance and reporting requirements under the rule for such small entities; (3) use of performance rather than design standards; (4) any exemption from coverage of the rule, or any part thereof, for such small entities. In drafting the proposed Rule, the Commission has made every effort to avoid unduly burdensome requirements for financial institutions of all sizes. In a number of respects the proposed Rule is flexible and allows financial institutions to select methods of compliance that are reasonable, taking into account the financial institution's business practices and capabilities. For example, financial institutions that are required to provide disclosures to consumers must provide the notice so that the consumer can reasonably be expected to actually receive it. (Proposed Rule Sec. 313.4(d).) The proposed Rule allows the financial institutions to choose a delivery method that imposes the least burden on the financial institution while also complying with the statutory mandate that the consumer be provided with the appropriate disclosures. Regarding the law's clear and conspicuous requirements, the proposed Rule does not mandate the use of any particular technique for making the notices clear and conspicuous, but instead allows each financial institution the flexibility to decide for itself how best to comply with this requirement. (Proposed Rule Sec. 313.4(b).) In addition, the proposed Rule requires that a financial institution provide the opportunity to opt-out directly to a consumer but provides alternate means of providing that notice--a small entity, or any entity, can choose a means that is reasonable taking into account its circumstances. (Proposed Rule Sec. 313.8(b).) No recordkeeping requirement has been included in the proposed Rule. Thus, no entity, regardless of size, is unnecessarily burdened by recordkeeping requirements. The Commission has made every effort to minimize the burden on small entities--and all entities--and to be reasonable in its rulemaking. To that end, the Commission has clarified the breadth of the statutory term ``financial institution'' to include an institution significantly engaged in a financial activity. (Proposed Rule Sec. 313.3(j).) The effect of this definition is twofold: it encompasses and subjects to its requirements those institutions that are not solely in the business of a financial activity but that are significantly engaged in such an activity as part of their business; and excludes from coverage those entities, large or small, that may engage in financial activities as some small, insignificant portion of their business. The proposed Rule also provides for a streamlined version of the content of an institution's privacy policy for any entity that does not share nonpublic personal information with third parties. (Proposed Rule Sec. 313.4(b).) Thus, entities of any size that do not share information are not unduly burdened. Moreover, those financial institutions, regardless of size, that engage in only one-time isolated transactions with consumers are not required to provide a privacy policy to consumers unless they intend to share the consumer's nonpublic personal information with a nonaffiliated third party. (Proposed Rule Sec. 313.4(b).) Questions for Comment To Assist Regulatory Flexibility Analysis 1. Please provide information or comment on the number and type of small entities affected by the proposed Rule. Include in your comments the number of small entities that share consumers' nonpublic personal information with nonaffiliated third parties or that establish customer relationships with consumers. 2. Please provide comment on any or all of the provisions in the proposed Rule with regard to (a) the impact of the provision(s) (including any benefits and costs), if any, the Commission should consider, as well as the costs and benefits of those alternatives, paying specific attention to the effect of the Rule on small entities in light of the above analysis. Costs to implement and comply with the Rule include expenditures of time and money for: any employee training; attorney or other [[Page 11188]] professional time; preparing relevant materials; and processing materials. 3. Please describe ways in which the Rule could be modified to reduce any costs or burdens for small entities consistent with the G-L- B Act's mandated requirements. 4. Please provide any information quantifying the economic benefits to financial institutions of sharing consumers' nonpublic personal information. 5. Please identify all relevant Federal, state or local rules that may duplicate, overlap or conflict with the proposed Rule. In addition, please identify any industry rules or policies that require financial institutions to implement business practices (e.g., disclosure of privacy policy and right to opt-out, etc.) that would already comply with the requirements of the Commission's proposed Rule. Section F. Paperwork Reduction Act The Commission has submitted this proposed Rule to the Office of Management and Budget for review under the Paperwork Reduction Act (``PRA'') (44 U.S.C. 3501-3517). As required by the G-L-B Act, the proposed Rule specifies disclosure requirements for financial institutions subject to the Commission's jurisdiction that are subject to the requirements of PRA. The required disclosures include: (1) Initial notice of the financial institution's privacy policy at the time it establishes a customer relationship with a consumer and/or prior to its sharing a consumer's nonpublic personal information with nonaffiliated third parties; (2) notice of the consumer's right to opt- out of information sharing with nonaffiliated third parties; (3) annual notice of the financial institution's privacy policy to any continuing customer; and (4) notice to consumers when the financial institution changes its practices on information sharing with nonaffiliated third parties. Although the proposed Rule's disclosure requirements are expressly required by the G-L-B Act, the Commission has adopted a performance standard to provide flexibility in implementing the requirements. The Commission has estimated the paperwork burden of the proposed Rule for financial institutions that are subject to the Commission's jurisdiction, based on staff's knowledge of the financial services industry. Under Section 505(a)(7) of the G-L-B Act, the Commission has jurisdiction over an estimated 100,000 businesses that are not subject to the jurisdiction of one of the other agencies responsible for enforcing the G-L-B Act. FTC staff considered many variables affecting the broad spectrum of covered businesses. Some covered businesses may already make the required disclosures in the ordinary course of business. Some may use highly automated means of providing the required disclosures. Others may use low-technology means. The burden estimate also acknowledges that significant start-up burden and attendant costs, such as for determining compliance obligations and developing necessary privacy policies, will be born in the first year that the Rule takes effect. The paperwork burden in subsequent years will be significantly lower. Factoring in start-up costs, the Commission has estimated that the average annual burden during the three year period for which OMB clearance is sought will be 4.03 million burden hours. The estimated annual labor cost associated with these paperwork burdens is $87.3 million. The estimate is also based on the determination that the time required for consumers to respond affirmatively to financial institutions' opt-out notices (be it manually or electronically) will be minimal. The Commission invites comment that will enable it to: 1. Evaluate whether the proposed collections of information are necessary for the proper performance of the functions of the Commission, including whether the information will have practical utility; 2. Evaluate the accuracy of the Commission's estimate of the burden of the proposed collections of information, including the validity of the methodology and assumptions used; 3. Enhance the quality, utility, and clarity of the information to be collected; and 4. Minimize the burden of the collections of information on those who are to respond, including through the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology. Section G. Questions Concerning Comprehensibility of the Rule The Commission invites your comments on how to make this proposed Rule easier to understand. For example:Have we organized the material to suit your needs? If not, how could the material be better organized? Are the requirements in the Rule clearly stated? If not, how could the Rule be more clearly stated? Does the Rule contain technical language or jargon that is not clear? If not, which language requires clarification? Would a different format (grouping and order of sections, use of headings, paragraphing) make the Rule easier to understand? If so, what changes to the format would make the Rule easier to understand? Would more (but shorter) sections be better? Which ones? What else could we do to make the Rule easier to understand? Section H. Proposed Rule List of Subjects in 16 CFR Part 313 Consumer protection, Credit, Data protection, Privacy, Trade practices. Accordingly, the Commission proposes to amend 16 CFR Ch. I, Subchapter C, by adding a new Part 313 to read as follows: PART 313--PRIVACY OF CONSUMER FINANCIAL INFORMATION Sec. 313.1 Purpose and scope. 313.2 Rule of construction. 313.3 Definitions. 313.4 Initial notice to consumers of privacy policies and practices required. 313.5 Annual notice to customers required. 313.6 Information to be included in initial and annual notices of privacy policies and practices. 313.7 Limitation on disclosure of nonpublic personal information about consumers to nonaffiliated third parties. 313.8 Form and method of providing opt out notice to consumer. 313.9 Exception to opt out requirements for service providers and joint marketing. 313.10 Exceptions to notice and opt out requirements for processing and servicing transactions. 313.11 Other exceptions to notice and opt out requirements. 313.12 Limits on redisclosure and reuse of information. 313.13 Limits on sharing of account number information for marketing purposes. 313.14 Protection of Fair Credit Reporting Act. 313.15 Relation to state laws. 313.16 Effective date; transition rule. Authority: 15 U.S.C. 6804(a). Sec. 313.1 Purpose and scope. (a) Purpose. This part governs the treatment of nonpublic personal information about consumers by the financial institutions listed in paragraph (b) of this section. This part: (1) Requires a financial institution in specified circumstances to provide notice to consumers about its privacy policies and practices; (2) Describes the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties; and [[Page 11189]] (3) Provides a method for consumers to prevent a financial institution from disclosing that information to most nonaffiliated third parties by ``opting out'' of that disclosure, subject to the exceptions in Secs. 313.9, 313.10, and 313.11. (b) Scope. The rules established by this part apply only to nonpublic personal information about individuals who obtain financial products or services for personal, family or household purposes from the institutions listed in this paragraph. This part does not apply to information about companies or about individuals who obtain financial products or services for business purposes. This part applies to those ``financial institutions'' and ``other persons'' over which the Federal Trade Commission (``Commission'') has enforcement authority pursuant to Section 505(a)(7) of the Gramm-Leach-Bliley Act. An entity is a ``financial institution'' if it is engaged in a financial activity described in Section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k), which incorporates by reference activities enumerated by the Federal Reserve Board in 12 CFR 211.5(d) and 12 CFR 225.28. The ``financial institutions'' subject to the Commission's enforcement authority are those that are not otherwise subject to the enforcement authority of another regulator under Section 505 of the Gramm-Leach- Bliley Act. More specifically, those entities include, but are not limited to, mortgage lenders, ``pay day'' lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, debt collectors, credit counselors and other financial advisors, and tax preparation firms. They are referred to in this part as ``You.'' The ``other persons'' to whom this part applies are third parties that are not financial institutions, but that receive nonpublic personal information from financial institutions with whom they are not affiliated. Sec. 313.2 Rule of construction. The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part. Sec. 313.3 Definitions. As used in this part, unless the context requires otherwise: (a) Affiliate means any company that controls, is controlled by, or is under common control with another company. (b)(1) Clear and conspicuous means that a notice is reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice. (2) Examples. (i) You make your notice reasonably understandable if, to the extent applicable, you: (A) Present the information contained in the notice in clear, concise sentences, paragraphs and sections; (B) Use short explanatory sentences and bullet lists, whenever possible; (C) Use definite, concrete, everyday words and active voice, whenever possible; (D) Avoid multiple negatives; (E) Avoid legal and highly technical business terminology; and (F) Avoid boilerplate explanations that are imprecise and readily subject to different interpretations. (ii) You design your notice to call attention to the nature and significance of the information contained in it if, to the extent applicable, you: (A) Use a plain-language heading to call attention to the notice; (B) Use a typeface and type size that are easy to read; and (C) Provide wide margins and ample line spacing. (iii) If you provide a notice on the same form as another notice or other document, you design your notice to call attention to the nature and significance of the information contained in the notice if you use: (A) Larger type size(s), boldface or italics in the text; (B) Wider margins and line spacing in the notice; or (C) Shading or sidebars to highlight the notice, whenever possible. (c) Collect means to obtain information that is organized or retrievable on a personally identifiable basis, irrespective of the source of the underlying information. (d) Company means any corporation, limited liability company, business trust, general or limited partnership, association or similar organization. (e)(1) Consumer means an individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family or household purposes, and that individual's legal representative. (2) Examples. (i) An individual who applies to you for credit for personal, family or household purposes is a consumer of a financial service, regardless of whether the credit is extended. (ii) An individual who provides nonpublic personal information to you in order to obtain a determination about whether he or she may qualify for a loan to be used primarily for personal, family or household purposes is a consumer of a financial service, regardless of whether the loan is extended by you or another financial institution. (iii) An individual who provides nonpublic personal information to you in connection with obtaining or seeking to obtain financial, investment or economic advisory services is a consumer of a financial service, regardless of whether you establish a customer relationship. (iv) An individual who has a credit account with you is a consumer even if you: (A) Hire an agent to collect on the account; (B) Sell the rights to service the account; or (C) Bought the account from the financial institution that originally extended credit. (v) An individual who makes payments to you on a loan where you own the servicing rights is a consumer. An individual is not your consumer, however, solely because you service the individual's loan on behalf of a financial institution that made the loan to the individual. (f) Consumer reporting agency has the same meaning as in section 603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)). (g) Control of a company means: (1) Ownership, control, or power to vote 25 percent or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons; (2) Control in any manner over the election of a majority of the directors, trustees or general partners (or individuals exercising similar functions) of the company; or (3) The power to exercise, directly or indirectly, a controlling influence over the management or policies of the company. (h) Customer means a consumer who has a customer relationship with you. (i)(1) Customer relationship means a continuing relationship between a consumer and you under which you provide one or more financial products or services to the consumer that are to be used primarily for personal, family or household purposes. (2) Examples. (i) A consumer has a continuing relationship with you if the consumer: (A) Has a deposit, credit, trust or investment account with you; (B) Purchases an insurance product from you; (C) Holds an investment product through you; (D) Enters into an agreement or understanding with you whereby you [[Page 11190]] undertake to arrange or broker a home mortgage loan, or credit to purchase a vehicle, for the consumer; (E) Has a loan that you service where you own the servicing rights; (F) Enters into a lease of personal property with you; (G) Obtains financial, investment or economic advisory services from you for a fee; (H) Becomes your client for the purpose of obtaining tax preparation or credit counseling services from you; or (I) Obtains career counseling while seeking employment with a financial institution or the finance, accounting, or audit department of any company (or while employed by such a company or financial institution). (ii) A consumer does not, however, have a continuing relationship with you if: (A) The consumer only obtains a financial product or service in an isolated transaction such as: withdrawing cash from your ATM; purchasing a cashier's check or money order from you; cashing a check with you; or making a wire transfer through you; (B) You sell the consumer's loan and do not retain the rights to service that loan; or (C) You sell the consumer airline tickets, travel insurance or traveler's checks in an isolated transaction. (j)(1) Financial institution means any institution the business of which is engaging in activities that are financial in nature as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). (2) Example. An entity is a financial institution if it is significantly engaged in financial activities, such as a retailer that extends credit by issuing its own credit card directly to consumers. (3) Financial institution does not include: (i) Any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act (7 U.S.C. 1 et seq.); (ii) The Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.); or (iii) Institutions chartered by Congress specifically to engage in securitizations, secondary market sales (including sales of servicing rights) or similar transactions related to a transaction of a consumer, as long as such institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party other than as permitted by Secs. 313.10 and 313.11. (iv) A business that only accepts payment by check or cash, or through credit cards issued by others, or through deferred payment or ``lay-away'' plans. (k)(1) Financial product or service means any product or service that a financial holding company could offer by engaging in an activity that is financial in nature under section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). (2) Financial service includes your evaluation, brokerage or distribution of information that you collect in connection with a request or an application from a consumer for a financial product or service. (l) Government regulator means-- (1) The Board of Governors of the Federal Reserve System; (2) The Office of the Comptroller of the Currency; (3) The Board of Directors of the Federal Deposit Insurance Corporation; (4) The Director of the Office of Thrift Supervision; (5) The National Credit Union Administration Board; (6) The Securities and Exchange Commission; (7) The Secretary of the Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping); (8) A State insurance authority, with respect to any person domiciled in that insurance authority's State that is engaged in providing insurance; and (9) The Federal Trade Commission. (m) Nonaffiliated third party means any person except: (1) Your affiliate; or (2) A person employed jointly by you and any company that is not your affiliate (but nonaffiliated third party includes the other company that jointly employs the person). [Sec. 313.3(n-o-p)] Alternative A. (n)(1) Nonpublic personal information means: (i) Personally identifiable financial information; and (ii) Any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information. (2) Nonpublic personal information does not include any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information. (3) Example. Nonpublic personal information includes any list of individuals' street addresses and telephone numbers that is derived using any information consumers provide to you on an application for a financial product or service. (o)(1) Personally identifiable financial information means any information: (i) Provided by a consumer to you to obtain a financial product or service from you; (ii) Resulting from any transaction involving a financial product or service between you and a consumer; or (iii) You otherwise obtain about a consumer in connection with providing a financial product or service to that consumer, other than publicly available information. (2) Examples. (i) Personally identifiable financial information includes: (A) Information a consumer provides to you on an application to obtain a loan, credit card, insurance or other financial product or service, including, among other things, medical information; (B) Account balance information, payment history, overdraft history, and credit or debit card purchase information; (C) The fact that an individual is or has been one of your customers or has obtained a financial product or service from you, unless that fact is derived using only publicly available information, such as government real estate records or bankruptcy records; (D) Other information about your consumer if it is disclosed in a manner that indicates the individual is or has been your consumer; (E) Any information provided by a consumer or otherwise obtained by you or your agent in connection with collecting on a loan or servicing a loan; and (F) Information from a consumer report. (ii) Personally identifiable financial information does not include: (A) A list of names and addresses of customers of an entity that is not a financial institution; or (B) A list of names and addresses of consumers to whom you provided a nonfinancial product or service. (p)(1) Publicly available information means any information that is lawfully made available to the general public that is obtained from: (i) Federal, State or local government records; (ii) Widely distributed media; or (iii) Disclosures to the general public that are required to be made by Federal, State or local law. (2) Examples. (i) Government records. Publicly available information [[Page 11191]] contained in government records includes information contained in government real estate records and security interest filings. (ii) Widely distributed media. Publicly available information from widely distributed media includes information from a telephone book, a television or radio program, a newspaper or an Internet site that is available to the general public without requiring a password or similar restriction. [Sec. 313.3(n-o-p)] Alternative B. (n)(1) Nonpublic personal information means: (i) Personally identifiable financial information; and (ii) Any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information. (2) Nonpublic personal information does not include: (i) Publicly available information, except as provided in paragraph (n)(1)(ii) of this section; or (ii) Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information. (3) Example. Nonpublic personal information includes any list of individuals' street addresses and telephone numbers that is derived using personally identifiable financial information, such as account numbers. (o)(1) Personally identifiable financial information means any information: (i) Provided by a consumer to you to obtain a financial product or service from you; (ii) About a consumer resulting from any transaction involving a financial product or service between you and a consumer; or (iii) You otherwise obtain about a consumer in connection with providing a financial product or service to that consumer. (2) Examples. (i) Personally identifiable financial information includes: (A) Information a consumer provides to you on an application to obtain a loan, credit card, insurance or other financial product or service, including, among other things, medical information; (B) Account balance information, payment history, overdraft history, and credit or debit card purchase information; (C) The fact that an individual is or has been one of your customers or has obtained a financial product or service from you, unless that fact is derived using only publicly available information, such as government real estate records or bankruptcy records; (D) Other information about your consumer if it is disclosed in a manner that indicates the individual is or has been your consumer; (E) Any information provided by a consumer or otherwise obtained by you or your agent in connection with collecting on a loan or servicing a loan; and (F) Information from a consumer report. (ii) Personally identifiable financial information does not include a list of names and addresses of customers of an entity that is not a financial institution. (p)(1) Publicly available information means any information that is lawfully made available to the general public from: (i) Federal, State or local government records; (ii) Widely distributed media; or (iii) Disclosures to the general public that are required to be made by Federal, State or local law. (2) Examples. (i) Government records. Publicly available information contained in government records includes information contained in government real estate records and security interest filings. (ii) Widely distributed media. Publicly available information from widely distributed media includes information from a telephone book, a television or radio program, a newspaper or an Internet site that is available to the general public without requiring a password or similar restriction. (q) You means those financial institutions over which the Commission has enforcement jurisdiction pursuant to section 505(a)(7) of the Gramm-Leach-Bliley Act. Sec. 313.4 Initial notice to consumers of privacy policies and practices required. (a) When initial notice is required. You must provide a clear and conspicuous notice that accurately reflects your privacy policies and practices to: (1) An individual who becomes your customer, prior to the time that you establish a customer relationship, except as provided in paragraph (d)(2) of this section; and (2) A consumer, prior to the time that you disclose any nonpublic personal information about the consumer to any nonaffiliated third party, if you make such a disclosure other than as authorized by Secs. 313.10 and 313.11. (b) When initial notice to a consumer is not required. You are not required to provide an initial notice to a consumer under paragraph (a)(1) of this section if: (1) You do not disclose any nonpublic personal financial information about the consumer to any nonaffiliated third party, other than as authorized by Secs. 313.10 and 313.11; and (2) You do not have a customer relationship with the consumer. (c) When you establish a customer relationship. (1) General rule. You establish a customer relationship at the time you and the consumer enter into a continuing relationship. (2) Examples. You establish a customer relationship when the consumer: (i) Opens a credit card account with you; (ii) Executes the contract to obtain credit from you, or purchase insurance from you; (iii) Agrees to obtain financial, economic or investment advisory services from you for a fee; (iv) Becomes your client for the purpose of your providing credit counseling or tax preparation services, or to obtain career counseling while seeking employment with a financial institution or the finance, accounting, or audit department of any company (or while employed by such a company or financial institution); (v) Provides any personally identifiable financial information to you in an effort to obtain a mortgage loan through you; or (vi) Makes his or her first payment to you on a loan account for which you have obtained the servicing rights. (d) How to provide notice. (1) General rule. You must provide the privacy notice required by paragraph (a) of this section so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, in electronic form. (2) Exceptions to allow subsequent delivery of notice. You may provide the initial notice required by paragraph (a)(1) of this section within a reasonable time after you establish a customer relationship if: (i) You purchase a loan from another financial institution and the customer of that loan does not have a choice about your purchase; or (ii) You and the consumer orally agree to enter into a customer relationship and the consumer agrees to receive the notice thereafter. (3) Oral description of notice insufficient. You may not provide the initial notice required by paragraph (a) of this section solely by orally explaining, either in person or over the telephone, your privacy policies and practices. [[Page 11192]] (4) Retention or accessibility of initial notice for customers. For customers only, you must provide the initial notice required by paragraph (a)(1) of this section so that it can be retained or obtained at a later time by the customer, in a written form or, if the customer agrees, in electronic form. (5) Examples. (i) You may reasonably expect that a consumer will receive actual notice of your privacy policies and practices if you: (A) Hand-deliver a printed copy of the notice to the consumer; (B) Mail a printed copy of the notice to the last known address of the consumer; (C) For the consumer who conducts transactions electronically, post the notice on the electronic site and require the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular financial product or service; or (D) For an isolated transaction with the consumer, such as an ATM transaction, post the notice on the ATM screen and require the consumer to acknowledge receipt of the notice as a necessary step to obtaining the particular financial product or service. (ii) You may not, however, reasonably expect that a consumer will receive actual notice of your privacy policies and practices if you: (A) Only post a sign in your office or generally publish advertisements of your privacy policies and practices; or (B) Send the notice via electronic mail to a consumer who obtains a financial product or service with you in person or through the mail and who does not agree to receive the notice electronically. (iii) You provide the initial privacy notice to the customer so that it can be retained or obtained at a later time if you: (A) Hand-deliver a printed copy of the notice to the customer; (B) Mail a printed copy of the notice to the last known address of the customer upon request of the customer; or (C) Maintain the notice on a web site (or a link to another web site) for the customer who obtains a financial product or service electronically and who agrees to receive the notice electronically. Sec. 313.5 Annual notice to customers required. (a) General rule. You must provide a clear and conspicuous notice to customers that accurately reflects your privacy policies and practices not less than annually during the continuation of the customer relationship. Annually means at least once in any period of twelve consecutive months during which that relationship exists. (b) How to provide notice. You must provide the annual notice required by paragraph (a) of this section to a customer using a means permitted for providing the initial notice to that customer under Sec. 313.4(d). (c) (1) Termination of customer relationship. You are not required to provide an annual notice to a customer with whom you no longer have a continuing relationship. (2) Examples. You no longer have a continuing relationship with an individual if: (i) In the case of a closed-end loan, the consumer pays the loan in full, you charge off the loan, or you sell the loan without retaining servicing rights; (ii) In the case of a credit card relationship or other open-end credit relationship, you no longer provide any statements or notices to the consumer concerning that relationship or you sell the credit card receivables without retaining servicing rights; or (iii) For other types of relationships, you have not communicated with the consumer about the relationship for a period of twelve consecutive months, other than to provide annual notices of privacy policies and practices. Sec. 313.6 Information to be included in initial and annual notices of privacy policies and practices. (a) General rule. The initial and annual notices that you provide about your privacy policies and practices under Secs. 313.4 and 313.5 must include each of the following items of information: (1) The categories of nonpublic personal information about your consumers that you collect; (2) The categories of nonpublic personal information about your consumers that you disclose; (3) The categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information about your consumers, other than those parties to whom you disclose information under Secs. 313.10 and 313.11; (4) The categories of nonpublic personal information about your former customers that you disclose and the categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information about your former customers, other than those parties to whom you disclose information under Secs. 313.10 and 313.11; (5) If you disclose nonpublic personal information to a nonaffiliated third party under Sec. 313.9 (and no other exception applies to that disclosure), a separate description of the categories of information you disclose and the categories of third parties with whom you have contracted; (6) An explanation of the right under Sec. 313.8(a) of the consumer to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the methods by which the consumer may exercise that right; (7) Any disclosures that you make under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of disclosures of information among affiliates); and (8) Your policies and practices with respect to protecting the confidentiality, security and integrity of nonpublic personal information. (b) Description of nonaffiliated third parties subject to exceptions. If you disclose nonpublic personal information about a consumer to third parties as authorized under Secs. 313.10 and 313.11, you are not required to list those exceptions in the initial or annual privacy notices required by Secs. 313.4 and 313.5. When describing the categories with respect to those parties, you are only required to state that you make disclosures to other nonaffiliated third parties as permitted by law. (c) Future disclosures. Your notice may include: (1) Categories of nonpublic personal information that you reserve the right to disclose in the future, but do not currently disclose; and (2) Categories of affiliates or nonaffiliated third parties to whom you reserve the right in the future to disclose, but to whom you do not currently disclose, nonpublic personal information. (d) Examples. (1) Categories of nonpublic personal information that you collect. You adequately categorize the nonpublic personal information you collect if you categorize it according to the source of the information, such as application information, information about transactions (such as information regarding your deposit, loan, or credit card account), and consumer reports. (2) Categories of nonpublic personal information you disclose. You adequately categorize nonpublic personal information you disclose if you categorize it according to source, and provide illustrative examples of the content of the information. These might include application information, such as assets and income; identifying information, such as name, address, and social security number; and transaction information, such as information about account balance, payment history, [[Page 11193]] parties to the transaction, and credit card usage; and information from consumer reports, such as a consumer's creditworthiness and credit history. You do not adequately categorize the information that you disclose if you use only general terms, such as transaction information about the consumer. (3) Categories of affiliates and nonaffiliated third parties to whom you disclose. You adequately categorize the affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information about consumers if you identify the types of businesses that they engage in. Types of businesses may be described by general terms only if you use illustrative examples of significant lines of business. For example, you may use the term ``financial products or services'' if you include appropriate examples of significant lines of businesses, such as consumer banking, mortgage lending, life insurance or securities brokerage. Likewise, you may refer to ``retail products'' if you include examples such as clothing. household furnishings, and health-related items, or to ``magazine subscription products'' if you include such examples as health-related or investment-related publications. You also may categorize the affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information about consumers using more detailed categories. (4) Simplified notices. If you do not disclose, and do not intend to disclose, nonpublic personal information to affiliates or nonaffiliated third parties, you may simply state that fact, in addition to the information you must provide under paragraphs (a)(1), (a)(8), and (b) of this section. (5) Confidentiality, security and integrity. You describe your policies and practices with respect to protecting the confidentiality and security of nonpublic personal information if you explain who has access to the information and the circumstances under which the information may be accessed. You describe your policies and practices with respect to protecting the integrity of nonpublic personal information if you explain measures you take to protect against reasonably anticipated threats or hazards. You are not required to describe technical information about the safeguards you use. Sec. 313.7 Limitation on disclosure of nonpublic personal information about consumers to nonaffiliated third parties. (a)(1) Conditions for disclosure. Except as otherwise authorized in this part, you may not, directly or through any affiliate, disclose any nonpublic personal information about a consumer to a nonaffiliated third party unless: (i) You have provided to the consumer an initial notice as required under Sec. 313.4; (ii) You have provided to the consumer an opt out notice as required in Sec. 313.8; (iii) You have given the consumer a reasonable opportunity, before the time that you disclose the information to the nonaffiliated third party, to opt out of the disclosure; and (iv) The consumer does not opt out. (2) Opt out definition. Opt out means a direction by the consumer that you not disclose nonpublic personal information about that consumer to a nonaffiliated third party, other than as permitted by Secs. 313.9, 313.10 and 313.11. (3) Examples of reasonable opportunity to opt out. (i) By mail. You provide a consumer with whom you have a customer relationship with a reasonable opportunity to opt out if you mail the notices required in paragraph (a)(1) of this section to the consumer and allow the consumer a reasonable period of time, such as 30 days, to opt out. (ii) Isolated transaction with consumer. For an isolated transaction, such as the purchase of a cashier's check by a consumer, you provide a reasonable opportunity to opt out if you provide the consumer with the required notices at the time of the transaction and request that the consumer decide, as a necessary part of the transaction, whether to opt out before completing the transaction. (b) Application of opt out to all consumers and all nonpublic personal information. (1) This section applies regardless of whether you and the consumer have established a customer relationship. (2) Unless you comply with this section, you may not, directly or through any affiliate, disclose any nonpublic personal information about a consumer that you have collected, regardless of whether you collected it before or after receiving the direction to opt out from the consumer. (c) Partial opt out. You may allow a consumer to select certain nonpublic personal information or certain nonaffiliated third parties with respect to which the consumer wishes to opt out. Sec. 313.8 Form and method of providing opt out notice to consumer. (a)(1) Form of opt out notice. You must provide a clear and conspicuous notice to each of your consumers that accurately explains the right to opt out under Sec. 313.7(a)(1). The notice must state: (i) That you disclose or reserve the right to disclose nonpublic personal information about your consumer to a nonaffiliated third party; (ii) That the consumer has the right to opt out of that disclosure; and (iii) A reasonable means by which the consumer may exercise the opt out right. (2) Examples. (i) You provide adequate notice that the consumer can opt out of the disclosure of nonpublic personal information to a nonaffiliated third party if you identify all of the categories of nonpublic personal information that you disclose or reserve the right to disclose to nonaffiliated third parties as described in Sec. 313.6 and state that the consumer can opt out of the disclosure of that information. (ii) You provide a reasonable means to exercise an opt out right if you: (A) Designate check-off boxes in a prominent position on the relevant forms with the opt out notice and clearly identify where to send the notice; (B) Include a detachable form and self-addressed stamped envelope together with the opt out notice; (C) Provide an electronic means to opt out, such as a form that can be sent via electronic mail or a process at your Web site, if the consumer agrees to the electronic delivery of information; or (D) Designate a toll-free number that the consumer can call to opt out. (b) How to provide opt out notice. (1) Delivery of notice. You must provide the opt out notice required by paragraph (a) of this section in a manner so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, in electronic form. If you and the consumer orally agree to enter into a customer relationship, you may provide the opt out notice required by paragraph (a) of this section within a reasonable time thereafter if the consumer agrees. (2) Oral description of opt out right insufficient. You may not provide the opt out notice solely by orally explaining, either in person or over the telephone, the right of the consumer to opt out. (3) Same form as initial notice permitted. You may provide the opt out notice together with or on the same written or electronic form as the initial notice you provide in accordance with Sec. 313.4. (4) Initial notice required when opt out notice delivered subsequent to initial notice. If you provide the opt out notice at a later time than required for the initial notice in accordance with [[Page 11194]] Sec. 313.4, you must also include a copy of the initial notice in writing or, if the consumer agrees, in an electronic form with the opt out notice. (c) Notice of change in terms. (1) General rule. Except as otherwise authorized in this part, you must not, directly or through any affiliate, disclose any nonpublic personal information about a consumer to a nonaffiliated third party other than as described in the initial notice that you provided to the consumer under Sec. 313.4, unless-- (i) You have provided to the consumer a revised notice that accurately describes your policies and practices; (ii) You have provided to the consumer a new opt out notice; (iii) You have given the consumer a reasonable opportunity, before the time that you disclose the information to the nonaffiliated third party, to opt out of the disclosure; and (iv) The consumer does not opt out. (2) How to provide notice of change in terms. You must provide the revised notice of your policies and practices and opt out notice to a consumer using the means permitted for providing the initial notice and opt out notice to that consumer under Sec. 313.4(d) or paragraph (b) of this section, respectively. (3) Examples. (i) Except as otherwise permitted by Secs. 313.9, 313.10 and 313.11, a change-in-terms notice is required if you-- (A) Disclose a new category of nonpublic personal information to any nonaffiliated third party; or (B) Disclose nonpublic personal information to a new category of nonaffiliated third party. (ii) A change-in-terms notice is not required if you disclose nonpublic personal information to a new nonaffiliated third party that is adequately described by your prior notice. (d) Continuing right to opt out. A consumer may exercise the right to opt out at any time, and you must comply with the consumer's direction as soon as reasonably practicable. (e) Duration of consumer's opt out direction. A consumer's direction to opt out under this section is effective until revoked by the consumer in writing or, if the consumer agrees, in electronic form. Sec. 313.9 Exception to opt out requirements for service providers and joint marketing. (a) General rule. The opt out requirements in Secs. 313.7 and 313.8 do not apply when you provide nonpublic personal information about a consumer to a nonaffiliated third party to perform services for you or functions on your behalf, if you: (1) Provide the initial notice in accordance with Sec. 313.4; and (2) Enter into a contractual agreement with the third party that: (i) Requires the third party to maintain the confidentiality of the information to at least the same extent that you must maintain that confidentiality under this part; and (ii) Limits the third party's use of information you disclose solely to the purposes for which the information is disclosed or as otherwise permitted by Secs. 313.10 and 313.11. (b) Service may include joint marketing. The services performed for you by a nonaffiliated third party under paragraph (a) of this section may include marketing of your own products or services or marketing of financial products or services offered pursuant to joint agreements between you and one or more financial institutions. (c) Definition of joint agreement. For purposes of this section, joint agreement means a written contract pursuant to which you and one or more financial institutions jointly offer, endorse, or sponsor a financial product or service. Secs. 313.9 313.10 Exceptions to notice and opt out requirements for processing and servicing transactions. (a) Exceptions for processing transactions at consumer's request. The requirements for initial notice in Sec. 313.4(a)(2), the opt out in Secs. 313.7 and 313.8, and service providers and joint marketing in Sec. 313.9 do not apply if you disclose nonpublic personal information: (1) As necessary to effect, administer, or enforce a transaction requested or authorized by the consumer; (2) To service or process a financial product or service requested or authorized by the consumer; (3) To maintain or service the consumer's account with you, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity; or (4) In connection with a proposed or actual securitization, secondary market sale (including sales of servicing rights) or similar transaction related to a transaction of the consumer. (b) Necessary to effect, administer, or enforce a transaction means that the disclosure is: (1) Required, or is one of the lawful or appropriate methods, to enforce your rights or the rights of other persons engaged in carrying out the financial transaction or providing the product or service; or (2) Required, or is a usual, appropriate or acceptable method: (i) To carry out the transaction or the product or service business of which the transaction is a part, and record, service or maintain the consumer's account in the ordinary course of providing the financial service or financial product; (ii) To administer or service benefits or claims relating to the transaction or the product or service business of which it is a part; (iii) To provide a confirmation, statement or other record of the transaction, or information on the status or value of the financial service or financial product to the consumer or the consumer's agent or broker; (iv) To accrue or recognize incentives or bonuses associated with the transaction that are provided by you or any other party; (v) To underwrite insurance at the consumer's request or for reinsurance purposes, or for any of the following purposes as they relate to a consumer's insurance: account administration, reporting, investigating, or preventing fraud or material misrepresentation, processing premium payments, processing insurance claims, administering insurance benefits (including utilization review activities), participating in research projects, or as otherwise required or specifically permitted by Federal or State law; (vi) In connection with settling a transaction, including: (A) The authorization, billing, processing, clearing, transferring, reconciling or collection of amounts charged, debited, or otherwise paid using a debit, credit or other payment card, check or account number, or by other payment means; (B) The transfer of receivables, accounts or interests therein; or (C) The audit of debit, credit or other payment information. Sec. 313.11 Other exceptions to notice and opt out requirements. (a) Exceptions to opt out requirements. The requirements for initial notice to consumers in Sec. 313.4(a)(2), the opt out in Secs. 313.7 and 313.8, and service providers and joint marketing in Sec. 313.9 do not apply when you disclose nonpublic personal information: (1) With the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction; (2)(i) To protect the confidentiality or security of your records pertaining to the consumer, service, product or transaction; [[Page 11195]] (ii) To protect against or prevent actual or potential fraud, unauthorized transactions, claims or other liability; (iii) For required institutional risk control or for resolving consumer disputes or inquiries; (iv) To persons holding a legal or beneficial interest relating to the consumer; or (v) To persons acting in a fiduciary or representative capacity on behalf of the consumer; (3) To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating you, persons that are assessing your compliance with industry standards, and your attorneys, accountants and auditors; (4) To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies (including government regulators), self-regulatory organizations, or for an investigation on a matter related to public safety; (5)(i) To a consumer reporting agency in accordance with the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), or (ii) From a consumer report reported by a consumer reporting agency; (6) In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; or (7)(i) To comply with Federal, State or local laws, rules and other applicable legal requirements; (ii) To comply with a properly authorized civil, criminal or regulatory investigation, or subpoena or summons by Federal, State or local authorities; or (iii) To respond to judicial process or government regulatory authorities having jurisdiction over you for examination, compliance or other purposes as authorized by law. (b) Examples of consent and revocation of consent. (1) A consumer may specifically consent to your disclosure to a nonaffiliated insurance company of the fact that the consumer has applied to you for a mortgage so that the insurance company can offer homeowner's insurance to the consumer. (2) A consumer may revoke consent by subsequently exercising the right to opt out of future disclosures of nonpublic personal information as permitted under Sec. 313.8(d). Sec. 313.12 Limits on redisclosure and reuse of information. (a) Limits on your redisclosure and reuse. (1) Except as otherwise provided in this part, if you receive nonpublic personal information about a consumer from a nonaffiliated financial institution, you must not, directly or through an affiliate, disclose the information to any other person that is not affiliated with either the financial institution or you, unless the disclosure would be lawful if the financial institution made it directly to such other person. (2) You may use nonpublic personal information about a consumer that you receive from a nonaffiliated financial institution in accordance with an exception under Secs. 313.9, 313.10 or 313.11 only for the purpose of that exception. (b) Limits on redisclosure and the reuse by other persons. (1) Except as otherwise provided in this part, if you disclose nonpublic personal information about a consumer to a nonaffiliated third party, that party must not, directly or through an affiliate, disclose the information to any other person that is a nonaffiliated third party of both you and that party, unless the disclosure would be lawful if you made it directly to such other person. (2) A nonaffiliated third party may use nonpublic personal information about a consumer that it receives from you in accordance with an exception under Secs. 313.9, 313.10 or 313.11 only for the purpose of that exception. Sec. 313.13 Limits on sharing of account number information for marketing purposes. You must not, directly or through an affiliate, disclose, other than to a consumer reporting agency, an account number or similar form of access number or access code for a credit card account, deposit account or transaction account of a consumer to any nonaffiliated third party for use in telemarketing, direct mail marketing or other marketing through electronic mail to the consumer. Sec. 313.14 Protection of Fair Credit Reporting Act. Nothing in this part shall be construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), and no inference shall be drawn on the basis of the provisions of this part regarding whether information is transaction or experience information under section 603 of that Act. Sec. 313.15 Relation to state laws. (a) In general. This part shall not be construed as superseding, altering, or affecting any statute, regulation, order or interpretation in effect in any State, except to the extent that such state statute, regulation, order or interpretation is inconsistent with the provisions of this part, and then only to the extent of the inconsistency. (b) Greater protection under state law. For purposes of this section, a State statute, regulation, order or interpretation is not inconsistent with the provisions of this part if the protection such statute, regulation, order or interpretation affords any consumer is greater than the protection provided under this part, as determined by the Commission on its own motion or upon the petition of any interested party, after consultation with the applicable government regulator or other authority. Sec. 313.16 Effective date; transition rule. (a) Effective date. This part is effective November 13, 2000. (b) Notice requirement for consumers who were your customers on the effective date. No later than thirty days after the effective date of this part, you must provide an initial notice, as required by Sec. 313.4, to consumers who were your customers on the effective date of this part. By direction of the Commission. Donald S. Clark, Secretary. [FR Doc. 00-4881 Filed 2-29-00; 8:45 am] BILLING CODE 6750-01-P