Morrison | Foerster

The Rapidly Changing World of Privacy
February 2001
by L. Richard Fischer

The Gramm-Leach-Bliley Act
Regulation to Implement Title V of the GLB Act

Relationship of the Privacy Rule With the FCRA
Proposal on FCRA Affiliate Opt-Out Notices
Guidelines Implementing Section 501 Security Standards

I. The Gramm-Leach-Bliley Act.

A. On November 12, 1999, President Clinton signed into law the Gramm-Leach-Bliley Act ("GLB Act"), Pub. L. No. 102-106 (1999), which contains comprehensive financial privacy provisions. The GLB Act imposes a number of new requirements on financial institutions, including the following:
  1. A financial institution is required to provide each individual customer with a clear statement of its policies and practices for protecting the privacy of "nonpublic personal information."
    a. The term "nonpublic personal information" is defined broadly to include any personally identifiable financial information regarding a consumer obtained by the institution, with limited exceptions. This disclosure must be provided to each customer "[a]t the time of establishing a customer relationship," and thereafter must be re-disclosed at least annually "during the continuation of such relationship."
    b. Among other things, the disclosure must include the institution's policies and practices with respect to: disclosures to nonaffiliated third parties, including the categories of information that may be disclosed; disclosures of nonpublic personal information of former customers; and protecting the nonpublic personal information of customers.
  2. A financial institution may not disclose a consumer's nonpublic personal information to nonaffiliated third parties, unless the consumer is given a clear and conspicuous notice of this possibility, and an opportunity to opt out of such disclosures before the first time they occur.
    a. A number of exceptions to this requirement are provided, including information sharing with nonaffiliated third parties that is: necessary to effect, administer or enforce a transaction; conducted with the consent or at the direction of the consumer; undertaken for fraud or risk control; conducted for purposes of resolving customer disputes or inquiries; between two or more financial institutions under a "joint marketing agreement"; or to perform services for or functions on behalf of the financial institution, under specified circumstances.
  3. The GLB Act prohibits a financial institution from disclosing "an account number or similar form of access number or access code" for a consumer credit card, deposit or transaction account to nonaffiliated third parties for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.
    a. There are no specific statutory exceptions to this prohibition, except for providing an account number to a credit bureau.
  4. The GLB Act also provides that a state law, regulation, order or interpretation regarding the subject matter of the privacy provisions (i.e., the disclosure of information to nonaffiliated third parties) is not superseded by the privacy provisions if it provides greater protection to consumers than the privacy provisions, so long as it is not otherwise inconsistent with the privacy provisions.

B. The GLB Act states that it is Congress' policy that each financial institution has an "affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality" of nonpublic personal information.
  1. The GLB Act directs the federal banking agencies to establish, for regulated depository institutions, appropriate standards relating to administrative, technical and physical safeguards to, among other things, insure the security and confidentiality of customer information and protect against unauthorized access or use of such information which could result in substantial harm or "inconvenience" to any customer.
  2. The federal banking agencies proposed security guidelines for comment on June 21, 2000. The Federal Trade Commission ("FTC") has issued an advance notice of proposed rulemaking on this matter. As discussed below, on December 21, 2000, the Federal Deposit Insurance Corporation adopted final security guidelines.

C. The GLB Act amends the Fair Credit Reporting Act ("FCRA") to direct the federal bank regulatory agencies to issue jointly FCRA regulations that will apply to federally regulated depository institutions and to their affiliates and holding companies. As discussed below, proposed regulations were issued on October 20, 2000.
  1. The GLB Act also deletes provisions of the FCRA that formerly restricted the ability of the federal banking agencies to conduct examinations for FCRA compliance except in certain circumstances.

D. Compliance with the privacy provisions is enforced by the federal banking agencies for federally regulated depository institutions and their holding companies and certain affiliates. In addition, the federal banking agencies, the Secretary of the Treasury, the Securities and Exchange Commission ("SEC"), and the FTC are directed to each prescribe, in consultation with state insurance representatives, "such regulations as may be necessary to carry out the purposes" of the GLB Act's privacy provisions. The final regulations issued by the federal banking agencies are discussed below.

E. The GLB Act also requires the Secretary of the Treasury, in conjunction with the federal banking agencies, the FTC and the SEC, to conduct a comprehensive study of information sharing practices among financial institutions and their affiliates, including both the risks and benefits of information sharing.
  1. The study, including recommendations for possible legislative or administrative actions, must be submitted to Congress by January 1, 2002.

F. Except for the FCRA provisions, which became effective on the date of enactment, the privacy provisions became effective one year from the date of enactment (that is, on November 13, 2000), with a mandatory full compliance date of July 1, 2001.

II. Regulation to Implement Title V of the GLB Act.

A. On June 1, 2000, the Office of the Comptroller of the Currency ("OCC"), the Federal Reserve Board ("FRB"), the Federal Deposit Insurance Corporation ("FDIC") and the Office of Thrift Supervision ("OTS") (collectively, the "Banking Agencies") adopted final regulations implementing the privacy provisions of the GLB Act ("Privacy Rule"). The SEC and the FTC have issued comparable regulations. Major provisions of the Privacy Rule are described below.

B. Scope.
  1. The Banking Agencies have indicated that the Privacy Rule also applies to accounts held by foreign consumers when those accounts are maintained at a U.S. financial institution.

C. Rule of Construction.
  1. The Banking Agencies expanded the number of examples for compliance and included sample disclosure clauses.
  2. Also, the Banking Agencies included a statement that the examples included in the Privacy Rule are not intended to be exhaustive and that compliance with an example or use of a sample clause, as applicable, would be deemed compliance with the regulation.

D. Definitions.
  1. Clear and Conspicuous.
    a. The Banking Agencies included in the Privacy Rule a special definition of "clear and conspicuous": a privacy notice must be reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice.
    b. In the joint supplemental information, the Banking Agencies recognized that this definition of "clear and conspicuous" differs from ones contained in other consumer protection regulations (e.g., Regulation Z) and indicated that the standard for clear and conspicuous contained in the Privacy Rule applies solely to disclosures required under the Privacy Rule.
    c. The Banking Agencies added an example to the final Privacy Rule illustrating the application of this clear and conspicuous standard to notices provided on Web sites.
  2. Consumer.
    a. The Privacy Rule states that the term "consumer" includes an individual who submits an application, a response form or otherwise provides information to a financial institution in an effort to obtain a loan or account, even if the individual never actually obtains a financial product or service from that institution.
    b. The Banking Agencies explained that an individual is not a "consumer" of a financial institution solely because the institution is acting as an agent for, or providing processing or other services to, another financial institution in servicing that other institution's customers or consumers.
    c. The Banking Agencies also made it clear that an individual will be a "consumer" of any entity that holds ownership or servicing rights to the individual's loan. As such, the institution will have no privacy notice obligation with respect to that individual unless he or she becomes a customer of the institution, or the institution wants to disclose information on that individual to a nonaffiliated third party.
  3. Customer Relationship.
    a. The Banking Agencies stated that a customer relationship will be established as a general rule with the financial institution that makes a loan to an individual. This customer relationship then will attach to the entity owning the servicing rights for that loan.
    b. Thus, if the originating lender retains the servicing, it will continue to have the customer relationship with the borrower. If the servicing is sold, the purchaser of the servicing rights will establish a customer relationship with the borrower and the originating lender will have a consumer relationship with the borrower.
    c. The Banking Agencies made it clear that repeated isolated transactions do not establish a customer relationship (i.e., periodic use of an institution's ATMs, or repeated purchase of traveler's checks or money orders).
  4. Financial Institution.
    a. The GLB Act defines "financial institution" as "any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act ("BHCA") of 1956."
    b. Activities that are "financial in nature" include lending activities, insurance activities, securities activities, activities "closely related to banking" under the FRB's Regulation Y and activities the FRB has determined under Regulation K to be usual in connection with the transaction of banking or other financial operations abroad.
    c. In the supplemental information to its final rule, the FTC states that the GLB Act "clearly covers more than parties in the credit, insurance or securities industries." An entity is a "financial institution" if that entity "engages in any activity that the [FRB] has determined to be a 'financial activity.'"
    d. According to the FTC, Section 4(k) of the BHCA refers to three types of activities that the FRB "may determine permissible for financial holding companies: those that are financial in nature, those that are incidental to such financial activity, and those that are complementary to financial activities. The [FTC] interprets the GLB Act to refer to those activities in Section 4(k) that are described as financial in nature at present, and not to include automatically those activities that the [FRB] later determines are incidental or complementary to financial activities."
    e. The FTC has indicated, however, that some businesses that are technically "financial institutions" will not have disclosure obligations because not all financial institutions have "consumers" or establish "customer relationships" within the meaning of the GLB Act.
  5. Nonpublic Personal Information.
    a. Under the Privacy Rule:
      (1) The mere fact of a customer relationship is considered "nonpublic personal information," unless that information is "publicly available information" as defined by the Privacy Rule.
      (2) Mere identification information (e.g., name, address, telephone number) is considered "financial information."
    b. But the term "nonpublic personal information" does not include "publicly available information," so long as the publicly available information is not derived using nonpublic personal information and is not disclosed in a manner that indicates the existence of a customer relationship (unless that customer relationship is a matter of public record).
    c. The term "nonpublic personal information" does not include information that does not identify a consumer, such as aggregate information or blind data without personal identifiers, such as account numbers, names or addresses.
    d. The term "nonpublic personal information" includes information collected through an Internet "cookie" placed on a consumer's computer.
    e. The Banking Agencies explained that information will be deemed "publicly available" if a financial institution has a reasonable basis to believe that the information is lawfully made available to the general public from a publicly available source (i.e., government records, widely distributed media or government-mandated disclosures).
    f. The Privacy Rule provides that a financial institution has a reasonable basis to believe that information is publicly available if the institution has taken steps to determine:
      (1) That the information is of the type that is available to the general public; and
      (2) Whether an individual can direct that the information not be made available to the general public and, if so, that a consumer has not done so.
      With respect to the "reasonable basis" standard, the Privacy Rule contains two examples -- one dealing with mortgage information and another dealing with telephone numbers.
    g. The Banking Agencies also have revised the example pertaining to "widely distributed information" to provide that information on a Web site is widely distributed information if the Web site is available to the general public on an unrestricted basis. (Thus, a Web site is not restricted merely because an Internet service provider or a site operator requires a fee or a password, so long as access is available to the general public.)

E. Section 503 Privacy Notice -- Initial Notice.
  1. Timing of Initial Notice to Customers.
    a. General Rule:
      (1) The Privacy Rule specifies that the Section 503 privacy notice must be provided to an individual "not later than when" a financial institution establishes a customer relationship. A "prior to" statement was included in the proposed rule.
      (2) In the joint supplemental information, the Banking Agencies stated that the Section 503 privacy notice may be provided at the same time a financial institution is required to give other required notices (e.g., TILA "initial disclosures").
    b. Exceptions to General Rule:
      (1) The Banking Agencies identified two situations where a financial institution may provide the Section 503 privacy notice at a point after the customer relationship is established.
      (2) A financial institution may provide the Section 503 privacy notice within a reasonable time after establishing a customer relationship if the establishment of the customer relationship is not at the customer's election. (To illustrate this situation, the Privacy Rule contains an example dealing with the sale of deposit accounts.)
      (3) A financial institution also may provide the Section 503 privacy notice within a reasonable time after establishing a customer relationship when to do otherwise would substantially delay completion of the transaction and the customer agrees to receive the notice at a later time. (To illustrate this situation, the Privacy Rule contains two examples -- one dealing with telephone orders and one dealing with student loan programs.)
      (4) The Privacy Rule specifies that the "substantial delay" exception would not apply when the relationship is initiated in person at a financial institution's office or through other means by which the customer may view the notice, such as on a Web site.
  2. Joint Accounts.
    a. The Privacy Rule specifies that a financial institution is required to provide a Section 503 privacy notice to only one party in connection with a joint account. The Banking Agencies expect institutions that do so will honor an opt-out request from any account party.
  3. Notice Not Required for Subsequent Product.
    a. The Privacy Rule makes it clear that if a financial institution delivers its Section 503 privacy notice when a customer enters into a relationship with the institution, the institution is not required to deliver an additional privacy policy notice when the customer later enters into another relationship with the institution, so long as the privacy notice previously provided to that customer is accurate with respect to the new financial product or service.
  4. Mergers.
    a. In the joint supplemental information, the Banking Agencies provide guidance on what notices are required in the event of a merger of two financial institutions or an acquisition of one financial institution by another.
    b. The Banking Agencies provide that in such situations, the need to provide new initial (and opt-out) notices to customers of the entity that ceases to exist will depend on whether the notices previously given to those customers accurately reflect the policies and practices of the surviving entity. If so, the surviving entity will not be required under the Privacy Rule to provide new notices.

F. Section 503 Privacy Notice -- Annual Notice.
  1. How to Provide Notice.
    a. The Privacy Rule clarifies that a financial institution satisfies the annual notice requirement if the institution defines the twelve-consecutive-month period as a calendar year and provides the annual notice to the customer once in each calendar year following the calendar year in which the institution provided the initial notice (e.g., if a customer opens an account on any day of year 2001, the institution must provide an annual notice to the customer by December 31 of year 2002, and timing for subsequent annual notices should be consistent).
  2. Termination of Customer Relationship.
    a. The Privacy Rule makes it clear that a financial institution is not required to provide the Section 503 notice annually to a customer with whom it no longer has a continuing relationship.
    b. The Banking Agencies also specified that there is no longer a continuing relationship with respect to deposit accounts that are "inactive" under the institution's policies.

G. Information to Be Included in Section 503 Privacy Notice.
  1. Example of Categories of Information Collected: The Privacy Rule provides that an institution satisfies the requirement to categorize the nonpublic personal information that the institution collects if the institution lists in its privacy notice the following four categories, as applicable:
      (1) Information from the consumer;
      (2) Information about the consumer's transactions with the institution or the institution's affiliates;
      (3) Information about the consumer's transactions with nonaffiliated third parties; and
      (4) Information from a consumer reporting agency.
  2. Example of Categories of Information Disclosed: The Privacy Rule provides that an institution satisfies the requirement to categorize the nonpublic personal information that the institution discloses if the institution lists in its privacy notice the categories described above, as applicable, and a few examples to illustrate the types of information in each category.
    a. If the institution reserves the right to disclose all of the nonpublic personal information about the consumer that the institution collects, the institution may simply state that fact without describing the categories or examples of the nonpublic personal information the institution discloses.
  3. Affiliate Sharing: The Privacy Rule provides that a financial institution must disclose in its Section 503 privacy notice the categories of affiliates to whom the institution discloses nonpublic personal information.
  4. Example of Categories of Affiliates and Nonaffiliated Third Parties to Whom Information is Disclosed:
    a. The Privacy Rule provides that a financial institution satisfies the requirement to categorize the affiliates and nonaffiliated third parties to whom the institution discloses nonpublic personal information if the institution lists in its privacy notice the following three categories, as applicable, and a few examples to illustrate the types of third parties in each category:
      (1) Financial services providers;
      (2) Non-financial companies; and
      (3) Others.
  5. Section 502(e) Exceptions.
    a. The Privacy Rule provides that with respect to third-party information recipients covered by the exceptions in Section 502(e), a financial institution is required only to inform consumers that "we may also disclose nonpublic personal information about you to nonaffiliated third parties as permitted by law."
  6. Right to Opt Out.
    a. The Privacy Rule provides that the Section 503 privacy notice must explain a consumer's right to opt out under Section 502, including the method(s) by which the consumer may exercise that right.
  7. Disclosure under Exception for Service Providers and Joint Marketers:
    a. The Privacy Rule provides that if an institution discloses nonpublic personal information under the "service providers and joint marketing" exception, the institution must include in its Section 503 privacy notice a separate statement of the categories of nonaffiliated third parties with whom the institution has contracted under the "service providers and joint marketing" exception and the categories of information that the institution discloses to such parties.
    b. An institution can satisfy this disclosure requirement if it:
      (1) Lists the categories and examples of nonpublic personal information the institution discloses under the "service providers and joint marketing" exception, using the same categories listed above under the example relating to information disclosed, as applicable; and
      (2) States whether the third party to whom the information is disclosed is a service provider or is a financial institution with whom the institution has a joint marketing agreement.
  8. Confidentiality, Security and Integrity.
    a. The example regarding confidentiality and security provides that an institution describes its policies and practices with respect to confidentiality and security if the institution:
      (1) Describes in general terms who is authorized to have access to the information; and
      (2) States whether the institution has security practices and procedures in place to ensure the confidentiality of the information in accordance with the institution's privacy policy. The institution is not required to describe technical information about the safeguards the institution uses.
  9. Sample Clauses.
    a. The Banking Agencies added an Appendix A to the final Privacy Rule which contains sample clauses that are intended to illustrate the level of detail the Banking Agencies believe is appropriate in the Section 503 privacy notice.
    b. The final Privacy Rule also provides that compliance with a sample clause, as applicable, constitutes compliance with the Privacy Rule.
  10. Short-Form Initial Notice with Opt-Out Notice for Non-Customers.
    a. A financial institution must provide an initial Section 503 privacy notice to a consumer who is not a customer before the institution makes a disclosure of that consumer's nonpublic personal information outside of the Section 502(e) exceptions.
    b. Under the Privacy Rule, a financial institution may satisfy this requirement for consumers by providing clearly and conspicuously a short-form initial notice that states that the institution's privacy notice is available upon request and explains a reasonable means by which the consumer may obtain a copy of that notice. Thus, a financial institution is not required to deliver its privacy notice with its opt-out notice, but instead is only required to provide the consumer a copy of the short-form initial notice and a reasonable means to obtain the institution's privacy notice.
    c. The Privacy Rule specifies that a financial institution provides a reasonable means by which a consumer may obtain a copy of the institution's privacy notice if the institution:
      (1) Provides a toll-free telephone number; or
      (2) Maintains copies of the notice on hand for a consumer who conducts business in person at the institution's office.

H. Section 502 Opt-Out Notice.
  1. Joint Account.
    a. Under the Privacy Rule, a financial institution has the option of providing only one opt-out notice per account in connection with a joint account.
    b. Nonetheless, any of the accountholders may exercise the right to opt out. In addition, a financial institution is required to state in the opt-out notice provided to a joint accountholder whether the institution will consider an opt out by a joint accountholder as an opt out by all of the associated accountholders or whether each accountholder is permitted to opt out separately.
  2. Reasonable Opportunity to Opt Out.
    a. The Privacy Rule includes an example specifying that a toll-free telephone number is a reasonable means by which financial institutions may allow consumers to opt out.
    b. The Privacy Rule also contains a statement that a financial institution does not provide a reasonable means to opt out by requiring consumers to send their own letter to the institution to exercise their right, although an institution may honor such a letter if received.
    c. The Privacy Rule further provides that a financial institution does not provide a reasonable means to opt out if the only means of opting out is to use a check-off box that the institution provided with the initial notice, but does not include with subsequent annual notices.
  3. Means of Opting Out.
    a. The Privacy Rule provides that a financial institution may require each consumer to opt out through the specific means identified by the financial institution, as long as that means is reasonable for the consumer.
    b. In the joint supplemental information, the Banking Agencies explain that if a financial institution offers a reasonable means of opting out, and indicates that consumers must opt out in accordance with that means, the institution may choose not to honor opt-out elections communicated to the institution through alternative means.
  4. Duration of Consumer's Opt-Out Direction.
    a. The Privacy Rule specifies that a consumer's direction to opt out is effective until the consumer revokes it in writing or, if the consumer agrees, electronically.
    b. The Privacy Rule also specifies that when a customer relationship terminates, the customer's opt-out direction still continues to apply to the nonpublic personal information that the institution collected during or related to that relationship.
    c. If the individual subsequently establishes a new customer relationship with the institution, however, the opt-out direction that applied to the former relationship does not apply to the new relationship.

I. Delivering Privacy and Opt-Out Notices.
  1. Delivery of Annual Privacy Notices.
    a. The Privacy Rule specifies that where a customer uses the institution's Web site to access financial products or services and has agreed to accept notices at the institution's Web site, a financial institution may meet its obligation to provide such customer an annual privacy notice by posting continuously a current notice of the institution's Section 503 privacy notice on the Web site in a clear and conspicuous manner.
  2. Disclosures to Customers Requesting No Communication.
    a. The Privacy Rule also specifies that a financial institution need not send annual privacy notices to a customer that has requested that the institution not send any information regarding the customer relationship, provided that a copy of the institution's privacy notice is available upon request.
  3. Joint Notice.
    a. The Privacy Rule makes it clear that affiliated financial institutions are permitted to use a common initial or annual Section 503 privacy notice, so long as the notice identifies each of the institutions by name and the notice is accurate with respect to all institutions using the notice.

J. Limits on Disclosure of Nonpublic Personal Information to Nonaffiliated Third Parties.
  1. Example for Isolated Transactions.
    a. The Privacy Rule includes an example that specifies that for isolated transactions with consumers, a financial institution provides a reasonable opportunity to opt out if the institution provides the consumer with the opt-out notice at the time of the transaction and requests that the consumer decide, as a necessary part of the transaction, whether to opt out before completing the transaction.
  2. Electronic Transactions.
    a. The Privacy Rule provides that where a customer has opened an on-line account with the institution and has agreed to receive the opt-out notice electronically, a financial institution provides a reasonable opportunity to opt out if the institution allows the customer to opt out by any reasonable means within 30 days after the date that the customer acknowledges receipt of the opt-out notice in conjunction with opening the account.

K. Limits on Redisclosure and Reuse of Information.
  1. Information Disclosed Under a Section 502(e) Exception.
    a. The Privacy Rule specifies that a nonaffiliated third party that receives nonpublic personal information from a financial institution under a Section 502(e) exception may only disclose and use that information as follows:
      (1) It may disclose the information to the affiliates of the financial institution from which the nonaffiliated third party received the information;
      (2) It may disclose the information to the affiliates of the nonaffiliated third party, but the third party's affiliates may use and disclose the information only to the extent that the third party may disclose and use the information; and
      (3) It may disclose and use the information pursuant to a Section 502(e) exception in the ordinary course of business to carry out the activity covered by the exception under which it received the information.
    b. These reuse and redisclosure provisions also apply to a financial institution that receives nonpublic personal information from another financial institution under a Section 502(e) exception.
    c. The Privacy Rule also contains several examples pertaining to these reuse and redisclosure provisions.
  2. Information Disclosed Outside a Section 502(e) Exception.
    a. The Privacy Rule specifies that a nonaffiliated third party that receives nonpublic personal information from a financial institution other than under a Section 502(e) exception only may disclose that information as follows:
      (1) It may disclose the information to the affiliates of the financial institution from which the nonaffiliated third party received the information;
      (2) It may disclose the information to the affiliates of the nonaffiliated third party, but the third party's affiliates may disclose the information only to the extent that the third party may disclose the information; and
      (3) It may disclose the information to some other third party, if the disclosure would be lawful if the institution made it directly to that person.
    b. These redisclosure provisions also apply to a financial institution that receives nonpublic personal information from another financial institution other than under a Section 502(e) exception.
    c. The Privacy Rule contains several examples pertaining to these redisclosure provisions as well.
  3. Monitoring Third Parties.
    a. In the Privacy Rule, the Banking Agencies determined not to impose a specific duty on financial institutions to monitor the use by nonaffiliated third parties of nonpublic personal information provided by the institutions.

L. Limits on Sharing of Account Numbers for Marketing Purposes.
  1. The Privacy Rule specifies that the Section 502(d) prohibition would not restrict disclosure of account numbers by a financial institution to:
      (1) An agent or service provider of the institution solely for the purpose of marketing the financial institution's own financial products or services, provided that the agent or service provider is not authorized to directly initiate charges to the account.
      (2) A participant in a private label credit card program or an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program.
  2. The Privacy Rule also clarifies that the term "account number, or similar form of access number or access code" does not include a number or code in an encrypted form, so long as the institution does not provide the recipient with a means to decode the number or code.
  3. The Privacy Rule further states that the term "transaction account" does not include an account (such as a mortgage loan account) to which third parties cannot initiate charges.

M. Exceptions Relating to Service Providers and Joint Marketing Agreements.
  1. The Privacy Rule provides that the statutory conditions of full disclosure and contractual agreement apply to disclosures to agents, processors or service providers unless those disclosures come within one of the Section 502(e) exceptions.
  2. The Privacy Rule also provides that the confidentiality agreement must prohibit the nonaffiliated third party from disclosing or using the information other than to carry out the purposes for which the institution disclosed the information, including use under a Section 502(e) exception in the ordinary course of business to carry out those purposes.
  3. The Privacy Rule includes a "grandfathering" provision for existing contracts which provides that contracts in effect as of July 1, 2000, must be brought into compliance with the provisions of this section by July 1, 2002.
  1. Exceptions Relating to Transaction Processing.
  1. The Privacy Rule includes the phrase "in connection with" at the end of the first paragraph in Section 14(a), so that the regulation is consistent with the language of the statute.
  2. This "in connection with" language is intended to clarify that the opt-out exceptions relating to processing transactions and servicing accounts include activities that relate to servicing or processing a financial product or service or maintaining or servicing the consumer's account, even where these activities are not absolutely necessary to service or process the financial product or service or to maintain or service the consumer's account.
  1. Other Exceptions.
  1. In the Privacy Rule, the Banking Agencies declined to elaborate on the requirements for obtaining consent or the consumer safeguards that should be in place when a consumer consents.
  1. Effective Date.
  1. The Privacy Rule became effective November 13, 2000, but provides that full compliance with the Privacy Rule is not required until July 1, 2001.

III. Relationship of the Privacy Rule With the FCRA.

  1. Companies must keep in mind that the Privacy Rule does not override the existing requirements of the FCRA. Therefore, just because the Privacy Rule does not prohibit sharing of certain information with nonaffiliated third parties, it does not mean that the sharing of that information is permissible under the FCRA.
  2. Under the FCRA, information on a consumer can be divided into four categories:
  1. "Identification" information, such as a consumer's name and address. Companies are not prohibited under the FCRA from sharing identification information with affiliates.
  2. "Experience" information, which is information that relates solely to transactions or experiences between the consumer and the company. Companies are not prohibited under the FCRA from sharing "experience" information with affiliates or with nonaffiliated third parties, but the sharing of such information is covered under the Privacy Rule.
  3. "Eligibility" information is non-experience information, such as information obtained from an application form or from a consumer credit report, that is used to determine someone's eligibility for credit, insurance and the like. Banks are not permitted under the FCRA to share such "eligibility" information with any nonaffiliated third parties other than under certain narrow exceptions, but banks may share this information with affiliates, as long as the consumer has not opted out.
  4. Other information, such as demographic information, public record information, marketing information and the like, which is not used or collected for eligibility purposes.
  5. The Privacy Rule does not distinguish between "experience" information and "eligibility" information, so the sharing of this information with affiliates or nonaffiliated third parties may not be prohibited under the Privacy Rule but may be prohibited under the FCRA.
  1. This is a complicated situation that is likely to surprise many companies.

IV. Proposal on FCRA Affiliate Opt-Out Notices.

  1. On October 20, 2000, the FRB, OCC, FDIC and OTS released a Joint Notice of Proposed Rulemaking ("Proposal") implementing the affiliate sharing opt-out provisions of the FCRA. Under the Privacy Rule which implements the GLB Act, a financial institution must include the FCRA affiliate sharing opt-out notice as part of its GLB Act privacy notice. The comment period on the Proposal ended December 4, 2000.
  2. The Proposal identifies a type of information called "opt out information" (which should be consistent in scope with eligibility information described above) and provides that "opt out information" may be communicated among affiliates without the communication being considered a consumer report if:
  1. The financial institution has provided an opt-out notice;
  2. The financial institution has provided reasonable opportunity and means for the consumer, prior to the initial time it communicates the information, to opt out; and
  3. The consumer has not opted out.
  1. Under the Proposal, the term "opt out information" is defined as information that bears on:
  1. A consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics and
  1. Is used or collected for one or more permissible purposes under the FCRA; and
  2. Is not solely transaction or experience information.
  3. The Proposal provides that the FCRA opt-out notice must accurately explain:
  1. The categories of "opt out information" about the consumer that the institution communicates;
  2. The categories of affiliates to which the institution communicates the information;
  3. The consumer's ability to opt out; and
  4. The means to opt out.
  1. The Proposal then asks whether financial institutions should have to disclose the following in their FCRA opt-out notices: