Federal Agencies Release Model Privacy Notice for Financial Institutions
On Nov. 17, 2009, eight federal regulatory agencies announced the release of a final model privacy notice they jointly developed to help companies make it easier for consumers to understand how financial institutions collect and share information about them.
The agencies are the Federal Trade Commission (FTC), the Board of Governors of the Federal Reserve System, the Commodity Futures Trading Commission, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, and the Securities and Exchange Commission. They issued the model under the Financial Services Regulatory Relief Act of 2006, which amended the Gramm-Leach-Bliley Act ("the Act"). The Act requires financial institutions to notify consumers of their information-sharing practices and to inform them of their right to opt out of certain sharing practices.
Financial institutions and other businesses should consider adopting some version of the agencies’ notice. They should also view this action by the federal government as a reminder to review their privacy policies thoroughly.
In issuing the model form, the agencies provided that financial institutions that choose to use it will obtain a “safe harbor” and will satisfy the Act’s disclosure requirements for notices. The rule also removes, after a transition period, sample clauses now included in the appendices of the agencies’ respective privacy rules. The final form reflects research by the agencies and public comment on the model, which was issued in two versions, one for instances where opt-outs are allowed, and one where they are not.
It seems obvious the agencies expect widespread adoption of the model form or something like it. On release of the model form, a statement by the Director of the FTC’s Bureau of Consumer Protection, David Vladeck, indicated that the agencies view the model form as enabling consumers to better understand and compare how companies handle their personal information without having to wade through the “pages of legal mumbo-jumbo” they currently receive. He characterized the new model form as “unlike many of the privacy notices that consumers have received over the years” in that it uses “plain language in a user-friendly format.”
The statement provides fairly clear insight into what federal regulators think of current practices and existing forms in this area, and this new “standard,” like others before it, is likely to influence the formation of privacy policies outside the financial sector.
Release of the new model privacy notice also signifies that all companies conducting business online should periodically review their privacy policies to ensure they are up to date. The review should include a frank internal assessment of whether actual business practices are aligned with what the privacy policy promises.
Please let us know if you would like further information about the model privacy notice and its implications or if you need assistance developing a notice or reviewing your privacy policy.