[Federal Register Volume 74, Number 229 (Tuesday, December 1, 2009)]
[Rules and Regulations]
[Pages 62889-62994]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E9-27882]



[[Page 62889]]

-----------------------------------------------------------------------


Part II

Department of the Treasury



Office of the Comptroller of the Currency



12 CFR Part 40



-----------------------------------------------------------------------
Federal Reserve System

12 CFR Part 216



-----------------------------------------------------------------------
Federal Deposit Insurance Corporation

12 CFR Part 332



-----------------------------------------------------------------------
Department of the Treasury



Office of Thrift Supervision

12 CFR Part 573



-----------------------------------------------------------------------
National Credit Union Administration

12 CFR Part 716



-----------------------------------------------------------------------
Federal Trade Commission

16 CFR Part 313



-----------------------------------------------------------------------
Commodity Futures Trading Commission

17 CFR Part 160



-----------------------------------------------------------------------
Securities and Exchange Commission

17 CFR Part 248



-----------------------------------------------------------------------



Final Model Privacy Form Under the Gramm-Leach-Bliley Act; Final Rule

Federal Register / Vol. 74, No. 229 / Tuesday, December 1, 2009 / 
Rules and Regulations

[[Page 62890]]


-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Part 40

[Docket ID OCC-2009-0011]
RIN 1557-AC80

FEDERAL RESERVE SYSTEM

12 CFR Part 216

[Docket No. R-1280]

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Part 332

RIN 3064-AD16

DEPARTMENT OF THE TREASURY

Office of Thrift Supervision

12 CFR Part 573

[Docket ID OTS-2009-0014]
RIN 1550-AC12

NATIONAL CREDIT UNION ADMINISTRATION

12 CFR Part 716

RIN 3133-AC84

FEDERAL TRADE COMMISSION

16 CFR Part 313

[Project No. 034815]
RIN 3084-AA94

COMMODITY FUTURES TRADING COMMISSION

17 CFR Part 160

RIN 3038-AC04

SECURITIES AND EXCHANGE COMMISSION

17 CFR Part 248

[Release Nos. 34-61003, IA-2950, IC-28997; File No. S7-09-07]
RIN 3235-AJO6


Final Model Privacy Form Under the Gramm-Leach-Bliley Act

AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC); 
Board of Governors of the Federal Reserve System (Board); Federal 
Deposit Insurance Corporation (FDIC); Office of Thrift Supervision, 
Treasury (OTS); National Credit Union Administration (NCUA); Federal 
Trade Commission (FTC); Commodity Futures Trading Commission (CFTC); 
and Securities and Exchange Commission (SEC).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The OCC, Board, FDIC, OTS, NCUA, FTC, CFTC, and SEC (the 
``Agencies'') are publishing final amendments to their rules that 
implement the privacy provisions of Subtitle A of Title V of the Gramm-
Leach-Bliley Act (``GLB Act''). These rules require financial 
institutions to provide initial and annual privacy notices to their 
customers. Pursuant to Section 728 of the Financial Services Regulatory 
Relief Act of 2006 (``Regulatory Relief Act'' or ``Act''), the Agencies 
are adopting a model privacy form that financial institutions may rely 
on as a safe harbor to provide disclosures under the privacy rules. In 
addition, the Agencies other than the SEC are eliminating the safe 
harbor permitted for notices based on the Sample Clauses currently 
contained in the privacy rules if the notice is provided after December 
31, 2010. Similarly, the SEC is eliminating the guidance associated 
with the use of notices based on the Sample Clauses in its privacy rule 
if the notice is provided after December 31, 2010.

DATES: This rule is effective on December 31, 2009, except for the 
following amendments, which are effective January 1, 2012:
    Instructions 3B, 10B, 17B, 24B, 31B, 38B, 45B, and 52B removing 
paragraphs (g) to 12 CFR 40.6, 216.6, 332.6, 573.6, and 716.6, 16 CFR 
313.6, and 17 CFR 160.6 and 248.6, respectively; and
    Instructions 7B, 14B, 21B, 28B, 35B, 42B, 49B, and 55B removing 
Appendixes B to 12 CFR parts 40, 216, 332, 573, and 716, 16 CFR part 
313, and 17 CFR parts 160 and 248, respectively.

FOR FURTHER INFORMATION CONTACT: OCC: Stephen Van Meter, Assistant 
Director, Community and Consumer Law Division, (202) 874-5750; Heidi 
Thomas, Special Counsel, Legislative and Regulatory Activities 
Division, (202) 874-5090; or David Nebhut, Director, Policy Analysis 
Division, (202) 874-5220, Office of the Comptroller of the Currency, 
250 E Street, SW., Washington, DC 20219.
    Board: Jeanne Hogarth, Consumer Policies Program Manager, Jelena 
McWilliams, Attorney, or Ky Tran-Trong, Counsel, Division of Consumer 
and Community Affairs, (202) 452-3667; Kara Handzlik, Attorney, Legal 
Division, (202) 452-3852; Board of Governors of the Federal Reserve 
System, 20th Street and Constitution Avenue, NW., Washington, DC 20551.
    FDIC: Samuel Frumkin, Senior Policy Analyst, Division of 
Supervision and Consumer Protection, (202) 898-6602; or Kimberly A. 
Stock, Counsel, (202) 898-3815, Legal Division; Federal Deposit 
Insurance Corporation, 550 17th Street, NW., Washington, DC 20429.
    OTS: Ekita Mitchell, Consumer Regulations Analyst, (202) 906-6451; 
or Richard Bennett, Senior Compliance Counsel, Regulations and 
Legislation Division, (202) 906-7409; 1700 G Street, NW., Washington, 
DC 20552.
    NCUA: Regina Metz, Staff Attorney, (703) 518-6561, Office of 
General Counsel, National Credit Union Administration, 1775 Duke 
Street, Alexandria, Virginia 22314-3428.
    FTC: Loretta Garrison, Senior Attorney, and Anthony Rodriguez, 
Attorney, Division of Privacy and Identity Protection, Bureau of 
Consumer Protection, (202) 326-2252, Federal Trade Commission, 600 
Pennsylvania Avenue, NW., Stop NJ-3158, Washington, DC 20580.
    CFTC: Laura Richards, Deputy General Counsel, (202) 418-5126, or 
Gail B. Scott, Counsel, Office of General Counsel, (202) 418-5139, 
Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st 
Street, NW., Washington, DC 20581.
    SEC: Paula Jenson, Deputy Chief Counsel, or Brice Prince, Special 
Counsel, Office of the Chief Counsel, Division of Trading and Markets, 
(202) 551-5550; or Penelope Saltzman, Assistant Director, Thoreau 
Bartmann, Senior Counsel, or Daniel Chang, Staff Attorney, Office of 
Regulatory Policy, Division of Investment Management, (202) 551-6792, 
Securities and Exchange Commission, 100 F Street, NE., Washington, DC 
20549.

SUPPLEMENTARY INFORMATION: The Agencies are publishing final amendments 
to each of their rules (which are consistent and comparable) that 
implement the privacy provisions of the GLB Act: 12 CFR part 40 (OCC); 
12 CFR part 216 (Board); 12 CFR part 332 (FDIC); 12 CFR part 573 (OTS); 
12 CFR part 716 (NCUA); 16 CFR part 313 (FTC); 17 CFR part 160 (CFTC); 
and 17 CFR part 248 (SEC) (collectively, the ``privacy rule'').\1\
---------------------------------------------------------------------------

    \1\ Because the Agencies' privacy rules generally use consistent 
section numbering, relevant sections will be cited, for example, as 
``section ----.6'' unless otherwise noted.

I. Introduction
    A. Statutory Authority and Overview
    B. Overview of the Final Model Privacy Form
II. Background
    A. The Gramm-Leach-Bliley Act Privacy Notices

[[Page 62891]]

    B. Development of Proposed Model Privacy Form
    C. Overview of Comments Received
    D. Quantitative Research
    E. Public Comments on the Quantitative Test Data
    F. Validation Testing
III. The Final Model Privacy Form
    A. Standardization
    B. Instructions for Use
    C. Format of the Notice
    D. Appearance of the Model Privacy Form
    E. Optional General Guidance for Easily Readable Type
    F. Printing, Color, and Logos
    G. Jointly-Provided Notices
    H. Use of the Form by Differently-Regulated Entities
    I. Page One of the Model Form
    J. Page Two of the Model Form
    K. Other Issues
IV. The Sample Clauses
V. Effective Date
VI. Final Regulatory Flexibility Analysis
VII. Paperwork Reduction Act
VIII. OCC and OTS Executive Order 12866 Determination
IX. OCC and OTS Executive Order 13132 Determination
X. OCC and OTS Unfunded Mandates Reform Act of 1995 Determination
XI. SEC Cost-Benefit Analysis
XII. SEC Consideration of Burden on Competition
XIII. NCUA: The Treasury And General Government Apropriations Act, 
1999-Assessment of Federal Regulations and Policies on Families
XIV. CFTC Cost-Benefit Analysis

I. Introduction

A. Statutory Authority and Overview

    The Regulatory Relief Act was enacted on October 13, 2006.\2\ 
Section 728 of the Act directs the Agencies to ``jointly develop a 
model form which may be used, at the option of the financial 
institution, for the provision of disclosures under [section 503 of the 
GLB Act].'' \3\ The Regulatory Relief Act stipulates that the model 
form shall be a safe harbor for financial institutions that elect to 
use it. Section 728 further directs that the model form shall:
---------------------------------------------------------------------------

    \2\ Public Law No. 109-351, 120 Stat. 1966 (2006).
    \3\ Id., adding 15 U.S.C. 6803(e). See also infra discussion at 
section II.A. on the GLB Act requirements for financial privacy 
notices. Section 728 of the Regulatory Relief Act directs the 
agencies named in Section 504(a)(1) of the GLB Act, 15 U.S.C. 
6804(a)(1), to develop a model form. The CFTC, which did not become 
subject to Title V of the GLB Act until 2000, is not named in that 
section. The Commodity Exchange Act (``CEA'') was amended in 2000 by 
the Commodity Futures Modernization Act of 2000 to make the CFTC a 
``Federal functional regulator'' subject to the GLB Act Title V. See 
Section 5g of the CEA, 7 U.S.C. 7b-2. The CFTC interprets Section 
728 of the Regulatory Relief Act as applying to it through Section 
5g.
---------------------------------------------------------------------------

    (A) Be comprehensible to consumers, with a clear format and design;
    (B) provide for clear and conspicuous disclosures;
    (C) enable consumers easily to identify the sharing practices of a 
financial institution and to compare privacy practices among financial 
institutions; and
    (D) be succinct, and use an easily readable type font.
On March 29, 2007, the Agencies published a proposed model privacy form 
(the ``proposed model form'') that financial institutions would be able 
to use to comply with certain disclosures under the privacy rule.\4\ On 
April 15, 2009, the SEC reopened the comment period on the proposed 
rulemaking to solicit comment on a research report and test data 
pertaining to additional consumer testing of the proposed model privacy 
form.\5\ Today, the Agencies are amending the privacy rule to include a 
model privacy form that institutions may use to provide required 
disclosures. The final model form is substantially as proposed with 
changes based on comments we received as well as additional consumer 
testing.
---------------------------------------------------------------------------

    \4\ See Interagency Proposal for Model Privacy Form under the 
Gramm-Leach-Bliley Act (``Proposed Rule''), 72 FR 14940 (Mar. 29, 
2007), available at http://www.ftc.gov/os/2007/03/CorrectedNeptuneMarsandGenericFormsfrn.pdf. A Correction Notice was 
published at 72 FR 16875 (Apr. 5, 2007).
    \5\ See Interagency Proposal for Model Privacy Form under the 
Gramm-Leach-Bliley Act, Securities Exchange Act Release No. 59769, 
Investment Company Act Release No. 28697 (Apr. 15, 2009) [74 FR 
17925 (Apr. 20, 2009)].
---------------------------------------------------------------------------

B. Overview of the Final Model Privacy Form

    As explained more fully in the Agencies' Proposed Rule, key 
elements of the final model form's structure and design, as well as 
vocabulary, reflect the research findings of the qualitative consumer 
testing.\6\ The Agencies believe that the final model form as revised 
meets all the requirements of the Act and, based on the qualitative 
research that led to the development of the proposed model form and the 
quantitative consumer testing described below, is easier to understand 
and use than most privacy notices currently being disseminated.
---------------------------------------------------------------------------

    \6\ The Agencies conducted the consumer research in two phases: 
the first was qualitative testing or form development; the second 
was quantitative testing. See infra section II.
---------------------------------------------------------------------------

    While the model form provides a legal safe harbor, institutions may 
continue to use other types of notices that vary from the model form so 
long as these notices comply with the privacy rule. For example, an 
institution could continue to use a simplified notice if it does not 
have affiliates and does not intend to share nonpublic personal 
information with nonaffiliated third parties outside of the exceptions 
provided in sections ----.14 and ----.15.\7\ Likewise, while the 
Agencies are eliminating the Sample Clauses and related safe harbor 
(or, for the SEC, guidance), institutions may continue to use notices 
containing these clauses, so long as these notices comply with the 
privacy rule.\8\
---------------------------------------------------------------------------

    \7\ See privacy rule, section ----.6(c)(5), NCUA section 
716.6(e)(5).
    \8\ See infra section IV.
---------------------------------------------------------------------------

    The following section briefly summarizes the key features of the 
final model form and the changes to the proposed form. A detailed 
discussion of the elements of the final model form appears in section 
III.
1. The Structure
    The final model form has two pages, rather than the three pages in 
the proposed form, and may be printed on a single piece of paper.\9\ 
Together, pages one and two address the legal requirements of 
applicable Federal financial privacy laws and are designed to increase 
consumer comprehension. The Agencies are not mandating a specific paper 
size in the final model form as long as the paper is in portrait 
orientation and sufficient to accommodate minimum font size, spacing, 
and content requirements.
---------------------------------------------------------------------------

    \9\ For ease, the Appendix provides three versions of the final 
model form: (1) Model form with no opt-out; (2) model form with 
telephone and Web opt-out only; and (3) model form that includes a 
mail-in opt-out form. An alternative mail-in form (version 4) may be 
substituted for the mail-in portion of the model form in version 3. 
For those institutions that use the model form and need to provide a 
mail-in opt-out form, the reverse side to that opt-out form must not 
include any content of the model form. See F.4 of the Frequently 
Asked Questions for the Privacy Regulation, available at http://www.ftc.gov/privacy/glbact/glb-faq.htm (Dec. 2001) (staff guidance 
issued by the Board, FDIC, FTC, OCC, OTS, and NCUA) (stating that a 
consumer generally should be able to detach a mail-in opt-out form 
from a privacy notice without removing text from the privacy 
policy).
---------------------------------------------------------------------------

2. Page One--Background Information, the Disclosure Table, and Opt-Out 
Information
    Page one of the final model form has five parts: (1) The title; (2) 
an introductory section called the ``key frame'' which provides context 
to help the consumer understand the required disclosures; (3) a 
disclosure table that describes the types of sharing used by financial 
institutions consistent with Federal law, which of those types of 
sharing the institution actually does, and whether the consumer can 
limit or opt out of any of the institution's sharing; (4) only if 
needed, a box titled ``To limit our sharing'' for opt-out information; 
and (5) the institution's customer service contact information. Where 
the institution provides a mail-in

[[Page 62892]]

opt-out form, that form appears at the bottom of page one.
    There are three significant changes on page one of the final model 
form.\10\ First, the ``What?'' box has been modified to permit 
institutions to select from a menu of terms the types of information 
collected and shared (other than Social Security number). Second, 
information (if needed) about how to limit sharing or opt out follows 
the disclosure table. If the institution provides a mail-in opt-out 
form, that form appears at the bottom of page one. Third, the final 
model form includes at the top of the page in the right-hand corner the 
date by month and year of the most recent version of the notice. 
Institutions may include at the bottom of page one a ``tagline'' (an 
internal identifier) or barcode for information internal to the 
company, so long as these do not interfere with the clarity or text of 
the form.\11\
---------------------------------------------------------------------------

    \10\ See infra section III.I.
    \11\ See, e.g., comment letters of T. Rowe Price Associates, 
Inc. (May 29, 2007); Wolters Kluwer Financial Services (May 24, 
2007).
---------------------------------------------------------------------------

3. Page Two--Supplemental Information
    As in the proposed model form, the second page of the final model 
form provides additional explanatory information that, in combination 
with page one, ensures that the notice includes all elements described 
in the GLB Act as implemented by the privacy rule. There is 
supplemental information in the form of Frequently Asked Questions 
(``FAQs'') \12\ at the top and definitions below. There are three 
significant changes to the disclosures on page two of the final 
form.\13\ First, a new FAQ appears at the top of page two that can be 
used to identify those institutions that jointly provide the notice. 
Second, the FAQ on the collection of information has been modified to 
allow institutions to select from a menu of terms. Third, a new box has 
been provided at the bottom of page two titled ``Other important 
information.'' This box can be used in only two ways: (1) to discuss 
state and/or international privacy law requirements; and (2) to provide 
an acknowledgment of receipt form.\14\
---------------------------------------------------------------------------

    \12\ Note that a financial institution must insert its name or a 
common corporate identity as indicated in the two questions in this 
section each time that ``[name of financial institution]'' appears. 
The revised form has eliminated the FAQ ``How does [name of 
financial institution] notify me about its practices.''
    \13\ See infra section III.J.
    \14\ This use was provided in response to a request by the 
National Automobile Dealers Ass'n, whose members routinely ask 
customers to sign an acknowledgment of receipt on a copy of the 
dealer's privacy notice and retain this record verifying delivery of 
the notice. Comment letter of the National Automobile Dealers Ass'n 
(May 29, 2007).
---------------------------------------------------------------------------

II. Background

A. The Gramm-Leach-Bliley Act Privacy Notices

    Subtitle A of title V of the GLB Act, captioned ``Disclosure of 
Nonpublic Personal Information,'' \15\ requires each financial 
institution to provide a notice of its privacy policies and practices 
to its customers who are consumers.\16\ In general, the privacy notice 
must describe a financial institution's policies and practices with 
respect to disclosing nonpublic personal information about a consumer 
to both affiliated and nonaffiliated third parties.\17\ The notice also 
must provide a consumer a reasonable opportunity to direct the 
institution generally not to share nonpublic personal information \18\ 
about the consumer (that is, to ``opt out'') with nonaffiliated third 
parties other than as permitted by the statute (for example, sharing 
for everyday business purposes, such as processing transactions and 
maintaining customers' accounts, and in response to properly executed 
governmental requests).\19\ The privacy notice must provide, where 
applicable under the Fair Credit Reporting Act (``FCRA''), a notice and 
an opportunity for a consumer to opt out of certain information sharing 
among affiliates.\20\
---------------------------------------------------------------------------

    \15\ Codified at 15 U.S.C. 6801-6809.
    \16\ 15 U.S.C. 6803(a). A ``customer'' means a consumer who has 
a ``customer relationship'' with a financial institution. Privacy 
rule, section ----.3(h), SEC section 248.3(j), CFTC section 
160.3(k), NCUA section 716.3(n). A ``consumer'' is ``an individual 
who obtains, from a financial institution, financial products or 
services which are to be used primarily for personal, family, or 
household purposes, and also means the legal representative of such 
an individual.'' 15 U.S.C. 6809(9); privacy rule, section ----.3(e), 
SEC section 248.3(g)(1), CFTC section 160.3(h)(1). Financial 
institutions are required to provide an initial notice to their 
customers and a notice annually thereafter for as long as the 
customer relationship continues. 15 U.S.C. 6803(a); Privacy rule, 
sections ----.4 and ----.5. Institutions are also required to 
provide to their non-customer consumers a notice if the institution 
discloses nonpublic personal information outside the exceptions in 
sections ----.14 and ----.15 before any such disclosure is made. 15 
U.S.C. 6802(a); privacy rule, sections ----.4.
    \17\ 15 U.S.C. 6803(a)-(c).
    \18\ ``Nonpublic personal information'' is generally defined as 
personally identifiable financial information provided by a consumer 
to a financial institution, resulting from any transaction or any 
service performed for the consumer, or otherwise obtained by the 
financial institution. See 15 U.S.C. 6809(4); privacy rule, sections 
----.3(n) and (o), SEC sections 248.3(t) and (u), CFTC sections 
160.3(t) and (u).
    \19\ 15 U.S.C. 6802; privacy rule, sections ----.14 and ----.15.
    \20\ 15 U.S.C. 1681a(d)(2)(A)(iii) (FCRA); 15 U.S.C. 6803(c)(4) 
(GLB Act).
---------------------------------------------------------------------------

    The privacy rule requires a financial institution to provide a 
privacy notice to its customers no later than when a customer 
relationship is formed and annually thereafter for as long as the 
relationship continues. The notice must accurately reflect the 
institution's information collection and disclosure practices and must 
include specific information.\21\
---------------------------------------------------------------------------

    \21\ See sections--.4,--.5, and --.6 of the privacy rule.
---------------------------------------------------------------------------

    The privacy rule does not prescribe any specific format or 
standardized wording for these notices. Instead, institutions may 
design their own notices based on their individual practices provided 
they comply with the law and meet the ``clear and conspicuous'' 
standard in the statute and the privacy rule.\22\ The Appendix to each 
privacy rule contains Sample Clauses that institutions may use in 
privacy notices to satisfy the privacy rule.
---------------------------------------------------------------------------

    \22\ 15 U.S.C. 6802, 6803; privacy rule, section --.3(b), SEC 
section 248.3(c), CFTC section 160.3(b)(1).
---------------------------------------------------------------------------

    Financial institutions were required to provide privacy notices to 
their customers by July 1, 2001.\23\ Many notices provided to consumers 
were long and complex. Because the privacy rule allows institutions 
flexibility in designing their privacy notices, notices have been 
formatted in various ways and as a result have been difficult to 
compare, even among financial institutions with identical 
practices.\24\ The Agencies first explored issues related to the 
complexity of privacy notices in a workshop held in December 2001.\25\
---------------------------------------------------------------------------

    \23\ See, e.g., Privacy of Consumer Financial Information, 65 FR 
35162 (June 1, 2000). The CFTC was added by Section 5g of the 
Commodity Exchange Act, 7 U.S.C. 7b-2 (as amended by the Commodity 
Futures Modernization Act of 2000), on December 21, 2000, and 
privacy notices were required to be delivered to consumers by March 
31, 2002. Privacy of Consumer Financial Information, 66 FR 21236 
(Apr. 27, 2001).
    \24\ See Rulemaking Petition from Public Citizen, et al., at 4 
(July 26, 2001) (available at http://www.ftc.gov/bcp/workshops/glb/comments/nader.pdf) (``Public Citizen Petition'') (stating that 
notices were ``dense,'' ``complicated,'' and written by those 
trained in obfuscation rather than to express ideas clearly).
    \25\ See Get Noticed: Writing Effective Financial Privacy 
Notices, Interagency Public Workshop (Dec. 4, 2001) (``Get Noticed 
Workshop''). Workshop transcripts and other supporting documents are 
available at http://www.ftc.gov/bcp/workshops/glb/index.html. The 
Get Noticed Workshop, discussed in the preamble to the Proposed 
Rule, supra note 4 at n.14, provided a public forum to consider how 
financial institutions could provide more useful privacy notices to 
consumers.
---------------------------------------------------------------------------

    On December 30, 2003, the Agencies published an Advance Notice of 
Proposed Rulemaking to Consider Alternative Forms of Privacy Notices 
Under the Gramm-Leach-Bliley Act (``ANPR'') to solicit public comment 
on

[[Page 62893]]

a wide range of issues related to improving privacy notices.\26\ The 
ANPR stated that the Agencies expected that consumer testing would be a 
key component in the development of any specific proposals.\27\
---------------------------------------------------------------------------

    \26\ See Interagency Proposal to Consider Alternative Forms of 
Privacy Notices Under the Gramm-Leach-Bliley Act, 68 FR 75164 (Dec. 
30, 2003), available at http://www.ftc.gov/os/2003/12/031223anprfinalglbnotices.pdf. The Agencies sought, for example, 
comment on issues associated with the format, elements, and language 
used in privacy notices that would make the notices more accessible, 
readable, and useful, and whether to develop a model privacy notice 
that would be short and simple.
    \27\ Id. at text following n.5.
---------------------------------------------------------------------------

    During January and February 2004, the Agencies met with a number of 
interested groups and individuals to discuss the issues raised in the 
ANPR and subsequently received forty-four comments in response to the 
ANPR.\28\ While commenters expressed a variety of views on the 
questions posed in the ANPR, many commenters agreed that the Agencies 
should conduct consumer testing before proposing any alternative 
privacy notice.
---------------------------------------------------------------------------

    \28\ Summaries of the outside meetings and public comments to 
the ANPR are available at http://www.ftc.gov/privacy/privacyinitiatives/financial_rule_inrp.html.
---------------------------------------------------------------------------

B. Development of the Proposed Model Privacy Form

    Over the years during which GLB Act privacy notices have been 
delivered to consumers, the Agencies have observed wide variations in 
these notices. Today, privacy notices vary considerably--not just in 
format, presentation, language, length, style, or tone--but also in how 
they inform consumers of their rights to limit certain sharing of 
personal information. For example, the Agencies have found the 
following variations in current privacy notices. Some institutions 
incorporate privacy notices into lengthy terms and conditions 
statements, making it harder for consumers to find information about 
the institution's privacy practices, and raising questions about 
whether such notices comply with the requirement that they be clear and 
conspicuous. Institutions also use messages in their notices' opening 
statements about how they value privacy and strive to ``protect'' 
personal information, thus providing assurances to consumers that imply 
their personal information is not shared broadly, while obscuring or 
directing attention away from the required disclosures of actual 
information sharing practices. Finally, the Agencies have seen a number 
of institutions employ the statement in their privacy policy ``We do 
not sell your information to third parties'' in a context that raises 
concerns about misrepresentations.\29\
---------------------------------------------------------------------------

    \29\ In some cases, the Agencies have identified notices that 
violate the privacy rule. For example, one institution's privacy 
notice did not include an opt-out form, but provided that consumers 
could only obtain an opt-out form by visiting a bank office, in 
violation of sections --.7(h), --.9(a), and --.10(a)(1) of the 
privacy rule. Another notice provided that consumers could only opt 
out by writing a letter to the institution, in violation of section 
--.7(a)(1) of the privacy rule. Offering only these very restrictive 
methods of obtaining an opt-out form and opting out also is not 
supported by the examples in the privacy rule. See sections 
--.7(a)(2), --.9(b), and --.10(a)(3) of the privacy rule.
---------------------------------------------------------------------------

    These examples illustrate the need to make disclosure of 
institutions' information sharing practices and consumer choices more 
transparent and underscore the Agencies' interest in initiating a joint 
consumer research project to develop an easy-to-read and understandable 
model privacy notice for consumers.
    In the summer of 2004, six of the Agencies \30\ launched a project 
to fund consumer research (``Notice Project''). Their goals were to 
identify barriers to consumer understanding of current privacy notices 
and to develop an alternative privacy notice, or elements of a notice, 
that consumers could more easily use and understand compared to current 
notices. The Agencies conducted the consumer research in two sequential 
phases.\31\
---------------------------------------------------------------------------

    \30\ The six agencies that initially sponsored the Notice 
Project were the Board, FDIC, FTC, NCUA, OCC, and SEC. The OTS 
joined the Notice Project for the phase two quantitative testing. 
Information related to the Notice Project is available at http://www.ftc.gov/privacy/privacyinitiatives/financial_rule_inrp.html.
    \31\ The first phase was designed as qualitative testing or form 
development research. This research involved a series of in-depth 
individual consumer interviews to develop an alternative privacy 
notice that would be easier for consumers to use and understand. The 
second phase was designed as quantitative testing, to test the 
effectiveness of the alternative privacy notice developed in phase 
one among a larger number of consumers.
---------------------------------------------------------------------------

    In September 2004, the Agencies selected Kleimann Communication 
Group, Inc. (``Kleimann'') as their contractor for the phase one form 
development research. The research objectives of the Notice Project 
included designing a privacy notice that consumers could understand and 
use, that facilitated comparison of sharing practices and policies 
across institutions, and that addressed all relevant legal requirements 
of the GLB Act and FCRA.
    The form development phase culminated in an extensive research 
report prepared by Kleimann and released by the Agencies in March 2006 
(the ``Kleimann Report'').\32\ The Kleimann Report details the process 
by which the Agencies and Kleimann developed an alternative privacy 
notice. The structure, content, ordering of the text information, and 
title of the proposed model form all reflect the research findings from 
the qualitative consumer testing.
---------------------------------------------------------------------------

    \32\ See Kleimann Communication Group, Inc., Evolution of a 
Prototype Financial Privacy Notice: A Report on the Form Development 
Project (Feb. 28, 2006) (``Kleimann Report''). For a copy of the 
full report, go to http://www.ftc.gov/privacy/privacyinitiatives/ftcfinalreport060228.pdf. For the executive summary, go to http://www.ftc.gov/privacy/privacyinitiatives/FTCFinalReportExecutiveSummary.pdf.
---------------------------------------------------------------------------

    In October 2006, Congress passed the Regulatory Relief Act, which 
directed the Agencies to propose a model form based on standards 
similar to the Notice Project research goals. On March 29, 2007, the 
Agencies issued for public comment the proposed model form as produced 
in the form development phase with some minor revisions.

C. Overview of Comments Received

    The Agencies collectively received approximately 110 unique 
comments from a variety of banks, thrifts, credit unions, credit card 
companies, securities firms, insurance companies, and industry trade 
associations, as well as from consumer and other advocacy groups, the 
National Association of Attorneys General (``NAAG''), the National 
Association of State Insurance Commissioners (``NAIC''), and individual 
consumers.\33\
---------------------------------------------------------------------------

    \33\ Comments received by all the Agencies are available at 
http://www.ftc.gov/privacy/privacyinitiatives/financial_rule_inrp.html. Many commenters sent copies of the same letter to more 
than one agency. Some association commenters sent several letters, 
both individually and jointly with other associations.
---------------------------------------------------------------------------

    A number of institutions expressed support for the model form. Some 
stated that they are either already using it (submitting copies of 
their notices) or intend to use it once it is finalized. One industry 
association conducted an informal poll of its community bank members 
and found that many are likely to use the model form and that most 
found the new form more consumer-friendly than the Sample Clauses. 
These commenters commended the Agencies for proposing simpler language 
and making the disclosure terms more understandable and accessible to 
consumers.
    Consumer and other advocacy groups, the NAIC, NAAG, and individual 
consumers generally supported the Agencies' proposal and the clearer 
language and omission of extraneous information in the proposed model 
form. These commenters stated that the proposal could be strengthened 
in certain respects, for example, by making

[[Page 62894]]

the default opt-in rather than opt-out and creating a one-stop opt-out 
repository similar to the National Do Not Call Registry.
    There was general support by many commenters for additional 
consumer research and testing. While some industry commenters provided 
substitute language or submitted alternate forms of the notice, none 
submitted other research findings. However, the NAIC submitted a 
consumer study on notices with research findings that the Agencies did 
consider.
    Most industry commenters, however, objected to several key aspects 
of the proposal. The most significant areas of concern raised by 
industry commenters related to: The standardized approach; the format 
of the proposed model form; the limited examples of types of personal 
information collected and shared; the disclosure table; incorporation 
of state law information; and revocation of the Sample Clauses. The 
thrust of many industry comments was that the proposed form was overly 
simplistic and not nuanced enough to describe precisely what the 
various laws permit or to allow accurate descriptions of more complex 
information sharing policies and practices. One commenter expressed 
concern that the form would lead to consumer confusion because of 
inaccurate disclosures on sharing practices and result in high opt-out 
rates, discouraging use of the form. Many industry commenters expressed 
concern about liability under state unfair or deceptive practice laws 
relating to privacy disclosures. At the same time, many institutions 
urged flexibility to allow inclusion of other information--such as 
describing the benefits of sharing, or providing marketing messages or 
privacy tips such as on identity theft and fraud prevention. One 
institution proposed allowing institutions to pick and choose which 
elements of the notice to use and still receive a safe harbor.

D. Quantitative Research

    Following publication of the model form proposal in March 2007 and 
subsequent review of the comments, the Agencies revised the proposed 
model form for further testing.\34\ In the fall of 2007, the Agencies 
turned their attention to developing the research protocol and 
methodology for conducting the second phase of the research: The 
quantitative consumer testing. In August 2006, prior to enactment of 
the Regulatory Relief Act, the Agencies had selected Macro 
International Inc. (``Macro'') to conduct the quantitative research 
study.
---------------------------------------------------------------------------

    \34\ See Mall Intercept Study of Consumer Understanding of 
Financial Privacy Notices: Methodological Report, submitted by Macro 
International Inc. (``Macro Report''), Appendix C, for copies of the 
test notices. The Macro Report is available at: http://www.ftc.gov/privacy/privacyinitiatives/Macro-Report-on-Privacy-Notice-Study.pdf. 
See also infra section III for a discussion about the changes made 
to the final model form since the Proposed Rule was issued for 
comment.
---------------------------------------------------------------------------

    In the spring of 2008, Macro conducted a survey of approximately 
1,000 consumers using a mall-intercept methodology. The selected 
participants for the study reflected a range of demographic 
characteristics for gender, age, and educational level. The testing was 
conducted in five shopping mall locations--Baltimore, MD; Dallas, TX; 
Detroit, MI; Los Angeles, CA; and Springfield, MA--over a period of 
five weeks during March and April 2008.\35\
---------------------------------------------------------------------------

    \35\ Macro provided the test data to the Agencies in the summer 
of 2008 and its research methodology report in September. The study 
data and codebook are available at: http://www.ftc.gov/privacy/privacyinitiatives/Privacy-Notice-Study-Dataset.pdf and http://www.ftc.gov/privacy/privacyinitiatives/Privacy-Notice-Study-Codebook.pdf.
---------------------------------------------------------------------------

    The test objectives were to evaluate the effectiveness of the 
revised proposed model form \36\ developed by Kleimann (``Table 
Notice'') for comprehension and usability as compared to three other 
styles or formats of notices. The other notice formats were: (1) The 
prose version of the prototype table notice also developed and tested 
by Kleimann (``Prose Notice''); (2) a current version of a common 
notice used by financial institutions (``Current Notice''); and (3) a 
notice comprised solely of the Sample Clauses found in the appendix to 
the privacy rule (``Sample Clause Notice''). Within each format, there 
were three different notices, each reflecting a different level of 
sharing. Each level of sharing had a common fictional bank name across 
the four notice formats: Mars Bank had a low level of sharing; Mercury 
Bank had a medium level of sharing; and Neptune Bank had the highest 
level of sharing. Both Mercury and Neptune Banks offered opt-out 
choices; however, the pattern of sharing was such that after exercising 
all available opt-outs, Neptune Bank continued to share more broadly 
than Mercury Bank and Mercury Bank continued to share more than Mars 
Bank. This design was intentional for the comparison testing.\37\
---------------------------------------------------------------------------

    \36\ The proposed model form was revised based on the comments 
received, and a version of that revised form was used in the 
quantitative testing.
    \37\ Study participants were randomly assigned to see one of the 
four notice formats. Each participant read three privacy notices in 
the same format and was asked a series of questions, first about one 
pair of notices, and next about a second pair of notices, with one 
of the three notices used twice in each round. The order and 
repetition of the notices were rotated among the participants so 
that the same notice was not always viewed twice. Participants 
answered additional questions about the notices and their attitudes 
on information sharing. The interview sought information about 
participants' choice of a bank based solely on the notice content; 
responses to factual questions, such as which of two banks shared 
more or whether any of the banks offered an opportunity to limit or 
opt out of sharing; performance of a task, such as determining which 
bank shared more after exercising all options to limit or opt out of 
sharing; and responses to questions about their attitudes toward the 
use and sharing of their information. See Macro Report, supra note 
34, Appendix A.
---------------------------------------------------------------------------

    On December 15, 2008, two expert advisors to the Agencies, Dr. Alan 
Levy and Dr. Manoj Hastak, submitted a report to the Agencies analyzing 
the research data provided by Macro (the ``Levy-Hastak Report'').\38\ 
The Levy-Hastak Report confirmed the overall effectiveness of the 
proposed model form (as modified) as against the three alternative 
notice formats. On April 15, 2009, the SEC published the Levy-Hastak 
Report, along with the Macro Report and test data, for public comment. 
The SEC received nine comments.\39\
---------------------------------------------------------------------------

    \38\ See http://www.ftc.gov/privacy/privacyinitiatives/Levy-Hastak-Report.pdf.
    \39\ See http://www.sec.gov/comments/s7-09-07/s70907.shtml.
---------------------------------------------------------------------------

    The Levy-Hastak Report examined two measures on how effectively the 
notices communicated information: (1) Judgment quality; and (2) 
perceptual accuracy.\40\ According to the Report, judgment quality 
focused on the extent to which study participants could provide 
logical, defensible reasons for choosing one bank over the other based 
solely on the notice. Perceptual accuracy focused on the ability of the 
participants to recognize accurately the differences between the banks 
in information collection and sharing practices, in opt-out choices, 
and in relative sharing after all opt-out choices were exercised.\41\
---------------------------------------------------------------------------

    \40\ Levy-Hastak Report at 7-14.
    \41\ Id. at 4-5.
---------------------------------------------------------------------------

    The Levy-Hastak Report concluded that, overall, the Table Notice 
outperformed the other notices.\42\ The Table Notice performed 
particularly well on difficult tasks \43\ while the Current Notice 
performed poorly on all measures. While the Sample Clause Notice 
performed well on simple tasks,

[[Page 62895]]

about equal to the Table and Prose notices, it performed significantly 
less well than the Table Notice on measures of judgment quality.\44\ 
The Report concluded that the table format is likely a key explanation 
for the improvement in comprehension demonstrated by the study 
participants who saw the Table Notice as compared to those who saw the 
other notice styles--especially for difficult perceptual accuracy 
tasks.\45\
---------------------------------------------------------------------------

    \42\ Id. at 16.
    \43\ Id. at 17. According to the Report, an example of a 
difficult task was: Participants were asked to assume that they had 
limited or opted out of all possible sharing for both banks; based 
on that assumption, respondents were asked whether one bank shared 
more personal information than the other or whether both banks 
shared information equally. An example of an easy task was: Using 
the notice, participants were asked to identify how they could tell 
the bank that they wanted to limit or opt out of sharing personal 
information.
    \44\ Levy-Hastak Report at 9-10.
    \45\ Levy-Hastak Report at 17.
---------------------------------------------------------------------------

    While the notice format significantly affected participants' 
ability to comprehend and compare the notices, the testing showed that 
participants' general attitudes about the sharing of their personal 
information were not affected by the notices they saw.\46\ Following 
the two rounds of questions on the content of, and comparison between, 
the notices, the study participants were asked to rate their attitudes 
in general toward information sharing, for example, sharing with 
affiliated banks and with nonaffiliated banks. The results showed that 
participants' attitudes were about the same across the four notice 
formats.\47\
---------------------------------------------------------------------------

    \46\ Id. at 15.
    \47\ Id. Study participants generally did not like their 
information being shared with either affiliates or with 
nonaffiliates.
---------------------------------------------------------------------------

    The Levy-Hastak Report analyzed two specific areas where the Table 
Notice seemed to perform less well than the other notices. First, the 
Report described an anomaly with respect to responses to the question 
[Q. 19/30]: ``Which of these two banks gives you the opportunity to 
limit or to opt out of the sharing of your personal information?'' \48\ 
Generally participants identified the bank or banks that provided an 
opt-out. However, some participants who saw the Table and Prose notices 
selected Mars Bank, the one that shared the least and offered no opt-
out option. Because answering ``Mars Bank'' was identified as an 
incorrect answer, the Current and Sample Clause notices out-performed 
the Table and Prose notices on this question.
---------------------------------------------------------------------------

    \48\ See id. at 12-14.
---------------------------------------------------------------------------

    In contrast, the Table and Prose notices out-performed the other 
two notices on the most difficult task in the test. In this task, 
participants were asked to assume that they had exercised all possible 
options to limit or to opt out of sharing and then to identify which 
bank shared more. Here, the Table and Prose notices significantly out-
performed the other notices. More participants who saw the Table and 
Prose notices correctly gave as their answer the higher sharing bank. 
This result suggests that participants who saw the Table and Prose 
notices did understand which bank(s) offered an opportunity to limit or 
to opt out of their sharing.
    In analyzing this discrepancy, the Levy-Hastak Report observed that 
the simpler question had two different, yet accurate, responses, 
depending on how participants interpreted the question. Some of the 
participants might have understood the question to apply at the point 
of choosing between the two bank notices; those participants selected 
the lower sharing bank. In contrast, other participants might have 
understood the question to mean: Which bank lets me opt out of sharing 
personal information once I am doing business with the bank. The second 
interpretation was the intended meaning of the question. Drs. Levy and 
Hastak hypothesized that some participants who saw the Table and Prose 
notices understood the question to have the first meaning, while other 
participants, particularly those who saw the Sample Clause and Current 
notices, understood the question to have the second meaning.\49\
---------------------------------------------------------------------------

    \49\ Significantly, unlike the Sample Clause and Current 
notices, neither the Table nor the Prose notice uses the word ``opt-
out'' in the model form; rather, these forms refer to ``limiting 
sharing.'' This word choice was intentional to help consumers 
understand that some sharing is necessary and that consumers cannot 
stop all sharing--a concept that consumers who knew the term equated 
with ``opt-out.'' See Kleimann Report, supra note 32, at 101-108. 
Because the Table and Prose notices did not use the word ``opt-
out,'' participants using these notices did not have that word as a 
visual ``cue'' when they were asked the question.
---------------------------------------------------------------------------

    To test this hypothesis, Drs. Levy and Hastak examined the pattern 
of factual mistakes that participants made when they answered a 
separate set of questions.\50\ There, study participants were asked in 
Q. 16/27 why they preferred one bank over the other, based solely on 
the notice. Some participants who selected a bank that shared 
relatively little information and did not offer an opt-out stated that 
this bank offered more opportunity to limit or to opt out of sharing 
than the higher sharing bank, which was labeled a ``false opt-out 
mistake'' in the Report. The Report found that participants who saw the 
Table and Prose notices were on average almost three times as likely to 
make the false opt-out mistake as those who saw the Current and Sample 
Clause notices.\51\
---------------------------------------------------------------------------

    \50\ The Report also examined a second mistake: Where 
participants selected the lower sharing bank when they were asked to 
identify which bank shared more (labeled a ``false sharing 
mistake''). See Levy-Hastak Report at 9. In that case, there was not 
an unusual pattern in the distribution of responses. Rather, the 
Report found that the study participants who made this mistake were 
equally distributed across all four notice styles. Id. at 13.
    \51\ Id.
---------------------------------------------------------------------------

    This finding supports the hypothesis that users of the Table and 
Prose notices who selected the lower sharing bank in response to Q. 19/
30 understood the question in its first meaning: They selected a bank 
that gave them an opportunity to limit or opt out of sharing at the 
time of choosing between the two bank notices. Under that 
interpretation, these participants could limit sharing by selecting the 
bank that shared less information. Thus the Levy-Hastak Report's 
analysis of the false opt-out mistake pattern in Q. 16/27 is consistent 
with their hypothesis regarding the responses to Q. 19/30. In addition, 
the Report found that the educational level of the study participants 
produced a significant effect only on the responses to the opt-out 
question, with better educated participants more likely to answer the 
question in the intended manner.\52\ This finding is also consistent 
with the Report hypothesis that participants who saw the Table and 
Prose notices understood the question in two different, yet equally 
correct ways, unlike those who saw the Sample Clause and Current 
notices.
---------------------------------------------------------------------------

    \52\ Id. at 13-14.
---------------------------------------------------------------------------

    The Table Notice also seemed to perform less well in a second, 
unrelated area. Specifically, all the test notices provided only two 
methods for consumers to opt out of or limit sharing: Use of a toll-
free telephone number or access to the opt-out on the institution's Web 
site. When study participants were asked to identify which contact 
modes were identified in the notice as ways to limit or opt out of 
sharing, they correctly identified the two modes more frequently when 
using the Sample Clause Notice than the Table, Prose, and Current 
notices.
    Noting that this type of question appears to invite skimming the 
notice to find the answer quickly and easily, the Levy-Hastak Report 
examined the great variability in notice length and found that the 
Sample Clause Notice was significantly shorter than any of the other 
notices. The Levy-Hastak Report observed that the shortness of the 
Sample Clause Notice may have made it easier for participants to scan 
the notice and find the answer to this question. The Report opined that 
notice length likely has an effect on scanability and reading ease.\53\
---------------------------------------------------------------------------

    \53\ Levy-Hastak Report at 14. In addition, the use of check 
boxes in the design of the opt-out section of the Table and Prose 
notices (a carry-over from the original mail-in format of the 
proposed model form) appeared to confuse some participants when they 
were asked this question. The responses recorded for these two 
notices reflected a somewhat higher number of ``other'' responses, 
even though all the notices offered the same two options. Macro 
reported anecdotally that a number of participants who viewed the 
Table and Prose notices reported ``check this box'' as one of the 
methods offered to opt out or limit sharing--a response that was 
recorded as ``other.''

---------------------------------------------------------------------------

[[Page 62896]]

    While the Levy-Hastak Report findings confirmed the overall 
effectiveness of the Table Notice,\54\ the Report's analysis prompted 
the Agencies to consider a further refinement to the proposed model 
form. The change, discussed in more detail later, was to modify the 
opt-out section of the model form to place the opt-out information on 
page one directly following the disclosure table so that all the key 
information appears on that page. \55\ The Agencies considered this 
change to facilitate quick scanning for important information without 
sacrificing the model form's performance in other respects. To ensure 
that locating the opt-out information on page one worked from a 
usability perspective, the Agencies decided to conduct validation 
testing which led to separate formats for the telephone and Internet 
opt-out and for the mail-in opt-out that the Agencies are adopting.
---------------------------------------------------------------------------

    \54\ Id. at 17.
    \55\ Some commenters had urged the Agencies to consolidate the 
model form on two sides of a single piece of paper, and a few 
suggested that the Agencies consider moving the opt-out to page one. 
See, e.g., comment letters of Securities Industry and Financial 
Markets Ass'n (May 29, 2007); World's Foremost Bank (May 25, 2007); 
World Financial Network National Bank (May 29, 2007); World 
Financial Capital Bank (May 25, 2007).
---------------------------------------------------------------------------

E. Public Comments on the Quantitative Test Data

    Nine commenters representing insurance, securities, and financial 
services associations, a bank, and two investment advisers submitted 
comments in response to the SEC's solicitation for public comments on 
the quantitative testing. Most of the commenters re-stated their 
earlier general objections to the proposed model form. These concerns 
are addressed in section III.
    All but one of these commenters made general observations about the 
quantitative test methodology and the Levy-Hastak Report. Five 
commenters observed that the test notices were designed for banks and 
not for insurance companies or securities firms (i.e., broker-dealers, 
investment companies, or SEC-registered investment advisers), thereby 
omitting a significant portion of the financial services industry that 
provide these notices.\56\ Two commenters opined that the study 
participants' demographic characteristics did not reflect those 
consumers who will receive financial privacy notices.\57\ One expressed 
concern about the demographic diversity in the mall selections and 
questioned whether there was consistent coding of the open-ended 
responses.\58\ One commented that the testing criteria ruled out non-
English speaking participants.\59\
---------------------------------------------------------------------------

    \56\ See comment letters of American Council of Life Insurers 
(May 20, 2009), National Ass'n of Mutual Insurance Cos. (May 20, 
2009), American Insurance Ass'n (May 20, 2009), Investment Adviser 
Ass'n (May 20, 2009), The Financial Services Roundtable and BITS 
(May 20, 2009).
    \57\ See comment letters of National Ass'n of Mutual Insurance 
Cos. (May 20, 2009); The Financial Services Roundtable and BITS (May 
20, 2009).
    \58\ See comment letter of The Financial Services Roundtable and 
BITS (May 20, 2009).
    \59\ See id. The Agencies used a single form, printed in 
English, for simplicity in conducting the testing. We recognize that 
institutions can and do provide notices in a variety of other 
languages when their customers are non-English speaking. We 
anticipate that those institutions that use the final model form 
will continue to provide their notices in other languages to ensure 
that their non-English speaking customers can read and use the form. 
See also Transcript of Get Noticed Workshop, available at http://www.ftc.gov/bcp/workshops/glb/GLBtranscripts.pdf, comments of Irene 
Etzkorn (recognizing that banks do provide financial privacy notices 
in languages other than English); comments of Tena Friery (noting 
that the Privacy Rights Clearinghouse promotes notices and 
educational materials in other languages and that 80-100 different 
languages are spoken in Los Angeles alone).
---------------------------------------------------------------------------

    Some of the commenters disagreed with the Levy-Hastak Report's 
conclusion that the Table Notice outperformed the other notice formats. 
They opined that the Report's conclusion is flawed because: (1) The 
Sample Clause Notice did better on simpler tasks than the Table Notice; 
\60\ (2) the anomalies discussed in the Levy-Hastak Report may be due 
to other explanations; \61\ and (3) while the Table Notice's overall 
performance was better than the other notices, actual performance 
accuracy was relatively low.\62\ Several commented that the overly 
simplified and inflexible format of the Table Notice is not a true test 
of consumers' understanding of institutions' actual collection and 
disclosure practices.\63\ In addition, all commenters on the 
quantitative testing urged retention of the Sample Clauses and related 
safe harbor.
---------------------------------------------------------------------------

    \60\ See comment letters of American Insurance Ass'n (May 20, 
2009); National Ass'n of Mutual Insurance Cos. (May 20, 2009). While 
some commenters find greater virtue in the better performance of the 
Sample Clause Notice on only the simpler tasks or disagree with the 
Levy-Hastak Report's analyses, the evidence is compelling that the 
Table Notice performed better overall across all comprehension and 
comparison measures. See Levy-Hastak Report at 6.
    \61\ See comment letter of American Council of Life Insurers 
(May 20, 2009).
    \62\ Id.
    \63\ See, e.g., comment letter of The Financial Services 
Roundtable and BITS (May 20, 2009).
---------------------------------------------------------------------------

    The test notices for the quantitative study were created for 
fictitious banks, even though the model form can be used by any 
financial institution subject to the GLB Act and the privacy rule. 
Because the vast majority of consumers are familiar with or have 
experience with a bank, the Agencies used a notice designed for a bank 
to increase the likelihood that most of the test participants could 
readily understand the terms in the notice, such as ``account 
balances,'' ``income,'' or ``credit history,'' which describe 
information collected and shared by many banks, as well as by many 
other financial institutions.
    The Macro Report presented data on the demographic characteristics 
of the study participants recruited for the study. Participants at each 
mall were pre-selected for a representative mix based on gender, age, 
and education levels, and information on participants' race/ethnicity, 
income, and household size was obtained at the end of each 
interview.\64\ Since a significant majority of consumers in America 
receive a financial privacy notice--including from banks, credit 
unions, securities firms, insurance companies, auto dealers, debt 
collectors, and payday lenders--the Agencies wanted to ensure that a 
representative cross-section of consumers be included in the study.
---------------------------------------------------------------------------

    \64\ Macro Report, supra note 34, at 3 & Appendix B; Levy-Hastak 
Report at 2.
---------------------------------------------------------------------------

    The Agencies hired Macro as an outside independent expert to handle 
all aspects of the collection and reporting of the study data. Macro 
conducted all training of field staff, implemented a series of checks 
to ensure greater accuracy of the study data, reviewed, on an ongoing 
basis, all daily downloads of data from the field, and coded all of the 
open-end responses.\65\
---------------------------------------------------------------------------

    \65\ Macro Report, supra note 34, at 3-4.
---------------------------------------------------------------------------

    With respect to the comment that the accuracy of the study 
participants' responses overall was relatively low, the commenter cited 
the judgment quality measure of the participants' fact-based reasons 
for choosing the lower sharing bank.\66\ While the results showed that 
most consumers likely have a limited

[[Page 62897]]

understanding of information sharing practices after a brief exposure 
to any of the notice styles, nevertheless the Levy-Hastak Report 
confirms that overall the Table Notice out-performed the other notices 
and is the most effective notice of all the privacy notices tested.
---------------------------------------------------------------------------

    \66\ The commenter looked to the Table Notice score of 40.6% in 
Table 1 of the Levy-Hastak Report. Levy-Hastak Report at 12. This 
data evaluated how well study participants could explain their 
reasons for preferring one bank notice over another where they 
selected, as their preferred bank, the lower sharing bank. While the 
commenter pointed to a single measure in the Levy-Hastak Report, the 
Report relied on a number of accuracy measures that varied in 
difficulty level. See, e.g., id., Table 3 at 12.
---------------------------------------------------------------------------

    Finally, two commenters requested that if both the model privacy 
form and the SEC's proposed amendments to its privacy rule, Regulation 
S-P, were adopted, the SEC should coordinate the compliance dates so as 
to minimize the compliance burden and the potential for multiple 
revisions of an institution's privacy notice.\67\ The SEC appreciates 
institutions' desire to minimize revisions to their privacy notices and 
reduce the costs of compliance with its rules. However, the model 
privacy form the Agencies are adopting today is just that--a model--and 
no institution is required to use the model form. A financial 
institution that intends to use the model privacy notice and minimize 
potential costs, if any, related to revising its privacy notices in 
light of amendments to Regulation S-P could begin to use the model form 
after the compliance date of any final amendments to Regulation S-P.
---------------------------------------------------------------------------

    \67\ See Part 248-Regulation S-P: Privacy of Consumer Financial 
Information and Safeguarding Personal Information, Securities 
Exchange Act Release No. 57427, Investment Company Act Release No. 
28718 (Mar. 4, 2008) [73 FR 13692 (Mar. 13, 2008)]. See also comment 
letters of American Council of Life Insurers (May 20, 2009) and 
Investment Advisers Ass'n (May 29, 2007).
---------------------------------------------------------------------------

F. Validation Testing

    In revising the model form based on public comments and findings 
from the Levy-Hastak Report, the Agencies streamlined the form to 
consolidate the information on the front and back sides of a single 
piece of paper and moved the opt-out information to the bottom of page 
one. In December 2008, the Agencies engaged Kleimann to conduct 
validation testing to confirm that these changes would not affect the 
comprehension, usability, and design integrity of the model form. In 
particular, Kleimann's new research focused on the placement of the 
opt-out information on page one. Kleimann conducted targeted in-depth 
interviews in January and February 2009 to test, revise, and re-test 
the model form. On February 12, 2009, Kleimann submitted a report to 
the Agencies, ``Financial Privacy Notice: A Report on Validation 
Testing Results,'' with a revised opt-out form recommendation 
(``Kleimann Validation Report'').\68\
---------------------------------------------------------------------------

    \68\ http://www.ftc.gov/privacy/privacyinitiatives/validation.pdf.
---------------------------------------------------------------------------

    The validation testing examined various formats for displaying opt-
out information where the opt-out methods are by toll-free telephone 
number,\69\ the Internet, or a mail-in form. The validation testing 
confirmed the usability of the following changes to the proposed model 
form: (1) inserting a new box titled ``To limit our sharing'' below the 
disclosure table to inform consumers how they can limit sharing, such 
as by a toll-free telephone number or online; (2) replacing the 
``Contact Us'' box with a box titled ``Questions'' following the ``To 
limit our sharing'' box; and (3) as applicable, inserting a mail-in 
form at the bottom of the page, which would require a longer piece of 
paper.\70\
---------------------------------------------------------------------------

    \69\ See section --.7(a)(2)(ii)(D) of the privacy rule.
    \70\ Kleimann Validation Report, Appendix E. The Kleimann 
Validation Report found that the information for telephone or 
Internet options could be readily displayed on a standard 8[frac12] 
x 11-inch page, but the addition of a mail-in form required a longer 
piece of paper.
---------------------------------------------------------------------------

III. The Final Model Privacy Form

A. Standardization

    Like the proposed model privacy form, the final model form uses a 
standardized format. Some industry commenters expressed support for the 
standardized format, with one noting that standardized notices would 
serve as an effective means of allowing consumers to understand in a 
simple manner companies' information practices.\71\ Another commenter 
pointed to the success of the ``Schumer box,'' a standardized format 
that makes the disclosure of credit card terms more accessible to 
consumers.\72\
---------------------------------------------------------------------------

    \71\ Comment letter of The Direct Marketing Ass'n (May 29, 2007) 
(commenting that it has an automated software program that allows 
companies to create a customized privacy notice in a standardized 
format).
    \72\ See comment letter of Capital One Financial Corporation 
(May 29, 2007); see also 12 CFR 226.5a(a)(2)(i)-(ii).
---------------------------------------------------------------------------

    Privacy and advocacy groups and NAAG supported the proposed 
standardized format, recognizing the important findings of the research 
and the model form's structure--in particular the elements on page 
one--as benefiting both consumers and companies by making the 
disclosure information accessible.\73\
---------------------------------------------------------------------------

    \73\ See, e.g., comment letters of Center for Democracy and 
Technology (May 29, 2007); National Ass'n of Attorneys General (June 
14, 2007); Privacy Rights Clearinghouse (May 16, 2007). See also The 
Center for Information Policy Leadership (May 29, 2007) (recognizing 
that the proposed model form addresses the requirements of the GLB 
Act and that the research provided insight into what effectively 
communicates to consumers, including ``important information about 
how people learn about privacy, about the use of tables to 
facilitate comparisons across companies, and about the need to 
inform consumers about why they are receiving a privacy notice'').
---------------------------------------------------------------------------

    A number of industry commenters, however, objected to the 
standardized form, asserting variously that: It causes confusion; 
because it is an abrupt change in the way information-sharing practices 
are disclosed, it could cause consumers to believe that the institution 
is changing its policies; because the model form has too much 
boilerplate, it detracts from the ability to compare policies; and it 
makes the notice less clear. Others stated that the standardized form 
is too inflexible and does not accurately reflect institutions' 
financial practices or accurately describe the scope of consumers' 
rights. Several stated that the model form language does not adequately 
capture the complex privacy policies and practices of many 
institutions.
    Based on the statutory requirement that the Agencies propose ``a 
model form,'' the final model privacy form utilizes a standardized 
format.\74\ Moreover, as more fully discussed in the preamble to the 
Proposed Rule, the Agencies' research supports uniform disclosures to 
help consumers better understand companies' information sharing 
practices.\75\ We reaffirm that use of the model form is voluntary; 
institutions are not required to use it.
---------------------------------------------------------------------------

    \74\ Cf. Press Release, U.S. House of Representatives, Committee 
on Financial Services, Financial Services Committee Democrats Call 
for Simplified Privacy Notices, (July 25, 2003) available at: http://financialservices.house.gov/pr062503.html.
    \75\ See Proposed Rule, supra note 4 at text accompanying n.30. 
See also Janice Tsai, Serge Egelman, Lorrie Cranor, and Alessandro 
Acquisti, ``The Effect of Online Privacy Information on Purchasing 
Behavior: An Experimental Study,'' The 6th Workshop on the Economics 
of Information Society (WEIS) (June 2007) http://weis2007.econinfosec.org/papers/57.pdf (more accessible privacy 
information reduces information asymmetry between the merchant and 
the consumer as to the use of consumers' personal information; aids 
consumers in making informed choices; and demonstrates that 
consumers tend to purchase from merchants offering more privacy 
protection, including paying a premium for such a purchase).
---------------------------------------------------------------------------

B. Instructions for Use

    The General Instructions to the Model Privacy Form require that no 
additional information--other than what is specifically permitted--may 
be included in the model form in order to obtain the benefit of the 
safe harbor.\76\
---------------------------------------------------------------------------

    \76\ See Instruction C to the Model Privacy Form.
---------------------------------------------------------------------------

    A number of industry commenters objected to the Agencies' statement 
in the preamble to the Proposed Rule that the model form should not be 
incorporated into any other document.\77\

[[Page 62898]]

Some expressed concern that this would require the notice to be mailed 
separately.\78\ Several commenters stated that a private label or co-
branded credit card application incorporates the lender's privacy 
policy into a brochure with a tear-off application to make it easier 
for the store clerks to provide all required information in a single 
document.\79\ Others observed that the privacy notice is typically 
included in a single document with other important reference 
information.
---------------------------------------------------------------------------

    \77\ See, e.g., comment letters of American Council of Life 
Insurers (May 29, 2007); Investment Company Institute (May 29, 
2007); National Business Coalition on E-Commerce and Privacy (May 
30, 2007).
    \78\ See, e.g., comment letters of American Bankers Ass'n (May 
25, 2007); American Insurance Ass'n (May 29, 2007) Visa U.S.A., Inc. 
(May 29, 2007).
    \79\ See, e.g., comment letters of Consumer Bankers Ass'n (May 
29, 2009); National Retail Federation (May 29, 2007).
---------------------------------------------------------------------------

    Recognizing these concerns, the Agencies agree that institutions 
may incorporate the model form into another document, but they must do 
so in a way that meets all the requirements of the privacy rule and the 
model form instructions, including that: The model form must be 
presented in a way that is clear and conspicuous; \80\ it must be 
intact so that the customer can retain the content of the model form; 
\81\ and it must retain the same page orientation, content, format, and 
order as provided for in this Rule.
---------------------------------------------------------------------------

    \80\ The term ``clear and conspicuous'' is defined in the 
privacy rule at section --.3(b), SEC section 248.3(c), and includes 
as a requirement that the notice be designed to call attention to 
the nature and significance of the information in the notice. In 
addition, the privacy rule requires that consumers should reasonably 
be expected to receive the notice. See section --.9 of the privacy 
rule.
    \81\ Institutions that incorporate the model privacy form into 
other documents must take care that the customer's execution of 
other forms in the document will leave the model form intact.
---------------------------------------------------------------------------

C. Format of the Notice

    In response to numerous comments relating to the format of the 
proposed model form, the Agencies have revised certain of the 
requirements relating to paper size, orientation, number of pages, type 
size, and color and logo placements, as discussed below.
    Paper Size: To allow institutions greater flexibility, the final 
model privacy form may be printed on paper the size of which must be 
sufficient to meet the layout and minimum font size requirements with 
sufficient white space on the top, bottom, and sides of the 
content.\82\ Many industry commenters objected to the proposed 
requirement that the model form appear on 8\1/2\ by 11-inch size 
paper.\83\ Commenters stated that the proposed model form would require 
significant materials, postage, and production costs. Industry 
commenters explained that institutions use a variety of sizes and 
styles to present their privacy notices. Some institutions--
particularly credit card institutions--enclose their privacy notices 
with a billing or periodic statement or a bankcard carrier. Envelopes 
for certain of these statements or for multi-panel formats are smaller 
than 8\1/2\ inches and may not accommodate the proposed size.
---------------------------------------------------------------------------

    \82\ See Instruction B to the Model Privacy Form. The Agencies 
understand that most privacy policies provide for opting out by 
toll-free telephone or on the Internet. The paper size for those 
policies will likely be about 8\1/2\ x 11 inches. However, for those 
institutions that provide a mail-in opt-out form, the paper size 
will likely need to be longer, around 8\1/2\ x 14 inches, in order 
to accommodate the mail-in form.
    \83\ See, e.g., comment letters of Consumer Bankers Ass'n (May 
29, 2007); American Bankers Ass'n (May 25, 2007); Bank of America 
Corporation (May 29, 2007); Independent Community Bankers of America 
(May 29, 2007); Securities Industry and Financial Markets Ass'n (May 
29, 2007); Investment Company Institute (May 29, 2007); National 
Retail Federation (May 29, 2007); National Ass'n of Mutual Insurance 
Cos. (May 29, 2007); Credit Union National Ass'n (May 29, 2007).
---------------------------------------------------------------------------

    The Agencies have reviewed numerous financial institution privacy 
notices over the past eight years, many of which are printed on 
smaller-sized paper in a multi-panel, multi-fold display. The density 
of the small-font text, in addition to the complex legal language, make 
these notices very difficult to read or understand.\84\ The final 
requirement for paper size is designed to provide financial 
institutions with some flexibility, while prohibiting a paper size that 
is too small to accommodate the font and orientation requirements in 
the model form set forth below.
---------------------------------------------------------------------------

    \84\ See supra notes 24-25 and infra note 95.
---------------------------------------------------------------------------

    Orientation: Like the proposed model form, the final model privacy 
form must be printed in ``portrait'' orientation. Some institutions 
objected to this orientation, suggesting instead that institutions be 
permitted to design their own model form in other orientations, such as 
the commonly-used multi-fold display.\85\ According to these 
commenters, this landscape format has three or more ``pages'' of text 
visible on each side of the paper when the notice is fully opened. The 
size of the paper varies considerably, with some as small as 
approximately 7 by 11 inches before it is folded. In such a display, 
each ``page'' is approximately 3\1/3\ by 7 inches--considerably smaller 
than can accommodate the model form.\86\
---------------------------------------------------------------------------

    \85\ See, e.g., comment letters of National Retail Federation 
(May 29, 2007); Investment Advisers Ass'n (May 20, 2009); American 
Bankers Ass'n (May 25, 2007); Credit Union National Ass'n (May 29, 
2007). Some of these commenters pointed to the preamble language in 
the final privacy rule which states: ``The Agencies believe that in 
most cases the initial and annual disclosure requirements can be 
satisfied by disclosures contained in a tri-fold brochure.'' 65 FR 
33646, 33662 (May 24, 2000) (FTC); 65 FR 35162, 35175 (June 1, 2000) 
(banking agencies); (Regulation S-P) 65 FR 40334, 40347 (June 29, 
2000) (SEC). This statement was written in 2000 before the Agencies 
or institutions had any experience with the GLB Act privacy notices. 
In the intervening period, both the Agencies and institutions have 
learned much through their own testing about improved notice design 
and consumer comprehension. The impetus for the Agencies' consumer 
research, borne out by the research findings, is that the current 
notices, including those utilizing multi-fold formats, are not 
effective. Moreover, the important information on page one of the 
model form--including the context information and disclosure table--
could not be appropriately displayed in such a cramped format and 
still comply with the minimum space and font requirements of the 
model form.
    \86\ Examples provided by commenters included: 3.5 x 7.5 inches, 
printed double sided; 3.5 x 8; 7 x10.812 inches folded to 7 x 3.625 
inches; 7 x 3.5 inches (finished folded size). See, e.g., comment 
letter of National Retail Federation (May 29, 2007).
---------------------------------------------------------------------------

    The design of the model form does not lend itself to a multi-panel 
display. The utility of the form's design for reading ease depends in 
large measure on both larger, more readable type size and how the 
content is presented. While one commenter objected to the ``significant 
empty space'' in the model form,\87\ the guidance from communications 
experts and form designers is that appropriate white space between the 
text and margins, as well as the use of headings and bullets, make a 
more effective, readable notice.\88\ The table--the heart of the model 
form--cannot be squeezed into a tighter space or so reduced in size as 
to make it virtually unreadable. For these reasons, the Agencies do not 
agree that the orientation of the model form should be altered to 
accommodate a multi-panel display.
---------------------------------------------------------------------------

    \87\ See comment letter of Consumer Bankers Ass'n (May 29, 
2007).
    \88\ See supra note 25.
---------------------------------------------------------------------------

    Number of Pages: In response to numerous commenters, the 
instructions to the final model privacy form permit the form to be 
printed on two sides of a single piece of paper or on two single-sided 
sheets.\89\ By incorporating the opt-out information on the bottom of 
page one, the revised model form may now appear on the front and back 
of a single piece of paper.
---------------------------------------------------------------------------

    \89\ See Instruction B.2 to the Model Privacy Form.
---------------------------------------------------------------------------

    Industry commenters generally objected to the proposed requirement 
that the model form be printed only on one side of a page.\90\ Many 
raised environmental concerns and the increased costs associated with 
printing the notice on multiple pages.
---------------------------------------------------------------------------

    \90\ See, e.g., comment letters of American Insurance Ass'n (May 
29, 2007); Bank of America Corporation (May 29, 2007); Citigroup 
Inc. (May 30, 2007); National Retail Federation (May 29, 2007); 
Securities Industry and Financial Markets Ass'n (May 29, 2007).
---------------------------------------------------------------------------

    While the proposed single-sided model form was based on the initial

[[Page 62899]]

consumer research and testing, the Agencies believe that the concerns 
expressed by commenters justify double-sided printing. Moreover, the 
Agencies used double-sided printed notices in the quantitative and 
validation testing, with no demonstrable loss in effectiveness relative 
to the single-sided notice.\91\
---------------------------------------------------------------------------

    \91\ See Levy-Hastak Report at 15.
---------------------------------------------------------------------------

D. Appearance of the Model Privacy Form

    The Regulatory Relief Act requires that the model form ``use an 
easily readable type font.'' While a number of factors affect the 
readability of a document, as in the proposal, the final model privacy 
form must use: (1) 10-point font as the minimum font size (unless 
otherwise specified in the Instructions) and (2) sufficient spacing 
between the lines of type (leading).\92\
---------------------------------------------------------------------------

    \92\ While a variety of type styles would be suitable for the 
model notice, the Agencies caution institutions that use of 
idiosyncratic fonts or highly stylized typefaces will not meet the 
model form safe harbor standard. See Instruction B.3(a) to the Model 
Privacy Form.
---------------------------------------------------------------------------

    The Agencies separately provided optional guidance in the preamble 
to the Proposed Rule on readable type styles and other formatting 
suggestions for institutions. This optional guidance is not required; 
it was to assist institutions that want to provide more readable and 
attractive privacy notices to consumers. The Agencies are republishing 
this optional guidance in section III.E to assist interested 
institutions.
    Type Size: A number of commenters expressed various concerns about 
the proposed 10-point minimum font requirement.\93\ A few commenters 
noted that the proposed model form included several different type 
sizes for various parts of the model form and were confused about what 
type size(s) the Agencies proposed as a requirement.\94\ Other 
commenters raised concerns that a minimum type size requirement for the 
model form would conflict with state law mandated requirements. A few 
stated that a minimum font size is not legally required for the model 
form.
---------------------------------------------------------------------------

    \93\ See, e.g., comment letters of American Council of Life 
Insurers (May 29, 2007); National Business Coalition on E-Commerce 
and Privacy (May 30, 2007); National Retail Federation (May 29, 
2007); Financial Services Roundtable and BITS (May 29, 2007).
    \94\ The type size information in Example 3 in the preamble to 
the Proposed Rule identified the five type sizes used in various 
elements of the proposed form. This example was intended solely to 
show how key features of the form--such as headings--can be 
distinguished by using different font sizes to make the form more 
visually appealing. Contrary to some commenters' assumption, the 
different sizes were not a proposed requirement for users of the 
model form.
---------------------------------------------------------------------------

    Many of the criticisms about current notices are, in part, about 
the tiny print that make these notices so difficult for consumers to 
read.\95\ Based on the statutory directive, as well as the findings 
elicited from the Agencies' consumer research and expert views, the 
Agencies believe that the model form should have a minimum 10-point 
font. Requiring a minimum 10-point font is consistent with state law 
mandates for consumer disclosures.\96\
---------------------------------------------------------------------------

    \95\ See Kleimann Report, supra note 32, at 33. See also, e.g., 
Public Citizen Petition, supra note 24 at 7 (``[S]mall font sizes * 
* * deprive consumers of their right to prevent financial 
institutions from sharing private information.''); ``UNDERSTANDING 
THE FINE PRINT: How to make sure the gotchas don't get you,'' 
Consumer Reports Money Adviser (Oct. 2008) (``Fine print is 
everywhere--contracts; retail Web sites; sales receipts; print, 
broadcast, and Internet offers; prospectuses; privacy notices; 
product manuals; and manufacturer warranties.''); David Colker, 
``Stopping junk mail for living and dead; Opt-outs can slow the 
torrent of solicitations to computer and postal mailboxes and 
phones;'' Los Angeles Times, July 22, 2007, at C3 (``[B]y law, 
financial institutions have to offer an opt-out if they are making 
this data available to non-affiliated businesses. The problem is 
that their guides to opting out are often contained in their privacy 
notices--in small print.'').
    \96\ See, e.g., Cal. Fin. Code div. 1.2 Sec.  4053(d)(1)(B) 
(requiring 10-point minimum font).
---------------------------------------------------------------------------

    Leading: Leading is the spacing between lines of type, measured in 
points. If the line spacing is too narrow, the type is hard to read. In 
these circumstances, the ascenders (such as the upward line in the 
letter ``h'') and descenders (such as the downward line in a ``g'') may 
touch, blending the lines of type and making it much harder to 
distinguish the letters on the page. The final instructions to the 
model form require only that the leading used allow for sufficient 
spacing between the lines, but do not mandate a specific amount.

E. Optional General Guidance for Easily Readable Type

    The Proposed Rule included optional guidance on readable type 
styles and other formatting suggestions for institutions that want to 
provide privacy notices that are more readable and attractive to 
consumers, as well as those that want to develop their own model 
privacy form.\97\ A number of commenters were concerned by this 
guidance for easily readable type, and in some cases, they assumed the 
guidance would be mandatory. The Agencies expressly state that the 
guidance in this section III.E. is not mandatory and is not a 
requirement for proper use of the model form.
---------------------------------------------------------------------------

    \97\ See Proposed Rule, supra note 4, at section II.F.
---------------------------------------------------------------------------

    In more closely examining the statutory directive for ``easily 
readable type,'' the Agencies determined that a number of type-related 
factors can greatly affect the readability of a form. Type size, type 
style, leading, x-height, serif versus sans serif,\98\ upper and lower 
case type, along with the page layout--together play an important role 
in designing a typeface that is highly readable. Therefore, in 
considering these various factors for the design of an easily readable 
type font, institutions that elect to use the model form may 
voluntarily consider this additional guidance for an easily readable 
appearance to the notice.
---------------------------------------------------------------------------

    \98\ Serif typeface has small strokes at the ends of the lines 
that form each letter. Sans serif typeface does not have those small 
strokes.
---------------------------------------------------------------------------

    Leading: Research on the legibility of typography indicates that 
people read faster when text is set with 1 to 4 points of leading.\99\ 
Institutions may, but are not required to, consider these general 
recommendations for use with the model form: 10- or 11-point type 
should have between 1 and 3 points of leading. Twelve-point type should 
have between 2 and 4 points of leading.\100\
---------------------------------------------------------------------------

    \99\ Karen A. Schriver, Dynamics In Document Design 
(``Schriver'') 274 (1997).
    \100\ Id. at 262; see also James Hartley, Designing 
Instructional Text (1994); and Barbara Chaparro et al., Reading 
Online Text: A Comparison of Four White Space Layouts 6(2) (2004).
---------------------------------------------------------------------------

    Type style and ``x''-height: The readability of type size is highly 
dependent on the selection of the type style. Some styles in 10-point 
font are more readable than others in 12-point font and appear larger 
because of their design.
    Experts differ on the question of the most desirable type style. 
The model form uses sans serif and ``monoweight'' type, and upper and 
lower case lettering in the body of the form.\101\
---------------------------------------------------------------------------

    \101\ While much of the printed material in the United States 
and western Europe uses serif styles, Web designers are increasingly 
using sans serif type, as they have found that serif type is harder 
to read online. These changes in Web design are also beginning to 
affect font styles in printed materials. Some typography designers 
are now using sans serif typefaces, as well as type with a uniform 
thickness throughout the letter (monoweight typeface), finding these 
typefaces easier to read than those with variable thickness.
---------------------------------------------------------------------------

    Larger x-height \102\ makes a font appear larger and thus more 
readable, and fonts with larger x-heights are better for smaller text. 
Research shows that our eyes ``scan the top of the letters' x-heights 
during the normal reading process, so that is where the primary 
identification of each letter takes place.'' \103\ Generally, a font 
with an

[[Page 62900]]

x-height ratio of around .66 is easier to read.\104\
---------------------------------------------------------------------------

    \102\ The ``x-height'' is the height of the lower-case ``x'' in 
relation to full height letters, such as a capital G. X-height is 
critical to type legibility.
    \103\ Erik Spiekermann & E.M. Ginger, Stop Stealing Sheep & Find 
Out How Type Works 93 (1993).
    \104\ See, e.g., Hewlett-Packard Corporation, Panose 
Classification Metrics Guide (2006), available at http://www.monotypeimaging.com/productsservices/pan2.aspx.
---------------------------------------------------------------------------

    While not mandating a particular type style or x-height, the 
Agencies are providing these general guidelines for type style in the 
model form: For typefaces with a smaller x-height, 11- or 12-point font 
should be used; for typefaces with a larger x-height, a 10-point font 
would be sufficient.\105\
---------------------------------------------------------------------------

    \105\ See Schriver, supra note 99, at 264; see also id. at 258-
59. Fonts that satisfy the type style and x-height recommendations 
include sans serif fonts such as Tahoma, Century Gothic, Myriad, 
Avant Garde, Bk Avenir Book, ITS Franklin Gothic, Arial-Helvetica, 
and Gill Sans, and serif fonts such as the Chaparral Pro Family, 
Minion Pro, Garamond, Monotype Bodoni, and Monotype Century. A 
number of these font styles, including Arial-Helvetica, Tahoma, 
Century Gothic, Garamond, and Bodoni, are preloaded in commonly used 
word processing applications with most new personal computers. The 
other font styles are commercially available as well.
---------------------------------------------------------------------------

    For ease of reference, the following table summarizes the optional 
guidance discussed here. None of the standards in the table below is 
mandatory; rather, the information in the table is offered only as 
suggestions for institutions that design their own forms.

----------------------------------------------------------------------------------------------------------------
                If                         Then use                  And use               And use font with
----------------------------------------------------------------------------------------------------------------
Font is 10-point..................  1-3 points leading....  Monoweight typeface......  Large x-height sans serif
                                                                                        (around .66 ratio).
Font is 11-point..................  1-3 points leading....  Monoweight typeface......  Smaller x-height is
                                                                                        acceptable; either serif
                                                                                        or sans serif (less than
                                                                                        .66 ratio is
                                                                                        acceptable).
Font is 12-point..................  2-4 points leading....  Monoweight or variable     Smaller x-height is
                                                             typeface.                  acceptable; either serif
                                                                                        or sans serif (less than
                                                                                        .66 ratio is
                                                                                        acceptable).
----------------------------------------------------------------------------------------------------------------

F. Printing, Color, and Logos

    We are adopting the requirements for printing, color, and logos in 
the final model form as proposed. Commenters generally commended the 
Agencies' support for the use of color and company logos on the model 
form.\106\ A few industry commenters expressed concern about the 
background shading in certain headers smudging in high-speed printing 
operations.\107\ Some commenters sought clarification as to whether 
logos can use more than one color.
---------------------------------------------------------------------------

    \106\ See, e.g., comment letters of American Insurance Ass'n 
(May 29, 2007); National Ass'n of Mutual Insurance Cos. (May 29, 
2007); Securities Industry and Financial Markets Ass'n (May 29, 
2007); Consumer Bankers Ass'n (May 29, 2007).
    \107\ See, e.g., comment letters of National Business Coalition 
on E-Commerce and Privacy (May 30, 2007). With the modern, high-
speed printing equipment readily available, the Agencies do not 
foresee problems with reproducing background shading, just as they 
see no difficulties with printing blocks of color for company logos 
or advertising materials. Moreover, the validation testing research 
found that consumers appreciated shading as a navigation guide. See 
Kleimann Validation Report at 9-10.
---------------------------------------------------------------------------

    The Agencies agree that the distinguishing features of company 
logos along with color are important to ensure that an institution's 
documents have a distinctive look that consumers may readily recognize. 
As the Agencies proposed, a financial institution that uses the model 
form may include its corporate logo on any of the pages, so long as the 
logo design does not interfere with the readability of the model form 
or space constraints of each page. Institutions using the model form 
should use white or light color paper (such as cream) with black or 
suitable contrasting color ink. Spot color is permitted to achieve 
visual interest to the model form, so long as the color contrast is 
distinctive and the color does not detract from the form's readability. 
The Agencies are not prohibiting the use of more than one color in a 
logo.
    Other commenters asked for greater flexibility to include 
``markings'' or ``graphics'' or other ``visual effects'' or to include 
a ``branding phrase'' or ``advertising slogan.'' \108\ The Agencies 
observe that few institutions' privacy policies include advertising 
slogans. We note that some include pictures or other large designs that 
occupy the front cover. The Agencies believe that these designs or 
slogans would distract from the content of the model form and that 
slogans would be inconsistent with the standardized language throughout 
the form. For these reasons, the final model form does not permit 
institutions to include slogans or images (other than logos) on the 
model form.
---------------------------------------------------------------------------

    \108\ See, e.g., comment letters of Consumer Bankers Ass'n (May 
29, 2007); National Business Coalition on E-Commerce and Privacy 
(May 30, 2007).
---------------------------------------------------------------------------

G. Jointly-Provided Notices

    The final model privacy form includes a new FAQ at the top of page 
two: ``Who is providing this notice?'' Many commenters representing 
larger institutions observed that the proposed model form did not 
provide sufficient space to identify multiple entities that jointly 
provide a privacy notice, as permitted by the privacy rule.\109\ Some 
suggested the Agencies provide extra space for this information either 
in the body of the notice or as a footnote. The new FAQ is not required 
where only a single financial institution is providing the notice and 
that institution is identified in the title. As discussed in section 
III.J.1, space is provided for the institution's response.
---------------------------------------------------------------------------

    \109\ See, e.g., comment letters of American Council of Life 
Insurers (May 29, 2007); Investment Advisers Ass'n (May 29, 2007).
---------------------------------------------------------------------------

H. Use of the Form by Differently-Regulated Entities

    A number of commenters sought clarification as to whether 
institutions regulated by different Agencies could together provide a 
single joint notice to consumers.\110\ Insurance companies and their 
associations in particular expressed concern that the form did not 
allow for insurance-specific terminology and potentially put these 
institutions--regulated by the states--at some risk.\111\
---------------------------------------------------------------------------

    \110\ See, e.g., comment letters of National Business Coalition 
on E-Commerce and Privacy (May 30, 2007); T. Rowe Price Associates, 
Inc. (May 29, 2007); Financial Services Roundtable and BITS (May 29, 
2007); National Ass'n of Mutual Insurance Cos. (May 29, 2007); 
Investment Company Institute (May 29, 2007).
    \111\ See, e.g., comment letters of National Ass'n of Mutual 
Insurance Cos. (May 29, 2007); American Insurance Ass'n (May 29, 
2007); Great-West Life & Annuity Insurance Company (May 29, 2007). 
In addition to including insurance-specific phrases in the menu of 
terms for the ``What?'' box on page one and the collection of 
information FAQ on page two, the Rule also recognizes that 
institutions that provide insurance products or services and elect 
to use this model form can use the word ``policy'' instead of 
``account'' for the joint accountholder description. See 
Instructions C.2(g)(1) and C.3(a)(5) to the Model Privacy Form. The 
Agencies have periodically consulted with the NAIC to ensure that 
the final model form is sufficiently flexible to address the 
insurance marketplace. The NAIC is continuing to evaluate how best 
to proceed regarding insurance company use and implementation of the 
form by individual jurisdictions. This effort may include the NAIC 
developing a model bulletin for regulatory use or amending its model 
Privacy of Consumer Financial and Health Information Regulation to 
replace the current sample clauses with the new model privacy form.

---------------------------------------------------------------------------

[[Page 62901]]

    The Agencies fully intend that differently-regulated entities can 
provide a single joint notice to consumers by using the final model 
form. The Agencies have consulted with the NAIC, which submitted a 
letter with proposed modifications to certain sections of the form. The 
Agencies have incorporated into the final model form two menus of terms 
adaptable to the wide range of financial institutions. The menus 
include both the SEC's and the NAIC's proposals, and enable a variety 
of institutions, including securities firms and insurance companies, to 
use the model form, either individually or jointly with other types of 
financial institutions.

I. Page One of the Model Form

1. Title
    The Agencies are adopting the title, ``What Does [Name of Financial 
Institution] Do With Your Personal Information?,'' as proposed. One 
commenter objected to the title, preferring instead to refer to it as a 
privacy notice.\112\ Other commenters who provided sample revised 
notices also used alternate headings, such as, ``our privacy notice for 
consumers,'' ``privacy information,'' ``privacy statement,'' and 
``keeping your information safe and secure.'' \113\ The research found 
that the terms ``privacy notice'' or ``privacy policy'' deterred 
consumers from reading the notice.\114\ Consumers understood these 
terms to mean that the institution does not share personal information. 
The validation testing confirmed the effectiveness of the title.\115\
---------------------------------------------------------------------------

    \112\ See, e.g., comment letter of MasterCard Worldwide (May 29, 
2007).
    \113\ See, e.g., comment letter of Citigroup Inc. (May 30, 
2007); Wells Fargo & Company (May 29, 2007); Wachovia Corporation 
(May 25, 2007); Sovereign Bank (May 21, 2007).
    \114\ See Kleimann Report, supra note 32, at 43, 66-67.
    \115\ Kleimann Validation Report at 8.
---------------------------------------------------------------------------

2. Key Frame
    The Agencies are adopting the basic structure of the key frame as 
proposed with some language changes to address comments received. 
Industry commenters raised several objections to the key frame--the 
``Why?,'' ``What?,'' and ``How?'' boxes. Their principal concern was 
the inflexible nature of the information in these boxes. Many 
commenters took particular issue with the list of information collected 
and shared, noting that not all institutions collect and share the 
information listed.\116\ These commenters asked for greater flexibility 
in identifying other types of information that may better relate to 
their practices. Commenters raised other issues about: vocabulary; the 
contents and number of the boxes; and the inclusion of certain 
information not required by the privacy rule. Some commenters proposed 
moving and deleting phrases--as well as using the phrase ``as permitted 
by law'' to describe the types of sharing they can do. Some commenters 
raised questions about the reference to former customers.
---------------------------------------------------------------------------

    \116\ See, e.g., comment letters of American Bankers Ass'n (May 
25, 2007); Investment Company Institute (May 29, 2007); Investment 
Advisers Ass'n (May 29, 2007).
---------------------------------------------------------------------------

    The Agencies appreciate the various suggestions provided--
particularly on vocabulary and the structure and contents of the 
boxes--but note that the model form was developed through consumer 
research with the goal of making it understandable to consumers. The 
Agencies have decided to retain the basic structure and content of the 
key frame but have made certain modifications.
    The Agencies recognize that financial institutions may collect and 
share types of information other than those listed on the proposed 
form, including institutions that provide insurance or investment 
advice or sell securities. The Agencies have, after consulting with the 
NAIC and based on consideration of the comments received, provided a 
menu of terms, including each of the terms that was proposed, from 
which institutions may select to fill in the bracketed boxes.\117\ 
Since all financial institutions collect Social Security numbers, this 
one term is required in all notices. The terms provided are designed to 
reflect the range of information typically collected by various types 
of institutions in language that consumers can more easily understand.
---------------------------------------------------------------------------

    \117\ See Instruction C.2(b)(2) to the Model Privacy Form. 
Similar to the proposal, the final model form requires institutions 
to provide examples that may be applicable to the institution's 
collection and sharing practices.
---------------------------------------------------------------------------

    Further, the Agencies have revised the statement about former 
customers to: ``When you are no longer our customer, we continue to 
share information about you as described in this notice.'' While some 
institutions objected in principle to the statement that former 
customers are subject to the same policy as current customers,\118\ no 
commenters asserted that institutions actually implement a different 
policy for former customers.\119\
---------------------------------------------------------------------------

    \118\ See, e.g., comment letters of Investment Advisers Ass'n 
(May 29, 2007); American Insurance Ass'n (May 29, 2007).
    \119\ This sentence continues to appear in the ``What?'' box in 
the model form without an opt-out. However, based on the validation 
testing, the opt-out versions of the model form place this sentence 
in the ``To limit our sharing'' box following the sentence 
describing sharing information about a new customer. See Kleimann 
Validation Report at 9-10.
---------------------------------------------------------------------------

3. Disclosure Table
    We are adopting the disclosure table substantially as proposed, 
with some minor changes. Consumer and other advocacy groups, the NAIC, 
NAAG, and some industry commenters appreciated the easily understood 
display of information in the disclosure table of the proposed model 
form. One commenter noted the strength of the Schumer box standardized 
format.\120\ Others lauded the use of a tabular format to display a 
company's sharing practices, noting that framing one institution's 
practices against the industry as a whole is a useful way to inform 
consumers of a company's relative sharing practices and facilitates the 
comparison of different institutions' practices.\121\
---------------------------------------------------------------------------

    \120\ Comment letter of Capital One Financial Corporation (May 
29, 2007).
    \121\ See comment letters of The Center for Information Policy 
Leadership (May 29, 2007); Independent Community Bankers of America 
(May 29, 2007).
---------------------------------------------------------------------------

    A number of industry commenters and associations, including many 
small community banks and a few larger banks, also expressed support 
for the clarity and consumer-friendly format of the disclosure 
table.\122\
---------------------------------------------------------------------------

    \122\ See, e.g., comment letters of Independent Community 
Bankers of America (May 29, 2007); Bank of Edison (May 21, 2007); 
Capital One Financial Corporation (May 29, 2007); Citrus & Chemical 
Bank (May 24, 2007); First National Bank (Edinburg, TX) (Apr. 9, 
2007); Florence Savings Bank (April 30, 2007); Iowa State Bank and 
Trust Company (May 22, 2007); ShoreBank (Apr. 6, 2007); Hometown 
Bank (May 8, 2007).
---------------------------------------------------------------------------

    However, many industry commenters sought flexibility in the table 
design for several reasons. Some reported that it is common for a 
financial institution to have multiple privacy policies for different 
products that they offer consumers.\123\ Others asserted that the table 
contains a bias against larger, more complex corporate structures 
because it is overly simplistic and may show that certain types of 
institutions engage in widespread sharing.\124\ One opined that the 
table structure made it appear that the entity was reckless in its 
sharing practices.\125\ These commenters expressed particular concern 
that the model form would lead to high opt-out

[[Page 62902]]

rates.\126\ Many particularly objected to listing all the categories of 
sharing--especially when a consumer cannot limit or opt out of certain 
types of sharing--and others wanted to limit the list only to those 
categories used by the institution.\127\ Some commenters wanted to use 
this space to explain the benefits of certain types of sharing.\128\ 
Others wanted to convey that, for example, they only shared information 
with certain types of affiliates but not others and asserted that the 
disclosure table did not permit them to make this distinction.\129\
---------------------------------------------------------------------------

    \123\ See, e.g., comment letters of Bank of America Corporation 
(May 29, 2007); Securities Industry and Financial Markets Ass'n (May 
29, 2007); MasterCard Worldwide (May 29, 2007).
    \124\ See, e.g., comment letters of Citigroup Inc. (May 30, 
2007); Consumer Bankers Ass'n (May 29, 2007).
    \125\ See comment letter of Consumer Bankers Ass'n (May 29, 
2007).
    \126\ See, e.g., comment letter of Johnson Financial Group (May 
14, 2007).
    \127\ See, e.g., comment letters of Huntington National Bank 
(May 25, 2007); National Business Coalition on E-Commerce and 
Privacy (May 30, 2007); Securities Industry and Financial Markets 
Ass'n (May 29, 2007).
    \128\ See, e.g., comment letter of Consumer Bankers Ass'n (May 
29, 2007).
    \129\ See, e.g., comment letters of American Council of Life 
Insurers (May 29, 2007); Securities Industry and Financial Markets 
Ass'n (May 29, 2007); American Insurance Ass'n (May 29, 2007); 
Consumer Mortgage Coalition (May 29, 2007).
---------------------------------------------------------------------------

    As the Agencies stated in the preamble to the Proposed Rule, based 
on the Kleimann Report and as confirmed by the quantitative research 
data and the Levy-Hastak Report, the disclosure table is the heart of 
the model form design and its most effective feature.\130\ The table 
provides for greater transparency of a company's sharing practices. It 
allows consumers to see at a glance the types of information sharing a 
company may engage in, whether that particular company shares in that 
way, and, if so, whether the consumer can limit such sharing.\131\ 
Based on the research, the Agencies have retained the disclosure table 
generally unchanged in the final model form.
---------------------------------------------------------------------------

    \130\ See Proposed Rule, supra note 4, at text preceding and 
accompanying n.27; see also Levy-Hastak Report at 17.
    \131\ The disclosure table in the model form provides 
information ``at-a-glance'' that facilitates the comparison of a 
company's information sharing practices, both as to the industry as 
a whole and with respect to any other specific companies. In this 
way, it meets the original legislative intent to easily compare 
companies' privacy practices. See H.R. Rep. No. 106-74, at 107 
(1999).
---------------------------------------------------------------------------

    Addressing industry concerns about bias against larger 
institutions, the Agencies appreciate these institutions' concern that 
some of their customers may react negatively to the sharing of their 
information. The purpose of the model form is not to direct consumer 
behavior, however, but rather to provide information effectively. While 
the Levy-Hastak Report found that a majority of survey participants 
objected to the sharing of their personal information with affiliated 
companies, and more so with nonaffiliated companies, these objections 
were consistent across all the survey participants and were not 
affected by any particular notice format.\132\ The research confirms 
that the notice design more clearly informs consumers about how each 
company shares or uses the personal information it collects.
---------------------------------------------------------------------------

    \132\ Levy-Hastak Report at 15.
---------------------------------------------------------------------------

    During the course of this project, the Agencies heard from smaller 
institutions that their customers wanted to stop all sharing and 
expressly asked for opt-outs even when the institution engaged in only 
limited sharing under the section ----.14 and ----.15 exceptions.\133\ 
The neutral design of the form, particularly through the table, 
explains that some sharing is necessary for an institution's ``everyday 
business purposes'' and makes clear what sharing occurs. In addition, 
the model form uses the term ``limiting'' sharing, rather than stopping 
sharing altogether. These small institutions commented that this more 
balanced presentation of sharing practices is a very important feature 
of the notice, and one that they welcome, as it makes all institutions' 
sharing practices more transparent.\134\
---------------------------------------------------------------------------

    \133\ This comment was made by some of the Agencies' regulated 
entities at various times during the course of this project and was 
also discussed by members of the Board's Consumer Advisory Council 
during its discussions in 2007 about the Notice Project and model 
form proposals.
    \134\ See, e.g., comment letter of Independent Community Bankers 
Ass'n (May 29, 2009).
---------------------------------------------------------------------------

    The strength of the table design is that it facilitates comparison 
by showing what a particular institution's sharing practices are as 
compared to what all financial institutions can legally do. For this 
reason, the final model form incorporates all seven reasons for 
sharing, with only the affiliate marketing provision--``For our 
affiliates to market to you''--optional for those companies that elect 
to incorporate that disclosure in their GLB notices.\135\
---------------------------------------------------------------------------

    \135\ See infra note 142.
---------------------------------------------------------------------------

    While the middle column requires institutions to answer ``yes'' or 
``no'' to whether it shares for each of the reasons, some commenters 
expressed concern that their information sharing practices were 
sufficiently complex that they could not answer ``yes'' or ``no,'' 
stating that they had different practices for different products. 
Institutions that elect to use the model form must answer the questions 
in the final model form as directed in the proposal. If an institution 
elects to use the model form, it must either harmonize its practices so 
one notice applies to all its products, or it must provide separate 
notices for products subject to different information sharing 
practices.
    A few commenters opined that they may not currently share but want 
to reserve the right to share in the future. In such a case, the 
correct response in the middle column is ``yes,'' consistent with the 
privacy rule.\136\
---------------------------------------------------------------------------

    \136\ See the privacy rule, section ----.6(e), NCUA section 
716.6(d) (notices can be based on current and anticipated policies 
and practices).
---------------------------------------------------------------------------

    Many institution commenters objected that the proposed terms to 
describe sharing practices were abbreviated or incomplete and asserted 
that the Agencies limited sharing that is lawfully permitted. For 
example, commenters objected that the definition of ``everyday business 
purposes'' excluded a long list of permissible disclosures designated 
in sections ----.14 and ----.15.\137\ However, as the Agencies stated 
in the proposal, the phrase ``everyday business purposes'' fully 
incorporates all the disclosures permitted by law under sections --
--.14 and ----.15 of the privacy rule.\138\ In addition, the Agencies 
have determined that service providers that do not fall under section 
----.14, but perform direct services to the institution such as opt-out 
scrubbing or market analysis or research under a section ----.13 
agreement, are included under this provision.\139\
---------------------------------------------------------------------------

    \137\ See, e.g., comment letters of American Insurance Ass'n 
(May 29, 2007); Consumer Bankers Ass'n (May 29, 2007); Citigroup 
Inc. (May 30, 2007); Securities and Financial Markets Ass'n (May 29, 
2007).
    \138\ See, e.g., comment letters of American Bankers Ass'n (May 
25, 2007); American Insurance Ass'n (May 29, 2007); Securities 
Industry and Financial Markets Ass'n (May 29, 2007). This language 
substantially replaces the ``as permitted by law'' phrase used in 
the Sample Clauses, covering all permitted disclosures--along with 
the attendant requirements on reuse and redisclosure--found under 
sections ----.14 and ----.15 of the privacy rule. Unlike that 
clause, ``everyday business purposes'' conveys more concrete 
information to consumers and, importantly, helps them understand 
that some sharing is necessary in order to obtain financial products 
or services.
    \139\ Joint marketing with other financial institutions and 
section ----.13 service providers contracted to do marketing for a 
financial institution are disclosed separately. See Instruction 
C.2(d)(3) to the Model Privacy Form.
---------------------------------------------------------------------------

    The cited examples of ``everyday business purposes'' \140\ are 
illustrative only, to enhance consumer understanding. While commenters 
urged us to include the phrase ``as permitted by law'' in this 
description, research has found that consumers are confused and 
concerned by this phrase; they do not know what it means or what

[[Page 62903]]

``laws'' it encompasses.\141\ Including that phrase would be 
inconsistent with consumers' need for clear language to understand what 
their financial institution does with their information.
---------------------------------------------------------------------------

    \140\ The final model form consolidates all references to 
``everyday business purposes'' in the first reason in the disclosure 
table, thereby eliminating the illustrative explanation in the 
``How?'' box on page one and the definition on page two.
    \141\ See Survey Research Center at the University of Georgia, 
National Ass'n of Insurance Commissioners Insurance Disclosure Focus 
Group Study (``NAIC Study''), available at http://www.ftc.gov/os/comments/modelprivacyform/528621-00012.pdf. See also infra 
discussion at text accompanying note 221.
---------------------------------------------------------------------------

    Because the laws governing disclosure of consumers' personal 
information are not easily translated into short, comprehensible 
phrases, the table uses more easily understandable short-hand terms to 
describe sharing practices. We do not believe that these short-hand 
terms diminish the laws' provisions, as some commenters asserted. If, 
as these commenters suggest, the Agencies add to the laundry list of 
descriptive terms to make the provisions in the table more ``precise,'' 
we believe it will defeat the purpose of making this information more 
understandable to consumers. Thus, the Agencies have chosen not to 
provide detailed descriptions for each of the reasons in the table; we 
re-affirm that institutions' ability to share information in accordance 
with the statutory provisions would not be limited or otherwise 
modified by using the model form language.
    The phrase ``For our marketing purposes'' captures the idea that 
nearly all, if not all, institutions share information to market their 
own products and services to their customers (for example, using a 
joint marketing agreement with a service provider such as a bulk mailer 
or data processor pursuant to section ----.13 of the privacy rule) in a 
manner that does not trigger an opt-out right. Likewise, the phrase 
``nonaffiliates to market to you'' does not diminish the information 
sharing permitted by the privacy rule, provided that institutions first 
provide an opportunity for consumers to opt out, as provided for in 
section ----.10 of the privacy rule.
    In all these instances, the lack of explicit references in the 
model form to certain of the exceptions does not mean that an 
institution cannot take advantage of all the exceptions provided for in 
the law.
4. FCRA Opt-Outs
    The FCRA provisions are adopted in the model privacy form as 
proposed.\142\ A number of industry commenters objected that the 
disclosure table did not provide a sufficiently complete or accurate 
description of the affiliate sharing provisions of the FCRA.\143\ They 
urged the Agencies to revise these provisions to more precisely 
distinguish between the different types of information that can be 
shared with affiliates (both with and without an opt-out), to describe 
the applicable exceptions, and to more accurately describe the opt-out 
pertaining to information that can be used by affiliates for marketing.
---------------------------------------------------------------------------

    \142\ The table includes, as an optional disclosure, the opt-out 
required by section 624 of the FCRA (reason 6 in the table), 15 
U.S.C. 1681s-3 (affiliate use of information for marketing), as 
added by section 214 of the Fair and Accurate Credit Transactions 
Act of 2003 (FACT Act), Public Law No. 108-159, 117 Stat. 1952. 
Section 624 generally provides that information that may be shared 
among affiliates--including transaction and experience information 
and certain creditworthiness information--cannot be used by an 
affiliate for marketing purposes unless the consumer has received a 
notice of such use and an opportunity to opt out, and the consumer 
does not opt out. Congress did not grant the CFTC rulemaking 
authority to implement section 624. The other Agencies have issued 
final regulations implementing the affiliate marketing provision of 
the FACT Act, 12 CFR part 41 (OCC), 12 CFR part 222 (Board), 12 CFR 
part 334 (FDIC), 12 CFR part 571 (OTS), 12 CFR part 717 (NCUA), 16 
CFR parts 680 and 698 (FTC), 17 CFR part 248, subpart B (SEC) 
(``affiliate marketing rule''). Because the Agencies' affiliate 
marketing rules generally use consistent section numbering, relevant 
sections will be cited, for example, as ``section --.23'' unless 
otherwise noted. The affiliate marketing rule included language 
stating that the section 624 disclosure as it appears in the model 
form will meet the requirements of that rule. See 72 FR 61424, 61452 
(Oct. 30, 2007) (FTC); 72 FR 62910, 62932 (Nov. 7, 2007) (banking 
agencies); 74 FR 40398, 40418 (Aug. 11, 2009) (SEC) (``use of the 
[GLB Act] model privacy form will satisfy the requirement to provide 
an initial affiliate marketing opt-out notice''). See also section 
----.23(b) of the affiliate marketing rule.
    \143\ See, e.g., comment letters of Citigroup Inc. (May 30, 
2007); American Bankers Ass'n (May 25, 2007); Consumer Bankers Ass'n 
(May 29, 2007); National Business Coalition on E-Commerce and 
Privacy (May 30, 2007); Visa U.S.A, Inc. (May 29, 2007).
---------------------------------------------------------------------------

    The FCRA statutory provisions are quite complex and their legal 
intricacies are difficult for consumers to understand. The Agencies 
found through the consumer testing conducted by Kleimann that the 
short-hand FCRA terms used in the model form describing the types of 
personal information that can be shared with affiliates are sufficient 
to enable consumers to make informed decisions about such sharing. 
Again, these short-hand terms do not in any way diminish or modify the 
affiliate sharing provisions of the FCRA.\144\ To give some meaning to 
the statutory term ``other information,'' the disclosure table uses 
``Information about your creditworthiness''--a short-hand phrase that 
consumers reasonably understood. Testing also found that consumers 
reasonably understood the phrase ``information about your transactions 
and experience'' without further embellishment.\145\
---------------------------------------------------------------------------

    \144\ See section 603(d)(2)(A) of the FCRA relating to the 
sharing of ``transaction and experience information'' and the 
sharing of ``other information'' which triggers an opt-out notice.
    \145\ Kleimann Report, supra note 32, at 63.
---------------------------------------------------------------------------

    Some institutions objected to the description of the optional 
affiliate marketing provision enacted under the FACT Act for which the 
Agencies have published final regulations.\146\ These commenters are 
correct that this provision, unlike the others, is about the use of 
shared information for marketing. While the Agencies and Kleimann 
worked to ensure accuracy in the model form, it was evident at the 
outset that this particular provision would be very difficult to 
explain in a simple and clear way to consumers and be precisely true to 
the statutory language.
---------------------------------------------------------------------------

    \146\ See supra note 142.
---------------------------------------------------------------------------

    The final formulation we proposed tested sufficiently well to show 
that consumers understand its basic meaning.\147\ Including the 
affiliate marketing notice and opt-out in the model form is optional. 
Institutions that are required to provide this notice, and elect not to 
include it in their GLB Act privacy notice, must separately send an 
affiliate marketing notice that complies fully with the affiliate 
marketing rule requirements.
---------------------------------------------------------------------------

    \147\ Levy-Hastak Report at 15.
---------------------------------------------------------------------------

    For those institutions that elect to incorporate this provision in 
the model form, the Agencies believe that it is simpler and less 
confusing to consumers for the affiliate marketing opt-out to be of 
indefinite duration, consistent with the opt-out required under the GLB 
Act. If an institution elects to limit the time period for which the 
opt-out is effective, as permitted under the affiliate marketing rule, 
it must not include the affiliate marketing opt-out in the model form. 
Instead, the institution must comply separately with the specific 
affiliate marketing rule requirements.
5. Limiting Sharing: Opt-Out Information
    In response to commenters and the results of the quantitative 
testing, the final model form includes opt-out information for those 
institutions that are required to provide an opt-out on the bottom of 
page one. The Agencies proposed that the information about limiting or 
opting out of certain sharing, as needed, would be provided on a 
separate third page. Many commenters objected to the use of a separate 
piece of paper for this information, particularly if the notice itself 
is quite short.\148\
---------------------------------------------------------------------------

    \148\ See, e.g., comment letters of American Council of Life 
Insurers (May 29, 2007); National Automobile Dealers Ass'n (May 29, 
2007); Securities Industry and Financial Markets Ass'n (May 29, 
2007).

---------------------------------------------------------------------------

[[Page 62904]]

    This change eliminates the extra page from the proposed model form 
and places this important information on the first page that the 
consumer sees. In addition to the model form with no opt-out, the 
Agencies are providing two alternate versions to be used, as 
appropriate, depending on whether the institution offers the option to 
limit information sharing by mail.\149\
---------------------------------------------------------------------------

    \149\ Some commenters asked about providing the opt-out in an 
in-person transaction so that the customer could execute the opt-out 
at that time or could deliver the completed opt-out form in person. 
The privacy rule does not preclude obtaining a consumer's opt-out 
election in person. However, while an institution may accept an opt-
out election from a consumer in person, requiring a consumer to 
obtain an opt-out form at a branch office as the only means to opt 
out violates the privacy rule. See sections --.7(h), --.9(a) and 
(b), and --.10(a)(1) and (a)(3) of the privacy rule.
---------------------------------------------------------------------------

    Institutions using the model form must include the opt-out section 
in their notices only if they (1) share or use information in a manner 
that triggers an opt-out, or (2) choose to provide opt-outs beyond what 
is required by law. Financial institutions that provide opt-outs are 
not required to provide all the opt-out choices and methods described 
in the model form; they should select those that accurately reflect 
their practices.\150\
---------------------------------------------------------------------------

    \150\ Institutions that do not include the affiliate marketing 
disclosure on the model privacy form must not include the affiliate 
marketing notice or opt-out on the model form mail-in form; that 
notice must be provided in accord with the affiliate marketing rule, 
outside the model form.
---------------------------------------------------------------------------

    A number of commenters objected to the statement describing the 
time period before information can first be shared according to an 
institution's privacy policy.\151\ Recognizing that institutions will 
provide this form both to new customers and annually to existing 
customers, the Agencies have modified the language accordingly.\152\ 
The revised model form allows institutions to insert a time period that 
is 30 days or longer from the date the notice was sent before it can 
begin sharing for new customers. Some commenters opined that in certain 
instances they should be able to require the consumer to make an opt-
out decision at the time of the in-person or electronic transaction 
rather than waiting 30 days. While the Agencies recognize that certain 
situations may warrant an immediate decision, the basic rule is to 
allow a ``reasonable'' opportunity to opt out.\153\
---------------------------------------------------------------------------

    \151\ See, e.g., comment letters of Bank of America Corporation 
(May 29, 2007); Wells Fargo & Company (May 29, 2007); Securities 
Industry and Financial Markets Ass'n (May 29, 2007); American 
Council of Life Insurers (May 29, 2007).
    \152\ The revised language states: ``If you are a new customer, 
we can begin sharing your information [30] days from the date we 
sent this notice.'' See also supra note 119.
    \153\ See, e.g., sections --.10(a)(1)(iii) and --.10(a)(3)(iii) 
of the privacy rule.
---------------------------------------------------------------------------

    Telephone and online opt-outs should closely match the options 
provided in the form. Consistent with the direction provided in the 
affiliate marketing rule,\154\ the Agencies also contemplate that a 
toll-free telephone number would be adequately designed and staffed to 
enable consumers to opt out in a single telephone call. In setting up a 
toll-free telephone number that consumers may use to exercise their 
opt-out rights, institutions should minimize extraneous messages 
directed to consumers who are in the process of opting out.
---------------------------------------------------------------------------

    \154\ See 72 FR 61424, 61448 (Oct. 30, 2007) (FTC); 72 FR 62910, 
62935 (Nov. 7, 2007) (banking agencies); 74 FR 40398, 40421 (August 
11, 2009) (SEC).
---------------------------------------------------------------------------

    A number of industry commenters requested clarification on how 
joint accountholders would be treated.\155\ The Agencies have addressed 
this question with a new FAQ, described below. Further, if an 
institution elects to provide a choice for the joint accountholder to 
apply the opt-out only to that joint accountholder, that option must be 
provided in the telephone or Web prompt, as well as presented in the 
left-hand box on the mail-in form.\156\
---------------------------------------------------------------------------

    \155\ See, e.g., comment letters of American Bankers Ass'n (May 
25, 2007); Discover Bank (May 29, 2007).
    \156\ See also privacy rule, section --.7(d), NCUA section 
716.7(d)(6).
---------------------------------------------------------------------------

    A number of commenters from both industry and advocacy groups 
addressed the question whether consumers need to provide personal 
information such as a Social Security number, account number, or other 
identification number in order to opt out. The consumer advocacy 
organizations, some industry commenters, and an industry association 
proposed omitting the account number field from the proposed form to 
reduce the risk of fraud.\157\ These commenters expressed concerns 
about phishing and identity theft, and were especially concerned about 
institutions' use of the Social Security number to confirm an opt-out 
request. These commenters argued that a name and address should be 
sufficient to effect an opt-out from an institution's information 
sharing.
---------------------------------------------------------------------------

    \157\ See, e.g., comment letters of Center for Democracy and 
Technology (May 29, 2007); Privacy Rights Clearinghouse (May 22, 
2007); National Automobile Dealers Ass'n (May 29, 2007.
---------------------------------------------------------------------------

    Many institutions argued that they needed a Social Security number 
or full account or policy number in order to authenticate the person 
who wanted to opt out or to apply the opt-out appropriately to all 
accounts held by the customer or only to specific accounts.\158\ Some 
industry commenters urged limiting the information to only the last 
four digits of an account number as both safe for the consumer and 
sufficient to implement the opt-out.\159\
---------------------------------------------------------------------------

    \158\ See, e.g., comment letters of National Retail Federation 
(May 29, 2007); Citicorp (May 29, 2007); National Business Coalition 
on E-Commerce and Privacy (May 30, 2007).
    \159\ See, e.g., comment letters of Sun Trust Banks, Inc. (May 
23, 2007); Central National Bank of Enid (May 24, 2007).
---------------------------------------------------------------------------

    Having considered these comments and the context in which such 
sensitive information is used--to implement an opt-out for information 
sharing--the Agencies strongly encourage institutions to use some other 
form of identifier, such as a randomly generated ``opt-out code'' 
provided in the notice that consumers can use to exercise their opt-
outs without jeopardizing the security of their most sensitive personal 
information. A random code--which some institutions currently use--both 
protects consumers' most sensitive information and at the same time can 
be used to link both the customer and account(s) to which the opt-out 
should apply. Such an approach would further simplify the opt-out 
process for consumers. If such an approach is not feasible, 
institutions could use a truncated account or policy number to protect 
sensitive information.\160\ Of course, any opt-out means provided--
including any information requirements imposed on consumers--must be 
reasonable under the privacy rule and reasonable and simple under the 
affiliate marketing rule.\161\ Institutions should keep these 
requirements in mind when requesting information beyond the consumer's 
name and address.
---------------------------------------------------------------------------

    \160\ See also The President's Identity Theft Task Force, 
Combating Identity Theft, at 13 (Apr. 2007) (``Consumer information 
is the currency of identity theft, and perhaps the most valuable 
piece of information for the thief is the SSN'').
    \161\ See section ----.7(a)(1)(iii) of the privacy rule and 
section --.25(a) of the affiliate marketing rule.
---------------------------------------------------------------------------

    A number of industry commenters objected to the inability of the 
model form to provide for partial opt-outs, as permitted by the privacy 
rule.\162\ The Agencies have observed that partial opt-outs are not 
widely employed. Trying to incorporate partial opt-outs in this model 
form would be unduly complicated and confusing for consumers, so the 
Agencies have determined to use the default provision of the privacy 
rule that provides for an opt-out that applies to all information.\163\ 
Institutions that want to

[[Page 62905]]

provide partial opt-outs cannot do so using the model form.
---------------------------------------------------------------------------

    \162\ See, e.g., comment letters of American Council of Life 
Insurers (May 29, 2007); Securities Industry and Financial Markets 
Ass'n (May 29, 2007).
    \163\ See section --.10(b) of the privacy rule.
---------------------------------------------------------------------------

    A number of commenters wanted to include in the model form the 
statement ``If you have already told us your choice(s), you do not have 
to tell us again.'' \164\ Because this statement would only be accurate 
if the institution has not changed its notice to include new opt-out 
options, the Agencies have decided not to include it in the model form. 
Institutions that choose to use this statement must do so outside the 
model form.
---------------------------------------------------------------------------

    \164\ See, e.g., comment letters of MasterCard Worldwide (May 
29, 2007); National Business Coalition on E-Commerce and Privacy 
(May 30, 2007); Wells Fargo & Company (May 29, 2007); Wolters Kluwer 
Financial Services (May 24, 2007).
---------------------------------------------------------------------------

6. Additional Opt-Outs in the Model Form
    Like the proposed form, the final model form permits institutions 
to provide for voluntary or state law-required opt-outs. For example, 
if an institution elects to offer its customers the opportunity to opt 
out of its marketing, it can do so by saying ``yes'' in the third 
column. Similarly, an institution can offer its customers a right to 
opt out of joint marketing, if it chooses.
    Institutions that must comply with various state law requirements, 
depending on their practices and the choices they offer, may be able to 
do so in one of two ways using the model form. For example, Vermont law 
requires institutions to obtain opt-in consent from Vermont consumers 
for affiliate sharing. The disclosure table permits institutions to do 
one of two things: (1) it can provide a notice directed to its Vermont 
customers that answers ``no'' to the question about whether it shares 
creditworthiness information with its affiliates, or (2) it can provide 
a generalized notice for consumers across a number of states including 
Vermont and answer ``yes'' to the question about sharing 
creditworthiness information with its affiliates and include a 
discussion on the application of Vermont law in the ``Other important 
information'' box on page two of the form.\165\
---------------------------------------------------------------------------

    \165\ California provides that a consumer can opt out of joint 
marketing. Cal. Fin. Code div. 1.2 Sec.  4053(b)(2). Thus, an 
institution can provide a generalized notice offering no opt-out, 
with California-specific information in the ``Other important 
information'' box. Alternatively, an institution can provide a 
separate notice to its California customers. Institutions cannot use 
the model form to offer opt-in consent. See Instruction C.2(g)(5) to 
the Model Privacy Form.
---------------------------------------------------------------------------

    To obtain the safe harbor for use of the proposed model form, an 
institution that uses the disclosure table to show any additional opt-
out choices (beyond what is required under Federal law) must make that 
opt-out available through the same opt-out options the institution 
provides in the notice, whether by telephone, Internet, or a mail-in 
opt-out form.\166\
---------------------------------------------------------------------------

    \166\ See Instruction C.2(g) to the Model Privacy Form.
---------------------------------------------------------------------------

7. Contact Information for Questions
    Like the proposed form, the final model form provides contact 
information at the bottom of page one. Some commenters objected that it 
would be confusing if an opt-out is offered or the institution wants to 
limit such contact to a mail option only.\167\ The Kleimann Report 
found that consumers want a way to contact their financial institution 
if they have any questions.\168\ The NAIC Study likewise found this to 
be one of the most important pieces of information that consumers want 
in a notice.\169\ In revising the proposed model form to include the 
opt-out information on page one, the Agencies have modified the 
``Contact Us'' box to label it ``Questions'' (to more clearly 
distinguish between the two) and clarified in the Instructions that 
this box is for customer service contact information, either by 
telephone or the Internet or both, at the institution's option.
---------------------------------------------------------------------------

    \167\ See, e.g., comment letters of Mastercard Worldwide (May 
29, 2007); American Insurance Ass'n (May 29, 2007); American Council 
of Life Insurers (May 29, 2007); Securities Industry and Financial 
Markets Ass'n (May 29, 2007).
    \168\ Kleimann Report, supra note 32, at 35, 226.
    \169\ NAIC Study, supra note 141.
---------------------------------------------------------------------------

    Customer service contact information is for consumers who may have 
questions about the institution's privacy policy and may be the same 
contact information for consumers' questions relating to the 
institution's products or services. The Agencies are not requiring a 
separate customer service number solely to answer questions about the 
institution's privacy policy. The customer service contact information 
is different from the opt-out contact information, unless the customer 
service number is made available for consumers to opt out. The contact 
information should give consumers a way to communicate directly with 
the institution.\170\
---------------------------------------------------------------------------

    \170\ See Instruction C.2(f) to the Model Privacy Form.
---------------------------------------------------------------------------

8. Mail-In Opt-Out Form
    The mail-in opt-out form for institutions that provide such a form 
is adopted with two modifications, with the changes based on comments, 
the quantitative testing, and the Levy-Hastak Report. The validation 
testing shaped the design for the opt-out information in the final 
model form.
    As discussed in section III.I.5, the final model form displays all 
opt-out information, including the mail-in form, on page one, for 
institutions that provide an opt-out. In response to commenters, the 
Agencies have added information on joint accountholders to the model 
form by providing a new FAQ on page two. Institutions must include the 
joint accountholder information in the mail-in form only when the 
institution allows a joint accountholder to choose whether to apply an 
opt-out election only to one accountholder.\171\ Otherwise, that space 
is blank or omitted from the mail-in form.
---------------------------------------------------------------------------

    \171\ See also infra section III.J.1. Section III.I.5 provides 
guidance on the use of sensitive personal information (such as a 
Social Security number or account number) to effect an opt-out. 
Section III.I.6 discusses how voluntary or state-required privacy 
law opt-outs should appear in the mail-in opt-out form. See also 
Instruction C.2(g) to the Model Privacy Form.
---------------------------------------------------------------------------

    Finally, institutions that use the mail-in opt-out form must insert 
the institution's mailing address either in the right-hand box or just 
below the mail-in form, as shown in version 3 and optional version 4 in 
the Appendix and as described in the Instructions to the Model Form.

J. Page Two of the Model Form

    The Agencies have modified page two of the model form to streamline 
the information on the page and to provide flexibility for institutions 
to insert certain institution-specific information.
1. Frequently Asked Questions
    To address the concerns about jointly-provided notices, the 
Agencies have added a new FAQ at the top of page two: ``Who is 
providing this notice?'' An institution may omit this FAQ only when one 
financial institution is providing the notice and that institution is 
identified in the title. The space to the right, which is limited (for 
reasons of space constraints) to a maximum of four (4) lines,\172\ 
allows institutions that are jointly providing the notice to be 
identified.\173\ This space must be used to:
---------------------------------------------------------------------------

    \172\ While the Agencies are limiting the space allotted for 
this FAQ, we do not intend that institutions will constrain the 
width of the left column (with the questions) so as to make this 
page difficult to read. We remind institutions that design experts 
recommend using sufficient white space to set off features such as 
headings, bullets, and key information used by consumers to quickly 
scan a document. We note further that the ratio of the column widths 
of the questions to the responses in the model form is approximately 
1:2.
    \173\ The option of creating a jointly provided notice is not 
limited only to financial holding companies, as one commenter 
observed. Instruction B.1 to the Model Privacy Form has been 
modified to clarify that point.

---------------------------------------------------------------------------

[[Page 62906]]

    1. State the common corporate name or other readily identifiable 
name that is also used for the title and various headings of the model 
form as the ``name of financial institution;'' and
    2. Either (a) identify the entities jointly providing the notice; 
or (b) for institutions with a lengthy list of entities jointly 
providing the notice, identify the general types of entities in the 
response and identify the entities \174\ at the end of the form 
following the ``Other important information'' box, or, if that box is 
not incorporated into the form, following the ``Definitions'' or on an 
additional page. The list at the end of the form must be printed in 
minimum 8-point font and may appear in a multi-column format.
---------------------------------------------------------------------------

    \174\ See section --.9(f) of the privacy rule.
---------------------------------------------------------------------------

    The Agencies have deleted the FAQ on how often consumers are 
provided notices on an institution's sharing practices due to space 
constraints.\175\
---------------------------------------------------------------------------

    \175\ While the testing found it to be helpful background, this 
information is not required by the privacy rule.
---------------------------------------------------------------------------

    A number of commenters objected to the response to the question 
about how personal information is protected. Some objected to the 
phrase ``comply with federal laws.'' \176\ The Agencies note that this 
phrase closely tracks current Sample Clause A-7 and is already widely 
used by many institutions. Several objected to the phrase ``secured 
buildings and files,'' preferring ``physical safeguards.'' \177\ As 
explained in the Kleimann Report, the Agencies developed this text to 
help consumers better understand the practical meaning of physical 
security.\178\ The Agencies have determined to retain the FAQ as 
proposed, with one modification. In response to commenters who asked to 
include more specific information,\179\ such as information about 
cookies or online practices or limiting employee access to personal 
information, the Agencies are allowing institutions to add more detail, 
limited to describing their safeguards practices, up to a maximum of 
thirty (30) additional words. This doubles the space allotted for the 
safeguards response and provides flexibility to institutions to 
customize the safeguards description. The optional information must 
appear after the standard response for this FAQ.
---------------------------------------------------------------------------

    \176\ See, e.g., comment letters of Consumer Bankers Ass'n (May 
29, 2007); MasterCard Worldwide (May 29, 2007).
    \177\ See comment letters of American Council of Life Insurers 
(May 29, 2007); American Insurance Ass'n (May 29, 2007).
    \178\ Kleimann Report, supra note 32, at 125-26.
    \179\ See, e.g., comment letters of Iowa State Bank and Trust 
(May 22, 2007); PayPal (May 29, 2007); Wachovia Corporation (May 25, 
2007).
---------------------------------------------------------------------------

    A number of industry commenters objected to the inflexible nature 
of the description of the sources from which personal information is 
collected, stating that in many cases the proposed descriptions do not 
correlate to their practices or the practices of their particular 
industry.\180\ As with the description of the types of information 
collected and shared on page one, the Agencies are providing a menu of 
terms from which institutions can select to fill in the bulleted 
lists.\181\ The list is designed to include the range of information 
sources typically used by a variety of institutions subject to the GLB 
Act and the FCRA, including those in the insurance, securities, and 
investment advisory businesses, as well as those companies subject to 
FTC jurisdiction. Finally, institutions that collect information from 
their affiliates and/or from credit bureaus must use as the last 
sentence of this response: ``We also collect your personal information 
from others, such as credit bureaus, affiliates, or other companies.'' 
Institutions that do not collect personal information from their 
affiliates or credit bureaus but do collect personal information from 
other companies must include the following statement: ``We also collect 
your personal information from other companies.'' Only institutions 
that do not collect any personal information from affiliates, credit 
bureaus, or other companies can omit both statements.
---------------------------------------------------------------------------

    \180\ See, e.g., comment letters of American Council of Life 
Insurers (May 29, 2007); American Bankers Ass'n (May 25, 2007); 
Consumer Bankers Ass'n (May 29, 2007); Mastercard Worldwide (May 29, 
2007); Wells Fargo & Company (May 29, 2007); National Ass'n of 
Mutual Insurance Cos. (May 29, 2007); National Automobile Dealers 
Ass'n (May 29, 2007).
    \181\ See Instruction C.3(a)(3) to the Model Privacy Form. See 
supra note 117.
---------------------------------------------------------------------------

    A number of industry commenters objected to the FAQ about limiting 
sharing, arguing variously that this is not required and that they 
should only have to include in the response those bullets that apply to 
their sharing practices.\182\ The Agencies have determined to retain 
this FAQ with a revision to the bulleted list, as it helps consumers 
better understand what rights they have under Federal law and 
reinforces the message that information sharing may be limited but not 
stopped completely. The second bullet was revised to more closely track 
the provisions of the affiliate marketing rule. Finally, the Agencies 
have provided an optional sentence for institutions to elect to include 
at the end, as applicable, ``See below for more on your rights under 
state law,'' a reference to the state-specific privacy law information 
that an institution may include in the ``Other important information'' 
box.
---------------------------------------------------------------------------

    \182\ See, e.g., comment letters of American Council of Life 
Insurers (May 25, 2007); National Ass'n of Mutual Insurance Cos. 
(May 29, 2007).
---------------------------------------------------------------------------

    As discussed earlier, a number of commenters asked how an opt-out 
election can be applied to joint accountholders.\183\ This is addressed 
by a new FAQ on page two. Two optional responses are provided for 
institutions to use: The first states that an opt-out election by any 
joint accountholder will be applied to everyone on the account. The 
second provides that the opt-out election will be applied to everyone 
on the account unless the customer elects to have the opt-out apply 
only to him. Institutions must select one or the other as the response 
to this question.\184\
---------------------------------------------------------------------------

    \183\ See, e.g., comment letters of American Bankers Ass'n (May 
29, 2007); Discover Bank (May 29, 2007); Mastercard Worldwide (May 
29, 2007); Huntington National Bank (May 25, 2007).
    \184\ See also supra discussion section III.I.8.
---------------------------------------------------------------------------

2. Definitions
    In the final model privacy form, the definition of ``everyday 
business purposes'' has been deleted as superfluous, and the 
description of everyday business purposes has been consolidated in the 
disclosure table on page one. The other three definitions remain as 
proposed, with one modification.
    The Agencies make the following further clarification in response 
to some commenters.\185\ First, if an institution has no affiliates or 
does not share with its affiliates, it does not have to describe the 
categories of affiliates in this definition. Applicable responses in 
such conditions are, respectively: ``[name of financial institution] 
has no affiliates'' or ``[name of financial institution] does not share 
with our affiliates.''
---------------------------------------------------------------------------

    \185\ See, e.g., comment letters of Mastercard Worldwide (May 
29, 2007); Huntington National Bank (May 25, 2007); Consumer Bankers 
Ass'n (May 29, 2007); Wells Fargo & Company (May 29, 2007).
---------------------------------------------------------------------------

    Similarly, if an institution does not share for joint marketing or 
with nonaffiliated third parties outside of the section ----.14 and --
--.15 exceptions, applicable responses are: ``[name of financial 
institution] doesn't jointly market'' or ``[name of financial 
institution] does not share with nonaffiliates so they can market to 
you.''
    The Instructions have been modified with respect to an 
institution's sharing with its affiliates so that an institution must 
provide only an illustrative list of affiliates with which it shares, 
and not

[[Page 62907]]

a complete list. As proposed, when an institution shares with 
nonaffiliates or with other financial institutions to do joint 
marketing, the institution must describe the categories of entities 
with which it shares.\186\ While the Instructions provide illustrative 
examples of categories, institutions must provide examples consistent 
with their practices. The Instructions provide guidance on these 
points.\187\
---------------------------------------------------------------------------

    \186\ See sections ----.6(a)(3), ----.6(a)(5), ----.6(c)(3), and 
----.6(c)(4) of the privacy rule. The joint marketing provisions 
apply to joint marketing agreements with other financial 
institutions, but not to other types of arrangements with section --
--.13 service providers.
    \187\ See Instruction C.3(b) to the Model Privacy Form.
---------------------------------------------------------------------------

3. State and International Law Provisions
    To accommodate commenters' requests to incorporate state and 
international law provisions in the notice,\188\ the Agencies have 
added a new optional box at the end of the final model form called 
``Other important information.'' The size of the box is not limited 
(except where space constraints apply in the Online Form Builder, 
described below), and institutions may use a third page, as necessary, 
for the information in this box. To qualify for the safe harbor,\189\ 
institutions that elect to use this box can only use it for the 
following: (1) information about state and/or international privacy law 
requirements, as applicable; or (2) an acknowledgment form to create a 
record of having provided the notice. Certain institutions, for 
example, are required to include specific affiliate sharing information 
for Vermont residents or to meet other requirements under California 
law. Some insurance commenters noted that approximately 16 states have 
privacy laws that require insurers to provide notice of ``access and 
correction'' rights.\190\ Commenters noted that other states require 
disclosures about medical information.\191\ Some large institutions 
noted that they are required to provide international law information. 
Such information may be included in this new box. In addition, one 
association commenter, representing automobile dealers, specifically 
requested a place on the form to allow its members to obtain signatures 
from customers acknowledging that they had received a copy of the 
notice.\192\
---------------------------------------------------------------------------

    \188\ See, e.g., comment letters of American Bankers Ass'n (May 
25, 2007); American Council of Life Insurers (May 29, 2007); Bank of 
America Corporation (May 29, 1007); Citigroup Inc. (May 30, 2007); 
Consumer Bankers Ass'n (May 29, 2007); Consumer Mortgage Coalition 
(May 29, 2007); Countrywide Home Loans, Inc. (May 29, 2007); 
Discover Bank (May 29, 2007); Financial Services Institute (May 29, 
2007); Iowa Student Loan (May 22, 2007); KeyCorp (May 25, 2007); 
National Business Coalition on E-Commerce and Privacy (May 30, 
2007); National Retail Federation (May 29, 2007); National Ass'n of 
Mutual Insurance Cos. (May 29, 2007); Sovereign Bank (May 21, 2007); 
Wells Fargo (May 29, 2007); World's Foremost Bank (May 25, 2007); 
Direct Marketing Ass'n (May 29, 2007); Securities Industry and 
Financial Markets Ass'n (May 29, 2007); World Financial Capital Bank 
(May 25, 2007); World Financial Network National Bank (May 29, 
2007).
    \189\ The 10-point minimum font size applies to the contents of 
the ``Other important information box.'' In addition, while the safe 
harbor extends to including this box at the end of the model form, 
it does not extend to the content of the box. Institutions are 
responsible for ensuring that any statements made in this box are 
accurate.
    \190\ See, e.g., comment letters of American Insurance Ass'n 
(May 29, 2007); Great-West Life & Annuity Insurance Co. (May 29, 
2007).
    \191\ See, e.g., comment letters of American Council of Life 
Insurers (May 29, 2007); American Insurance Ass'n (May 29, 2007); 
Huntington National Bank (May 25, 2007).
    \192\ See comment letter of National Automobile Dealers Ass'n 
(May 29, 2007).
---------------------------------------------------------------------------

K. Other Issues

1. Highlighting Material Changes in Privacy Practices
    We sought comment on whether the model privacy form should 
highlight material changes in the notice. A number of industry 
commenters opposed this suggestion, citing consumer confusion.\193\ 
Some stated that the GLB Act requires revised notices when the 
institution's policy has changed.\194\ One advocacy group supported 
adding an extra column to the notice table highlighting specific 
changes made since the previous notice.\195\
---------------------------------------------------------------------------

    \193\ See, e.g., comment letters of American Council of Life 
Insurers (May 29, 2007); Consumer Bankers Ass'n (May 29, 2007); 
Citigroup Inc. (May 30, 2007); Mastercard Worldwide (May 29, 2007); 
Securities Industry and Financial Markets Ass'n (May 29, 2007).
    \194\ See comment letters of American Council of Life Insurers 
(May 29, 2007); Citigroup Inc. (May 30, 2007).
    \195\ See, e.g., comment letters of Center for Democracy and 
Technology (May 29, 2007); see also New York State Consumer 
Protection Board (May 29, 2007).
---------------------------------------------------------------------------

    After considering these comments, the Agencies determined that the 
simplest way to help consumers identify how recently the notice was 
changed is to include a ``revised [month/year]'' notation in the upper 
right-hand corner of page one of the notice. The revised date, in 
minimum 8-point font, is the date the policy was last revised.\196\ Of 
course, institutions can signal material changes in their policies by, 
for example, use of a cover letter that describes any changes.
---------------------------------------------------------------------------

    \196\ Adoption of the model form, with no change in policies or 
practices, would not constitute a revised notice, although 
institutions may elect to consider the format change as a revision, 
at their option. However, inserting the new affiliate marketing opt-
out in the model form would be a revision of the institution's 
policies and practices.
---------------------------------------------------------------------------

2. Safe Harbor
    A number of industry commenters expressed concern that the safe 
harbor provisions do not fully extend to the GLB Act requirements or do 
not extend to FCRA disclosures.\197\ These commenters seek broader safe 
harbor treatment for the use of the model form, notwithstanding the 
statutory provision that use of the model form will satisfy the notice 
requirements of the GLB Act and the privacy rule.
---------------------------------------------------------------------------

    \197\ See, e.g., comment letters of American Bankers Ass'n (May 
25, 2007); California Bankers Ass'n (May 25, 2007); Consumer Bankers 
Ass'n (May 29, 2007).
---------------------------------------------------------------------------

    The Agencies agree that the model form satisfies the requirements 
for the content of the notice required by the GLB Act, including 
sections ----.6 and ----.7 of the privacy rule; FCRA section 603(d) as 
described in section ----.6 of the privacy rule; and section ----.23 of 
the affiliate marketing rule. The Agencies note that the safe harbor 
applies to use of the model form, but does not and cannot extend to the 
institution-specific information that is inserted in the model form. 
Proper use of the model form to comply with the privacy rule requires 
that institutions accurately answer the questions about their 
information collection and sharing practices, as well as provide to 
consumers, as applicable, a reasonable means and opportunity to limit 
sharing and honor any opt-out requests submitted.
3. Online Form Builder
    Commenters generally supported the Agencies' proposal to provide a 
downloadable, fillable version of the model form that institutions 
could use to create their own customized notice.\198\ Many smaller 
institutions were particularly supportive, noting that it simplifies 
adoption and reduces their development costs.
---------------------------------------------------------------------------

    \198\ See, e.g., comment letters of American Insurance Ass'n 
(May 29, 2007); Center for Democracy and Technology (May 29, 2007); 
Citrus and Chemical Bank (May 24, 2007); Credit Union National Ass'n 
(May 29, 2007); Independent Community Bankers of America (May 29, 
2007); PayPal (May 29, 2007); Portage National Bank (May 1, 2007); 
Sovereign Bank (May 21, 2007).
---------------------------------------------------------------------------

    In response, the Agencies will be providing on each of their 
Websites a link to an Online Form Builder accessible by any institution 
so that the institution can readily create a unique, customized privacy 
notice using the model form template. The Agencies anticipate that a 
temporary Online Form Builder will be available in late 2009

[[Page 62908]]

and that a more robust version will be available to institutions in 
late 2010.
4. Web-Based Design
    Many industry and advocacy group commenters supported development 
of an optional Web-based design, especially as more and more consumers 
are engaging in online activities such as online banking.\199\ Some 
commenters asked the Agencies to test a design for usability. Some 
industry commenters cautioned that the Agencies should leave this task 
to industry as institutions are more knowledgeable and better equipped 
to address such a task.\200\
---------------------------------------------------------------------------

    \199\ See, e.g., comment letters of Center for Democracy and 
Technology (May 29, 2007); Investment Company Institute (May 29, 
2007); MasterCard Worldwide (May 29, 2007); National Business 
Coalition on E-Commerce and Privacy (May 30, 2007); PayPal (May 29, 
2007); Target National Bank (May 24, 2007).
    \200\ See, e.g., comment letters of American Bankers Ass'n (May 
25, 2007); American Council of Life Insurers (May 29, 2007); The 
Financial Services Roundtable and BITS (May 29, 2007); Huntington 
National Bank (May 25, 2007); National Retail Federation (May 29, 
2007); Securities Industry and Financial Markets Ass'n (May 29, 
2007); Wachovia Corporation (May 25, 2007).
---------------------------------------------------------------------------

    The Board and FTC have agreed to jointly undertake the development 
through consumer research of a Web-based version of the final model 
form. That research work will proceed independent of this rulemaking, 
will be reviewed by all the other Agencies, and will be made publicly 
available for use by all institutions. It is anticipated that the work 
will be completed in late 2009.
5. Electronic Delivery
    A number of commenters objected to limiting the electronic posting 
of the model form to a PDF format.\201\ Those expressing a view stated 
that providing the form in HTML is more compatible with their systems 
and easier for consumers to download and view. The Agencies agree that 
institutions can provide the notice electronically in either PDF or 
HTML format. Where consumers agree to electronic receipt of the notice, 
institutions can send the notice by email either by attaching the 
notice or providing a link to the notice.
---------------------------------------------------------------------------

    \201\ See, e.g., comment letters of Huntington National Bank 
(May 25, 2007); MasterCard Worldwide (May 29, 2007); PayPal (May 29, 
2007); Securities Industry and Financial Markets Ass'n (May 29, 
2007); Wachovia Corporation (May 25, 2007).
---------------------------------------------------------------------------

6. Other Comments
    Some commenters asked if the model form can be adopted for other 
languages.\202\ The Agencies believe that this would be beneficial to 
an institution's non-English speaking customers and note that 
institutions currently provide such notices, consistent with the 
privacy rule.
---------------------------------------------------------------------------

    \202\ See, e.g., comment letters of First Bank Americano (May 2, 
2007); First Hawaiian Bank (May 29, 2007); National Retail 
Federation (May 29, 2007).
---------------------------------------------------------------------------

    Many industry commenters wanted the flexibility to add other 
information to the form. For example, they asked to include information 
on the benefits of sharing; privacy tips and identity theft 
information; information about fraud prevention; and marketing.\203\ 
Some commenters asked that additional information such as seal 
information be included in the model form.\204\
---------------------------------------------------------------------------

    \203\ See, e.g., comment letters of American Bankers Ass'n (May 
25, 2007); Bank of America Corporation (May 29, 2007); Comerica Bank 
(May 25, 2007); Consumer Bankers Ass'n (May 29, 2007); Citigroup 
Inc. (May 30, 2007); First Hawaiian Bank (May 29, 2007); California 
Bankers Ass'n (May, 2007); Farmers & Merchants Bank (May 29, 2007); 
Financial Services Roundtable and BITS (May 29, 2007); Huntington 
National Bank (May 25, 2007); KeyCorp (May 25, 2007); Target 
National Bank (May 24, 2007); Wachovia Corporation (May 25, 2007); 
Wells Fargo & Company (May 29, 2007).
    \204\ See comment letters of PayPal (May 29, 2007); TrustE (May 
30, 2007).
---------------------------------------------------------------------------

    The Agencies considered these suggestions and decided not to permit 
the inclusion of additional information in the final model form. While 
an institution may believe this information is useful or important, we 
believe that the addition of such information to the model form defeats 
the purpose of providing a clear and usable notice about information 
sharing practices and consumer rights. The Agencies do not preclude an 
institution from providing such information in other, supplemental 
materials, if the institution wishes to do so.
    One commenter proposed requiring institutions that use the model 
form to also have a longer notice that complies with the privacy 
rule.\205\ One notice is sufficient if that notice complies with the 
law and the privacy rule.
---------------------------------------------------------------------------

    \205\ See comment letter of TRUSTe (May 30, 2007).
---------------------------------------------------------------------------

    Commenters also raised a number of other issues that are beyond the 
scope of this rulemaking. These include making the default opt-in 
rather than opt-out; eliminating the annual notice requirement; 
preempting state law requirements; and establishing an opt-out 
repository similar to the FTC's National ``Do Not Call'' Registry.\206\
---------------------------------------------------------------------------

    \206\ See, e.g., comment letters of America's Community Bankers 
(May 29, 2007); Bank of Edison (March 21, 2007); Bank of Frankewing 
(May 18, 2007); Central National Bank of Enid (May 24, 2007); 
FamilyFirst Bank (May 8, 2007); Florence Savings Bank (April 30, 
2007); Glenview State Bank (May 2, 2007); Hometown Bank (May 8, 
2007); Portage National Bank (May 1, 2007).
---------------------------------------------------------------------------

IV. The Sample Clauses

    As proposed, the Agencies are eliminating the Sample Clauses 
appended to the privacy rule along with the safe harbor or for SEC-
regulated entities, guidance, currently afforded entities.\207\ Many 
industry commenters opposed the proposal.\208\ Some commenters asked 
that we retain certain of the Sample Clauses, such as A-1, A-3, and A-
7, the use of which does not implicate an opt-out.\209\ Institutions 
expressed concern that elimination of the Sample Clauses and 
corresponding safe harbor would expose them to liability.\210\ A few 
commenters asked the Agencies to improve the current Sample Clauses as 
an interim measure.\211\ Several institutions requested that the 
Agencies at a minimum provide for a transition period that is longer 
than one year, if the Agencies determine to eliminate the Sample 
Clauses.\212\
---------------------------------------------------------------------------

    \207\ The Sample Clauses were originally provided in the privacy 
rule to illustrate the level of detail for notices to meet the rule 
requirements and to minimize the compliance burden. See 65 FR 33646, 
33677 (May 24, 2000) (FTC); 65 FR 35162, 35185 (June 1, 2000) 
(banking agencies); 65 FR 40334, 40357 (June 29, 2000) (SEC); 66 FR 
21236, 21238 (Apr. 27, 2001) (CFTC).
    \208\ See, e.g., comment letters of American Bankers Ass'n (May 
25, 2007); American Council of Life Insurers (May 29, 2007); 
American Insurance Ass'n (May 29, 2007); Bank of America Corporation 
(May 29, 2007); Consumer Bankers Ass'n (May 29, 2007); Citigroup 
Inc. (May 30, 2007); Direct Marketing Ass'n (May 29, 2007); 
Investment Adviser Ass'n (May 29, 2007); National Ass'n of Mutual 
Insurance Cos. (May 29, 2007); National Automobile Dealers Ass'n 
(May 29, 2007); National Business Coalition on E-Commerce and 
Privacy (May 30, 2007); T. Rowe Price Associates, Inc. (May 29, 
2007); Visa U.S.A., Inc. (May 29, 2007); Wisconsin Bankers Ass'n 
(May 29, 2007).
    \209\ See, e.g., comment letter of National Automobile Dealers 
Ass'n (May 29, 2007). Sample Clause A-1 describes the categories of 
information that an institution collects. Sample Clause A-3 includes 
the phrase ``as permitted by law'' to describe the sharing that 
institutions are permitted to do under sections ----.14 and ----.15 
without triggering an opt-out. Sample Clause A-7 generally states 
that an institution uses safeguard measures to protect the handling 
of the personal information it obtains.
    \210\ See, e.g., comment letters of Visa U.S.A., Inc. (May 29, 
2007); Citigroup Inc. (May 30, 2007); Huntington National Bank (May 
25, 2009).
    \211\ See, e.g., comment letter of Capital One Financial 
Corporation (May 29, 2007).
    \212\ See, e.g., comment letters of Direct Marketing Ass'n (May 
29, 2007); Investment Adviser Ass'n (May 29, 2007).
---------------------------------------------------------------------------

    Notwithstanding these comments, the Agencies are eliminating the 
Sample Clauses and related safe harbor (or guidance) from the privacy 
rule, following a transition period of one year.\213\ The initial 
public and media complaints about the incomprehensibility of the 
privacy notices,\214\ the plain language experts' guidance at the Get 
Noticed Workshop,

[[Page 62909]]

and the launch of this Notice Project all examined the problems with 
institutions' privacy notices, including their extensive use of the 
Sample Clauses, and the need to develop a usable consumer notice. These 
same factors led the Agencies to propose eliminating the Sample 
Clauses. One commenter agreed that the research showed the clauses 
``were found wanting.'' \215\ An association whose members generally 
found the model form to be more consumer-friendly than the Sample 
Clauses asked only that the Agencies provide a sufficient transition 
period before eliminating the Sample Clauses.\216\
---------------------------------------------------------------------------

    \213\ The Agencies are also making conforming amendments to 
sections ----.2, ----.6, and ----.7 of the privacy rule and to the 
Appendix with one small change from the Proposed Rule.
    \214\ See, e.g., Public Citizen Petition, supra note 24 at 4-9; 
Press Release of House Committee on Financial Services, supra note 
74.
    \215\ See comment letter of Capital One Financial Corporation 
(May 29, 2007).
    \216\ See comment letter of Independent Community Bankers Ass'n 
(May 29, 2007).
---------------------------------------------------------------------------

    In addition, the quantitative testing supports the Agencies' 
proposal to eliminate the Sample Clauses and related safe harbor. The 
Levy-Hastak Report confirms that a notice composed solely of the Sample 
Clauses promotes ease of scanning to perform simple tasks--because the 
notice is short and not because it is understandable--but the Sample 
Clauses do not do well on comprehension measures. Moreover, the testing 
showed that current notices--in which the Sample Clauses are typically 
embedded--do poorly on all measures.
    The Levy-Hastak Report examined the results when study participants 
were asked to choose between two banks based solely on the content of 
the notice and to give reason(s) why they selected a particular bank. 
Participants who saw the Sample Clause Notice were more likely to 
select the higher sharing bank because it offered an opt-out.\217\ When 
these participants were matched with their general attitudinal 
preferences toward sharing, the Levy-Hastak Report found that they 
generally favored less sharing.\218\ According to the Levy-Hastak 
Report, the data suggested that study participants who gave as the 
reason for their choice the availability of opt-outs ``may have 
mistakenly believed that this would lead them to choosing a lower 
sharing bank.'' \219\ In other words, participants who saw the Sample 
Clause Notice and selected the higher sharing bank because it offered 
opt-outs did not understand that a bank offering no opt-out did so 
because it shared less. This finding confirmed reports by small 
institutions.\220\
---------------------------------------------------------------------------

    \217\ The Levy-Hastak Report also found that study participants 
who saw the Current Notice were significantly more likely to give 
reasons not based on any information in the notice, for example, 
that Bank X offered a lower interest rate. These same participants 
were also less likely than those who saw the other notices to give 
cogent reasons for choosing the lower sharing bank. Levy-Hastak 
Report at 9.
    \218\ Id. at 15.
    \219\ Id. at 10.
    \220\ See supra note 133 and related text.
---------------------------------------------------------------------------

    Further, the NAIC Study,\221\ conducted in March 2005, examined 
several different insurance disclosure forms with participants in three 
focus groups. One was a generic form based on the sample clauses 
adopted in the NAIC Model Privacy Rule and similar in content to the 
Sample Clause Notice used in the Agencies' quantitative testing. The 
NAIC Study highlighted a key finding that is consistent with the 
Agencies' research findings. Among the study participants, there was 
general misunderstanding of and concern about the language in the form, 
in particular the phrase ``as permitted by law'' found in Sample Clause 
A-3. Participants in all three focus groups asked: (1) What does this 
phrase mean?; (2) what is the law and what does it permit?; and (3) 
what if the law changes? Participants who viewed this form did not know 
what to do with it and wanted some way to contact the company to get 
answers to their questions.
---------------------------------------------------------------------------

    \221\ See NAIC Study, supra note 141.
---------------------------------------------------------------------------

    Also, in the development of the model form, Kleimann found that 
consumers did not understand the language in Sample Clause A-7 
regarding the safeguarding of personal information. Through consumer 
testing, the description was revised to improve consumer comprehension.
    Finally, while many smaller institutions are most likely to engage 
in limited sharing and so would rely on the three Sample Clauses, A-1, 
A-3, and A-7, many of these institutions support the model form. They 
have stated that such a form would make it easier for them to 
demonstrate that they are less likely to share personal information, 
and it would allow for easier comparison of their sharing practices 
with those of other institutions.\222\ One large association commented 
that an informal survey of its community bank members found that ``many 
are likely to use the model forms'' and that ``[m]ost found the new 
forms more consumer-friendly than the existing sample clauses.'' \223\
---------------------------------------------------------------------------

    \222\ See, e.g., comment letters of Florence Savings Bank (April 
30, 2007); Community Bankers of America (May 29, 2007), Iowa State 
Bank and Trust Co. (May 22, 2007), Credit Union National Ass'n (May 
29, 2007); see also supra note 133 and related text.
    \223\ See comment letter of Independent Community Bankers of 
America (May 29, 2007).
---------------------------------------------------------------------------

    To ease the compliance burden for those institutions that currently 
have privacy notices based on the Sample Clauses, the Agencies are 
implementing a transition period that begins thirty (30) days after the 
date of publication and ends on December 31, 2010. Financial 
institutions will not be able to rely on the safe harbor by using the 
Sample Clauses in notices delivered or posted on or after January 1, 
2011.\224\ Privacy notices using the Sample Clauses that are delivered 
to consumers (either in paper form or by electronic delivery such as e-
mail) or, alternatively, are posted electronically to meet the annual 
notice requirement of section --.9(c) during the transition period, 
will have a safe harbor for one year after delivery or posting. Privacy 
notices using the Sample Clauses that are delivered or posted 
electronically after the transition period will not be eligible for a 
safe harbor. Since institutions are required to send notices annually 
to their customers, they may continue to rely on the safe harbor for 
annual notices that are delivered to consumers (either in paper form or 
by electronic delivery such as e-mail) within the transition period 
until the next annual privacy notice is due one year later.\225\ The 
Sample Clauses will be removed from codification one year after the 
transition period ends. The SEC, whose privacy rule provides only 
guidance and not a safe harbor for financial institutions that use the 
Sample Clauses, will also remove the Sample Clauses from codification 
one year after the transition period ends.\226\
---------------------------------------------------------------------------

    \224\ Institutions relying on the Sample Clauses appended to the 
SEC's privacy rule will not be able to rely on them for guidance in 
notices delivered or posted on or after January 1, 2011.
    \225\ For example, if an institution provides a notice using the 
Sample Clauses on or before December 31, 2010, it could continue to 
rely on the safe harbor for one additional year until its next 
annual notice is due. If an institution provides a notice using the 
Sample Clauses on or after January 1, 2011, however, it could not 
rely on the safe harbor. Privacy notices using the Sample Clauses 
posted on an institution's Web site to meet the annual notice 
requirements of section --.9(c) of the privacy rule would no longer 
be able to rely on the safe harbor beginning on January 1, 2011.
    \226\ See SEC privacy rule, section 248.2(a). The facts and 
circumstances of each individual situation determine whether use of 
the Sample Clauses constitutes compliance with the SEC's privacy 
rule.
---------------------------------------------------------------------------

    While the final model form would provide a legal safe harbor, 
institutions could continue to use other types of notices that vary 
from the model form, including notices that use the Sample Clauses, so 
long as these notices comply with the privacy rule.
    The Agencies are also amending section --.6(b) of the privacy rule. 
The FTC is deleting the second sentence of section 313.6(b) and 
substituting the following new sentence, based on the model form 
research: ``When describing the categories with respect to those

[[Page 62910]]

parties, it is sufficient to state that you make disclosures to other 
nonaffiliated companies for your everyday business purposes, such as to 
process transactions, maintain account(s), respond to court orders and 
legal investigations, and report to credit bureaus.'' The remaining 
Agencies (Board, CFTC, FDIC, NCUA, OCC, OTS, and SEC) are revising the 
second sentence of section --.6(b) to read as follows, based in part on 
the model form research: ``When describing the categories with respect 
to those parties, it is sufficient to state that you make disclosures 
to other nonaffiliated companies: (1) For your everyday business 
purposes, such as [include all that apply] to process transactions, 
maintain account(s), respond to court orders and legal investigations, 
or report to credit bureaus; or (2) As permitted by law.'' \227\
---------------------------------------------------------------------------

    \227\ Institutions using option (1) in this revised sentence to 
section --.6(b) are required to include all applicable examples. See 
12 CFR 40.6(b) (OCC); 12 CFR 216.6(b) (Board); 12 CFR 322.6(b) 
(FDIC); 12 CFR 573.6(b) (OTS); 12 CFR 716.6(b) (NCUA); 17 CFR 
160.6(b) (CFTC); 17 CFR 248.6(b) (SEC).
---------------------------------------------------------------------------

V. Effective Date

    The Agencies proposed that most of the provisions of the final rule 
would take effect on the date of publication.\228\ That approach would 
have allowed institutions that chose to use the model privacy form to 
receive the safe harbor for doing so immediately upon its publication. 
The Agencies received no comments on providing an immediate effective 
date for this portion of the rule. The only comments the Agencies 
received concerning the effective date of the rule pertained to removal 
of the Sample Clauses and related Appendix, as discussed in section IV.
---------------------------------------------------------------------------

    \228\ Proposed Rule, supra note 4, at section IV.
---------------------------------------------------------------------------

    The final rule makes most of the provisions effective 30 days after 
publication. This approach allows institutions to receive, with only a 
minimal delay, a safe harbor for using the model privacy form and the 
additional, alternative language that may be used to comply with 
section --.6(b) of the privacy rule. The Agencies believe that few, if 
any, institutions would choose to implement those changes in fewer than 
30 days. The 30-day delay will give institutions and the Agencies time 
to implement the changes properly.

VI. Final Regulatory Flexibility Analysis

    The Regulatory Flexibility Act (``RFA'') \229\ requires the 
Agencies to provide an Initial Regulatory Flexibility Analysis 
(``IRFA'') with a proposed rule and a Final Regulatory Flexibility 
Analysis (``FRFA'') with a final rule, unless the agency certifies that 
the rule will not have a significant economic impact on a substantial 
number of small entities. See 5 U.S.C. 603-605. An IRFA was published 
by the Agencies in their March 20, 2007, Proposed Rule regarding 
amendments to the rules implementing the privacy provisions of the GLB 
Act. The Agencies have prepared the following FRFA in accordance with 5 
U.S.C. 604.
---------------------------------------------------------------------------

    \229\ 5 U.S.C. 601-612.
---------------------------------------------------------------------------

A. Need For and Objectives of Rule Amendments

    The goal of the rule amendments is to satisfy the requirements of 
section 728 of the Regulatory Relief Act, which requires that the 
Agencies develop a model form that is comprehensible, clear and 
conspicuous, and succinct. The Act also requires that the model form 
enable consumers to easily identify a financial institution's sharing 
practices and compare those practices with others. The model form that 
the Agencies are adopting today will, if properly used, serve as a safe 
harbor for satisfying the privacy rules' requirements regarding content 
of privacy notices.
    As indicated in section I of the preamble to this final rule, the 
amendments to Appendix A of the Agencies' privacy rules are adopted 
pursuant to the authority set forth in Sec.  503 (as amended by section 
728 of the Regulatory Relief Act) and Sec.  504 of the GLB Act.\230\
---------------------------------------------------------------------------

    \230\ The SEC is also adopting the amendments under section 23 
of the Securities Exchange Act of 1934 [15 U.S.C. 78w], section 
38(a) of the Investment Company Act of 1940 [15 U.S.C. 80a-37(a)], 
and section 211(a) of the Investment Advisers Act of 1940 [15 U.S.C. 
80b-11(a)].
     The CFTC also is adopting the amendments under Section 504 of 
the GLB Act [15 U.S.C. 6804], and Sections 5g and 8a(5) of the 
Commodity Exchange Act [7 U.S.C. 7b-2, 12a(5)].
---------------------------------------------------------------------------

B. Significant Issues Raised by Public Comment

    The Agencies requested comments on the IRFA. We specifically 
requested comments on the number of small entities that would be 
affected by the rules' amendments, the existence or nature of the 
impact of the amendments on small entities, how to quantify the impact 
of the amendments, and possible alternatives to the amendments. 
Commenters were also asked whether a downloadable version of the model 
form would be useful for financial institutions, particularly small 
entities that would like to take advantage of the proposed safe harbor.
    Only one commenter directly addressed the IRFA.\231\ That commenter 
disagreed with the Agencies' analysis that some financial institutions 
that may wish to transition to the proposed model form might incur some 
small incremental costs in making the transition, but did not provide 
any explanation of why the analysis is incorrect or estimates regarding 
logistical costs that the commenter asserted would be significant. 
Several associations whose members include small entities, however, 
expressed support for the objectives of the proposed model notice.\232\ 
In addition, one association (many of whose members are small entities) 
found that many of its members that participated in an informal survey 
are likely to use the model forms and most found the forms more 
consumer-friendly than the Sample Clauses.\233\ Some commenters 
suggested that the model form is oriented to large, multi-affiliate 
financial institutions and does not accommodate smaller 
institutions.\234\ These commenters stated that the information 
collection policies described in the model form accurately reflect the 
practices of certain large financial institutions but are misleading to 
the extent they are beyond the scope of smaller financial institutions 
that do not offer banking-related products and services. In response to 
these and similar comments, the Agencies have revised the model form to 
allow financial institutions to select from a menu of specific 
disclosures to customize the descriptions of their information 
collection policies.\235\
---------------------------------------------------------------------------

    \231\ Comment letter of National Business Coalition on E-
Commerce and Privacy (May 30, 2007).
    \232\ See, e.g., joint comment letter of American Bankers Ass'n, 
America's Community Bankers, Consumer Bankers Ass'n, and The 
Financial Services Roundtable (May 29, 2007).
    \233\ See comment letter of Independent Community Bankers of 
America (May 29, 2007).
    \234\ See, e.g., comment letters of Financial Services Institute 
(May 29, 2007); Financial Planning Ass'n (May 30, 2007).
    \235\ See supra sections III.I.2 and III.J.1; see also infra, 
Instructions C.2(b) and C.3(a)(3) and (4) to the Model Privacy Form.
---------------------------------------------------------------------------

    Several commenters also requested that the Agencies retain the safe 
harbor regarding the Sample Clauses, noting that many small entities' 
privacy notices currently incorporate the Sample Clauses. One commenter 
explained that it would be burdensome and unnecessary for small 
entities to change their privacy notices, especially small entities 
that do not share personal information other than to service their 
clients' accounts.\236\ Another

[[Page 62911]]

commenter argued that elimination of the safe harbor for the Sample 
Clauses would transform the model form from an optional elective to a 
burdensome regulatory requirement, particularly for small 
entities.\237\ We note, however, that the research found that there was 
general misunderstanding of and concern among consumers about language 
in the notice based on the Sample Clauses.\238\ Nevertheless, partly in 
response to these comments, the Agencies are allowing financial 
institutions one year in which they can continue to rely on the Sample 
Clauses for safe harbor or guidance when providing notices. In 
addition, as noted above, while the Agencies are eliminating the Sample 
Clauses and related safe harbor (or, for the SEC, guidance), 
institutions may continue to use notices containing these clauses, so 
long as these notices comply with the privacy rule.
---------------------------------------------------------------------------

    \236\ See, e.g., comment letter of Investment Adviser Ass'n (May 
29, 2007).
    \237\ See, e.g., comment letter of National Automobile Dealers 
Ass'n (May 29, 2007).
    \238\ See supra section IV and discussion at notes 217-219 and 
related text. See also Public Citizen Petition, supra note 24, at 9 
(``The paragraph employs ambiguous phrases such as `other 
information' (what other information?), `unless otherwise permitted 
by law' (in actuality, the law almost always permits disclosure) * * 
*'').
---------------------------------------------------------------------------

    Finally, we received a limited number of comments indicating that a 
downloadable fillable model form may be helpful, especially to small 
entities.\239\ In response to these comments, the Agencies will make 
available an Online Form Builder. We expect the availability of this 
form will, in part, minimize the burden on small businesses of 
developing, using, and customizing the model form for their individual 
needs.
---------------------------------------------------------------------------

    \239\ See, e.g., comment letters of Financial Planning Ass'n 
(May 30, 2007); Center for Democracy and Technology (May 29, 2007).
---------------------------------------------------------------------------

C. Small Entities Subject to the Rules

    The amendments to Appendix A and conforming amendments to sections 
----.2, ----.6, and ----.7 of the Agencies' privacy rules may 
potentially affect financial institutions, including financial 
institutions that are small businesses or small organizations, that 
choose to rely on the model privacy form as a safe harbor.
    1. OCC. The OCC estimates that 690 insured national banks, 
uninsured national banks and trust companies, and foreign branches and 
agencies are small entities for purpose of the RFA.
    2. Board. The Board estimates that 432 state member banks are small 
entities for purposes of the RFA.
    3. FDIC. The FDIC estimates that 3115 state nonmember banks are 
small entities for purposes of the RFA.
    4. OTS. The OTS estimates that 377 small savings associations are 
small entities for purposes of the RFA.
    5. NCUA. The RFA requires NCUA to prepare an analysis to describe 
any significant economic impact a regulation may have on a substantial 
number of small credit unions (primarily those under $10 million in 
assets). The NCUA estimates that 3,168 federally-insured, state-
chartered credit unions are small entities for purposes of the RFA.
    6. FTC. Determining a precise estimate of the number of small 
entities that are financial institutions within the meaning of the rule 
is not readily feasible. The GLB Act does not identify for purposes of 
the Commission's jurisdiction any specific category of financial 
institution. In the absence of such information, there is no way to 
estimate precisely the number of affected entities that share nonpublic 
personal information with nonaffiliated third parties or that establish 
customer relationships with consumers and therefore assume greater 
disclosure obligations.
    7. CFTC. Section 5g of the CEA, 7 U.S.C. 7b-2, provides that any 
futures commission merchant, commodity trading advisor, commodity pool 
operator, or introducing broker that is subject to the jurisdiction of 
the CFTC with respect to any financial activity, shall be treated as a 
financial institution for purposes of Title V of the GLB Act, 
regardless of size and including commodity trading advisors and 
commodity pool operators that are exempt from the CEA's registration 
requirements. The CFTC has previously established certain definitions 
of ``small entities'' and determined that futures commission merchants 
and commodity pool operators are not small for purposes of the 
Regulatory Flexibility Act. Policy Statement and Establishment of 
Definitions of ``Small Entities,'' 47 FR 18,618 (Apr. 30, 1982). This 
rule applies to commodity trading advisors and introducing brokers of 
all sizes. Because use of the model privacy form is voluntary, and 
because its use is a form of substituted compliance with Part 160 and 
not a new mandatory burden, CFTC believes that the rule will not have a 
significant economic impact on a substantial number of small entities.
    8. SEC. The SEC estimates that 915 broker-dealers, 212 investment 
companies registered with the Commission, and 781 investment advisers 
registered with the Commission are small entities for purposes of the 
RFA.\240\
---------------------------------------------------------------------------

    \240\ For purposes of the RFA, under the Securities Exchange Act 
of 1934 a small entity is a broker or dealer that (i) had total 
capital of less than $500,000 on the date in its prior fiscal year 
as of which its audited financial statements were prepared or, if 
not required to file audited financial statements, on the last 
business day of its prior fiscal year, and (ii) is not affiliated 
with any person that is not a small business or small organization. 
17 CFR 240.0-10(c). Under the Investment Company Act of 1940, a 
``small entity'' is an investment company that, together with other 
investment companies in the same group of related investment 
companies, has net assets of $50 million or less as of the end of 
its most recent fiscal year. 17 CFR 270.0-10(a). Under the 
Investment Advisers Act of 1940, a small entity is an investment 
adviser that (i) manages less than $25 million in assets, (ii) has 
total assets of less than $5 million on the last day of its most 
recent fiscal year, and (iii) does not control, is not controlled 
by, and is not under common control with another investment adviser 
that manages $25 million or more in assets, or any person that had 
total assets of $5 million or more on the last day of the most 
recent fiscal year. 17 CFR 275.0-7(a).
---------------------------------------------------------------------------

    Because use of the model privacy form will be entirely voluntary, 
the Agencies cannot estimate how many small financial institutions will 
use it. The Agencies expect, however, that small financial 
institutions, particularly those that do not have permanent staff 
available to address compliance matters associated with the privacy 
rules, will be relatively more likely to rely on the model privacy form 
than larger institutions. We believe that most financial institutions 
currently have legal counsel review their privacy notices for 
compliance with the GLB Act, the FCRA, and the privacy rules. We 
anticipate that a financial institution that uses the model form for 
its privacy notice will need little review by legal counsel because the 
rules do not permit institutions to vary the form if they wish to 
obtain the benefit of a safe harbor, except as necessary within narrow 
parameters to identify their information collection, sharing, and opt-
out policies. Finally, the Agencies are providing an Online Form 
Builder that will enable institutions to directly create a customized 
model form and thus will facilitate compliance.

D. Reporting, Recordkeeping, and Other Compliance Requirements

    The amendments to the privacy rules do not impose any additional 
recordkeeping, reporting, disclosure, or compliance requirements. 
Financial institutions, including small entities, have been required to 
provide notice to consumers about the institution's privacy policies 
and practices since July 1, 2001 (or March 31, 2002, in the case of the 
CFTC). The amendments adopted today will not affect these requirements 
and financial institutions will be under no obligation to modify their 
current

[[Page 62912]]

privacy notices as a result of the amendments. Instead, the amendments 
provide a specific model privacy form that a financial institution may 
use to comply with notice requirements under the GLB Act, the FCRA (as 
amended by the FACT Act), and the privacy rules.
    Nonetheless, some of the financial institutions that rely on the 
Sample Clauses in the current privacy rules' appendixes may wish to 
transition to the model form and may incur some additional costs in 
making this transition.\241\ The Agencies expect, however, that the 
availability of a standardized model form will minimize these costs 
because the form's standardized formatting and language will make it 
easier for institutions to prepare and revise their privacy notices.
---------------------------------------------------------------------------

    \241\ To the extent that institutions review their privacy 
policies annually for compliance, we estimate that the costs 
associated with this annual review, including professional costs, 
will be approximately the same as the costs to complete the model 
form.
---------------------------------------------------------------------------

E. Action by the Agencies To Minimize Effects on Small Entities

    The RFA directs the Agencies to consider significant alternatives 
that would accomplish the stated objectives, while minimizing any 
significant adverse impact on small entities. In connection with the 
amendments, we considered the following alternatives:
    1. Different reporting or compliance standards. As noted above, the 
Regulatory Relief Act requires the Agencies to develop ``a'' model form 
that, among other things, will facilitate comparison of the information 
sharing practices of different financial institutions. In light of 
these statutory requirements, the Agencies are adopting only one model 
form, which includes alternative language in some places that allows a 
financial institution to describe its particular information collection 
and sharing practices. The specific model form that the Agencies are 
adopting today was developed as part of a careful and thorough consumer 
testing process designed to produce a clear, comprehensible, and 
comparable notice. The model form emerged as the most effective of 
several notice formats considered as part of this testing.
    2. Clarification, consolidation, or simplification of reporting and 
compliance requirements. The Agencies believe that the model form will 
simplify the reporting requirements for all entities, including small 
entities, that choose to use the model form. We anticipate that 
financial institutions that choose to use the model form will spend 
less time preparing notices than if they had to draft one on their own. 
Because the model form was developed as part of a consumer testing 
process, further clarifying, consolidating, or simplifying the model 
notice would compromise the research findings.
    3. Performance rather than design standards. Section 728 of the 
Regulatory Relief Act specifically requires that the Agencies develop a 
model form. The model form is an alternative means of providing a 
privacy notice that institutions may choose to use. The privacy rules 
do not mandate the format of privacy notices; thus, neither the privacy 
rules nor the amendments impose a design standard.
    4. Exempting small entities. We believe that an exemption for small 
entities would not be appropriate or desirable. The Agencies note that 
the model form is available for use at the discretion of all financial 
institutions, including small institutions. Moreover, two key 
objectives of the model form are that (1) consumers can understand an 
institution's information sharing practices and (2) they may more 
easily compare financial institutions' sharing practices and policies 
across privacy notices. An exemption for small entities would directly 
conflict with both of these key objectives, particularly that of 
enabling comparison across notices.

VII. Paperwork Reduction Act

    The final privacy rules governing the privacy of consumer financial 
information contain disclosures that are considered collections of 
information under the Paperwork Reduction Act (PRA).\242\ Before the 
Agencies issued their privacy rules, they obtained approval from OMB 
for the collections. OMB control numbers for the collections appear 
below. The amendments adopted today do not introduce any new 
collections of information into the Agencies' privacy rules, nor do 
they amend the rules in a way that substantively modifies the 
collections of information that OMB has approved. Therefore, no PRA 
submissions to OMB are required.
---------------------------------------------------------------------------

    \242\ 44 U.S.C. 3501-3520.
---------------------------------------------------------------------------

    OCC: Control number 1557-0216.
    Board: Control number 7100-0294.
    FDIC: Control number 3064-0136.
    OTS: Control number 1550-0103.
    NCUA: Control number 3133-0163.
    FTC: Control number 3084-0121.
    SEC: Control number 3235-0537.
    CFTC: Control number 3038-0055.

VIII. OCC and OTS Executive Order 12866 Determination

    The OCC and OTS have determined that their respective portions of 
the final rule are not a significant regulatory action under Executive 
Order 12866. We have concluded that the changes made by this rule will 
not have an annual effect on the economy of $100 million or more, and 
does not meet any of the other standards for a significant action set 
forth in E.O. 12866.

IX. OCC and OTS Executive Order 13132 Determination

    The OCC and OTS have determined that their respective portions of 
the final rule do not have any federalism implications, as required by 
Executive Order 13132.

X. OCC and OTS Unfunded Mandates Reform Act of 1995 Determination

    Section 202 of the Unfunded Mandates Reform Act of 1995, Public Law 
104-4 (UMRA), requires that an agency prepare a budgetary impact 
statement before promulgating a rule that includes a Federal mandate 
that may result in the expenditure by State, local, and tribal 
governments, in the aggregate, or by the private sector of $100 million 
or more (adjusted annually for inflation) in any one year. The 
inflation adjusted threshold is $133 million or more. If a budgetary 
impact statement is required, section 205 of the UMRA also requires an 
agency to identify and consider a reasonable number of regulatory 
alternatives before promulgating a rule. The OCC and OTS have each 
determined that their respective portions of the final rule will not 
result in expenditures by State, local, and tribal governments, in the 
aggregate, or by the private sector, of $133 million or more in any one 
year. Accordingly, the final rule is not subject to section 202 of the 
UMRA.

XI. SEC Cost-Benefit Analysis

    The SEC is sensitive to the costs and benefits imposed by its 
rules. As discussed above, the amendments the Agencies are adopting 
today will replace the Sample Clauses included as guidance in 
Regulation S-P's Appendix A (17 CFR part 248, appendix A) with a model 
privacy form that financial institutions can choose to provide to 
consumers. The amendments are designed to implement section 728 of the 
Regulatory Relief Act. This Act directs the Agencies to ``jointly 
develop a model form which may be used, at the option of the financial 
institution, for the provision of disclosures under [section 503 of the 
GLB Act].''
    The SEC identified certain costs and benefits arising from these 
amendments and requested comments on all aspects of the associated 
cost-benefit analysis, including identification and assessment of any 
costs and benefits not discussed

[[Page 62913]]

in the analysis. The SEC also sought comments on the accuracy of its 
cost and benefit estimates and requested commenters to identify, 
discuss, analyze, and supply relevant data that would allow the SEC to 
improve its estimates. Finally, the SEC requested comments regarding 
the potential impact of the proposals on the U.S. economy on an annual 
basis.

A. Benefits

    The goal of the rules is to satisfy the requirements of section 728 
of the Regulatory Relief Act, which requires that the Agencies develop 
a model form that is comprehensible, clear and conspicuous, and 
succinct. The Act also requires that the model form enable consumers 
easily to identify a financial institution's sharing practices and 
compare those practices with others. The model form that the Agencies 
are adopting today will, if properly used, serve as a safe harbor for 
satisfying the privacy rule's requirements regarding the content of 
privacy notices.
    The SEC requested comments on all aspects of the benefits of the 
amendments as proposed. The SEC requested specific comments on 
available metrics to quantify these benefits and any other benefits 
commenters could identify, and requested commenters to identify sources 
of empirical data that could be used for such metrics. The SEC did not 
receive any comments in response to these requests.
    Use of the model form is voluntary, so a financial institution can 
determine for itself its costs and benefits in deciding whether using 
the model form would be suitable for its business and customers. 
However, new financial institutions will likely benefit from using the 
model privacy form because of the savings in time and resources that 
would otherwise be spent developing their own notices.
    The SEC also anticipates that financial institutions regulated by 
the SEC may benefit from the model privacy form's standardized 
formatting and language. The SEC believes that institutions currently 
review their Regulation S-P privacy policies annually. To the extent 
that these institutions are required to change their policies to 
reflect changes in their privacy practices, they may find it easier to 
use the model privacy form rather than revise their existing notices.
    Similarly, the SEC expects that revisions to an institution's 
privacy policies will be easier to record in the model form's 
standardized format. The SEC also anticipates that a financial 
institution that chooses to use the model notice will need little, if 
any, ongoing review by legal counsel because an institution cannot vary 
the form except within stated parameters as necessary to identify 
certain specific information collection, sharing, and opt-out policies.
    Before today's amendments, Appendix A of Regulation S-P contained 
Sample Clauses that the SEC interpreted as providing guidance, as 
opposed to a legal safe harbor. Institutions will therefore benefit 
from the certainty that proper use of the model notice entitles them to 
a safe harbor for disclosures required under the GLB Act and FCRA.\243\
---------------------------------------------------------------------------

    \243\ A number of commenters expressed concern that the safe 
harbor provisions might not fully extend to all GLB Act requirements 
or FCRA disclosures. See, e.g., comment letter of Citigroup Inc. 
(May 30, 2007). Several commenters further suggested the safe harbor 
should encompass state and private enforcement. See, e.g., comment 
letters of Consumer Bankers Ass'n (May 29, 2007); Financial Services 
Institute (May 29, 2007). In response to these comments, the 
Agencies have clarified the scope of the safe harbor. See supra 
section III.K.2.
---------------------------------------------------------------------------

    Consumers should also benefit from the model form through increased 
comprehension of and enhanced comparability among privacy policies. The 
model form was developed in an extensive consumer research testing 
process that sought to maximize consumers' ability to comprehend, use, 
and compare privacy notices. The model form emerged as the most 
effective of several notice formats considered as part of this testing. 
The SEC therefore anticipates that if financial institutions make 
widespread use of the model form, consumers' comprehension and their 
ability to use and compare privacy policies will be enhanced. 
Institutions also might benefit from consumers' enhanced ability to 
understand and use the notices to the extent that consumers have more 
trust and confidence in an institution's privacy policies because the 
consumers understand those policies.

B. Costs

    Since the model form is optional, the SEC cannot estimate the 
number of institutions that will adopt it. Accordingly, we cannot 
estimate total overall costs to use the model form by broker-dealers, 
investment advisers registered with the SEC, and investment companies 
that may use the model form. However, in the Proposed Rule, the SEC 
provided estimates of certain types of costs that could result from the 
proposed amendments.
    The SEC also sought comments on its cost estimates and the 
assumptions behind the estimates, as well as whether any of those costs 
would differ if the form were downloadable from a Web site. The 
majority of the comments we received predicted significant cost 
increases in preparation, distribution, and processing of privacy 
notices. Many commenters noted that the prohibition on double-sided 
printing and requirement of a separate third page for mail-in opt-outs, 
if any, would greatly increase printing costs and would result in 
significant environmental waste due to increased paper usage.\244\ 
Numerous commenters also raised concerns that the 8\1/2\; x 11-inch 
paper size requirement, coupled with the prohibition on incorporation 
of the model notice into other documents, essentially mandated a 
separate mailing for the model notice.\245\ Commenters concluded that 
separate mailing of privacy notices would result in significant postage 
costs and increase the likelihood that consumers would misplace or fail 
to read the notice because it no longer accompanied important 
documents.\246\ Several commenters suggested that these costs could 
result in lowered adoption rates for the model form.\247\ Based on 
these comments, the Agencies have revised the amendments to allow for 
double-sided printing and incorporation of the mail-in opt-out on the 
bottom of the first page, waiver of a mandatory 8\1/2\ x 11-inch paper 
size, and incorporation of the model notice into other documents. We 
believe these accommodations will result in greatly reducing the 
implementation costs commenters associated with adopting the model 
form.
---------------------------------------------------------------------------

    \244\ See, e.g., comment letters of Investment Adviser Ass'n 
(May 29, 2007) (estimating additional printing and mailing costs for 
larger investment advisory firms of $100,000 to more than $300,000 
per mailing); Securities Industry and Financial Markets Ass'n (May 
29, 2007) (estimating additional printing costs of $7.5 million per 
billion notices).
    \245\ See, e.g., comment letters of Investment Adviser Ass'n 
(May 29, 2007); Citigroup Inc. (May 30, 2007).
    \246\ See, e.g., comment letters of Financial Services 
Roundtable and BITS (May 29, 2007) (estimating cost to financial 
services industry of printing and mailing model form of 
approximately $400 million per billion notices); Citigroup Inc. (May 
30, 2007) (consumers ``are more likely to open and read mail that 
contains an `important' communication such as a billing statement 
than an unidentified standalone communication'').
    \247\ See, e.g., comment letter of Capital One Financial 
Corporation (May 29, 2007).
---------------------------------------------------------------------------

    We do not expect that financial institutions will incur additional 
disclosure costs in using the model privacy form because the notice 
requirements of Regulation S-P have been effective since July 1, 2001, 
and are not altered by the amendments. Moreover, financial institutions 
will be

[[Page 62914]]

under no obligation to adopt the model form or modify their current 
privacy notices. Presumably, financial institutions will not adopt the 
model form without first determining that associated costs are 
justified by the benefits.
    We anticipate that financial institutions that elect to use the 
model privacy form could incur some small, incremental developmental 
costs in making the transition from their current notices to the model 
form. These costs could include staff time to review the model form and 
its instructions and complete the model form. We expect these will be 
minimal because the language and format in the form are standardized 
and financial institutions can only customize very limited sections of 
the model privacy form. Institution-specific information is limited to 
contact information, selection from a menu of terms relating to 
information collection, ``yes'' or ``no'' answers and brief 
descriptions, as necessary, of the types of entities with which the 
institution shares personal information. Furthermore, the model form 
can be downloaded from a Web site so preparation costs should be 
minimal.
    Similarly, we believe that a financial institution that adopts the 
model privacy form would need little, if any, initial or annual review 
by legal counsel because almost all the disclosures in the form are 
already mandated under the current disclosure regime. One commenter 
disagreed and suggested that legal counsel at each financial 
institution will spend at least 50 hours initially and annually 
ensuring that the model form accurately reflects the institution's 
privacy practices.\248\ These estimates seem high because institutions 
already know their information collection and sharing practices and 
there is very little discretion the institution has in choosing from 
among a menu of terms to disclose that information on the model form. 
Even if those estimates are accurate, however, we believe that those 
legal costs would likely have been incurred with respect to any model 
form unless it conformed exactly to the institution's current form.
---------------------------------------------------------------------------

    \248\ See comment letter of Securities Industry and Financial 
Markets Ass'n (May 29, 2007).
---------------------------------------------------------------------------

    Transition costs may also include administrative, logistical, and 
training costs. For example, several commenters highlighted one-time 
costs stemming from rewriting notices, republishing brochures or 
notices, and revising or reprinting documents that incorporate current 
notices.\249\ We anticipate these costs will be minimal, if any, in 
part because the Agencies are allowing financial institutions a 
transition period of one year during which they can continue to rely on 
the Sample Clauses for safe harbor or guidance. Although an institution 
may choose to replace a current privacy notice with a model privacy 
notice, this should not require substantial rewriting because there are 
few drafting choices in the model form. In addition, the SEC believes 
it is unlikely that many financial institutions have stockpiles of more 
than one year's worth of privacy notices or documents that incorporate 
privacy notices on hand for distribution. Several commenters also 
raised concerns regarding increased customer service demands and the 
necessity for financial institutions to proactively take steps to 
address customer confusion. For example, one commenter noted that 
financial institutions would face one-time costs associated with 
revising or preparing explanatory material for training employees 
regarding the model form, such as scripts and responses for call 
centers.\250\ Since the amendments do not affect Regulation S-P's 
substantive requirements, we anticipate that any substantive questions 
about the institutions' privacy practices should already be addressed 
by existing explanatory materials. We anticipate any new explanatory 
material will be limited to questions regarding the revised format of 
the model form, which due to its standardized nature should be 
relatively simple to address.
---------------------------------------------------------------------------

    \249\ See comment letter of T. Rowe Price Associates, Inc. (May 
29, 2007).
    \250\ See comment letter of Investment Adviser Ass'n (May 29, 
2007).
---------------------------------------------------------------------------

    Insofar as the Sample Clauses in current Regulation S-P may have 
some value to some financial institutions, their phase-out under the 
amendments to the rules may create some costs to those institutions. 
However, we expect those costs to be minimal. As discussed above, the 
Agencies are giving financial institutions a transition period of one 
year during which they can continue to rely on the Sample Clauses for 
guidance or a safe harbor, which should allow time to minimize the 
transition costs for any institutions that adopt the model privacy 
form. Moreover, as noted above, elimination of the Sample Clauses as 
guidance does not mean that institutions that continue to use these 
clauses are in violation of the SEC's privacy rule. Institutions may 
continue to use notices containing these clauses so long as these 
notices comply with the privacy rule.
    Lastly, customers may experience certain costs associated with 
adoption of the model form. Several commenters suggested that the model 
form sacrifices greater consumer understanding about information 
sharing practices in exchange for a simplified notice format.\251\ 
Another commenter speculated that adoption of the model form would 
result in customer confusion and potential loss of customer trust due 
to the misimpression that financial institutions are changing their 
privacy policies.\252\ One commenter concluded that consumer confusion 
resulting from overly simplified disclosures would lead to unacceptably 
high opt-out rates and discourage use of the model form by financial 
institutions.\253\ As discussed above, the model form was developed in 
an extensive consumer research testing process that sought to maximize 
consumers' ability to comprehend, use, and compare privacy notices. The 
model form emerged as the most effective of several notice formats 
considered as part of this testing. Consequently, the SEC believes that 
any customer confusion that results from adoption of the model form 
will be minimal. Furthermore, we expect that any such confusion will be 
rapidly dissipated if financial institutions make widespread use of the 
model privacy form and consumers become more familiar with its 
contents.
---------------------------------------------------------------------------

    \251\ See, e.g., comment letter of Bank of America Corporation 
(May 29, 2007).
    \252\ See comment letter of Visa U.S.A. Inc. (May 29, 2007).
    \253\ See comment letter of Financial Services Institute (May 
29, 2007).
---------------------------------------------------------------------------

    Although the SEC cannot determine aggregate costs because of the 
unknown number of financial institutions that will adopt the model 
form, we expect each financial institution choosing to adopt the model 
form to incur minimal, if any, costs. As discussed above, we do not 
anticipate that financial institutions will incur additional disclosure 
costs in using the model privacy form because the substantive notice 
requirements of Regulation S-P have been effective since July 1, 2001, 
and are not altered by the amendments. We expect notice development and 
transition costs to be minimal because the language and format in the 
model form are standardized and financial institutions can only 
customize a few sections of the model form by selecting from among a 
menu of specific terms. Furthermore, the model form can be downloaded 
from a Web site so preparation costs should be minimal. Moreover, the 
Agencies are giving financial

[[Page 62915]]

institutions one year in which they can continue to rely on the Sample 
Clauses for safe harbor or guidance, which should allow time to 
minimize the transition costs for any institution that adopts the model 
privacy form.
    Similarly, the SEC expects any aggregate costs to consumers that 
may result from adoption of the model form to be minimal, if any. As 
discussed above, the model form emerged as the most effective of 
several notice formats in an extensive consumer research testing 
process that sought to maximize consumers' ability to comprehend, use, 
and compare privacy notices. We anticipate that any initial costs to 
consumers in the form of confusion or reduced understanding will be 
short-lived as increasing numbers of financial institutions use the 
model privacy form and consumers become more familiar with its contents 
and can use the form to compare notices more easily.

XII. SEC Consideration of Burden on Competition

    Securities Exchange Act Section 23(a)(2) requires the SEC, in 
adopting rules under that Act, to consider the impact that any such 
rule will have on competition.\254\ Section 23(a)(2) also prohibits the 
SEC from adopting any rule that will impose a burden on competition not 
necessary or appropriate in furtherance of the purposes of the 
Securities Exchange Act.
---------------------------------------------------------------------------

    \254\ See 15 U.S.C. 78w(a)(2).
---------------------------------------------------------------------------

    As discussed above, the amendments to Regulation S-P, including the 
model form, are designed to comply with section 728 of the Regulatory 
Relief Act, mandating that the Agencies develop a model form that is 
comprehensible, clear and conspicuous, and succinct. SEC-regulated 
institutions will be able to use the model form in order to comply with 
the notice requirements under the GLB Act, the FCRA, and Regulation S-
P.
    The SEC does not expect the amendments to have a significant impact 
on competition. Use of the model form will be voluntary, permitting a 
financial institution to determine whether using the model form will 
enhance its competitive position. All brokers and dealers, investment 
companies, and registered investment advisers will be able to use the 
model form and take advantage of the safe harbor. Other financial 
institutions will be able to use the form and take advantage of the 
safe harbor under comparable rules adopted by the other Agencies. Under 
the Regulatory Relief Act, the Agencies have worked in consultation in 
order to ensure the consistency and comparability of the amendments. 
Therefore, all financial institutions will have the same opportunity to 
use the model form and rely on the safe harbor.
    Further, if financial institutions choose to use the model form, 
the amendments could promote competition by enabling consumers more 
easily to understand and compare competing institutions' privacy 
policies. The SEC also anticipates that the model form's standardized 
formatting may reduce the relative burden of compliance on smaller 
financial institutions, allowing them to compete more effectively with 
larger institutions that are more likely to have a dedicated compliance 
staff. As such, the SEC expects any impact on competition caused by the 
amendments would not be significant.

XIII. NCUA: The Treasury and General Government Appropriations Act, 
1999-Assessment of Federal Regulations and Policies on Families

    The NCUA has determined that this rule will not affect family well-
being within the meaning of section 654 of the Treasury and General 
Government Appropriations Act, 1999, Public Law 105-277, 112 Stat. 2681 
(1998).

XIV. CFTC Cost-Benefit Analysis

    Section 15 of the Commodity Exchange Act requires the CFTC to 
consider the costs and benefits of its action before issuing a new 
regulation under the Act. The CFTC understands that, by its terms, 
section 15 does not require the CFTC to quantify the costs and benefits 
of a new regulation or to determine whether the benefits of the 
regulation outweigh its costs. Nor does it require that each rule be 
analyzed piecemeal or in isolation when that rule is a component of a 
larger package of rules or rule revisions. Rather, section 15 simply 
requires the CFTC to ``consider the costs and benefits'' of its action.
    Section 15 further specifies that costs and benefits shall be 
evaluated in light of five broad areas of market and public concern: 
Protection of market participants and the public; efficiency, 
competitiveness, and financial integrity of futures markets; price 
discovery; sound risk management practices; and other public interest 
considerations. Accordingly, the CFTC could in its discretion give 
greater weight to any one of the five enumerated areas of concern and 
could in its discretion determine that, notwithstanding its costs, a 
particular rule was necessary or appropriate to protect the public 
interest or to effectuate any of the provisions or to accomplish any of 
the purposes of the Act.
    The CFTC has considered the costs and benefits of the model form as 
a totality. The form provides a non-mandatory means of complying with 
existing requirements of the privacy provisions of the GLB Act and 
section 5g of the CEA, and thus imposes no mandatory new costs. The 
CFTC believes that the model form should benefit futures industry 
consumer customers in better understanding a financial institution's 
privacy policies, and may facilitate customers in comparing the privacy 
policies of financial institutions.

List of Subjects

12 CFR Part 40

    Banks, banking, Consumer protection, National banks, Privacy, 
Reporting and recordkeeping requirements.

12 CFR Part 216

    Banks, banking, Consumer protection, Foreign banking, Holding 
companies, Privacy, Reporting and recordkeeping requirements.

12 CFR Part 332

    Banks, banking, Consumer protection, Foreign banking, Privacy, 
Reporting and recordkeeping requirements.

12 CFR Part 573

    Consumer protection, Privacy, Reporting and recordkeeping 
requirements, Savings associations.

12 CFR Part 716

    Consumer protection, Credit unions, Privacy, Reporting and 
recordkeeping requirements.

16 CFR Part 313

    Consumer protection, Credit, Privacy, Reporting and recordkeeping 
requirements, Trade practices.

17 CFR Part 160

    Brokers, Consumer protection, Privacy, Reporting and recordkeeping 
requirements.

17 CFR Part 248

    Brokers, Consumer protection, Investment companies, Privacy, 
Reporting and recordkeeping requirements, Securities.

[[Page 62916]]

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Chapter I

Authority and Issuance

0
For the reasons set forth in the joint preamble, part 40 of chapter I 
of title 12 of the Code of Federal Regulations is amended as follows:

PART 40--PRIVACY OF CONSUMER FINANCIAL INFORMATION

0
1. The authority citation for part 40 continues to read as follows:

    Authority: 12 U.S.C. 93a; 15 U.S.C. 6801 et seq.


0
2. Revise Sec.  40.2 to read as follows:


Sec.  40.2  Model privacy form and examples.

    (a) Model privacy form. Use of the model privacy form in Appendix A 
of this part, consistent with the instructions in Appendix A, 
constitutes compliance with the notice content requirements of 
Sec. Sec.  40.6 and 40.7 of this part, although use of the model 
privacy form is not required.
    (b) Examples. The examples in this part are not exclusive. 
Compliance with an example, to the extent applicable, constitutes 
compliance with this part.

0
3. In Sec.  40.6:
0
A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set 
forth below.
0
B. Effective January 1, 2012, remove paragraph (g).


Sec.  40.6  Information to be included in privacy notices.

* * * * *
    (b) Description of nonaffiliated third parties subject to 
exceptions. If you disclose nonpublic personal information to third 
parties as authorized under Sec. Sec.  40.14 and 40.15, you are not 
required to list those exceptions in the initial or annual privacy 
notices required by Sec. Sec.  40.4 and 40.5. When describing the 
categories with respect to those parties, it is sufficient to state 
that you make disclosures to other nonaffiliated companies:
    (1) For your everyday business purposes, such as [include all that 
apply] to process transactions, maintain account(s), respond to court 
orders and legal investigations, or report to credit bureaus; or
    (2) As permitted by law.
* * * * *
    (f) Model privacy form. Pursuant to Sec.  40.2(a) of this part, a 
model privacy form that meets the notice content requirements of this 
section is included in Appendix A of this part.
    (g) Sample clauses. Sample clauses illustrating some of the notice 
content required by this section are included in Appendix B of this 
part. Use of a sample clause in a privacy notice provided on or before 
December 31, 2010, to the extent applicable, constitutes compliance 
with this part.


0
4. In Sec.  40.7, add paragraph (i) to read as follows:


Sec.  40.7  Form of opt-out notice to consumers; opt-out methods.

* * * * *
    (i) Model privacy form. Pursuant to Sec.  40.2(a) of this part, a 
model privacy form that meets the notice content requirements of this 
section is included in Appendix A of this part.

Appendix A [Redesignated as Appendix B]

0
5. Redesignate Appendix A to part 40 as Appendix B to part 40.
0
6. Add new Appendix A to part 40 to read as follows:

Appendix A to Part 40--Model Privacy Form

A. The Model Privacy Form

BILLING CODE 6750-01-P 12.5%, 6351-01-P 12.5%, 6720-01-P 12.5%, 6714-
01-P 12.5%, 4810-33-P 12.5%, 6210-01-P 12.5%, 8011-01-P 12.5%, 7535-01-
P 12.5%

[[Page 62917]]

[GRAPHIC] [TIFF OMITTED] TR01DE09.000


[[Page 62918]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.001


[[Page 62919]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.002


[[Page 62920]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.003


[[Page 62921]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.004


[[Page 62922]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.005


[[Page 62923]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.006

BILLING CODE 6750-01-P 12.5%, 6351-01-C 12.5%, 6720-01-C 12.5%, 6714-
01-C 12.5%, 4810-33-C 12.5%, 6210-01-C 12.5%, 8011-01-C 12.5%, 7535-01-
C 12.5%

B. General Instructions

1. How the Model Privacy Form Is Used

    (a) The model form may be used, at the option of a financial 
institution, including a group of financial institutions that use a 
common privacy notice, to meet the content requirements of the 
privacy notice and opt-out notice set forth in Sec. Sec.  40.6 and 
40.7 of this part.
    (b) The model form is a standardized form, including page 
layout, content, format, style, pagination, and shading. 
Institutions seeking to obtain the safe harbor through use of the 
model form may modify it only as described in these Instructions.
    (c) Note that disclosure of certain information, such as assets, 
income, and information from a consumer reporting agency, may give 
rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 
1681-1681x] (FCRA), such as a requirement to permit a consumer to 
opt out of disclosures to affiliates or designation as a consumer 
reporting agency if disclosures are made to nonaffiliated third 
parties.
    (d) The word ``customer'' may be replaced by the word ``member'' 
whenever it appears in the model form, as appropriate.

2. The Contents of the Model Privacy Form

    The model form consists of two pages, which may be printed on 
both sides of a single sheet of paper, or may appear on two separate 
pages. Where an institution provides a long list of institutions at 
the end of the model form in accordance with Instruction C.3(a)(1), 
or provides additional information in accordance with Instruction 
C.3(c), and such list or additional information exceeds the space 
available on page two of the model form, such list or additional 
information may extend to a third page.
    (a) Page One. The first page consists of the following 
components:
    (1) Date last revised (upper right-hand corner).
    (2) Title.
    (3) Key frame (Why?, What?, How?).
    (4) Disclosure table (``Reasons we can share your personal 
information'').
    (5) ``To limit our sharing'' box, as needed, for the financial 
institution's opt-out information.
    (6) ``Questions'' box, for customer service contact information.
    (7) Mail-in opt-out form, as needed.
    (b) Page Two. The second page consists of the following 
components:
    (1) Heading (Page 2).
    (2) Frequently Asked Questions (``Who we are'' and ``What we 
do'').
    (3) Definitions.
    (4) ``Other important information'' box, as needed.

3. The Format of the Model Privacy Form

    The format of the model form may be modified only as described 
below.
    (a) Easily readable type font. Financial institutions that use 
the model form must use an easily readable type font. While a number 
of factors together produce easily readable type font, institutions 
are required to use a minimum of 10-point font (unless otherwise 
expressly permitted in these Instructions) and sufficient spacing 
between the lines of type.
    (b) Logo. A financial institution may include a corporate logo 
on any page of the notice, so long as it does not interfere with the 
readability of the model form or the space constraints of each page.
    (c) Page size and orientation. Each page of the model form must 
be printed on paper in portrait orientation, the size of which must 
be sufficient to meet the layout and minimum font size requirements, 
with sufficient white space on the top, bottom, and sides of the 
content.
    (d) Color. The model form must be printed on white or light 
color paper (such as cream) with black or other contrasting ink 
color. Spot color may be used to achieve visual interest, so long as 
the color contrast is distinctive and the color does not detract 
from the readability of the model form. Logos may also be printed in 
color.
    (e) Languages. The model form may be translated into languages 
other than English.

C. Information Required in the Model Privacy Form

    The information in the model form may be modified only as 
described below:

1. Name of the Institution or Group of Affiliated Institutions 
Providing the Notice

    Insert the name of the financial institution providing the 
notice or a common identity of affiliated institutions jointly 
providing the notice on the form wherever [name of financial 
institution] appears.

2. Page One

    (a) Last revised date. The financial institution must insert in 
the upper right-hand corner the date on which the notice was last 
revised. The information shall appear in minimum 8-point font as 
``rev. [month/year]'' using either the name or number of the month, 
such as ``rev. July 2009'' or ``rev. 7/09''.
    (b) General instructions for the ``What?'' box.
    (1) The bulleted list identifies the types of personal 
information that the institution collects and shares. All 
institutions must use the term ``Social Security number'' in the 
first bullet.
    (2) Institutions must use five (5) of the following terms to 
complete the bulleted list: income; account balances; payment 
history; transaction history; transaction or loss history; credit 
history; credit scores; assets; investment experience; credit-based 
insurance scores; insurance claim history; medical information; 
overdraft history; purchase history; account transactions; risk 
tolerance; medical-related debts; credit card or other debt; 
mortgage rates and payments; retirement assets; checking account 
information; employment information; wire transfer instructions.
    (c) General instructions for the disclosure table. The left 
column lists reasons for

[[Page 62924]]

sharing or using personal information. Each reason correlates to a 
specific legal provision described in paragraph C.2(d) of this 
Instruction. In the middle column, each institution must provide a 
``Yes'' or ``No'' response that accurately reflects its information 
sharing policies and practices with respect to the reason listed on 
the left. In the right column, each institution must provide in each 
box one of the following three (3) responses, as applicable, that 
reflects whether a consumer can limit such sharing: ``Yes'' if it is 
required to or voluntarily provides an opt-out; ``No'' if it does 
not provide an opt-out; or ``We don't share'' if it answers ``No'' 
in the middle column. Only the sixth row (``For our affiliates to 
market to you'') may be omitted at the option of the institution. 
See paragraph C.2(d)(6) of this Instruction.
    (d) Specific disclosures and corresponding legal provisions.
    (1) For our everyday business purposes. This reason incorporates 
sharing information under Sec. Sec.  40.14 and 40.15 and with 
service providers pursuant to Sec.  40.13 of this part other than 
the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these 
Instructions.
    (2) For our marketing purposes. This reason incorporates sharing 
information with service providers by an institution for its own 
marketing pursuant to Sec.  40.13 of this part. An institution that 
shares for this reason may choose to provide an opt-out.
    (3) For joint marketing with other financial companies. This 
reason incorporates sharing information under joint marketing 
agreements between two or more financial institutions and with any 
service provider used in connection with such agreements pursuant to 
Sec.  40.13 of this part. An institution that shares for this reason 
may choose to provide an opt-out.
    (4) For our affiliates' everyday business purposes--information 
about transactions and experiences. This reason incorporates sharing 
information specified in sections 603(d)(2)(A)(i) and (ii) of the 
FCRA. An institution that shares for this reason may choose to 
provide an opt-out.
    (5) For our affiliates' everyday business purposes--information 
about creditworthiness. This reason incorporates sharing information 
pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution 
that shares for this reason must provide an opt-out.
    (6) For our affiliates to market to you. This reason 
incorporates sharing information specified in section 624 of the 
FCRA. This reason may be omitted from the disclosure table when: the 
institution does not have affiliates (or does not disclose personal 
information to its affiliates); the institution's affiliates do not 
use personal information in a manner that requires an opt-out; or 
the institution provides the affiliate marketing notice separately. 
Institutions that include this reason must provide an opt-out of 
indefinite duration. An institution that is required to provide an 
affiliate marketing opt-out, but does not include that opt-out in 
the model form under this part, must comply with section 624 of the 
FCRA and 12 CFR part 41, subpart C, with respect to the initial 
notice and opt-out and any subsequent renewal notice and opt-out. An 
institution not required to provide an opt-out under this 
subparagraph may elect to include this reason in the model form.
    (7) For nonaffiliates to market to you. This reason incorporates 
sharing described in Sec. Sec.  40.7 and 40.10(a) of this part. An 
institution that shares personal information for this reason must 
provide an opt-out.
    (e) To limit our sharing: A financial institution must include 
this section of the model form only if it provides an opt-out. The 
word ``choice'' may be written in either the singular or plural, as 
appropriate. Institutions must select one or more of the applicable 
opt-out methods described: telephone, such as by a toll-free number; 
a Web site; or use of a mail-in opt-out form. Institutions may 
include the words ``toll-free'' before telephone, as appropriate. An 
institution that allows consumers to opt out online must provide 
either a specific Web address that takes consumers directly to the 
opt-out page or a general Web address that provides a clear and 
conspicuous direct link to the opt-out page. The opt-out choices 
made available to the consumer who contacts the institution through 
these methods must correspond accurately to the ``Yes'' responses in 
the third column of the disclosure table. In the part titled 
``Please note'' institutions may insert a number that is 30 or 
greater in the space marked ``[30].'' Instructions on voluntary or 
state privacy law opt-out information are in paragraph C.2(g)(5) of 
these Instructions.
    (f) Questions box. Customer service contact information must be 
inserted as appropriate, where [phone number] or [Web site] appear. 
Institutions may elect to provide either a phone number, such as a 
toll-free number, or a Web address, or both. Institutions may 
include the words ``toll-free'' before the telephone number, as 
appropriate.
    (g) Mail-in opt-out form. Financial institutions must include 
this mail-in form only if they state in the ``To limit our sharing'' 
box that consumers can opt out by mail. The mail-in form must 
provide opt-out options that correspond accurately to the ``Yes'' 
responses in the third column in the disclosure table. Institutions 
that require customers to provide only name and address may omit the 
section identified as ``[account ].'' Institutions that 
require additional or different information, such as a random opt-
out number or a truncated account number, to implement an opt-out 
election should modify the ``[account ]'' reference 
accordingly. This includes institutions that require customers with 
multiple accounts to identify each account to which the opt-out 
should apply. An institution must enter its opt-out mailing address: 
In the far right of this form (see version 3); or below the form 
(see version 4). The reverse side of the mail-in opt-out form must 
not include any content of the model form.
    (1) Joint accountholder. Only institutions that provide their 
joint accountholders the choice to opt out for only one 
accountholder, in accordance with paragraph C.3(a)(5) of these 
Instructions, must include in the far left column of the mail-in 
form the following statement: ``If you have a joint account, your 
choice(s) will apply to everyone on your account unless you mark 
below. [squ] Apply my choice(s) only to me.'' The word ``choice'' 
may be written in either the singular or plural, as appropriate. 
Financial institutions that provide insurance products or services, 
provide this option, and elect to use the model form may substitute 
the word ``policy'' for ``account'' in this statement. Institutions 
that do not provide this option may eliminate this left column from 
the mail-in form.
    (2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution 
shares personal information pursuant to section 603(d)(2)(A)(iii) of 
the FCRA, it must include in the mail-in opt-out form the following 
statement: ``[squ] Do not share information about my 
creditworthiness with your affiliates for their everyday business 
purposes.''
    (3) FCRA Section 624 opt-out. If the institution incorporates 
section 624 of the FCRA in accord with paragraph C.2(d)(6) of these 
Instructions, it must include in the mail-in opt-out form the 
following statement: ``[squ] Do not allow your affiliates to use my 
personal information to market to me.''
    (4) Nonaffiliate opt-out. If the financial institution shares 
personal information pursuant to Sec.  40.10(a) of this part, it 
must include in the mail-in opt-out form the following statement: 
``[squ] Do not share my personal information with nonaffiliates to 
market their products and services to me.''
    (5) Additional opt-outs. Financial institutions that use the 
disclosure table to provide opt-out options beyond those required by 
Federal law must provide those opt-outs in this section of the model 
form. A financial institution that chooses to offer an opt-out for 
its own marketing in the mail-in opt-out form must include one of 
the two following statements: ``[squ] Do not share my personal 
information to market to me.'' or ``[squ] Do not use my personal 
information to market to me.'' A financial institution that chooses 
to offer an opt-out for joint marketing must include the following 
statement: ``[squ] Do not share my personal information with other 
financial institutions to jointly market to me.''
    (h) Barcodes. A financial institution may elect to include a 
barcode and/or ``tagline'' (an internal identifier) in 6-point font 
at the bottom of page one, as needed for information internal to the 
institution, so long as these do not interfere with the clarity or 
text of the form.

3. Page Two

    (a) General Instructions for the Questions. Certain of the 
Questions may be customized as follows:
    (1) ``Who is providing this notice?'' This question may be 
omitted where only one financial institution provides the model form 
and that institution is clearly identified in the title on page one. 
Two or more financial institutions that jointly provide the model 
form must use this question to identify themselves as required by 
Sec.  40.9(f) of this part. Where the list of institutions exceeds 
four (4) lines, the institution must describe in the response to 
this question the general types of institutions jointly providing 
the notice and must separately identify those institutions, in 
minimum 8-point font, directly following the ``Other important

[[Page 62925]]

information'' box, or, if that box is not included in the 
institution's form, directly following the ``Definitions.'' The list 
may appear in a multi-column format.
    (2) ``How does [name of financial institution] protect my 
personal information?'' The financial institution may only provide 
additional information pertaining to its safeguards practices 
following the designated response to this question. Such information 
may include information about the institution's use of cookies or 
other measures it uses to safeguard personal information. 
Institutions are limited to a maximum of 30 additional words.
    (3) ``How does [name of financial institution] collect my 
personal information?'' Institutions must use five (5) of the 
following terms to complete the bulleted list for this question: 
Open an account; deposit money; pay your bills; apply for a loan; 
use your credit or debit card; seek financial or tax advice; apply 
for insurance; pay insurance premiums; file an insurance claim; seek 
advice about your investments; buy securities from us; sell 
securities to us; direct us to buy securities; direct us to sell 
your securities; make deposits or withdrawals from your account; 
enter into an investment advisory contract; give us your income 
information; provide employment information; give us your employment 
history; tell us about your investment or retirement portfolio; tell 
us about your investment or retirement earnings; apply for 
financing; apply for a lease; provide account information; give us 
your contact information; pay us by check; give us your wage 
statements; provide your mortgage information; make a wire transfer; 
tell us who receives the money; tell us where to send the money; 
show your government-issued ID; show your driver's license; order a 
commodity futures or option trade. Institutions that collect 
personal information from their affiliates and/or credit bureaus 
must include after the bulleted list the following statement: ``We 
also collect your personal information from others, such as credit 
bureaus, affiliates, or other companies.'' Institutions that do not 
collect personal information from their affiliates or credit bureaus 
but do collect information from other companies must include the 
following statement instead: ``We also collect your personal 
information from other companies.'' Only institutions that do not 
collect any personal information from affiliates, credit bureaus, or 
other companies can omit both statements.
    (4) ``Why can't I limit all sharing?'' Institutions that 
describe state privacy law provisions in the ``Other important 
information'' box must use the bracketed sentence: ``See below for 
more on your rights under state law.'' Other institutions must omit 
this sentence.
    (5) ``What happens when I limit sharing for an account I hold 
jointly with someone else?'' Only financial institutions that 
provide opt-out options must use this question. Other institutions 
must omit this question. Institutions must choose one of the 
following two statements to respond to this question: ``Your choices 
will apply to everyone on your account.'' or ``Your choices will 
apply to everyone on your account--unless you tell us otherwise.'' 
Financial institutions that provide insurance products or services 
and elect to use the model form may substitute the word ``policy'' 
for ``account'' in these statements.
    (b) General Instructions for the Definitions.
    The financial institution must customize the space below the 
responses to the three definitions in this section. This specific 
information must be in italicized lettering to set off the 
information from the standardized definitions.
    (1) Affiliates. As required by Sec.  40.6(a)(3) of this part, 
where [affiliate information] appears, the financial institution 
must:
    (i) If it has no affiliates, state: ``[name of financial 
institution] has no affiliates;''
    (ii) If it has affiliates but does not share personal 
information, state: ``[name of financial institution] does not share 
with our affiliates;'' or
    (iii) If it shares with its affiliates, state, as applicable: 
``Our affiliates include companies with a [common corporate identity 
of financial institution] name; financial companies such as [insert 
illustrative list of companies;] nonfinancial companies, such as 
[insert illustrative list of companies]; and others, such as [insert 
illustrative list].''
    (2) Nonaffiliates. As required by Sec.  40.6(c)(3) of this part, 
where [nonaffiliate information] appears, the financial institution 
must:
    (i) If it does not share with nonaffiliated third parties, 
state: ``[name of financial institution] does not share with 
nonaffiliates so they can market to you''; or
    (ii) If it shares with nonaffiliated third parties, state, as 
applicable: ``Nonaffiliates we share with can include [list 
categories of companies such as mortgage companies, insurance 
companies, direct marketing companies, and nonprofit 
organizations].''
    (3) Joint Marketing. As required by Sec.  40.13 of this part, 
where [joint marketing] appears, the financial institution must:
    (i) If it does not engage in joint marketing, state: ``[name of 
financial institution] doesn't jointly market''; or
    (ii) If it shares personal information for joint marketing, 
state, as applicable: ``Our joint marketing partners include [list 
categories of companies such as credit card companies].''
    (c) General instructions for the ``Other important information'' 
box. This box is optional. The space provided for information in 
this box is not limited. Only the following types of information can 
appear in this box.
    (1) State and/or international privacy law information; and/or
    (2) Acknowledgment of receipt form.


0
7. Amend newly redesignated Appendix B to part 40 as follows:
0
A. Add a new sentence to the beginning of the introductory text as set 
forth below.
0
B. Effective January 1, 2012, remove Appendix B to part 40.

Appendix B to Part 40--Sample Clauses

    This Appendix only applies to privacy notices provided before 
January 1, 2011. * * *
* * * * *

Federal Reserve System

12 CFR Chapter II

Authority and Issuance

0
For the reasons set forth in the joint preamble, the Board amends part 
216 of chapter II of title 12 of the Code of Federal Regulations as 
follows:

PART 216--PRIVACY OF CONSUMER FINANCIAL INFORMATION

0
8. The authority citation for part 216 continues to read as follows:

    Authority:  15 U.S.C. 6801 et seq.
0
9. Revise Sec.  216.2 to read as follows:


Sec.  216.2  Model privacy form and examples.

    (a) Model privacy form. Use of the model privacy form in Appendix A 
of this part, consistent with the instructions in Appendix A, 
constitutes compliance with the notice content requirements of 
Sec. Sec.  216.6 and 216.7 of this part, although use of the model 
privacy form is not required.
    (b) Examples. The examples in this part are not exclusive. 
Compliance with an example, to the extent applicable, constitutes 
compliance with this part.


0
10. In Sec.  216.6:
0
A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set 
forth below.
0
B. Effective January 1, 2012, remove paragraph (g).


Sec.  216.6  Information to be included in privacy notices.

* * * * *
    (b) Description of nonaffiliated third parties subject to 
exceptions. If you disclose nonpublic personal information to third 
parties as authorized under Sec. Sec.  216.14 and 216.15, you are not 
required to list those exceptions in the initial or annual privacy 
notices required by Sec. Sec.  216.4 and 216.5. When describing the 
categories with respect to those parties, it is sufficient to state 
that you make disclosures to other nonaffiliated companies:
    (1) For your everyday business purposes, such as [include all that 
apply] to process transactions, maintain account(s), respond to court 
orders and legal investigations, or report to credit bureaus; or
    (2) As permitted by law.
* * * * *
    (f) Model privacy form. Pursuant to Sec.  216.2(a) of this part, a 
model privacy

[[Page 62926]]

form that meets the notice content requirements of this section is 
included in Appendix A of this part.
    (g) Sample clauses. Sample clauses illustrating some of the notice 
content required by this section are included in Appendix B of this 
part. Use of a sample clause in a privacy notice provided on or before 
December 31, 2010, to the extent applicable, constitutes compliance 
with this part.


0
11. In Sec.  216.7, add paragraph (i) to read as follows:


Sec.  216.7  Form of opt-out notice to consumers; opt-out methods.

* * * * *
    (i) Model privacy form. Pursuant to Sec.  216.2(a) of this part, a 
model privacy form that meets the notice content requirements of this 
section is included in Appendix A of this part.

Appendix A [Redesignated as Appendix B]

0
12. Redesignate Appendix A to part 216 as Appendix B to part 216.


0
13. Add new Appendix A to part 216 to read as follows:

Appendix A to Part 216--Model Privacy Form

A. The Model Privacy Form

BILLING CODE 6750-01-P 12.5%, 6351-01-P 12.5%, 6720-01-P 12.5%, 6714-
01-P 12.5%, 4810-33-P 12.5%, 6210-01-P 12.5%, 8011-01-P 12.5%, 7535-01-
P 12.5%

[[Page 62927]]

[GRAPHIC] [TIFF OMITTED] TR01DE09.007


[[Page 62928]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.008


[[Page 62929]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.009


[[Page 62930]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.010


[[Page 62931]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.011


[[Page 62932]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.012


[[Page 62933]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.013

BILLING CODE 6750-01-C 12.5%, 6351-01-C 12.5%, 6720-01-C 12.5%, 6714-
01-C 12.5%, 4810-33-C 12.5%, 6210-01-C 12.5%, 8011-01-C 12.5%, 7535-01-
C 12.5%

B. General Instructions

1. How the Model Privacy Form Is Used

    (a) The model form may be used, at the option of a financial 
institution, including a group of financial institutions that use a 
common privacy notice, to meet the content requirements of the 
privacy notice and opt-out notice set forth in Sec. Sec.  216.6 and 
216.7 of this part.
    (b) The model form is a standardized form, including page 
layout, content, format, style, pagination, and shading. 
Institutions seeking to obtain the safe harbor through use of the 
model form may modify it only as described in these Instructions.
    (c) Note that disclosure of certain information, such as assets, 
income, and information from a consumer reporting agency, may give 
rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 
1681-1681x] (FCRA), such as a requirement to permit a consumer to 
opt out of disclosures to affiliates or designation as a consumer 
reporting agency if disclosures are made to nonaffiliated third 
parties.
    (d) The word ``customer'' may be replaced by the word ``member'' 
whenever it appears in the model form, as appropriate.

2. The Contents of the Model Privacy Form

    The model form consists of two pages, which may be printed on 
both sides of a single sheet of paper, or may appear on two separate 
pages. Where an institution provides a long list of institutions at 
the end of the model form in accordance with Instruction C.3(a)(1), 
or provides additional information in accordance with Instruction 
C.3(c), and such list or additional information exceeds the space 
available on page two of the model form, such list or additional 
information may extend to a third page.
    (a) Page One. The first page consists of the following 
components:
    (1) Date last revised (upper right-hand corner).
    (2) Title.
    (3) Key frame (Why?, What?, How?).
    (4) Disclosure table (``Reasons we can share your personal 
information'').
    (5) ``To limit our sharing'' box, as needed, for the financial 
institution's opt-out information.
    (6) ``Questions'' box, for customer service contact information.
    (7) Mail-in opt-out form, as needed.
    (b) Page Two. The second page consists of the following 
components:
    (1) Heading (Page 2).
    (2) Frequently Asked Questions (``Who we are'' and ``What we 
do'').
    (3) Definitions.
    (4) ``Other important information'' box, as needed.

3. The Format of the Model Privacy Form

    The format of the model form may be modified only as described 
below.
    (a) Easily readable type font. Financial institutions that use 
the model form must use an easily readable type font. While a number 
of factors together produce easily readable type font, institutions 
are required to use a minimum of 10-point font (unless otherwise 
expressly permitted in these Instructions) and sufficient spacing 
between the lines of type.
    (b) Logo. A financial institution may include a corporate logo 
on any page of the notice, so long as it does not interfere with the 
readability of the model form or the space constraints of each page.
    (c) Page size and orientation. Each page of the model form must 
be printed on paper in portrait orientation, the size of which must 
be sufficient to meet the layout and minimum font size requirements, 
with sufficient white space on the top, bottom, and sides of the 
content.
    (d) Color. The model form must be printed on white or light 
color paper (such as cream) with black or other contrasting ink 
color. Spot color may be used to achieve visual interest, so long as 
the color contrast is distinctive and the color does not detract 
from the readability of the model form. Logos may also be printed in 
color.
    (e) Languages. The model form may be translated into languages 
other than English.

C. Information Required in the Model Privacy Form

    The information in the model form may be modified only as 
described below:

1. Name of the Institution or Group of Affiliated Institutions 
Providing the Notice

    Insert the name of the financial institution providing the 
notice or a common identity of affiliated institutions jointly 
providing the notice on the form wherever [name of financial 
institution] appears.

2. Page One

    (a) Last revised date. The financial institution must insert in 
the upper right-hand corner the date on which the notice was last 
revised. The information shall appear in minimum 8-point font as 
``rev. [month/year]'' using either the name or number of the month, 
such as ``rev. July 2009'' or ``rev. 7/09''.
    (b) General instructions for the ``What?'' box.
    (1) The bulleted list identifies the types of personal 
information that the institution collects and shares. All 
institutions must use the term ``Social Security number'' in the 
first bullet.
    (2) Institutions must use five (5) of the following terms to 
complete the bulleted list: income; account balances; payment 
history; transaction history; transaction or loss history; credit 
history; credit scores; assets; investment experience; credit-based 
insurance scores; insurance claim history; medical information; 
overdraft history; purchase history; account transactions; risk 
tolerance; medical-related debts; credit card or other debt; 
mortgage rates and payments; retirement assets; checking account 
information; employment information; wire transfer instructions.
    (c) General instructions for the disclosure table. The left 
column lists reasons for

[[Page 62934]]

sharing or using personal information. Each reason correlates to a 
specific legal provision described in paragraph C.2(d) of this 
Instruction. In the middle column, each institution must provide a 
``Yes'' or ``No'' response that accurately reflects its information 
sharing policies and practices with respect to the reason listed on 
the left. In the right column, each institution must provide in each 
box one of the following three (3) responses, as applicable, that 
reflects whether a consumer can limit such sharing: ``Yes'' if it is 
required to or voluntarily provides an opt-out; ``No'' if it does 
not provide an opt-out; or ``We don't share'' if it answers ``No'' 
in the middle column. Only the sixth row (``For our affiliates to 
market to you'') may be omitted at the option of the institution. 
See paragraph C.2(d)(6) of this Instruction.
    (d) Specific disclosures and corresponding legal provisions.
    (1) For our everyday business purposes. This reason incorporates 
sharing information under Sec. Sec.  216.14 and 216.15 and with 
service providers pursuant to Sec.  216.13 of this part other than 
the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these 
Instructions.
    (2) For our marketing purposes. This reason incorporates sharing 
information with service providers by an institution for its own 
marketing pursuant to Sec.  216.13 of this part. An institution that 
shares for this reason may choose to provide an opt-out.
    (3) For joint marketing with other financial companies. This 
reason incorporates sharing information under joint marketing 
agreements between two or more financial institutions and with any 
service provider used in connection with such agreements pursuant to 
Sec.  216.13 of this part. An institution that shares for this 
reason may choose to provide an opt-out.
    (4) For our affiliates' everyday business purposes--information 
about transactions and experiences. This reason incorporates sharing 
information specified in sections 603(d)(2)(A)(i) and (ii) of the 
FCRA. An institution that shares for this reason may choose to 
provide an opt-out.
    (5) For our affiliates' everyday business purposes--information 
about creditworthiness. This reason incorporates sharing information 
pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution 
that shares for this reason must provide an opt-out.
    (6) For our affiliates to market to you. This reason 
incorporates sharing information specified in section 624 of the 
FCRA. This reason may be omitted from the disclosure table when: the 
institution does not have affiliates (or does not disclose personal 
information to its affiliates); the institution's affiliates do not 
use personal information in a manner that requires an opt-out; or 
the institution provides the affiliate marketing notice separately. 
Institutions that include this reason must provide an opt-out of 
indefinite duration. An institution that is required to provide an 
affiliate marketing opt-out, but does not include that opt-out in 
the model form under this part, must comply with section 624 of the 
FCRA and 12 CFR part 222, subpart C, with respect to the initial 
notice and opt-out and any subsequent renewal notice and opt-out. An 
institution not required to provide an opt-out under this 
subparagraph may elect to include this reason in the model form.
    (7) For nonaffiliates to market to you. This reason incorporates 
sharing described in Sec. Sec.  216.7 and 216.10(a) of this part. An 
institution that shares personal information for this reason must 
provide an opt-out.
    (e) To limit our sharing: A financial institution must include 
this section of the model form only if it provides an opt-out. The 
word ``choice'' may be written in either the singular or plural, as 
appropriate. Institutions must select one or more of the applicable 
opt-out methods described: telephone, such as by a toll-free number; 
a Website; or use of a mail-in opt-out form. Institutions may 
include the words ``toll-free'' before telephone, as appropriate. An 
institution that allows consumers to opt out online must provide 
either a specific Web address that takes consumers directly to the 
opt-out page or a general Web address that provides a clear and 
conspicuous direct link to the opt-out page. The opt-out choices 
made available to the consumer who contacts the institution through 
these methods must correspond accurately to the ``Yes'' responses in 
the third column of the disclosure table. In the part titled 
``Please note'' institutions may insert a number that is 30 or 
greater in the space marked ``[30].'' Instructions on voluntary or 
state privacy law opt-out information are in paragraph C.2(g)(5) of 
these Instructions.
    (f) Questions box. Customer service contact information must be 
inserted as appropriate, where [phone number] or [website] appear. 
Institutions may elect to provide either a phone number, such as a 
toll-free number, or a Web address, or both. Institutions may 
include the words ``toll-free'' before the telephone number, as 
appropriate.
    (g) Mail-in opt-out form. Financial institutions must include 
this mail-in form only if they state in the ``To limit our sharing'' 
box that consumers can opt out by mail. The mail-in form must 
provide opt-out options that correspond accurately to the ``Yes'' 
responses in the third column in the disclosure table. Institutions 
that require customers to provide only name and address may omit the 
section identified as ``[account ].'' Institutions that 
require additional or different information, such as a random opt-
out number or a truncated account number, to implement an opt-out 
election should modify the ``[account ]'' reference 
accordingly. This includes institutions that require customers with 
multiple accounts to identify each account to which the opt-out 
should apply. An institution must enter its opt-out mailing address: 
In the far right of this form (see version 3); or below the form 
(see version 4). The reverse side of the mail-in opt-out form must 
not include any content of the model form.
    (1) Joint accountholder. Only institutions that provide their 
joint accountholders the choice to opt out for only one 
accountholder, in accordance with paragraph C.3(a)(5) of these 
Instructions, must include in the far left column of the mail-in 
form the following statement: ``If you have a joint account, your 
choice(s) will apply to everyone on your account unless you mark 
below. [square] Apply my choice(s) only to me.'' The word ``choice'' 
may be written in either the singular or plural, as appropriate. 
Financial institutions that provide insurance products or services, 
provide this option, and elect to use the model form may substitute 
the word ``policy'' for ``account'' in this statement. Institutions 
that do not provide this option may eliminate this left column from 
the mail-in form.
    (2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution 
shares personal information pursuant to section 603(d)(2)(A)(iii) of 
the FCRA, it must include in the mail-in opt-out form the following 
statement: ``[square] Do not share information about my 
creditworthiness with your affiliates for their everyday business 
purposes.''
    (3) FCRA Section 624 opt-out. If the institution incorporates 
section 624 of the FCRA in accord with paragraph C.2(d)(6) of these 
Instructions, it must include in the mail-in opt-out form the 
following statement: ``[square] Do not allow your affiliates to use 
my personal information to market to me.''
    (4) Nonaffiliate opt-out. If the financial institution shares 
personal information pursuant to Sec.  216.10(a) of this part, it 
must include in the mail-in opt-out form the following statement: 
``[square] Do not share my personal information with nonaffiliates 
to market their products and services to me.''
    (5) Additional opt-outs. Financial institutions that use the 
disclosure table to provide opt-out options beyond those required by 
Federal law must provide those opt-outs in this section of the model 
form. A financial institution that chooses to offer an opt-out for 
its own marketing in the mail-in opt-out form must include one of 
the two following statements: ``[square] Do not share my personal 
information to market to me.'' or ``[square] Do not use my personal 
information to market to me.'' A financial institution that chooses 
to offer an opt-out for joint marketing must include the following 
statement: ``[square] Do not share my personal information with 
other financial institutions to jointly market to me.''
    (h) Barcodes. A financial institution may elect to include a 
barcode and/or ``tagline'' (an internal identifier) in 6-point font 
at the bottom of page one, as needed for information internal to the 
institution, so long as these do not interfere with the clarity or 
text of the form.

3. Page Two

    (a) General Instructions for the Questions. Certain of the 
Questions may be customized as follows:
    (1) ``Who is providing this notice?'' This question may be 
omitted where only one financial institution provides the model form 
and that institution is clearly identified in the title on page one. 
Two or more financial institutions that jointly provide the model 
form must use this question to identify themselves as required by 
Sec.  216.9(f) of this part. Where the list of institutions exceeds 
four (4) lines, the institution must describe in the response to 
this question the general types of institutions jointly providing 
the notice and must separately identify those institutions, in 
minimum 8-point font, directly following the ``Other important

[[Page 62935]]

information'' box, or, if that box is not included in the 
institution's form, directly following the ``Definitions.'' The list 
may appear in a multi-column format.
    (2) ``How does [name of financial institution] protect my 
personal information?'' The financial institution may only provide 
additional information pertaining to its safeguards practices 
following the designated response to this question. Such information 
may include information about the institution's use of cookies or 
other measures it uses to safeguard personal information. 
Institutions are limited to a maximum of 30 additional words.
    (3) ``How does [name of financial institution] collect my 
personal information?'' Institutions must use five (5) of the 
following terms to complete the bulleted list for this question: 
Open an account; deposit money; pay your bills; apply for a loan; 
use your credit or debit card; seek financial or tax advice; apply 
for insurance; pay insurance premiums; file an insurance claim; seek 
advice about your investments; buy securities from us; sell 
securities to us; direct us to buy securities; direct us to sell 
your securities; make deposits or withdrawals from your account; 
enter into an investment advisory contract; give us your income 
information; provide employment information; give us your employment 
history; tell us about your investment or retirement portfolio; tell 
us about your investment or retirement earnings; apply for 
financing; apply for a lease; provide account information; give us 
your contact information; pay us by check; give us your wage 
statements; provide your mortgage information; make a wire transfer; 
tell us who receives the money; tell us where to send the money; 
show your government-issued ID; show your driver's license; order a 
commodity futures or option trade. Institutions that collect 
personal information from their affiliates and/or credit bureaus 
must include after the bulleted list the following statement: ``We 
also collect your personal information from others, such as credit 
bureaus, affiliates, or other companies.'' Institutions that do not 
collect personal information from their affiliates or credit bureaus 
but do collect information from other companies must include the 
following statement instead: ``We also collect your personal 
information from other companies.''
Only institutions that do not collect any personal information from 
affiliates, credit bureaus, or other companies can omit both 
statements.
    (4) ``Why can't I limit all sharing?'' Institutions that 
describe state privacy law provisions in the ``Other important 
information'' box must use the bracketed sentence: ``See below for 
more on your rights under state law.'' Other institutions must omit 
this sentence.
    (5) ``What happens when I limit sharing for an account I hold 
jointly with someone else?'' Only financial institutions that 
provide opt-out options must use this question. Other institutions 
must omit this question. Institutions must choose one of the 
following two statements to respond to this question: ``Your choices 
will apply to everyone on your account.'' or ``Your choices will 
apply to everyone on your account--unless you tell us otherwise.'' 
Financial institutions that provide insurance products or services 
and elect to use the model form may substitute the word ``policy'' 
for ``account'' in these statements.
    (b) General Instructions for the Definitions.
    The financial institution must customize the space below the 
responses to the three definitions in this section. This specific 
information must be in italicized lettering to set off the 
information from the standardized definitions.
    (1) Affiliates. As required by Sec.  216.6(a)(3) of this part, 
where [affiliate information] appears, the financial institution 
must:
    (i) If it has no affiliates, state: ``[name of financial 
institution] has no affiliates'';
    (ii) If it has affiliates but does not share personal 
information, state: ``[name of financial institution] does not share 
with our affiliates''; or
    (iii) If it shares with its affiliates, state, as applicable: 
``Our affiliates include companies with a [common corporate identity 
of financial institution] name; financial companies such as [insert 
illustrative list of companies]; nonfinancial companies, such as 
[insert illustrative list of companies;] and others, such as [insert 
illustrative list].''
    (2) Nonaffiliates. As required by Sec.  216.6(c)(3) of this 
part, where [nonaffiliate information] appears, the financial 
institution must:
    (i) If it does not share with nonaffiliated third parties, 
state: ``[name of financial institution] does not share with 
nonaffiliates so they can market to you''; or
    (ii) If it shares with nonaffiliated third parties, state, as 
applicable: ``Nonaffiliates we share with can include [list 
categories of companies such as mortgage companies, insurance 
companies, direct marketing companies, and nonprofit 
organizations].''
    (3) Joint Marketing. As required by Sec.  216.13 of this part, 
where [joint marketing] appears, the financial institution must:
    (i) If it does not engage in joint marketing, state: ``[name of 
financial institution] doesn't jointly market''; or
    (ii) If it shares personal information for joint marketing, 
state, as applicable: ``Our joint marketing partners include [list 
categories of companies such as credit card companies].''
    (c) General instructions for the ``Other important information'' 
box. This box is optional. The space provided for information in 
this box is not limited. Only the following types of information can 
appear in this box.
    (1) State and/or international privacy law information; and/or
    (2) Acknowledgment of receipt form.


0
14. Amend newly redesignated Appendix B to part 216 as follows:
0
A. Add a new sentence to the beginning of the introductory text as set 
forth below.
0
B. Effective January 1, 2012, remove Appendix B to part 216.

Appendix B to Part 216--Sample Clauses

    This Appendix only applies to privacy notices provided before 
January 1, 2011. * * *
* * * * *

Federal Deposit Insurance Corporation

12 CFR Chapter III

Authority and Issuance

0
For the reasons set forth in the joint preamble, part 332 of chapter 
III of title 12 of the Code of Federal Regulations is amended as 
follows:

PART 332--PRIVACY OF CONSUMER FINANCIAL INFORMATION


0
15. The authority citation for part 332 continues to read as follows:

    Authority:  12 U.S.C. 1819 (Seventh and Tenth); 15 U.S.C. 6801 
et seq.
0
16. Revise Sec.  332.2 to read as follows:


Sec.  332.2  Model privacy form and examples.

    (a) Model privacy form. Use of the model privacy form in Appendix A 
of this part, consistent with the instructions in Appendix A, 
constitutes compliance with the notice content requirements of 
Sec. Sec.  332.6 and 332.7 of this part, although use of the model 
privacy form is not required.
    (b) Examples. The examples in this part are not exclusive. 
Compliance with an example, to the extent applicable, constitutes 
compliance with this part.


0
17. In Sec.  332.6:
0
A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set 
forth below.
0
B. Effective January 1, 2012, remove paragraph (g).


Sec.  332.6  Information to be included in privacy notices.

* * * * *
    (b) Description of nonaffiliated third parties subject to 
exceptions. If you disclose nonpublic personal information to third 
parties as authorized under Sec. Sec.  332.14 and 332.15, you are not 
required to list those exceptions in the initial or annual privacy 
notices required by Sec. Sec.  332.4 and 332.5. When describing the 
categories with respect to those parties, it is sufficient to state 
that you make disclosures to other nonaffiliated companies:
    (1) For your everyday business purposes, such as [include all that 
apply] to process transactions, maintain account(s), respond to court 
orders and legal investigations, or report to credit bureaus; or
    (2) As permitted by law.
* * * * *

[[Page 62936]]

    (f) Model privacy form. Pursuant to Sec.  332.2(a) of this part, a 
model privacy form that meets the notice content requirements of this 
section is included in Appendix A of this part.
    (g) Sample clauses. Sample clauses illustrating some of the notice 
content required by this section are included in Appendix B of this 
part. Use of a sample clause in a privacy notice provided on or before 
December 31, 2010, to the extent applicable, constitutes compliance 
with this part.


0
18. In Sec.  332.7, add paragraph (i) to read as follows:


Sec.  332.7  Form of opt-out notice to consumers; opt-out methods.

* * * * *
    (i) Model privacy form. Pursuant to Sec.  332.2(a) of this part, a 
model privacy form that meets the notice content requirements of this 
section is included in Appendix A of this part.

Appendix A [Redesignated as Appendix B]

0
19. Redesignate Appendix A to part 332 as Appendix B to part 332.
0
20. Add new Appendix A to part 332 to read as follows:

Appendix A to Part 332--Model Privacy Form

A. The Model Privacy Form

BILLING CODE 6750-01-P 12.5%, 6351-01-P 12.5%, 6720-01-P 12.5%, 6714-
01-P 12.5%, 4810-33-P 12.5%, 6210-01-P 12.5%, 8011-01-P 12.5%, 7535-01-
P 12.5%

[[Page 62937]]

[GRAPHIC] [TIFF OMITTED] TR01DE09.014


[[Page 62938]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.015


[[Page 62939]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.016


[[Page 62940]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.017


[[Page 62941]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.018


[[Page 62942]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.019


[[Page 62943]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.020

BILLING CODE 6750-01-C 12.5%, 6351-01-C 12.5%, 6720-01-C 12.5%, 6714-
01-C 12.5%, 4810-01-C 12.5%, 6210-01-C 12.5%, 8011-01-C 12.5%, 7535-01-
C 12.5%

B. General Instructions

1. How the Model Privacy Form Is Used

    (a) The model form may be used, at the option of a financial 
institution, including a group of financial institutions that use a 
common privacy notice, to meet the content requirements of the 
privacy notice and opt-out notice set forth in Sec. Sec.  332.6 and 
332.7 of this part.
    (b) The model form is a standardized form, including page 
layout, content, format, style, pagination, and shading. 
Institutions seeking to obtain the safe harbor through use of the 
model form may modify it only as described in these Instructions.
    (c) Note that disclosure of certain information, such as assets, 
income, and information from a consumer reporting agency, may give 
rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 
1681-1681x] (FCRA), such as a requirement to permit a consumer to 
opt out of disclosures to affiliates or designation as a consumer 
reporting agency if disclosures are made to nonaffiliated third 
parties.
    (d) The word ``customer'' may be replaced by the word ``member'' 
whenever it appears in the model form, as appropriate.

2. The Contents of the Model Privacy Form

    The model form consists of two pages, which may be printed on 
both sides of a single sheet of paper, or may appear on two separate 
pages. Where an institution provides a long list of institutions at 
the end of the model form in accordance with Instruction C.3(a)(1), 
or provides additional information in accordance with Instruction 
C.3(c), and such list or additional information exceeds the space 
available on page two of the model form, such list or additional 
information may extend to a third page.
    (a) Page One. The first page consists of the following 
components:
    (1) Date last revised (upper right-hand corner).
    (2) Title.
    (3) Key frame (Why?, What?, How?).
    (4) Disclosure table (``Reasons we can share your personal 
information'').
    (5) ``To limit our sharing'' box, as needed, for the financial 
institution's opt-out information.
    (6) ``Questions'' box, for customer service contact information.
    (7) Mail-in opt-out form, as needed.
    (b) Page Two. The second page consists of the following 
components:
    (1) Heading (Page 2).
    (2) Frequently Asked Questions (``Who we are'' and ``What we 
do'').
    (3) Definitions.
    (4) ``Other important information'' box, as needed.

3. The Format of the Model Privacy Form

    The format of the model form may be modified only as described 
below.
    (a) Easily readable type font. Financial institutions that use 
the model form must use an easily readable type font. While a number 
of factors together produce easily readable type font, institutions 
are required to use a minimum of 10-point font (unless otherwise 
expressly permitted in these Instructions) and sufficient spacing 
between the lines of type.
    (b) Logo. A financial institution may include a corporate logo 
on any page of the notice, so long as it does not interfere with the 
readability of the model form or the space constraints of each page.
    (c) Page size and orientation. Each page of the model form must 
be printed on paper in portrait orientation, the size of which must 
be sufficient to meet the layout and minimum font size requirements, 
with sufficient white space on the top, bottom, and sides of the 
content.
    (d) Color. The model form must be printed on white or light 
color paper (such as cream) with black or other contrasting ink 
color. Spot color may be used to achieve visual interest, so long as 
the color contrast is distinctive and the color does not detract 
from the readability of the model form. Logos may also be printed in 
color.
    (e) Languages. The model form may be translated into languages 
other than English.

C. Information Required in the Model Privacy Form

    The information in the model form may be modified only as 
described below:

1. Name of the Institution or Group of Affiliated Institutions 
Providing the Notice

    Insert the name of the financial institution providing the 
notice or a common identity of affiliated institutions jointly 
providing the notice on the form wherever [name of financial 
institution] appears.

2. Page One

    (a) Last revised date. The financial institution must insert in 
the upper right-hand corner the date on which the notice was last 
revised. The information shall appear in minimum 8-point font as 
``rev. [month/year]'' using either the name or number of the month, 
such as ``rev. July 2009'' or ``rev. 7/09''.
    (b) General instructions for the ``What?'' box.
    (1) The bulleted list identifies the types of personal 
information that the institution collects and shares. All 
institutions must use the term ``Social Security number'' in the 
first bullet.
    (2) Institutions must use five (5) of the following terms to 
complete the bulleted list: income; account balances; payment 
history; transaction history; transaction or loss history; credit 
history; credit scores; assets; investment experience; credit-based 
insurance scores; insurance claim history; medical information; 
overdraft history; purchase history; account transactions; risk 
tolerance; medical-related debts; credit card or other debt; 
mortgage rates and payments; retirement assets; checking account 
information; employment information; wire transfer instructions.
    (c) General instructions for the disclosure table. The left 
column lists reasons for

[[Page 62944]]

sharing or using personal information. Each reason correlates to a 
specific legal provision described in paragraph C.2(d) of this 
Instruction. In the middle column, each institution must provide a 
``Yes'' or ``No'' response that accurately reflects its information 
sharing policies and practices with respect to the reason listed on 
the left. In the right column, each institution must provide in each 
box one of the following three (3) responses, as applicable, that 
reflects whether a consumer can limit such sharing: ``Yes'' if it is 
required to or voluntarily provides an opt-out; ``No'' if it does 
not provide an opt-out; or ``We don't share'' if it answers ``No'' 
in the middle column. Only the sixth row (``For our affiliates to 
market to you'') may be omitted at the option of the institution. 
See paragraph C.2(d)(6) of this Instruction.
    (d) Specific disclosures and corresponding legal provisions.
    (1) For our everyday business purposes. This reason incorporates 
sharing information under Sec. Sec.  332.14 and 332.15 and with 
service providers pursuant to Sec.  332.13 of this part other than 
the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these 
Instructions.
    (2) For our marketing purposes. This reason incorporates sharing 
information with service providers by an institution for its own 
marketing pursuant to Sec.  332.13 of this part. An institution that 
shares for this reason may choose to provide an opt-out.
    (3) For joint marketing with other financial companies. This 
reason incorporates sharing information under joint marketing 
agreements between two or more financial institutions and with any 
service provider used in connection with such agreements pursuant to 
Sec.  332.13 of this part. An institution that shares for this 
reason may choose to provide an opt-out.
    (4) For our affiliates' everyday business purposes--information 
about transactions and experiences. This reason incorporates sharing 
information specified in sections 603(d)(2)(A)(i) and (ii) of the 
FCRA. An institution that shares for this reason may choose to 
provide an opt-out.
    (5) For our affiliates' everyday business purposes--information 
about creditworthiness. This reason incorporates sharing information 
pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution 
that shares for this reason must provide an opt-out.
    (6) For our affiliates to market to you. This reason 
incorporates sharing information specified in section 624 of the 
FCRA. This reason may be omitted from the disclosure table when: The 
institution does not have affiliates (or does not disclose personal 
information to its affiliates); the institution's affiliates do not 
use personal information in a manner that requires an opt-out; or 
the institution provides the affiliate marketing notice separately. 
Institutions that include this reason must provide an opt-out of 
indefinite duration. An institution that is required to provide an 
affiliate marketing opt-out, but does not include that opt-out in 
the model form under this part, must comply with section 624 of the 
FCRA and 12 CFR part 334, subpart C, with respect to the initial 
notice and opt-out and any subsequent renewal notice and opt-out. An 
institution not required to provide an opt-out under this 
subparagraph may elect to include this reason in the model form.
    (7) For nonaffiliates to market to you. This reason incorporates 
sharing described in Sec. Sec.  332.7 and 332.10(a) of this part. An 
institution that shares personal information for this reason must 
provide an opt-out.
    (e) To limit our sharing: A financial institution must include 
this section of the model form only if it provides an opt-out. The 
word ``choice'' may be written in either the singular or plural, as 
appropriate. Institutions must select one or more of the applicable 
opt-out methods described: Telephone, such as by a toll-free number; 
a Web site; or use of a mail-in opt-out form. Institutions may 
include the words ``toll-free'' before telephone, as appropriate. An 
institution that allows consumers to opt out online must provide 
either a specific Web address that takes consumers directly to the 
opt-out page or a general Web address that provides a clear and 
conspicuous direct link to the opt-out page. The opt-out choices 
made available to the consumer who contacts the institution through 
these methods must correspond accurately to the ``Yes'' responses in 
the third column of the disclosure table. In the part titled 
``Please note'' institutions may insert a number that is 30 or 
greater in the space marked ``[30].'' Instructions on voluntary or 
state privacy law opt-out information are in paragraph C.2(g)(5) of 
these Instructions.
    (f) Questions box. Customer service contact information must be 
inserted as appropriate, where [phone number] or [Web site] appear. 
Institutions may elect to provide either a phone number, such as a 
toll-free number, or a Web address, or both. Institutions may 
include the words ``toll-free'' before the telephone number, as 
appropriate.
    (g) Mail-in opt-out form. Financial institutions must include 
this mail-in form only if they state in the ``To limit our sharing'' 
box that consumers can opt out by mail. The mail-in form must 
provide opt-out options that correspond accurately to the ``Yes'' 
responses in the third column in the disclosure table. Institutions 
that require customers to provide only name and address may omit the 
section identified as ``[account ].'' Institutions that 
require additional or different information, such as a random opt-
out number or a truncated account number, to implement an opt-out 
election should modify the ``[account ]'' reference 
accordingly. This includes institutions that require customers with 
multiple accounts to identify each account to which the opt-out 
should apply. An institution must enter its opt-out mailing address: 
In the far right of this form (see version 3); or below the form 
(see version 4). The reverse side of the mail-in opt-out form must 
not include any content of the model form.
    (1) Joint accountholder. Only institutions that provide their 
joint accountholders the choice to opt out for only one 
accountholder, in accordance with paragraph C.3(a)(5) of these 
Instructions, must include in the far left column of the mail-in 
form the following statement: ``If you have a joint account, your 
choice(s) will apply to everyone on your account unless you mark 
below. [square] Apply my choice(s) only to me.'' The word ``choice'' 
may be written in either the singular or plural, as appropriate. 
Financial institutions that provide insurance products or services, 
provide this option, and elect to use the model form may substitute 
the word ``policy'' for ``account'' in this statement. Institutions 
that do not provide this option may eliminate this left column from 
the mail-in form.
    (2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution 
shares personal information pursuant to section 603(d)(2)(A)(iii) of 
the FCRA, it must include in the mail-in opt-out form the following 
statement: ``[square] Do not share information about my 
creditworthiness with your affiliates for their everyday business 
purposes.''
    (3) FCRA Section 624 opt-out. If the institution incorporates 
section 624 of the FCRA in accord with paragraph C.2(d)(6) of these 
Instructions, it must include in the mail-in opt-out form the 
following statement: ``[square] Do not allow your affiliates to use 
my personal information to market to me.''
    (4) Nonaffiliate opt-out. If the financial institution shares 
personal information pursuant to Sec.  332.10(a) of this part, it 
must include in the mail-in opt-out form the following statement: 
``[square] Do not share my personal information with nonaffiliates 
to market their products and services to me.''
    (5) Additional opt-outs. Financial institutions that use the 
disclosure table to provide opt-out options beyond those required by 
Federal law must provide those opt-outs in this section of the model 
form. A financial institution that chooses to offer an opt-out for 
its own marketing in the mail-in opt-out form must include one of 
the two following statements: ``[square] Do not share my personal 
information to market to me.'' or ``[square] Do not use my personal 
information to market to me.'' A financial institution that chooses 
to offer an opt-out for joint marketing must include the following 
statement: ``[square] Do not share my personal information with 
other financial institutions to jointly market to me.''
    (h) Barcodes. A financial institution may elect to include a 
barcode and/or ``tagline'' (an internal identifier) in 6-point font 
at the bottom of page one, as needed for information internal to the 
institution, so long as these do not interfere with the clarity or 
text of the form.

3. Page Two

    (a) General Instructions for the Questions. Certain of the 
Questions may be customized as follows:
    (1) ``Who is providing this notice?'' This question may be 
omitted where only one financial institution provides the model form 
and that institution is clearly identified in the title on page one. 
Two or more financial institutions that jointly provide the model 
form must use this question to identify themselves as required by 
Sec.  332.9(f) of this part. Where the list of institutions exceeds 
four (4) lines, the institution must describe in the response to 
this question the general types of institutions jointly providing 
the notice and must separately identify those institutions, in 
minimum 8-point font, directly following the ``Other important

[[Page 62945]]

information'' box, or, if that box is not included in the 
institution's form, directly following the ``Definitions.'' The list 
may appear in a multi-column format.
    (2) ``How does [name of financial institution] protect my 
personal information?'' The financial institution may only provide 
additional information pertaining to its safeguards practices 
following the designated response to this question. Such information 
may include information about the institution's use of cookies or 
other measures it uses to safeguard personal information. 
Institutions are limited to a maximum of 30 additional words.
    (3) ``How does [name of financial institution] collect my 
personal information?'' Institutions must use five (5) of the 
following terms to complete the bulleted list for this question: 
Open an account; deposit money; pay your bills; apply for a loan; 
use your credit or debit card; seek financial or tax advice; apply 
for insurance; pay insurance premiums; file an insurance claim; seek 
advice about your investments; buy securities from us; sell 
securities to us; direct us to buy securities; direct us to sell 
your securities; make deposits or withdrawals from your account; 
enter into an investment advisory contract; give us your income 
information; provide employment information; give us your employment 
history; tell us about your investment or retirement portfolio; tell 
us about your investment or retirement earnings; apply for 
financing; apply for a lease; provide account information; give us 
your contact information; pay us by check; give us your wage 
statements; provide your mortgage information; make a wire transfer; 
tell us who receives the money; tell us where to send the money; 
show your government-issued ID; show your driver's license; order a 
commodity futures or option trade. Institutions that collect 
personal information from their affiliates and/or credit bureaus 
must include after the bulleted list the following statement: ``We 
also collect your personal information from others, such as credit 
bureaus, affiliates, or other companies.'' Institutions that do not 
collect personal information from their affiliates or credit bureaus 
but do collect information from other companies must include the 
following statement instead: ``We also collect your personal 
information from other companies.'' Only institutions that do not 
collect any personal information from affiliates, credit bureaus, or 
other companies can omit both statements.
    (4) ``Why can't I limit all sharing?'' Institutions that 
describe state privacy law provisions in the ``Other important 
information'' box must use the bracketed sentence: ``See below for 
more on your rights under state law.'' Other institutions must omit 
this sentence.
    (5) ``What happens when I limit sharing for an account I hold 
jointly with someone else?'' Only financial institutions that 
provide opt-out options must use this question. Other institutions 
must omit this question. Institutions must choose one of the 
following two statements to respond to this question: ``Your choices 
will apply to everyone on your account.'' or ``Your choices will 
apply to everyone on your account-unless you tell us otherwise.'' 
Financial institutions that provide insurance products or services 
and elect to use the model form may substitute the word ``policy'' 
for ``account'' in these statements.
    (b) General Instructions for the Definitions.
    The financial institution must customize the space below the 
responses to the three definitions in this section. This specific 
information must be in italicized lettering to set off the 
information from the standardized definitions.
    (1) Affiliates. As required by Sec.  332.6(a)(3) of this part, 
where [affiliate information] appears, the financial institution 
must:
    (i) If it has no affiliates, state: ``[name of financial 
institution] has no affiliates'';
    (ii) If it has affiliates but does not share personal 
information, state: ``[name of financial institution] does not share 
with our affiliates''; or
    (iii) If it shares with its affiliates, state, as applicable: 
``Our affiliates include companies with a [common corporate identity 
of financial institution] name; financial companies such as [insert 
illustrative list of companies]; nonfinancial companies, such as 
[insert illustrative list of companies]; and others, such as [insert 
illustrative list].''
    (2) Nonaffiliates. As required by Sec.  332.6(c)(3) of this 
part, where [nonaffiliate information] appears, the financial 
institution must:
    (i) If it does not share with nonaffiliated third parties, 
state: ``[name of financial institution] does not share with 
nonaffiliates so they can market to you''; or
    (ii) If it shares with nonaffiliated third parties, state, as 
applicable: ``Nonaffiliates we share with can include [list 
categories of companies such as mortgage companies, insurance 
companies, direct marketing companies, and nonprofit 
organizations].''
    (3) Joint Marketing. As required by Sec.  332.13 of this part, 
where [joint marketing] appears, the financial institution must:
    (i) If it does not engage in joint marketing, state: ``[name of 
financial institution] doesn't jointly market''; or
    (ii) If it shares personal information for joint marketing, 
state, as applicable: ``Our joint marketing partners include [list 
categories of companies such as credit card companies].''
    (c) General instructions for the ``Other important information'' 
box. This box is optional. The space provided for information in 
this box is not limited. Only the following types of information can 
appear in this box.
    (1) State and/or international privacy law information; and/or
    (2) Acknowledgment of receipt form.


0
21. Amend newly redesignated Appendix B to part 332 as follows:
0
A. Add a new sentence to the beginning of the introductory text as set 
forth below.
0
B. Effective January 1, 2012, remove Appendix B to part 332.

Appendix B to Part 332--Sample Clauses

    This Appendix only applies to privacy notices provided before 
January 1, 2011.
* * * * *

DEPARTMENT OF THE TREASURY

Office of Thrift Supervision

12 CFR Chapter V

Authority and Issuance

0
For the reasons set forth in the joint preamble, part 573 of chapter V 
of title 12 of the Code of Federal Regulations is amended as follows:

PART 573--PRIVACY OF CONSUMER FINANCIAL INFORMATION

0
22. The authority citation for part 573 continues to read as follows:

    Authority:  12 U.S.C. 1462a, 1463, 1464, 1828; 15 U.S.C. 6801 et 
seq.

0
23. Revise Sec.  573.2 to read as follows:


Sec.  573.2  Model privacy form and examples.

    (a) Model privacy form. Use of the model privacy form in Appendix A 
of this part, consistent with the instructions in Appendix A, 
constitutes compliance with the notice content requirements of 
Sec. Sec.  573.6 and 573.7 of this part, although use of the model 
privacy form is not required.
    (b) Examples. The examples in this part are not exclusive. 
Compliance with an example, to the extent applicable, constitutes 
compliance with this part.

0
24. In Sec.  573.6:
0
A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set 
forth below.
0
B. Effective January 1, 2012, remove paragraph (g).


Sec.  573.6  Information to be included in privacy notices.

* * * * *
    (b) Description of nonaffiliated third parties subject to 
exceptions. If you disclose nonpublic personal information to third 
parties as authorized under Sec. Sec.  573.14 and 573.15, you are not 
required to list those exceptions in the initial or annual privacy 
notices required by Sec. Sec.  573.4 and 573.5. When describing the 
categories with respect to those parties, it is sufficient to state 
that you make disclosures to other nonaffiliated companies:
    (1) For your everyday business purposes, such as [include all that 
apply] to process transactions, maintain account(s), respond to court 
orders and legal investigations, or report to credit bureaus; or
    (2) As permitted by law.
* * * * *

[[Page 62946]]

    (f) Model privacy form. Pursuant to Sec.  573.2(a) of this part, a 
model privacy form that meets the notice content requirements of this 
section is included in Appendix A of this part.
    (g) Sample clauses. Sample clauses illustrating some of the notice 
content required by this section are included in Appendix B of this 
part. Use of a sample clause in a privacy notice provided on or before 
December 31, 2010, to the extent applicable, constitutes compliance 
with this part.


0
25. In Sec.  573.7, add paragraph (i) to read as follows:


Sec.  573.7  Form of opt-out notice to consumers; opt-out methods.

* * * * *
    (i) Model privacy form. Pursuant to Sec.  573.2(a) of this part, a 
model privacy form that meets the notice content requirements of this 
section is included in Appendix A of this part.

Appendix A [Redesignated as Appendix B]


0
26. Redesignate Appendix A to part 573 as Appendix B to part 573.
0
27. Add new Appendix A to part 573 to read as follows:

Appendix A to Part 573--Model Privacy Form

A. The Model Privacy Form

BILLING CODE 6750-01-P 12.5%, 6351-01-P 12.5%, 6720-01-P 12.5%, 6714-
01-P 12.5%, 4810-01-P 12.5%, 6210-01-P 12.5%, 8011-01-P 12.5%, 7535-01-
P 12.5%

[[Page 62947]]

[GRAPHIC] [TIFF OMITTED] TR01DE09.021


[[Page 62948]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.022


[[Page 62949]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.023


[[Page 62950]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.024


[[Page 62951]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.025


[[Page 62952]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.026


[[Page 62953]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.027

BILLING CODE 6750-01-C 12.5%, 6351-01-C 12.5%, 6720-01-C 12.5%, 6714-
01-C 12.5%, 4810-01-C 12.5%, 6210-01-C 12.5%, 8011-01-C 12.5%, 7535-01-
C 12.5%

B. General Instructions

1. How the Model Privacy Form Is Used

    (a) The model form may be used, at the option of a financial 
institution, including a group of financial institutions that use a 
common privacy notice, to meet the content requirements of the 
privacy notice and opt-out notice set forth in Sec. Sec.  573.6 and 
573.7 of this part.
    (b) The model form is a standardized form, including page 
layout, content, format, style, pagination, and shading. 
Institutions seeking to obtain the safe harbor through use of the 
model form may modify it only as described in these Instructions.
    (c) Note that disclosure of certain information, such as assets, 
income, and information from a consumer reporting agency, may give 
rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 
1681-1681x] (FCRA), such as a requirement to permit a consumer to 
opt out of disclosures to affiliates or designation as a consumer 
reporting agency if disclosures are made to nonaffiliated third 
parties.
    (d) The word ``customer'' may be replaced by the word ``member'' 
whenever it appears in the model form, as appropriate.

2. The Contents of the Model Privacy Form

    The model form consists of two pages, which may be printed on 
both sides of a single sheet of paper, or may appear on two separate 
pages. Where an institution provides a long list of institutions at 
the end of the model form in accordance with Instruction C.3(a)(1), 
or provides additional information in accordance with Instruction 
C.3(c), and such list or additional information exceeds the space 
available on page two of the model form, such list or additional 
information may extend to a third page.
    (a) Page One. The first page consists of the following 
components:
    (1) Date last revised (upper right-hand corner).
    (2) Title.
    (3) Key frame (Why?, What?, How?).
    (4) Disclosure table (``Reasons we can share your personal 
information'').
    (5) ``To limit our sharing'' box, as needed, for the financial 
institution's opt-out information.
    (6) ``Questions'' box, for customer service contact information.
    (7) Mail-in opt-out form, as needed.
    (b) Page Two. The second page consists of the following 
components:
    (1) Heading (Page 2).
    (2) Frequently Asked Questions (``Who we are'' and ``What we 
do'').
    (3) Definitions.
    (4) ``Other important information'' box, as needed.

3. The Format of the Model Privacy Form

    The format of the model form may be modified only as described 
below.
    (a) Easily readable type font. Financial institutions that use 
the model form must use an easily readable type font. While a number 
of factors together produce easily readable type font, institutions 
are required to use a minimum of 10-point font (unless otherwise 
expressly permitted in these Instructions) and sufficient spacing 
between the lines of type.
    (b) Logo. A financial institution may include a corporate logo 
on any page of the notice, so long as it does not interfere with the 
readability of the model form or the space constraints of each page.
    (c) Page size and orientation. Each page of the model form must 
be printed on paper in portrait orientation, the size of which must 
be sufficient to meet the layout and minimum font size requirements, 
with sufficient white space on the top, bottom, and sides of the 
content.
    (d) Color. The model form must be printed on white or light 
color paper (such as cream) with black or other contrasting ink 
color. Spot color may be used to achieve visual interest, so long as 
the color contrast is distinctive and the color does not detract 
from the readability of the model form. Logos may also be printed in 
color.
    (e) Languages. The model form may be translated into languages 
other than English.

C. Information Required in the Model Privacy Form

    The information in the model form may be modified only as 
described below:

1. Name of the Institution or Group of Affiliated Institutions 
Providing the Notice

    Insert the name of the financial institution providing the 
notice or a common identity of affiliated institutions jointly 
providing the notice on the form wherever [name of financial 
institution] appears.

2. Page One

    (a) Last revised date. The financial institution must insert in 
the upper right-hand corner the date on which the notice was last 
revised. The information shall appear in minimum 8-point font as 
``rev. [month/year]'' using either the name or number of the month, 
such as ``rev. July 2009'' or ``rev. 7/09''.
    (b) General instructions for the ``What?'' box.
    (1) The bulleted list identifies the types of personal 
information that the institution collects and shares. All 
institutions must use the term ``Social Security number'' in the 
first bullet.
    (2) Institutions must use five (5) of the following terms to 
complete the bulleted list: Income; account balances; payment 
history; transaction history; transaction or loss history; credit 
history; credit scores; assets; investment experience; credit-based 
insurance scores; insurance claim history; medical information; 
overdraft history; purchase history; account transactions; risk 
tolerance; medical-related debts; credit card or other debt; 
mortgage rates and payments; retirement assets; checking account 
information; employment information; wire transfer instructions.
    (c) General instructions for the disclosure table. The left 
column lists reasons for

[[Page 62954]]

sharing or using personal information. Each reason correlates to a 
specific legal provision described in paragraph C.2(d) of this 
Instruction. In the middle column, each institution must provide a 
``Yes'' or ``No'' response that accurately reflects its information 
sharing policies and practices with respect to the reason listed on 
the left. In the right column, each institution must provide in each 
box one of the following three (3) responses, as applicable, that 
reflects whether a consumer can limit such sharing: ``Yes'' if it is 
required to or voluntarily provides an opt-out; ``No'' if it does 
not provide an opt-out; or ``We don't share'' if it answers ``No'' 
in the middle column. Only the sixth row (``For our affiliates to 
market to you'') may be omitted at the option of the institution. 
See paragraph C.2(d)(6) of this Instruction.
    (d) Specific disclosures and corresponding legal provisions.
    (1) For our everyday business purposes. This reason incorporates 
sharing information under Sec. Sec.  573.14 and 573.15 and with 
service providers pursuant to Sec.  573.13 of this part other than 
the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these 
Instructions.
    (2) For our marketing purposes. This reason incorporates sharing 
information with service providers by an institution for its own 
marketing pursuant to Sec.  573.13 of this part. An institution that 
shares for this reason may choose to provide an opt-out.
    (3) For joint marketing with other financial companies. This 
reason incorporates sharing information under joint marketing 
agreements between two or more financial institutions and with any 
service provider used in connection with such agreements pursuant to 
Sec.  573.13 of this part. An institution that shares for this 
reason may choose to provide an opt-out.
    (4) For our affiliates' everyday business purposes--information 
about transactions and experiences. This reason incorporates sharing 
information specified in sections 603(d)(2)(A)(i) and (ii) of the 
FCRA. An institution that shares for this reason may choose to 
provide an opt-out.
    (5) For our affiliates' everyday business purposes--information 
about creditworthiness. This reason incorporates sharing information 
pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution 
that shares for this reason must provide an opt-out.
    (6) For our affiliates to market to you. This reason 
incorporates sharing information specified in section 624 of the 
FCRA. This reason may be omitted from the disclosure table when: The 
institution does not have affiliates (or does not disclose personal 
information to its affiliates); the institution's affiliates do not 
use personal information in a manner that requires an opt-out; or 
the institution provides the affiliate marketing notice separately. 
Institutions that include this reason must provide an opt-out of 
indefinite duration. An institution that is required to provide an 
affiliate marketing opt-out, but does not include that opt-out in 
the model form under this part, must comply with section 624 of the 
FCRA and 12 CFR part 571, subpart C, with respect to the initial 
notice and opt-out and any subsequent renewal notice and opt-out. An 
institution not required to provide an opt-out under this 
subparagraph may elect to include this reason in the model form.
    (7) For nonaffiliates to market to you. This reason incorporates 
sharing described in Sec. Sec.  573.7 and 573.10(a) of this part. An 
institution that shares personal information for this reason must 
provide an opt-out.
    (e) To limit our sharing: A financial institution must include 
this section of the model form only if it provides an opt-out. The 
word ``choice'' may be written in either the singular or plural, as 
appropriate. Institutions must select one or more of the applicable 
opt-out methods described: Telephone, such as by a toll-free number; 
a Web site; or use of a mail-in opt-out form. Institutions may 
include the words ``toll-free'' before telephone, as appropriate. An 
institution that allows consumers to opt out online must provide 
either a specific Web address that takes consumers directly to the 
opt-out page or a general Web address that provides a clear and 
conspicuous direct link to the opt-out page. The opt-out choices 
made available to the consumer who contacts the institution through 
these methods must correspond accurately to the ``Yes'' responses in 
the third column of the disclosure table. In the part titled 
``Please note,'' institutions may insert a number that is 30 or 
greater in the space marked ``[30].'' Instructions on voluntary or 
state privacy law opt-out information are in paragraph C.2(g)(5) of 
these Instructions.
    (f) Questions box. Customer service contact information must be 
inserted as appropriate, where [phone number] or [Web site] appear. 
Institutions may elect to provide either a phone number, such as a 
toll-free number, or a Web address, or both. Institutions may 
include the words ``toll-free'' before the telephone number, as 
appropriate.
    (g) Mail-in opt-out form. Financial institutions must include 
this mail-in form only if they state in the ``To limit our sharing'' 
box that consumers can opt out by mail. The mail-in form must 
provide opt-out options that correspond accurately to the ``Yes'' 
responses in the third column in the disclosure table. Institutions 
that require customers to provide only name and address may omit the 
section identified as ``[account ].'' Institutions that 
require additional or different information, such as a random opt-
out number or a truncated account number, to implement an opt-out 
election should modify the ``[account ]'' reference 
accordingly. This includes institutions that require customers with 
multiple accounts to identify each account to which the opt-out 
should apply. An institution must enter its opt-out mailing address: 
in the far right of this form (see version 3); or below the form 
(see version 4). The reverse side of the mail-in opt-out form must 
not include any content of the model form.
    (1) Joint accountholder. Only institutions that provide their 
joint accountholders the choice to opt out for only one 
accountholder, in accordance with paragraph C.3(a)(5) of these 
Instructions, must include in the far left column of the mail-in 
form the following statement: ``If you have a joint account, your 
choice(s) will apply to everyone on your account unless you mark 
below. [square] Apply my choice(s) only to me.'' The word ``choice'' 
may be written in either the singular or plural, as appropriate. 
Financial institutions that provide insurance products or services, 
provide this option, and elect to use the model form may substitute 
the word ``policy'' for ``account'' in this statement. Institutions 
that do not provide this option may eliminate this left column from 
the mail-in form.
    (2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution 
shares personal information pursuant to section 603(d)(2)(A)(iii) of 
the FCRA, it must include in the mail-in opt-out form the following 
statement: ``[square] Do not share information about my 
creditworthiness with your affiliates for their everyday business 
purposes.''
    (3) FCRA Section 624 opt-out. If the institution incorporates 
section 624 of the FCRA in accord with paragraph C.2(d)(6) of these 
Instructions, it must include in the mail-in opt-out form the 
following statement: ``[square] Do not allow your affiliates to use 
my personal information to market to me.''
    (4) Nonaffiliate opt-out. If the financial institution shares 
personal information pursuant to Sec.  573.10(a) of this part, it 
must include in the mail-in opt-out form the following statement: 
``[square] Do not share my personal information with nonaffiliates 
to market their products and services to me.''
    (5) Additional opt-outs. Financial institutions that use the 
disclosure table to provide opt-out options beyond those required by 
Federal law must provide those opt-outs in this section of the model 
form. A financial institution that chooses to offer an opt-out for 
its own marketing in the mail-in opt-out form must include one of 
the two following statements: ``[square] Do not share my personal 
information to market to me.'' or ``[square] Do not use my personal 
information to market to me.'' A financial institution that chooses 
to offer an opt-out for joint marketing must include the following 
statement: ``[square] Do not share my personal information with 
other financial institutions to jointly market to me.''
    (h) Barcodes. A financial institution may elect to include a 
barcode and/or ``tagline'' (an internal identifier) in 6-point font 
at the bottom of page one, as needed for information internal to the 
institution, so long as these do not interfere with the clarity or 
text of the form.

3. Page Two

    (a) General Instructions for the Questions. Certain of the 
Questions may be customized as follows:
    (1) ``Who is providing this notice?'' This question may be 
omitted where only one financial institution provides the model form 
and that institution is clearly identified in the title on page one. 
Two or more financial institutions that jointly provide the model 
form must use this question to identify themselves as required by 
Sec.  573.9(f) of this part. Where the list of institutions exceeds 
four (4) lines, the institution must describe in the response to 
this question the general types of institutions jointly providing 
the notice and must separately identify those institutions, in 
minimum 8-point font, directly following the ``Other important

[[Page 62955]]

information'' box, or, if that box is not included in the 
institution's form, directly following the ``Definitions.'' The list 
may appear in a multi-column format.
    (2) ``How does [name of financial institution] protect my 
personal information?'' The financial institution may only provide 
additional information pertaining to its safeguards practices 
following the designated response to this question. Such information 
may include information about the institution's use of cookies or 
other measures it uses to safeguard personal information. 
Institutions are limited to a maximum of 30 additional words.
    (3) ``How does [name of financial institution] collect my 
personal information?'' Institutions must use five (5) of the 
following terms to complete the bulleted list for this question: 
Open an account; deposit money; pay your bills; apply for a loan; 
use your credit or debit card; seek financial or tax advice; apply 
for insurance; pay insurance premiums; file an insurance claim; seek 
advice about your investments; buy securities from us; sell 
securities to us; direct us to buy securities; direct us to sell 
your securities; make deposits or withdrawals from your account; 
enter into an investment advisory contract; give us your income 
information; provide employment information; give us your employment 
history; tell us about your investment or retirement portfolio; tell 
us about your investment or retirement earnings; apply for 
financing; apply for a lease; provide account information; give us 
your contact information; pay us by check; give us your wage 
statements; provide your mortgage information; make a wire transfer; 
tell us who receives the money; tell us where to send the money; 
show your government-issued ID; show your driver's license; order a 
commodity futures or option trade. Institutions that collect 
personal information from their affiliates and/or credit bureaus 
must include after the bulleted list the following statement: ``We 
also collect your personal information from others, such as credit 
bureaus, affiliates, or other companies.'' Institutions that do not 
collect personal information from their affiliates or credit bureaus 
but do collect information from other companies must include the 
following statement instead: ``We also collect your personal 
information from other companies.'' Only institutions that do not 
collect any personal information from affiliates, credit bureaus, or 
other companies can omit both statements.
    (4) ``Why can't I limit all sharing?'' Institutions that 
describe state privacy law provisions in the ``Other important 
information'' box must use the bracketed sentence: ``See below for 
more on your rights under state law.'' Other institutions must omit 
this sentence.
    (5) ``What happens when I limit sharing for an account I hold 
jointly with someone else?'' Only financial institutions that 
provide opt-out options must use this question. Other institutions 
must omit this question. Institutions must choose one of the 
following two statements to respond to this question: ``Your choices 
will apply to everyone on your account.'' or ``Your choices will 
apply to everyone on your account--unless you tell us otherwise.'' 
Financial institutions that provide insurance products or services 
and elect to use the model form may substitute the word ``policy'' 
for ``account'' in these statements.
    (b) General Instructions for the Definitions.
    The financial institution must customize the space below the 
responses to the three definitions in this section. This specific 
information must be in italicized lettering to set off the 
information from the standardized definitions.
    (1) Affiliates. As required by Sec.  573.6(a)(3) of this part, 
where [affiliate information] appears, the financial institution 
must:
    (i) If it has no affiliates, state: ``[name of financial 
institution] has no affiliates;''
    (ii) If it has affiliates but does not share personal 
information, state: ``[name of financial institution] does not share 
with our affiliates''; or
    (iii) If it shares with its affiliates, state, as applicable: 
``Our affiliates include companies with a [common corporate identity 
of financial institution] name; financial companies such as [insert 
illustrative list of companies]; nonfinancial companies, such as 
[insert illustrative list of companies]; and others, such as [insert 
illustrative list].''
    (2) Nonaffiliates. As required by Sec.  573.6(c)(3) of this 
part, where [nonaffiliate information] appears, the financial 
institution must:
    (i) If it does not share with nonaffiliated third parties, 
state: ``[name of financial institution] does not share with 
nonaffiliates so they can market to you''; or
    (ii) If it shares with nonaffiliated third parties, state, as 
applicable: ``Nonaffiliates we share with can include [list 
categories of companies such as mortgage companies, insurance 
companies, direct marketing companies, and nonprofit 
organizations].''
    (3) Joint Marketing. As required by Sec.  573.13 of this part, 
where [joint marketing] appears, the financial institution must:
    (i) If it does not engage in joint marketing, state: ``[name of 
financial institution] doesn't jointly market''; or
    (ii) If it shares personal information for joint marketing, 
state, as applicable: ``Our joint marketing partners include [list 
categories of companies such as credit card companies].''
    (c) General instructions for the ``Other important information'' 
box. This box is optional. The space provided for information in 
this box is not limited. Only the following types of information can 
appear in this box.
    (1) State and/or international privacy law information; and/or
    (2) Acknowledgment of receipt form.


0
28. Amend newly redesignated Appendix B to part 573 as follows:
0
A. Add a new sentence to the beginning of the introductory text as set 
forth below.
0
B. Effective January 1, 2012, remove Appendix B to part 573.

Appendix B to Part 573--Sample Clauses

    This Appendix only applies to privacy notices provided before 
January 1, 2011. * * *
* * * * *

National Credit Union Administration

12 CFR Chapter V

Authority and Issuance

0
For the reasons set forth in the joint preamble, part 716 of chapter V 
of title 12 of the Code of Federal Regulations is amended as follows:

PART 716--PRIVACY OF CONSUMER FINANCIAL INFORMATION

0
29. The authority citation for part 716 continues to read as follows:

    Authority: 12 U.S.C. 1751 et seq.; 15 U.S.C. 6801 et seq.

0
30. Revise Sec.  716.2 to read as follows:


Sec.  716.2  Model privacy form and examples.

    (a) Model privacy form. Use of the model privacy form in Appendix A 
of this part, consistent with the instructions in Appendix A, 
constitutes compliance with the notice content requirements of 
Sec. Sec.  716.6 and 716.7 of this part, although use of the model 
privacy form is not required.
    (b) Examples. The examples in this part are not exclusive. 
Compliance with an example, to the extent applicable, constitutes 
compliance with this part.


0
31. In Sec.  716.6:
0
A. Revise the section heading and paragraph (b), and add paragraphs (f) 
and (g) to read as set forth below.
0
B. Effective January 1, 2012, remove paragraph (g).


Sec.  716.6  Information to be included in privacy notices.

* * * * *
    (b) Description of nonaffiliated third parties subject to 
exceptions. If you disclose nonpublic personal information to third 
parties as authorized under Sec. Sec.  716.14 and 716.15, you are not 
required to list those exceptions in the initial or annual privacy 
notices required by Sec. Sec.  716.4 and 716.5. When describing the 
categories with respect to those parties, it is sufficient to state 
that you make disclosures to other nonaffiliated companies:
    (1) For your everyday business purposes, such as [include all that 
apply] to process transactions, maintain account(s), respond to court 
orders and legal investigations, or report to credit bureaus; or
    (2) As permitted by law.
* * * * *

[[Page 62956]]

    (f) Model privacy form. Pursuant to Sec.  716.2(a) of this part, a 
model privacy form that meets the notice content requirements of this 
section is included in Appendix A of this part.
    (g) Sample clauses. Sample clauses illustrating some of the notice 
content required by this section are included in Appendix B of this 
part. Use of a sample clause in a privacy notice provided on or before 
December 31, 2010, to the extent applicable, constitutes compliance 
with this part.


0
32. In Sec.  716.7, add paragraph (i) to read as follows:


Sec.  716.7  Form of opt-out notice to consumers; opt-out methods.

* * * * *
    (i) Model privacy form. Pursuant to Sec.  716.2(a) of this part, a 
model privacy form that meets the notice content requirements of this 
section is included in Appendix A of this part.

Appendix A [Redesignated as Appendix B]


0
33. Redesignate Appendix A to part 716 as Appendix B to part 716.
0
34. Add new Appendix A to part 716 to read as follows:

Appendix A to Part 716--Model Privacy Form

A. The Model Privacy Form

BILLING CODE 6750-01-P 12.5%, 6351-01-P 12.5%, 6720-01-P 12.5%, 6714-
01-P 12.5%, 4810-33-P 12.5%, 6210-01-P 12.5%, 8011-01-P 12.5%, 7535-01-
P 12.5%;

[[Page 62957]]

[GRAPHIC] [TIFF OMITTED] TR01DE09.028


[[Page 62958]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.029


[[Page 62959]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.030


[[Page 62960]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.031


[[Page 62961]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.032


[[Page 62962]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.033


[[Page 62963]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.034

BILLING CODE 6750-01-C 12.5%, 6351-01-C 12.5%, 6720-01-C 12.5%, 6714-
01-C 12.5%, 4810-33-C 12.5%, 6210-01-C 12.5%, 8011-01-C 12.5%, 7535-01-
C 12.5%;

B. General Instructions

1. How the Model Privacy Form Is Used

    (a) The model form may be used, at the option of a financial 
institution, including a group of financial institutions that use a 
common privacy notice, to meet the content requirements of the 
privacy notice and opt-out notice set forth in Sec. Sec.  716.6 and 
716.7 of this part.
    (b) The model form is a standardized form, including page 
layout, content, format, style, pagination, and shading. 
Institutions seeking to obtain the safe harbor through use of the 
model form may modify it only as described in these Instructions.
    (c) Note that disclosure of certain information, such as assets, 
income, and information from a consumer reporting agency, may give 
rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 
1681--1681x] (FCRA), such as a requirement to permit a consumer to 
opt out of disclosures to affiliates or designation as a consumer 
reporting agency if disclosures are made to nonaffiliated third 
parties.
    (d) The word ``customer'' may be replaced by the word ``member'' 
whenever it appears in the model form, as appropriate.

2. The Contents of the Model Privacy Form

    The model form consists of two pages, which may be printed on 
both sides of a single sheet of paper, or may appear on two separate 
pages. Where an institution provides a long list of institutions at 
the end of the model form in accordance with Instruction C.3(a)(1), 
or provides additional information in accordance with Instruction 
C.3(c), and such list or additional information exceeds the space 
available on page two of the model form, such list or additional 
information may extend to a third page.
    (a) Page One. The first page consists of the following 
components:
    (1) Date last revised (upper right-hand corner).
    (2) Title.
    (3) Key frame (Why?, What?, How?).
    (4) Disclosure table (``Reasons we can share your personal 
information'').
    (5) ``To limit our sharing'' box, as needed, for the financial 
institution's opt-out information.
    (6) ``Questions'' box, for customer service contact information.
    (7) Mail-in opt-out form, as needed.
    (b) Page Two. The second page consists of the following 
components:
    (1) Heading (Page 2).
    (2) Frequently Asked Questions (``Who we are'' and ``What we 
do'').
    (3) Definitions.
    (4) ``Other important information'' box, as needed.

3. The Format of the Model Privacy Form

    The format of the model form may be modified only as described 
below.
    (a) Easily readable type font. Financial institutions that use 
the model form must use an easily readable type font. While a number 
of factors together produce easily readable type font, institutions 
are required to use a minimum of 10-point font (unless otherwise 
expressly permitted in these Instructions) and sufficient spacing 
between the lines of type.
    (b) Logo. A financial institution may include a corporate logo 
on any page of the notice, so long as it does not interfere with the 
readability of the model form or the space constraints of each page.
    (c) Page size and orientation. Each page of the model form must 
be printed on paper in portrait orientation, the size of which must 
be sufficient to meet the layout and minimum font size requirements, 
with sufficient white space on the top, bottom, and sides of the 
content.
    (d) Color. The model form must be printed on white or light 
color paper (such as cream) with black or other contrasting ink 
color. Spot color may be used to achieve visual interest, so long as 
the color contrast is distinctive and the color does not detract 
from the readability of the model form. Logos may also be printed in 
color.
    (e) Languages. The model form may be translated into languages 
other than English.

C. Information Required in the Model Privacy Form

    The information in the model form may be modified only as 
described below:

1. Name of the Institution or Group of Affiliated Institutions 
Providing the Notice

    Insert the name of the financial institution providing the 
notice or a common identity of affiliated institutions jointly 
providing the notice on the form wherever [name of financial 
institution] appears.

2. Page One

    (a) Last revised date. The financial institution must insert in 
the upper right-hand corner the date on which the notice was last 
revised. The information shall appear in minimum 8-point font as 
``rev. [month/year]'' using either the name or number of the month, 
such as ``rev. July 2009'' or ``rev. 7/09''.
    (b) General instructions for the ``What?'' box.
    (1) The bulleted list identifies the types of personal 
information that the institution collects and shares. All 
institutions must use the term ``Social Security number'' in the 
first bullet.
    (2) Institutions must use five (5) of the following terms to 
complete the bulleted list: income; account balances; payment 
history; transaction history; transaction or loss history; credit 
history; credit scores; assets; investment experience; credit-based 
insurance scores; insurance claim history; medical information; 
overdraft history; purchase history; account transactions; risk 
tolerance; medical-related debts; credit card or other debt; 
mortgage rates and payments; retirement assets; checking account 
information; employment information; wire transfer instructions.
    (c) General instructions for the disclosure table. The left 
column lists reasons for

[[Page 62964]]

sharing or using personal information. Each reason correlates to a 
specific legal provision described in paragraph C.2(d) of this 
Instruction. In the middle column, each institution must provide a 
``Yes'' or ``No'' response that accurately reflects its information 
sharing policies and practices with respect to the reason listed on 
the left. In the right column, each institution must provide in each 
box one of the following three (3) responses, as applicable, that 
reflects whether a consumer can limit such sharing: ``Yes'' if it is 
required to or voluntarily provides an opt-out; ``No'' if it does 
not provide an opt-out; or ``We don't share'' if it answers ``No'' 
in the middle column. Only the sixth row (``For our affiliates to 
market to you'') may be omitted at the option of the institution. 
See paragraph C.2(d)(6) of this Instruction.
    (d) Specific disclosures and corresponding legal provisions.
    (1) For our everyday business purposes. This reason incorporates 
sharing information under Sec. Sec.  716.14 and 716.15 and with 
service providers pursuant to Sec.  716.13 of this part other than 
the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these 
Instructions.
    (2) For our marketing purposes. This reason incorporates sharing 
information with service providers by an institution for its own 
marketing pursuant to Sec.  716.13 of this part. An institution that 
shares for this reason may choose to provide an opt-out.
    (3) For joint marketing with other financial companies. This 
reason incorporates sharing information under joint marketing 
agreements between two or more financial institutions and with any 
service provider used in connection with such agreements pursuant to 
Sec.  716.13 of this part. An institution that shares for this 
reason may choose to provide an opt-out.
    (4) For our affiliates' everyday business purposes--information 
about transactions and experiences. This reason incorporates sharing 
information specified in sections 603(d)(2)(A)(i) and (ii) of the 
FCRA. An institution that shares for this reason may choose to 
provide an opt-out.
    (5) For our affiliates' everyday business purposes--information 
about creditworthiness. This reason incorporates sharing information 
pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution 
that shares for this reason must provide an opt-out.
    (6) For our affiliates to market to you. This reason 
incorporates sharing information specified in section 624 of the 
FCRA. This reason may be omitted from the disclosure table when: the 
institution does not have affiliates (or does not disclose personal 
information to its affiliates); the institution's affiliates do not 
use personal information in a manner that requires an opt-out; or 
the institution provides the affiliate marketing notice separately. 
Institutions that include this reason must provide an opt-out of 
indefinite duration. An institution that is required to provide an 
affiliate marketing opt-out, but does not include that opt-out in 
the model form under this part, must comply with section 624 of the 
FCRA and 12 CFR part 717, subpart C, with respect to the initial 
notice and opt-out and any subsequent renewal notice and opt-out. An 
institution not required to provide an opt-out under this 
subparagraph may elect to include this reason in the model form.
    (7) For nonaffiliates to market to you. This reason incorporates 
sharing described in Sec. Sec.  716.7 and 716.10(a) of this part. An 
institution that shares personal information for this reason must 
provide an opt-out.
    (e) To limit our sharing: A financial institution must include 
this section of the model form only if it provides an opt-out. The 
word ``choice'' may be written in either the singular or plural, as 
appropriate. Institutions must select one or more of the applicable 
opt-out methods described: telephone, such as by a toll-free number; 
a Web site; or use of a mail-in opt-out form. Institutions may 
include the words ``toll-free'' before telephone, as appropriate. An 
institution that allows consumers to opt out online must provide 
either a specific Web address that takes consumers directly to the 
opt-out page or a general Web address that provides a clear and 
conspicuous direct link to the opt-out page. The opt-out choices 
made available to the consumer who contacts the institution through 
these methods must correspond accurately to the ``Yes'' responses in 
the third column of the disclosure table. In the part titled 
``Please note'' institutions may insert a number that is 30 or 
greater in the space marked ``[30].'' Instructions on voluntary or 
state privacy law opt-out information are in paragraph C.2(g)(5) of 
these Instructions.
    (f) Questions box. Customer service contact information must be 
inserted as appropriate, where [phone number] or [Web site] appear. 
Institutions may elect to provide either a phone number, such as a 
toll-free number, or a Web address, or both. Institutions may 
include the words ``toll-free'' before the telephone number, as 
appropriate.
    (g) Mail-in opt-out form. Financial institutions must include 
this mail-in form only if they state in the ``To limit our sharing'' 
box that consumers can opt out by mail. The mail-in form must 
provide opt-out options that correspond accurately to the ``Yes'' 
responses in the third column in the disclosure table. Institutions 
that require customers to provide only name and address may omit the 
section identified as ``[account ].'' Institutions that 
require additional or different information, such as a random opt-
out number or a truncated account number, to implement an opt-out 
election should modify the ``[account ]'' reference 
accordingly. This includes institutions that require customers with 
multiple accounts to identify each account to which the opt-out 
should apply. An institution must enter its opt-out mailing address: 
in the far right of this form (see version 3); or below the form 
(see version 4). The reverse side of the mail-in opt-out form must 
not include any content of the model form.
    (1) Joint accountholder. Only institutions that provide their 
joint accountholders the choice to opt out for only one 
accountholder, in accordance with paragraph C.3(a)(5) of these 
Instructions, must include in the far left column of the mail-in 
form the following statement: ``If you have a joint account, your 
choice(s) will apply to everyone on your account unless you mark 
below. [square] Apply my choice(s) only to me.'' The word ``choice'' 
may be written in either the singular or plural, as appropriate. 
Financial institutions that provide insurance products or services, 
provide this option, and elect to use the model form may substitute 
the word ``policy'' for ``account'' in this statement. Institutions 
that do not provide this option may eliminate this left column from 
the mail-in form.
    (2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution 
shares personal information pursuant to section 603(d)(2)(A)(iii) of 
the FCRA, it must include in the mail-in opt-out form the following 
statement: ``[square] Do not share information about my 
creditworthiness with your affiliates for their everyday business 
purposes.''
    (3) FCRA Section 624 opt-out. If the institution incorporates 
section 624 of the FCRA in accord with paragraph C.2(d)(6) of these 
Instructions, it must include in the mail-in opt-out form the 
following statement: ``[square] Do not allow your affiliates to use 
my personal information to market to me.''
    (4) Nonaffiliate opt-out. If the financial institution shares 
personal information pursuant to Sec.  716.10(a) of this part, it 
must include in the mail-in opt-out form the following statement: 
``[square] Do not share my personal information with nonaffiliates 
to market their products and services to me.''
    (5) Additional opt-outs. Financial institutions that use the 
disclosure table to provide opt-out options beyond those required by 
Federal law must provide those opt-outs in this section of the model 
form. A financial institution that chooses to offer an opt-out for 
its own marketing in the mail-in opt-out form must include one of 
the two following statements: ``[square] Do not share my personal 
information to market to me.'' or ``[square] Do not use my personal 
information to market to me.'' A financial institution that chooses 
to offer an opt-out for joint marketing must include the following 
statement: ``[square] Do not share my personal information with 
other financial institutions to jointly market to me.''
    (h) Barcodes. A financial institution may elect to include a 
barcode and/or ``tagline'' (an internal identifier) in 6-point font 
at the bottom of page one, as needed for information internal to the 
institution, so long as these do not interfere with the clarity or 
text of the form.

3. Page Two

    (a) General Instructions for the Questions. Certain of the 
Questions may be customized as follows:
    (1) ``Who is providing this notice?'' This question may be 
omitted where only one financial institution provides the model form 
and that institution is clearly identified in the title on page one. 
Two or more financial institutions that jointly provide the model 
form must use this question to identify themselves as required by 
Sec.  716.9(f) of this part. Where the list of institutions exceeds 
four (4) lines, the institution must describe in the response to 
this question the general types of institutions jointly providing 
the notice and must separately identify those institutions, in 
minimum 8-point font, directly following the ``Other important

[[Page 62965]]

information'' box, or, if that box is not included in the 
institution's form, directly following the ``Definitions.'' The list 
may appear in a multi-column format.
    (2) ``How does [name of financial institution] protect my 
personal information?'' The financial institution may only provide 
additional information pertaining to its safeguards practices 
following the designated response to this question. Such information 
may include information about the institution's use of cookies or 
other measures it uses to safeguard personal information. 
Institutions are limited to a maximum of 30 additional words.
    (3) ``How does [name of financial institution] collect my 
personal information?'' Institutions must use five (5) of the 
following terms to complete the bulleted list for this question: 
open an account; deposit money; pay your bills; apply for a loan; 
use your credit or debit card; seek financial or tax advice; apply 
for insurance; pay insurance premiums; file an insurance claim; seek 
advice about your investments; buy securities from us; sell 
securities to us; direct us to buy securities; direct us to sell 
your securities; make deposits or withdrawals from your account; 
enter into an investment advisory contract; give us your income 
information; provide employment information; give us your employment 
history; tell us about your investment or retirement portfolio; tell 
us about your investment or retirement earnings; apply for 
financing; apply for a lease; provide account information; give us 
your contact information; pay us by check; give us your wage 
statements; provide your mortgage information; make a wire transfer; 
tell us who receives the money; tell us where to send the money; 
show your government-issued ID; show your driver's license; order a 
commodity futures or option trade. Institutions that collect 
personal information from their affiliates and/or credit bureaus 
must include after the bulleted list the following statement: ``We 
also collect your personal information from others, such as credit 
bureaus, affiliates, or other companies.'' Institutions that do not 
collect personal information from their affiliates or credit bureaus 
but do collect information from other companies must include the 
following statement instead: ``We also collect your personal 
information from other companies.'' Only institutions that do not 
collect any personal information from affiliates, credit bureaus, or 
other companies can omit both statements.
    (4) ``Why can't I limit all sharing?'' Institutions that 
describe state privacy law provisions in the ``Other important 
information'' box must use the bracketed sentence: ``See below for 
more on your rights under state law.'' Other institutions must omit 
this sentence.
    (5) ``What happens when I limit sharing for an account I hold 
jointly with someone else?'' Only financial institutions that 
provide opt-out options must use this question. Other institutions 
must omit this question. Institutions must choose one of the 
following two statements to respond to this question: ``Your choices 
will apply to everyone on your account.'' or ``Your choices will 
apply to everyone on your account--unless you tell us otherwise.'' 
Financial institutions that provide insurance products or services 
and elect to use the model form may substitute the word ``policy'' 
for ``account'' in these statements.
    (b) General Instructions for the Definitions.
    The financial institution must customize the space below the 
responses to the three definitions in this section. This specific 
information must be in italicized lettering to set off the 
information from the standardized definitions.
    (1) Affiliates. As required by Sec.  716.6(a)(3) of this part, 
where [affiliate information] appears, the financial institution 
must:
    (i) If it has no affiliates, state: ``[name of financial 
institution] has no affiliates'';
    (ii) If it has affiliates but does not share personal 
information, state: ``[name of financial institution] does not share 
with our affiliates; or
    (iii) If it shares with its affiliates, state, as applicable: 
``Our affiliates include companies with a [common corporate identity 
of financial institution] name; financial companies such as [insert 
illustrative list of companies]; nonfinancial companies, such as 
[insert illustrative list of companies;] and others, such as [insert 
illustrative list].''
    (2) Nonaffiliates. As required by Sec.  716.6(c)(3) of this 
part, where [nonaffiliate information] appears, the financial 
institution must:
    (i) If it does not share with nonaffiliated third parties, 
state: ``[name of financial institution] does not share with 
nonaffiliates so they can market to you''; or
    (ii) If it shares with nonaffiliated third parties, state, as 
applicable: ``Nonaffiliates we share with can include [list 
categories of companies such as mortgage companies, insurance 
companies, direct marketing companies, and nonprofit 
organizations].''
    (3) Joint Marketing. As required by Sec.  716.13 of this part, 
where [joint marketing] appears, the financial institution must:
    (i) If it does not engage in joint marketing, state: ``[name of 
financial institution] doesn't jointly market ''; or
    (ii) If it shares personal information for joint marketing, 
state, as applicable: ``Our joint marketing partners include [list 
categories of companies such as credit card companies].''
    (c) General instructions for the ``Other important information'' 
box. This box is optional. The space provided for information in 
this box is not limited. Only the following types of information can 
appear in this box.
    (1) State and/or international privacy law information; and/or
    (2) Acknowledgment of receipt form.



0
35. Amend newly redesignated Appendix B to part 716 as follows:
0
A. Add a new sentence to the beginning of the introductory text as set 
forth below.
0
B. Effective January 1, 2012, remove Appendix B to part 716.

Appendix B to Part 716--Sample Clauses

    This Appendix only applies to privacy notices provided before 
January 1, 2011. * * *
* * * * *

Federal Trade Commission

16 CFR Chapter I

0
For the reasons set forth in the joint preamble, the Federal Trade 
Commission amends part 313 of chapter I of title 16 of the Code of 
Federal Regulations as follows:

PART 313--PRIVACY OF CONSUMER FINANCIAL INFORMATION

0
36. The authority citation for part 313 continues to read as follows:

    Authority: 15 U.S.C. 6801 et seq.


0
37. Revise Sec.  313.2 to read as follows:


Sec.  313.2  Model privacy form and examples.

    (a) Model privacy form. Use of the model privacy form in Appendix A 
of this part, consistent with the instructions in Appendix A, 
constitutes compliance with the notice content requirements of 
Sec. Sec.  313.6 and 313.7 of this part, although use of the model 
privacy form is not required.
    (b) Examples. The examples in this part are not exclusive. 
Compliance with an example, to the extent applicable, constitutes 
compliance with this part.

0
38. In Sec.  313.6:
0
A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set 
forth below.
0
B. Effective January 1, 2012, remove paragraph (g).


Sec.  313.6  Information to be included in privacy notices.

* * * * *
    (b) Description of nonaffiliated third parties subject to 
exceptions. If you disclose nonpublic personal information to third 
parties as authorized under Sec. Sec.  313.14 and 313.15, you are not 
required to list those exceptions in the initial or annual privacy 
notices required by Sec. Sec.  313.4 and 313.5. When describing the 
categories with respect to those parties, it is sufficient to state 
that you make disclosures to other nonaffiliated companies for your 
everyday business purposes, such as to process transactions, maintain 
account(s), respond to court orders and legal investigations, or report 
to credit bureaus.
* * * * *
    (f) Model privacy form. Pursuant to Sec.  313.2(a) of this part, a 
model privacy form that meets the notice content

[[Page 62966]]

requirements of this section is included in Appendix A of this part.
    (g) Sample clauses and description of nonaffiliated third parties 
subject to exceptions.
    (1) Sample clauses. Sample clauses illustrating some of the notice 
content required by this section are included in Appendix B of this 
part. Use of a sample clause in a privacy notice provided on or before 
December 31, 2010, to the extent applicable, constitutes compliance 
with this part.
    (2) Description of nonaffiliated third parties subject to 
exceptions. For a privacy notice provided on or before December 31, 
2010, if you disclose nonpublic personal information to third parties 
as authorized under Sec. Sec.  313.14 and 313.15, when describing the 
categories with respect to those parties, it is sufficient to state, as 
an alternative to the language in the second sentence of paragraph (b) 
of this section, that you make disclosures to other nonaffiliated third 
parties as permitted by law.


0
39. In Sec.  313.7, add paragraph (i) to read as follows:


Sec.  313.7  Form of opt-out notice to consumers; opt-out methods.

* * * * *
    (i) Model privacy form. Pursuant to Sec.  313.2(a) of this part, a 
model privacy form that meets the notice content requirements of this 
section is included in Appendix A of this part.

Appendix A [Redesignated as Appendix B]


0
40. Redesignate Appendix A to part 313 as Appendix B to part 313.
0
41. Add new Appendix A to part 313 to read as follows:

Appendix A to Part 313--Model Privacy Form

A. The Model Privacy Form

BILLING CODE 6750-01-P 12.5%, 6351-01-P 12.5%, 6720-01-P 12.5%, 6714-
01-P 12.5%, 4810-33-P 12.5%, 6210-01-P 12.5%, 8011-01-P 12.5%, 7535-01-
P 12.5%

[[Page 62967]]

[GRAPHIC] [TIFF OMITTED] TR01DE09.035


[[Page 62968]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.036


[[Page 62969]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.037


[[Page 62970]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.038


[[Page 62971]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.039


[[Page 62972]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.041

BILLING CODE 6750-01-C 12.5%, 6351-01-C 12.5%, 6720-01-C 12.5%, 6714-
01-C 12.5%, 4810-33-C 12.5%, 6210-01-C 12.5%, 8011-01-C 12.5%, 7535-01-
C 12.5%,

B. General Instructions

1. How the Model Privacy Form is Used

    (a) The model form may be used, at the option of a financial 
institution, including a group of financial institutions that use a 
common privacy notice, to meet the content requirements of the 
privacy notice and opt-out notice set forth in Sec. Sec.  313.6 and 
313.7 of this part.
    (b) The model form is a standardized form, including page 
layout, content, format, style, pagination, and shading. 
Institutions seeking to obtain the safe harbor through use of the 
model form may modify it only as described in these Instructions.
    (c) Note that disclosure of certain information, such as assets, 
income, and information from a consumer reporting agency, may give 
rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 
1681-1681x] (FCRA), such as a requirement to permit a consumer to 
opt out of disclosures to affiliates or designation as a consumer 
reporting agency if disclosures are made to nonaffiliated third 
parties.
    (d) The word ``customer'' may be replaced by the word ``member'' 
whenever it appears in the model form, as appropriate.

2. The Contents of the Model Privacy Form

    The model form consists of two pages, which may be printed on 
both sides of a single sheet of paper, or may appear on two separate 
pages. Where an institution provides a long list of institutions at 
the end of the model form in accordance with Instruction C.3(a)(1), 
or provides additional information in accordance with Instruction 
C.3(c), and such list or additional information exceeds the space 
available on page two of the model form, such list or additional 
information may extend to a third page.
    (a) Page One. The first page consists of the following 
components:
    (1) Date last revised (upper right-hand corner).
    (2) Title.
    (3) Key frame (Why?, What?, How?).
    (4) Disclosure table (``Reasons we can share your personal 
information'').
    (5) ``To limit our sharing'' box, as needed, for the financial 
institution's opt-out information.
    (6) ``Questions'' box, for customer service contact information.
    (7) Mail-in opt-out form, as needed.
    (b) Page Two. The second page consists of the following 
components:
    (1) Heading (Page 2).
    (2) Frequently Asked Questions (``Who we are'' and ``What we 
do'').
    (3) Definitions.
    (4) ``Other important information'' box, as needed.

3. The Format of the Model Privacy Form

    The format of the model form may be modified only as described 
below.
    (a) Easily readable type font. Financial institutions that use 
the model form must use an easily readable type font. While a number 
of factors together produce an easily readable type font, 
institutions are required to use a minimum of 10-point font (unless 
otherwise expressly permitted in these Instructions) and sufficient 
spacing between the lines of type.
    (b) Logo. A financial institution may include a corporate logo 
on any page of the notice, so long as it does not interfere with the 
readability of the model form or the space constraints of each page.
    (c) Page size and orientation. Each page of the model form must 
be printed on paper in portrait orientation, the size of which must 
be sufficient to meet the layout and minimum font size requirements, 
with sufficient white space on the top, bottom, and sides of the 
content.
    (d) Color. The model form must be printed on white or light 
color paper (such as cream) with black or other contrasting ink 
color. Spot color may be used to achieve visual interest, so long as 
the color contrast is distinctive and the color does not detract 
from the readability of the model form. Logos may also be printed in 
color.
    (e) Languages. The model form may be translated into languages 
other than English.

C. Information Required in the Model Privacy Form

    The information in the model form may be modified only as 
described below:

1. Name of the Institution or Group of Affiliated Institutions 
Providing the Notice

    Insert the name of the financial institution providing the 
notice or a common identity of affiliated institutions jointly 
providing the notice on the form wherever [name of financial 
institution] appears.

2. Page One

    (a) Last revised date. The financial institution must insert in 
the upper right-hand corner the date on which the notice was last 
revised. The information shall appear in minimum 8-point font as 
``rev. [month/year]'' using either the name or number of the month, 
such as ``rev. July 2009'' or ``rev. 7/09''.
    (b) General instructions for the ``What?'' box.
    (1) The bulleted list identifies the types of personal 
information that the institution collects and shares. All 
institutions must use the term ``Social Security number'' in the 
first bullet.
    (2) Institutions must use five (5) of the following terms to 
complete the bulleted list: income; account balances; payment 
history; transaction history; transaction or loss history; credit 
history; credit scores; assets; investment experience; credit-based 
insurance scores; insurance claim history; medical information; 
overdraft history; purchase history; account transactions; risk 
tolerance; medical-related debts; credit card or other debt; 
mortgage rates and payments; retirement assets; checking account 
information; employment information; wire transfer instructions.
    (c) General instructions for the disclosure table. The left 
column lists reasons for

[[Page 62973]]

sharing or using personal information. Each reason correlates to a 
specific legal provision described in paragraph C.2(d) of this 
Instruction. In the middle column, each institution must provide a 
``Yes'' or ``No'' response that accurately reflects its information 
sharing policies and practices with respect to the reason listed on 
the left. In the right column, each institution must provide in each 
box one of the following three (3) responses, as applicable, that 
reflects whether a consumer can limit such sharing: ``Yes'' if it is 
required to or voluntarily provides an opt-out; ``No'' if it does 
not provide an opt-out; or ``We don't share'' if it answers ``No'' 
in the middle column. Only the sixth row (``For our affiliates to 
market to you'') may be omitted at the option of the institution. 
See paragraph C.2(d)(6) of this Instruction.
    (d) Specific disclosures and corresponding legal provisions.
    (1) For our everyday business purposes. This reason incorporates 
sharing information under Sec. Sec.  313.14 and 313.15 and with 
service providers pursuant to Sec.  313.13 of this part other than 
the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these 
Instructions.
    (2) For our marketing purposes. This reason incorporates sharing 
information with service providers by an institution for its own 
marketing pursuant to Sec.  313.13 of this part. An institution that 
shares for this reason may choose to provide an opt-out.
    (3) For joint marketing with other financial companies. This 
reason incorporates sharing information under joint marketing 
agreements between two or more financial institutions and with any 
service provider used in connection with such agreements pursuant to 
Sec.  313.13 of this part. An institution that shares for this 
reason may choose to provide an opt-out.
    (4) For our affiliates' everyday business purposes--information 
about transactions and experiences. This reason incorporates sharing 
information specified in sections 603(d)(2)(A)(i) and (ii) of the 
FCRA. An institution that shares for this reason may choose to 
provide an opt-out.
    (5) For our affiliates' everyday business purposes--information 
about creditworthiness. This reason incorporates sharing information 
pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution 
that shares for this reason must provide an opt-out.
    (6) For our affiliates to market to you. This reason 
incorporates sharing information specified in section 624 of the 
FCRA. This reason may be omitted from the disclosure table when: the 
institution does not have affiliates (or does not disclose personal 
information to its affiliates); the institution's affiliates do not 
use personal information in a manner that requires an opt-out; or 
the institution provides the affiliate marketing notice separately. 
Institutions that include this reason must provide an opt-out of 
indefinite duration. An institution that is required to provide an 
affiliate marketing opt-out, but does not include that opt-out in 
the model form under this part, must comply with section 624 of the 
FCRA and 16 CFR parts 680 and 698 with respect to the initial notice 
and opt-out and any subsequent renewal notice and opt-out. An 
institution not required to provide an opt-out under this 
subparagraph may elect to include this reason in the model form.
    (7) For nonaffiliates to market to you. This reason incorporates 
sharing described in Sec. Sec.  313.7 and 313.10(a) of this part. An 
institution that shares personal information for this reason must 
provide an opt-out.
    (e) To limit our sharing: A financial institution must include 
this section of the model form only if it provides an opt-out. The 
word ``choice'' may be written in either the singular or plural, as 
appropriate. Institutions must select one or more of the applicable 
opt-out methods described: telephone, such as by a toll-free number; 
a Web site; or use of a mail-in opt-out form. Institutions may 
include the words ``toll-free'' before telephone, as appropriate. An 
institution that allows consumers to opt out online must provide 
either a specific Web address that takes consumers directly to the 
opt-out page or a general Web address that provides a clear and 
conspicuous direct link to the opt-out page. The opt-out choices 
made available to the consumer who contacts the institution through 
these methods must correspond accurately to the ``Yes'' responses in 
the third column of the disclosure table. In the part titled 
``Please note'' institutions may insert a number that is 30 or 
greater in the space marked ``[30].'' Instructions on voluntary or 
state privacy law opt-out information are in paragraph C.2(g)(5) of 
these Instructions.
    (f) Questions box. Customer service contact information must be 
inserted as appropriate, where [phone number] or [Web site] appear. 
Institutions may elect to provide either a phone number, such as a 
toll-free number, or a Web address, or both. Institutions may 
include the words ``toll-free'' before the telephone number, as 
appropriate.
    (g) Mail-in opt-out form. Financial institutions must include 
this mail-in form only if they state in the ``To limit our sharing'' 
box that consumers can opt out by mail. The mail-in form must 
provide opt-out options that correspond accurately to the ``Yes'' 
responses in the third column in the disclosure table. Institutions 
that require customers to provide only name and address may omit the 
section identified as ``[account ].'' Institutions that 
require additional or different information, such as a random opt-
out number or a truncated account number, to implement an opt-out 
election should modify the ``[account ]'' reference 
accordingly. This includes institutions that require customers with 
multiple accounts to identify each account to which the opt-out 
should apply. An institution must enter its opt-out mailing address: 
In the far right of this form (see version 3); or below the form 
(see version 4). The reverse side of the mail-in opt-out form must 
not include any content of the model form.
    (1) Joint accountholder. Only institutions that provide their 
joint accountholders the choice to opt out for only one 
accountholder, in accordance with paragraph C.3(a)(5) of these 
Instructions, must include in the far left column of the mail-in 
form the following statement: ``If you have a joint account, your 
choice(s) will apply to everyone on your account unless you mark 
below. [square] Apply my choice(s) only to me.'' The word ``choice'' 
may be written in either the singular or plural, as appropriate. 
Financial institutions that provide insurance products or services, 
provide this option, and elect to use the model form may substitute 
the word ``policy'' for ``account'' in this statement. Institutions 
that do not provide this option may eliminate this left column from 
the mail-in form.
    (2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution 
shares personal information pursuant to section 603(d)(2)(A)(iii) of 
the FCRA, it must include in the mail-in opt-out form the following 
statement: ``[square] Do not share information about my 
creditworthiness with your affiliates for their everyday business 
purposes.''
    (3) FCRA Section 624 opt-out. If the institution incorporates 
section 624 of the FCRA in accord with paragraph C.2(d)(6) of these 
Instructions, it must include in the mail-in opt-out form the 
following statement: ``[square] Do not allow your affiliates to use 
my personal information to market to me.''
    (4) Nonaffiliate opt-out. If the financial institution shares 
personal information pursuant to Sec.  313.10(a) of this part, it 
must include in the mail-in opt-out form the following statement: 
``[square] Do not share my personal information with nonaffiliates 
to market their products and services to me.''
    (5) Additional opt-outs. Financial institutions that use the 
disclosure table to provide opt-out options beyond those required by 
Federal law must provide those opt-outs in this section of the model 
form. A financial institution that chooses to offer an opt-out for 
its own marketing in the mail-in opt-out form must include one of 
the two following statements: ``[square] Do not share my personal 
information to market to me.'' or ``[square] Do not use my personal 
information to market to me.'' A financial institution that chooses 
to offer an opt-out for joint marketing must include the following 
statement: ``[square] Do not share my personal information with 
other financial institutions to jointly market to me.''
    (h) Barcodes. A financial institution may elect to include a 
barcode and/or ``tagline'' (an internal identifier) in 6-point font 
at the bottom of page one, as needed for information internal to the 
institution, so long as these do not interfere with the clarity or 
text of the form.

3. Page Two

    (a) General Instructions for the Questions. Certain of the 
Questions may be customized as follows:
    (1) ``Who is providing this notice?'' This question may be 
omitted where only one financial institution provides the model form 
and that institution is clearly identified in the title on page one. 
Two or more financial institutions that jointly provide the model 
form must use this question to identify themselves as required by 
Sec.  313.9(f) of this part. Where the list of institutions exceeds 
four (4) lines, the institution must describe in the response to 
this question the general types of institutions jointly providing 
the notice and must separately identify those institutions, in 
minimum 8-point font, directly following the ``Other important

[[Page 62974]]

information'' box, or, if that box is not included in the 
institution's form, directly following the ``Definitions.'' The list 
may appear in a multi-column format.
    (2) ``How does [name of financial institution] protect my 
personal information?'' The financial institution may only provide 
additional information pertaining to its safeguards practices 
following the designated response to this question. Such information 
may include information about the institution's use of cookies or 
other measures it uses to safeguard personal information. 
Institutions are limited to a maximum of 30 additional words.
    (3) ``How does [name of financial institution] collect my 
personal information?'' Institutions must use five (5) of the 
following terms to complete the bulleted list for this question: 
Open an account; deposit money; pay your bills; apply for a loan; 
use your credit or debit card; seek financial or tax advice; apply 
for insurance; pay insurance premiums; file an insurance claim; seek 
advice about your investments; buy securities from us; sell 
securities to us; direct us to buy securities; direct us to sell 
your securities; make deposits or withdrawals from your account; 
enter into an investment advisory contract; give us your income 
information; provide employment information; give us your employment 
history; tell us about your investment or retirement portfolio; tell 
us about your investment or retirement earnings; apply for 
financing; apply for a lease; provide account information; give us 
your contact information; pay us by check; give us your wage 
statements; provide your mortgage information; make a wire transfer; 
tell us who receives the money; tell us where to send the money; 
show your government-issued ID; show your driver's license; order a 
commodity futures or option trade. Institutions that collect 
personal information from their affiliates and/or credit bureaus 
must include after the bulleted list the following statement: ``We 
also collect your personal information from others, such as credit 
bureaus, affiliates, or other companies.'' Institutions that do not 
collect personal information from their affiliates or credit bureaus 
but do collect information from other companies must include the 
following statement instead: ``We also collect your personal 
information from other companies.'' Only institutions that do not 
collect any personal information from affiliates, credit bureaus, or 
other companies can omit both statements.
    (4) ``Why can't I limit all sharing?'' Institutions that 
describe state privacy law provisions in the ``Other important 
information'' box must use the bracketed sentence: ``See below for 
more on your rights under state law.'' Other institutions must omit 
this sentence.
    (5) ``What happens when I limit sharing for an account I hold 
jointly with someone else?'' Only financial institutions that 
provide opt-out options must use this question. Other institutions 
must omit this question. Institutions must choose one of the 
following two statements to respond to this question: ``Your choices 
will apply to everyone on your account.'' or ``Your choices will 
apply to everyone on your account--unless you tell us otherwise.'' 
Financial institutions that provide insurance products or services 
and elect to use the model form may substitute the word ``policy'' 
for ``account'' in these statements.
    (b) General Instructions for the Definitions.
    The financial institution must customize the space below the 
responses to the three definitions in this section. This specific 
information must be in italicized lettering to set off the 
information from the standardized definitions.
    (1) Affiliates. As required by Sec.  313.6(a)(3) of this part, 
where [affiliate information] appears, the financial institution 
must:
    (i) If it has no affiliates, state: ``[name of financial 
institution] has no affiliates'';
    (ii) If it has affiliates but does not share personal 
information, state: ``[name of financial institution] does not share 
with our affiliates''; or
    (iii) If it shares with its affiliates, state, as applicable: 
``Our affiliates include companies with a [common corporate identity 
of financial institution] name; financial companies such as [insert 
illustrative list of companies]; nonfinancial companies, such as 
[insert illustrative list of companies;] and others, such as [insert 
illustrative list].''
    (2) Nonaffiliates. As required by Sec.  313.6(c)(3) of this 
part, where [nonaffiliate information] appears, the financial 
institution must:
    (i) If it does not share with nonaffiliated third parties, 
state: ``[name of financial institution] does not share with 
nonaffiliates so they can market to you''; or
    (ii) If it shares with nonaffiliated third parties, state, as 
applicable: ``Nonaffiliates we share with can include [list 
categories of companies such as mortgage companies, insurance 
companies, direct marketing companies, and nonprofit 
organizations].''
    (3) Joint Marketing. As required by Sec.  313.13 of this part, 
where [joint marketing] appears, the financial institution must:
    (i) If it does not engage in joint marketing, state: ``[name of 
financial institution] doesn't jointly market''; or
    (ii) If it shares personal information for joint marketing, 
state, as applicable: ``Our joint marketing partners include [list 
categories of companies such as credit card companies].''
    (c) General instructions for the ``Other important information'' 
box. This box is optional. The space provided for information in 
this box is not limited. Only the following types of information can 
appear in this box.
    (1) State and/or international privacy law information; and/or
    (2) Acknowledgment of receipt form.


0
42. Amend newly redesignated Appendix B to part 313 as follows:
0
A. Add a new sentence to the beginning of the introductory text as set 
forth below.
0
B. Effective January 1, 2012, remove Appendix B to part 313.

Appendix B to Part 313--Sample Clauses

    This Appendix only applies to privacy notices provided before 
January 1, 2011. * * *
* * * * *

Commodity Futures Trading Commission

17 CFR Chapter I

Authority and Issuance


0
For the reasons set forth in the joint preamble, part 160 of chapter I 
of title 17 of the Code of Federal Regulations is amended as follows:

PART 160--PRIVACY OF CONSUMER FINANCIAL INFORMATION

0
43. The authority citation for part 160 continues to read as follows:

    Authority:  7 U.S.C. 7b-2 and 12a(5); 15 U.S.C. 6801 et seq.

0
44. Revise Sec.  160.2 to read as follows:


Sec.  160.2  Model privacy form and examples.

    (a) Model privacy form. Use of the model privacy form in Appendix A 
of this part, consistent with the instructions in Appendix A, 
constitutes compliance with the notice content requirements of 
Sec. Sec.  160.6 and 160.7 of this part, although use of the model 
privacy form is not required.
    (b) Examples. The examples in this part are not exclusive. 
Compliance with an example, to the extent applicable, constitutes 
compliance with this part.


0
45. In Sec.  160.6:
0
A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set 
forth below.
0
B. Effective January 1, 2012, remove paragraph (g).


Sec.  160.6  Information to be included in privacy notices.

* * * * *
    (b) Description of nonaffiliated third parties subject to 
exceptions. If you disclose nonpublic personal information to third 
parties as authorized under Sec. Sec.  160.14 and 160.15, you are not 
required to list those exceptions in the initial or annual privacy 
notices required by Sec. Sec.  160.4 and 160.5. When describing the 
categories with respect to those parties, it is sufficient to state 
that you make disclosures to other nonaffiliated companies:
    (1) For your everyday business purposes, such as [include all that 
apply] to process transactions, maintain account(s), respond to court 
orders and legal investigations, or report to credit bureaus; or

[[Page 62975]]

    (2) As permitted by law.
* * * * *
    (f) Model privacy form. Pursuant to Sec.  160.2(a) of this part, a 
model privacy form that meets the notice content requirements of this 
section is included in Appendix A of this part.
    (g) Sample clauses. Sample clauses illustrating some of the notice 
content required by this section are included in Appendix B of this 
part. Use of a sample clause in a privacy notice provided on or before 
December 31, 2010, to the extent applicable, constitutes compliance 
with this part.


0
46. In Sec.  160.7, add paragraph (i) to read as follows:


Sec.  160.7  Form of opt-out notice to consumers; opt-out methods.

* * * * *
    (i) Model privacy form. Pursuant to Sec.  160.2(a) of this part, a 
model privacy form that meets the notice content requirements of this 
section is included in Appendix A of this part.

Appendix A [Redesignated as Appendix B]

0
47. Redesignate Appendix A to part 160 as Appendix B to part 160.

0
48. Add new Appendix A to part 160 to read as follows:

Appendix A to Part 160--Model Privacy Form

A. The Model Privacy Form

BILLING CODE 6750-01-P 12.5%, 6351-01-P 12.5%, 6720-01-P 12.5%, 6714-
01-P 12.5%, 4810-33-P 12.5%, 6210-01-P 12.5%, 8011-01-P 12.5%, 7535-01-
P 12.5%,

[[Page 62976]]

[GRAPHIC] [TIFF OMITTED] TR01DE09.042


[[Page 62977]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.043


[[Page 62978]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.044


[[Page 62979]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.045


[[Page 62980]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.046


[[Page 62981]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.047


[[Page 62982]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.048

B. General Instructions

1. How the Model Privacy Form Is Used

    (a) The model form may be used, at the option of a financial 
institution, including a group of financial institutions that use a 
common privacy notice, to meet the content requirements of the 
privacy notice and opt-out notice set forth in Sec. Sec.  160.6 and 
160.7 of this part.
    (b) The model form is a standardized form, including page 
layout, content, format, style, pagination, and shading. 
Institutions seeking to obtain the safe harbor through use of the 
model form may modify it only as described in these Instructions.
    (c) Note that disclosure of certain information, such as assets, 
income, and information from a consumer reporting agency, may give 
rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 
1681-1681x] (FCRA), such as a requirement to permit a consumer to 
opt out of disclosures to affiliates or designation as a consumer 
reporting agency if disclosures are made to nonaffiliated third 
parties.
    (d) The word ``customer'' may be replaced by the word ``member'' 
whenever it appears in the model form, as appropriate.
BILLING CODE 6750-01-C12.5%, 6351-01-C12.5%, 6720-01-C12.5%, 6714-01-
C12.5%, 4810-33-C12.5%, 6210-01-C12.5%, 8011-01-C12.5%, 7535-01-C12.5%,

2. The Contents of the Model Privacy Form

    The model form consists of two pages, which may be printed on 
both sides of a single sheet of paper, or may appear on two separate 
pages. Where an institution provides a long list of institutions at 
the end of the model form in accordance with Instruction C.3(a)(1), 
or provides additional information in accordance with Instruction 
C.3(c), and such list or additional information exceeds the space 
available on page two of the model form, such list or additional 
information may extend to a third page.
    (a) Page One. The first page consists of the following 
components:
    (1) Date last revised (upper right-hand corner).
    (2) Title.
    (3) Key frame (Why?, What?, How?).
    (4) Disclosure table (``Reasons we can share your personal 
information'').
    (5) ``To limit our sharing'' box, as needed, for the financial 
institution's opt-out information.
    (6) ``Questions'' box, for customer service contact information.
    (7) Mail-in opt-out form, as needed.
    (b) Page Two. The second page consists of the following 
components:
    (1) Heading (Page 2).
    (2) Frequently Asked Questions (``Who we are'' and ``What we 
do'').
    (3) Definitions.
    (4) ``Other important information'' box, as needed.

3. The Format of the Model Privacy Form

    The format of the model form may be modified only as described 
below.
    (a) Easily readable type font. Financial institutions that use 
the model form must use an easily readable type font. While a number 
of factors together produce easily readable type font, institutions 
are required to use a minimum of 10-point font (unless otherwise 
expressly permitted in these Instructions) and sufficient spacing 
between the lines of type.
    (b) Logo. A financial institution may include a corporate logo 
on any page of the notice, so long as it does not interfere with the 
readability of the model form or the space constraints of each page.
    (c) Page size and orientation. Each page of the model form must 
be printed on paper in portrait orientation, the size of which must 
be sufficient to meet the layout and minimum font size requirements, 
with sufficient white space on the top, bottom, and sides of the 
content.
    (d) Color. The model form must be printed on white or light 
color paper (such as cream) with black or other contrasting ink 
color. Spot color may be used to achieve visual interest, so long as 
the color contrast is distinctive and the color does not detract 
from the readability of the model form. Logos may also be printed in 
color.
    (e) Languages. The model form may be translated into languages 
other than English.

C. Information Required in the Model Privacy Form

    The information in the model form may be modified only as 
described below:

1. Name of the Institution or Group of Affiliated Institutions 
Providing the Notice

    Insert the name of the financial institution providing the 
notice or a common identity of affiliated institutions jointly 
providing the notice on the form wherever [name of financial 
institution] appears.

2. Page One

    (a) Last revised date. The financial institution must insert in 
the upper right-hand corner the date on which the notice was last 
revised. The information shall appear in minimum 8-point font as 
``rev. [month/year]'' using either the name or number of the month, 
such as ``rev. July 2009'' or ``rev. 7/09''.
    (b) General instructions for the ``What?'' box.
    (1) The bulleted list identifies the types of personal 
information that the institution collects and shares. All 
institutions must use the term ``Social Security number'' in the 
first bullet.
    (2) Institutions must use five (5) of the following terms to 
complete the bulleted list: income; account balances; payment 
history; transaction history; transaction or loss history; credit 
history; credit scores; assets; investment experience; credit-based 
insurance scores; insurance claim history; medical information; 
overdraft history; purchase history; account transactions; risk 
tolerance; medical-related debts; credit card or other debt; 
mortgage rates and payments; retirement assets; checking account 
information; employment information; wire transfer instructions.
    (c) General instructions for the disclosure table. The left 
column lists reasons for

[[Page 62983]]

sharing or using personal information. Each reason correlates to a 
specific legal provision described in paragraph C.2(d) of this 
Instruction. In the middle column, each institution must provide a 
``Yes'' or ``No'' response that accurately reflects its information 
sharing policies and practices with respect to the reason listed on 
the left. In the right column, each institution must provide in each 
box one of the following three (3) responses, as applicable, that 
reflects whether a consumer can limit such sharing: ``Yes'' if it is 
required to or voluntarily provides an opt-out; ``No'' if it does 
not provide an opt-out; or ``We don't share'' if it answers ``No'' 
in the middle column. Only the sixth row (``For our affiliates to 
market to you'') may be omitted at the option of the institution. 
See paragraph C.2(d)(6) of this Instruction.
    (d) Specific disclosures and corresponding legal provisions.
    (1) For our everyday business purposes. This reason incorporates 
sharing information under Sec. Sec.  160.14 and 160.15 and with 
service providers pursuant to Sec.  160.13 of this part other than 
the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these 
Instructions.
    (2) For our marketing purposes. This reason incorporates sharing 
information with service providers by an institution for its own 
marketing pursuant to Sec.  160.13 of this part. An institution that 
shares for this reason may choose to provide an opt-out.
    (3) For joint marketing with other financial companies. This 
reason incorporates sharing information under joint marketing 
agreements between two or more financial institutions and with any 
service provider used in connection with such agreements pursuant to 
Sec.  160.13 of this part. An institution that shares for this 
reason may choose to provide an opt-out.
    (4) For our affiliates' everyday business purposes--information 
about transactions and experiences. This reason incorporates sharing 
information specified in sections 603(d)(2)(A)(i) and (ii) of the 
FCRA. An institution that shares for this reason may choose to 
provide an opt-out.
    (5) For our affiliates' everyday business purposes--information 
about creditworthiness. This reason incorporates sharing information 
pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution 
that shares for this reason must provide an opt-out.
    (6) For our affiliates to market to you. This reason 
incorporates sharing information specified in section 624 of the 
FCRA. This reason may be omitted from the disclosure table when: the 
institution does not have affiliates (or does not disclose personal 
information to its affiliates); the institution's affiliates do not 
use personal information in a manner that requires an opt-out; or 
the institution provides the affiliate marketing notice separately. 
Institutions that include this reason must provide an opt-out of 
indefinite duration. An institution not required to provide an opt-
out under this subparagraph may elect to include this reason in the 
model form. Note: The CFTC's Regulations do not address the 
affiliate marketing rule.
    (7) For nonaffiliates to market to you. This reason incorporates 
sharing described in Sec. Sec.  160.7 and 160.10(a) of this part. An 
institution that shares personal information for this reason must 
provide an opt-out.
    (e) To limit our sharing: A financial institution must include 
this section of the model form only if it provides an opt-out. The 
word ``choice'' may be written in either the singular or plural, as 
appropriate. Institutions must select one or more of the applicable 
opt-out methods described: telephone, such as by a toll-free number; 
a Website; or use of a mail-in opt-out form. Institutions may 
include the words ``toll-free'' before telephone, as appropriate. An 
institution that allows consumers to opt out online must provide 
either a specific Web address that takes consumers directly to the 
opt-out page or a general Web address that provides a clear and 
conspicuous direct link to the opt-out page. The opt-out choices 
made available to the consumer who contacts the institution through 
these methods must correspond accurately to the ``Yes'' responses in 
the third column of the disclosure table. In the part titled 
``Please note'' institutions may insert a number that is 30 or 
greater in the space marked ``[30].'' Instructions on voluntary or 
state privacy law opt-out information are in paragraph C.2(g)(5) of 
these Instructions.
    (f) Questions box. Customer service contact information must be 
inserted as appropriate, where [phone number] or [website] appear. 
Institutions may elect to provide either a phone number, such as a 
toll-free number, or a Web address, or both. Institutions may 
include the words ``toll-free'' before the telephone number, as 
appropriate.
    (g) Mail-in opt-out form. Financial institutions must include 
this mail-in form only if they state in the ``To limit our sharing'' 
box that consumers can opt out by mail. The mail-in form must 
provide opt-out options that correspond accurately to the ``Yes'' 
responses in the third column in the disclosure table. Institutions 
that require customers to provide only name and address may omit the 
section identified as ``[account ].'' Institutions that 
require additional or different information, such as a random opt-
out number or a truncated account number, to implement an opt-out 
election should modify the ``[account ]'' reference 
accordingly. This includes institutions that require customers with 
multiple accounts to identify each account to which the opt-out 
should apply. An institution must enter its opt-out mailing address: 
in the far right of this form (see version 3); or below the form 
(see version 4). The reverse side of the mail-in opt-out form must 
not include any content of the model form.
    (1) Joint accountholder. Only institutions that provide their 
joint accountholders the choice to opt out for only one 
accountholder, in accordance with paragraph C.3(a)(5) of these 
Instructions, must include in the far left column of the mail-in 
form the following statement: ``If you have a joint account, your 
choice(s) will apply to everyone on your account unless you mark 
below. [squ] Apply my choice(s) only to me.'' The word 
``choice'' may be written in either the singular or plural, as 
appropriate. Financial institutions that provide insurance products 
or services, provide this option, and elect to use the model form 
may substitute the word ``policy'' for ``account'' in this 
statement. Institutions that do not provide this option may 
eliminate this left column from the mail-in form.
    (2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution 
shares personal information pursuant to section 603(d)(2)(A)(iii) of 
the FCRA, it must include in the mail-in opt-out form the following 
statement: ``[squ] Do not share information about my 
creditworthiness with your affiliates for their everyday business 
purposes.''
    (3) FCRA Section 624 opt-out. If the institution incorporates 
section 624 of the FCRA in accord with paragraph C.2(d)(6) of these 
Instructions, it must include in the mail-in opt-out form the 
following statement: ``[squ] Do not allow your affiliates 
to use my personal information to market to me.''
    (4) Nonaffiliate opt-out. If the financial institution shares 
personal information pursuant to Sec.  160.10(a) of this part, it 
must include in the mail-in opt-out form the following statement: 
``[squ] Do not share my personal information with 
nonaffiliates to market their products and services to me.''
    (5) Additional opt-outs. Financial institutions that use the 
disclosure table to provide opt-out options beyond those required by 
Federal law must provide those opt-outs in this section of the model 
form. A financial institution that chooses to offer an opt-out for 
its own marketing in the mail-in opt-out form must include one of 
the two following statements: ``[squ] Do not share my 
personal information to market to me.'' or ``[squ] Do not 
use my personal information to market to me.'' A financial 
institution that chooses to offer an opt-out for joint marketing 
must include the following statement: ``[squ] Do not 
share my personal information with other financial institutions to 
jointly market to me.''
    (h) Barcodes. A financial institution may elect to include a 
barcode and/or ``tagline'' (an internal identifier) in 6-point font 
at the bottom of page one, as needed for information internal to the 
institution, so long as these do not interfere with the clarity or 
text of the form.

3. Page Two

    (a) General Instructions for the Questions. Certain of the 
Questions may be customized as follows:
    (1) ``Who is providing this notice?'' This question may be 
omitted where only one financial institution provides the model form 
and that institution is clearly identified in the title on page one. 
Two or more financial institutions that jointly provide the model 
form must use this question to identify themselves as required by 
Sec.  160.9(f) of this part. Where the list of institutions exceeds 
four (4) lines, the institution must describe in the response to 
this question the general types of institutions jointly providing 
the notice and must separately identify those institutions, in 
minimum 8-point font, directly following the ``Other important 
information'' box, or, if that box is not included in the 
institution's form, directly following the ``Definitions.'' The list 
may appear in a multi-column format.

[[Page 62984]]

    (2) ``How does [name of financial institution] protect my 
personal information?'' The financial institution may only provide 
additional information pertaining to its safeguards practices 
following the designated response to this question. Such information 
may include information about the institution's use of cookies or 
other measures it uses to safeguard personal information. 
Institutions are limited to a maximum of 30 additional words.
    (3) ``How does [name of financial institution] collect my 
personal information?'' Institutions must use five (5) of the 
following terms to complete the bulleted list for this question: 
Open an account; deposit money; pay your bills; apply for a loan; 
use your credit or debit card; seek financial or tax advice; apply 
for insurance; pay insurance premiums; file an insurance claim; seek 
advice about your investments; buy securities from us; sell 
securities to us; direct us to buy securities; direct us to sell 
your securities; make deposits or withdrawals from your account; 
enter into an investment advisory contract; give us your income 
information; provide employment information; give us your employment 
history; tell us about your investment or retirement portfolio; tell 
us about your investment or retirement earnings; apply for 
financing; apply for a lease; provide account information; give us 
your contact information; pay us by check; give us your wage 
statements; provide your mortgage information; make a wire transfer; 
tell us who receives the money; tell us where to send the money; 
show your government-issued ID; show your driver's license; order a 
commodity futures or option trade. Institutions that collect 
personal information from their affiliates and/or credit bureaus 
must include after the bulleted list the following statement: ``We 
also collect your personal information from others, such as credit 
bureaus, affiliates, or other companies.'' Institutions that do not 
collect personal information from their affiliates or credit bureaus 
but do collect information from other companies must include the 
following statement instead: ``We also collect your personal 
information from other companies.'' Only institutions that do not 
collect any personal information from affiliates, credit bureaus, or 
other companies can omit both statements.
    (4) ``Why can't I limit all sharing?'' Institutions that 
describe state privacy law provisions in the ``Other important 
information'' box must use the bracketed sentence: ``See below for 
more on your rights under state law.'' Other institutions must omit 
this sentence.
    (5) ``What happens when I limit sharing for an account I hold 
jointly with someone else?'' Only financial institutions that 
provide opt-out options must use this question. Other institutions 
must omit this question. Institutions must choose one of the 
following two statements to respond to this question: ``Your choices 
will apply to everyone on your account.'' or ``Your choices will 
apply to everyone on your account--unless you tell us otherwise.'' 
Financial institutions that provide insurance products or services 
and elect to use the model form may substitute the word ``policy'' 
for ``account'' in these statements.
    (b) General Instructions for the Definitions.
    The financial institution must customize the space below the 
responses to the three definitions in this section. This specific 
information must be in italicized lettering to set off the 
information from the standardized definitions.
    (1) Affiliates. As required by Sec.  160.6(a)(3) of this part, 
where [affiliate information] appears, the financial institution 
must:
    (i) If it has no affiliates, state: ``[name of financial 
institution] has no affiliates'';
    (ii) If it has affiliates but does not share personal 
information, state: ``[name of financial institution] does not share 
with our affiliates''; or
    (iii) If it shares with its affiliates, state, as applicable: 
``Our affiliates include companies with a [common corporate identity 
of financial institution] name; financial companies such as [insert 
illustrative list of companies]; nonfinancial companies, such as 
[insert illustrative list of companies]; and others, such as [insert 
illustrative list].''
    (2) Nonaffiliates. As required by Sec.  160.6(c)(3) of this 
part, where [nonaffiliate information] appears, the financial 
institution must:
    (i) If it does not share with nonaffiliated third parties, 
state: ``[name of financial institution] does not share with 
nonaffiliates so they can market to you''; or
    (ii) If it shares with nonaffiliated third parties, state, as 
applicable: ``Nonaffiliates we share with can include [list 
categories of companies such as mortgage companies, insurance 
companies, direct marketing companies, and nonprofit 
organizations].''
    (3) Joint Marketing. As required by Sec.  160.13 of this part, 
where [joint marketing] appears, the financial institution must:
    (i) If it does not engage in joint marketing, state: ``[name of 
financial institution] doesn't jointly market''; or
    (ii) If it shares personal information for joint marketing, 
state, as applicable: ``Our joint marketing partners include [list 
categories of companies such as credit card companies].''
    (c) General instructions for the ``Other important information'' 
box. This box is optional. The space provided for information in 
this box is not limited. Only the following types of information can 
appear in this box.
    (1) State and/or international privacy law information; and/or
    (2) Acknowledgment of receipt form.


0
49. Amend newly redesignated Appendix B to part 160 as follows:
0
A. Add a new sentence to the beginning of the introductory text as set 
forth below.
0
B. Effective January 1, 2012, remove Appendix B to part 160.

Appendix B to Part 160--Sample Clauses

    This Appendix only applies to privacy notices provided before 
January 1, 2011. * * *
* * * * *

Securities and Exchange Commission

Statutory Authority

0
The Commission is amending Regulation S-P pursuant to authority set 
forth in section 728 of the Regulatory Relief Act [Pub. L. 109-351], 
section 504 of the GLB Act [15 U.S.C. 6804], section 23 of the 
Securities Exchange Act [15 U.S.C. 78w], section 38(a) of the 
Investment Company Act [15 U.S.C. 80a-37(a)], and section 211 of the 
Investment Advisers Act [15 U.S.C. 80b-11].

Text of Amendments

0
For the reasons set forth in the preamble, the Commission is amending 
Title 17, Chapter II of the Code of Federal Regulations as follows:

PART 248--REGULATIONS S-P AND S-AM


0
50. The authority citation for part 248 continues to read as follows:

    Authority:  15 U.S.C. 78q, 78q-1, 78w, 78mm, 80a-30, 80a-37, 
80b-4, 80b-11, 1681s-3 and note, 1681w(a)(1), 6801-6809, and 6825.

0
51. Revise Sec.  248.2 to read as follows:


Sec.  248.2  Model privacy form: rule of construction.

    (a) Model privacy form. Use of the model privacy form in Appendix A 
to Subpart A of this part, consistent with the instructions in Appendix 
A to Subpart A, constitutes compliance with the notice content 
requirements of Sec. Sec.  248.6 and 248.7 of this part, although use 
of the model privacy form is not required.
    (b) Examples. The examples in this part provide guidance concerning 
the rule's application in ordinary circumstances. The facts and 
circumstances of each individual situation, however, will determine 
whether compliance with an example, to the extent practicable, 
constitutes compliance with this part.
    (c) Substituted compliance with CFTC financial privacy rules by 
futures commission merchants and introducing brokers. Except with 
respect to Sec.  248.30(b), any futures commission merchant or 
introducing broker (as those terms are defined in the Commodity 
Exchange Act (7 U.S.C. 1, et seq.)) registered by notice with the 
Commission for the purpose of conducting business in security futures 
products pursuant to section 15(b)(11)(A) of the Securities Exchange 
Act of 1934 (15 U.S.C. 78o(b)(11)(A)) that is subject to and in 
compliance with the financial privacy rules of the Commodity Futures 
Trading

[[Page 62985]]

Commission (17 CFR part 160) will be deemed to be in compliance with 
this part.

0
52. In Sec.  248.6:
0
A. Revise paragraphs (b) and (f), and add paragraph (g) to read as set 
forth below.
0
B. Effective January 1, 2012, remove paragraph (g).


Sec.  248.6  Information to be included in privacy notices.

* * * * *
    (b) Description of nonaffiliated third parties subject to 
exceptions. If you disclose nonpublic personal information to third 
parties as authorized under Sec. Sec.  248.14 and 248.15, you are not 
required to list those exceptions in the initial or annual privacy 
notices required by Sec. Sec.  248.4 and 248.5. When describing the 
categories with respect to those parties, it is sufficient to state 
that you make disclosures to other nonaffiliated companies:
    (1) For your everyday business purposes such as [include all that 
apply] to process transactions, maintain account(s), respond to court 
orders and legal investigations, or report to credit bureaus; or
    (2) As permitted by law.
* * * * *
    (f) Model privacy form. Pursuant to Sec.  248.2(a) and Appendix A 
to Subpart A of this part, Form S-P meets the notice content 
requirements of this section.
    (g) Sample clauses. Sample clauses illustrating some of the notice 
content required by this section are included in Appendix B to Subpart 
A of this part. The sample clauses in Appendix B to Subpart A of this 
part provide guidance concerning the rule's application in ordinary 
circumstances in a privacy notice provided on or before December 31, 
2010. The facts and circumstances of each individual situation, 
however, will determine whether compliance with a sample clause 
constitutes compliance with this part.
0
53. In Sec.  248.7, add paragraph (i) to read as follows:


Sec.  248.7  Form of opt-out notice to consumers; opt-out methods.

* * * * *
    (i) Model privacy form. Pursuant to Sec.  248.2(a) and Appendix A 
to Subpart A of this part, Form S-P meets the notice content 
requirements of this section.


0
54. Add Appendix A to Subpart A to read as follows:

Appendix A to Subpart A--Forms

    A. Any person may view and print this form at: http://www.sec.gov/about/forms/secforms.htm.
    B. Use of Form S-P by brokers, dealers, and investment 
companies, and investment advisers registered with the Commission 
constitutes compliance with the notice content requirements of 
Sec. Sec.  248.6 and 248.7 of this part.

FORM S-P--Model Privacy Form

A. The Model Privacy Form

BILLING CODE 6750-01-P 12.5%, 6351-01-P 12.5%, 6720-01-P 12.5%, 6714-
01-P 12.5%, 4810-33-P 12.5%, 6210-01-P 12.5%, 8011-01-P 12.5%, 7535-01-
P 12.5%,

[[Page 62986]]

[GRAPHIC] [TIFF OMITTED] TR01DE09.049


[[Page 62987]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.050


[[Page 62988]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.051


[[Page 62989]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.052


[[Page 62990]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.053


[[Page 62991]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.054


[[Page 62992]]


[GRAPHIC] [TIFF OMITTED] TR01DE09.055

BILLING CODE 6750-01-C 12.5%, 6351-01-C 12.5%, 6720-01-C 12.5%, 6714-
01-C 12.5%, 4810-33-C 12.5%, 6210-01-C 12.5%, 8011-01-C 12.5%, 7535-01-
C 12.5%,

B. General Instructions

1. How the Model Privacy Form is Used

    (a) The model form may be used, at the option of a financial 
institution, including a group of financial institutions that use a 
common privacy notice, to meet the content requirements of the 
privacy notice and opt-out notice set forth in Sec. Sec.  248.6 and 
248.7 of this part.
    (b) The model form is a standardized form, including page 
layout, content, format, style, pagination, and shading. 
Institutions seeking to obtain the safe harbor through use of the 
model form may modify it only as described in these instructions.
    (c) Note that disclosure of certain information, such as assets, 
income, and information from a consumer reporting agency, may give 
rise to obligations under the Fair Credit Reporting Act [15 U.S.C. 
1681-1681x] (FCRA), such as a requirement to permit a consumer to 
opt out of disclosures to affiliates or designation as a consumer 
reporting agency if disclosures are made to nonaffiliated third 
parties.
    (d) The word ``customer'' may be replaced by the word ``member'' 
whenever it appears in the model form, as appropriate.

2. The Contents of the Model Privacy Form

    The model form consists of two pages, which may be printed on 
both sides of a single sheet of paper, or may appear on two separate 
pages. Where an institution provides a long list of institutions at 
the end of the model form in accordance with Instruction C.3(a)(1), 
or provides additional information in accordance with Instruction 
C.3(c), and such list or additional information exceeds the space 
available on page two of the model form, such list or additional 
information may extend to a third page.
    (a) Page One. The first page consists of the following 
components:
    (1) Date last revised (upper right-hand corner).
    (2) Title.
    (3) Key frame (Why?, What?, How?).
    (4) Disclosure table (``Reasons we can share your personal 
information'').
    (5) ``To limit our sharing'' box, as needed, for the financial 
institution's opt-out information.
    (6) ``Questions'' box, for customer service contact information.
    (7) Mail-in opt-out form, as needed.
    (b) Page Two. The second page consists of the following 
components:
    (1) Heading (Page 2).
    (2) Frequently Asked Questions (``Who we are'' and ``What we 
do'').
    (3) Definitions.
    (4) ``Other important information'' box, as needed.

3. The Format of the Model Privacy Form

    The format of the model form may be modified only as described 
below.
    (a) Easily readable type font. Financial institutions that use 
the model form must use an easily readable type font. While a number 
of factors together produce easily readable type font, institutions 
are required to use a minimum of 10-point font (unless otherwise 
expressly permitted in these Instructions) and sufficient spacing 
between the lines of type.
    (b) Logo. A financial institution may include a corporate logo 
on any page of the notice, so long as it does not interfere with the 
readability of the model form or the space constraints of each page.
    (c) Page size and orientation. Each page of the model form must 
be printed on paper in portrait orientation, the size of which must 
be sufficient to meet the layout and minimum font size requirements, 
with sufficient white space on the top, bottom, and sides of the 
content.
    (d) Color. The model form must be printed on white or light 
color paper (such as cream) with black or other contrasting ink 
color. Spot color may be used to achieve visual interest, so long as 
the color contrast is distinctive and the color does not detract 
from the readability of the model form. Logos may also be printed in 
color.
    (e) Languages. The model form may be translated into languages 
other than English.

C. Information Required in the Model Privacy Form

    The information in the model form may be modified only as 
described below:

1. Name of the Institution or Group of Affiliated Institutions 
Providing the Notice

    Insert the name of the financial institution providing the 
notice or a common identity of affiliated institutions jointly 
providing the notice on the form wherever [name of financial 
institution] appears.

2. Page One

    (a) Last revised date. The financial institution must insert in 
the upper right-hand corner the date on which the notice was last 
revised. The information shall appear in minimum 8-point font as 
``rev. [month/year]'' using either the name or number of the month, 
such as ``rev. July 2009'' or ``rev. 7/09''.
    (b) General instructions for the ``What?'' box.
    (1) The bulleted list identifies the types of personal 
information that the institution collects and shares. All 
institutions must use the term ``Social Security number'' in the 
first bullet.
    (2) Institutions must use five (5) of the following terms to 
complete the bulleted list: income; account balances; payment 
history; transaction history; transaction or loss history; credit 
history; credit scores; assets; investment experience; credit-based 
insurance scores; insurance claim history; medical information; 
overdraft history; purchase history; account transactions; risk 
tolerance; medical-related debts; credit card or other debt; 
mortgage rates and payments; retirement assets; checking account 
information; employment information; wire transfer instructions.
    (c) General instructions for the disclosure table. The left 
column lists reasons for

[[Page 62993]]

sharing or using personal information. Each reason correlates to a 
specific legal provision described in paragraph C.2(d) of this 
Instruction. In the middle column, each institution must provide a 
``Yes'' or ``No'' response that accurately reflects its information 
sharing policies and practices with respect to the reason listed on 
the left. In the right column, each institution must provide in each 
box one of the following three (3) responses, as applicable, that 
reflects whether a consumer can limit such sharing: ``Yes'' if it is 
required to or voluntarily provides an opt-out; ``No'' if it does 
not provide an opt-out; or ``We don't share'' if it answers ``No'' 
in the middle column. Only the sixth row (``For our affiliates to 
market to you'') may be omitted at the option of the institution. 
See paragraph C.2(d)(6) of this Instruction.
    (d) Specific disclosures and corresponding legal provisions.
    (1) For our everyday business purposes. This reason incorporates 
sharing information under Sec. Sec.  248.14 and 248.15 and with 
service providers pursuant to Sec.  248.13 of this part other than 
the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these 
Instructions.
    (2) For our marketing purposes. This reason incorporates sharing 
information with service providers by an institution for its own 
marketing pursuant to Sec.  248.13 of this part. An institution that 
shares for this reason may choose to provide an opt-out.
    (3) For joint marketing with other financial companies. This 
reason incorporates sharing information under joint marketing 
agreements between two or more financial institutions and with any 
service provider used in connection with such agreements pursuant to 
Sec.  248.13 of this part. An institution that shares for this 
reason may choose to provide an opt-out.
    (4) For our affiliates' everyday business purposes--information 
about transactions and experiences. This reason incorporates sharing 
information specified in sections 603(d)(2)(A)(i) and (ii) of the 
FCRA. An institution that shares for this reason may choose to 
provide an opt-out.
    (5) For our affiliates' everyday business purposes--information 
about creditworthiness. This reason incorporates sharing information 
pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution 
that shares for this reason must provide an opt-out.
    (6) For our affiliates to market to you. This reason 
incorporates sharing information specified in section 624 of the 
FCRA. This reason may be omitted from the disclosure table when: the 
institution does not have affiliates (or does not disclose personal 
information to its affiliates); the institution's affiliates do not 
use personal information in a manner that requires an opt-out; or 
the institution provides the affiliate marketing notice separately. 
Institutions that include this reason must provide an opt-out of 
indefinite duration. An institution that is required to provide an 
affiliate marketing opt-out, but does not include that opt-out in 
the model form under this part, must comply with section 624 of the 
FCRA and 17 CFR part 248, subpart B, with respect to the initial 
notice and opt-out and any subsequent renewal notice and opt-out. An 
institution not required to provide an opt-out under this 
subparagraph may elect to include this reason in the model form.
    (7) For nonaffiliates to market to you. This reason incorporates 
sharing described in Sec. Sec.  248.7 and 248.10(a) of this part. An 
institution that shares personal information for this reason must 
provide an opt-out.
    (e) To limit our sharing: A financial institution must include 
this section of the model form only if it provides an opt-out. The 
word ``choice'' may be written in either the singular or plural, as 
appropriate. Institutions must select one or more of the applicable 
opt-out methods described: telephone, such as by a toll-free number; 
a Web site; or use of a mail-in opt-out form. Institutions may 
include the words ``toll-free'' before telephone, as appropriate. An 
institution that allows consumers to opt out online must provide 
either a specific Web address that takes consumers directly to the 
opt-out page or a general Web address that provides a clear and 
conspicuous direct link to the opt-out page. The opt-out choices 
made available to the consumer who contacts the institution through 
these methods must correspond accurately to the ``Yes'' responses in 
the third column of the disclosure table. In the part titled 
``Please note'' institutions may insert a number that is 30 or 
greater in the space marked ``[30].'' Instructions on voluntary or 
state privacy law opt-out information are in paragraph C.2(g)(5) of 
these Instructions.
    (f) Questions box. Customer service contact information must be 
inserted as appropriate, where [phone number] or [Web site] appear. 
Institutions may elect to provide either a phone number, such as a 
toll-free number, or a Web address, or both. Institutions may 
include the words ``toll-free'' before the telephone number, as 
appropriate.
    (g) Mail-in opt-out form. Financial institutions must include 
this mail-in form only if they state in the ``To limit our sharing'' 
box that consumers can opt out by mail. The mail-in form must 
provide opt-out options that correspond accurately to the ``Yes'' 
responses in the third column in the disclosure table. Institutions 
that require customers to provide only name and address may omit the 
section identified as ``[account ].'' Institutions that 
require additional or different information, such as a random opt-
out number or a truncated account number, to implement an opt-out 
election should modify the ``[account ]'' reference 
accordingly. This includes institutions that require customers with 
multiple accounts to identify each account to which the opt-out 
should apply. An institution must enter its opt-out mailing address: 
in the far right of this form (see version 3); or below the form 
(see version 4). The reverse side of the mail-in opt-out form must 
not include any content of the model form.
    (1) Joint accountholder. Only institutions that provide their 
joint accountholders the choice to opt out for only one 
accountholder, in accordance with paragraph C.3(a)(5) of these 
Instructions, must include in the far left column of the mail-in 
form the following statement: ``If you have a joint account, your 
choice(s) will apply to everyone on your account unless you mark 
below. [square] Apply my choice(s) only to me.'' The word ``choice'' 
may be written in either the singular or plural, as appropriate. 
Financial institutions that provide insurance products or services, 
provide this option, and elect to use the model form may substitute 
the word ``policy'' for ``account'' in this statement. Institutions 
that do not provide this option may eliminate this left column from 
the mail-in form.
    (2) FCRA Section 603(d)(2)(A)(iii) opt-out. If the institution 
shares personal information pursuant to section 603(d)(2)(A)(iii) of 
the FCRA, it must include in the mail-in opt-out form the following 
statement: ``[square] Do not share information about my 
creditworthiness with your affiliates for their everyday business 
purposes.''
    (3) FCRA Section 624 opt-out. If the institution incorporates 
section 624 of the FCRA in accord with paragraph C.2(d)(6) of these 
Instructions, it must include in the mail-in opt-out form the 
following statement: ``[square] Do not allow your affiliates to use 
my personal information to market to me.''
    (4) Nonaffiliate opt-out. If the financial institution shares 
personal information pursuant to Sec.  248.10(a) of this part, it 
must include in the mail-in opt-out form the following statement: 
``[square] Do not share my personal information with nonaffiliates 
to market their products and services to me.''
    (5) Additional opt-outs. Financial institutions that use the 
disclosure table to provide opt-out options beyond those required by 
Federal law must provide those opt-outs in this section of the model 
form. A financial institution that chooses to offer an opt-out for 
its own marketing in the mail-in opt-out form must include one of 
the two following statements: ``[square] Do not share my personal 
information to market to me.'' or ``[square] Do not use my personal 
information to market to me.'' A financial institution that chooses 
to offer an opt-out for joint marketing must include the following 
statement: ``[square] Do not share my personal information with 
other financial institutions to jointly market to me.''
    (h) Barcodes. A financial institution may elect to include a 
barcode and/or ``tagline'' (an internal identifier) in 6-point font 
at the bottom of page one, as needed for information internal to the 
institution, so long as these do not interfere with the clarity or 
text of the form.

3. Page Two

    (a) General Instructions for the Questions. Certain of the 
Questions may be customized as follows:
    (1) ``Who is providing this notice?'' This question may be 
omitted where only one financial institution provides the model form 
and that institution is clearly identified in the title on page one. 
Two or more financial institutions that jointly provide the model 
form must use this question to identify themselves as required by 
Sec.  248.9(f) of this part. Where the list of institutions exceeds 
four (4) lines, the institution must describe in the response to 
this question the general types of institutions jointly providing 
the notice and must separately identify those institutions, in 
minimum 8-point font, directly following the ``Other important

[[Page 62994]]

information'' box, or, if that box is not included in the 
institution's form, directly following the ``Definitions.'' The list 
may appear in a multi-column format.
    (2) ``How does [name of financial institution] protect my 
personal information?'' The financial institution may only provide 
additional information pertaining to its safeguards practices 
following the designated response to this question. Such information 
may include information about the institution's use of cookies or 
other measures it uses to safeguard personal information. 
Institutions are limited to a maximum of 30 additional words.
    (3) ``How does [name of financial institution] collect my 
personal information?'' Institutions must use five (5) of the 
following terms to complete the bulleted list for this question: 
open an account; deposit money; pay your bills; apply for a loan; 
use your credit or debit card; seek financial or tax advice; apply 
for insurance; pay insurance premiums; file an insurance claim; seek 
advice about your investments; buy securities from us; sell 
securities to us; direct us to buy securities; direct us to sell 
your securities; make deposits or withdrawals from your account; 
enter into an investment advisory contract; give us your income 
information; provide employment information; give us your employment 
history; tell us about your investment or retirement portfolio; tell 
us about your investment or retirement earnings; apply for 
financing; apply for a lease; provide account information; give us 
your contact information; pay us by check; give us your wage 
statements; provide your mortgage information; make a wire transfer; 
tell us who receives the money; tell us where to send the money; 
show your government-issued ID; show your driver's license; order a 
commodity futures or option trade. Institutions that collect 
personal information from their affiliates and/or credit bureaus 
must include after the bulleted list the following statement: ``We 
also collect your personal information from others, such as credit 
bureaus, affiliates, or other companies.'' Institutions that do not 
collect personal information from their affiliates or credit bureaus 
but do collect information from other companies must include the 
following statement instead: ``We also collect your personal 
information from other companies.'' Only institutions that do not 
collect any personal information from affiliates, credit bureaus, or 
other companies can omit both statements.
    (4) ``Why can't I limit all sharing?'' Institutions that 
describe state privacy law provisions in the ``Other important 
information'' box must use the bracketed sentence: ``See below for 
more on your rights under state law.'' Other institutions must omit 
this sentence.
    (5) ``What happens when I limit sharing for an account I hold 
jointly with someone else?'' Only financial institutions that 
provide opt-out options must use this question. Other institutions 
must omit this question. Institutions must choose one of the 
following two statements to respond to this question: ``Your choices 
will apply to everyone on your account.'' or ``Your choices will 
apply to everyone on your account--unless you tell us otherwise.'' 
Financial institutions that provide insurance products or services 
and elect to use the model form may substitute the word ``policy'' 
for ``account'' in these statements.
    (b) General Instructions for the Definitions.
    The financial institution must customize the space below the 
responses to the three definitions in this section. This specific 
information must be in italicized lettering to set off the 
information from the standardized definitions.
    (1) Affiliates. As required by Sec.  248.6(a)(3) of this part, 
where [affiliate information] appears, the financial institution 
must:
    (i) If it has no affiliates, state: ``[name of financial 
institution] has no affiliates; ''
    (ii) If it has affiliates but does not share personal 
information, state: ``[name of financial institution] does not share 
with our affiliates; '' or
    (iii) If it shares with its affiliates, state, as applicable: 
``Our affiliates include companies with a [common corporate identity 
of financial institution] name; financial companies such as [insert 
illustrative list of companies]; nonfinancial companies, such as 
[insert illustrative list of companies;] and others, such as [insert 
illustrative list].''
    (2) Nonaffiliates. As required by Sec.  248.6(c)(3) of this 
part, where [nonaffiliate information] appears, the financial 
institution must:
    (i) If it does not share with nonaffiliated third parties, 
state: ``[name of financial institution] does not share with 
nonaffiliates so they can market to you; '' or
    (ii) If it shares with nonaffiliated third parties, state, as 
applicable: ``Nonaffiliates we share with can include [list 
categories of companies such as mortgage companies, insurance 
companies, direct marketing companies, and nonprofit 
organizations].''
    (3) Joint Marketing. As required by Sec.  248.13 of this part, 
where [joint marketing] appears, the financial institution must:
    (i) If it does not engage in joint marketing, state: ``[name of 
financial institution] doesn't jointly market; '' or
    (ii) If it shares personal information for joint marketing, 
state, as applicable: ``Our joint marketing partners include [list 
categories of companies such as credit card companies].''
    (c) General instructions for the ``Other important information'' 
box. This box is optional. The space provided for information in 
this box is not limited. Only the following types of information can 
appear in this box.
    (1) State and/or international privacy law information; and/or
    (2) Acknowledgment of receipt form.


0
55. Amend Appendix B to Subpart A of part 248 as follows:
0
A. Add a sentence to the beginning of the introductory text as set 
forth below.
0
B. Effective January 1, 2012, remove Appendix B to Subpart A of part 
248.

Appendix B to Subpart A of Part 248--Sample Clauses

    This Appendix only applies to privacy notices provided before 
January 1, 2011.
* * * * *

    Dated: October 1, 2009.
John C. Dugan,
Comptroller of the Currency.

    By order of the Board of Governors of the Federal Reserve 
System, October 27, 2009.
Robert deV. Frierson,
Secretary of the Board.
    By Order of the Board of Directors.

    Dated at Washington, DC, this 23rd day of October, 2009.

    Federal Deposit Insurance Corporation.
Robert E. Feldman,
Executive Secretary.
    Dated: September 28, 2009.

    By the Office of Thrift Supervision.
John E. Bowman,
Acting Director.
    By the National Credit Union Administration Board on November 
10, 2009.
Mary Rupp,
Secretary of the Board.
    The Federal Trade Commission.

    Dated: September 25, 2009.

    By Direction of the Commission.
Donald S. Clark,
Secretary.
    Dated: September 21, 2009.
David A. Stawick,
Secretary of the Commodity Futures Trading Commission.
    Dated: November 16, 2009.

    By the Securities and Exchange Commission.
Elizabeth M. Murphy,
Secretary.
[FR Doc. E9-27882 Filed 11-30-09; 8:45 am]
BILLING CODE 6750-01-P 12.5%, 6351-01-P 12.5%, 6720-01-P 12.5%, 6714-
01-P 12.5%, 4810-33-P 12.5%, 6210-01-P 12.5%, 8011-01-P 12.5%, 7535-01-
P 12.5%