Model Privacy Form Adopted Under Gramm-Leach-Bliley Act
In November 2009, the SEC, along with seven other agencies1, adopted amendments to the rules implementing certain privacy provisions of the Gramm-Leach-Bliley Act (the “GLBA”) and adopted a model privacy form (the “Model Form”). In order for financial institutions (including investment advisors) to fall within the safe harbor for satisfying their initial and annual privacy notice delivery requirements, financial institutions must start using the Model Form for notices provided after December 31, 2010.
In 1999, Congress enacted the GLBA, which governs financial institutions’ handling of their customers’ nonpublic, personal information.
Any broker, dealer, SEC registered investment advisor or SEC registered investment company must provide initial and annual privacy notices to its customers. In addition, in compliance with CFTC regulations, any futures commission merchant, introducing broker, commodity trading advisor or commodity pool operator subject to the jurisdiction of the CFTC with respect to any financial activity, must provide privacy notices to its customers, regardless of the institution’s size and exemption from CFTC registration requirements. These notices describe the Company’s information sharing practices and inform customers of their right to opt out of certain of these sharing practices. Over the years, complaints surfaced that complying with the GLBA had led to privacy notices that were too dense, too lengthy and difficult for customers to understand. In the Financial Services Regulatory Relief Act of 2006, Congress called for a jointly developed model privacy form.
Phase-Out of the Old Sample Clauses
Regulation S-P, which was adopted by the SEC pursuant to the GLBA, currently contains sample clauses which provide a safe harbor for the necessary privacy disclosures. Financial institutions may continue to use privacy notices that employ these sample clauses for any privacy notices delivered before December 31, 2010. These privacy notices will be covered under the safe harbor for one year after delivery or posting. Any notices delivered or posted after that time must use the new Model Form in order to be within the safe harbor.
The Model Form
The Model Form is intended to enable customers to more easily understand how financial institutions collect and share their personal information, and compare this information among different institutions.
There are six versions of the Model Form for institutions to select from based upon whether they (1) provide an opt-out, (2) include affiliate marketing, or (3) use a mail-in form. Click here to access The Model Form builder online.
Use of the Model Form is voluntary, and the form functions as a safe harbor for compliance with the privacy disclosure regulations of the GLBA and Regulation S-P. Importantly, however, the safe harbor applies only to the form itself. The safe harbor does not extend to any modifications to the Model Form made by a financial institution, or to any institution specific information entered into the form.
Format and Content
If institutions decide to use the Model Form to take advantage of the safe harbor they must use it in a manner that is clear, conspicuous and intact. There are strict rules about how the Model Form must look and what may be included.
The Model Form is composed of two pages. Each page contains specific information in a set order.
Page 1: Page 1 of the Model Form includes a basic explanation of why privacy notices are provided, what type of personal information the institution may collect and share, and with whom such information may be shared. The disclosure table with the heading “Reasons we can share your personal information” is a critical component of the form. Each institution must indicate that it does or does not share certain kinds of information, and whether the customer has the ability to limit the institution from sharing. If an institution does not currently share certain information, but would like to reserve the right to share such information at a later date, it must mark that “yes” it currently does share such information to be in compliance with the rule. If the institution chooses to provide opt out information, or shares information in any way that triggers an opt-out, such section is generally included at the bottom of this page. Most private investment fund managers that are not affiliated with larger financial institutions will generally not be required to offer an opt-out.
Page 2: Page 2 of the Model Form contains more explanatory information, such as, how the institution collects and protects personal information. This page also provides some definitions to make it easier for customers to understand key words, and a section titled “Other Important Information” where, for example, institutions may include international law or state law details as needed. Page 2 also includes information about the third parties (including affiliates) with which the institution may share information, as well as information regarding joint marketing.
1The other agencies are: the Office of the Comptroller of the Currency, the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, the National Credit Union Administration, the Federal Trade Commission, and the Commodities Futures Trading Commission (“CFTC”).