[Federal Register: October 30, 2007 (Volume 72, Number 209)]
[Rules and Regulations]
[Page 61423-61464]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr30oc07-14]
[[Page 61423]]
-----------------------------------------------------------------------
Part II
Federal Trade Commission
-----------------------------------------------------------------------
16 CFR Parts 680 and 698
Affiliate Marketing Rule; Final Rule
[[Page 61424]]
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
16 CFR Parts 680 and 698
[Regulation No. 411006]
RIN 3084-AA94
Affiliate Marketing Rule
AGENCY: Federal Trade Commission
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Federal Trade Commission (FTC or Commission) is publishing
a final rule to implement the affiliate marketing provisions in section
214 of the Fair and Accurate Credit Transactions Act of 2003, which
amends the Fair Credit Reporting Act. The final rule generally
prohibits a person from using information received from an affiliate to
make a solicitation for marketing purposes to a consumer, unless the
consumer is given notice and a reasonable opportunity and a reasonable
and simple method to opt out of the making of such solicitations. The
FACT Act requires certain other federal agencies to publish similar
rules, and mandates that the FTC and other agencies consult and
cooperate so that their regulations implementing this provision are
consistent and comparable with one another.
DATES: This rule is effective on January 1, 2008. The mandatory
compliance date for this rule is October 1, 2008.
FOR FURTHER INFORMATION CONTACT: Loretta Garrison and Anthony
Rodriguez, Attorneys, Federal Trade Commission, (202) 326-2252,
Division of Privacy and Identity Protection, Federal Trade Commission,
601 New Jersey Avenue, NW, Washington, DC 20580.
SUPPLEMENTARY INFORMATION:
I. Background
The Fair Credit Reporting Act
The Fair Credit Reporting Act (FCRA or Act), which was enacted in
1970, sets standards for the collection, communication, and use of
information bearing on a consumer's credit worthiness, credit standing,
credit capacity, character, general reputation, personal
characteristics, or mode of living. 15 U.S.C. 1681-1681x. In 1996, the
Consumer Credit Reporting Reform Act extensively amended the FCRA. Pub.
L. 104-208, 110 Stat. 3009.
The FCRA, as amended, provides that a person may communicate to an
affiliate or a non-affiliated third party information solely as to
transactions or experiences between the consumer and the person without
becoming a consumer reporting agency.\1\ In addition, the communication
of such transaction or experience information among affiliates will not
result in any affiliate becoming a consumer reporting agency. See FCRA
Sec. Sec. 603(d)(2)(A)(i) and (ii).
---------------------------------------------------------------------------
\1\ The FCRA creates substantial obligations for a person that
meets the definition of a ``consumer reporting agency'' in section
603(f) of the statute.
---------------------------------------------------------------------------
Section 603(d)(2)(A)(iii) of the FCRA provides that a person may
communicate ``other'' information--that is, information that is not
transaction or experience information--among its affiliates without
becoming a consumer reporting agency if it is clearly and conspicuously
disclosed to the consumer that such information may be communicated
among affiliates and the consumer is given an opportunity, before the
information is communicated, to ``opt out'' or direct that the
information not be communicated among such affiliates, and the consumer
has not opted out.
The Fair and Accurate Credit Transactions Act of 2003
The President signed into law the Fair and Accurate Credit
Transactions Act of 2003 (FACT Act) on December 4, 2003. Pub. L. 108-
159, 117 Stat. 1952. In general, the FACT Act amends the FCRA to
enhance the ability of consumers to combat identity theft, increase the
accuracy of consumer reports, restrict the use of medical information
in credit eligibility determinations, and allow consumers to exercise
greater control regarding the type and number of solicitations they
receive.
Section 214 of the FACT Act added a new section 624 to the FCRA.
This provision gives consumers the right to restrict a person from
using certain information obtained from an affiliate to make
solicitations to that consumer. Section 624 generally provides that if
a person receives certain consumer eligibility information from an
affiliate, the person may not use that information to make
solicitations to the consumer about its products or services, unless
the consumer is given notice and an opportunity and a simple method to
opt out of such use of the information, and the consumer does not opt
out. The statute also provides that section 624 does not apply, for
example, to a person using eligibility information: (1) to make
solicitations to a consumer with whom the person has a pre-existing
business relationship; (2) to perform services for another affiliate
subject to certain conditions; (3) in response to a communication
initiated by the consumer; or (4) to make a solicitation that has been
authorized or requested by the consumer. Unlike the FCRA affiliate
sharing opt-out and the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq.,
(GLBA) non-affiliate sharing opt-out, which apply indefinitely, section
624 provides that a consumer's affiliate marketing opt-out election
must be effective for a period of at least five years. Upon expiration
of the opt-out period, the consumer must be given a renewal notice and
an opportunity to renew the opt-out before information received from an
affiliate may be used to make solicitations to the consumer.
Section 624 governs the use of information by an affiliate, not the
sharing of information among affiliates, and thus is distinct from the
affiliate sharing opt-out under section 603(d)(2)(A)(iii) of the FCRA.
Nevertheless, the affiliate marketing and affiliate sharing opt-outs
and the information subject to the two opt-outs overlap to some extent.
As noted above, the FCRA allows transaction or experience information
to be shared among affiliates without giving the consumer notice and an
opportunity to opt out, but provides that ``other'' information, such
as information from credit reports and credit applications, may not be
shared among affiliates without giving the consumer notice and an
opportunity to opt out. The new affiliate marketing opt-out applies to
both transaction or experience information and ``other'' information.
Thus, certain information will be subject to two opt-outs, a sharing
opt-out and a marketing use opt-out.
Section 214(b) of the FACT Act requires the FTC, the Federal
banking agencies,\2\ the Securities and Exchange Commission (SEC), and
the National Credit Union Administration (NCUA) to prescribe
regulations, in consultation and coordination with each other, to
implement the FCRA's affiliate marketing opt-out provisions. In
adopting its regulation, the Commission must ensure that the affiliate
marketing notification methods provide a simple means for consumers to
make choices under section 624, consider the affiliate sharing
notification practices employed on the date of enactment by persons
subject to section 624, and ensure that notices may be coordinated and
consolidated with other notices required by law.
---------------------------------------------------------------------------
\2\ The Federal banking agencies are the Board of Governors of
the Federal Reserve System (Board), the Office of the Comptroller of
the Currency (OCC), the Federal Deposit Insurance Corporation
(FDIC), and the Office of Thrift Supervision (OTS).
---------------------------------------------------------------------------
[[Page 61425]]
II. The Proposed Regulation
The Commission published its notice of proposed rulemaking in the
Federal Register on June 15, 2004 (69 FR 33324) to implement section
214 of the FACT Act.\3\
---------------------------------------------------------------------------
\3\ On July 15, 2004, the Federal banking agencies and the NCUA
published their proposed affiliate marketing rule in the Federal
Register (69 FR 42502). The SEC published its proposed affiliate
marketing rule in the Federal Register on July 14, 2004 (69 FR
42301).
---------------------------------------------------------------------------
The proposal defined the key terms ``pre-existing business
relationship'' and ``solicitation'' essentially as defined in the
statute. The Commission did not propose to include additional
circumstances within the meaning of ``pre-existing business
relationship'' or other types of communications within the meaning of
``solicitation.''
To address the scope of the affiliate marketing opt-out, the
proposal defined ``eligibility information'' to mean any information
the communication of which would be a ``consumer report'' if the
statutory exclusions from the definition of ``consumer report'' in
section 603(d)(2)(A) of the FCRA for transaction or experience
information and for ``other'' information that is subject to the
affiliate-sharing opt-out did not apply. The Commission substituted the
term ``eligibility information'' for the more complicated statutory
language regarding the communication of information that would be a
consumer report, but for clauses (i), (ii), and (iii) of section
603(d)(2)(A) of the FCRA.\4\ In addition, the proposal incorporated
each of the scope limitations contained in the statute, such as the
pre-existing business relationship exception.
---------------------------------------------------------------------------
\4\ Under section 603(d)(1) of the FCRA, a ``consumer report''
means any written, oral, or other communication of any information
by a consumer reporting agency bearing on a consumer's credit
worthiness, credit standing, credit capacity, character, general
reputation, personal characteristics, or mode of living which is
used or expected to be used or collected in whole or in part for the
purpose of serving as a factor in establishing the consumer's
eligibility for credit or insurance to be used primarily for
personal, family, or household purposes, employment purposes, or any
other purpose authorized in section 604 of the FCRA. 15 U.S.C.
1681a(d).
---------------------------------------------------------------------------
Section 624 does not state which affiliate must give the consumer
the affiliate marketing opt-out notice. The proposal provided that the
person communicating information about a consumer to its affiliate
would be responsible for satisfying the notice requirement, if
applicable. A rule of construction provided flexibility to allow the
notice to be given by the person that communicates information to its
affiliate, by the person's agent, or through a joint notice with one or
more other affiliates. The Commission designed this approach to provide
flexibility and to facilitate the use of a single coordinated notice,
while taking into account existing affiliate sharing notification
practices. At the same time, the approach sought to ensure that the
notice would be effective because it generally would be provided by or
on behalf of an entity from which the consumer would expect to receive
important notices, and would not be provided along with solicitations.
The proposal also provided guidance on the contents of the opt-out
notice, what constitutes a reasonable opportunity to opt out,
reasonable and simple methods of opting out, and the delivery of opt-
out notices. Finally, the proposal provided guidance on the effect of
the limited duration of the opt-out and the requirement to provide an
extension notice upon expiration of the opt-out period.
III. Overview of Comments Received
The Commission received 49 comments. In addition, the Commission
considered the comments submitted to the Federal banking agencies, the
NCUA, and the SEC. Many commenters sent copies of the same letter to
more than one agency. The Commission received comments from a variety
of banks, thrifts, credit unions, credit card companies, mortgage
lenders, other non-bank creditors, and industry trade associations. The
Commission also received comments from consumer groups, the National
Association of Attorneys General (``NAAG''), and individual consumers.
Most industry commenters objected to several key aspects of the
proposal. The most significant areas of concern raised by industry
commenters related to which affiliate would be responsible for
providing the notice, the scope of certain exceptions to the notice and
opt-out requirement, and the content or the inclusion of definitions
for terms such as ``clear and conspicuous'' and ``pre-existing business
relationship.'' Consumer groups and NAAG generally supported the
proposal, although these commenters believed that the proposal could be
strengthened in certain respects. A more detailed discussion of the
comments is contained in the Section-by-Section Analysis below.
IV. Section-by-Section Analysis
Section 680.1 Purpose and Scope
Section 680.1 of the proposal set forth the purpose and scope of
the regulation. The Commission received few comments on this section.
Section 680.1(b) of the final rule identifies the persons covered by
this part of the Commission's rule.
Section 680.2 Examples
Proposed Sec. 680.2 described the scope and effect of the examples
included in the proposed rule. Most commenters supported the proposed
use of non-exclusive examples to illustrate the operation of the rule.
One commenter, concerned that the use of examples would increase the
risk of litigation, urged the Commission to delete all examples.
The Commission does not believe the use of illustrative examples
will materially increase the risk of litigation, but rather will
provide useful guidance for compliance purposes, which may alleviate
litigation risks for institutions.
As Sec. 680.2 states, examples in a paragraph illustrate only the
issue described in the paragraph and do not illustrate any other issue
that may arise in the part. Similarly, the examples do not illustrate
any issues that may arise under other laws or regulations.
Section 680.3 Definitions
Section 680.3 of the proposal contained definitions for the
following terms: ``Act,'' ``affiliate'' (as well as the related terms
``company'' and ``control''); ``clear and conspicuous''; ``consumer'';
``eligibility information''; ``person''; ``pre-existing business
relationship''; ``solicitation''; and, ``you.''
Those definitions that elicited comment are discussed below.
Affiliate, Common Ownership or Common Corporate Control, and Company
The proposed rule included definitions for ``affiliate'' as well as
for the related terms ``control'' and ``company.'' For the reasons
discussed below, the final rule substituted ``common ownership or
common corporate control'' as a substitute for the definition of
``control,'' and renumbered it as Sec. 680.3(d). The term ``company''
is renumbered as Sec. 680.3(e).
Several FCRA provisions apply to information sharing with persons
``related by common ownership or affiliated by corporate control,''
``related by common ownership or affiliated by common corporate
control,'' or ``affiliated by common ownership or common corporate
control.'' E.g., FCRA, sections 603(d)(2), 615(b)(2), and 625(b)(2).
Each of these provisions was enacted as part of the 1996 amendments to
the FCRA. Similarly, section 2 of the FACT Act defines the term
``affiliate'' to mean ``persons that are related by common ownership or
affiliated by
[[Page 61426]]
corporate control.'' In contrast, the GLBA defines ``affiliate'' to
mean ``any company that controls, is controlled by, or is under common
control with another company.'' See 15 U.S.C. 6809(6).
In the proposal, the Commission sought to harmonize the various
FCRA and FACT Act formulations by defining ``affiliate'' to mean ``any
person that is related by common ownership or common corporate control
with another person.'' Industry commenters generally supported the
Commission's goal of harmonizing the various FCRA definitions of
``affiliate'' for consistency. Many of these commenters, however,
believed that the most effective way to do this was for the Commission
to incorporate into the FCRA the definition of ``affiliate'' used in
the GLBA privacy regulations. In addition, a few industry commenters
urged the Commission to incorporate into the definition of
``affiliate'' certain concepts from California's Financial Information
Privacy Act so as to exempt certain classes of corporate affiliates
from the restrictions on affiliate sharing or marketing.\5\
---------------------------------------------------------------------------
\5\ These commenters noted that the California law places no
restriction on information sharing among affiliates if they: (1) are
regulated by the same or similar functional regulators; (2) are
involved in the same broad line of business, such as banking,
insurance, or securities; and (3) share a common brand identity.
---------------------------------------------------------------------------
The Commission does not believe there is a substantive difference
between the FACT Act definition of ``affiliate'' and the definition of
``affiliate'' in section 509 of the GLBA. The Commission is not aware
of any circumstances in which two entities would be affiliates for
purposes of the FCRA but not for purposes of the GLBA privacy rule, or
vice versa. Also, even though affiliated entities have had to comply
with different FCRA and GLBA formulations of the ``affiliate''
definition since 1999, commenters did not identify any specific
compliance difficulties or uncertainty resulting from the fact that the
two statutes use somewhat different wording to describe what
constitutes an affiliate.
Consistent with the definition of ``affiliate'' adopted by the
Federal banking agencies in the final medical information rules, the
Commission declines to incorporate into the definition of ``affiliate''
exceptions for entities regulated by the same or similar functional
regulators, entities in the same line of business, or entities that
share a common brand or identity. See 70 FR 70664-70665 (Nov. 22,
2005). These exceptions were incorporated into the California Financial
Information Privacy Act in August 2003.\6\ Congress, however, did not
incorporate these exceptions from California law into the definition of
``affiliate'' when it enacted the FACT Act at the end of 2003.
Accordingly, the Commission believes that the approach adopted here
best effectuates the intent of Congress.
---------------------------------------------------------------------------
\6\ See Cal. Financial Code Sec. 4053(c).
---------------------------------------------------------------------------
Under the GLBA privacy rule, the definition of ``control''
determines whether two or more entities meet the definition of
``affiliate.''\7\ The Commission included the same definition of
``control'' in the proposal and received no comments on the proposed
definition. The Commission interprets the phrase ``related by common
ownership or common corporate control'' used in the FACT Act to have
the same meaning as ``control'' in the GLBA privacy rule. For example,
if an individual owns 25 percent of two companies, the companies would
be affiliates under both the GLBA and FCRA definitions. However, the
individual would not be considered an affiliate of the companies
because the definition of ``affiliate'' is limited to companies.
---------------------------------------------------------------------------
\7\ See 16 C.F.R. 313.3(g).
---------------------------------------------------------------------------
The proposal also defined the term ``company'' to mean any
corporation, limited liability company, business trust, general or
limited partnership, association, or similar organization. The proposed
definition of ``company'' excluded some entities that are ``persons''
under the FCRA, including estates, cooperatives, and governments or
governmental subdivisions or agencies, as well as individuals.
Clear and Conspicuous
Proposed Sec. 680.3(c) defined the term ``clear and conspicuous''
to mean reasonably understandable and designed to call attention to the
nature and significance of the information presented. Under this
definition, institutions would retain flexibility in determining how
best to meet the clear and conspicuous standard. The supplementary
information to the proposal provided guidance regarding a number of
practices that institutions might wish to consider in making their
notices clear and conspicuous. These practices were derived largely
from guidance included in the GLBA privacy rule.
Industry commenters urged the Commission not to define ``clear and
conspicuous'' in the final rule. The principal objection these
commenters raised was that this definition would significantly increase
the risk of litigation and civil liability. Although these commenters
recognized that the proposed definition was derived from the GLBA
privacy regulations, they noted that compliance with the GLBA privacy
regulations is enforced exclusively through administrative action, not
through private litigation. These commenters also stated that the
Federal Reserve Board had withdrawn a similar proposal to define
``clear and conspicuous'' for purposes of Regulations B, E, M, Z, and
DD, in part because of concerns about civil liability. Some industry
commenters believed that it was not necessary to define the term in
order for consumers to receive clear and conspicuous disclosures based
on industry's experience in providing clear and conspicuous affiliate
sharing opt-out notices. Consumer groups believed that incorporation of
the standard and examples from the GLBA privacy regulations was not
adequate because they did not believe that the existing standard has
proven sufficient to ensure effective privacy notices.
Except for certain non-substantive changes made for purposes of
clarity, the definition of ``clear and conspicuous'' is the same as in
the proposal and is substantively the same as the definition used in
the GLBA privacy rule. The Commission believes that the clear and
conspicuous standard for the affiliate marketing opt-out notices should
be substantially similar to the standard that applies to GLBA privacy
notices because the affiliate marketing opt-out notice may be provided
on or with the GLBA privacy notice.
In defining ``clear and conspicuous,'' the Commission believes it
is more appropriate to focus on the affiliate marketing opt-out notices
that are the subject of this rulemaking, rather than adopting a
generally applicable definition governing all consumer disclosures
under the FCRA. This approach gives the Commission the flexibility to
refine or clarify the clear and conspicuous requirement for different
disclosures, if necessary.
The statute directs the Commission to provide specific guidance
regarding how to comply with the clear and conspicuous standard. See 15
U.S.C. 1681s-3(a)(2)(B). For that reason, the Commission does not agree
with commenters that requested the elimination of the definition of
``clear and conspicuous'' and related guidance. Rather, the Commission
believes it is necessary to define ``clear and conspicuous'' in the
final rule and provide specific guidance for how to satisfy that
standard in connection with this notice.
[[Page 61427]]
Accordingly, the final rule contains two types of specific guidance
on satisfying the requirement to provide a clear and conspicuous opt-
out notice. First, as in the proposal, the supplementary information to
the final rule describes certain techniques that may be used to make
notices clear and conspicuous. These techniques are described below.
Second, the Commission has adopted model forms that may, but are not
required to, be used to facilitate compliance with the affiliate
marketing notice requirements. The requirement for clear and
conspicuous notices would be satisfied by the appropriate use of one of
the model forms.
As noted in the supplementary information to the proposal,
institutions may wish to consider a number of methods to make their
notices clear and conspicuous. The various methods described below for
making a notice clear and conspicuous are suggestions that institutions
may wish to consider in designing their notices. Use of any of these
methods alone or in combination is voluntary. Institutions are not
required to use any particular method or combination of methods to make
their disclosures clear and conspicuous. Rather, the particular facts
and circumstances will determine whether a disclosure is clear and
conspicuous.
A notice or disclosure may be made reasonably understandable
through various methods that include: using clear and concise
sentences, paragraphs, and sections; using short explanatory sentences;
using bullet lists; using definite, concrete, everyday words; using
active voice; avoiding multiple negatives; avoiding legal and highly
technical business terminology; and avoiding explanations that are
imprecise and are readily subject to different interpretations. In
addition, a notice or disclosure may be designed to call attention to
the nature and significance of the information in it through various
methods that include: using a plain-language heading; using a typeface
and type size that are easy to read; using wide margins and ample line
spacing; and using boldface or italics for key words. Further,
institutions that provide the notice on a Web page may use text or
visual cues to encourage scrolling down the page, if necessary, to view
the entire notice and may take steps to ensure that other elements on
the Web site (such as text, graphics, hyperlinks, or sound) do not
distract attention from the notice. When a notice or disclosure is
combined with other information, methods for designing the notice or
disclosure to call attention to the nature and significance of the
information in it may include using distinctive type sizes, styles,
fonts, paragraphs, headings, graphic devices, and appropriate groupings
of information. However, there is no need to use distinctive features,
such as distinctive type sizes, styles, or fonts, to differentiate an
affiliate marketing opt-out notice from other components of a required
disclosure, for example, where a GLBA privacy notice combines several
opt-out disclosures in a single notice. Moreover, nothing in the clear
and conspicuous standard requires segregation of the affiliate
marketing opt-out notice when it is combined with a GLBA privacy notice
or other required disclosures.
The Commission recognizes that it will not be feasible or
appropriate to incorporate all of the methods described above all the
time. The Commission recommends, but does not require, that
institutions consider the methods described above in designing their
opt-out notices. The Commission also encourages the use of consumer or
other readability testing to devise notices that are understandable to
consumers.
Finally, although the Commission understands the concerns of some
industry commenters about the potential for civil liability, the
Commission believes that these concerns are mitigated by the safe
harbors afforded by the model forms in Appendix C to Part 698. The
Commission notes that the affiliate sharing opt-out notice under
section 603(d)(2)(A)(iii) of the FCRA, which may be enforced through
private rights of action, must be included in the GLBA privacy notice.
Therefore, the affiliate sharing opt-out notice generally is disclosed
in a manner consistent with the clear and conspicuous standard set
forth in the GLBA privacy regulations. Commenters did not identify any
litigation that has resulted from the requirement to provide a clear
and conspicuous affiliate sharing opt-out notice. The Commission
believes that compliance with the examples and use of the model forms,
although optional, should minimize the risk of litigation.
Concise
Proposed Sec. 680.21(b) defined the term ``concise'' to mean a
reasonably brief expression or statement. The proposal also provided
that a notice required by this part may be concise even if it is
combined with other disclosures required or authorized by federal or
state law. Such disclosures include, but are not limited to, a GLBA
privacy notice, an affiliate sharing notice under section
603(d)(2)(A)(iii) of the FCRA, and other consumer disclosures. Finally,
the proposal clarified that the requirement for a concise notice would
be satisfied by the appropriate use of one of the model forms contained
in proposed Appendix A to the Commission's rule, although use of the
model forms is not required. The Commission received no comments on the
proposed definition of ``concise.'' The final rule renumbers the
definition of ``concise'' as Sec. 680.3(f). The reference to the model
forms has been moved to Appendix C to Part 698, but otherwise the
definition is adopted as proposed.
Consumer
Proposed paragraph (e) defined the term ``consumer'' to mean an
individual. This definition is identical to the definition of
``consumer'' in section 603(c) of the FCRA.
Several commenters asked the Commission to narrow the proposed
definition to apply only to individuals who obtain financial products
or services primarily for personal, family, or household purposes, in
part to achieve consistency with the definition of ``consumer'' in the
GLBA. The FCRA's definition of ``consumer,'' however, differs from, and
is broader than, the definition of that term in the GLBA. The
Commission believes that the use of distinct definitions of
``consumer'' in the two statutes reflects differences in the scope and
objectives of each statute. For purposes of this definition, an
individual acting through a legal representative would qualify as a
consumer. The final rule renumbers ``consumer'' as Sec. 680.3(g) but
otherwise adopts it without change.
Eligibility Information
Proposed Sec. 680.3(g) defined the term ``eligibility
information'' to mean any information the communication of which would
be a consumer report if the exclusions from the definition of
``consumer report'' in section 603(d)(2)(A) of the FCRA did not apply.
As proposed, eligibility information would include a person's own
transaction or experience information, such as information about a
consumer's account history with that person, and ``other'' information
under section 603(d)(2)(A)(iii), such as information from consumer
reports or applications.
Most commenters generally supported the proposed definition of
``eligibility information'' as an appropriate means of simplifying the
statutory terminology without changing the scope of the information
covered by the rule. A number of commenters requested that the
Commission clarify that certain types of information do not constitute
eligibility information, such as name,
[[Page 61428]]
address, telephone number, Social Security number, and other
identifying information. One commenter requested the exclusion of
publicly available information from the definition. Another commenter
requested additional clarification regarding the term ``transaction or
experience information.'' A few commenters suggested that the
Commission include examples of what is and is not included within
``eligibility information.'' Finally, one commenter urged the
Commission to revise the definition to restate much of the statutory
definition of ``consumer report'' to eliminate the need for cross-
references.
The final rule renumbers the definition of ``eligibility
information'' as 680.3(h). The Commission has revised the definition to
clarify that the term ``eligibility information'' does not include
aggregate or blind data that does not contain personal identifiers.
Examples of personal identifiers include account numbers, names, or
addresses, as indicated in the definition, as well as Social Security
numbers, driver's license numbers, telephone numbers, or other types of
information that, depending on the circumstances or when used in
combination, could identify the individual.
The Commission also believes that further clarification of, or
exclusions from, the term ``eligibility information,'' such as the
categorical exclusion of names, addresses, telephone numbers, other
identifying information, or publicly available information, would
directly implicate the definitions of ``consumer report'' and
``consumer reporting agency'' in sections 603(d) and (f), respectively,
of the FCRA. The Commission decided not to define the terms ``consumer
report'' and ``consumer reporting agency'' in this rulemaking and not
to interpret the meaning of terms used in those definitions, such as
``transaction or experience'' information. The Commission also notes
that financial institutions have relied on these statutory definitions
for many years.
Person
Proposed paragraph (h) defined the term ``person'' to mean any
individual, partnership, corporation, trust, estate, cooperative,
association, government or governmental subdivision or agency, or other
entity. This definition is identical to the definition of ``person'' in
section 603(b) of the FCRA.
One commenter requested clarification of how the proposed
definition of ``person'' would affect other provisions of the affiliate
marketing rule. Specifically, this commenter asked how the
supplementary information's discussion of agents might affect the scope
provisions of the rule.
The supplementary information to the proposal stated that a person
may act through an agent, including but not limited to a licensed agent
(in the case of an insurance company) or a trustee. The supplementary
information also provided that actions taken by an agent on behalf of a
person that are within the scope of the agency relationship would be
treated as actions of that person. The Commission included these
statements to address comprehensively the status of agents and to
eliminate the need to refer specifically to licensed agents in the
proposed definition of ``pre-existing business relationship.'' As
discussed below, many commenters believed that licensed agents should
be expressly included in the definition of ``pre-existing business
relationship.'' The Commission has revised the final rule in response
to those comments. By specifically addressing licensed agents, the
final rule does not alter the general principles of principal-agent
relationships that apply to all agents, not just licensed agents. The
Commission will treat actions taken by an agent on behalf of a person
that are within the scope of the agency relationship as actions of that
person, regardless of whether the agent is a licensed agent or not. The
final rule renumbers the definition of ``person'' as Sec. 680.3(i).
Pre-Existing Business Relationship
Proposed Sec. 680.3(i) defined the term ``pre-existing business
relationship'' to mean a relationship between a person and a consumer
based on the following: (1) a financial contract between the person and
the consumer that is in force; (2) the purchase, rental, or lease by
the consumer of that person's goods or services, or a financial
transaction (including holding an active account or a policy in force
or having another continuing relationship) between the consumer and
that person, during the 18-month period immediately preceding the date
on which a solicitation covered by this part is sent to the consumer;
or (3) an inquiry or application by the consumer regarding a product or
service offered by that person during the three-month period
immediately preceding the date on which a solicitation covered by this
part is sent to the consumer.
The proposed definition generally tracked the statutory definition
contained in section 624 of the FCRA, with certain revisions for
clarity. Although the statute gave the Commission the authority to
identify by regulation other circumstances that qualify as a pre-
existing business relationship, the Commission did not propose to
exercise this authority. In the final rule, the definition of ``pre-
existing business relationship'' has been renumbered as Sec. 680.3(j).
Industry commenters suggested certain revisions to the proposed
definition of ``pre-existing business relationship.'' Many industry
commenters asked the Commission to include in the definition statutory
language relating to ``a person's licensed agent.'' A number of these
commenters noted that this concept was particularly important to the
insurance industry where independent, licensed agents frequently act as
the main point of contact between the consumer and the insurance
company.
In the final rule, the phrase ``or a person's licensed agent'' has
been added to the definition of ``pre-existing business relationship''
to track the statutory language. For example, assume that a person is a
licensed agent for the affiliated ABC life, auto, and homeowners'
insurance companies. A consumer purchases an ABC auto insurance policy
through the licensed agent. The licensed agent may use eligibility
information about the consumer obtained in connection with the ABC auto
policy it sold to the consumer to market ABC life and homeowner's
insurance policies to the consumer for the duration of the pre-existing
business relationship without offering the consumer the opportunity to
opt out of that use.
Regarding the first basis for a pre-existing business relationship
(a financial contract in force), several industry commenters asked the
Commission to clarify that a financial contract includes any in-force
contract that relates to a financial product or service covered by
title V of the GLBA. One commenter objected to the requirement that the
contract be in force on the date of the solicitation. This commenter
believed that the Commission should interpret the statute to permit the
exception to apply if a contract is in force at the time the affiliate
uses the information, rather than when the solicitation is sent, noting
that there may be a delay between the use and the solicitation.
The Commission has adopted the first prong of the definition of
``pre-existing business relationship'' as proposed. Although a
comprehensive definition of the term ``financial contract'' has not
been included in the final rule, the Commission construes the statutory
term ``financial contract'' at least to include a contract that relates
to a
[[Page 61429]]
consumer's purchase or lease of a financial product or service that a
financial holding company could offer under section 4(k) of the Bank
Holding Company Act of 1956 (12 U.S.C. 1843(k)). In addition, a
financial contract which is in force will, in virtually all instances,
qualify as a ``financial transaction,'' as that term is used in the
second prong of the definition of ``pre-existing business
relationship.'' The Commission does not agree with the suggestion that
the financial contract should be in force on the date of use rather
than on the date the solicitation is sent. The approach taken in the
proposed and final rule is consistent with the approach used in the
other two prongs of the statutory definition.
Industry commenters also suggested certain clarifications to the
second basis for a pre-existing business relationship--a purchase,
rental, or lease by the consumer of the person's goods or services, or
a financial transaction between the consumer and the person during the
preceding 18 months. Several industry commenters noted that,
notwithstanding the example in the proposal regarding a lapsed
insurance policy, it was not clear from what point in time the 18-month
period begins to run in the case of many purchase, rental, lease, or
financial transactions. These commenters asked the Commission to
clarify that the 18-month period begins to run at the time all
contractual responsibilities of either party under the purchase,
rental, lease, or financial transaction expire. In addition, some
commenters indicated that the term ``active account'' should be
clarified to mean any account with outstanding contractual
responsibilities on either side of an account relationship, regardless
of whether specific transactions do or do not occur on that account.
The Commission has adopted the second prong of the definition of
``pre-existing business relationship'' as proposed. The Commission
declines to interpret the term ``active account'' as requested by some
commenters. The Commission notes that section 603(r)(4) of the FCRA
defines the term ``account'' to have the same meaning as in section 903
of the Electronic Fund Transfer Act (EFTA). Under the EFTA, the term
``account'' means a demand deposit, savings deposit, or other asset
account established primarily for personal, family, or household
purposes. Some commenters, however, apparently believed that the term
``active account'' included extensions of credit. Credit extensions
presumably would qualify as ``another continuing relationship,'' as
used in the definition of ``pre-existing business relationship.''
More generally, however, even though a ``financial transaction''
would include in virtually all cases a financial contract which is in
force, as noted above, the Commission does not believe it is
appropriate to state that the 18-month period begins to run when all
outstanding contractual responsibilities of both parties expire,
regardless of whether specific transactions occur. Such a clarification
would not appropriately address circumstances such as charge-offs,
bankruptcies, early terminations, or extended periods of credit
inactivity that could trigger commencement of the 18-month period. In
addition, some contract provisions, such as arbitration clauses and
choice of law provisions, may continue to have legal effect after all
contractual performance has ended. The Commission does not believe that
the continued effectiveness of such provisions should delay
commencement of the 18-month period.
Nevertheless, the Commission believes that a few examples may
provide useful guidance to facilitate compliance. For example, in the
case of a closed-end mortgage or auto loan, the 18-month period
generally would begin to run when the consumer pays off the outstanding
balance on the loan. In a lease or rental transaction, the 18-month
period generally would begin to run when the lease or rental agreement
expires or is terminated by mutual agreement. In the case of general
purpose credit cards that are issued with an expiration date, the 18-
month period generally would begin to run when the consumer pays off
the outstanding balance on the card and the card is either cancelled or
expires without being renewed.
Commenters also made certain suggestions regarding the third basis
for a pre-existing business relationship--an inquiry or application by
the consumer regarding a product or service offered by the person
during the preceding three months. Consumer groups urged the Commission
to clarify that an inquiry must be made of the specific affiliate,
rather than a general inquiry about a product or service. Industry
commenters expressed concern about certain statements in the
supplementary information that explained the meaning of an inquiry.
The Commission does not agree that an inquiry must be made of a
specific affiliate. Many affiliated institutions use a central call
center to handle consumer inquiries. The clarification urged by
consumer groups could preclude the establishment of a pre-existing
business relationship based on a consumer's call to a central call
center about a specific product or service offered by an affiliate.
In the supplementary information to the proposal, the Commission
noted that certain elements of the definition of ``pre-existing
business relationship'' were substantially similar to the definition of
``established business relationship'' under the amended Telemarketing
Sales Rule (TSR) (16 CFR 310.2(n)). The TSR definition was informed by
Congress' intent that the ``established business relationship''
exemption to the ``do not call'' provisions of the Telephone Consumer
Protection Act (47 U.S.C. 227 et seq.) should be grounded on the
reasonable expectations of the consumer.\8\ The Commission observed
that Congress' incorporation of similar language in the definition of
``pre-existing business relationship''\9\ suggested that it would be
appropriate to consider the reasonable expectations of the consumer in
determining the scope of this exception. Thus, the Commission explained
that, for purposes of this regulation, an inquiry would include any
affirmative request by a consumer for information after which the
consumer would reasonably expect to receive information from the
affiliate about its products or services.\10\ Moreover, a consumer
would not reasonably expect to receive information from the affiliate
if the consumer did not request information or did not provide contact
information to the affiliate.
---------------------------------------------------------------------------
\8\ H.R. Rep. No. 102-317, at 14-15 (1991). See also 68 FR 4580,
4591-94 (Jan. 29, 2003).
\9\ 149 Cong. Rec. S13,980 (daily ed. Nov. 5, 2003) (statement
of Senator Feinstein) (noting that the ``pre-existing business
relationship'' definition ``is the same definition developed by the
Federal Trade Commission in creating a national `Do Not Call'
registry for telemarketers.'')
\10\See 68 FR at 4594.
---------------------------------------------------------------------------
Industry commenters objected to the discussion in the supplementary
information. Some of these commenters believed that looking to the
reasonable expectations of the consumer would narrow the scope of the
exception and impose on institutions a subjective standard that
depended upon the consumer's state of mind. These commenters also
maintained that the availability of the exception should not depend
upon the consumer both requesting information and providing contact
information to the affiliate. Some commenters noted that either
requesting information or providing contact information should suffice
to establish an expectation of receiving solicitations. Other
commenters noted that consumers would not provide
[[Page 61430]]
contact information if they believed that the affiliate would already
have the consumer's contact information or would obtain it from the
consumer's financial institution. Some commenters believed that the
consumer should not have to make an affirmative request for information
in order to have an inquiry. Commenters also expressed concern that the
discussion in the supplementary information would require consumers to
use specific words to trigger the exception.
The Commission has adopted the third prong of the definition of
``pre-existing business relationship'' as proposed. The Commission
continues to believe that it is appropriate to consider what the
consumer says in determining whether the consumer has made an inquiry
about a product or service. It may not be necessary, however, for the
consumer to provide contact information in all cases. As discussed
below, the Commission has revised the examples of inquiries to
illustrate different circumstances.
Consumer groups and NAAG urged the Commission not to expand the
definition of ``pre-existing business relationship'' to include any
additional types of relationships. Industry commenters suggested a
number of additional bases for establishing a pre-existing business
relationship. Several industry commenters believed that the term ``pre-
existing business relationship'' should be defined to include
relationships arising out of the ownership of servicing rights, a
participation interest in lending transactions, and similar
relationships. These commenters provided no further explanation for why
such an expansion was necessary. One commenter urged the Commission to
expand the definition of ``pre-existing business relationship'' to
apply to affiliates that share a common trade name, share the same
employees or representatives, operate out of the same physical location
or locations, and offer similar products.
In addition, a number of industry commenters requested
clarification of the term ``pre-existing business relationship'' as
applied to manufacturers that make sales through dealers. These
commenters explained that automobile manufacturers do not sell vehicles
directly to consumers, but through franchised dealers. Vehicle
financing may be arranged through a manufacturer's captive finance
company or independent sources of financing. These commenters noted
that manufacturers often provide consumers with information about
warranty coverage, recall notices, and other product information.
According to these commenters, manufacturers also send solicitations to
consumers about their products and services, drawing in part on
transaction or experience information from the captive finance company.
These commenters asked the Commission to clarify that the relationship
between a manufacturer and a consumer qualifies as a pre-existing
business relationship based on the purchase, rental, or lease of the
manufacturer's goods, or, alternatively, to exercise its authority to
add this relationship as an additional basis for a pre-existing
business relationship. One commenter asked the Commission to clarify
that a pre-existing business relationship could be established even if
the person provides a product or service to the consumer without
charging a fee.
The Commission does not believe it is necessary to add any
additional bases for a pre-existing business relationship. The
Commission acknowledges that a pre-existing business relationship
exists where a person owns the servicing rights to a consumer's loan
and such person collects payments from, or otherwise deals directly
with, the consumer. In the Commission's view, however, that situation
qualifies as a financial transaction and thus falls within the second
prong of the definition of ``pre-existing business relationship.'' The
Commission has included an example, discussed below, to illustrate how
the ownership of servicing rights can create a pre-existing business
relationship.
A pre-existing business relationship does not arise solely from a
participation interest in a lending transaction because such an
interest does not result in a financial contract or a financial
transaction between the consumer and the participating party. The
Commission declines to add a specific provision for franchised dealers.
The statute contains no special provision addressing franchised
dealers, as it does for licensed agents. Moreover, a franchised dealer
and a manufacturer generally are not affiliates and thus are subject to
the GLBA privacy rule relating to information sharing with non-
affiliated third parties. The Commission also finds no basis for
including within the meaning of ``pre-existing business relationship''
any affiliate that shares a common trade name or representatives, or
that operates from the same location or offers similar products.
Finally, the Commission declines to add a provision that would create a
pre-existing business relationship when a consumer obtains a product or
service without charge from a person. Such a provision would be overly
broad, is not necessary given the breadth of the statutory definition
of ``pre-existing business relationship,'' and could result in
circumvention of the notice requirement.
Proposed Sec. 680.20(d)(1) provided four examples of the pre-
existing business relationship exception. In the final rule, these
examples have been renumbered as Sec. 680.3(j)(2)(i)-(iv), and revised
to illustrate the definition of ``pre-existing business relationship,''
rather than the corresponding exception.
The two examples relating to the first and second prongs of the
definition of ``pre-existing business relationship'' have been revised
in Sec. 680.3(j)(2)(i) and (ii) to focus on a loan account creditor as
the person with the pre-existing business relationship, but are
otherwise substantively similar to the proposal. One commenter
recommended expanding the example now contained in Sec. 680.3(j)(2)(i)
to refer to the licensed agent that wrote the policy or services the
relationship. The Commission believes that adding the term ``licensed
agent'' to the definition is sufficient and sees no reason to further
complicate this example to illustrate how the definition applies to
licensed agents.
Section 680.3(j)(2)(iii) is new and illustrates when a pre-existing
business relationship is created in the context of a mortgage loan.
This example specifically addresses circumstances where either the loan
or ownership of the servicing rights to the loan is sold to a third
party. As this example illustrates, sale of the entire loan by the
original lender terminates the financial transaction between the
consumer and that lender and creates a new financial transaction
between the consumer and the purchaser of the loan. However, the
original lender's sale of a fractional interest in the loan to an
investor does not create a new financial transaction between the
consumer and the investor. When the original lender sells a fractional
interest in the consumer's loan to an investor but also retains an
ownership interest in the loan, however, the original lender continues
to have a pre-existing business relationship with the consumer because
the consumer obtained a loan from the lender and the lender continues
to own an interest in the loan. In addition, the ownership of servicing
rights coupled with direct dealings with the consumer results in a
financial transaction between the consumer and the owner of the
servicing rights, thereby creating a pre-existing business relationship
between the consumer and the owner of the servicing rights. The
Commission notes that a financial institution that owns servicing
rights generally has a customer
[[Page 61431]]
relationship with the consumer and an obligation to provide a GLBA
privacy notice to the consumer.
The example in proposed Sec. 680.20(d)(1)(iii) regarding
applications and inquiries elicited comment. Some industry commenters
urged the Commission to revise this example so that it does not depend
upon the consumer's expectations or the consumer providing contact
information. These commenters noted, for example, that the contact
information would be self-evident if the consumer makes an e-mail
request or provides a return address on an envelope. These commenters
also believed that in the case of a telephone call initiated by a
consumer, a captured telephone number should be sufficient to create an
inquiry if the consumer requests information about products or
services.
In the final rule, the Commission has crafted three separate
examples from proposed Sec. 680.20(d)(1)(iii). Section 680.3(j)(2)(iv)
provides an example where a consumer applies for a product or service,
but does not obtain the product or service for which she applied.
Contact information is not mentioned in this example because the
consumer presumably would have supplied it on the application.
Section 680.3(j)(2)(v) provides an example where a consumer makes a
telephone inquiry about a product or service offered by a depository
institution and provides contact information to the institution, but
does not obtain a product or service from or enter into a financial
transaction with the institution. The Commission does not believe that
an institution's capture of a consumer's telephone number during a
telephone conversation with the consumer about the institution's
products or services is sufficient to create an inquiry. In that
circumstance, to ensure that an inquiry has been made, the institution
should ask the consumer to provide his or her contact information, or
confirm with the consumer that the consumer has a pre-existing business
relationship with an affiliate.
Section 680.3(j)(2)(vi) provides an example where the consumer
makes an e-mail inquiry about a product or service offered by a
creditor, but does not separately provide contact information. In that
case, the consumer provides the creditor with contact information in
the form of the consumer's e-mail address. In addition, e-mail
communications, unlike telephone communications, do not provide
institutions with the same opportunity to ask for the consumer's
contact information.
Industry commenters recommended deleting the example in proposed
Sec. 680.20(d)(1)(iv) illustrating a call center scenario where a
consumer would not reasonably expect to receive information from an
affiliate. In the final rule, the Commission has included a positive
example of an inquiry made by a consumer through a call center in Sec.
680.3(j)(2)(vii), while retaining the negative example from the
proposal in Sec. 680.3(j)(3)(i). In addition, the Commission has
included in Sec. 680.3(j)(3)(ii) an example of a consumer call to ask
about retail locations and hours, which does not create a pre-existing
business relationship. This example is substantively similar to the
example from proposed Sec. 680.20(d)(2)(iii).
A new example in Sec. 680.3(j)(3)(iii) illustrates a case where a
consumer responds to an advertisement that offers a free promotional
item, but the advertisement does not indicate that an affiliate's
products or services will be marketed to consumers who respond to the
advertisement. The example illustrates that the consumer's response
does not create a pre-existing business relationship because the
consumer has not made an inquiry about a product or service, but has
merely responded to an offer for a free promotional item. Similarly, if
a consumer is directed by a company with which the consumer has a pre-
existing business relationship to contact the company's affiliate to
receive a promotional item but the company does not mention the
affiliate's products or services, the consumer's contact with the
affiliate about the promotional item does not create a pre-existing
business relationship between the consumer and the affiliate.
Solicitation
Proposed Sec. 680.3(j) defined the term ``solicitation'' to mean
marketing initiated by a person to a particular consumer that is based
on eligibility information communicated to that person by its affiliate
and is intended to encourage the consumer to purchase a product or
service. The proposed definition further clarified that a
communication, such as a telemarketing solicitation, direct mail, or e-
mail, would be a solicitation if it is directed to a specific consumer
based on eligibility information. The proposed definition did not,
however, include communications that were directed at the general
public without regard to eligibility information, even if those
communications were intended to encourage consumers to purchase
products and services from the person initiating the communications.
Congress gave the Commission the authority to determine by
regulation that other communications do not constitute a solicitation.
The Commission does not propose to exercise this authority. The
Commission solicited comment on whether, and to what extent, various
tools used in Internet marketing, such as pop-up ads, may constitute
solicitations as opposed to communications directed at the general
public, and whether further guidance was needed to address Internet
marketing.
Most commenters believed that the proposed definition tracked the
statutory definition contained in section 624 of the FCRA. A number of
industry commenters, however, believed that the proposed definition
misstated the types of marketing that would not qualify as a
solicitation. Specifically, the first sentence of proposed Sec.
680.3(j)(2) provided that ``[a] solicitation does not include
communications that are directed at the general public and distributed
without the use of eligibility information communicated by an
affiliate.'' These commenters believed that a solicitation should not
include either marketing directed at the general public or marketing
distributed without the use of eligibility information communicated by
an affiliate. Several industry commenters also requested that the
Commission include the phrase ``of a product or service'' in the
introductory language for consistency with the statutory definition.
Some industry commenters sought clarification that certain types of
communications would not constitute solicitations, for example,
marketing announcements delivered via pre-recorded call center
messages, automated teller machine screens, or Internet sites, or
product information provided at or through educational seminars,
customer appreciation events, or newsletters.
NAAG urged the Commission to clarify the portion of the definition
that refers to ``a particular consumer.'' NAAG believed that mass
mailings of the same or similar marketing materials to a large group of
consumers could fall within the definition of ``solicitation,'' so long
as the marketing is based on eligibility information received from an
affiliate. NAAG expressed concern that some might construe the term
``particular'' to narrow the meaning of a ``solicitation.''
With regard to Internet marketing, industry commenters urged the
Commission not to address such practices in this rulemaking. These
[[Page 61432]]
commenters believed that the definition of ``solicitation'' should
provide specific guidance that ``pop-up'' ads and other forms of
Internet marketing generally were directed to the general public and
not based on eligibility information received from an affiliate, or
that such marketing would fall within an exception. NAAG believed that
such advertisements should be treated as solicitations if they were
based on any eligibility information received from an affiliate.
Consumer groups believed that if an affiliate's pop-up ads and other
Internet marketing were the result of specific actions by the consumer
or information collected based upon a consumer's experience on the
Internet, then such marketing should be considered solicitations. These
commenters also believed that pop-up ads and other Internet marketing
targeted to all customers of a company should be treated as
solicitations if based on the consumer's experience on the Internet.
Section 680.3(k) of the final rule contains the definition of
``solicitation.'' The definition has been revised to track the
statutory language more closely. The phrase ``of a product or service''
has been added to the definition, as requested by some commenters. To
ensure consistency with the definition of ``pre-existing business
relationship,'' the phrase ``or obtain'' has been retained so that the
definition of ``solicitation'' will include marketing for the rental or
lease of goods or services, financial transactions, and financial
contracts. The Commission has also deleted as unnecessary the reference
to communications ``distributed without the use of eligibility
information communicated by an affiliate.'' Marketing that is
undertaken without the use of eligibility information received from an
affiliate is not covered by the affiliate marketing rule. Moreover,
there is no restriction on using eligibility information received from
an affiliate in marketing directed at the general public, such as
radio, television, or billboard advertisements. The phrase ``to a
particular consumer'' has been retained because it is part of the
statutory definition. The Commission does not believe that the phrase
``to a particular consumer'' excludes large-scale marketing campaigns
from the definition of ``solicitation'' because, within such campaigns,
eligibility information received from an affiliate may be used to
target individual consumers.
The definition of ``solicitation'' does not distinguish between
different mediums. A determination of whether a marketing communication
constitutes a solicitation depends upon the facts and circumstances.
The Commission has decided not to make those determinations in this
rulemaking. Thus, the Commission is not adopting special rules or
guidance regarding Internet-based marketing; whether Internet-based
marketing is a solicitation in a particular case will be determined
according to the same criteria that apply to other means of marketing.
The Commission also declines to exclude categorically from the
definition of ``solicitation'' marketing messages on voice response
units, ATM screens, or other forms of media. Marketing delivered via
such media may be solicitations if such marketing is targeted to a
particular consumer based on eligibility information received from an
affiliate. For example, a marketing message on an ATM screen would be a
solicitation if it is targeted to a particular consumer based on
eligibility information received from an affiliate, but would not be a
solicitation if it is delivered to all consumers that use the ATM.
Similarly, the Commission declines to exclude educational seminars,
customer appreciation events, focus group invitations, and similar
forms of communication from the definition of ``solicitation.'' The
Commission believes that such activities must be evaluated according to
the facts and circumstances and some of those activities may be coupled
with, or a prelude to, a solicitation. For example, an invitation to a
financial educational seminar where the invitees are selected based on
eligibility information received from an affiliate may be a
solicitation if the seminar is used to solicit the consumer to purchase
investment products or services.
You
The term ``you'' is defined as persons described in Sec. 680.1(a)
and the definition has been renumbered as Sec. 680.3(l).
Section 680.21 Affiliate Marketing Opt-out and Exceptions
The Commission proposed to establish certain rules relating to the
requirement to provide the consumer with notice and a reasonable
opportunity and a simple method to opt out of a person's use of
eligibility information that it obtained from an affiliate for the
purpose of making or sending solicitations to the consumer. The
Commission noted that the statute is ambiguous because it does not
specify which affiliate must provide the opt-out notice to the
consumer. The Commission addressed this ambiguity by proposing to place
certain responsibilities on the ``communicating affiliate'' and other
responsibilities on the ``receiving affiliate.''
Proposed Sec. 680.20(a) set forth the duties of a communicating
affiliate. That section required the communicating affiliate to provide
a notice to the consumer before a receiving affiliate could use
eligibility information to make or send solicitations to the consumer.
Under the proposal, the opt-out notice would state that eligibility
information may be communicated to and used by the receiving affiliate
to make or send solicitations to the consumer regarding the affiliate's
products and services, and would give the consumer a reasonable
opportunity and a simple method to opt out.
Proposed Sec. 680.20(a) also contained two rules of construction
relating to the communicating affiliate's duty to provide the notice.
The first rule of construction would have allowed the notice to be
provided either in the name of a person with which the consumer
currently does or previously has done business or in one or more common
corporate names shared by members of an affiliated group of companies
that includes the common corporate name used by that person. The rule
of construction also would have provided alternatives regarding the
manner in which the notice could be given, such as by allowing the
communicating affiliate to provide the notice either directly to the
consumer, through an agent, or through a joint notice with one or more
of its affiliates. The second rule of construction would have clarified
that, to avoid duplicate notices, it would not be necessary for each
affiliate that communicates the same eligibility information to provide
an opt-out notice to the consumer, so long as the notice provided by
the affiliate that initially communicated the information was broad
enough to cover use of that information by each affiliate that received
and used it to make solicitations. The proposal included examples to
illustrate how each of these rules of construction would work.
Proposed Sec. 680.20(b) set forth the general duties of a
receiving affiliate. That section would have prohibited the receiving
affiliate from using eligibility information it received from an
affiliate to make solicitations to the consumer unless, prior to such
use, the consumer was provided an opt-out notice that applied to that
affiliate's use of eligibility information to make solicitations and a
reasonable opportunity and simple method to opt out, and the consumer
did not opt out of that use.
[[Page 61433]]
Most industry commenters maintained that the final rule should not
require any specific entity to provide the opt-out notice, but should
only require that the consumer be provided an opt-out notice covering
an affiliate's use of eligibility information before a solicitation is
made to the consumer. These commenters believed the final rule should
provide flexibility and allow either the receiving affiliate, the
communicating affiliate, or any other affiliate to provide the opt-out
notice. These commenters maintained that the statute is not ambiguous
and does not impose any obligations on a specific entity, such as the
communicating affiliate, to provide the opt-out notice. Some of these
commenters acknowledged, however, that the communicating affiliate
would, as a practical matter, most likely give the opt-out notice.
A number of industry commenters expressed concern that the proposed
rule would create a basis for civil liability against the communicating
affiliate under section 624 because that section is covered by the
FCRA's private right of action provisions in sections 616 and 617. Some
commenters noted that, to avoid exposure to civil liability, a
communicating affiliate would have to require receiving affiliates to
commit to not using the information to make solicitations, give an opt-
out notice whenever they share eligibility information with affiliates,
or never share eligibility information with affiliates. These
commenters maintained that, in many cases, none of these solutions
would be practical, for example, where a receiving affiliate
negligently failed to comply with a commitment not to make
solicitations unless notice has been given to the consumer.
Several industry commenters noted that the language in section
624(a)(1)(A) that ``information may be communicated'' could be included
in an opt-out notice provided by the receiving affiliate. These
commenters also believed that the statutory requirement that the
Commission consider existing affiliate sharing notification practices
and permit coordinated and consolidated notices did not imply that the
communicating affiliate should be responsible for providing the opt-out
notice.
Industry commenters made several suggestions for revising the
language of the proposal. Some suggested revising proposed Sec.
680.20(a) to omit any reference to the communicating affiliate and to
incorporate the passive voice used in the statute. Others suggested
various ways of merging proposed Sec. 680.20(b) into proposed Sec.
680.20(a) to focus exclusively on the responsibilities of the receiving
affiliate. One commenter identified certain drafting problems it
believed arose from the fact that the proposal focused alternately on
the communicating affiliate and the receiving affiliate and that those
two entities may be regulated by different regulatory agencies.
A few industry commenters acknowledged that the Commission had
raised legitimate concerns in the supplementary information to the
proposal about how meaningful a notice could be when provided by a
receiving affiliate that the consumer may not recognize. These
commenters believed that this concern could be addressed through other
means. One commenter, for example, suggested the following introductory
language in paragraph (a)(2): ``The notice required by this paragraph
(a) may be provided either in the name of the bank receiving the
information (provided that such bank also identifies the affiliate
which provided such information), in the name of the affiliate which
provided such information, or in one or more common corporate names
shared by such bank and the affiliate which provided the information,
and may be provided in the following manner . . .'' Another industry
commenter expressed support for the rules of construction with
revisions to allow the use of brand names and trade names, as well as
the actual ``corporate'' name, and to allow an agent or affiliate to
send a common notice that uses more than one common name in a non-
deceptive manner.
Consumer group commenters supported making the communicating
affiliate responsible for providing the notice and opportunity to opt
out. These commenters believed that allowing the receiving affiliate to
send the opt-out notice would invite consumer confusion as to whether
or not the opt-out notice itself is a solicitation. These commenters
also believed that the Commission should require the names of the
receiving affiliates to be clearly disclosed to the consumer. Consumer
groups also believed that the proposed rules of construction struck a
reasonable balance by allowing commonly named affiliates to share a
notice while making clear that a notice from an affiliate with whom the
consumer is not familiar will not be effective. They also suggested
that the company with the pre-existing business relationship should be
clearly marked on the opt-out notice.
NAAG believed that a receiving affiliate should not be permitted to
give the opt-out notice solely on its own behalf because a receiving
affiliate is unlikely to be an entity from which the consumer would
expect to receive important communications. NAAG also requested that
the Commission revise certain portions of the proposed rules of
construction, for example, by deleting from proposed Sec.
680.20(a)(2)(i) the phrase ``or previously has done business'' based on
concerns that it would render the notice partially ineffective because,
even without this phrase, the notice would not be required for 18
months after a customer relationship ends. NAAG also requested that the
Commission revise proposed Sec. Sec. 680.20(a)(2)(B)(2) and (a)(2)(C)
to clarify that the common name used must be one that includes the name
used by the person providing the opt-out notice.
In the proposal, the Commission did not require the opt-out notice
to be provided in writing. The Commission noted, however, that it
contemplated that the opt-out notice would be provided to the consumer
in writing or, if the consumer agrees, electronically. The proposal
solicited comment on whether there were circumstances in which it would
be necessary and appropriate to allow oral notice and opt out and how
an oral notice could satisfy the clear and conspicuous standard in the
statute.
Industry commenters believed that the final rule should permit oral
notices. These commenters identified circumstances in which a
relationship is established by telephone as an example of when oral
notice would be appropriate. Some industry commenters also noted that
an oral notice should be permitted because the affiliate sharing opt-
out notice under section 603(d)(2)(A)(iii) may be given orally, as well
as in writing or electronically. Several industry commenters noted that
the Commission in the Telemarketing Sales Rule and the OCC in
regulations relating to debt cancellation contracts and debt suspension
agreements have permitted clear and conspicuous oral notices. These
commenters did not believe that allowing oral notice in these
circumstances had created any enforcement difficulties for the
Commission or OCC. Other industry commenters noted that institutions
could demonstrate compliance through the use of scripts or by
monitoring or recording calls.
Consumer groups believed that a written opt-out notice should be
required in all cases. These commenters believed that, with an oral
notice, it is impossible to ensure that a consumer receives the
appropriate notice or information on the right to opt out. They
believed that allowing oral notices
[[Page 61434]]
would create enforcement barriers for regulators. Consumer groups also
believed that institutions have strong economic incentives to prevent
consumers from opting out and would engage in misrepresentations or
otherwise use language in their scripts that is designed to discourage
consumers from opting out. NAAG believed that oral notices would not
meet the statutory requirement for a clear, conspicuous, and concise
notice, that consumers would be less likely to comprehend oral notices,
and enforcement would be more difficult if oral opt-out notices were
allowed.
Section 680.21(a) of the final rule contains the revised provisions
regarding the initial notice and opt-out requirement. Although the
language of this section has been revised and simplified, the substance
of this provision is substantially similar to the proposal.
Section 680.21(a)(1) sets forth the general rule. This section
contains the three conditions that must be met before a person may use
eligibility information about a consumer that it receives from an
affiliate to make a solicitation for marketing purposes to the
consumer. First, it must be clearly and conspicuously disclosed to the
consumer in writing or, if the consumer agrees, electronically, in a
concise notice that the person may use shared eligibility information
to make solicitations to the consumer. Second, the consumer must be
provided a reasonable opportunity and a reasonable and simple method to
opt out of the use of that eligibility information to make
solicitations to the consumer. Third, the consumer must not have opted
out. Section 680.21(a)(2) of the final rule provides an example of the
general rule.
The Commission has concluded that the opt-out notice may not be
provided orally, but must be provided in writing or, if the consumer
agrees, electronically. The statute requires the Commission to consider
the affiliate sharing notification practices employed on the date of
enactment and to ensure that notices and disclosures may be coordinated
and consolidated in promulgating regulations. The affiliate sharing
notice under section 603(d)(2)(A)(iii) of the FCRA generally must be
included in the GLBA privacy notice, which must be provided in writing,
or if the consumer agrees, electronically. Requiring the affiliate
marketing opt-out notice to be provided in writing, or if the consumer
agrees, electronically, is thus consistent with existing affiliate
sharing notification practices and promotes coordination and
consolidation of the three privacy-related opt-out notices. The
Commission is not persuaded that there are any circumstances where it
would be necessary to provide an oral opt-out notice. A number of key
exceptions to the initial notice and opt-out requirement, such as the
pre-existing business relationship exception, consumer-initiated
communication exception, and consumer authorization or request
exception, may be triggered by an oral communication with the consumer.
It also could be more difficult for the Commission to monitor and
enforce compliance with the final rule if oral opt-out notices were
allowed. Accordingly, the final rule requires the opt-out notice to be
provided in writing or, if the consumer agrees, electronically.
Section 680.21(a)(3) identifies those affiliates who may provide
the initial opt-out notice. This section provides that the initial opt-
out notice must be provided either by an affiliate that has or has
previously had a pre-existing business relationship with the consumer,
or as part of a joint notice from two or more members of an affiliated
group of companies, provided that at least one of the affiliates on the
joint notice has or has previously had a pre-existing business
relationship with the consumer. The final rule follows the general
approach taken in the proposal to ensure that the notice is provided by
an entity known to the consumer, while eliminating potentially
ambiguous and confusing terms like ``communicating affiliate'' and
``receiving affiliate.''
The Commission also has eliminated as unnecessary the rules of
construction. Joint notices are now addressed directly in Sec.
680.21(a)(3). The Commission also has concluded that the provisions
from the proposal relating to notice provided by an agent are
unnecessary. General agency principles, however, continue to apply. An
affiliate that has or has previously had a pre-existing business
relationship with the consumer may direct its agent to provide the opt-
out notice on its behalf.
The Commission has concluded that the statute's silence with regard
to which affiliates may provide the opt-out notice makes the statute
ambiguous on this point, despite industry comments to the contrary. The
Commission also continues to believe that consumers are more likely to
pay attention to a notice provided by a person known to the consumer.
The Commission remains concerned that a notice provided by an entity
unknown to the consumer may not provide meaningful or effective notice,
and that consumers may ignore or discard notices provided by unknown
entities. Industry comments on the proposal did little to address those
concerns. For practical reasons, the Commission believes that affiliate
marketing opt-out notices typically would be provided by an affiliate
that has or has previously had a pre-existing business relationship
with the consumer, or as part of a joint notice, whether or not
required by the rule.
The Commission appreciates industry concerns about civil liability
and has revised the final rule to address those concerns. Specifically,
in contrast to the proposal, the final rule does not impose duties on
any affiliate other than the affiliate that intends to use shared
eligibility information to make solicitations to the consumer. Although
an opt-out notice must be provided by an affiliate that has or has
previously had a pre-existing business relationship with the consumer
(or as part of a joint notice), that affiliate has no duty to provide
such a notice. Instead, the final rule provides that absent such a
notice, an affiliate must not use shared eligibility information to
make solicitations to the consumer. Industry concerns about civil
liability also may be mitigated to some extent by the Supreme Court's
recent decision in Safeco Ins. Co. of America v. Burr, 127 S. Ct. 2201
(June 4, 2007).
Finally, many institutions currently require consumers to provide
their Social Security numbers when exercising their existing GLBA and
FCRA opt-out rights. The Commission believes that institutions likely
would follow their existing practice with regard to affiliate marketing
opt-outs. To combat identity theft and prevent ``phishing,'' however,
the Commission, along with many institutions, has been educating
consumers not to provide their Social Security numbers to unknown
entities. Furthermore, as co-Chair of the President's Identity Theft
Task Force, the Commission has made a commitment to examine and
recommend ways to limit the private sector's use of Social Security
numbers.
The approach recommended by industry commenters would allow an
unknown entity not only to provide an affiliate marketing opt-out
notice to the consumer, but also to require the consumer to reveal his
or her Social Security number to that unknown entity in order to
exercise the opt-out right. Such an approach would send conflicting
messages to consumers about providing Social Security numbers to
unknown entities. This approach also would be inconsistent with the
Commission's current efforts to develop a comprehensive record on the
uses of the Social Security number in the private sector and evaluate
their
[[Page 61435]]
necessity, as recommended by the President's Identity Theft Task
Force.\11\
---------------------------------------------------------------------------
\11\See Combatting Identity Theft: A Strategic Plan, at 26-27
(April 2007) (available at http://www.idtheft.gov).
---------------------------------------------------------------------------
Making Solicitations
The proposal repeatedly referred to ``making or sending''
solicitations. Several commenters suggested revising the regulation to
eliminate all references to ``sending'' solicitations. These commenters
believed that the statute only concerns the use of eligibility
information to ``make'' solicitations and does not address ``sending''
solicitations. Commenters expressed concern that by referring to
``sending'' solicitations, the proposal would apply the notice and opt-
out requirements to servicers that send solicitations on behalf of
another entity.
The Commission has revised the final rule to eliminate all combined
references to ``making or sending'' solicitations. The general rule in
section 624(a)(1), along with the duration provisions in section
624(a)(3) and the pre-existing business relationship exception in
section 624(a)(4)(A), refer to ``making'' or ``to make'' a
solicitation. Other provisions of the statute, such as the consumer
choice provision in section 624(a)(2)(A), the service provider
exception in section 624(a)(4)(C), the non-retroactivity provision in
section 624(a)(5), and the definition of ``pre-existing business
relationship'' in section 624(d)(1), refer to ``sending'' or ``to
send'' a solicitation. The verb ``to send,'' as used in the statute,
refers to a ministerial act that a service provider, such as a mail
house, performs for the person making the solicitation, (see 15 U.S.C.
1681s-3(a)(4)(C)), or indicates the point in time after which
solicitations are no longer permitted. See 15 U.S.C. 1681s-3(d)(1)(B)
and (C).
The Commission concludes that ``making'' and ``sending''
solicitations are different activities and that the focus of the
statute is primarily on the ``making'' of solicitations. For example, a
service provider may send a solicitation on behalf of another entity,
but it is the entity on whose behalf the solicitation is sent that is
making the solicitation and thus is subject to the general prohibition
on making a solicitation, unless the consumer is given notice and an
opportunity to opt out. Accordingly, the Commission has revised the
final rule to refer to ``making'' a solicitation, except where the
statute specifically refers to ``sending'' solicitations.
The statute, however, does not describe what a person must do in
order ``to make'' a solicitation. Similarly, the legislative history
does not contain guidance as to the meaning of ``making'' a
solicitation. Nevertheless, the Commission believes it is important to
provide clear guidance regarding what activities result in making a
solicitation.
One commenter suggested that the test for making a solicitation
should turn on whether an affiliate having a pre-existing business
relationship with the consumer retains the discretion to determine
whether or not to send the solicitation. This commenter provided an
example where a financial institution obtains a list of an affiliate's
customers from a common shared database, applies its own criteria to
this list, and then requests the affiliate with an existing business
relationship to solicit the affiliate's own customers to purchase the
financial institution's products or services. (Thus, the financial
institution would be using eligibility information to select a list of
its affiliate's customers to receive the financial institution's
marketing materials.) This commenter believed that section 624 should
not apply so long as the affiliate with the existing business
relationship has discretion to determine whether or not to send the
solicitations. This commenter also maintained that the applicability of
section 624's notice and opt-out requirement should depend on who
markets the product and not on what the product is or whose product it
is.
Nothing in the statute indicates that the discretion of the
affiliate providing the eligibility information to determine whether or
not to send a solicitation on behalf of a person who has received
eligibility information from that affiliate is the test for what
constitutes making a solicitation. Rather, the statute focuses on
whether the person receiving eligibility information from an affiliate
uses that information to market its products or services to consumers.
A ``discretion to send'' test would also inappropriately link the terms
``making'' and ``sending'' in a manner that would promote confusion and
undercut arguments made by commenters urging the Commission to
disassociate the two terms. Finally, a ``discretion to send'' test
could foster circumvention of the notice and opt-out requirement,
restrict the ability of consumers to prohibit solicitations in a manner
not contemplated by the statute, and make it difficult for the
Commission to administer and enforce the statute.
Section 680.21(b) of the final rule clarifies what constitutes
``making'' a solicitation for purposes of this part. Section
680.21(b)(1) provides that a person makes a solicitation for marketing
purposes to a consumer if: (a) the person receives eligibility
information from an affiliate; (b) the person uses that eligibility
information to do one of the following--identify the consumer or type
of consumer to receive a solicitation, establish the criteria used to
select the consumer to receive a solicitation, or decide which of its
products or services to market to the consumer or tailor its
solicitation to that consumer; and (c) as a result of the person's use
of the eligibility information, the consumer is provided a solicitation
about the person's products or services.
The Commission recognizes that several common industry practices
may complicate application of the rule outlined in Sec. 680.21(b)(1).
First, affiliated groups often use a common database as the repository
for eligibility information obtained by various affiliates, and
information in that database may be accessible to multiple affiliates.
Second, affiliated companies often use service providers to perform
marketing activities, and some of those service providers may provide
services for a number of different affiliates. Third, an affiliate may
use its own eligibility information to market the products or services
of another affiliate. Sections 680.21(b)(2)-(5) address these issues.
Section 680.21(b)(2) clarifies that a person may receive
eligibility information from an affiliate in various ways, including
when the affiliate places that information into a common database that
the person may access. Of course, receipt of eligibility information
from an affiliate is only one element of the rule outlined in Sec.
680.21(b)(1). In the case of a common database, use of the eligibility
information will be the key element in determining whether a person has
made a solicitation.
Section 680.21(b)(3) provides that a person receives or uses an
affiliate's eligibility information if a service provider acting on
behalf of the person receives or uses that information in the manner
described in Sec. Sec. 680.21(b)(1)(i) or (b)(1)(ii), except as
provided in Sec. 680.21(b)(5), which is discussed below. Section
680.21(b)(3) also provides that all relevant facts and circumstances
will determine whether a service provider is acting on behalf of a
person when it receives or uses an affiliate's eligibility information
in connection with marketing that person's products or services.
Section 680.21(b)(4) addresses constructive sharing. In the
supplementary information to the proposal, the Commission solicited
comment on whether the notice and
[[Page 61436]]
opt-out requirements of this rule should apply to circumstances that
involve a ``constructive sharing'' of eligibility information to
conduct marketing, given the policy objectives of section 214 of the
FACT Act. By way of example, in a ``constructive sharing'' scenario, a
consumer has a relationship with a financial institution, and the
financial institution is affiliated with an insurance company. The
insurance company develops specific eligibility criteria, such as
consumers having combined deposit balances in excess of $50,000 or
average monthly demand account deposits in excess of $10,000, without
the use of eligibility information received from the financial
institution. The insurance company provides its criteria to the
financial institution and asks the institution to identify financial
institution consumers that meet the eligibility criteria and send
insurance company marketing materials to those consumers. The financial
institution sends the marketing materials to those consumers who meet
the insurance company's eligibility criteria. A consumer who meets the
eligibility criteria contacts the insurance company after receiving the
insurance company marketing materials in the manner specified in those
materials. The consumer's response provides the insurance company with
discernible eligibility information, such as through a response form
that is coded to identify the consumer as an individual who meets the
specific eligibility criteria.\12\
---------------------------------------------------------------------------
\12\ The supplementary information to the proposal noted that
the notice and opt-out requirement would not apply if, for example,
an insurance company asked its affiliated financial institution to
include insurance company marketing material in periodic statements
sent to consumers by the financial institution without regard to
eligibility information.
---------------------------------------------------------------------------
Industry commenters urged the Commission not to apply the notice
and opt-out requirement to ``constructive sharing'' situations. The
principal arguments made by these commenters in support of their
position were as follows. First, in a constructive sharing scenario,
there is no sharing of eligibility information among affiliates.
Rather, the consumer provides information to an affiliate when
responding. Second, section 624 applies when a person uses eligibility
information furnished by its affiliate to make a solicitation for its
own products or services to the consumer. In constructive sharing,
however, the person does not use eligibility information and does not
make a solicitation as defined in the statute. Third, the affiliate
that sends the marketing material has a pre-existing business
relationship with the consumer and is thus exempt from the notice and
opt-out requirements. Fourth, if the consumer responds to the marketing
materials, for example, by returning a response card to an affiliate,
one or more of the exceptions to the notice and opt-out requirement
would apply, such as the consumer-initiated communication exception,
the pre-existing business relationship exception, or both.
Consumer groups believed that constructive sharing contravenes the
intent of Congress and amounts to a loophole that should be fixed.
Similarly, NAAG believed that the letter and spirit of section 624
required subjecting constructive sharing to the notice and opt-out
requirements and that to find otherwise would create a significant and
unwarranted exception.
After considering the constructive sharing issue, the Commission
concludes that the statute only covers situations where a person uses
eligibility information that it received from an affiliate to make a
solicitation to the consumer about its products or services. In a
``constructive sharing'' scenario like that described above, a pre-
existing business relationship is established between the consumer and
the insurance company when the consumer contacts the insurance company
to inquire about or apply for insurance products as a result of the
consumer's receipt of the insurance marketing materials. This pre-
existing business relationship is established before the insurance
company uses any shared eligibility information to make solicitations
to the consumer. Because the insurance company does not use shared
eligibility information to make solicitations to the consumer before it
establishes a pre-existing business relationship with the consumer, the
statute does not apply.
The Commission acknowledges the concerns expressed by consumer
groups and NAAG regarding the decision not to apply the notice and opt-
out requirements to constructive sharing situations. The statute's
affiliate marketing provisions, however, only limit the use of
eligibility information received from an affiliate to make
solicitations to a consumer. A separate provision of the FCRA, section
603(d)(2)(A)(iii), regulates the sharing of eligibility information
among affiliates and prohibits the sharing of non-transaction or
experience information, such as credit scores from a consumer report or
income from an application, among affiliates, unless the consumer is
given notice and an opportunity to opt out of such sharing. The FCRA
does not restrict the sharing of transaction or experience information
among affiliates unless that information is medical information.
Section 603(d)(2)(A)(iii) operates independent of the affiliate
marketing rule. Thus, the existence of a pre-existing business
relationship between a consumer and an affiliate that seeks to use
shared eligibility information, such as credit scores or income, to
market to that consumer (or the applicability of another exception to
this affiliate marketing rule) does not relieve the entity sharing the
credit score or income information of the requirement to comply with
the affiliate sharing notice and opt-out provisions of section
603(d)(2)(A)(iii) of the FCRA before it shares that non-transaction or
experience information with its affiliate.\13\
---------------------------------------------------------------------------
\13\ A sharing of information occurs if a reference code
included in marketing materials reveals one affiliate's information
about a consumer to another affiliate upon receipt of a consumer's
response.
---------------------------------------------------------------------------
Section 680.21(b)(4) describes two situations where a person is
deemed not to have made a solicitation subject to this part. Both
situations assume that the person has not used eligibility information
received from an affiliate in the manner described in Sec.
680.21(b)(1)(ii). First, a person does not make a solicitation subject
to this part if that person's affiliate uses its own eligibility
information that it obtained in connection with a pre-existing business
relationship it has or had with the consumer to market the person's
products or services to the consumer. Second, if, in the situation just
described, the person's affiliate directs its service provider to use
the affiliate's own eligibility information to market the person's
products or services to the consumer, and the person does not
communicate directly with the service provider regarding that use of
the eligibility information, then the person has not made a
solicitation subject to this part.
The core concept underlying the second prong of this provision is
that the affiliate that obtained the eligibility information in
connection with a pre-existing business relationship with the consumer
controls the actions of the service provider using that information.
Therefore, the service provider's use of the eligibility information
should not be attributed to the person whose products or services will
be marketed to consumers. In such circumstances, the service provider
is acting on behalf of the affiliate that obtained the eligibility
information in connection with a pre-existing business relationship
with the consumer, and not on behalf of the
[[Page 61437]]
person whose products or services will be marketed to that affiliate's
consumers.
The Commission also recognizes that there may be situations where
the person whose products or services are being marketed does
communicate with the affiliate's service provider. This may be the
case, for example, where the service provider performs services for
various affiliates relying on information maintained in and accessed
from a common database. In certain circumstances, the person whose
products or services are being marketed may communicate with the
affiliate's service provider, yet the service provider is still acting
on behalf of the affiliate when it uses the affiliate's eligibility
information in connection with marketing the person's products or
services. Section 680.21(b)(5) describes the conditions under which a
service provider would be deemed to be acting on behalf of the
affiliate with the pre-existing business relationship, rather than the
person whose products or services are being marketed, notwithstanding
direct communications between the person and the service provider.
Section 680.21(b)(5) builds upon the concept of control of a
service provider and thus is a natural outgrowth of Sec. 680.21(b)(4).
Under the conditions set out in Sec. 680.21(b)(5), the service
provider is acting on behalf of an affiliate that obtained the
eligibility information in connection with a pre-existing business
relationship with the consumer because, among other things, the
affiliate controls the actions of the service provider in connection
with the service provider's receipt and use of the eligibility
information. This provision is designed to minimize uncertainty that
may arise from application of the facts and circumstances test in Sec.
680.21(b)(3) to cases that involve direct communications between a
service provider and a person whose products and services will be
marketed to consumers.
Section 680.21(b)(5) provides that a person does not make a
solicitation subject to this part if a service provider (including an
affiliated or third-party service provider that maintains or accesses a
common database that the person may access) receives eligibility
information from the person's affiliate that the person's affiliate
obtained in connection with a pre-existing business relationship it has
or had with the consumer and uses that eligibility information to
market the person's products or services to the consumer, so long as
the following five conditions are met.
First, the person's affiliate controls access to and use of its
eligibility information by the service provider (including the right to
establish specific terms and conditions under which the service
provider may use such information to market the person's products or
services). This requirement must be set forth in a written agreement
between the person's affiliate and the service provider. The person's
affiliate may demonstrate control by, for example, establishing and
implementing reasonable policies and procedures applicable to the
service provider's access to and use of its eligibility information.
Second, the person's affiliate establishes specific terms and
conditions under which the service provider may access and use that
eligibility information to market the person's products or services (or
those of affiliates generally) to the consumer, and periodically
evaluates the service provider's compliance with those terms and
conditions. These terms and conditions may include the identity of the
affiliated companies whose products or services may be marketed to the
consumer by the service provider, the types of products or services of
affiliated companies that may be marketed, and the number of times the
consumer may receive marketing materials. The specific terms and
conditions established by the person's affiliate must be set forth in
writing, but need not be set forth in a written agreement between the
person's affiliate and the service provider. If a periodic evaluation
by the person's affiliate reveals that the service provider is not
complying with those terms and conditions, the Commission expects the
person's affiliate to take appropriate corrective action.
Third, the person's affiliate requires the service provider to
implement reasonable policies and procedures designed to ensure that
the service provider uses the affiliate's eligibility information in
accordance with the terms and conditions established by the affiliate
relating to the marketing of the person's products or services. This
requirement must be set forth in a written agreement between the
person's affiliate and the service provider.
Fourth, the person's affiliate is identified on or with the
marketing materials provided to the consumer. This requirement will be
construed flexibly. For example, the person's affiliate may be
identified directly on the marketing materials, on an introductory
cover letter, on other documents included with the marketing materials,
such as a periodic statement, or on the envelope which contains the
marketing materials.
Fifth, the person does not directly use the affiliate's eligibility
information in the manner described in Sec. 680.21(b)(1)(ii).
These five conditions together ensure that the service provider is
acting on behalf of the affiliate that obtained the eligibility
information in connection with a pre-existing business relationship
with the consumer because that affiliate controls the service
provider's receipt and use of that affiliate's eligibility information.
Section 680.21(b)(6) provides six illustrative examples of the rule
relating to making solicitations as set forth in Sec. Sec.
680.21(b)(1)-(5).
Exceptions
Proposed Sec. 680.20(c) contained exceptions to the requirements
of this part and incorporated each of the statutory exceptions to the
affiliate marketing notice and opt-out requirements that are set forth
in section 624(a)(4) of the FCRA. The Commission has revised the
preface to the exceptions for clarity to provide that the provisions of
this part do not apply to ``you'' if a person uses eligibility
information that it receives from an affiliate in certain
circumstances. In addition, each of the exceptions has been moved to
Sec. 680.21(c) in the final rule and is discussed below.
Pre-existing Business Relationship Exception
Proposed Sec. 680.20(c)(1) provided that the provisions of this
part would not apply to an affiliate using eligibility information to
make a solicitation to a consumer with whom the affiliate has a pre-
existing business relationship. As noted above, a pre-existing business
relationship exists when: (1) there is a financial contract in force
between the affiliate and the consumer; (2) the consumer and the
affiliate have engaged in a financial transaction (including holding an
active account or a policy in force or having another continuing
relationship) during the 18 months immediately preceding the date of
the solicitation; (3) the consumer has purchased, rented, or leased the
affiliate's goods or services during the 18 months immediately
preceding the date of the solicitation; or (4) the consumer has
inquired about or applied for a product or service offered by the
affiliate during the 3-month period immediately preceding the date of
the solicitation. Proposed Sec. 680.20(d)(1) provided examples of the
pre-existing business relationship exception. As explained above, the
Commission has
[[Page 61438]]
revised the examples from proposed Sec. 680.20(d)(1) in the final rule
and included them as examples of the definition of ``pre-existing
business relationship'' rather than as examples of the pre-existing
business relationship exception.
Section 680.21(c)(1) of the final rule revises the pre-existing
business relationship exception to delete the word ``send'' and to
eliminate as unnecessary the cross-reference to the location of the
definition of ``pre-existing business relationship.'' As discussed
above, commenters made a number of suggestions regarding the definition
of ``pre-existing business relationship.'' The Commission has addressed
those comments elsewhere. Most commenters supported the proposed text
of the pre-existing business relationship exception, which generally
tracks the statutory language.
Some commenters, however, apparently believed that the pre-existing
business relationship exception is broader than it actually is. For
example, assume that an insurance company has a pre-existing business
relationship with a consumer and shares eligibility information about
the consumer with its affiliates by putting that information into a
common database that is accessible by all affiliates. The insurance
company's lending affiliate accesses the database, reviews the data on
the insurance company's consumers and, based on its review, decides to
market to some of the insurance company's consumers. Rather than
sending the solicitations itself, the lender asks the insurance company
with the pre-existing business relationship to send solicitations on
its behalf to the insurance company's consumers. As noted above, one
commenter believed that in this circumstance the pre-existing business
relationship exception would apply so long as the insurance company
retained the discretion to decide whether or not to send the
solicitations on behalf of the lender. However, the Commission
concludes that this situation does not fall within the pre-existing
business relationship exception. Instead, the lender makes the
solicitation because it used eligibility information received from an
affiliate to select the consumer to receive a solicitation about its
products or services and, as a result, the consumer is provided a
solicitation. To eliminate any confusion and clarify the scope of the
exception, the Commission has added an example in Sec. 680.21(d)(1) of
the final rule to illustrate a situation where the pre-existing
business relationship exception would apply.
Employee Benefit Plan Exception
Proposed Sec. 680.20(c)(2) provided that the provisions of this
part would not apply to an affiliate using the information to
facilitate communications to an individual for whose benefit the
affiliate provides employee benefit or other services under a contract
with an employer related to and arising out of a current employment
relationship or an individual's status as a participant or beneficiary
of an employee benefit plan. One commenter believed that the exception
should be revised to permit communications ``to an affiliate about an
individual for whose benefit an entity provides employee benefit or
other services pursuant to a contract with an employer related to and
arising out of the current employment relationship or status of the
individual as a participant or beneficiary of an employee benefit
plan.'' This commenter also suggested deleting the phrase ``you receive
from an affiliate'' in the introduction to proposed Sec. 680.20(c).
This commenter believed that this exception should permit an employer
or plan sponsor to share information with its affiliates in order to
offer other financial services, such as brokerage accounts or IRAs, to
its employees. This commenter further requested clarification on
whether the exception applies only if related to products offered as an
employee benefit.
Section 680.21(c)(2) of the final rule adopts the employee benefit
exception as proposed. The Commission declined to adopt the changes
suggested by the one commenter. First, the suggestion to make the
exception applicable to communications ``to an affiliate about an
individual for whose benefit an entity provides employee benefit or
other services'' differs from the language of the statute. The language
of the proposed and final rule focuses on facilitating communications
``to an individual for whose benefit the person provides employee
benefit or other services,'' which tracks the statutory language better
than the alternative language proposed by the commenter.
Second, the only person to whom section 624 might apply is a person
that receives eligibility information from an affiliate. Specifically,
the statutory preface to the exceptions provides that ``[t]his section
shall not apply to a person'' using information to do certain things.
The language of the statute thus makes clear that the exceptions in
section 624(a)(4) of the FCRA were meant to apply to persons that
otherwise would be subject to section 624. In the case of the employee
benefit exception, the person using the information is also ``the
person provid[ing] employee benefit or other services pursuant to a
contract with an employer.'' Therefore, the Commission concludes that
this exception, like the other provisions of this part, should apply
only to a person that uses eligibility information it receives from an
affiliate to make solicitations to consumers about its products or
services.
Service Provider Exception
Proposed Sec. 680.20(c)(3) provided that the provisions of this
part would not apply to an affiliate using the information to perform
services for another affiliate, unless the services involve making or
sending solicitations on its own behalf or on behalf of an affiliate
and the service provider or such affiliate is not permitted to make or
send such solicitations as a result of the consumer's election to opt
out. Thus, under the proposal, when the notice has been provided to a
consumer and the consumer has opted out, an affiliate subject to the
consumer's opt-out election may not circumvent the opt-out by
instructing the person with the consumer relationship or another
affiliate to send solicitations to the consumer on its behalf.
Several industry commenters urged the Commission to revise the
proposed exception to conform to the statutory language. Specifically,
with respect to the exclusion from the service provider exception,
these commenters recommended that the Commission delete the references
to solicitations on behalf of the service provider. Some of these
commenters maintained that the references to solicitations on behalf of
the service provider itself would impose additional burdens and costs
on companies that use a single affiliate to provide various
administrative services to other affiliates and would make it more
difficult to provide general educational materials to consumers. Some
of these commenters also asked the Commission to clarify that the
limitation in the service provider exception has no applicability to
any other exception.
Section 680.21(c)(3) of the final rule revises the service provider
exception to delete as surplusage the references to solicitations by a
service provider on its own behalf. The Commission notes that the
general rule in Sec. 680.21(a)(1) prohibits a service provider from
using eligibility information it received from an affiliate to make
solicitations to the consumer about its own products or services unless
the consumer is given notice and an opportunity to opt out or
[[Page 61439]]
unless one of the other exceptions applies. The service provider
exception simply allows a service provider to do what the affiliate on
whose behalf it is acting may do, such as using shared eligibility
information to make solicitations to consumers to whom the affiliate is
permitted to make such solicitations. The final rule also deletes the
word ``make'' from the exception to the service provider exception
because, as discussed above, ``making'' and ``sending'' solicitations
are distinct activities and this provision of the statute uses the verb
``to send.'' The Commission notes that, although the statute contains
separate service provider and pre-existing business relationship
exceptions, nothing in those exceptions prevents an affiliate that has
a pre-existing business relationship with the consumer from relying
upon the service provider exception, where appropriate. Section
680.21(d)(2) of the final rule provides examples of the service
provider exception.
Consumer-Initiated Communication Exception
Proposed Sec. 680.20(c)(4) provided that the provisions of this
part would not apply to an affiliate using the information to make
solicitations in response to a communication initiated by the consumer.
The proposed rule further clarified that this exception may be
triggered by an oral, electronic, or written communication initiated by
the consumer.
The supplementary information noted that to be covered by the
proposed exception, the use of eligibility information must be
responsive to the communication initiated by the consumer. The
supplementary information also explained that the time period during
which solicitations remain responsive to the consumer's communication
would depend on the facts and circumstances. As illustrated in the
example in proposed Sec. 680.20(d)(2)(iii), if a consumer were to call
an affiliate to ask about retail locations and hours, the affiliate
could not use eligibility information to make solicitations to the
consumer about specific products because those solicitations would not
be responsive to the consumer's communication. Conversely, the example
in proposed Sec. 680.20(d)(2)(i) illustrated that if the consumer
calls an affiliate to ask about its products or services and provides
contact information, solicitations related to those products or
services would be responsive to the communication and thus permitted
under the exception. Finally, as illustrated by the example in proposed
Sec. 680.20(d)(2)(ii), the Commission also contemplated that a
consumer would not initiate a communication if an affiliate made the
initial call and left a message for the consumer to call back, and the
consumer responded.
Commenters generally supported the text of the proposed consumer-
initiated communication exception. Several commenters, however, urged
the Commission to either delete the phrase ``orally, electronically, or
in writing'' from the regulation or modify the language to read
``whether orally, electronically, or in writing.'' These commenters
maintained that other means of communication may be used by consumers
in the future and should not be precluded by the regulations. Another
commenter welcomed the reference to oral communications and requested
that the Commission clarify that electronic communications refers to
both e-mail and facsimile transmissions.
Many industry commenters objected to the statement in the
supplementary information that to qualify for this exception, the use
of eligibility information ``must be responsive'' to the communication
initiated by the consumer. These commenters believed that the concept
of ``responsiveness'' creates a vague, subjective, and narrow standard
that could subject institutions to compliance risk. These commenters
noted that the Commission did not and could not provide a clear
definition of what would be ``responsive.'' Some of these commenters
noted that consumers may not be familiar with the various types of
products or services available to them and the different affiliates
that offer those products or services and may rely on the institution
to inform them about available options. For this reason, most of these
commenters maintained that the exception should not limit an affiliate
from responding with solicitations about any product or service. Some
of these commenters believed that it would be difficult to monitor
compliance with or to develop scripts for a ``responsiveness'' standard
by customer service representatives. One commenter noted that the
Senate bill used more restrictive language in this exception than the
final bill passed by Congress. Some commenters also objected to the
statement that the time period during which solicitations remain
responsive would depend on the facts and circumstances.
NAAG supported the statement in the supplementary information that,
to qualify for this exception, the use of eligibility information
``must be responsive'' to the communication initiated by the consumer.
NAAG believed this clarification was so important that it should be
incorporated into the rule itself. NAAG also suggested imposing a
specific time limit to allow solicitations to be made for no more than
30 days after the consumer-initiated communication under this
exception.
Industry commenters also objected to some of the examples. In
particular, industry commenters objected to the example in proposed
Sec. 680.20(d)(2)(i) on two grounds. First, these commenters believed
that the consumer should not have to supply contact information in
order to trigger the exception. These commenters noted that such a
requirement would seem to preclude solicitations over the phone during
the same call by presuming that a solicitation would be made by mail or
e-mail. Some of these commenters also believed that consumers would
expect an affiliated company, especially a company with a common brand,
to have their contact information already and would not want to provide
it again. Second, as noted above, some commenters maintained that the
affiliate should be able to respond by making solicitations about any
product or service, not just those mentioned by the consumer.
Many industry commenters objected to the example in proposed Sec.
680.20(d)(2)(ii) about the consumer responding to a call back message.
These commenters believed that such a call back should qualify as a
consumer-initiated communication, noting that the consumer has the
option of not returning the call. Moreover, these commenters noted that
the customer service representative receiving the call would not know
what prompted the consumer's call. Several commenters acknowledged that
there may be concerns about calls made under false pretenses to prompt
consumers to return the call, but suggested that those concerns should
be addressed by other means, such as enforcement of the laws dealing
with unfair or deceptive acts or practices.
Finally, some industry commenters expressed concerns about the
example in proposed Sec. 680.20(d)(2)(iii) regarding the consumer who
calls to ask for retail locations and hours. These commenters noted
that it is impossible to know what will transpire on a particular
telephone call. One commenter noted, for example, that if a consumer
called to ask for directions to an office, the customer service
representative might ask why the consumer needed to go to that office.
This, in turn, could prompt the consumer to mention a product or
service that the consumer hoped to
[[Page 61440]]
obtain and lead to a discussion of specific products or services that
might be appropriate for the consumer.
Section 680.21(c)(4) of the final rule revises the consumer-
initiated communications exception to delete the reference to oral,
electronic, or written communications. The Commission believes that any
form of communication may come within the exception as long as the
consumer initiates the communication, whether in-person or by mail, e-
mail, telephone, facsimile, or through other means. New forms of
communication that may develop in the future could also come within the
exception.
Section 680.21(c)(4) of the final rule also provides that the
communications covered by the exception are consumer-initiated
communications about a person's products or services. For the exception
to apply, the statute requires that a person use eligibility
information ``in response to'' a communication initiated by a consumer.
The Commission believes this statutory language contemplates that the
consumer-initiated communications will relate to a person's products or
services and that the solicitations covered by the exception will be
those made in response to that communication.
The Commission also believes the exceptions should be construed
narrowly to avoid undermining the general rule requiring notice and
opt-out. Thus, consistent with the purposes of the statute, the
Commission does not believe that a consumer-initiated communication
that is unrelated to a product or service should trigger the exception.
A rule that allowed any consumer-initiated communication, no matter how
unrelated to a product or service, to trigger the exception would not
to give meaning to the phrase ``in response to'' and could produce
incongruous results. For example, if a consumer calls an affiliate
solely to obtain retail hours and directions or solely to opt out, the
exception is not triggered because the communication does not relate to
the affiliate's products or services and making a solicitation about
products or services to the consumer in those circumstances would not
be a reasonable response to that communication.
The Commission recognizes, however, that if the conversation shifts
to a discussion of products or services that the consumer may need,
solicitations may be responsive depending upon the facts and
circumstances. Likewise, if a consumer who has opted out of an
affiliate's use of eligibility information to make solicitations calls
the affiliate for information about a particular product or service,
for example, life insurance, solicitations regarding life insurance
could be made in response to that call, but solicitations regarding
other products or services would not be responsive. Finally, the
Commission does not believe it is appropriate to adopt a specific time
limit for making solicitations following a consumer-initiated
communication about products or services because solicitations will
likely be made quickly and any time limit would be arbitrary.
In the final rule, the Commission has renumbered the example in
proposed Sec. 680.20(d)(2)(i) as Sec. 680.21(d)(3)(i), and revised it
to delete the references to a telephone call as the specific form of
communication and the reference to providing contact information. As
discussed above and illustrated in the examples in Sec. Sec.
680.20(j)(2)(ii)(E) and (F), the need to provide contact information
may vary depending on the form of communication used by the consumer.
The new example in Sec. 680.21(d)(3)(ii) responds to commenters'
concerns by illustrating a circumstance involving a consumer-initiated
communication in which a consumer does not know exactly what products
or services he or she wants, but initiates a communication to obtain
information about investing for a child's college education.
The Commission has renumbered the call-back example in proposed
Sec. 680.20(d)(2)(iii) as Sec. 680.21(d)(3)(iii) and revised it. The
revised example provides that where the financial institution makes an
initial marketing call without using eligibility information received
from an affiliate and leaves a message that invites the consumer to
apply for the credit by calling a toll-free number, the consumer's
response qualifies as a consumer-initiated communication about a
product or service. The revised example balances commenters' concerns
about tracking which calls are call backs and the Commission's concern
that consumers may be induced into triggering the consumer-initiated
communication exception as a result of inaccurate, incomplete, or
deceptive telephone messages.
For the reasons discussed above, the Commission has renumbered the
retail hours example in proposed Sec. 680.20(d)(2)(iii) as Sec.
680.21(d)(3)(iv), but otherwise adopted it as proposed. In addition,
the new example in Sec. 680.21(d)(3)(v) responds to commenters'
concerns by illustrating a case where a consumer calls to ask about
retail locations and hours and the call center representative, after
eliciting information about the reason why the consumer wants to visit
a retail location, offers to provide information about products of
interest to the consumer by telephone and mail, thus demonstrating how
the conversation may develop to the point where making solicitations
would be responsive to the consumer's call.
Consumer Authorization or Request Exception
Proposed Sec. 680.20(c)(5) clarified that the provisions of this
part would not apply to an affiliate using the information to make
solicitations affirmatively authorized or requested by the consumer.
The proposal further provided that this exception may be triggered by
an oral, electronic, or written authorization or request by the
consumer. However, a pre-selected check box or boilerplate language in
a disclosure or contract would not constitute an affirmative
authorization or request under the proposal.
The proposal noted that the consumer authorization or request
exception could be triggered, for example, if a consumer obtains a
mortgage from a mortgage lender and authorizes or requests to receive
solicitations about homeowner's insurance from an insurance affiliate
of the mortgage lender. The consumer could provide the authorization or
make the request either through the person with whom the consumer has a
business relationship or directly to the affiliate that will make the
solicitation. Proposed Sec. 680.20(d)(3) provided an example of the
affirmative authorization or request exception.
Most industry commenters argued that the proposed exception did not
track the language of the statute because the Commission included the
word ``affirmative'' in the proposed exception. These commenters
believed that including the word ``affirmative'' in the proposed rule
narrowed the exception in a manner not intended by Congress. Several of
these commenters noted that the Commission has declined to specify what
constitutes consumer consent under the GLBA privacy rule and indicated
that they were not aware of any policy considerations or compliance
issues that would warrant a departure from the Commission's prior
position.
Some industry commenters believed that a pre-selected check box
should be sufficient to evidence a consumer's authorization or request
for solicitations. In other words, a consumer's decision not to
deselect a pre-selected check box should constitute a knowing act of
the consumer to authorize or request solicitations. Other industry
[[Page 61441]]
commenters believed that preprinted language in a disclosure or
contract should be sufficient to evidence a consumer's authorization or
request for solicitations. One commenter cited case law and Commission
informal staff opinion letters relating to a consumer's written
instructions to obtain a consumer report pursuant to section 604(a)(2)
of the FCRA as support for allowing boilerplate language to constitute
authorization or request.
A few industry commenters requested that the Commission clarify
that a consumer's authorization or request does not have to refer to a
specific product or service or to a specific provider of products or
services in order for the exception to apply. As discussed above,
industry commenters had differing views regarding the reference to
oral, written, or electronic means of triggering the exception.
NAAG suggested imposing a specific time limit to allow
solicitations to be made for no more than 30 days after the consumer's
authorization or request under this exception.
Section 680.21(c)(5) of the final rule revises the consumer
authorization or request exception to delete the word ``affirmative''
as surplusage. The deletion of the word ``affirmative'' does not change
the meaning of the exception however. The consumer still must take
affirmative steps to ``authorize'' or ``request'' solicitations.
The Commission construes this exception, like the other exceptions,
narrowly and in a manner that does not undermine the general notice and
opt-out requirement. For that reason, the Commission believes that
affiliated companies cannot avoid use of the statute's notice and opt-
out provisions by including preprinted boilerplate language in the
disclosures or contracts they provide to consumers, such as language
stating that by applying to open an account, the consumer authorizes or
requests to receive solicitations from affiliates. Such an
interpretation would permit the exception to swallow the rule, a result
that cannot be squared with the intent of Congress to give consumers
notice and an opportunity to opt out of solicitations.
The comparison made by some commenters to the GLBA privacy rule is
misplaced. The GLBA and the privacy rule create an exception to permit
the disclosure of nonpublic personal information ``with the consent or
at the direction of the consumer.'' Section 624 of the FCRA creates an
exception to permit the use of shared eligibility information ``in
response to solicitations authorized or requested by the consumer.''
The Commission interprets the ``authorized or requested'' language in
the FCRA exception to require the consumer to take affirmative steps in
order to trigger the exception.
The Commission has made conforming changes to the example in
proposed Sec. 680.20(d)(3), which has been renumbered as Sec.
680.21(d)(4)(i) in the final rule. In addition, the Commission has
added three additional examples. The example in Sec. 680.21(d)(4)(ii)
illustrates how a consumer can authorize or request solicitations by
checking a blank check box. The examples in Sec. Sec.
680.21(d)(4)(iii) and (iv) illustrate that preprinted boilerplate
language and a pre-selected check box would not meet the authorization
or request exception.
The Commission does not believe it is appropriate to set a fixed
time period for an authorization or request. As noted in the proposal,
the duration of the authorization or request depends on what is
reasonable under the facts and circumstances. In addition, an
authorization to make solicitations to the consumer terminates if the
consumer revokes the authorization.
For the same reasons discussed above, the Commission has deleted
the reference to oral, electronic, or written communications from this
exception to track the language of the statute. Further, the Commission
does not believe it is necessary to clarify the elements of an
authorization or request. The statute clearly refers to ``solicitations
authorized or requested by the consumer.'' The facts and circumstances
will determine what solicitations have been authorized or requested by
the consumer.
Compliance with Applicable Laws Exception
Proposed Sec. 680.20(c)(6) clarified that the provisions of this
part would not apply to an affiliate if compliance with the
requirements of section 624 by the affiliate would prevent that
affiliate from complying with any provision of state insurance laws
pertaining to unfair discrimination in a state where the affiliate is
lawfully doing business. See FCRA, section 624(a)(4). The Commission
received no comments on this provision. Section 680.21(c)(6) of the
final rule adopts the state insurance law compliance exception as
proposed.
One commenter requested the creation of an additional exception to
permit the sharing of eligibility information among affiliates that are
aligned under one line of business within an organization and that
share common management, branding, and regulatory oversight (i.e.,
banking, securities, and insurance companies). This commenter was
focused on private banking enterprises. As discussed above, the
Commission finds no statutory basis for creating such an exception to
the notice and opt-out requirement.
Relation to Affiliate-Sharing Notice and Opt-out
Proposed Sec. 680.20(f) clarified the relationship between the
affiliate sharing notice and opt-out under section 603(d)(2)(A)(iii) of
the FCRA and the affiliate marketing notice and opt-out in new section
624 of the FCRA. Specifically, the proposal provided that nothing in
the affiliate marketing rule limits the responsibility of a company to
comply with the notice and opt-out provisions of section
603(d)(2)(A)(iii) of the FCRA before it shares information other than
transaction or experience information among affiliates to avoid
becoming a consumer reporting agency.
One commenter urged the Commission to delete this provision as
unnecessary. In the alternative, this commenter requested that the
Commission clarify that section 603(d)(2)(A)(iii) applies to the
sharing of information that would otherwise meet the definition of a
``consumer report,'' and that the sharing affiliate does not
automatically become a consumer reporting agency, but risks becoming a
consumer reporting agency.
This provision has been renumbered as Sec. 680.21(e) in the final
rule. Section 680.21(e) has been revised to delete the clause that
referred to becoming a consumer reporting agency and to substitute in
its place the neutral phrase ``where applicable.''
Section 680.22 Scope and Duration of Opt-Out
Scope of the Opt-out
The Commission addressed issues relating to the scope of the opt-
out in various sections of the proposal. In the supplementary
information to the proposal, the Commission stated that the opt-out
would be tied to the consumer, rather than to the information. Some
industry commenters supported the approach of tying the opt-out to the
consumer, rather than to the information. Other industry commenters,
however, believed it was inappropriate to tie the opt-out to the
consumer and requested that institutions have the flexibility to
implement the consumer's opt-out at the account level, rather than at
the consumer level. These commenters believed that an account-by-
account approach would be consistent with the
[[Page 61442]]
menu of opt-out choices provided in this rule and the GLBA privacy
rule. These commenters also noted that an account-based approach would
provide the consumer with a new notice and opportunity to opt out when
a former customer decides to re-establish a new relationship with the
institution.
Proposed Sec. 680.21(c) provided that the notice could be designed
to allow a consumer to choose from a menu of alternatives when opting
out, such as by selecting certain types of affiliates, certain types of
information, or certain modes of delivery from which to opt out, so
long as one of the alternatives gave the consumer the opportunity to
opt out with respect to all affiliates, all eligibility information,
and all methods of delivering solicitations. Several industry
commenters objected to the requirement that the institution provide a
single universal opt-out option that would allow consumers to opt out
completely of all solicitations. In addition, one commenter found the
reference to all types of eligibility information confusing, while
another commenter noted that some institutions may want to implement
the opt-out on an account-by-account basis.
Section 680.25(d) of the proposal provided that if a consumer's
relationship with an institution terminated for any reason when a
consumer's opt-out election was in force, the opt-out would continue to
apply indefinitely, unless revoked by the consumer. Most industry
commenters objected to having the opt-out period continue to apply
indefinitely upon termination of the consumer's relationship with the
institution. These commenters believed that this approach was not
supported by the statute, would prove costly and difficult to
administer, and would require the indefinite tracking of opt-outs.
These commenters also believed that the five-year opt-out period would
provide sufficient protection to consumers that terminate their
relationship. One commenter noted that the proposed rule would impose
particular hardships on mortgage lenders because those lenders often
have consumer relationships of very short duration on account of
selling the loans they originate into the secondary market. Consumer
groups supported the proposed treatment of opt-outs for terminated
consumer relationships.
Upon further examination, the Commission believes that the scope of
the opt-out should be addressed comprehensively in a single section of
the final rule. The Commission also concludes that tying the opt-out to
the consumer could have had unintended consequences. For example, if
the opt-out were tied to the consumer, an institution would have to
track the consumer indefinitely, even if the consumer's relationship
with the institution terminated and a new relationship were
subsequently established with that institution years later. The
Commission does not believe that institutions should be required to
track consumers indefinitely following termination. In addition, an
opt-out tied to the consumer could apply to the use of all eligibility
information, not just to eligibility information about the consumer,
received from an affiliate and used to make solicitations to the
consumer. It is not clear from the statute or the legislative history
that Congress intended the opt-out provisions of section 624 to apply
to eligibility information about consumers other than the consumer to
whom a solicitation is made. Finally, the Commission does not believe
it is necessary to make the opt-out effective in perpetuity upon
termination of the relationship.
Section 680.22(a) of the final rule brings together these different
scope considerations to address comprehensively the scope of the opt-
out. Under the revised approach, the scope of the opt-out is derived
from language of section 624(a)(2)(A) of the FCRA and generally depends
upon the content of the opt-out notice. Section 680.22(a)(1) provides
that, except as otherwise provided in that section, a consumer's
election to opt out prohibits any affiliate covered by the opt-out
notice from using the eligibility information received from another
affiliate as described in the notice to make solicitations for
marketing purposes to the consumer.
Section 680.22(a)(2)(i) clarifies that, in the context of a
continuing relationship, an opt-out notice may apply to eligibility
information obtained in connection with a single continuing
relationship, multiple continuing relationships, continuing
relationships established subsequent to delivery of the opt-out notice,
or any other transaction with the consumer. Section 680.22(a)(2)(ii)
provides examples of continuing relationships. These examples are
substantially similar to the examples used in the GLBA privacy rule
with added references to relationships between the consumer and an
affiliate.
Section 680.22(a)(3)(i) limits the scope of an opt-out notice that
is not connected with a continuing relationship. This section provides
that if there is no continuing relationship between the consumer and a
person or its affiliate, and if the person or its affiliate provides an
opt-out notice to a consumer that relates to eligibility information
obtained in connection with a transaction with the consumer, such as an
isolated transaction or a credit application that is denied, the opt-
out notice only applies to eligibility information obtained in
connection with that transaction. The notice cannot apply to
eligibility information that may be obtained in connection with
subsequent transactions or a continuing relationship that may be
subsequently established by the consumer with the person or its
affiliate. Section 680.22(a)(3)(ii) provides examples of isolated
transactions.
Section 680.22(a)(4) provides that a consumer may be given the
opportunity to choose from a menu of alternatives when electing to
prohibit solicitations. An opt-out notice may give the consumer the
opportunity to elect to prohibit solicitations from certain types of
affiliates covered by the opt-out notice but not other types of
affiliates covered by the notice, solicitations based on certain types
of eligibility information but not other types of eligibility
information, or solicitations by certain methods of delivery but not
other methods of delivery, so long as one of the alternatives is the
opportunity to prohibit all solicitations from all of the affiliates
that are covered by the notice. The Commission continues to believe
that the language of section 624(a)(2)(A) of the FCRA requires the opt-
out notice to contain a single opt-out option for all solicitations
within the scope of the notice.
The Commission recognizes that consumers could receive a number of
different opt-out notices, even from the same affiliate. The Commission
will monitor industry notice practices and evaluate whether further
action is needed.
Section 680.22(a)(5) contains a special rule for notice following
termination of a continuing relationship. This rule provides that a
consumer must be given a new opt-out notice if, after all continuing
relationships with a person or its affiliate have been terminated, the
consumer subsequently establishes a new continuing relationship with
that person or the same or a different affiliate and the consumer's
eligibility information is to be used to make a solicitation. This
special rule affords the consumer and the company a fresh start
following termination of all continuing relationships by requiring a
new opt-out notice if a new continuing relationship is subsequently
established.
The new opt-out notice must apply, at a minimum, to eligibility
information obtained in connection with the new continuing
relationship. The new opt-
[[Page 61443]]
out notice may apply more broadly to information obtained in connection
with a terminated relationship and give the consumer the opportunity to
opt out with respect to eligibility information obtained in connection
with both the terminated and the new continuing relationships. Further,
the consumer's failure to opt out does not override a prior opt-out
election by the consumer applicable to eligibility information obtained
in connection with a terminated relationship that is still in effect,
regardless of whether the new opt-out notice applies to eligibility
information obtained in connection with the terminated relationship.
The final rule also contains an example of this special rule. The
Commission notes, however, that where a consumer was not given an opt-
out notice in connection with the initial continuing relationship
because eligibility information obtained in connection with that
continuing relationship was not shared with affiliates for use in
making solicitations, an opt-out notice provided in connection with a
new continuing relationship would have to apply to any eligibility
information obtained in connection with the terminated relationship
that is to be shared with affiliates for use in making future
solicitations.
Duration and Timing of Opt-Out
Proposed Sec. 680.25 addressed the duration and effect of the
consumer's opt-out election. Proposed Sec. 680.25(a) provided that the
consumer's election to opt out would be effective for the opt-out
period, which is a period of at least five years beginning as soon as
reasonably practicable after the consumer's opt-out election is
received. The supplementary information noted that if a consumer
elected to opt out every year, a new opt-out period of at least five
years would begin upon receipt of each successive opt-out election.
Some industry commenters believed that the proposal was
inconsistent with the statute because it provided that the opt-out
period would begin as soon as reasonably practicable after the
consumer's opt-out election is received. These commenters believed that
the opt-out period should begin on the date the consumer's opt-out is
received and that the final rule also should allow institutions a
reasonable period of time to implement a consumer's initial or renewal
opt-out election before it becomes effective. Consumer groups believed
that the requirement to honor an opt-out ``beginning as soon as
reasonably practicable'' was too vague. These commenters believed that
a consumer's opt-out should be honored within a specific length of time
not to exceed 30 days after the consumer responds to the opt-out
notice.
A few industry commenters urged the Commission to allow consumers
to revoke an opt-out election orally. Other industry commenters
requested that the final rule include a clear statement that an opt-out
period may be shortened to a period of less than five years by the
consumer's revocation of an opt-out election. Consumer groups approved
of the Commission's statement that if a consumer opts out again during
the five-year opt-out period, then a new five-year period begins.
Consumer groups also supported allowing institutions to make the opt-
out period effective in perpetuity so long as this is clearly disclosed
to the consumer in the original notice.
The general provision regarding the duration of the opt-out has
been renumbered as Sec. 680.22(b) in the final rule, consistent with
the Commission's decision to address all scope issues in the same
section. The Commission has revised the duration provision to clarify
that the opt-out period expires if the consumer revokes the opt-out in
writing or, if the consumer agrees, electronically. The requirement for
a written or electronic revocation is retained and is consistent with
the approach taken in the GLBA privacy rule. The Commission does not
believe it is necessary or appropriate to permit oral revocation. The
Commission notes that many of the exceptions to the notice and opt-out
requirements may be triggered by oral communications, as discussed
above, which would enable the use of shared eligibility information to
make solicitations pending receipt of a written or electronic
revocation. Also, as noted in the proposal, nothing prohibits setting
an opt-out period longer than five years, including an opt-out period
that does not expire unless revoked by the consumer.
The Commission does not agree that the opt-out period should begin
on the date the consumer's election to opt out is received. Commenters
generally recognized that institutions cannot instantaneously implement
a consumer's opt-out election but need time to do so. The Commission
interprets the statutory language to mean that the consumer's opt-out
election must be honored for a period of at least five years from the
date such election is implemented. The Commission believes that
Congress did not intend for the opt-out period to be shortened to a
period of less than the five years specified in the statute to reflect
the time between the date the consumer's opt-out election is received
and the date the consumer's opt-out election is implemented.
The Commission also believes it is neither necessary nor desirable
to set a mandatory deadline for implementing the consumer's opt-out
election. A general standard is preferable because the time it will
reasonably take to implement a consumer's opt-out election may vary.
Consistent with the special rule for a notice following termination
of a continuing relationship, the duration of the opt-out is not
affected by the termination of a continuing relationship. When a
consumer opts out in the course of a continuing relationship and that
relationship is terminated during the opt-out period, the opt-out
remains in effect for the rest of the opt-out period. If the consumer
subsequently establishes a new continuing relationship while the opt-
out period remains in effect, the opt-out period may not be shortened
with respect to information obtained in connection with the terminated
relationship by sending a new opt-out notice to the consumer when the
new continuing relationship is established, even if the consumer does
not opt out upon receipt of the new opt-out notice. A person may track
the eligibility information obtained in connection with the terminated
relationship and provide a renewal notice to the consumer, or may
choose not to use eligibility information obtained in connection with
the terminated relationship to make solicitations to the consumer.
Proposed Sec. 680.25(c) clarified that a consumer may opt out at
any time. As explained in the supplementary information to the
proposal, even if the consumer did not opt out in response to the
initial opt-out notice or if the consumer's election to opt out was not
prompted by an opt-out notice, a consumer may still opt out. Regardless
of when the consumer opts out, the opt-out must be effective for a
period of at least five years.
The Commission received few comments on this provision. Consumer
groups urged the Commission to reinforce the continuing nature of the
right to opt out by requiring institutions to give the opt-out notice
annually along with the annual GLBA privacy notice. These commenters
acknowledged that the FCRA does not specifically state that the notice
is required annually, but noted that the statute also does not say that
the consumer has only one opportunity to opt out.
The Commission has renumbered the provision giving the consumer the
right
[[Page 61444]]
to opt out at any time as Sec. 680.22(c) in the final rule, but
otherwise adopted the provision as proposed. The Commission finds no
statutory basis for requiring the provision of an annual opt-out notice
to consumers along with the GLBA privacy notice.
Section 680.23 Contents of Opt-out Notice; Consolidated and Equivalent
Notices
Contents in General
Section 680.21 of the proposal addressed the contents of the opt-
out notice. Proposed Sec. 680.21(a) would have required that the opt-
out notice be clear, conspicuous, and concise, and accurately disclose:
(1) that the consumer may elect to limit a person's affiliate from
using eligibility information about the consumer that it obtains from
that person to make or send solicitations to the consumer; (2) if
applicable, that the consumer's election will apply for a specified
period of time and that the consumer will be allowed to extend the
election once that period expires; and (3) a reasonable and simple
method for the consumer to opt out.
Some commenters expressed concern about requiring the notice to
specify the applicable time period and the consumer's right to extend
the election once the opt-out expires. One commenter believed this
would require institutions to determine in advance the length of the
opt-out period. Another commenter urged the Commission to clarify that
institutions could subsequently increase the duration of the opt-out or
make it permanent without providing another notice to the consumer.
The Commission has renumbered the provisions addressing the
contents of the opt-out notice as Sec. 680.23(a) in the final rule and
revised them. Section 680.23(a)(1) of the final rule requires
additional information in opt-out notices. Section 680.23(a)(1)(i)
provides that all opt-out notices must identify, by name, the
affiliate(s) that is providing the notice. A group of affiliates may
jointly provide the notice. If the notice is provided jointly by
multiple affiliates and each affiliate shares a common name, such as
``ABC,'' then the notice may indicate that it is being provided by
multiple companies with the ABC name or multiple companies in the ABC
group or family of companies. Acceptable ways of identifying the
multiple affiliates providing the notice include stating that the
notice is provided by ``all of the ABC companies,'' ``the ABC banking,
credit card, insurance, and securities companies,'' or by listing the
name of each affiliate providing the notice. A representation that the
notice is provided by ``the ABC banking, credit card, insurance, and
securities companies'' applies to all companies in those categories,
not just some of those companies. But if the affiliates providing the
notice do not all share a common name, then the notice must either
separately identify each affiliate by name or identify each of the
common names used by those affiliates. For example, if the affiliates
providing the notice do business under both the ABC name and the XYZ
name, then the notice could list each affiliate by name or indicate
that the notice is being provided by ``all of the ABC and XYZ
companies'' or by ``the ABC banking and credit card companies and the
XYZ insurance companies.''
Section 680.23(a)(1)(ii) provides that an opt-out notice must
contain a list of the affiliates or types of affiliates covered by the
notice. The notice may apply to multiple affiliates and to companies
that become affiliates after the notice is provided to the consumer.
The rule for identifying the affiliates covered by the notice is
substantially similar to the rule for identifying the affiliates
providing the notice in Sec. 680.23(a)(1)(i), as described in the
previous paragraph.
Sections 680.23(a)(1)(iii)-(vii) respectively require the opt-out
notice to include the following: a general description of the types of
eligibility information that may be used to make solicitations to the
consumer; a statement that the consumer may elect to limit the use of
eligibility information to make solicitations to the consumer; a
statement that the consumer's election will apply for the specified
period of time stated in the notice and, if applicable, that the
consumer will be allowed to renew the election once that period
expires; if the notice is provided to consumers who may have previously
opted out, such as if a notice is provided to consumers annually, a
statement that the consumer who has chosen to limit marketing offers
does not need to act again until the consumer receives a renewal
notice; and a reasonable and simple method for the consumer to opt out.
The statement described in Sec. 680.23(a)(1)(vi) regarding consumers
who may have previously opted out does not apply to the model privacy
form that the Commission is developing in a separate rulemaking.
Appropriate use of the model forms in Appendix C will satisfy these
content requirements.
The Commission continues to believe that the opt-out notice must
specify the length of the opt-out period, if one is provided. However,
an institution that subsequently chooses to increase the duration of
the opt-out period that it previously disclosed or honor the opt-out in
perpetuity has no obligation to provide a revised notice to the
consumer. In that case, the result is the same as if the institution
established a five-year opt-out period and then did not send a renewal
notice at the end of that period. A person receiving eligibility
information from an affiliate would be prohibited from using that
information to make solicitations to a consumer unless a renewal notice
is first provided to the consumer and the consumer does not renew the
opt-out. So long as no solicitations are made using eligibility
information received from an affiliate, there would be no violation of
the statute or regulation for failing to send a renewal notice in this
situation.
Joint Notice
Proposed Sec. 680.24(c) permitted a person subject to this rule to
provide a joint opt-out notice with one or more of its affiliates that
are identified in the notice, so long as the notice was accurate with
respect to each affiliate jointly issuing the notice. Under the
proposal, a joint notice would not have to list each affiliate
participating in the joint notice by its name, but could state that it
applies to ``all institutions with the ABC name'' or ``all affiliates
in the ABC family of companies.''
One commenter believed that individually listing each company could
result in long and confusing notices. This commenter suggested revising
the rule to permit the generic identification of the types of
affiliates by whom eligibility information may be used to make
solicitations and to allow the notice to apply to entities that become
affiliates after the notice is sent.
In the final rule, the separate joint notice provision has been
eliminated. Instead, the final rule incorporates the joint notice
option into the provisions that address which affiliates may provide
the opt-out notice and the contents of the notice.
Joint relationships
The proposal addressed joint relationships in the section dealing
with delivery of opt-out notices. Proposed Sec. 680.24(d) set out a
rule that would apply when two or more consumers jointly obtain a
product or service from a person subject to the rule (referred to in
the proposed regulation as ``joint consumers''), such as a joint credit
card account. It also provided several examples. Under the proposal, a
person subject to this rule could provide a single opt-out notice to
joint accountholders. The notice would have
[[Page 61445]]
had to indicate whether the person would consider an opt-out by a joint
accountholder as an opt-out by all of the associated accountholders, or
whether each accountholder would have to opt out separately. The person
could not require all accountholders to opt out before honoring an opt-
out direction by one of the joint accountholders. Because section 624
of the FCRA deals with the use of information for marketing by
affiliates, rather than the sharing of information among affiliates,
comment was requested on whether information about a joint account
should be allowed to be used for making solicitations to a joint
consumer who has not opted out.
Some commenters supported the flexible approach proposed by the
Commission for dealing with joint accounts and notice to joint
accountholders. One commenter suggested providing additional
flexibility to enable consumers to opt out in certain circumstances,
such as when eligibility information from a joint account is involved,
but not in others, such as when eligibility information from an
individual account is involved. Another commenter, however, believed
that the provisions regarding joint relationships may not be
appropriate for the affiliate marketing rule because section 624
relates to the use of information for marketing to a particular
consumer, not to the sharing of information among affiliates. Consumer
groups urged the Commission to prohibit the use of eligibility
information about a joint account for making solicitations to a
consumer who has not opted out if the other joint consumer on the
account has opted out.
The Commission has renumbered the provision addressing joint
relationships as Sec. 680.23(a)(2) in the final rule. The Commission
has deleted the example of joint relationships from the final rule
because it addressed, in part, the sharing of information, rather than
the use of information. The Commission has made other revisions to
enhance the readability of this provision. The revised provision is
substantively similar to the joint relationships provision of the GLBA
privacy rule, except to the extent that rule refers to the sharing of
information among affiliates.
The Commission believes that different issues may arise with regard
to providing a single opt-out notice to joint consumers in the context
of this rule, which focuses on the use of information, compared to
issues that may arise with regard to providing such a notice in the
context of other privacy rules that focus on the sharing of
information. For example, a consumer may opt out with respect to
affiliate marketing in connection with an individually-held account,
but not opt out with respect to affiliate marketing in connection with
a joint relationship. In that case, it could be challenging to identify
which consumer information may and may not be used by affiliates to
make solicitations to the consumer. Nevertheless, the final rule
permits persons providing opt-out notices to consumers to provide a
single opt-out notice to joint consumers.
Alternative Contents
Proposed Sec. 680.21(d) provided that, where an institution elects
to give consumers a broader right to opt out of marketing than is
required by this part, the institution would have the ability to modify
the contents of the opt-out notice to reflect accurately the scope of
the opt-out right it provides to consumers. This section also noted
that proposed Appendix A provided a model form that may be helpful for
institutions that wish to allow consumers to opt out of all marketing
from the institution and its affiliates, but use of the model form is
not required. Commenters generally favored the flexibility afforded by
this provision. The Commission has renumbered the provision addressing
alternative contents as Sec. 680.23(a)(3) in the final rule, but
otherwise adopted it as proposed.
Model Notices
Section 680.23(a)(4) in the final rule states that model notices
are provided in Appendix C of Part 698, renumbered from Appendix A of
Part 680. The Commission has provided these model notices to facilitate
compliance with the rule. However, the final rule does not require use
of the model notices.
Consolidated and Equivalent Notices
Proposed Sec. 680.27 provided that an opt-out notice required by
this part could be coordinated and consolidated with any other notice
or disclosure required to be issued under any other provision of law,
including but not limited to the notice described in section
603(d)(2)(A)(iii) of the FCRA and the notice required by title V of the
GLBA. In addition, a notice or other disclosure that was equivalent to
the notice required by this part, and that was provided to a consumer
together with disclosures required by any other provision of law, would
satisfy the requirements of this part. The proposal specifically
requested comment on the consolidation of the affiliate marketing
notice with the GLBA privacy notice and the affiliate sharing opt-out
notice under section 603(d)(2)(A)(iii) of the FCRA.
Commenters generally supported the proposed provision. Several
commenters believed it was probable that most institutions would want
to provide the affiliate marketing opt-out notice with their existing
GLBA privacy notice to reduce compliance costs and minimize consumer
confusion. One commenter believed that institutions would be less
likely to include the opt-out notice as part of their annual GLBA
privacy notice because section 214 does not have an annual notice
requirement.
The Commission has moved the provisions addressing consolidated and
equivalent notices to the section addressing the contents of the notice
and renumbered those provisions as Sec. Sec. 680.23(b) and (c)
respectively in the final rule. Otherwise, those provisions have been
adopted as proposed with one exception. The provision on equivalent
notices clarifies that an equivalent notice satisfies the requirements
of Sec. 680.23--not the entire part--because the part addresses many
issues besides the content of the notice, such as delivery and renewal
of opt-outs. The Commission believes that these provisions are related
to the contents of the notice and should therefore be included in this
section.
The Commission encourages consolidation of the affiliate marketing
opt-out notice with the GLBA privacy notice, including the affiliate
sharing opt-out notice under section 603(d)(2)(A)(iii) of the FCRA, so
that consumers receive a single notice they can use to review and
exercise all privacy opt-outs. Consolidation of these notices, however,
presents special issues. For example, the affiliate marketing opt-out
may be limited to a period of at least five years, subject to renewal,
whereas the GLBA privacy and FCRA section 603(d)(2)(A)(iii) opt-out
notices are not time-limited. This difference, if applicable, must be
made clear to the consumer. Thus, if a consolidated notice is used and
the affiliate marketing opt-out is limited in duration, the notice must
inform consumers that if they previously opted out, they do not need to
opt out again until they receive a renewal notice when the opt-out
expires or is about to expire. In addition, as discussed more fully
below, the Commission has developed a model privacy form that includes
the affiliate marketing opt-out. The Commission expects that once
published in final form, use of the model privacy form will satisfy the
requirement to provide an affiliate marketing opt-out notice.
[[Page 61446]]
Section 680.24 Reasonable Opportunity to Opt Out
Section 680.22(a) of the proposal provided that before a receiving
affiliate could use eligibility information to make or send
solicitations to the consumer, the communicating affiliate would have
to provide the consumer with a reasonable opportunity to opt out
following delivery of the opt-out notice. Given the variety of
circumstances in which institutions must provide a reasonable
opportunity to opt out, the proposal construed the requirement for a
reasonable opportunity to opt out as a general test that would avoid
setting a mandatory waiting period in all cases.
The proposed rule would not have required institutions subject to
the rule to disclose how long a consumer would have to respond to the
opt-out notice before eligibility information communicated to
affiliates could be used to make or send solicitations to the consumer,
although institutions would have the flexibility to include such
disclosures in their notices. In this respect, the proposed rule was
consistent with the GLBA privacy rule.
Industry commenters generally supported the Commission's approach
of treating the requirement for a reasonable opportunity to opt out as
a general test that would avoid setting a mandatory waiting period.
NAAG, on the other hand, believed that the Commission should set a
mandatory waiting period of at least 45 days from the date of mailing
or other transmission of the notice because consumers may be ill, away
from home, or otherwise unable to respond to correspondence promptly.
Industry commenters generally supported the Commission's decision
not to require the disclosure of how long a consumer would have to
respond to the opt-out notice before eligibility information could be
used to make or send solicitations to the consumer. Consumer groups
believed that consumers should be told how long they have to respond to
the notice before eligibility information could be used by affiliates
to make or send solicitations and that they may exercise their right to
opt out at any time.
The Commission has renumbered the section addressing a reasonable
opportunity to opt out as Sec. 680.24 in the final rule and revised
it. Section 680.24(a) of the final rule retains the approach of
construing the requirement for a reasonable opportunity to opt out as a
general test that avoids setting a mandatory waiting period in all
cases. Given the variety of circumstances in which a reasonable
opportunity to opt out must be provided, the Commission believes that
the appropriate time to permit solicitations may vary depending upon
the circumstances. A general standard provides flexibility to allow a
person to use eligibility information it receives from an affiliate to
make solicitations at an appropriate point in time that may vary
depending upon the circumstances, while assuring that the consumer is
given a realistic opportunity to prevent such use of this information.
In the final rule, the Commission has retained the approach of not
requiring affiliate marketing opt-out notices to disclose how long a
consumer has to respond before eligibility information may be used to
make solicitations to the consumer or that consumers may exercise their
right to opt out at any time. However, an institution may, at its
option, add this information to its opt-out notice.
Section 680.22(b) of the proposal provided examples to illustrate
what would constitute a reasonable opportunity to opt out. The proposed
examples would have provided a generally applicable safe harbor for
opt-out periods of 30 days. As explained in the supplementary
information to the proposal, although 30 days would be a safe harbor, a
person subject to this requirement could decide, at its option, to give
consumers more than 30 days in which to decide whether or not to opt
out. A shorter waiting period could be adequate in certain situations
depending on the circumstances.
Proposed Sec. 680.22(b)(1) contained an example of a reasonable
opportunity to opt out when the notice was provided by mail. Proposed
Sec. 680.22(b)(2) contained an example of a reasonable opportunity to
opt out when the notice was provided by electronic means. The proposed
examples were consistent with examples used in the GLBA privacy rule.
Proposed Sec. 680.22(b)(3) contained an example of a reasonable
opportunity to opt out where, in a transaction conducted
electronically, the consumer was required to decide, as a necessary
part of proceeding with the transaction, whether or not to opt out
before completing the transaction, so long as the institution provided
a simple process at the Internet Web site that the consumer could use
at that time to opt out. In this example, the opt-out notice would
automatically be provided to the consumer, such as through a non-
bypassable link to an intermediate Web page, or ``speedbump.'' The
consumer would be given a choice of either opting out or not opting out
at that time through a simple process conducted at the Web site. For
example, the consumer could be required to check a box right at the
Internet Web site in order to opt out or decline to opt out before
continuing with the transaction. However, this example would not cover
a situation where the consumer was required to send a separate e-mail
or visit a different Internet Web site in order to opt out.
Proposed Sec. 680.22(b)(4) illustrated that including the
affiliate marketing opt-out notice in a notice under the GLBA would
satisfy the reasonable opportunity standard. In such cases, the
consumer would be allowed to exercise the opt-out in the same manner
and would be given the same amount of time to exercise the opt-out as
is provided for any other opt-out provided in the GLBA privacy notice.
Proposed Sec. 680.22(b)(5) illustrated how an ``opt-in'' could
meet the requirement to provide a reasonable opportunity to opt out.
Specifically, if an institution has a policy of not allowing its
affiliates to use eligibility information to market to consumers
without the consumer's affirmative consent, providing the consumer with
an opportunity to ``opt in'' or affirmatively consent to such use would
constitute a reasonable opportunity to opt out. The supplementary
information clarified that the consumer's affirmative consent must be
documented and that a pre-selected check box would not evidence the
consumer's affirmative consent.
Some industry commenters supported the proposed 30-day safe harbor
and the examples illustrating the safe harbor. Other industry
commenters, however, expressed concern that the 30-day safe harbor
would become the mandatory minimum waiting period in virtually all
cases, particularly because of the risk of civil liability. For this
reason, some industry commenters objected to the use of examples
altogether and urged that the Commission delete the proposed examples.
Other industry commenters asked the Commission to include only the
examples from the GLBA.
Consumer groups believed that the safe harbor should be 45 days,
rather than 30 days. These commenters believed that 45 days was
necessary in part to account for the time consumed in mail deliveries
and in part to avoid penalizing consumers who are away from home for
vacation or illness.
Regarding the specific examples, a few commenters objected to the
example in proposed Sec. 680.22(b)(2), stating that the acknowledgment
of receipt requirement would be inconsistent with the Electronic
Signatures in Global and National Commerce Act (E-Sign Act). One of
[[Page 61447]]
these commenters believed this requirement amounted to an opt-in for
electronic notices. Several commenters believed that the example in
proposed Sec. 680.22(b)(3) for requesting the consumer to opt out as a
necessary step in proceeding with an electronic transaction should not
be limited to electronic transactions, but should be expanded to apply
to all transaction methods. A number of commenters believed that the
example in proposed Sec. 680.22(b)(5) should either be deleted or,
alternatively, should not refer to ``affirmative'' consent. These
commenters noted that the example in proposed Sec. 680.22(b)(4)
allowed a person to satisfy the reasonable opportunity standard by
permitting the consumer to exercise the opt-out in the same manner and
giving the consumer the same amount of time to exercise the opt-out as
provided in the GLBA privacy notice and that the GLBA rule did not
require ``affirmative'' consent.
The Commission has renumbered the examples of a reasonable
opportunity to opt out as Sec. 680.24(b) in the final rule, and
revised them as discussed below. The Commission believes the examples
are helpful in illustrating what constitutes a reasonable opportunity
to opt out.
The generally applicable 30-day safe harbor is retained in the
final rule. The Commission believes that providing a generally
applicable safe harbor of 30 days is helpful because it affords
certainty to entities that choose to follow the 30-day waiting period.
Although 30 days is a safe harbor in all cases, a person providing an
opt-out notice may decide, at its option, to give consumers more than
30 days in which to decide whether or not to opt out. A shorter waiting
period could be adequate in certain situations, depending on the
circumstances, in accordance with the general test for a reasonable
opportunity to opt out. The use of examples and a 30-day safe harbor is
consistent with the approach followed in the GLBA privacy rule.
However, the Commission believes that the examples in this rule should
differ to some extent from the examples in the GLBA privacy rule
because the affiliate marketing opt-out requires a one-time, not an
annual, notice. Further, the affiliate marketing notice may, but need
not, be included in the GLBA privacy notice.
In the final rule, the Commission has retained the example of a
reasonable opportunity to opt out by mail with revisions for clarity.
Commenters had no specific objections to this example.
The Commission has revised the example of a reasonable opportunity
to opt out by electronic means and divided it into two subparts in the
final rule to illustrate the different means of delivering an
electronic notice. The example illustrates that for notices provided
electronically, such as by posting the notice at an Internet Web site
at which the consumer has obtained a product or service, a reasonable
opportunity to opt out would include giving the consumer 30 days after
the consumer acknowledges receipt of the electronic notice to opt out
by any reasonable means. The acknowledgment of receipt aspect of this
example is consistent with an example in the GLBA privacy regulation.
The example also illustrates that for notices provided by e-mail to a
consumer who had agreed to receive disclosures by e-mail from the
person sending the notice, a reasonable opportunity to opt out would
include giving the consumer 30 days after the e-mail is sent to elect
to opt out by any reasonable means. The Commission does not believe
that consumer acknowledgment is necessary where the consumer has agreed
to receive disclosures by e-mail.
The Commission has determined that the electronic delivery of
affiliate marketing opt-out notices does not require consumer consent
in accordance with the E-Sign Act because neither section 624 of the
FCRA nor this final rule requires that the notice be provided in
writing. Thus, the Commission does not believe that the acknowledgment
of receipt trigger is beyond the scope of their interpretive authority.
Persons that provide affiliate marketing opt-out notices under this
part electronically may do so pursuant to the agreement of the
consumer, as specified in this rule, or in accordance with the
requirements of the E-Sign Act.
The Commission believes that the example of a consumer who is
required to opt out as a necessary part of proceeding with the
transaction should not be limited to electronic transactions. However,
rather than revising the electronic transactions example, the
Commission has retained the electronic transactions example in Sec.
680.24(b)(3) and added a new example for in-person transactions in
Sec. 680.24(b)(4). Together, these examples illustrate that an
abbreviated opt-out period is appropriate when the consumer is given a
``yes'' or ``no'' choice and is not permitted to proceed with the
transaction unless the consumer makes a choice. For in-person
transactions, consumers could be provided a form with a question that
requires the consumer to write a ``yes'' or ``no'' to indicate their
opt-out preference or a form that contains two blank check boxes: one
that allows consumers to indicate that they want to opt out and one
that allows consumers to indicate that they do not want to opt out.
In the final rule, the Commission has retained the example of
including the opt-out notice in a privacy notice in Sec. 680.24(b)(5)
as consistent with the statutory requirement that the Commission
consider methods for coordinating and combining notices. The Commission
has deleted the example of providing an opt-in as a form of opting out
as unnecessary and confusing.
Section 680.25 Reasonable and Simple Methods of Opting Out
Section 680.23 of the proposal set forth reasonable and simple
methods of opting out. This section generally tracked the examples of
reasonable opt-out means from Sec. 313.7(a)(2)(ii) of the GLBA privacy
regulation with certain revisions to give effect to Congress' mandate
that methods of opting out be simple. For instance, proposed Sec.
680.23(a)(2) referred to including a self-addressed envelope with the
reply form and opt-out notice. The Commission also contemplated that a
toll-free telephone number would be adequately designed and staffed to
enable consumers to opt out in a single phone call.
Proposed Sec. 680.23(b) set forth methods of opting out that are
not reasonable and simple, such as requiring the consumer to write a
letter to the institution or to call or write to obtain an opt-out form
rather than including it with the notice. This section generally
tracked the examples of unreasonable opt-out means from Sec.
313.7(a)(2)(iii) of the GLBA privacy rule. In addition, the proposal
contained an example of a consumer who agrees to receive the opt-out
notice in electronic form only, such as by electronic mail or by using
a process at a Web site. Such a consumer should not be required to opt
out solely by telephone or paper mail.
Many industry commenters asked the Commission to clarify that the
examples are not the only ways to comply with the rule. These
commenters believed that, as drafted, the proposal could be interpreted
as an exclusive rule, rather than as examples. These commenters asked
the Commission to make clear in the final rule that the methods set out
in the rule are examples and do not exclude other reasonable and simple
methods of opting out. A few industry commenters believed that the
final rule should not include any examples of methods of opting out
because of the potential for civil liability.
[[Page 61448]]
Many industry commenters also urged the Commission to use the same
examples used in the GLBA privacy rule. These commenters did not
believe that Congress would allow coordinated and consolidated notices,
but require different methods of opting out. For instance, these
commenters recommended deleting the reference to a self-addressed
envelope because there is no such reference in the GLBA privacy rule.
One commenter noted that its experience with self-addressed envelopes
was negative because consumers often used the envelopes for other
purposes resulting in misdirected communications. Industry commenters
also objected to requiring institutions to provide an electronic opt-
out mechanism to a consumer who agrees to receive an opt-out notice in
electronic form. These commenters believed this example was unjustified
and inconsistent with the GLBA privacy rule. Commenters also indicated
that some institutions may not have the technical capabilities to
accept electronic opt-outs. Several commenters recommended that the
Commission clarify that an institution is not obligated to honor opt-
outs submitted through means other than those designated by the
institution.
Consumer groups generally believed that the proposal appropriately
tracked the examples in the GLBA privacy regulation with revisions to
give effect to Congress' mandate that methods of opting out be simple.
These commenters believed, however, that the proposal was inadequate
because it provided examples instead of requiring the use of certain
methods. These commenters believed that the final rule should require
self-addressed envelopes and require that toll-free numbers be
adequately designed and staffed to enable consumers to opt out in a
single phone call. According to these commenters, inadequate and poorly
trained staff has been a shortcoming of the GLBA opt-out procedures.
These commenters also recommended that consumers be given the
opportunity to opt out by a simple check box on payment coupons.
Finally, these commenters asked the Commission to clarify that the
federal standard is a floor and that if the notice is combined with
other choices made available under other federal and state laws, the
most consumer-friendly means for opting out should apply.
The Commission has renumbered the section addressing reasonable and
simple methods of opting out as Sec. 680.25 in the final rule, and
revised it as discussed below. The Commission has restructured this
section to include a general rule and examples in separate paragraphs
(a) and (b) respectively. This revision clarifies that the specific
methods identified in the rule are examples, not an exhaustive list of
permissible methods.
The Commission believes that including examples in Sec. 680.25(b)
is helpful. However, the Commission declines to adopt the GLBA examples
without change. Section 624 of the FCRA requires the Commission to
ensure that the consumer is given reasonable and simple methods of
opting out. The GLBA did not require simple methods of opting out. The
Commission believes that the methods of opting out can, in some
instances, be simpler than some of the reasonable methods illustrated
in the GLBA privacy rule. To effectuate the statutory mandate that
consumers have simple methods of opting out, the Commission has
modified, for purposes of this rulemaking, some of the examples of
reasonable methods of opting out that were used in the GLBA privacy
regulation.
Most of the examples in the final rule are substantially similar to
those in Sec. 680.23(a) and (b) of the proposal with revisions for
clarity. The example in Sec. 680.25(b)(1)(ii) has been revised to
reflect the Commission's understanding that the reply form and self-
addressed envelope would be included together with the opt-out notice.
As in the proposal, the Commission contemplates that a toll-free
telephone number that consumers may call to opt out, as illustrated by
the example in Sec. 680.25(b)(1)(iv), would be adequately designed and
staffed to enable consumers to opt out in a single phone call. In
setting up a toll-free telephone number that consumers may use to
exercise their opt-out rights, institutions should minimize extraneous
messages directed to consumers who are in the process of opting out.
One new example in Sec. 680.25(b)(1)(v) illustrates that
reasonable and simple methods include allowing consumers to exercise
all of their opt-out rights described in a consolidated opt-out notice
that includes the GLBA privacy, FCRA affiliate sharing, and FCRA
affiliate marketing opt-outs, by a single method, such as by calling a
single toll-free telephone number. This example furthers the statutory
directive to the Commission to ensure that notices and disclosures may
be coordinated and consolidated. The final rule also clarifies the
example renumbered as Sec. 680.25(b)(2)(iii) to illustrate that it is
not reasonable or simple to require a consumer who receives the opt-out
notice in electronic form, such as through posting at an Internet Web
site, to opt out solely by paper mail or by visiting a different Web
site without providing a link to that site.
Section 680.25(c) has been added to clarify that each consumer may
be required to opt out through a specific means, as long as that means
is reasonable and simple for that consumer. This new section
corresponds to a provision in the GLBA privacy rule, 16 CFR Sec.
313.7(a)(2)(iv).
Section 680.26 Delivery of Opt-out Notices
General rule and examples
Section 680.24 of the proposal addressed the delivery of opt-out
notices. Proposed Sec. 680.24(a) provided that an institution would
have to deliver an opt-out notice so that each consumer could
reasonably be expected to receive actual notice. This standard would
not have required actual notice. The supplementary information to the
proposal also clarified that, for opt-out notices delivered
electronically, the notices could be delivered either in accordance
with the electronic disclosure provisions in this part or in accordance
with the E-Sign Act. For example, the institution could e-mail its
notice to a consumer who agreed to the electronic delivery of
information or provide the notice on its Internet Web site for a
consumer who obtained a product or service electronically from that Web
site. Commenters generally supported the reasonable expectation of
actual notice standard.
Proposed Sec. 680.24(b) provided examples to illustrate what would
constitute delivery of an opt-out notice. Commenters expressed concern
about the electronic notice example in proposed paragraph (b)(1)(iii).
Consumer groups objected to this example by pointing to a growing trend
in which companies require consumers to agree to electronic notices if
they conduct business on an Internet Web site. These commenters
believed that there was nothing to ensure that the notice would be
clearly accessible to consumers on the Web site. These commenters
believed that, at a minimum, the Commission should require the notice
to be sent to the consumer's e-mail address, rather than posted to an
Internet Web site, where the consumer has expressly opted in to the
electronic delivery of notices. Some industry commenters objected to
the acknowledgment of receipt requirement in this example as
inconsistent with the E-Sign Act. One of these commenters urged the
Commission to explicitly incorporate the E-Sign Act into the
[[Page 61449]]
requirements for delivering opt-out notices.
The Commission has renumbered the general rule regarding delivery
of opt-out notices as Sec. 680.26(a) in the final rule and divided the
examples into positive and negative examples in Sec. Sec. 680.26(b)
and (c) respectively. In the final rule, the Commission has retained
the reasonable expectation of actual notice standard, which does not
require the institution to determine if the consumer actually received
the opt-out notice. For example, mailing a printed copy of the opt-out
notice to the last known mailing address of a consumer satisfies the
requirement to deliver the opt-out notice so that there is a reasonable
expectation that the consumer has received actual notice.
The Commission has revised some of the examples of a reasonable
expectation of actual notice for electronic notices. The new example in
Sec. 680.26(b)(3) illustrates that the reasonable expectation of
actual notice standard would be satisfied by providing notice by e-mail
to a consumer who has agreed to receive disclosures by e-mail from the
person providing the notice. The Commission reiterates that an
acknowledgment of receipt is not necessary for a notice provided by e-
mail to such a consumer. Conversely, the example in Sec. 680.26(c)(2)
illustrates that the reasonable expectation of actual notice standard
would not be satisfied by providing notice by e-mail to a consumer who
has not agreed to receive disclosures by e-mail from the person
providing the notice.
The revised example in Sec. 680.26(b)(4) illustrates that for a
consumer who obtains a product or service electronically, the
reasonable expectation standard would be satisfied by posting the
notice on the Internet Web site at which the consumer obtains such
product or services and requiring the consumer to acknowledge receipt
of the notice. Conversely, the new example in Sec. 680.26(c)(3)
illustrates that the reasonable expectation standard would not be
satisfied by posting the notice on the Internet Web site without
requiring the consumer to acknowledge receipt of the notice. As
discussed above, the Commission has determined that the electronic
delivery of opt-out notices does not require consumer consent in
accordance with the E-Sign Act because neither section 624 of the FCRA
nor the final rule require that the notice be provided in writing.
Thus, requiring an acknowledgment of receipt is within the scope of the
Commission's interpretive authority. This example is also consistent
with an example in the GLBA privacy rule and seems appropriate where
the notice is posted at an Internet Web site.
The Commission declines to require the delivery of electronic
notices by e-mail. Concerns about the security of e-mail, especially
phishing, make it inappropriate to require e-mail as the only
permissible form of electronic delivery for opt-out notices.
Section 680 .27 Renewal of Opt-out
Proposed Sec. 680.26 described the procedures for extension of an
opt-out. Proposed Sec. 680.26(a) provided that a receiving affiliate
could not make or send solicitations to the consumer after the
expiration of the opt-out period based on eligibility information it
receives or has received from an affiliate, unless the person
responsible for providing the initial opt-out notice, or its successor,
has given the consumer an extension notice and a reasonable opportunity
to extend the opt-out, and the consumer does not extend the opt-out.
Thus, if an extension notice was not provided to the consumer, the opt-
out period would continue indefinitely. Proposed Sec. 680.26(b)
provided that each opt-out extension would have to be effective for a
period of at least five years.
Proposed Sec. 680.26(c) addressed the contents of a clear,
conspicuous, and concise extension notice and provided flexibility to
comply in either of two ways. Under one approach, the notice would
disclose the same items required to be disclosed in the initial opt-out
notice, along with a statement explaining that the consumer's prior
opt-out has expired or is about to expire, as applicable, and that if
the consumer wishes to keep the consumer's opt-out election in force,
the consumer must opt out again. Under a second approach, the extension
notice would provide: (1) that the consumer previously elected to limit
an affiliate from using eligibility information about the consumer that
it obtains from the communicating affiliate to make or send
solicitations to the consumer; (2) that the consumer's election has
expired or is about to expire, as applicable; (3) that the consumer may
elect to extend the consumer's previous election; and (4) a reasonable
and simple method for the consumer to opt out. The supplementary
information to the proposal clarified that institutions would not need
to provide extension notices if they treated the consumer's opt-out
election as valid in perpetuity, unless revoked by the consumer.
Proposed Sec. 680.26(d) addressed the timing of the extension
notice and provided that an extension notice could be given to the
consumer either a reasonable period of time before the expiration of
the opt-out period, or any time after the expiration of the opt-out
period but before solicitations that would have been prohibited by the
expired opt-out are made to the consumer. The Commission did not
propose to set a fixed time for what would constitute a reasonable
period of time before the expiration of the opt-out period to send an
extension notice because a reasonable period of time may depend upon
the amount of time afforded to the consumer for a reasonable
opportunity to opt out, the amount of time necessary to process opt-
outs, and other factors. Proposed Sec. 680.26(e) made clear that
sending an extension notice to the consumer before the expiration of
the opt-out period does not shorten the five-year opt-out period.
A few industry commenters objected to the fact that the contents of
the extension notice would differ from the contents of the initial
notice by requiring that the extension notice inform the consumer that
the consumer's prior opt-out has expired or is about to expire, as
applicable, and that the consumer must opt out again to keep the opt-
out election in force. These commenters argued that the added
disclosure requirement would be costly and provide little benefit to
consumers. One commenter maintained that the added disclosure
requirement would make it difficult, if not impossible, to combine the
extension notice with the GLBA privacy notice. Commenters also
maintained that the language of the statute, particularly section
624(a)(1), contemplates that the same notice would satisfy the
requirements for the initial and extension notices. Consumer groups and
NAAG recommended that the Commission define a ``reasonable
opportunity'' to extend the opt-out as a period of at least 45 days
before shared eligibility information is used to make solicitations to
the consumer.
The Commission has renumbered the provisions addressing the
extension or renewal of opt-outs as Sec. 680.27 in the final rule and
revised them. For purposes of clarity, the final rule refers to a
``renewal'' notice, rather than an ``extension'' notice.
Section 680.27(a) contains the general rule, which provides that
after the opt-out period expires, a person may not make solicitations
based on eligibility information received from an affiliate to a
consumer who previously opted out unless the consumer has been given a
compliant renewal notice and a reasonable opportunity to opt out, and
the consumer does not renew the opt-out. This section also clarifies
that a
[[Page 61450]]
person can make solicitations to a consumer after expiration of the
opt-out period if one of the exceptions in Sec. 680.21(c) applies.
The Commission declines to set a fixed minimum time period for a
reasonable opportunity to renew the opt-out as unnecessary and
inconsistent with the approach taken elsewhere in this rule and in the
GLBA privacy rule. The provision regarding the duration of the renewed
opt-out elicited no comment, and it has been retained in Sec.
680.27(a)(2) of the final rule.
Section 680.27(a)(3) identifies the affiliates who may provide the
renewal notice. A renewal notice must be provided either by the
affiliate that provided the previous opt-out notice or its successor,
or as part of a joint renewal notice from two or more members of an
affiliated group of companies, or their successors, that jointly
provided the previous opt-out notice. This rule balances the
Commission's goal of ensuring that the notice is provided by an entity
known to the consumer with a recognition that flexibility is required
to account for changes in the corporate structure that may result from
mergers and acquisitions, corporate name changes, and other events.
The Commission recognizes that the content of the extension or
renewal notice differs from the content of the initial notice. Nothing
in the statute, however, requires identical content in the initial and
renewal notices. Moreover, the statute requires the Commission to
provide specific guidance to ensure that opt-out notices are clear,
conspicuous, and concise. It is unreasonable to expect consumers, upon
receipt of a renewal notice, to remember that they previously opted out
five years ago (or longer) or, even if they do remember, to know that
they must opt out again in order to renew their opt-out decision.
Therefore, to ensure that the renewal notice is meaningful, the
Commission concludes that the renewal notice must remind the consumer
that he or she previously opted out, inform the consumer that the opt-
out has expired or is about to expire, and advise the consumer that he
or she must opt out again to renew the opt-out and continue to limit
solicitations from affiliates. Under the final rule, the renewal notice
can state that ``the consumer's election has expired or is about to
expire.'' The Commission has deleted the words ``as applicable'' so
that the notice does not have to be tailored to differentiate consumers
for whom the election ``has expired'' from those for whom the election
``is about to expire.''
The Commission is not persuaded that the additional content of the
renewal notice will have any impact on the ability to combine the opt-
out notice with the GLBA privacy notice. Even if the language of the
renewal notice were identical to the initial notice, it still could be
difficult to avoid honoring a consumer's opt-out in perpetuity if the
affiliate marketing opt-out notice is incorporated into the GLBA
privacy notice. Privacy notices typically state that if a consumer has
previously opted out, it is not necessary for the consumer to opt out
again. This statement would be accurate with respect to the affiliate
marketing opt-out only if the consumer's opt-out is honored in
perpetuity. It would not be accurate, however, if the affiliate
marketing opt-out is effective only for a limited period of time,
subject to renewal by the consumer at intervals of five years or
longer. Thus, if the affiliate marketing opt-out notice was
consolidated with GLBA privacy notices and was effective for a limited
period of time, the privacy notices would have to be modified to make
clear that statements that the consumer does not have to opt out again
do not apply to the affiliate marketing renewal notice. Therefore, the
Commission does not believe that requiring a renewal notice to contain
information not included in an initial notice will significantly affect
the ability to incorporate the affiliate marketing opt-out notice into
GLBA privacy notices because consolidation of the notices is most
likely to occur when the affiliate marketing opt-out will be honored in
perpetuity. Entities that prefer not to provide renewal notices may do
so by honoring the consumer's opt-out in perpetuity. The contents of
the renewal notice are adopted in Sec. 680.27(b) with revisions that
incorporate the changes to Sec. 680.23, as discussed above. Section
680.27(b) of the final rule also omits the alternative contents set
forth in the proposal, which the Commission now believes would be
unnecessarily duplicative.
Proposed Sec. 680.26(d) addressed the timing of the extension or
renewal notice and elicited no comment. The Commission has renumbered
this provision as Sec. 680.27(c) in the final rule and adopted it with
technical revisions. As explained in the supplementary information to
the proposal, providing the renewal notice a reasonable period of time
before the expiration of the opt-out period would enable institutions
to begin marketing to consumers who do not renew their opt-out upon
expiration of the opt-out period. But giving a renewal notice too far
in advance of the expiration of the opt-out period may confuse
consumers. The Commission will deem a renewal notice provided on or
with the last annual privacy notice required by the GLBA privacy
provisions sent to the consumer before the expiration of the opt-out
period to be reasonable in all cases.
Proposed Sec. 680.26(e) regarding the effect of an extension or
renewal notice on the existing opt-out period elicited no comment. The
Commission has renumbered this provision as Sec. 680.27(d) in the
final rule, and adopted it with technical changes.
Section 680.28 Effective Date, Compliance Date, and Prospective
Application
Effective Date and Compliance Date
Consistent with the requirements of section 624 of the FCRA, the
proposal indicated that the final rule would become effective six
months after the date on which it would be issued in final form. The
Commission requested comment on whether there was any need to delay the
mandatory compliance date beyond the effective date specifically to
permit institutions to incorporate the affiliate marketing opt-out
notice into their next annual GLBA privacy notice.
Most industry commenters believed that the Commission should delay
the mandatory compliance date until some time after the effective date
of the final rule. These commenters suggested various periods for
delaying the mandatory compliance date ranging from three months to
more than 24 months. Common recommendations were for a delayed
mandatory compliance date of six, 12, or 18 months.
Some of these commenters suggested a two-part mandatory compliance
date consisting of a delayed mandatory compliance date of either three
or six months for new accounts or for general application and a special
mandatory compliance date for institutions that intend to consolidate
their affiliate marketing opt-out notice with their GLBA privacy
notice. Under this special mandatory compliance date, institutions
would have to comply at the time they provide their next GLBA privacy
notice following the effective date of the final rule or a date
certain, whichever is earlier.
Industry commenters believed that a delayed mandatory compliance
date was necessary in order to make significant changes to business
practices and procedures, to implement necessary operational and
systems changes, and to design and provide opt-out notices.
[[Page 61451]]
Industry commenters also noted that many institutions would like to
send the affiliate marketing opt-out notice with their initial or
annual GLBA privacy notices, both to minimize costs and to avoid
consumer confusion. These commenters noted that many large institutions
provide GLBA privacy notices on a rolling basis and that a delayed
mandatory compliance date was necessary to enable institutions to
introduce the affiliate marketing opt-out notice into this cycle. One
large institution estimated that its first-year compliance costs would
increase by a minimum of $660,000 if it was not able to consolidate the
affiliate marketing opt-out notice with its GLBA privacy notice. A few
industry commenters believed that Congress knew that an effective date
is not necessarily the same as a mandatory compliance date because
banking regulations commonly have effective dates and mandatory
compliance dates that differ.
Consumer groups and NAAG believed that the effective date of the
final rule should be the mandatory compliance date. These commenters
believed that institutions have had time to prepare for compliance
since the FACT Act became law in December 2003. Consumer groups
believed that if institutions need more time to comply, affiliates
should cease using eligibility information to make solicitations until
the notice and opportunity to opt out is provided.
The final rule will become effective January 1, 2008. Consistent
with the statute's directive that the Commission ensure that notices
may be consolidated and coordinated, the mandatory compliance date is
delayed to give institutions a reasonable amount of time to include the
affiliate marketing opt-out notice with their initial and annual
privacy notices. Accordingly, compliance with this part is required not
later than October 1, 2008. The Commission believes that delaying the
mandatory compliance date for approximately one year will give all
institutions adequate time to develop and distribute opt-out notices
and give most institutions sufficient time to develop and distribute
consolidated notices if they choose to do so.
Prospective Application
Proposed Sec. 680.20(e) provided that the provisions of this part
would not apply to eligibility information that was received by a
receiving affiliate prior to the date on which compliance with these
regulations would be required. Some industry commenters supported this
provision. Other industry commenters, however, believed that the
proposed rule did not track the statutory language or reflect the
intent of Congress. These commenters believed that the final rule
should grandfather all information received by any financial
institution or affiliate in a holding company prior to the mandatory
compliance date, and not grandfather only that information received
prior to the mandatory compliance date by a person that intends to use
the information to make solicitations to the consumer. Some of these
commenters recommended, in the alternative, that the Commission clarify
that any information placed into a common database by an affiliate
should be deemed to have been provided to an affiliated person if the
Commission opts to retain the prospective application provision as
proposed. These commenters argued that without such a clarification,
affiliated companies would have to undertake the costly deconstruction
of existing databases to ensure compliance.
In the final rule, the provision addressing prospective application
has been renumbered as Sec. 680.28(c), and revised. The Commission
continues to believe that the better interpretation of the non-
retroactivity provision is that it is tied to receipt of eligibility
information by a person that intends to use the information to make
solicitations to the consumer. The final rule clarifies, however, that
a person is deemed to receive eligibility information from its
affiliate when the affiliate places that information in a common
database where it is accessible by the person, even if the person has
not accessed or used that information as of the compliance date. For
example, assume that an affiliate obtains eligibility information about
a consumer as a result of having a pre-existing business relationship
with that consumer. The affiliate places that information into a common
database that is accessible to other affiliates before the mandatory
compliance date. The final rule does not apply to that information, and
other affiliates may use that information for marketing to the
consumer. On the other hand, if the affiliate obtains eligibility
information about the consumer before the mandatory compliance date,
but does not either place that information into a common database that
is accessible to other affiliates or otherwise provide that information
to another affiliate before the mandatory compliance date, the final
rule will apply to that eligibility information. Further, if the
database is updated with new eligibility information after the
mandatory compliance date, the final rule will apply to the new or
updated eligibility information.
Appendix C
Appendix A of the proposal contained model forms to illustrate by
way of example how institutions could comply with the notice and opt-
out requirements of section 624 and the proposed regulations. Appendix
A included three proposed model forms. Model Form A-1 was a proposed
form of an initial opt-out notice. Model Form A-2 was a proposed form
of an extension notice. Model Form A-3 was a proposed form that
institutions may use if they offer consumers a broader right to opt out
of marketing than is required by law.
The proposed model forms were designed to convey the necessary
information to consumers as simply as possible. The Commission tested
the proposed model forms using two widely available readability tests,
the Flesch reading ease test and the Flesch-Kincaid grade level test,
each of which generates a readability score.\14\ Proposed Model Form A-
1 had a Flesch reading ease score of 53.7 and a Flesch-Kincaid grade
level score of 9.9. Proposed Model Form A-2 had a Flesch reading ease
score of 57.5 and a Flesch-Kincaid grade level score of 9.6. Proposed
Model Form A-3 had a Flesch reading ease score of 69.9 and a Flesch-
Kincaid grade level score of 6.7.
---------------------------------------------------------------------------
\14\ The Flesch reading ease test generates a score between zero
and 100, where the higher score correlates with improved
readability. The Flesch-Kincaid grade level test generates a
numerical assessment of the grade-level at which the text is
written.
---------------------------------------------------------------------------
Commenters generally supported the proposed model forms. As noted
above, some commenters had concerns about the content of the initial
and renewal notices. Some industry commenters expressed concern about
requiring the notice to specify the applicable time period and the
consumer's right to renew the election once the opt-out expires.
Industry commenters also suggested revising the language of the notice
to refer either to ``financial'' information or ``credit eligibility''
information for clarity. One commenter suggested deleting the examples
of the types of information shared with affiliates. Another commenter
suggested rephrasing the model forms in the passive voice. One
commenter encouraged the Commission to clarify that use of the model
forms provides a safe harbor. Another commenter believed that the
optional third paragraph of Model Form A-1 should be revised, or an
alternate paragraph added, to provide guidance on how to
[[Page 61452]]
clearly disclose to consumers that the opt-out may not limit the
sharing of contact information and other information that does not meet
the definition of ``consumer report.''
Consumer groups and NAAG commended the Commission for reporting the
Flesch reading ease score and Flesch-Kincaid grade-level score for each
of the model forms. These commenters urged the Commission to modify the
proposed rule to require that any person that does not use the model
forms must provide a notice that achieves readability scores at least
as good as the scores for the model forms. Consumer groups also
suggested adding a sentence about providing the form annually to
mitigate consumer confusion. These commenters also urged the Commission
to adopt a short-form notice.
The Commission has revised and expanded the number of model forms
to reflect changes made to the final rule. In addition, the model forms
have been renumbered as Appendix C to Part 698. The Commission believes
that model forms are helpful for entities that give notices and
beneficial for consumers. The model forms are provided as stand-alone
documents. However, some persons may choose to combine the opt-out
notice with other consumer disclosures, such as the GLBA privacy
notice. Creating a consolidated model form is beyond the scope of this
rulemaking, but, as discussed above, institutions can combine the
affiliate marketing opt-out notice with other disclosures, including
the GLBA privacy notice.
On March 31, 2006, the FTC, Board, FDIC, NCUA, OCC, and SEC
released a report entitled Evolution of a Prototype Financial Privacy
Notice, prepared by Kleimann Communication Group, Inc., summarizing
research that led to the development of a prototype short-form GLBA
privacy notice. That prototype included an affiliate marketing opt-out
notice. The prototype assumed that the notice would be provided by the
affiliate that is sharing eligibility information. The Commission
believes that providing model forms in this rule for stand-alone opt-
out notices that may be used in a more diverse set of circumstances
than a model privacy form is appropriate and consistent with efforts to
develop a model privacy form. On March 29, 2007, the FTC, Board, FDIC,
NCUA, OCC, OTS, SEC, and the Commodity Futures Trading Commission
published for public comment in the Federal Register (72 FR 14940) a
model privacy form that includes the affiliate marketing opt-out. Once
such a notice is published in final form, use of the model privacy form
will satisfy the requirement to provide an initial affiliate marketing
opt-out notice.
The final rule includes five model forms. Model Form C-1 is the
model for an initial notice provided by a single affiliate. Model Form
C-2 is the model for an initial notice provided as a joint notice from
two or more affiliates. Model Form C-3 is the model for a renewal
notice provided by a single affiliate. Model Form C-4 is the model for
a renewal notice provided as a joint notice from two or more
affiliates. Model Form C-5 is a model for a voluntary ``no marketing''
opt-out.
The Commission tested each of the model forms using two widely-
available readability tests, the Flesch reading ease test and the
Flesch-Kincaid grade level test. In conducting these tests, the
Commission eliminated parenthetical text wherever possible, included
the optional clauses, and substituted the names of fictional entities,
for example, ABC Lender or the ABC group of companies, as the names of
the relevant entities to ensure that the test results were not skewed
by the inclusion of descriptive text that would not be included in
actual opt-out notices. The results of these tests are summarized for
each of the model forms in Table 1 below.
Although the Commission encourages the use of these tests as well
as other types of consumer testing in designing opt-out notices, the
Commission declines to adopt a prescriptive approach that requires
notices to achieve certain scores under the Flesch reading ease or
Flesch-Kincaid grade level tests. Some variation in readability scores
is inevitable and may be caused by minor differences in the language of
the notice, such as the name of the entity providing the notice or the
types of information that may be used for marketing.
Table 1
------------------------------------------------------------------------
Flesch-
Flesch Kincaid
reading grade
ease level
score score
------------------------------------------------------------------------
Model Form C-1........................................ 50.2 11.5
Model Form C-2........................................ 51.7 11.5
Model Form C-3........................................ 54.6 9.7
Model Form C-4........................................ 54.2 9.8
Model Form C-5........................................ 81.3 3.8
------------------------------------------------------------------------
As noted in the proposal, use of the model forms is not mandatory.
However, appropriate use of the model forms provides a safe harbor.
There is flexibility to use or not use the model forms, or to modify
the forms, so long as the requirements of the regulation are met. For
example, although several of the model forms use five years as the
duration of the opt-out period, an opt-out period of longer than five
years may be used and the longer time period substituted in the opt-out
notices. Alternatively, the consumer's opt-out may be treated as
effective in perpetuity and, if so, the opt-out notice should omit any
reference to the limited duration of the opt-out period or the right to
renew the opt-out.
The Commission has revised the model forms so that the disclosure
regarding the duration of the opt-out may state that the opt-out
applies either for a fixed number of years or ``at least 5 years.''
This revision permits institutions that use a longer opt-out period or
that subsequently extend their opt-out period to rely on the model
language. The model form also contains a reference to the consumer's
right to revoke an opt-out. In addition, language has been added to the
model forms to clarify that, with an opt-out of limited duration, a
consumer does not have to opt out again until a renewal notice is sent.
V. Paperwork Reduction Act
In accordance with the Paperwork Reduction Act (PRA), as amended,
44 U.S.C. 3501-3521, the Commission staff has submitted the final rule
and a PRA Supporting Statement to the Office of Management and Budget
(OMB) for review. As required by the PRA, the staff's annual burden
estimates take into account the burden associated with the rule's
reporting, recordkeeping, and third-party disclosure requirements.\15\
---------------------------------------------------------------------------
\15\ 44 U.S.C. 3502(2); 5 CFR 1320.3(b)
---------------------------------------------------------------------------
As set forth in the notice of proposed rulemaking (NPRM), the final
rule likewise imposes disclosure requirements on certain affiliated
companies subject to the Commission's jurisdiction. The final rule
provides that if a company communicates certain information about a
consumer (``eligibility information'') to an affiliate, the affiliate
may not use that information to send solicitations to the consumer
unless the consumer is given notice and an opportunity and a simple
method to opt out of such use of the information and the consumer does
not opt out. The final rule also contains model disclosures that
companies may use to comply with the final rule's requirements.
The staff's estimates reflect the average amount of burden incurred
by entities subject to the final rule, taking into account that some
entities may not share eligibility information with
[[Page 61453]]
affiliates for the purpose of making solicitations and other entities
may choose to rely on the exceptions to the final rule's notice and
opt-out requirements. In either of these cases, the notice would not be
required, and the resulting burden would be zero. Moreover, the burden
estimates take into account that a number of non-GLBA companies
currently provide notices and opt-out choices voluntarily as a service
to their customers. Since these entities already have systems and
processes in place for providing the notice and implementing the opt-
out, the resulting PRA burden under the final rule for such entities
would be de minimis.
The staff's estimates assume a higher burden will be incurred
during the first year of the OMB clearance period with a lesser burden
incurred during the subsequent two years, since the notice is only
required to be given once for a minimum period of at least five (5)
years. The staff did not estimate the burden for preparing and
distributing extension notices by persons that limit the duration of
the opt-out time period because the minimum effective time period for
the opt-out is five years while the relevant PRA clearance period is no
more than three years. Moreover, entities providing the notice and opt-
out may elect to have a longer opt-out period, for example, ten years,
or to make the opt-out election effective in perpetuity.
The staff's labor cost estimates take into account: managerial and
professional time for reviewing internal policies and determining
compliance obligations; technical time for creating the notice and opt-
out, in either paper or electronic form; incremental training; and
clerical time for disseminating the notice and opt-out.\16\ In
addition, the staff's cost estimates presume that the availability of
model disclosures and opt-out notices will simplify the compliance
review and implementation processes, thereby significantly reducing the
cost of compliance. Further, the final rule gives entities flexibility
to provide a single joint notice on behalf of some or all of its
affiliates, which should further reduce the cost of compliance.
---------------------------------------------------------------------------
\16\ No clerical time was included in staff's burden analysis
for GLBA entities as the notice would likely be combined with
existing GLBA notices.
---------------------------------------------------------------------------
The Commission staff previously estimated in the NPRM that the
total paperwork burden for the proposed rule over a standard three-year
OMB grant of clearance would be 2,715,000 hours and $63,144,000 in
labor costs for both GLBA and non-GLBA entities, cumulatively.\17\ In
preparation for this publication, staff has revisited those estimates,
refining its analysis. There are no program changes from the NPRM that
impact staff's prior PRA analysis. Rather, staff has adjusted its
previously stated estimate of burden hours and the number of non-GLBA
entities that may send the proposed affiliate marketing notice based
on: (1) a refined numerical estimate of non-GLBA entities with
affiliates under the Commission's jurisdiction and thus subject to the
final rule; and (2) recognition that an entity need only give a notice
once during the three-year clearance period. Thus, staff now estimates
the total average annual burden hours and labor costs over the three-
year clearance period to be 1,105,000 and $31,302,000, respectively, as
further explained below.
---------------------------------------------------------------------------
\17\ 69 FR at 33335.
---------------------------------------------------------------------------
The staff estimates that approximately 1.17 million (rounded) non-
GLBA entities under the jurisdiction of the Commission have affiliates
and would be affected by the final rule.\18\ As in the NPRM, staff
further estimates that there are an average of 5 businesses per family
or affiliated relationship, and that the affiliated entities will
choose to send a joint notice, as permitted by the final rule. Thus an
estimated 233,400 (rounded) non-GLBA entities may send the new
affiliate marketing notice. The staff estimates that the cumulative
burden per non-GLBA entity will total 14 hours\19\ over a three-year
PRA clearance cycle, not per year, as previously set forth in the NPRM.
Based on updated population data, the Commission staff estimates that
the total burden for non-GLBA entities during the prospective three-
year clearance period would be approximately 3,268,000 hours and
associated labor costs would be approximately $92,247,000.\20\ However,
non-GLBA entities will give notice only once during a three-year
clearance period. Thus, averaged annually over that span, estimated
burden for non-GLBA entities is 1,089,000 hours and $30,749,000 in
labor costs, rounded.\21\
---------------------------------------------------------------------------
\18\ This estimate is derived from an analysis of a database of
U.S. businesses based on SIC codes for businesses that market goods
or services to consumers, which included the following industries:
transportation services; communication; electric, gas, and sanitary
services; retail trade; finance, insurance, and real estate; and
services (excluding business services and engineering, management
services). This estimate excludes businesses not subject to the
Commission's jurisdiction as well as businesses that do not use data
or information subject to the rule.
\19\ This estimate, as in the NPRM, is based on a projected
apportionment of 7 hours managerial time, 2 hours technical time,
and 5 hours of clerical assistance.
\20\ The hourly rates are based on average annual Bureau of
Labor Statistics National Compensation Survey data, June 2005 (with
2005 as the most recent whole year information available at the BLS
Web site). http://www.bls.gov/ncs/ocs/sp/ncbl0832.pdf (Table 1.1),
and further adjusted by a multiplier of 1.06426, a compounding for
approximate wage inflation for 2005 and 2006, based on the BLS
Employment Cost Index. The dollar total above is derived from the
estimated 7 hours of managerial labor at $34.21 per hour; 2 hours of
technical labor at $29.80 per hour; and 5 hours of clerical labor at
$14.44 per hour--a combined $371.27--multiplied by 1.06426 (a
combined $395.13)--for the estimated 233,400+ non-GLBA business
families subject to the Rule.
\21\ 3,268,000 hours / 3 = 1,089,000; $92,247,000 / 3 =
$30,749,000.
---------------------------------------------------------------------------
As stated in the NPRM, the number of GLBA entities under the
Commission's jurisdiction is 3,350.\22\ As before, staff estimates that
GLBA entities would incur 6 hours of paperwork burden during the first
year of the clearance period,\23\ given that the final rule provides
model notices. This would thus approximate 20,000 hours, cumulatively,
during the first year of a three-year OMB clearance period. Labor
costs, as adjusted, would approximate $716,000.\24\ Allowing for
increased familiarity with procedure, the paperwork burden in ensuing
years would decline, with GLBA entities each incurring 4 hours of
annual burden\25\ during the remaining two years of the clearance
period. At an estimated 3,350 GLBA entities under the Commission's
jurisdiction, this amounts to 13,400 hours and $472,000 in labor
costs\26\ in each of the ensuing two years. Thus, averaged over the
three-year clearance period, the estimated annual burden for GLBA
entities is 15,600 hours and $533,000 in labor costs.
---------------------------------------------------------------------------
\22\See 69 FR at 33334.
\23\ This estimate is based on 5 hours of managerial time and 1
hour of technical time to execute the notice. As in the NPRM, staff
excludes clerical time from the estimate because the notice likely
would be combined with existing GLBA notices.
\24\ 3,350 GLBA entities x ($34.21 x 5 hours) + ($29.80 x 1
hour)] x 1.06426 wage inflation multiplier. See note 20.
\25\ This estimate, carried over from the NPRM, is based on 3
hours of managerial time and 1 hour of technical time.
\26\ 3,350 GLBA entities x [($34.21 x 3 hours) + ($29.80 x 1
hour)] x 1.06426 wage inflation multiplier. See note 20.
---------------------------------------------------------------------------
Combining estimates for GLBA and non-GLBA entities, total average
annual burden over a prospective three-year clearance period, is
approximately 1,105,000 hours and $31,302,000 in labor costs, rounded.
As noted in the NPRM, GLBA entities are already providing notices to
their customers so there are no new capital or other non-labor costs,
as this notice may be consolidated into their current notices. For non-
GLBA entities, the final rule provides for simple and concise model
forms that institutions may use to
[[Page 61454]]
comply. Thus, any capital or non-labor costs associated with compliance
for these entities are negligible.
The Commission staff recognized that the amount of time needed for
any particular entity subject to the proposed requirements may be
higher or lower, but believes that the above stated averages are
reasonable estimates. In arriving at these estimates, staff determined
that many entities do not have affiliates and are not covered by
section 214 of the FACT Act or the rule. Entities that have affiliates
may choose not to engage in the sharing of certain information or
marketing to consumers covered by section 214 of the FACT Act or the
rule. Moreover, to minimize the compliance costs and burdens for
entities, particularly small businesses, the final rule contains model
disclosures and opt-out notices that may be used to satisfy the
statutory requirements. Finally, the final rule gives covered entities
flexibility to satisfy the notice and opt-out requirement by sending
the consumer a free-standing opt-out notice or by adding the opt-out
notice to the privacy notices already provided to consumers, such as
those provided in accordance with the provisions of Title V of the
GLBA. For covered persons that choose to prepare a free-standing opt-
out notice, the time necessary to prepare it would be minimal because
those persons could simply copy the model disclosure, making minor
adjustments as indicated by it. Similarly, for covered persons that
choose to incorporate the opt-out notice into their GLBA privacy
notices, the time necessary to integrate them would be minimal.
In response to the PRA section of the NPRM, the Commission received
one comment, from the Mortgage Bankers Association (``MBA''). The MBA
expressed concern that the NPRM's burden estimates convey a misleading
impression of the cost of compliance with the final rule.\27\ The MBA's
principal objection was that the cost estimates assume that the major
cost is sending the disclosures, rather than processing any opt-out
requests and ensuring that solicitations are not sent to consumers who
have opted out or have not yet had a reasonable opportunity to do so.
The MBA added that the NPRM's cost estimates did not reflect the costs
associated with building compliance systems, such as costs attributed
to significant database programming, coordination across business
entities, legal and managerial review, employee training, and business
process changes. As an example, the MBA stated that one of its members,
a medium-sized mortgage banker, estimated that it would cost at least
$5 million in direct costs to modify its data warehouse computer system
to accommodate the opt-outs and to send disclosures to all of its
customers, plus hundreds of thousands of dollars for indirect costs.
The MBA stated that the NPRM did not consider the significant clerical
effort needed to comply with the then-proposed rule. The MBA also
stated that companies that currently provide GLBA privacy and FCRA
affiliate sharing opt-out notices would still incur significant costs
because: (1) in contrast to the GLBA, the new opt-out right applies to
the sharing of information with affiliates; and (2) in contrast to the
FCRA, the new opt-out right applies to transaction and experience
information. Finally, the MBA stated that compliance with the then-
proposed rule would be particularly difficult because software
modifications and employee training will be required to ensure that
both bank and mortgage company employees have access to consumers'
transaction and experience information in order to service their
accounts, but they are prevented from using such information to solicit
business from consumers who have exercised their opt-out rights.
---------------------------------------------------------------------------
\27\ The MBA's comment is available at http://www.ftc.gov/os/comments/affiliate_marketing/04-13481-0033.pdf.
No other comments
relating to paperwork burden were received.
---------------------------------------------------------------------------
The Commission staff continues to believe that its estimate of the
average amount of time to prepare and distribute an initial notice to
consumers is reasonable. As a preliminary matter, the Commission staff
notes that the PRA does not require an estimate all of the costs that
may be associated with implementing the opt-out, but only the
information collection costs. The annual burden estimates take into
account the requisite burden associated with the reporting,
recordkeeping, and third-party disclosure requirements, including any
incremental training costs that may be associated with implementing the
final rule's requirements. Further, the Commission's staff estimates
are over-inclusive with respect to the number of entities that must
comply with the rule. As stated earlier, many entities voluntarily
provide consumers with the right to opt out of advertising by
affiliates, and thus will not be subject to the final rule's
requirements and attendant costs. The Commission continues to believe
that institutions should be able to modify existing database systems
and employee training programs, used to comply with the GLBA and FCRA
notice and opt-out requirements, to meet the requirements of this final
rule. The Commission also believes that use of an average amount of
time is appropriate because some persons may not share eligibility
information with affiliates for the purpose of making solicitations or
may choose to rely on the exceptions to the notice and opt-out
requirement. In either of these cases, the notice would not be
required, and the resulting burden would be zero.
The Commission also believes that the availability of model
disclosures and opt-out notices may significantly reduce the cost of
compliance. In addition, as stated earlier the final rule gives persons
considerable flexibility to provide a joint opt-out notice on behalf of
multiple affiliates and to define the scope and the duration of the
opt-out. This flexibility may reduce the cost of compliance by allowing
covered persons to make choices that are most appropriate for their
business. Moreover, because the notice is only required to be given
once for a minimum period of at least five years, the Commission's
estimates assume a higher burden will be incurred during the first year
of the OMB clearance period with a lesser burden incurred during the
subsequent two years.
VI. Final Regulatory Flexibility Analysis
The Regulatory Flexibility Act (``RFA''), 5 U.S.C. 601-612,
requires that the Commission provide an Initial Regulatory Flexibility
Analysis (``IRFA'') with a proposed rule and a Final Regulatory
Flexibility Analysis (``FRFA''), with the final rule, unless the
Commission certifies that the rule will not have a significant economic
impact on a substantial number of small business entities. See 5 U.S.C.
603-605. For the majority of entities subject to the final rule, a
small business entity is defined by the Small Business Administration
as one whose average annual receipts do not exceed $6 million or that
has fewer than 500 employees. See http://www.sba.gov/size/indextableofsize.html
.
1. Statement of the need for, and objectives of, the final rule.
The FACT Act amends the FCRA and was enacted, in part, for the
purpose of allowing consumers to limit the use of eligibility
information received from an affiliate to make solicitations to the
consumer. Section 214 of the FACT Act generally prohibits a person from
using certain information received from an affiliate to make a
solicitation for marketing purposes to a consumer,
[[Page 61455]]
unless the consumer is given notice and an opportunity and simple
method to opt out of the making of such solicitations. Section 214
requires the Commission, together with the other agencies, to issue
regulations implementing the section in consultation and coordination
with each other. The Commission received no comments on the reasons for
the proposed rule. The Commission is adopting the final rule to
implement Sec. 214 of the FACT Act. The Supplementary Information
above contains information on the objectives of the final rule.
2. Summary of issues raised by comments in response to the initial
regulatory flexibility analysis.
In accordance with Section 3(a) of the RFA, the Commission
conducted an initial regulatory flexibility analysis in connection with
the proposed rule. One commenter, the Mortgage Bankers Association
(MBA), believed that the Commission and the other agencies had
underestimated the costs of compliance. The issues raised by the MBA
are described in the Paperwork Reduction Act section above. The MBA's
concerns applied equally to small entities and larger entities. The MBA
did not raise any issues unique to small entities.
3. Description and estimate of small entities affected by the final
rule.
The affiliate marketing rule, which closely tracks the language of
section 214 of the FACT ACT, would apply to ``[a]ny person that
receives from another person related to it by common ownership or
affiliated by corporate control a communication of information that
would be a consumer report, but for clauses (i), (ii), and (iii) of
section 603(d)(2)(A).'' In short, section 214 applies to any entity
that (1) is under the Commission's jurisdiction pursuant to the FCRA
and (2) receives consumer report information from an affiliate and uses
that information to make a marketing solicitation to the consumer. The
entities covered by the Commission's rule would include non-bank
lenders, insurers, retailers, landlords, mortgage brokers, automobile
dealers, telecommunication firms, and any other business that shares
eligibility information with its affiliates. It is not readily feasible
to determine a precise number of small entities that will be subject to
the rule, but it is not likely that many of the entities covered by
this new rule are small as defined by the Small Business Administration
since most of the entities with affiliates are likely to be above the
$6 million level. See http://www.sba.gov/size/indextableofsize.html.
Although all small entities covered by the Commission's rule
potentially could be subject to the final rule, small entities that do
not have affiliates would not be subject to the final rule. In
addition, small entities that have affiliates may choose not to engage
in activities that would require compliance with the final rule. For
example, small entities may choose not to share eligibility information
with their affiliates for the purpose of making solicitations.
Alternatively, small entities and their affiliates may structure their
marketing activities in a way that does not trigger the requirement to
comply with the final rule, such as by relying upon the exceptions to
the notice requirement contained in the final rule.
4. Recordkeeping, reporting, and other compliance requirements.
The final rule requires small entities to provide opt-out notices
and renewal notices to consumers in certain circumstances, as discussed
in the Supplementary Information above. The final rule also requires
small entities to implement consumers' opt-out elections. The final
rule contains no requirement to report information to the Commission.
Small entities that have affiliates and that share eligibility
information with those affiliates for purposes of making solicitations
may be subject to the rule. Small entities that do not have affiliates,
do not share eligibility information with their affiliates for
marketing purposes, use shared eligibility information for purposes of
making solicitations only in accordance with one of the exceptions set
forth in the final rule, or structure their marketing activities to
eliminate the need to provide an opt-out notice would not be subject to
the final rule. The professional skills necessary for preparation of
the opt-out notice include compliance and/or privacy specialists and
computer programmers.
5. Steps taken to minimize the economic impact on small entities.
The Commission has attempted to minimize the economic impact on
small entities by adopting a rule that is consistent with the other
federal agencies and choosing alternatives that provide for joint
notices and model forms small institutions may, but are not required
to, use to minimize the cost of compliance.
Some commenters suggested an alternative that would allow any
affiliate to provide the opt-out notice to consumers instead of
requiring the affiliate the consumer has a relationship with to provide
the notice. The Commission chose the alternative that requires the
affiliate with the relationship with the consumer to provide the
notice. See section IV, supra. This alternative is not expected to have
a significant impact on small businesses since, as stated earlier, many
small businesses are not likely to be subject to the rule or they may
opt not to engage in practices that would subject them to the rule's
requirements.
List of Subjects
16 CFR Part 680
Consumer reports, Consumer reporting agencies, Credit, Fair Credit
Reporting Act, Trade practices.
16 CFR Part 698
Consumer reports, Consumer reporting agencies, Credit, Fair Credit
Reporting Act, Trade practices.
0
The Federal Trade Commission amends chapter I, title 16, Code of
Federal Regulations, as follows:
0
1. Add new part 680 as follows:
PART 680--AFFILIATE MARKETING
Sec.
680.1 Purpose and scope.
680.2 Examples.
680.3 Definitions.
680.4-680.20 [Reserved]
680.21 Affiliate marketing opt-out and exceptions.
680.22 Scope and duration of opt-out.
680.23 Contents of opt-out notice; consolidated and equivalent
notices.
680.24 Reasonable opportunity to opt out.
680.25 Reasonable and simple methods of opting out.
680.26 Delivery of opt-out notices
680.27 Renewal of opt-out.
680.28 Effective date, compliance date, and prospective application.
Authority: Sec. 214(b), Pub. L. 108-159; 15 U.S.C. 1681s-3
Sec. 680.1 Purpose and scope.
(a) Purpose. The purpose of this part is to implement section 214
of the Fair and Accu-rate Credit Transactions Act of 2003, which (by
adding section 624 to Fair Credit Reporting Act) regulates the use, for
marketing solicitation purposes, of consumer information provided by
persons affiliated with the person making the solicitation.
(b) Scope. This part applies to any person over which the Federal
Trade Commission has jurisdiction that uses information from its
affiliates for the purpose of marketing solicitations, or provides
information to its affiliates for that purpose.
Sec. 680.2 Examples.
The examples in this part are not exclusive. Compliance with an
example,
[[Page 61456]]
to the extent applicable, constitutes compliance with this part.
Examples in a paragraph illustrate only the issue described in the
paragraph and do not illustrate any other issue that may arise in this
part.
Sec. 680.3 Definitions.
As used in this part:
(a) Act. The term ``Act'' means the Fair Credit Reporting Act (15
U.S.C. 1681 et seq.).
(b) Affiliate. The term ``affiliate'' means any company that is
related by common ownership or common corporate control with another
company.
(c) Clear and conspicuous. The term ``clear and conspicuous'' means
reasonably under-standable and designed to call attention to the nature
and significance of the information presented.
(d) Common ownership or common corporate control. The term ``common
ownership or common corporate control'' means a relationship between
two companies under which:
(1) One company has, with respect to the other company:
(i) Ownership, control, or the power to vote 25 percent or more of
the outstanding shares of any class of voting security of a company,
directly or indirectly, or acting through one or more other persons;
(ii) Control in any manner over the election of a majority of the
directors, trustees, or general partners (or individuals exercising
similar functions) of a company; or
(iii) The power to exercise, directly or indirectly, a controlling
influence over the management or policies of a company, as the
Commission determines; or
(2) Any person has, with respect to both companies, a relationship
described in paragraphs (d)(1)(i) through (d)(1)(iii) of this section.
(e) Company. The term ``company'' means any corporation, limited
liability company, business trust, general or limited partnership,
association, or similar organization.
(f) Concise--(1) In general. The term ``concise'' means a
reasonably brief expression or statement.
(2) Combination with other required disclosures. A notice required
by this part may be concise even if it is combined with other
disclosures required or authorized by federal or state law.
(g) Consumer. The term ``consumer'' means an individual.
(h) Eligibility information. The term ``eligibility information''
means any information the communication of which would be a consumer
report if the exclusions from the definition of ``consumer report'' in
section 603(d)(2)(A) of the Act did not apply. Eligibility information
does not include aggregate or blind data that does not contain personal
identifiers such as account numbers, names, or addresses.
(i) Person. The term ``person'' means any individual, partnership,
corporation, trust, estate, cooperative, association, government or
governmental subdivision or agency, or other entity.
(j) Pre-existing business relationship--(1) In general. The term
``pre-existing business relationship'' means a relationship between a
person, or a person's licensed agent, and a consumer based on--
(i) A financial contract between the person and the consumer which
is in force on the date on which the consumer is sent a solicitation
covered by this part;
(ii) The purchase, rental, or lease by the consumer of the persons'
goods or services, or a financial transaction (including holding an
active account or a policy in force or having another continuing
relationship) between the consumer and the person, during the 18-month
period immediately preceding the date on which the consumer is sent a
solicitation covered by this part; or
(iii) An inquiry or application by the consumer regarding a product
or service offered by that person during the three-month period
immediately preceding the date on which the consumer is sent a
solicitation covered by this part.
(2) Examples of pre-existing business relationships. (i) If a
consumer has an existing loan account with a creditor, the creditor has
a pre-existing business relationship with the consumer and can use
eligibility information it receives from its affiliates to make
solicitations to the consumer about its products or services.
(ii) If a consumer obtained a mortgage from a mortgage lender, but
refinanced the mortgage loan with a different lender when the mortgage
loan came due, the first mortgage lender has a pre-existing business
relationship with the consumer and can use eligibility information it
receives from its affiliates to make solicitations to the consumer
about its products or services for 18 months after the date the
outstanding balance of the loan is paid and the loan is closed.
(iii) If a consumer obtains a mortgage, the mortgage lender has a
pre-existing business relationship with the consumer. If the mortgage
lender sells the consumer's entire loan to an investor, the mortgage
lender has a pre-existing business relationship with the consumer and
can use eligibility information it receives from its affiliates to make
solicitations to the consumer about its products or services for 18
months after the date it sells the loan, and the investor has a pre-
existing business relationship with the consumer upon purchasing the
loan. If, however, the mortgage lender sells a fractional interest in
the consumer's loan to an investor but also retains an ownership
interest in the loan, the mortgage lender continues to have a pre-
existing business relationship with the consumer, but the investor does
not have a pre-existing business relationship with the consumer. If the
mortgage lender retains ownership of the loan, but sells ownership of
the servicing rights to the consumer's loan, the mortgage lender
continues to have a pre-existing business relationship with the
consumer. The purchaser of the servicing rights also has a pre-existing
business relationship with the consumer as of the date it purchases
ownership of the servicing rights, but only if it collects payments
from or otherwise deals directly with the consumer on a continuing
basis.
(iv) If a consumer applies to a creditor for a product or service
that it offers, but does not obtain a product or service from or enter
into a financial contract or transaction with the creditor, the
creditor has a pre-existing business relationship with the consumer and
can therefore use eligibility information it receives from an affiliate
to make solicitations to the consumer about its products or services
for three months after the date of the application.
(v) If a consumer makes a telephone inquiry to a creditor about its
products or services and provides contact information to the creditor,
but does not obtain a product or service from or enter into a financial
contract or transaction with the creditor, the creditor has a pre-
existing business relationship with the consumer and can therefore use
eligibility information it receives from an affiliate to make
solicitations to the consumer about its products or services for three
months after the date of the inquiry.
(vi) If a consumer makes an inquiry to a creditor by e-mail about
its products or services, but does not obtain a product or service from
or enter into a financial contract or transaction with the creditor,
the creditor has a pre-existing business relationship with the consumer
and can therefore use eligibility information it receives from an
affiliate to make solicitations to the consumer about its products or
services
[[Page 61457]]
for three months after the date of the inquiry.
(vii) If a consumer has an existing relationship with a creditor
that is part of a group of affiliated companies, makes a telephone call
to the centralized call center for the group of affiliated companies to
inquire about products or services offered by the insurance affiliate,
and provides contact information to the call center, the call
constitutes an inquiry to the insurance affiliate that offers those
products or services. The insurance affiliate has a pre-existing
business relationship with the consumer and can therefore use
eligibility information it receives from its affiliated creditor to
make solicitations to the consumer about its products or services for
three months after the date of the inquiry.
(3) Examples where no pre-existing business relationship is
created. (i) If a consumer makes a telephone call to a centralized call
center for a group of affiliated companies to inquire about the
consumer's existing account with a creditor, the call does not
constitute an inquiry to any affiliate other than the creditor that
holds the consumer's account and does not establish a pre-existing
business relationship between the consumer and any affiliate of the
account-holding creditor.
(ii) If a consumer who has a loan account with a creditor makes a
telephone call to an af-filiate of the creditor to ask about the
affiliate's retail locations and hours, but does not make an inquiry
about the affiliate's products or services, the call does not
constitute an inquiry and does not establish a pre-existing business
relationship between the consumer and the affiliate. Also, the
affiliate's capture of the consumer's telephone number does not
constitute an inquiry and does not establish a pre-existing business
relationship between the consumer and the affiliate.
(iii) If a consumer makes a telephone call to a creditor in
response to an advertisement that offers a free promotional item to
consumers who call a toll-free number, but the advertisement does not
indicate that creditor's products or services will be marketed to
consumers who call in response, the call does not create a pre-existing
business relationship between the consumer and the creditor because the
consumer has not made an inquiry about a product or service offered by
the creditor, but has merely responded to an offer for a free
promotional item.
(k) Solicitation--(1) In general. The term ``solicitation'' means
the marketing of a product or service initiated by a person to a
particular consumer that is--
(i) Based on eligibility information communicated to that person by
its affiliate as described in this part; and
(ii) Intended to encourage the consumer to purchase or obtain such
product or service.
(2) Exclusion of marketing directed at the general public. A
solicitation does not include marketing communications that are
directed at the general public. For example, television, general
circulation magazine, and billboard advertisements do not constitute
solicitations, even if those communications are intended to encourage
consumers to purchase products and services from the person initiating
the communications.
(3) Examples of solicitations. A solicitation would include, for
example, a telemarketing call, direct mail, e-mail, or other form of
marketing communication directed to a particular consumer that is based
on eligibility information received from an affiliate.
(l) You means a person described in Sec. 680.1(b).
Sec. Sec. 680.4-680.20 [Reserved]
Sec. 680.21 Affiliate marketing opt-out and exceptions.
(a) Initial notice and opt-out requirement--(1) In general. You may
not use eligibility information about a consumer that you receive from
an affiliate to make a solicitation for marketing purposes to the
consumer, unless--
(i) It is clearly and conspicuously disclosed to the consumer in
writing or, if the consumer agrees, electronically, in a concise notice
that you may use eligibility information about that consumer received
from an affiliate to make solicitations for marketing purposes to the
consumer;
(ii) The consumer is provided a reasonable opportunity and a
reasonable and simple method to ``opt out,'' or prohibit you from using
eligibility information to make solicitations for marketing purposes to
the consumer; and
(iii) The consumer has not opted out.
(2) Example. A consumer has a homeowner's insurance policy with an
insurance company. The insurance company furnishes eligibility
information about the consumer to its affiliated creditor. Based on
that eligibility information, the creditor wants to make a solicitation
to the consumer about its home equity loan products. The creditor does
not have a pre-existing business relationship with the consumer and
none of the other exceptions apply. The creditor is prohibited from
using eligibility information received from its insurance affiliate to
make solicitations to the consumer about its home equity loan products
unless the consumer is given a notice and opportunity to opt out and
the consumer does not opt out.
(3) Affiliates who may provide the notice. The notice required by
this paragraph (a) must be provided:
(i) By an affiliate that has or has previously had a pre-existing
business relationship with the consumer; or
(ii) As part of a joint notice from two or more members of an
affiliated group of companies, provided that at least one of the
affiliates on the joint notice has or has previously had a pre-existing
business relationship with the consumer.
(b) Making solicitations--(1) In general. For purposes of this
part, you make a solicitation for marketing purposes if--
(i) You receive eligibility information from an affiliate;
(ii) You use that eligibility information to do one or more of the
following:
(A) Identify the consumer or type of consumer to receive a
solicitation;
(B) Establish criteria used to select the consumer to receive a
solicitation; or
(C) Decide which of your products or services to market to the
consumer or tailor your solicitation to that consumer; and
(iii) As a result of your use of the eligibility information, the
consumer is provided a solicitation.
(2) Receiving eligibility information from an affiliate, including
through a common database. You may receive eligibility information from
an affiliate in various ways, including when the affiliate places that
information into a common database that you may access.
(3) Receipt or use of eligibility information by your service
provider. Except as provided in paragraph (b)(5) of this section, you
receive or use an affiliate's eligibility information if a service
provider acting on your behalf (whether an affiliate or a nonaffiliated
third party) receives or uses that information in the manner described
in paragraphs (b)(1)(i) or (b)(1)(ii) of this section. All relevant
facts and circumstances will determine whether a person is acting as
your service provider when it receives or uses an affiliate's
eligibility information in connection with marketing your products and
services.
(4) Use by an affiliate of its own eligibility information. Unless
you have used eligibility information that you receive from an
affiliate in the manner described in paragraph (b)(1)(ii) of this
[[Page 61458]]
section, you do not make a solicitation subject to this part if your
affiliate:
(i) Uses its own eligibility information that it obtained in
connection with a pre-existing business relationship it has or had with
the consumer to market your products or services to the consumer; or
(ii) Directs its service provider to use the affiliate's own
eligibility information that it obtained in connection with a pre-
existing business relationship it has or had with the consumer to
market your products or services to the consumer, and you do not
communicate directly with the service provider regarding that use.
(5) Use of eligibility information by a service provider. (i) In
general. You do not make a solicitation subject to this part if a
service provider (including an affiliated or third-party service
provider that maintains or accesses a common database that you may
access) receives eligibility information from your affiliate that your
affiliate obtained in connection with a pre-existing business
relationship it has or had with the consumer and uses that eligibility
information to market your products or services to the consumer, so
long as--
(A) Your affiliate controls access to and use of its eligibility
information by the service provider (including the right to establish
the specific terms and conditions under which the service provider may
use such information to market your products or services);
(B) Your affiliate establishes specific terms and conditions under
which the service provider may access and use the affiliate's
eligibility information to market your products and services (or those
of affiliates generally) to the consumer, such as the identity of the
affiliated companies whose products or services may be marketed to the
consumer by the service provider, the types of products or services of
affiliated companies that may be marketed, and the number of times the
consumer may receive marketing materials, and periodically evaluates
the service provider's compliance with those terms and conditions;
(C) Your affiliate requires the service provider to implement
reasonable policies and procedures designed to ensure that the service
provider uses the affiliate's eligibility information in accordance
with the terms and conditions established by the affiliate relating to
the marketing of your products or services;
(D) Your affiliate is identified on or with the marketing materials
provided to the consumer; and
(E) You do not directly use your affiliate's eligibility
information in the manner described in paragraph (b)(1)(ii) of this
section.
(ii) Writing requirements. (A) The requirements of paragraphs
(b)(5)(i)(A) and (C) of this section must be set forth in a written
agreement between your affiliate and the service provider; and
(B) The specific terms and conditions established by your affiliate
as provided in paragraph (b)(5)(i)(B) of this section must be set forth
in writing.
(6) Examples of making solicitations. (i) A consumer has a loan
account with a creditor, which is affiliated with an insurance company.
The insurance company receives eligibility information about the
consumer from the creditor. The insurance company uses that eligibility
information to identify the consumer to receive a solicitation about
insurance products, and, as a result, the insurance company provides a
solicitation to the consumer about its insurance products. Pursuant to
paragraph (b)(1) of this section, the insurance company has made a
solicitation to the consumer.
(ii) The same facts as in the example in paragraph (b)(6)(i) of
this section, except that after using the eligibility information to
identify the consumer to receive a solicitation about insurance
products, the insurance company asks the creditor to send the
solicitation to the consumer and the creditor does so. Pursuant to
paragraph (b)(1) of this section, the insurance company has made a
solicitation to the consumer because it used eligibility information
about the consumer that it received from an affiliate to identify the
consumer to receive a solicitation about its products or services, and,
as a result, a solicitation was provided to the consumer about the
insurance company's products.
(iii) The same facts as in the example in paragraph (b)(6)(i) of
this section, except that eligibility information about consumers that
have loan accounts with the creditor is placed into a common database
that all members of the affiliated group of companies may independently
access and use. Without using the creditor's eligibility information,
the insurance company develops selection criteria and provides those
criteria, marketing materials, and related instructions to the
creditor. The creditor reviews eligibility information about its own
consumers using the selection criteria provided by the insurance
company to determine which consumers should receive the insurance
company's marketing materials and sends marketing materials about the
insurance company's products to those consumers. Even though the
insurance company has received eligibility information through the
common database as provided in paragraph (b)(2) of this section, it did
not use that information to identify consumers or establish selection
criteria; instead, the creditor used its own eligibility information.
Therefore, pursuant to paragraph (b)(4)(i) of this section, the
insurance company has not made a solicitation to the consumer.
(iv) The same facts as in the example in paragraph (b)(6)(iii) of
this section, except that the creditor provides the insurance company's
criteria to the creditor's service provider and directs the service
provider to use the creditor's eligibility information to identify
creditor consumers who meet the criteria and to send the insurance
company's marketing materials to those consumers. The insurance company
does not communicate directly with the service provider regarding the
use of the creditor's information to market its products to the
creditor's consumers. Pursuant to paragraph (b)(4)(ii) of this section,
the insurance company has not made a solicitation to the consumer.
(v) An affiliated group of companies includes a creditor, an
insurance company, and a service provider. Each affiliate in the group
places information about its consumers into a common database. The
service provider has access to all information in the common database.
The creditor controls access to and use of its eligibility information
by the service provider. This control is set forth in a written
agreement between the creditor and the service provider. The written
agreement also requires the service provider to establish reasonable
policies and procedures designed to ensure that the service provider
uses the creditor's eligibility information in accordance with specific
terms and conditions established by the creditor relating to the
marketing of the products and services of all affiliates, including the
insurance company. In a separate written communication, the creditor
specifies the terms and conditions under which the service provider may
use the creditor's eligibility information to market the insurance
company's products and services to the creditor's consumers. The
specific terms and conditions are: a list of affiliated companies
(including the insurance company) whose products or services may be
marketed to the creditor's consumers by the service provider; the
specific products or types of products that may be marketed to the
creditor's consumers by the service provider; the categories of
eligibility information that may be used by the service provider in
marketing products or services to the creditor's consumers; the types
or
[[Page 61459]]
categories of the creditor's consumers to whom the service provider may
market products or services of creditor affiliates; the number and/or
types of marketing communications that the service provider may send to
the creditor's consumers; and the length of time during which the
service provider may market the prod-ucts or services of the creditor's
affiliates to its consumers. The creditor periodically evaluates the
service provider's compliance with these terms and conditions. The
insurance company asks the service provider to market insurance
products to certain consumers who have loan accounts with the creditor.
Without using the creditor's eligibility information, the insurance
company develops selection criteria and provides those criteria,
marketing materials, and related instructions to the service provider.
The service provider uses the creditor's eligibility information from
the common database to identify the creditor's consumers to whom
insurance products will be marketed. When the insurance company's
marketing materials are provided to the identified consumers, the name
of the creditor is displayed on the insurance marketing materials, an
introductory letter that accompanies the marketing materials, an
account statement that accompanies the marketing materials, or the
envelope containing the marketing materials. The re-quirements of
paragraph (b)(5) of this section have been satisfied, and the insurance
company has not made a solicitation to the consumer.
(vi) The same facts as in the example in paragraph (b)(6)(v) of
this section, except that the terms and conditions permit the service
provider to use the creditor's eligibility information to market the
products and services of other affiliates to the creditor's consumers
whenever the service provider deems it appropriate to do so. The
service provider uses the creditor's eligibility information in
accordance with the discretion af-forded to it by the terms and
conditions. Because the terms and conditions are not specific, the
requirements of paragraph (b)(5) of this section have not been
satisfied.
(c) Exceptions. The provisions of this part do not apply to you if
you use eligibility information that you receive from an affiliate:
(1) To make a solicitation for marketing purposes to a consumer
with whom you have a pre-existing business relationship;
(2) To facilitate communications to an individual for whose benefit
you provide employee benefit or other services pursuant to a contract
with an employer related to and arising out of the current employment
relationship or status of the individual as a participant or
beneficiary of an employee benefit plan;
(3) To perform services on behalf of an affiliate, except that this
paragraph shall not be construed as permitting you to send
solicitations on behalf of an affiliate if the affiliate would not be
permitted to send the solicitation as a result of the election of the
consumer to opt out under this part;
(4) In response to a communication about your products or services
initiated by the consumer;
(5) In response to an authorization or request by the consumer to
receive solicitations; or
(6) If your compliance with this part would prevent you from
complying with any provision of State insurance laws pertaining to
unfair discrimination in any State in which you are lawfully doing
business.
(d) Examples of exceptions--(1) Example of the pre-existing
business relationship exception. A consumer has a loan account with a
creditor. The consumer also has a relationship with the creditor's
securities affiliate for management of the consumer's securities
portfolio. The creditor receives eligibility information about the
consumer from its securities affiliate and uses that information to
make a solicitation to the consumer about the creditor's wealth
management services. The creditor may make this solicitation even if
the consumer has not been given a notice and opportunity to opt out
because the creditor has a pre-existing business relationship with the
consumer.
(2) Examples of service provider exception. (i) A consumer has an
insurance policy issued by an insurance company. The insurance company
furnishes eligibility information about the consumer to an affiliated
creditor. Based on that eligibility information, the creditor wants to
make a solicitation to the consumer about its credit products. The
creditor does not have a pre-existing business relationship with the
consumer and none of the other exceptions in para-graph (c) of this
section apply. The consumer has been given an opt-out notice and has
elected to opt out of receiving such solicitations. The creditor asks a
service provider to send the solicitation to the consumer on its
behalf. The service provider may not send the solicitation on behalf of
the creditor because, as a result of the consumer's opt-out election,
the creditor is not permitted to make the solicitation.
(ii) The same facts as in paragraph (d)(2)(i) of this section,
except the consumer has been given an opt-out notice, but has not
elected to opt out. The creditor asks a service provider to send the
solicitation to the consumer on its behalf. The service provider may
send the solicitation on behalf of the creditor because, as a result of
the consumer's not opting out, the creditor is permitted to make the
solicitation.
(3) Examples of consumer-initiated communications. (i) A consumer
who has a consumer loan account with a finance company initiates a
communication with the creditor's mortgage lending affiliate to request
information about a mortgage. The mortgage lender affiliate may use
eligibility information about the consumer it obtains from the finance
company or any other affiliate to make solicitations regarding mortgage
products in response to the consumer-initiated communication.
(ii) A consumer who has a loan account with a creditor contacts the
creditor to request information about how to save and invest for a
child's college education without specifying the type of product in
which the consumer may be interested. Information about a range of
different products or services offered by the creditor and one or more
affiliates of the creditor may be responsive to that communication.
Such products or services may include the following: mutual funds
offered by the creditor's mutual fund affil-iate; section 529 plans
offered by the creditor, its mutual fund affiliate, or another
securities affiliate; or trust services offered by a different creditor
in the affiliated group. Any affiliate offering investment products or
services that would be responsive to the consumer's request for
information about saving and investing for a child's college education
may use eligibility information to make solicitations to the consumer
in response to this communication.
(iii) A credit card issuer makes a marketing call to the consumer
without using eligibility information received from an affiliate. The
issuer leaves a voice-mail message that invites the consumer to call a
toll-free number to apply for the issuer's credit card. If the consumer
calls the toll-free number to inquire about the credit card, the call
is a consumer-initiated communication about a product or service and
the credit card issuer may now use eligibility information it receives
from its affiliates to make solicitations to the consumer.
(iv) A consumer calls a creditor to ask about retail locations and
hours, but does not request information about products or services. The
creditor may not use eligibility information it receives from an
affiliate to make
[[Page 61460]]
solicitations to the consumer about its products or services because
the consumer-initiated communication does not relate to the creditor's
products or services. Thus, the use of eligibility information received
from an affiliate would not be responsive to the communication and the
exception does not apply.
(v) A consumer calls a creditor to ask about office locations and
hours. The customer service representative asks the consumer if there
is a particular product or service about which the consumer is seeking
information. The consumer responds that the consumer wants to stop in
and find out about second mortgage loans. The customer service
representative offers to provide that information by telephone and mail
additional information and application materials to the consumer. The
consumer agrees and provides or confirms contact information for
receipt of the materials to be mailed. The creditor may use eligibility
information it receives from an affiliate to make solicitations to the
consumer about mortgage loan products because such solicitations
respond to the consumer-initiated communication about products or
services.
(4) Examples of consumer authorization or request for
solicitations. (i) A consumer who obtains a mortgage from a mortgage
lender authorizes or requests information about homeowner's insurance
offered by the mortgage lender's insurance affiliate. Such
authorization or request, whether given to the mortgage lender or to
the insurance affiliate, would permit the insurance affiliate to use
eligibility information about the consumer it obtains from the mortgage
lender or any other affiliate to make solicitations to the consumer
about homeowner's insurance.
(ii) A consumer completes an online application to apply for a
credit card from a department store. The store's online application
contains a blank check box that the consumer may check to authorize or
request information from the store's affiliates. The consumer checks
the box. The consumer has authorized or requested solicitations from
store's affiliates.
(iii) A consumer completes an online application to apply for a
credit card from a department store. The store's online application
contains a pre-selected check box indicating that the consumer
authorizes or requests information from the store's affiliates. The
consumer does not deselect the check box. The consumer has not
authorized or requested solicitations from the store's affiliates.
(iv) The terms and conditions of a credit account agreement contain
preprinted boilerplate language stating that by applying to open an
account the consumer authorizes or requests to receive solicitations
from the creditor's affiliates. The consumer has not authorized or
requested solicitations from the creditor's affiliates.
(e) Relation to affiliate-sharing notice and opt-out. Nothing in
this part limits the responsibility of a person to comply with the
notice and opt-out provisions of section 603(d)(2)(A)(iii) of the Act
where applicable.
Sec. 680.22 Scope and duration of opt-out.
(a) Scope of opt-out--(1) In general. Except as otherwise provided
in this section, the consumer's election to opt out prohibits any
affiliate covered by the opt-out notice from using eligibility
information received from another affiliate as described in the notice
to make solicitations to the consumer.
(2) Continuing relationship--(i) In general. If the consumer
establishes a continuing relationship with you or your affiliate, an
opt-out notice may apply to eligibility information obtained in
connection with--
(A) A single continuing relationship or multiple continuing
relationships that the consumer establishes with you or your
affiliates, including continuing relationships established subsequent
to delivery of the opt-out notice, so long as the notice adequately
describes the continuing relationships covered by the opt-out; or
(B) Any other transaction between the consumer and you or your
affiliates as described in the notice.
(ii) Examples of continuing relationships. A consumer has a
continuing relationship with you or your affiliate if the consumer--
(A) Opens a credit account with you or your affiliate;
(B) Obtains a loan for which you or your affiliate owns the
servicing rights;
(C) Purchases an insurance product from you or your affiliate;
(D) Holds an investment product through you or your affiliate, such
as when you act or your affiliate acts as a custodian for securities or
for assets in an individual retirement arrangement;
(E) Enters into an agreement or understanding with you or your
affiliate whereby you or your affiliate undertakes to arrange or broker
a home mortgage loan for the consumer;
(F) Enters into a lease of personal property with you or your
affiliate; or
(G) Obtains financial, investment, or economic advisory services
from you or your affiliate for a fee.
(3) No continuing relationship--(i) In general. If there is no
continuing relationship between a consumer and you or your affiliate,
and you or your affiliate obtain eligibility information about a
consumer in connection with a transaction with the consumer, such as an
isolated transaction or a credit application that is denied, an opt-out
notice provided to the consumer only applies to eligibility information
obtained in connection with that transaction.
(ii) Examples of isolated transactions. An isolated transaction
occurs if--
(A) The consumer uses your or your affiliate's ATM to withdraw cash
from an account at a financial institution; or
(B) You or your affiliate sells the consumer a money order, airline
tickets, travel insurance, or traveler's checks in isolated
transactions.
(4) Menu of alternatives. A consumer may be given the opportunity
to choose from a menu of alternatives when electing to prohibit
solicitations, such as by electing to prohibit solicitations from
certain types of affiliates covered by the opt-out notice but not other
types of affiliates covered by the notice, electing to prohibit
solicitations based on certain types of eligibility information but not
other types of eligibility information, or electing to prohibit
solicitations by certain methods of delivery but not other methods of
delivery. However, one of the alternatives must allow the consumer to
prohibit all solicitations from all of the affiliates that are covered
by the notice.
(5) Special rule for a notice following termination of all
continuing relationships--(i) In general. A consumer must be given a
new opt-out notice if, after all continuing relationships with you or
your affiliate(s) are terminated, the consumer subsequently establishes
another continuing relationship with you or your affiliate(s) and the
consumer's eligibility information is to be used to make a
solicitation. The new opt-out notice must apply, at a minimum, to
eligibility information obtained in connection with the new continuing
relationship. Consistent with paragraph (b) of this section, the
consumer's decision not to opt out after receiving the new opt-out
notice would not override a prior opt-out election by the consumer that
applies to eligibility information obtained in connection with a
terminated relationship, regardless of whether the new opt-out notice
applies to eligibility information obtained in connection with the
terminated relationship.
(ii) Example. A consumer has an automobile loan account with a
creditor
[[Page 61461]]
that is part of an affiliated group. The consumer pays off the loan.
After paying off the loan, the consumer subsequently obtains a second
mortgage loan from the creditor. The consumer must be given a new
notice and opportunity to opt out before the creditor's affiliates may
make solicitations to the consumer using eligibility information
obtained by the creditor in connection with the new mortgage
relationship, regardless of whether the consumer opted out in
connection with the automobile loan account.
(b) Duration of opt-out. The election of a consumer to opt out must
be effective for a period of at least five years (the ``opt-out
period'') beginning when the consumer's opt-out election is received
and implemented, unless the consumer subsequently revokes the opt-out
in writing or, if the consumer agrees, electronically. An opt-out
period of more than five years may be established, including an opt-out
period that does not expire unless revoked by the consumer.
(c) Time of opt-out. A consumer may opt out at any time.
Sec. 680.23 Contents of opt-out notice; consolidated and equivalent
notices.
(a) Contents of opt-out notice--(1) In general. A notice must be
clear, conspicuous, and concise, and must accurately disclose:
(i) The name of the affiliate(s) providing the notice. If the
notice is provided jointly by multiple affiliates and each affiliate
shares a common name, such as ``ABC,'' then the notice may indicate
that it is being provided by multiple companies with the ABC name or
multiple companies in the ABC group or family of companies, for
example, by stating that the notice is provided by ``all of the ABC
companies,'' ``the ABC banking, credit card, insurance, and securities
companies,'' or by listing the name of each affiliate providing the
notice. But if the affiliates providing the joint notice do not all
share a common name, then the notice must either separately identify
each affiliate by name or identify each of the common names used by
those affiliates, for example, by stating that the notice is provided
by ``all of the ABC and XYZ companies'' or by ``the ABC banking and
credit card companies and the XYZ insurance companies;''
(ii) A list of the affiliates or types of affiliates whose use of
eligibility information is covered by the notice, which may include
companies that become affiliates after the notice is provided to the
consumer. If each affiliate covered by the notice shares a common name,
such as ``ABC,'' then the notice may indicate that it applies to
multiple companies with the ABC name or multiple companies in the ABC
group or family of companies, for example, by stating that the notice
is provided by ``all of the ABC companies,'' ``the ABC banking, credit
card, insurance, and securities companies,'' or by listing the name of
each affiliate providing the notice. But if the affiliates covered by
the notice do not all share a common name, then the notice must either
separately identify each covered affiliate by name or identify each of
the common names used by those affiliates, for example, by stating that
the notice applies to ``all of the ABC and XYZ companies'' or to ``the
ABC banking and credit card companies and the XYZ insurance
companies;''
(iii) A general description of the types of eligibility information
that may be used to make solicitations to the consumer;
(iv) That the consumer may elect to limit the use of eligibility
information to make solicitations to the consumer;
(v) That the consumer's election will apply for the specified
period of time stated in the notice and, if applicable, that the
consumer will be allowed to renew the election once that period
expires;
(vi) If the notice is provided to consumers who may have previously
opted out, such as if a notice is provided to consumers annually, that
the consumer who has chosen to limit solicitations does not need to act
again until the consumer receives a renewal notice; and
(vii) A reasonable and simple method for the consumer to opt out.
(2) Joint relationships. (i) If two or more consumers jointly
obtain a product or service, a single opt-out notice may be provided to
the joint consumers. Any of the joint consumers may exercise the right
to opt out.
(ii) The opt-out notice must explain how an opt-out direction by a
joint consumer will be treated. An opt-out direction by a joint
consumer may be treated as applying to all of the associated joint
consumers, or each joint consumer may be permitted to opt out
separately. If each joint consumer is permitted to opt out separately,
one of the joint consumers must be permitted to opt out on behalf of
all of the joint consumers and the joint consumers must be permitted to
exercise their separate rights to opt out in a single response.
(iii) It is impermissible to require all joint consumers to opt out
before implementing any opt-out direction.
(3) Alternative contents. If the consumer is afforded a broader
right to opt out of receiving marketing than is required by this part,
the requirements of this section may be satisfied by providing the
consumer with a clear, conspicuous, and concise notice that accurately
discloses the consumer's opt-out rights.
(4) Model notices. Model notices are provided in Appendix C of Part
698 of this chapter.
(b) Coordinated and consolidated notices. A notice required by this
part may be coordinated and consolidated with any other notice or
disclosure required to be issued under any other provision of law by
the entity providing the notice, including but not limited to the
notice de-scribed in section 603(d)(2)(A)(iii) of the Act and the
Gramm-Leach-Bliley Act privacy notice.
(c) Equivalent notices. A notice or other disclosure that is
equivalent to the notice required by this part, and that is provided to
a consumer together with disclosures required by any other provision of
law, satisfies the requirements of this section.
Sec. 680.24 Reasonable opportunity to opt out.
(a) In general. You must not use eligibility information about a
consumer that you receive from an affiliate to make a solicitation to
the consumer about your products or services, unless the consumer is
provided a reasonable opportunity to opt out, as required by
Sec. 680.21(a)(1)(ii) of this part.
(b) Examples of a reasonable opportunity to opt out. The consumer
is given a reasonable opportunity to opt out if:
(1) By mail. The opt-out notice is mailed to the consumer. The
consumer is given 30 days from the date the notice is mailed to elect
to opt out by any reasonable means.
(2) By electronic means. (i) The opt-out notice is provided
electronically to the consumer, such as by posting the notice at an
Internet Web site at which the consumer has obtained a product or
service. The consumer acknowledges receipt of the electronic notice.
The consumer is given 30 days after the date the consumer acknowledges
receipt to elect to opt out by any reasonable means.
(ii) The opt-out notice is provided to the consumer by e-mail where
the consumer has agreed to receive disclosures by e-mail from the
person sending the notice. The consumer is given 30 days after the e-
mail is sent to elect to opt out by any reasonable means.
(3) At the time of an electronic transaction. The opt-out notice is
provided to the consumer at the time of
[[Page 61462]]
an electronic transaction, such as a transaction conducted on an
Internet Web site. The consumer is required to decide, as a necessary
part of proceeding with the transaction, whether to opt out before
completing the transaction. There is a simple process that the consumer
may use to opt out at that time using the same mechanism through which
the transaction is conducted.
(4) At the time of an in-person transaction. The opt-out notice is
provided to the consumer in writing at the time of an in-person
transaction. The consumer is required to decide, as a necessary part of
proceeding with the transaction, whether to opt out before completing
the transaction, and is not permitted to complete the transaction
without making a choice. There is a simple process that the consumer
may use during the course of the in-person transaction to opt out, such
as completing a form that requires consumers to write a ``yes'' or
``no'' to indicate their opt-out preference or that requires the
consumer to check one of two blank check boxes--one that allows
consumers to indicate that they want to opt out and one that allows
consumers to indicate that they do not want to opt out.
(5) By including in a privacy notice. The opt-out notice is
included in a Gramm-Leach-Bliley Act privacy notice. The consumer is
allowed to exercise the opt-out within a reasonable period of time and
in the same manner as the opt-out under that privacy notice.
Sec. 680.25 Reasonable and simple methods of opting out.
(a) In general. You must not use eligibility information about a
consumer that you receive from an affiliate to make a solicitation to
the consumer about your products or services, unless the consumer is
provided a reasonable and simple method to opt out, as required by
Sec. 680.21(a)(1)(ii) of this part.
(b) Examples--(1) Reasonable and simple opt-out methods. Reasonable
and simple methods for exercising the opt-out right include--
(i) Designating a check-off box in a prominent position on the opt-
out form;
(ii) Including a reply form and a self-addressed envelope together
with the opt-out notice;
(iii) Providing an electronic means to opt out, such as a form that
can be electronically mailed or processed at an Internet Web site, if
the consumer agrees to the electronic delivery of information;
(iv) Providing a toll-free telephone number that consumers may call
to opt out; or
(v) Allowing consumers to exercise all of their opt-out rights
described in a consolidated opt-out notice that includes the privacy
opt-out under the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., the
affiliate sharing opt-out under the Act, and the affiliate marketing
opt-out under the Act, by a single method, such as by calling a single
toll-free telephone number.
(2) Opt-out methods that are not reasonable and simple. Reasonable
and simple methods for exercising an opt-out right do not include--
(i) Requiring the consumer to write his or her own letter;
(ii) Requiring the consumer to call or write to obtain a form for
opting out, rather than including the form with the opt-out notice;
(iii) Requiring the consumer who receives the opt-out notice in
electronic form only, such as through posting at an Internet Web site,
to opt out solely by paper mail or by visiting a different Web site
without providing a link to that site.
(c) Specific opt-out means. Each consumer may be required to opt
out through a specific means, as long as that means is reasonable and
simple for that consumer.
Sec. 680.26 Delivery of opt-out notices.
(a) In general. The opt-out notice must be provided so that each
consumer can reasonably be expected to receive actual notice. For opt-
out notices provided electronically, the notice may be provided in
compliance with either the electronic disclosure provisions in this
part or the provisions in section 101 of the Electronic Signatures in
Global and National Commerce Act, 15 U.S.C. 7001 et seq.
(b) Examples of reasonable expectation of actual notice. A consumer
may reasonably be expected to receive actual notice if the affiliate
providing the notice:
(1) Hand-delivers a printed copy of the notice to the consumer;
(2) Mails a printed copy of the notice to the last known mailing
address of the consumer;
(3) Provides a notice by e-mail to a consumer who has agreed to
receive electronic disclosures by e-mail from the affiliate providing
the notice; or
(4) Posts the notice on the Internet Web site at which the consumer
obtained a product or service electronically and requires the consumer
to acknowledge receipt of the notice.
(c) Examples of no reasonable expectation of actual notice. A
consumer may not reasonably be expected to receive actual notice if the
affiliate providing the notice:
(1) Only posts the notice on a sign in a branch or office or
generally publishes the notice in a newspaper;
(2) Sends the notice via e-mail to a consumer who has not agreed to
receive electronic disclosures by e-mail from the affiliate providing
the notice; or
(3) Posts the notice on an Internet Web site without requiring the
consumer to acknowledge receipt of the notice.
Sec. 680.27 Renewal of opt-out.
(a) Renewal notice and opt-out requirement--(1) In general. After
the opt-out period expires, you may not make solicitations based on
eligibility information you receive from an affiliate to a consumer who
previously opted out, unless:
(i) The consumer has been given a renewal notice that complies with
the requirements of this section and Sec. Sec. 680.24 through 680.26
of this part, and a reasonable opportunity and a reasonable and simple
method to renew the opt-out, and the consumer does not renew the opt-
out; or
(ii) An exception in Sec. 680.21(c) of this part applies.
(2) Renewal period. Each opt-out renewal must be effective for a
period of at least five years as provided in Sec. 680.22(b) of this
part.
(3) Affiliates who may provide the notice. The notice required by
this paragraph must be provided:
(i) By the affiliate that provided the previous opt-out notice, or
its successor; or
(ii) As part of a joint renewal notice from two or more members of
an affiliated group of companies, or their successors, that jointly
provided the previous opt-out notice.
(b) Contents of renewal notice. The renewal notice must be clear,
conspicuous, and concise, and must accurately disclose:
(1) The name of the affiliate(s) providing the notice. If the
notice is provided jointly by multiple affiliates and each affiliate
shares a common name, such as ``ABC,'' then the notice may indicate
that it is being provided by multiple companies with the ABC name or
multiple companies in the ABC group or family of companies, for
example, by stating that the notice is provided by ``all of the ABC
companies,'' ``the ABC banking, credit card, insurance, and securities
companies,'' or by listing the name of each affiliate providing the
notice. But if the affiliates providing the joint notice do not all
share a common name, then the notice must either separately identify
each affiliate by name or identify each of the common names used by
those affiliates, for
[[Page 61463]]
example, by stating that the notice is provided by ``all of the ABC and
XYZ companies'' or by ``the ABC banking and credit card companies and
the XYZ insurance companies;''
(2) A list of the affiliates or types of affiliates whose use of
eligibility information is covered by the notice, which may include
companies that become affiliates after the notice is provided to the
consumer. If each affiliate covered by the notice shares a common name,
such as ``ABC,'' then the notice may indicate that it applies to
multiple companies with the ABC name or multiple companies in the ABC
group or family of companies, for example, by stating that the notice
is provided by ``all of the ABC companies,'' ``the ABC banking, credit
card, insurance, and securities companies,'' or by listing the name of
each affiliate providing the notice. But if the affiliates covered by
the notice do not all share a common name, then the notice must either
separately identify each covered affiliate by name or identify each of
the common names used by those affiliates, for example, by stating that
the notice applies to ``all of the ABC and XYZ companies'' or to ``the
ABC banking and credit card companies and the XYZ insurance
companies;''
(3) A general description of the types of eligibility information
that may be used to make solicitations to the consumer;
(4) That the consumer previously elected to limit the use of
certain information to make solicitations to the consumer;
(5) That the consumer's election has expired or is about to expire;
(6) That the consumer may elect to renew the consumer's previous
election;
(7) If applicable, that the consumer's election to renew will apply
for the specified period of time stated in the notice and that the
consumer will be allowed to renew the election once that period
expires; and
(8) A reasonable and simple method for the consumer to opt out.
(c) Timing of the renewal notice--(1) In general. A renewal notice
may be provided to the consumer either--
(i) A reasonable period of time before the expiration of the opt-
out period; or
(ii) Any time after the expiration of the opt-out period but before
solicitations that would have been prohibited by the expired opt-out
are made to the consumer.
(2) Combination with annual privacy notice. If you provide an
annual privacy notice under the Gramm-Leach-Bliley Act, 15 U.S.C. 6801
et seq., providing a renewal notice with the last annual privacy notice
provided to the consumer before expiration of the opt-out period is a
reasonable period of time before expiration of the opt-out in all
cases.
(d) No effect on opt-out period. An opt-out period may not be
shortened by sending a renewal notice to the consumer before expiration
of the opt-out period, even if the consumer does not renew the opt out.
Sec. 680.28 Effective date, compliance date, and prospective
application.
(a) Effective date. This part is effective January 1, 2008.
(b) Mandatory compliance date. Compliance with this part is
required not later than October 1, 2008.
(c) Prospective application. The provisions of this part shall not
prohibit you from using eligibility information that you receive from
an affiliate to make solicitations to a consumer if you receive such
information prior to October 1, 2008. For purposes of this section, you
are deemed to receive eligibility information when such information is
placed into a common database and is accessible by you.
PART 698--AMENDED
0
2. Revise the authority citation for Part 698 to read as follows:
Authority: 15 U.S.C. 1681e, 1681g, 1681j, 1681m, 1681s, and
1681s-3; sections 211(d) and 214(b), Pub. L. 108-159, 117 Stat.1952.
0
3. Amend Sec. 698.1 by revising paragraph (b) to read as follows:
Sec. 698.1 Authority and purpose.
* * * * *
(b) Purpose. The purpose of this part is to comply with sections
607(d), 609(c), 609(d), 612(a), 615(d), and 624 of the Fair Credit
Reporting Act, as amended by the Fair and Accurate Credit Transactions
Act of 2003, and sections 211(d) and 214(b) of the Fair and Accurate
Credit Transactions Act of 2003.
0
4. Add Appendix C to Part 698 as follows:
APPENDIX C TO PART 698--MODEL FORMS FOR AFFILIATE MARKETING OPT-OUT
NOTICES
A. Although use of the model forms is not required, use of the
model forms in this Appendix (as applicable) complies with the
requirement in section 624 of the Act for clear, conspicuous, and
concise notices.
B. Certain changes may be made to the language or format of the
model forms without losing the protection from liability afforded by
use of the model forms. These changes may not be so extensive as to
affect the substance, clarity, or meaningful sequence of the
language in the model forms. Persons making such extensive revisions
will lose the safe harbor that this Appendix provides. Acceptable
changes include, for example:
1. Rearranging the order of the references to ``your income,''
``your account history,'' and ``your credit score.''
2. Substituting other types of information for ``income,''
``account history,'' or ``credit score'' for accuracy, such as
``payment history,'' ``credit history,'' ``payoff status,'' or
``claims history.''
3. Substituting a clearer and more accurate description of the
affiliates providing or covered by the notice for phrases such as
``the [ABC] group of companies,'' including without limitation a
statement that the entity providing the notice recently purchased
the consumer's account.
4. Substituting other types of affiliates covered by the notice
for ``credit card,'' ``insurance,'' or ``securities'' affiliates.
5. Omitting items that are not accurate or applicable. For
example, if a person does not limit the duration of the opt-out
period, the notice may omit information about the renewal notice.
6. Adding a statement informing consumers how much time they
have to opt out before shared eligibility information may be used to
make solicitations to them.
7. Adding a statement that the consumer may exercise the right
to opt out at any time.
8. Adding the following statement, if accurate: ``If you
previously opted out, you do not need to do so again.''
9. Providing a place on the form for the consumer to fill in
identifying information, such as his or her name and address.
C-1 Model Form for Initial Opt-out notice (Single-Affiliate Notice)
C-2 Model Form for Initial Opt-out notice (Joint Notice)
C-3 Model Form for Renewal Notice (Single-Affiliate Notice)
C-4 Model Form for Renewal Notice (Joint Notice)
C-5 Model Form for Voluntary ``No Marketing'' Notice
C-1 Model Form for Initial Opt-out Notice (Single-Affiliate Notice)
[Your Choice to Limit Marketing]/[Marketing Opt-out]
-- [Name of Affiliate] is providing this notice.
-- [Optional: Federal law gives you the right to limit some but not
all marketing from our affiliates. Federal law also requires us to
give you this notice to tell you about your choice to limit
marketing from our affiliates.]
-- You may limit our affiliates in the [ABC] group of companies,
such as our [credit card, insurance, and securities] affiliates,
from marketing their products or services to you based on your
personal information that we collect and share with them. This
information includes your [income], your [account history with us],
and your [credit score].
-- Your choice to limit marketing offers from our affiliates will
apply [until you tell us to change your choice]/[for x years from
when you tell us your choice]/[for at least 5 years from when you
tell us your choice]. [Include if the opt-out period
[[Page 61464]]
expires.] Once that period expires, you will receive a renewal
notice that will allow you to continue to limit marketing offers
from our affiliates for [another x years]/[at least another 5
years].
-- [Include, if applicable, in a subsequent notice, including an
annual notice, for consumers who may have previously opted out.] If
you have already made a choice to limit marketing offers from our
affiliates, you do not need to act again until you receive the
renewal notice.
To limit marketing offers, contact us [include all that apply]:
-- By telephone: 1-877--
-- On the Web: http://www._.com_
By mail: check the box and complete the form below, and send the
form to:
[Company name]
[Company address]
---- Do not allow your affiliates to use my personal information
to market to me.
C-2 Model Form for Initial Opt-out Notice (Joint Notice)
[Your Choice to Limit Marketing]/[Marketing Opt-out]
-- The [ABC group of companies] is providing this notice.
-- [Optional: Federal law gives you the right to limit some but not
all marketing from the [ABC] companies. Federal law also requires us
to give you this notice to tell you about your choice to limit
marketing from the [ABC] companies.]
-- You may limit the [ABC companies], such as the [ABC credit card,
insurance, and securities] affiliates, from marketing their products
or services to you based on your personal information that they
receive from other [ABC] companies. This information includes your
[income], your [account history], and your [credit score].
-- Your choice to limit marketing offers from the [ABC] companies
will apply [until you tell us to change your choice]/[for x years
from when you tell us your choice]/[for at least 5 years from when
you tell us your choice]. [Include if the opt-out period expires.]
Once that period expires, you will receive a renewal notice that
will allow you to continue to limit marketing offers from the [ABC]
companies for [another x years]/[at least another 5 years].
-- [Include, if applicable, in a subsequent notice, including an
annual notice, for consumers who may have previously opted out.] If
you have already made a choice to limit marketing offers from the
[ABC] companies, you do not need to act again until you receive the
renewal notice.
To limit marketing offers, contact us [include all that apply]:
-- By telephone: 1-877--
-- On the Web: http://www._.com_
By mail: check the box and complete the form below, and send the
form to:
[Company name]
[Company address]
---- Do not allow any company [in the ABC group of companies] to
use my personal information to market to me.
C-3 Model Form for Renewal Notice (Single-Affiliate Notice)
[Renewing Your Choice to Limit Marketing]/[Renewing Your
Marketing Opt-out]
-- [Name of Affiliate] is providing this notice.
-- [Optional: Federal law gives you the right to limit some but not
all marketing from our affiliates. Federal law also requires us to
give you this notice to tell you about your choice to limit
marketing from our affiliates.]
-- You previously chose to limit our affiliates in the [ABC] group
of companies, such as our [credit card, insurance, and securities]
affiliates, from marketing their products or services to you based
on your personal information that we share with them. This
information includes your [income], your [account history with us],
and your [credit score].
-- Your choice has expired or is about to expire.
To renew your choice to limit marketing for [x] more years, contact
us [include all that apply]:
-- By telephone: 1-877--
-- On the Web: http://www._.com_
By mail: check the box and complete the form below, and send the
form to:
[Company name]
[Company address]
---- Renew my choice to limit marketing for [x] more years.
C-4 Model Form for Renewal Notice (Joint Notice)
[Renewing Your Choice to Limit Marketing]/[Renewing Your
Marketing Opt-out]
-- The [ABC group of companies] is providing this notice.
-- [Optional: Federal law gives you the right to limit some but not
all marketing from the [ABC] companies. Federal law also requires us
to give you this notice to tell you about your choice to limit
marketing from the [ABC] companies.]
-- You previously chose to limit the [ABC companies], such as the
[ABC credit card, insurance, and securities] affiliates, from
marketing their products or services to you based on your personal
information that they receive from other [ABC] companies. This
information includes your [income], your [account history], and your
[credit score].
-- Your choice has expired or is about to expire.
To renew your choice to limit marketing for [x] more years,
contact us [include all that apply]:
-- By telephone: 1-877--
-- On the Web: http://www._.com_
By mail: check the box and complete the form below, and send the
form to:
[Company name]
[Company address]
---- Renew my choice to limit marketing for [x] more years.
C-5 Model Form for Voluntary ``No Marketing'' Notice
Your Choice to Stop Marketing
-- [Name of Affiliate] is providing this notice.
-- You may choose to stop all marketing from us and our affiliates.
To stop all marketing offers, contact us [include all that apply]:
-- By telephone: 1-877--
-- On the Web: http://www._.com_
By mail: check the box and complete the form below, and send the
form to:
[Company name]
[Company address]
---- Do not market to me.
The Federal Trade Commission.
Dated: October 22, 2007.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. E7-21348 Filed 10-29-07: 8:45 am]
BILLING CODE 6750-01-S