Jump to Navigation

Dreher Tomkies LLP
Attorneys at Law
2750 Huntington Center
41 South High Street
Columbus, Ohio 43215
Telephone (614) 628-8000
Fax (614) 628-1600



Law Digests Online!
Home
Firm Overview
Practice Areas
Attorney Profiles
Alerts
Multistate Digests
Articles
Representative Clients
Resource Links
Firm Brochure
Contact Us
Save to My Favorites
Print this page
Alerts Contextual Image

MODEL PRIVACY FORMS ADOPTED

Final model privacy forms were adopted by the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System (FRB), Office of Thrift Supervision (OTS), National Credit Union Administration (NCUA), Federal Trade Commission (FTC), Commodity Futures Trading Commission (CFTC) and Securities and Exchange Commission (SEC) (collectively referred to as "the Agencies"). The model privacy forms may be relied on by financial institutions as a safe harbor to provide the disclosures required by Title V of the Gramm-Leach-Bliley Act (GLB Act). The Agencies' rules incorporating the model forms and related amendments to the rules will be effective 30 days after publication in the Federal Register, except for the amendments regarding the sample clauses discussed below.

In December 2003, the Agencies published an advance notice of proposed rulemaking soliciting public comment on a wide range of issues related to improving privacy notices. The Agencies hired a contractor who used qualitative testing methods to conduct a series of consumer interviews to help in the development of a new model privacy notice. The format of the final model form is standardized and consists of two pages that may be printed on a single piece of paper.

The first page of the final model form has five parts: (1) a title; (2) an introductory section intended to help the consumer understand the purpose of the notice; (3) a disclosure table that describes the types of sharing possible for all financial institutions, which of those types of sharing the institution providing the notice actually engages in, and whether the consumer can opt out of any of the institution's sharing; (4) if applicable, information for the consumer on how to opt out; and (5) the institution's customer service contact information.

The second page provides additional explanatory information required by the GLB Act. Supplemental information about the financial institution and what it does with personal information is found at the top of the second page, with key definitions below. Space is provided at the bottom of the second page for financial institutions to discuss state and/or international privacy laws and include an acknowledgement of receipt.

The Agencies are eliminating the sample clauses and related safe harbor from the current privacy rules following a transition period. Financial institutions will not be able to rely on the sample clause safe harbor for notices that are delivered to consumers on or after January 1, 2011. The sample clauses will be removed entirely from the Agencies' rules on January 1, 2012. Financial institutions seeking to rely on the safe harbor through use of the model form may modify it only as described in the instructions in the rules. In addition, institutions may continue to use other types of notices that vary from the model form, including notices that consist of the sample clauses, so long as these notices comply with GLBA and the Agencies' privacy rules.

The Agencies are also amending the section of their privacy rules concerning the information that financial institutions that choose not to use the model form must include in their privacy notices. The rules currently provide that if a financial institution shares information with nonaffiliated third parties in a manner that does not require an opt-out, the institution is only required to include a statement in its privacy notice that it engages in sharing "as permitted by law." The FDIC, OCC, FRB, OTS, NCUA, CFTC and SEC are revising their rules to allow, as an alternative, a statement that the institution shares such information for its "everyday business purposes," including a list of applicable examples. The FTC is amending its rule to allow a statement that the institution shares such information for its "everyday business purposes, such as to process transactions, maintain account(s), respond to court orders and legal investigations, and report to credit bureaus."

Please let us know if you have any question regarding the new model privacy notice or other privacy issues.

  • Elizabeth Anstaett and