Skip to Content

Proposed Rule

Fair Credit Reporting Act Interpretations

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble

AGENCY:

Federal Trade Commission.

ACTION:

Proposed interpretations of the Fair Credit Reporting Act.

SUMMARY:

The Federal Trade Commission (Commission) is publishing for comment proposed interpretations of the provisions of the Fair Credit Reporting Act (FCRA) that permit companies to communicate consumer information to their affiliates (affiliate information sharing) without incurring the obligations of consumer reporting agencies. These interpretations clarify that institutions may communicate among their affiliates: Information as to transactions or experiences between the consumer and the person making the communication (transaction or experience information); and “other” information (that is, information covered by the FCRA but not transaction or experience information), provided that the institution has given notice to the consumer that the other information may be communicated, the institution has provided the consumer an opportunity to “opt out” (i.e., to direct Start Printed Page 80803that the information not be communicated), and the consumer has not opted out. The proposed interpretations provide guidance on compliance with the affiliate information sharing provisions, addressing such matters as the content and delivery of the notice to consumers that “other” information may be communicated (opt out notice). The proposed interpretations are substantively parallel to the proposed regulations issued by the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, and Office of Thrift Supervision (collectively the “Federal banking agencies”), in a Notice of Proposed Rulemaking published in the Federal Register on October 20, 2000 (65 FR 63120). For the most part, these proposed interpretations allow companies to provide notices and process opt-out elections in a manner similar to the final regulations implementing the privacy provisions of the Gramm-Leach-Bliley Act.

DATES:

Comments must be received on or before January 31, 2001.

ADDRESSES:

Comments should be addressed to: Secretary, Federal Trade Commission, Room H-159, 600 Pennsylvania Avenue, NW., Washington, DC 20580.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

Clarke Brinckerhoff or Christopher Keller, Attorneys, Division of Financial Practices, Federal Trade Commission, Washington, DC 20580, 202-326-3224.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

I. Background

A. The Fair Credit Reporting Act

The Fair Credit Reporting Act (“FCRA”) (15 U.S.C. 1681-1681u) sets forth legal standards governing the collection, use, and communication of credit and other information about consumers. The Consumer Credit Reporting Reform Act of 1996 (Pub. L. 104-208) amended the FCRA extensively (“1996 Amendments”). The 1996 Amendments gave consumers many new protections, such as a requirement that consumer reporting agencies (“CRAs”) such as credit bureaus complete reinvestigations of disputed file data within a thirty-day period, while also providing some greater flexibility to business in some areas.

The subject of these interpretation is one of the 1996 Amendments that allowed businesses to share information with affiliated companies without becoming CRAs, as long as they followed prescribed procedures to allow consumers to “opt out” of such information sharing. Specifically, it excluded specified types of information sharing with affiliates from the definition of “consumer report,” relieving companies making these communications (under certain circumstances) from the obligations of CRAs imposed by the FCRA.[1] It excluded from the definition of “consumer report” the sharing of “other information” among affiliates, so long as the consumer, having been given notice and an opportunity to opt out, did not opt out. “Other information” refers to information that is covered by the FCRA and that is not a report containing information solely as to transactions or experiences between the consumer and the person making the report.

From its original enactment in 1970 to the present, the FCRA has assigned enforcement authority to the Commission.[2] The only significant exception is for banks and similar financial institutions regulated by federal agencies.[3] The 1996 Amendments specifically prohibited all agencies, including the Commission, from issuing regulations implementing the FCRA.[4] The Gramm-Leach-Bliley Act (“GLBA”) repealed this prohibition in November 1999 and added a new section authorizing the Federal banking agencies to jointly prescribe such regulations as necessary to carry out the purposes of the FCRA as to the financial institutions under their jurisdiction.[5] However, the GLBA did not grant such regulatory authority to the Commission. Pursuant to their authority, the Federal banking agencies issued proposed FCRA regulations in a Notice of Proposed Rulemaking published in the Federal Register on October 20, 2000 (65 FR 63120).

B. The Gramm-Leach-Bliley Act, its privacy regulations, and financial institutions

The GLBA sets standards for financial institutions' disclosure of nonpublic personal information to nonaffiliated third parties (“privacy provisions”). Pub. L. 106-102, 15 U.S.C. 6802; see also 12 U.S.C. 6803. The Commission published timely final regulations implementing these privacy provisions (“privacy regulations”), 65 FR 33646, May 24, 2000, as did the Federal banking agencies. 65 FR 35162 June 1, 2000.

The GLBA privacy regulations do not “modify, limit, or supersede the operation of the Fair Credit Reporting Act.” 15 U.S.C. 6806. Thus, both the privacy regulations and the FCRA may apply to a financial institution's disclosure of certain consumer information. Moreover, if a financial institution provides an opt out notice under the FCRA, that notice must be included in certain notices mandated by the privacy regulations, including annual notices to customers. 15 U.S.C. 6803. Therefore, the Commission anticipates that financial institutions will design their information-sharing policies and practices taking into account both the GLBA (and its privacy regulations) and the FCRA. The Federal banking agencies have stated their intent to conform their privacy regulations and FCRA regulations where appropriate (65 FR 63120, 63121).

C. This proposal, and prior Commission interpretations of the FCRA

Some entities subject to the enforcement authority of the Commission, rather than the Federal banking agencies, also share information with their affiliates. The Commission believes it is important for such entities to be aware of the Commission's interpretations of the FCRA as to issues on which the Federal banking agencies propose to issue regulations, and to be afforded an opportunity to comment on them. The Commission encourages all such entities to submit comments to the Commission in response to this notice. Although Section 603(d)(2)(A)(iii) of the FCRA has been effective since September 30, 1997, the Commission plans to enforce that provision in accord with any interpretations it may issue in this proceeding only after any similar final regulations issued by the Federal banking agencies have become effective.

In 1990, the Commission issued a comprehensive Commentary on the FCRA. The Commentary does not address the extensive changes and additions made in the 1996 Start Printed Page 80804Amendments. However, the Commission believes the Commentary will continue to be of use to the public because of its guidance in areas not affected by the 1996 Amendments or not included in the proposed new interpretations. Therefore, the Commission does not plan to withdraw the Commentary at this time. The proposed interpretations would be added as Appendix B to 16 CFR part 600 following the Commentary, which would be re-designated as Appendix A. The Commission staff will continue to respond to requests for informal opinion letters interpreting FCRA provisions and make them available to the public on its web site (www.ftc.gov).

II. Questions for comment

The Commission solicits comment on all aspects of the proposed interpretations (16 CFR Part 600, Appendix B), including but not limited to those highlighted below.

A. Examples.

Should the interpretations include additional or different examples? More fundamentally, are examples appropriate and useful?

B. Defined terms

1. Affiliate. Several FCRA provisions apply to information sharing with persons “related by common ownership or affiliated by corporate control,” “related by common ownership or affiliated by common corporate control,” or “affiliated by common ownership or common corporate control.” E.g., FCRA, sections 603(d)(2), 615(b)(2), and 624(b)(2). Section 3(b) of the proposed interpretations uses the term “affiliate” to refer to all of these relationships between and among companies. It uses the phrase “related or affiliated by common ownership or affiliated by corporate control or common corporate control” to mean controlling, controlled by, or under common control with another company. As used in the proposed interpretations, is the term “affiliate” appropriate in scope?

Consistent with definitions in the privacy regulations, the proposed interpretation uses the term “control” to apply exclusively to the control of a “company.” Is the term “control” in proposed Section 3(i), including the proposed 25 percent ownership benchmark, useful or appropriate? Is the term “company” in proposed Section 3(e), which includes any corporation, limited liability company, business trust, general or limited partnership, association, or similar organization (but omits other entities such as individuals, estates, cooperatives, governments, and governmental subdivisions or agencies) useful or appropriate, in the context of these interpretations concerning sharing of consumer information by affiliates?

2. Clear and conspicuous. Section 3(c) states that “clear and conspicuous” refers to a notice that is reasonably understandable and designed to call attention to the nature and significance of the information it contains. Companies have flexibility in determining how to make their notices clear and conspicuous, consistent with the approach in the privacy regulations. Is this an appropriate interpretation of the term for FCRA compliance? How should the term be interpreted to ensure “clear and conspicuous” disclosures under both the GLBA and the FCRA for those entities sharing protected information with affiliates and third parties?

3. Opt out information. As described above, the 1996 Amendments to the FCRA excluded from the definition of “consumer report” the sharing of “other information” among affiliates, so long as the consumer, having been given notice and an opportunity to opt out, did not opt out. “Other information” refers to information that is covered by the FCRA, and that is not a report containing information solely as to transactions or experiences between the consumer and the person making the report. (The FCRA's definition of “consumer report,” reflected in proposed Section 3(g)(2)(i), has always excluded communication of information solely as to transactions or experiences between the consumer and the person making the report, regardless of whether the parties are affiliated.[6] )

Proposed Section 3(k) uses the term “opt out information” to describe this category of information. It describes it as information that (i) bears on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living, (ii) is used or expected to be used or collected for one of the permissible purposes listed in the FCRA (e.g., credit transaction, insurance underwriting, employment purposes), and (iii) is not solely transaction or experience information. Is “opt out information” a useful term in the proposed interpretations? Is the definition accurate in this context? In the event that consumer information is shared with both affiliates and third parties, subject to both GLBA and FCRA provisions, is the use of this term likely to result in confusion? If so, how might any such confusion be avoided? Would the term “FCRA opt-out information” be a better term for these interpretations? Is proposed Section 3(k)(2) that refers to the permissible purposes for which the information is used or expected to be used, which is part of the statutory definition of “consumer report” in Section 603(d) of the FCRA, useful in analyzing the affiliate information sharing exception?

C. Application of the exclusion—general

Section 603(d)(2)(A)(iii) of the FCRA excludes from the definition of “consumer report” the sharing of opt out information among affiliates if:

it is clearly and conspicuously disclosed to the consumer that the information may be communicated among such persons and the consumer is given the opportunity, before the time that the information is initially communicated, to direct that such information not be communicated among such persons. * * *

Proposed Section 4 states that opt out information may be communicated among affiliates without the communication being a consumer report if: (i) the company has provided an opt out notice; (ii) the company has given the consumer a reasonable opportunity and means, before the time that it communicates the information, to opt out; and (iii) the consumer has not opted out. Is this interpretation, when combined with others proposed in this publication, sufficient to encompass the opt out notice and procedure provided in Section 603(d)(2)(A)(iii)?

D. Application of the exclusion—mergers and acquisitions

Under proposed Section 4, in a merger or acquisition situation, the exclusion applies and the surviving company need not provide new notices, if the notices previously given to those customers accurately reflect the policies and practices of the surviving entity. Does that interpretation properly reflect Section 603(d)(2)(A)(iii) of the FCRA in these situations? Should this point be specifically included in the text of Section 4?

E. Contents of opt out notice

Proposed Section 5(a) states that an opt out notice must accurately explain (i) the categories of opt out information about the consumer that the company communicates, (ii) the categories of Start Printed Page 80805affiliates to which the company communicates the information, (iii) the consumer's ability to opt out, and (iv) a reasonable means to opt out. Section 5(d) sets forth four categories of information sources and six examples of types of information that a company may use to describe the information it may share with affiliates. Section 5(e) provides three categories of affiliates (financial service providers, non-financial companies, and others), with illustrative examples for each, that a company may use to describe the parties with which the company may share the information. Are these categories and examples appropriate and sufficient to guide compliance with the portion of section 603(d)(2)(A)(iii) that calls for a disclosure that “clearly” informs consumers of their “opportunity” to “direct that such information not be communicated among such persons” (emphasis added)? Is it clear from these interpretations that the Commission views as insufficient a very general notice that states that the company may share any information it obtains on the consumer with any of its affiliates?

The descriptions of the categories of information set out in proposed Section 5(d)(2) differ somewhat from those in the privacy regulations that appear at 16 CFR 313.6(c)(2). To what extent should the categories in (d)(2) be considered consistent with similar categories in the privacy regulations (such as disclosures of information from consumer reporting agencies) in order to reduce compliance burden and consumer confusion?

Should the interpretations also state that companies must also state in their FCRA notices how long a consumer has to respond to the opt out notice before the company may begin disclosing information about that consumer to its affiliates, as well as the fact that a consumer can opt out at any time? (These disclosures are not required in the privacy regulations.) Should the interpretations state that companies must disclose that they will wait a specified time (such as 30 days) in every instance before sharing consumer information with affiliates? (See proposed Section 6, below, for additional discussion on reasonable opportunity to opt out.) Is either or both of those disclosures, in an opt out notice, necessary for a company to have “clearly * * * disclosed” the consumer's “opportunity” to opt out Section 603(d)(2)(A)(iii) of the FCRA?

F. Reasonable opportunity to opt out

Proposed Section 6(a) states that companies must provide a reasonable period of time for the consumer to opt out from the time that the notice is delivered. Proposed Section 6(b) sets out examples of what is a reasonable period of time when notices are provided in person, by mail, or by electronic means. Are there other situations that would suggest a different reasonable period that the Commission should note by example? Is it clear, from Section 6(b) and other authorities, that a consumer must agree to receive notices electronically before a company can provide notices in that manner? Proposed Section 6(c) explains that a consumer may opt out at any time. Are the interpretations in proposed Section 6 appropriate descriptions of the opt out “opportunity” afforded by Section 603(d)(2)(A)(iii) to consumers?

Is the 30-day period cited in the examples in Section 6(b) appropriate? Should the period vary depending on the means of delivery or other factors? If so, what factors merit a different minimum “opportunity” for the consumer to opt out, and how long should it be in each case? Should Section 6(b) include an “isolated transaction” example similar to that set forth at 16 CFR 313.10(a)(3)(iii), the Commission rule implementing the GLBA, which states that it is reasonable for a company to provide an opt-out notice and request the consumer to decide, as a necessary part of the transaction, whether to opt out before completion of the transaction?

G. Reasonable methods of exercising opt out opportunity

Proposed Section 7 states that a company must provide a reasonably convenient method to the consumer to opt out, and sets forth examples of reasonable and unreasonable methods of opting out when notices are provided in person, by mail, or by electronic means. It states that a company may require each consumer to opt out through a specific means as long as that means is reasonable to the consumer. Are the situations and examples appropriate and sufficient for guidance as to opt out methods that the Commission views as providing or not providing the opt out “opportunity” afforded by Section 603(d)(2)(A)(iii) to consumers?

H. Delivery of opt out notices

Proposed Section 8(a) states that opt out notices must be delivered in a manner such that each consumer can reasonably be expected to receive actual notice. The company may give notice in writing or, if the consumer agrees, electronically. Proposed Section 8(b) sets forth examples of the types of notice that the Commission believes would meet the “reasonably be expected” standard. Are the examples appropriate and sufficient for this purpose? Is the proposed delivery standard, which does not require actual notice, faithful to the statutory exclusion that applies only if the opt out right is “disclosed to the consumer?” The Commission invites comment on how Section 603(d)(2)(A)(iii) of the FCRA, relating to the delivery of opt out notices by companies to consumers, should be applied to electronic communications in light of the Electronic Signatures in Global and National Commerce Act (the E-SIGN Act).[7]

Proposed Section 8(d) explains that a company must provide the notice so that the consumer can retain it or obtain it at a later time, and gives examples that would meet this standard. Is this a proper interpretation of the statutory requirement that the right to opt out right, which the Commission interprets as an ongoing right, must be “clearly * * * disclosed to the consumer?” Are the examples appropriate and sufficient for guidance as to what companies must do to ensure that the consumer can retain the notice, or obtain it at a later time? Is this interpretation inconsistent with or more burdensome than the GLBA, which requires financial institutions to provide notices in form that can be retained (or later accessed) only to those consumers with whom they have a customer relationship?

Proposed Section 8(f) sets out a range of appropriate methods for delivery of opt out notices and processing of opt out elections, in those situations where two or more consumers jointly obtain a product or service from a company. Does this section fairly apply Section 603(d)(2)(A)(iii) to those circumstances?

I. Time by which opt out must be honored

Proposed Section 10 explains that if a company provides a consumer with an opt out notice, and the consumer opts out, the company must comply as soon as reasonably practicable after receiving the consumer's direction. Is this general standard for compliance appropriate and sufficient, or should Section 603(d)(2)(A)(iii) of the FCRA be interpreted to require a fixed number of days to comply with a consumer's opt Start Printed Page 80806out direction? Is it clear that a company cannot share any opt out information with affiliates without first providing consumers with a reasonable period of time to opt out as described in Section 6 above, but that the standard described in Section 10 applies when a consumer elects to opt out after that time has expired?

J. Duration of opt out

Proposed Section 11 provides that an opt out continues to apply to the information and affiliates described in the applicable opt out notice until revoked by the consumer in writing, or if the consumer agrees, electronically, as long as the consumer continues to have a relationship with the institution. It states that if the consumer's relationship with the institution terminates, the opt out will continue to apply to this information. If that consumer subsequently establishes a new relationship with the company, a company may either treat the previous opt out as continuing in effect, or provide the consumer with a new notice and opportunity to opt out. Are these interpretations an accurate reflection of the duration of opt out elections (where consumers “direct that such information not be communicated”) provided in Section 603(d)(2)(A)(iii)? Should the Commission provide guidance as to what constitutes a “relationship” in the context of Section 11? If so, to what extent should that term parallel the definition of a “customer relationship” under the GLBA?

K. Sample form

Proposed Section 12 sets forth a sample notice, part or all of which may be used to facilitate the portion of Section 603(d)(2)(A)(iii) concerning clear and conspicuous disclosure to consumers that information may be shared among affiliates unless they “opt out” of such communications. Is the term “corporate family” or some other alternative more communicative to consumers than the term “affiliates” used in the statute and the sample notice?

Does this sample adequately convey to consumers that the company may continue to share certain information with its affiliates, even if a consumer exercises his or her opt out option? Specifically, should it specify that the company may continue to share information about its own transactions and experiences with the consumer, or any other type of information not subject to the definition of “consumer report” in Section 603(d) of the FCRA. Is it helpful as a guide to describing the information that may be shared among affiliates? Is it helpful as a guide to describing the affiliated companies with which the information may be shared? Is it helpful as a guide to describing to the consumer how to exercise the opt out right?

L. Costs and Benefits of the Proposal

What benefits and costs to consumers and businesses would result from the proposed interpretations? What compliance burdens are anticipated in providing the FCRA opt-out notice in the context of the GLBA notice and opt-out requirements? Would the proposal have a significant economic impact on a substantial number of small businesses? Can that impact be quantified? Would compliance with the proposal impose costs on any entities that are not financial institutions subject to the GLBA, but wish to share consumer information with affiliates without becoming consumer reporting agencies under the FCRA? If so, describe any likely costs and the entities on which they would be imposed. Would the proposal reduce the compliance costs of financial institutions that must comply with both the GLBA's financial privacy provisions and the FCRA's affiliate information sharing provisions in order to share consumer information with affiliates without becoming consumer reporting agencies? Would the proposal benefit consumers by using similar standards for opting out of information sharing among affiliates under the FCRA and opting out of disclosures of nonpublic personal information to unaffiliated third parties under the GLBA? Do these benefits and savings outweigh the costs that might be imposed on entities that are not financial institutions under the FCRA?

Start List of Subjects

List of Subjects in 16 CFR Part 600

End List of Subjects

Pursuant to 15 U.S.C. 1681s and 16 CFR 1.73, the Commission proposes to amend 16 CFR Part 600 as follows:

Start Part

PART 600—STATEMENTS OF GENERAL POLICY OR INTERPRETATIONS

1. The title of the existing Appendix is revised to read as follows:

Appendix A to Part 600—Commentary on the Fair Credit Reporting Act

2. A new Appendix B is added to read as follows:

Appendix B to Part 600—Commentary on the Amended Fair Credit Reporting Act (Affiliate Information Sharing)

Table of Contents Introduction

1. Purpose and scope

2. Examples

3. Definitions

4. Communication of opt out information to affiliates

5. Contents of opt out notice

6. Reasonable opportunity to opt out

7. Reasonable means of opting out

8. Delivery of opt out notices

9. Revised opt out notice

10. Time by which opt out must be honored

11. Duration of opt out

12. Sample notice

Introduction

Official status. This Appendix B has the same status as Appendix A. Comments issued in Appendix A continue to reflect the Commission's interpretations of the Fair Credit Reporting Act (FCRA) as it existed in 1990, whereas comments issued in Appendix B are the Commission's interpretations of affiliate information sharing resulting from the removal of such information from the definition of “consumer report” in Section 603(d)(2)(A) when the FCRA was amended by the Consumer Credit Reporting Reform Act of 1996.

Issuance of staff interpretations. The Commission staff's policy remains unchanged from that described in the preamble to Appendix A. Because of the 1996 amendments to the FCRA, the staff received a substantially increased volume of requests for informal staff opinions. Recent informal FCRA staff opinion letters have been placed on the Commission Web site at www.ftc.gov.

1. Purpose and scope

(a) Purpose. This Appendix applies to the collection, communication, and use of certain information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.

(b) Scope. This Appendix applies to information that is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing a consumer's eligibility for credit, insurance, employment, or any other purpose authorized under Section 604 of the FCRA (15 U.S.C. 1681b).

2. Examples

The examples used in these interpretations, and the sample notice in Section 12, are not exclusive. Conformity with an example or use of Start Printed Page 80807the sample notice, to the extent applicable, constitutes conformity with the Commission view expressed in an interpretation.

3. Definitions

As used in this Appendix, unless the context requires otherwise:

(a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).

(b) Affiliate. (1) In general. The term means any company that is related or affiliated by common ownership, or affiliated by corporate control or common corporate control, with another company.

(2) Related or affiliated by common ownership or affiliated by corporate control or common corporate control. The term means controlling, controlled by, or under common control with, another company.

(c) Clear and conspicuous. (1) In general. The term means that a notice is reasonably understandable and is designed to call attention to the nature and significance of the information it contains.

(2) Examples. (i) Reasonably understandable. A company makes its notice reasonably understandable if it:

(A) Presents the information in the notice in clear and concise sentences, paragraphs, and sections;

(B) Uses short explanatory sentences or bullet lists whenever possible;

(C) Uses definite, concrete, everyday words and active voice whenever possible;

(D) Avoids multiple negatives;

(E) Avoids legal and highly technical business terminology whenever possible; and (F) Avoids explanations that are imprecise and are readily subject to different interpretations.

(ii) Designed to call attention. A company designs its notice to call attention to the nature and significance of the information it contains if it:

(A) Uses a plain-language heading to call attention to the notice;

(B) Uses a typeface and type size that are easy to read;

(C) Provides wide margins and ample line spacing;

(D) Uses boldface or italics for key words; and

(E) In a form that combines the company's notice with other information, uses distinctive type sizes, styles, and graphic devices, such as shading or sidebars.

(iii) Notice on a web page. If a company provides a notice on a web page, the company designs its notice to call attention to the nature and significance of the information it contains if the company:

(A) Places either the notice, or a link that connects directly to the notice and that is labeled appropriately to convey the importance, nature, and relevance of the notice, on a page that consumers access often, such as a page on which transactions are conducted;

(B) Uses text or visual cues to encourage scrolling down the page if necessary to view the entire notice; and

(C) Ensures that other elements on the web page (such as text, graphics, links, or sound) do not detract attention from the notice.

(d) Communication includes any written and oral communication. It also includes an electronic communication to a consumer, if the consumer agrees to receive the communication electronically.

(e) Company means any corporation, limited liability company, business trust, general or limited partnership, association, or similar organization.

(f) Consumer means an individual.

(g) Consumer report. (1) In general. The term means any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for:

(i) Credit or insurance to be used primarily for personal, family, or household purposes;

(ii) Employment purposes; or

(iii) Any other purpose authorized under section 604 of the Act (15 U.S.C. 1681b).

(2) Exclusions. The term does not include:

(i) Any report containing information solely as to transactions or experiences between the consumer and the person making the report;

(ii) Any communication of transaction or experience information among affiliates;

(iii) Any communication among affiliates of opt out information if the conditions in sections 4 through 9 are satisfied;

(iv) Any authorization or approval of a specific extension of credit directly or indirectly by the issuer of a credit card or similar device;

(v) Any report in which a person who has been requested by a third party to make a specific extension of credit directly or indirectly to a consumer conveys his or her decision with respect to such request, if the third party advises the consumer of the name and address of the person to whom the request was made, and the person makes the disclosures to the consumer required under section 615 of the Act (15 U.S.C. 1681m); or

(vi) A communication described in section 603(o) of the Act (15 U.S.C. 1681a(o)).

(h) Consumer reporting agency means any person which, for monetary fees, dues or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.

(i) Control of a company means:

(1) Ownership, control, or power to vote 25 percent or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons;

(2) Control in any manner over the election of a majority of the directors, trustees, or general partners (or individuals exercising similar functions) of the company; or

(3) The power to exercise, directly or indirectly, a controlling influence over the management or policies of the company.

(j) Opt out means a direction by a consumer that a company not communicate opt out information about the consumer to one or more of its affiliates.

(k) Opt out information means information that:

(1) Bears on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living;

(2) Is used or expected to be used or collected in whole or in part to serve as a factor in establishing the consumer's eligibility for credit or another purpose listed in section 604 of the Act (15 U.S.C. 1681b); and

(3) Is not a report containing information solely as to transactions or experiences between the consumer and the person reporting or communicating the information.

(l) Person means any individual, partnership, corporation, trust, estate, cooperative, association, government or governmental subdivision or agency, or other entity.

4. Communication of opt out information to affiliates

A company's communication to its affiliates of opt out information about a consumer is not a consumer report if: Start Printed Page 80808

(a) The company has provided the consumer with an opt out notice;

(b) The company has given the consumer a reasonable opportunity and means, before the company communicates the information to its affiliates, to opt out; and

(c) The consumer has not opted out.

5. Contents of opt out notice

(a) In general. An opt out notice must be clear and conspicuous, and must accurately explain:

(1) The categories of opt out information about the consumer that a company communicates to its affiliates;

(2) The categories of affiliates to which the company communicates the information;

(3) The consumer's ability to opt out; and

(4) A reasonable means for the consumer to opt out.

(b) Future communications. A company's notice may describe:

(1) Categories of opt out information about the consumer that the company reserves the right to communicate to its affiliates in the future but does not currently communicate; and

(2) Categories of affiliates to which the company reserves the right in the future to communicate, but to which the company does not currently communicate, opt out information about the consumer.

(c) Partial opt out. A company may allow a consumer to select certain opt out information or certain affiliates, with respect to which the consumer wishes to opt out.

(d) Examples of categories of information that a company communicates. (1) A company satisfactorily explains the categories of opt out information that it communicates to affiliates if the company lists the categories in paragraph (d)(2) of this section, as applicable, and examples to illustrate the types of information in each category. These examples may include those in paragraph (d)(3) of this section, if applicable.

(2) Categories of opt out information may include information:

(i) From a consumer's application;

(ii) From a consumer credit report;

(iii) Obtained by verifying representations made by a consumer; or

(iv) Provided by another person regarding its employment, credit, or other relationship with a consumer.

(3) Examples of information within a category listed in paragraph (d)(2) include a consumer's:

(i) Income;

(ii) Credit score or credit history with others;

(iii) Open lines of credit with others;

(iv) Employment history with others;

(v) Marital status; and

(vi) Medical history.

(4) A company that communicates or reserves the right to communicate individually identifiable health information (as described in section 1171(6)(B) of the Social Security Act (42 U.S.C. 1320d(6)(B)) satisfactorily describes this type of information, if it provides illustrative examples of the health information it communicates or reserves the right to communicate.

(e) Examples of categories of affiliates. (1) A company satisfactorily categorizes the affiliates to which it communicates opt out information if it lists the categories in paragraph (e)(2) of this section, as applicable, and examples to illustrate the types of affiliates in each category.

(2) Categories of affiliates may include:

(i) Financial service providers, followed by illustrative examples such as mortgage bankers, securities broker-dealers, and insurance agents; and

(ii) Non-financial companies, followed by illustrative examples such as retailers, magazine publishers, airlines, and direct marketers; and

(iii) Others, followed by examples such as nonprofit organizations.

(f) Sample notice. A sample notice is included in section 12.

6. Reasonable opportunity to opt out

(a) In general. A company provides a reasonable opportunity to opt out if it provides a reasonable period of time following the delivery of the opt out notice for the consumer to opt out.

(b) Examples of reasonable periods of time for different means of delivery: (1) In person. A company hand-delivers an opt out notice to the consumer and provides at least 30 days from the date it delivered the notice.

(2) By mail. A company mails an opt out notice to a consumer and provides at least 30 days from the date it mailed the notice.

(3) By electronic means. A company notifies the consumer electronically and provides at least 30 days after the date that the consumer acknowledges receipt of the electronic notice.

(c) Continuing opportunity to opt out. A consumer may opt out at any time.

7. Reasonable means of opting out

(a) General rule. A company provides a consumer with a reasonable means of opting out if it provides a reasonably convenient method to opt out.

(b) Reasonably convenient methods. Examples of reasonably convenient methods include:

(1) Designating check-off boxes in a prominent position on the relevant forms included with the opt out notice;

(2) Including a reply form that includes the address to which the form should be mailed, together with the opt out notice;

(3) Providing an electronic means to opt out, such as a form that can be electronically mailed or a process at the company's web site, if the consumer agrees to the electronic delivery of information; or

(4) Providing a toll-free telephone number that consumers may call to opt out.

(c) Methods not reasonably convenient. Examples of methods that are not reasonably convenient include:

(1) Requiring a consumer to write his or her own letter to a company; or

(2) Referring in a revised notice to a check-off box that a company included with a previous notice but that the company does not include with the revised notice.

(d) Requiring specific means of opting out. A company may require each consumer to opt out through a specific means, as long as that means is reasonable for that consumer.

8. Delivery of opt out notices

(a) In general. A company must deliver an opt out notice so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically.

(b) Examples of expectation of actual notice. (1) A company may reasonably expect that a consumer will receive actual notice if it:

(i) Hand-delivers a printed copy of the notice to the consumer;

(ii) Mails a printed copy of the notice to the last known mailing address of the consumer; or

(iii) For the consumer who conducts transactions electronically, posts the notice on its electronic site and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular product or service;

(2) A company may not reasonably expect that a consumer will receive actual notice if it:

(i) Only posts a sign in its branch or office or generally publishes advertisements presenting its notice; or

(ii) Sends the notice via electronic mail to a consumer who does not obtain a product or service from the company electronically.

(c) Oral description insufficient. A company may not provide an opt out notice solely through an oral explanation of the notice, either in person or over the telephone. Start Printed Page 80809

(d) Retention or accessibility. (1) In general. A company clearly discloses the consumer's opportunity to opt out if it provides an opt out notice so that it can be retained or obtained at a later time by the consumer in writing or, if the consumer agrees, electronically.

(2) Examples of retention or accessibility. A company provides the notice so that it can be retained or obtained at a later time if the company:

(i) Hand-delivers a printed copy of the notice to the consumer;

(ii) Mails a printed copy of the notice to the last known address of the consumer upon request of the consumer; or

(iii) Makes the company's current notice available on a web site (or a link to another web site) for the consumer who obtains a product or service electronically and who agrees to receive the notice at the web site.

(e) Joint notice with affiliates. A company may provide a joint notice with one or more affiliates as long as the notice identifies each person providing it and is accurate with respect to each.

(f) Joint relationships. (1) In general. If two or more consumers jointly obtain a product or service from a creditor or other company (joint consumers), the following principles apply:

(i) The company may provide a single notice to all of the joint consumers.

(ii) Any of the joint consumers has the opportunity to opt out.

(iii) The company may treat an opt out direction by a joint consumer either as:

(A) Applying to all of the joint consumers; or

(B) Applying to that particular joint consumer.

(iv) The company must explain in its opt out notice which of the two policies set forth in paragraph (f)(1)(iii) of this section it will follow.

(v) If the company follows the policy set forth in paragraph (f)(1)(iii)(B) of this section, by treating the opt out of a joint consumer as applying to that particular joint consumer, the company must also permit:

(A) A joint consumer to opt out on behalf of other joint consumers; and

(B) One or more joint consumers to notify the company of their opt out directions in a single response.

(vi) A company may not require all joint consumers to opt out before it implements any opt out direction.

(vii) If a company receives an opt out by a particular joint consumer that does not apply to the others, the company may disclose information about the others as long as no information is disclosed about the consumer who opted out.

(2) Example. If consumers A and B, who have different addresses, have a joint account with a creditor and arrange for the creditor to send statements to A's address, the creditor may do any of the following, but it must explain in its opt out notice which opt out policy the creditor will follow. The creditor may send a single opt out notice to A's address and:

(i) Treat an opt out direction by A as applying to the entire account. If the creditor does so and A opts out, the creditor may not require B to opt out as well before implementing A's opt out direction.

(ii) Treat A's opt out direction as applying to A only. If the creditor does so, it must also permit:

(A) A and B to opt out for each other; and

(B) A and B to notify the creditor of their opt out directions in a single response (such as on a single form) if they choose to give separate opt out directions.

(iii) If A opts out only for A, and B does not opt out, the creditor may disclose opt out information only about B, and not about A and B jointly.

9. Revised opt out notice

If a company has provided a consumer with one or more opt out notices and plans to communicate opt out information to its affiliates about the consumer other than as described in those notices, the communication will not be a “consumer report” if the company provides the consumer with a revised opt out notice that complies with sections 4 through 8.

10. Time by which opt out must be honored

If a company provides a consumer with an opt out notice and the consumer opts out, the company must comply with the opt out as soon as reasonably practicable after the company receives it.

11. Duration of opt out

An opt out remains effective until revoked by the consumer in writing or electronically, as long as the consumer continues to have a relationship with the company. If the consumer's relationship with the company terminates, the opt out will continue to apply to this information. However, a new notice and opportunity to opt out must be provided if the consumer establishes a new relationship with the company.

12. Sample notice

This section contains a sample notice. A company may use applicable examples in this sample to provide disclosures to consumers about the sharing of information with its affiliates.

Notice of Your Opportunity To Opt Out of Information Sharing With Our Affiliates

Information we can share with our affiliates about you—unless you tell us not to

What Information: Unless you tell us not to, [Company] may share with our affiliated companies information about you, including:

  • Information we obtain from your application, such as [provide illustrative examples, such as “your income” or “your marital status”];
  • Information we obtain from a consumer report, such as [provide illustrative examples, such as “your credit score or credit history”];
  • Information we obtain to verify representations made by you, such as [provide illustrative examples, such as “your open lines of credit”]; and
  • Information we obtain from a person regarding its employment, credit, or other relationship with you, such as [provide illustrative examples, such as “your employment history”].

Shared With Whom: Our affiliated companies who may receive this information are:

  • Financial service providers, such as [provide illustrative examples, such as “mortgage lenders or brokers”];
  • Non-financial companies, such as [provide illustrative examples, such as “retailers, direct marketers, airlines, and publishers”]; and
  • Others [provide illustrative examples, such as “nonprofit organizations”].

How to tell us not to share this information with our affiliated companies

If you prefer that we not share this information with our affiliated companies, you may direct us not to share this information by doing the following [insert one or more of the reasonable means of opting out listed below*]: [call us toll free at {insert toll free number}]; or [visit our web site at {insert web site address} and {provide further instructions on how to use the web site option}]; or [e-mail us at {insert the e-mail address}]; or [fill out and tear off the bottom of this sheet and mail to the address shown there]; or [check the appropriate box on the attached form Start Printed Page 80810{attach form}; and mail to the following address: {insert address}].

Note:

Your direction in this paragraph covers certain information about you that we might otherwise share with our affiliated companies. We may share other information about you with our affiliated companies as permitted by law.

Start Signature

By direction of the Commission.

Donald S. Clark,

Secretary.

End Signature End Part End Supplemental Information

Footnotes

1.  The FCRA creates substantial obligations for CRAs. Most importantly, CRAs must make reports only to parties with permissible purposes listed in section 604, limit reporting negative information that is older than the times set out in section 605, maintain reasonable procedures to ensure accuracy of reports as required by section 607(b), make file disclosures to consumers required by section 609, and reinvestigate disputes using the procedures set forth in section 611.

Back to Citation

2.  Section 621(a), 15 U.S.C. 1681s(a).

Back to Citation

3.  Section 621(b)(1-3), 15 U.S.C. 1681s(b)(1-3). Also, Section 621(b)(4-6) assigns FCRA regulatory authority to the Departments of Transportation and Agriculture over entities under their jurisdiction.

Back to Citation

4.  15 U.S.C. 1681s(a)(4), repealed by section 506(b) of Pub. L. 106-102.

Back to Citation

5.  Section 621(e)(1), 15 U.S.C. 1681s(e)(1), added by section 506(a) of Pub. L. 106-102.

Back to Citation

6.  Prior to the 1996 amendments to the FCRA, each affiliate could disclose its own transaction or experience information directly to another affiliate, but could not pool such information in a common database, without being considered a consumer reporting agency. The 1996 amendments facilitated the disclosure of such information among affiliates. However, the affiliates will still become CRAs if they share pooled data outside the affiliate family.

Back to Citation

7.  The E-SIGN Act, Pub. L. 106-299, which became effective October 1, 2000, addresses the use of electronic records and signatures for interstate and foreign commerce. This Act contains general rules governing the use of electronic records for providing required information to consumers (such as disclosures and acknowledgments required by the GLBA). The legal requirement that consumer disclosures be in writing may be satisfied by an electronic record if the consumer affirmative by consents and certain other requirements of the E-SIGN Act are met.

Back to Citation

* If the company is using its web site or an e-mail address as the only method by which a consumer may opt out, the consumer must agree to the electronic delivery of information.

Back to Citation

[FR Doc. 00-32391 Filed 12-21-00; 8:45 am]

BILLING CODE 6750-01-P