(a) A covered entity, including a group of covered
entities or financial institutions that use a common privacy notice,
may use the model form, at its option, to meet the content requirements
of the privacy notice and opt out notice set out in §22.10 and §22.11
of this title (relating to Information to be Included in Privacy Notices
and Form of Opt Out Notice to Consumers and Opt Out Methods).
(b) The model form is a standardized form, including
page layout, content, format, style, pagination, and shading. Covered
entities seeking to obtain legal safe harbor through use of the model
form may modify it only as described in these instructions.
(c) Disclosure of certain information, such as assets,
income, and information from a consumer reporting agency, may give
rise to obligations under the Fair Credit Reporting Act (15 U.S.C. §§1681
- 1681x) (FCRA), for example, a requirement to permit a consumer to
opt out of disclosures to affiliates or designation as a consumer
reporting agency if disclosures are made to nonaffiliated third parties.
(d) The word "customer" may be replaced by the word
"member" whenever it appears in the model form, as appropriate. A
covered entity may replace the term "customer" with another appropriate
term as provided under 28 TAC §22.4(c) - (e).
(e) The model form consists of two pages, which may
appear on both sides of a single sheet of paper, or may appear on
two separate pages. Where a covered entity provides a long list of
covered entities or financial institutions at the end of the model
form in accord with the instructions in subsection (g)(3)(A)(i) of
this section, or provides additional information in accord with the
instructions in subsection (g)(3)(C) of this section, and the list
or additional information exceeds the space available on page two
of the model form, the list or additional information may extend to
a third page.
(1) Page one contents. The first page consists of the
(A) date last revised in the upper right-hand corner;
(C) key frame (Why?, What?, How?);
(D) disclosure table (Reasons we can share your personal
(E) "To limit our sharing" box, as needed, for the
covered entity's opt out information;
(F) "Questions" box, for customer service contact information;
(G) mail-in opt out form, as needed.
(2) Page two contents. The second page consists of
the following components:
(A) heading (page 2);
(B) frequently asked questions ("Who we are" and "What
(C) definitions; and
(D) "Other important information" box, as needed.
(f) The format of the model privacy form may be modified
only as described in paragraphs (1) - (5) of this subsection.
(1) Easily readable type font. Covered entities that
use the model form must use an easily readable type font. While a
number of factors together produce easily readable type font, covered
entities must use a minimum of 10-point font, unless otherwise expressly
permitted in these instructions, and sufficient spacing between the
lines of type.
(2) Logo. A covered entity may include a corporate
logo on any page of the notice, so long as it does not interfere with
the readability of the model form or the space constraints of each
(3) Page size and orientation. Each page of the model
form must appear on paper in portrait orientation, the size of which
must meet the layout and minimum font size requirements.
(4) Color. The model form must appear on white or light
color paper, for example, cream, with black or other contrasting ink
color. Spot color may be used to achieve visual interest, so long
as the color contrast is distinctive and the color does not detract
from the readability of the model form. Logos may also appear in color.
(5) Languages. The model form may be translated into
languages other than English.
(g) The information required in the model form may
be modified only as described in this subsection.
(1) Name of the covered entity or group of affiliated
covered entities or institutions providing the notice. Insert the
name of the covered entity providing the notice or a common identity
of affiliated covered entities or institutions jointly providing the
notice on the form wherever name of covered entity appears.
(2) Page one instruction.
(A) Last revised date. The covered entity must insert
in the upper right-hand corner the date on which it last revised the
notice. The information must appear in minimum 8-point font as "rev.
(month/year)" using either the name or number of the month, for example
"rev. July 2009" or "rev. 7/09."
(B) General instructions for the "What?" box.
(i) The bulleted list identifies the types of personal
information the covered entity collects and shares. All covered entities
must use the term "Social Security number" in the first bullet.
(ii) Covered entities must use at least five of the
following terms to complete the bulleted list: income, account balances,
payment history, transaction history, transaction or loss history,
credit history, credit scores, assets, investment experience, credit-based
insurance scores, insurance claim history, medical information, overdraft
history, purchase history, account transactions, risk tolerance, medical-related
debts, credit card or other debt, mortgage rates and payments, retirement
assets, checking account information, employment information, and
wire transfer instructions.
(C) General instructions for the disclosure table.
The left column lists reasons for sharing or using personal information.
Each reason correlates to a specific legal provision described in
the instructions in subparagraph (D) of this paragraph. In the middle
column, each covered entity must provide a "Yes" or "No" response
that accurately reflects its information-sharing policies and practices
with respect to the reason listed on the left. In the right column,
each covered entity must provide in each box one of the following
three responses, as applicable, that reflects whether a consumer can
limit such sharing:
(i) "Yes" if it is required to or voluntarily provides
an opt out;
(ii) "No" if it does not provide an opt out; or
(iii) "We don't share" if it answers "No" in the middle
column. Only the sixth row, "For our affiliates to market to you,"
may be omitted at the option of the covered entity as described in
the instructions in subparagraph (D)(vi) of this paragraph.
(D) Specific disclosures and corresponding legal provisions.
(i) For our everyday business purposes. This reason
incorporates sharing information under §22.18 and §22.19
of this title (relating to Exceptions to Notice and Opt Out Requirements
for Disclosure of Nonpublic Personal Financial Information for Processing
and Servicing Transactions and Other Exceptions to Notice and Opt
Out Requirements for Disclosure of Nonpublic Personal Financial Information)
and with service providers under §22.17 of this title (relating
to Exception to Opt Out Requirements for Disclosure of Nonpublic Personal
Financial Information for Service Providers and Joint Marketing),
other than the purposes specified in the instructions in clause (ii)
or (iii) of this subparagraph.
(ii) For our marketing purposes. This reason incorporates
sharing information with service providers by a covered entity for
its own marketing under §22.17 of this title. A covered entity
that shares for this reason may choose to provide an opt out.
(iii) For joint marketing with other financial companies.
This reason incorporates sharing information under joint marketing
agreements between two or more covered entities or financial institutions
and with any service provider used in connection with such agreements
under §22.17 of this title. A covered entity that shares for
this reason may choose to provide an opt out.
(iv) For our affiliates' everyday business purposes
- information about transactions and experiences. This reason incorporates
sharing information specified in §603(d)(2)(A)(i) and §603(d)(2)(A)(ii)
of the FCRA. A covered entity that shares for this reason may choose
to provide an opt out.
(v) For our affiliates' everyday business purposes
- information about creditworthiness. This reason incorporates sharing
information under §603(d)(2)(A)(iii) of the FCRA. A covered entity
that shares for this reason must provide an opt out.
(vi) For our affiliates to market to you. This reason
incorporates sharing information specified in §624 of the FCRA.
This reason may be omitted from the disclosure table when the covered
entity does not have affiliates, or does not disclose personal information
to its affiliates; the covered entity's affiliates do not use personal
information in a manner that requires an opt out; or the covered entity
provides the affiliate marketing notice separately. Covered entities
that include this reason must provide an opt out of indefinite duration.
A covered entity that must provide an affiliate marketing opt out,
but does not include that opt out in the model form under this clause,
must comply with §624 of the FCRA and Insurance Code Chapter
601 and 28 TAC Subchapter A, including §§22.8 - 22.12 of
this title (relating to Initial Privacy Notice, Annual Privacy Notice,
Information to be Included in Privacy Notices, Form of Opt Out Notice
to Consumers and Opt Out Methods, and Revised Privacy Notices, respectively),
with respect to the initial notice and opt out and any subsequent
renewal notice and opt out. A covered entity not required to provide
an opt out under this subparagraph may elect to include this reason
in the model form.
(vii) For nonaffiliates to market to you. This reason
incorporates sharing described in §22.11 and §22.12(a)(1)
- (4) of this title. A covered entity that shares personal information
for this reason must provide an opt out.
(E) To limit our sharing. A covered entity must include
this section of the model form only if it provides an opt out. The
word "choice" may be written in either the singular or plural, as
appropriate. Covered entities must select one or more of the applicable
opt out methods described: telephone, for example, by a toll-free
number; a website; or use of a mail-in opt out form. Covered entities
may include the words "toll-free" before telephone, as appropriate.
A covered entity that allows consumers to opt out online must provide
either a specific web address that takes consumers directly to the
opt out page or a general web address that provides a clear and conspicuous
direct link to the opt out page. The opt out choices made available
to the consumer who contacts the covered entity through these methods
must correspond accurately to the "Yes" responses in the third column
of the disclosure table. In the part titled "Please note," covered
entities may insert a number that is 30 or greater in the space marked
"(30)." Instructions on voluntary or state privacy law opt out information
are in the instructions in subparagraph (G)(v) of this paragraph.
(F) Questions box. Customer service contact information
must appear, as appropriate, where "phone number" or "website" appears.
Covered entities may elect to provide either a phone number, such
as a toll-free number, or a web address, or both. Covered entities
may include the words "toll-free" before the telephone number, as
(G) Mail-in opt out form. Covered entities must include
this mail-in form only if they state in the "To limit our sharing"
box that consumers can opt out by mail. The mail-in form must provide
opt out options that correspond accurately to the "Yes" responses
in the third column in the disclosure table. Covered entities that
require customers to provide only name and address may omit the section
identified as "account #." Covered entities that require additional
or different information, for example, a random opt out number or
a truncated account number, to implement an opt out election should
modify the "account #" reference accordingly. This includes covered
entities that require customers with multiple accounts to identify
each account to which the opt out should apply. A covered entity must
enter its opt out mailing address in the far right of the Version
3: Model Form with Mail-In Opt Out Form. A covered entity must enter
its opt out mailing address below the Version 4: Optional Mail-In
Form. The reverse side of the mail-in opt out form must not include
any content of the model form.
(i) Joint accountholder. Only covered entities that
provide their joint accountholders the choice to opt out for only
one accountholder, in accord with the instructions in paragraph (3)(A)(v)
of this subsection, must include in the far left column of the mail-in
form the following statement: "If you have a joint account, your choice(s)
will apply to everyone on your account unless you mark below. Apply
my choice(s) only to me." The word "choice" may appear in either the
singular or plural, as appropriate. Covered entities that provide
insurance products or services, provide this option, and elect to
use the model form may substitute the word "policy" for "account"
in this statement. Covered entities that do not provide this option
may eliminate this left column from the mail-in form.