Creation of a Required Gramm-Leach-Bliley Privacy Disclosure Form
I. Introduction
On July 1, 2001, the consumer privacy provisions of the Gramm-Leach-Bliley Act ("Act") took effect. The Act requires certain businesses to make specified disclosures to consumers about how they collect and use nonpublic personal information about consumers. In general, those whose business activities involve providing a financial product or service, as defined in the Act, will be required to make the privacy disclosures. Providers of real estate brokerage and property management services are not covered by the Act and do not have to make such disclosures. Appraisers who contract with consumers directly to do appraisals, mortgage lenders, and parties providing real estate settlement services (not including brokerage) are covered and must provide the required disclosures. For more information about who the Act covers, see the summary posted in The Letter of the Law. This article will attempt to offer some guidance as to the type of disclosure form required by the Act.
Unlike many other disclosures required by federal law, there is no standardized disclosure form. Instead, the regulations include sample clauses showing examples of disclosures required by the Act. Each business to which the Act applies, however, must make an independent determination of the disclosures it is required to make, depending on its particular business activities and practices. Consultation with counsel at all of the above stages is strongly recommended.
II. Information that Disclosure Form Must Address
Every business subject to the Act's requirements must create a form that reflects its disclosure practices. The Act states that there are potentially nine items that such disclosures must address, some of which must be included and others which must be included only if they are applicable to the business making the disclosure. Thus, the content of disclosures will vary, depending on the facts and circumstances of each business. The items to be disclosed are the following:
(1) the categories of nonpublic personal information you collect;
(2) the categories of nonpublic information you disclose;
(3) the categories of affiliated and nonaffiliated third parties to whom you disclose nonpublic personal information;
(4) the categories of nonpublic personal information you disclose about former customers and the affiliated and unaffiliated third parties to whom the information is disclosed;
(5) if you disclose nonpublic personal information to a nonaffiliated third party under the marketing services exemption (and no other exemption applies), the categories of information and the categories of third parties with whom you have contracted;
(6) an explanation of the consumer's right to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the method(s) of doing so;
(7) your policies and practices with respect to protecting the confidentiality, security and integrity of nonpublic personal information;
(8) any notices regarding the ability to opt out of disclosures of information among affiliates under the Fair Credit Reporting Act;
(9) disclosure if you are making any disclosure permitted by this law.
III. Sample Disclosure Clauses Provided in the Regulations
The regulations provide some sample clauses that may be used to satisfy the Act's disclosure requirements. The sample clauses contained in the regulations are listed in bold below. If these clauses are used, they must nevertheless be revised and shaped as necessary to conform to the particular practices of the business making the disclosures, rather than simply being reproduced. Every disclosure form will need to address the sources of consumer information that is collected, the company's disclosure policies, and the practices used to protect the security of the collected information. When a business shares consumers' nonpublic personal information with third parties, the disclosures must also describe the business's sharing practices and an "opt-out" provision must be provided to the consumer.
Note that these sample clauses are offered for use in creating a disclosure form, and are not intended to serve as the disclosure form. Consultation with an attorney when preparing a disclosure form is strongly recommended.
IV. Sample Disclosure Form Provisions
A. Items of Information Included in the Disclosures of All Covered Businesses:
1. Source of Consumer Information
The source of consumer information must be identified in every required disclosure form. In most forms, this will describe the sources from which the business collects a consumer's nonpublic personal information. The form need not identify the specific sources, only the types or categories of sources. Below is the sample clause provided in the regulation:
We collect nonpublic personal information about you from the following sources:
Information we receive from you on applications or other forms;
Information about your transactions with us, our affiliates, or others; and
Information we receive from a consumer reporting agency.
2. Policy Protecting Consumer Information
All disclosure forms must include a description of the business's policies and practices regarding the protection of a consumer's nonpublic personal information. The clause below is the example used in the regulations:
We restrict access to nonpublic personal information about you to [provide an appropriate description, such as "those employees who need to know that information to provide products or services to you"]. We maintain physical, electronic, and procedural safeguards that comply with federal regulations to guard your nonpublic personal information.
B. Businesses Who Do Not Share Consumer Information with Third Parties
The simplest situation is a business which is required to make consumer privacy disclosures under the Act but which does not disclose to any third parties nonpublic personal information about its current or former customers. In that instance, the business can satisfy the second, third and fourth elements of the disclosure requirements with a clause like the following:
We do not disclose any nonpublic personal information about our customers or former customers to anyone, except as permitted by law.
C. Businesses Who Share Consumer Nonpublic Personal Information with Third Parties
The following four items of information must be addressed in the disclosures of businesses that share consumer nonpublic personal information with third parties:
1. Disclosure of Type of Nonpublic Personal Information Being Shared
If a business shares nonpublic personal information regarding consumers or customers (other than as permitted by one of the exceptions), then it must identify both the type of information disclosed and the source of that information. Below are two alternatives contained in the regulations demonstrating how this might be accomplished:
Alternative 1
We may disclose the following kinds of nonpublic personal information about you:
Information we receive from you on applications or other forms, such as [provide illustrative examples, such as "your name, address, social security number, assets, and income"];
Information about your transactions with us, our affiliates, or others, such as [provide illustrative examples, such as "your account balance, payment history, parties to transactions, and credit card usage"]; and
Information we receive from a consumer reporting agency, such as [provide illustrative examples, such as "your creditworthiness and credit history"].
Alternative 2
We may disclose all of the information that we collect, as described [describe location in the notice, such as "above" or "below"].
2. Disclosure of Who Receives Nonpublic Personal Information
If a business shares nonpublic personal information (other than as permitted by one of the exceptions), the requirement to identify to whom the disclosure was made may be satisfied with the following:
We may disclose nonpublic personal information about you to the following types of third parties:
Financial service providers, such as [provide illustrative examples, such as "mortgage bankers, securities broker-dealers, and insurance agents"];
Non-financial companies, such as [provide illustrative examples, such as "retailers, direct marketers, airlines, and publishers"]; and
Others, such as [provide illustrative examples, such as "non-profit organizations"].
We may also disclose nonpublic personal information about you to nonaffiliated third parties as permitted by law.
3. Disclosure Made Pursuant to an Exception
An exception exists for businesses that use third parties for marketing, or that have "joint marketing agreements" with third parties. Such businesses must identify the categories of nonpublic personal information shared with these third parties and also the types of third parties with whom the business has contracted. Below are two sample clauses:
Alternative 1
We may disclose the following information to companies that perform marketing services on our behalf or to other financial institutions with whom we have joint marketing agreements:
Information we receive from you on applications or other forms, such as [provide illustrative examples, such as "your name, address, social security number, assets, and income"];
Information about your transactions with us, our affiliates, or others, such as [provide illustrative examples, such as "your account balance, payment history, parties to transactions, and credit card usage"]; and
Information we receive from a consumer reporting agency, such as [provide illustrative examples, such as "your creditworthiness and credit history"].
Alternative 2
We may disclose all of the information we collect, as described [describe location in the notice, such as "above" or "below"] to companies that perform marketing services on our behalf or to other financial institutions with whom we have joint marketing agreements.
4. Consumer "Opt-Out" Provision
Businesses that share consumer nonpublic personal information (other than as permitted by one of the exceptions) with third parties must give consumers the right to "opt-out" of the program. Below is the clause contained in the regulations to accomplish that result:
If you prefer that we not disclose nonpublic personal information about you to nonaffiliated third parties, you may opt out of those disclosures, that is, you may direct us not to make those disclosures (other than disclosures permitted by law). If you wish to opt out of disclosures to nonaffiliated third parties, you may [describe a reasonable means of opting out, such as "call the following toll-free number: (insert number)"].
V. Conclusion
The foregoing is intended only to assist those businesses to which the Act applies in creating a required disclosure form. It will still be necessary for each business covered under the regulation to develop its own form that conforms to its particular information practices regarding the collection of consumers' nonpublic personal information. Consultation with an attorney is strongly recommended.