BULLETIN 379

"Safe Harbor" Privacy Notice Forms

The purpose of this bulletin is to clarify how regulated insurance entities in Maine may use the simplified Federal Model Privacy Form (sometimes referred to as the "safe harbor" form) to comply with the federal privacy notice requirements under Title V of the Gramm-Leach-Bliley Act (GLBA),[1] and to remind regulated insurance entities of their additional obligations under the Maine Insurance Information and Privacy Protection Act ("Maine Insurance Privacy Act").[2] For additional discussion of regulated insurance entities' obligations under GLBA and the Maine Insurance Privacy Act, see Bulletin 308.

As required by the federal Financial Services Regulatory Relief Act of 2006,[3] eight federal agencies[4] adopted a simplified Federal Model Privacy Form for use by federally regulated financial institutions. The purpose of the new form is to give consumers a clearer description of their privacy rights and information-sharing options. Federally regulated financial institutions that elect to use the new Federal Model Privacy Form may rely on it as a safe harbor to provide the notices required under the federal GLBA privacy rules. Generally, regulated insurance entities licensed by the Superintendent are considered "financial institutions" for purposes of GLBA.

Use of Model Privacy Form

The use of the Model Privacy Form set forth in Attachment A to this Bulletin, consistent with the Instructions set forth in Attachments B and C, constitutes compliance with the notice content requirements of GLBA. In order to comply with the requirements of the Maine Insurance Privacy Act, regulated insurance entities must also provide clear and sufficient notice of consumers' additional rights under Maine law as described in Bulletin 308. These additional rights include:

  • The right to obtain access to the consumer's recorded personal information in the possession or control of a regulated insurance entity, to request correction if the consumer believes the information to be inaccurate, and to add a rebuttal statement to the file if there is a dispute;
  • The right to know the reasons for an adverse underwriting decision. Previous adverse underwriting decisions may not be used as the basis for subsequent underwriting decisions unless the carrier makes an independent evaluation of the underlying facts; and
  • The right, with very narrow exceptions, not to be subjected to pretext interviews.

The state-specific notice may be provided in the "Other Important Information" section of the Model Privacy Form, or it may be provided in a separate notice. If a separate notice is provided, it must either be provided together with the Model Privacy Form or specifically referenced in the "Other Important Information" section of the Model Privacy Form.

Use of Other Types of Privacy Notices

Use of the attached Model Privacy Form is not required. Insurers may continue to use other types of privacy notices to meet the requirements of GLBA and the Maine Privacy Act as long as the notices accurately describe the insurer's privacy practices and otherwise meet the requirements of state and federal law, consistent with the guidance provided in Bulletin 308.

Attachments

Attachment A to this Bulletin consists of the three approved versions of the Model Privacy Form together with an optional separate Mail-In Form:

  • Version 1: Model Form with No Opt-Out (pages 3-4)
  • Version 2: Model Form with Opt-Out by Telephone and/or Online (pages 5-6)
  • Version 3: Model with Mail-In Opt-Out Form (pages 7-8)
  • Optional Separate Mail-In Form (page 9)

Attachment B provides general instructions for customizing the form, and Attachment C describes the information that must be included.

[1] GLBA §§ 501-510 (substantive provisions codified at 15 U.S.C. §§ 6801-6809). The privacy notice requirement is set forth at GLBA § 503 (15 U.S.C. § 6803).

[2] 24-A M.R.S.A. chapter 24 (§§ 2201-2220). The privacy notice requirement is set forth at 24-A M.R.S.A. § 2206.

[3] Public Law 109-351.

[4] Office of the Comptroller of the Currency, Department of the Treasury; Board of Governors of the Federal Reserve System; Federal Deposit Insurance Corporation; Office of Thrift Supervision, Department of the Treasury; National Credit Union Administration; Federal Trade Commission; Commodity Futures Trading Commission; and Securities and Exchange Commission.

August 3, 2011

__________________________________
Eric A. Cioppa
Acting Superintendent of Insurance

NOTE: This bulletin is intended solely for informational purposes. It is not intended to set forth legal rights, duties, or privileges, nor is it intended to provide legal advice. Readers should consult applicable statutes and rules and contact the Bureau of Insurance if additional information is needed.

 

Attachment A - Federal Model Privacy Form

 

Attachment B - General Instructions

1. How the Model Privacy Form is used by regulated insurance entities in Maine

(a) The Model Form may be used, at the option of a regulated insurance entity (referred to in these Instructions as a "licensee"), including a group of licensees or other financial institutions that use a common privacy notice, to meet the content requirements of the privacy notice and opt-out notice required by the federal Gramm-Leach-Bliley Act. Notice of additional rights under Maine law must be provided to consumers in a manner consistent with the requirements of 24-A M.R.S.A. § 2206, as explained in Bureau of Insurance Bulletins 308 and 379.

(b) The Model Form is a standardized form, including page layout, content, format, style, pagination, and shading. Licensees seeking to obtain the safe harbor through use of the Model Form may modify it only as described in these Instructions.

(c) Note that disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the federal Fair Credit Reporting Act (FCRA),[5] such as a requirement to permit consumers to opt out of disclosures to affiliates, or the licensee's designation as a consumer reporting agency if disclosures of such information are made to nonaffiliated third parties.

(d) The word "customer" may be replaced by another word such as "consumer," "member," or "enrollee" whenever it appears in the Model Form, if appropriate.

2. Contents of the Model Privacy Form

The Model Form consists of two pages, which may be printed on both sides of a single sheet of paper or may appear on two separate pages. Where a licensee provides a long list of licensees or financial institutions at the end of the Model Form in accordance with Instruction 3(a)(1) of Attachment C, or provides additional information in accordance with Instruction 3(c) of Attachment C, and the list or additional information exceeds the space available on Page Two of the Model Form, it may extend to a third page.

(a) Page One. The first page consists of the following components:[6]

(1) Date last revised (upper right-hand corner)
(2) Title
(3) Key frame (Why? What? How?)
(4) Disclosure table ("Reasons we can share your personal information")
(5) "To limit our sharing" box, as needed, for the licensee's opt-out information
(6) "Questions" box, for customer service contact information
(7) Mail-in opt-out form, as needed

(b) Page Two. The second page consists of the following components:

(1) Heading (Page 2)
(2) Frequently Asked Questions ("Who we are" and "What we do")
(3) Definitions
(4) "Other important information" box, as needed

3. Format of the Model Privacy Form.

The format of the Model Form may be modified only as described below.

(a) Easily readable type font. Licensees that use the Model Form must use an easily readable typeface and styling. While a number of factors together produce easily readable font, licensees are required to use a minimum of 10-point type (unless otherwise expressly permitted in these Instructions) and sufficient spacing between lines.

(b) Logo. A licensee may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the Model Form or the space constraints of each page.

(c) Page size and orientation. Each page of the Model Form must be printed in portrait orientation. The size of the paper must be sufficient to meet the layout and minimum font size requirements, with sufficient white space on the top, bottom, and sides of the content.

(d) Color. The Model Form must be printed on white or light color paper (such as cream) with black or other contrasting ink color. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract from the readability of the Model Form. Logos may also be printed in color.

(e) Languages. The Model Form may be translated into languages other than English and made available in those languages at the consumer's request.

 

Attachment C - Information Required in the Model Privacy Form

The information in the Model Form may be modified only as described below:

1. Name of licensee or group of affiliated licensees or institutions providing the notice

Insert the name of the licensee providing the notice, or the common identity of the affiliated licensees or other financial institutions jointly providing the notice, wherever [name of financial institution] appears on the form.

2. Page One

(a) Last revised date. The licensee must insert the date on which the notice was last revised in the upper right-hand corner. The information shall appear in minimum 8-point type as "rev. [month/year]" using either the name or number of the month, such as "rev. July 2011" or "rev. 7/11."

(b) General instructions for the "What?" box

(1) The bulleted list identifies the types of personal information that the licensee collects and shares. All licensees must use the term "Social Security number" where shown in the first bullet, unless the licensee does not collect Social Security numbers.

(2) A licensee must use exactly five of the following terms, as appropriate to the licensee's business, to complete the bulleted list: income; account balances; payment history; transaction history; transaction or loss history; credit history; credit scores; assets; investment experience; credit-based insurance scores; insurance claim history; medical information; overdraft history; purchase history; account transactions; risk tolerance; medical-related debts; credit card or other debt; mortgage rates and payments; retirement assets; checking account information; employment information; wire transfer instructions.

(c) General instructions for the disclosure table. The left column lists reasons for sharing or using personal information. Each reason correlates to a specific legal provision described in Paragraph 2(d) of this Instruction. In the middle column, each licensee must provide a "Yes" or "No" response that accurately reflects its information-sharing policies and practices with respect to the reason listed on the left. In the right column, each licensee must provide in each box one of the following three responses, as applicable, that reflects whether a consumer can limit such sharing:

"Yes," if it is required to provide an opt-out or voluntarily provides an opt-out;
"No," if it does not provide an opt-out; or
"We don't share," if it answers "No" in the middle column.

Only the sixth row ("For our affiliates to market to you") may be omitted at the option of the licensee when permitted by Paragraph (d)(6) below.

(d) Specific disclosures and corresponding legal provisions

(1) For our everyday business purposes. This reason incorporates all disclosures permitted by 24-A M.R.S.A. § 2215(1), other than the disclosures described in Paragraphs (2) through (7) below.

(2) For our marketing purposes. This reason incorporates sharing information with service providers by a licensee for its own marketing. To the extent permitted by 24-A M.R.S.A. § 2215(1)(B), a licensee that shares information for this reason may do so without being required to provide an opt-out, but may choose to provide an opt-out.

(3) For joint marketing with other financial companies. This reason incorporates sharing information under joint marketing agreements in accordance with GLBA § 502(b)(2). Because Maine law does not distinguish between joint marketing partners and other nonaffiliated third parties, consumers have the right to opt out of information sharing under 24-A M.R.S.A. § 2215(1)(J)(2). If the licensee shares information under joint marketing agreements and does not voluntarily provide such an opt-out right in other states, the licensee must customize its Model Form for use in Maine, either by changing the "Can you limit this sharing?" column of the joint marketing line of the disclosure table to "Yes" or "We do not share," as applicable, or by using the "Other important information" box to apprise the consumer of his or her opt-out right in a manner that clearly explains that the "No" answer in the table is not accurate in every state.

(4) For our affiliates' everyday business purposes - information about transactions and experiences. This reason incorporates sharing information specified in FCRA §§ 603(d)(2)(A)(i) & (ii) (15 U.S.C. § 1681a(d)(2)(A)(i) & (ii)), other than information shared for marketing purposes. No opt-out is required under state or federal law, but a licensee that shares information for this reason may choose to provide an opt-out.

(5) For our affiliates' everyday business purposes - information about creditworthiness. This reason incorporates sharing information pursuant to FCRA § 603(d)(2)(A)(iii) (15 U.S.C. § 1681a(d)(2)(A)(iii)), which requires the licensee to provide an opt-out.

(6) For our affiliates to market to you. This reason incorporates sharing information specified in FCRA § 624 (15 U.S.C. § 1681s-3), which requires the licensee to provide an opt-out. The licensee may elect to omit this reason from the disclosure table when: the licensee does not have affiliates (or does not disclose personal information to its affiliates); the licensee's affiliates do not use personal information in a manner that requires an opt-out; or the licensee provides the affiliate marketing notice separately. Licensees that include this reason must provide an opt-out of indefinite duration. A licensee that is required to provide an affiliate marketing opt-out, but does not include a mechanism for exercising that right in the Model Form, must separately provide a clear and conspicuous notice and opportunity to opt out in compliance with the requirements of FCRA and GLBA, including annual renewal notices.

(7) For nonaffiliates to market to you. This reason incorporates sharing permitted by 24-A M.R.S.A. § 2215(1)(J). Pursuant to 24-A M.R.S.A. § 2215(1)(J)(2) and GLBA § 502(b) (15 U.S.C. § 6802(b)), a licensee that shares personal information for this reason must provide an opt-out.

(e) To limit our sharing. A licensee must include this section of the Model Form if and only if it shares some classes of information subject to an opt-out. The word "choice" may be written in either the singular or plural, as appropriate. Licensees must select one or more of the applicable opt-out methods described: telephone, such as by a toll-free number; a Web site; or use of a mail-in opt-out form. Licensees may include the word "toll-free" before the telephone number, as appropriate. A licensee that allows consumers to opt out online must provide either a specific Web address that takes consumers directly to the opt-out page or a general Web address that provides a clear and conspicuous direct link to the opt-out page. The opt-out choices made available to the consumer who contacts the licensee through these methods must correspond accurately to the choices disclosed in the "Yes" responses in the third column of the disclosure table and any additional choices disclosed in the "Other important information" box. In the part entitled "Please note," licensees that voluntarily provide a waiting period longer than 30 days may substitute the applicable time period in the space marked "[30]."

(f) Questions box. Customer service contact information must be inserted as appropriate where [phone number] or [website] appear. Licensees may elect to provide either a phone number, such as a toll-free number, or a Web address, or both. Licensees may include the words "toll-free" before the telephone number, as appropriate.

(g) Mail-in opt-out form. Licensees must include this mail-in form if and only if they state in the "To limit our sharing" box that consumers can opt out by mail. The mail-in form must provide opt-out options that correspond accurately to the choices disclosed in the "Yes" responses in the third column of the disclosure table and any additional choices disclosed in the "Other important information" box. Licensees that require consumers to provide only name and address may omit the section identified as "[account #]." Licensees that require additional or different information to implement an opt-out election, such as a random identifying number or a truncated account number, should modify the "[account #]" reference accordingly. This includes licensees that require customers with multiple accounts to identify each account to which the opt-out should apply. A licensee must enter its opt-out mailing address in the far right of this form (if Version 3 is used); or below the form (if the optional separate form is used). None of the content of the Model Form may be placed on the reverse side of the mail-in portion of the form.

(1) Joint accountholder. Licensees that give their joint accountholders the choice to opt out for only one accountholder, in accordance with Paragraph 3(a)(5) of these Instructions, must include the following statement in the far left column of the mail-in form:

If you have a joint account, your choice(s) will apply to everyone on your account unless you mark below.

☐ Apply my choice(s) only to me.

The word "choice" may be written in either the singular or plural, as appropriate. Licensees may substitute the word "policy" for "account" in this statement where applicable. Licensees that do not provide this option must either leave this left column blank or eliminate it from the mail-in form.

(2) FCRA creditworthiness opt-out. If the licensee shares personal information pursuant to FCRA § 603(d)(2)(A)(iii) (15 U.S.C. § 1681a(d)(2)(A)(iii)), it must include the following statement in the mail-in opt-out form:

☐ Do not share information about my creditworthiness with your affiliates for their everyday business purposes.

(3) FCRA marketing opt-out. If the licensee uses the Model Form to comply with FCRA § 624 (15 U.S.C. § 1681s-3) in accordance with paragraph 2(d)(6) of these Instructions, it must include the following statement in the mail-in opt-out form:

☐ Do not allow your affiliates to use my personal information to market to me.

(4) Nonaffiliate opt-out. If the licensee shares personal information with nonaffiliates for marketing purposes, other than sharing pursuant to joint marketing agreements, it must include the following statement in the mail-in opt-out form:

☐ Do not share my personal information with nonaffiliates to market their products and services to me.

If a Maine consumer checks this option, the licensee may not share the consumer's personal information pursuant to joint marketing agreements unless the licensee has provided a separate opt-out process for joint marketing and the consumer has chosen to permit sharing.

(5) Additional opt-outs. Licensees that use the disclosure table to provide opt-out options beyond those required by Federal law must provide those opt-outs in this section of the Model Form. A licensee that chooses to offer an opt-out for its own marketing in the mail-in opt-out form must include one of the two following statements:

☐ Do not share my personal information to market to me.

or ☐ Do not use my personal information to market to me.

A licensee that uses the Model Form to offer an opt-out for joint marketing must include the following statement:

☐ Do not share my personal information with other financial institutions to jointly market to me.

(h) Barcodes. A licensee may elect to include a barcode and/or "tagline" (an internal identifier) in 6-point type at the bottom of page one, as needed for information internal to the licensee, so long as these do not interfere with the clarity or text of the form.

3. Page Two

(a) General Instructions for the Questions. Certain Questions on the Model Form may be customized as follows:

(1) "Who is providing this notice?" This question may be omitted when the Model Form is provided solely on the licensee's behalf and the licensee is clearly identified in the title on Page One. Two or more licensees or financial institutions that jointly provide the Model Form must use this question to identify themselves accurately in compliance with 24-A M.R.S.A. § 2206. If the list of licensees or financial institutions exceeds four (4) lines, the licensee must describe in the response to this question the general types of licensees or financial institutions jointly providing the notice and must separately identify those licensees or financial institutions, in minimum 8-point type, directly following the "Other important information" box, or, if that box is not included in the licensee's form, directly following the "Definitions." The list may appear in a multi-column format.

(2) "How does [name of financial institution] protect my personal information?"
The answer to this question must begin with the language specified in the form. The licensee may follow this with a supplemental response, no more than 30 words in length, providing additional information about its safeguards, such as the licensee's use of cookies.

(3) "How does [name of financial institution] collect my personal information?"
Licensees must use five (5) of the following terms to complete the bulleted list for this question: open an account; deposit money; pay your bills; apply for a loan; use your credit or debit card; seek financial or tax advice; apply for insurance; pay insurance premiums; file an insurance claim; seek advice about your investments; buy securities from us; sell securities to us; direct us to buy securities; direct us to sell your securities; make deposits or withdrawals from your account; enter into an investment advisory contract; give us your income information; provide employment information; give us your employment history; tell us about your investment or retirement portfolio; tell us about your investment or retirement earnings; apply for financing; apply for a lease; provide account information; give us your contact information; pay us by check; give us your wage statements; provide your mortgage information; make a wire transfer; tell us who receives the money; tell us where to send the money; show your government-issued ID; show your driver's license; order a commodity futures or option trade.

Licensees that collect personal information from their affiliates and/or credit bureaus must include the following statement after the bulleted list: "We also collect your personal information from others, such as credit bureaus, affiliates, or other companies." Licensees that do not collect personal information from their affiliates or credit bureaus but do collect information from other companies must include the following statement instead: "We also collect your personal information from other companies." Only licensees that do not collect any personal information from affiliates, credit bureaus, or other companies may omit both statements.

(4) "Why can't I limit all sharing?" Licensees that describe state privacy law provisions in the "Other important information" box must use the bracketed sentence: "See below for more on your rights under state law." Other licensees must omit this sentence.

(5) "What happens when I limit sharing for an account I hold jointly with someone else?" Licensees that provide opt-out options must use this question. Other licensees must omit this question. Licensees must choose one of the following two statements to respond to this question: "Your choices will apply to everyone on your account." or "Your choices will apply to everyone on your account - unless you tell us otherwise." Licensees may substitute the word "policy" for "account" in this question and answer where applicable.

(b) General Instructions for the Definitions. The licensee must customize the space below the responses to the three definitions in this section. This specific information must be in italicized lettering to set off the information from the standardized definitions.

(1) Affiliates. Where [affiliate information] appears, the licensee must:

(i) If it has no affiliates, state: "[name of licensee] has no affiliates";

(ii) If it has affiliates but does not share personal information with them, state: "[name of licensee] does not share with our affiliates"; or

(iii) If it shares with its affiliates, state, as applicable: "Our affiliates include companies with a [common corporate identity] name; financial companies such as [insert illustrative list of companies]; nonfinancial companies, such as [insert illustrative list of companies]; and others, such as [insert illustrative list]."

(2) Nonaffiliates. Where [nonaffiliate information] appears, the licensee must:

(i) If it does not share with nonaffiliated third parties, state: "[name of licensee] does not share with nonaffiliates so they can market to you"; or

(ii) If it shares with nonaffiliated third parties, state, as applicable: "Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations]."

(3) Joint Marketing. Where [joint marketing] appears, the licensee must:

(i) If it does not engage in joint marketing, state: "[name of licensee] doesn't jointly market"; or

(ii) If it shares personal information for joint marketing, state, as applicable: "Our joint marketing partners include [list categories of companies such as credit card companies]."

(c) General instructions for the "Other important information" box. This box is optional. The space provided for information in this box is not limited, and an additional page may be used if necessary. Only the following types of information can appear in this box:

(1) State and/or international privacy law information; and/or

(2) A form by which the consumer may acknowledge receipt of the notice.

 

[5] Codified at 15 U.S.C. §§ 1681-1681x.

[6] The identifying headings in this Bulletin with the legends "Attachment A" and the four version numbers are not part of the Model Form and should not be included in the forms sent to consumers.

 

Last Updated: September 27, 2010