Interagency Proposal for Model Privacy Form under the Gramm-Leach-Bliley Act
Submitted to the Federal Trade Commission
by the Privacy Rights Clearinghouse
May 16, 2007
Federal Trade Commission
Office of the Secretary, Room 135 (Annex C)
600 Pennsylvania Ave, NW
Washington, DC 20580
Filed electronically at: https://secure.commentworks.com/ftc-modelform
RE: Comments on FTC File No. PO34815, Docket ID OCC-2007-0003
Interagency Proposal for Model Privacy Form under the Gramm-Leach-Bliley Act
The Privacy Rights Clearinghouse (PRC)1 is pleased to comment on the Federal Trade Commission (FTC or Commission) notice of proposed rulemaking (NPR)2 to simplify the consumer disclosures required by the Gramm-Leach-Bliley Act (“GLB”). With only a few minor suggestions, the PRC endorses and fully supports the model form adopted by the agencies. We direct our comments as follows:
The NPR was issued to meet the requirement of the Financial Services Regulatory Relief Act of 2006 (Regulatory Relief Act),3 which directs the eight federal GLB regulators to finalize earlier proposals to meet GLB’s standard that consumer privacy notices be “clear and conspicuous.” As a result, the agencies have proposed a short form model privacy form.
The PRC, along with other consumer and privacy advocates, has been highly critical of the privacy notices sent to consumers. Starting in July of 2001, when the first GLB privacy notices appeared in consumers’ mailboxes, it was apparent that notices, when recognized at all, did not provide consumers with a clear understanding of their financial institution’s information sharing practices. Consequently, the notices did not give consumers a reasonable opportunity to exercise any available opt-out opportunities. Significantly, the criticism voiced by consumer and privacy advocates was shared by members of Congress and the financial services industry as well. The agencies’ response to these concerns is outlined in the NPR, beginning with the Interagency Workshop held in 2001 through the report on consumer testing issued in March 2006.
Absent the preferred, true consumer choice of an opt-in, the privacy notices sent by financial institutions represent the only information consumers have about how information is shared with affiliates and third-party non-affiliates. We are encouraged to see that the model privacy notices proposed by the agencies incorporate many of the suggestions privacy organizations have long advocated.
Namely, the proposed model form:
- Is a standardized format that allows consumers to compare information sharing practices of multiple financial institutions.
- Includes a checklist approach that alerts consumers to when they can or cannot opt-out.
- Requires a statement at the top that tells consumers the notice is required by federal law.
- Prohibits the inclusion of extraneous, marketing-type information.
Some simple changes would make the model forms more clear and provide added information. The NPR includes two model privacy forms. The three-page “Neptune” model is used when companies share information and the consumer has opt-out choices. The two-page “Mars” model form is used when the company does not share information. We offer the following suggestions and comments:
- Mars Model Form
The Mars model form is used when the customer has no opt-out option. Under other circumstances, a company that used the Mars form could have additional “yes” answers under the question, “Does Mars Share?” This would be the case, for example, if Mars shared information with joint marketers or shared transaction and experience information with affiliates.
In the PRC’s experience, consumers often become confused when they see that a financial company says it shares information. Consumers’ general attitude is that information should not be shared at all, and, if it is, there should be an opt-out right. The PRC has been contacted by consumers frustrated because a privacy notice says the company “shares” information, but the consumer cannot find that the notice gives information necessary to opt out.
Consumer confusion should be less likely when model forms are adopted. However, to make the consumer’s rights perfectly clear, page two of a Mars-type form should clearly state at the bottom: You have no opt-out opportunity, or a similar statement.
- Neptune Model Form
The Neptune form should explain the consequences of not opting out. We believe most consumers are unaware that their information may flow endlessly unless they opt out. The following, taken from the FTC’s consumer guide, illustrates this point:
[Information may be re-disclosed]…when a company receives nonpublic personal information from a financial institution that provided an opt-out notice -- and the consumer didn't opt out. In this case, the recipient steps into the shoes of the disclosing financial institution, and may use the information for its own purposes or re-disclose it to a third party, consistent with the financial institution's privacy notice. That is, if the privacy notice of the financial institution allows for disclosure to other unaffiliated financial institutions - like insurance providers - the recipient may re-disclose the information to an unaffiliated insurance provider. www.ftc.gov/bcp/conline/pubs/buspubs/glbshort.htm
Continuing disclosure is important information and should be clearly conveyed to consumers. Notice could be given by a simple statement at the end of the opt-out section on page 3 of the Neptune form, such as: If you choose not to opt out, the company that receives your information from us may, in turn, share your information as described in this notice.
- Information Needed to Opt Out
The agencies have solicited comment on whether it is necessary for customers to give their Social Security number or account number to opt out. Financial institutions should make every effort to process an opt-out request without collecting unnecessary information.
In today’s atmosphere of identity-theft anxiety and daily news of data breaches, most consumers are extremely reluctant to disclose personal information. For some, the necessity to disclose the Social Security number may keep them from exercising the right to opt out. This should not happen.
The customer’s name and address should be sufficient to opt out. If additional information is necessary, it should be limited to a truncated version of the account number.
Privacy notices, no matter how streamlined, give only the barest details about information sharing practices within the financial services industry. In adopting GLB, Congress directed the agencies to study sharing practices. (“GLB Study”) (15 USC §6808) Significantly, the GLB Study, among many other things, called for an examination of the purposes for sharing confidential customer information with affiliates and with nonaffiliated third parties. (15 USC §6808(a)(1))
The GLB Study was also to include an assessment of the
... feasibility of different approaches, including opt-out and opt-in to permit customers to direct that confidential information not be shared with affiliates and nonaffiliated third parties. (15 USC §6808(a)(8))
On February 15, 2002, the agencies solicited public comment for the GLB Study.4 Although Congress directed that the GLB Study be submitted by January 1, 2002, we can find no indication that the GLB Study was ever submitted to Congress or that the agencies ever published public comments received in response to the Federal Register Notice.
Section 214(e) of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) also calls for a study of information sharing practices (FACT Act Study). On August 31, 2006, the agencies solicited public comment on certain aspects of the FACT Act Study,5 and the Federal Reserve Board has a draft of questions to be used in reporting to Congress on the FACT Act Study.6
We continue to believe that consumers can only have a meaningful choice in information sharing through an opt in. Once made public, the GLB Study together with the FACT Act Study will shed much needed light on information sharing practices. We are also confident that the studies will reveal that only a very small percentage of consumers opt out. From this, the agencies and Congress should conclude that consumer privacy is not adequately addressed in an opt-out scheme.
Today, information sharing practices within the financial services industry, with both affiliates and nonaffiliated third parties, remain largely a mystery to the public. We urge the agencies to move forward, to make these Studies available to the public.
The model privacy notices proposed by the agencies are a major improvement over existing notices. We endorse the agencies’ continuing efforts to refine the notices through the final phase of consumer testing. The agencies should also complete and make public the studies on information sharing practices.
We appreciate the opportunity to comment.
Sincerely,
Beth Givens, Director
1 The Privacy Rights Clearinghouse is a nonprofit consumer education and advocacy organization based in San Diego, CA, and established in 1992. The PRC advises consumers on a variety of informational privacy issues, including financial privacy, medical privacy and identity theft, through a series of fact sheets as well as individual counseling available via telephone and e-mail. It represents consumers’ interests in legislative and regulatory proceedings on the state and federal levels. www.privacyrights.org
2 The proposal is made jointly by the FTC and seven other federal agencies with authority to implement the notice requirements of the GLB. The FTC is joined in this NPR by the Federal Deposit Insurance Corporation (FDIC), Department of Treasury, Office of Comptroller of Currency (OCC), and Office of Thrift Supervision (OTS); Federal Reserve Board (FRB or Board); National Credit Union Administration (NCUA); Securities and Exchange Commission (SEC); and Commodity Futures Trading Commission (CFTC) (collectively, “the agencies”). The PRC directs these comments to the FTC with the understanding that our comments will be shared with the other agencies involved in this rule proposal.
3 The Regulatory Relief Act, P.L. 109-351 (October 13, 2006), 120 Stat 1966, directed the agencies to propose a model short form notice by April 11, 2007.
4 67 Fed Reg 7213 (February 15, 2002). www.occ.treas.gov/ftp/bulletin/2002-11a.pdf
5 71 Fed Reg 51888 (August 31, 2006), www.ftc.gov/opa/2006/08/fyi0656.htm