Skip Header

Federal Deposit
Insurance Corporation

Each depositor insured to at least $250,000 per insured bank



 Home > Regulation & Examinations > Laws & Regulations > FDIC Federal Register Citations



FDIC Federal Register Citations




American Insurance Association

Public Information Room
Office of the Comptroller of the Currency
250 E Street, SW
Mail Stop 1-5
Washington, DC 20219
Attention: Docket No. 03-27

Becky Baker, Secretary of the Board
National Credit Union Administration
1775 Duke Street
Alexandria, VA 22314-3428

Regulation Comments
Chief Counsel’s Office
Office of Thrift Supervision
1700 G Street, NW
Washington, DC 20552
Attention: No. 2003-62

Federal Trade Commission
Office of the Secretary
Room 159-H
600 Pennsylvania Avenue, NW
Washington, DC 20580

Jennifer J. Johnson, Secretary
Board of Governors of the Federal Reserve System
20th Street and Constitution Avenue, NW
Washington, DC 20551
Re: Docket No. R-1173

Jean A. Webb, Secretary
Commodity Futures Trading Commission
Three Lafayette Centre
1155 21st Street, NW
Washington, DC 20581

Robert E. Feldman, Executive Secretary
Attention: Comments/Executive Secretary Section
Federal Deposit Insurance Corporation
550 17th Street, NW
Washington, DC 20429

Jonathan G. Katz, Secretary
Securities and Exchange Commission
450 5th Street, NW
Washington, DC 20549-0609
Attention: File No. S7-30-03


Re: Advance Notice of Proposed Rulemaking (68 Fed. Reg. 75164, Dec. 30, 2003) – Interagency Proposal to Consider Alternative Forms of Privacy Notices Under the Gramm-Leach-Bliley Act

Dear Sir or Madam:

The American Insurance Association (“AIA”) appreciates the opportunity to provide comments in response to the advance notice of proposed rulemaking (“ANPR”) in the December 30, 2003 Federal Register. The ANPR sets forth a joint proposal by the Office of the Comptroller of the Currency, Treasury (“OCC”), the Office of Thrift Supervision, Treasury (“OTS”), the Board of Governors of the Federal Reserve System Board (“Board”), the Federal Deposit Insurance Corporation (“FDIC”), the National Credit Union Administration (“NCUA”), the Federal Trade Commission (“FTC”), the Commodity Futures Trading Commission (“CFTC”), and the Securities and Exchange Commission (“SEC”) (collectively, “Joint Agencies”), to amend existing regulations for sections 502 and 503 of the Gramm-Leach-Bliley Act of 1999 (“GLBA”) to allow financial institutions to provide “consumer-friendly” alternatives to the privacy notices sent to consumers currently under GLBA. AIA is a national trade association of major property and casualty insurance companies, representing over 400 insurers that provide all lines of property and casualty insurance throughout the United States and that wrote more than $109 billion in annual premiums in 2002. As discussed in more detail below, AIA supports the ANPR proposal to provide simpler alternatives to GLBA notices, as long as the proposal (a) is permissive, not mandatory, (b) where utilized, provides insurers with “safe harbor” protection, (c) incorporates flexibility to allow individual insurers to properly explain their individual information sharing practices, (d) leads to regulatory revisions that align with GLBA standards, and (e) can be implemented uniformly and consistently across insurance regulatory jurisdictions.

A. Federal Preemption Keyed To GLBA Privacy Standards Is Critical

This last point – uniformity and consistency of privacy regulation – turns on federal preemption of state privacy laws and regulations that differ from those in GLBA. As an association whose members are regulated by the 50 states and the District of Columbia, AIA has a significant interest in ensuring that privacy regulation is uniform and consistent. For AIA member companies, many of which operate regionally and nationally, uniformity and consistency are necessary for three overriding reasons: (1) compliance implementation; (2) reduction in cost burden; and (3) leveling the competitive playing field. The costs of ensuring compliance increase with differing regulation. Those costs will inevitably increase where a company implements an enterprise-wide privacy compliance program based on federal standards, only to be forced to re-tool that program because of deviations at the state level. In addition, an uneven insurance regulatory playing field in the area of privacy may tip the competitive balance in favor of federally regulated financial institutions (which are regulated by one standard instead of by 51 standards).

Our experience with GLBA implementation (and that of our member companies) at the state level is that failure to provide strong federal preemption of state insurance privacy regulation has perpetuated a patchwork of differing privacy laws and regulations. Prior to GLBA’s enactment, more than a dozen states had state insurance privacy laws patterned after the National Association of Insurance Commissioners (“NAIC”) Model Insurance Information and Privacy Protection Act adopted in 1982 (“1982 NAIC Model”). The 1982 NAIC Model required insurers to provide insurance applicants and customers with privacy notices that differ from the GLBA privacy notices. None of the 1982 NAIC Model states repealed their existing insurance privacy laws. Instead, some states integrated GLBA standards into their existing insurance privacy frameworks. Other states adopted GLBA privacy regulations in addition to their existing insurance privacy laws. Still other states did nothing.

The situation in the remaining states is not much better. Despite the NAIC’s unanimous adoption of a model insurance privacy regulation following enactment of GLBA, many states chose not to adopt the model exactly, but instead adopted portions of the model or modified certain provisions of the model. The result is an uneven patchwork of insurance privacy laws and regulations that defies attempts at uniformity and consistency.

Equally important, the state privacy patchwork keeps shifting. In 2003, the California legislature enacted Senate Bill 1, which changes the GLBA third-party marketing disclosure standard from “opt-out” to “opt-in,” and imposes new and different notice requirements. For insurance consumers, the potential result in California – a 1982 NAIC Model state – may be the receipt of 3 separate, different privacy notices (one under California’s existing insurance privacy law, a second under GLBA, and a third under Senate Bill 1) from their insurers. This is the antithesis of the process that the ANPR attempts to promote, and the result is consumer confusion and frustration directed at the insurers that must comply with this complex maze of privacy standards. As a result, AIA strongly favors federal preemption based on existing GLBA standards. For our industry, preemption will lead to greater consumer understanding and more streamlined notices of insurer privacy practices.

B. Regulatory Revisions Will Simplify Privacy Notices

There are several areas where the GLBA regulations (those adopted by the federal agencies, as well as the NAIC model privacy regulation) could be revised to align more closely with GLBA itself. This, in turn, would simplify privacy notices. First, the regulations require GLBA privacy notices to describe categories of affiliates and the information that is shared with them. See, e.g., NAIC Privacy of Consumer Financial and Health Information Model Regulation, Model #672-1, §§ 7A(3), (4) (Sept. 2000) (“NAIC Privacy Model Regulation”). Neither GLBA nor the Fair Credit Reporting Act (“FCRA”) requires such a description. Deletion of this requirement would make the regulations consistent with the underlying statute and would shorten the content of privacy notices. Second, the regulations require financial institutions to describe categories of third party service providers and the categories of information that are disclosed to them. See, e.g., NAIC Privacy Model Regulation at § 7A(5). Again, this requirement does not appear in GLBA, and consumers have no ability to opt-out of these disclosures. Inclusion of this information in the content of GLBA privacy notices makes the notices unnecessarily complex. This regulatory requirement should be removed.

Finally, and perhaps most importantly, the notice contents provisions of the regulations (see NAIC Privacy Model Regulation at § 7A(6) contain an “explanation of the consumer’s right ... to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties.” While it may appear self-evident that insurers that do not share nonpublic personal financial information in this context should not include an “opt-out” explanation in order to avoid confusion, the regulations should be revised to make this clear. Indeed, the sample notices in Appendices A, B, and D to the ANPR do not allow flexibility to delete the “opt-out” language where that language is not needed.

These regulatory revisions would eliminate unnecessary content and make GLBA privacy notices more understandable to consumers. Consumers are not well-served by privacy notices that include language that is not in the underlying statute.

C. The Regulations Should Provide Flexibility

Many of the questions for comment contained in the ANPR ask the fundamental question whether simplified privacy notices should be mandatory or permissive. AIA urges the Joint Agencies to provide flexibility for companies by creating a short-notice “safe harbor.” As we have noted, insurers spent significant resources developing and implementing privacy compliance programs based on the GLBA privacy standards. If simplified notices were mandatory, those companies would have to spend additional resources to conform their current notices to the short-form standards. Alternatively, if simplified notices were optional, but use of those notices provided insurers with a regulatory “safe harbor” against private or regulatory enforcement actions, the Joint Agencies’ objective of developing simplified privacy notices would be achieved without penalizing insurers that complied with GLBA and the current privacy regulations.


D. The Joint Agencies Should Urge State Insurance Regulators To Adopt Federal Regulatory Revisions Without Amendment

Assuming arguendo that federal preemption cannot be achieved, AIA strongly recommends that the Joint Agencies work with the NAIC and individual state insurance regulators to promote uniformity and consistency by adopting any federal regulatory revisions verbatim at the state level. As previously mentioned, the NAIC has been able to develop model laws and regulations that are adopted unanimously by its membership. However, difficulties arise when those models are introduced in the various insurance regulatory jurisdictions. We have documented some of those difficulties with respect to the NAIC’s GLBA model privacy regulation.

The proclivity of some state insurance regulators to go in a different direction should not preclude the Joint Agencies from laying the foundation for uniform adoption of regulatory revisions. If successful, the Joint Agencies will have addressed one of AIA’s primary concerns – that federal standards will become “lost in translation” at the state level, resulting in higher costs of doing business in those jurisdictions and increased consumer confusion.

E. The Joint Agencies Should Consider Another Alternative to Simplified Notices

AIA has reviewed the short notices contained in the appendices and cannot endorse Appendix A, B, or D as currently worded. Because the notice in Appendix C provides the most flexibility for individual insurers to properly convey their information sharing practices, it has the most potential for success as a “safe harbor.”

But, AIA urges the Joint Agencies to consider another alternative. A couple of years ago, the NAIC formed a Privacy Notice Content Subgroup to examine growing confusion with the understandability and readability of GLBA privacy notices. AIA was a key contributor to that Subgroup. When the Subgroup issued its final report in March 2003, it highlighted a number of areas where GLBA privacy notices might be shortened or simplified to the benefit of consumers, including (a) the placement and ordering of items in notices, (b) the use of “terms of art” that might not be commonly understood, (c) the extent to which different items in notices could be combined, (d) explaining information sharing “permitted by law”, and (e) notice format. We have attached the final report for your consideration. We believe that it might prove helpful should this notice proposal go forward.

The report also discussed the possible inclusion of a preamble or introductory statement that would accompany the GLBA notice designed to educate insurance consumers about the privacy protections available under GLBA. The preamble could be used for electronic and written versions of GLBA notices. The preamble discussion used the following example of an introductory statement:


• Privacy policy. Licensees must have privacy policies describing their personal information collection practices, and the extent to which they share that information with third parties for purposes other than normal business operations.

• Privacy notice. Licensees must provide privacy notices to customers, reflecting their privacy policies, when the relationship is established and annually thereafter. A privacy notice must also be provided to applicants and certain other non-customers when their personal information is shared with a third party for marketing purposes, or other purposes for which disclosure without consent is not expressly permitted or required by law.

• Marketing “opt-out.” Licensees must provide their customers, applicants, and other consumers with the opportunity to “opt-out” from having their personal financial information shared with third parties for marketing purposes. The only exceptions are for financial information shared with a corporate affiliate, with the licensee’s own service providers or under a joint marketing agreement with another financial institution.

• Medical information authorization. Licensees may not share personal health information for marketing purposes with anyone, including affiliates, unless the licensee has received affirmative authorization to do so.

• Business operations and legal disclosures. Licensees may share personal information for non-marketing business operations and for legal purposes without consent.

• Affiliates. Except for health information, the restrictions on sharing personal information with third parties do not apply if the third party is under common ownership with the licensee.

NAIC Privacy Notice Subgroup Report on Improving Privacy Notices at 9-10 (Mar. 10, 2003). If the proposal moves forward, AIA would recommend inclusion of a preamble or introductory statement as another alternative. We believe that much of the confusion arises because consumers are unaware of GLBA’s privacy standards. A simple one-page introductory statement, like the one set forth above, would better inform consumers about privacy protections afforded under GLBA.


F. The Recent Enactment of FACTA Must Be Taken Into Account

Any proposal to simplify GLBA privacy notices must also account for the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”), which established new standards for information sharing among affiliated companies and amended certain provisions of the Fair Credit Reporting Act (“FCRA”). For insurers, those amendments should not appreciably alter privacy notices, but new and continued preemption provisions will probably pave the way for more uniform and consistent notices when used in the states. While consideration of FACTA and FCRA may delay the proposal, that consideration is necessary to ensuring that financial institution privacy notices clearly and accurately convey information sharing and privacy choices available to consumers.

* * *

AIA welcomes the opportunity to help shape the process for generating privacy notices that are easier for consumers to understand. We hope that the proposal will allow that to occur, while producing uniformity and consistency of privacy notice regulation in a flexible format.



Respectfully submitted,
John J. Byrne
American Insurance Association
Washington, DC

NAIC Privacy Notice Subgroup

Report on Improving Privacy Notices

As Adopted by the NAIC Privacy Issues Working Group
March 10, 2003


NAIC Privacy Notice Subgroup
Report on Improving Privacy Notices


Title V of the Gramm-Leach-Bliley Act (GLBA) calls on state insurance regulators to promulgate rules enforcing the privacy protections embedded in the Act. All states have taken action to comply with that mandate.1

A key element of GLBA’s privacy protections – and by far the most visible to consumers - is the privacy notice. The purpose of the privacy notice is to explain the licensee’s privacy policies to its customers, and to other consumers whose nonpublic personal information may be subject to disclosure to third parties. The notices are intended to assist consumers in making informed decisions about how to exercise their legal and contractual rights with regard to their personal information, and in comparing licensees’ information practices when shopping for insurance and other financial services.

Privacy notices must contain specific information about a licensee’s privacy policies, such as the types of protected information the insurer collects, the types of protected information the insurer discloses, and the categories of entities to which the insurer discloses such information.

Financial institutions, including licensees, were first required to send privacy notices to customers by July 1, 2001. After that date, financial institutions are required to provide notices annually to customers, and to certain other consumers as well. Since the first privacy notices were sent in mid-2001, there has been a great deal of discussion and debate over the effectiveness of the notices. Did the notices really do what Congress and the regulators intended? Did they explain the financial institution’s privacy policy in a way that clearly informs customers as to what information is protected and when/where/how such protected information is disclosed?

Many notices have been described as confusing, complicated and overly legalistic. That is not to say that financial institutions are not in compliance with GLBA and applicable regulations, or that they did not make great efforts to draft notices to be clear and understandable. The problem is that it is a very difficult task.

Throughout its discussions, the NAIC Privacy Notice Subgroup (the Subgroup) focused on finding ways to help licensees craft GLBA privacy notices that are simpler, shorter, and more understandable to insurance consumers. Avenues for improving privacy notices are described in this Report. The Report focuses on general themes – such as formatting text, and the placement and merging of the various required elements of the notice – and offers specific suggestions for improving the terminology used in privacy notices. This report focuses on GLBA’s privacy requirements. It does not address HIPAA, FCRA or any other state or federal requirements, which are beyond the scope of this report.

The Subgroup believes that notices drafted using the ideas outlined below can comply with GLBA’s original intent – educating consumers about the disclosure of their information in a manner that they can understand – and still comply with the letter of the law. These suggestions are not mandatory or “best practices.” Rather, they are recommendations, drafted by regulators, industry and consumer representatives, that the Subgroup believes licensees could use as a guide for improving their notices.


1. Placement and Ordering of Items in the Notice

Anecdotal evidence suggests that the itemization of the required topics in most licensees’ privacy notices is similar and generally follows the same order, which is the order found in Appendix A of the NAIC Privacy of Consumer Financial and Health Information Model Regulation (the Model Regulation) and tracks the order in which those topics are addressed in Section 7 of the Model Regulation, which prescribes the required minimum content of privacy notices.2

The Privacy Notice Subgroup believes that the order in which the sample clauses are presented in Appendix A is not necessarily the optimal placement of information in a licensee’s privacy notice. Indeed, any strict requirement as to the placement of information in a nonstandardized notice could impede the notice’s effectiveness. Mandating a “one size fits all” order of presentation could cause the notice to be “front loaded” with a great deal of information that may not be the most important information for that licensee’s customers. The Subgroup encourages licensees to determine the most effective order for the material in their privacy notices, based on the importance of the information to their customers. Licensees should consider placing the more meaningful information and information about any action items (such as opt out instructions) up front.

2. Combining Items in the Notice

The Subgroup discussed the possibility of combining the various required sections of the notice. The Subgroup agreed that combining sections would have the potential to reduce redundancy and length, and improve clarity. The general consensus of the Subgroup was that when many customers received the initial notice, they did not bother to read the notice because it was long and difficult to read. Therefore, the notice was not serving the purpose for which it was intended: to notify the customers of the licensee’s privacy policy. For that reason, the Subgroup suggests that companies consider combining sections where possible and taking other steps to create a shorter notice without sacrificing the content of the notice.

One combination of sections could be the blending of the “Categories of information the licensee collects” with the “Categories of information a licensee discloses.” If a former customer’s information is handled in the same way that information about current customers is handled, the “Categories of nonpublic personal financial information about the licensee’s former customers that the licensee discloses” can be combined, as well. An example of such a combination is:

We collect and may share information about you, some of which is not publicly available. We may share this information now or in the future. We do this to enable us to serve you and to help us to identify you as our customer or our former customer, to process your policy and requests quickly, to pay your claim or tell you about products or services we believe you may want and use.

Information from youWhen submitting your application or requesting an insurance quote, you may give us information such as your name, address, and Social Security number.
Information about your transactionsWe may keep information about your transactions with us or our family of companies, for example, the products you purchase from us, the amount you paid for the insurance, your account balances, or payment history.
Information from outside our family of companiesWe also may collect other information. This may include information from consumer reporting agencies such as your credit history, credit scores, driving record or employment.

If applicable, companies can also consider listing the categories of nonaffiliated third parties to which they disclose information outside the exceptions in the same section of their notice. An example of this combination could be:

We may share your name, address, telephone number and demographics, now or in the future, with companies outside of our family of companies such as banks, motor vehicle manufacturers or dealers, parts suppliers, health clubs, travel agencies, car rental agencies, hotels, airlines, or publishers. These companies may offer other financial or non-financial products and services, such as travel programs, magazine subscriptions, dental or legal services, exercise programs, diet programs, credit cards, or mortgages. You will have the opportunity to request that we do not share this information.3


If the licensee does not disclose outside of the exceptions, that licensee could combine the “Categories of nonpublic personal financial information that the licensee discloses” with the “Disclosure that the licensee makes under the exceptions” (as opposed to exercising the licensee’s prerogative “to state only that it makes disclosures to other affiliated or nonaffiliated third parties, as applicable, as permitted by law.”) An example of the combination could be:

We may occasionally convey the information we collect – such as your name, address, e-mail, product information or transaction information – to companies outside of our family of companies in order to:

• Perform services for us, such as printing payment coupons, preparing or mailing account statements, processing customer transactions or software programming, or helping us market our own products.
• Offer you financial products that we currently don’t offer, like credit cards or specialized programs.

By combining sections, the licensee may be able to provide a shorter notice in length, while not sacrificing the content of the notice. The Subgroup believes this will result in clearer, more concise notices that are fully read by customers.


3. Use of “Terms of Art”

The Subgroup recognized that the use of “terms of art” in notices could be confusing to customers who are not familiar with insurance and privacy terminology. In order to help consumers better understand the terms in the notices, licensees may wish to define the terms or use common words with the same meanings. A non-exhaustive list of words and phrases synonymous with selected privacy notice terms are listed below. Note that the many words synonymous with “share” illustrate the vast array of meanings this term can possess. As they draft their notices, licensees should be mindful of the requirement in the Model Regulation (and in the various laws and regulations tracking the Model Regulation) that notices be clear and conspicuous, and may refer for guidance to the examples in the definition of “clear and conspicuous” in the model regulation. Licensees should be as precise as possible when using synonyms to avoid further confusing or inadvertently misleading consumers.

Opt-out:

• Stop
• Exercising the right to confidentiality/privacy
• As a customer you have the right, with limited exceptions, to choose whether your information remains confidential or is given out to other companies/ firms/ enterprises/ businesses.
• Prohibit
• With certain exceptions, you may choose not to let companies:
    o Reveal information
    o Give away…
    o Disclose…
    o Exchange…
    o Offer…
• You may choose to limit information given to others
• You have the choice of allowing our company to offer your information to other companies for their use/ viewing
• You can choose to keep information:
    o Confidential
    o Private
    o Protected

Disclose:

• Share
• Give
• Distribute
• Make known
• Release
• Display
• Make public

Affiliates:

• Companies within our “family” of companies
• Partners / copartners
• Sister companies
• Companies related to our company
• Companies under common ownership

Non-affiliated Third Parties:

• Companies outside our “family” of companies
• Not associated with our company
• Not related to our company
• Not legally linked with/to our company

Non-Public Personal Financial Information:

• Information that is not publicly available
• Protected information
• Private information

Companies should consider whether the simple phrase “customer information” could substitute for the more technical “non-public personal information” or any of the synonyms above. This would likely depend in large part on how they handle disclosures of information.

Publicly Available Information:

• Information that is unprotected
• Open records information
• Commonly available information
• Information freely available through the media
• Information available through public records
• Information in the public domain

Share:

• Sell
• Provide
• Trade
• Furnish
• Exchange
• Give
• Offer
• Make available to
• Deliver
• Market
• Supply


4. Explaining Disclosures “Permitted by Law”

The Model Regulation permits licensees to simply state, “we disclose information as permitted by law” to explain all disclosures made pursuant to sections 15 and 16. These exceptions are generally for legal and “doing business” purposes.

Anecdotal evidence suggests that some consumers are suspicious when they see “permitted by law,” thinking their information will be widely distributed no matter what the rest of the privacy notice says. The Subgroup believes a better approach for consumers and licensees alike is to more fully explain these disclosures with examples or a more complete description. A fuller explanation gives consumers – who are not likely to know what is “permitted by law” – a better understanding of how their information is disclosed, and may promote better customer relations.

In addition to explaining the legal and business exceptions that are “permitted by law,” the Subgroup believes that it would be helpful to consumers for licensees to explain that they are also permitted to share information freely with their affiliates. Although neither GLBA nor the model regulation mandates any disclosure by a licensee regarding the licensee’s right to share information with its affiliates, the Subgroup believes it would be consumer-friendly to include a clear discussion of this point. This would also offer licensees the opportunity to inform their consumers if they voluntarily limit their power to share information with some or all affiliates.

The following provisions are examples of language that could be incorporated into notices to improve the description of disclosures “permitted by law.”

• We may also share personal information about you with companies or other organizations outside of the [INSURER] family as required by or permitted by law. For example, we may share personal information to:
    o Protect against fraud;
    o Respond to a subpoena; or
    o Service your account.

We Share Information for Legal and Routine Business Reasons. We may disclose information we have about you as permitted by law. For example, we may share information with government regulators and law enforcement agencies. We may provide information to protect against fraud. We may report account activity to credit bureaus. We may share information with your consent. We may give account information such as [list examples] to service providers who work for us.

Other Circumstances Where We May Share Your Information: We may share customer information in other circumstances. Some examples are:
    o When you specifically request it or give us permission to do so;
    o When we are required by law. For example, we may be required to share information     with insurance regulators;
    o When we share information with consumer reporting agencies;
    o When we suspect fraud or criminal activity;
    o When we receive a subpoena;
    o When we are ordered by a court to do so; and
    o When we sell a particular line of business or function.

• In certain circumstances, [INSURER] may share your customer information with trusted service providers that need access to your information to provide operational or other support services. To ensure the confidentiality and security of your information, service providers must agree to safeguard your information in strict compliance with our policy. Additionally, when you apply for a [INSURER] policy, [INSURER] may share information about your application with credit bureaus. We also may provide information to regulatory authorities and law enforcement officials in accordance with applicable law or when we otherwise believe in good faith that the law requires it. In the event of a sale of all or part of one of our businesses, we may share customer information related to that business as part of the transaction.

• We may share information as permitted by law. For example, providing information to industry regulators, to law enforcement agencies, for fraud prevention, to credit bureaus and to third parties that assist us in processing the transactions you authorize and in mailing statements to you.

• Sometimes we may share your information with other companies affiliated with us or our parent company [NAME], particularly if they support our efforts to provide you with services and product information.

Sometimes we may also share your information with a company or business not officially connected to us but who may do work on our behalf.

And sometimes we may disclose information about you to an insurance regulatory authority, a government agency or a law enforcement official.

Various industry and professional organizations may also ask us for customer information in order to conduct research studies. These studies are purely scientific in nature and never identify individuals.

Finally, if we do provide your information to any party outside our company we require them to abide by the same privacy standards as indicated here.


5. Brief Introduction/Notice Preamble

Anecdotal evidence suggests that many consumers do not know why they are receiving privacy notices. Therefore, the Subgroup believes it may be helpful for a licensee to explain to consumers why it is sending the notice, even though neither GLBA nor the NAIC model requires such an explanation. If the explanation were a brief introduction to the privacy notice, it could also offer licensees the opportunity to highlight key issues in the notice, for example items in the notice that address marketing disclosures, opt out rights, etc.

There are a number of benefits that flow from use of an introductory statement. First, it is necessarily generic, so it can be used uniformly by insurance licensees without regard to their unique information handling practices and without changing individual GLBA privacy notices. Second, it is adaptable, so licensees can incorporate the statement into existing privacy notices relatively easily. Third, and most importantly, it is informative, allowing insurance consumers to see at a glance the privacy protections afforded by GLBA and directing those consumers to the more detailed description of a licensee’s information handling practices outlined in the individual privacy notices.

The brief introduction could contain statements about the following basic GLBA provisions (as augmented by the Model Regulation):

Privacy policy. Licensees must have privacy policies describing their personal information collection practices, and the extent to which they share that information with third parties for purposes other than normal business operations.

Privacy notice. Licensees must provide privacy notices to customers, reflecting their privacy policies, when the relationship is established and annually thereafter. A privacy notice must also be provided to applicants and certain other non-customers when their personal information is shared with a third party for marketing purposes, or other purposes for which disclosure without consent is not expressly permitted or required by law.

Marketing “opt-out.” Licensees must provide their customers, applicants, and other consumers with the opportunity to “opt-out” from having their personal financial information shared with third parties for marketing purposes. The only exceptions are for financial information shared with a corporate affiliate, with the licensee’s own service providers or under a joint marketing agreement with another financial institution.

Medical information authorization. Licensees may not share personal health information for marketing purposes with anyone, including affiliates, unless the licensee has received affirmative authorization to do so.

Business operations and legal disclosures. Licensees may share personal information for non-marketing business operations and for legal purposes without consent.

Affiliates. Except for health information, the restrictions on sharing personal information with third parties do not apply if the third party is under common ownership with the licensee.


6. Formatting Notices

Dynamic formatting is another way to make notices more inviting and easier to read, while still taking care to include all the required elements in the notice.

Incorporating the themes and suggested language changes outlined in this Report with improved visual appeal may also increase the effectiveness of privacy notices. Again, it may be helpful to refer to the examples in the definition of “clear and conspicuous” in the Model Regulation and in the various laws and regulations tracking the Model Regulation. In addition, a licensee may wish to consider the following to increase readability:

• Use of readable typefaces, including size (10 to 12-point type suggested) and fonts (easy to read fonts like Times and Arial; consider different fonts for text and headings);
• Use of bold and italics to make words and phrases stand out;
• DON’T OVERUSE ALL CAPITAL LETTERS BECAUSE IT’S DIFFICULT TO READ;
• Use of informative headings (“Our Security Practices Protect Your Information,” “We Don’t Share Your Information with Companies Outside Our Corporate Family,” “We Share Your Information for Legal and Routine Business Reasons”);
• Use of bulleted or numbered lists; and
• Use of short sentences and short paragraphs.


7. Conclusion

Drafting GLBA privacy notices is a difficult process, made more difficult by the need to comply with specific legal requirements and the desire to draft a readable, consumer-friendly notice that effectively presents the licensee’s privacy policy. The Subgroup recognizes the difficulty of this task. In consultation with industry and consumer representatives, the Subgroup has identified methods that may improve notices so that they are both GLBA-compliant and consumer-friendly

• re-ordering and combining required elements;
• explaining phrases and terms of art;
• adding a short preamble describing why the notice is being sent; and
• dynamic formatting.

Licensees are encouraged to regularly review their notices with these suggestions in mind, remembering that the goal is to make the notices simple, readable and effective.
Last Updated 03/31/2004 regs@fdic.gov

Skip Footer back to content