Financial institutions now have a powerful new tool for consumer privacy disclosures due to recent changes to privacy rules under Title V of the Gramm-Leach-Bliley Act (“GLBA”). This new tool – a fill-in-the-blank model form (the “Form”) – replaces the lengthy model disclosure clauses (“Model Clauses”) which financial institutions have relied on for years. Similar to the Model Clauses, the Form describes an institution’s privacy policies and provides a means for consumers to opt out of information sharing. While use of the Form is optional, the various federal agencies which developed and issued the rules (“Agencies”) have established a powerful incentive to use it: a safe harbor against claims of noncompliance with disclosure requirements. This Client Alert describes the changes and weighs the benefits and costs to a typical company in connection with implementing the Form.
The final amendments to the GLBA privacy rules ("Amendments"), promulgated jointly by the Board of Governors of the Federal Reserve System, the Commodity Futures Trading Commission, the Federal Deposit Insurance Corporation, the Federal Trade Commission (“FTC”), the National Credit Union Administration, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, and the Securities and Exchange Commission (“SEC”) under the Financial Services Regulatory Relief Act of 2006, do not change a company's substantive disclosure obligations under Section 503 of GLBA, but instead provide a new means for accomplishing the same objectives in a manner intended to be more accessible to consumers. As before, a regulated entity must, when an account is opened and then annually, notify customers of its privacy policies and practices, in particular regarding its disclosure of customers’ nonpublic personal information to third parties.
Through the end of this year, as in the past, the Agencies (except the SEC, as discussed below) will deem use of the Model Clauses a safe harbor, meaning that, so long as the clauses are used exactly as prescribed, all notice content requirements under GLBA are considered met. Since a financial institution has many other obligations to fulfill under GLBA, the ability to rely on a safe harbor for this important duty removes an element of uncertainty from an otherwise complex regulatory scheme.
As of December 31, 2010, the end of the transition period, the safe harbor provided by the Model Clauses will be terminated and the Form (completed properly, in accordance with published instructions) will serve as the only safe harbor for notice content. (Note that the SEC has accepted the Form as a safe harbor, although it, unlike the other Agencies, had never provided a safe harbor for using the Model Clauses.) During 2010, a financial institution may rely on either safe harbor (Model Clauses or Form). As of January 2011, although the original safe harbor terminates, a company is neither prohibited from using Model Clauses nor obligated to use the Form. (If an institution posts or delivers a notice using the Model Clauses at any point during the transition year, it will be protected under the safe harbor for the full year until the next annual notice deadline.) Financial institutions must now evaluate whether the benefits of a safe harbor outweigh the potential risks and costs of this significant update.
Most of the Form’s positive attributes are readily apparent. With its tabular format, boxes labeled “Why?,” “What?,” and “How?” and plain English options for filling in the blanks, the Form is undoubtedly more customer-friendly and straightforward than the Model Clauses. In addition, the standardization allows consumers to actually compare financial service products. The benefits are not limited to consumers, however. For financial institutions subject to the SEC's version of the privacy rule, Regulation S-P, the Form represents a new opportunity to make use of a safe harbor that previously was unavailable. It is likely that many institutions new to the process of privacy disclosures will benefit from the simplicity of the new format. But, despite the obvious benefit of serving as a safe harbor (and, as of 2012, the only safe harbor), for a financial institution that has already sunk resources into Model Clauses compliance, expenditures associated with the transition process and certain weaknesses of the Form must be evaluated before making a hasty decision to switch.
Rewriting privacy notices is a burdensome task for any large and/or complex organization and may disproportionately strain a small organization. An institution that engages in very limited disclosures of personal information, for example, and had previously relied on simple Model Clauses is left with the unpleasant choice of forgoing the safe harbor or expending significant resources to properly complete the Form. While the Amendments’ explanatory notes posit that only "small, incremental developmental costs" will be incurred in making the transition, each financial institution should nonetheless evaluate not only the costs of preparing the Form but also of training its customer service and other personnel in using and explaining it.
Likewise, the inflexible nature of the Form could be detrimental to an institution, regardless of size. Although it includes blanks for customization, the Form cannot otherwise be modified in any way, and cannot be supplemented with any other information from the institution. Concepts that may be inapplicable to a small company are permanent fixtures of the Form. Complex entities are faced with different headaches, particularly where their subsidiaries and divisions have different information-sharing practices from one another. The explanatory notes of the Amendments, responding to concerns submitted during the official comment period, do little to alleviate this burden, stating: "If an institution elects to use the [Form] it must either harmonize its practices so one notice applies to all its products, or it must provide separate notices for products subject to different information sharing practices." Because either choice is impractical, the safe harbor loses its luster in some scenarios.
Inconsistency between the Form and other regulatory schemes poses another potential problem. Companies which are governed at both the federal and state levels (e.g., insurers) are likely to face a challenge in that, at present, state disclosure procedures are inconsistent with use of the Form. Thus, such companies will have the choice of either issuing two separate sets of notices or not taking advantage of the protections of the new safe harbor.
For financial institutions that previously limited disclosures of personal information to the categories that were and continue to be permissible under GLBA (e.g., for law enforcement purposes and credit reporting), the Amendments include an important substantive change. In the past, instead of extensive disclosures, such institutions could simply inform customers that they share such information “as permitted by law.” Under the Amendments (as adopted by all Agencies except the FTC, as discussed below) the safe harbor terminology (which can be used in lieu of the Form) is changed to sharing such information for “everyday business purposes” and now must be accompanied by a list of applicable examples. The FTC, however, has prescribed a longer notification, stating specifically that disclosures are made for “everyday business purposes, such as to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus.” As this is only one example of a number of changes that may apply, analysis of an individual institution’s disclosure practices is necessary to ensure proper compliance with the Amendments.
Selecting the safe harbor approach does not guarantee a legal shield. The new safe harbor applies only to the skeleton of the Form and not the company-specific information inserted into the Form. Such information, of course, must be accurate and provide the appropriate opt-out choices. Financial institutions are also faced with using the right version of the Form, based on the level and nature of information sharing in which they engage. This determination impacts the need for and type of opt-out language required, decisions which should be made in conjunction with legal counsel.
Like any major change, overhauling privacy notices is a substantial task for financial institutions of all sizes. All else being equal, institutions are best served by taking advantage of any safe harbors that are available. However, before making the decision to revamp its disclosures, an institution already using the Model Clauses should consider the costs of a rewrite and seek appropriate legal guidance in order to maximize the likelihood that the safe harbor has been properly invoked and can safely be relied upon.
The Form is available at http://ftc.gov/privacy/privacyinitiatives/PrivacyModelForm.pdf. Feel free to contact one of the attorneys listed on this Alert for more information about the Form.