"Privacy Alert: January 1, 2011 – Safe Harbor 'Conversion Date' Under Gramm-Leach-Bliley"
January 1, 2011, marks the date on which financial institutions covered by the Gramm-Leach Bliley Act (GLBA) must convert to a new model form “privacy notice” in order to take advantage of the GLBA’s “safe harbor” protection for privacy notices. Reliance on the current “Sample Clauses” will no longer garner safe harbor protection. However, many institutions will find that the model form, and the manner in which it must be used, creates more risk than protection.
Since 2001, “financial institutions” — a term that sweeps in a wide variety of entities in the financial services field — have been required under the GLBA Privacy Rule to provide a privacy notice. Such notice must be provided when a new customer relationship is formed and annual notices must be sent in the ensuing years. In the main, these notices must describe the manner in which the financial institution uses and discloses nonpublic personal information.
The Privacy Rule did not mandate any specific language to be included in these privacy notices, merely stating that the privacy notice be clear and conspicuous and provide the requisite disclosures. Nonetheless, the Privacy Rule also included model provisions — called Sample Clauses — and stated that financial institutions that adopted these clauses would be deemed to have complied with the GLBA privacy notice requirements. Many financial institutions understandably took advantage of this “safe harbor.”
Over the last few years, however, there has been growing concern by consumer groups and others that GLBA privacy notices have become increasingly long and complex, thereby defeating the original purpose of clearly informing consumers how their nonpublic personal information may be used. On the other hand, such complexity was understandable given that financial institutions were wary of being accused of deceptive trade practices if their privacy notices did not explicitly detail how personal information might be used.
In October 2006, and in response to these concerns, Congress enacted the Financial Services Regulatory Relief Act of 2006 (the Relief Act). This act required the agencies that implement GLBA develop a model privacy notice that would be clear, in an easily readable format, and allow consumers to readily compare the privacy practices of different financial institutions. Financial institutions would be encouraged to use this model privacy notice by being provided the same type of safe harbor protection that the Sample Clauses had traditionally afforded. Three years later, in November 2009, eight GLBA regulators released this new model form.1
Starting January 1, 2011, financial institutions seeking to take advantage of the Privacy Rule’s safe harbor protection must use this new two-page model form; the old Sample Clauses will no longer be in effect. However, this does not mean that the new model form must be used. Financial institutions remain free to adopt their own privacy notices to comply with the Privacy Rule; these notices simply will not enjoy safe harbor protection.
Benefits and Pitfalls of The New Model Privacy Notice
From a consumer’s perspective, the new model privacy form seems to accomplish what was intended by the Relief Act. The form is set out in clear, large print with easy-to-understand categories that financial institutions must now complete. In addition, a consumer could take a form notice from two different financial institutions, and readily compare how these institutions handle the use and disclosure of nonpublic personal information.
Financial institutions should review the new model form carefully and adopt it only if they feel that the form accurately and completely captures how they use and disclose nonpublic personal information. Financial institutions that determine that the model form does not work should revisit their current privacy notices to make sure they comply with the Privacy Rule since there may be increased scrutiny in this area going forward. In addition, financial institutions should review their policies in light of certain pronouncements about the old Sample Clauses that were made in connection with the release of the model rule. For example, the final rule adopting the model form noted that the Sample Clauses are difficult to comprehend, and also critiqued the use of the term “as permitted by law” in privacy notices since it is unclear to many consumers.2
If you would like to discuss whether adopting the model form is appropriate or whether changes must be made to existing privacy policies, please contact Stuart Levi or Sigrid Neilson.
1 There are technically three model forms available: one with no opt-out right; one with an opt-out by telephone or online access; and one with opt-out through the mail. Click here to link to the model form with opt-out; and here to link to the model form without opt-out.
2 Section IV of the Final Rule. The Final Rule is available at http://www.ftc.gov/privacy/privacyinitiatives/PrivacyModelForm_FR.pdf.
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.