U.S. Securities & Exchange Commission Seal
Home | Previous Page

Final Model Privacy Form Under the Gramm-Leach-Bliley Act

A Small Entity Compliance Guide1


On December 1, 2009, the Securities and Exchange Commission ("Commission"), together with seven other federal agencies, published in the Federal Register amendments to the rules implementing certain privacy provisions of the Gramm-Leach-Bliley Act ("GLB Act") and adopting a model privacy form. The GLB Act and the Commission's Regulation S-P require brokers, dealers, investment advisers registered with the Commission, and investment companies ("SEC entities") to provide initial and annual privacy notices to their customers. These notices must describe the entities' information-sharing practices and inform customers of their right to opt out of certain of these practices. The model privacy form is designed to make it easier for consumers to understand how financial institutions collect and share their personal financial information and to compare different institutions' information practices.

SEC entities may rely on the model privacy form as a safe harbor to comply with these disclosure requirements. The Commission also is eliminating the guidance associated with the use of notices that incorporate the sample clauses in Regulation S-P.

The amendments became effective on December 31, 2009, except for the amendments eliminating the sample clauses and associated guidance, those become effective for notices sent after December 31, 2010.

The Model Privacy Form

The model privacy form is a two-page disclosure form. It is designed to be succinct and comprehensible and allow consumers to easily compare the privacy practices of different financial institutions. Use of the model privacy form is voluntary. An SEC entity that chooses to use the model privacy form consistent with the instructions to the form will satisfy the disclosure requirements for privacy notices under the GLB Act and Regulation S P (i.e., will obtain a "safe harbor").

To rely on the safe harbor, SEC entities must, among other requirements, present the model privacy form in a way that is clear, conspicuous, and intact, so that a customer can retain the content of the model form. In addition, they must provide the model form to customers using the same page orientation (portrait), format, and order of elements as provided in the rule amendments (and shown in the form). SEC entities may not change the content of the form or add any information, except as specifically permitted in the instructions to the form. SEC entities may customize the form only where terms or spaces are shown in brackets, by either selecting from the menu of terms provided in the instructions to the form, or inserting the relevant information, as indicated in the instructions to the form.

Provided that an SEC entity's use of the model privacy form meets these standards, it may:

  • Print the form on both sides of a single sheet of paper (or on two pages);
  • Incorporate the form into another document or with other notices, and include additional documents or information so long as the form is presented in a clear and conspicuous manner;
  • Provide a single form jointly with other affiliated institutions (including affiliated institutions regulated by different agencies), as long as each institution is clearly identified in the correct space of the form;
  • Include color and logos to create visual interest, provided they do not interfere with the readability of the form;
  • Use different sizes of paper, provided the paper is large enough to meet the layout and minimum 10-point font size requirements and provides sufficient white space around the model form text;
  • Include certain information on state and international privacy law in the blank spaces provided;
  • Include a mail-in version of the opt-out form as described in the rule; and
  • Translate the form into languages other than English.

Online Form Builder

The Commission is also providing a link on its website to an online model privacy form builder that any SEC entity may download and complete to create a customized privacy notice.

Elimination of Sample Clauses and Associated Guidance

Regulation S-P currently contains an appendix with sample clauses that SEC entities can use as guidance in designing their privacy notices. The amendments remove the sample clauses from Regulation S-P effective January 1, 2012, and SEC entities may no longer use them as guidance for privacy notices they provide after December 31, 2010. Although only the final model privacy form provides a safe harbor for compliance with the privacy disclosure provisions under the GLB Act and Regulation S-P, SEC entities may continue to use other types of notices that vary from the model privacy form, including notices that use the sample clauses, so long as these notices comply with the GLB Act and Regulation S-P.

Other Resources

The adopting release can be found on the Commission's web site at http://www.sec.gov/rules/final/2009/34-61003.pdf. The text of the rule amendments can be accessed through the "Investment Management" section of the Commission's website.

Contacting the Securities and Exchange Commission

Staff in the Commission's Divisions of Investment Management and Trading and Markets are available to answer questions about the model privacy form. The Office of Chief Counsel in each division answers questions submitted by email and telephone. You can submit a question by e-mail to the Division of Investment Management at imocc@sec.gov and a staff member of the office will call you to discuss your question. You can also contact the Division of Investment Management's Office of Chief Counsel at (202) 551-6825 or the Division of Trading and Markets' Office of Chief Counsel at (202) 551-5550.

1 This guide was prepared by the staff of the U.S. Securities and Exchange Commission as a "small entity compliance guide" under Section 212 of the Small Business Regulatory Enforcement Fairness Act of 1996, as amended. The guide summarizes and explains rule amendments adopted by the Commission, but is not a substitute for any rule. Only Regulation S-P can provide complete and definitive information regarding its requirements.



Modified: 04/15/2010