CFTC Proposes Rules on Affiliate Marketing, Data Disposal, and GLBA Privacy

On October 27, the Commodity Futures Trading Commission (CFTC) published two Notices of Proposed Rulemaking (NPRMs) proposing privacy rules under the Gramm-Leach-Bliley Act (GLBA) and affiliate marketing and data disposal rules under the Fair Credit Reporting Act (FCRA).

The rulemakings were prompted by the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act).

The CFTC, an independent federal agency, maintains oversight over the commodity and financial futures and options markets.  The Dodd-Frank Act creates two new categories of entities that are subject to CFTC jurisdiction:  “swap dealers” and “major swap participants.”  Thus, the CFTC has proposed that those two types of entities would explicitly be subject to the CFTC’s existing GLBA privacy rules, first issued in 2001. Those rules impose certain obligations regarding the treatment of consumers' nonpublic personal information - in particular, restricting the ability of a covered entity to disclose such information to a party not affiliated with that entity. 

The CFTC’s second NPRM proposes to implement sections of FCRA dealing with affiliate marketing and data disposal.  The CFTC's proposed affiliate marketing rule would closely resemble the affiliate marketing rules issued by the Federal Trade Commission and the federal banking agencies in late 2007. While the CFTC has joined those agencies in other rulemakings, it did not join that particular rulemaking.  However, the Dodd-Frank Act specifically authorizes the CFTC to issue rules implementing the affiliate marketing and data disposal provisions of FCRA.

As with the other agencies' affiliate marketing rules, under the proposed rule an entity generally could not use a consumer's "eligibility information" received from an affiliate to make marketing solicitations to that consumer unless the consumer had first been given notice that such marketing may occur and a reasonable opportunity to opt out of such use, and had not opted out.

The disposal rule would require entities subject to CFTC jurisdiction that possess or maintain consumer information to develop and implement written policies and procedures for the proper safeguarding and disposal of such information.  The policies and procedures would be required to address, among other things, administrative, technical, and physical safeguards for consumer information, including protections against unauthorized access to or use of such information in connection with its disposal.  Such requirements are similar to the disposal rules issued by the FTC and federal banking agencies in 2004.

The CFTC is proposing to make the rules effective on July 21, 2011, the planned "transfer date" on which certain authority over consumer protection matters is to be transferred from other federal agencies to the Consumer Financial Protection Bureau created by Dodd-Frank. 

Public comments are due on each proposal by December 27, 2010.

Federal Regulators Release Customizable Version of Model Privacy Notice

Thanks to Elizabeth Khalil in the Hogan & Hartson privacy group for providing this report:

April 15 marked the release of the long-awaited customizable version of the Model Privacy Notice, a form that provides a safe harbor for compliance with the notice requirements of the Gramm-Leach-Bliley Act (GLBA).

The GLBA statute and the privacy rules issued thereunder by the above agencies impose obligations on “financial institutions” with regard to “nonpublic personal information.” Institutions subject to GLBA are required to provide initial and annual notices regarding their privacy policies to customers, and must allow their customers to opt out of having their nonpublic personal information shared in certain ways. Financial institutions are also required to provide the notice and opt-out opportunity to “consumers” who are not their customers before sharing their nonpublic personal information.

The customizable form, called the Online Form Builder, was issued jointly by the Board of Governors of the Federal Reserve System (FRB), Commodity Futures Trading Commission (CFTC), Federal Deposit Insurance Corporation (FDIC), Federal Trade Commission (FTC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS), and Securities and Exchange Commission (SEC). The agencies had first issued the Model Privacy Notice regulation on November 17, 2009, culminating a rulemaking process initiated more than six years earlier. However, until April 15, no fillable PDF or other customizable version of the Model Privacy Notice was available. The Online Form Builder was developed by the FRB and is available on the FRB’s website.

The Online Form Builder allows a user to choose the version of the Model Privacy Notice that fits its particular information collection and sharing practices. To obtain the safe harbor, institutions must follow the instructions in the Model Privacy Notice regulation when using the Online Form Builder.