PRIVACY AND IDENTITY THEFT “TO DO” LIST FOR 2008
REVIEW PRIVACY NOTICE IN LIGHT OF NEW AFFILIATE MARKETING REGULATIONS
Companies that may use information received from an affiliate for marketing purposes need to be familiar with the new affiliate marketing regulations adopted under the Fair Credit Reporting Act. Previously, under the FCRA, “transaction or experience information” was permitted to be shared among affiliates without giving the consumer notice and an opportunity to opt out. “Other” information, such as information from credit reports and credit applications, could be shared among affiliates if the consumer was given notice and an opportunity to opt out and the consumer did not opt out. The new affiliate marketing provision applies to both “transaction or experience information” and “other” information, referred to as “eligibility information,” when such information is used for marketing purposes. The regulations prohibit the use of “eligibility information” about a consumer received from an affiliate for marketing purposes unless written notice and opt out are provided, subject to certain exceptions. This notice and opt out are permitted to be included with the company’s privacy notice.
The new regulations regarding affiliate marketing are effective January 1, 2008 with a mandatory compliance date of October 1, 2008.
To comply with these new requirements, companies will need to review their existing and future practices and determine what revisions should be made to their privacy notice. This provides a good opportunity to re-evaluate a company’s privacy notice and privacy policies and make any necessary revisions to the privacy notice based on changes in practices and policies in addition to changes required by the new affiliate marketing regulations.
DEVELOP AND IMPLEMENT WRITTEN IDENTITY THEFT PREVENTION PROGRAM
Under the new regulations regarding identity theft, red flags and address discrepancies adopted under the FCRA, financial institutions or creditors that offer or maintain “covered accounts” must develop and implement a written Identity Theft Prevention Program. The Program must be designed to detect, prevent and mitigate identity theft in connection with newly opened or existing covered accounts. The Program must include reasonable policies and procedures to identify, detect and respond to “Red Flags” (i.e., patterns, practices or specific activities that indicate the possible existence of identity theft). The regulations contain guidance to assist in developing the required Identity Theft Program.
“Covered account” includes a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account or savings account and any other account that a company offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft.
The regulations also require companies to develop and implement policies and procedures to follow upon receipt of a notice of address discrepancy from a consumer reporting agency.
The new regulations regarding identity theft, red flags and address discrepancy are effective January 1, 2008 with a mandatory compliance date of November 1, 2008.
We have an outline of a written Identity Theft Program that we can work with you to revise to reflect your company’s policies and
- Elizabeth Anstaett and Darrell Dreher