These documents are not legal documents but are placed here for reference purposes only. For a legal copy please contact the department.

Privacy Notices – Regulation IH-2001-01 Use of Federal Model Privacy Form

Bulletin
Tuesday, January 19, 2016
Insurance Bulletin #188

Note: Please see printer-friendly version for Attachments A, B, and C.

The purpose of this bulletin is to set forth the views of the Vermont Department of Financial Regulation regarding use of the Federal Model Privacy Form for compliance with the privacy notice requirements in Department Regulation IH-2001-01, Privacy of Consumer Financial and Health Information Regulation (“Vermont Privacy Regulation”).

The Financial Services Regulatory Relief Act of 2006 directed eight federal agencies to adopt a simplified Federal Model Privacy Form. The new Federal Model Privacy Form was developed to increase consumers’ understanding and ability to make informed decisions regarding the sharing of personal information, as required by the Gramm-Leach-Bliley Act (“GLBA”). Federally regulated financial institutions that use the new Federal Model Privacy Form may rely on it as a safe harbor to provide the notices required under the GLBA privacy rules.

This Bulletin describes how Licensees, as defined in the Vermont Privacy Regulation, may use the new Federal Model Privacy Form to meet the notice and content requirements of the Vermont Privacy Regulation.

Use of the Federal Model Privacy Form

A Licensee’s use of the Federal Model Privacy Form set forth in Attachment A, consistent with the Instructions set forth in Attachments B and C as modified by this Bulletin, constitutes compliance with the notice content requirements of Sections 7 and 8 of the Vermont Privacy Regulation.

Licensees may rely on the Federal Model Privacy Form, consistent with this Bulletin and the attached Instructions, as a safe harbor for compliance with the privacy notice content requirements of the Vermont Privacy Regulation.

Licensees are reminded that Vermont statutes and regulations relating to consumer privacy contain content requirements with significant differences from many other states. Significantly, Vermont is an “opt-in” state rather than an “opt-out” state. As more specifically set forth in the Vermont Privacy Regulation, a Licensee may not share nonpublic personal information without the consumer’s consent, other than as permitted by Vermont law.

Both the Federal Model Privacy Form and the Instructions were designed for use by “opt-out” states. To maintain consistency with other states, the Instructions set forth in Attachments B and C include the Instructions for “opt-out” states. This Bulletin and the notes in Attachments B and C describe how to use the Federal Model Privacy Forms and Instructions, otherwise designed for “opt-out” states, in a manner consistent with Vermont’s “opt-in” requirements.

Vermont laws and the Vermont Privacy Regulation require that Licensees obtain “opt-in” consent from a consumer prior to sharing nonpublic personal information with an affiliate or with a nonaffiliated third party, except as otherwise specifically permitted by Vermont laws and regulations. A Licensee may use the Federal Model Privacy Form to comply with the Vermont Privacy Regulation in either of the following ways:

Option 1. A Licensee may provide a generalized notice to its Vermont consumers that answers “no” to each of the questions about whether it shares information: (i) “For our affiliates’ everyday business purposes – information about your creditworthiness;” and (ii) “for nonaffiliates to market to you;” OR

Option 2. A Licensee can provide a generalized notice to consumers across a number of states, including Vermont, and answer “yes” to the questions in Option 1 above, provided it includes a discussion on the application of Vermont law in the “Other Important Information” box on page 2 of the Federal Model Privacy Form and complies with the requirements below.

A Licensee that chooses to use the Federal Model Privacy Form as provided in Option 2 above shall provide the following information:

(a) The “Other Important Information” box on the Federal Model Privacy Form contains statements that convey the following information:

Other Important Information

For Vermont Members/Customers.

We will not disclose information about your creditworthiness to our affiliates and will not disclose your personal information, financial information, credit report, or health information to nonaffiliated third parties to market to you, other than as permitted by Vermont law, unless you authorize us to make those disclosures.

Additional information concerning our privacy policies can be found at [website link] or call [telephone number].

AND

(b) The additional information provided on the Licensee’s website contains the information required by the Vermont Privacy Regulation, to the extent such information is not already included in the Licensee’s privacy notice.

Use of Other Types of Privacy Notices

Use of the attached Federal Model Privacy Form is not required. Licensees may continue to use other types of privacy notices to meet the requirements of Sections 7 and 8 of the Vermont Privacy Regulation so long as the notices accurately describe the Licensee’s privacy practices and otherwise meet the requirements of Sections 7 and 8 of the Vermont Privacy Regulation.