Federal Agencies' Joint Request for Comment: Alternative Forms of Privacy Notices
Comments Submitted by:
Privacy Rights Clearinghouse
Consumers Union of U.S., Inc.
Identity Theft Resource Center
World Privacy Forum
Office of Comptroller of the Currency, Docket No. 03-27, email@example.com
Office of Thrift Supervision, Docket No. 2003-62, firstname.lastname@example.org
Federal Reserve, Docket No. R-1173, email@example.com
Federal Deposit Insurance Corporation, RIN 3064-AC77, firstname.lastname@example.org
National Credit Union Administration, email@example.com
Federal Trade Commission, RIN 3084-AA94, Project No. 034815, GLBnotices@ftc.gov
Commodity Futures Trading Commission, RIN 3038-AC04, firstname.lastname@example.org
Securities and Exchange Commission, File No. S7-30-03, email@example.com
RE: Interagency Proposal to Consider Alternative Forms of Privacy Notices under the Gramm-Leach-Bliley (GLB) Act http://www.ftc.gov/os/2003/12/031223anprfinalglbnotices.pdf
- About the Commenting Organizations
- Continued Consumer Interest in Financial Privacy
- Agency Approach to Short-form Notice
- Goals of a Privacy Notice
- Elements of a Privacy Notice
- Language of a Privacy Notice
- Format of a Privacy Notice
- Mandatory or Permissible Aspects of a Privacy Notice
- Costs and Benefits of a Short Notice
- Additional Information - Consumer Testing and Education
- Conclusions and List of Individuals Who Have Signed on to
Attachment A. Sample Short Form Notice from 2002 California Legislative Session for SB 773 (California State Senator Jackie Speier)
Attachment B. Privacy Notice Stipulated in California Senate Bill 1 (California State Senator Jackie Speier, 2003)
The Privacy Rights Clearinghouse, Consumers Union, Consumer Action, Identity Theft Resource Center, the World Privacy Forum, and PrivacyActivism submit these comments on the advance notice of proposed rulemaking (ANPR) published jointly by the Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve (Board), Office of Thrift Supervision (OTS), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Federal Trade Commission (FTC), Securities and Exchange Commission (SEC), and the Commodity Futures Trading Commission (CFTC) (the Agencies). (68 FR 75164, December 30, 2003)
Because the ANPR indicates the Agencies will jointly review all submissions, these comments are directed to the FTC under that agency's project number. The organizations understand these comments will be shared among all the Agencies participating in the ANPR.
The Gramm-Leach-Bliley Act (GLB) requires financial institutions to give customers annual notice of how personal information is collected and disclosed, and, under limited circumstances, a means for customers to control information flow. The notices delivered to consumers, beginning with the effective date of July 1, 2001, until now have generated substantial criticism from all interested parties. As the ANPR notes, there have been broad-based concerns expressed by representatives of financial institutions, consumers, privacy advocates, and Members of Congress.
In response to numerous concerns expressed by all stakeholders about privacy notices, the FTC convened a workshop in December 2001, just five months after financial institutions were required to send the initial privacy notice to customers. To further address these continuing concerns, the Agencies have published the ANPR. That the Agencies are willing to revisit the issue of clear notice to consumers by considering a short-form notice is an encouraging sign for consumer privacy interests.
The organizations offering these comments in response to the ANPR have consistently held that effective notice and meaningful choice are available to consumers only through an opt-in procedure. We understand that the Agencies are bound by the limitations of the statute which directs that consumers be provided only with a limited opt-out choice.
However, the Agencies, even without the authority to adopt the consumer-favored opt-in standard, have wide latitude through rulemaking to address the failures of the current notice procedures. Through the rulemaking process, the Agencies can do much to make the required notices more useful and understandable to consumers.
It has now been over three years since Congress directed "clear and conspicuous" notice for consumers. Two and a half years have passed since the effective date of the federal Privacy Rule adopted to carry out Congress' mandate. The simple message the privacy notices were supposed to deliver to consumers has been buried in legalese and marketing language designed to convince the consumer of the benefits of not opting out - in short, language that masks the true purpose of the notice. A mandatory short-form notice is a needed move toward Congress' intended goal of effective notice for consumers.
The Privacy Rights Clearinghouse (PRC) is a nonprofit consumer education and advocacy organization based in San Diego, CA, and established in 1992. The PRC advises consumers on a variety of informational privacy issues, including financial privacy and identity theft, through a series of fact sheets as well as individual counseling available via telephone and e-mail. It represents consumers' interests in legislative and regulatory proceedings on the state and federal levels. www.privacyrights.org
Consumers Union is a nonprofit membership organization chartered in 1936 under the laws of the State of New York to provide consumers with information, education, and counsel about goods, services, health and personal finance; and to initiate and cooperate with individual and group efforts to maintain and enhance the quality of life for consumers. Consumers Union has actively supported a wide variety of state consumer protection laws, including in the areas of credit, finance, and disclosure, including identity theft prevention laws and anti-predatory lending laws. www.consumer.org
Consumer Action is a non-profit consumer education and advocacy organization serving consumers since 1971. It provides consumers with information and education on matters of telecommunications, privacy, predatory lending and banking/credit issues through its national network of 7,000 community-based organizations. Consumer Action advocates at the state and federal legislative levels for consumer rights in the policy areas of banking and credit, product safety, privacy and identity theft and other issues affecting the quality of life of California consumers. www.consumer-action.org
The Identity Theft Resource Center is a national nonprofit organization that focuses exclusively on identity theft. It was established in 1999. ITRC's mission is to research, analyze and distribute information about the growing crime of identity theft. It serves as a resource and advisory center of identity theft information for consumers, victims, law enforcement, the business and financial sectors, legislators, media and governmental agencies. www.idtheftcenter.org
The World Privacy Forum is a nonprofit, nonpartisan organization focused on conducting in-depth research on societal issues, particularly those intersecting the areas of technology and privacy. The Forum focuses its research efforts on a broad range of emerging and maturing technologies and issues with an eye to informing and educating the public and policymakers about the key pluses and minuses resulting from the use and adoption of these technologies. Specific areas for research include: consumer data privacy, workplace privacy, job applicant rights and privacy, background checks and public records, Internet fraud, and large technological infrastructures, including multi-national commercial databases. www.worldprivacyforum.org
PrivacyActivism is a nonprofit organization that informs and empowers individuals about consumer privacy issues. Through a mixture of education (using graphics such as posters and video games), activism, and the law, we strive to make complex issues of privacy law, policy, and technology accessible to all. www.privacyactivism.org
Before turning to the key questions posed by the Agencies, we would like to briefly recap the PRC experience from consumer inquiries about privacy notices. In December 2001 at the Get Noticed Workshop, the PRC reported contact with about 2,500 consumers in the months prior to the July 1, 2001, deadline. The PRC observed that consumers showed a low level of knowledge and understanding of the privacy notices. One thing that stood out - and something worth repeating here - was that most consumers who contacted the PRC learned about the privacy notices as a result of a media report, not as a result of having seen a privacy notice sent by a financial institution. (The PRC report can be read at www.privacyrights.org/ar/fp-glb-ftc.htm.)
The PRC no longer keeps a close count of consumers who e-mail or call with questions about financial institutions' privacy notices. The numbers today do not come close to the 2,500 contacts reported in 2001. Still, PRC records of web site visitors indicate financial privacy continues to be a major area of consumer inquiry. In 2003, about 2,500 visitors each month looked at the PRC site for information about financial privacy. Most visitors looked at the GLB materials, particularly those items that provided information on opting out, like the opt-out address list. Between January '03 and the end of October of '03, the most frequently downloaded file on the PRC web site was the sample opt-out letter. The suggested opt-out letter was the second most downloaded file in November and December of '03.
The e-mail message that surfaces around July 1 of every year, the one that confuses the GLB opt-out with the pre-approved credit offer opt-out allowed by the FCRA, prompted over 16,000 visits to the PRC site just before and just after July 1. This erroneous message generated numerous e-mails and telephone calls to the PRC from consumers. The lesson to be learned from these figures -- one we want to pass along to the Agencies - is that consumers are looking for ways to opt-out. (The PRC "alert" on the confusing e-mail message can be read at www.privacyrights.org/ar/optout_truth.htm.)
The California experience also shows strong consumer interest in financial privacy. A poll of California citizens taken while the California financial privacy bill (SB1) was being debated showed that an overwhelming number of consumers strongly favor strong privacy legislation. (www.privacyrights.org/ar/CFCsurvey.htm)
The Agencies seek comment on the approach to be taken should the Agencies decide to develop a short-form notice. The ANPR suggests three possible approaches:
- An interagency interpretation of the Privacy Rule, perhaps with model forms or language.
- A set of guidelines or best practices for financial institutions.
- Amendments to the Privacy Rule.
The Agencies should amend the Privacy Rule to require financial institutions to provide a short-form notice. The existing Privacy Rule gives considerable discretion to companies in ways to fashion privacy notices. A set of best practices or an interpretation of the existing Privacy Rule would simply continue to allow financial institutions too much discretion in how to inform consumers about company practices.
In the absence of a mandatory framework, companies have been left to speculate about what compliance really means under the Privacy Rule. Many companies seem to have adopted the notion that more is better, that the annual privacy notice is an opportunity to speak to customers, or worse, an opportunity to market to customers. Such practices have all but obscured the core purpose of the notices: to give a clear statement about the company's information disclosure practices and to give a clear choice about any opportunity to opt-out.
For consumers, we see three primary goals: (1) recognition, (2) understanding, and (3) a simple means for consumers to exercise their choices.
Recognition. Consumers should be able to immediately identify a privacy notice tucked among account statements, advertisements, or other required notices. Better yet, the notice should be mailed in its own envelope, although we realize that is not required by GLB.
Understanding. Once identified, the message must be presented in simple, straightforward language. An example of the kinds of statements consumers can understand was offered in the July 2001 petition for revised rulemaking filed with the GLB Agencies by a number of consumer organizations.
Exercising choice. Finally, consumers should be able to exercise their choices in an easy way. A simple mail-in form or a toll-free number are appropriate options. Complicated options for consumers will result in fewer consumers responding to the notices.
For business, the goal should be not only to provide a notice that satisfies the legal requirement, but one that consumers can easily understand. Although practices may vary from company to company, the bottom line is always the same: Companies either disclose customer information to affiliates and third parties or they do not. Customers either have the right to opt-out or they don't.
The goal should not be, as many financial companies seem to have adopted, to use the required notice to market to customers on the benefits of not opting out. Our ear to the ground tells us this approach has backfired, creating consumer distrust and skepticism about the true motives of information sharing.
The elements of a short-form privacy notice should follow the core elements required by GLB and the Privacy Rule. The core elements as stated by GLB are:
- An explanation of how the consumer can exercise the nondisclosure option.
- A "clear and conspicuous" notice of policies and practices with respect to:
- Disclosing nonpublic personal information to affiliates and nonaffiliates, including the categories of information that may be disclosed.
- Disclosing information of persons who have ceased to be customers.
- Protecting the nonpublic personal information of consumers.
- The categories of persons to whom the information is or may be disclosed.
- The categories of information collected.
Consumers want to know how to opt-out as well as what the opt-out means for them. Under the format now followed by most financial institutions, opt-out information comes at the end of the notice. Consumers become discouraged or even bored trying to wade through lengthy, undecipherable text, often failing to see the opt-out choice.
The principles for a short-form notice created by the Center for Democracy and Technology and other consumer groups, the sample notices attached to the Agencies' ANPR, and the notice now required in California under Senate Bill 1 (SB1) all represent great improvement over the current system. The sample notice required by California's SB1 is provided in Attachment B.
Within limited space a short-form notice could go far in carrying out Congress' dictate that consumers be given an explanation of how to exercise nondisclosure options. This explanation of choice should take a prominent place in a short-form notice. For example, the short-form notice should include:
- The ways information is disclosed and the opt-out choices for each kind of disclosure. This should come directly under the caption. Other elements such as data collected should come later in the notice.
- A checkbox to indicate whether the consumer does or does not have an opt-out choice for each category of data disclosure.
- Reduce all statements about choice to "opt-out." The phrase is sufficiently entrenched into the "privacy" vocabulary that an explanatory statement is not required.
- The consumer's ability to opt-out or not should be reinforced throughout the short-form notice.
- For example, in Appendix A of the ANPR the section captioned "We share information about you with" includes a statement "if you wish us to stop sharing this information, follow the instruction in the attached opt-out form." This statement can be reduced to "To opt-out, return the attached form." Disclosures such as joint marketing, where the consumer has no opt-out choice, should clearly state "You cannot opt out." (Please note: We do not condone the use of the word "share" because it is too ambiguous. See further discussion about "share" below. Also, we include the two sample privacy notices from California as examples of how such notices can easily be reduced to a single page, not necessarily as the ultimate ideal examples of short-form notices.)
Careful selection of language is one of the most important considerations for the Agencies as short-form notices are developed. Aiming for an economy of words, it is absolutely necessary that the words included in a short-form notice clearly convey the proper message.
Before adopting a short-form notice, the Agencies should consult language experts skilled in developing messages directed at the average consumer. The Agencies with the help of language experts should develop sample notices and then determine, based on consumer testing, the selection of words that best delivers the intended message.
One area that warrants particular study of descriptive language is the ways in which financial institutions characterize policies and practices of disclosure. A privacy notice that states "We share information within our family of companies," and "We share information with outside companies," does not adequately describe that company's policies and practices.
Use of the word "share" to describe all manner of information flow does not give consumers "clear and conspicuous" disclosure. To remedy this, the Agencies should look to language experts to select simple words that more accurately describe a company's practices. Some examples of this may be that the company "sells," "leases," "trades," "rents," "contracts," or "swaps" customer data. The short-form notice should include a simple statement to describe the company's practice. The company may then describe its practice further in a long-form notice. In essence, the Agencies should decide that the consumer's right to notice of a company's information disclosure practices includes the right to know whether the company profits from the disclosure.
In the ANPR, the Agencies also seek comment on whether particular "privacy" terms are readily understood by consumers. "Opt out" is such a term, and should be used in short-form as well as long-form notices to replace cumbersome phrases such as "You may stop us from sharing your information." As previously stated, the Agencies should adopt a mandatory standardized short-form notice. This includes standard language required for notices. In this way, consumers will become familiar with the common meaning of words and phrases. Standardization should help to reduce the existing consumer confusion about company practices and the consumer's choice to either accept or reject the practice.
Attached is a sample short notice developed during the 2002 legislative debate over California State Senator Jackie Speier's SB 773 (replaced in 2003 with SB1). See Attachment A. The attached notice was not inserted into the legislative bill, but was the simplest of the many versions of the notice that were considered that year. Also provided in Attachment B is the sample notice required by SB1, passed into law in 2003.
The Agencies should adopt the following mandatory standards to effect adequate consumer notice:
- Standardized format for all financial institutions.
- Format for long-form notice should conform to short-form notice.
- Forms that are used by financial institutions should meet an established readability standard. The law in California requires that the forms sent to consumers meet a minimum Flesch reading ease score of 50. (See Attachment B.) A similar requirement should be placed on short-form notices under federal regulations.
The Agencies should also take the following additional steps to ensure consumers recognize the notice and understand the choices available:
- The envelope that contains the notice should be marked on the outside with a phrase such as "Important Privacy Notice Enclosed."
- The input of people who specialize in simple consumer disclosures (readability experts) should be sought in this process.
- A statement should be placed directly under the caption that the notice is required by federal law. Such a statement tells the consumer not only why the notice is being sent but also points out the significance of the information contained in the notice.
The Agencies would also further the goal of consumer recognition of the privacy notice by adopting a specific month in the year when privacy notices should be delivered to consumers. Currently under the Privacy Rule, financial institutions have discretion to select any consecutive twelve-month period in which to deliver the notice. For consumers this has meant that notices are being received throughout the year. This requires the consumer to be on continuous alert for inserts in account statements, advertising, postcards or other mail.
The short-form notice should be no more than one page, including the opt-out selection form.
The Agencies seek comment on privacy notices that must conform to state as well as federal law (Part D, Question 6). In the instance when a state law includes provisions that are not required under federal law, states should have the authority to adjust the federal notice to include these additional provisions. Federal law should defer to state law if the state notice is found to be less complex than the federal law and if state law provides consumers more rights than those provided in federal law. At a minimum, state forms must meet all of the requirements outlined in this section.
Distribution of a short-form notice should be mandatory for all financial institutions. This includes a specified, standardized format and mandatory language. With standardized short-form notices, consumers will be able to easily compare policies from company to company and thus make informed choices about which company's policy best suits the individual's preference.
The short-form notice should be required through revisions to the Privacy Rule rather than agency interpretations of the existing rule or best practice guidelines. The current system that allows financial institutions discretion to independently develop privacy notices has resulted in widespread confusion for consumers. Some companies have used this discretion as merely an opportunity to market to customers, thus blurring the intended purpose of informed notice.
By adopting a mandatory format and mandatory language, the Agencies, in effect, eliminate financial institutions' discretion to fill privacy notices with extraneous marketing messages. Blurring the message required to be provided to consumers and using the required privacy notice as an opportunity to market has been a major cause of consumer confusion.
Once implemented, a mandatory short-form notice should prove cost effective with benefits for both consumers and financial institutions. Millions have now been spent to develop and print the current privacy notices, all without concrete results. The experience of the last few years, in effect, has been a costly experiment for business and for consumers. The cost has almost certainly been absorbed by increased fees.
Adoption of mandatory short-form notices should cut the costs for business significantly. Companies will not have to hire teams of lawyers and consultants to advise on compliance. A one-page standardized notice will certainly be cheaper to produce than the multi-page notices now distributed to consumers. And, as more and more people have Internet access, a company may want to supplement the short-form notice by providing the long-form notice through its web site. A multi-page long-form notice would only be necessary for the decreasing number of people without Internet access.
A standardized short-form notice should also benefit the Agencies in compliance review and enforcement. A prescribed format and mandatory language will eliminate the difficulty, for Agencies and all other stakeholders, in comparing privacy notices.
The organizations submitting these comments strongly recommend that the Agencies seek the input of language, communications, and readability experts before establishing a short-form privacy notice. With the assistance of such experts, the Agencies should develop several variations of a short-form notice and use consumer testing to assess which notice best meets the core goals of GLB. In addition to focus groups, the Agencies can also use reading comprehension tests and other methods to determine effectiveness.
The Agencies' ANPR to consider short-form privacy notices is an important step forward in making privacy notices more recognizable and useful to consumers. We commend you for initiating the ANPR. Feel free to contact us for clarification of our comments and for other aspects of your deliberations in which we can assist.
Beth Givens, Director, Privacy Rights Clearinghouse, firstname.lastname@example.org
Tena Friery, Research Director, Privacy Rights Clearinghouse, email@example.com
3100 5th Ave., Suite B, San Diego, CA 92103
Shelley Curran, Policy Analyst, Consumers Union, firstname.lastname@example.org
1535 Mission St., San Francisco, CA 94103
Ken McEldowney, Executive Director, Consumer Action,
717 Market St., Suite 310, San Francisco, CA 94103
Linda Foley, Executive Director, Identity Theft Resource Center, email@example.com
P.O. Box 26833, San Diego, CA 92196
Pam Dixon, Executive Director, World Privacy Forum, firstname.lastname@example.org
PO Box 849, Cardiff by the Sea, CA 92007
Deborah Pierce, Executive Director, PrivacyActivism, email@example.com
454 Shotwell St., San Francisco, CA 94110
Attachment A. Sample Short Form Notice from 2002 California Legislative Session for SB 773 (not codified into law)
Important Privacy Choices for Californians
California law gives you more rights and choices than federal law about how financial institutions can share your personal and financial information. Please read the following information carefully and make your choices below.
What if I do not want to share my information?
Check below that says what you want.
__ Do not share my personal and financial information with companies you own or control (affiliates).
__ Do not share my personal and financial information with outside financial companies you contract with to provide financial products and services.
What if I want as much privacy as the law allows?
Check below to get the maximum privacy the law allows:
__ Do not share my personal and financial information with other companies you own or control (affiliates), with outside financial companies you contract with, or with any other companies.
What if I want to share my information?
If you want to share your information with other companies, check below:
__ You can share my personal and financial information with other companies.
Are there other cases when you will share my information?
We can still share your information if needed to manage your account or policy or if state or federal law requires us to. We can still send you information about other companies' products and services. But we cannot share your personal and financial information with them.
Is there a deadline?
You can make your choice at any time. Unless you change your mind in the future, we will continue to follow your instructions on this form. If we do not hear from you [within 45 days of the date on this notice] we may share some of your personal and financial information with other companies.
How do I let you know what I want?
You have 3 choices:
1 Call us: (800) xxx-xxxx or (xxx) xxx-xxxx
2 Send us email: Go to: www.xxxxxxxx and click on abcdef.
3 By Mail: Fill out this form and mail it to us in the envelope provided.
Keep a copy for your records.
Your Name: __________________ Signature: _______________
Your account/policy #'s: _________________________
Attachment B. Privacy Notice Stipulated in California Senate Bill 1
(Sen. Jackie Speier, 2003, codified as Calif. Financial Code 4050 et seq., www.leginfo.ca.gov)
Important Privacy Choices for Consumers
You have the right to control whether we share some of your personal information.
Please read the following information carefully before you make your choices below.
You have the following rights to restrict the sharing of personal and financial information with our affiliates (companies we own or control) and outside companies that we do business with. Nothing in this form prohibits the sharing of information necessary for us to follow the law, as permitted by law, or to give you the best service on your accounts with us. This includes sending you information about some other products or services.
Restrict Information Sharing With Companies We Own or Control (Affiliates): Unless you say "No," we may share personal and financial information about you with our affiliated companies.
(_) NO, please do not share personal and financial information with your affiliated companies.
Restrict Information Sharing With Other Companies We Do Business With To Provide Financial Products And Services: Unless you say "No," we may share personal and financial information about you with outside companies we contract with to provide financial products and services to you.
(_) NO, please do not share personal and financial information with outside companies you contract with to provide financial products and services.
Time Sensitive Reply
You may make your privacy choice(s) at any time. Your choice(s) marked here will remain unless you state otherwise. However, if we do not hear from you we may share some of your information with affiliated companies and other companies with whom we have contracts to provide products and services.
Account or Policy Number(s): _______________________[to be filled in by consumer]
To exercise your choices do [one of] the following:
(1) Fill out, sign and send back this form to us using the envelope provided (you may want to make a copy for your records); [#1 is mandatory]
(2) Call this toll-free number (800) xxx-xxxx or (xxx) xxx-xxxx; [optional]
(3) Reply electronically by contacting us through the following Internet option: xxxxx.com]
California Financial Information Privacy Act
California Financial Code 4050.
This division shall be known and may be cited as the California Financial Information Privacy Act.
4053 (d) (1) A financial institution shall be conclusively presumed to have satisfied the notice requirements of subdivision (b) if it uses the form set forth in this subdivision.
The form set forth in this subdivision or a form that complies with subparagraphs (A) to (L), inclusive, of this paragraph shall be sent by the financial institution to the consumer so that the consumer may make a decision and provide direction to the financial institution regarding the sharing of his or her nonpublic personal information.
If a financial institution does not use the form set forth in this subdivision, the financial institution shall use a form that meets all of the following requirements:
(A) The form uses the same title ("IMPORTANT PRIVACY CHOICES FOR CONSUMERS") and the headers, if applicable, as follows: "Restrict Information Sharing With Companies We Own Or Control (Affiliates)" and "Restrict Information Sharing With Other Companies We Do Business With To Provide Financial Products And Services."
(B) The titles and headers in the form are clearly and conspicuously displayed, and no text in the form is smaller than 10-point type.
(C) The form is a separate document, except as provided by subparagraph (D) of paragraph (2), and Sections 4054 and 4058.7.
(D) The choice or choices pursuant to subdivision (b) and Section 4054.6, if applicable, provided in the form are stated separately and may be selected by checking a box.
(E) The form is designed to call attention to the nature and significance of the information in the document.
(F) The form presents information in clear and concise sentences, paragraphs, and sections.
(G) The form uses short explanatory sentences (an average of 15-20 words) or bullet lists whenever possible.
(H) The form avoids multiple negatives, legal terminology, and highly technical terminology whenever possible.
(I) The form avoids explanations that are imprecise and readily subject to different interpretations.
(J) The form achieves a minimum Flesch reading ease score of 50, as defined in Section 2689.4(a)(7) of Title 10 of the California Code of Regulations, in effect on March 24, 2003, except that the information in the form included to comply with subparagraph (A) shall not be included in the calculation of the Flesch reading ease score, and the information used to describe the choice or choices pursuant to subparagraph (D) shall score no lower than the information describing the comparable choice or choices set forth in the form in this subdivision.
(K) The form provides wide margins, ample line spacing and uses boldface or italics for key words.
(L) The form is not more than one page.
(2) (A) None of the instructional items appearing in brackets in the form set forth in this subdivision shall appear in the form provided to the consumer, as those items are for explanation purposes only. If a financial institution does not disclose or share nonpublic personal information as described in a header of the form, the financial institution may omit the applicable header or headers, and the accompanying information and box, in the form it provides pursuant to this subdivision. The form with those omissions shall be conclusively presumed to satisfy the notice requirements of this subdivision.
(B) If a financial institution uses a form other than that set forth in this subdivision, the financial institution may submit that form to its functional regulator for approval, and for forms filed with the Office of Privacy Protection prior to July 1, 2007, that approval shall constitute a rebuttable presumption that the form complies with this section.
(C) A financial institution shall not be in violation of this subdivision solely because it includes in the form one or more brief examples or explanations of the purpose or purposes, or context, within which information will be shared, as long as those examples meet the clarity and readability standards set forth in paragraph (1).
(D) The outside of the envelope in which the form is sent to the consumer shall clearly state in 16-point boldface type "IMPORTANT PRIVACY CHOICES," except that a financial institution sending the form to a consumer in the same envelope as a bill, account statement, or application requested by the consumer does not have to include the wording "IMPORTANT PRIVACY CHOICES" on that envelope.
The form shall be sent in any of the following ways:
(i) With a bill, other statement of account, or application requested by the consumer, in which case the information required by Title V of the Gramm-Leach-Bliley Act may also be included in the same envelope.
(ii) As a separate notice or with the information required by Title V of the Gramm-Leach-Bliley Act, and including only information related to privacy.
(iii) With any other mailing, in which case it shall be the first page of the mailing.
(E) If a financial institution uses a form other than that set forth in this subdivision, that form shall be filed with the Office of Privacy Protection within 30 days after it is first used.
(3) The consumer shall be provided a reasonable opportunity prior to disclosure of nonpublic personal information to direct that nonpublic personal information not be disclosed. A consumer may direct at any time that his or her nonpublic personal information not be disclosed. A financial institution shall comply with a consumer's directions concerning the sharing of his or her nonpublic personal information within 45 days of receipt by the financial institution. When a consumer directs that nonpublic personal information not be disclosed, that direction is in effect until otherwise stated by the consumer. A financial institution that has not provided a consumer with annual notice pursuant to subdivision (b) shall provide the consumer with a form that meets the requirements of this subdivision, and shall allow 45 days to lapse from the date of providing the form in person or the postmark or other postal verification of mailing before disclosing nonpublic personal information pertaining to the consumer. Nothing in this subdivision shall prohibit the disclosure of nonpublic personal information as allowed by subdivision (c) or Section 4056.
(4) A financial institution may elect to comply with the requirements of subdivision (a) with respect to disclosure of nonpublic personal information to an affiliate or with respect to nonpublic personal information disclosed pursuant to paragraph (2) of subdivision (b), or subdivision (c) of Section 4054.6.
(5) If a financial institution does not have a continuing relationship with a consumer other than the initial transaction in which the product or service is provided, no annual disclosure requirement exists pursuant to this section as long as the financial institution provides the consumer with the form required by this section at the time of the initial transaction. As used in this section, "annually" means at least once in any period of 12 consecutive months during which that relationship exists. The financial institution may define the 12-consecutive-month period, but shall apply it to the consumer on a consistent basis. If, for example, a financial institution defines the 12-consecutive-month period as a calendar year and provides the annual notice to the consumer once in each calendar year, it complies with the requirement to send the notice annually.
(6) A financial institution with assets in excess of twenty-five million dollars ($25,000,000) shall include a self-addressed first class business reply return envelope with the notice. A financial institution with assets of up to and including twenty-five million dollars ($25,000,000) shall include a self-addressed return envelope with the notice. In lieu of the first class business reply return envelope required by this paragraph, a financial institution may offer a self-addressed return envelope with the notice and at least two alternative cost-free means for consumers to communicate their privacy choices, such as calling a toll-free number, sending a facsimile to a toll-free telephone number, or using electronic means. A financial institution shall clearly and conspicuously disclose in the form required by this subdivision the information necessary to direct the consumer on how to communicate his or her choices, including the toll-free or facsimile number or Web site address that may be used, if those means of communication are offered by the financial institution.
(7) A financial institution may provide a joint notice from it and one or more of its affiliates or other financial institutions, as identified in the notice, so long as the notice is accurate with respect to the financial institution and the affiliates and other financial institutions.
(e) Nothing in this division shall prohibit a financial institution from marketing its own products and services or the products and services of affiliates or nonaffiliated third parties to customers of the financial institution as long as (1) nonpublic personal information is not disclosed in connection with the delivery of the applicable marketing materials to those customers except as permitted by Section 4056 and (2) in cases in which the applicable nonaffiliated third party may extrapolate nonpublic personal information about the consumer responding to those marketing materials, the applicable nonaffiliated third party has signed a contract with the financial institution under the terms of which (A) the nonaffiliated third party is prohibited from using that information for any purpose other than the purpose for which it was provided, as set forth in the contract, and (B) the financial institution has the right by audit, inspections, or other means to verify the nonaffiliated third party's compliance with that contract.