Skip Header

Federal Deposit
Insurance Corporation

Each depositor insured to at least $250,000 per insured bank



Home > Regulation & Examinations > Laws & Regulations > FDIC Federal Register Citations




FDIC Federal Register Citations



CONSUMERS UNION

August 16, 2004

Federal Deposit Insurance Corporation
www.regulations.gov

Re: FACT Act Affiliate Marketing Rule, 12 CFR Part 41 [Docket No. 04-16] RIN 1557-AC88

Comments of: Consumers Union, Consumer Action, Consumer Federation of America, Consumer Federation of California, Electronic Privacy Information Center, Privacy Rights Clearinghouse, Privacy Times, and U.S. PIRG.

Summary of Comments:

Section 624 gives consumers the right to opt-out of marketing by affiliates of a company when shared information is used for the purpose of making a solicitation. Many of the questions posed by the regulators elicit comment regarding the notices and the interplay among other notices required by other laws. In order to mitigate consumer confusion and maximize consumer understanding and choice, we urge the regulators to move forward swiftly on the Short Notice and to do its best to incorporate into a single notice the rights that consumers have under Section 603 of the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley (GLB) Act, other state laws similar in nature, and these new rights under Section 624 of the FACT Act.

Such a notice must:

• Be clear, conspicuous, simple and concise. The notices under GLB are evidence that without clear direction, the notices sent to consumers are confusing and altogether ineffective.
• Be sent annually to the consumer by the company with whom the consumer has a preexisting business relationship.
• Provide consumers at least 45 days to exercise their rights.
• Require companies to honor the choices of consumers within 30 days of receiving the information from the consumer.
• Provide consumers simple means to exercise their choices including a toll-free number and self-addressed envelope.
• Meet the same Flesch reading ease score and Flesch-Kincaid grade level score as the model included in Appendix A.
• Be in writing. If the notice is provided electronically, it must meet the requirements of E-SIGN, be sent directly to the consumer and only if the consumer has explicitly agreed to such electronic receipt.

In addition to the notice requirements we also have other substantive concerns with the possible regulations. These include:

• The potential loophole regarding “constructive sharing,” which eviscerates the entire purpose of Section 624, should be closed.
• The definition of “preexisting business relationship” should not be expanded nor should the definition of “solicitation” be narrowed.
• The entity with whom the consumer has a business relationship should be responsible for sending all notices.

We commend the regulators for many of the proposals set forth in the proposed rules and have commented on particulars throughout our comments. We encourage you to ensure that the proposed rules are not weakened in any way.

The regulators invite comments on:

Responsibility for Providing Notice and an Opportunity to Opt Out
Should the affiliate receiving the information be permitted to give the notice solely on its own behalf? Could a receiving affiliate provide notice without making or sending any solicitations at the time of the notice and would such a notice be effective?

The regulators propose that the person communicating the information about the consumer to its affiliate be responsible for providing the notice. We agree with this suggestion and urge the regulators to require that the names of the receiving entities be clearly disclosed to the consumer. This allows consumers to make informed decisions regarding whether or not to exercise their opt-out rights under this proposal. Furthermore, as discussed below, this enables to entity holding the information to provide consumers a complete description of all of their rights including control of information sharing (under GLB, Section 603 of FCRA and applicable state law) and the newly provided rights under Section 624 of the FACT Act regarding limitations on marketing.

Allowing the receiving entity to send the disclosure will simply invite consumer confusion as to whether or not the disclosure itself is a solicitation. At a minimum, the receiving entity should have a duty to confirm that the communicating entity has met its obligations.

Scope of the Coverage
Does the term “eligibility information,” as defined, appropriately reflect the scope of coverage, or should the regulation track the more complicated language of the statute regarding the communication of information that would be a consumer report, but for clauses (i), (ii), and (iii) of section 603 (d)(2)(A) of the FCRA?

The regulators suggest using the term “eligibility information” in order to describe the information covered by section 624. It is our understanding that this suggestion is not intended to change the scope of the information, but rather to simplify the terminology. We agree with this suggestion as long as the information subject to the rights afforded consumers under section 624 is not interpreted otherwise.

Duration of the Opt-Out
The regulators suggest that if a company chooses to prolong the opt-out beyond the mandated 5 years they are not in violation of this statute. We agree with the suggestion by the regulators to allow an opt-out to extend in perpetuity as long as this is clearly disclosed to the consumer in the original notice.

Additionally, we are concerned with the language stating that companies must honor the opt-out “beginning as soon as reasonably practicable.” This standard is too vague. The regulators should require that companies honor the consumer’s choice within a specific length of time and we suggest that the time should be no greater than 30 after the consumer responds to the notice.

Key Definitions
Are there additional circumstances that should be deemed a “pre-existing business relationship” or other types of communications that should not be deemed a “solicitation?”

We do not believe that the definition of pre-existing business relationship should be broadened and commend the regulators for not suggesting that such an expansion of the definition occur as it would only expand the opportunity for marketing solicitations. Furthermore, the definition of pre-existing business relationship includes any inquiry by a consumer in the prior 3 months to the date of the solicitation. The regulators should clarify that such an inquiry must be made of the specific affiliate rather than a general inquiry about a product or service. For example, a consumer inquiry about Mortgage Bank Z would trigger a pre-existing business relationship but a general inquiry about mortgage banks would not.

We do not believe that the definition of “solicitation” should be narrowed and commend the regulators for this decision. Narrowing this definition would only expand the opportunity for marketing solicitations, which most consumers do not want,1 and, if wanted, the consumer has the choice to accept or not. Narrowing the definition allows additional communications that are considered outside of the scope of the consumer rights under section 624.

Are there other communications that the regulators should determine do not meet the definition of “solicitation?” Comment is also requested on whether, and to what extent, various tools used in Internet marketing, such as pop-up ads, may constitute solicitations as opposed to communications directed at the general public, and whether further guidance is needed to address Internet marketing.

The regulators seek information regarding pop-up ads and other Internet marketing. If an affiliate’s pop-up ads and other marketing (ads that may appear next to text or as headers, for example) are the result of specific actions by the consumer or information collected based upon a consumer’s experience on the Internet then such ads should be considered solicitations. For example, if an affiliate’s pop-up ads are targeted to consumers because they clicked on links, provided information to websites, go to particular websites, or are based upon the content of a consumer’s email then such ads should be considered solicitations. Furthermore, pop-up ads and other internet marketing targeted to all customers of a company should be treated as solicitations.

Is there any meaningful difference between the FCRA, FACT Act, and GLB definitions (of the term “affiliate,”)?

The proposal seems to reconcile the potential differences and we do not have any comment on this.

Definition of “clear and conspicuous”

The regulators’ definition of clear and conspicuous disregards the additional language of §624(2)(B) that the notice required be “clear, conspicuous, and concise….” This section of FACT Act goes on to say that the method must be “simple.” Inclusion of such terms indicates Congress’ intent that notices be short and to the point, a signal that the current long notice procedures are not acceptable. “Concise” should be seen as a necessary element of clear and conspicuous. Note that the proposed Section 680.21 “Contents of Opt-Out Notice” includes concise along with clear and conspicuous. To accomplish goals of clear and conspicuous as well as “concise” and a “simple” means to opt-out, the regulators should move forward with its consideration of short form notices. This is discussed at greater length below.

Furthermore, the standards proposed by the regulators seem to be the same as examples of clear and conspicuous given in GLB rules. This standard has not proved sufficient to give effective notice. Given the words of the statute, Congress directed agencies to do more than adopt the definition of clear and conspicuous included in the regulations implementing GLB.

Section 680.20 – Use of Eligibility Information by Affiliates for Marketing
Given the policy objectives of Section 214 of the FACT Act, should proposed paragraph (a) apply if affiliated companies seek to avoid providing notice and opt-out by engaging the “constructive sharing” of eligibility information to conduct marketing?

Proposed paragraph (a) addresses the duties of the company that communicates information to their affiliates. Before the receiving affiliate may send a solicitation based upon information from the communicating company, consumers must be given the right to opt-out of such solicitations. The Supplementary Information notes that some companies may share consumer information but the information may not necessarily be used by the affiliate for solicitation purposes; there may be another reason that the information is shared. In this event, the company does not have to provide the consumer the opportunity to opt-out.

The regulators seek comment as to whether or not a company can avoid the requirements of sending the notice by engaging in “constructive sharing.” “Constructive sharing” begins when company A with whom the consumer has a business relationship sends a solicitation on behalf of their affiliate B to customers that meet certain criteria. Because the solicitation is sent only to customers that meet the specific criteria, B would know that those who responded to the solicitation met the criteria. In this example, A has not shared customer information that will be used for marketing with B which would have triggered the notice requirement.

The example provided illustrates that companies might sidestep the protections in Section 624 by indirectly sharing information that will be used for marketing. If information for marketing is shared directly and the consumer has opted-out, then the other company may not solicit the consumer. But, if the information comes from “constructive sharing,” then there is potential for a significant loophole.

Constructive sharing directly contravenes Congress' intent in passing § 214 of the FACTA. The FACTA does not address information sharing among affiliates but gives consumers the right to limit marketing based on that sharing. Under this possible loophole, institutions could reorganize their marketing efforts and easily evade the new protections created by Congress. Consumers deserve some respite from the number of solicitations they receive. It is estimated that 5 billion pre-screened offers of credit were sent in 2003, enough to send fifty to each household in America.2 With the merger permitted by the GLBA, the number of credit offers may be eclipsed by other unwanted solicitations.

If a consumer states that he or she does not want solicitations, the consumer does not care what the source of the solicitations might be; the consumer is opting-out of the solicitation itself. This loophole must be fixed; consumers who opt-out are opting out of the marketing regardless of how the marketing company obtained the information which is used to market.

The regulators also suggest 2 rules of construction for paragraph (a). We agree with the suggestions as they strike a reasonable balance in that they allow commonly named affiliates to share notices but make it clear that a notice from an affiliate with whom the consumer is not familiar will not be effective. We do suggest that the company with whom the consumer has a preexisting business relationship be clearly marked.

Are there circumstances in which it is necessary and appropriate to allow an oral notice, and is there any practical method for meeting the “clear and conspicuous” standard in the oral notices?

It is not appropriate for oral notice to be given. Written notice should be mandated in all circumstances. The reason for the written notice requirement is to ensure the consumer receives the notice required by law. An oral notice leaves no way to ensure consumers will receive the appropriate notice or information on the right to opt-out.

Furthermore, institutions have strong economic incentives to prevent customers from exercising opt-out. These incentives are so strong that companies have actually engaged in market research to design language that will result in a customer not taking action on important rights.3 It has been our experience in the legislative advocacy realm that the financial services industry will suggest that exercising choice will frustrate basic, consumer-requested information flows, such as an inquiry for an account balance. Similar subtle and direct misrepresentations may be made to the consumer when notice is given orally, and consumers will not be able to document these representations, creating enforcement barriers for the regulators.

Because the right to privacy is fundamental, and because consumers see privacy as an important, material aspect of a relationship with a business, we believe that written notice is appropriate.

Are there other means of circumvention that the final rule should address?
We urge the regulators to ensure that all rights consumers have under federal and state laws regarding information sharing and marketing are in place regardless of whether or not a consumer exercises his or her rights under one statute and not another. In order to reduce consumer confusion, we urge the regulators and other regulators to consider all the rights consumers have and craft a simple means for consumers to act.

What should the mandatory compliance date be and should it be different from the effective date of the final regulations?
Companies have been on notice of this requirement since December 2003. The regulations are required nine months after FACT Act with a six month compliance date after final rules. This gives companies until early 2005 to comply. More than a year is long enough for a company to get its systems and business practices ready for compliance.

Therefore the effective date should be the date of the final regulations. Any additional time would extend the compliance date beyond what is intended by the statute. If the company is not able to send a notice and give the reasonable opt-out before the compliance date, marketing by affiliates using shared information should cease until the notices are sent to consumers and consumers have time to comply.

Section 680.21 – Contents of the Opt-Out Notice
Appendix A includes the necessary elements to comply with §624. The added disclosure and opt-out required by this section illustrates the urgent need for the regulators and the banking agencies to adopt a short form notice. The statute says the notice required by §624 may be consolidated and coordinated with other notices required. The regulators should move forward with the short notice project so that the §624 notice might be combined with the GLB notice, notices required under state laws and other opt-out rights under FCRA.

We are concerned that consumers who receive multiple notices at varying times during the year will become confused. A consumer who exercises his/her right in response to a notice that combines the third-party opt-out under GLB, a state mandated notice and the “other” or “creditworthiness” opt-out under FCRA §603(d)(2) may consider it unnecessary to respond to a separate notice required by §624, the affiliate sharing opt-out. A single notice will mitigate consumer confusion.

In order to avoid consumer confusion companies should include the following disclosure on the form: “The law requires us to provide this form to you annually. You may have already exercised some or all of your rights. If you do not recall whether or not you have opted out and want to be certain that you receive these protections, you may use this form.”

Section 680.22 – Reasonable Opportunity to Opt-Out
What is a reasonable opportunity to opt out, and are additional protections or clarifications needed?

The regulators have not set a mandatory standard for what would be considered a “reasonable opportunity” to opt-out, but has indicated a safe harbor period of 30 days, allowing for the option of more than 30 days. The proposal also suggests that a waiting period of less than 30 days would be adequate in certain situations.

Furthermore, the safe harbor period should be 45 days instead of 30 days, and a short period should not be allowed. If consumers are given only 30 days to respond to the notice required under §624, the consumer has in effect only 20 days to respond to the opt-out when mail delivery of up to 5 days is factored on both ends of the delivery. A consumer who does not respond to a notice because of vacation or absence from home because of an illness, for example, should not be penalized.

Should companies subject to the proposed rule be required to disclose in the opt-out notices how long a consumer has to respond to the opt-out notice. If so, why? If not, why not?

Consumers should be told how long they have to respond to the notice before their information may be used by affiliates for marketing purposes. They should also be informed that they may exercise this right at any time. Unless a consumer is informed that such a choice may be made at any time, the consumer might be under the impression that the choice is only available for the limited amount of time that the consumer initially has to exercise his or her right before information can be used by an affiliate for marketing purposes.

Section 680.23 - Reasonable and Simple Methods of Opting Out
The proposal generally tracks the examples of reasonable opt-out from the GLB privacy regulations with revisions to give effect to Congress’ mandate that methods of opting out be “simple.” The proposed rules fall short in this as they give examples for simple means of opting out rather than requiring certain methods. For example self-addressed envelopes should be required rather than an example of what would be reasonable. To include this only as an example means that companies have the discretion to set their own standards about what is reasonable and simple. The same is true for toll-free numbers. The regulation should require that toll-free numbers be adequately designed and staffed, to enable consumers to opt out in a single phone call. Inadequate and poorly trained staff has been a short coming in the current opt-out procedures in effect under GLB. Unless this is made mandatory rather than discretionary, consumers will continue to experience difficulties in opting out by telephone. Finally, we recommend that consumers be provided the opportunity to opt-out by a simple check-box means on payment coupons.

Furthermore, the regulators should contemplate instances where states may require certain means for consumers to exercise their rights. If the opt-out under this section is combined with other choices consumers may have under other federal and state laws, the regulators should clarify that this is a floor for the means outlined for consumers to exercise their rights. Therefore, if the standards for opting out are more friendly to consumers under a state law, those means should not be taken away under federal law. The federal provisions should be incorporated so that they allow the state provisions to be considered additions, not contradictions, to the federal standards.

Section 680.24 - Delivery of Opt-Out Notices
The regulators suggests in paragraph (b)(1)(iii) that a company may email its notice to consumers who have agreed to the electronic delivery of notices or to provide the policy on its website for consumers who receive products and services electronically on the website. We strongly disagree with these suggestions. First, there is a growing trend in which companies require consumers to agree to electronic notices if they conduct any business on a website (balance inquiries, for example). Furthermore, there is nothing to ensure that the notice is clearly accessible to consumers on the site. At a minimum, the notice must be sent to the consumer’s email address rather than merely posted and this is only under circumstances in which the consumer expressly opted-in to the electronic receipt of legal and contractual notices, such as those that change the terms of the account.

Should information about a joint account be allowed to be used for making solicitations to a joint consumer who has not opted out?

This solicitation for comment seems to be contrary to what the proposed regulations include in the previous paragraph: “The person may not require both consumers to opt out before honoring an opt-out direction by one of them.” We urge the regulators to adopt this standard: information about a joint account should not be allowed to be used for making solicitations to a consumer who has not opted out if the other account holder has opted out.

Section 680.25 - Duration and Effect of the Opt-Out
We commend the suggestion that if a consumer elects to opt-out during the 5 year period of an existing opt-out period, then it is considered successive and a new 5 year period begins. We further commend the regulators’ proposal that if a consumer’s relationship with a company ends the opt-out extends indefinitely. We suggest that the regulations clarify that if a company continues to use shared information for marketing purposes after the termination of the relationship, then they must send the opt-out notice.

To reinforce the consumer’s continuing right to opt-out, the regulations should make it clear that companies must give the opt-out notice annually, along with any other notices required by GLB, state laws or FCRA §603. As written, the regulations could be construed by companies as relief from notice if the consumer does not opt-out after the first notice. The statute does not say that the §624 notice is required annually like the GLB notice. However, it does not say that the consumer has only one opportunity to opt-out.

Furthermore, the creation of a single notice necessarily results in an annual notice since some of the disclosures covered in the single notice require annual notices. This is unclear in the statute, but the continuing nature should be clarified in the regulations.

Section 680.26 – Extension of the Opt-out
We commend the regulators’ proposal that a receiving affiliate may not use consumer information to make solicitations after the expiration date of the opt-out unless the consumer has been given a reasonable opportunity to extend the opt out. We suggest that “reasonable opportunity” be defined as at least 45 days before the date the company wishes to use the information for marketing purposes.

Section 680.27 – Consolidated and Equivalent Notices/Effective Date
Is there any need to delay the compliance date beyond the effective date, to permit financial institutions to incorporate the affiliate marketing notice into their next annual GLB Act notice?
While we agree that the notice should be consolidated, we strongly disagree with extending the effective date. If companies want to wait to send the notices with their annual GLB notices then they should wait to use the shared information for marketing purposes. Such a decision would provide companies the flexibility to combine notices and provide consumers the protections afforded them under section 624.

Combined Notices/Appendix A
We commend the regulators on their inclusion of the Flesch reading ease score as well as the Flesch-Kincaid grade level score. We suggest that if a company does not use the model form proposed in Appendix A that they must meet the same readability levels as the model.

As noted above we suggest a simple form that combines all consumer protections under both state and federal law so long as the notices meet basic requirements. Any combined notices, whether under state or federal law must meet basic requirements outlined in our comments in this correspondence and the Federal Agencies’ Joint Request for Comment: Alternative Forms of Privacy Notices. These are available at http://www.privacyrights.org/ar/ftc-noticeANPR.htm

We look forward to FACT Act regulations that will clearly disclose to consumers their rights to opt-out of marketing by affiliates when shared information is used for such purposes. We urge the regulators to ensure that the notices are simple for consumers to understand and consumers have a simple means to exercise rights.

Sincerely,

Shelley Curran, Policy Analyst
Consumers Union

Beth Givens, Director
Tena Friery, Research Director
Privacy Rights Clearinghouse

Ken McEldowney, Executive Director
Consumer Action

Travis B. Plunkett
Legislative Director
Consumer Federation of America

Richard Holober, Executive Director
Consumer Federation of California

Chris Jay Hoofnagle, Associate Director
Electronic Privacy Information Center

Evan Hendricks, Editor/Publisher
Privacy Times

Ed Mierzwinski, Consumer Program Director
US PIRG

 

Last Updated 08/17/2004 regs@fdic.gov

Skip Footer back to content