WSR 17-20-113
PERMANENT RULES
OFFICE OF THE
INSURANCE COMMISSIONER
[Filed October 4, 2017, 10:28 a.m., effective November 4, 2017]
Effective Date of Rule: Thirty-one days after filing.
Purpose: The rule creates a safe harbor of compliance for licensees who use the federal model privacy form.
Citation of Rules Affected by this Order: New WAC 284-04-910; and amending WAC 284-04-210.
Statutory Authority for Adoption: RCW 48.02.060, 48.43.505.
Other Authority: Gramm-Leach-Bliley Act, Public Law 106-102, sec. 501(b), sec. 505 (b)(2), Financial Services Regulatory Relief Act of 2006, Public Law 109-351, sec. 728.
Adopted under notice filed as WSR 17-16-158 on August 1, 2017.
Number of Sections Adopted in Order to Comply with Federal Statute: New 1, Amended 1, Repealed 0; Federal Rules or Standards: New 0, Amended 0, Repealed 0; or Recently Enacted State Statutes: New 0, Amended 0, Repealed 0.
Number of Sections Adopted at the Request of a Nongovernmental Entity: New 0, Amended 0, Repealed 0.
Number of Sections Adopted on the Agency's own Initiative: New 0, Amended 0, Repealed 0.
Number of Sections Adopted in Order to Clarify, Streamline, or Reform Agency Procedures: New 0, Amended 0, Repealed 0.
Number of Sections Adopted using Negotiated Rule Making: New 0, Amended 0, Repealed 0; Pilot Rule Making: New 0, Amended 0, Repealed 0; or Other Alternative Rule Making: New 1, Amended 1, Repealed 0.
Date Adopted: October 4, 2017.
Mike Kreidler
Insurance Commissioner
AMENDATORY SECTION (Amending WSR 01-03-034, filed 1/9/01, effective 2/9/01)
WAC 284-04-210 Information to be included in privacy notices.
(1) General rule. The initial, annual and revised privacy notices that a licensee provides under WAC 284-04-200, 284-04-205, and 284-04-220 shall include each of the following items of information, in addition to any other information the licensee wishes to provide, that applies to the licensee and to the consumers to whom the licensee sends its privacy notice:
(a) The categories of nonpublic personal financial information that the licensee collects;
(b) The categories of nonpublic personal financial information that the licensee discloses;
(c) The categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information, other than those parties to whom the licensee discloses information under WAC 284-04-405 and 284-04-410;
(d) The categories of nonpublic personal financial information about the licensee's former customers that the licensee discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information about the licensee's former customers, other than those parties to whom the licensee discloses information under WAC 284-04-405 and 284-04-410;
(e) If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under WAC 284-04-400 (and no other exception in WAC 284-04-405 and 284-04-410 applies to that disclosure), a separate description of the categories of information the licensee discloses and the categories of third parties with whom the licensee has contracted;
(f) An explanation of the consumer's right under WAC 284-04-300(1) to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties, including the methods by which the consumer may exercise that right at that time;
(g) Any disclosures that the licensee makes under section 603 (d)(2)(A)(iii) of the Federal Fair Credit Reporting Act (15 U.S.C. 1681a (d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of disclosures of information among affiliates);
(h) The licensee's policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; and
(i) Any disclosure that the licensee makes under subsection (2) of this section.
(2) Description of parties subject to exceptions. If a licensee discloses nonpublic personal financial information as authorized under WAC 284-04-405 and 284-04-410, the licensee is not required to list those exceptions in the initial or annual privacy notices required by WAC 284-04-200 and 284-04-205. When describing the categories of parties to whom disclosure is made, the licensee is required to state only that it makes disclosures to other affiliated or nonaffiliated third parties, as applicable, as permitted by law.
(3) Examples.
(a) Categories of nonpublic personal financial information that the licensee collects. A licensee satisfies the requirement to categorize the nonpublic personal financial information it collects if the licensee categorizes it according to the source of the information, as applicable:
(i) Information from the consumer;
(ii) Information about the consumer's transactions with the licensee or its affiliates;
(iii) Information about the consumer's transactions with nonaffiliated third parties; and
(iv) Information from a consumer reporting agency.
(b) Categories of nonpublic personal financial information a licensee discloses.
(i) A licensee satisfies the requirement to categorize nonpublic personal financial information it discloses if the licensee categorizes the information according to source, as described in (a) of this subsection, as applicable, and provides a few examples to illustrate the types of information in each category. These might include:
(A) Information from the consumer, including application information, such as assets and income and identifying information, such as name, address, and Social Security number;
(B) Transaction information, such as information about balances, payment history, and parties to the transaction; and
(C) Information from consumer reports, such as a consumer's creditworthiness and credit history.
(ii) A licensee does not adequately categorize the information that it discloses if the licensee uses only general terms, such as transaction information about the consumer.
(iii) If a licensee reserves the right to disclose all of the nonpublic personal financial information about consumers that it collects, the licensee may simply state that fact without describing the categories or examples of nonpublic personal information that the licensee discloses.
(c) Categories of affiliates and nonaffiliated third parties to whom the licensee discloses.
(i) A licensee satisfies the requirement to categorize the affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information about consumers if the licensee identifies the types of businesses in which they engage.
(ii) Types of businesses may be described by general terms only if the licensee uses a few illustrative examples of significant lines of business. For example, a licensee may use the term financial products or services if it includes appropriate examples of significant lines of businesses, such as life insurer, automobile insurer, consumer banking or securities brokerage.
(iii) A licensee also may categorize the affiliates and nonaffiliated third parties to whom it discloses nonpublic personal financial information about consumers using more detailed categories.
(d) Disclosures under exception for service providers and joint marketers. If a licensee discloses nonpublic personal financial information under the exception in WAC 284-04-400 to a nonaffiliated third party to market products or services that it offers alone or jointly with another financial institution, the licensee satisfies the disclosure requirement of subsection (1)(e) of this section if it:
(i) Lists the categories of nonpublic personal financial information it discloses, using the same categories and examples the licensee used to meet the requirements of subsection (1)(b) of this section, as applicable; and
(ii) States whether the third party is:
(A) A service provider that performs marketing services on the licensee's behalf or on behalf of the licensee and another financial institution; or
(B) A financial institution with whom the licensee has a joint marketing agreement.
(e) Simplified notices. If a licensee does not disclose, and does not wish to reserve the right to disclose, nonpublic personal financial information about customers or former customers to affiliates or nonaffiliated third parties except as authorized under WAC 284-04-405 and 284-04-410, the licensee may simply state that fact, in addition to the information it shall provide under subsections (1)(h), (i) and (2) of this section.
(f) Confidentiality and security. A licensee describes its policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information if it does both of the following:
(i) Describes in general terms who is authorized to have access to the information; and
(ii) States whether the licensee has security practices and procedures in place to ensure the confidentiality of the information in accordance with the licensee's policy. The licensee is not required to describe technical information about the safeguards it uses.
(4) Short-form initial notice with opt out notice for noncustomers.
(a) A licensee may satisfy the initial notice requirements in WAC 284-04-200 (1)(b) for a consumer who is not a customer by providing a short-form initial notice at the same time as the licensee delivers an opt out notice as required in WAC 284-04-215.
(b) A short-form initial notice shall:
(i) Be clear and conspicuous;
(ii) State that the licensee's privacy notice is available upon request; and
(iii) Explain a reasonable means by which the consumer may obtain that notice.
(c) The licensee shall deliver its short-form initial notice according to WAC 284-04-225. The licensee is not required to deliver its privacy notice with its short-form initial notice. The licensee instead may simply provide the consumer a reasonable means to obtain its privacy notice. If a consumer who receives the licensee's short-form notice requests the licensee's privacy notice, the licensee shall deliver its privacy notice according to WAC 284-04-225.
(d) Examples of obtaining privacy notice. The licensee provides a reasonable means by which a consumer may obtain a copy of its privacy notice if the licensee:
(i) Provides a toll-free telephone number that the consumer may call to request the notice; or
(ii) For a consumer who conducts business in person at the licensee's office, maintains copies of the notice on hand that the licensee provides to the consumer immediately upon request.
(5) Future disclosures. The licensee's notice may include:
(a) Categories of nonpublic personal financial information that the licensee reserves the right to disclose in the future, but does not currently disclose; and
(b) Categories of affiliates or nonaffiliated third parties to whom the licensee reserves the right in the future to disclose, but to whom the licensee does not currently disclose, nonpublic personal financial information.
(6) Sample Clauses and Federal Model Privacy Form. Sample clauses illustrating some of the notice content required by this section and the Federal Model Privacy Form are included in Appendix A and Appendix B of this regulation.
NEW SECTION
WAC 284-04-910 Appendix B: Federal Model Privacy Form.
Licensees, including a group of financial holding company affiliates that use a common privacy notice, may use the federal Model Privacy Form, if the form is accurate for each institution that uses the form. (Note that disclosure of certain information, such as assets, income and information from a consumer reporting agency, may give rise to obligations under the federal Fair Credit Reporting Act, such as a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.)
(1) General instructions.
(a) How the Model Privacy Form is used.
(i) The model form may be used, (at the option of a "licensee"), including a group of licensees or other financial institutions that use a common privacy notice, to meet the content requirements of the privacy notice and opt-out notice set forth in WAC 284-04-210 and 284-04-215.
(ii) The model form is a standardized form, including page layout, content, format, style, pagination, and shading. Licensees seeking to obtain the safe harbor through use of the model form may modify it only as described in these instructions.
(iii) Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the federal Fair Credit Reporting Act (FCRA), codified at 15 U.S.C. §§ 1681-1681x, such as a requirement to permit a consumer to opt out of disclosures to affiliates, or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.
(iv) The word "customer" may be replaced by the word "member," whenever it appears in the model form, as appropriate.
(b) The contents of the Model Privacy Form. The model form consists of two pages, which may be printed on both sides of a single sheet of paper or may appear on two separate pages. Where a licensee provides a long list of licensees or financial institutions at the end of the model form in accordance with subsection (2)(c)(i)(A) of this instruction, or provides additional information in accordance with subsection (2)(c)(iii) of this instruction and such list or additional information exceeds the space available on page two of the model form, such list or additional information may extend to a third page.
(i) Page one. The first page consists of the following components:
(A) Date last revised (upper right-hand corner)
(B) Title
(C) Key frame (Why? What? How?)
(D) Disclosure table ("Reasons we can share your personal information")
(E) "To limit our sharing" box, as needed, for the licensee's opt-out information
(F) "Questions" box, for customer service contact information
(G) Mail-in opt-out form, as needed
(ii) Page two. The second page consists of the following components:
(A) Heading (Page two)
(B) Frequently asked questions ("Who we are" and "What we do")
(C) Definitions
(D) "Other important information" box, as needed
(c) The format of the Model Privacy Form. The format of the model form may be modified only as described below.
(i) Easily readable type font. Licensees that use the model form must use an easily readable type font. While a number of factors together produce easily readable font, licensees are required to use a minimum of 10-point font (unless otherwise expressly permitted in these instructions) and sufficient spacing between lines.
(ii) Logo. A licensee may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page.
(iii) Page size and orientation. Each page of the model form must be printed in portrait orientation, the size of which must be sufficient to meet the layout and minimum font size requirements, with sufficient white space on the top, bottom, and sides of the content.
(iv) Color. The model form must be printed on white or light color paper (such as cream) with black or other contrasting ink color. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract from the readability of the model form. Logos may also be printed in color.
(v) Languages. The model form may be translated into languages other than English.
(2) Information required in the Model Privacy Form. The information in the model form may be modified only as described below:
(a) Name of licensee or group of affiliated licensees or institutions providing the notice: Insert the name of the licensee providing the notice, or a common identity of the affiliated licensees or financial institutions jointly providing the notice on the form, wherever [name of licensee] appears.
(b) Page one
(i) Last revised date. The licensee must insert in the upper right-hand corner the date on which the notice was last revised. The information shall appear in minimum eight-point font as "rev. [month/year]" using either the name or number of the month, such as "rev. July 2016" or "rev. 7/16."
(ii) General instructions for the "What?" box
(A) The bulleted list identifies the types of personal information that the licensee collects and shares. All licensees must use the term "Social Security number" in the first bullet.
(B) A licensee must use five of the following terms, to complete the bulleted list: Income; account balances; payment history; transaction history; transaction or loss history; credit history; credit scores; assets; investment experience; credit-based insurance scores; insurance claim history; medical information; overdraft history; purchase history; account transactions; risk tolerance; medical-related debts; credit card or other debt; mortgage rates and payments; retirement assets; checking account information; employment information; wire transfer instructions.
(iii) General instructions for the disclosure table. The left column lists reasons for sharing or using personal information. Each reason correlates to a specific legal provision described in subsection (2)(b)(iv) of this instruction. In the middle column, each licensee must provide a "Yes" or "No" response that accurately reflects its information-sharing policies and practices with respect to the reason listed on the left. In the right column, each licensee must provide in each box one of the following three responses, as applicable, that reflects whether a consumer can limit such sharing: "Yes," if it is required to or voluntarily provides an opt-out; "No," if it does not provide an opt-out; or "We don't share," if it answers "No" in the middle column. Only the sixth row ("For our affiliates to market to you") may be omitted at the option of the licensee. See subsection (2)(b)(iv)(F) of this instruction.
(iv) Specific disclosures and corresponding legal provisions.
(A) For our everyday business purposes. This reason incorporates sharing information under WAC 284-04-405 and 284-04-410 and with service providers pursuant to WAC 284-04-400 other than the disclosures described in subsection (2)(b)(iv)(B) or (C) of this instruction.
(B) For our marketing purposes. This reason incorporates sharing information with service providers by a licensee for its own marketing pursuant to WAC 284-04-400. A licensee that shares for this reason may choose to provide an opt-out.
(C) For joint marketing with other financial companies. This reason incorporates sharing information under joint marketing agreements between two or more licensees or financial institutions and with any service provider used in conjunction with such agreement pursuant to WAC 284-04-400. A licensee that shares for this reason may choose to provide an opt-out.
(D) For our affiliates' everyday business purposes - Information about transactions and experiences. This reason incorporates sharing information specified in sections 603 (d)(2)(A)(i) and (ii) of the FCRA. A licensee that shares information for this reason may choose to provide an opt-out.
(E) For our affiliates' everyday business purposes - Information about creditworthiness. This reason incorporates sharing information pursuant to section 603 (d)(2)(A)(iii) of the FCRA. A licensee that shares information for this reason must provide an opt-out.
(F) For our affiliates to market to you. This reason incorporates sharing information specified in section 624 of the FCRA. This reason may be omitted from the disclosure table when: The licensee does not have affiliates (or does not disclose personal information to its affiliates); the licensee's affiliates do not use personal information in a manner that requires an opt-out; or the licensee provides the affiliate marketing notice separately. Licensees that include this reason must provide an opt-out of indefinite duration. A licensee that is required to provide an affiliate marketing opt-out, but does not include that opt-out in the model form under this part, must comply with section 624 of the FCRA and WAC 284-04-200 and 284-04-215, with respect to the initial notice and opt-out and any subsequent renewal notice and opt-out. A licensee not required to provide an opt-out under this subparagraph may elect to include this reason in the model form.
(G) For nonaffiliates to market to you. This reason incorporates sharing described in WAC 284-04-215 and 284-04-300. A licensee that shares personal information for this reason must provide an opt-out.
(v) To limit our sharing. A licensee must include this section of the model form only if it provides an opt-out. The word "choice" may be written in either the singular or plural, as appropriate. Licensees must select one or more of the applicable opt-out methods described: Telephone, such as by a toll-free number; a web site; or use of a mail-in opt-out form. Licensees may include the word "toll-free" before telephone, as appropriate. A licensee that allows consumers to opt out online must provide either a specific web address that takes consumers directly to the opt out page or a general web address that provides a clear and conspicuous direct link to the opt-out page. The opt-out choices made available to the consumer who contacts the licensee through these methods must correspond accurately to the "Yes" responses in the third column of the disclosure table. In the part entitled "Please note," licensees may insert a number that is thirty days or greater in the space marked "[30]." Instructions on voluntary or state privacy law opt-out information are in subsection (2)(b)(vii)(E) of these instructions.
(vi) Questions box. Customer service contact information must be inserted as appropriate where [phone number] or [web site] appear. Licensees may elect to provide either a phone number, such as a toll-free number, or a web address, or both. Licensees may include the words "toll-free" before the telephone number, as appropriate.
(vii) Mail-in opt-out form. Licensees must include this mail-in form only if they state in the "To limit our sharing" box that consumers can opt out by mail. The mail-in form must provide opt-out options that correspond accurately to the "Yes" responses in the third column of the disclosure table. Licensees that require consumers to provide only name and address may omit the section identified as "[account #]." Licensees that require additional or different information, such as a random opt-out number or a truncated account number to implement an opt-out election should modify the "[account #]" reference accordingly. This includes licensees that require customers with multiple accounts to identify each account to which the opt-out should apply. A licensee must enter its opt-out mailing address in the far right of this form (see version three); or below the form (see version four). The reverse side of the mail-in opt-out form must not include any content of the model form.
(A) Joint accountholder. Only licensees that provide their joint accountholders the choice to opt out for only one accountholder, in accordance with subsection (2)(c)(i)(E) of these instructions, must include in the far left column of the mail-in form the following statement:
"If you have a joint account, your choice(s) will apply to everyone on your account unless you mark below.
Apply my choice(s) only to me."
The word "choice" may be written in either the singular or plural, as appropriate. Licensees that provide insurance products or services, provide this option, and elect to use the model form may substitute the word "policy" for "account" in this statement. Licensees that do not provide this option may eliminate this left column from the mail-in form.
(B) FCRA section 603 (d)(2)(A)(iii) opt-out. If the licensee shares personal information pursuant to section 603 (d)(2)(A)(iii) of the FCRA, it must include in the mail-in opt-out form the following statement:
"Do not share information about my creditworthiness with your affiliates for their everyday business purposes."
(C) FCRA section 624 opt-out. If the licensee uses section 624 of the FCRA, in accord with subsection (2)(b)(iv)(F) of these instructions, it must include in the mail-in opt-out form the following statement:
"Do not allow your affiliates to use my personal information to market to me."
(D) Nonaffiliate opt-out. If the licensee shares personal information pursuant to WAC 284-04-300, it must include in the mail-in opt-out form the following statement:
"Do not share my personal information with nonaffiliates to market their products and services to me."
(E) Additional opt-outs. Licensees that use the disclosure table to provide opt-out options beyond those required by federal law must provide those opt-outs in this section of the model form. A licensee that chooses to offer an opt-out for its own marketing in the mail-in opt-out form must include one of the two following statements:
"Do not share my personal information to market to me."; or
"Do not use my personal information to market to me."
A licensee that chooses to offer an opt-out for joint marketing must include the following statement:
"Do not share my personal information with other financial institutions to jointly market to me."
(viii) Barcodes. A licensee may elect to include a barcode and/or "tagline" (an internal identifier) in six-point type at the bottom of page one, as needed for information internal to the licensee, so long as these do not interfere with the clarity or text of the form.
(c) Page two
(i) General instructions for the questions. Certain questions on the model form may be customized as follows:
(A) "Who is providing this notice?" This question may be omitted where only one licensee provides the model form and that licensee is clearly identified in the title on page one. Two or more licensees or financial institutions that jointly provide the model form must use this question to identify themselves as required by WAC 284-04-225. Where the list of licensees or financial institutions exceeds four lines, the licensee must describe in the response to this question the general types of licensees or financial institutions jointly providing the notice and must separately identify those licensees or financial institutions, in minimum 8-point font, directly following the "Other important information" box, or, if that box is not included in the licensee's form, directly following the "Definitions." The list may appear in a multi-column format.
(B) "How does [name of licensee] protect my personal information?" The licensee may only provide additional information pertaining to its safeguards practices following the designated response to this question. Such information may include information about the licensee's use of cookies or other measures it uses to safeguard personal information. Licensees are limited to a maximum of thirty additional words.
(C) "How does [name of licensee] collect my personal information?" Licensees must use five of the following terms to complete the bulleted list for this question: Open an account; deposit money; pay your bills; apply for a loan; use your credit or debit card; seek financial or tax advice; apply for insurance; pay insurance premiums; file an insurance claim; seek advice about your investments; buy securities from us; sell securities to us; direct us to buy securities; direct us to sell your securities; make deposits or withdrawals from your account; enter into an investment advisory contract; give us your income information; provide employment information; give us your employment history; tell us about your investment or retirement portfolio; tell us about your investment or retirement earnings; apply for financing; apply for a lease; provide account information; give us your contact information; pay us by check; give us your wage statements; provide your mortgage information; make a wire transfer; tell us who receives the money; tell us where to send the money; show your government-issued ID; show your driver's license; order a commodity futures or option trade. Licensees that collect personal information from their affiliates and/or credit bureaus must include the following statement after the bulleted list: "We also collect your personal information from others, such as credit bureaus, affiliates, or other companies." Licensees that do not collect personal information from their affiliates or credit bureaus but do collect information from other companies must include the following statement instead: "We also collect your personal information from other companies." Only licensees that do not collect any personal information from affiliates, credit bureaus, or other companies can omit both statements.
(D) "Why can't I limit all sharing?" Licensees that describe state privacy law provisions in the "Other important information" box must use the bracketed sentence: "See below for more on your rights under state law." Other licensees must omit this sentence.
(E) "What happens when I limit sharing for an account I hold jointly with someone else?" Only licensees that provide opt-out options must use this question. Other licensees must omit this question. Licensees must choose one of the following two statements to respond to this question:
"Your choices will apply to everyone on your account."; or
"Your choices will apply to everyone on your account, unless you tell us otherwise." Licensees may substitute the word "policy" for "account" in these statements.
(ii) General instructions for the definitions. The licensee must customize the space below the responses to the three definitions in this section. This specific information must be in italicized lettering to set off the information from the standardized definitions.
(A) Affiliates. As required by WAC 284-04-210, where [affiliate information] appears, the licensee must:
(I) If it has no affiliates, state: "[name of licensee] has no affiliates";
(II) If it has affiliates but does not share personal information with them, state: "[name of licensee] does not share with our affiliates"; or
(III) If it shares with its affiliates, state, as applicable: "Our affiliates include companies with a [common corporate identity of licensee] name; financial companies such as [insert illustrative list of companies]; nonfinancial companies, such as [insert illustrative list of companies]; and others, such as [insert illustrative list]."
(B) Nonaffiliates. As required by WAC 284-04-210, where [nonaffiliate information] appears, the licensee must:
(I) If it does not share with nonaffiliated third parties, state: "[name of licensee] does not share with nonaffiliates so they can market to you"; or
(II) If it shares with nonaffiliated third parties, state, as applicable: "Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations]."
(C) Joint marketing. As required by WAC 284-04-400, where [joint marketing] appears, the licensee must:
(I) If it does not engage in joint marketing, state: "[name of licensee] doesn't jointly market"; or
(II) If it shares personal information for joint marketing, state, as applicable:
"Our joint marketing partners include [list categories of companies such as credit card companies]."
(iii) General instructions for the "Other important information" box. This box is optional. The space provided for information in this box is not limited, and an additional page may be used if necessary. Only the following types of information can appear in this box:
(A) State and/or international privacy law information; and/or
(B) A form by which the consumer may acknowledge receipt of the notice.
Reviser's note: The brackets and enclosed material in the text of the above section occurred in the copy filed by the agency and appear in the Register pursuant to the requirements of RCW 34.08.040.