On January 12, 2011, the Office of Thrift Supervision (OTS) published information intended to help small thrifts comply with the obligation to send initial and annual privacy notices to their customers. The agency's Small Entity Compliance Guide for the Model Privacy Notice is aimed at helping small thrifts use the model privacy notice form established by the bank and thrift regulatory agencies in December 2009. Proper use of the model forms provides a safe harbor for compliance with the privacy notice duties.
On December 1, 2009, the agencies published the final rule relating to the model privacy notice. Financial institutions that elect to use the model privacy form may rely on the model privacy form as a safe harbor to comply with the GLBA disclosure requirements.
The effective date of the amendments was December 31, 2009, except for the amendments eliminating the sample clauses and associated guidance, which become effective for notices sent after December 31, 2010.
Timing and Safe Harbor
A model privacy form that meets the privacy regulations' notice content requirements, which institutions may voluntarily rely on as a safe harbor in providing privacy notices as of December 31, 2009, appears in Appendix A to the regulations.
[Sample clauses also relating to the privacy regulations' notice content requirements, applicable in connection with privacy notices provided on or before December 31, 2010, appear in Appendix B to the regulation through December 31, 2011 (and thereafter will be deleted).]
The regulatory agencies have created an on-line form builder that thrifts can use to develop customized versions of the model notices. Although all financial institutions may model forms, they are not required to do so. Other forms, including those that rely on the sample clauses that will be replaced by the model forms, can be used if they comply with the notice requirements. However, only using the model forms will provide a safe harbor after December 31, 2010.
Privacy Notice - Form Requirements
The model privacy form has several versions:
1. If opt out is provided and include affiliate marketing.
2. If opt out is provided and do not include affiliate marketing.
3. If opt out is not provided and include affiliate marketing.
4. If opt out is not provided and do not include affiliate marketing.
5. If opt out is provided and include affiliate marketing, and mail-back form.
6. If opt out is provided and do not include affiliate marketing, and mail-back form.
To prevent identity theft, institutions should use a truncated form of an account number other than a Social Security Number on privacy notices.
Specific disclosure requirements are mandatory, if a financial institution wants to customize the privacy notice. However, the following features are permitted:
- Print the form on both sides of a single sheet of paper (or on two pages)
- Incorporate the form in another document or with other notices, and include additional documents or information so long as the form is presented in a clear and conspicuous manner
- Provide a single form jointly with other affiliated institutions (including affiliated institutions regulated by different agencies), as long as each institution is clearly identified in the correct space of the form
- Include color and logos to create visual interest, provided they do not interfere with the readability of the form
- Use different sizes of paper, provided the paper is large enough to meet the minimum 10-point font size and provide sufficient white space around the model form text
- Include certain information on state and international privacy law in the blank spaces provided
- Include a mail-in version of the opt-out form as described in the rule
- Translate the form into languages other than English
Online Form Builder - Quick Links
On April 15, 2010, the Agencies released an Online Form Builder that financial institutions can download and use to develop and print customized versions of the model consumer privacy notice.
The Online Form Builder, based on the model form regulation published in the Federal Register on December 1, 2009, under the GLB Act, is available with several options. Easy-to-follow instructions for the form builder guide an institution to select the version of the model form that fits its practices.