[Federal Register Volume 72, Number 215 (Wednesday, November 7, 2007)]
[Rules and Regulations]
[Pages 62910-62990]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 07-5349]
[[Page 62909]]
-----------------------------------------------------------------------
Part II
Department of the Treasury
Office of the Comptroller of the Currency
12 CFR Part 41
Federal Reserve System
12 CFR Part 222
Federal Deposit Insurance Corporation
12 CFR Part 334
Department of the Treasury
Office of Thrift Supervision
12 CFR Part 571
National Credit Union Administration
12 CFR Part 717
Fair Credit Reporting Affiliate Marketing Regulations; Final Rule
Federal Register / Vol. 72, No. 215 / Wednesday, November 7, 2007 /
Rules and Regulations
[[Page 62910]]
-----------------------------------------------------------------------
DEPARTMENT OF THE TREASURY
Office of the Comptroller of the Currency
12 CFR Part 41
[Docket ID. OCC-2007-0010]
RIN 1557-AC88
FEDERAL RESERVE SYSTEM
12 CFR Part 222
[Regulation V; Docket No. R-1203]
FEDERAL DEPOSIT INSURANCE CORPORATION
12 CFR Part 334
RIN 3064-AC83
DEPARTMENT OF THE TREASURY
Office of Thrift Supervision
12 CFR Part 571
[Docket ID. OTS-2007-0020]
RIN 1550-AB90
NATIONAL CREDIT UNION ADMINISTRATION
12 CFR Part 717
Fair Credit Reporting Affiliate Marketing Regulations
AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC);
Board of Governors of the Federal Reserve System (Board); Federal
Deposit Insurance Corporation (FDIC); Office of Thrift Supervision,
Treasury (OTS); and National Credit Union Administration (NCUA).
ACTION: Final rules.
-----------------------------------------------------------------------
SUMMARY: The OCC, Board, FDIC, OTS, and NCUA (Agencies) are publishing
final rules to implement the affiliate marketing provisions in section
214 of the Fair and Accurate Credit Transactions Act of 2003, which
amends the Fair Credit Reporting Act. The final rules generally
prohibit a person from using information received from an affiliate to
make a solicitation for marketing purposes to a consumer, unless the
consumer is given notice and a reasonable opportunity and a reasonable
and simple method to opt out of the making of such solicitations.
DATES: Effective Date: These rules are effective January 1, 2008.
Mandatory Compliance Date: October 1, 2008.
FOR FURTHER INFORMATION CONTACT: OCC: Amy Friend, Assistant Chief
Counsel, (202) 874-5200; Michael Bylsma, Director, or Stephen Van
Meter, Assistant Director, Community and Consumer Law, (202) 874-5750;
or Patrick T. Tierney, Senior Attorney, Legislative and Regulatory
Activities Division, (202) 874-5090, Office of the Comptroller of the
Currency, 250 E Street, SW., Washington, DC 20219.
Board: David A. Stein, Counsel; Ky Tran-Trong, Counsel; or Amy E.
Burke, Attorney, Division of Consumer and Community Affairs, (202) 452-
3667 or (202) 452-2412; or Kara Handzlik, Attorney, Legal Division,
(202) 452-3852, Board of Governors of the Federal Reserve System, 20th
and C Streets, NW., Washington, DC 20551. For users of a
Telecommunications Device for the Deaf (TDD) only, contact (202) 263-
4869.
FDIC: Ruth R. Amberg, Senior Counsel, (202) 898-3736, or Richard M.
Schwartz, Counsel, Legal Division, (202) 898-7424; April Breslaw,
Chief, Compliance Section, (202) 898-6609; David P. Lafleur, Policy
Analyst, Division of Supervision and Consumer Protection, (202) 898-
6569, Federal Deposit Insurance Corporation, 550 17th Street, NW.,
Washington, DC 20429.
OTS: Suzanne McQueen, Consumer Regulations Analyst, Compliance and
Consumer Protection Division, (202) 906-6459; or Richard Bennett,
Senior Compliance Counsel, (202) 906-7409, Office of Thrift
Supervision, 1700 G Street, NW., Washington, DC 20552.
NCUA: Linda Dent, Staff Attorney, Office of General Counsel, (703)
518-6540, National Credit Union Administration, 1775 Duke Street,
Alexandria, VA 22314-3428.
SUPPLEMENTARY INFORMATION:
I. Background
The Fair Credit Reporting Act
The Fair Credit Reporting Act (FCRA or Act), which was enacted in
1970, sets standards for the collection, communication, and use of
information bearing on a consumer's credit worthiness, credit standing,
credit capacity, character, general reputation, personal
characteristics, or mode of living. (15 U.S.C. 1681-1681x.) In 1996,
the Consumer Credit Reporting Reform Act extensively amended the FCRA.
(Pub. L. 104-208, 110 Stat. 3009.)
The FCRA, as amended, provides that a person may communicate to an
affiliate or a non-affiliated third party information solely as to
transactions or experiences between the consumer and the person without
becoming a consumer reporting agency.\1\ In addition, the communication
of such transaction or experience information among affiliates will not
result in any affiliate becoming a consumer reporting agency. See FCRA
Sec. Sec. 603(d)(2)(A)(i) and (ii).
---------------------------------------------------------------------------
\1\ The FCRA creates substantial obligations for a person that
meets the definition of a ``consumer reporting agency'' in section
603(f) of the statute.
---------------------------------------------------------------------------
Section 603(d)(2)(A)(iii) of the FCRA provides that a person may
communicate ``other'' information--that is, information that is not
transaction or experience information--among its affiliates without
becoming a consumer reporting agency if it is clearly and conspicuously
disclosed to the consumer that such information may be communicated
among affiliates and the consumer is given an opportunity, before the
information is communicated, to ``opt out'' or direct that the
information not be communicated among such affiliates, and the consumer
has not opted out.
The Fair and Accurate Credit Transactions Act of 2003
The President signed into law the Fair and Accurate Credit
Transactions Act of 2003 (FACT Act) on December 4, 2003. (Pub. L. 108-
159, 117 Stat. 1952.) In general, the FACT Act amends the FCRA to
enhance the ability of consumers to combat identity theft, increase the
accuracy of consumer reports, restrict the use of medical information
in credit eligibility determinations, and allow consumers to exercise
greater control regarding the type and number of solicitations they
receive.
Section 214 of the FACT Act added a new section 624 to the FCRA.
This provision gives consumers the right to restrict a person from
using certain information obtained from an affiliate to make
solicitations to that consumer. Section 624 generally provides that if
a person receives certain consumer eligibility information from an
affiliate, the person may not use that information to make
solicitations to the consumer about its products or services, unless
the consumer is given notice and an opportunity and a simple method to
opt out of such use of the information, and the consumer does not opt
out. The statute also provides that section 624 does not apply, for
example, to a person using eligibility information: (1) To make
solicitations to a consumer with whom the person has a pre-existing
business relationship; (2) to perform services for another affiliate
subject to certain conditions; (3) in response to a communication
initiated by the
[[Page 62911]]
consumer; or (4) to make a solicitation that has been authorized or
requested by the consumer. Unlike the FCRA affiliate sharing opt-out
and the Gramm-Leach-Bliley Act (GLBA) non-affiliate sharing opt-out,
which apply indefinitely, section 624 provides that a consumer's
affiliate marketing opt-out election must be effective for a period of
at least five years. Upon expiration of the opt-out period, the
consumer must be given a renewal notice and an opportunity to renew the
opt-out before information received from an affiliate may be used to
make solicitations to the consumer.
Section 624 governs the use of information by an affiliate, not the
sharing of information among affiliates, and thus is distinct from the
affiliate sharing opt-out under section 603(d)(2)(A)(iii) of the FCRA.
Nevertheless, the affiliate marketing and affiliate sharing opt-outs
and the information subject to the two opt-outs overlap to some extent.
As noted above, the FCRA allows transaction or experience information
to be shared among affiliates without giving the consumer notice and an
opportunity to opt out, but provides that ``other'' information, such
as information from credit reports and credit applications, may not be
shared among affiliates without giving the consumer notice and an
opportunity to opt out. The new affiliate marketing opt-out applies to
both transaction or experience information and ``other'' information.
Thus, certain information will be subject to two opt-outs, a sharing
opt-out and a marketing use opt-out.
Section 214(b) of the FACT Act requires the Agencies, the Federal
Trade Commission (FTC), and the Securities and Exchange Commission
(SEC) to prescribe regulations, in consultation and coordination with
each other, to implement the FCRA's affiliate marketing opt-out
provisions. In adopting regulations, each Agency must ensure that the
affiliate marketing notification methods provide a simple means for
consumers to make choices under section 624, consider the affiliate
sharing notification practices employed on the date of enactment by
persons subject to section 624, and ensure that notices may be
coordinated and consolidated with other notices required by law.
II. The Interagency Proposal
On July 15, 2004, the Agencies published a notice of proposed
rulemaking in the Federal Register (69 FR 42502) to implement section
214 of the FACT Act.\2\ The proposal defined the key terms ``pre-
existing business relationship'' and ``solicitation'' essentially as
defined in the statute. The Agencies did not propose to include
additional circumstances within the meaning of ``pre-existing business
relationship'' or other types of communications within the meaning of
``solicitation.''
---------------------------------------------------------------------------
\2\ The FTC published its proposed affiliate marketing rule in
the Federal Register on June 15, 2004 (69 FR 33324). The SEC
published its proposed affiliate marketing rule in the Federal
Register on July 14, 2004 (69 FR 42301).
---------------------------------------------------------------------------
To address the scope of the affiliate marketing opt-out, the
proposal defined ``eligibility information'' to mean any information
the communication of which would be a ``consumer report'' if the
statutory exclusions from the definition of ``consumer report'' in
section 603(d)(2)(A) of the FCRA for transaction or experience
information and for ``other'' information that is subject to the
affiliate-sharing opt-out did not apply. The Agencies substituted the
term ``eligibility information'' for the more complicated statutory
language regarding the communication of information that would be a
consumer report, but for clauses (i), (ii), and (iii) of section
603(d)(2)(A) of the FCRA.\3\ In addition, the proposal incorporated
each of the scope limitations contained in the statute, such as the
pre-existing business relationship exception.
---------------------------------------------------------------------------
\3\ Under section 603(d)(1) of the FCRA, a ``consumer report''
means any written, oral, or other communication of any information
by a consumer reporting agency bearing on a consumer's credit
worthiness, credit standing, credit capacity, character, general
reputation, personal characteristics, or mode of living which is
used or expected to be used or collected in whole or in part for the
purpose of serving as a factor in establishing the consumer's
eligibility for credit or insurance to be used primarily for
personal, family, or household purposes, employment purposes, or any
other purpose authorized in section 604 of the FCRA. 15 U.S.C.
1681a(d).
---------------------------------------------------------------------------
Section 624 does not state which affiliate must give the consumer
the affiliate marketing opt-out notice. The proposal provided that the
person communicating information about a consumer to its affiliate
would be responsible for satisfying the notice requirement, if
applicable. A rule of construction provided flexibility to allow the
notice to be given by the person that communicates information to its
affiliate, by the person's agent, or through a joint notice with one or
more other affiliates. The Agencies designed this approach to provide
flexibility and to facilitate the use of a single coordinated notice,
while taking into account existing affiliate sharing notification
practices. At the same time, the approach sought to ensure that the
notice would be effective because it generally would be provided by or
on behalf of an entity from which the consumer would expect to receive
important notices, and would not be provided along with solicitations.
The proposal also provided guidance on the contents of the opt-out
notice, what constitutes a reasonable opportunity to opt out,
reasonable and simple methods of opting out, and the delivery of opt-
out notices. Finally, the proposal provided guidance on the effect of
the limited duration of the opt-out and the requirement to provide an
extension notice upon expiration of the opt-out period.
III. Overview of Comments Received
Each agency received the following number of comment letters: OCC--
30, Board--42, FDIC--29, OTS--20, NCUA--18. Many commenters sent copies
of the same letter to more than one Agency. The Agencies received
comments from a variety of banks, thrifts, credit unions, credit card
companies, mortgage lenders, other non-bank creditors, and industry
trade associations. The Agencies also received comments from consumer
groups, the National Association of Attorneys General (``NAAG''), and
individual consumers. In addition, the Agencies considered comments
submitted to the FTC and the SEC.
Most industry commenters objected to several key aspects of the
proposal. The most significant areas of concern raised by industry
commenters related to which affiliate would be responsible for
providing the notice, the scope of certain exceptions to the notice and
opt-out requirement, and the content or the inclusion of definitions
for terms such as ``clear and conspicuous'' and ``pre-existing business
relationship.'' Consumer groups and NAAG generally supported the
proposal, although these commenters believed that the proposal could be
strengthened in certain respects. A more detailed discussion of the
comments is contained in the Section-by-Section Analysis below.
IV. Section-by-Section Analysis
Section --.1 Purpose, Scope, and Effective Dates
Section --.1 of the proposal set forth the purpose and scope of
each Agency's regulations. The Agencies received few comments on this
section. Some of the Agencies have revised this section in the final
rules for clarity and to reflect the fact that the institutions subject
to the FCRA regulation will vary in different subparts of the Agencies'
FCRA rules. The coverage provision for
[[Page 62912]]
each Agency's affiliate marketing rule is set forth in Subpart C, Sec.
--.20(a).
Section --.2 Examples
Proposed Sec. ----.2 described the scope and effect of the
examples included in the proposed rule. Most commenters supported the
proposed use of non-exclusive examples to illustrate the operation of
the rules. One commenter, concerned that the use of examples would
increase the risk of litigation, urged the Agencies to delete all
examples.
The Agencies adopted Sec. --.2 as part of the final medical
information rules. See 70 FR 70664 (Nov. 22, 2005). The comments
received in this rulemaking do not warrant any revisions to Sec. --.2.
The Agencies do not believe the use of illustrative examples will
materially increase the risk of litigation, but rather will provide
useful guidance for compliance purposes, which may alleviate litigation
risks for institutions. Therefore, it is unnecessary to re-publish
Sec. --.2 in these final rules.
As Sec. --.2 states, examples in a paragraph illustrate only the
issue described in the paragraph and do not illustrate any other issue
that may arise in the part. Similarly, the examples do not illustrate
any issues that may arise under other laws or regulations.\4\
---------------------------------------------------------------------------
\4\ NCUA has modified examples in its final rule text where the
original example referenced products or services impermissible for
federal credit unions.
---------------------------------------------------------------------------
Section --.3 Definitions
Section --.3 of the proposal contained definitions for the
following terms: ``Act,'' ``affiliate'' (as well as the related terms
``company'' and ``control''); ``clear and conspicuous''; ``consumer'';
``eligibility information''; ``person''; ``pre-existing business
relationship''; ``solicitation''; and, except for the OCC's proposal,
``you.''
The Agencies have previously defined the terms ``Act,''
``affiliate,'' ``company,'' ``consumer,'' and ``person,'' along with a
definition of ``common ownership or common corporate control'' as a
substitute for the definition of ``control,'' as part of the final
medical information rules. See 70 FR 70664 (Nov. 22, 2005). Those
definitions that elicited comment are discussed below. However, it is
unnecessary to re-publish Sec. --.3 in these final rules because the
Agencies have not revised these definitions.
The Agencies have moved the definitions of ``clear and
conspicuous,'' ``eligibility information,'' ``pre-existing business
relationship,'' ``solicitation,'' and ``you'' or ``bank'' to Subpart C,
Sec. --.20(b). Three of these terms relate solely to the affiliate
marketing provisions and, thus, are more appropriately defined in
Subpart C. For the reasons discussed below, the Agencies also believe
that it is more appropriate to define ``clear and conspicuous'' for the
limited purpose of the affiliate marketing rules. Each of these
definitions is discussed in detail below.
Affiliate, Common Ownership or Common Corporate Control, and Company
Several FCRA provisions apply to information sharing with persons
``related by common ownership or affiliated by corporate control,''
``related by common ownership or affiliated by common corporate
control,'' or ``affiliated by common ownership or common corporate
control.'' E.g., FCRA, sections 603(d)(2), 615(b)(2), and 625(b)(2).
Each of these provisions was enacted as part of the 1996 amendments to
the FCRA. Similarly, section 2 of the FACT Act defines the term
``affiliate'' to mean ``persons that are related by common ownership or
affiliated by corporate control.'' In contrast, the GLBA defines
``affiliate'' to mean ``any company that controls, is controlled by, or
is under common control with another company.'' See 15 U.S.C. 6809(6).
In the proposal, the Agencies sought to harmonize the various FCRA
and FACT Act formulations by defining ``affiliate'' to mean ``any
person that is related by common ownership or common corporate control
with another person.'' Industry commenters generally supported the
Agencies' goal of harmonizing the various FCRA definitions of
``affiliate'' for consistency. Many of these commenters, however,
believed that the most effective way to do this was for the Agencies to
incorporate into the FCRA the definition of ``affiliate'' used in the
GLBA privacy regulations. In addition, a few industry commenters urged
the Agencies to incorporate into the definition of ``affiliate''
certain concepts from California's Financial Information Privacy Act so
as to exempt certain classes of corporate affiliates from the
restrictions on affiliate sharing or marketing.\5\
---------------------------------------------------------------------------
\5\ These commenters noted that the California law places no
restriction on information sharing among affiliates if they: (1) Are
regulated by the same or similar functional regulators; (2) are
involved in the same broad line of business, such as banking,
insurance, or securities; and (3) share a common brand identity.
---------------------------------------------------------------------------
In the final medical information rules, the Agencies defined the
term ``affiliate'' to mean a company that is related by common
ownership or common corporate control with another company. See 70 FR
70,664 (Nov. 22, 2005).\6\ The Agencies substituted the term
``company'' for ``person'' in the definition because they did not
believe that certain types of persons, such as individuals, could be
related by common ownership or common corporate control.
---------------------------------------------------------------------------
\6\ For purposes of the regulation, an ``affiliate'' includes an
operating subsidiary of a bank or savings association, and a credit
union service organization that is controlled by a federal credit
union.
---------------------------------------------------------------------------
The Agencies do not believe there is a substantive difference
between the FACT Act definition of ``affiliate'' and the definition of
``affiliate'' in section 509 of the GLBA. The Agencies are not aware of
any circumstances in which two entities would be affiliates for
purposes of the FCRA but not for purposes of the GLBA privacy rules, or
vice versa. Also, even though affiliated entities have had to comply
with different FCRA and GLBA formulations of the ``affiliate''
definition since 1999, commenters did not identify any specific
compliance difficulties or uncertainty resulting from the fact that the
two statutes use somewhat different wording to describe what
constitutes an affiliate.
As explained in the supplementary information to the final medical
information rules, the Agencies declined to incorporate into the
definition of ``affiliate'' exceptions for entities regulated by the
same or similar functional regulators, entities in the same line of
business, or entities that share a common brand or identity. See 70 FR
70,665 (Nov. 22, 2005). These exceptions were incorporated into the
California Financial Information Privacy Act in August 2003.\7\
Congress, however, did not incorporate these exceptions from California
law into the definition of ``affiliate'' when it enacted the FACT Act
at the end of 2003. Accordingly, the Agencies believe that the approach
followed in the final medical information rules best effectuates the
intent of Congress.
---------------------------------------------------------------------------
\7\ See Cal. Financial Code Sec. 4053(c).
---------------------------------------------------------------------------
Under the GLBA privacy rules, the definition of ``control''
determines whether two or more entities meet the definition of
``affiliate.'' \8\ The Agencies included the same definition of
``control'' in the proposal and received no comments on the proposed
definition. The Agencies interpret the phrase ``related by common
ownership or common corporate control'' used in the FACT Act to have
the same meaning
[[Page 62913]]
as ``control'' in the GLBA privacy rules. For example, if an individual
owns 25 percent of two companies, the companies would be affiliates
under both the GLBA and FCRA definitions. However, the individual would
not be considered an affiliate of the companies because the definition
of ``affiliate'' is limited to companies. For purposes of clarity, the
final medical information rules defined the term ``control'' to mean
``common ownership or common corporate control'' in order to track more
closely the terminology used in the FACT Act. See 70 FR 70,664 (Nov.
22, 2005).\9\
---------------------------------------------------------------------------
\8\ See 12 CFR 40.3(g), 216.3(g), 332.3(g), 573.3(g), and
716(g).
\9\ For purposes of the regulation, NCUA presumes that a federal
credit union has a controlling influence over the management or
policies of a credit union service organization if it is 67 percent
owned by credit unions.
---------------------------------------------------------------------------
The proposal also defined the term ``company'' to mean any
corporation, limited liability company, business trust, general or
limited partnership, association, or similar organization. The proposed
definition of ``company'' excluded some entities that are ``persons''
under the FCRA, including estates, cooperatives, and governments or
governmental subdivisions or agencies, as well as individuals. The
Agencies received no comments on the proposed definition of
``company,'' which was adopted in the final medical information rules.
The Agencies adopted definitions of ``affiliate,'' ``common
ownership and common corporate control,'' and ``company'' in the final
FCRA medical information rules. See 70 FR 70,664 (Nov. 22, 2005). It is
unnecessary to re-publish those definitions in these rules.
Consumer
Proposed paragraph (e) defined the term ``consumer'' to mean an
individual. This definition is identical to the definition of
``consumer'' in section 603(c) of the FCRA.
Several commenters asked the Agencies to narrow the proposed
definition to apply only to individuals who obtain financial products
or services primarily for personal, family, or household purposes, in
part to achieve consistency with the definition of ``consumer'' in the
GLBA. The FCRA's definition of ``consumer,'' however, differs from, and
is broader than, the definition of that term in the GLBA. The Agencies
believe that the use of distinct definitions of ``consumer'' in the two
statutes reflects differences in the scope and objectives of each
statute. Therefore, the Agencies adopted the FCRA's statutory
definition of ``consumer'' in the final medical information rules. See
70 FR 70,664 (Nov. 22, 2005). It is unnecessary to re-publish the
definition in these rules. For purposes of this definition, an
individual acting through a legal representative would qualify as a
consumer.
Person
Proposed paragraph (l) defined the term ``person'' to mean any
individual, partnership, corporation, trust, estate, cooperative,
association, government or governmental subdivision or agency, or other
entity. This definition is identical to the definition of ``person'' in
section 603(b) of the FCRA.
One commenter requested clarification of how the proposed
definition of ``person'' would affect other provisions of the affiliate
marketing rules. Specifically, this commenter asked how the
supplementary information's discussion of agents might affect the scope
provisions of the rule.
The supplementary information to the proposal stated that a person
may act through an agent, including but not limited to a licensed agent
(in the case of an insurance company) or a trustee. The supplementary
information also provided that actions taken by an agent on behalf of a
person that are within the scope of the agency relationship would be
treated as actions of that person. The Agencies included these
statements to address comprehensively the status of agents and to
eliminate the need to refer specifically to licensed agents in the
proposed definition of ``pre-existing business relationship.'' As
discussed below, many commenters believed that licensed agents should
be expressly included in the definition of ``pre-existing business
relationship.'' The Agencies have revised the final rules in response
to those comments. By specifically addressing licensed agents, the
final rules do not alter the general principles of principal-agent
relationships that apply to all agents, not just licensed agents. The
Agencies will treat actions taken by an agent on behalf of a person
that are within the scope of the agency relationship as actions of that
person, regardless of whether the agent is a licensed agent or not.
The Agencies adopted the FCRA's statutory definition of ``person''
in the final medical information rules. See 70 FR 70664 (Nov. 22,
2005). Therefore, it is unnecessary to re-publish the definition in
these rules.
Section --.20 Coverage and definitions
Coverage
Section --.20(a) of the final rules identifies the persons covered
by Subpart C of each Agency's rule. Section --.20(a) thus describes the
scope of each Agency's rule.
Definitions
Section --.20(b) of the final rules contains the definitions of six
terms for purposes of Subpart C.
Clear and Conspicuous
Proposed Sec. --.3(c) defined the term ``clear and conspicuous''
to mean reasonably understandable and designed to call attention to the
nature and significance of the information presented. Under this
definition, institutions would retain flexibility in determining how
best to meet the clear and conspicuous standard. The supplementary
information to the proposal provided guidance regarding a number of
practices that institutions might wish to consider in making their
notices clear and conspicuous. These practices were derived largely
from guidance included in the GLBA privacy rules.
Industry commenters urged the Agencies not to define ``clear and
conspicuous'' in the final rules. The principal objection these
commenters raised was that this definition would significantly increase
the risk of litigation and civil liability. Although these commenters
recognized that the proposed definition was derived from the GLBA
privacy regulations, they noted that compliance with the GLBA privacy
regulations is enforced exclusively through administrative action, not
through private litigation. These commenters also stated that the Board
had withdrawn a similar proposal to define ``clear and conspicuous''
for purposes of Regulations B, E, M, Z, and DD, in part because of
concerns about civil liability. Some industry commenters believed that
it was not necessary to define the term in order for consumers to
receive clear and conspicuous disclosures based on industry's
experience in providing clear and conspicuous affiliate sharing opt-out
notices. Consumer groups believed that incorporation of the standard
and examples from the GLBA privacy regulations was not adequate because
they did not believe that the existing standard has proven sufficient
to ensure effective privacy notices.
In the final rules, the Agencies have relocated the definition of
``clear and conspicuous'' to Sec. --.20(b)(1) in order to limit its
applicability to the affiliate
[[Page 62914]]
marketing opt-out notice and renewal notice. Except for certain non-
substantive changes made for purposes of clarity, the definition of
``clear and conspicuous'' is the same as in the proposal and is
substantively the same as the definition used in the GLBA privacy
rules. The Agencies believe that the clear and conspicuous standard for
the affiliate marketing opt-out notices should be substantially similar
to the standard that applies to GLBA privacy notices because the
affiliate marketing opt-out notice may be provided on or with the GLBA
privacy notice.
In defining ``clear and conspicuous,'' the Agencies believe it is
more appropriate to focus on the affiliate marketing opt-out notices
that are the subject of this rulemaking, rather than adopting a
generally applicable definition governing all consumer disclosures
under the FCRA. This approach gives the Agencies the flexibility to
refine or clarify the clear and conspicuous requirement for different
disclosures, if necessary. In addition, this approach is consistent
with the approach the Board indicated it would take when it withdrew
its proposed clear and conspicuous rules. The Board noted that it
intended ``to focus on individual disclosures and to consider ways to
make specific improvements to the effectiveness of each disclosure.''
See 69 FR 35541, 35543 (June 25, 2004).
The statute directs the Agencies to provide specific guidance
regarding how to comply with the clear and conspicuous standard. See 15
U.S.C. 1681s-3(a)(2)(B). For that reason, the Agencies do not agree
with commenters that requested the elimination of the definition of
``clear and conspicuous'' and related guidance. Rather, the Agencies
believe it is necessary to define ``clear and conspicuous'' in the
final rules and provide specific guidance for how to satisfy that
standard in connection with this notice.
Accordingly, the final rules contain two types of specific guidance
on satisfying the requirement to provide a clear and conspicuous opt-
out notice. First, as in the proposal, the supplementary information to
the final rules describes certain techniques that may be used to make
notices clear and conspicuous. These techniques are described below.
Second, the Agencies have adopted model forms that may, but are not
required to, be used to facilitate compliance with the affiliate
marketing notice requirements. The requirement for clear and
conspicuous notices would be satisfied by the appropriate use of one of
the model forms.
As noted in the supplementary information to the proposal,
institutions may wish to consider a number of methods to make their
notices clear and conspicuous. The various methods described below for
making a notice clear and conspicuous are suggestions that institutions
may wish to consider in designing their notices. Use of any of these
methods alone or in combination is voluntary. Institutions are not
required to use any particular method or combination of methods to make
their disclosures clear and conspicuous. Rather, the particular facts
and circumstances will determine whether a disclosure is clear and
conspicuous.
A notice or disclosure may be made reasonably understandable
through various methods that include: Using clear and concise
sentences, paragraphs, and sections; using short explanatory sentences;
using bullet lists; using definite, concrete, everyday words; using
active voice; avoiding multiple negatives; avoiding legal and highly
technical business terminology; and avoiding explanations that are
imprecise and are readily subject to different interpretations. In
addition, a notice or disclosure may be designed to call attention to
the nature and significance of the information in it through various
methods that include: Using a plain-language heading; using a typeface
and type size that are easy to read; using wide margins and ample line
spacing; and using boldface or italics for key words. Further,
institutions that provide the notice on a Web page may use text or
visual cues to encourage scrolling down the page, if necessary, to view
the entire notice and may take steps to ensure that other elements on
the Web site (such as text, graphics, hyperlinks, or sound) do not
distract attention from the notice. When a notice or disclosure is
combined with other information, methods for designing the notice or
disclosure to call attention to the nature and significance of the
information in it may include using distinctive type sizes, styles,
fonts, paragraphs, headings, graphic devices, and appropriate groupings
of information. However, there is no need to use distinctive features,
such as distinctive type sizes, styles, or fonts, to differentiate an
affiliate marketing opt-out notice from other components of a required
disclosure, for example, where a GLBA privacy notice combines several
opt-out disclosures in a single notice. Moreover, nothing in the clear
and conspicuous standard requires segregation of the affiliate
marketing opt-out notice when it is combined with a GLBA privacy notice
or other required disclosures.
The Agencies recognize that it will not be feasible or appropriate
to incorporate all of the methods described above all the time. The
Agencies recommend, but do not require, that institutions consider the
methods described above in designing their opt-out notices. The
Agencies also encourage the use of consumer or other readability
testing to devise notices that are understandable to consumers.
Finally, although the Agencies understand the concerns of some
industry commenters about the potential for civil liability, the
Agencies believe that these concerns are mitigated by the safe harbors
afforded by the model forms in Appendix C. The Agencies note that the
affiliate sharing opt-out notice under section 603(d)(2)(A)(iii) of the
FCRA, which may be enforced through private rights of action, must be
included in the GLBA privacy notice. Therefore, the affiliate sharing
opt-out notice generally is disclosed in a manner consistent with the
clear and conspicuous standard set forth in the GLBA privacy
regulations. Commenters did not identify any litigation that has
resulted from the requirement to provide a clear and conspicuous
affiliate sharing opt-out notice. The Agencies believe that compliance
with the examples and use of the model forms, although optional, should
minimize the risk of litigation.
Concise
Proposed Sec. --.21(b) defined the term ``concise'' to mean a
reasonably brief expression or statement. The proposal also provided
that a notice required by Subpart C may be concise even if it is
combined with other disclosures required or authorized by federal or
state law. Such disclosures include, but are not limited to, a GLBA
privacy notice, an affiliate-sharing notice under section
603(d)(2)(A)(iii) of the FCRA, and other consumer disclosures. Finally,
the proposal clarified that the requirement for a concise notice would
be satisfied by the appropriate use of one of the model forms contained
in proposed Appendix C to each Agency's FCRA rule, although use of the
model forms is not required. The Agencies received no comments on the
proposed definition of ``concise.'' The final rules renumber the
definition of ``concise'' as Sec. --.20(b)(2). The reference to the
model forms has been moved to Appendix C, but otherwise the definition
is adopted as proposed.
[[Page 62915]]
Eligibility Information
Proposed Sec. --.3(j) defined the term ``eligibility information''
to mean any information the communication of which would be a consumer
report if the exclusions from the definition of ``consumer report'' in
section 603(d)(2)(A) of the FCRA did not apply. As proposed,
eligibility information would include a person's own transaction or
experience information, such as information about a consumer's account
history with that person, and ``other'' information under section
603(d)(2)(A)(iii), such as information from consumer reports or
applications.
Most commenters generally supported the proposed definition of
``eligibility information'' as an appropriate means of simplifying the
statutory terminology without changing the scope of the information
covered by the rule. A number of commenters requested that the Agencies
clarify that certain types of information do not constitute eligibility
information, such as name, address, telephone number, Social Security
number, and other identifying information. One commenter requested the
exclusion of publicly available information from the definition.
Another commenter requested additional clarification regarding the term
``transaction or experience information.'' A few commenters suggested
that the Agencies include examples of what is and is not included
within ``eligibility information.'' Finally, one commenter urged the
Agencies to revise the definition to restate much of the statutory
definition of ``consumer report'' to eliminate the need for cross-
references.
The final rules renumber the definition of ``eligibility
information'' as --.20(b)(3). The Agencies have revised the definition
to clarify that the term ``eligibility information'' does not include
aggregate or blind data that does not contain personal identifiers.
Examples of personal identifiers include account numbers, names, or
addresses, as indicated in the definition, as well as Social Security
numbers, driver's license numbers, telephone numbers, or other types of
information that, depending on the circumstances or when used in
combination, could identify the individual.
The Agencies also believe that further clarification of, or
exclusions from, the term ``eligibility information,'' such as the
categorical exclusion of names, addresses, telephone numbers, other
identifying information, or publicly available information, would
directly implicate the definitions of ``consumer report'' and
``consumer reporting agency'' in sections 603(d) and (f), respectively,
of the FCRA. The Agencies decided not to define the terms ``consumer
report'' and ``consumer reporting agency'' in this rulemaking and not
to interpret the meaning of terms used in those definitions, such as
``transaction or experience'' information. The Agencies anticipate
addressing the definitions of ``consumer report'' and ``consumer
reporting agency'' in a separate rulemaking after the required FACT Act
rules have been completed. The Agencies also note that financial
institutions have relied on these statutory definitions for many years.
Pre-Existing Business Relationship
Proposed Sec. --.3(m) defined the term ``pre-existing business
relationship'' to mean a relationship between a person and a consumer
based on the following:
(1) A financial contract between the person and the consumer that
is in force;
(2) The purchase, rental, or lease by the consumer of that person's
goods or services, or a financial transaction (including holding an
active account or a policy in force or having another continuing
relationship) between the consumer and that person, during the 18-month
period immediately preceding the date on which a solicitation covered
by Subpart C is sent to the consumer; or
(3) An inquiry or application by the consumer regarding a product
or service offered by that person during the three-month period
immediately preceding the date on which a solicitation covered by
Subpart C is sent to the consumer.
The proposed definition generally tracked the statutory definition
contained in section 624 of the FCRA, with certain revisions for
clarity. Although the statute gave the Agencies the authority to
identify by regulation other circumstances that qualify as a pre-
existing business relationship, the Agencies did not propose to
exercise this authority. In the final rules, the definition of ``pre-
existing business relationship'' has been renumbered as Sec.
--.20(b)(4).
Industry commenters suggested certain revisions to the proposed
definition of ``pre-existing business relationship.'' Many industry
commenters asked the Agencies to include in the definition statutory
language relating to ``a person's licensed agent.'' A number of these
commenters noted that this concept was particularly important to the
insurance industry where independent, licensed agents frequently act as
the main point of contact between the consumer and the insurance
company.
In the final rules, the phrase ``or a person's licensed agent'' has
been added to the definition of ``pre-existing business relationship''
to track the statutory language. For example, assume that a person is a
licensed agent for the affiliated ABC life, auto, and homeowners'
insurance companies. A consumer purchases an ABC auto insurance policy
through the licensed agent. The licensed agent may use eligibility
information about the consumer obtained in connection with the ABC auto
policy it sold to the consumer to market ABC life and homeowner's
insurance policies to the consumer for the duration of the pre-existing
business relationship without offering the consumer the opportunity to
opt out of that use.
Regarding the first basis for a pre-existing business relationship
(a financial contract in force), several industry commenters asked the
Agencies to clarify that a financial contract includes any in-force
contract that relates to a financial product or service covered by
title V of the GLBA. One commenter objected to the requirement that the
contract be in force on the date of the solicitation. This commenter
believed that the Agencies should interpret the statute to permit the
exception to apply if a contract is in force at the time the affiliate
uses the information, rather than when the solicitation is sent, noting
that there may be a delay between the use and the solicitation.
The Agencies have revised the first prong of the definition of
``pre-existing business relationship'' to reflect the definition's
relocation to Subpart C, but have otherwise adopted it as proposed.
Although a comprehensive definition of the term ``financial contract''
has not been included in the final rules, the Agencies construe the
statutory term ``financial contract'' at least to include a contract
that relates to a consumer's purchase or lease of a financial product
or service that a financial holding company could offer under section
4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). In
addition, a financial contract which is in force will, in virtually all
instances, qualify as a ``financial transaction,'' as that term is used
in the second prong of the definition of ``pre-existing business
relationship.'' The Agencies do not agree with the suggestion that the
financial contract should be in force on the date of use rather than on
the date the solicitation is sent. The approach taken in the proposed
and final rules is consistent with the approach used in the other two
prongs of the statutory definition.
[[Page 62916]]
Industry commenters also suggested certain clarifications to the
second basis for a pre-existing business relationship--a purchase,
rental, or lease by the consumer of the person's goods or services, or
a financial transaction between the consumer and the person during the
preceding 18 months. Several industry commenters noted that,
notwithstanding the example in the proposal regarding a lapsed
insurance policy, it was not clear from what point in time the 18-month
period begins to run in the case of many purchase, rental, lease, or
financial transactions. These commenters asked the Agencies to clarify
that the 18-month period begins to run at the time all contractual
responsibilities of either party under the purchase, rental, lease, or
financial transaction expire. In addition, some commenters indicated
that the term ``active account'' should be clarified to mean any
account with outstanding contractual responsibilities on either side of
an account relationship, regardless of whether specific transactions do
or do not occur on that account.
The Agencies have revised the second prong of the definition of
``pre-existing business relationship'' to reflect the definition's
relocation to Subpart C, but have otherwise adopted it as proposed. The
Agencies decline to interpret the term ``active account'' as requested
by some commenters. The Agencies note that section 603(r) of the FCRA
defines the term ``account'' to have the same meaning as in section 903
of the Electronic Fund Transfer Act (EFTA). Under the EFTA, the term
``account'' means a demand deposit, savings deposit, or other asset
account established primarily for personal, family, or household
purposes. Some commenters, however, apparently believed that the term
``active account'' included extensions of credit. Credit extensions
presumably would qualify as ``another continuing relationship,'' as
used in the definition of ``pre-existing business relationship.''
More generally, however, even though a ``financial transaction''
would include in virtually all cases a financial contract which is in
force, as noted above, the Agencies do not believe it is appropriate to
state that the 18-month period begins to run when all outstanding
contractual responsibilities of both parties expire, regardless of
whether specific transactions occur. Such a clarification would not
appropriately address circumstances such as charge-offs, bankruptcies,
early terminations, or extended periods of credit inactivity that could
trigger commencement of the 18 month period. In addition, some contract
provisions, such as arbitration clauses and choice of law provisions,
may continue to have legal effect after all contractual performance has
ended. The Agencies do not believe that the continued effectiveness of
such provisions should delay commencement of the 18-month period.
Nevertheless, the Agencies believe that a few examples may provide
useful guidance to facilitate compliance. For example, in the case of a
closed-end mortgage or auto loan, the 18-month period generally would
begin to run when the consumer pays off the outstanding balance on the
loan. In a lease or rental transaction, the 18-month period generally
would begin to run when the lease or rental agreement expires or is
terminated by mutual agreement. In the case of general purpose credit
cards that are issued with an expiration date, the 18-month period
generally would begin to run when the consumer pays off the outstanding
balance on the card and the card is either cancelled or expires without
being renewed.
Commenters also made certain suggestions regarding the third basis
for a pre-existing business relationship--an inquiry or application by
the consumer regarding a product or service offered by the person
during the preceding three months. Consumer groups urged the Agencies
to clarify that an inquiry must be made of the specific affiliate,
rather than a general inquiry about a product or service. Industry
commenters expressed concern about certain statements in the
supplementary information that explained the meaning of an inquiry.
The Agencies do not agree that an inquiry must be made of a
specific affiliate. Many affiliated institutions use a central call
center to handle consumer inquiries. The clarification urged by
consumer groups could preclude the establishment of a pre-existing
business relationship based on a consumer's call to a central call
center about a specific product or service offered by an affiliate.
In the supplementary information to the proposal, the Agencies
noted that certain elements of the definition of ``pre-existing
business relationship'' were substantially similar to the definition of
``established business relationship'' under the amended Telemarketing
Sales Rule (TSR) (16 CFR 310.2(n)). The TSR definition was informed by
Congress's intent that the ``established business relationship''
exemption to the ``do not call'' provisions of the Telephone Consumer
Protection Act (47 U.S.C. 227 et seq.) should be grounded on the
reasonable expectations of the consumer.\10\ The Agencies observed that
Congress's incorporation of similar language in the definition of
``pre-existing business relationship'' \11\ suggested that it would be
appropriate to consider the reasonable expectations of the consumer in
determining the scope of this exception. Thus, the Agencies explained
that, for purposes of this regulation, an inquiry would include any
affirmative request by a consumer for information after which the
consumer would reasonably expect to receive information from the
affiliate about its products or services.\12\ Moreover, a consumer
would not reasonably expect to receive information from the affiliate
if the consumer did not request information or did not provide contact
information to the affiliate.
---------------------------------------------------------------------------
\10\ H.R. Rep. No. 102-317, at 14-15 (1991). See also 68 FR
4,580, 4,591-94 (Jan. 29, 2003).
\11\ 149 Cong. Rec. S13,980 (daily ed. Nov. 5, 2003) (statement
of Senator Feinstein) (noting that the ``pre-existing business
relationship'' definition ``is the same definition developed by the
Federal Trade Commission in creating a national `Do Not Call'
registry for telemarketers'').
\12\ See 68 FR at 4,594.
---------------------------------------------------------------------------
Industry commenters objected to the discussion in the supplementary
information. Some of these commenters believed that looking to the
reasonable expectations of the consumer would narrow the scope of the
exception and impose on institutions a subjective standard that
depended upon the consumer's state of mind. These commenters also
maintained that the availability of the exception should not depend
upon the consumer both requesting information and providing contact
information to the affiliate. Some commenters noted that either
requesting information or providing contact information should suffice
to establish an expectation of receiving solicitations. Other
commenters noted that consumers would not provide contact information
if they believed that the affiliate would already have the consumer's
contact information or would obtain it from the consumer's financial
institution. Some commenters believed that the consumer should not have
to make an affirmative request for information in order to have an
inquiry. Commenters also expressed concern that the discussion in the
supplementary information would require consumers to use specific words
to trigger the exception.
The Agencies have revised the third prong of the definition of
``pre-existing business relationship'' to reflect the definition's
relocation to Subpart C, but have otherwise adopted it as proposed. The
Agencies continue to believe that it
[[Page 62917]]
is appropriate to consider what the consumer says in determining
whether the consumer has made an inquiry about a product or service. It
may not be necessary, however, for the consumer to provide contact
information in all cases. As discussed below, the Agencies have revised
the examples of inquiries to illustrate different circumstances.
Consumer groups and NAAG urged the Agencies not to expand the
definition of ``pre-existing business relationship'' to include any
additional types of relationships. Industry commenters suggested a
number of additional bases for establishing a pre-existing business
relationship. Several industry commenters believed that the term ``pre-
existing business relationship'' should be defined to include
relationships arising out of the ownership of servicing rights, a
participation interest in lending transactions, and similar
relationships. These commenters provided no further explanation for why
such an expansion was necessary. One commenter urged the Agencies to
expand the definition of ``pre-existing business relationship'' to
apply to affiliates that share a common trade name, share the same
employees or representatives, operate out of the same physical location
or locations, and offer similar products.
In addition, a number of industry commenters requested
clarification of the term ``pre-existing business relationship'' as
applied to manufacturers that make sales through dealers. These
commenters explained that automobile manufacturers do not sell vehicles
directly to consumers, but through franchised dealers. Vehicle
financing may be arranged through a manufacturer's captive finance
company or independent sources of financing. These commenters noted
that manufacturers often provide consumers with information about
warranty coverage, recall notices, and other product information.
According to these commenters, manufacturers also send solicitations to
consumers about their products and services, drawing in part on
transaction or experience information from the captive finance company.
These commenters asked the Agencies to clarify that the relationship
between a manufacturer and a consumer qualifies as a pre-existing
business relationship based on the purchase, rental, or lease of the
manufacturer's goods, or, alternatively, to exercise their authority to
add this relationship as an additional basis for a pre-existing
business relationship. One commenter asked the Agencies to clarify that
a pre-existing business relationship could be established even if the
person provides a product or service to the consumer without charging a
fee.
The Agencies do not believe it is necessary to add any additional
bases for a pre-existing business relationship. The Agencies
acknowledge that a pre-existing business relationship exists where a
person owns the servicing rights to a consumer's loan and such person
collects payments from, or otherwise deals directly with, the consumer.
In the Agencies' view, however, that situation qualifies as a financial
transaction and thus falls within the second prong of the definition of
``pre-existing business relationship.'' The Agencies have included an
example, discussed below, to illustrate how the ownership of servicing
rights can create a pre-existing business relationship.
A pre-existing business relationship does not arise, however,
solely from a participation interest in a lending transaction because
such an interest does not result in a financial contract or a financial
transaction between the consumer and the participating party. The
Agencies decline to add a specific provision for franchised dealers.
The statute contains no special provision addressing franchised
dealers, as it does for licensed agents. Moreover, a franchised dealer
and a manufacturer generally are not affiliates and thus are subject to
the GLBA privacy rules relating to information sharing with non-
affiliated third parties. The Agencies also find no basis for including
within the meaning of ``pre-existing business relationship'' any
affiliate that shares a common trade name or representatives, or that
operates from the same location or offers similar products. Finally,
the Agencies decline to add a provision that would create a pre-
existing business relationship when a consumer obtains a product or
service without charge from a person. Such a provision would be overly
broad, is not necessary given the breadth of the statutory definition
of ``pre-existing business relationship,'' and could result in
circumvention of the notice requirement.
Proposed Sec. --.20(d)(1) provided four examples of the pre-
existing business relationship exception. In the final rules, these
examples have been renumbered as Sec. --.20(b)(4)(ii) and (iii), and
revised to illustrate the definition of ``pre-existing business
relationship,'' rather than the corresponding exception.
The two examples relating to the first and second prongs of the
definition of ``pre-existing business relationship'' have been revised
in Sec. --.20(b)(4)(ii)(A) and (B) to focus on a depository
institution as the person with the pre-existing business relationship,
but are otherwise substantively similar to the proposal. One commenter
recommended expanding the example now contained in Sec.
--.20(b)(4)(ii)(A) to refer to the licensed agent that wrote the policy
or services the relationship. The Agencies believe that adding the term
``licensed agent'' to the definition is sufficient and see no reason to
further complicate this example to illustrate how the definition
applies to licensed agents.
Section --.20(b)(4)(ii)(C) is new and illustrates when a pre-
existing business relationship is created in the context of a mortgage
loan. This example specifically addresses circumstances where either
the loan or ownership of the servicing rights to the loan is sold to a
third party. As this example illustrates, sale of the entire loan by
the original lender terminates the financial transaction between the
consumer and that lender and creates a new financial transaction
between the consumer and the purchaser of the loan. However, the
original lender's sale of a fractional interest in the loan to an
investor does not create a new financial transaction between the
consumer and the investor. When the original lender sells a fractional
interest in the consumer's loan to an investor but also retains an
ownership interest in the loan, however, the original lender continues
to have a pre-existing business relationship with the consumer because
the consumer obtained a loan from the lender and the lender continues
to own an interest in the loan. In addition, the ownership of servicing
rights coupled with direct dealings with the consumer results in a
financial transaction between the consumer and the owner of the
servicing rights, thereby creating a pre-existing business relationship
between the consumer and the owner of the servicing rights. The
Agencies note that a financial institution that owns servicing rights
generally has a customer relationship with the consumer and an
obligation to provide a GLBA privacy notice to the consumer.
The example in proposed Sec. --.20(d)(1)(iii) regarding
applications and inquiries elicited comment. Some industry commenters
urged the Agencies to revise this example so that it does not depend
upon the consumer's expectations or the consumer providing contact
information. These commenters noted, for example, that the contact
information would be self-evident if the consumer makes an e-mail
request or provides a return address on an envelope. These commenters
also believed that in the case of a telephone
[[Page 62918]]
call initiated by a consumer, a captured telephone number should be
sufficient to create an inquiry if the consumer requests information
about products or services.
In the final rules, the Agencies have crafted three separate
examples from proposed Sec. --.20(d)(1)(iii). Section
--.20(b)(4)(ii)(D) provides an example where a consumer applies for a
product or service, but does not obtain the product or service for
which she applied. Contact information is not mentioned in this example
because the consumer presumably would have supplied it on the
application.
Section --.20(b)(4)(ii)(E) provides an example where a consumer
makes a telephone inquiry about a product or service offered by a
depository institution and provides contact information to the
institution, but does not obtain a product or service from or enter
into a financial transaction with the institution. The Agencies do not
believe that an institution's capture of a consumer's telephone number
during a telephone conversation with the consumer about the
institution's products or services is sufficient to create an inquiry.
In that circumstance, to ensure that an inquiry has been made, the
institution should ask the consumer to provide his or her contact
information, or confirm with the consumer that the consumer has a pre-
existing business relationship with an affiliate.
Section --.20(b)(4)(ii)(F) provides an example where the consumer
makes an e-mail inquiry about a product or service offered by a
depository institution, but does not separately provide contact
information. In that case, the consumer provides the financial
institution with contact information in the form of the consumer's e-
mail address. In addition, e-mail communications, unlike telephone
communications, do not provide institutions with the same opportunity
to ask for the consumer's contact information.
Industry commenters recommended deleting the example in proposed
Sec. --.20(d)(1)(iv) illustrating a call center scenario where a
consumer would not reasonably expect to receive information from an
affiliate. In the final rules, the Agencies have included a positive
example of an inquiry made by a consumer through a call center in Sec.
--.20(b)(4)(ii)(G), while retaining the negative example from the
proposal in Sec. --.20(b)(4)(iii)(A). In addition, the Agencies have
included in Sec. --.20(b)(4)(iii)(B) an example of a consumer call to
ask about retail locations and hours, which does not create a pre-
existing business relationship. This example is substantively similar
to the example from proposed Sec. --.20(d)(2)(iii).
A new example in Sec. --.20(b)(4)(iii)(C) illustrates a case where
a consumer responds to an advertisement that offers a free promotional
item, but the advertisement does not indicate that an affiliate's
products or services will be marketed to consumers who respond to the
advertisement. The example illustrates that the consumer's response
does not create a pre-existing business relationship because the
consumer has not made an inquiry about a product or service, but has
merely responded to an offer for a free promotional item. Similarly, if
a consumer is directed by a company with which the consumer has a pre-
existing business relationship to contact the company's affiliate to
receive a promotional item but the company does not mention the
affiliate's products or services, the consumer's contact with the
affiliate about the promotional item does not create a pre-existing
business relationship between the consumer and the affiliate.
Solicitation
Proposed Sec. --.3(n) defined the term ``solicitation'' to mean
marketing initiated by a person to a particular consumer that is based
on eligibility information communicated to that person by its affiliate
and is intended to encourage the consumer to purchase a product or
service. The proposed definition further clarified that a
communication, such as a telemarketing solicitation, direct mail, or e-
mail, would be a solicitation if it is directed to a specific consumer
based on eligibility information. The proposed definition did not,
however, include communications that were directed at the general
public without regard to eligibility information, even if those
communications were intended to encourage consumers to purchase
products and services from the person initiating the communications.
Congress gave the Agencies the authority to determine by regulation
that other communications do not constitute a solicitation. The
Agencies did not propose to exercise this authority. The Agencies
solicited comment on whether, and to what extent, various tools used in
Internet marketing, such as pop-up ads, may constitute solicitations as
opposed to communications directed at the general public, and whether
further guidance was needed to address Internet marketing.
Most commenters believed that the proposed definition tracked the
statutory definition contained in section 624 of the FCRA. A number of
industry commenters, however, believed that the proposed definition
misstated the types of marketing that would not qualify as a
solicitation. Specifically, the first sentence of proposed Sec.
--.3(n)(2) provided that ``[a] solicitation does not include
communications that are directed at the general public and distributed
without the use of eligibility information communicated by an
affiliate.'' These commenters believed that a solicitation should not
include either marketing directed at the general public or marketing
distributed without the use of eligibility information communicated by
an affiliate. Several industry commenters also requested that the
Agencies include the phrase ``of a product or service'' in the
introductory language for consistency with the statutory definition.
Some industry commenters sought clarification that certain types of
communications would not constitute solicitations, for example,
marketing announcements delivered via pre-recorded call center
messages, automated teller machine screens, or Internet sites, or
product information provided at or through educational seminars,
customer appreciation events, or newsletters.
NAAG urged the Agencies to clarify the portion of the definition
that refers to ``a particular consumer.'' NAAG believed that mass
mailings of the same or similar marketing materials to a large group of
consumers could fall within the definition of ``solicitation,'' so long
as the marketing is based on eligibility information received from an
affiliate. NAAG expressed concern that some might construe the term
``particular'' to narrow the meaning of a ``solicitation.''
With regard to Internet marketing, industry commenters urged the
Agencies not to address such practices in this rulemaking. These
commenters believed that the definition of ``solicitation'' should
provide specific guidance that ``pop-up'' ads and other forms of
Internet marketing generally were directed to the general public and
not based on eligibility information received from an affiliate, or
that such marketing would fall within an exception. NAAG believed that
such advertisements should be treated as solicitations if they were
based on any eligibility information received from an affiliate.
Consumer groups believed that if an affiliate's pop-up ads and other
Internet marketing were the result of specific actions by the consumer
or information collected based upon a consumer's experience on the
Internet,
[[Page 62919]]
then such marketing should be considered solicitations. These
commenters also believed that pop-up ads and other Internet marketing
targeted to all customers of a company should be treated as
solicitations if based on the consumer's experience on the Internet.
Section --.20(b)(5) of the final rules contains the definition of
``solicitation.'' The definition has been revised to track the
statutory language more closely. The phrase ``of a product or service''
has been added to the definition, as requested by some commenters. To
ensure consistency with the definition of ``pre-existing business
relationship,'' the phrase ``or obtain'' has been retained so that the
definition of ``solicitation'' will include marketing for the rental or
lease of goods or services, financial transactions, and financial
contracts. The Agencies have also deleted as unnecessary the reference
to communications ``distributed without the use of eligibility
information communicated by an affiliate.'' Marketing that is
undertaken without the use of eligibility information received from an
affiliate is not covered by the affiliate marketing rules. Moreover,
there is no restriction on using eligibility information received from
an affiliate in marketing directed at the general public, such as
radio, television, or billboard advertisements. The phrase ``to a
particular consumer'' has been retained because it is part of the
statutory definition. The Agencies do not believe that the phrase ``to
a particular consumer'' excludes large-scale marketing campaigns from
the definition of ``solicitation'' because, within such campaigns,
eligibility information received from an affiliate may be used to
target individual consumers.
The definition of ``solicitation'' does not distinguish between
different mediums. A determination of whether a marketing communication
constitutes a solicitation depends upon the facts and circumstances.
The Agencies have decided not to make those determinations in this
rulemaking. Thus, the Agencies are not adopting special rules or
guidance regarding Internet-based marketing; whether Internet-based
marketing is a solicitation in a particular case will be determined
according to the same criteria that apply to other means of marketing.
The Agencies also decline to exclude categorically from the definition
of ``solicitation'' marketing messages on voice response units, ATM
screens, or other forms of media. Marketing delivered via such media
may be solicitations if such marketing is targeted to a particular
consumer based on eligibility information received from an affiliate.
For example, a marketing message on an ATM screen would be a
solicitation if it is targeted to a particular consumer based on
eligibility information received from an affiliate, but would not be a
solicitation if it is delivered to all consumers that use the ATM.
Similarly, the Agencies decline to exclude educational seminars,
customer appreciation events, focus group invitations, and similar
forms of communication from the definition of ``solicitation.'' The
Agencies believe that such activities must be evaluated according to
the facts and circumstances and some of those activities may be coupled
with, or a prelude to, a solicitation. For example, an invitation to a
financial educational seminar where the invitees are selected based on
eligibility information received from an affiliate may be a
solicitation if the seminar is used to solicit the consumer to purchase
investment products or services.
You or Bank
Section --.20(b)(6) of each Agency's rule defines either ``you'' or
``bank'' to include persons covered by Subpart C of the Agency's rule,
as described in Sec. --.20(a).
Section --.21 Affiliate Marketing Opt-out and Exceptions
Initial Notice and Opt-out Requirement
The Agencies proposed to establish certain rules relating to the
requirement to provide the consumer with notice and a reasonable
opportunity and a simple method to opt out of a person's use of
eligibility information that it obtained from an affiliate for the
purpose of making or sending solicitations to the consumer. The
Agencies noted that the statute is ambiguous because it does not
specify which affiliate must provide the opt-out notice to the
consumer. The Agencies addressed this ambiguity by proposing to place
certain responsibilities on the communicating affiliate and other
responsibilities on the receiving affiliate.
Proposed Sec. --.20(a) set forth the duties of a communicating
affiliate. That section required the communicating affiliate to provide
a notice to the consumer before a receiving affiliate could use
eligibility information to make or send solicitations to the consumer.
Under the proposal, the opt-out notice would state that eligibility
information may be communicated to and used by the receiving affiliate
to make or send solicitations to the consumer regarding the affiliate's
products and services, and would give the consumer a reasonable
opportunity and a simple method to opt out.
Proposed Sec. --.20(a) also contained two rules of construction
relating to the communicating affiliate's duty to provide the notice.
The first rule of construction would have allowed the notice to be
provided either in the name of a person with which the consumer
currently does or previously has done business or in one or more common
corporate names shared by members of an affiliated group of companies
that includes the common corporate name used by that person. The rule
of construction also would have provided alternatives regarding the
manner in which the notice could be given, such as by allowing the
communicating affiliate to provide the notice either directly to the
consumer, through an agent, or through a joint notice with one or more
of its affiliates. The second rule of construction would have clarified
that, to avoid duplicate notices, it would not be necessary for each
affiliate that communicates the same eligibility information to provide
an opt-out notice to the consumer, so long as the notice provided by
the affiliate that initially communicated the information was broad
enough to cover use of that information by each affiliate that received
and used it to make solicitations. The proposal included examples to
illustrate how each of these rules of construction would work.
Proposed Sec. --.20(b) set forth the general duties of a receiving
affiliate. That section would have prohibited the receiving affiliate
from using eligibility information it received from an affiliate to
make solicitations to the consumer unless, prior to such use, the
consumer was provided an opt-out notice that applied to that
affiliate's use of eligibility information to make solicitations and a
reasonable opportunity and simple method to opt out, and the consumer
did not opt out of that use.
Most industry commenters maintained that the final rules should not
require any specific entity to provide the opt-out notice, but should
only require that the consumer be provided an opt-out notice covering
an affiliate's use of eligibility information before a solicitation is
made to the consumer. These commenters believed the final rules should
provide flexibility and allow either the receiving affiliate, the
communicating affiliate, or any other affiliate to provide the opt-out
notice. These commenters maintained that the statute is not ambiguous
and
[[Page 62920]]
does not impose any obligations on a specific entity, such as the
communicating affiliate, to provide the opt-out notice. Some of these
commenters acknowledged, however, that the communicating affiliate
would, as a practical matter, most likely give the opt-out notice.
A number of industry commenters expressed concern that the proposed
rules would create a basis for civil liability against the
communicating affiliate under section 624 because that section is
covered by the FCRA's private right of action provisions in sections
616 and 617. Some commenters noted that, to avoid exposure to civil
liability, a communicating affiliate would have to require receiving
affiliates to commit to not using the information to make
solicitations, give an opt-out notice whenever they share eligibility
information with affiliates, or never share eligibility information
with affiliates. These commenters maintained that, in many cases, none
of these solutions would be practical, for example, where a receiving
affiliate negligently failed to comply with a commitment not to make
solicitations unless notice has been given to the consumer.
Several industry commenters noted that the language in section
624(a)(1)(A) that ``information may be communicated'' could be included
in an opt-out notice provided by the receiving affiliate. These
commenters also believed that the statutory requirement that the
Agencies consider existing affiliate sharing notification practices and
permit coordinated and consolidated notices did not imply that the
communicating affiliate should be responsible for providing the opt-out
notice.
Industry commenters made several suggestions for revising the
language of the proposal. Some suggested revising proposed Sec.
--.20(a) to omit any reference to the communicating affiliate and to
incorporate the passive voice used in the statute. Others suggested
various ways of merging proposed Sec. --.20(b) into proposed Sec.
--.20(a) to focus exclusively on the responsibilities of the receiving
affiliate. One commenter identified certain drafting problems it
believed arose from the fact that the proposal focused alternately on
the communicating affiliate and the receiving affiliate and that those
two entities may be regulated by different regulatory agencies.
A few industry commenters acknowledged that the Agencies had raised
legitimate concerns in the supplementary information to the proposal
about how meaningful a notice could be when provided by a receiving
affiliate that the consumer may not recognize. These commenters
believed that this concern could be addressed through other means. One
commenter, for example, suggested the following introductory language
in paragraph (a)(2): ``The notice required by this paragraph (a) may be
provided either in the name of the bank receiving the information
(provided that such bank also identifies the affiliate which provided
such information), in the name of the affiliate which provided such
information, or in one or more common corporate names shared by such
bank and the affiliate which provided the information, and may be
provided in the following manner * * * '' Another industry commenter
expressed support for the rules of construction with revisions to allow
the use of brand names and trade names, as well as the actual
``corporate'' name, and to allow an agent or affiliate to send a common
notice that uses more than one common name in a non-deceptive manner.
Consumer group commenters supported making the communicating
affiliate responsible for providing the notice and opportunity to opt
out. These commenters believed that allowing the receiving affiliate to
send the opt-out notice would invite consumer confusion as to whether
or not the opt-out notice itself is a solicitation. These commenters
also believed that the Agencies should require the names of the
receiving affiliates to be clearly disclosed to the consumer. Consumer
groups also believed that the proposed rules of construction struck a
reasonable balance by allowing commonly named affiliates to share a
notice while making clear that a notice from an affiliate with whom the
consumer is not familiar will not be effective. They also suggested
that the company with the pre-existing business relationship should be
clearly marked on the opt-out notice.
NAAG believed that a receiving affiliate should not be permitted to
give the opt-out notice solely on its own behalf because a receiving
affiliate is unlikely to be an entity from which the consumer would
expect to receive important communications. NAAG also requested that
the Agencies revise certain portions of the proposed rules of
construction, for example, by deleting from proposed Sec.
--.20(a)(2)(i) the phrase ``or previously has done business'' based on
concerns that it would render the notice partially ineffective because,
even without this phrase, the notice would not be required for 18
months after a customer relationship ends. NAAG also requested that the
Agencies revise proposed Sec. Sec. --.20(a)(2)(B)(2) and (a)(2)(C) to
clarify that the common name used must be one that includes the name
used by the person providing the opt-out notice.
In the proposal, the Agencies did not require the opt-out notice to
be provided in writing. The Agencies noted, however, that they
contemplated that the opt-out notice would be provided to the consumer
in writing or, if the consumer agrees, electronically. The proposal
solicited comment on whether there were circumstances in which it would
be necessary and appropriate to allow oral notice and opt out and how
an oral notice could satisfy the clear and conspicuous standard in the
statute.
Industry commenters believed that the final rules should permit
oral notices. These commenters identified circumstances in which a
relationship is established by telephone as an example of when oral
notice would be appropriate. Some industry commenters also noted that
an oral notice should be permitted because the affiliate sharing opt-
out notice under section 603(d)(2)(A)(iii) may be given orally, as well
as in writing or electronically. Several industry commenters noted that
the FTC in the Telemarketing Sales Rule and the OCC in regulations
relating to debt cancellation contracts and debt suspension agreements
have permitted clear and conspicuous oral notices. These commenters did
not believe that allowing oral notice in these circumstances had
created any enforcement difficulties for the FTC or OCC. Other industry
commenters noted that institutions could demonstrate compliance through
the use of scripts or by monitoring or recording calls.
Consumer groups believed that a written opt-out notice should be
required in all cases. These commenters believed that, with an oral
notice, it is impossible to ensure that a consumer receives the
appropriate notice or information on the right to opt out. They
believed that allowing oral notices would create enforcement barriers
for regulators. Consumer groups also believed that institutions have
strong economic incentives to prevent consumers from opting out and
would engage in misrepresentations or otherwise use language in their
scripts that is designed to discourage consumers from opting out. NAAG
believed that oral notices would not meet the statutory requirement for
a clear, conspicuous, and concise notice, that consumers would be less
likely to comprehend oral notices, and enforcement would be more
difficult if oral opt-out notices were allowed.
Section --.21(a) of the final rules contains the revised provisions
[[Page 62921]]
regarding the initial notice and opt out requirement. Although the
language of this section has been revised and simplified, the substance
of this provision is substantially similar to the proposal.
Section --.21(a)(1) sets forth the general rule. This section
contains the three conditions that must be met before a person may use
eligibility information about a consumer that it receives from an
affiliate to make a solicitation for marketing purposes to the
consumer. First, it must be clearly and conspicuously disclosed to the
consumer in writing or, if the consumer agrees, electronically, in a
concise notice that the person may use shared eligibility information
to make solicitations to the consumer. Second, the consumer must be
provided a reasonable opportunity and a reasonable and simple method to
opt out of the use of that eligibility information to make
solicitations to the consumer. Third, the consumer must not have opted
out. Section --.21(a)(2) of the final rules provides an example of the
general rule.
The Agencies have concluded that the opt-out notice may not be
provided orally, but must be provided in writing or, if the consumer
agrees, electronically. The statute requires the Agencies to consider
the affiliate sharing notification practices employed on the date of
enactment and to ensure that notices and disclosures may be coordinated
and consolidated in promulgating regulations. The affiliate sharing
notice under section 603(d)(2)(A)(iii) of the FCRA generally must be
included in the GLBA privacy notice, which must be provided in writing,
or if the consumer agrees, electronically. Requiring the affiliate
marketing opt-out notice to be provided in writing, or if the consumer
agrees, electronically, is thus consistent with existing affiliate
sharing notification practices and promotes coordination and
consolidation of the three privacy-related opt-out notices. The
Agencies are not persuaded that there are any circumstances where it
would be necessary to provide an oral opt-out notice. A number of key
exceptions to the initial notice and opt-out requirement, such as the
pre-existing business relationship exception, consumer-initiated
communication exception, and consumer authorization or request
exception, may be triggered by an oral communication with the consumer.
It also could be more difficult for the Agencies to monitor and enforce
compliance with the final rules if oral opt-out notices were allowed.
Accordingly, the final rules require the opt-out notice to be provided
in writing or, if the consumer agrees, electronically.
Section --.21(a)(3) identifies those affiliates who may provide the
initial opt-out notice. This section provides that the initial opt-out
notice must be provided either by an affiliate that has or has
previously had a pre-existing business relationship with the consumer,
or as part of a joint notice from two or more members of an affiliated
group of companies, provided that at least one of the affiliates on the
joint notice has or has previously had a pre-existing business
relationship with the consumer. The final rules follow the general
approach taken in the proposal to ensure that the notice is provided by
an entity known to the consumer, while eliminating potentially
ambiguous and confusing terms like ``communicating affiliate'' and
``receiving affiliate.''
The Agencies also have eliminated as unnecessary the rules of
construction. Joint notices are now addressed directly in Sec.
--.21(a)(3). The Agencies also have concluded that the provisions from
the proposal relating to notice provided by an agent are unnecessary.
General agency principles, however, continue to apply. An affiliate
that has or has previously had a pre-existing business relationship
with the consumer may direct its agent to provide the opt-out notice on
its behalf.
The Agencies have concluded that the statute's silence with regard
to which affiliates may provide the opt-out notice makes the statute
ambiguous on this point, despite industry comments to the contrary. The
Agencies also continue to believe that consumers are more likely to pay
attention to a notice provided by a person known to the consumer. The
Agencies remain concerned that a notice provided by an entity unknown
to the consumer may not provide meaningful or effective notice, and
that consumers may ignore or discard notices provided by unknown
entities. Industry comments on the proposal did little to address those
concerns. For practical reasons, the Agencies believe that affiliate
marketing opt-out notices typically would be provided by an affiliate
that has or has previously had a pre-existing business relationship
with the consumer, or as part of a joint notice, whether or not
required by the rule.
The Agencies appreciate industry concerns about civil liability and
have revised the final rules to address those concerns. Specifically,
in contrast to the proposal, the final rules do not impose duties on
any affiliate other than the affiliate that intends to use shared
eligibility information to make solicitations to the consumer. Although
an opt-out notice must be provided by an affiliate that has or has
previously had a pre-existing business relationship with the consumer
(or as part of a joint notice), that affiliate has no duty to provide
such a notice. Instead, the final rule provides that absent such a
notice, an affiliate must not use shared eligibility information to
make solicitations to the consumer. Industry concerns about civil
liability also may be mitigated to some extent by the Supreme Court's
recent decision in Safeco Ins. Co. of America v. Burr, 127 S. Ct. 2201
(June 4, 2007).
Finally, many institutions currently require consumers to provide
their Social Security numbers when exercising their existing GLBA and
FCRA opt-out rights. The Agencies believe that institutions likely
would follow their existing practice with regard to affiliate marketing
opt-outs. To combat identity theft and prevent ``phishing,'' however,
the Agencies, along with many institutions, have been educating
consumers not to provide their Social Security numbers to unknown
entities. Furthermore, as participants in the President's Identity
Theft Task Force, the Agencies have made a commitment to examine and
recommend ways to limit the private sector's use of Social Security
numbers.
The approach recommended by industry commenters would allow an
unknown entity not only to provide an affiliate marketing opt-out
notice to the consumer, but also to require the consumer to reveal his
or her Social Security number to that unknown entity in order to
exercise the opt-out right. Such an approach would send conflicting
messages to consumers about providing Social Security numbers to
unknown entities. This approach also would be inconsistent with the
Agencies' current efforts to develop a comprehensive record on the uses
of the Social Security number in the private sector and evaluate their
necessity, as recommended by the President's Identity Theft Task
Force.\13\
---------------------------------------------------------------------------
\13\ See Combating Identity Theft: A Strategic Plan at 26-27
(April 2007) (available at www.idtheft.gov).
---------------------------------------------------------------------------
Making Solicitations
The proposal repeatedly referred to ``making or sending''
solicitations. Several commenters suggested revising the regulations to
eliminate all references to ``sending'' solicitations. These commenters
believed that the statute only concerns the use of eligibility
information to ``make'' solicitations and does not address ``sending''
solicitations. Commenters expressed concern that by referring to
[[Page 62922]]
``sending'' solicitations, the proposal would apply the notice and opt-
out requirements to servicers that send solicitations on behalf of
another entity.
The Agencies have revised the final rules to eliminate all combined
references to ``making or sending'' solicitations. The general rule in
section 624(a)(1), along with the duration provisions in section
624(a)(3) and the pre-existing business relationship exception in
section 624(a)(4)(A), refer to ``making'' or ``to make'' a
solicitation. Other provisions of the statute, such as the consumer
choice provision in section 624(a)(2)(A), the service provider
exception in section 624(a)(4)(C), the non-retroactivity provision in
section 624(a)(5), and the definition of ``pre-existing business
relationship'' in section 624(d)(1), refer to ``sending'' or ``to
send'' a solicitation. The verb ``to send,'' as used in the statute,
refers to a ministerial act that a service provider, such as a mail
house, performs for the person making the solicitation, (see 15 U.S.C.
1681s-3(a)(4)(C)), or indicates the point in time after which
solicitations are no longer permitted. See 15 U.S.C. 1681s-3(d)(1)(B)
and (C).
The Agencies conclude that ``making'' and ``sending'' solicitations
are different activities and that the focus of the statute is primarily
on the ``making'' of solicitations. For example, a service provider may
send a solicitation on behalf of another entity, but it is the entity
on whose behalf the solicitation is sent that is making the
solicitation and thus is subject to the general prohibition on making a
solicitation, unless the consumer is given notice and an opportunity to
opt out. Accordingly, the Agencies have revised the final rules to
refer to ``making'' a solicitation, except where the statute
specifically refers to ``sending'' solicitations.
The statute, however, does not describe what a person must do in
order ``to make'' a solicitation. Similarly, the legislative history
does not contain guidance as to the meaning of ``making'' a
solicitation. Nevertheless, the Agencies believe it is important to
provide clear guidance regarding what activities result in making a
solicitation.
One commenter suggested that the test for making a solicitation
should turn on whether an affiliate having a pre-existing business
relationship with the consumer retains the discretion to determine
whether or not to send the solicitation. This commenter provided an
example where a financial institution obtains a list of an affiliate's
customers from a common shared database, applies its own criteria to
this list, and then requests the affiliate with an existing business
relationship to solicit the affiliate's own customers to purchase the
financial institution's products or services. (Thus, the financial
institution would be using eligibility information to select a list of
its affiliate's customers to receive the financial institution's
marketing materials.) This commenter believed that section 624 should
not apply so long as the affiliate with the existing business
relationship has discretion to determine whether or not to send the
solicitations. This commenter also maintained that the applicability of
section 624's notice and opt-out requirement should depend on who
markets the product and not on what the product is or whose product it
is.
Nothing in the statute indicates that the discretion of the
affiliate providing the eligibility information to determine whether or
not to send a solicitation on behalf of a person who has received
eligibility information from that affiliate is the test for what
constitutes making a solicitation. Rather, the statute focuses on
whether the person receiving eligibility information from an affiliate
uses that information to market its products or services to consumers.
A ``discretion to send'' test would also inappropriately link the terms
``making'' and ``sending'' in a manner that would promote confusion and
undercut arguments made by commenters urging the Agencies to
disassociate the two terms. Finally, a ``discretion to send'' test
could foster circumvention of the notice and opt-out requirement,
restrict the ability of consumers to prohibit solicitations in a manner
not contemplated by the statute, and make it difficult for the Agencies
to administer and enforce the statute.
Section --.21(b) of the final rules clarifies what constitutes
``making'' a solicitation for purposes of Subpart C. Section
--.21(b)(1) provides that a person makes a solicitation for marketing
purposes to a consumer if: (a) The person receives eligibility
information from an affiliate; (b) the person uses that eligibility
information to do one of the following--identify the consumer or type
of consumer to receive a solicitation, establish the criteria used to
select the consumer to receive a solicitation, or decide which of its
products or services to market to the consumer or tailor its
solicitation to that consumer; and (c) as a result of the person's use
of the eligibility information, the consumer is provided a solicitation
about the person's products or services.
The Agencies recognize that several common industry practices may
complicate application of the rule outlined in Sec. --.21(b)(1).
First, affiliated groups often use a common database as the repository
for eligibility information obtained by various affiliates, and
information in that database may be accessible to multiple affiliates.
Second, affiliated companies often use service providers to perform
marketing activities, and some of those service providers may provide
services for a number of different affiliates. Third, an affiliate may
use its own eligibility information to market the products or services
of another affiliate. Sections --.21(b)(2)-(5) address these issues.
Section --.21(b)(2) clarifies that a person may receive eligibility
information from an affiliate in various ways, including when the
affiliate places that information into a common database that the
person may access. Of course, receipt of eligibility information from
an affiliate is only one element of the rule outlined in Sec.
--.21(b)(1). In the case of a common database, use of the eligibility
information will be the key element in determining whether a person has
made a solicitation.
Section --.21(b)(3) provides that a person receives or uses an
affiliate's eligibility information if a service provider acting on
behalf of the person receives or uses that information in the manner
described in Sec. Sec. --.21(b)(1)(i) or (b)(1)(ii), except as
provided in Sec. --.21(b)(5), which is discussed below. Section
--.21(b)(3) also provides that all relevant facts and circumstances
will determine whether a service provider is acting on behalf of a
person when it receives or uses an affiliate's eligibility information
in connection with marketing that person's products or services.
Section --.21(b)(4) addresses constructive sharing. In the
supplementary information to the proposal, the Agencies solicited
comment on whether the notice and opt-out requirements of these rules
should apply to circumstances that involve a ``constructive sharing''
of eligibility information to conduct marketing, given the policy
objectives of section 214 of the FACT Act. By way of example, in a
``constructive sharing'' scenario, a consumer has a relationship with a
financial institution, and the financial institution is affiliated with
an insurance company. The insurance company develops specific
eligibility criteria, such as consumers having combined deposit
balances in excess of $50,000 or average monthly demand account
deposits in excess of $10,000, without the use of eligibility
information received from the financial institution. The insurance
company provides its criteria to the financial
[[Page 62923]]
institution and asks the institution to identify financial institution
consumers that meet the eligibility criteria and send insurance company
marketing materials to those consumers. The financial institution sends
the marketing materials to those consumers who meet the insurance
company's eligibility criteria. A consumer who meets the eligibility
criteria contacts the insurance company after receiving the insurance
company marketing materials in the manner specified in those materials.
The consumer's response provides the insurance company with discernible
eligibility information, such as through a response form that is coded
to identify the consumer as an individual who meets the specific
eligibility criteria.\14\
---------------------------------------------------------------------------
\14\ The supplementary information to the proposal noted that
the notice and opt-out requirement would not apply if, for example,
an insurance company asked its affiliated financial institution to
include insurance company marketing material in periodic statements
sent to consumers by the financial institution without regard to
eligibility information.
---------------------------------------------------------------------------
Industry commenters urged the Agencies not to apply the notice and
opt-out requirement to ``constructive sharing'' situations. The
principal arguments made by these commenters in support of their
position were as follows. First, in a constructive sharing scenario,
there is no sharing of eligibility information among affiliates.
Rather, the consumer provides information to an affiliate when
responding. Second, section 624 applies when a person uses eligibility
information furnished by its affiliate to make a solicitation for its
own products or services to the consumer. In constructive sharing,
however, the person does not use eligibility information and does not
make a solicitation as defined in the statute. Third, the affiliate
that sends the marketing material has a pre-existing business
relationship with the consumer and is thus exempt from the notice and
opt-out requirements. Fourth, if the consumer responds to the marketing
materials, for example, by returning a response card to an affiliate,
one or more of the exceptions to the notice and opt-out requirement
would apply, such as the consumer-initiated communication exception,
the pre-existing business relationship exception, or both.
Consumer groups believed that constructive sharing contravenes the
intent of Congress and amounts to a loophole that should be fixed.
Similarly, NAAG believed that the letter and spirit of section 624
required subjecting constructive sharing to the notice and opt-out
requirements and that to find otherwise would create a significant and
unwarranted exception.
After considering the constructive sharing issue, the Agencies
conclude that the statute only covers situations where a person uses
eligibility information that it received from an affiliate to make a
solicitation to the consumer about its products or services. In a
``constructive sharing'' scenario like that described above, a pre-
existing business relationship is established between the consumer and
the insurance company when the consumer contacts the insurance company
to inquire about or apply for insurance products as a result of the
consumer's receipt of the insurance marketing materials. This pre-
existing business relationship is established before the insurance
company uses any shared eligibility information to make solicitations
to the consumer. Because the insurance company does not use shared
eligibility information to make solicitations to the consumer before it
establishes a pre-existing business relationship with the consumer, the
statute does not apply.
The Agencies acknowledge the concerns expressed by consumer groups
and NAAG regarding the decision not to apply the notice and opt-out
requirements to constructive sharing situations. The statute's
affiliate marketing provisions, however, only limit the use of
eligibility information received from an affiliate to make
solicitations to a consumer. A separate provision of the FCRA, section
603(d)(2)(A)(iii), regulates the sharing of eligibility information
among affiliates and prohibits the sharing of non-transaction or
experience information, such as credit scores from a consumer report or
income from an application, among affiliates, unless the consumer is
given notice and an opportunity to opt out of such sharing. The FCRA
does not restrict the sharing of transaction or experience information
among affiliates unless that information is medical information.
Section 603(d)(2)(A)(iii) operates independent of the affiliate
marketing rules. Thus, the existence of a pre-existing business
relationship between a consumer and an affiliate that seeks to use
shared eligibility information, such as credit scores or income, to
market to that consumer (or the applicability of another exception to
these affiliate marketing rules) does not relieve the entity sharing
the credit score or income information of the requirement to comply
with the affiliate sharing notice and opt-out provisions of section
603(d)(2)(A)(iii) of the FCRA before it shares that non-transaction or
experience information with its affiliate.\15\
---------------------------------------------------------------------------
\15\ A sharing of information occurs if a reference code
included in marketing materials reveals one affiliate's information
about a consumer to another affiliate upon receipt of a consumer's
response.
---------------------------------------------------------------------------
Section --.21(b)(4) describes two situations where a person is
deemed not to have made a solicitation subject to Subpart C. Both
situations assume that the person has not used eligibility information
received from an affiliate in the manner described in Sec.
--.21(b)(1)(ii). First, a person does not make a solicitation subject
to Subpart C if that person's affiliate uses its own eligibility
information that it obtained in connection with a pre-existing business
relationship it has or had with the consumer to market the person's
products or services to the consumer. Second, if, in the situation just
described, the person's affiliate directs its service provider to use
the affiliate's own eligibility information to market the person's
products or services to the consumer, and the person does not
communicate directly with the service provider regarding that use of
the eligibility information, then the person has not made a
solicitation subject to Subpart C.
The core concept underlying the second prong of this provision is
that the affiliate that obtained the eligibility information in
connection with a pre-existing business relationship with the consumer
controls the actions of the service provider using that information.
Therefore, the service provider's use of the eligibility information
should not be attributed to the person whose products or services will
be marketed to consumers. In such circumstances, the service provider
is acting on behalf of the affiliate that obtained the eligibility
information in connection with a pre-existing business relationship
with the consumer, and not on behalf of the person whose products or
services will be marketed to that affiliate's consumers.
The Agencies also recognize that there may be situations where the
person whose products or services are being marketed does communicate
with the affiliate's service provider. This may be the case, for
example, where the service provider performs services for various
affiliates relying on information maintained in and accessed from a
common database. In certain circumstances, the person whose products or
services are being marketed may communicate with the affiliate's
service provider, yet the service provider is still acting on behalf of
the affiliate when it uses the affiliate's
[[Page 62924]]
eligibility information in connection with marketing the person's
products or services. Section --.21(b)(5) describes the conditions
under which a service provider would be deemed to be acting on behalf
of the affiliate with the pre-existing business relationship, rather
than the person whose products or services are being marketed,
notwithstanding direct communications between the person and the
service provider.
Section --.21(b)(5) builds upon the concept of control of a service
provider and thus is a natural outgrowth of Sec. --.21(b)(4). Under
the conditions set out in Sec. --.21(b)(5), the service provider is
acting on behalf of an affiliate that obtained the eligibility
information in connection with a pre-existing business relationship
with the consumer because, among other things, the affiliate controls
the actions of the service provider in connection with the service
provider's receipt and use of the eligibility information. This
provision is designed to minimize uncertainty that may arise from
application of the facts and circumstances test in Sec. --.21(b)(3) to
cases that involve direct communications between a service provider and
a person whose products and services will be marketed to consumers.
Section --.21(b)(5) provides that a person does not make a
solicitation subject to Subpart C if a service provider (including an
affiliated or third-party service provider that maintains or accesses a
common database that the person may access) receives eligibility
information from the person's affiliate that the person's affiliate
obtained in connection with a pre-existing business relationship it has
or had with the consumer and uses that eligibility information to
market the person's products or services to the consumer, so long as
the following five conditions are met.
First, the person's affiliate controls access to and use of its
eligibility information by the service provider (including the right to
establish specific terms and conditions under which the service
provider may use such information to market the person's products or
services). This requirement must be set forth in a written agreement
between the person's affiliate and the service provider. The person's
affiliate may demonstrate control by, for example, establishing and
implementing reasonable policies and procedures applicable to the
service provider's access to and use of its eligibility information.
Second, the person's affiliate establishes specific terms and
conditions under which the service provider may access and use that
eligibility information to market the person's products or services (or
those of affiliates generally) to the consumer, and periodically
evaluates the service provider's compliance with those terms and
conditions. These terms and conditions may include the identity of the
affiliated companies whose products or services may be marketed to the
consumer by the service provider, the types of products or services of
affiliated companies that may be marketed, and the number of times the
consumer may receive marketing materials. The specific terms and
conditions established by the person's affiliate must be set forth in
writing, but need not be set forth in a written agreement between the
person's affiliate and the service provider. If a periodic evaluation
by the person's affiliate reveals that the service provider is not
complying with those terms and conditions, the Agencies expect the
person's affiliate to take appropriate corrective action.
Third, the person's affiliate requires the service provider to
implement reasonable policies and procedures designed to ensure that
the service provider uses the affiliate's eligibility information in
accordance with the terms and conditions established by the affiliate
relating to the marketing of the person's products or services. This
requirement must be set forth in a written agreement between the
person's affiliate and the service provider.
Fourth, the person's affiliate is identified on or with the
marketing materials provided to the consumer. This requirement will be
construed flexibly. For example, the person's affiliate may be
identified directly on the marketing materials, on an introductory
cover letter, on other documents included with the marketing materials,
such as a periodic statement, or on the envelope which contains the
marketing materials.
Fifth, the person does not directly use the affiliate's eligibility
information in the manner described in Sec. --.21(b)(1)(ii).
These five conditions together ensure that the service provider is
acting on behalf of the affiliate that obtained the eligibility
information in connection with a pre-existing business relationship
with the consumer because that affiliate controls the service
provider's receipt and use of that affiliate's eligibility information.
Section --.21(b)(6) provides six illustrative examples of the rules
relating to making solicitations as set forth in Sec. Sec.
--.21(b)(1)-(5).
Exceptions
Proposed Sec. --.20(c) contained exceptions to the requirements of
Subpart C and incorporated each of the statutory exceptions to the
affiliate marketing notice and opt-out requirements that are set forth
in section 624(a)(4) of the FCRA. The Agencies have revised the preface
to the exceptions for clarity to provide that the provisions of Subpart
C do not apply to ``you'' or ``the bank'' if a person uses eligibility
information that it receives from an affiliate in certain
circumstances. In addition, each of the exceptions has been moved to
Sec. --.21(c) in the final rules and is discussed below.
Pre-Existing Business Relationship Exception
Proposed Sec. --.20(c)(1) provided that the provisions of Subpart
C would not apply to an affiliate using eligibility information to make
a solicitation to a consumer with whom the affiliate has a pre-existing
business relationship. As noted above, a pre-existing business
relationship exists when: (1) There is a financial contract in force
between the affiliate and the consumer; (2) the consumer and the
affiliate have engaged in a financial transaction (including holding an
active account or a policy in force or having another continuing
relationship) during the 18 months immediately preceding the date of
the solicitation; (3) the consumer has purchased, rented, or leased the
affiliate's goods or services during the 18 months immediately
preceding the date of the solicitation; or (4) the consumer has
inquired about or applied for a product or service offered by the
affiliate during the 3-month period immediately preceding the date of
the solicitation. Proposed Sec. --.20(d)(1) provided examples of the
pre-existing business relationship exception. As explained above, the
Agencies have revised the examples from proposed Sec. --.20(d)(1) in
the final rules and included them as examples of the definition of
``pre-existing business relationship'' rather than as examples of the
pre-existing business relationship exception.
Section --.21(c)(1) of the final rules revises the pre-existing
business relationship exception to delete the word ``send'' and to
eliminate as unnecessary the cross-reference to the location of the
definition of ``pre-existing business relationship.'' As discussed
above, commenters made a number of suggestions regarding the definition
of ``pre-existing business relationship.'' The Agencies have
[[Page 62925]]
addressed those comments elsewhere. Most commenters supported the
proposed text of the pre-existing business relationship exception,
which generally tracks the statutory language.
Some commenters, however, apparently believed that the pre-existing
business relationship exception is broader than it actually is. For
example, assume that an insurance company has a pre-existing business
relationship with a consumer and shares eligibility information about
the consumer with its affiliates by putting that information into a
common database that is accessible by all affiliates. The insurance
company's depository institution affiliate accesses the database,
reviews the data on the insurance company's consumers and, based on its
review, decides to market to some of the insurance company's consumers.
Rather than sending the solicitations itself, the depository
institution asks the insurance company with the pre-existing business
relationship to send solicitations on its behalf to the insurance
company's consumers. As noted above, one commenter believed that in
this circumstance the pre-existing business relationship exception
would apply so long as the insurance company retained the discretion to
decide whether or not to send the solicitations on behalf of the
depository institution. However, the Agencies conclude that this
situation does not fall within the pre-existing business relationship
exception. Instead, the depository institution makes the solicitation
because it used eligibility information received from an affiliate to
select the consumer to receive a solicitation about its products or
services and, as a result, the consumer is provided a solicitation. To
eliminate any confusion and clarify the scope of the exception, the
Agencies have added an example in Sec. --.21(d)(1) of the final rules
to illustrate a situation where the pre-existing business relationship
exception would apply.
Employee Benefit Plan Exception
Proposed Sec. --.20(c)(2) provided that the provisions of Subpart
C would not apply to an affiliate using the information to facilitate
communications to an individual for whose benefit the affiliate
provides employee benefit or other services under a contract with an
employer related to and arising out of a current employment
relationship or an individual's status as a participant or beneficiary
of an employee benefit plan. One commenter believed that the exception
should be revised to permit communications ``to an affiliate about an
individual for whose benefit an entity provides employee benefit or
other services pursuant to a contract with an employer related to and
arising out of the current employment relationship or status of the
individual as a participant or beneficiary of an employee benefit
plan.'' This commenter also suggested deleting the phrase ``you receive
from an affiliate'' in the introduction to proposed Sec. --.20(c).
This commenter believed that this exception should permit an employer
or plan sponsor to share information with its affiliates in order to
offer other financial services, such as brokerage accounts or IRAs, to
its employees. This commenter further requested clarification on
whether the exception applies only if related to products offered as an
employee benefit.
Section --.21(c)(2) of the final rules adopts the employee benefit
exception as proposed. The Agencies decline to adopt the changes
suggested by the one commenter. First, the suggestion to make the
exception applicable to communications ``to an affiliate about an
individual for whose benefit an entity provides employee benefit or
other services'' differs from the language of the statute. The language
of the proposed and final rules focuses on facilitating communications
``to an individual for whose benefit the person provides employee
benefit or other services,'' which tracks the statutory language better
than the alternative language proposed by the commenter.
Second, the only person to whom section 624 might apply is a person
that receives eligibility information from an affiliate. Specifically,
the statutory preface to the exceptions provides that ``[t]his section
shall not apply to a person'' using information to do certain things.
The language of the statute thus makes clear that the exceptions in
section 624(a)(4) of the FCRA were meant to apply to persons that
otherwise would be subject to section 624. In the case of the employee
benefit exception, the person using the information is also ``the
person provid[ing] employee benefit or other services pursuant to a
contract with an employer.'' Therefore, the Agencies conclude that this
exception, like the other provisions of Subpart C, should apply only to
a person that uses eligibility information it receives from an
affiliate to make solicitations to consumers about its products or
services.
Service Provider Exception
Proposed Sec. --.20(c)(3) provided that the provisions of Subpart
C would not apply to an affiliate using the information to perform
services for another affiliate, unless the services involve making or
sending solicitations on its own behalf or on behalf of an affiliate
and the service provider or such affiliate is not permitted to make or
send such solicitations as a result of the consumer's election to opt
out. Thus, under the proposal, when the notice has been provided to a
consumer and the consumer has opted out, an affiliate subject to the
consumer's opt-out election may not circumvent the opt-out by
instructing the person with the consumer relationship or another
affiliate to send solicitations to the consumer on its behalf.
Several industry commenters urged the Agencies to revise the
proposed exception to conform to the statutory language. Specifically,
with respect to the exclusion from the service provider exception,
these commenters recommended that the Agencies delete the references to
solicitations on behalf of the service provider. Some of these
commenters maintained that the references to solicitations on behalf of
the service provider itself would impose additional burdens and costs
on companies that use a single affiliate to provide various
administrative services to other affiliates and would make it more
difficult to provide general educational materials to consumers. Some
of these commenters also asked the Agencies to clarify that the
limitation in the service provider exception has no applicability to
any other exception.
Section --.21(c)(3) of the final rules revises the service provider
exception to delete as surplusage the references to solicitations by a
service provider on its own behalf. The Agencies note that the general
rule in Sec. --.21(a)(1) prohibits a service provider from using
eligibility information it received from an affiliate to make
solicitations to the consumer about its own products or services unless
the consumer is given notice and an opportunity to opt out or unless
one of the other exceptions applies. The service provider exception
simply allows a service provider to do what the affiliate on whose
behalf it is acting may do, such as using shared eligibility
information to make solicitations to consumers to whom the affiliate is
permitted to make such solicitations. The final rules also delete the
word ``make'' from the exception to the service provider exception
because, as discussed above, ``making'' and ``sending'' solicitations
are distinct activities and this provision of the statute uses the verb
``to send.'' The Agencies note that, although the statute contains
separate service provider and
[[Page 62926]]
pre-existing business relationship exceptions, nothing in those
exceptions prevents an affiliate that has a pre-existing business
relationship with the consumer from relying upon the service provider
exception, where appropriate. Section --.21(d)(2) of the final rules
provides examples of the service provider exception.
Consumer-Initiated Communication Exception
Proposed Sec. --.20(c)(4) provided that the provisions of Subpart
C would not apply to an affiliate using the information to make
solicitations in response to a communication initiated by the consumer.
The proposed rule further clarified that this exception may be
triggered by an oral, electronic, or written communication initiated by
the consumer.
The supplementary information noted that to be covered by the
proposed exception, the use of eligibility information must be
responsive to the communication initiated by the consumer. The
supplementary information also explained that the time period during
which solicitations remain responsive to the consumer's communication
would depend on the facts and circumstances. As illustrated in the
example in proposed Sec. --.20(d)(2)(iii), if a consumer were to call
an affiliate to ask about retail locations and hours, the affiliate
could not use eligibility information to make solicitations to the
consumer about specific products because those solicitations would not
be responsive to the consumer's communication. Conversely, the example
in proposed Sec. --.20(d)(2)(i) illustrated that if the consumer calls
an affiliate to ask about its products or services and provides contact
information, solicitations related to those products or services would
be responsive to the communication and thus permitted under the
exception. Finally, as illustrated by the example in proposed Sec.
--.20(d)(2)(ii), the Agencies also contemplated that a consumer would
not initiate a communication if an affiliate made the initial call and
left a message for the consumer to call back, and the consumer
responded.
Commenters generally supported the text of the proposed consumer-
initiated communication exception. Several commenters, however, urged
the Agencies to either delete the phrase ``orally, electronically, or
in writing'' from the regulation or modify the language to read
``whether orally, electronically, or in writing.'' These commenters
maintained that other means of communication may be used by consumers
in the future and should not be precluded by the regulations. Another
commenter welcomed the reference to oral communications and requested
that the Agencies clarify that electronic communications refers to both
e-mail and facsimile transmissions.
Many industry commenters objected to the statement in the
supplementary information that to qualify for this exception, the use
of eligibility information ``must be responsive'' to the communication
initiated by the consumer. These commenters believed that the concept
of ``responsiveness'' creates a vague, subjective, and narrow standard
that could subject institutions to compliance risk. These commenters
noted that the Agencies did not and could not provide a clear
definition of what would be ``responsive.'' Some of these commenters
noted that consumers may not be familiar with the various types of
products or services available to them and the different affiliates
that offer those products or services and may rely on the institution
to inform them about available options. For this reason, most of these
commenters maintained that the exception should not limit an affiliate
from responding with solicitations about any product or service. Some
of these commenters believed that it would be difficult to monitor
compliance with or to develop scripts for a ``responsiveness'' standard
by customer service representatives. One commenter noted that the
Senate bill used more restrictive language in this exception than the
final bill passed by Congress. Some commenters also objected to the
statement that the time period during which solicitations remain
responsive would depend on the facts and circumstances.
NAAG supported the statement in the supplementary information that,
to qualify for this exception, the use of eligibility information
``must be responsive'' to the communication initiated by the consumer.
NAAG believed this clarification was so important that it should be
incorporated into the rule itself. NAAG also suggested imposing a
specific time limit to allow solicitations to be made for no more than
30 days after the consumer-initiated communication under this
exception.
Industry commenters also objected to some of the examples. In
particular, industry commenters objected to the example in proposed
Sec. --.20(d)(2)(i) on two grounds. First, these commenters believed
that the consumer should not have to supply contact information in
order to trigger the exception. These commenters noted that such a
requirement would seem to preclude solicitations over the phone during
the same call by presuming that a solicitation would be made by mail or
e-mail. Some of these commenters also believed that consumers would
expect an affiliated company, especially a company with a common brand,
to have their contact information already and would not want to provide
it again. Second, as noted above, some commenters maintained that the
affiliate should be able to respond by making solicitations about any
product or service, not just those mentioned by the consumer.
Many industry commenters objected to the example in proposed Sec.
--.20(d)(2)(ii) about the consumer responding to a call back message.
These commenters believed that such a call back should qualify as a
consumer-initiated communication, noting that the consumer has the
option of not returning the call. Moreover, these commenters noted that
the customer service representative receiving the call would not know
what prompted the consumer's call. Several commenters acknowledged that
there may be concerns about calls made under false pretenses to prompt
consumers to return the call but suggested that those concerns should
be addressed by other means, such as enforcement of the laws dealing
with unfair or deceptive acts or practices.
Finally, some industry commenters expressed concerns about the
example in proposed Sec. --.20(d)(2)(iii) regarding the consumer who
calls to ask for retail locations and hours. These commenters noted
that it is impossible to know what will transpire on a particular
telephone call. One commenter noted, for example, that if a consumer
called to ask for directions to an office, the customer service
representative might ask why the consumer needed to go to that office.
This, in turn, could prompt the consumer to mention a product or
service that the consumer hoped to obtain and lead to a discussion of
specific products or services that might be appropriate for the
consumer.
Section --.21(c)(4) of the final rules revises the consumer-
initiated communications exception to delete the reference to oral,
electronic, or written communications. The Agencies believe that any
form of communication may come within the exception as long as the
consumer initiates the communication, whether in-person or by mail, e-
mail, telephone, facsimile, or through other means. New forms of
communication that may develop in the future could also come within the
exception.
Section --.21(c)(4) of the final rules also provides that the
communications
[[Page 62927]]
covered by the exception are consumer-initiated communications about a
person's products or services. For the exception to apply, the statute
requires that a person use eligibility information ``in response to'' a
communication initiated by a consumer. The Agencies believe this
statutory language contemplates that the consumer-initiated
communications will relate to a person's products or services and that
the solicitations covered by the exception will be those made in
response to that communication.
The Agencies also believe the exceptions should be construed
narrowly to avoid undermining the general rule requiring notice and opt
out. Thus, consistent with the purposes of the statute, the Agencies do
not believe that a consumer-initiated communication that is unrelated
to a product or service should trigger the exception. A rule that
allowed any consumer-initiated communication, no matter how unrelated
to a product or service, to trigger the exception would not to give
meaning to the phrase ``in response to'' and could produce incongruous
results. For example, if a consumer calls an affiliate solely to obtain
retail hours and directions or solely to opt out, the exception is not
triggered because the communication does not relate to the affiliate's
products or services and making a solicitation about products or
services to the consumer in those circumstances would not be a
reasonable response to that communication.
The Agencies recognize, however, that if the conversation shifts to
a discussion of products or services that the consumer may need,
solicitations may be responsive depending upon the facts and
circumstances. Likewise, if a consumer who has opted out of an
affiliate's use of eligibility information to make solicitations calls
the affiliate for information about a particular product or service,
for example, life insurance, solicitations regarding life insurance
could be made in response to that call, but solicitations regarding
other products or services would not be responsive. Finally, the
Agencies do not believe it is appropriate to adopt a specific time
limit for making solicitations following a consumer-initiated
communication about products or services because solicitations will
likely be made quickly and any time limit would be arbitrary.
In the final rules, the Agencies have renumbered the example in
proposed Sec. --.20(d)(2)(i) as Sec. --.21(d)(3)(i), and revised it
to delete the references to a telephone call as the specific form of
communication and the reference to providing contact information. As
discussed above and illustrated in the examples in Sec. Sec.
--.20(b)(4)(ii)(E) and (F), the need to provide contact information may
vary depending on the form of communication used by the consumer. The
new example in Sec. --.21(d)(3)(ii) responds to commenters' concerns
by illustrating a circumstance involving a consumer-initiated
communication in which a consumer does not know exactly what products
or services he or she wants, but initiates a communication to obtain
information about investing for a child's college education.
The Agencies have renumbered the call-back example in proposed
Sec. --.20(d)(2)(iii) as Sec. --.21(d)(3)(iii) and revised it. The
revised example provides that where the financial institution makes an
initial marketing call without using eligibility information received
from an affiliate and leaves a message that invites the consumer to
apply for the credit card by calling a toll-free number, the consumer's
response qualifies as a consumer-initiated communication about a
product or service. The revised example balances commenters' concerns
about tracking which calls are call backs and the Agencies' concerns
that consumers may be induced into triggering the consumer-initiated
communication exception as a result of inaccurate, incomplete, or
deceptive telephone messages. Moreover, the revised example is similar
to a provision in the Board's Regulation Z commentary, 12 CFR part 226,
supplement I, Sec. 226.5a(a)(3)-2.
For the reasons discussed above, the Agencies have renumbered the
retail hours example in proposed Sec. --.20(d)(2)(iv) as Sec.
--.21(d)(3)(iv), but otherwise adopted it as proposed. In addition, the
new example in Sec. --.21(d)(3)(v) responds to commenters' concerns by
illustrating a case where a consumer calls to ask about retail
locations and hours and the call center representative, after eliciting
information about the reason why the consumer wants to visit a retail
location, offers to provide information about products of interest to
the consumer by telephone and mail, thus demonstrating how the
conversation may develop to the point where making solicitations would
be responsive to the consumer's call.
Consumer Authorization or Request Exception
Proposed Sec. --.20(c)(5) clarified that the provisions of Subpart
C would not apply to an affiliate using the information to make
solicitations affirmatively authorized or requested by the consumer.
The proposal further provided that this exception may be triggered by
an oral, electronic, or written authorization or request by the
consumer. However, a pre-selected check box or boilerplate language in
a disclosure or contract would not constitute an affirmative
authorization or request under the proposal.
The proposal noted that the consumer authorization or request
exception could be triggered, for example, if a consumer obtains a
mortgage from a mortgage lender and authorizes or requests to receive
solicitations about homeowner's insurance from an insurance affiliate
of the mortgage lender. The consumer could provide the authorization or
make the request either through the person with whom the consumer has a
business relationship or directly to the affiliate that will make the
solicitation. Proposed Sec. --.20(d)(3) provided an example of the
affirmative authorization or request exception.
Most industry commenters argued that the proposed exception did not
track the language of the statute because the Agencies included the
word ``affirmative'' in the proposed exception. These commenters
believed that including the word ``affirmative'' in the proposed rules
narrowed the exception in a manner not intended by Congress. Several of
these commenters noted that the Agencies had declined to specify what
constitutes consumer consent under the GLBA privacy rules and indicated
that they were not aware of any policy considerations or compliance
issues that would warrant a departure from the Agencies' prior
position.
Some industry commenters believed that a pre-selected check box
should be sufficient to evidence a consumer's authorization or request
for solicitations. In other words, a consumer's decision not to
deselect a pre-selected check box should constitute a knowing act of
the consumer to authorize or request solicitations. Other industry
commenters believed that preprinted language in a disclosure or
contract should be sufficient to evidence a consumer's authorization or
request for solicitations. One commenter cited case law and FTC
informal staff opinion letters relating to a consumer's written
instructions to obtain a consumer report pursuant to section 604(a)(2)
of the FCRA as support for allowing boilerplate language to constitute
authorization or request.
A few industry commenters requested that the Agencies clarify that
a consumer's authorization or request does not have to refer to a
specific
[[Page 62928]]
product or service or to a specific provider of products or services in
order for the exception to apply. As discussed above, industry
commenters had differing views regarding the reference to oral,
written, or electronic means of triggering the exception.
NAAG suggested imposing a specific time limit to allow
solicitations to be made for no more than 30 days after the consumer's
authorization or request under this exception.
Section --.21(c)(5) of the final rules revises the consumer
authorization or request exception to delete the word ``affirmative''
as surplusage. The deletion of the word ``affirmative'' does not change
the meaning of the exception however. The consumer still must take
affirmative steps to ``authorize'' or ``request'' solicitations.
The Agencies construe this exception, like the other exceptions,
narrowly and in a manner that does not undermine the general notice and
opt-out requirement. For that reason, the Agencies believe that
affiliated companies cannot avoid use of the statute's notice and opt-
out provisions by including preprinted boilerplate language in the
disclosures or contracts they provide to consumers, such as language
stating that by applying to open an account, the consumer authorizes or
requests to receive solicitations from affiliates. Such an
interpretation would permit the exception to swallow the rule, a result
that cannot be squared with the intent of Congress to give consumers
notice and an opportunity to opt out of solicitations.
The comparison made by some commenters to the GLBA privacy rules is
misplaced. The GLBA and the privacy rules create an exception to permit
the disclosure of nonpublic personal information ``with the consent or
at the direction of the consumer.'' Section 624 of the FCRA creates an
exception to permit the use of shared eligibility information ``in
response to solicitations authorized or requested by the consumer.''
The Agencies interpret the ``authorized or requested'' language in the
FCRA exception to require the consumer to take affirmative steps in
order to trigger the exception.
The Agencies have made conforming changes to the example in
proposed Sec. --.20(d)(3), which has been renumbered as Sec.
--.21(d)(4)(i) in the final rules. In addition, the Agencies have added
three additional examples. The example in Sec. --.21(d)(4)(ii)
illustrates how a consumer can authorize or request solicitations by
checking a blank check box. The examples in Sec. Sec. --.21(d)(4)(iii)
and (iv) illustrate that preprinted boilerplate language and a pre-
selected check box would not meet the authorization or request
exception.
The Agencies do not believe it is appropriate to set a fixed time
period for an authorization or request. As noted in the proposal, the
duration of the authorization or request depends on what is reasonable
under the facts and circumstances. In addition, an authorization to
make solicitations to the consumer terminates if the consumer revokes
the authorization.
For the same reasons discussed above, the Agencies have deleted the
reference to oral, electronic, or written communications from this
exception to track the language of the statute. Further, the Agencies
do not believe it is necessary to clarify the elements of an
authorization or request. The statute clearly refers to ``solicitations
authorized or requested by the consumer.'' The facts and circumstances
will determine what solicitations have been authorized or requested by
the consumer.
Compliance With Applicable Laws Exception
Proposed Sec. --.20(c)(6) clarified that the provisions of Subpart
C would not apply to an affiliate if compliance with the requirements
of section 624 by the affiliate would prevent that affiliate from
complying with any provision of state insurance laws pertaining to
unfair discrimination in a state where the affiliate is lawfully doing
business. See FCRA, section 624(a)(4). The Agencies received no
comments on this provision. Section --.21(c)(6) of the final rules
adopts the state insurance law compliance exception as proposed.
One commenter requested the creation of an additional exception to
permit the sharing of eligibility information among affiliates that are
aligned under one line of business within an organization and that
share common management, branding, and regulatory oversight (i.e.,
banking, securities, and insurance companies). This commenter was
focused on private banking enterprises. As discussed above, the
Agencies find no statutory basis for creating such an exception to the
notice and opt-out requirement.
Relation to Affiliate-Sharing Notice and Opt-Out
Proposed Sec. --.20(f) clarified the relationship between the
affiliate sharing notice and opt-out under section 603(d)(2)(A)(iii) of
the FCRA and the affiliate marketing notice and opt out in new section
624 of the FCRA. Specifically, the proposal provided that nothing in
the affiliate marketing rules limits the responsibility of a company to
comply with the notice and opt-out provisions of section
603(d)(2)(A)(iii) of the FCRA before it shares information other than
transaction or experience information among affiliates to avoid
becoming a consumer reporting agency.
One commenter urged the Agencies to delete this provision as
unnecessary. In the alternative, this commenter requested that the
Agencies clarify that section 603(d)(2)(A)(iii) applies to the sharing
of information that would otherwise meet the definition of a ``consumer
report,'' and that the sharing affiliate does not automatically become
a consumer reporting agency, but risks becoming a consumer reporting
agency.
This provision has been renumbered as Sec. --.21(e) in the final
rules. Section --.21(e) has been revised to delete the clause that
referred to becoming a consumer reporting agency and to substitute in
its place the neutral phrase ``where applicable.''
Section --.22 Scope and Duration of Opt-Out
Scope of the Opt-Out
The Agencies addressed issues relating to the scope of the opt-out
in various sections of the proposal. In the supplementary information
to the proposal, the Agencies stated that the opt-out would be tied to
the consumer, rather than to the information. Some industry commenters
supported the approach of tying the opt-out to the consumer, rather
than to the information. Other industry commenters, however, believed
it was inappropriate to tie the opt-out to the consumer and requested
that institutions have the flexibility to implement the consumer's opt-
out at the account level, rather than at the consumer level. These
commenters believed that an account-by-account approach would be
consistent with the menu of opt-out choices provided in this rule and
the GLBA privacy rules. These commenters also noted that an account-
based approach would provide the consumer with a new notice and
opportunity to opt out when a former customer decides to re-establish a
new relationship with the institution.
Proposed Sec. --.21(c) provided that the notice could be designed
to allow a consumer to choose from a menu of alternatives when opting
out, such as by selecting certain types of affiliates, certain types of
information, or certain modes of delivery from which to opt out, so
long as one of the alternatives gave the consumer the opportunity to
opt out with respect to all affiliates, all
[[Page 62929]]
eligibility information, and all methods of delivering solicitations.
Several industry commenters objected to the requirement that the
institution provide a single universal opt-out option that would allow
consumers to opt out completely of all solicitations. In addition, one
commenter found the reference to all types of eligibility information
confusing, while another commenter noted that some institutions may
want to implement the opt-out on an account-by-account basis.
Section --.25(d) of the proposal provided that if a consumer's
relationship with an institution terminated for any reason when a
consumer's opt-out election was in force, the opt-out would continue to
apply indefinitely, unless revoked by the consumer. Most industry
commenters objected to having the opt-out period continue to apply
indefinitely upon termination of the consumer's relationship with the
institution. These commenters believed that this approach was not
supported by the statute, would prove costly and difficult to
administer, and would require the indefinite tracking of opt-outs.
These commenters also believed that the five-year opt-out period would
provide sufficient protection to consumers that terminate their
relationship. One commenter noted that the proposed rule would impose
particular hardships on mortgage lenders because those lenders often
have consumer relationships of very short duration on account of
selling the loans they originate into the secondary market. Consumer
groups supported the proposed treatment of opt-outs for terminated
consumer relationships.
Upon further examination, the Agencies believe that the scope of
the opt-out should be addressed comprehensively in a single section of
the final rules. The Agencies also conclude that tying the opt-out to
the consumer could have had unintended consequences. For example, if
the opt-out were tied to the consumer, an institution would have to
track the consumer indefinitely, even if the consumer's relationship
with the institution terminated and a new relationship were
subsequently established with that institution years later. The
Agencies do not believe that institutions should be required to track
consumers indefinitely following termination. In addition, an opt-out
tied to the consumer could apply to the use of all eligibility
information, not just to eligibility information about the consumer,
received from an affiliate and used to make solicitations to the
consumer. It is not clear from the statute or the legislative history
that Congress intended the opt-out provisions of section 624 to apply
to eligibility information about consumers other than the consumer to
whom a solicitation is made. Finally, the Agencies do not believe it is
necessary to make the opt-out effective in perpetuity upon termination
of the relationship.
Section --.22(a) of the final rules brings together these different
scope considerations to address comprehensively the scope of the opt-
out. Under the revised approach, the scope of the opt-out is derived
from language of section 624(a)(2)(A) of the FCRA and generally depends
upon the content of the opt-out notice. Section --.22(a)(1) provides
that, except as otherwise provided in that section, a consumer's
election to opt out prohibits any affiliate covered by the opt-out
notice from using the eligibility information received from another
affiliate as described in the notice to make solicitations for
marketing purposes to the consumer.
Section --.22(a)(2)(i) clarifies that, in the context of a
continuing relationship, an opt-out notice may apply to eligibility
information obtained in connection with a single continuing
relationship, multiple continuing relationships, continuing
relationships established subsequent to delivery of the opt-out notice,
or any other transaction with the consumer. Section --.22(a)(2)(ii)
provides examples of continuing relationships. These examples are
substantially similar to the examples used in the GLBA privacy rules
with added references to relationships between the consumer and an
affiliate.
Section --.22(a)(3)(i) limits the scope of an opt-out notice that
is not connected with a continuing relationship. This section provides
that if there is no continuing relationship between the consumer and a
person or its affiliate, and if the person or its affiliate provides an
opt-out notice to a consumer that relates to eligibility information
obtained in connection with a transaction with the consumer, such as an
isolated transaction or a credit application that is denied, the opt-
out notice only applies to eligibility information obtained in
connection with that transaction. The notice cannot apply to
eligibility information that may be obtained in connection with
subsequent transactions or a continuing relationship that may be
subsequently established by the consumer with the person or its
affiliate. Section --.22(a)(3)(ii) provides examples of isolated
transactions.
Section --.22(a)(4) provides that a consumer may be given the
opportunity to choose from a menu of alternatives when electing to
prohibit solicitations. An opt-out notice may give the consumer the
opportunity to elect to prohibit solicitations from certain types of
affiliates covered by the opt-out notice but not other types of
affiliates covered by the notice, solicitations based on certain types
of eligibility information but not other types of eligibility
information, or solicitations by certain methods of delivery but not
other methods of delivery, so long as one of the alternatives is the
opportunity to prohibit all solicitations from all of the affiliates
that are covered by the notice. The Agencies continue to believe that
the language of section 624(a)(2)(A) of the FCRA requires the opt-out
notice to contain a single opt-out option for all solicitations within
the scope of the notice.
The Agencies recognize that consumers could receive a number of
different opt-out notices, even from the same affiliate. The Agencies
will monitor industry notice practices and evaluate whether further
action is needed.
Section --.22(a)(5) contains a special rule for notice following
termination of a continuing relationship. This rule provides that a
consumer must be given a new opt-out notice if, after all continuing
relationships with a person or its affiliate have been terminated, the
consumer subsequently establishes a new continuing relationship with
that person or the same or a different affiliate and the consumer's
eligibility information is to be used to make a solicitation. This
special rule affords the consumer and the company a fresh start
following termination of all continuing relationships by requiring a
new opt-out notice if a new continuing relationship is subsequently
established.
The new opt-out notice must apply, at a minimum, to eligibility
information obtained in connection with the new continuing
relationship. The new opt-out notice may apply more broadly to
information obtained in connection with a terminated relationship and
give the consumer the opportunity to opt out with respect to
eligibility information obtained in connection with both the terminated
and the new continuing relationships. Further, the consumer's failure
to opt out does not override a prior opt-out election by the consumer
applicable to eligibility information obtained in connection with a
terminated relationship that is still in effect, regardless of whether
the new opt-out notice applies to eligibility information obtained in
connection
[[Page 62930]]
with the terminated relationship. The final rules also contain an
example of this special rule. The Agencies note, however, that where a
consumer was not given an opt-out notice in connection with the initial
continuing relationship because eligibility information obtained in
connection with that continuing relationship was not shared with
affiliates for use in making solicitations, an opt-out notice provided
in connection with a new continuing relationship would have to apply to
any eligibility information obtained in connection with the terminated
relationship that is to be shared with affiliates for use in making
future solicitations.
Duration and Timing of Opt-Out
Proposed Sec. --.25 addressed the duration and effect of the
consumer's opt-out election. Proposed Sec. --.25(a) provided that the
consumer's election to opt out would be effective for the opt-out
period, which is a period of at least five years beginning as soon as
reasonably practicable after the consumer's opt-out election is
received. The supplementary information noted that if a consumer
elected to opt out every year, a new opt-out period of at least five
years would begin upon receipt of each successive opt-out election.
Some industry commenters believed that the proposal was
inconsistent with the statute because it provided that the opt-out
period would begin as soon as reasonably practicable after the
consumer's opt-out election is received. These commenters believed that
the opt-out period should begin on the date the consumer's opt-out is
received and that the final rules also should allow institutions a
reasonable period of time to implement a consumer's initial or renewal
opt-out election before it becomes effective. Consumer groups believed
that the requirement to honor an opt-out ``beginning as soon as
reasonably practicable'' was too vague. These commenters believed that
a consumer's opt-out should be honored within a specific length of time
not to exceed 30 days after the consumer responds to the opt-out
notice.
A few industry commenters urged the Agencies to allow consumers to
revoke an opt-out election orally. Other industry commenters requested
that the final rules include a clear statement that an opt-out period
may be shortened to a period of less than five years by the consumer's
revocation of an opt-out election. Consumer groups approved of the
Agencies' statement that if a consumer opts out again during the five-
year opt-out period, then a new five-year period begins. Consumer
groups also supported allowing institutions to make the opt-out period
effective in perpetuity so long as this is clearly disclosed to the
consumer in the original notice.
The general provision regarding the duration of the opt-out has
been renumbered as Sec. --.22(b) in the final rules, consistent with
the Agencies' decision to address all scope issues in the same section.
The Agencies have revised the duration provision to clarify that the
opt-out period expires if the consumer revokes the opt-out in writing,
or if the consumer agrees, electronically. The requirement for a
written or electronic revocation is retained and is consistent with the
approach taken in the GLBA privacy rules. The Agencies do not believe
it is necessary or appropriate to permit oral revocation. The Agencies
note that many of the exceptions to the notice and opt-out requirements
may be triggered by oral communications, as discussed above, which
would enable the use of shared eligibility information to make
solicitations pending receipt of a written or electronic revocation.
Also, as noted in the proposal, nothing prohibits setting an opt-out
period longer than five years, including an opt-out period that does
not expire unless revoked by the consumer.
The Agencies do not agree that the opt-out period should begin on
the date the consumer's election to opt out is received. Commenters
generally recognized that institutions cannot instantaneously implement
a consumer's opt-out election but need time to do so. The Agencies
interpret the statutory language to mean that the consumer's opt-out
election must be honored for a period of at least five years from the
date such election is implemented. The Agencies believe that Congress
did not intend for the opt-out period to be shortened to a period of
less than the five years specified in the statute to reflect the time
between the date the consumer's opt-out election is received and the
date the consumer's opt-out election is implemented.
The Agencies also believe it is neither necessary nor desirable to
set a mandatory deadline for implementing the consumer's opt-out
election. A general standard is preferable because the time it will
reasonably take to implement a consumer's opt-out election may vary.
Consistent with the special rule for a notice following termination
of a continuing relationship, the duration of the opt-out is not
affected by the termination of a continuing relationship. When a
consumer opts out in the course of a continuing relationship and that
relationship is terminated during the opt-out period, the opt-out
remains in effect for the rest of the opt-out period. If the consumer
subsequently establishes a new continuing relationship while the opt-
out period remains in effect, the opt-out period may not be shortened
with respect to information obtained in connection with the terminated
relationship by sending a new opt-out notice to the consumer when the
new continuing relationship is established, even if the consumer does
not opt out upon receipt of the new opt-out notice. A person may track
the eligibility information obtained in connection with the terminated
relationship and provide a renewal notice to the consumer, or may
choose not to use eligibility information obtained in connection with
the terminated relationship to make solicitations to the consumer.
Proposed Sec. --.25(c) clarified that a consumer may opt out at
any time. As explained in the supplementary information to the
proposal, even if the consumer did not opt out in response to the
initial opt-out notice or if the consumer's election to opt out was not
prompted by an opt-out notice, a consumer may still opt out. Regardless
of when the consumer opts out, the opt-out must be effective for a
period of at least five years.
The Agencies received few comments on this provision. Consumer
groups urged the Agencies to reinforce the continuing nature of the
right to opt out by requiring institutions to give the opt-out notice
annually along with the annual GLBA privacy notice. These commenters
acknowledged that the FCRA does not specifically state that the notice
is required annually, but noted that the statute also does not say that
the consumer has only one opportunity to opt out.
The Agencies have renumbered the provision giving the consumer the
right to opt out at any time as Sec. --.22(c) in the final rules, but
otherwise adopted the provision as proposed. The Agencies find no
statutory basis for requiring the provision of an annual opt-out notice
to consumers along with the GLBA privacy notice.
Section --.23 Contents of Opt-Out Notice; Consolidated and Equivalent
Notices
Contents in General
Section --.21 of the proposal addressed the contents of the opt-out
notice. Proposed Sec. --.21(a) would have required that the opt-out
notice be clear,
[[Page 62931]]
conspicuous, and concise, and accurately disclose: (1) That the
consumer may elect to limit a person's affiliate from using eligibility
information about the consumer that it obtains from that person to make
or send solicitations to the consumer; (2) if applicable, that the
consumer's election will apply for a specified period of time and that
the consumer will be allowed to extend the election once that period
expires; and (3) a reasonable and simple method for the consumer to opt
out.
Some commenters expressed concern about requiring the notice to
specify the applicable time period and the consumer's right to extend
the election once the opt-out expires. One commenter believed this
would require institutions to determine in advance the length of the
opt-out period. Another commenter urged the Agencies to clarify that
institutions could subsequently increase the duration of the opt-out or
make it permanent without providing another notice to the consumer.
The Agencies have renumbered the provisions addressing the contents
of the opt-out notice as Sec. --.23(a) in the final rules and revised
them. Section --.23(a)(1) of the final rules requires additional
information in opt-out notices. Section --.23(a)(1)(i) provides that
all opt-out notices must identify, by name, the affiliate(s) that is
providing the notice. A group of affiliates may jointly provide the
notice. If the notice is provided jointly by multiple affiliates and
each affiliate shares a common name, such as ``ABC,'' then the notice
may indicate that it is being provided by multiple companies with the
ABC name or multiple companies in the ABC group or family of companies.
Acceptable ways of identifying the multiple affiliates providing the
notice include stating that the notice is provided by ``all of the ABC
companies,'' ``the ABC banking, credit card, insurance, and securities
companies,'' or by listing the name of each affiliate providing the
notice. A representation that the notice is provided by ``the ABC
banking, credit card, insurance, and securities companies'' applies to
all companies in those categories, not just some of those companies.
But if the affiliates providing the notice do not all share a common
name, then the notice must either separately identify each affiliate by
name or identify each of the common names used by those affiliates. For
example, if the affiliates providing the notice do business under both
the ABC name and the XYZ name, then the notice could list each
affiliate by name or indicate that the notice is being provided by
``all of the ABC and XYZ companies'' or by ``the ABC bank and credit
card companies and the XYZ insurance companies.''
Section --.23(a)(1)(ii) provides that an opt-out notice must
contain a list of the affiliates or types of affiliates covered by the
notice. The notice may apply to multiple affiliates and to companies
that become affiliates after the notice is provided to the consumer.
The rules for identifying the affiliates covered by the notice are
substantially similar to the rules for identifying the affiliates
providing the notice in Sec. --.23(a)(1)(i), as described in the
previous paragraph.
Sections --.23(a)(1)(iii)-(vii) respectively require the opt-out
notice to include the following: A general description of the types of
eligibility information that may be used to make solicitations to the
consumer; a statement that the consumer may elect to limit the use of
eligibility information to make solicitations to the consumer; a
statement that the consumer's election will apply for the specified
period of time stated in the notice and, if applicable, that the
consumer will be allowed to renew the election once that period
expires; if the notice is provided to consumers who may have previously
opted out, such as if a notice is provided to consumers annually, a
statement that the consumer who has chosen to limit marketing offers
does not need to act again until the consumer receives a renewal
notice; and a reasonable and simple method for the consumer to opt out.
The statement described in Sec. --.23(a)(1)(vi) regarding consumers
who may have previously opted out does not apply to the model privacy
form that the Agencies are developing in a separate rulemaking.
Appropriate use of the model forms in Appendix C will satisfy these
content requirements.
The Agencies continue to believe that the opt-out notice must
specify the length of the opt-out period, if one is provided. However,
an institution that subsequently chooses to increase the duration of
the opt-out period that it previously disclosed or honor the opt-out in
perpetuity has no obligation to provide a revised notice to the
consumer. In that case, the result is the same as if the institution
established a five-year opt-out period and then did not send a renewal
notice at the end of that period. A person receiving eligibility
information from an affiliate would be prohibited from using that
information to make solicitations to a consumer unless a renewal notice
is first provided to the consumer and the consumer does not renew the
opt-out. So long as no solicitations are made using eligibility
information received from an affiliate, there would be no violation of
the statute or regulation for failing to send a renewal notice in this
situation.
Joint Notice
Proposed Sec. --.24(c) permitted a person subject to this rule to
provide a joint opt-out notice with one or more of its affiliates that
are identified in the notice, so long as the notice was accurate with
respect to each affiliate jointly issuing the notice. Under the
proposal, a joint notice would not have to list each affiliate
participating in the joint notice by its name, but could state that it
applies to ``all institutions with the ABC name'' or ``all affiliates
in the ABC family of companies.''
One commenter believed that individually listing each company could
result in long and confusing notices. This commenter suggested revising
the rule to permit the generic identification of the types of
affiliates by whom eligibility information may be used to make
solicitations and to allow the notice to apply to entities that become
affiliates after the notice is sent.
In the final rules, the separate joint notice provision has been
eliminated. Instead, the final rules incorporate the joint notice
option into the provisions that address which affiliates may provide
the opt-out notice and the contents of the notice.
Joint Relationships
The proposal addressed joint relationships in the section dealing
with delivery of opt-out notices. Proposed Sec. --.24(d) set out rules
that would apply when two or more consumers jointly obtain a product or
service from a person subject to the rule (referred to in the proposed
regulation as ``joint consumers''), such as a joint checking account.
It also provided several examples. Under the proposal, a person subject
to this rule could provide a single opt-out notice to joint
accountholders. The notice would have had to indicate whether the
person would consider an opt-out by a joint accountholder as an opt-out
by all of the associated accountholders, or whether each accountholder
would have to opt out separately. The person could not require all
accountholders to opt out before honoring an opt-out direction by one
of the joint accountholders. Because section 624 of the FCRA deals with
the use of information for marketing by affiliates, rather than the
sharing of information among affiliates, comment was requested on
whether information about a joint account should be allowed to be used
for making solicitations to a joint consumer who has not opted out.
Some commenters supported the flexible approach proposed by the
[[Page 62932]]
Agencies for dealing with joint accounts and notice to joint
accountholders. One commenter suggested providing additional
flexibility to enable consumers to opt out in certain circumstances,
such as when eligibility information from a joint account is involved,
but not in others, such as when eligibility information from an
individual account is involved. Another commenter, however, believed
that the provisions regarding joint relationships may not be
appropriate for the affiliate marketing rule because section 624
relates to the use of information for marketing to a particular
consumer, not to the sharing of information among affiliates. Consumer
groups urged the Agencies to prohibit the use of eligibility
information about a joint account for making solicitations to a
consumer who has not opted out if the other joint consumer on the
account has opted out.
The Agencies have renumbered the provision addressing joint
relationships as Sec. --.23(a)(2) in the final rules. The Agencies
have deleted the example of joint relationships from the final rules
because it addressed, in part, the sharing of information, rather than
the use of information. The Agencies have made other revisions to
enhance the readability of this provision. The revised provision is
substantively similar to the joint relationships provision of the GLBA
privacy rules, except to the extent those rules refer to the sharing of
information among affiliates.
The Agencies believe that different issues may arise with regard to
providing a single opt-out notice to joint consumers in the context of
this rule, which focuses on the use of information, compared to issues
that may arise with regard to providing such a notice in the context of
other privacy rules that focus on the sharing of information. For
example, a consumer may opt out with respect to affiliate marketing in
connection with an individually-held account, but not opt out with
respect to affiliate marketing in connection with a joint relationship.
In that case, it could be challenging to identify which consumer
information may and may not be used by affiliates to make solicitations
to the consumer. Nevertheless, the final rules permit persons providing
opt-out notices to consumers to provide a single opt-out notice to
joint consumers.
Alternative Contents
Proposed Sec. --.21(d) provided that, where an institution elects
to give consumers a broader right to opt out of marketing than is
required by this subpart, the institution would have the ability to
modify the contents of the opt-out notice to reflect accurately the
scope of the opt-out right it provides to consumers. This section also
noted that proposed Appendix C provided a model form that may be
helpful for institutions that wish to allow consumers to opt out of all
marketing from the institution and its affiliates, but use of the model
form is not required. Commenters generally favored the flexibility
afforded by this provision. The Agencies have renumbered the provision
addressing alternative contents as Sec. --.23(a)(3) in the final
rules, but otherwise adopted it as proposed.
Model Notices
Section --.23(a)(4) states that model notices are provided in
Appendix C. The Agencies have provided these model notices to
facilitate compliance with the rule. However, the final rules do not
require use of the model notices.
Consolidated and Equivalent Notices
Proposed Sec. --.27 provided that an opt-out notice required by
Subpart C could be coordinated and consolidated with any other notice
or disclosure required to be issued under any other provision of law,
including but not limited to the notice described in section
603(d)(2)(A)(iii) of the FCRA and the notice required by title V of the
GLBA. In addition, a notice or other disclosure that was equivalent to
the notice required by this subpart, and that was provided to a
consumer together with disclosures required by any other provision of
law, would satisfy the requirements of Subpart C. The proposal
specifically requested comment on the consolidation of the affiliate
marketing notice with the GLBA privacy notice and the affiliate sharing
opt-out notice under section 603(d)(2)(A)(iii) of the FCRA.
Commenters generally supported the proposed provision. Several
commenters believed it was probable that most institutions would want
to provide the affiliate marketing opt-out notice with their existing
GLBA privacy notice to reduce compliance costs and minimize consumer
confusion. One commenter believed that institutions would be less
likely to include the opt-out notice as part of their annual GLBA
privacy notice because section 214 does not have an annual notice
requirement.
The Agencies have moved the provisions addressing consolidated and
equivalent notices to the section addressing the contents of the notice
and renumbered those provisions as Sec. Sec. --.23(b) and (c)
respectively in the final rules. Otherwise, those provisions have been
adopted as proposed with one exception. The provision on equivalent
notices clarifies that an equivalent notice satisfies the requirements
of Sec. --.23--not the entire subpart--because the subpart addresses
many issues besides the content of the notice, such as delivery and
renewal of opt-outs. The Agencies believe that these provisions are
related to the contents of the notice and should therefore be included
in this section.
The Agencies encourage consolidation of the affiliate marketing
opt-out notice with the GLBA privacy notice, including the affiliate
sharing opt-out notice under section 603(d)(2)(A)(iii) of the FCRA, so
that consumers receive a single notice they can use to review and
exercise all privacy opt-outs. Consolidation of these notices, however,
presents special issues. For example, the affiliate marketing opt-out
may be limited to a period of at least five years, subject to renewal,
whereas the GLBA privacy and FCRA section 603(d)(2)(A)(iii) opt-out
notices are not time-limited. This difference, if applicable, must be
made clear to the consumer. Thus, if a consolidated notice is used and
the affiliate marketing opt-out is limited in duration, the notice must
inform consumers that if they previously opted out, they do not need to
opt out again until they receive a renewal notice when the opt-out
expires or is about to expire. In addition, as discussed more fully
below, the Agencies have developed a model privacy form that includes
the affiliate marketing opt-out. The Agencies expect that once
published in final form, use of the model privacy form will satisfy the
requirement to provide an affiliate marketing opt-out notice.
Section --.24 Reasonable Opportunity To Opt Out
Section --.22(a) of the proposal provided that before a receiving
affiliate could use eligibility information to make or send
solicitations to the consumer, the communicating affiliate would have
to provide the consumer with a reasonable opportunity to opt out
following delivery of the opt-out notice. Given the variety of
circumstances in which institutions must provide a reasonable
opportunity to opt out, the proposal construed the requirement for a
reasonable opportunity to opt out as a general test that would avoid
setting a mandatory waiting period in all cases.
The proposed rules would not have required institutions subject to
the rule to disclose how long a consumer would have to respond to the
opt-out notice before eligibility information
[[Page 62933]]
communicated to affiliates could be used to make or send solicitations
to the consumer, although institutions would have the flexibility to
include such disclosures in their notices. In this respect, the
proposed rules were consistent with the GLBA privacy rules.
Industry commenters generally supported the Agencies' approach of
treating the requirement for a reasonable opportunity to opt out as a
general test that would avoid setting a mandatory waiting period. NAAG,
on the other hand, believed that the Agencies should set a mandatory
waiting period of at least 45 days from the date of mailing or other
transmission of the notice because consumers may be ill, away from
home, or otherwise unable to respond to correspondence promptly.
Industry commenters generally supported the Agencies' decision not
to require the disclosure of how long a consumer would have to respond
to the opt-out notice before eligibility information could be used to
make or send solicitations to the consumer. Consumer groups believed
that consumers should be told how long they have to respond to the
notice before eligibility information could be used by affiliates to
make or send solicitations and that they may exercise their right to
opt out at any time.
The Agencies have renumbered the section addressing a reasonable
opportunity to opt out as Sec. --.24 in the final rules, and revised
it. Section --.24(a) of the final rules retains the approach of
construing the requirement for a reasonable opportunity to opt out as a
general test that avoids setting a mandatory waiting period in all
cases. Given the variety of circumstances in which a reasonable
opportunity to opt out must be provided, the Agencies believe that the
appropriate time to permit solicitations may vary depending upon the
circumstances. A general standard provides flexibility to allow a
person to use eligibility information it receives from an affiliate to
make solicitations at an appropriate point in time that may vary
depending upon the circumstances, while assuring that the consumer is
given a realistic opportunity to prevent such use of this information.
In the final rules, the Agencies have retained the approach of not
requiring affiliate marketing opt-out notices to disclose how long a
consumer has to respond before eligibility information may be used to
make solicitations to the consumer or that consumers may exercise their
right to opt out at any time. However, an institution may, at its
option, add this information to its opt-out notice.
Section --.22(b) of the proposal provided examples to illustrate
what would constitute a reasonable opportunity to opt out. The proposed
examples would have provided a generally applicable safe harbor for
opt-out periods of 30 days. As explained in the supplementary
information to the proposal, although 30 days would be a safe harbor, a
person subject to this requirement could decide, at its option, to give
consumers more than 30 days in which to decide whether or not to opt
out. A shorter waiting period could be adequate in certain situations
depending on the circumstances.
Proposed Sec. --.22(b)(1) contained an example of a reasonable
opportunity to opt out when the notice was provided by mail. Proposed
Sec. --.22(b)(2) contained an example of a reasonable opportunity to
opt out when the notice was provided by electronic means. The proposed
examples were consistent with examples used in the GLBA privacy rules.
Proposed Sec. --.22(b)(3) contained an example of a reasonable
opportunity to opt out where, in a transaction conducted
electronically, the consumer was required to decide, as a necessary
part of proceeding with the transaction, whether or not to opt out
before completing the transaction, so long as the institution provided
a simple process at the Internet Web site that the consumer could use
at that time to opt out. In this example, the opt-out notice would
automatically be provided to the consumer, such as through a non-
bypassable link to an intermediate Web page, or ``speedbump.'' The
consumer would be given a choice of either opting out or not opting out
at that time through a simple process conducted at the Web site. For
example, the consumer could be required to check a box right at the
Internet Web site in order to opt out or decline to opt out before
continuing with the transaction. However, this example would not cover
a situation where the consumer was required to send a separate e-mail
or visit a different Internet Web site in order to opt out.
Proposed Sec. --.22(b)(4) illustrated that including the affiliate
marketing opt-out notice in a notice under the GLBA would satisfy the
reasonable opportunity standard. In such cases, the consumer would be
allowed to exercise the opt-out in the same manner and would be given
the same amount of time to exercise the opt-out as is provided for any
other opt-out provided in the GLBA privacy notice.
Proposed Sec. --.22(b)(5) illustrated how an ``opt-in'' could meet
the requirement to provide a reasonable opportunity to opt out.
Specifically, if an institution has a policy of not allowing its
affiliates to use eligibility information to market to consumers
without the consumer's affirmative consent, providing the consumer with
an opportunity to ``opt in'' or affirmatively consent to such use would
constitute a reasonable opportunity to opt out. The supplementary
information clarified that the consumer's affirmative consent must be
documented and that a pre-selected check box would not evidence the
consumer's affirmative consent.
Some industry commenters supported the proposed 30-day safe harbor
and the examples illustrating the safe harbor. Other industry
commenters, however, expressed concern that the 30-day safe harbor
would become the mandatory minimum waiting period in virtually all
cases, particularly because of the risk of civil liability. For this
reason, some industry commenters objected to the use of examples
altogether and urged that the Agencies delete the proposed examples.
Other industry commenters asked the Agencies to include only the
examples from the GLBA.
Consumer groups believed that the safe harbor should be 45 days,
rather than 30 days. These commenters believed that 45 days was
necessary in part to account for the time consumed in mail deliveries
and in part to avoid penalizing consumers who are away from home for
vacation or illness.
Regarding the specific examples, a few commenters objected to the
example in proposed Sec. --.22(b)(2), stating that the acknowledgement
of receipt requirement would be inconsistent with the Electronic
Signatures in Global and National Commerce Act (E-Sign Act). One of
these commenters believed this requirement amounted to an opt in for
electronic notices. Several commenters believed that the example in
proposed Sec. --.22(b)(3) for requesting the consumer to opt out as a
necessary step in proceeding with an electronic transaction should not
be limited to electronic transactions, but should be expanded to apply
to all transaction methods. A number of commenters believed that the
example in proposed Sec. --.22(b)(5) should either be deleted or,
alternatively, should not refer to ``affirmative'' consent. These
commenters noted that the example in proposed Sec. --.22(b)(4) allowed
a person to satisfy the reasonable opportunity standard by permitting
the consumer to exercise the opt-out in the same manner and giving the
consumer the same amount of time to exercise the opt-out as provided in
the GLBA privacy notice
[[Page 62934]]
and that the GLBA rules did not require ``affirmative'' consent.
The Agencies have renumbered the examples of a reasonable
opportunity to opt out as Sec. --.24(b) in the final rules, and
revised them as discussed below. The Agencies believe the examples are
helpful in illustrating what constitutes a reasonable opportunity to
opt out.
The generally applicable 30-day safe harbor is retained in the
final rules. The Agencies believe that providing a generally applicable
safe harbor of 30 days is helpful because it affords certainty to
entities that choose to follow the 30-day waiting period. Although 30
days is a safe harbor in all cases, a person providing an opt-out
notice may decide, at its option, to give consumers more than 30 days
in which to decide whether or not to opt out. A shorter waiting period
could be adequate in certain situations, depending on the
circumstances, in accordance with the general test for a reasonable
opportunity to opt out. The use of examples and a 30-day safe harbor is
consistent with the approach followed in the GLBA privacy rules.
However, the Agencies believe that the examples in these rules should
differ to some extent from the examples in the GLBA privacy rules
because the affiliate marketing opt-out requires a one-time, not an
annual, notice. Further, the affiliate marketing notice may, but need
not, be included in the GLBA privacy notice.
In the final rules, the Agencies have retained the example of a
reasonable opportunity to opt out by mail with revisions for clarity.
Commenters had no specific objections to this example.
The Agencies have revised the example of a reasonable opportunity
to opt out by electronic means and divided it into two subparts in the
final rules to illustrate the different means of delivering an
electronic notice. The example illustrates that for notices provided
electronically, such as by posting the notice at an Internet Web site
at which the consumer has obtained a product or service, a reasonable
opportunity to opt out would include giving the consumer 30 days after
the consumer acknowledges receipt of the electronic notice to opt out
by any reasonable means. The acknowledgement of receipt aspect of this
example is consistent with an example in the GLBA privacy regulations.
The example also illustrates that for notices provided by e-mail to a
consumer who had agreed to receive disclosures by e-mail from the
person sending the notice, a reasonable opportunity to opt out would
include giving the consumer 30 days after the e-mail is sent to elect
to opt out by any reasonable means. The Agencies do not believe that
consumer acknowledgement is necessary where the consumer has agreed to
receive disclosures by e-mail.
The Agencies have determined that the electronic delivery of
affiliate marketing opt-out notices does not require consumer consent
in accordance with the E-Sign Act because neither section 624 of the
FCRA nor these final rules require that the notice be provided in
writing. Thus, the Agencies do not believe that the acknowledgement of
receipt trigger is beyond the scope of their interpretive authority.
Persons that provide affiliate marketing opt-out notices under this
Subpart C electronically may do so pursuant to the agreement of the
consumer, as specified in these rules, or in accordance with the
requirements of the E-Sign Act.
The Agencies believe that the example of a consumer who is required
to opt out as a necessary part of proceeding with the transaction
should not be limited to electronic transactions. However, rather than
revising the electronic transactions example, the Agencies have
retained the electronic transactions example in Sec. --.24(b)(3) and
added a new example for in-person transactions in Sec. --.24(b)(4).
Together, these examples illustrate that an abbreviated opt-out period
is appropriate when the consumer is given a ``yes'' or ``no'' choice
and is not permitted to proceed with the transaction unless the
consumer makes a choice. For in-person transactions, consumers could be
provided a form with a question that requires the consumer to write a
``yes'' or ``no'' to indicate their opt-out preference or a form that
contains two blank check boxes: One that allows consumers to indicate
that they want to opt out and one that allows consumers to indicate
that they do not want to opt out.
In the final rules, the Agencies have retained the example of
including the opt-out notice in a privacy notice in Sec. --.24(b)(5)
as consistent with the statutory requirement that the Agencies consider
methods for coordinating and combining notices. The Agencies have
deleted the example of providing an opt-in as a form of opting out as
unnecessary and confusing.
Section --.25 Reasonable and Simple Methods of Opting Out
Section --.23 of the proposal set forth reasonable and simple
methods of opting out. This section generally tracked the examples of
reasonable opt-out means from Sec. --.7(a)(2)(ii) of the GLBA privacy
regulations with certain revisions to give effect to Congress's mandate
that methods of opting out be simple. For instance, proposed Sec.
--.23(a)(2) referred to including a self-addressed envelope with the
reply form and opt-out notice. The Agencies also contemplated that a
toll-free telephone number would be adequately designed and staffed to
enable consumers to opt out in a single phone call.
Proposed Sec. --.23(b) set forth methods of opting out that are
not reasonable and simple, such as requiring the consumer to write a
letter to the institution or to call or write to obtain an opt-out form
rather than including it with the notice. This section generally
tracked the examples of unreasonable opt-out means from Sec.
--.7(a)(2)(iii) of the GLBA privacy rules. In addition, the proposal
contained an example of a consumer who agrees to receive the opt-out
notice in electronic form only, such as by electronic mail or by using
a process at a Web site. Such a consumer should not be required to opt
out solely by telephone or paper mail.
Many industry commenters asked the Agencies to clarify that the
examples are not the only ways to comply with the rules. These
commenters believed that, as drafted, the proposal could be interpreted
as exclusive rules, rather than as examples. These commenters asked the
Agencies to make clear in the final rules that the methods set out in
the rules are examples and do not exclude other reasonable and simple
methods of opting out. A few industry commenters believed that the
final rules should not include any examples of methods of opting out
because of the potential for civil liability.
Many industry commenters also urged the Agencies to use the same
examples used in the GLBA privacy rules. These commenters did not
believe that Congress would allow coordinated and consolidated notices,
but require different methods of opting out. For instance, these
commenters recommended deleting the reference to a self-addressed
envelope because there is no such reference in the GLBA privacy rules.
One commenter noted that its experience with self-addressed envelopes
was negative because consumers often used the envelopes for other
purposes resulting in misdirected communications. Industry commenters
also objected to requiring institutions to provide an electronic opt-
out mechanism to a consumer who agrees to receive an opt-out notice in
electronic form. These commenters believed this example was unjustified
and inconsistent with the GLBA privacy rules. Commenters also indicated
that some institutions may not have the
[[Page 62935]]
technical capabilities to accept electronic opt-outs. Several
commenters recommended that the Agencies clarify that an institution is
not obligated to honor opt-outs submitted through means other than
those designated by the institution.
Consumer groups generally believed that the proposal appropriately
tracked the examples in the GLBA privacy regulations with revisions to
give effect to Congress's mandate that methods of opting out be simple.
These commenters believed, however, that the proposal was inadequate
because it provided examples instead of requiring the use of certain
methods. These commenters believed that the final rule should require
self-addressed envelopes and require that toll-free numbers be
adequately designed and staffed to enable consumers to opt out in a
single phone call. According to these commenters, inadequate and poorly
trained staff has been a shortcoming of the GLBA opt-out procedures.
These commenters also recommended that consumers be given the
opportunity to opt out by a simple check box on payment coupons.
Finally, these commenters asked the Agencies to clarify that the
federal standard is a floor and that if the notice is combined with
other choices made available under other federal and state laws, the
most consumer-friendly means for opting out should apply.
The Agencies have renumbered the section addressing reasonable and
simple methods of opting out as Sec. --.25 in the final rules, and
revised it as discussed below. The Agencies have restructured this
section to include a general rule and examples in separate paragraphs
(a) and (b) respectively. This revision clarifies that the specific
methods identified in the rule are examples, not an exhaustive list of
permissible methods.
The Agencies believe that including examples in Sec. --.25(b) is
helpful. However, the Agencies decline to adopt the GLBA examples
without change. Section 624 of the FCRA requires the Agencies to ensure
that the consumer is given reasonable and simple methods of opting out.
The GLBA did not require simple methods of opting out. The Agencies
believe that the methods of opting out can, in some instances, be
simpler than some of the reasonable methods illustrated in the GLBA
privacy rules. To effectuate the statutory mandate that consumers have
simple methods of opting out, the Agencies have modified, for purposes
of this rulemaking, some of the examples of reasonable methods of
opting out that were used in the GLBA privacy regulations.
Most of the examples in the final rules are substantially similar
to those in Sec. --.23(a) and (b) of the proposal with revisions for
clarity. The example in Sec. --.25(b)(1)(ii) has been revised to
reflect the Agencies' understanding that the reply form and self-
addressed envelope would be included together with the opt-out notice.
As in the proposal, the Agencies contemplate that a toll-free telephone
number that consumers may call to opt out, as illustrated by the
example in Sec. --.25(b)(1)(iv), would be adequately designed and
staffed to enable consumers to opt out in a single phone call. In
setting up a toll-free telephone number that consumers may use to
exercise their opt-out rights, institutions should minimize extraneous
messages directed to consumers who are in the process of opting out.
One new example in Sec. --.25(b)(1)(v) illustrates that reasonable
and simple methods include allowing consumers to exercise all of their
opt-out rights described in a consolidated opt-out notice that includes
the GLBA privacy, FCRA affiliate sharing, and FCRA affiliate marketing
opt-outs, by a single method, such as by calling a single toll-free
telephone number. This example furthers the statutory directive to the
Agencies to ensure that notices and disclosures may be coordinated and
consolidated. The final rules also clarify the example renumbered as
Sec. --.25(b)(2)(iii) to illustrate that it is not reasonable or
simple to require a consumer who receives the opt-out notice in
electronic form, such as through posting at an Internet Web site, to
opt out solely by paper mail or by visiting a different Web site
without providing a link to that site.
Section .25(c) has been added to clarify that each consumer may be
required to opt out through a specific means, as long as that means is
reasonable and simple for that consumer. This new section corresponds
to a provision in the GLBA privacy rules, Sec. --.7(a)(2)(iv).
Section --.26 Delivery of Opt-Out Notices
General Rule and Examples
Section --.24 of the proposal addressed the delivery of opt-out
notices. Proposed Sec. --.24(a) provided that an institution would
have to deliver an opt-out notice so that each consumer could
reasonably be expected to receive actual notice. This standard would
not have required actual notice. The supplementary information to the
proposal also clarified that, for opt-out notices delivered
electronically, the notices could be delivered either in accordance
with the electronic disclosure provisions in Subpart C or in accordance
with the E-Sign Act. For example, the institution could e-mail its
notice to a consumer who agreed to the electronic delivery of
information or provide the notice on its Internet Web site for a
consumer who obtained a product or service electronically from that Web
site. Commenters generally supported the reasonable expectation of
actual notice standard.
Proposed Sec. --.24(b) provided examples to illustrate what would
constitute delivery of an opt-out notice. Commenters expressed concern
about the electronic notice example in proposed paragraph (b)(1)(iii).
Consumer groups objected to this example by pointing to a growing trend
in which companies require consumers to agree to electronic notices if
they conduct business on an Internet Web site. These commenters
believed that there was nothing to ensure that the notice would be
clearly accessible to consumers on the Web site. These commenters
believed that, at a minimum, the Agencies should require the notice to
be sent to the consumer's e-mail address, rather than posted to an
Internet Web site, where the consumer has expressly opted in to the
electronic delivery of notices. Some industry commenters objected to
the acknowledgement of receipt requirement in this example as
inconsistent with the E-Sign Act. One of these commenters urged the
Agencies to explicitly incorporate the E-Sign Act into the requirements
for delivering opt-out notices.
The Agencies have renumbered the general rule regarding delivery of
opt-out notices as Sec. --.26(a) in the final rules and divided the
examples into positive and negative examples in Sec. Sec. --.26(b) and
(c) respectively. In the final rules, the Agencies have retained the
reasonable expectation of actual notice standard, which does not
require the institution to determine if the consumer actually received
the opt-out notice. For example, mailing a printed copy of the opt-out
notice to the last known mailing address of a consumer satisfies the
requirement to deliver the opt-out notice so that there is a reasonable
expectation that the consumer has received actual notice.
The Agencies have revised some of the examples of a reasonable
expectation of actual notice for electronic notices. The new example in
Sec. --.26(b)(3) illustrates that the reasonable expectation of actual
notice
[[Page 62936]]
standard would be satisfied by providing notice by e-mail to a consumer
who has agreed to receive disclosures by e-mail from the person
providing the notice. The Agencies reiterate that an acknowledgement of
receipt is not necessary for a notice provided by e-mail to such a
consumer. Conversely, the example in Sec. --.26(c)(2) illustrates that
the reasonable expectation of actual notice standard would not be
satisfied by providing notice by e-mail to a consumer who has not
agreed to receive disclosures by e-mail from the person providing the
notice.
The revised example in Sec. --.26(b)(4) illustrates that for a
consumer who obtains a product or service electronically, the
reasonable expectation standard would be satisfied by posting the
notice on the Internet Web site at which the consumer obtains such
product or services and requiring the consumer to acknowledge receipt
of the notice. Conversely, the new example in Sec. --.26(c)(3)
illustrates that the reasonable expectation standard would not be
satisfied by posting the notice on the Internet Web site without
requiring the consumer to acknowledge receipt of the notice. As
discussed above, the Agencies have determined that the electronic
delivery of opt-out notices does not require consumer consent in
accordance with the E-Sign Act because neither section 624 of the FCRA
nor the final rules require that the notice be provided in writing.
Thus, requiring an acknowledgement of receipt is within the scope of
the Agencies' interpretive authority. This example is also consistent
with an example in the GLBA privacy rules and seems appropriate where
the notice is posted at an Internet Web site.
The Agencies decline to require the delivery of electronic notices
by e-mail. Concerns about the security of e-mail, especially phishing,
make it inappropriate to require e-mail as the only permissible form of
electronic delivery for opt-out notices.
Section --.27 Renewal of Opt-Out
Proposed Sec. --.26 described the procedures for extension of an
opt-out. Proposed Sec. --.26(a) provided that a receiving affiliate
could not make or send solicitations to the consumer after the
expiration of the opt-out period based on eligibility information it
receives or has received from an affiliate, unless the person
responsible for providing the initial opt-out notice, or its successor,
has given the consumer an extension notice and a reasonable opportunity
to extend the opt-out, and the consumer does not extend the opt-out.
Thus, if an extension notice was not provided to the consumer, the opt-
out period would continue indefinitely. Proposed Sec. --.26(b) provided
that each opt-out extension would have to be effective for a period of
at least five years.
Proposed Sec. --.26(c) addressed the contents of a clear,
conspicuous, and concise extension notice and provided flexibility to
comply in either of two ways. Under one approach, the notice would
disclose the same items required to be disclosed in the initial opt-out
notice, along with a statement explaining that the consumer's prior
opt-out has expired or is about to expire, as applicable, and that if
the consumer wishes to keep the consumer's opt-out election in force,
the consumer must opt out again. Under a second approach, the extension
notice would provide: (1) That the consumer previously elected to limit
an affiliate from using eligibility information about the consumer that
it obtains from the communicating affiliate to make or send
solicitations to the consumer; (2) that the consumer's election has
expired or is about to expire, as applicable; (3) that the consumer may
elect to extend the consumer's previous election; and (4) a reasonable
and simple method for the consumer to opt out. The supplementary
information to the proposal clarified that institutions would not need
to provide extension notices if they treated the consumer's opt-out
election as valid in perpetuity, unless revoked by the consumer.
Proposed Sec. --.26(d) addressed the timing of the extension notice
and provided that an extension notice could be given to the consumer
either a reasonable period of time before the expiration of the opt-out
period, or any time after the expiration of the opt-out period but
before solicitations that would have been prohibited by the expired
opt-out are made to the consumer. The Agencies did not propose to set a
fixed time for what would constitute a reasonable period of time before
the expiration of the opt-out period to send an extension notice
because a reasonable period of time may depend upon the amount of time
afforded to the consumer for a reasonable opportunity to opt out, the
amount of time necessary to process opt-outs, and other factors.
Proposed Sec. --.26(e) made clear that sending an extension notice to
the consumer before the expiration of the opt-out period does not
shorten the five-year opt-out period.
A few industry commenters objected to the fact that the contents of
the extension notice would differ from the contents of the initial
notice by requiring that the extension notice inform the consumer that
the consumer's prior opt-out has expired or is about to expire, as
applicable, and that the consumer must opt out again to keep the opt-
out election in force. These commenters argued that the added
disclosure requirement would be costly and provide little benefit to
consumers. One commenter maintained that the added disclosure
requirement would make it difficult, if not impossible, to combine the
extension notice with the GLBA privacy notice. Commenters also
maintained that the language of the statute, particularly section
624(a)(1), contemplates that the same notice would satisfy the
requirements for the initial and extension notices. Consumer groups and
NAAG recommended that the Agencies define a ``reasonable opportunity''
to extend the opt-out as a period of at least 45 days before shared
eligibility information is used to make solicitations to the consumer.
The Agencies have renumbered the provisions addressing the
extension or renewal of opt-outs as Sec. --.27 in the final rules and
revised them. For purposes of clarity, the final rules refer to a
``renewal'' notice, rather than an ``extension'' notice.
Section--.27(a) contains the general rule, which provides that
after the opt-out period expires, a person may not make solicitations
based on eligibility information received from an affiliate to a
consumer who previously opted out unless the consumer has been given a
compliant renewal notice and a reasonable opportunity to opt out, and
the consumer does not renew the opt-out. This section also clarifies
that a person can make solicitations to a consumer after expiration of
the opt-out period if one of the exceptions in Sec. --.21(c) applies.
The Agencies decline to set a fixed minimum time period for a
reasonable opportunity to renew the opt-out as unnecessary and
inconsistent with the approach taken elsewhere in this rule and in the
GLBA privacy rules. The provision regarding the duration of the renewed
opt-out elicited no comment, and it has been retained in
Sec. --.27(a)(2) of the final rules.
Section--.27(a)(3) identifies the affiliates who may provide the
renewal notice. A renewal notice must be provided either by the
affiliate that provided the previous opt-out notice or its successor,
or as part of a joint renewal notice from two or more members of an
affiliated group of companies, or their successors, that jointly
provided the previous opt-out notice. This rule balances the Agencies'
goal of ensuring that the notice is
[[Page 62937]]
provided by an entity known to the consumer with a recognition that
flexibility is required to account for changes in the corporate
structure that may result from mergers and acquisitions, corporate name
changes, and other events.
The Agencies recognize that the content of the extension or renewal
notice differs from the content of the initial notice. Nothing in the
statute, however, requires identical content in the initial and renewal
notices. Moreover, the statute requires the Agencies to provide
specific guidance to ensure that opt-out notices are clear,
conspicuous, and concise. It is unreasonable to expect consumers, upon
receipt of a renewal notice, to remember that they previously opted out
five years ago (or longer) or, even if they do remember, to know that
they must opt out again in order to renew their opt-out decision.
Therefore, to ensure that the renewal notice is meaningful, the
Agencies conclude that the renewal notice must remind the consumer that
he or she previously opted out, inform the consumer that the opt-out
has expired or is about to expire, and advise the consumer that he or
she must opt out again to renew the opt-out and continue to limit
solicitations from affiliates. Under the final rules, the renewal
notice can state that ``the consumer's election has expired or is about
to expire.'' The Agencies have deleted the words ``as applicable'' so
that the notice does not have to be tailored to differentiate consumers
for whom the election ``has expired'' from those for whom the election
``is about to expire.''
The Agencies are not persuaded that the additional content of the
renewal notice will have any impact on the ability to combine the opt-
out notice with the GLBA privacy notice. Even if the language of the
renewal notice were identical to the initial notice, it still could be
difficult to avoid honoring a consumer's opt-out in perpetuity if the
affiliate marketing opt-out notice is incorporated into the GLBA
privacy notice. Privacy notices typically state that if a consumer has
previously opted out, it is not necessary for the consumer to opt out
again. This statement would be accurate with respect to the affiliate
marketing opt-out only if the consumer's opt-out is honored in
perpetuity. It would not be accurate, however, if the affiliate
marketing opt-out is effective only for a limited period of time,
subject to renewal by the consumer at intervals of five years or
longer. Thus, if the affiliate marketing opt-out notice was
consolidated with GLBA privacy notices and were effective for a limited
period of time, the privacy notices would have to be modified to make
clear that statements that the consumer does not have to opt out again
do not apply to the affiliate marketing renewal notice. Therefore, the
Agencies do not believe that requiring a renewal notice to contain
information not included in an initial notice will significantly affect
the ability to incorporate the affiliate marketing opt-out notices into
GLBA privacy notices because consolidation of the notices is most
likely to occur when the affiliate marketing opt-out will be honored in
perpetuity. Entities that prefer not to provide renewal notices may do
so by honoring the consumer's opt-out in perpetuity. The contents of
the renewal notice are adopted in Sec. --.27(b) with revisions that
incorporate the changes to Sec. --.23, as discussed above.
Section--.27(b) of the final rules also omits the alternative contents
set forth in the proposal, which the Agencies now believe would be
unnecessarily duplicative.
Proposed Sec. --.26(d) addressed the timing of the extension or
renewal notice and elicited no comment. The Agencies have renumbered
this provision as Sec. --.27(d) in the final rules, and adopted it with
technical revisions. As explained in the supplementary information to
the proposal, providing the renewal notice a reasonable period of time
before the expiration of the opt-out period would enable institutions
to begin marketing to consumers who do not renew their opt-out upon
expiration of the opt-out period. But giving a renewal notice too far
in advance of the expiration of the opt-out period may confuse
consumers. The Agencies will deem a renewal notice provided on or with
the last annual privacy notice required by the GLBA privacy provisions
sent to the consumer before the expiration of the opt-out period to be
reasonable in all cases.
Proposed Sec. --.26(e) regarding the effect of an extension or
renewal notice on the existing opt-out period elicited no comment. The
Agencies have renumbered this provision as Sec. --.27(d) in the final
rules, and adopted it with technical changes.
Section --.28 Effective Date, Compliance Date, and Prospective
Application
Effective Date and Compliance Date
Consistent with the requirements of section 624 of the FCRA, the
proposal indicated that the final rules would become effective six
months after the date on which they would be issued in final form. The
Agencies requested comment on whether there was any need to delay the
mandatory compliance date beyond the effective date specifically to
permit institutions to incorporate the affiliate marketing opt-out
notice into their next annual GLBA privacy notice.
Most industry commenters believed that the Agencies should delay
the mandatory compliance date until some time after the effective date
of the final rules. These commenters suggested various periods for
delaying the mandatory compliance date ranging from three months to
more than 24 months. Common recommendations were for a delayed
mandatory compliance date of six, 12, or 18 months.
Some of these commenters suggested a two-part mandatory compliance
date consisting of a delayed mandatory compliance date of either three
or six months for new accounts or for general application and a special
mandatory compliance date for institutions that intend to consolidate
their affiliate marketing opt-out notice with their GLBA privacy
notice. Under this special mandatory compliance date, institutions
would have to comply at the time they provide their next GLBA privacy
notice following the effective date of the final rules or a date
certain, whichever is earlier.
Industry commenters believed that a delayed mandatory compliance
date was necessary in order to make significant changes to business
practices and procedures, to implement necessary operational and
systems changes, and to design and provide opt-out notices. Industry
commenters also noted that many institutions would like to send the
affiliate marketing opt-out notice with their initial or annual GLBA
privacy notices, both to minimize costs and to avoid consumer
confusion. These commenters noted that many large institutions provide
GLBA privacy notices on a rolling basis and that a delayed mandatory
compliance date was necessary to enable institutions to introduce the
affiliate marketing opt-out notice into this cycle. One large
institution estimated that its first-year compliance costs would
increase by a minimum of $660,000 if it was not able to consolidate the
affiliate marketing opt-out notice with its GLBA privacy notice. A few
industry commenters believed that Congress knew that an effective date
is not necessarily the same as a mandatory compliance date because
banking regulations commonly have effective dates and mandatory
compliance dates that differ.
Consumer groups and NAAG believed that the effective date of the
final rules
[[Page 62938]]
should be the mandatory compliance date. These commenters believed that
institutions have had time to prepare for compliance since the FACT Act
became law in December 2003. Consumer groups believed that if
institutions need more time to comply, affiliates should cease using
eligibility information to make solicitations until the notice and
opportunity to opt out is provided.
The final rules will become effective January 1, 2008. Consistent
with the statute's directive that the Agencies ensure that notices may
be consolidated and coordinated, the mandatory compliance date is
delayed to give institutions a reasonable amount of time to include the
affiliate marketing opt-out notice with their initial and annual
privacy notices. Accordingly, compliance with Subpart C is required not
later than October 1, 2008. The Agencies believe that delaying the
mandatory compliance date for approximately one year will give all
institutions adequate time to develop and distribute opt-out notices
and give most institutions sufficient time to develop and distribute
consolidated notices if they choose to do so.
Prospective Application
Proposed Sec. --.20(e) provided that the provisions of Subpart C
would not apply to eligibility information that was received by a
receiving affiliate prior to the date on which compliance with these
regulations would be required. Some industry commenters supported this
provision. Other industry commenters, however, believed that the
proposed rule did not track the statutory language or reflect the
intent of Congress. These commenters believed that the final rules
should grandfather all information received by any financial
institution or affiliate in a holding company prior to the mandatory
compliance date, and not grandfather only that information received
prior to the mandatory compliance date by a person that intends to use
the information to make solicitations to the consumer. Some of these
commenters recommended, in the alternative, that the Agencies clarify
that any information placed into a common database by an affiliate
should be deemed to have been provided to an affiliated person if the
Agencies opt to retain the prospective application provision as
proposed. These commenters argued that without such a clarification,
affiliated companies would have to undertake the costly deconstruction
of existing databases to ensure compliance.
In the final rules, the provision addressing prospective
application has been renumbered as Sec. --.28(c), and revised. The
Agencies continue to believe that the better interpretation of the non-
retroactivity provision is that it is tied to receipt of eligibility
information by a person that intends to use the information to make
solicitations to the consumer. The final rules clarify, however, that a
person is deemed to receive eligibility information from its affiliate
when the affiliate places that information in a common database where
it is accessible by the person, even if the person has not accessed or
used that information as of the compliance date. For example, assume
that an affiliate obtains eligibility information about a consumer as a
result of having a pre-existing business relationship with that
consumer. The affiliate places that information into a common database
that is accessible to other affiliates before the mandatory compliance
date. The final rules do not apply to that information and other
affiliates may use that information for marketing to the consumer. On
the other hand, if the affiliate obtains eligibility information about
the consumer before the mandatory compliance date, but does not either
place that information into a common database that is accessible to
other affiliates or otherwise provide that information to another
affiliate before the mandatory compliance date, the final rules will
apply to that eligibility information. Further, if the database is
updated with new eligibility information after the mandatory compliance
date, the final rules will apply to the new or updated eligibility
information.
Appendix C
Appendix A of the proposal contained model forms to illustrate by
way of example how institutions could comply with the notice and opt-
out requirements of section 624 and the proposed regulations. Appendix
A included three proposed model forms. Model Form A-1 was a proposed
form of an initial opt-out notice. Model Form A-2 was a proposed form
of an extension notice. Model Form A-3 was a proposed form that
institutions may use if they offer consumers a broader right to opt out
of marketing than is required by law.
The proposed model forms were designed to convey the necessary
information to consumers as simply as possible. The Agencies tested the
proposed model forms using two widely available readability tests, the
Flesch reading ease test and the Flesch-Kincaid grade level test, each
of which generates a readability score.\16\ Proposed Model Form A-1 had
a Flesch reading ease score of 53.7 and a Flesch-Kincaid grade level
score of 9.9. Proposed Model Form A-2 had a Flesch reading ease score
of 57.5 and a Flesch-Kincaid grade level score of 9.6. Proposed Model
Form A-3 had a Flesch reading ease score of 69.9 and a Flesch-Kincaid
grade level score of 6.7.
---------------------------------------------------------------------------
\16\ The Flesch reading ease test generates a score between zero
and 100, where the higher score correlates with improved
readability. The Flesch-Kincaid grade level test generates a
numerical assessment of the grade-level at which the text is
written.
---------------------------------------------------------------------------
Commenters generally supported the proposed model forms. As noted
above, some commenters had concerns about the content of the initial
and renewal notices. Some industry commenters expressed concern about
requiring the notice to specify the applicable time period and the
consumer's right to renew the election once the opt-out expires.
Industry commenters also suggested revising the language of the notice
to refer either to ``financial'' information or ``credit eligibility''
information for clarity. One commenter suggested deleting the examples
of the types of information shared with affiliates. Another commenter
suggested rephrasing the model forms in the passive voice. One
commenter encouraged the Agencies to clarify that use of the model
forms provides a safe harbor. Another commenter believed that the
optional third paragraph of Model Form A-1 should be revised, or an
alternate paragraph added, to provide guidance on how to clearly
disclose to consumers that the opt-out may not limit the sharing of
contact information and other information that does not meet the
definition of ``consumer report.''
Consumer groups and NAAG commended the Agencies for reporting the
Flesch reading ease score and Flesch-Kincaid grade-level score for each
of the model forms. These commenters urged the Agencies to modify the
proposed rule to require that any person that does not use the model
forms must provide a notice that achieves readability scores at least
as good as the scores for the model forms. Consumer groups also
suggested adding a sentence about providing the form annually to
mitigate consumer confusion. These commenters also urged the Agencies
to adopt a short-form notice.
The Agencies have revised and expanded the number of model forms to
reflect changes made to the final rules. In addition, for ease of
reference, the model forms have been renumbered as
[[Page 62939]]
Appendix C to correspond with Subpart C to which they pertain. The
Agencies believe that model forms are helpful for entities that give
notices and beneficial for consumers. The model forms are provided as
stand-alone documents. However, some persons may choose to combine the
opt-out notice with other consumer disclosures, such as the GLBA
privacy notice. Creating a consolidated model form is beyond the scope
of this rulemaking, but, as discussed above, institutions can combine
the affiliate marketing opt-out notice with other disclosures,
including the GLBA privacy notice.
On March 31, 2006, the Board, FDIC, FTC, NCUA, OCC, and SEC
released a report entitled Evolution of a Prototype Financial Privacy
Notice prepared by Kleimann Communication Group, Inc., summarizing
research that led to the development of a prototype short-form GLBA
privacy notice. That prototype included an affiliate marketing opt-out
notice. The prototype assumed that the notice would be provided by the
affiliate that is sharing eligibility information. The Agencies believe
that providing model forms in this rule for stand-alone opt-out notices
that may be used in a more diverse set of circumstances than a model
privacy form is appropriate and consistent with efforts to develop a
model privacy form. On March 29, 2007, the Agencies, the FTC, SEC, and
Commodity Futures Trading Commission published for public comment in
the Federal Register (72 FR 14,940) a model privacy form that includes
the affiliate marketing opt-out. Once such a notice is published in
final form, use of the model privacy form will satisfy the requirement
to provide an initial affiliate marketing opt-out notice.
The final rules include five model forms. Model Form C-1 is the
model for an initial notice provided by a single affiliate. Model Form
C-2 is the model for an initial notice provided as a joint notice from
two or more affiliates. Model Form C-3 is the model for a renewal
notice provided by a single affiliate. Model Form C-4 is the model for
a renewal notice provided as a joint notice from two or more
affiliates. Model Form C-5 is a model for a voluntary ``no marketing''
opt-out.
The Agencies tested each of the model forms using two widely-
available readability tests, the Flesch reading ease test and the
Flesch-Kincaid grade level test. In conducting these tests, the
Agencies eliminated parenthetical text wherever possible, included the
optional clauses, and substituted the names of fictional entities, for
example, ABC Bank or the ABC group of companies, as the names of the
relevant entities to ensure that the test results were not skewed by
the inclusion of descriptive text that would not be included in actual
opt-out notices. The results of these tests are summarized for each of
the model forms in Table 1 below.
Although the Agencies encourage the use of these tests as well as
other types of consumer testing in designing opt-out notices, the
Agencies decline to adopt a prescriptive approach that requires notices
to achieve certain scores under the Flesch reading ease or Flesch-
Kincaid grade level tests. Some variation in readability scores is
inevitable and may be caused by minor differences in the language of
the notice, such as the name of the entity providing the notice or the
types of information that may be used for marketing.
Table 1
------------------------------------------------------------------------
Flesch-
Flesch Kincaid
reading grade level
ease score score
------------------------------------------------------------------------
Model Form C-1................................ 50.2 11.5
Model Form C-2................................ 51.7 11.5
Model Form C-3................................ 54.6 9.7
Model Form C-4................................ 54.2 9.8
Model Form C-5................................ 81.3 3.8
------------------------------------------------------------------------
As noted in the proposal, use of the model forms is not mandatory.
However, appropriate use of the model forms provides a safe harbor.
There is flexibility to use or not use the model forms, or to modify
the forms, so long as the requirements of the regulation are met. For
example, although several of the model forms use five years as the
duration of the opt-out period, an opt-out period of longer than five
years may be used and the longer time period substituted in the opt-out
notices. Alternatively, the consumer's opt-out may be treated as
effective in perpetuity and, if so, the opt-out notice should omit any
reference to the limited duration of the opt-out period or the right to
renew the opt-out.
The Agencies have revised the model forms so that the disclosure
regarding the duration of the opt-out may state that the opt-out
applies either for a fixed number of years or ``at least 5 years.''
This revision permits institutions that use a longer opt-out period or
that subsequently extend their opt-out period to rely on the model
language. The model form also contains a reference to the consumer's
right to revoke an opt-out. In addition, language has been added to the
model forms to clarify that, with an opt-out of limited duration, a
consumer does not have to opt out again until a renewal notice is sent.
V. Regulatory Analysis
Paperwork Reduction Act
In accordance with the requirements of the Paperwork Reduction Act
(PRA) of 1995 (44 U.S.C. 3506; 5 CFR part 1320 Appendix A.1), the
Agencies have reviewed the final rules and determined that they contain
collections of information subject to the PRA. The Board made this
determination under authority delegated to the Board by the Office of
Management and Budget (OMB). The collections of information required by
these rules are found in 12 CFR 41.21-41.27, 12 CFR 222.21-222.27, 12
CFR 334.21-334.27, 12 CFR 571.21-571.27, and 12 CFR 717.21-717.27. The
Agencies may not conduct or sponsor, and the respondent is not required
to respond to, an information collection unless it displays a currently
valid OMB control number. This collection is mandatory (15 U.S.C. 1693
et seq.). The respondents/recordkeepers are financial institutions that
share certain information for marketing purposes, and certain consumers
of their services.
The final rules impose disclosure requirements on certain
affiliated companies subject to each Agency's jurisdiction.
Specifically, the FACT Act and the final rules provide that when a
company communicates certain information about the consumer
(``eligibility information'') to an affiliate, the affiliate may not
use that information to make solicitations for marketing purposes to
the consumer unless the consumer is given a notice and an opportunity
to opt-out of that use of the information and the consumer does not
opt-out.
In the proposal, the Agencies estimated that the average amount of
time for a person to prepare an initial notice as required under the
proposal and distribute the notice to consumers would be approximately
18 hours. The Agencies recognized that the amount of time needed for
any particular person subject to the proposed requirements may be
higher or lower, but believed that this average figure was a reasonable
estimate. To minimize the compliance costs and burdens for persons,
particularly small entities, the proposed rule contained model
disclosures and opt-out notices that may be used to satisfy the
statutory requirements. The proposed rule gave covered persons
flexibility to satisfy the notice and opt-out requirement by sending
the consumer a free-standing opt-out notice or by adding the opt-out
notice to the
[[Page 62940]]
privacy notices already provided to consumers in accordance with the
provisions of Title V of the GLBA. For covered persons that choose to
prepare a free-standing opt-out notice, the time necessary to prepare a
free-standing opt-out notice would be minimal, because those persons
could simply copy the model disclosure, making minor adjustments as
indicated by the model disclosure. Similarly, for covered persons that
choose to incorporate the opt-out notice into their GLBA privacy
notices, the time necessary to integrate the model opt-out notice into
their privacy notices would be minimal. The Agencies estimated that the
average consumer would take approximately five minutes to respond to
the notice and opt-out.
The Agencies did not estimate the burden for preparing and
distributing extension notices by covered persons that choose to limit
the duration of the opt-out time period because the minimum effective
time period for the opt-out is five years. The Agencies proposed to
estimate the burden for this requirement when they conduct a subsequent
review of the information collection.
Information Collection
The Agencies, other than the Board and NCUA, are seeking OMB
approval to extend for three years, with revision, the information
collections in connection with this final rule. The Board, under its
delegated authority from OMB, has approved the implementation of this
information collection. The NCUA is seeking OMB approval for this new
collection of information.
OCC:
Title: Fair Credit Reporting Affiliate Marketing (12 CFR part 41).
OMB Number: 1557-0230
Frequency of Response: On occasion.
Affected Public: National banks, Federal branches and agencies of
foreign banks, and their respective operating subsidiaries that are not
functionally regulated within the meaning of section 5(c)(5) of the
Bank Holding Company Act of 1956, as amended (12 U.S.C. 1844(c)(5).
Number of Respondents: 770 National banks and 916,895 Consumers.
Estimated Time per Response: 18 hours, Prepare and distribute
notice to consumers, and employee training; 5 minutes, Consumer
response to opt-out notice.
Total Estimated Annual Burden: 90,265 hours.
Board:
Title: Information Collection Requirements in Connection with
Regulation V (Fair Credit Reporting Act) (Affiliate Marketing
Disclosures/Consumer Opt-Out Notices).
OMB Number: 7100-0308.\17\
---------------------------------------------------------------------------
\17\ The information collections (ICs) in this rule will be
incorporated with the Board's Disclosure Requirements Associated
with Regulation V (OMB No. 7100-0308). The burden estimates provided
in this rule pertain only to the ICs associated with this final
rulemaking. The current OMB inventory for Regulation V is available
at: http://www.reginfo.gov/public/do/PRAMain.
---------------------------------------------------------------------------
Frequency of Response: On occasion.
Affected Public: State member banks, branches and agencies of
foreign banks (other than federal branches, Federal agencies, and
insured State branches of foreign banks), commercial lending companies
owned or controlled by foreign banks, Edge and agreement corporations,
and bank holding companies and affiliates of such holding companies
(other than depository institutions and consumer reporting agencies).
Number of Respondents: 2,619 Financial institutions and 638,380
Consumers.
Estimated Time per Response: 18 hours, Prepare and distribute
notice to consumers, and employee training; 5 minutes, Consumer
response to opt-out notice.
Total Estimated Annual Burden: 100,423 hours.
FDIC:
Title: Affiliate Marketing Disclosures/Consumer Opt-Out Notices.
OMB Number: 3064-0149.
Frequency of Response: On occasion.
Affected Public: Insured state nonmember banks.
Number of Respondents: 978 Financial institutions and 198,450
Consumers.
Estimated Time per Response: 18 hours, Prepare and distribute
notice to consumers, and employee training; 5 minutes, Consumer
response to opt-out notice.
Total Estimated Annual Burden: 34,142 hours.
OTS:
Title: Fair Credit Reporting Affiliate Marketing Regulations.
OMB Number: 1550-0112.
Frequency of Response: On occasion.
Affected Public: Savings associations and Federal savings
association operating subsidiaries that are not functionally regulated
within the meaning of section 5(c)(5) of the Bank Holding Company Act
of 1956, as amended (12 U.S.C. 1844(c)(5)).
Number of Respondents: 609 Financial institutions and 216,783
Consumers.
Estimated Time per Response: 18 hours, Prepare and distribute
notice to consumers, and employee training; 5 minutes, Consumer
response to opt-out notice.
Total Estimated Annual Burden: 28,955 hours.
NCUA:
Title: Information Collection Requirements in Connection with Fair
Credit Reporting Act Regulations.
OMB Number: 3133-New.
Frequency of Response: On occasion.
Affected Public: Federal credit unions with CUSO affiliates.
Number of Respondents: 1,065 Financial institutions and 1,023,693
Consumers.
Estimated Time per Response: 18 hours, Prepare and distribute
notice to consumers, and employee training; 5 minutes, Consumer
response to opt-out notice.
Total Estimated Annual Burden: 104,137 hours.
The Agencies received one comment, from a trade association, in
response to the PRA section of the proposal. The commenter raised
concerns that the Agencies' PRA cost estimates conveyed a misleading
impression of the cost of complying with the affiliate marketing opt-
out rule. The commenter's principal objection was that the cost
estimates assume that the major cost is that of sending the
disclosures, rather than processing any opt-out requests and ensuring
that solicitations are not sent to consumers who have opted-out (or
have not yet had a reasonable opportunity to opt-out). The commenter
was concerned that the cost estimates did not reflect the costs
associated with building compliance systems, such as costs attributed
to significant database programming, coordination across business
entities, legal and managerial review, employee training, and business
process changes. The commenter stated that the PRA analysis did not
take into account the significant clerical effort needed to comply with
the proposed rule. The commenter also stated that companies that
currently provide GLBA privacy and Fair Credit Reporting Act (FCRA)
affiliate sharing opt-out notices would still incur significant costs
because (1) unlike under the GLBA opt-out right, the new affiliate
marketing opt-out right applies to affiliates, and (2) unlike under the
FCRA affiliate sharing opt-out, the new affiliate marketing opt-out
right applies to transaction or experience information. The commenter
objected to the Agencies' use of average figures which take into
account the fact that some companies may not need to provide affiliate
marketing opt-out notices to consumers, rather than focusing
exclusively on the costs to companies that must provide the notice.
Finally, the commenter stated that
[[Page 62941]]
compliance with the proposed rule would be particularly difficult
because software modifications and employee training would be required
to ensure that both bank and affiliate employees have access to
consumer's transaction or experience information in order to service
their accounts, but are prevented from using that information to
solicit business from consumers that have exercised their opt-out
rights.
In response, the Agencies continue to believe that 18 hours is a
reasonable estimate of the average amount of time to prepare and
distribute an initial notice to consumers and for employee training;
and five minutes is a reasonable estimate of the average consumer
response time. The Agencies continue to believe that institutions
should be able to modify existing database systems and employee
training programs, used to comply with the GLBA and FCRA notice and
opt-out requirements, to meet the requirements held in this final rule.
As required by the PRA, the Agencies' annual burden estimates take into
account the burden associated with the reporting, recordkeeping, and
third-party disclosure requirements of the final rules (see 44 U.S.C.
3502(2); 5 CFR 1320.3(b)). The Agencies also believe that the
availability of model disclosures and opt-out notices may significantly
reduce the cost of compliance. In addition, the final rules give
persons flexibility to provide a joint opt-out notice on behalf of
multiple affiliates and to define the scope and the duration of the
opt-out. This flexibility may reduce the cost of compliance by allowing
covered persons to make choices that are most appropriate for their
business. Moreover, since the notice is only required to be given once
for a minimum period of at least five years, the Agencies' estimates
assume a higher burden will be incurred during the first year of the
OMB clearance period with a lesser burden incurred during the
subsequent two years.
The Agencies have a continuing interest in the public's opinions of
our collections of information. At any time, comments regarding the
burden estimate, or any other aspect of this collection of information,
including suggestions for reducing the burden, may be sent to the
following:
OCC: Communications Division, Office of the Comptroller of the
Currency, Public Information Room, Mailstop 1-5, Attention: 1557-0230,
250 E Street, SW., Washington, DC 20219. In addition, comments may be
sent by fax to (202) 874-4448, or by electronic mail to
[email protected]. You can inspect and photocopy comments at
the OCC's Public Information Room, 250 E Street, SW., Washington, DC
20219. For security reasons, the OCC requires that visitors make an
appointment to inspect comments. You may do so by calling (202) 874-
5043. Upon arrival, visitors will be required to present valid
government-issued photo identification and submit to security screening
in order to inspect and photocopy comments.
Board: You may submit comments, which should refer to ``Information
Collection Requirements in Connection with Regulation V (Fair Credit
Reporting Act) (Affiliate Marketing Disclosures/Consumer Opt-Out
Notices), 7100-0308'' by any of the following methods:
Agency Web Site: http://www.federalreserve.gov. Follow the
instructions for submitting comments on the http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm.
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.
E-mail: [email protected]. Include docket
number in the subject line of the message.
Fax: 202-452-3819 or 202-452-3102.
Mail: Jennifer J. Johnson, Secretary, Board of Governors
of the Federal Reserve System, 20th Street and Constitution Avenue,
NW., Washington, DC 20551.
All public comments are available from the Board's Web site at
www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as submitted,
unless modified for technical reasons. Accordingly, your comments will
not be edited to remove any identifying or contact information. Public
comments may also be viewed electronically or in paper in Room MP-500
of the Board's Martin Building (20th and C Streets, NW.) between 9 a.m.
and 5 p.m. on weekdays.
FDIC: You may submit comments, which should refer to ``Affiliate
Marketing Disclosures/Consumer Opt-Out Notices, 3064-0149,'' by any of
the following methods:
http://www.FDIC.gov/regulations/laws/federal/notices.html.
E-mail: [email protected]. Include ``Affiliate Marketing
Disclosures/Consumer Opt-Out Notices, 3064-0149,'' in the subject line
of the message.
Mail: Steven F. Hanft (202-898-3907), Clearance Officer,
Attn: Comments, Room MB-2088, Federal Deposit Insurance Corporation,
550 17th Street, NW., Washington, DC 20429.
Hand Delivery: Comments may be hand delivered to the guard
station at the rear of the 550 17th Street Building (located on F
Street) on business days between 7 a.m. and 5 p.m.
Public Inspection: All comments received will be posted without
change to http://www.fdic.gov/regulations/laws/federal/notices.html
including any personal information provided. Comments may be inspected
at the FDIC Public Information Center, Room E-1002, 3501 Fairfax Drive,
Arlington, VA 22226, between 9 a.m. and 5 p.m. on business days.
OTS: You may submit comments, identified by ``1550-0112 (Fair
Credit Reporting Affiliate Marketing Regulations),'' by any of the
following methods:
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.
E-mail address: [email protected].
Please include ``1550-0112 (Fair Credit Reporting Affiliate Marketing
Regulations),'' in the subject line of the message and include your
name and telephone number in the message.
Fax: (202) 906-6518.
Mail: Information Collection Comments, Chief Counsel's
Office, Office of Thrift Supervision, 1700 G Street, NW, Washington, DC
20552, Attention: ``1550-0112 (Fair Credit Reporting Affiliate
Marketing Regulations).''
Hand Delivery/Courier: Guard's Desk, East Lobby Entrance,
1700 G Street, NW, from 9 a.m. to 4 p.m. on business days, Attention:
Information Collection Comments, Chief Counsel's Office, Attention:
``1550-0112 (Fair Credit Reporting Affiliate Marketing Regulations).''
Instructions: All submissions received must include the agency name
and OMB Control Number for this information collection. All comments
received will be posted without change to the OTS Internet Site at
http://www.ots.treas.gov/pagehtml.cfm?catNumber=67&an=1, including any
personal information provided.
Docket: For access to the docket to read background documents or
comments received, go to http://www.ots.treas.gov/pagehtml.cfm?catNumber=67&an=1.
In addition, you may inspect comments at the Public Reading Room,
1700 G Street, NW., by appointment. To make an appointment for access,
call (202) 906-5922, send an e-mail to public.info@ots.treas.gov">public.info@ots.treas.gov, or
send a facsimile transmission to (202) 906-7755. (Prior notice
identifying the materials you will be requesting will
[[Page 62942]]
assist us in serving you.) We schedule appointments on business days
between 10 a.m. and 4 p.m. In most cases, appointments will be
available the next business day following the date we receive a
request.
NCUA: You may submit comments by any of the following methods
(please send comments by one method only):
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.
NCUA Web Site: http://www.ncua.gov/RegulationsOpinionsLaws/proposedregs/proposedregs.html. Follow the
instructions for submitting comments.
E-mail: Address to [email protected]. Include ``[Your
name] Comments on Information Collection Requirements in Connection
with Fair Credit,'' in the e-mail subject line.
Fax: (703) 518-6319. Use the subject line described above
for e-mail.
Mail: Address to Neil McNamara, Deputy Chief Information
Officer, National Credit Union Administration, 1775 Duke Street,
Alexandria, VA 22314-3428.
Hand Delivery/Courier: Same as mail address.
Additionally, you should send a copy of your comments to [Agency]
Desk Officer, [OMB No.], by mail to U.S. Office of Management and
Budget, 725 17th Street, NW., 10235, Washington, DC 20503, or
by fax to (202) 395-6974.
Regulatory Flexibility Act
OCC: OCC prepared an initial regulatory flexibility analysis as
required by the Regulatory Flexibility Act (RFA) (5 U.S.C. 601 et seq.)
in connection with the July 15, 2004 proposed rule. OCC received one
comment on its regulatory flexibility analysis.
Under Section 605(b) of the RFA, 5 U.S.C. 605(b), the regulatory
flexibility analysis otherwise required under Section 604 of the RFA is
not required if an agency certifies, along with a statement providing
the factual basis for such certification, that the rule will not have a
significant economic impact on a substantial number of small entities.
For purposes of the RFA and OCC-regulated entities, a ``small entity''
is a national bank with assets of $165 million or less (small national
bank). Based on its analysis and for the reasons stated below, OCC
certifies that this final rule will not have a significant economic
impact on a substantial number of small entities. OCC's final rule will
not impact a substantial number of small entities because OCC estimates
that the final rule will affect no more than 12 out of 948 small
national banks (approximately 1%) with assets of $165 million or less.
1. Statement of the Need for, and Objectives of, the Final Rule
The FACT Act amends the FCRA and was enacted, in part, for the
purpose of allowing consumers to limit the use of eligibility
information received from an affiliate to make solicitations to the
consumer. Section 214 of the FACT Act generally prohibits a person from
using certain information received from an affiliate to make a
solicitation for marketing purposes to a consumer, unless the consumer
is given notice and an opportunity and simple method to opt out of the
making of such solicitations. Section 214 requires the OCC, together
with the other Agencies, the FTC, and the SEC, to consult and
coordinate with each other and to prescribe regulations implementing
section 214 that, to the extent possible, are consistent and
comparable. OCC is adopting the final rule to implement section 214 of
the FACT Act. The Supplementary Information contains information on the
objectives of the final rule.
2. Summary of Issues Raised by Comments in Response to the Initial
Regulatory Flexibility Analysis
OCC conducted an initial regulatory flexibility analysis in
connection with the proposed rule as required by section 3(a) of the
RFA (5 U.S.C. 603(a)). One commenter, the Mortgage Bankers Association
(MBA), believed that the Agencies had underestimated compliance costs.
The issues raised by the MBA are described in the Paperwork Reduction
Act section of the SUPPLEMENTARY INFORMATION. The MBA's concerns
applied equally to small entities and larger entities. The MBA did not
raise any issues unique to small entities.
3. Description and Estimate of Small Entities Affected by the Final
Rule
The final rule applies to national banks, Federal branches and
agencies of foreign banks, and any of their operating subsidiaries that
are not functionally regulated within the meaning of section 5(c)(5) of
the Bank Holding Company Act of 1956, as amended (12 U.S.C. 1844(c)(5))
(national banks). However, the rule's requirements only affect those
entities with affiliates that choose to structure their marketing
activities in a manner that triggers the rule's requirements.
OCC estimates that its final rule could apply to as many as 1,806
national banks. The OCC also estimates that 1,036 of these national
banks do not have affiliates and, therefore, will not affected by the
requirements of the final rule. Of the estimated 770 national banks
that would be subject to the final rule's requirements, approximately
12 of these institutions are small national banks with assets of $165
million or less.
In addition, small entities that have affiliates may choose not to
engage in activities that would require compliance with the final rule.
For example, small entities may choose not to share eligibility
information with their affiliates for the purpose of making
solicitations. Alternatively, small entities and their affiliates may
structure their marketing activities in a way that does not trigger the
requirement to comply with the final rule, such as by relying upon the
exceptions to the notice requirement contained in the final rule.
4. Recordkeeping, Reporting, and Other Compliance Requirements
The final rule requires all national banks, including small
national banks, to provide opt-out notices and renewal notices to
consumers in certain circumstances, as discussed in the SUPPLEMENTARY
INFORMATION section above, and to implement consumers' opt-out
elections. The final rule contains no requirement to report information
to the Agencies.
Small entities that have affiliates, share eligibility information
with those affiliates, and use that information to make solicitations
for marketing purposes may be subject to the rule. Small entities that
do not have affiliates, do not share eligibility information with their
affiliates for marketing purposes, use shared eligibility information
for purposes of making solicitations only in accordance with one of the
exceptions set forth in the final rule, or structure their marketing
activities to eliminate the need to provide an opt-out notice would not
be subject to the final rule. The professional skills necessary for
preparation of the opt-out notice include compliance and/or privacy
specialists and computer programmers.
5. Steps Taken To Minimize the Economic Impact on Small Entities
OCC and the other Agencies have attempted to minimize the economic
impact on small entities by adopting consistent rules and by allowing
joint notices on behalf of multiple affiliates. In addition, OCC and
the other Agencies have provided model forms that small institutions
may, but are not required to, use to minimize the cost of compliance.
[[Page 62943]]
Board: The Board prepared an initial regulatory flexibility
analysis as required by the Regulatory Flexibility Act (RFA) (5 U.S.C.
601 et seq.) in connection with the July 15, 2004 proposed rule. The
Board received one comment on its regulatory flexibility analysis.
Under Section 605(b) of the RFA, 5 U.S.C. 605(b), the regulatory
flexibility analysis otherwise required under Section 604 of the RFA is
not required if an agency certifies, along with a statement providing
the factual basis for such certification, that the rule will not have a
significant economic impact on a substantial number of small entities.
Based on its analysis and for the reasons stated below, the Board
certifies that this final rule will not have a significant economic
impact on a substantial number of small entities.
1. Statement of the Need for, and Objectives of, the Final Rule
The FACT Act amends the FCRA and was enacted, in part, for the
purpose of allowing consumers to limit the use of eligibility
information received from an affiliate to make solicitations to the
consumer. Section 214 of the FACT Act generally prohibits a person from
using certain information received from an affiliate to make a
solicitation for marketing purposes to a consumer, unless the consumer
is given notice and an opportunity and simple method to opt out of the
making of such solicitations. Section 214 requires the Board, together
with the other Agencies, the FTC, and the SEC, to issue regulations
implementing the section in consultation and coordination with each
other. The Board received no comments on the reasons for the proposed
rule. The Board is adopting the final rule to implement Sec. 214 of
the FACT Act. The SUPPLEMENTARY INFORMATION above contains information
on the objectives of the final rule.
2. Summary of Issues Raised by Comments in Response to the Initial
Regulatory Flexibility Analysis
In accordance with Section 3(a) of the RFA, the Board conducted an
initial regulatory flexibility analysis in connection with the proposed
rule. One commenter, the Mortgage Bankers Association (MBA), believed
that the Board and the other Agencies had underestimated the costs of
compliance. The issues raised by the MBA are described in the Paperwork
Reduction Act section above. The MBA's concerns applied equally to
small entities and larger entities. The MBA did not raise any issues
unique to small entities.
3. Description and Estimate of Small Entities Affected by the Final
Rule
The final rule applies to all banks that are members of the Federal
Reserve System (other than national banks) and their respective
operating subsidiaries, branches and Agencies of foreign banks (other
than Federal branches, Federal Agencies, and insured State branches of
foreign banks), commercial lending companies owned or controlled by
foreign banks, and organizations operating under section 25 or 25A of
the Federal Reserve Act (12 U.S.C. 601 et seq., and 611 et seq.). The
Board's rule will apply to the following institutions (numbers
approximate): State member banks (881), operating subsidiaries that are
not functionally regulated with in the meaning of section 5(c)(5) of
the Bank Holding Company Act of 1956, as amended (877), U.S. branches
and agencies of foreign banks (219), commercial lending companies owned
or controlled by foreign banks (3), and Edge and agreement corporations
(64), for a total of approximately 2,044 institutions. The Board
estimates that more than 1,448 of these institutions could be
considered small entities with assets of $165 million or less.
All small entities covered by the Board's rule potentially could be
subject to the final rule. However, small entities that do not have
affiliates would not be subject to the final rule. In addition, small
entities that have affiliates may choose not to engage in activities
that would require compliance with the final rule. For example, small
entities may choose not to share eligibility information with their
affiliates for the purpose of making solicitations. Alternatively,
small entities and their affiliates may structure their marketing
activities in a way that does not trigger the requirement to comply
with the final rule, such as by relying upon the exceptions to the
notice requirement contained in the final rule.
4. Recordkeeping, Reporting, and Other Compliance Requirements
The final rule requires small entities to provide opt-out notices
and renewal notices to consumers in certain circumstances, as discussed
in the SUPPLEMENTARY INFORMATION above. The final rule also requires
small entities to implement consumers' opt-out elections. The final
rule contains no requirement to report information to the Agencies.
Small entities that have affiliates and that share eligibility
information with those affiliates for purposes of making solicitations
may be subject to the rule. Small entities that do not have affiliates,
do not share eligibility information with their affiliates for
marketing purposes, use shared eligibility information for purposes of
making solicitations only in accordance with one of the exceptions set
forth in the final rule, or structure their marketing activities to
eliminate the need to provide an opt-out notice would not be subject to
the final rule. The professional skills necessary for preparation of
the opt-out notice include compliance and/or privacy specialists and
computer programmers.
5. Steps Taken To Minimize the Economic Impact on Small Entities
The Board and the other Agencies have attempted to minimize the
economic impact on small entities by adopting consistent rules and by
allowing joint notices on behalf of multiple affiliates. In addition,
the Board and the other Agencies have provided model forms that small
institutions may, but are not required to, use to minimize the cost of
compliance.
FDIC: The FDIC prepared an initial regulatory flexibility analysis
as required by the Regulatory Flexibility Act (RFA) (5 U.S.C. 601 et
seq.) in connection with the July 15, 2004 proposed rule. The FDIC
received one comment on its regulatory flexibility analysis.
Under Section 605(b) of the RFA, 5 U.S.C. 605(b), the regulatory
flexibility analysis otherwise required under Section 604 of the RFA is
not required if an agency certifies, along with a statement providing
the factual basis for such certification, that the rule will not have a
significant economic impact on a substantial number of small entities.
Based on its analysis and for the reasons stated below, the FDIC
certifies that this final rule will not have a significant economic
impact on a substantial number of small entities.
1. Statement of the Need for, and Objectives of, the Final Rule
The FACT Act amends the FCRA and was enacted, in part, for the
purpose of allowing consumers to limit the use of eligibility
information received from an affiliate to make solicitations to the
consumer. Section 214 of the FACT Act generally prohibits a person from
using certain information received from an affiliate to make a
solicitation for marketing purposes to a consumer, unless the consumer
is given notice and an opportunity and simple method to opt out of the
making of such solicitations. Section 214 requires the FDIC, together
with the other Agencies, the FTC, and the SEC, to issue regulations
implementing the section in consultation and coordination with each
[[Page 62944]]
other. The FDIC received no comments on the reasons for the proposed
rule. The FDIC is adopting the final rule to implement Sec. 214 of the
FACT Act. The SUPPLEMENTARY INFORMATION above contains information on
the objectives of the final rule.
2. Summary of Issues Raised by Comments in Response to the Initial
Regulatory Flexibility Analysis
In accordance with Section 3(a) of the RFA, the FDIC conducted an
initial regulatory flexibility analysis in connection with the proposed
rule. One commenter, the Mortgage Bankers Association (MBA), believed
that the FDIC and the other Agencies had underestimated the costs of
compliance. The issues raised by the MBA are described in the Paperwork
Reduction Act section above. The MBA's concerns applied equally to
small entities and larger entities. The MBA did not raise any issues
unique to small entities.
3. Description and Estimate of Small Entities Affected by the Final
Rule
The final rule applies to insured state nonmember banks, insured
state licensed branches of foreign banks, and subsidiaries of such
entities (except brokers, dealers, persons providing insurance,
investment companies, and investment advisers). The FDIC's rule will
apply to a total of approximately 978 institutions. The FDIC estimates
that more than 542 of these institutions could be considered small
entities with assets of $165 million or less. All small entities
covered by the FDIC's rule potentially could be subject to the final
rule. However, small entities that do not have affiliates would not be
subject to the final rule. In addition, small entities that have
affiliates may choose not to engage in activities that would require
compliance with the final rule. For example, small entities may choose
not to share eligibility information with their affiliates for the
purpose of making solicitations. Alternatively, small entities and
their affiliates may structure their marketing activities in a way that
does not trigger the requirement to comply with the final rule, such as
by relying upon the exceptions to the notice requirement contained in
the final rule.
4. Recordkeeping, Reporting, and Other Compliance Requirements
The final rule requires small entities to provide opt-out notices
and renewal notices to consumers in certain circumstances, as discussed
in the SUPPLEMENTARY INFORMATION above. The final rule also requires
small entities to implement consumers' opt-out elections. The final
rule contains no requirement to report information to the Agencies.
Small entities that have affiliates and that share eligibility
information with those affiliates for purposes of making solicitations
may be subject to the rule. Small entities that do not have affiliates,
do not share eligibility information with their affiliates for
marketing purposes, use shared eligibility information for purposes of
making solicitations only in accordance with one of the exceptions set
forth in the final rule, or structure their marketing activities to
eliminate the need to provide an opt-out notice would not be subject to
the final rule. The professional skills necessary for preparation of
the opt-out notice include compliance and/or privacy specialists and
computer programmers.
5. Steps Taken To Minimize the Economic Impact on Small Entities
The FDIC and the other Agencies have attempted to minimize the
economic impact on small entities by adopting consistent rules and by
allowing joint notices on behalf of multiple affiliates. In addition,
the FDIC and the other Agencies have provided model forms that small
institutions may, but are not required to, use to minimize the cost of
compliance.
OTS: OTS prepared an initial regulatory flexibility analysis under
the Regulatory Flexibility Act (RFA) (5 U.S.C. 601 et seq.) in
connection with the July 15, 2004 proposed rule. OTS received one
comment on its regulatory flexibility analysis.
Under Section 605(b) of the RFA, 5 U.S.C. 605(b), the regulatory
flexibility analysis otherwise required under Section 604 of the RFA is
not required if an agency certifies, along with a statement providing
the factual basis for such certification, that the rule will not have a
significant economic impact on a substantial number of small entities.
Based on its analysis and for the reasons stated below, OTS certifies
that this final rule will not have a significant economic impact on a
substantial number of small entities.
1. Statement of the Need for, and Objectives of, the Final Rule
The FACT Act amends the FCRA and was enacted, in part, for the
purpose of allowing consumers to limit the use of eligibility
information received from an affiliate to make solicitations to the
consumer. Section 214 of the FACT Act generally prohibits a person from
using certain information received from an affiliate to make a
solicitation for marketing purposes to a consumer, unless the consumer
is given notice and an opportunity and simple method to opt out of the
making of such solicitations. Section 214 requires OTS, together with
the other Agencies, the FTC, and the SEC, to consult and coordinate
with each other and to prescribe regulations implementing the section
that, to the extent possible, are consistent and comparable. OTS is
adopting the final rule to implement section 214 of the FACT Act. The
SUPPLEMENTARY INFORMATION contains information on the objectives of the
final rule.
2. Summary of Issues Raised by Comments in Response to the Initial
Regulatory Flexibility Analysis
OTS conducted an initial regulatory flexibility analysis in
connection with the proposed rule under section 3(a) of the RFA (5
U.S.C. 603(a)). One commenter, the Mortgage Bankers Association (MBA),
believed that the Agencies had underestimated compliance costs. The
issues raised by the MBA are described in the Paperwork Reduction Act
section of the SUPPLEMENTARY INFORMATION. The MBA's concerns applied
equally to small entities and larger entities. The MBA did not raise
any issues unique to small entities.
3. Description and Estimate of Small Entities Affected by the Final
Rule
The final rule applies to all savings associations and federal
savings associations operating subsidiaries that are not functionally
regulated within the meaning of section 5(c)(5) of the Bank Holding
Company Act of 1956, as amended (12 U.S.C. 1844(c)(5). However, the
rule's requirements only affect those entities with affiliates and that
choose to structure their marketing activities in a manner that
triggers the rule's requirements.
OTS's estimates that its final rule could apply to as many as 609
savings associations, since that is the number of savings associations
with affiliates. OTS estimates that 230 of these savings associations
are small entities with assets of $165 million or less.
In addition, small entities that have affiliates may choose not to
engage in activities that would require compliance with the final rule.
For example, small entities may choose not to share eligibility
information with their affiliates for the purpose of making
solicitations. Alternatively, small entities and their affiliates may
structure their marketing activities in a way that does not trigger the
requirement to comply with the final rule, such as by relying upon the
exceptions to the
[[Page 62945]]
notice requirement contained in the final rule.
4. Recordkeeping, Reporting, and Other Compliance Requirements
The final rule requires all entities, including small savings
associations, to provide opt-out notices and renewal notices to
consumers in certain circumstances, as discussed in the SUPPLEMENTARY
INFORMATION, and to implement consumers' opt-out elections. The final
rule contains no requirement to report information to the Agencies.
Small entities that have affiliates, share eligibility information
with those affiliates, and use that information to make solicitations
for marketing purposes may be subject to the rule. Small entities that
do not have affiliates, do not share eligibility information with their
affiliates for marketing purposes, use shared eligibility information
for purposes of making solicitations only in accordance with one of the
exceptions set forth in the final rule, or structure their marketing
activities to eliminate the need to provide an opt-out notice would not
be subject to the final rule. The professional skills necessary for
preparation of the opt-out notice include compliance and/or privacy
specialists and computer programmers.
5. Steps Taken To Minimize the Economic Impact on Small Entities
OTS and the other Agencies have attempted to minimize the economic
impact on small entities by adopting consistent rules and by allowing
joint notices on behalf of multiple affiliates. In addition, OTS and
the other Agencies have provided model forms that small institutions
may, but are not required to, use to minimize the cost of compliance.
NCUA: The Regulatory Flexibility Act (RFA) requires NCUA to prepare
an analysis to describe any significant economic impact a proposed
regulation may have on a substantial number of small entities. 5 U.S.C.
601-612. NCUA considers credit unions having less than ten million
dollars in assets to be small for purposes of RFA. NCUA Interpretive
Ruling and Policy Statement (IRPS) 87-2 as amended by IRPS 03-2. In
connection with the July 15, 2004 proposed rule, NCUA certified that
the proposed rule would not have a significant economic impact on a
substantial number of small credit unions and therefore, a regulatory
flexibility analysis was not required. Upon further review, the NCUA
now certifies that the final rule also will not have a significant
economic impact on a substantial number of small credit unions. The
rule will apply to all federal credit unions regardless of asset size.
OCC and OTS Executive Order 12866 Determination
The OCC and OTS each has determined that its portion of the rule is
not a significant regulatory action under Executive Order 12866.
OCC Executive Order 13132 Determination
The OCC has determined that this rule does not have any Federalism
implications, as required by Executive Order 13132.
NCUA Executive Order 13132 Determination
Executive Order 13132 encourages independent regulatory agencies to
consider the impact of their actions on state and local interests. In
adherence to fundamental federalism principles, the NCUA, an
independent regulatory agency as defined in 44 U.S.C. 3502(5),
voluntarily complies with the executive order. The final rule applies
only to federally chartered credit unions and would not have
substantial direct effects on the states, on the connection between the
national government and the states, or on the distribution of power and
responsibilities among the various levels of government. The NCUA has
determined that this rule does not constitute a policy that has
federalism implications for purposes of the executive order.
OCC and OTS Unfunded Mandates Reform Act of 1995 Determination
Section 202 of the Unfunded Mandates Reform Act of 1995, Public Law
104-4 (Unfunded Mandates Act) requires that an agency prepare a
budgetary impact statement before promulgating a rule that includes a
Federal mandate that may result in expenditure by State, local, and
tribal governments, in the aggregate, or by the private sector, of $100
million or more in any one year. If a budgetary impact statement is
required, section 205 of the Unfunded Mandates Act also requires an
agency to identify and consider a reasonable number of regulatory
alternatives before promulgating a rule. The OCC and OTS each has
determined that this rule will not result in expenditures by State,
local, and tribal governments, or by the private sector, of $100
million or more. Accordingly, neither the OCC nor the OTS has prepared
a budgetary impact statement or specifically addressed the regulatory
alternatives considered.
NCUA: The Treasury and General Government Appropriations Act, 1999--
Assessment of Federal Regulations and Policies on Families
The NCUA has determined that this rule would not affect family
well-being within the meaning of section 654 of the Treasury and
General Government Appropriations Act, 1999, Pub. L. 105-277, 112 Stat.
2681 (1998).
NCUA: Small Business Regulatory Enforcement Fairness Act of 1996
(SBREFA)
An SBREFA (Pub. L. 104-121) reporting requirement is triggered in
instances where NCUA issues a final rule as defined by section 551 of
the Administrative Procedure Act, 5 U.S.C. 551. NCUA is submitting this
final rule to the Office of Management and Budget (OMB) for a
determination that this rule is not a major rule for purposes of
SBREFA.
List of Subjects
12 CFR Part 41
Banks, Banking, Consumer protection, National banks, Reporting and
recordkeeping requirements.
12 CFR Part 222
Banks, Banking, Consumer protection, Fair Credit Reporting Act,
Holding companies, Privacy, Reporting and recordkeeping requirements,
State member banks.
12 CFR Part 334
Administrative practice and procedure, Bank deposit insurance,
Banks, Banking, Reporting and recordkeeping requirements, Safety and
soundness.
12 CFR Part 571
Consumer protection, Credit, Fair Credit Reporting Act, Privacy,
Reporting and recordkeeping requirements, Savings associations.
12 CFR Part 717
Consumer protection, Credit unions, Fair credit reporting, Privacy,
Reporting and recordkeeping requirements.
Office of the Comptroller of the Currency
12 CFR Chapter I.
Authority and Issuance
0
For the reasons set forth in the preamble, the OCC amends part 41 of
chapter I of title 12 of the Code of Federal Regulations as follows:
[[Page 62946]]
PART 41--FAIR CREDIT REPORTING
0
1. The authority citation for part 41 is revised to read as follows:
Authority: 12 U.S.C. 1 et seq., 24 (Seventh), 93a, 481, 484, and
1818; 15 U.S.C. 1681a, 1681b, 1681c, 1681m, 1681s, 1681s-3, 1681t,
1681w, 6801, and 6805; Sec. 214, Pub. L. 108-159, 117 Stat. 1952.
0
2. A new Subpart C is added to part 41 to read as follows:
Subpart C--Affiliate Marketing
Sec.
41.20 Scope and definitions.
41.21 Affiliate marketing opt-out and exceptions.
41.22 Scope and duration of opt-out.
41.23 Contents of opt-out notice; consolidated and equivalent
notices.
41.24 Reasonable opportunity to opt out.
41.25 Reasonable and simple methods of opting out.
41.26 Delivery of opt-out notices.
41.27 Renewal of opt-out.
41.28 Effective date, compliance date, and prospective application.
Subpart C--Affiliate Marketing
Sec. 41.20 Scope and definitions.
(a) Scope. This subpart applies to national banks, Federal branches
and agencies of foreign banks, and any of their operating subsidiaries
that are not functionally regulated within the meaning of section
5(c)(5) of the Bank Holding Company Act of 1956, as amended (12 U.S.C.
1844(c)(5)). These entities are referred to in this subpart as
``banks.''
(b) Definitions. For purposes of this subpart:
(1) Clear and conspicuous. The term ``clear and conspicuous'' means
reasonably understandable and designed to call attention to the nature
and significance of the information presented.
(2) Concise. (i) In general. The term ``concise'' means a
reasonably brief expression or statement.
(ii) Combination with other required disclosures. A notice required
by this subpart may be concise even if it is combined with other
disclosures required or authorized by federal or state law.
(3) Eligibility information. The term ``eligibility information''
means any information the communication of which would be a consumer
report if the exclusions from the definition of ``consumer report'' in
section 603(d)(2)(A) of the Act did not apply. Eligibility information
does not include aggregate or blind data that does not contain personal
identifiers such as account numbers, names, or addresses.
(4) Pre-existing business relationship. (i) In general. The term
``pre-existing business relationship'' means a relationship between a
person, or a person's licensed agent, and a consumer based on--
(A) A financial contract between the person and the consumer which
is in force on the date on which the consumer is sent a solicitation
covered by this subpart;
(B) The purchase, rental, or lease by the consumer of the person's
goods or services, or a financial transaction (including holding an
active account or a policy in force or having another continuing
relationship) between the consumer and the person, during the 18-month
period immediately preceding the date on which the consumer is sent a
solicitation covered by this subpart; or
(C) An inquiry or application by the consumer regarding a product
or service offered by that person during the three-month period
immediately preceding the date on which the consumer is sent a
solicitation covered by this subpart.
(ii) Examples of pre-existing business relationships. (A) If a
consumer has a time deposit account, such as a certificate of deposit,
at a depository institution that is currently in force, the depository
institution has a pre-existing business relationship with the consumer
and can use eligibility information it receives from its affiliates to
make solicitations to the consumer about its products or services.
(B) If a consumer obtained a certificate of deposit from a
depository institution, but did not renew the certificate at maturity,
the depository institution has a pre-existing business relationship
with the consumer and can use eligibility information it receives from
its affiliates to make solicitations to the consumer about its products
or services for 18 months after the date of maturity of the certificate
of deposit.
(C) If a consumer obtains a mortgage, the mortgage lender has a
pre-existing business relationship with the consumer. If the mortgage
lender sells the consumer's entire loan to an investor, the mortgage
lender has a pre-existing business relationship with the consumer and
can use eligibility information it receives from its affiliates to make
solicitations to the consumer about its products or services for 18
months after the date it sells the loan, and the investor has a pre-
existing business relationship with the consumer upon purchasing the
loan. If, however, the mortgage lender sells a fractional interest in
the consumer's loan to an investor but also retains an ownership
interest in the loan, the mortgage lender continues to have a pre-
existing business relationship with the consumer, but the investor does
not have a pre-existing business relationship with the consumer. If the
mortgage lender retains ownership of the loan, but sells ownership of
the servicing rights to the consumer's loan, the mortgage lender
continues to have a pre-existing business relationship with the
consumer. The purchaser of the servicing rights also has a pre-existing
business relationship with the consumer as of the date it purchases
ownership of the servicing rights, but only if it collects payments
from or otherwise deals directly with the consumer on a continuing
basis.
(D) If a consumer applies to a depository institution for a product
or service that it offers, but does not obtain a product or service
from or enter into a financial contract or transaction with the
institution, the depository institution has a pre-existing business
relationship with the consumer and can therefore use eligibility
information it receives from an affiliate to make solicitations to the
consumer about its products or services for three months after the date
of the application.
(E) If a consumer makes a telephone inquiry to a depository
institution about its products or services and provides contact
information to the institution, but does not obtain a product or
service from or enter into a financial contract or transaction with the
institution, the depository institution has a pre-existing business
relationship with the consumer and can therefore use eligibility
information it receives from an affiliate to make solicitations to the
consumer about its products or services for three months after the date
of the inquiry.
(F) If a consumer makes an inquiry to a depository institution by
e-mail about its products or services, but does not obtain a product or
service from or enter into a financial contract or transaction with the
institution, the depository institution has a pre-existing business
relationship with the consumer and can therefore use eligibility
information it receives from an affiliate to make solicitations to the
consumer about its products or services for three months after the date
of the inquiry.
(G) If a consumer has an existing relationship with a depository
institution that is part of a group of affiliated companies, makes a
telephone call to the centralized call center for the group of
affiliated companies to inquire about products or services offered by
the insurance affiliate, and provides contact information to the call
center, the call constitutes an inquiry to the insurance affiliate that
offers those products or services. The insurance affiliate has a pre-
existing business relationship with the consumer and can therefore use
[[Page 62947]]
eligibility information it receives from its affiliated depository
institution to make solicitations to the consumer about its products or
services for three months after the date of the inquiry.
(iii) Examples where no pre-existing business relationship is
created. (A) If a consumer makes a telephone call to a centralized call
center for a group of affiliated companies to inquire about the
consumer's existing account at a depository institution, the call does
not constitute an inquiry to any affiliate other than the depository
institution that holds the consumer's account and does not establish a
pre-existing business relationship between the consumer and any
affiliate of the account-holding depository institution.
(B) If a consumer who has a deposit account with a depository
institution makes a telephone call to an affiliate of the institution
to ask about the affiliate's retail locations and hours, but does not
make an inquiry about the affiliate's products or services, the call
does not constitute an inquiry and does not establish a pre-existing
business relationship between the consumer and the affiliate. Also, the
affiliate's capture of the consumer's telephone number does not
constitute an inquiry and does not establish a pre-existing business
relationship between the consumer and the affiliate.
(C) If a consumer makes a telephone call to a depository
institution in response to an advertisement that offers a free
promotional item to consumers who call a toll-free number, but the
advertisement does not indicate that the depository institution's
products or services will be marketed to consumers who call in
response, the call does not create a pre-existing business relationship
between the consumer and the depository institution because the
consumer has not made an inquiry about a product or service offered by
the institution, but has merely responded to an offer for a free
promotional item.
(5) Solicitation. (i) In general. The term ``solicitation'' means
the marketing of a product or service initiated by a person to a
particular consumer that is--
(A) Based on eligibility information communicated to that person by
its affiliate as described in this subpart; and
(B) Intended to encourage the consumer to purchase or obtain such
product or service.
(ii) Exclusion of marketing directed at the general public. A
solicitation does not include marketing communications that are
directed at the general public. For example, television, general
circulation magazine, and billboard advertisements do not constitute
solicitations, even if those communications are intended to encourage
consumers to purchase products and services from the person initiating
the communications.
(iii) Examples of solicitations. A solicitation would include, for
example, a telemarketing call, direct mail, e-mail, or other form of
marketing communication directed to a particular consumer that is based
on eligibility information received from an affiliate.
Sec. 41.21 Affiliate marketing opt-out and exceptions.
(a) Initial notice and opt-out requirement. (1) In general. A bank
may not use eligibility information about a consumer that it receives
from an affiliate to make a solicitation for marketing purposes to the
consumer, unless--
(i) It is clearly and conspicuously disclosed to the consumer in
writing or, if the consumer agrees, electronically, in a concise notice
that the bank may use eligibility information about that consumer
received from an affiliate to make solicitations for marketing purposes
to the consumer;
(ii) The consumer is provided a reasonable opportunity and a
reasonable and simple method to ``opt out,'' or prohibit the bank from
using eligibility information to make solicitations for marketing
purposes to the consumer; and
(iii) The consumer has not opted out.
(2) Example. A consumer has a homeowner's insurance policy with an
insurance company. The insurance company furnishes eligibility
information about the consumer to its affiliated depository
institution. Based on that eligibility information, the depository
institution wants to make a solicitation to the consumer about its home
equity loan products. The depository institution does not have a pre-
existing business relationship with the consumer and none of the other
exceptions apply. The depository institution is prohibited from using
eligibility information received from its insurance affiliate to make
solicitations to the consumer about its home equity loan products
unless the consumer is given a notice and opportunity to opt out and
the consumer does not opt out.
(3) Affiliates who may provide the notice. The notice required by
this paragraph must be provided:
(i) By an affiliate that has or has previously had a pre-existing
business relationship with the consumer; or
(ii) As part of a joint notice from two or more members of an
affiliated group of companies, provided that at least one of the
affiliates on the joint notice has or has previously had a pre-existing
business relationship with the consumer.
(b) Making solicitations. (1) In general. For purposes of this
subpart, a bank makes a solicitation for marketing purposes if--
(i) The bank receives eligibility information from an affiliate;
(ii) The bank uses that eligibility information to do one or more
of the following:
(A) Identify the consumer or type of consumer to receive a
solicitation;
(B) Establish criteria used to select the consumer to receive a
solicitation; or
(C) Decide which of the bank's products or services to market to
the consumer or tailor the bank's solicitation to that consumer; and
(iii) As a result of the bank's use of the eligibility information,
the consumer is provided a solicitation.
(2) Receiving eligibility information from an affiliate, including
through a common database. A bank may receive eligibility information
from an affiliate in various ways, including when the affiliate places
that information into a common database that the bank may access.
(3) Receipt or use of eligibility information by a bank's service
provider. Except as provided in paragraph (b)(5) of this section, a
bank receives or uses an affiliate's eligibility information if a
service provider acting on the bank's behalf (whether an affiliate or a
nonaffiliated third party) receives or uses that information in the
manner described in paragraphs (b)(1)(i) or (b)(1)(ii) of this section.
All relevant facts and circumstances will determine whether a person is
acting as a bank's service provider when it receives or uses an
affiliate's eligibility information in connection with marketing the
bank's products and services.
(4) Use by an affiliate of its own eligibility information. Unless
a bank has used eligibility information that it receives from an
affiliate in the manner described in paragraph (b)(1)(ii) of this
section, the bank does not make a solicitation subject to this subpart
if the bank's affiliate:
(i) Uses its own eligibility information that it obtained in
connection with a pre-existing business relationship it has or had with
the consumer to market the bank's products or services to the consumer;
or
(ii) Directs its service provider to use the affiliate's own
eligibility information that it obtained in connection with a pre-
existing business relationship it has or had with the consumer to
market the bank's products or services to the consumer, and the bank
does not
[[Page 62948]]
communicate directly with the service provider regarding that use.
(5) Use of eligibility information by a service provider. (i) In
general. A bank does not make a solicitation subject to Subpart C of
this part if a service provider (including an affiliated or third-party
service provider that maintains or accesses a common database that the
bank may access) receives eligibility information from the bank's
affiliate that the bank's affiliate obtained in connection with a pre-
existing business relationship it has or had with the consumer and uses
that eligibility information to market the bank's products or services
to the consumer, so long as--
(A) The bank's affiliate controls access to and use of its
eligibility information by the service provider (including the right to
establish the specific terms and conditions under which the service
provider may use such information to market the bank's products or
services);
(B) The bank's affiliate establishes specific terms and conditions
under which the service provider may access and use the affiliate's
eligibility information to market the bank's products and services (or
those of affiliates generally) to the consumer, such as the identity of
the affiliated companies whose products or services may be marketed to
the consumer by the service provider, the types of products or services
of affiliated companies that may be marketed, and the number of times
the consumer may receive marketing materials, and periodically
evaluates the service provider's compliance with those terms and
conditions;
(C) The bank's affiliate requires the service provider to implement
reasonable policies and procedures designed to ensure that the service
provider uses the affiliate's eligibility information in accordance
with the terms and conditions established by the bank's affiliate
relating to the marketing of the bank's products or services;
(D) The bank's affiliate is identified on or with the marketing
materials provided to the consumer; and
(E) The bank does not directly use its affiliate's eligibility
information in the manner described in paragraph (b)(1)(ii) of this
section.
(ii) Writing requirements. (A) The requirements of paragraphs
(b)(5)(i)(A) and (C) of this section must be set forth in a written
agreement between the bank's affiliate and the service provider; and
(B) The specific terms and conditions established by the bank's
affiliate as provided in paragraph (b)(5)(i)(B) of this section must be
set forth in writing.
(6) Examples of making solicitations. (i) A consumer has a deposit
account with a depository institution, which is affiliated with an
insurance company. The insurance company receives eligibility
information about the consumer from the depository institution. The
insurance company uses that eligibility information to identify the
consumer to receive a solicitation about insurance products, and, as a
result, the insurance company provides a solicitation to the consumer
about its insurance products. Pursuant to paragraph (b)(1) of this
section, the insurance company has made a solicitation to the consumer.
(ii) The same facts as in the example in paragraph (b)(6)(i) of
this section, except that after using the eligibility information to
identify the consumer to receive a solicitation about insurance
products, the insurance company asks the depository institution to send
the solicitation to the consumer and the depository institution does
so. Pursuant to paragraph (b)(1) of this section, the insurance company
has made a solicitation to the consumer because it used eligibility
information about the consumer that it received from an affiliate to
identify the consumer to receive a solicitation about its products or
services, and, as a result, a solicitation was provided to the consumer
about the insurance company's products.
(iii) The same facts as in the example in paragraph (b)(6)(i) of
this section, except that eligibility information about consumers that
have deposit accounts with the depository institution is placed into a
common database that all members of the affiliated group of companies
may independently access and use. Without using the depository
institution's eligibility information, the insurance company develops
selection criteria and provides those criteria, marketing materials,
and related instructions to the depository institution. The depository
institution reviews eligibility information about its own consumers
using the selection criteria provided by the insurance company to
determine which consumers should receive the insurance company's
marketing materials and sends marketing materials about the insurance
company's products to those consumers. Even though the insurance
company has received eligibility information through the common
database as provided in paragraph (b)(2) of this section, it did not
use that information to identify consumers or establish selection
criteria; instead, the depository institution used its own eligibility
information. Therefore, pursuant to paragraph (b)(4)(i) of this
section, the insurance company has not made a solicitation to the
consumer.
(iv) The same facts as in the example in paragraph (b)(6)(iii) of
this section, except that the depository institution provides the
insurance company's criteria to the depository institution's service
provider and directs the service provider to use the depository
institution's eligibility information to identify depository
institution consumers who meet the criteria and to send the insurance
company's marketing materials to those consumers. The insurance company
does not communicate directly with the service provider regarding the
use of the depository institution's information to market its products
to the depository institution's consumers. Pursuant to paragraph
(b)(4)(ii) of this section, the insurance company has not made a
solicitation to the consumer.
(v) An affiliated group of companies includes a depository
institution, an insurance company, and a service provider. Each
affiliate in the group places information about its consumers into a
common database. The service provider has access to all information in
the common database. The depository institution controls access to and
use of its eligibility information by the service provider. This
control is set forth in a written agreement between the depository
institution and the service provider. The written agreement also
requires the service provider to establish reasonable policies and
procedures designed to ensure that the service provider uses the
depository institution's eligibility information in accordance with
specific terms and conditions established by the depository institution
relating to the marketing of the products and services of all
affiliates, including the insurance company. In a separate written
communication, the depository institution specifies the terms and
conditions under which the service provider may use the depository
institution's eligibility information to market the insurance company's
products and services to the depository institution's consumers. The
specific terms and conditions are: A list of affiliated companies
(including the insurance company) whose products or services may be
marketed to the depository institution's consumers by the service
provider; the specific products or types of products that may be
marketed to the depository institution's consumers by the service
provider; the categories of eligibility information that may be used by
the service provider in marketing products
[[Page 62949]]
or services to the depository institution's consumers; the types or
categories of the depository institution's consumers to whom the
service provider may market products or services of depository
institution affiliates; the number and/or types of marketing
communications that the service provider may send to the depository
institution's consumers; and the length of time during which the
service provider may market the products or services of the depository
institution's affiliates to its consumers. The depository institution
periodically evaluates the service provider's compliance with these
terms and conditions. The insurance company asks the service provider
to market insurance products to certain consumers who have deposit
accounts with the depository institution. Without using the depository
institution's eligibility information, the insurance company develops
selection criteria and provides those criteria, marketing materials,
and related instructions to the service provider. The service provider
uses the depository institution's eligibility information from the
common database to identify the depository institution's consumers to
whom insurance products will be marketed. When the insurance company's
marketing materials are provided to the identified consumers, the name
of the depository institution is displayed on the insurance marketing
materials, an introductory letter that accompanies the marketing
materials, an account statement that accompanies the marketing
materials, or the envelope containing the marketing materials. The
requirements of paragraph (b)(5) of this section have been satisfied,
and the insurance company has not made a solicitation to the consumer.
(vi) The same facts as in the example in paragraph (b)(6)(v) of
this section, except that the terms and conditions permit the service
provider to use the depository institution's eligibility information to
market the products and services of other affiliates to the depository
institution's consumers whenever the service provider deems it
appropriate to do so. The service provider uses the depository
institution's eligibility information in accordance with the discretion
afforded to it by the terms and conditions. Because the terms and
conditions are not specific, the requirements of paragraph (b)(5) of
this section have not been satisfied.
(c) Exceptions. The provisions of this subpart do not apply to a
bank if it uses eligibility information that it receives from an
affiliate:
(1) To make a solicitation for marketing purposes to a consumer
with whom the bank has a pre-existing business relationship;
(2) To facilitate communications to an individual for whose benefit
the bank provides employee benefit or other services pursuant to a
contract with an employer related to and arising out of the current
employment relationship or status of the individual as a participant or
beneficiary of an employee benefit plan;
(3) To perform services on behalf of an affiliate, except that this
subparagraph shall not be construed as permitting the bank to send
solicitations on behalf of an affiliate if the affiliate would not be
permitted to send the solicitation as a result of the election of the
consumer to opt out under this subpart;
(4) In response to a communication about the bank's products or
services initiated by the consumer;
(5) In response to an authorization or request by the consumer to
receive solicitations; or
(6) If the bank's compliance with this subpart would prevent it
from complying with any provision of State insurance laws pertaining to
unfair discrimination in any State in which the bank is lawfully doing
business.
(d) Examples of exceptions. (1) Example of the pre-existing
business relationship exception. A consumer has a deposit account with
a depository institution. The consumer also has a relationship with the
depository institution's securities affiliate for management of the
consumer's securities portfolio. The depository institution receives
eligibility information about the consumer from its securities
affiliate and uses that information to make a solicitation to the
consumer about the depository institution's wealth management services.
The depository institution may make this solicitation even if the
consumer has not been given a notice and opportunity to opt out because
the depository institution has a pre-existing business relationship
with the consumer.
(2) Examples of service provider exception. (i) A consumer has an
insurance policy issued by an insurance company. The insurance company
furnishes eligibility information about the consumer to its affiliated
depository institution. Based on that eligibility information, the
depository institution wants to make a solicitation to the consumer
about its deposit products. The depository institution does not have a
pre-existing business relationship with the consumer and none of the
other exceptions in paragraph (c) of this section apply. The consumer
has been given an opt-out notice and has elected to opt out of
receiving such solicitations. The depository institution asks a service
provider to send the solicitation to the consumer on its behalf. The
service provider may not send the solicitation on behalf of the
depository institution because, as a result of the consumer's opt-out
election, the depository institution is not permitted to make the
solicitation.
(ii) The same facts as in paragraph (d)(2)(i) of this section,
except the consumer has been given an opt-out notice, but has not
elected to opt out. The depository institution asks a service provider
to send the solicitation to the consumer on its behalf. The service
provider may send the solicitation on behalf of the depository
institution because, as a result of the consumer's not opting out, the
depository institution is permitted to make the solicitation.
(3) Examples of consumer-initiated communications. (i) A consumer
who has a deposit account with a depository institution initiates a
communication with the depository institution's credit card affiliate
to request information about a credit card. The credit card affiliate
may use eligibility information about the consumer it obtains from the
depository institution or any other affiliate to make solicitations
regarding credit card products in response to the consumer-initiated
communication.
(ii) A consumer who has a deposit account with a depository
institution contacts the institution to request information about how
to save and invest for a child's college education without specifying
the type of product in which the consumer may be interested.
Information about a range of different products or services offered by
the depository institution and one or more affiliates of the
institution may be responsive to that communication. Such products or
services may include the following: Mutual funds offered by the
institution's mutual fund affiliate; section 529 plans offered by the
institution, its mutual fund affiliate, or another securities
affiliate; or trust services offered by a different financial
institution in the affiliated group. Any affiliate offering investment
products or services that would be responsive to the consumer's request
for information about saving and investing for a child's college
education may use eligibility information to make solicitations to the
consumer in response to this communication.
(iii) A credit card issuer makes a marketing call to the consumer
without
[[Page 62950]]
using eligibility information received from an affiliate. The issuer
leaves a voice-mail message that invites the consumer to call a toll-
free number to apply for the issuer's credit card. If the consumer
calls the toll-free number to inquire about the credit card, the call
is a consumer-initiated communication about a product or service and
the credit card issuer may now use eligibility information it receives
from its affiliates to make solicitations to the consumer.
(iv) A consumer calls a depository institution to ask about retail
locations and hours, but does not request information about products or
services. The institution may not use eligibility information it
receives from an affiliate to make solicitations to the consumer about
its products or services because the consumer-initiated communication
does not relate to the depository institution's products or services.
Thus, the use of eligibility information received from an affiliate
would not be responsive to the communication and the exception does not
apply.
(v) A consumer calls a depository institution to ask about retail
locations and hours. The customer service representative asks the
consumer if there is a particular product or service about which the
consumer is seeking information. The consumer responds that the
consumer wants to stop in and find out about certificates of deposit.
The customer service representative offers to provide that information
by telephone and mail additional information and application materials
to the consumer. The consumer agrees and provides or confirms contact
information for receipt of the materials to be mailed. The depository
institution may use eligibility information it receives from an
affiliate to make solicitations to the consumer about certificates of
deposit because such solicitations would respond to the consumer-
initiated communication about products or services.
(4) Examples of consumer authorization or request for
solicitations. (i) A consumer who obtains a mortgage from a mortgage
lender authorizes or requests information about homeowner's insurance
offered by the mortgage lender's insurance affiliate. Such
authorization or request, whether given to the mortgage lender or to
the insurance affiliate, would permit the insurance affiliate to use
eligibility information about the consumer it obtains from the mortgage
lender or any other affiliate to make solicitations to the consumer
about homeowner's insurance.
(ii) A consumer completes an online application to apply for a
credit card from a credit card issuer. The issuer's online application
contains a blank check box that the consumer may check to authorize or
request information from the credit card issuer's affiliates. The
consumer checks the box. The consumer has authorized or requested
solicitations from the card issuer's affiliates.
(iii) A consumer completes an online application to apply for a
credit card from a credit card issuer. The issuer's online application
contains a pre-selected check box indicating that the consumer
authorizes or requests information from the issuer's affiliates. The
consumer does not deselect the check box. The consumer has not
authorized or requested solicitations from the card issuer's
affiliates.
(iv) The terms and conditions of a credit card account agreement
contain preprinted boilerplate language stating that by applying to
open an account the consumer authorizes or requests to receive
solicitations from the credit card issuer's affiliates. The consumer
has not authorized or requested solicitations from the card issuer's
affiliates.
(e) Relation to affiliate-sharing notice and opt-out. Nothing in
this subpart limits the responsibility of a person to comply with the
notice and opt-out provisions of section 603(d)(2)(A)(iii) of the Act
where applicable.
Sec. 41.22 Scope and duration of opt-out.
(a) Scope of opt-out. (1) In general. Except as otherwise provided
in this section, the consumer's election to opt out prohibits any
affiliate covered by the opt-out notice from using eligibility
information received from another affiliate as described in the notice
to make solicitations to the consumer.
(2) Continuing relationship. (i) In general. If the consumer
establishes a continuing relationship with a bank or its affiliate, an
opt-out notice may apply to eligibility information obtained in
connection with--
(A) A single continuing relationship or multiple continuing
relationships that the consumer establishes with the bank or its
affiliates, including continuing relationships established subsequent
to delivery of the opt-out notice, so long as the notice adequately
describes the continuing relationships covered by the opt-out; or
(B) Any other transaction between the consumer and the bank or its
affiliates as described in the notice.
(ii) Examples of continuing relationships. A consumer has a
continuing relationship with a bank or its affiliate if the consumer--
(A) Opens a deposit or investment account with the bank or its
affiliate;
(B) Obtains a loan for which the bank or its affiliate owns the
servicing rights;
(C) Purchases an insurance product from the bank or its affiliate;
(D) Holds an investment product through the bank or its affiliate,
such as when the bank acts or its affiliate acts as a custodian for
securities or for assets in an individual retirement arrangement;
(E) Enters into an agreement or understanding with the bank or its
affiliate whereby the bank or its affiliate undertakes to arrange or
broker a home mortgage loan for the consumer;
(F) Enters into a lease of personal property with the bank or its
affiliate; or
(G) Obtains financial, investment, or economic advisory services
from the bank or its affiliate for a fee.
(3) No continuing relationship. (i) In general. If there is no
continuing relationship between a consumer and a bank or its affiliate,
and the bank or its affiliate obtains eligibility information about the
consumer in connection with a transaction with the consumer, such as an
isolated transaction or a credit application that is denied, an opt-out
notice provided to the consumer only applies to eligibility information
obtained in connection with that transaction.
(ii) Examples of isolated transactions. An isolated transaction
occurs if--
(A) The consumer uses a bank's or its affiliate's ATM to withdraw
cash from an account at another financial institution; or
(B) A bank or its affiliate sells the consumer a cashier's check or
money order, airline tickets, travel insurance, or traveler's checks in
isolated transactions.
(4) Menu of alternatives. A consumer may be given the opportunity
to choose from a menu of alternatives when electing to prohibit
solicitations, such as by electing to prohibit solicitations from
certain types of affiliates covered by the opt-out notice but not other
types of affiliates covered by the notice, electing to prohibit
solicitations based on certain types of eligibility information but not
other types of eligibility information, or electing to prohibit
solicitations by certain methods of delivery but not other methods of
delivery. However, one of the alternatives must allow the consumer to
prohibit all solicitations from all of the affiliates that are covered
by the notice.
(5) Special rule for a notice following termination of all
continuing relationships. (i) In general. A consumer must be given a
new opt-out notice if, after all continuing relationships with a
[[Page 62951]]
bank or its affiliate(s) are terminated, the consumer subsequently
establishes another continuing relationship with the bank or its
affiliate(s) and the consumer's eligibility information is to be used
to make a solicitation. The new opt-out notice must apply, at a
minimum, to eligibility information obtained in connection with the new
continuing relationship. Consistent with paragraph (b) of this section,
the consumer's decision not to opt out after receiving the new opt-out
notice would not override a prior opt-out election by the consumer that
applies to eligibility information obtained in connection with a
terminated relationship, regardless of whether the new opt-out notice
applies to eligibility information obtained in connection with the
terminated relationship.
(ii) Example. A consumer has a checking account with a depository
institution that is part of an affiliated group. The consumer closes
the checking account. One year after closing the checking account, the
consumer opens a savings account with the same depository institution.
The consumer must be given a new notice and opportunity to opt out
before the depository institution's affiliates may make solicitations
to the consumer using eligibility information obtained by the
depository institution in connection with the new savings account
relationship, regardless of whether the consumer opted out in
connection with the checking account.
(b) Duration of opt-out. The election of a consumer to opt out must
be effective for a period of at least five years (the ``opt-out
period'') beginning when the consumer's opt-out election is received
and implemented, unless the consumer subsequently revokes the opt-out
in writing or, if the consumer agrees, electronically. An opt-out
period of more than five years may be established, including an opt-out
period that does not expire unless revoked by the consumer.
(c) Time of opt-out. A consumer may opt out at any time.
Sec. 41.23 Contents of opt-out notice; consolidated and equivalent
notices.
(a) Contents of opt-out notice. (1) In general. A notice must be
clear, conspicuous, and concise, and must accurately disclose:
(i) The name of the affiliate(s) providing the notice. If the
notice is provided jointly by multiple affiliates and each affiliate
shares a common name, such as ``ABC,'' then the notice may indicate
that it is being provided by multiple companies with the ABC name or
multiple companies in the ABC group or family of companies, for
example, by stating that the notice is provided by ``all of the ABC
companies,'' ``the ABC banking, credit card, insurance, and securities
companies,'' or by listing the name of each affiliate providing the
notice. But if the affiliates providing the joint notice do not all
share a common name, then the notice must either separately identify
each affiliate by name or identify each of the common names used by
those affiliates, for example, by stating that the notice is provided
by ``all of the ABC and XYZ companies'' or by ``the ABC banking and
credit card companies and the XYZ insurance companies'';
(ii) A list of the affiliates or types of affiliates whose use of
eligibility information is covered by the notice, which may include
companies that become affiliates after the notice is provided to the
consumer. If each affiliate covered by the notice shares a common name,
such as ``ABC,'' then the notice may indicate that it applies to
multiple companies with the ABC name or multiple companies in the ABC
group or family of companies, for example, by stating that the notice
is provided by ``all of the ABC companies,'' ``the ABC banking, credit
card, insurance, and securities companies,'' or by listing the name of
each affiliate providing the notice. But if the affiliates covered by
the notice do not all share a common name, then the notice must either
separately identify each covered affiliate by name or identify each of
the common names used by those affiliates, for example, by stating that
the notice applies to ``all of the ABC and XYZ companies'' or to ``the
ABC banking and credit card companies and the XYZ insurance
companies'';
(iii) A general description of the types of eligibility information
that may be used to make solicitations to the consumer;
(iv) That the consumer may elect to limit the use of eligibility
information to make solicitations to the consumer;
(v) That the consumer's election will apply for the specified
period of time stated in the notice and, if applicable, that the
consumer will be allowed to renew the election once that period
expires;
(vi) If the notice is provided to consumers who may have previously
opted out, such as if a notice is provided to consumers annually, that
the consumer who has chosen to limit solicitations does not need to act
again until the consumer receives a renewal notice; and
(vii) A reasonable and simple method for the consumer to opt out.
(2) Joint relationships. (i) If two or more consumers jointly
obtain a product or service, a single opt-out notice may be provided to
the joint consumers. Any of the joint consumers may exercise the right
to opt out.
(ii) The opt-out notice must explain how an opt-out direction by a
joint consumer will be treated. An opt-out direction by a joint
consumer may be treated as applying to all of the associated joint
consumers, or each joint consumer may be permitted to opt-out
separately. If each joint consumer is permitted to opt out separately,
one of the joint consumers must be permitted to opt out on behalf of
all of the joint consumers and the joint consumers must be permitted to
exercise their separate rights to opt out in a single response.
(iii) It is impermissible to require all joint consumers to opt out
before implementing any opt-out direction.
(3) Alternative contents. If the consumer is afforded a broader
right to opt out of receiving marketing than is required by this
subpart, the requirements of this section may be satisfied by providing
the consumer with a clear, conspicuous, and concise notice that
accurately discloses the consumer's opt-out rights.
(4) Model notices. Model notices are provided in Appendix C of this
part.
(b) Coordinated and consolidated notices. A notice required by this
subpart may be coordinated and consolidated with any other notice or
disclosure required to be issued under any other provision of law by
the entity providing the notice, including but not limited to the
notice described in section 603(d)(2)(A)(iii) of the Act and the Gramm-
Leach-Bliley Act privacy notice.
(c) Equivalent notices. A notice or other disclosure that is
equivalent to the notice required by this subpart, and that is provided
to a consumer together with disclosures required by any other provision
of law, satisfies the requirements of this section.
Sec. 41.24 Reasonable opportunity to opt out.
(a) In general. A bank must not use eligibility information about a
consumer that it receives from an affiliate to make a solicitation to
the consumer about the bank's products or services, unless the consumer
is provided a reasonable opportunity to opt out, as required by Sec.
41.21(a)(1)(ii) of this part.
(b) Examples of a reasonable opportunity to opt out. The consumer
is given a reasonable opportunity to opt out if:
(1) By mail. The opt-out notice is mailed to the consumer. The
consumer
[[Page 62952]]
is given 30 days from the date the notice is mailed to elect to opt out
by any reasonable means.
(2) By electronic means. (i) The opt-out notice is provided
electronically to the consumer, such as by posting the notice at an
Internet Web site at which the consumer has obtained a product or
service. The consumer acknowledges receipt of the electronic notice.
The consumer is given 30 days after the date the consumer acknowledges
receipt to elect to opt out by any reasonable means.
(ii) The opt-out notice is provided to the consumer by e-mail where
the consumer has agreed to receive disclosures by e-mail from the
person sending the notice. The consumer is given 30 days after the e-
mail is sent to elect to opt out by any reasonable means.
(3) At the time of an electronic transaction. The opt-out notice is
provided to the consumer at the time of an electronic transaction, such
as a transaction conducted on an Internet Web site. The consumer is
required to decide, as a necessary part of proceeding with the
transaction, whether to opt out before completing the transaction.
There is a simple process that the consumer may use to opt out at that
time using the same mechanism through which the transaction is
conducted.
(4) At the time of an in-person transaction. The opt-out notice is
provided to the consumer in writing at the time of an in-person
transaction. The consumer is required to decide, as a necessary part of
proceeding with the transaction, whether to opt out before completing
the transaction, and is not permitted to complete the transaction
without making a choice. There is a simple process that the consumer
may use during the course of the in-person transaction to opt out, such
as completing a form that requires consumers to write a ``yes'' or
``no'' to indicate their opt-out preference or that requires the
consumer to check one of two blank check boxes--one that allows
consumers to indicate that they want to opt out and one that allows
consumers to indicate that they do not want to opt out.
(5) By including in a privacy notice. The opt-out notice is
included in a Gramm-Leach-Bliley Act privacy notice. The consumer is
allowed to exercise the opt-out within a reasonable period of time and
in the same manner as the opt-out under that privacy notice.
Sec. 41.25 Reasonable and simple methods of opting out.
(a) In general. A bank must not use eligibility information about a
consumer that it receives from an affiliate to make a solicitation to
the consumer about its products or services, unless the consumer is
provided a reasonable and simple method to opt out, as required by
Sec. 41.21(a)(1)(ii) of this part.
(b) Examples. (1) Reasonable and simple opt-out methods. Reasonable
and simple methods for exercising the opt-out right include--
(i) Designating a check-off box in a prominent position on the opt-
out form;
(ii) Including a reply form and a self-addressed envelope together
with the opt-out notice;
(iii) Providing an electronic means to opt out, such as a form that
can be electronically mailed or processed at an Internet Web site, if
the consumer agrees to the electronic delivery of information;
(iv) Providing a toll-free telephone number that consumers may call
to opt out; or
(v) Allowing consumers to exercise all of their opt-out rights
described in a consolidated opt-out notice that includes the privacy
opt-out under the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., the
affiliate sharing opt-out under the Act, and the affiliate marketing
opt-out under the Act, by a single method, such as by calling a single
toll-free telephone number.
(2) Opt-out methods that are not reasonable and simple. Reasonable
and simple methods for exercising an opt-out right do not include--
(i) Requiring the consumer to write his or her own letter;
(ii) Requiring the consumer to call or write to obtain a form for
opting out, rather than including the form with the opt-out notice;
(iii) Requiring the consumer who receives the opt-out notice in
electronic form only, such as through posting at an Internet Web site,
to opt out solely by paper mail or by visiting a different Web site
without providing a link to that site.
(c) Specific opt-out means. Each consumer may be required to opt
out through a specific means, as long as that means is reasonable and
simple for that consumer.
Sec. 41.26 Delivery of opt-out notices.
(a) In general. The opt-out notice must be provided so that each
consumer can reasonably be expected to receive actual notice. For opt-
out notices provided electronically, the notice may be provided in
compliance with either the electronic disclosure provisions in this
subpart or the provisions in section 101 of the Electronic Signatures
in Global and National Commerce Act, 15 U.S.C. 7001 et seq.
(b) Examples of reasonable expectation of actual notice. A consumer
may reasonably be expected to receive actual notice if the affiliate
providing the notice:
(1) Hand-delivers a printed copy of the notice to the consumer;
(2) Mails a printed copy of the notice to the last known mailing
address of the consumer;
(3) Provides a notice by e-mail to a consumer who has agreed to
receive electronic disclosures by e-mail from the affiliate providing
the notice; or
(4) Posts the notice on the Internet Web site at which the consumer
obtained a product or service electronically and requires the consumer
to acknowledge receipt of the notice.
(c) Examples of no reasonable expectation of actual notice. A
consumer may not reasonably be expected to receive actual notice if the
affiliate providing the notice:
(1) Only posts the notice on a sign in a branch or office or
generally publishes the notice in a newspaper;
(2) Sends the notice via e-mail to a consumer who has not agreed to
receive electronic disclosures by e-mail from the affiliate providing
the notice; or
(3) Posts the notice on an Internet Web site without requiring the
consumer to acknowledge receipt of the notice.
Sec. 41.27 Renewal of opt-out.
(a) Renewal notice and opt-out requirement. (1) In general. After
the opt-out period expires, a bank may not make solicitations based on
eligibility information it receives from an affiliate to a consumer who
previously opted out, unless:
(i) The consumer has been given a renewal notice that complies with
the requirements of this section and Sec. Sec. 41.24 through 41.26 of
this part, and a reasonable opportunity and a reasonable and simple
method to renew the opt-out, and the consumer does not renew the opt-
out; or
(ii) An exception in Sec. 41.21(c) of this part applies.
(2) Renewal period. Each opt-out renewal must be effective for a
period of at least five years as provided in Sec. 41.22(b) of this
part.
(3) Affiliates who may provide the notice. The notice required by
this paragraph must be provided:
(i) By the affiliate that provided the previous opt-out notice, or
its successor; or (ii) As part of a joint renewal notice from two or
more members of an affiliated group of companies, or their
[[Page 62953]]
successors, that jointly provided the previous opt-out notice.
(b) Contents of renewal notice. The renewal notice must be clear,
conspicuous, and concise, and must accurately disclose:
(1) The name of the affiliate(s) providing the notice. If the
notice is provided jointly by multiple affiliates and each affiliate
shares a common name, such as ``ABC,'' then the notice may indicate
that it is being provided by multiple companies with the ABC name or
multiple companies in the ABC group or family of companies, for
example, by stating that the notice is provided by ``all of the ABC
companies,'' ``the ABC banking, credit card, insurance, and securities
companies,'' or by listing the name of each affiliate providing the
notice. But if the affiliates providing the joint notice do not all
share a common name, then the notice must either separately identify
each affiliate by name or identify each of the common names used by
those affiliates, for example, by stating that the notice is provided
by ``all of the ABC and XYZ companies'' or by ``the ABC banking and
credit card companies and the XYZ insurance companies'';
(2) A list of the affiliates or types of affiliates whose use of
eligibility information is covered by the notice, which may include
companies that become affiliates after the notice is provided to the
consumer. If each affiliate covered by the notice shares a common name,
such as ``ABC,'' then the notice may indicate that it applies to
multiple companies with the ABC name or multiple companies in the ABC
group or family of companies, for example, by stating that the notice
is provided by ``all of the ABC companies,'' ``the ABC banking, credit
card, insurance, and securities companies,'' or by listing the name of
each affiliate providing the notice. But if the affiliates covered by
the notice do not all share a common name, then the notice must either
separately identify each covered affiliate by name or identify each of
the common names used by those affiliates, for example, by stating that
the notice applies to ``all of the ABC and XYZ companies'' or to ``the
ABC banking and credit card companies and the XYZ insurance
companies'';
(3) A general description of the types of eligibility information
that may be used to make solicitations to the consumer;
(4) That the consumer previously elected to limit the use of
certain information to make solicitations to the consumer;
(5) That the consumer's election has expired or is about to expire;
(6) That the consumer may elect to renew the consumer's previous
election;
(7) If applicable, that the consumer's election to renew will apply
for the specified period of time stated in the notice and that the
consumer will be allowed to renew the election once that period
expires; and
(8) A reasonable and simple method for the consumer to opt out.
(c) Timing of the renewal notice. (1) In general. A renewal notice
may be provided to the consumer either--
(i) A reasonable period of time before the expiration of the opt-
out period; or
(ii) Any time after the expiration of the opt-out period but before
solicitations that would have been prohibited by the expired opt-out
are made to the consumer.
(2) Combination with annual privacy notice. If a bank provides an
annual privacy notice under the Gramm-Leach-Bliley Act, 15 U.S.C. 6801
et seq., providing a renewal notice with the last annual privacy notice
provided to the consumer before expiration of the opt-out period is a
reasonable period of time before expiration of the opt-out in all
cases.
(d) No effect on opt-out period. An opt-out period may not be
shortened by sending a renewal notice to the consumer before expiration
of the opt-out period, even if the consumer does not renew the opt out.
Sec. 41.28 Effective date, compliance date, and prospective
application.
(a) Effective date. This subpart is effective January 1, 2008.
(b) Mandatory compliance date. Compliance with this subpart is
required not later than October 1, 2008.
(c) Prospective application. The provisions of this subpart shall
not prohibit a bank from using eligibility information that it receives
from an affiliate to make solicitations to a consumer if the bank
receives such information prior to October 1, 2008. For purposes of
this section, a bank is deemed to receive eligibility information when
such information is placed into a common database and is accessible by
the bank.
3. Appendixes A and B to part 41 are added and reserved, and a new
Appendix C to part 41 is added to read as follows:
Appendix C To Part 41--Model Forms for Opt-Out Notices
a. Although use of the model forms is not required, use of the
model forms in this Appendix (as applicable) complies with the
requirement in section 624 of the Act for clear, conspicuous, and
concise notices.
b. Certain changes may be made to the language or format of the
model forms without losing the protection from liability afforded by
use of the model forms. These changes may not be so extensive as to
affect the substance, clarity, or meaningful sequence of the
language in the model forms. Persons making such extensive revisions
will lose the safe harbor that this Appendix provides. Acceptable
changes include, for example:
1. Rearranging the order of the references to ``your income,''
``your account history,'' and ``your credit score.''
2. Substituting other types of information for ``income,''
``account history,'' or ``credit score'' for accuracy, such as
``payment history,'' ``credit history,'' ``payoff status,'' or
``claims history.''
3. Substituting a clearer and more accurate description of the
affiliates providing or covered by the notice for phrases such as
``the [ABC] group of companies,'' including without limitation a
statement that the entity providing the notice recently purchased
the consumer's account.
4. Substituting other types of affiliates covered by the notice
for ``credit card,'' ``insurance,'' or ``securities'' affiliates.
5. Omitting items that are not accurate or applicable. For
example, if a person does not limit the duration of the opt-out
period, the notice may omit information about the renewal notice.
6. Adding a statement informing consumers how much time they
have to opt out before shared eligibility information may be used to
make solicitations to them.
7. Adding a statement that the consumer may exercise the right
to opt out at any time.
8. Adding the following statement, if accurate: ``If you
previously opted out, you do not need to do so again.''
9. Providing a place on the form for the consumer to fill in
identifying information, such as his or her name and address:
C-1 Model Form for Initial Opt-out Notice (Single-Affiliate Notice)
C-2 Model Form for Initial Opt-out Notice (Joint Notice)
C-3 Model Form for Renewal Notice (Single-Affiliate Notice)
C-4 Model Form for Renewal Notice (Joint Notice)
C-5 Model Form for Voluntary ``No Marketing'' Notice
C-1--Model Form for Initial Opt-out Notice (Single-Affiliate
Notice)--[Your Choice To Limit Marketing]/[Marketing Opt-out]
[Name of Affiliate] is providing this notice.
[Optional: Federal law gives you the right to limit
some but not all marketing from our affiliates. Federal law also
requires us to give you this notice to tell you about your choice to
limit marketing from our affiliates.]
You may limit our affiliates in the [ABC] group of
companies, such as our [credit card, insurance, and securities]
affiliates, from marketing their products or services to you based
on your personal information that we collect and share with them.
This information includes your [income], your [account history with
us], and your [credit score].
Your choice to limit marketing offers from our
affiliates will apply [until you tell
[[Page 62954]]
us to change your choice]/[for x years from when you tell us your
choice]/[for at least 5 years from when you tell us your choice].
[Include if the opt-out period expires.] Once that period expires,
you will receive a renewal notice that will allow you to continue to
limit marketing offers from our affiliates for [another x years]/[at
least another 5 years].
[Include, if applicable, in a subsequent notice,
including an annual notice, for consumers who may have previously
opted out.] If you have already made a choice to limit marketing
offers from our affiliates, you do not need to act again until you
receive the renewal notice.
To limit marketing offers, contact us [include all that apply]:
By telephone: 1-877--
On the Web: www.---.com
By mail: Check the box and complete the form below, and
send the form to:
[Company name]
[Company address]
--Do not allow your affiliates to use my personal information to
market to me.
C-2--Model Form for Initial Opt-out Notice (Joint Notice)--[Your
Choice To Limit Marketing]/[Marketing Opt-out]
The [ABC group of companies] is providing this notice.
[Optional: Federal law gives you the right to limit
some but not all marketing from the [ABC] companies. Federal law
also requires us to give you this notice to tell you about your
choice to limit marketing from the [ABC] companies.]
You may limit the [ABC] companies, such as the [ABC
credit card, insurance, and securities] affiliates, from marketing
their products or services to you based on your personal information
that they receive from other [ABC] companies. This information
includes your [income], your [account history], and your [credit
score].
Your choice to limit marketing offers from the [ABC]
companies will apply [until you tell us to change your choice]/[for
x years from when you tell us your choice]/[for at least 5 years
from when you tell us your choice]. [Include if the opt-out period
expires.] Once that period expires, you will receive a renewal
notice that will allow you to continue to limit marketing offers
from the [ABC] companies for [another x years]/[at least another 5
years].
[Include, if applicable, in a subsequent notice,
including an annual notice, for consumers who may have previously
opted out.] If you have already made a choice to limit marketing
offers from the [ABC] companies, you do not need to act again until
you receive the renewal notice.
To limit marketing offers, contact us [include all that apply]:
By telephone: 1-877--
On the Web: www.---.com
By mail: Check the box and complete the form below, and
send the form to:
[Company name]
[Company address]
--Do not allow any company [in the ABC group of companies] to
use my personal information to market to me.
C-3--Model Form for Renewal Notice (Single-Affiliate Notice)--
[Renewing Your Choice to Limit Marketing]/[Renewing Your Marketing
Opt-out]
[Name of Affiliate] is providing this notice.
[Optional: Federal law gives you the right to limit
some but not all marketing from our affiliates. Federal law also
requires us to give you this notice to tell you about your choice to
limit marketing from our affiliates.]
You previously chose to limit our affiliates in the
[ABC] group of companies, such as our [credit card, insurance, and
securities] affiliates, from marketing their products or services to
you based on your personal information that we share with them. This
information includes your [income], your [account history with us],
and your [credit score].
Your choice has expired or is about to expire.
To renew your choice to limit marketing for [x] more years,
contact us [include all that apply]:
By telephone: 1-877--
On the Web: www.---.com
By mail: Check the box and complete the form below, and
send the form to:
[Company name]
[Company address]
--Renew my choice to limit marketing for [x] more years.
C-4--Model Form for Renewal Notice (Joint Notice)--[Renewing Your
Choice To Limit Marketing]/[Renewing Your Marketing Opt-out]
The [ABC group of companies] is providing this notice.
[Optional: Federal law gives you the right to limit
some but not all marketing from the [ABC] companies. Federal law
also requires us to give you this notice to tell you about your
choice to limit marketing from the [ABC] companies.]
You previously chose to limit the [ABC] companies, such
as the [ABC credit card, insurance, and securities] affiliates, from
marketing their products or services to you based on your personal
information that they receive from other ABC companies. This
information includes your [income], your [account history], and your
[credit score].
Your choice has expired or is about to expire.
To renew your choice to limit marketing for [x] more years,
contact us [include all that apply]:
By telephone: 1-877--
On the Web: www.---.com
By mail: Check the box and complete the form below, and
send the form to:
[Company name]
[Company address]
--Renew my choice to limit marketing for [x] more years.
C-5--Model Form for Voluntary ``No Marketing'' Notice--Your Choice
to Stop Marketing
[Name of Affiliate] is providing this notice.
You may choose to stop all marketing from us and our
affiliates.
To stop all marketing, contact us [include all that apply]:
By telephone: 1-877---
On the Web: www.---.com
By mail: Check the box and complete the form below, and
send the form to:
[Company name]
[Company address]
--Do not market to me.
Board of Governors of the Federal Reserve System
12 CFR Chapter II.
Authority and Issuance
0
For the reasons set forth in the joint preamble, part 222 of title 12,
chapter II, of the Code of Federal Regulations is amended as follows:
PART 222--FAIR CREDIT REPORTING (REGULATION V)
0
1. The authority citation for part 222 is revised to read as follows:
Authority: 15 U.S.C. 1681a, 1681b, 1681c, 1681m, 1681s, 1681s-2,
1681s-3, 1681t, and 1681w; Secs. 3 and 214, Pub. L. 108-159, 117
Stat. 1952.
Subpart A--General Provisions
0
2. Section 222.1 is amended by adding a new paragraph (a) and revising
paragraph (b)(2)(i) to read as follows:
Sec. 222.1 Purpose, scope, and effective dates.
(a) Purpose. The purpose of this part is to implement the Fair
Credit Reporting Act. This part generally applies to persons that
obtain and use information about consumers to determine the consumer's
eligibility for products, services, or employment, share such
information among affiliates, and furnish information to consumer
reporting agencies.
(b) * * *
(2) Institutions covered. (i) Except as otherwise provided in this
part, the regulations in this part apply to banks that are members of
the Federal Reserve System (other than national banks) and their
respective operating subsidiaries that are not functionally regulated
within the meaning of section 5(c)(5) of the Bank Holding Company Act,
as amended (12 U.S.C. 1844(c)(5)), branches and Agencies of foreign
banks (other than Federal branches, Federal Agencies, and insured State
branches of foreign banks), commercial lending companies owned or
controlled by foreign banks, organizations operating under section 25
or 25A of the Federal Reserve Act (12 U.S.C. 601 et seq., and 611 et
seq.), and bank holding companies and affiliates of such holding
companies, but do not apply to affiliates
[[Page 62955]]
of bank holding companies that are depository institutions regulated by
another federal banking agency or to consumer reporting agencies.
* * * * *
0
3. A new Subpart C is added to part 222 to read as follows:
Subpart C--Affiliate Marketing
Sec.
222.20 Coverage and definitions.
222.21 Affiliate marketing opt-out and exceptions.
222.22 Scope and duration of opt-out.
222.23 Contents of opt-out notice; consolidated and equivalent
notices.
222.24 Reasonable opportunity to opt out.
222.25 Reasonable and simple methods of opting out.
222.26 Delivery of opt-out notices.
222.27 Renewal of opt-out.
222.28 Effective date, compliance date, and prospective application.
Subpart C--Affiliate Marketing
Sec. 222.20 Coverage and definitions.
(a) Coverage. Subpart C of this part applies to member banks of the
Federal Reserve System (other than national banks) and their respective
operating subsidiaries that are not functionally regulated within the
meaning of section 5(c)(5) of the Bank Holding Company Act, as amended
(12 U.S.C. 1844(c)(5)), branches and Agencies of foreign banks (other
than Federal branches, Federal Agencies, and insured State branches of
foreign banks), commercial lending companies owned or controlled by
foreign banks, and organizations operating under section 25 or 25A of
the Federal Reserve Act (12 U.S.C. 601 et seq., and 611 et seq.).
(b) Definitions. For purposes of this subpart:
(1) Clear and conspicuous. The term ``clear and conspicuous'' means
reasonably understandable and designed to call attention to the nature
and significance of the information presented.
(2) Concise. (i) In general. The term ``concise'' means a
reasonably brief expression or statement.
(ii) Combination with other required disclosures. A notice required
by this subpart may be concise even if it is combined with other
disclosures required or authorized by federal or state law.
(3) Eligibility information. The term ``eligibility information''
means any information the communication of which would be a consumer
report if the exclusions from the definition of ``consumer report'' in
section 603(d)(2)(A) of the Act did not apply. Eligibility information
does not include aggregate or blind data that does not contain personal
identifiers such as account numbers, names, or addresses.
(4) Pre-existing business relationship. (i) In general. The term
``pre-existing business relationship'' means a relationship between a
person, or a person's licensed agent, and a consumer based on--
(A) A financial contract between the person and the consumer which
is in force on the date on which the consumer is sent a solicitation
covered by this subpart;
(B) The purchase, rental, or lease by the consumer of the person's
goods or services, or a financial transaction (including holding an
active account or a policy in force or having another continuing
relationship) between the consumer and the person, during the 18-month
period immediately preceding the date on which the consumer is sent a
solicitation covered by this subpart; or
(C) An inquiry or application by the consumer regarding a product
or service offered by that person during the three-month period
immediately preceding the date on which the consumer is sent a
solicitation covered by this subpart.
(ii) Examples of pre-existing business relationships. (A) If a
consumer has a time deposit account, such as a certificate of deposit,
at a depository institution that is currently in force, the depository
institution has a pre-existing business relationship with the consumer
and can use eligibility information it receives from its affiliates to
make solicitations to the consumer about its products or services.
(B) If a consumer obtained a certificate of deposit from a
depository institution, but did not renew the certificate at maturity,
the depository institution has a pre-existing business relationship
with the consumer and can use eligibility information it receives from
its affiliates to make solicitations to the consumer about its products
or services for 18 months after the date of maturity of the certificate
of deposit.
(C) If a consumer obtains a mortgage, the mortgage lender has a
pre-existing business relationship with the consumer. If the mortgage
lender sells the consumer's entire loan to an investor, the mortgage
lender has a pre-existing business relationship with the consumer and
can use eligibility information it receives from its affiliates to make
solicitations to the consumer about its products or services for 18
months after the date it sells the loan, and the investor has a pre-
existing business relationship with the consumer upon purchasing the
loan. If, however, the mortgage lender sells a fractional interest in
the consumer's loan to an investor but also retains an ownership
interest in the loan, the mortgage lender continues to have a pre-
existing business relationship with the consumer, but the investor does
not have a pre-existing business relationship with the consumer. If the
mortgage lender retains ownership of the loan, but sells ownership of
the servicing rights to the consumer's loan, the mortgage lender
continues to have a pre-existing business relationship with the
consumer. The purchaser of the servicing rights also has a pre-existing
business relationship with the consumer as of the date it purchases
ownership of the servicing rights, but only if it collects payments
from or otherwise deals directly with the consumer on a continuing
basis.
(D) If a consumer applies to a depository institution for a product
or service that it offers, but does not obtain a product or service
from or enter into a financial contract or transaction with the
institution, the depository institution has a pre-existing business
relationship with the consumer and can therefore use eligibility
information it receives from an affiliate to make solicitations to the
consumer about its products or services for three months after the date
of the application.
(E) If a consumer makes a telephone inquiry to a depository
institution about its products or services and provides contact
information to the institution, but does not obtain a product or
service from or enter into a financial contract or transaction with the
institution, the depository institution has a pre-existing business
relationship with the consumer and can therefore use eligibility
information it receives from an affiliate to make solicitations to the
consumer about its products or services for three months after the date
of the inquiry.
(F) If a consumer makes an inquiry to a depository institution by
e-mail about its products or services, but does not obtain a product or
service from or enter into a financial contract or transaction with the
institution, the depository institution has a pre-existing business
relationship with the consumer and can therefore use eligibility
information it receives from an affiliate to make solicitations to the
consumer about its products or services for three months after the date
of the inquiry.
(G) If a consumer has an existing relationship with a depository
institution that is part of a group of affiliated companies, makes a
telephone call to the centralized call center for the group of
affiliated companies to inquire about products or services offered by
the insurance affiliate, and provides contact information to the call
center, the call constitutes an inquiry to the insurance
[[Page 62956]]
affiliate that offers those products or services. The insurance
affiliate has a pre-existing business relationship with the consumer
and can therefore use eligibility information it receives from its
affiliated depository institution to make solicitations to the consumer
about its products or services for three months after the date of the
inquiry.
(iii) Examples where no pre-existing business relationship is
created. (A) If a consumer makes a telephone call to a centralized call
center for a group of affiliated companies to inquire about the
consumer's existing account at a depository institution, the call does
not constitute an inquiry to any affiliate other than the depository
institution that holds the consumer's account and does not establish a
pre-existing business relationship between the consumer and any
affiliate of the account-holding depository institution.
(B) If a consumer who has a deposit account with a depository
institution makes a telephone call to an affiliate of the institution
to ask about the affiliate's retail locations and hours, but does not
make an inquiry about the affiliate's products or services, the call
does not constitute an inquiry and does not establish a pre-existing
business relationship between the consumer and the affiliate. Also, the
affiliate's capture of the consumer's telephone number does not
constitute an inquiry and does not establish a pre-existing business
relationship between the consumer and the affiliate.
(C) If a consumer makes a telephone call to a depository
institution in response to an advertisement that offers a free
promotional item to consumers who call a toll-free number, but the
advertisement does not indicate that the depository institution's
products or services will be marketed to consumers who call in
response, the call does not create a pre-existing business relationship
between the consumer and the depository institution because the
consumer has not made an inquiry about a product or service offered by
the institution, but has merely responded to an offer for a free
promotional item.
(5) Solicitation. (i) In general. The term ``solicitation'' means
the marketing of a product or service initiated by a person to a
particular consumer that is--
(A) Based on eligibility information communicated to that person by
its affiliate as described in this subpart; and
(B) Intended to encourage the consumer to purchase or obtain such
product or service.
(ii) Exclusion of marketing directed at the general public. A
solicitation does not include marketing communications that are
directed at the general public. For example, television, general
circulation magazine, and billboard advertisements do not constitute
solicitations, even if those communications are intended to encourage
consumers to purchase products and services from the person initiating
the communications.
(iii) Examples of solicitations. A solicitation would include, for
example, a telemarketing call, direct mail, e-mail, or other form of
marketing communication directed to a particular consumer that is based
on eligibility information received from an affiliate.
(6) You means a person described in paragraph (a) of this section.
Sec. 222.21 Affiliate marketing opt-out and exceptions.
(a) Initial notice and opt-out requirement. (1) In general. You may
not use eligibility information about a consumer that you receive from
an affiliate to make a solicitation for marketing purposes to the
consumer, unless--
(i) It is clearly and conspicuously disclosed to the consumer in
writing or, if the consumer agrees, electronically, in a concise notice
that you may use eligibility information about that consumer received
from an affiliate to make solicitations for marketing purposes to the
consumer;
(ii) The consumer is provided a reasonable opportunity and a
reasonable and simple method to ``opt out,'' or prohibit you from using
eligibility information to make solicitations for marketing purposes to
the consumer; and
(iii) The consumer has not opted out.
(2) Example. A consumer has a homeowner's insurance policy with an
insurance company. The insurance company furnishes eligibility
information about the consumer to its affiliated depository
institution. Based on that eligibility information, the depository
institution wants to make a solicitation to the consumer about its home
equity loan products. The depository institution does not have a pre-
existing business relationship with the consumer and none of the other
exceptions apply. The depository institution is prohibited from using
eligibility information received from its insurance affiliate to make
solicitations to the consumer about its home equity loan products
unless the consumer is given a notice and opportunity to opt out and
the consumer does not opt out.
(3) Affiliates who may provide the notice. The notice required by
this paragraph must be provided:
(i) By an affiliate that has or has previously had a pre-existing
business relationship with the consumer; or
(ii) As part of a joint notice from two or more members of an
affiliated group of companies, provided that at least one of the
affiliates on the joint notice has or has previously had a pre-existing
business relationship with the consumer.
(b) Making solicitations. (1) In general. For purposes of this
subpart, you make a solicitation for marketing purposes if--
(i) You receive eligibility information from an affiliate;
(ii) You use that eligibility information to do one or more of the
following:
(A) Identify the consumer or type of consumer to receive a
solicitation;
(B) Establish criteria used to select the consumer to receive a
solicitation; or
(C) Decide which of your products or services to market to the
consumer or tailor your solicitation to that consumer; and
(iii) As a result of your use of the eligibility information, the
consumer is provided a solicitation.
(2) Receiving eligibility information from an affiliate, including
through a common database. You may receive eligibility information from
an affiliate in various ways, including when the affiliate places that
information into a common database that you may access.
(3) Receipt or use of eligibility information by your service
provider. Except as provided in paragraph (b)(5) of this section, you
receive or use an affiliate's eligibility information if a service
provider acting on your behalf (whether an affiliate or a nonaffiliated
third party) receives or uses that information in the manner described
in paragraphs (b)(1)(i) or (b)(1)(ii) of this section. All relevant
facts and circumstances will determine whether a person is acting as
your service provider when it receives or uses an affiliate's
eligibility information in connection with marketing your products and
services.
(4) Use by an affiliate of its own eligibility information. Unless
you have used eligibility information that you receive from an
affiliate in the manner described in paragraph (b)(1)(ii) of this
section, you do not make a solicitation subject to this subpart if your
affiliate:
(i) Uses its own eligibility information that it obtained in
connection with a pre-existing business relationship it has or had with
the consumer to market your products or services to the consumer; or
(ii) Directs its service provider to use the affiliate's own
eligibility information
[[Page 62957]]
that it obtained in connection with a pre-existing business
relationship it has or had with the consumer to market your products or
services to the consumer, and you do not communicate directly with the
service provider regarding that use.
(5) Use of eligibility information by a service provider. (i) In
general. You do not make a solicitation subject to Subpart C of this
part if a service provider (including an affiliated or third-party
service provider that maintains or accesses a common database that you
may access) receives eligibility information from your affiliate that
your affiliate obtained in connection with a pre-existing business
relationship it has or had with the consumer and uses that eligibility
information to market your products or services to the consumer, so
long as--
(A) Your affiliate controls access to and use of its eligibility
information by the service provider (including the right to establish
the specific terms and conditions under which the service provider may
use such information to market your products or services);
(B) Your affiliate establishes specific terms and conditions under
which the service provider may access and use the affiliate's
eligibility information to market your products and services (or those
of affiliates generally) to the consumer, such as the identity of the
affiliated companies whose products or services may be marketed to the
consumer by the service provider, the types of products or services of
affiliated companies that may be marketed, and the number of times the
consumer may receive marketing materials, and periodically evaluates
the service provider's compliance with those terms and conditions;
(C) Your affiliate requires the service provider to implement
reasonable policies and procedures designed to ensure that the service
provider uses the affiliate's eligibility information in accordance
with the terms and conditions established by the affiliate relating to
the marketing of your products or services;
(D) Your affiliate is identified on or with the marketing materials
provided to the consumer; and
(E) You do not directly use your affiliate's eligibility
information in the manner described in paragraph (b)(1)(ii) of this
section.
(ii) Writing requirements. (A) The requirements of paragraphs
(b)(5)(i)(A) and (C) of this section must be set forth in a written
agreement between your affiliate and the service provider; and
(B) The specific terms and conditions established by your affiliate
as provided in paragraph (b)(5)(i)(B) of this section must be set forth
in writing.
(6) Examples of making solicitations. (i) A consumer has a deposit
account with a depository institution, which is affiliated with an
insurance company. The insurance company receives eligibility
information about the consumer from the depository institution. The
insurance company uses that eligibility information to identify the
consumer to receive a solicitation about insurance products, and, as a
result, the insurance company provides a solicitation to the consumer
about its insurance products. Pursuant to paragraph (b)(1) of this
section, the insurance company has made a solicitation to the consumer.
(ii) The same facts as in the example in paragraph (b)(6)(i) of
this section, except that after using the eligibility information to
identify the consumer to receive a solicitation about insurance
products, the insurance company asks the depository institution to send
the solicitation to the consumer and the depository institution does
so. Pursuant to paragraph (b)(1) of this section, the insurance company
has made a solicitation to the consumer because it used eligibility
information about the consumer that it received from an affiliate to
identify the consumer to receive a solicitation about its products or
services, and, as a result, a solicitation was provided to the consumer
about the insurance company's products.
(iii) The same facts as in the example in paragraph (b)(6)(i) of
this section, except that eligibility information about consumers that
have deposit accounts with the depository institution is placed into a
common database that all members of the affiliated group of companies
may independently access and use. Without using the depository
institution's eligibility information, the insurance company develops
selection criteria and provides those criteria, marketing materials,
and related instructions to the depository institution. The depository
institution reviews eligibility information about its own consumers
using the selection criteria provided by the insurance company to
determine which consumers should receive the insurance company's
marketing materials and sends marketing materials about the insurance
company's products to those consumers. Even though the insurance
company has received eligibility information through the common
database as provided in paragraph (b)(2) of this section, it did not
use that information to identify consumers or establish selection
criteria; instead, the depository institution used its own eligibility
information. Therefore, pursuant to paragraph (b)(4)(i) of this
section, the insurance company has not made a solicitation to the
consumer.
(iv) The same facts as in the example in paragraph (b)(6)(iii) of
this section, except that the depository institution provides the
insurance company's criteria to the depository institution's service
provider and directs the service provider to use the depository
institution's eligibility information to identify depository
institution consumers who meet the criteria and to send the insurance
company's marketing materials to those consumers. The insurance company
does not communicate directly with the service provider regarding the
use of the depository institution's information to market its products
to the depository institution's consumers. Pursuant to paragraph
(b)(4)(ii) of this section, the insurance company has not made a
solicitation to the consumer.
(v) An affiliated group of companies includes a depository
institution, an insurance company, and a service provider. Each
affiliate in the group places information about its consumers into a
common database. The service provider has access to all information in
the common database. The depository institution controls access to and
use of its eligibility information by the service provider. This
control is set forth in a written agreement between the depository
institution and the service provider. The written agreement also
requires the service provider to establish reasonable policies and
procedures designed to ensure that the service provider uses the
depository institution's eligibility information in accordance with
specific terms and conditions established by the depository institution
relating to the marketing of the products and services of all
affiliates, including the insurance company. In a separate written
communication, the depository institution specifies the terms and
conditions under which the service provider may use the depository
institution's eligibility information to market the insurance company's
products and services to the depository institution's consumers. The
specific terms and conditions are: A list of affiliated companies
(including the insurance company) whose products or services may be
marketed to the depository institution's consumers by the service
provider; the specific products or types of products that may be
marketed to the depository institution's consumers by the service
provider; the categories of eligibility
[[Page 62958]]
information that may be used by the service provider in marketing
products or services to the depository institution's consumers; the
types or categories of the depository institution's consumers to whom
the service provider may market products or services of depository
institution affiliates; the number and/or types of marketing
communications that the service provider may send to the depository
institution's consumers; and the length of time during which the
service provider may market the products or services of the depository
institution's affiliates to its consumers. The depository institution
periodically evaluates the service provider's compliance with these
terms and conditions. The insurance company asks the service provider
to market insurance products to certain consumers who have deposit
accounts with the depository institution. Without using the depository
institution's eligibility information, the insurance company develops
selection criteria and provides those criteria, marketing materials,
and related instructions to the service provider. The service provider
uses the depository institution's eligibility information from the
common database to identify the depository institution's consumers to
whom insurance products will be marketed. When the insurance company's
marketing materials are provided to the identified consumers, the name
of the depository institution is displayed on the insurance marketing
materials, an introductory letter that accompanies the marketing
materials, an account statement that accompanies the marketing
materials, or the envelope containing the marketing materials. The
requirements of paragraph (b)(5) of this section have been satisfied,
and the insurance company has not made a solicitation to the consumer.
(vi) The same facts as in the example in paragraph (b)(6)(v) of
this section, except that the terms and conditions permit the service
provider to use the depository institution's eligibility information to
market the products and services of other affiliates to the depository
institution's consumers whenever the service provider deems it
appropriate to do so. The service provider uses the depository
institution's eligibility information in accordance with the discretion
afforded to it by the terms and conditions. Because the terms and
conditions are not specific, the requirements of paragraph (b)(5) of
this section have not been satisfied.
(c) Exceptions. The provisions of this subpart do not apply to you
if you use eligibility information that you receive from an affiliate:
(1) To make a solicitation for marketing purposes to a consumer
with whom you have a pre-existing business relationship;
(2) To facilitate communications to an individual for whose benefit
you provide employee benefit or other services pursuant to a contract
with an employer related to and arising out of the current employment
relationship or status of the individual as a participant or
beneficiary of an employee benefit plan;
(3) To perform services on behalf of an affiliate, except that this
subparagraph shall not be construed as permitting you to send
solicitations on behalf of an affiliate if the affiliate would not be
permitted to send the solicitation as a result of the election of the
consumer to opt out under this subpart;
(4) In response to a communication about your products or services
initiated by the consumer;
(5) In response to an authorization or request by the consumer to
receive solicitations; or
(6) If your compliance with this subpart would prevent you from
complying with any provision of State insurance laws pertaining to
unfair discrimination in any State in which you are lawfully doing
business.
(d) Examples of exceptions. (1) Example of the pre-existing
business relationship exception. A consumer has a deposit account with
a depository institution. The consumer also has a relationship with the
depository institution's securities affiliate for management of the
consumer's securities portfolio. The depository institution receives
eligibility information about the consumer from its securities
affiliate and uses that information to make a solicitation to the
consumer about the depository institution's wealth management services.
The depository institution may make this solicitation even if the
consumer has not been given a notice and opportunity to opt out because
the depository institution has a pre-existing business relationship
with the consumer.
(2) Examples of service provider exception. (i) A consumer has an
insurance policy issued by an insurance company. The insurance company
furnishes eligibility information about the consumer to its affiliated
depository institution. Based on that eligibility information, the
depository institution wants to make a solicitation to the consumer
about its deposit products. The depository institution does not have a
pre-existing business relationship with the consumer and none of the
other exceptions in paragraph (c) of this section apply. The consumer
has been given an opt-out notice and has elected to opt out of
receiving such solicitations. The depository institution asks a service
provider to send the solicitation to the consumer on its behalf. The
service provider may not send the solicitation on behalf of the
depository institution because, as a result of the consumer's opt-out
election, the depository institution is not permitted to make the
solicitation.
(ii) The same facts as in paragraph (d)(2)(i) of this section,
except the consumer has been given an opt-out notice, but has not
elected to opt out. The depository institution asks a service provider
to send the solicitation to the consumer on its behalf. The service
provider may send the solicitation on behalf of the depository
institution because, as a result of the consumer's not opting out, the
depository institution is permitted to make the solicitation.
(3) Examples of consumer-initiated communications. (i) A consumer
who has a deposit account with a depository institution initiates a
communication with the depository institution's credit card affiliate
to request information about a credit card. The credit card affiliate
may use eligibility information about the consumer it obtains from the
depository institution or any other affiliate to make solicitations
regarding credit card products in response to the consumer-initiated
communication.
(ii) A consumer who has a deposit account with a depository
institution contacts the institution to request information about how
to save and invest for a child's college education without specifying
the type of product in which the consumer may be interested.
Information about a range of different products or services offered by
the depository institution and one or more affiliates of the
institution may be responsive to that communication. Such products or
services may include the following: Mutual funds offered by the
institution's mutual fund affiliate; section 529 plans offered by the
institution, its mutual fund affiliate, or another securities
affiliate; or trust services offered by a different financial
institution in the affiliated group. Any affiliate offering investment
products or services that would be responsive to the consumer's request
for information about saving and investing for a child's college
education may use eligibility information to make solicitations to the
consumer in response to this communication.
[[Page 62959]]
(iii) A credit card issuer makes a marketing call to the consumer
without using eligibility information received from an affiliate. The
issuer leaves a voice-mail message that invites the consumer to call a
toll-free number to apply for the issuer's credit card. If the consumer
calls the toll-free number to inquire about the credit card, the call
is a consumer-initiated communication about a product or service and
the credit card issuer may now use eligibility information it receives
from its affiliates to make solicitations to the consumer.
(iv) A consumer calls a depository institution to ask about retail
locations and hours, but does not request information about products or
services. The institution may not use eligibility information it
receives from an affiliate to make solicitations to the consumer about
its products or services because the consumer-initiated communication
does not relate to the depository institution's products or services.
Thus, the use of eligibility information received from an affiliate
would not be responsive to the communication and the exception does not
apply.
(v) A consumer calls a depository institution to ask about retail
locations and hours. The customer service representative asks the
consumer if there is a particular product or service about which the
consumer is seeking information. The consumer responds that the
consumer wants to stop in and find out about certificates of deposit.
The customer service representative offers to provide that information
by telephone and mail additional information and application materials
to the consumer. The consumer agrees and provides or confirms contact
information for receipt of the materials to be mailed. The depository
institution may use eligibility information it receives from an
affiliate to make solicitations to the consumer about certificates of
deposit because such solicitations would respond to the consumer-
initiated communication about products or services.
(4) Examples of consumer authorization or request for
solicitations. (i) A consumer who obtains a mortgage from a mortgage
lender authorizes or requests information about homeowner's insurance
offered by the mortgage lender's insurance affiliate. Such
authorization or request, whether given to the mortgage lender or to
the insurance affiliate, would permit the insurance affiliate to use
eligibility information about the consumer it obtains from the mortgage
lender or any other affiliate to make solicitations to the consumer
about homeowner's insurance.
(ii) A consumer completes an online application to apply for a
credit card from a credit card issuer. The issuer's online application
contains a blank check box that the consumer may check to authorize or
request information from the credit card issuer's affiliates. The
consumer checks the box. The consumer has authorized or requested
solicitations from the card issuer's affiliates.
(iii) A consumer completes an online application to apply for a
credit card from a credit card issuer. The issuer's online application
contains a pre-selected check box indicating that the consumer
authorizes or requests information from the issuer's affiliates. The
consumer does not deselect the check box. The consumer has not
authorized or requested solicitations from the card issuer's
affiliates.
(iv) The terms and conditions of a credit card account agreement
contain preprinted boilerplate language stating that by applying to
open an account the consumer authorizes or requests to receive
solicitations from the credit card issuer's affiliates. The consumer
has not authorized or requested solicitations from the card issuer's
affiliates.
(e) Relation to affiliate-sharing notice and opt-out. Nothing in
this subpart limits the responsibility of a person to comply with the
notice and opt-out provisions of section 603(d)(2)(A)(iii) of the Act
where applicable.
Sec. 222.22 Scope and duration of opt-out.
(a) Scope of opt-out. (1) In general. Except as otherwise provided
in this section, the consumer's election to opt out prohibits any
affiliate covered by the opt-out notice from using eligibility
information received from another affiliate as described in the notice
to make solicitations to the consumer.
(2) Continuing relationship. (i) In general. If the consumer
establishes a continuing relationship with you or your affiliate, an
opt-out notice may apply to eligibility information obtained in
connection with--
(A) A single continuing relationship or multiple continuing
relationships that the consumer establishes with you or your
affiliates, including continuing relationships established subsequent
to delivery of the opt-out notice, so long as the notice adequately
describes the continuing relationships covered by the opt-out; or
(B) Any other transaction between the consumer and you or your
affiliates as described in the notice.
(ii) Examples of continuing relationships. A consumer has a
continuing relationship with you or your affiliate if the consumer--
(A) Opens a deposit or investment account with you or your
affiliate;
(B) Obtains a loan for which you or your affiliate owns the
servicing rights;
(C) Purchases an insurance product from you or your affiliate;
(D) Holds an investment product through you or your affiliate, such
as when you act or your affiliate acts as a custodian for securities or
for assets in an individual retirement arrangement;
(E) Enters into an agreement or understanding with you or your
affiliate whereby you or your affiliate undertakes to arrange or broker
a home mortgage loan for the consumer;
(F) Enters into a lease of personal property with you or your
affiliate; or
(G) Obtains financial, investment, or economic advisory services
from you or your affiliate for a fee.
(3) No continuing relationship. (i) In general. If there is no
continuing relationship between a consumer and you or your affiliate,
and you or your affiliate obtain eligibility information about a
consumer in connection with a transaction with the consumer, such as an
isolated transaction or a credit application that is denied, an opt-out
notice provided to the consumer only applies to eligibility information
obtained in connection with that transaction.
(ii) Examples of isolated transactions. An isolated transaction
occurs if-
(A) The consumer uses your or your affiliate's ATM to withdraw cash
from an account at another financial institution; or
(B) You or your affiliate sells the consumer a cashier's check or
money order, airline tickets, travel insurance, or traveler's checks in
isolated transactions.
(4) Menu of alternatives. A consumer may be given the opportunity
to choose from a menu of alternatives when electing to prohibit
solicitations, such as by electing to prohibit solicitations from
certain types of affiliates covered by the opt-out notice but not other
types of affiliates covered by the notice, electing to prohibit
solicitations based on certain types of eligibility information but not
other types of eligibility information, or electing to prohibit
solicitations by certain methods of delivery but not other methods of
delivery. However, one of the alternatives must allow the consumer to
prohibit all solicitations from all of the affiliates that are covered
by the notice.
(5) Special rule for a notice following termination of all
continuing relationships. (i) In general. A consumer must be given a
new opt-out notice if,
[[Page 62960]]
after all continuing relationships with you or your affiliate(s) are
terminated, the consumer subsequently establishes another continuing
relationship with you or your affiliate(s) and the consumer's
eligibility information is to be used to make a solicitation. The new
opt-out notice must apply, at a minimum, to eligibility information
obtained in connection with the new continuing relationship. Consistent
with paragraph (b) of this section, the consumer's decision not to opt
out after receiving the new opt-out notice would not override a prior
opt-out election by the consumer that applies to eligibility
information obtained in connection with a terminated relationship,
regardless of whether the new opt-out notice applies to eligibility
information obtained in connection with the terminated relationship.
(ii) Example. A consumer has a checking account with a depository
institution that is part of an affiliated group. The consumer closes
the checking account. One year after closing the checking account, the
consumer opens a savings account with the same depository institution.
The consumer must be given a new notice and opportunity to opt out
before the depository institution's affiliates may make solicitations
to the consumer using eligibility information obtained by the
depository institution in connection with the new savings account
relationship, regardless of whether the consumer opted out in
connection with the checking account.
(b) Duration of opt-out. The election of a consumer to opt out must
be effective for a period of at least five years (the ``opt-out
period'') beginning when the consumer's opt-out election is received
and implemented, unless the consumer subsequently revokes the opt-out
in writing or, if the consumer agrees, electronically. An opt-out
period of more than five years may be established, including an opt-out
period that does not expire unless revoked by the consumer.
(c) Time of opt-out. A consumer may opt out at any time.
Sec. 222.23 Contents of opt-out notice; consolidated and equivalent
notices.
(a) Contents of opt-out notice. (1) In general. A notice must be
clear, conspicuous, and concise, and must accurately disclose:
(i) The name of the affiliate(s) providing the notice. If the
notice is provided jointly by multiple affiliates and each affiliate
shares a common name, such as ``ABC,'' then the notice may indicate
that it is being provided by multiple companies with the ABC name or
multiple companies in the ABC group or family of companies, for
example, by stating that the notice is provided by ``all of the ABC
companies,'' ``the ABC banking, credit card, insurance, and securities
companies,'' or by listing the name of each affiliate providing the
notice. But if the affiliates providing the joint notice do not all
share a common name, then the notice must either separately identify
each affiliate by name or identify each of the common names used by
those affiliates, for example, by stating that the notice is provided
by ``all of the ABC and XYZ companies'' or by ``the ABC banking and
credit card companies and the XYZ insurance companies'';
(ii) A list of the affiliates or types of affiliates whose use of
eligibility information is covered by the notice, which may include
companies that become affiliates after the notice is provided to the
consumer. If each affiliate covered by the notice shares a common name,
such as ``ABC,'' then the notice may indicate that it applies to
multiple companies with the ABC name or multiple companies in the ABC
group or family of companies, for example, by stating that the notice
is provided by ``all of the ABC companies,'' ``the ABC banking, credit
card, insurance, and securities companies,'' or by listing the name of
each affiliate providing the notice. But if the affiliates covered by
the notice do not all share a common name, then the notice must either
separately identify each covered affiliate by name or identify each of
the common names used by those affiliates, for example, by stating that
the notice applies to ``all of the ABC and XYZ companies'' or to ``the
ABC banking and credit card companies and the XYZ insurance
companies'';
(iii) A general description of the types of eligibility information
that may be used to make solicitations to the consumer;
(iv) That the consumer may elect to limit the use of eligibility
information to make solicitations to the consumer;
(v) That the consumer's election will apply for the specified
period of time stated in the notice and, if applicable, that the
consumer will be allowed to renew the election once that period
expires;
(vi) If the notice is provided to consumers who may have previously
opted out, such as if a notice is provided to consumers annually, that
the consumer who has chosen to limit solicitations does not need to act
again until the consumer receives a renewal notice; and
(vii) A reasonable and simple method for the consumer to opt out.
(2) Joint relationships. (i) If two or more consumers jointly
obtain a product or service, a single opt-out notice may be provided to
the joint consumers. Any of the joint consumers may exercise the right
to opt out.
(ii) The opt-out notice must explain how an opt-out direction by a
joint consumer will be treated. An opt-out direction by a joint
consumer may be treated as applying to all of the associated joint
consumers, or each joint consumer may be permitted to opt out
separately. If each joint consumer is permitted to opt out separately,
one of the joint consumers must be permitted to opt out on behalf of
all of the joint consumers and the joint consumers must be permitted to
exercise their separate rights to opt out in a single response.
(iii) It is impermissible to require all joint consumers to opt out
before implementing any opt-out direction.
(3) Alternative contents. If the consumer is afforded a broader
right to opt out of receiving marketing than is required by this
subpart, the requirements of this section may be satisfied by providing
the consumer with a clear, conspicuous, and concise notice that
accurately discloses the consumer's opt-out rights.
(4) Model notices. Model notices are provided in Appendix C of this
part.
(b) Coordinated and consolidated notices. A notice required by this
subpart may be coordinated and consolidated with any other notice or
disclosure required to be issued under any other provision of law by
the entity providing the notice, including but not limited to the
notice described in section 603(d)(2)(A)(iii) of the Act and the Gramm-
Leach-Bliley Act privacy notice.
(c) Equivalent notices. A notice or other disclosure that is
equivalent to the notice required by this subpart, and that is provided
to a consumer together with disclosures required by any other provision
of law, satisfies the requirements of this section.
Sec. 222.24 Reasonable opportunity to opt out.
(a) In general. You must not use eligibility information about a
consumer that you receive from an affiliate to make a solicitation to
the consumer about your products or services, unless the consumer is
provided a reasonable opportunity to opt out, as required by Sec.
222.21(a)(1)(ii) of this part.
(b) Examples of a reasonable opportunity to opt out. The consumer
is given a reasonable opportunity to opt out if:
[[Page 62961]]
(1) By mail. The opt-out notice is mailed to the consumer. The
consumer is given 30 days from the date the notice is mailed to elect
to opt out by any reasonable means.
(2) By electronic means. (i) The opt-out notice is provided
electronically to the consumer, such as by posting the notice at an
Internet Web site at which the consumer has obtained a product or
service. The consumer acknowledges receipt of the electronic notice.
The consumer is given 30 days after the date the consumer acknowledges
receipt to elect to opt out by any reasonable means.
(ii) The opt-out notice is provided to the consumer by e-mail where
the consumer has agreed to receive disclosures by e-mail from the
person sending the notice. The consumer is given 30 days after the e-
mail is sent to elect to opt out by any reasonable means.
(3) At the time of an electronic transaction. The opt-out notice is
provided to the consumer at the time of an electronic transaction, such
as a transaction conducted on an Internet Web site. The consumer is
required to decide, as a necessary part of proceeding with the
transaction, whether to opt out before completing the transaction.
There is a simple process that the consumer may use to opt out at that
time using the same mechanism through which the transaction is
conducted.
(4) At the time of an in-person transaction. The opt-out notice is
provided to the consumer in writing at the time of an in-person
transaction. The consumer is required to decide, as a necessary part of
proceeding with the transaction, whether to opt out before completing
the transaction, and is not permitted to complete the transaction
without making a choice. There is a simple process that the consumer
may use during the course of the in-person transaction to opt out, such
as completing a form that requires consumers to write a ``yes'' or
``no'' to indicate their opt-out preference or that requires the
consumer to check one of two blank check boxes--one that allows
consumers to indicate that they want to opt out and one that allows
consumers to indicate that they do not want to opt out.
(5) By including in a privacy notice. The opt-out notice is
included in a Gramm-Leach-Bliley Act privacy notice. The consumer is
allowed to exercise the opt-out within a reasonable period of time and
in the same manner as the opt-out under that privacy notice.
Sec. 222.25 Reasonable and simple methods of opting out.
(a) In general. You must not use eligibility information about a
consumer that you receive from an affiliate to make a solicitation to
the consumer about your products or services, unless the consumer is
provided a reasonable and simple method to opt out, as required by
Sec. 222.21(a)(1)(ii) of this part.
(b) Examples. (1) Reasonable and simple opt-out methods. Reasonable
and simple methods for exercising the opt-out right include--
(i) Designating a check-off box in a prominent position on the opt-
out form;
(ii) Including a reply form and a self-addressed envelope together
with the opt-out notice;
(iii) Providing an electronic means to opt out, such as a form that
can be electronically mailed or processed at an Internet Web site, if
the consumer agrees to the electronic delivery of information;
(iv) Providing a toll-free telephone number that consumers may call
to opt out; or
(v) Allowing consumers to exercise all of their opt-out rights
described in a consolidated opt-out notice that includes the privacy
opt-out under the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., the
affiliate sharing opt-out under the Act, and the affiliate marketing
opt-out under the Act, by a single method, such as by calling a single
toll-free telephone number.
(2) Opt-out methods that are not reasonable and simple. Reasonable
and simple methods for exercising an opt-out right do not include--
(i) Requiring the consumer to write his or her own letter;
(ii) Requiring the consumer to call or write to obtain a form for
opting out, rather than including the form with the opt-out notice;
(iii) Requiring the consumer who receives the opt-out notice in
electronic form only, such as through posting at an Internet Web site,
to opt out solely by paper mail or by visiting a different Web site
without providing a link to that site.
(c) Specific opt-out means. Each consumer may be required to opt
out through a specific means, as long as that means is reasonable and
simple for that consumer.
Sec. 222.26 Delivery of opt-out notices.
(a) In general. The opt-out notice must be provided so that each
consumer can reasonably be expected to receive actual notice. For opt-
out notices provided electronically, the notice may be provided in
compliance with either the electronic disclosure provisions in this
subpart or the provisions in section 101 of the Electronic Signatures
in Global and National Commerce Act, 15 U.S.C. 7001 et seq.
(b) Examples of reasonable expectation of actual notice. A consumer
may reasonably be expected to receive actual notice if the affiliate
providing the notice:
(1) Hand-delivers a printed copy of the notice to the consumer;
(2) Mails a printed copy of the notice to the last known mailing
address of the consumer;
(3) Provides a notice by e-mail to a consumer who has agreed to
receive electronic disclosures by e-mail from the affiliate providing
the notice; or
(4) Posts the notice on the Internet Web site at which the consumer
obtained a product or service electronically and requires the consumer
to acknowledge receipt of the notice.
(c) Examples of no reasonable expectation of actual notice. A
consumer may not reasonably be expected to receive actual notice if the
affiliate providing the notice:
(1) Only posts the notice on a sign in a branch or office or
generally publishes the notice in a newspaper;
(2) Sends the notice via e-mail to a consumer who has not agreed to
receive electronic disclosures by e-mail from the affiliate providing
the notice; or
(3) Posts the notice on an Internet Web site without requiring the
consumer to acknowledge receipt of the notice.
Sec. 222.27 Renewal of opt-out.
(a) Renewal notice and opt-out requirement. (1) In general. After
the opt-out period expires, you may not make solicitations based on
eligibility information you receive from an affiliate to a consumer who
previously opted out, unless:
(i) The consumer has been given a renewal notice that complies with
the requirements of this section and Sec. Sec. 222.24 through 222.26
of this part, and a reasonable opportunity and a reasonable and simple
method to renew the opt-out, and the consumer does not renew the opt-
out; or
(ii) An exception in Sec. 222.21(c) of this part applies.
(2) Renewal period. Each opt-out renewal must be effective for a
period of at least five years as provided in Sec. 222.22(b) of this
part.
(3) Affiliates who may provide the notice. The notice required by
this paragraph must be provided:
(i) By the affiliate that provided the previous opt-out notice, or
its successor; or
(ii) As part of a joint renewal notice from two or more members of
an
[[Page 62962]]
affiliated group of companies, or their successors, that jointly
provided the previous opt-out notice.
(b) Contents of renewal notice. The renewal notice must be clear,
conspicuous, and concise, and must accurately disclose:
(1) The name of the affiliate(s) providing the notice. If the
notice is provided jointly by multiple affiliates and each affiliate
shares a common name, such as ``ABC,'' then the notice may indicate
that it is being provided by multiple companies with the ABC name or
multiple companies in the ABC group or family of companies, for
example, by stating that the notice is provided by ``all of the ABC
companies,'' ``the ABC banking, credit card, insurance, and securities
companies,'' or by listing the name of each affiliate providing the
notice. But if the affiliates providing the joint notice do not all
share a common name, then the notice must either separately identify
each affiliate by name or identify each of the common names used by
those affiliates, for example, by stating that the notice is provided
by ``all of the ABC and XYZ companies'' or by ``the ABC banking and
credit card companies and the XYZ insurance companies'';
(2) A list of the affiliates or types of affiliates whose use of
eligibility information is covered by the notice, which may include
companies that become affiliates after the notice is provided to the
consumer. If each affiliate covered by the notice shares a common name,
such as ``ABC,'' then the notice may indicate that it applies to
multiple companies with the ABC name or multiple companies in the ABC
group or family of companies, for example, by stating that the notice
is provided by ``all of the ABC companies,'' ``the ABC banking, credit
card, insurance, and securities companies,'' or by listing the name of
each affiliate providing the notice. But if the affiliates covered by
the notice do not all share a common name, then the notice must either
separately identify each covered affiliate by name or identify each of
the common names used by those affiliates, for example, by stating that
the notice applies to ``all of the ABC and XYZ companies'' or to ``the
ABC banking and credit card companies and the XYZ insurance
companies'';
(3) A general description of the types of eligibility information
that may be used to make solicitations to the consumer;
(4) That the consumer previously elected to limit the use of
certain information to make solicitations to the consumer;
(5) That the consumer's election has expired or is about to expire;
(6) That the consumer may elect to renew the consumer's previous
election;
(7) If applicable, that the consumer's election to renew will apply
for the specified period of time stated in the notice and that the
consumer will be allowed to renew the election once that period
expires; and
(8) A reasonable and simple method for the consumer to opt out.
(c) Timing of the renewal notice. (1) In general. A renewal notice
may be provided to the consumer either--
(i) A reasonable period of time before the expiration of the opt-
out period; or
(ii) Any time after the expiration of the opt-out period but before
solicitations that would have been prohibited by the expired opt-out
are made to the consumer.
(2) Combination with annual privacy notice. If you provide an
annual privacy notice under the Gramm-Leach-Bliley Act, 15 U.S.C. 6801
et seq., providing a renewal notice with the last annual privacy notice
provided to the consumer before expiration of the opt-out period is a
reasonable period of time before expiration of the opt-out in all
cases.
(d) No effect on opt-out period. An opt-out period may not be
shortened by sending a renewal notice to the consumer before expiration
of the opt-out period, even if the consumer does not renew the opt out.
Sec. 222.28 Effective date, compliance date, and prospective
application.
(a) Effective date. This subpart is effective January 1, 2008.
(b) Mandatory compliance date. Compliance with this subpart is
required not later than October 1, 2008.
(c) Prospective application. The provisions of this subpart shall
not prohibit you from using eligibility information that you receive
from an affiliate to make solicitations to a consumer if you receive
such information prior to October 1, 2008. For purposes of this
section, you are deemed to receive eligibility information when such
information is placed into a common database and is accessible by you.
0
4. A new Appendix C to part 222 is added to read as follows:
Appendix C to Part 222--Model Forms for Opt-Out Notices
a. Although use of the model forms is not required, use of the
model forms in this Appendix (as applicable) complies with the
requirement in section 624 of the Act for clear, conspicuous, and
concise notices.
b. Certain changes may be made to the language or format of the
model forms without losing the protection from liability afforded by
use of the model forms. These changes may not be so extensive as to
affect the substance, clarity, or meaningful sequence of the
language in the model forms. Persons making such extensive revisions
will lose the safe harbor that this Appendix provides. Acceptable
changes include, for example:
1. Rearranging the order of the references to ``your income,''
``your account history,'' and ``your credit score.''
2. Substituting other types of information for ``income,''
``account history,'' or ``credit score'' for accuracy, such as
``payment history,'' ``credit history,'' ``payoff status,'' or
``claims history.''
3. Substituting a clearer and more accurate description of the
affiliates providing or covered by the notice for phrases such as
``the [ABC] group of companies,'' including without limitation a
statement that the entity providing the notice recently purchased
the consumer's account.
4. Substituting other types of affiliates covered by the notice
for ``credit card,'' ``insurance,'' or ``securities'' affiliates.
5. Omitting items that are not accurate or applicable. For
example, if a person does not limit the duration of the opt-out
period, the notice may omit information about the renewal notice.
6. Adding a statement informing consumers how much time they
have to opt out before shared eligibility information may be used to
make solicitations to them.
7. Adding a statement that the consumer may exercise the right
to opt out at any time.
8. Adding the following statement, if accurate: ``If you
previously opted out, you do not need to do so again.''
9. Providing a place on the form for the consumer to fill in
identifying information, such as his or her name and address
C-1 Model Form for Initial Opt-out Notice (Single-Affiliate Notice)
C-2 Model Form for Initial Opt-out Notice (Joint Notice)
C-3 Model Form for Renewal Notice (Single-Affiliate Notice)
C-4 Model Form for Renewal Notice (Joint Notice)
C-5 Model Form for Voluntary ``No Marketing'' Notice
C-1--Model Form for Initial Opt-out Notice (Single-Affiliate
Notice)--[Your Choice To Limit Marketing]/[Marketing Opt-out]
[Name of Affiliate] is providing this notice.
[Optional: Federal law gives you the right to limit
some but not all marketing from our affiliates. Federal law also
requires us to give you this notice to tell you about your choice to
limit marketing from our affiliates.]
You may limit our affiliates in the [ABC] group of
companies, such as our [credit card, insurance, and securities]
affiliates, from marketing their products or services to you based
on your personal information that we collect and share with them.
This information includes your [income], your [account history with
us], and your [credit score].
Your choice to limit marketing offers from our
affiliates will apply [until you tell
[[Page 62963]]
us to change your choice]/[for x years from when you tell us your
choice]/[for at least 5 years from when you tell us your choice].
[Include if the opt-out period expires.] Once that period expires,
you will receive a renewal notice that will allow you to continue to
limit marketing offers from our affiliates for [another x years]/[at
least another 5 years].
[Include, if applicable, in a subsequent notice,
including an annual notice, for consumers who may have previously
opted out.] If you have already made a choice to limit marketing
offers from our affiliates, you do not need to act again until you
receive the renewal notice.
To limit marketing offers, contact us [include all that apply]:
By telephone: 1-877--
On the Web: www.---.com
By mail: Check the box and complete the form below, and
send the form to:
[Company name]
[Company address]
--Do not allow your affiliates to use my personal information to
market to me.
C-2--Model Form for Initial Opt-out Notice (Joint Notice)--[Your
Choice To Limit Marketing]/[Marketing Opt-out]
The [ABC group of companies] is providing this notice.
[Optional: Federal law gives you the right to limit
some but not all marketing from the [ABC] companies. Federal law
also requires us to give you this notice to tell you about your
choice to limit marketing from the [ABC] companies.]
You may limit the [ABC] companies, such as the [ABC
credit card, insurance, and securities] affiliates, from marketing
their products or services to you based on your personal information
that they receive from other [ABC] companies. This information
includes your [income], your [account history], and your [credit
score].
Your choice to limit marketing offers from the [ABC]
companies will apply [until you tell us to change your choice]/[for
x years from when you tell us your choice]/[for at least 5 years
from when you tell us your choice]. [Include if the opt-out period
expires.] Once that period expires, you will receive a renewal
notice that will allow you to continue to limit marketing offers
from the [ABC] companies for [another x years]/[at least another 5
years].
[Include, if applicable, in a subsequent notice,
including an annual notice, for consumers who may have previously
opted out.] If you have already made a choice to limit marketing
offers from the [ABC] companies, you do not need to act again until
you receive the renewal notice.
To limit marketing offers, contact us [include all that apply]:
By telephone: 1-877--
On the Web: www.---.com
By mail: Check the box and complete the form below, and
send the form to:
[Company name]
[Company address]
--Do not allow any company [in the ABC group of companies] to
use my personal information to market to me.
C-3--Model Form for Renewal Notice (Single-Affiliate Notice)--
[Renewing Your Choice To Limit Marketing]/[Renewing Your Marketing
Opt-Out]
[Name of Affiliate] is providing this notice.
[Optional: Federal law gives you the right to limit
some but not all marketing from our affiliates. Federal law also
requires us to give you this notice to tell you about your choice to
limit marketing from our affiliates.]
You previously chose to limit our affiliates in the
[ABC] group of companies, such as our [credit card, insurance, and
securities] affiliates, from marketing their products or services to
you based on your personal information that we share with them. This
information includes your [income], your [account history with us],
and your [credit score].
Your choice has expired or is about to expire.
To renew your choice to limit marketing for [x] more years,
contact us [include all that apply]:
By telephone: 1-877--
On the Web: www.---.com
By mail: Check the box and complete the form below, and
send the form to:
[Company name]
[Company address]
--Renew my choice to limit marketing for [x] more years.
C-4--Model Form for Renewal Notice (Joint Notice)--[Renewing Your
Choice To Limit Marketing]/[Renewing Your Marketing Opt-Out]
The [ABC group of companies] is providing this notice.
[Optional: Federal law gives you the right to limit
some but not all marketing from the [ABC] companies. Federal law
also requires us to give you this notice to tell you about your
choice to limit marketing from the [ABC] companies.]
You previously chose to limit the [ABC] companies, such
as the [ABC credit card, insurance, and securities] affiliates, from
marketing their products or services to you based on your personal
information that they receive from other ABC companies. This
information includes your [income], your [account history], and your
[credit score].
Your choice has expired or is about to expire.
To renew your choice to limit marketing for [x] more years,
contact us [include all that apply]:
By telephone: 1-877--
On the Web: www.---.com
By mail: Check the box and complete the form below, and
send the form to:
[Company name]
[Company address]
--Renew my choice to limit marketing for [x] more years.
C-5--Model Form for Voluntary ``No Marketing'' Notice--Your Choice
To Stop Marketing
[Name of Affiliate] is providing this notice.
You may choose to stop all marketing from us and our
affiliates.
To stop all marketing, contact us [include all that apply]:
By telephone: 1-877--
On the Web: www.---.com
By mail: Check the box and complete the form below, and
send the form to:
[Company name]
[Company address]
--Do not market to me.
Federal Deposit Insurance Corporation
12 CFR Chapter III.
Authority and Issuance
0
For the reasons set forth in the joint preamble, part 334 of title 12,
chapter III, of the Code of Federal Regulations is amended as follows:
PART 334--FAIR CREDIT REPORTING
0
1. The authority citation for part 334 is revised to read as follows:
Authority: 12 U.S.C. 1818 and 1819 (Tenth); 15 U.S.C. 1681b,
1681c, 1681m, 1681s, 1681w, 6801 and 6805.
Subpart A--General Provisions
0
2. A new Sec. 334.1 is added to part 334 to read as follows:
Sec. 334.1 Purpose and scope.
(a) Purpose. The purpose of this part is to implement the Fair
Credit Reporting Act. This part generally applies to persons that
obtain and use information about consumers to determine the consumer's
eligibility for products, services, or employment, share such
information among affiliates, and furnish information to consumer
reporting agencies.
(b) Scope. Except as otherwise provided in this part, the
regulations in this part apply to insured state nonmember banks,
insured state licensed branches of foreign banks, and subsidiaries of
such entities (except brokers, dealers, persons providing insurance,
investment companies, and investment advisers).
0
3. A new Subpart C is added to part 334 to read as follows:
Subpart C--Affiliate Marketing
Sec.
334.20 Coverage and definitions.
334.21 Affiliate marketing opt-out and exceptions.
334.22 Scope and duration of opt-out.
334.23 Contents of opt-out notice; consolidated and equivalent
notices.
334.24 Reasonable opportunity to opt out.
334.25 Reasonable and simple methods of opting out.
334.26 Delivery of opt-out notices.
334.27 Renewal of opt-out.
334.28 Effective date, compliance date, and prospective application.
[[Page 62964]]
Subpart C--Affiliate Marketing
Sec. 334.20 Coverage and definitions.
(a) Coverage. Subpart C of this part applies to insured state
nonmember banks, insured state licensed branches of foreign banks, and
subsidiaries of such entities (except brokers, dealers, persons
providing insurance, investment companies, and investment advisers).
(b) Definitions. For purposes of this subpart:
(1) Clear and conspicuous. The term ``clear and conspicuous'' means
reasonably understandable and designed to call attention to the nature
and significance of the information presented.
(2) Concise. (i) In general. The term ``concise'' means a
reasonably brief expression or statement.
(ii) Combination with other required disclosures. A notice required
by this subpart may be concise even if it is combined with other
disclosures required or authorized by federal or state law.
(3) Eligibility information. The term ``eligibility information''
means any information the communication of which would be a consumer
report if the exclusions from the definition of ``consumer report'' in
section 603(d)(2)(A) of the Act did not apply. Eligibility information
does not include aggregate or blind data that does not contain personal
identifiers such as account numbers, names, or addresses.
(4) Pre-existing business relationship. (i) In general. The term
``pre-existing business relationship'' means a relationship between a
person, or a person's licensed agent, and a consumer based on--
(A) A financial contract between the person and the consumer which
is in force on the date on which the consumer is sent a solicitation
covered by this subpart;
(B) The purchase, rental, or lease by the consumer of the person's
goods or services, or a financial transaction (including holding an
active account or a policy in force or having another continuing
relationship) between the consumer and the person, during the 18-month
period immediately preceding the date on which the consumer is sent a
solicitation covered by this subpart; or
(C) An inquiry or application by the consumer regarding a product
or service offered by that person during the three-month period
immediately preceding the date on which the consumer is sent a
solicitation covered by this subpart.
(ii) Examples of pre-existing business relationships. (A) If a
consumer has a time deposit account, such as a certificate of deposit,
at a depository institution that is currently in force, the depository
institution has a pre-existing business relationship with the consumer
and can use eligibility information it receives from its affiliates to
make solicitations to the consumer about its products or services.
(B) If a consumer obtained a certificate of deposit from a
depository institution, but did not renew the certificate at maturity,
the depository institution has a pre-existing business relationship
with the consumer and can use eligibility information it receives from
its affiliates to make solicitations to the consumer about its products
or services for 18 months after the date of maturity of the certificate
of deposit.
(C) If a consumer obtains a mortgage, the mortgage lender has a
pre-existing business relationship with the consumer. If the mortgage
lender sells the consumer's entire loan to an investor, the mortgage
lender has a pre-existing business relationship with the consumer and
can use eligibility information it receives from its affiliates to make
solicitations to the consumer about its products or services for 18
months after the date it sells the loan, and the investor has a pre-
existing business relationship with the consumer upon purchasing the
loan. If, however, the mortgage lender sells a fractional interest in
the consumer's loan to an investor but also retains an ownership
interest in the loan, the mortgage lender continues to have a pre-
existing business relationship with the consumer, but the investor does
not have a pre-existing business relationship with the consumer. If the
mortgage lender retains ownership of the loan, but sells ownership of
the servicing rights to the consumer's loan, the mortgage lender
continues to have a pre-existing business relationship with the
consumer. The purchaser of the servicing rights also has a pre-existing
business relationship with the consumer as of the date it purchases
ownership of the servicing rights, but only if it collects payments
from or otherwise deals directly with the consumer on a continuing
basis.
(D) If a consumer applies to a depository institution for a product
or service that it offers, but does not obtain a product or service
from or enter into a financial contract or transaction with the
institution, the depository institution has a pre-existing business
relationship with the consumer and can therefore use eligibility
information it receives from an affiliate to make solicitations to the
consumer about its products or services for three months after the date
of the application.
(E) If a consumer makes a telephone inquiry to a depository
institution about its products or services and provides contact
information to the institution, but does not obtain a product or
service from or enter into a financial contract or transaction with the
institution, the depository institution has a pre-existing business
relationship with the consumer and can therefore use eligibility
information it receives from an affiliate to make solicitations to the
consumer about its products or services for three months after the date
of the inquiry.
(F) If a consumer makes an inquiry to a depository institution by
e-mail about its products or services, but does not obtain a product or
service from or enter into a financial contract or transaction with the
institution, the depository institution has a pre-existing business
relationship with the consumer and can therefore use eligibility
information it receives from an affiliate to make solicitations to the
consumer about its products or services for three months after the date
of the inquiry.
(G) If a consumer has an existing relationship with a depository
institution that is part of a group of affiliated companies, makes a
telephone call to the centralized call center for the group of
affiliated companies to inquire about products or services offered by
the insurance affiliate, and provides contact information to the call
center, the call constitutes an inquiry to the insurance affiliate that
offers those products or services. The insurance affiliate has a pre-
existing business relationship with the consumer and can therefore use
eligibility information it receives from its affiliated depository
institution to make solicitations to the consumer about its products or
services for three months after the date of the inquiry.
(iii) Examples where no pre-existing business relationship is
created. (A) If a consumer makes a telephone call to a centralized call
center for a group of affiliated companies to inquire about the
consumer's existing account at a depository institution, the call does
not constitute an inquiry to any affiliate other than the depository
institution that holds the consumer's account and does not establish a
pre-existing business relationship between the consumer and any
affiliate of the account-holding depository institution.
(B) If a consumer who has a deposit account with a depository
institution makes a telephone call to an affiliate of the institution
to ask about the affiliate's retail locations and hours, but does not
make an inquiry about the affiliate's products or services, the call
does not constitute an inquiry and does not establish a pre-existing
business
[[Page 62965]]
relationship between the consumer and the affiliate. Also, the
affiliate's capture of the consumer's telephone number does not
constitute an inquiry and does not establish a pre-existing business
relationship between the consumer and the affiliate.
(C) If a consumer makes a telephone call to a depository
institution in response to an advertisement that offers a free
promotional item to consumers who call a toll-free number, but the
advertisement does not indicate that the depository institution's
products or services will be marketed to consumers who call in
response, the call does not create a pre-existing business relationship
between the consumer and the depository institution because the
consumer has not made an inquiry about a product or service offered by
the institution, but has merely responded to an offer for a free
promotional item.
(5) Solicitation. (i) In general. The term ``solicitation'' means
the marketing of a product or service initiated by a person to a
particular consumer that is--
(A) Based on eligibility information communicated to that person by
its affiliate as described in this subpart; and
(B) Intended to encourage the consumer to purchase or obtain such
product or service.
(ii) Exclusion of marketing directed at the general public. A
solicitation does not include marketing communications that are
directed at the general public. For example, television, general
circulation magazine, and billboard advertisements do not constitute
solicitations, even if those communications are intended to encourage
consumers to purchase products and services from the person initiating
the communications.
(iii) Examples of solicitations. A solicitation would include, for
example, a telemarketing call, direct mail, e-mail, or other form of
marketing communication directed to a particular consumer that is based
on eligibility information received from an affiliate.
(6) You means a person described in paragraph (a) of this section.
Sec. 334.21 Affiliate marketing opt-out and exceptions.
(a) Initial notice and opt-out requirement. (1) In general. You may
not use eligibility information about a consumer that you receive from
an affiliate to make a solicitation for marketing purposes to the
consumer, unless--
(i) It is clearly and conspicuously disclosed to the consumer in
writing or, if the consumer agrees, electronically, in a concise notice
that you may use eligibility information about that consumer received
from an affiliate to make solicitations for marketing purposes to the
consumer;
(ii) The consumer is provided a reasonable opportunity and a
reasonable and simple method to ``opt out,'' or prohibit you from using
eligibility information to make solicitations for marketing purposes to
the consumer; and
(iii) The consumer has not opted out.
(2) Example. A consumer has a homeowner's insurance policy with an
insurance company. The insurance company furnishes eligibility
information about the consumer to its affiliated depository
institution. Based on that eligibility information, the depository
institution wants to make a solicitation to the consumer about its home
equity loan products. The depository institution does not have a pre-
existing business relationship with the consumer and none of the other
exceptions apply. The depository institution is prohibited from using
eligibility information received from its insurance affiliate to make
solicitations to the consumer about its home equity loan products
unless the consumer is given a notice and opportunity to opt out and
the consumer does not opt out.
(3) Affiliates who may provide the notice. The notice required by
this paragraph must be provided:
(i) By an affiliate that has or has previously had a pre-existing
business relationship with the consumer; or
(ii) As part of a joint notice from two or more members of an
affiliated group of companies, provided that at least one of the
affiliates on the joint notice has or has previously had a pre-existing
business relationship with the consumer.
(b) Making solicitations. (1) In general. For purposes of this
subpart, you make a solicitation for marketing purposes if--
(i) You receive eligibility information from an affiliate;
(ii) You use that eligibility information to do one or more of the
following:
(A) Identify the consumer or type of consumer to receive a
solicitation;
(B) Establish criteria used to select the consumer to receive a
solicitation; or
(C) Decide which of your products or services to market to the
consumer or tailor your solicitation to that consumer; and
(iii) As a result of your use of the eligibility information, the
consumer is provided a solicitation.
(2) Receiving eligibility information from an affiliate, including
through a common database. You may receive eligibility information from
an affiliate in various ways, including when the affiliate places that
information into a common database that you may access.
(3) Receipt or use of eligibility information by your service
provider. Except as provided in paragraph (b)(5) of this section, you
receive or use an affiliate's eligibility information if a service
provider acting on your behalf (whether an affiliate or a nonaffiliated
third party) receives or uses that information in the manner described
in paragraphs (b)(1)(i) or (b)(1)(ii) of this section. All relevant
facts and circumstances will determine whether a person is acting as
your service provider when it receives or uses an affiliate's
eligibility information in connection with marketing your products and
services.
(4) Use by an affiliate of its own eligibility information. Unless
you have used eligibility information that you receive from an
affiliate in the manner described in paragraph (b)(1)(ii) of this
section, you do not make a solicitation subject to this subpart if your
affiliate:
(i) Uses its own eligibility information that it obtained in
connection with a pre-existing business relationship it has or had with
the consumer to market your products or services to the consumer; or
(ii) Directs its service provider to use the affiliate's own
eligibility information that it obtained in connection with a pre-
existing business relationship it has or had with the consumer to
market your products or services to the consumer, and you do not
communicate directly with the service provider regarding that use.
(5) Use of eligibility information by a service provider. (i) In
general. You do not make a solicitation subject to Subpart C of this
part if a service provider (including an affiliated or third-party
service provider that maintains or accesses a common database that you
may access) receives eligibility information from your affiliate that
your affiliate obtained in connection with a pre-existing business
relationship it has or had with the consumer and uses that eligibility
information to market your products or services to the consumer, so
long as--
(A) Your affiliate controls access to and use of its eligibility
information by the service provider (including the right to establish
the specific terms and conditions under which the service provider may
use such information to market your products or services);
(B) Your affiliate establishes specific terms and conditions under
which the service provider may access and use the affiliate's
eligibility information to
[[Page 62966]]
market your products and services (or those of affiliates generally) to
the consumer, such as the identity of the affiliated companies whose
products or services may be marketed to the consumer by the service
provider, the types of products or services of affiliated companies
that may be marketed, and the number of times the consumer may receive
marketing materials, and periodically evaluates the service provider's
compliance with those terms and conditions;
(C) Your affiliate requires the service provider to implement
reasonable policies and procedures designed to ensure that the service
provider uses the affiliate's eligibility information in accordance
with the terms and conditions established by the affiliate relating to
the marketing of your products or services;
(D) Your affiliate is identified on or with the marketing materials
provided to the consumer; and
(E) You do not directly use your affiliate's eligibility
information in the manner described in paragraph (b)(1)(ii) of this
section.
(ii) Writing requirements. (A) The requirements of paragraphs
(b)(5)(i)(A) and (C) of this section must be set forth in a written
agreement between your affiliate and the service provider; and
(B) The specific terms and conditions established by your affiliate
as provided in paragraph (b)(5)(i)(B) of this section must be set forth
in writing.
(6) Examples of making solicitations. (i) A consumer has a deposit
account with a depository institution, which is affiliated with an
insurance company. The insurance company receives eligibility
information about the consumer from the depository institution. The
insurance company uses that eligibility information to identify the
consumer to receive a solicitation about insurance products, and, as a
result, the insurance company provides a solicitation to the consumer
about its insurance products. Pursuant to paragraph (b)(1) of this
section, the insurance company has made a solicitation to the consumer.
(ii) The same facts as in the example in paragraph (b)(6)(i) of
this section, except that after using the eligibility information to
identify the consumer to receive a solicitation about insurance
products, the insurance company asks the depository institution to send
the solicitation to the consumer and the depository institution does
so. Pursuant to paragraph (b)(1) of this section, the insurance company
has made a solicitation to the consumer because it used eligibility
information about the consumer that it received from an affiliate to
identify the consumer to receive a solicitation about its products or
services, and, as a result, a solicitation was provided to the consumer
about the insurance company's products.
(iii) The same facts as in the example in paragraph (b)(6)(i) of
this section, except that eligibility information about consumers that
have deposit accounts with the depository institution is placed into a
common database that all members of the affiliated group of companies
may independently access and use. Without using the depository
institution's eligibility information, the insurance company develops
selection criteria and provides those criteria, marketing materials,
and related instructions to the depository institution. The depository
institution reviews eligibility information about its own consumers
using the selection criteria provided by the insurance company to
determine which consumers should receive the insurance company's
marketing materials and sends marketing materials about the insurance
company's products to those consumers. Even though the insurance
company has received eligibility information through the common
database as provided in paragraph (b)(2) of this section, it did not
use that information to identify consumers or establish selection
criteria; instead, the depository institution used its own eligibility
information. Therefore, pursuant to paragraph (b)(4)(i) of this
section, the insurance company has not made a solicitation to the
consumer.
(iv) The same facts as in the example in paragraph (b)(6)(iii) of
this section, except that the depository institution provides the
insurance company's criteria to the depository institution's service
provider and directs the service provider to use the depository
institution's eligibility information to identify depository
institution consumers who meet the criteria and to send the insurance
company's marketing materials to those consumers. The insurance company
does not communicate directly with the service provider regarding the
use of the depository institution's information to market its products
to the depository institution's consumers. Pursuant to paragraph
(b)(4)(ii) of this section, the insurance company has not made a
solicitation to the consumer.
(v) An affiliated group of companies includes a depository
institution, an insurance company, and a service provider. Each
affiliate in the group places information about its consumers into a
common database. The service provider has access to all information in
the common database. The depository institution controls access to and
use of its eligibility information by the service provider. This
control is set forth in a written agreement between the depository
institution and the service provider. The written agreement also
requires the service provider to establish reasonable policies and
procedures designed to ensure that the service provider uses the
depository institution's eligibility information in accordance with
specific terms and conditions established by the depository institution
relating to the marketing of the products and services of all
affiliates, including the insurance company. In a separate written
communication, the depository institution specifies the terms and
conditions under which the service provider may use the depository
institution's eligibility information to market the insurance company's
products and services to the depository institution's consumers. The
specific terms and conditions are: a list of affiliated companies
(including the insurance company) whose products or services may be
marketed to the depository institution's consumers by the service
provider; the specific products or types of products that may be
marketed to the depository institution's consumers by the service
provider; the categories of eligibility information that may be used by
the service provider in marketing products or services to the
depository institution's consumers; the types or categories of the
depository institution's consumers to whom the service provider may
market products or services of depository institution affiliates; the
number and/or types of marketing communications that the service
provider may send to the depository institution's consumers; and the
length of time during which the service provider may market the
products or services of the depository institution's affiliates to its
consumers. The depository institution periodically evaluates the
service provider's compliance with these terms and conditions. The
insurance company asks the service provider to market insurance
products to certain consumers who have deposit accounts with the
depository institution. Without using the depository institution's
eligibility information, the insurance company develops selection
criteria and provides those criteria, marketing materials, and related
instructions to the service provider. The service provider uses the
depository institution's eligibility information from the common
database
[[Page 62967]]
to identify the depository institution's consumers to whom insurance
products will be marketed. When the insurance company's marketing
materials are provided to the identified consumers, the name of the
depository institution is displayed on the insurance marketing
materials, an introductory letter that accompanies the marketing
materials, an account statement that accompanies the marketing
materials, or the envelope containing the marketing materials. The
requirements of paragraph (b)(5) of this section have been satisfied,
and the insurance company has not made a solicitation to the consumer.
(vi) The same facts as in the example in paragraph (b)(6)(v) of
this section, except that the terms and conditions permit the service
provider to use the depository institution's eligibility information to
market the products and services of other affiliates to the depository
institution's consumers whenever the service provider deems it
appropriate to do so. The service provider uses the depository
institution's eligibility information in accordance with the discretion
afforded to it by the terms and conditions. Because the terms and
conditions are not specific, the requirements of paragraph (b)(5) of
this section have not been satisfied.
(c) Exceptions. The provisions of this subpart do not apply to you
if you use eligibility information that you receive from an affiliate:
(1) To make a solicitation for marketing purposes to a consumer
with whom you have a pre-existing business relationship;
(2) To facilitate communications to an individual for whose benefit
you provide employee benefit or other services pursuant to a contract
with an employer related to and arising out of the current employment
relationship or status of the individual as a participant or
beneficiary of an employee benefit plan;
(3) To perform services on behalf of an affiliate, except that this
subparagraph shall not be construed as permitting you to send
solicitations on behalf of an affiliate if the affiliate would not be
permitted to send the solicitation as a result of the election of the
consumer to opt out under this subpart;
(4) In response to a communication about your products or services
initiated by the consumer;
(5) In response to an authorization or request by the consumer to
receive solicitations; or
(6) If your compliance with this subpart would prevent you from
complying with any provision of State insurance laws pertaining to
unfair discrimination in any State in which you are lawfully doing
business.
(d) Examples of exceptions. (1) Example of the pre-existing
business relationship exception. A consumer has a deposit account with
a depository institution. The consumer also has a relationship with the
depository institution's securities affiliate for management of the
consumer's securities portfolio. The depository institution receives
eligibility information about the consumer from its securities
affiliate and uses that information to make a solicitation to the
consumer about the depository institution's wealth management services.
The depository institution may make this solicitation even if the
consumer has not been given a notice and opportunity to opt out because
the depository institution has a pre-existing business relationship
with the consumer.
(2) Examples of service provider exception. (i) A consumer has an
insurance policy issued by an insurance company. The insurance company
furnishes eligibility information about the consumer to its affiliated
depository institution. Based on that eligibility information, the
depository institution wants to make a solicitation to the consumer
about its deposit products. The depository institution does not have a
pre-existing business relationship with the consumer and none of the
other exceptions in paragraph (c) of this section apply. The consumer
has been given an opt-out notice and has elected to opt out of
receiving such solicitations. The depository institution asks a service
provider to send the solicitation to the consumer on its behalf. The
service provider may not send the solicitation on behalf of the
depository institution because, as a result of the consumer's opt-out
election, the depository institution is not permitted to make the
solicitation.
(ii) The same facts as in paragraph (d)(2)(i) of this section,
except the consumer has been given an opt-out notice, but has not
elected to opt out. The depository institution asks a service provider
to send the solicitation to the consumer on its behalf. The service
provider may send the solicitation on behalf of the depository
institution because, as a result of the consumer's not opting out, the
depository institution is permitted to make the solicitation.
(3) Examples of consumer-initiated communications. (i) A consumer
who has a deposit account with a depository institution initiates a
communication with the depository institution's credit card affiliate
to request information about a credit card. The credit card affiliate
may use eligibility information about the consumer it obtains from the
depository institution or any other affiliate to make solicitations
regarding credit card products in response to the consumer-initiated
communication.
(ii) A consumer who has a deposit account with a depository
institution contacts the institution to request information about how
to save and invest for a child's college education without specifying
the type of product in which the consumer may be interested.
Information about a range of different products or services offered by
the depository institution and one or more affiliates of the
institution may be responsive to that communication. Such products or
services may include the following: Mutual funds offered by the
institution's mutual fund affiliate; section 529 plans offered by the
institution, its mutual fund affiliate, or another securities
affiliate; or trust services offered by a different financial
institution in the affiliated group. Any affiliate offering investment
products or services that would be responsive to the consumer's request
for information about saving and investing for a child's college
education may use eligibility information to make solicitations to the
consumer in response to this communication.
(iii) A credit card issuer makes a marketing call to the consumer
without using eligibility information received from an affiliate. The
issuer leaves a voice-mail message that invites the consumer to call a
toll-free number to apply for the issuer's credit card. If the consumer
calls the toll-free number to inquire about the credit card, the call
is a consumer-initiated communication about a product or service and
the credit card issuer may now use eligibility information it receives
from its affiliates to make solicitations to the consumer.
(iv) A consumer calls a depository institution to ask about retail
locations and hours, but does not request information about products or
services. The institution may not use eligibility information it
receives from an affiliate to make solicitations to the consumer about
its products or services because the consumer-initiated communication
does not relate to the depository institution's products or services.
Thus, the use of eligibility information received from an affiliate
would not be responsive to the communication and the exception does not
apply.
(v) A consumer calls a depository institution to ask about retail
locations and hours. The customer service representative asks the
consumer if
[[Page 62968]]
there is a particular product or service about which the consumer is
seeking information. The consumer responds that the consumer wants to
stop in and find out about certificates of deposit. The customer
service representative offers to provide that information by telephone
and mail additional information and application materials to the
consumer. The consumer agrees and provides or confirms contact
information for receipt of the materials to be mailed. The depository
institution may use eligibility information it receives from an
affiliate to make solicitations to the consumer about certificates of
deposit because such solicitations would respond to the consumer-
initiated communication about products or services.
(4) Examples of consumer authorization or request for
solicitations. (i) A consumer who obtains a mortgage from a mortgage
lender authorizes or requests information about homeowner's insurance
offered by the mortgage lender's insurance affiliate. Such
authorization or request, whether given to the mortgage lender or to
the insurance affiliate, would permit the insurance affiliate to use
eligibility information about the consumer it obtains from the mortgage
lender or any other affiliate to make solicitations to the consumer
about homeowner's insurance.
(ii) A consumer completes an online application to apply for a
credit card from a credit card issuer. The issuer's online application
contains a blank check box that the consumer may check to authorize or
request information from the credit card issuer's affiliates. The
consumer checks the box. The consumer has authorized or requested
solicitations from the card issuer's affiliates.
(iii) A consumer completes an online application to apply for a
credit card from a credit card issuer. The issuer's online application
contains a pre-selected check box indicating that the consumer
authorizes or requests information from the issuer's affiliates. The
consumer does not deselect the check box. The consumer has not
authorized or requested solicitations from the card issuer's
affiliates.
(iv) The terms and conditions of a credit card account agreement
contain preprinted boilerplate language stating that by applying to
open an account the consumer authorizes or requests to receive
solicitations from the credit card issuer's affiliates. The consumer
has not authorized or requested solicitations from the card issuer's
affiliates.
(e) Relation to affiliate-sharing notice and opt-out. Nothing in
this subpart limits the responsibility of a person to comply with the
notice and opt-out provisions of section 603(d)(2)(A)(iii) of the Act
where applicable.
Sec. 334.22 Scope and duration of opt-out.
(a) Scope of opt-out. (1) In general. Except as otherwise provided
in this section, the consumer's election to opt out prohibits any
affiliate covered by the opt-out notice from using eligibility
information received from another affiliate as described in the notice
to make solicitations to the consumer.
(2) Continuing relationship. (i) In general. If the consumer
establishes a continuing relationship with you or your affiliate, an
opt-out notice may apply to eligibility information obtained in
connection with--
(A) A single continuing relationship or multiple continuing
relationships that the consumer establishes with you or your
affiliates, including continuing relationships established subsequent
to delivery of the opt-out notice, so long as the notice adequately
describes the continuing relationships covered by the opt-out; or
(B) Any other transaction between the consumer and you or your
affiliates as described in the notice.
(ii) Examples of continuing relationships. A consumer has a
continuing relationship with you or your affiliate if the consumer--
(A) Opens a deposit or investment account with you or your
affiliate;
(B) Obtains a loan for which you or your affiliate owns the
servicing rights;
(C) Purchases an insurance product from you or your affiliate;
(D) Holds an investment product through you or your affiliate, such
as when you act or your affiliate acts as a custodian for securities or
for assets in an individual retirement arrangement;
(E) Enters into an agreement or understanding with you or your
affiliate whereby you or your affiliate undertakes to arrange or broker
a home mortgage loan for the consumer;
(F) Enters into a lease of personal property with you or your
affiliate; or
(G) Obtains financial, investment, or economic advisory services
from you or your affiliate for a fee.
(3) No continuing relationship. (i) In general. If there is no
continuing relationship between a consumer and you or your affiliate,
and you or your affiliate obtain eligibility information about a
consumer in connection with a transaction with the consumer, such as an
isolated transaction or a credit application that is denied, an opt-out
notice provided to the consumer only applies to eligibility information
obtained in connection with that transaction.
(ii) Examples of isolated transactions. An isolated transaction
occurs if--
(A) The consumer uses your or your affiliate's ATM to withdraw cash
from an account at another financial institution; or
(B) You or your affiliate sells the consumer a cashier's check or
money order, airline tickets, travel insurance, or traveler's checks in
isolated transactions.
(4) Menu of alternatives. A consumer may be given the opportunity
to choose from a menu of alternatives when electing to prohibit
solicitations, such as by electing to prohibit solicitations from
certain types of affiliates covered by the opt-out notice but not other
types of affiliates covered by the notice, electing to prohibit
solicitations based on certain types of eligibility information but not
other types of eligibility information, or electing to prohibit
solicitations by certain methods of delivery but not other methods of
delivery. However, one of the alternatives must allow the consumer to
prohibit all solicitations from all of the affiliates that are covered
by the notice.
(5) Special rule for a notice following termination of all
continuing relationships. (i) In general. A consumer must be given a
new opt-out notice if, after all continuing relationships with you or
your affiliate(s) are terminated, the consumer subsequently establishes
another continuing relationship with you or your affiliate(s) and the
consumer's eligibility information is to be used to make a
solicitation. The new opt-out notice must apply, at a minimum, to
eligibility information obtained in connection with the new continuing
relationship. Consistent with paragraph (b) of this section, the
consumer's decision not to opt out after receiving the new opt-out
notice would not override a prior opt-out election by the consumer that
applies to eligibility information obtained in connection with a
terminated relationship, regardless of whether the new opt-out notice
applies to eligibility information obtained in connection with the
terminated relationship.
(ii) Example. A consumer has a checking account with a depository
institution that is part of an affiliated group. The consumer closes
the checking account. One year after closing the checking account, the
consumer opens a savings account with the same depository institution.
The consumer must be given a new notice and opportunity to opt out
before the depository institution's affiliates may make solicitations
to the consumer using eligibility information obtained by the
depository institution in connection
[[Page 62969]]
with the new savings account relationship, regardless of whether the
consumer opted out in connection with the checking account.
(b) Duration of opt-out. The election of a consumer to opt out must
be effective for a period of at least five years (the ``opt-out
period'') beginning when the consumer's opt-out election is received
and implemented, unless the consumer subsequently revokes the opt-out
in writing or, if the consumer agrees, electronically. An opt-out
period of more than five years may be established, including an opt-out
period that does not expire unless revoked by the consumer.
(c) Time of opt-out. A consumer may opt out at any time.
Sec. 334.23 Contents of opt-out notice; consolidated and equivalent
notices.
(a) Contents of opt-out notice. (1) In general. A notice must be
clear, conspicuous, and concise, and must accurately disclose:
(i) The name of the affiliate(s) providing the notice. If the
notice is provided jointly by multiple affiliates and each affiliate
shares a common name, such as ``ABC,'' then the notice may indicate
that it is being provided by multiple companies with the ABC name or
multiple companies in the ABC group or family of companies, for
example, by stating that the notice is provided by ``all of the ABC
companies,'' ``the ABC banking, credit card, insurance, and securities
companies,'' or by listing the name of each affiliate providing the
notice. But if the affiliates providing the joint notice do not all
share a common name, then the notice must either separately identify
each affiliate by name or identify each of the common names used by
those affiliates, for example, by stating that the notice is provided
by ``all of the ABC and XYZ companies'' or by ``the ABC banking and
credit card companies and the XYZ insurance companies'';
(ii) A list of the affiliates or types of affiliates whose use of
eligibility information is covered by the notice, which may include
companies that become affiliates after the notice is provided to the
consumer. If each affiliate covered by the notice shares a common name,
such as ``ABC,'' then the notice may indicate that it applies to
multiple companies with the ABC name or multiple companies in the ABC
group or family of companies, for example, by stating that the notice
is provided by ``all of the ABC companies,'' ``the ABC banking, credit
card, insurance, and securities companies,'' or by listing the name of
each affiliate providing the notice. But if the affiliates covered by
the notice do not all share a common name, then the notice must either
separately identify each covered affiliate by name or identify each of
the common names used by those affiliates, for example, by stating that
the notice applies to ``all of the ABC and XYZ companies'' or to ``the
ABC banking and credit card companies and the XYZ insurance
companies'';
(iii) A general description of the types of eligibility information
that may be used to make solicitations to the consumer;
(iv) That the consumer may elect to limit the use of eligibility
information to make solicitations to the consumer;
(v) That the consumer's election will apply for the specified
period of time stated in the notice and, if applicable, that the
consumer will be allowed to renew the election once that period
expires;
(vi) If the notice is provided to consumers who may have previously
opted out, such as if a notice is provided to consumers annually, that
the consumer who has chosen to limit solicitations does not need to act
again until the consumer receives a renewal notice; and
(vii) A reasonable and simple method for the consumer to opt out.
(2) Joint relationships. (i) If two or more consumers jointly
obtain a product or service, a single opt-out notice may be provided to
the joint consumers. Any of the joint consumers may exercise the right
to opt out.
(ii) The opt-out notice must explain how an opt-out direction by a
joint consumer will be treated. An opt-out direction by a joint
consumer may be treated as applying to all of the associated joint
consumers, or each joint consumer may be permitted to opt-out
separately. If each joint consumer is permitted to opt out separately,
one of the joint consumers must be permitted to opt out on behalf of
all of the joint consumers and the joint consumers must be permitted to
exercise their separate rights to opt out in a single response.
(iii) It is impermissible to require all joint consumers to opt out
before implementing any opt-out direction.
(3) Alternative contents. If the consumer is afforded a broader
right to opt out of receiving marketing than is required by this
subpart, the requirements of this section may be satisfied by providing
the consumer with a clear, conspicuous, and concise notice that
accurately discloses the consumer's opt-out rights.
(4) Model notices. Model notices are provided in Appendix C of this
part.
(b) Coordinated and consolidated notices. A notice required by this
subpart may be coordinated and consolidated with any other notice or
disclosure required to be issued under any other provision of law by
the entity providing the notice, including but not limited to the
notice described in section 603(d)(2)(A)(iii) of the Act and the Gramm-
Leach-Bliley Act privacy notice.
(c) Equivalent notices. A notice or other disclosure that is
equivalent to the notice required by this subpart, and that is provided
to a consumer together with disclosures required by any other provision
of law, satisfies the requirements of this section.
Sec. 334.24 Reasonable opportunity to opt out.
(a) In general. You must not use eligibility information about a
consumer that you receive from an affiliate to make a solicitation to
the consumer about your products or services, unless the consumer is
provided a reasonable opportunity to opt out, as required by Sec.
334.21(a)(1)(ii) of this part.
(b) Examples of a reasonable opportunity to opt out. The consumer
is given a reasonable opportunity to opt out if:
(1) By mail. The opt-out notice is mailed to the consumer. The
consumer is given 30 days from the date the notice is mailed to elect
to opt out by any reasonable means.
(2) By electronic means. (i) The opt-out notice is provided
electronically to the consumer, such as by posting the notice at an
Internet Web site at which the consumer has obtained a product or
service. The consumer acknowledges receipt of the electronic notice.
The consumer is given 30 days after the date the consumer acknowledges
receipt to elect to opt out by any reasonable means.
(ii) The opt-out notice is provided to the consumer by e-mail where
the consumer has agreed to receive disclosures by e-mail from the
person sending the notice. The consumer is given 30 days after the e-
mail is sent to elect to opt out by any reasonable means.
(3) At the time of an electronic transaction. The opt-out notice is
provided to the consumer at the time of an electronic transaction, such
as a transaction conducted on an Internet Web site. The consumer is
required to decide, as a necessary part of proceeding with the
transaction, whether to opt out before completing the transaction.
There is a simple process that the consumer may use to opt out at that
time using the same
[[Page 62970]]
mechanism through which the transaction is conducted.
(4) At the time of an in-person transaction. The opt-out notice is
provided to the consumer in writing at the time of an in-person
transaction. The consumer is required to decide, as a necessary part of
proceeding with the transaction, whether to opt out before completing
the transaction, and is not permitted to complete the transaction
without making a choice. There is a simple process that the consumer
may use during the course of the in-person transaction to opt out, such
as completing a form that requires consumers to write a ``yes'' or
``no'' to indicate their opt-out preference or that requires the
consumer to check one of two blank check boxes--one that allows
consumers to indicate that they want to opt out and one that allows
consumers to indicate that they do not want to opt out.
(5) By including in a privacy notice. The opt-out notice is
included in a Gramm-Leach-Bliley Act privacy notice. The consumer is
allowed to exercise the opt-out within a reasonable period of time and
in the same manner as the opt-out under that privacy notice.
Sec. 334.25 Reasonable and simple methods of opting out.
(a) In general. You must not use eligibility information about a
consumer that you receive from an affiliate to make a solicitation to
the consumer about your products or services, unless the consumer is
provided a reasonable and simple method to opt out, as required by
Sec. 334.21(a)(1)(ii) of this part.
(b) Examples. (1) Reasonable and simple opt-out methods. Reasonable
and simple methods for exercising the opt-out right include--
(i) Designating a check-off box in a prominent position on the opt-
out form;
(ii) Including a reply form and a self-addressed envelope together
with the opt-out notice;
(iii) Providing an electronic means to opt out, such as a form that
can be electronically mailed or processed at an Internet Web site, if
the consumer agrees to the electronic delivery of information;
(iv) Providing a toll-free telephone number that consumers may call
to opt out; or
(v) Allowing consumers to exercise all of their opt-out rights
described in a consolidated opt-out notice that includes the privacy
opt-out under the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., the
affiliate sharing opt-out under the Act, and the affiliate marketing
opt-out under the Act, by a single method, such as by calling a single
toll-free telephone number.
(2) Opt-out methods that are not reasonable and simple. Reasonable
and simple methods for exercising an opt-out right do not include--
(i) Requiring the consumer to write his or her own letter;
(ii) Requiring the consumer to call or write to obtain a form for
opting out, rather than including the form with the opt-out notice;
(iii) Requiring the consumer who receives the opt-out notice in
electronic form only, such as through posting at an Internet Web site,
to opt out solely by paper mail or by visiting a different Web site
without providing a link to that site.
(c) Specific opt-out means. Each consumer may be required to opt
out through a specific means, as long as that means is reasonable and
simple for that consumer.
Sec. 334.26 Delivery of opt-out notices.
(a) In general. The opt-out notice must be provided so that each
consumer can reasonably be expected to receive actual notice. For opt-
out notices provided electronically, the notice may be provided in
compliance with either the electronic disclosure provisions in this
subpart or the provisions in section 101 of the Electronic Signatures
in Global and National Commerce Act, 15 U.S.C. 7001 et seq.
(b) Examples of reasonable expectation of actual notice. A consumer
may reasonably be expected to receive actual notice if the affiliate
providing the notice:
(1) Hand-delivers a printed copy of the notice to the consumer;
(2) Mails a printed copy of the notice to the last known mailing
address of the consumer;
(3) Provides a notice by e-mail to a consumer who has agreed to
receive electronic disclosures by e-mail from the affiliate providing
the notice; or
(4) Posts the notice on the Internet Web site at which the consumer
obtained a product or service electronically and requires the consumer
to acknowledge receipt of the notice.
(c) Examples of no reasonable expectation of actual notice. A
consumer may not reasonably be expected to receive actual notice if the
affiliate providing the notice:
(1) Only posts the notice on a sign in a branch or office or
generally publishes the notice in a newspaper;
(2) Sends the notice via e-mail to a consumer who has not agreed to
receive electronic disclosures by e-mail from the affiliate providing
the notice; or
(3) Posts the notice on an Internet Web site without requiring the
consumer to acknowledge receipt of the notice.
Sec. 334.27 Renewal of opt-out.
(a) Renewal notice and opt-out requirement. (1) In general. After
the opt-out period expires, you may not make solicitations based on
eligibility information you receive from an affiliate to a consumer who
previously opted out, unless:
(i) The consumer has been given a renewal notice that complies with
the requirements of this section and Sec. Sec. 334.24 through 334.26
of this part, and a reasonable opportunity and a reasonable and simple
method to renew the opt-out, and the consumer does not renew the opt-
out; or
(ii) An exception in Sec. 334.21(c) of this part applies.
(2) Renewal period. Each opt-out renewal must be effective for a
period of at least five years as provided in Sec. 334.22(b) of this
part.
(3) Affiliates who may provide the notice. The notice required by
this paragraph must be provided:
(i) By the affiliate that provided the previous opt-out notice, or
its successor; or
(ii) As part of a joint renewal notice from two or more members of
an affiliated group of companies, or their successors, that jointly
provided the previous opt-out notice.
(b) Contents of renewal notice. The renewal notice must be clear,
conspicuous, and concise, and must accurately disclose:
(1) The name of the affiliate(s) providing the notice. If the
notice is provided jointly by multiple affiliates and each affiliate
shares a common name, such as ``ABC,'' then the notice may indicate
that it is being provided by multiple companies with the ABC name or
multiple companies in the ABC group or family of companies, for
example, by stating that the notice is provided by ``all of the ABC
companies,'' ``the ABC banking, credit card, insurance, and securities
companies,'' or by listing the name of each affiliate providing the
notice. But if the affiliates providing the joint notice do not all
share a common name, then the notice must either separately identify
each affiliate by name or identify each of the common names used by
those affiliates, for example, by stating that the notice is provided
by ``all of the ABC and XYZ companies'' or by ``the ABC banking and
credit card companies and the XYZ insurance companies;''
(2) A list of the affiliates or types of affiliates whose use of
eligibility information is covered by the notice, which may include
companies that become affiliates after the notice is provided to the
consumer. If each affiliate covered by the notice shares a
[[Page 62971]]
common name, such as ``ABC,'' then the notice may indicate that it
applies to multiple companies with the ABC name or multiple companies
in the ABC group or family of companies, for example, by stating that
the notice is provided by ``all of the ABC companies,'' ``the ABC
banking, credit card, insurance, and securities companies,'' or by
listing the name of each affiliate providing the notice. But if the
affiliates covered by the notice do not all share a common name, then
the notice must either separately identify each covered affiliate by
name or identify each of the common names used by those affiliates, for
example, by stating that the notice applies to ``all of the ABC and XYZ
companies'' or to ``the ABC banking and credit card companies and the
XYZ insurance companies;''
(3) A general description of the types of eligibility information
that may be used to make solicitations to the consumer;
(4) That the consumer previously elected to limit the use of
certain information to make solicitations to the consumer;
(5) That the consumer's election has expired or is about to expire;
(6) That the consumer may elect to renew the consumer's previous
election;
(7) If applicable, that the consumer's election to renew will apply
for the specified period of time stated in the notice and that the
consumer will be allowed to renew the election once that period
expires; and
(8) A reasonable and simple method for the consumer to opt out.
(c) Timing of the renewal notice. (1) In general. A renewal notice
may be provided to the consumer either--
(i) A reasonable period of time before the expiration of the opt-
out period; or
(ii) Any time after the expiration of the opt-out period but before
solicitations that would have been prohibited by the expired opt-out
are made to the consumer.
(2) Combination with annual privacy notice. If you provide an
annual privacy notice under the Gramm-Leach-Bliley Act, 15 U.S.C. 6801
et seq., providing a renewal notice with the last annual privacy notice
provided to the consumer before expiration of the opt-out period is a
reasonable period of time before expiration of the opt-out in all
cases.
(d) No effect on opt-out period. An opt-out period may not be
shortened by sending a renewal notice to the consumer before expiration
of the opt-out period, even if the consumer does not renew the opt-out.
Sec. 334.28 Effective date, compliance date, and prospective
application.
(a) Effective date. This subpart is effective January 1, 2008.
(b) Mandatory compliance date. Compliance with this subpart is
required not later than October 1, 2008.
(c) Prospective application. The provisions of this subpart shall
not prohibit you from using eligibility information that you receive
from an affiliate to make solicitations to a consumer if you receive
such information prior to October 1, 2008. For purposes of this
section, you are deemed to receive eligibility information when such
information is placed into a common database and is accessible by you.
0
4. Appendixes A and B to part 334 are added and reserved, and a new
Appendix C to part 334 is added to read as follows:
Appendix C To Part 334--Model Forms for Opt-Out Notices
a. Although use of the model forms is not required, use of the
model forms in this Appendix (as applicable) complies with the
requirement in section 624 of the Act for clear, conspicuous, and
concise notices.
b. Certain changes may be made to the language or format of the
model forms without losing the protection from liability afforded by
use of the model forms. These changes may not be so extensive as to
affect the substance, clarity, or meaningful sequence of the
language in the model forms. Persons making such extensive revisions
will lose the safe harbor that this Appendix provides. Acceptable
changes include, for example:
1. Rearranging the order of the references to ``your income,''
``your account history,'' and ``your credit score.''
2. Substituting other types of information for ``income,''
``account history,'' or ``credit score'' for accuracy, such as
``payment history,'' ``credit history,'' ``payoff status,'' or
``claims history.''
3. Substituting a clearer and more accurate description of the
affiliates providing or covered by the notice for phrases such as
``the [ABC] group of companies,'' including without limitation a
statement that the entity providing the notice recently purchased
the consumer's account.
4. Substituting other types of affiliates covered by the notice
for ``credit card,'' ``insurance,'' or ``securities'' affiliates.
5. Omitting items that are not accurate or applicable. For
example, if a person does not limit the duration of the opt-out
period, the notice may omit information about the renewal notice.
6. Adding a statement informing consumers how much time they
have to opt out before shared eligibility information may be used to
make solicitations to them.
7. Adding a statement that the consumer may exercise the right
to opt out at any time.
8. Adding the following statement, if accurate: ``If you
previously opted out, you do not need to do so again.''
9. Providing a place on the form for the consumer to fill in
identifying information, such as his or her name and address:
C-1 Model Form for Initial Opt-out Notice (Single-Affiliate Notice)
C-2 Model Form for Initial Opt-out Notice (Joint Notice)
C-3 Model Form for Renewal Notice (Single-Affiliate Notice)
C-4 Model Form for Renewal Notice (Joint Notice)
C-5 Model Form for Voluntary ``No Marketing'' Notice
C-1--Model Form for Initial Opt-out Notice (Single-Affiliate
Notice)--[Your Choice To Limit Marketing]/[Marketing Opt-out]
[Name of Affiliate] is providing this notice.
[Optional: Federal law gives you the right to limit
some but not all marketing from our affiliates. Federal law also
requires us to give you this notice to tell you about your choice to
limit marketing from our affiliates.]
You may limit our affiliates in the [ABC] group of
companies, such as our [credit card, insurance, and securities]
affiliates, from marketing their products or services to you based
on your personal information that we collect and share with them.
This information includes your [income], your [account history with
us], and your [credit score].
Your choice to limit marketing offers from our
affiliates will apply [until you tell us to change your choice]/[for
x years from when you tell us your choice]/[for at least 5 years
from when you tell us your choice]. [Include if the opt-out period
expires.] Once that period expires, you will receive a renewal
notice that will allow you to continue to limit marketing offers
from our affiliates for [another x years]/[at least another 5
years].
[Include, if applicable, in a subsequent notice,
including an annual notice, for consumers who may have previously
opted out.] If you have already made a choice to limit marketing
offers from our affiliates, you do not need to act again until you
receive the renewal notice.
To limit marketing offers, contact us [include all that apply]:
By telephone: 1-877--
On the Web: www.---.com
By mail: Check the box and complete the form below, and
send the form to:
[Company name]
[Company address]
--Do not allow your affiliates to use my personal information to
market to me.
C-2--Model Form for Initial Opt-out Notice (Joint Notice)--[Your
Choice To Limit Marketing]/[Marketing Opt-out]
The [ABC group of companies] is providing this notice.
[Optional: Federal law gives you the right to limit
some but not all marketing from the [ABC] companies. Federal law
also requires us to give you this notice to tell you about your
choice to limit marketing from the [ABC] companies.]
You may limit the [ABC] companies, such as the [ABC
credit card, insurance, and securities] affiliates, from marketing
their
[[Page 62972]]
products or services to you based on your personal information that
they receive from other [ABC] companies. This information includes
your [income], your [account history], and your [credit score].
Your choice to limit marketing offers from the [ABC]
companies will apply [until you tell us to change your choice]/[for
x years from when you tell us your choice]/[for at least 5 years
from when you tell us your choice]. [Include if the opt-out period
expires.] Once that period expires, you will receive a renewal
notice that will allow you to continue to limit marketing offers
from the [ABC] companies for [another x years]/[at least another 5
years].
[Include, if applicable, in a subsequent notice,
including an annual notice, for consumers who may have previously
opted out.] If you have already made a choice to limit marketing
offers from the [ABC] companies, you do not need to act again until
you receive the renewal notice.
To limit marketing offers, contact us [include all that apply]:
By telephone: 1-877--
On the Web: www.---.com
By mail: Check the box and complete the form below, and
send the form to:
[Company name]
[Company address]
--Do not allow any company [in the ABC group of companies] to
use my personal information to market to me.
C-3--Model Form for Renewal Notice (Single-Affiliate Notice)--
[Renewing Your Choice To Limit Marketing]/[Renewing Your Marketing
Opt-out]
[Name of Affiliate] is providing this notice.
[Optional: Federal law gives you the right to limit
some but not all marketing from our affiliates. Federal law also
requires us to give you this notice to tell you about your choice to
limit marketing from our affiliates.]
You previously chose to limit our affiliates in the
[ABC] group of companies, such as our [credit card, insurance, and
securities] affiliates, from marketing their products or services to
you based on your personal information that we share with them. This
information includes your [income], your [account history with us],
and your [credit score].
Your choice has expired or is about to expire.
To renew your choice to limit marketing for [x] more years,
contact us [include all that apply]:
By telephone: 1-877--
On the Web: www.---.com
By mail: Check the box and complete the form below, and
send the form to:
[Company name]
[Company address]
--Renew my choice to limit marketing for [x] more years.
C-4--Model Form for Renewal Notice (Joint Notice)--[Renewing Your
Choice To Limit Marketing]/[Renewing Your Marketing Opt-out]
The [ABC group of companies] is providing this notice.
[Optional: Federal law gives you the right to limit
some but not all marketing from the [ABC] companies. Federal law
also requires us to give you this notice to tell you about your
choice to limit marketing from the [ABC] companies.]
You previously chose to limit the [ABC] companies, such
as the [ABC credit card, insurance, and securities] affiliates, from
marketing their products or services to you based on your personal
information that they receive from other ABC companies. This
information includes your [income], your [account history], and your
[credit score].
Your choice has expired or is about to expire.
To renew your choice to limit marketing for [x] more years,
contact us [include all that apply]:
By telephone: 1-877--
On the Web: www.---.com
By mail: Check the box and complete the form below, and
send the form to:
[Company name]
[Company address]
--Renew my choice to limit marketing for [x] more years.
C-5--Model Form for Voluntary ``No Marketing'' Notice--Your Choice
To Stop Marketing
[Name of Affiliate] is providing this notice.
You may choose to stop all marketing from us and our
affiliates.
To stop all marketing, contact us [include all that apply]:
By telephone: 1-877--
On the Web: www.---.com
By mail: Check the box and complete the form below, and
send the form to:
[Company name]
[Company address]
--Do not market to me.
Department of the Treasury
Office of Thrift Supervision
12 CFR Chapter V.
Authority and Issuance
0
For the reasons discussed in the joint preamble, the Office of Thrift
Supervision is amending chapter V of title 12 of the Code of Federal
Regulations by amending 12 CFR part 571 as follows:
PART 571--FAIR CREDIT REPORTING
0
1. The authority citation for part 571 is revised to read as follows:
Authority: 12 U.S.C. 1462a, 1463, 1464, 1467a, 1828, 1831p-1,
and 1881-1884; 15 U.S.C. 1681b, 1681c, 1681m, 1681s, and 1681w; 15
U.S.C. 6801 and 6805; Sec. 214 Pub. L. 108-159, 117 Stat. 1952.
Subpart A--General Provisions
0
2. Amend Sec. 571.1 by adding a new paragraph (b)(3) to read as
follows:
Sec. 571.1 Purpose and scope.
* * * * *
(b) * * *
(3) The scope of Subpart C of this part is stated in Sec.
571.20(a) of this part.
* * * * *
0
3. Add a new Subpart C to part 571 to read as follows:
Subpart C--Affiliate Marketing
Sec.
571.20 Coverage and definitions.
571.21 Affiliate marketing opt-out and exceptions.
571.22 Scope and duration of opt-out.
571.23 Contents of opt-out notice; consolidated and equivalent
notices.
571.24 Reasonable opportunity to opt out.
571.25 Reasonable and simple methods of opting out.
571.26 Delivery of opt-out notices.
571.27 Renewal of opt-out.
571.28 Effective date, compliance date, and prospective application.
Subpart C--Affiliate Marketing
Sec. 571.20 Coverage and definitions.
(a) Coverage. Subpart C of this part applies to savings
associations whose deposits are insured by the Federal Deposit
Insurance Corporation or, in accordance with Sec. 559.3(h)(1) of this
chapter, federal savings association operating subsidiaries that are
not functionally regulated within the meaning of section 5(c)(5) of the
Bank Holding Company Act of 1956, as amended (12 U.S.C. 1844(c)(5)).
(b) Definitions. For purposes of this subpart:
(1) Clear and conspicuous. The term ``clear and conspicuous'' means
reasonably understandable and designed to call attention to the nature
and significance of the information presented.
(2) Concise. (i) In general. The term ``concise'' means a
reasonably brief expression or statement.
(ii) Combination with other required disclosures. A notice required
by this subpart may be concise even if it is combined with other
disclosures required or authorized by federal or state law.
(3) Eligibility information. The term ``eligibility information''
means any information the communication of which would be a consumer
report if the exclusions from the definition of ``consumer report'' in
section 603(d)(2)(A) of the Act did not apply. Eligibility information
does not include aggregate or blind data that does not contain personal
identifiers such as account numbers, names, or addresses.
(4) Pre-existing business relationship. (i) In general. The term
``pre-existing business relationship'' means a relationship between a
person, or a person's licensed agent, and a consumer based on--
[[Page 62973]]
(A) A financial contract between the person and the consumer which
is in force on the date on which the consumer is sent a solicitation
covered by this subpart;
(B) The purchase, rental, or lease by the consumer of the person's
goods or services, or a financial transaction (including holding an
active account or a policy in force or having another continuing
relationship) between the consumer and the person, during the 18-month
period immediately preceding the date on which the consumer is sent a
solicitation covered by this subpart; or
(C) An inquiry or application by the consumer regarding a product
or service offered by that person during the three-month period
immediately preceding the date on which the consumer is sent a
solicitation covered by this subpart.
(ii) Examples of pre-existing business relationships. (A) If a
consumer has a time deposit account, such as a certificate of deposit,
at a depository institution that is currently in force, the depository
institution has a pre-existing business relationship with the consumer
and can use eligibility information it receives from its affiliates to
make solicitations to the consumer about its products or services.
(B) If a consumer obtained a certificate of deposit from a
depository institution, but did not renew the certificate at maturity,
the depository institution has a pre-existing business relationship
with the consumer and can use eligibility information it receives from
its affiliates to make solicitations to the consumer about its products
or services for 18 months after the date of maturity of the certificate
of deposit.
(C) If a consumer obtains a mortgage, the mortgage lender has a
pre-existing business relationship with the consumer. If the mortgage
lender sells the consumer's entire loan to an investor, the mortgage
lender has a pre-existing business relationship with the consumer and
can use eligibility information it receives from its affiliates to make
solicitations to the consumer about its products or services for 18
months after the date it sells the loan, and the investor has a pre-
existing business relationship with the consumer upon purchasing the
loan. If, however, the mortgage lender sells a fractional interest in
the consumer's loan to an investor but also retains an ownership
interest in the loan, the mortgage lender continues to have a pre-
existing business relationship with the consumer, but the investor does
not have a pre-existing business relationship with the consumer. If the
mortgage lender retains ownership of the loan, but sells ownership of
the servicing rights to the consumer's loan, the mortgage lender
continues to have a pre-existing business relationship with the
consumer. The purchaser of the servicing rights also has a pre-existing
business relationship with the consumer as of the date it purchases
ownership of the servicing rights, but only if it collects payments
from or otherwise deals directly with the consumer on a continuing
basis.
(D) If a consumer applies to a depository institution for a product
or service that it offers, but does not obtain a product or service
from or enter into a financial contract or transaction with the
institution, the depository institution has a pre-existing business
relationship with the consumer and can therefore use eligibility
information it receives from an affiliate to make solicitations to the
consumer about its products or services for three months after the date
of the application.
(E) If a consumer makes a telephone inquiry to a depository
institution about its products or services and provides contact
information to the institution, but does not obtain a product or
service from or enter into a financial contract or transaction with the
institution, the depository institution has a pre-existing business
relationship with the consumer and can therefore use eligibility
information it receives from an affiliate to make solicitations to the
consumer about its products or services for three months after the date
of the inquiry.
(F) If a consumer makes an inquiry to a depository institution by
e-mail about its products or services, but does not obtain a product or
service from or enter into a financial contract or transaction with the
institution, the depository institution has a pre-existing business
relationship with the consumer and can therefore use eligibility
information it receives from an affiliate to make solicitations to the
consumer about its products or services for three months after the date
of the inquiry.
(G) If a consumer has an existing relationship with a depository
institution that is part of a group of affiliated companies, makes a
telephone call to the centralized call center for the group of
affiliated companies to inquire about products or services offered by
the insurance affiliate, and provides contact information to the call
center, the call constitutes an inquiry to the insurance affiliate that
offers those products or services. The insurance affiliate has a pre-
existing business relationship with the consumer and can therefore use
eligibility information it receives from its affiliated depository
institution to make solicitations to the consumer about its products or
services for three months after the date of the inquiry.
(iii) Examples where no pre-existing business relationship is
created. (A) If a consumer makes a telephone call to a centralized call
center for a group of affiliated companies to inquire about the
consumer's existing account at a depository institution, the call does
not constitute an inquiry to any affiliate other than the depository
institution that holds the consumer's account and does not establish a
pre-existing business relationship between the consumer and any
affiliate of the account-holding depository institution.
(B) If a consumer who has a deposit account with a depository
institution makes a telephone call to an affiliate of the institution
to ask about the affiliate's retail locations and hours, but does not
make an inquiry about the affiliate's products or services, the call
does not constitute an inquiry and does not establish a pre-existing
business relationship between the consumer and the affiliate. Also, the
affiliate's capture of the consumer's telephone number does not
constitute an inquiry and does not establish a pre-existing business
relationship between the consumer and the affiliate.
(C) If a consumer makes a telephone call to a depository
institution in response to an advertisement that offers a free
promotional item to consumers who call a toll-free number, but the
advertisement does not indicate that the depository institution's
products or services will be marketed to consumers who call in
response, the call does not create a pre-existing business relationship
between the consumer and the depository institution because the
consumer has not made an inquiry about a product or service offered by
the institution, but has merely responded to an offer for a free
promotional item.
(5) Solicitation. (i) In general. The term ``solicitation'' means
the marketing of a product or service initiated by a person to a
particular consumer that is--
(A) Based on eligibility information communicated to that person by
its affiliate as described in this subpart; and
(B) Intended to encourage the consumer to purchase or obtain such
product or service.
(ii) Exclusion of marketing directed at the general public. A
solicitation does not include marketing communications that are
directed at the general public. For example, television, general
circulation magazine, and billboard advertisements do not constitute
solicitations, even if those communications are intended to encourage
consumers to purchase
[[Page 62974]]
products and services from the person initiating the communications.
(iii) Examples of solicitations. A solicitation would include, for
example, a telemarketing call, direct mail, e-mail, or other form of
marketing communication directed to a particular consumer that is based
on eligibility information received from an affiliate.
(6) You means a person described in paragraph (a) of this section.
Sec. 571.21 Affiliate marketing opt-out and exceptions.
(a) Initial notice and opt-out requirement. (1) In general. You may
not use eligibility information about a consumer that you receive from
an affiliate to make a solicitation for marketing purposes to the
consumer, unless--
(i) It is clearly and conspicuously disclosed to the consumer in
writing or, if the consumer agrees, electronically, in a concise notice
that you may use eligibility information about that consumer received
from an affiliate to make solicitations for marketing purposes to the
consumer;
(ii) The consumer is provided a reasonable opportunity and a
reasonable and simple method to ``opt out,'' or prohibit you from using
eligibility information to make solicitations for marketing purposes to
the consumer; and
(iii) The consumer has not opted out.
(2) Example. A consumer has a homeowner's insurance policy with an
insurance company. The insurance company furnishes eligibility
information about the consumer to its affiliated depository
institution. Based on that eligibility information, the depository
institution wants to make a solicitation to the consumer about its home
equity loan products. The depository institution does not have a pre-
existing business relationship with the consumer and none of the other
exceptions apply. The depository institution is prohibited from using
eligibility information received from its insurance affiliate to make
solicitations to the consumer about its home equity loan products
unless the consumer is given a notice and opportunity to opt out and
the consumer does not opt out.
(3) Affiliates who may provide the notice. The notice required by
this paragraph must be provided:
(i) By an affiliate that has or has previously had a pre-existing
business relationship with the consumer; or
(ii) As part of a joint notice from two or more members of an
affiliated group of companies, provided that at least one of the
affiliates on the joint notice has or has previously had a pre-existing
business relationship with the consumer.
(b) Making solicitations. (1) In general. For purposes of this
subpart, you make a solicitation for marketing purposes if--
(i) You receive eligibility information from an affiliate;
(ii) You use that eligibility information to do one or more of the
following:
(A) Identify the consumer or type of consumer to receive a
solicitation;
(B) Establish criteria used to select the consumer to receive a
solicitation; or
(C) Decide which of your products or services to market to the
consumer or tailor your solicitation to that consumer; and
(iii) As a result of your use of the eligibility information, the
consumer is provided a solicitation.
(2) Receiving eligibility information from an affiliate, including
through a common database. You may receive eligibility information from
an affiliate in various ways, including when the affiliate places that
information into a common database that you may access.
(3) Receipt or use of eligibility information by your service
provider. Except as provided in paragraph (b)(5) of this section, you
receive or use an affiliate's eligibility information if a service
provider acting on your behalf (whether an affiliate or a nonaffiliated
third party) receives or uses that information in the manner described
in paragraphs (b)(1)(i) or (b)(1)(ii) of this section. All relevant
facts and circumstances will determine whether a person is acting as
your service provider when it receives or uses an affiliate's
eligibility information in connection with marketing your products and
services.
(4) Use by an affiliate of its own eligibility information. Unless
you have used eligibility information that you receive from an
affiliate in the manner described in paragraph (b)(1)(ii) of this
section, you do not make a solicitation subject to this subpart if your
affiliate:
(i) Uses its own eligibility information that it obtained in
connection with a pre-existing business relationship it has or had with
the consumer to market your products or services to the consumer; or
(ii) Directs its service provider to use the affiliate's own
eligibility information that it obtained in connection with a pre-
existing business relationship it has or had with the consumer to
market your products or services to the consumer, and you do not
communicate directly with the service provider regarding that use.
(5) Use of eligibility information by a service provider. (i) In
general. You do not make a solicitation subject to Subpart C of this
part if a service provider (including an affiliated or third-party
service provider that maintains or accesses a common database that you
may access) receives eligibility information from your affiliate that
your affiliate obtained in connection with a pre-existing business
relationship it has or had with the consumer and uses that eligibility
information to market your products or services to the consumer, so
long as--
(A) Your affiliate controls access to and use of its eligibility
information by the service provider (including the right to establish
the specific terms and conditions under which the service provider may
use such information to market your products or services);
(B) Your affiliate establishes specific terms and conditions under
which the service provider may access and use the affiliate's
eligibility information to market your products and services (or those
of affiliates generally) to the consumer, such as the identity of the
affiliated companies whose products or services may be marketed to the
consumer by the service provider, the types of products or services of
affiliated companies that may be marketed, and the number of times the
consumer may receive marketing materials, and periodically evaluates
the service provider's compliance with those terms and conditions;
(C) Your affiliate requires the service provider to implement
reasonable policies and procedures designed to ensure that the service
provider uses the affiliate's eligibility information in accordance
with the terms and conditions established by the affiliate relating to
the marketing of your products or services;
(D) Your affiliate is identified on or with the marketing materials
provided to the consumer; and
(E) You do not directly use your affiliate's eligibility
information in the manner described in paragraph (b)(1)(ii) of this
section.
(ii) Writing requirements. (A) The requirements of paragraphs
(b)(5)(i)(A) and (C) of this section must be set forth in a written
agreement between your affiliate and the service provider; and
(B) The specific terms and conditions established by your affiliate
as provided in paragraph (b)(5)(i)(B) of this section must be set forth
in writing.
(6) Examples of making solicitations. (i) A consumer has a deposit
account with a depository institution, which is affiliated with an
insurance company. The insurance company receives
[[Page 62975]]
eligibility information about the consumer from the depository
institution. The insurance company uses that eligibility information to
identify the consumer to receive a solicitation about insurance
products, and, as a result, the insurance company provides a
solicitation to the consumer about its insurance products. Pursuant to
paragraph (b)(1) of this section, the insurance company has made a
solicitation to the consumer.
(ii) The same facts as in the example in paragraph (b)(6)(i) of
this section, except that after using the eligibility information to
identify the consumer to receive a solicitation about insurance
products, the insurance company asks the depository institution to send
the solicitation to the consumer and the depository institution does
so. Pursuant to paragraph (b)(1) of this section, the insurance company
has made a solicitation to the consumer because it used eligibility
information about the consumer that it received from an affiliate to
identify the consumer to receive a solicitation about its products or
services, and, as a result, a solicitation was provided to the consumer
about the insurance company's products.
(iii) The same facts as in the example in paragraph (b)(6)(i) of
this section, except that eligibility information about consumers that
have deposit accounts with the depository institution is placed into a
common database that all members of the affiliated group of companies
may independently access and use. Without using the depository
institution's eligibility information, the insurance company develops
selection criteria and provides those criteria, marketing materials,
and related instructions to the depository institution. The depository
institution reviews eligibility information about its own consumers
using the selection criteria provided by the insurance company to
determine which consumers should receive the insurance company's
marketing materials and sends marketing materials about the insurance
company's products to those consumers. Even though the insurance
company has received eligibility information through the common
database as provided in paragraph (b)(2) of this section, it did not
use that information to identify consumers or establish selection
criteria; instead, the depository institution used its own eligibility
information. Therefore, pursuant to paragraph (b)(4)(i) of this
section, the insurance company has not made a solicitation to the
consumer.
(iv) The same facts as in the example in paragraph (b)(6)(iii) of
this section, except that the depository institution provides the
insurance company's criteria to the depository institution's service
provider and directs the service provider to use the depository
institution's eligibility information to identify depository
institution consumers who meet the criteria and to send the insurance
company's marketing materials to those consumers. The insurance company
does not communicate directly with the service provider regarding the
use of the depository institution's information to market its products
to the depository institution's consumers. Pursuant to paragraph
(b)(4)(ii) of this section, the insurance company has not made a
solicitation to the consumer.
(v) An affiliated group of companies includes a depository
institution, an insurance company, and a service provider. Each
affiliate in the group places information about its consumers into a
common database. The service provider has access to all information in
the common database. The depository institution controls access to and
use of its eligibility information by the service provider. This
control is set forth in a written agreement between the depository
institution and the service provider. The written agreement also
requires the service provider to establish reasonable policies and
procedures designed to ensure that the service provider uses the
depository institution's eligibility information in accordance with
specific terms and conditions established by the depository institution
relating to the marketing of the products and services of all
affiliates, including the insurance company. In a separate written
communication, the depository institution specifies the terms and
conditions under which the service provider may use the depository
institution's eligibility information to market the insurance company's
products and services to the depository institution's consumers. The
specific terms and conditions are: A list of affiliated companies
(including the insurance company) whose products or services may be
marketed to the depository institution's consumers by the service
provider; the specific products or types of products that may be
marketed to the depository institution's consumers by the service
provider; the categories of eligibility information that may be used by
the service provider in marketing products or services to the
depository institution's consumers; the types or categories of the
depository institution's consumers to whom the service provider may
market products or services of depository institution affiliates; the
number and/or types of marketing communications that the service
provider may send to the depository institution's consumers; and the
length of time during which the service provider may market the
products or services of the depository institution's affiliates to its
consumers. The depository institution periodically evaluates the
service provider's compliance with these terms and conditions. The
insurance company asks the service provider to market insurance
products to certain consumers who have deposit accounts with the
depository institution. Without using the depository institution's
eligibility information, the insurance company develops selection
criteria and provides those criteria, marketing materials, and related
instructions to the service provider. The service provider uses the
depository institution's eligibility information from the common
database to identify the depository institution's consumers to whom
insurance products will be marketed. When the insurance company's
marketing materials are provided to the identified consumers, the name
of the depository institution is displayed on the insurance marketing
materials, an introductory letter that accompanies the marketing
materials, an account statement that accompanies the marketing
materials, or the envelope containing the marketing materials. The
requirements of paragraph (b)(5) of this section have been satisfied,
and the insurance company has not made a solicitation to the consumer.
(vi) The same facts as in the example in paragraph (b)(6)(v) of
this section, except that the terms and conditions permit the service
provider to use the depository institution's eligibility information to
market the products and services of other affiliates to the depository
institution's consumers whenever the service provider deems it
appropriate to do so. The service provider uses the depository
institution's eligibility information in accordance with the discretion
afforded to it by the terms and conditions. Because the terms and
conditions are not specific, the requirements of paragraph (b)(5) of
this section have not been satisfied.
(c) Exceptions. The provisions of this subpart do not apply to you
if you use eligibility information that you receive from an affiliate:
(1) To make a solicitation for marketing purposes to a consumer
with whom you have a pre-existing business relationship;
[[Page 62976]]
(2) To facilitate communications to an individual for whose benefit
you provide employee benefit or other services pursuant to a contract
with an employer related to and arising out of the current employment
relationship or status of the individual as a participant or
beneficiary of an employee benefit plan;
(3) To perform services on behalf of an affiliate, except that this
subparagraph shall not be construed as permitting you to send
solicitations on behalf of an affiliate if the affiliate would not be
permitted to send the solicitation as a result of the election of the
consumer to opt out under this subpart;
(4) In response to a communication about your products or services
initiated by the consumer;
(5) In response to an authorization or request by the consumer to
receive solicitations; or
(6) If your compliance with this subpart would prevent you from
complying with any provision of State insurance laws pertaining to
unfair discrimination in any State in which you are lawfully doing
business.
(d) Examples of exceptions. (1) Example of the pre-existing
business relationship exception. A consumer has a deposit account with
a depository institution. The consumer also has a relationship with the
depository institution's securities affiliate for management of the
consumer's securities portfolio. The depository institution receives
eligibility information about the consumer from its securities
affiliate and uses that information to make a solicitation to the
consumer about the depository institution's wealth management services.
The depository institution may make this solicitation even if the
consumer has not been given a notice and opportunity to opt out because
the depository institution has a pre-existing business relationship
with the consumer.
(2) Examples of service provider exception. (i) A consumer has an
insurance policy issued by an insurance company. The insurance company
furnishes eligibility information about the consumer to its affiliated
depository institution. Based on that eligibility information, the
depository institution wants to make a solicitation to the consumer
about its deposit products. The depository institution does not have a
pre-existing business relationship with the consumer and none of the
other exceptions in paragraph (c) of this section apply. The consumer
has been given an opt-out notice and has elected to opt out of
receiving such solicitations. The depository institution asks a service
provider to send the solicitation to the consumer on its behalf. The
service provider may not send the solicitation on behalf of the
depository institution because, as a result of the consumer's opt-out
election, the depository institution is not permitted to make the
solicitation.
(ii) The same facts as in paragraph (d)(2)(i) of this section,
except the consumer has been given an opt-out notice, but has not
elected to opt out. The depository institution asks a service provider
to send the solicitation to the consumer on its behalf. The service
provider may send the solicitation on behalf of the depository
institution because, as a result of the consumer's not opting out, the
depository institution is permitted to make the solicitation.
(3) Examples of consumer-initiated communications. (i) A consumer
who has a deposit account with a depository institution initiates a
communication with the depository institution's credit card affiliate
to request information about a credit card. The credit card affiliate
may use eligibility information about the consumer it obtains from the
depository institution or any other affiliate to make solicitations
regarding credit card products in response to the consumer-initiated
communication.
(ii) A consumer who has a deposit account with a depository
institution contacts the institution to request information about how
to save and invest for a child's college education without specifying
the type of product in which the consumer may be interested.
Information about a range of different products or services offered by
the depository institution and one or more affiliates of the
institution may be responsive to that communication. Such products or
services may include the following: Mutual funds offered by the
institution's mutual fund affiliate; section 529 plans offered by the
institution, its mutual fund affiliate, or another securities
affiliate; or trust services offered by a different financial
institution in the affiliated group. Any affiliate offering investment
products or services that would be responsive to the consumer's request
for information about saving and investing for a child's college
education may use eligibility information to make solicitations to the
consumer in response to this communication.
(iii) A credit card issuer makes a marketing call to the consumer
without using eligibility information received from an affiliate. The
issuer leaves a voice-mail message that invites the consumer to call a
toll-free number to apply for the issuer's credit card. If the consumer
calls the toll-free number to inquire about the credit card, the call
is a consumer-initiated communication about a product or service and
the credit card issuer may now use eligibility information it receives
from its affiliates to make solicitations to the consumer.
(iv) A consumer calls a depository institution to ask about retail
locations and hours, but does not request information about products or
services. The institution may not use eligibility information it
receives from an affiliate to make solicitations to the consumer about
its products or services because the consumer-initiated communication
does not relate to the depository institution's products or services.
Thus, the use of eligibility information received from an affiliate
would not be responsive to the communication and the exception does not
apply.
(v) A consumer calls a depository institution to ask about retail
locations and hours. The customer service representative asks the
consumer if there is a particular product or service about which the
consumer is seeking information. The consumer responds that the
consumer wants to stop in and find out about certificates of deposit.
The customer service representative offers to provide that information
by telephone and mail additional information and application materials
to the consumer. The consumer agrees and provides or confirms contact
information for receipt of the materials to be mailed. The depository
institution may use eligibility information it receives from an
affiliate to make solicitations to the consumer about certificates of
deposit because such solicitations would respond to the consumer-
initiated communication about products or services.
(4) Examples of consumer authorization or request for
solicitations. (i) A consumer who obtains a mortgage from a mortgage
lender authorizes or requests information about homeowner's insurance
offered by the mortgage lender's insurance affiliate. Such
authorization or request, whether given to the mortgage lender or to
the insurance affiliate, would permit the insurance affiliate to use
eligibility information about the consumer it obtains from the mortgage
lender or any other affiliate to make solicitations to the consumer
about homeowner's insurance.
(ii) A consumer completes an online application to apply for a
credit card from a credit card issuer. The issuer's online application
contains a blank check box that the consumer may check
[[Page 62977]]
to authorize or request information from the credit card issuer's
affiliates. The consumer checks the box. The consumer has authorized or
requested solicitations from the card issuer's affiliates.
(iii) A consumer completes an online application to apply for a
credit card from a credit card issuer. The issuer's online application
contains a pre-selected check box indicating that the consumer
authorizes or requests information from the issuer's affiliates. The
consumer does not deselect the check box. The consumer has not
authorized or requested solicitations from the card issuer's
affiliates.
(iv) The terms and conditions of a credit card account agreement
contain preprinted boilerplate language stating that by applying to
open an account the consumer authorizes or requests to receive
solicitations from the credit card issuer's affiliates. The consumer
has not authorized or requested solicitations from the card issuer's
affiliates.
(e) Relation to affiliate-sharing notice and opt-out. Nothing in
this subpart limits the responsibility of a person to comply with the
notice and opt-out provisions of section 603(d)(2)(A)(iii) of the Act
where applicable.
Sec. 571.22 Scope and duration of opt-out.
(a) Scope of opt-out. (1) In general. Except as otherwise provided
in this section, the consumer's election to opt out prohibits any
affiliate covered by the opt-out notice from using eligibility
information received from another affiliate as described in the notice
to make solicitations to the consumer.
(2) Continuing relationship. (i) In general. If the consumer
establishes a continuing relationship with you or your affiliate, an
opt-out notice may apply to eligibility information obtained in
connection with--
(A) A single continuing relationship or multiple continuing
relationships that the consumer establishes with you or your
affiliates, including continuing relationships established subsequent
to delivery of the opt-out notice, so long as the notice adequately
describes the continuing relationships covered by the opt-out; or
(B) Any other transaction between the consumer and you or your
affiliates as described in the notice.
(ii) Examples of continuing relationships. A consumer has a
continuing relationship with you or your affiliate if the consumer--
(A) Opens a deposit or investment account with you or your
affiliate;
(B) Obtains a loan for which you or your affiliate owns the
servicing rights;
(C) Purchases an insurance product from you or your affiliate;
(D) Holds an investment product through you or your affiliate, such
as when you act or your affiliate acts as a custodian for securities or
for assets in an individual retirement arrangement;
(E) Enters into an agreement or understanding with you or your
affiliate whereby you or your affiliate undertakes to arrange or broker
a home mortgage loan for the consumer;
(F) Enters into a lease of personal property with you or your
affiliate; or
(G) Obtains financial, investment, or economic advisory services
from you or your affiliate for a fee.
(3) No continuing relationship. (i) In general. If there is no
continuing relationship between a consumer and you or your affiliate,
and you or your affiliate obtain eligibility information about a
consumer in connection with a transaction with the consumer, such as an
isolated transaction or a credit application that is denied, an opt-out
notice provided to the consumer only applies to eligibility information
obtained in connection with that transaction.
(ii) Examples of isolated transactions. An isolated transaction
occurs if--
(A) The consumer uses your or your affiliate's ATM to withdraw cash
from an account at another financial institution; or
(B) You or your affiliate sells the consumer a cashier's check or
money order, airline tickets, travel insurance, or traveler's checks in
isolated transactions.
(4) Menu of alternatives. A consumer may be given the opportunity
to choose from a menu of alternatives when electing to prohibit
solicitations, such as by electing to prohibit solicitations from
certain types of affiliates covered by the opt-out notice but not other
types of affiliates covered by the notice, electing to prohibit
solicitations based on certain types of eligibility information but not
other types of eligibility information, or electing to prohibit
solicitations by certain methods of delivery but not other methods of
delivery. However, one of the alternatives must allow the consumer to
prohibit all solicitations from all of the affiliates that are covered
by the notice.
(5) Special rule for a notice following termination of all
continuing relationships. (i) In general. A consumer must be given a
new opt-out notice if, after all continuing relationships with you or
your affiliate(s) are terminated, the consumer subsequently establishes
another continuing relationship with you or your affiliate(s) and the
consumer's eligibility information is to be used to make a
solicitation. The new opt-out notice must apply, at a minimum, to
eligibility information obtained in connection with the new continuing
relationship. Consistent with paragraph (b) of this section, the
consumer's decision not to opt out after receiving the new opt-out
notice would not override a prior opt-out election by the consumer that
applies to eligibility information obtained in connection with a
terminated relationship, regardless of whether the new opt-out notice
applies to eligibility information obtained in connection with the
terminated relationship.
(ii) Example. A consumer has a checking account with a depository
institution that is part of an affiliated group. The consumer closes
the checking account. One year after closing the checking account, the
consumer opens a savings account with the same depository institution.
The consumer must be given a new notice and opportunity to opt out
before the depository institution's affiliates may make solicitations
to the consumer using eligibility information obtained by the
depository institution in connection with the new savings account
relationship, regardless of whether the consumer opted out in
connection with the checking account.
(b) Duration of opt-out. The election of a consumer to opt out must
be effective for a period of at least five years (the ``opt-out
period'') beginning when the consumer's opt-out election is received
and implemented, unless the consumer subsequently revokes the opt-out
in writing or, if the consumer agrees, electronically. An opt-out
period of more than five years may be established, including an opt-out
period that does not expire unless revoked by the consumer.
(c) Time of opt-out. A consumer may opt out at any time.
Sec. 571.23 Contents of opt-out notice; consolidated and equivalent
notices.
(a) Contents of opt-out notice. (1) In general. A notice must be
clear, conspicuous, and concise, and must accurately disclose:
(i) The name of the affiliate(s) providing the notice. If the
notice is provided jointly by multiple affiliates and each affiliate
shares a common name, such as ``ABC,'' then the notice may indicate
that it is being provided by multiple companies with the ABC name or
multiple companies in the ABC group or family of companies, for
example, by stating that the notice is provided by ``all of the ABC
companies,'' ``the ABC banking, credit card, insurance, and securities
companies,'' or by listing the name of each affiliate providing the
notice. But if the affiliates providing the
[[Page 62978]]
joint notice do not all share a common name, then the notice must
either separately identify each affiliate by name or identify each of
the common names used by those affiliates, for example, by stating that
the notice is provided by ``all of the ABC and XYZ companies'' or by
``the ABC banking and credit card companies and the XYZ insurance
companies'';
(ii) A list of the affiliates or types of affiliates whose use of
eligibility information is covered by the notice, which may include
companies that become affiliates after the notice is provided to the
consumer. If each affiliate covered by the notice shares a common name,
such as ``ABC,'' then the notice may indicate that it applies to
multiple companies with the ABC name or multiple companies in the ABC
group or family of companies, for example, by stating that the notice
is provided by ``all of the ABC companies,'' ``the ABC banking, credit
card, insurance, and securities companies,'' or by listing the name of
each affiliate providing the notice. But if the affiliates covered by
the notice do not all share a common name, then the notice must either
separately identify each covered affiliate by name or identify each of
the common names used by those affiliates, for example, by stating that
the notice applies to ``all of the ABC and XYZ companies'' or to ``the
ABC banking and credit card companies and the XYZ insurance
companies'';
(iii) A general description of the types of eligibility information
that may be used to make solicitations to the consumer;
(iv) That the consumer may elect to limit the use of eligibility
information to make solicitations to the consumer;
(v) That the consumer's election will apply for the specified
period of time stated in the notice and, if applicable, that the
consumer will be allowed to renew the election once that period
expires;
(vi) If the notice is provided to consumers who may have previously
opted out, such as if a notice is provided to consumers annually, that
the consumer who has chosen to limit solicitations does not need to act
again until the consumer receives a renewal notice; and
(vii) A reasonable and simple method for the consumer to opt out.
(2) Joint relationships. (i) If two or more consumers jointly
obtain a product or service, a single opt-out notice may be provided to
the joint consumers. Any of the joint consumers may exercise the right
to opt out.
(ii) The opt-out notice must explain how an opt-out direction by a
joint consumer will be treated. An opt-out direction by a joint
consumer may be treated as applying to all of the associated joint
consumers, or each joint consumer may be permitted to opt-out
separately. If each joint consumer is permitted to opt out separately,
one of the joint consumers must be permitted to opt out on behalf of
all of the joint consumers and the joint consumers must be permitted to
exercise their separate rights to opt out in a single response.
(iii) It is impermissible to require all joint consumers to opt out
before implementing any opt-out direction.
(3) Alternative contents. If the consumer is afforded a broader
right to opt out of receiving marketing than is required by this
subpart, the requirements of this section may be satisfied by providing
the consumer with a clear, conspicuous, and concise notice that
accurately discloses the consumer's opt-out rights.
(4) Model notices. Model notices are provided in Appendix C of this
part.
(b) Coordinated and consolidated notices. A notice required by this
subpart may be coordinated and consolidated with any other notice or
disclosure required to be issued under any other provision of law by
the entity providing the notice, including but not limited to the
notice described in section 603(d)(2)(A)(iii) of the Act and the Gramm-
Leach-Bliley Act privacy notice.
(c) Equivalent notices. A notice or other disclosure that is
equivalent to the notice required by this subpart, and that is provided
to a consumer together with disclosures required by any other provision
of law, satisfies the requirements of this section.
Sec. 571.24 Reasonable opportunity to opt out.
(a) In general. You must not use eligibility information about a
consumer that you receive from an affiliate to make a solicitation to
the consumer about your products or services, unless the consumer is
provided a reasonable opportunity to opt out, as required by Sec.
571.21(a)(1)(ii) of this part.
(b) Examples of a reasonable opportunity to opt out. The consumer
is given a reasonable opportunity to opt out if:
(1) By mail. The opt-out notice is mailed to the consumer. The
consumer is given 30 days from the date the notice is mailed to elect
to opt out by any reasonable means.
(2) By electronic means. (i) The opt-out notice is provided
electronically to the consumer, such as by posting the notice at an
Internet Web site at which the consumer has obtained a product or
service. The consumer acknowledges receipt of the electronic notice.
The consumer is given 30 days after the date the consumer acknowledges
receipt to elect to opt out by any reasonable means.
(ii) The opt-out notice is provided to the consumer by e-mail where
the consumer has agreed to receive disclosures by e-mail from the
person sending the notice. The consumer is given 30 days after the e-
mail is sent to elect to opt out by any reasonable means.
(3) At the time of an electronic transaction. The opt-out notice is
provided to the consumer at the time of an electronic transaction, such
as a transaction conducted on an Internet Web site. The consumer is
required to decide, as a necessary part of proceeding with the
transaction, whether to opt out before completing the transaction.
There is a simple process that the consumer may use to opt out at that
time using the same mechanism through which the transaction is
conducted.
(4) At the time of an in-person transaction. The opt-out notice is
provided to the consumer in writing at the time of an in-person
transaction. The consumer is required to decide, as a necessary part of
proceeding with the transaction, whether to opt out before completing
the transaction, and is not permitted to complete the transaction
without making a choice. There is a simple process that the consumer
may use during the course of the in-person transaction to opt out, such
as completing a form that requires consumers to write a ``yes'' or
``no'' to indicate their opt-out preference or that requires the
consumer to check one of two blank check boxes--one that allows
consumers to indicate that they want to opt out and one that allows
consumers to indicate that they do not want to opt out.
(5) By including in a privacy notice. The opt-out notice is
included in a Gramm-Leach-Bliley Act privacy notice. The consumer is
allowed to exercise the opt-out within a reasonable period of time and
in the same manner as the opt-out under that privacy notice.
Sec. 571.25 Reasonable and simple methods of opting out.
(a) In general. You must not use eligibility information about a
consumer that you receive from an affiliate to make a solicitation to
the consumer about your products or services, unless the consumer is
provided a reasonable and simple method to opt out, as required by
Sec. 571.21(a)(1)(ii) of this part.
[[Page 62979]]
(b) Examples. (1) Reasonable and simple opt-out methods. Reasonable
and simple methods for exercising the opt-out right include--
(i) Designating a check-off box in a prominent position on the opt-
out form;
(ii) Including a reply form and a self-addressed envelope together
with the opt-out notice;
(iii) Providing an electronic means to opt out, such as a form that
can be electronically mailed or processed at an Internet Web site, if
the consumer agrees to the electronic delivery of information;
(iv) Providing a toll-free telephone number that consumers may call
to opt out; or
(v) Allowing consumers to exercise all of their opt-out rights
described in a consolidated opt-out notice that includes the privacy
opt-out under the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.), the
affiliate sharing opt-out under the Act, and the affiliate marketing
opt-out under the Act, by a single method, such as by calling a single
toll-free telephone number.
(2) Opt-out methods that are not reasonable and simple. Reasonable
and simple methods for exercising an opt-out right do not include--
(i) Requiring the consumer to write his or her own letter;
(ii) Requiring the consumer to call or write to obtain a form for
opting out, rather than including the form with the opt-out notice;
(iii) Requiring the consumer who receives the opt-out notice in
electronic form only, such as through posting at an Internet Web site,
to opt out solely by paper mail or by visiting a different Web site
without providing a link to that site.
(c) Specific opt-out means. Each consumer may be required to opt
out through a specific means, as long as that means is reasonable and
simple for that consumer.
Sec. 571.26 Delivery of opt-out notices.
(a) In general. The opt-out notice must be provided so that each
consumer can reasonably be expected to receive actual notice. For opt-
out notices provided electronically, the notice may be provided in
compliance with either the electronic disclosure provisions in this
subpart or the provisions in section 101 of the Electronic Signatures
in Global and National Commerce Act, 15 U.S.C. 7001 et seq.
(b) Examples of reasonable expectation of actual notice. A consumer
may reasonably be expected to receive actual notice if the affiliate
providing the notice:
(1) Hand-delivers a printed copy of the notice to the consumer;
(2) Mails a printed copy of the notice to the last known mailing
address of the consumer;
(3) Provides a notice by e-mail to a consumer who has agreed to
receive electronic disclosures by e-mail from the affiliate providing
the notice; or
(4) Posts the notice on the Internet Web site at which the consumer
obtained a product or service electronically and requires the consumer
to acknowledge receipt of the notice.
(c) Examples of no reasonable expectation of actual notice. A
consumer may not reasonably be expected to receive actual notice if the
affiliate providing the notice:
(1) Only posts the notice on a sign in a branch or office or
generally publishes the notice in a newspaper;
(2) Sends the notice via e-mail to a consumer who has not agreed to
receive electronic disclosures by e-mail from the affiliate providing
the notice; or
(3) Posts the notice on an Internet Web site without requiring the
consumer to acknowledge receipt of the notice.
Sec. 571.27 Renewal of opt-out.
(a) Renewal notice and opt-out requirement. (1) In general. After
the opt-out period expires, you may not make solicitations based on
eligibility information you receive from an affiliate to a consumer who
previously opted out, unless:
(i) The consumer has been given a renewal notice that complies with
the requirements of this section and Sec. Sec. 571.24 through 571.26
of this part, and a reasonable opportunity and a reasonable and simple
method to renew the opt-out, and the consumer does not renew the opt-
out; or
(ii) An exception in Sec. 571.21(c) of this part applies.
(2) Renewal period. Each opt-out renewal must be effective for a
period of at least five years as provided in Sec. 571.22(b) of this
part.
(3) Affiliates who may provide the notice. The notice required by
this paragraph must be provided:
(i) By the affiliate that provided the previous opt-out notice, or
its successor; or
(ii) As part of a joint renewal notice from two or more members of
an affiliated group of companies, or their successors, that jointly
provided the previous opt-out notice.
(b) Contents of renewal notice. The renewal notice must be clear,
conspicuous, and concise, and must accurately disclose:
(1) The name of the affiliate(s) providing the notice. If the
notice is provided jointly by multiple affiliates and each affiliate
shares a common name, such as ``ABC,'' then the notice may indicate
that it is being provided by multiple companies with the ABC name or
multiple companies in the ABC group or family of companies, for
example, by stating that the notice is provided by ``all of the ABC
companies,'' ``the ABC banking, credit card, insurance, and securities
companies,'' or by listing the name of each affiliate providing the
notice. But if the affiliates providing the joint notice do not all
share a common name, then the notice must either separately identify
each affiliate by name or identify each of the common names used by
those affiliates, for example, by stating that the notice is provided
by ``all of the ABC and XYZ companies'' or by ``the ABC banking and
credit card companies and the XYZ insurance companies'';
(2) A list of the affiliates or types of affiliates whose use of
eligibility information is covered by the notice, which may include
companies that become affiliates after the notice is provided to the
consumer. If each affiliate covered by the notice shares a common name,
such as ``ABC,'' then the notice may indicate that it applies to
multiple companies with the ABC name or multiple companies in the ABC
group or family of companies, for example, by stating that the notice
is provided by ``all of the ABC companies,'' ``the ABC banking, credit
card, insurance, and securities companies,'' or by listing the name of
each affiliate providing the notice. But if the affiliates covered by
the notice do not all share a common name, then the notice must either
separately identify each covered affiliate by name or identify each of
the common names used by those affiliates, for example, by stating that
the notice applies to ``all of the ABC and XYZ companies'' or to ``the
ABC banking and credit card companies and the XYZ insurance
companies'';
(3) A general description of the types of eligibility information
that may be used to make solicitations to the consumer;
(4) That the consumer previously elected to limit the use of
certain information to make solicitations to the consumer;
(5) That the consumer's election has expired or is about to expire;
(6) That the consumer may elect to renew the consumer's previous
election;
(7) If applicable, that the consumer's election to renew will apply
for the specified period of time stated in the notice and that the
consumer will be allowed to renew the election once that period
expires; and
[[Page 62980]]
(8) A reasonable and simple method for the consumer to opt out.
(c) Timing of the renewal notice. (1) In general. A renewal notice
may be provided to the consumer either--
(i) A reasonable period of time before the expiration of the opt-
out period; or
(ii) Any time after the expiration of the opt-out period but before
solicitations that would have been prohibited by the expired opt-out
are made to the consumer.
(2) Combination with annual privacy notice. If you provide an
annual privacy notice under the Gramm-Leach-Bliley Act, 15 U.S.C. 6801
et seq., providing a renewal notice with the last annual privacy notice
provided to the consumer before expiration of the opt-out period is a
reasonable period of time before expiration of the opt-out in all
cases.
(d) No effect on opt-out period. An opt-out period may not be
shortened by sending a renewal notice to the consumer before expiration
of the opt-out period, even if the consumer does not renew the opt-out.
Sec. 571.28 Effective date, compliance date, and prospective
application.
(a) Effective date. This subpart is effective January 1, 2008.
(b) Mandatory compliance date. Compliance with this subpart is
required not later than October 1, 2008.
(c) Prospective application. The provisions of this subpart shall
not prohibit you from using eligibility information that you receive
from an affiliate to make solicitations to a consumer if you receive
such information prior to October 1, 2008. For purposes of this
section, you are deemed to receive eligibility information when such
information is placed into a common database and is accessible by you.
0
4. Add and reserve Appendixes A and B to part 571, and add a new
Appendix C to part 571 to read as follows:
Appendix C To Part 571--Model Forms for Opt-Out Notices
a. Although use of the model forms is not required, use of the
model forms in this Appendix (as applicable) complies with the
requirement in section 624 of the Act for clear, conspicuous, and
concise notices.
b. Certain changes may be made to the language or format of the
model forms without losing the protection from liability afforded by
use of the model forms. These changes may not be so extensive as to
affect the substance, clarity, or meaningful sequence of the
language in the model forms. Persons making such extensive revisions
will lose the safe harbor that this Appendix provides. Acceptable
changes include, for example:
1. Rearranging the order of the references to ``your income,''
``your account history,'' and ``your credit score.''
2. Substituting other types of information for ``income,''
``account history,'' or ``credit score'' for accuracy, such as
``payment history,'' ``credit history,'' ``payoff status,'' or
``claims history.''
3. Substituting a clearer and more accurate description of the
affiliates providing or covered by the notice for phrases such as
``the [ABC] group of companies,'' including without limitation a
statement that the entity providing the notice recently purchased
the consumer's account.
4. Substituting other types of affiliates covered by the notice
for ``credit card,'' ``insurance,'' or ``securities'' affiliates.
5. Omitting items that are not accurate or applicable. For
example, if a person does not limit the duration of the opt-out
period, the notice may omit information about the renewal notice.
6. Adding a statement informing consumers how much time they
have to opt out before shared eligibility information may be used to
make solicitations to them.
7. Adding a statement that the consumer may exercise the right
to opt out at any time.
8. Adding the following statement, if accurate: ``If you
previously opted out, you do not need to do so again.''
9. Providing a place on the form for the consumer to fill in
identifying information, such as his or her name and address:
C-1 Model Form for Initial Opt-out Notice (Single-Affiliate Notice)
C-2 Model Form for Initial Opt-out Notice (Joint Notice)
C-3 Model Form for Renewal Notice (Single-Affiliate Notice)
C-4 Model Form for Renewal Notice (Joint Notice)
C-5 Model Form for Voluntary ``No Marketing'' Notice
C-1--Model Form for Initial Opt-out Notice (Single-Affiliate
Notice)--[Your Choice To Limit Marketing]/[Marketing Opt-out]
[Name of Affiliate] is providing this notice.
[Optional: Federal law gives you the right to limit
some but not all marketing from our affiliates. Federal law also
requires us to give you this notice to tell you about your choice to
limit marketing from our affiliates.]
You may limit our affiliates in the [ABC] group of
companies, such as our [credit card, insurance, and securities]
affiliates, from marketing their products or services to you based
on your personal information that we collect and share with them.
This information includes your [income], your [account history with
us], and your [credit score].
Your choice to limit marketing offers from our
affiliates will apply [until you tell us to change your choice]/[for
x years from when you tell us your choice]/[for at least 5 years
from when you tell us your choice]. [Include if the opt-out period
expires.] Once that period expires, you will receive a renewal
notice that will allow you to continue to limit marketing offers
from our affiliates for [another x years]/[at least another 5
years].
[Include, if applicable, in a subsequent notice,
including an annual notice, for consumers who may have previously
opted out.] If you have already made a choice to limit marketing
offers from our affiliates, you do not need to act again until you
receive the renewal notice.
To limit marketing offers, contact us [include all that apply]:
By telephone: 1-877--
On the Web: www.---.com
By mail: Check the box and complete the form below, and
send the form to:
[Company name]
[Company address]
--Do not allow your affiliates to use my personal information to
market to me.
C-2--Model Form for Initial Opt-out Notice (Joint Notice)--[Your
Choice To Limit Marketing]/[Marketing Opt-out]
The [ABC group of companies] is providing this notice.
[Optional: Federal law gives you the right to limit
some but not all marketing from the [ABC] companies. Federal law
also requires us to give you this notice to tell you about your
choice to limit marketing from the [ABC] companies.]
You may limit the [ABC] companies, such as the [ABC
credit card, insurance, and securities] affiliates, from marketing
their products or services to you based on your personal information
that they receive from other [ABC] companies. This information
includes your [income], your [account history], and your [credit
score].
Your choice to limit marketing offers from the [ABC]
companies will apply [until you tell us to change your choice]/[for
x years from when you tell us your choice]/[for at least 5 years
from when you tell us your choice]. [Include if the opt-out period
expires.] Once that period expires, you will receive a renewal
notice that will allow you to continue to limit marketing offers
from the [ABC] companies for [another x years]/[at least another 5
years].
[Include, if applicable, in a subsequent notice,
including an annual notice, for consumers who may have previously
opted out.] If you have already made a choice to limit marketing
offers from the [ABC] companies, you do not need to act again until
you receive the renewal notice.
To limit marketing offers, contact us [include all that apply]:
By telephone: 1-877-