[Federal Register Volume 65, Number 247 (Friday, December 22, 2000)]
[Proposed Rules]
[Pages 80802-80810]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 00-32391]


-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 600


Fair Credit Reporting Act Interpretations

AGENCY: Federal Trade Commission.

ACTION: Proposed interpretations of the Fair Credit Reporting Act.

-----------------------------------------------------------------------

SUMMARY: The Federal Trade Commission (Commission) is publishing for 
comment proposed interpretations of the provisions of the Fair Credit 
Reporting Act (FCRA) that permit companies to communicate consumer 
information to their affiliates (affiliate information sharing) without 
incurring the obligations of consumer reporting agencies. These 
interpretations clarify that institutions may communicate among their 
affiliates: Information as to transactions or experiences between the 
consumer and the person making the communication (transaction or 
experience information); and ``other'' information (that is, 
information covered by the FCRA but not transaction or experience 
information), provided that the institution has given notice to the 
consumer that the other information may be communicated, the 
institution has provided the consumer an opportunity to ``opt out'' 
(i.e., to direct

[[Page 80803]]

that the information not be communicated), and the consumer has not 
opted out. The proposed interpretations provide guidance on compliance 
with the affiliate information sharing provisions, addressing such 
matters as the content and delivery of the notice to consumers that 
``other'' information may be communicated (opt out notice). The 
proposed interpretations are substantively parallel to the proposed 
regulations issued by the Board of Governors of the Federal Reserve 
System, Federal Deposit Insurance Corporation, Office of the 
Comptroller of the Currency, and Office of Thrift Supervision 
(collectively the ``Federal banking agencies''), in a Notice of 
Proposed Rulemaking published in the Federal Register on October 20, 
2000 (65 FR 63120). For the most part, these proposed interpretations 
allow companies to provide notices and process opt-out elections in a 
manner similar to the final regulations implementing the privacy 
provisions of the Gramm-Leach-Bliley Act.

DATES: Comments must be received on or before January 31, 2001.

ADDRESSES: Comments should be addressed to: Secretary, Federal Trade 
Commission, Room H-159, 600 Pennsylvania Avenue, NW., Washington, DC 
20580.

FOR FURTHER INFORMATION CONTACT: Clarke Brinckerhoff or Christopher 
Keller, Attorneys, Division of Financial Practices, Federal Trade 
Commission, Washington, DC 20580, 202-326-3224.

SUPPLEMENTARY INFORMATION:

I. Background

A. The Fair Credit Reporting Act

    The Fair Credit Reporting Act (``FCRA'') (15 U.S.C. 1681-1681u) 
sets forth legal standards governing the collection, use, and 
communication of credit and other information about consumers. The 
Consumer Credit Reporting Reform Act of 1996 (Pub. L. 104-208) amended 
the FCRA extensively (``1996 Amendments''). The 1996 Amendments gave 
consumers many new protections, such as a requirement that consumer 
reporting agencies (``CRAs'') such as credit bureaus complete 
reinvestigations of disputed file data within a thirty-day period, 
while also providing some greater flexibility to business in some 
areas.
    The subject of these interpretation is one of the 1996 Amendments 
that allowed businesses to share information with affiliated companies 
without becoming CRAs, as long as they followed prescribed procedures 
to allow consumers to ``opt out'' of such information sharing. 
Specifically, it excluded specified types of information sharing with 
affiliates from the definition of ``consumer report,'' relieving 
companies making these communications (under certain circumstances) 
from the obligations of CRAs imposed by the FCRA.\1\ It excluded from 
the definition of ``consumer report'' the sharing of ``other 
information'' among affiliates, so long as the consumer, having been 
given notice and an opportunity to opt out, did not opt out. ``Other 
information'' refers to information that is covered by the FCRA and 
that is not a report containing information solely as to transactions 
or experiences between the consumer and the person making the report.
---------------------------------------------------------------------------

    \1\ The FCRA creates substantial obligations for CRAs. Most 
importantly, CRAs must make reports only to parties with permissible 
purposes listed in section 604, limit reporting negative information 
that is older than the times set out in section 605, maintain 
reasonable procedures to ensure accuracy of reports as required by 
section 607(b), make file disclosures to consumers required by 
section 609, and reinvestigate disputes using the procedures set 
forth in section 611.
---------------------------------------------------------------------------

    From its original enactment in 1970 to the present, the FCRA has 
assigned enforcement authority to the Commission.\2\ The only 
significant exception is for banks and similar financial institutions 
regulated by federal agencies.\3\ The 1996 Amendments specifically 
prohibited all agencies, including the Commission, from issuing 
regulations implementing the FCRA.\4\ The Gramm-Leach-Bliley Act 
(``GLBA'') repealed this prohibition in November 1999 and added a new 
section authorizing the Federal banking agencies to jointly prescribe 
such regulations as necessary to carry out the purposes of the FCRA as 
to the financial institutions under their jurisdiction.\5\ However, the 
GLBA did not grant such regulatory authority to the Commission. 
Pursuant to their authority, the Federal banking agencies issued 
proposed FCRA regulations in a Notice of Proposed Rulemaking published 
in the Federal Register on October 20, 2000 (65 FR 63120).
---------------------------------------------------------------------------

    \2\ Section 621(a), 15 U.S.C. 1681s(a).
    \3\ Section 621(b)(1-3), 15 U.S.C. 1681s(b)(1-3). Also, Section 
621(b)(4-6) assigns FCRA regulatory authority to the Departments of 
Transportation and Agriculture over entities under their 
jurisdiction.
    \4\ 15 U.S.C. 1681s(a)(4), repealed by section 506(b) of Pub. L. 
106-102.
    \5\ Section 621(e)(1), 15 U.S.C. 1681s(e)(1), added by section 
506(a) of Pub. L. 106-102.
---------------------------------------------------------------------------

B. The Gramm-Leach-Bliley Act, its privacy regulations, and financial 
institutions

    The GLBA sets standards for financial institutions' disclosure of 
nonpublic personal information to nonaffiliated third parties 
(``privacy provisions''). Pub. L. 106-102, 15 U.S.C. 6802; see also 12 
U.S.C. 6803. The Commission published timely final regulations 
implementing these privacy provisions (``privacy regulations''), 65 FR 
33646, May 24, 2000, as did the Federal banking agencies. 65 FR 35162 
June 1, 2000.
    The GLBA privacy regulations do not ``modify, limit, or supersede 
the operation of the Fair Credit Reporting Act.'' 15 U.S.C. 6806. Thus, 
both the privacy regulations and the FCRA may apply to a financial 
institution's disclosure of certain consumer information. Moreover, if 
a financial institution provides an opt out notice under the FCRA, that 
notice must be included in certain notices mandated by the privacy 
regulations, including annual notices to customers. 15 U.S.C. 6803. 
Therefore, the Commission anticipates that financial institutions will 
design their information-sharing policies and practices taking into 
account both the GLBA (and its privacy regulations) and the FCRA. The 
Federal banking agencies have stated their intent to conform their 
privacy regulations and FCRA regulations where appropriate (65 FR 
63120, 63121).

C. This proposal, and prior Commission interpretations of the FCRA

    Some entities subject to the enforcement authority of the 
Commission, rather than the Federal banking agencies, also share 
information with their affiliates. The Commission believes it is 
important for such entities to be aware of the Commission's 
interpretations of the FCRA as to issues on which the Federal banking 
agencies propose to issue regulations, and to be afforded an 
opportunity to comment on them. The Commission encourages all such 
entities to submit comments to the Commission in response to this 
notice. Although Section 603(d)(2)(A)(iii) of the FCRA has been 
effective since September 30, 1997, the Commission plans to enforce 
that provision in accord with any interpretations it may issue in this 
proceeding only after any similar final regulations issued by the 
Federal banking agencies have become effective.
    In 1990, the Commission issued a comprehensive Commentary on the 
FCRA. The Commentary does not address the extensive changes and 
additions made in the 1996

[[Page 80804]]

Amendments. However, the Commission believes the Commentary will 
continue to be of use to the public because of its guidance in areas 
not affected by the 1996 Amendments or not included in the proposed new 
interpretations. Therefore, the Commission does not plan to withdraw 
the Commentary at this time. The proposed interpretations would be 
added as Appendix B to 16 CFR part 600 following the Commentary, which 
would be re-designated as Appendix A. The Commission staff will 
continue to respond to requests for informal opinion letters 
interpreting FCRA provisions and make them available to the public on 
its web site (www.ftc.gov).

II. Questions for comment

    The Commission solicits comment on all aspects of the proposed 
interpretations (16 CFR Part 600, Appendix B), including but not 
limited to those highlighted below.

A. Examples.

    Should the interpretations include additional or different 
examples? More fundamentally, are examples appropriate and useful?

B. Defined terms

    1. Affiliate. Several FCRA provisions apply to information sharing 
with persons ``related by common ownership or affiliated by corporate 
control,'' ``related by common ownership or affiliated by common 
corporate control,'' or ``affiliated by common ownership or common 
corporate control.'' E.g., FCRA, sections 603(d)(2), 615(b)(2), and 
624(b)(2). Section 3(b) of the proposed interpretations uses the term 
``affiliate'' to refer to all of these relationships between and among 
companies. It uses the phrase ``related or affiliated by common 
ownership or affiliated by corporate control or common corporate 
control'' to mean controlling, controlled by, or under common control 
with another company. As used in the proposed interpretations, is the 
term ``affiliate'' appropriate in scope?
    Consistent with definitions in the privacy regulations, the 
proposed interpretation uses the term ``control'' to apply exclusively 
to the control of a ``company.'' Is the term ``control'' in proposed 
Section 3(i), including the proposed 25 percent ownership benchmark, 
useful or appropriate? Is the term ``company'' in proposed Section 
3(e), which includes any corporation, limited liability company, 
business trust, general or limited partnership, association, or similar 
organization (but omits other entities such as individuals, estates, 
cooperatives, governments, and governmental subdivisions or agencies) 
useful or appropriate, in the context of these interpretations 
concerning sharing of consumer information by affiliates?
    2. Clear and conspicuous. Section 3(c) states that ``clear and 
conspicuous'' refers to a notice that is reasonably understandable and 
designed to call attention to the nature and significance of the 
information it contains. Companies have flexibility in determining how 
to make their notices clear and conspicuous, consistent with the 
approach in the privacy regulations. Is this an appropriate 
interpretation of the term for FCRA compliance? How should the term be 
interpreted to ensure ``clear and conspicuous'' disclosures under both 
the GLBA and the FCRA for those entities sharing protected information 
with affiliates and third parties?
    3. Opt out information. As described above, the 1996 Amendments to 
the FCRA excluded from the definition of ``consumer report'' the 
sharing of ``other information'' among affiliates, so long as the 
consumer, having been given notice and an opportunity to opt out, did 
not opt out. ``Other information'' refers to information that is 
covered by the FCRA, and that is not a report containing information 
solely as to transactions or experiences between the consumer and the 
person making the report. (The FCRA's definition of ``consumer 
report,'' reflected in proposed Section 3(g)(2)(i), has always excluded 
communication of information solely as to transactions or experiences 
between the consumer and the person making the report, regardless of 
whether the parties are affiliated.\6\)
---------------------------------------------------------------------------

    \6\ Prior to the 1996 amendments to the FCRA, each affiliate 
could disclose its own transaction or experience information 
directly to another affiliate, but could not pool such information 
in a common database, without being considered a consumer reporting 
agency. The 1996 amendments facilitated the disclosure of such 
information among affiliates. However, the affiliates will still 
become CRAs if they share pooled data outside the affiliate family.
---------------------------------------------------------------------------

    Proposed Section 3(k) uses the term ``opt out information'' to 
describe this category of information. It describes it as information 
that (i) bears on a consumer's credit worthiness, credit standing, 
credit capacity, character, general reputation, personal 
characteristics, or mode of living, (ii) is used or expected to be used 
or collected for one of the permissible purposes listed in the FCRA 
(e.g., credit transaction, insurance underwriting, employment 
purposes), and (iii) is not solely transaction or experience 
information. Is ``opt out information'' a useful term in the proposed 
interpretations? Is the definition accurate in this context? In the 
event that consumer information is shared with both affiliates and 
third parties, subject to both GLBA and FCRA provisions, is the use of 
this term likely to result in confusion? If so, how might any such 
confusion be avoided? Would the term ``FCRA opt-out information'' be a 
better term for these interpretations? Is proposed Section 3(k)(2) that 
refers to the permissible purposes for which the information is used or 
expected to be used, which is part of the statutory definition of 
``consumer report'' in Section 603(d) of the FCRA, useful in analyzing 
the affiliate information sharing exception?

C. Application of the exclusion--general

    Section 603(d)(2)(A)(iii) of the FCRA excludes from the definition 
of ``consumer report'' the sharing of opt out information among 
affiliates if:

    it is clearly and conspicuously disclosed to the consumer that 
the information may be communicated among such persons and the 
consumer is given the opportunity, before the time that the 
information is initially communicated, to direct that such 
information not be communicated among such persons. * * *

    Proposed Section 4 states that opt out information may be 
communicated among affiliates without the communication being a 
consumer report if: (i) the company has provided an opt out notice; 
(ii) the company has given the consumer a reasonable opportunity and 
means, before the time that it communicates the information, to opt 
out; and (iii) the consumer has not opted out. Is this interpretation, 
when combined with others proposed in this publication, sufficient to 
encompass the opt out notice and procedure provided in Section 
603(d)(2)(A)(iii)?

D. Application of the exclusion--mergers and acquisitions

    Under proposed Section 4, in a merger or acquisition situation, the 
exclusion applies and the surviving company need not provide new 
notices, if the notices previously given to those customers accurately 
reflect the policies and practices of the surviving entity. Does that 
interpretation properly reflect Section 603(d)(2)(A)(iii) of the FCRA 
in these situations? Should this point be specifically included in the 
text of Section 4?

E. Contents of opt out notice

    Proposed Section 5(a) states that an opt out notice must accurately 
explain (i) the categories of opt out information about the consumer 
that the company communicates, (ii) the categories of

[[Page 80805]]

affiliates to which the company communicates the information, (iii) the 
consumer's ability to opt out, and (iv) a reasonable means to opt out. 
Section 5(d) sets forth four categories of information sources and six 
examples of types of information that a company may use to describe the 
information it may share with affiliates. Section 5(e) provides three 
categories of affiliates (financial service providers, non-financial 
companies, and others), with illustrative examples for each, that a 
company may use to describe the parties with which the company may 
share the information. Are these categories and examples appropriate 
and sufficient to guide compliance with the portion of section 
603(d)(2)(A)(iii) that calls for a disclosure that ``clearly'' informs 
consumers of their ``opportunity'' to ``direct that such information 
not be communicated among such persons'' (emphasis added)? Is it clear 
from these interpretations that the Commission views as insufficient a 
very general notice that states that the company may share any 
information it obtains on the consumer with any of its affiliates?
    The descriptions of the categories of information set out in 
proposed Section 5(d)(2) differ somewhat from those in the privacy 
regulations that appear at 16 CFR 313.6(c)(2). To what extent should 
the categories in (d)(2) be considered consistent with similar 
categories in the privacy regulations (such as disclosures of 
information from consumer reporting agencies) in order to reduce 
compliance burden and consumer confusion?
    Should the interpretations also state that companies must also 
state in their FCRA notices how long a consumer has to respond to the 
opt out notice before the company may begin disclosing information 
about that consumer to its affiliates, as well as the fact that a 
consumer can opt out at any time? (These disclosures are not required 
in the privacy regulations.) Should the interpretations state that 
companies must disclose that they will wait a specified time (such as 
30 days) in every instance before sharing consumer information with 
affiliates? (See proposed Section 6, below, for additional discussion 
on reasonable opportunity to opt out.) Is either or both of those 
disclosures, in an opt out notice, necessary for a company to have 
``clearly * * * disclosed'' the consumer's ``opportunity'' to opt out 
Section 603(d)(2)(A)(iii) of the FCRA?

F. Reasonable opportunity to opt out

    Proposed Section 6(a) states that companies must provide a 
reasonable period of time for the consumer to opt out from the time 
that the notice is delivered. Proposed Section 6(b) sets out examples 
of what is a reasonable period of time when notices are provided in 
person, by mail, or by electronic means. Are there other situations 
that would suggest a different reasonable period that the Commission 
should note by example? Is it clear, from Section 6(b) and other 
authorities, that a consumer must agree to receive notices 
electronically before a company can provide notices in that manner? 
Proposed Section 6(c) explains that a consumer may opt out at any time. 
Are the interpretations in proposed Section 6 appropriate descriptions 
of the opt out ``opportunity'' afforded by Section 603(d)(2)(A)(iii) to 
consumers?
    Is the 30-day period cited in the examples in Section 6(b) 
appropriate? Should the period vary depending on the means of delivery 
or other factors? If so, what factors merit a different minimum 
``opportunity'' for the consumer to opt out, and how long should it be 
in each case? Should Section 6(b) include an ``isolated transaction'' 
example similar to that set forth at 16 CFR 313.10(a)(3)(iii), the 
Commission rule implementing the GLBA, which states that it is 
reasonable for a company to provide an opt-out notice and request the 
consumer to decide, as a necessary part of the transaction, whether to 
opt out before completion of the transaction?

G. Reasonable methods of exercising opt out opportunity

    Proposed Section 7 states that a company must provide a reasonably 
convenient method to the consumer to opt out, and sets forth examples 
of reasonable and unreasonable methods of opting out when notices are 
provided in person, by mail, or by electronic means. It states that a 
company may require each consumer to opt out through a specific means 
as long as that means is reasonable to the consumer. Are the situations 
and examples appropriate and sufficient for guidance as to opt out 
methods that the Commission views as providing or not providing the opt 
out ``opportunity'' afforded by Section 603(d)(2)(A)(iii) to consumers?

H. Delivery of opt out notices

    Proposed Section 8(a) states that opt out notices must be delivered 
in a manner such that each consumer can reasonably be expected to 
receive actual notice. The company may give notice in writing or, if 
the consumer agrees, electronically. Proposed Section 8(b) sets forth 
examples of the types of notice that the Commission believes would meet 
the ``reasonably be expected'' standard. Are the examples appropriate 
and sufficient for this purpose? Is the proposed delivery standard, 
which does not require actual notice, faithful to the statutory 
exclusion that applies only if the opt out right is ``disclosed to the 
consumer?'' The Commission invites comment on how Section 
603(d)(2)(A)(iii) of the FCRA, relating to the delivery of opt out 
notices by companies to consumers, should be applied to electronic 
communications in light of the Electronic Signatures in Global and 
National Commerce Act (the E-SIGN Act).\7\
---------------------------------------------------------------------------

    \7\ The E-SIGN Act, Pub. L. 106-299, which became effective 
October 1, 2000, addresses the use of electronic records and 
signatures for interstate and foreign commerce. This Act contains 
general rules governing the use of electronic records for providing 
required information to consumers (such as disclosures and 
acknowledgments required by the GLBA). The legal requirement that 
consumer disclosures be in writing may be satisfied by an electronic 
record if the consumer affirmative by consents and certain other 
requirements of the E-SIGN Act are met.
---------------------------------------------------------------------------

    Proposed Section 8(d) explains that a company must provide the 
notice so that the consumer can retain it or obtain it at a later time, 
and gives examples that would meet this standard. Is this a proper 
interpretation of the statutory requirement that the right to opt out 
right, which the Commission interprets as an ongoing right, must be 
``clearly * * * disclosed to the consumer?'' Are the examples 
appropriate and sufficient for guidance as to what companies must do to 
ensure that the consumer can retain the notice, or obtain it at a later 
time? Is this interpretation inconsistent with or more burdensome than 
the GLBA, which requires financial institutions to provide notices in 
form that can be retained (or later accessed) only to those consumers 
with whom they have a customer relationship?
    Proposed Section 8(f) sets out a range of appropriate methods for 
delivery of opt out notices and processing of opt out elections, in 
those situations where two or more consumers jointly obtain a product 
or service from a company. Does this section fairly apply Section 
603(d)(2)(A)(iii) to those circumstances?

I. Time by which opt out must be honored

    Proposed Section 10 explains that if a company provides a consumer 
with an opt out notice, and the consumer opts out, the company must 
comply as soon as reasonably practicable after receiving the consumer's 
direction. Is this general standard for compliance appropriate and 
sufficient, or should Section 603(d)(2)(A)(iii) of the FCRA be 
interpreted to require a fixed number of days to comply with a 
consumer's opt

[[Page 80806]]

out direction? Is it clear that a company cannot share any opt out 
information with affiliates without first providing consumers with a 
reasonable period of time to opt out as described in Section 6 above, 
but that the standard described in Section 10 applies when a consumer 
elects to opt out after that time has expired?

J. Duration of opt out

    Proposed Section 11 provides that an opt out continues to apply to 
the information and affiliates described in the applicable opt out 
notice until revoked by the consumer in writing, or if the consumer 
agrees, electronically, as long as the consumer continues to have a 
relationship with the institution. It states that if the consumer's 
relationship with the institution terminates, the opt out will continue 
to apply to this information. If that consumer subsequently establishes 
a new relationship with the company, a company may either treat the 
previous opt out as continuing in effect, or provide the consumer with 
a new notice and opportunity to opt out. Are these interpretations an 
accurate reflection of the duration of opt out elections (where 
consumers ``direct that such information not be communicated'') 
provided in Section 603(d)(2)(A)(iii)? Should the Commission provide 
guidance as to what constitutes a ``relationship'' in the context of 
Section 11? If so, to what extent should that term parallel the 
definition of a ``customer relationship'' under the GLBA?

K. Sample form

    Proposed Section 12 sets forth a sample notice, part or all of 
which may be used to facilitate the portion of Section 
603(d)(2)(A)(iii) concerning clear and conspicuous disclosure to 
consumers that information may be shared among affiliates unless they 
``opt out'' of such communications. Is the term ``corporate family'' or 
some other alternative more communicative to consumers than the term 
``affiliates'' used in the statute and the sample notice?
    Does this sample adequately convey to consumers that the company 
may continue to share certain information with its affiliates, even if 
a consumer exercises his or her opt out option? Specifically, should it 
specify that the company may continue to share information about its 
own transactions and experiences with the consumer, or any other type 
of information not subject to the definition of ``consumer report'' in 
Section 603(d) of the FCRA. Is it helpful as a guide to describing the 
information that may be shared among affiliates? Is it helpful as a 
guide to describing the affiliated companies with which the information 
may be shared? Is it helpful as a guide to describing to the consumer 
how to exercise the opt out right?

L. Costs and Benefits of the Proposal

    What benefits and costs to consumers and businesses would result 
from the proposed interpretations? What compliance burdens are 
anticipated in providing the FCRA opt-out notice in the context of the 
GLBA notice and opt-out requirements? Would the proposal have a 
significant economic impact on a substantial number of small 
businesses? Can that impact be quantified? Would compliance with the 
proposal impose costs on any entities that are not financial 
institutions subject to the GLBA, but wish to share consumer 
information with affiliates without becoming consumer reporting 
agencies under the FCRA? If so, describe any likely costs and the 
entities on which they would be imposed. Would the proposal reduce the 
compliance costs of financial institutions that must comply with both 
the GLBA's financial privacy provisions and the FCRA's affiliate 
information sharing provisions in order to share consumer information 
with affiliates without becoming consumer reporting agencies? Would the 
proposal benefit consumers by using similar standards for opting out of 
information sharing among affiliates under the FCRA and opting out of 
disclosures of nonpublic personal information to unaffiliated third 
parties under the GLBA? Do these benefits and savings outweigh the 
costs that might be imposed on entities that are not financial 
institutions under the FCRA?

List of Subjects in 16 CFR Part 600

    Credit, Trade practices.
    Pursuant to 15 U.S.C. 1681s and 16 CFR 1.73, the Commission 
proposes to amend 16 CFR Part 600 as follows:

PART 600--STATEMENTS OF GENERAL POLICY OR INTERPRETATIONS

    1. The title of the existing Appendix is revised to read as 
follows:

Appendix A to Part 600--Commentary on the Fair Credit Reporting Act

    2. A new Appendix B is added to read as follows:

Appendix B to Part 600--Commentary on the Amended Fair Credit Reporting 
Act (Affiliate Information Sharing)

Table of Contents

Introduction

    1. Purpose and scope
    2. Examples
    3. Definitions
    4. Communication of opt out information to affiliates
    5. Contents of opt out notice
    6. Reasonable opportunity to opt out
    7. Reasonable means of opting out
    8. Delivery of opt out notices
    9. Revised opt out notice
    10. Time by which opt out must be honored
    11. Duration of opt out
    12. Sample notice

Introduction

    Official status. This Appendix B has the same status as Appendix 
A. Comments issued in Appendix A continue to reflect the 
Commission's interpretations of the Fair Credit Reporting Act (FCRA) 
as it existed in 1990, whereas comments issued in Appendix B are the 
Commission's interpretations of affiliate information sharing 
resulting from the removal of such information from the definition 
of ``consumer report'' in Section 603(d)(2)(A) when the FCRA was 
amended by the Consumer Credit Reporting Reform Act of 1996.
    Issuance of staff interpretations. The Commission staff's policy 
remains unchanged from that described in the preamble to Appendix A. 
Because of the 1996 amendments to the FCRA, the staff received a 
substantially increased volume of requests for informal staff 
opinions. Recent informal FCRA staff opinion letters have been 
placed on the Commission Web site at www.ftc.gov.

1. Purpose and scope

    (a) Purpose. This Appendix applies to the collection, 
communication, and use of certain information bearing on a 
consumer's credit worthiness, credit standing, credit capacity, 
character, general reputation, personal characteristics, or mode of 
living.
    (b) Scope. This Appendix applies to information that is used or 
expected to be used or collected in whole or in part for the purpose 
of serving as a factor in establishing a consumer's eligibility for 
credit, insurance, employment, or any other purpose authorized under 
Section 604 of the FCRA (15 U.S.C. 1681b).

2. Examples

    The examples used in these interpretations, and the sample 
notice in Section 12, are not exclusive. Conformity with an example 
or use of

[[Page 80807]]

the sample notice, to the extent applicable, constitutes conformity 
with the Commission view expressed in an interpretation.

3. Definitions

    As used in this Appendix, unless the context requires otherwise:
    (a) Act means the Fair Credit Reporting Act (15 U.S.C. 1681 et 
seq.).
    (b) Affiliate. (1) In general. The term means any company that 
is related or affiliated by common ownership, or affiliated by 
corporate control or common corporate control, with another company.
    (2) Related or affiliated by common ownership or affiliated by 
corporate control or common corporate control. The term means 
controlling, controlled by, or under common control with, another 
company.
    (c) Clear and conspicuous. (1) In general. The term means that a 
notice is reasonably understandable and is designed to call 
attention to the nature and significance of the information it 
contains.
    (2) Examples. (i) Reasonably understandable. A company makes its 
notice reasonably understandable if it:
    (A) Presents the information in the notice in clear and concise 
sentences, paragraphs, and sections;
    (B) Uses short explanatory sentences or bullet lists whenever 
possible;
    (C) Uses definite, concrete, everyday words and active voice 
whenever possible;
    (D) Avoids multiple negatives;
    (E) Avoids legal and highly technical business terminology 
whenever possible; and (F) Avoids explanations that are imprecise 
and are readily subject to different interpretations.
    (ii) Designed to call attention. A company designs its notice to 
call attention to the nature and significance of the information it 
contains if it:
    (A) Uses a plain-language heading to call attention to the 
notice;
    (B) Uses a typeface and type size that are easy to read;
    (C) Provides wide margins and ample line spacing;
    (D) Uses boldface or italics for key words; and
    (E) In a form that combines the company's notice with other 
information, uses distinctive type sizes, styles, and graphic 
devices, such as shading or sidebars.
    (iii) Notice on a web page. If a company provides a notice on a 
web page, the company designs its notice to call attention to the 
nature and significance of the information it contains if the 
company:
    (A) Places either the notice, or a link that connects directly 
to the notice and that is labeled appropriately to convey the 
importance, nature, and relevance of the notice, on a page that 
consumers access often, such as a page on which transactions are 
conducted;
    (B) Uses text or visual cues to encourage scrolling down the 
page if necessary to view the entire notice; and
    (C) Ensures that other elements on the web page (such as text, 
graphics, links, or sound) do not detract attention from the notice.
    (d) Communication includes any written and oral communication. 
It also includes an electronic communication to a consumer, if the 
consumer agrees to receive the communication electronically.
    (e) Company means any corporation, limited liability company, 
business trust, general or limited partnership, association, or 
similar organization.
    (f) Consumer means an individual.
    (g) Consumer report. (1) In general. The term means any written, 
oral, or other communication of any information by a consumer 
reporting agency bearing on a consumer's credit worthiness, credit 
standing, credit capacity, character, general reputation, personal 
characteristics, or mode of living which is used or expected to be 
used or collected in whole or in part for the purpose of serving as 
a factor in establishing the consumer's eligibility for:
    (i) Credit or insurance to be used primarily for personal, 
family, or household purposes;
    (ii) Employment purposes; or
    (iii) Any other purpose authorized under section 604 of the Act 
(15 U.S.C. 1681b).
    (2) Exclusions. The term does not include:
    (i) Any report containing information solely as to transactions 
or experiences between the consumer and the person making the 
report;
    (ii) Any communication of transaction or experience information 
among affiliates;
    (iii) Any communication among affiliates of opt out information 
if the conditions in sections 4 through 9 are satisfied;
    (iv) Any authorization or approval of a specific extension of 
credit directly or indirectly by the issuer of a credit card or 
similar device;
    (v) Any report in which a person who has been requested by a 
third party to make a specific extension of credit directly or 
indirectly to a consumer conveys his or her decision with respect to 
such request, if the third party advises the consumer of the name 
and address of the person to whom the request was made, and the 
person makes the disclosures to the consumer required under section 
615 of the Act (15 U.S.C. 1681m); or
    (vi) A communication described in section 603(o) of the Act (15 
U.S.C. 1681a(o)).
    (h) Consumer reporting agency means any person which, for 
monetary fees, dues or on a cooperative nonprofit basis, regularly 
engages in whole or in part in the practice of assembling or 
evaluating consumer credit information or other information on 
consumers for the purpose of furnishing consumer reports to third 
parties, and which uses any means or facility of interstate commerce 
for the purpose of preparing or furnishing consumer reports.
    (i) Control of a company means:
    (1) Ownership, control, or power to vote 25 percent or more of 
the outstanding shares of any class of voting security of the 
company, directly or indirectly, or acting through one or more other 
persons;
    (2) Control in any manner over the election of a majority of the 
directors, trustees, or general partners (or individuals exercising 
similar functions) of the company; or
    (3) The power to exercise, directly or indirectly, a controlling 
influence over the management or policies of the company.
    (j) Opt out means a direction by a consumer that a company not 
communicate opt out information about the consumer to one or more of 
its affiliates.
    (k) Opt out information means information that:
    (1) Bears on a consumer's credit worthiness, credit standing, 
credit capacity, character, general reputation, personal 
characteristics, or mode of living;
    (2) Is used or expected to be used or collected in whole or in 
part to serve as a factor in establishing the consumer's eligibility 
for credit or another purpose listed in section 604 of the Act (15 
U.S.C. 1681b); and
    (3) Is not a report containing information solely as to 
transactions or experiences between the consumer and the person 
reporting or communicating the information.
    (l) Person means any individual, partnership, corporation, 
trust, estate, cooperative, association, government or governmental 
subdivision or agency, or other entity.

4. Communication of opt out information to affiliates

    A company's communication to its affiliates of opt out 
information about a consumer is not a consumer report if:

[[Page 80808]]

    (a) The company has provided the consumer with an opt out 
notice;
    (b) The company has given the consumer a reasonable opportunity 
and means, before the company communicates the information to its 
affiliates, to opt out; and
    (c) The consumer has not opted out.

5. Contents of opt out notice

    (a) In general. An opt out notice must be clear and conspicuous, 
and must accurately explain:
    (1) The categories of opt out information about the consumer 
that a company communicates to its affiliates;
    (2) The categories of affiliates to which the company 
communicates the information;
    (3) The consumer's ability to opt out; and
    (4) A reasonable means for the consumer to opt out.
    (b) Future communications. A company's notice may describe:
    (1) Categories of opt out information about the consumer that 
the company reserves the right to communicate to its affiliates in 
the future but does not currently communicate; and
    (2) Categories of affiliates to which the company reserves the 
right in the future to communicate, but to which the company does 
not currently communicate, opt out information about the consumer.
    (c) Partial opt out. A company may allow a consumer to select 
certain opt out information or certain affiliates, with respect to 
which the consumer wishes to opt out.
    (d) Examples of categories of information that a company 
communicates. (1) A company satisfactorily explains the categories 
of opt out information that it communicates to affiliates if the 
company lists the categories in paragraph (d)(2) of this section, as 
applicable, and examples to illustrate the types of information in 
each category. These examples may include those in paragraph (d)(3) 
of this section, if applicable.
    (2) Categories of opt out information may include information:
    (i) From a consumer's application;
    (ii) From a consumer credit report;
    (iii) Obtained by verifying representations made by a consumer; 
or
    (iv) Provided by another person regarding its employment, 
credit, or other relationship with a consumer.
    (3) Examples of information within a category listed in 
paragraph (d)(2) include a consumer's:
    (i) Income;
    (ii) Credit score or credit history with others;
    (iii) Open lines of credit with others;
    (iv) Employment history with others;
    (v) Marital status; and
    (vi) Medical history.
    (4) A company that communicates or reserves the right to 
communicate individually identifiable health information (as 
described in section 1171(6)(B) of the Social Security Act (42 
U.S.C. 1320d(6)(B)) satisfactorily describes this type of 
information, if it provides illustrative examples of the health 
information it communicates or reserves the right to communicate.
    (e) Examples of categories of affiliates. (1) A company 
satisfactorily categorizes the affiliates to which it communicates 
opt out information if it lists the categories in paragraph (e)(2) 
of this section, as applicable, and examples to illustrate the types 
of affiliates in each category.
    (2) Categories of affiliates may include:
    (i) Financial service providers, followed by illustrative 
examples such as mortgage bankers, securities broker-dealers, and 
insurance agents; and
    (ii) Non-financial companies, followed by illustrative examples 
such as retailers, magazine publishers, airlines, and direct 
marketers; and
    (iii) Others, followed by examples such as nonprofit 
organizations.
    (f) Sample notice. A sample notice is included in section 12.

6. Reasonable opportunity to opt out

    (a) In general. A company provides a reasonable opportunity to 
opt out if it provides a reasonable period of time following the 
delivery of the opt out notice for the consumer to opt out.
    (b) Examples of reasonable periods of time for different means 
of delivery: (1) In person. A company hand-delivers an opt out 
notice to the consumer and provides at least 30 days from the date 
it delivered the notice.
    (2) By mail. A company mails an opt out notice to a consumer and 
provides at least 30 days from the date it mailed the notice.
    (3) By electronic means. A company notifies the consumer 
electronically and provides at least 30 days after the date that the 
consumer acknowledges receipt of the electronic notice.
    (c) Continuing opportunity to opt out. A consumer may opt out at 
any time.

7. Reasonable means of opting out

    (a) General rule. A company provides a consumer with a 
reasonable means of opting out if it provides a reasonably 
convenient method to opt out.
    (b) Reasonably convenient methods. Examples of reasonably 
convenient methods include:
    (1) Designating check-off boxes in a prominent position on the 
relevant forms included with the opt out notice;
    (2) Including a reply form that includes the address to which 
the form should be mailed, together with the opt out notice;
    (3) Providing an electronic means to opt out, such as a form 
that can be electronically mailed or a process at the company's web 
site, if the consumer agrees to the electronic delivery of 
information; or
    (4) Providing a toll-free telephone number that consumers may 
call to opt out.
    (c) Methods not reasonably convenient. Examples of methods that 
are not reasonably convenient include:
    (1) Requiring a consumer to write his or her own letter to a 
company; or
    (2) Referring in a revised notice to a check-off box that a 
company included with a previous notice but that the company does 
not include with the revised notice.
    (d) Requiring specific means of opting out. A company may 
require each consumer to opt out through a specific means, as long 
as that means is reasonable for that consumer.

8. Delivery of opt out notices

    (a) In general. A company must deliver an opt out notice so that 
each consumer can reasonably be expected to receive actual notice in 
writing or, if the consumer agrees, electronically.
    (b) Examples of expectation of actual notice. (1) A company may 
reasonably expect that a consumer will receive actual notice if it:
    (i) Hand-delivers a printed copy of the notice to the consumer;
    (ii) Mails a printed copy of the notice to the last known 
mailing address of the consumer; or
    (iii) For the consumer who conducts transactions electronically, 
posts the notice on its electronic site and requires the consumer to 
acknowledge receipt of the notice as a necessary step to obtaining a 
particular product or service;
    (2) A company may not reasonably expect that a consumer will 
receive actual notice if it:
    (i) Only posts a sign in its branch or office or generally 
publishes advertisements presenting its notice; or
    (ii) Sends the notice via electronic mail to a consumer who does 
not obtain a product or service from the company electronically.
    (c) Oral description insufficient. A company may not provide an 
opt out notice solely through an oral explanation of the notice, 
either in person or over the telephone.

[[Page 80809]]

    (d) Retention or accessibility. (1) In general. A company 
clearly discloses the consumer's opportunity to opt out if it 
provides an opt out notice so that it can be retained or obtained at 
a later time by the consumer in writing or, if the consumer agrees, 
electronically.
    (2) Examples of retention or accessibility. A company provides 
the notice so that it can be retained or obtained at a later time if 
the company:
    (i) Hand-delivers a printed copy of the notice to the consumer;
    (ii) Mails a printed copy of the notice to the last known 
address of the consumer upon request of the consumer; or
    (iii) Makes the company's current notice available on a web site 
(or a link to another web site) for the consumer who obtains a 
product or service electronically and who agrees to receive the 
notice at the web site.
    (e) Joint notice with affiliates. A company may provide a joint 
notice with one or more affiliates as long as the notice identifies 
each person providing it and is accurate with respect to each.
    (f) Joint relationships. (1) In general. If two or more 
consumers jointly obtain a product or service from a creditor or 
other company (joint consumers), the following principles apply:
    (i) The company may provide a single notice to all of the joint 
consumers.
    (ii) Any of the joint consumers has the opportunity to opt out.
    (iii) The company may treat an opt out direction by a joint 
consumer either as:
    (A) Applying to all of the joint consumers; or
    (B) Applying to that particular joint consumer.
    (iv) The company must explain in its opt out notice which of the 
two policies set forth in paragraph (f)(1)(iii) of this section it 
will follow.
    (v) If the company follows the policy set forth in paragraph 
(f)(1)(iii)(B) of this section, by treating the opt out of a joint 
consumer as applying to that particular joint consumer, the company 
must also permit:
    (A) A joint consumer to opt out on behalf of other joint 
consumers; and
    (B) One or more joint consumers to notify the company of their 
opt out directions in a single response.
    (vi) A company may not require all joint consumers to opt out 
before it implements any opt out direction.
    (vii) If a company receives an opt out by a particular joint 
consumer that does not apply to the others, the company may disclose 
information about the others as long as no information is disclosed 
about the consumer who opted out.
    (2) Example. If consumers A and B, who have different addresses, 
have a joint account with a creditor and arrange for the creditor to 
send statements to A's address, the creditor may do any of the 
following, but it must explain in its opt out notice which opt out 
policy the creditor will follow. The creditor may send a single opt 
out notice to A's address and:
    (i) Treat an opt out direction by A as applying to the entire 
account. If the creditor does so and A opts out, the creditor may 
not require B to opt out as well before implementing A's opt out 
direction.
    (ii) Treat A's opt out direction as applying to A only. If the 
creditor does so, it must also permit:
    (A) A and B to opt out for each other; and
    (B) A and B to notify the creditor of their opt out directions 
in a single response (such as on a single form) if they choose to 
give separate opt out directions.
    (iii) If A opts out only for A, and B does not opt out, the 
creditor may disclose opt out information only about B, and not 
about A and B jointly.

9. Revised opt out notice

    If a company has provided a consumer with one or more opt out 
notices and plans to communicate opt out information to its 
affiliates about the consumer other than as described in those 
notices, the communication will not be a ``consumer report'' if the 
company provides the consumer with a revised opt out notice that 
complies with sections 4 through 8.

10. Time by which opt out must be honored

    If a company provides a consumer with an opt out notice and the 
consumer opts out, the company must comply with the opt out as soon 
as reasonably practicable after the company receives it.

11. Duration of opt out

    An opt out remains effective until revoked by the consumer in 
writing or electronically, as long as the consumer continues to have 
a relationship with the company. If the consumer's relationship with 
the company terminates, the opt out will continue to apply to this 
information. However, a new notice and opportunity to opt out must 
be provided if the consumer establishes a new relationship with the 
company.

12. Sample notice

    This section contains a sample notice. A company may use 
applicable examples in this sample to provide disclosures to 
consumers about the sharing of information with its affiliates.

Notice of Your Opportunity To Opt Out of Information Sharing With Our 
Affiliates

Information we can share with our affiliates about you--unless you 
tell us not to

    What Information: Unless you tell us not to, [Company] may share 
with our affiliated companies information about you, including:
     Information we obtain from your application, such as 
[provide illustrative examples, such as ``your income'' or ``your 
marital status''];
     Information we obtain from a consumer report, such as 
[provide illustrative examples, such as ``your credit score or 
credit history''];
     Information we obtain to verify representations made by 
you, such as [provide illustrative examples, such as ``your open 
lines of credit'']; and
     Information we obtain from a person regarding its 
employment, credit, or other relationship with you, such as [provide 
illustrative examples, such as ``your employment history''].
    Shared With Whom: Our affiliated companies who may receive this 
information are:
     Financial service providers, such as [provide 
illustrative examples, such as ``mortgage lenders or brokers''];
     Non-financial companies, such as [provide illustrative 
examples, such as ``retailers, direct marketers, airlines, and 
publishers'']; and
     Others [provide illustrative examples, such as 
``nonprofit organizations''].

How to tell us not to share this information with our affiliated 
companies

    If you prefer that we not share this information with our 
affiliated companies, you may direct us not to share this 
information by doing the following [insert one or more of the 
reasonable means of opting out listed below*]: [call us toll free at 
{insert toll free number}]; or [visit our web site at {insert web 
site address} and {provide further instructions on how to use the 
web site option}]; or [e-mail us at {insert the e-mail address}]; or 
[fill out and tear off the bottom of this sheet and mail to the 
address shown there]; or [check the appropriate box on the attached 
form

[[Page 80810]]

{attach form}; and mail to the following address: {insert address}].

    * If the company is using its web site or an e-mail address as 
the only method by which a consumer may opt out, the consumer must 
agree to the electronic delivery of information.

    Note: Your direction in this paragraph covers certain 
information about you that we might otherwise share with our 
affiliated companies. We may share other information about you with 
---------------------------------------------------------------------------
our affiliated companies as permitted by law.


    By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 00-32391 Filed 12-21-00; 8:45 am]
BILLING CODE 6750-01-P