Affiliate Sharing Rules Pierce Atwood Client Alert November 2, 2007
Introduction A.
This presentation briefly summarizes the implementing regulation for the Fair Credit Reporting Act (FCRA) affiliate marketing rules in FCRA § 624.
B.
We will briefly discuss the relationship of these rules with other information sharing rules found in FCRA and GLBA/Reg P.
C.
Finally, we will provide some pointers for complying with the new rules.
FCRA § 603(d)(2)(A) A.
General affiliate sharing requirements are found in the definition of “consumer report”.
B.
This section specifically excludes from the definition of a “consumer report” any:
1.
Reports containing information solely regarding transactions or experiences between the party making the report and the consumer. This information may be shared without regard to affiliation and without being subject to an opt out right under FCRA.
2.
Communication of information other than transaction and experience information (“other information”) with an affiliate, but only after the consumer is given notice and an opportunity to opt out of such sharing.
FCRA § 624 A.
Inserted by FACT Act § 214(a)(2).
B.
Adds to the requirements found in § 603(d)(2)(A). Prohibits the affiliate receiving such data (the “Receiving Affiliate”) from using it to make a solicitation for marketing purposes unless: 1.
It is clearly and conspicuously disclosed to the consumer that the information may be shared among such persons for purposes of making such solicitations; and
2.
Consumer is provided an opportunity and simple method to prohibit the making of such solicitation (i.e. to “opt-out”).
FCRA § 624 C.
“Opt-out” is good for 5 years. Must provide notice and opportunity to extend opt out at end of this period prior to using the information for marketing solicitation purposes.
D.
There are several exclusions to the rule, including one for the use of information by a person that has a preexisting business relationship with the consumer.
Rulemaking History A.
Although FCRA § 624 has been on the books since the passage of the FACT Act, its effective date was tied to passage of implementing regulations.
B.
Proposed version of affiliate marketing rules were published in Summer of 2004.
C.
Final rule was released by the regulatory agencies on October 24th, and will become effective January 1st.
D.
Mandatory compliance date: October 1, 2008.
General Rule A.
Definitions 1.
Affiliate: any person related by common ownership or common corporate control with another person.
2.
Consumer: an individual.
3.
Eligibility Information: information that would be a consumer report if not for the (a) the transaction/experience and (b) other information exceptions in FCRA § 603(d)(2)(A). Does not include aggregate or blind data that does not contain personal identifiers (e.g. account numbers, name, address).
General Rule 4.
Solicitation: the “marketing of a product or service initiated by a person to a particular consumer that is (A) Based on eligibility information communicated to that person by its affiliate…and (B) Intended to encourage the consumer to purchase or obtain a product or service.” a.
Includes marketing communications directed at a particular consumer (such as telemarketing, e-mail, direct mail, etc.) based on eligibility information received from an affiliate.
b.
Excludes marketing communications directed to the general public (such as TV, radio, magazine or billboard ads).
General Rule B.
General Rule: May not use eligibility information about a consumer received from an affiliate to make a solicitation for marketing purposes to the consumer unless: 1.
It is clearly and conspicuously disclosed to the consumer in a concise notice (the “Opt-Out Notice”) that his/her eligibility information may be used for that purpose;
2.
Consumer is provided with a reasonable opportunity and reasonable and simple method to opt out; and
3.
Consumer has not opted out.
General Rule C.
Making a Solicitation: For purposes of this rule, a solicitation for marketing purposes is made when: 1.
Eligibility information is received from an affiliate;
2.
It is used by the recipient to do one or more of the following: a. b. c.
3.
Identify the consumer (or type of consumer) to receive a solicitation; Establish criteria to select the consumer to receive the solicitation; or Decide which product or service to market to the consumer or tailor the solicitation to the consumer; and
As a result of this use of the eligibility information, the consumer is provided with a solicitation.
General Rule D.
Examples: The following illustrate situations that would trigger the General Rule requiring notice and opt out before the solicitation may be made: 1.
A consumer has a deposit account with a bank. Bank is affiliated with an insurance company. The insurance company receives eligibility information about the consumer from the bank, and uses that information to identify the consumer to receive a solicitation about insurance products. The insurance company provides a solicitation to the consumer about its insurance products.
2.
Assume the same facts as in 1. However, after receiving the eligibility information from the bank the insurance company asks the bank to send the solicitation about insurance products available from the insurance company, and the bank does so.
General Rule E.
Closer Look: There are several industry practices that require further explanation in light of these rules: 1.
Common Databases: The Receiving Affiliate receives eligibility information via the “Sharing Affiliate” placing such information in a database accessible by the Receiving Affiliate.
2.
Service Providers: The Receiving Affiliate receives and/or uses eligibility information if a service provider acting on its behalf receives or uses such information in connection with marketing the Receiving Affiliate’s products or services. However, there is an exception to the General Rule if all of the following apply: a.
In the terms of its written agreement with the service provider the Sharing Affiliate controls access to and use of its eligibility information by the service provider;
General Rule b.
c.
d.
e.
The Sharing Affiliate establishes specific written terms and conditions under which the service provider may access and use the eligibility information to market the Receiving Affiliate’s products and services; The Sharing Affiliate requires in the terms of its written agreement with the service provider that the service provider implement reasonable policies and procedures to ensure compliance with such terms and conditions; The Sharing Affiliate is identified on or with the marketing materials provided to the consumer by or on behalf of the Receiving Affiliate; and The Receiving Affiliate does not directly use the eligibility information to identify the consumer to receive the solicitation, establish criteria to select the consumer to receive the solicitation, or to decide which products or services the consumer should receive.
General Rule 3.
An Affiliate Using Its Own Eligibility Information: As a general matter, a party may use eligibility information received in a “pre-existing business relationship” (defined in the next section) with a consumer to market the products and services of its affiliates. a.
This exception to the General Rule does not apply if the affiliate whose products/services are marketed uses the eligibility information to identify the consumer or type of consumer to be solicited, establish criteria to select the consumer to be solicited, or decide which products or services to market.
b.
A party may direct its service provider such eligibility information to market the product so long as the affiliate whose products/services are marketed does (i) not use the eligibility information as described in a, above, and (ii) not contact the service provider regarding that use.
Exceptions to General Rule A.
Definitions 1.
Pre-Existing Business Relationship: A relationship between a person (or the person’s licensed agent) and a consumer that is based on: a.
A financial contract between the person and the consumer that is in force on the date the consumer is sent a solicitation covered by the General Rule;
b.
The purchase, rental, or lease by the consumer of the person’s goods or services, or a financial transaction (including holding an active account or policy in force or having another continuing relationship) between the consumer and the person during the 18-month period prior to the date a solicitation covered by the General Rule is sent; or
c.
An inquiry or application by the consumer regarding a product or service offered by the person during the threemonth period immediately preceding the date the consumer is sent a solicitation covered by the General Rule.
Exceptions to General Rule B.
Exceptions: There are six (6) situations where use of eligibility information received from an affiliate will not trigger the General Rule. They are: 1.
Pre-Existing Business Relationship Exception: The General Rule does not apply to the Receiving Affiliate’s use of eligibility information received from an affiliate to make a solicitation for marketing purposes to a consumer with whom the Receiving Affiliate has a pre-existing business relationship. a.
Example: A consumer has a deposit account with a bank, as well as a relationship with the bank’s securities affiliate. The bank receives eligibility information from the securities affiliate and uses it to make a solicitation to the consumer about the bank’s wealth management services. The bank may make such solicitation even if the consumer has not received the Opt-Out Notice from the securities affiliate.
Exceptions to General Rule 2.
Employee Benefit Services Exception: The General Rule does not apply to the use of eligibility information received from an affiliate to facilitate communications to an individual for whose benefit the Receiving Affiliate provides employee benefit or other services.
3.
Service Provider Exception: The General Rule does not apply to the use of eligibility information received from an affiliate to perform services on behalf of that affiliate. However, this exception does not allow the service provider to send solicitations that the hiring party cannot. a.
Example: A consumer has an insurance policy from an insurance company. The insurance company provides eligibility information to its affiliated bank. Based on this eligibility information the bank wants to make a solicitation to the consumer about its deposit products, but the consumer has received an Opt-Out Notice and has opted out. The bank does not have an pre-existing business relationship, and no other exceptions apply. The bank cannot hire a service provider to send the solicitations on its behalf.
Exceptions to General Rule 4.
Consumer-Initiated Communication Exception: The General Rule does not apply to the use of eligibility information in response to a communication about products and services initiated by a consumer. However, the response must be related to the consumer communication, and reasonable in its scope and content. a.
Example: A consumer, who has a deposit account with a bank, initiates a communication with the bank’s credit card affiliate to request information about a credit card. The credit card affiliate may use eligibility information about that consumer that it obtains from the bank (or any other affiliate) for the purpose of making solicitations regarding credit card products to the consumer.
b.
Example: A consumer calls a bank to ask about branch locations and hours, but does not request information about products or services. The bank may not use eligibility information it receives from its affiliates to make solicitations to the consumer.
Exceptions to General Rule 5.
Consumer Authorization Exception: The General Rule does not apply to the use of eligibility information in response to an authorization or request by the consumer to receive solicitations. The consumer must take affirmative steps to trigger this exception. Negative option consents (preselected check boxes, boilerplate language, etc.) are ineffective. a.
6.
Example: A consumer completes an online application to apply for a credit card. The application contains a blank check box that the consumer may check to authorize or request information from the credit card issuer’s affiliates. If the consumer checks the box s/he has authorized or requested solicitations from the credit card issuer’s affiliates.
Compliance With State Insurance Law Exception: The General Rule does not apply if compliance with it prevents compliance with any provision of State insurance laws pertaining to unfair discrimination in any State where you are lawfully doing business.
Opt-Out Notice A.
Definitions 1.
Clear and Conspicuous: Reasonably understandable and designed to call attention to the nature and significance of the information in question. Preamble to the final rule notes that this is intended to be “substantially similar” to the standard applicable to the privacy notices under the GLBA/ Reg P privacy rules.
2.
Concise: A “reasonably brief” statement.
Opt-Out Notice B.
Generally: The Opt-Out Notice must be clear, conspicuous, and concise.
C.
Who Sends the Opt-Out Notice?: The Opt-Out Notice must be sent by a party with a pre-existing business relationship with the consumer. It may also be sent by two or more members of an affiliated group so long as at least one of them has a pre-existing business relationship with the consumer.
Opt-Out Notice D.
Contents: The Opt-Out Notice must include: 1.
Name(s) of the affiliate(s) providing the Opt-Out Notice;
2.
List of affiliates (or types of affiliates) whose use of eligibility information is covered by the Opt-Out Notice;
3.
General description of the types of eligibility information that may be used to make solicitations to the consumer;
4.
A statement that the consumer may elect to limit the use of his/her eligibility information to make solicitations to him/her;
5.
A statement that the consumer’s election will apply for the period of time stated in the Opt-Out Notice, along with a statement that (if applicable) consumer may renew;
Opt-Out Notice 6.
If the Opt-Out Notice is provided to consumers who may have previously opted-out (for example, if the Opt-Out Notice is included in your annual GLBA/Reg P privacy policy) then it must also include a statement that if the consumer has already opted out that s/he does not need to act again until s/he receives a “Renewal Notice”; and
7.
A reasonable and simple method for the consumer to optout.
Opt-Out Notice D.
Joint Accounts: If two (2) or more consumers jointly obtain a product or service, a single Opt-Out Notice may be provided. The opt-out may be exercised individually by each consumer or you may allow one consumer to opt-out on behalf of everyone. The optout may not require all joint account holders to opt-out before applying the opt-out to any one individually.
E.
Model Notice: The final rule includes several forms of model notice.
F.
Combined Notices: The Opt-Out Notice may be combined with GLBA/Reg P privacy notice.
Opt-Out Notice G.
Delivery: The Opt-Out Notice must be provided so that each consumer can be reasonably expected to receive actual notice. This standard is met if: 1.
The Opt-Out Notice is hand-delivered to the consumer;
2.
A printed copy of the Opt-Out Notice is mailed to the consumer’s last known address;
3.
The Opt-Out Notice is provided by e-mail to a consumer who agreed to receive it electronically; or
4.
The consumer obtains a product or service electronically, then the Opt-Out Notice may be posted on the Internet site where the consumer obtained such product, but only if the consumer is required to acknowledge its receipt.
Opt-Out Process A.
Scope of Opt-Out: The scope of the opt-out is driven by the contents of the Opt-Out Notice. 1.
In the context of a continuing relationship (e.g., opening a deposit account, obtaining a loan, purchasing an insurance product, etc.) the Opt-Out Notice may apply to eligibility information obtained in connection with a single or multiple continuing relationships, so long as the Opt-Out Notice adequately describes what is covered. In this scenario the Opt-Out Notice may also apply to any other transaction with the consumer as described in the Opt-Out Notice.
2.
If there is no continuing relationship (e.g., a denied credit application) or only isolated transactions exist (e.g., using your ATM, or purchasing a cashier’s check, money order or traveler’s check) and eligibility information is obtained as part of that transaction, then the Opt-Out Notice provided only applies to the eligibility information obtained in connection with that transaction.
Opt-Out Process 3.
B.
The Opt-Out Notice may (but is not required to) provide a menu of alternatives. These alternatives could allow the consumer to opt-out of receiving solicitations from certain affiliates, that are based on certain types of eligibility information, or that are sent via certain methods of delivery. If this menu approach is used, one selection must be to allow the consumer to prohibit all solicitations from all affiliates covered by the notice.
Duration: Opt-out elections must be effective for a minimum of five (5) years, beginning when the opt-out election is received and implemented. Longer periods may be provided in the Opt-Out Notice. The consumer may revoke his/her opt-out election in writing (or electronically if the consumer agrees).
Opt-Out Process 1.
An opt-out election is not terminated by the termination of a continuing relationship by the consumer.
2.
If the consumer establishes a new continuing relationship after have terminated a prior one, and an affiliate wishes to use eligibility information from the new relationship to make a solicitation, then a new Opt-Out Notice must be provided. At a minimum, this new Opt-Out Notice must apply to the eligibility information obtained in connection with the new relationship. If the consumer does not opt-out in response to this notice, it does not undo any prior opt-out elections. a.
Example: A consumer has a checking account with a bank that is part of an affiliated group. The consumer closes the checking account. A year later, the consumer opens a savings account with the bank. The consumer must be given a new Opt-Out Notice and opportunity to opt-out before the bank’s affiliates may make solicitations to the consumer using eligibility information obtained by the bank in connection with the savings account (regardless of whether the consumer opted-out in connection with the checking account).
Opt-Out Process C.
Opt-Out Right Is Evergreen: The consumer may exercise his/her opt-out right at any time.
D.
Reasonable Opportunity to Opt-Out: The consumer must have a reasonable opportunity to opt-out. What is reasonable will depend on facts and circumstances. However, some more common examples of what would constitute reasonable opportunity are:
Opt-Out Process
Opt-Out Notice Is Provided
Reasonable Opportunity Means
By Mail
30 days from mailing date
By Posting On Web Site
30 days from acknowledgment
(Receipt Acknowledged)
date
By E-Mail (Consumer Agreed
30 days after e-mail is sent
to Electronic Receipt) In GLBA/Reg P privacy notice
Within reasonable period of time and in same manner as Reg P opt-out
Opt-Out Process D.
Reasonable and Simple Methods to Opt-Out: The consumer must have a reasonable and simple method to opt-out. This would include: 1.
Providing a check-off box in a prominent position on the optout form;
2.
Including a reply form and a self-addressed envelope together with the Opt-Out Notice;
3.
Providing an electronic means to opt-out, if consumer agrees to electronic delivery of information;
4.
Providing a toll-free number to call; or
5.
Allowing consumers to use a “universal opt-out” for affiliate marketing, affiliate sharing, and Reg P opt-outs.
Renewals A.
At End of Initial Opt-Out: No solicitations based on eligibility information received from an affiliate may be made to a consumer who previously opted-out unless an exception to the General Rule applies or: 1.
Consumer receives a “Renewal Notice”;
2.
Consumer is provided with a reasonable opportunity and a reasonable and simple method to renew his/her opt out; and
3.
Consumer does not renew his/her opt-out.
Renewals B.
Who Sends the Renewal Notice?: The affiliate that sent the initial Opt-Out Notice must send the Renewal Notice. If the initial Opt-Out Notice was sent jointly, the Renewal Notice may be as well.
C.
Content: The required content of the Renewal Notice differs slightly from the initial Opt-Out Notice. The Renewal Notice be clear, conspicuous, and concise and must include: 1.
Name(s) of the affiliate(s) sending the Renewal Notice;
2.
List of affiliates (or types of affiliates) covered by the Renewal Notice;
Renewals 3.
A general description of the types of eligibility information that may be used to make solicitations to the consumer;
4.
A statement that the consumer previously elected to limit the use of certain information to make solicitations;
5.
A statement that the consumer’s election has (or is about to) expire;
6.
A statement that the consumer may elect to renew his/her prior election;
7.
If applicable, a statement that the consumer’s election to renew will apply for the period of time specified in the Renewal Notice, and that the consumer will be able to renew again once that period expires; and
8.
A reasonable and simple method to opt-out.
Renewals D.
Timing: The Renewal Notice may be provided to the consumer either a reasonable period of time before the expiration of the opt-out period, or after expiration of the original opt-out. However, if the Renewal Notice is sent after the expiration of the initial opt-out then no solicitations may be sent that would have been prevented by the prior opt-out.
E.
Combination With Annual Privacy Notice: Renewal Notices may be combined with the annual GLBA/Reg P privacy notice.
Compliance Pointers A.
Do You Have Affiliates?: Since this rule applies to the sharing and use of eligibility information between affiliates, first question should be whether you have any affiliates.
B.
Talk to Your Marketing Department: If the answer is “yes”, next stop should be your Marketing Department. Since the General Rule is triggered by the use of eligibility information, determine if any is used for the purpose of making solicitations for marketing purposes.
Compliance Pointers C.
What is Your Current “Sharing Profile”?: Review your current GLBA/Reg P privacy notice. Do you share “other information” under FCRA and offer an opt-out? Do you share NPPI with non-affiliated third parties outside of an exception and offer an opt out?
D.
What is Your Current Marketing Preference System?: Is there any interface between your current sharing profile and any marketing preferences that you may have (such as a company-specific do-not-call, a CAN SPAM unsubscribe list, a “no snail mail” list, etc.)? Should there be?
Compliance Pointers E.
Talk To Your IT Department or Vendors: Based on the foregoing, if you need to build an opt-out system to comply with this new rule, how long will it take?
F.
Will Your Opt-Out Notice Stand Alone?: Do logistics allow for you to combine your Opt-Out Notice with your initial privacy notice? Will that cover all of the scenarios where you may currently be using eligibility information?
LEGAL STUFF: Because of its generality, the information provided in this program may not be applicable to all situations and should not be acted upon without specific advice from your compliance officer or legal counsel. If you have any questions regarding this material please contact: Rick Hackett
(207) 291-1280 (Portland) (857) 277-6902 (Boston)
[email protected]
Ryan Stinneford
(207) 791-1154
[email protected]
Lori Desjardins
(207)291-1276
[email protected]
© 2007 Pierce Atwood LLP
