APPENDIX to Part 1016—Model Privacy Form

(1) Date last revised (upper right-hand corner).

(2) Title.

(3) Key frame (Why?, What?, How?).

(4) Disclosure table (“Reasons we can share your personal information”).

(5) “To limit our sharing” box, as needed, for the financial institution’s opt-out information.

(6) “Questions” box, for customer service contact information.

(7) Mail-in opt-out form, as needed.

(1) Heading (Page 2).

(2) Frequently Asked Questions (“Who we are” and “What we do”).

(3) Definitions.

(4) “Other important information” box, as needed.

(1) The bulleted list identifies the types of personal information that the institution collects and shares. All institutions must use the term “Social Security number” in the first bullet.

(2) Institutions must use five (5) of the following terms to complete the bulleted list: Income; account balances; payment history; transaction history; transaction or loss history; credit history; credit scores; assets; investment experience; credit-based insurance scores; insurance claim history; medical information; overdraft history; purchase history; account transactions; risk tolerance; medical-related debts; credit card or other debt; mortgage rates and payments; retirement assets; checking account information; employment information; wire transfer instructions.

(1) For our everyday business purposes. This reason incorporates sharing information under sections 1016.14 and 1016.15 and with service providers pursuant to section 1016.13 of this part other than the purposes specified in paragraphs C.2(d)(2) or C.2(d)(3) of these Instructions.

(2) For our marketing purposes. This reason incorporates sharing information with service providers by an institution for its own marketing pursuant to section 1016.13 of this part. An institution that shares for this reason may choose to provide an opt-out.

(3) For joint marketing with other financial companies. This reason incorporates sharing information under joint marketing agreements between two or more financial institutions and with any service provider used in connection with such agreements pursuant to section 1016.13 of this part. An institution that shares for this reason may choose to provide an opt-out.

(4) For our affiliates’ everyday business purposes—information about transactions and experiences. This reason incorporates sharing information specified in section 603(d)(2)(A)(i) and (ii) of the FCRA. An institution that shares for this reason may choose to provide an opt-out.

(5) For our affiliates’ everyday business purposes—information about creditworthiness. This reason incorporates sharing information pursuant to section 603(d)(2)(A)(iii) of the FCRA. An institution that shares for this reason must provide an opt-out.

(6) For our affiliates to market to you. This reason incorporates sharing information specified in section 624 of the FCRA. This reason may be omitted from the disclosure table when: the institution does not have affiliates (or does not disclose personal information to its affiliates); the institution’s affiliates do not use personal information in a manner that requires an opt-out; or the institution provides the affiliate marketing notice separately. Institutions that include this reason must provide an opt-out of indefinite duration. An institution that is required to provide an affiliate marketing opt-out, but does not include that opt-out in the model form under this part, must comply with section 624 of the FCRA and 12 CFR part 1022, subpart C, with respect to the initial notice and opt-out and any subsequent renewal notice and opt-out. An institution not required to provide an opt-out under this subparagraph may elect to include this reason in the model form.

(7) For nonaffiliates to market to you. This reason incorporates sharing described in sections 1016.7 and 1016.10(a) of this part. An institution that shares personal information for this reason must provide an opt-out.

(1) Joint accountholder. Only institutions that provide their joint accountholders the choice to opt-out for only one accountholder, in accordance with paragraph C.3(a)(5) of these Instructions, must include in the far left column of the mail-in form the following statement: “If you have a joint account, your choice(s) will apply to everyone on your account unless you mark below. *Apply my choice(s) only to me.” The word “choice” may be written in either the singular or plural, as appropriate. Financial institutions that provide insurance products or services, provide this option, and elect to use the model form may substitute the word “policy” for “account” in this statement. Institutions that do not provide this option may eliminate this left column from the mail-in form.

(2) FCRA section 603(d)(2)(A)(iii) opt-out. If the institution shares personal information pursuant to section 603(d)(2)(A)(iii) of the FCRA, it must include in the mail-in opt-out form the following statement: “*Do not share information about my creditworthiness with your affiliates for their everyday business purposes.”

(3) FCRA section 624 opt-out. If the institution incorporates section 624 of the FCRA in accord with paragraph C.2(d)(6) of these Instructions, it must include in the mail-in opt-out form the following statement: “*Do not allow your affiliates to use my personal information to market to me.”

(4) Nonaffiliate opt-out. If the financial institution shares personal information pursuant to section 1016.10(a) of this part, it must include in the mail-in opt-out form the following statement: “*Do not share my personal information with nonaffiliates to market their products and services to me.”

(5) Additional opt-outs. Financial institutions that use the disclosure table to provide opt-out options beyond those required by Federal law must provide those opt-outs in this section of the model form. A financial institution that chooses to offer an opt-out for its own marketing in the mail-in opt-out form must include one of the two following statements: “*Do not share my personal information to market to me.” or “*Do not use my personal information to market to me.” A financial institution that chooses to offer an opt-out for joint marketing must include the following statement: “*Do not share my personal information with other financial institutions to jointly market to me.”

(1) “Who is providing this notice?” This question may be omitted where only one financial institution provides the model form and that institution is clearly identified in the title on page one. Two or more financial institutions that jointly provide the model form must use this question to identify themselves as required by section 1016.9(f) of this part. Where the list of institutions exceeds four (4) lines, the institution must describe in the response to this question the general types of institutions jointly providing the notice and must separately identify those institutions, in minimum 8-point font, directly following the “Other important information” box, or, if that box is not included in the institution’s form, directly following the “Definitions.” The list may appear in a multi-column format.

(2) “How does [name of financial institution] protect my personal information?” The financial institution may only provide additional information pertaining to its safeguards practices following the designated response to this question. Such information may include information about the institution’s use of cookies or other measures it uses to safeguard personal information. Institutions are limited to a maximum of 30 additional words.

(3) “How does [name of financial institution] collect my personal information?” Institutions must use five (5) of the following terms to complete the bulleted list for this question: Open an account; deposit money; pay your bills; apply for a loan; use your credit or debit card; seek financial or tax advice; apply for insurance; pay insurance premiums; file an insurance claim; seek advice about your investments; buy securities from us; sell securities to us; direct us to buy securities; direct us to sell your securities; make deposits or withdrawals from your account; enter into an investment advisory contract; give us your income information; provide employment information; give us your employment history; tell us about your investment or retirement portfolio; tell us about your investment or retirement earnings; apply for financing; apply for a lease; provide account information; give us your contact information; pay us by check; give us your wage statements; provide your mortgage information; make a wire transfer; tell us who receives the money; tell us where to send the money; show your government-issued ID; show your driver’s license; order a commodity futures or option trade. Institutions that collect personal information from their affiliates and/or credit bureaus must include after the bulleted list the following statement: “We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.” Institutions that do not collect personal information from their affiliates or credit bureaus but do collect information from other companies must include the following statement instead: “We also collect your personal information from other companies.” Only institutions that do not collect any personal information from affiliates, credit bureaus, or other companies can omit both statements.

(4) “Why can’t I limit all sharing?” Institutions that describe state privacy law provisions in the “Other important information” box must use the bracketed sentence: “See below for more on your rights under state law.” Other institutions must omit this sentence.

(5) “What happens when I limit sharing for an account I hold jointly with someone else?” Only financial institutions that provide opt-out options must use this question. Other institutions must omit this question. Institutions must choose one of the following two statements to respond to this question: “Your choices will apply to everyone on your account.” or “Your choices will apply to everyone on your account—unless you tell us otherwise.” Financial institutions that provide insurance products or services and elect to use the model form may substitute the word “policy” for “account” in these statements.

(1) Affiliates. As required by section 1016.6(a)(3) of this part, where [affiliate information] appears, the financial institution must:

(2) Nonaffiliates. As required by section 1016.6(c)(3) of this part, where [nonaffiliate information] appears, the financial institution must:

(3) Joint Marketing. As required by section 1016.13 of this part, where [joint marketing] appears, the financial institution must:

(1) State and/or international privacy law information; and/or

(2) Acknowledgment of receipt form.