Inside 1to1:Privacy

Model Privacy Notices: A New Era

May 1, 2007

By Larry Dobrow

When model privacy notices started appearing in consumers' mailboxes about eight years ago, consumers were unsure what to make of them. Mandated by the Gramm-Leach-Bliley Act, the annual notices were intended to inform consumers what financial institutions were doing with their financial and/or personal data and apprise them of their rights to limit any information-sharing. Thick with legalese and printed in two-point fonts, the notices were often swiftly deposited into the trash.

In the years that followed, model privacy notices became more prevalent, but in most cases no more clear. Realizing this, eight federal agencies took matters into their own hands. Starting in 2003, the agencies began to formulate an easier-to-parse model privacy notice, conducting extensive consumer research (including one-on-one interviews that lasted 90 minutes) about vocabulary, length and presentation, among other things.

"We started with a blank slate," recalls Loretta Garrison, Senior Attorney in the Federal Trade Commission's Division of Privacy and Identity Protection.

The process posed its share of surprises. Going in, most of the agency participants assumed that consumers wanted the shortest possible privacy notice, an assumption that proved false.

"They wanted something that's relatively brief, but they also wanted enough information to put things in context," says April Breslaw, the acting Associate Director of the Federal Deposit Insurance Corporation's Division of Supervision and Consumer Protection.

After Congress accelerated the timetable via the passage of the Financial Regulatory Relief Act of 2006 -- which required the agencies to propose a model form within six months -- the agencies delivered the prototype on March 21.

As the agencies wait for the end of the formal comment period on May 29, after which the form will undergo final revisions and further testing, financial institutions have started to wonder how much they'll be affected by the changes. The preliminary answer? Not much, for a single reason: Nobody will be required to use the new form, so long as their own form meets the existing requirements laid out under the law. Those companies that choose not to avail themselves of the model privacy notice, of course, forfeit the safe-harbor provisions that come with its use.

None of the changes appear to be particularly radical. In fact, comparing the proposed notice with the text-heavy privacy notices that consumers have come to expect is like comparing a garage band with a 300-piece orchestra. As opposed to older, longer, more complicated privacy notices, the proposed new one is three pages in length, with information presented in a table format. It places a premium on simplicity: the language is free of technicalities and convoluted syntax.

"That was hard to come by in the privacy notices you used to see. Companies' general counsels were concerned about potential liability, so the notices always had eight layers of protective language," notes Paula Bruening, Deputy Executive Director of law firm Hunton & Williams' Center For Information Policy Leadership.

Another potential benefit, especially for those companies hoping to use their information-sharing practices as a competitive differentiator, is the ease with which one organization's notice can be compared with another's.

"In consumers' minds, privacy notices were all the same," Garrison explains. "Now, if company A and company B use the same standardized form, consumers can see exactly what they're doing differently."

Adds a spokesperson for the Securities and Exchange Commission: "What you forget is that some companies want this information out there. The fact that they have limited sharing of information is something they believe consumers will respond to, and this [notice] helps them do that."

As for drawbacks, some businesses have quietly grumped about potential costs associated with the new notice. Adopting and customizing the new form, they claim, will force them to dig into their wallets.

"We hope that the costs would not be prohibitive, but they have to provide notices anyway. Either way, there's going to be some expense," Breslaw says.

Bruening, on the other hand, worries about this privacy-notice template eventually being adopted for environments where it might not be appropriate, or even by entities, such as online-only banks, that don't necessarily resemble the traditional conception of a financial institution.

"[The model notice] won't be easily portable," she says. "What about dynamic information-sharing and -collecting environments -- RFID and sensor-based technologies that can collect information? Everything we've learned through this process has been good, but I'm not certain how useful [the notice] will be going forward."