
Annual Privacy Notices

by Mary Beth Guard, BOL Guru

Once every twelve months, until Congress changes its mind, you'll be confronted with the task of sending an annual privacy notice to individuals who meet the definition of "customer" under the Gramm-Leach-Bliley privacy provisions. In 2001, financial institutions were scrambling merely to get something compliant out by the deadline. Now it is time to focus on refining the notices and taking them to the next level.

Get It Right
Your first mission is to ensure your notices are in compliance.

Go beyond the sample clauses. If you used language found in the sample clauses, does your notice adequately define or explain the special terms used in those clauses, such as "nonpublic personal information"? If not, you need to add clear definitions in order for your notice to pass muster. Section 216.6(f) says "Sample clauses illustrating some of the notice content required by this section are included in Appendix A of this part." The regulators intended for the sample clauses to demonstrate the level of detail expected in the privacy notices. They never intended the sample clauses to be used by themselves to constitute an entire privacy notice. By themselves, they are simply not sufficient to communicate everything you are required to communicate.

Address former customers. Does your privacy notice state how your privacy policy applies to former customers? It needs to, and from what we're hearing, this is the most common violation examiners are finding with the first-round notices. The regulation requires your notice to include the categories of nonpublic personal information about your former customers that you disclose and the categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information about your former customers, other than those parties to whom you disclose information under §§ 216.14 and 216.15. If you do not share any information about former customers except within the exceptions, your notice needs to reflect that. You can address this requirement in several different ways:

  1. If you don't share information about former customers, you could include a sentence that states that you do not share information about former customers with nonaffiliated third parties except as permitted by law; or

  2. You could include a sentence in your privacy policy that says the privacy policy applies to consumers who are current or former customers of your institution; or

  3. You could include a sentence that says the same privacy policy and practices will continue to apply to the customer's information even after the customer relationship has been terminated.

Make it clear and conspicuous. Perhaps the most frequent complaint about the first set of privacy notices was that they were confusing. Consumer advocates have claimed that institutions deliberately wrote them that way in order to obfuscate the facts. My view is that most financial institutions were so concerned about meeting the legal requirements and including everything that needed to be included that they gave short shrift to assessing readability.

The regulation requires privacy notices to be "clear and conspicuous", and it defines that term to mean the notice is "reasonably understandable and designed to call attention to the nature and significance of the information in the notice." Materials from the financial privacy workshop sponsored by the Federal Trade Commission and other financial institution regulatory agencies provide practical tips you can employ to make your notices more user-friendly.

Dr. Deborah S. Bosley, Director of University Writing with UNC Charlotte, detailed a five-step strategy for designing more readable privacy notices.

Step 1. Plan, test, revise
Step 2. Consider consumers' needs/ questions
Step 3. Establish "big picture"
Step 4. Focus on visual appeal
Step 5. Use plain language

To increase readability, use:

  • white space
  • readable typefaces
  • informative headings
  • bulleted or numbered lists
  • short sentences, paragraphs

Dr. Bosley says the primary principle to keep in mind is:
"Less (text) is More (readable)"

Or, as another presenter at the workshop (readability consultant Mark Hochhauser), put it, "Sometimes Less Information = More Understanding."

Typeface choices count. Bosley recommends using a minimum of 10-point type, using serif fonts (such as Times) for text, and sans serif fonts (such as Helvetica) for headings. Keep in mind that USING ALL CAPITAL LETTERS DECREASES READABILITY. Color can be employed effectively to make certain text stand out. If there are particular points you want to call the reader's attention to, consider the use of color. One notice I received had seven main points, with bulleted items under several individual points. Four sentences used blue text. Those sentences immediately caught my eye. Which ones were they? The ones that reassured customers that the entity would not sell personal information, that it protected the confidentiality and security of personal information, and that information collected is used to serve customers better. Smart.

When assessing what changes, if any, should be made to your privacy notices:

  • Look at the feedback you received on your prior notices. Were there particular questions that were raised?
  • What are the main points you wish to communicate to your customers?
  • Did you have customers who misunderstood when an opt-out right must be given?

Using these questions as a guide, determine how you can provide answers to those customer inquiries, stress your most important points, and straighten out misconceptions about opt-out rights.

One way to handle the opt-out misconceptions is to address them directly. Rather than leaving the customer to wonder why your privacy notice doesn't mention an opt-out right, consider including language similar to the following:

"If a financial institution shares certain types of information with third parties, it must provide an opt out right. We have decided not to share your information in those ways. This means we have OPTED OUT ON YOUR BEHALF and you don't need to take further action. We only share information . . ." [You would then detail the ways you do share, such as "as permitted by law", or "under a joint marketing agreement with another financial institution".]

Do you have to write a new notice? It depends upon what your goals are. If you're simply interested in complying with the regulatory requirement to send out the annual notice, the answer is "no". If your privacy practices have not changed, and your original notice met the requirements, you can simply send out the same notice you sent originally. If your goal is to truly inform customers, you may find your document could use a little tweaking.

The original version appeared in the April 2002 edition of the Oklahoma Bankers Association Compliance Informer.

First published on BankersOnline.com 8/19/02
