News
Federal Regulators seek public comment on ways to improve privacy notices
The federal banking regulators have announced a joint advance notice of proposed rulemaking requesting public comment on ways to improve the privacy notices financial institutions provide to consumers under the Gramm-Leach-Bliley Act (the "GLB Act").
The GLB Act requires financial institutions to provide a notice to each customer that describes the institution's policies and practices regarding the disclosure to third parties of nonpublic personal information, and (if the information is to be shared with non-exempt third parties) to provide customers with an opportunity to opt out of having such information shared with third parties. The notices must be provided to each new customer and must be sent out annually to all customers. In 2000, the agencies published final regulations that implemented the customer privacy provisions of the GLB Act, including sample clauses that institutions may use in privacy notices.
The advance notice of proposed rulemaking responds to concerns that the notices are so difficult to understand that many who otherwise would not want to permit the sharing of their personal information simply fail to understand the rules sufficiently to exercise their right to opt out. For example, Comptroller of the Currency John D. Hawke Jr. has been quoted as saying that the privacy notices are "not only difficult to understand, they are virtually impenetrable. The privacy notices just went off on a tangent that makes [the process] utterly useless." Opt-out rates have been low, reportedly in the range of five percent or less.
The proposal seeks public comment on ways to improve the notification process without unduly burdening the institutions that must provide the notices. It requests comment on whether to pursue the development of a short privacy notice, and identifies four possible alternative approaches to simplifying the notices, including an example of each potential approach as an appendix to the proposal.
The first approach would be for the regulatory agencies to develop a specific format and standardized language for a short notice that highlights key elements of an institution's privacy policy. This type of form could include a description of how the customer could obtain a longer, detailed privacy notice.
In a second and similar approach, the regulatory agencies could develop a short notice with a specific format and standardized language that would be designed to address all of the relevant elements listed in the GLB Act and the privacy rules. The notice expressed concern that this approach might not work for those financial institutions that require flexibility in describing the categories of affiliated and nonaffiliated parties to whom they disclose nonpublic personal information.
The third approach would involve establishing a standardized format for privacy notices, but allowing financial institutions to provide their own descriptions of their privacy policies and practices.
The fourth suggested approach would be to focus on the customer's right to opt out.
The notice indicates that the regulatory agencies are willing to consider additional alternatives, and also requests a response to a series of questions relating to various aspects of the privacy notice.