January 3, 2002

Donald S. Clark
Secretary
Federal Trade Commission
Room 159
600 Pennsylvania Avenue, NW
Washington, DC 20580
Re: GLB Act Notice Workshop – Comment, P014814

Dear Mr. Clark:

On behalf of the New Hampshire Bankers Association (NHBA), a state banking trade organization, we are submitting the attached comments/responses to questions posed by certain Federal regulators in the September 24, 2001 Joint Notice Announcing Public Workshop and Requesting Public Comment regarding the challenges and strategies for providing effective notice under the Gramm-Leach-Bliley (GLB) Act.

By way of background, most of the NHBA’s 39 bank members are small community banks (having less than $500MM in assets). From a GLB perspective, all of these banks share customer information pursuant to §§14 and 15 of GLB, some share customer information pursuant to §13 with service providers or joint marketers (usually for credit cards, securities or insurance products), and almost all NHBA members do not share customer information outside of the GLB exceptions with nonaffiliated third parties. Most of the NHBA’s member banks find that the current privacy notice has no practical significance with customers because the banks often do not share outside of the GLB exceptions, and therefore, there are no opt-out procedures to be followed.

As regulated entities, we accept the regulatory burden of complying with GLB and we have an intense interest in ensuring that the process of privacy notices works well for customers and for banks. Financial institutions rely on trust for differentiation from other providers of services. We support the concept of the privacy notice, and we reject any idea that results in confusion among customers as being ineffective toward our ultimate trust goal.

Generally, we support four major concepts in the evolution towards effective GLB privacy notices:

  • Notices to customers should be understandable and effective;
  • Notices should include a component of uniform and comparable privacy elements;
  • Notices should be provided using cost-effective delivery systems; and
  • Notices should reconcile the varying state and federal privacy notice requirements so as not to undermine the basic objectives of GLB.

We have considered and responded to each of the questions posed in the Request for Comment in the attached materials.

Thank you for the opportunity to express our views.

Very truly yours,
/s/
Gerald H. Little, President
New Hampshire Bankers Association

1. What challenges are associated with providing effective privacy notices?

  • The regulations, model clauses, and consumer advocate complaints do not appear to recognize that some banks do not share outside of the GLB exceptions and therefore are not required to (nor would it make any sense to) provide an opt-out procedure. Any suggestion that every financial institution should disclose that it "can share information unless the consumer tells it not to" does not address this concern because it assumes that all entities share outside of the exceptions and therefore must provide a GLB opt-out. We would like to see a positive or negative statement required that indicates that the financial institution either does or does not share outside of the GLB exceptions.
  • For smaller banks especially, the relative cost of providing an annual mailing to all customers is excessive. There is no meaningful reason for a bank to provide a privacy notice to its customers every year if its privacy practices have not changed and the bank has no opt-out procedures. If the privacy notice is posted on a bank’s website and in a bank’s lobby, the option should be available for banks to avoid the required annual re-mailing. Furthermore, the option to email privacy notices (using E-SIGN procedures) to new and existing customers should be made available.
  • While it is logical that the privacy notice provided to customers should address all privacy policies affecting customers, every bank must contend with the privacy laws of the state(s) in which it has branches because of the federal floor doctrine. Additionally, most banks have customers who are residents of other states, each with its own privacy laws. It becomes a confusing morass when trying to reconcile multiple state laws in which a bank has branches, or in which it currently has customers or may in the future have customers. Clear guidance is needed for this situation.

The practical effect on a bank that operates and has customers in many states is that it is inefficient to attempt to comply with various state notice requirements for opt-in, especially if the bank has a relatively small number of customers in that state. Rather than attempting to comply with various opt-in notice provisions, it is simply more efficient for the bank to not share customer information with the threshold entities (i.e., third parties, affiliates, etc.) as determined by that state’s laws and, therefore, not be required to provide opt-in notices to customers in that state. The bank, in effect, pre-sets an indicator for all customers in that particular state to "opt-out."

  • "Shorter and clearer is better." We agree with many of the participants in the "Get Noticed" Workshop that the notices need to be shorter and more concise. We recognize that the GLB Act has specific notice requirements (such as all the elements listed at 12 CFR 40.6) that may run counter to that goal. However, we support a uniform, summary-style "disclosure block" that provides information that is comparable between financial institutions. We especially support this idea if one of the comparing statements is: "Does the financial institution share customer information outside the GLB exceptions?" The problem with using that exact language, though, is that customers do not know or care what the GLB exceptions include.
  • We are still awaiting guidance from the FDIC and the other federal regulators on previously raised issues of incompatibility between GLB and the federal Fair Credit Reporting Act (FCRA) requirements as they relate to GLB §13 sharing with joint marketers. The resolution to this issue most likely will affect the language needed in the privacy notices.
  • With respect to online privacy notices, more data gathering and sharing is possible in an online environment. Issues unique to the online environment should be addressed in an online privacy notice, such as: the use of cookies, the type of encryption used, the security features of the system to ensure that data is indeed kept private from third parties, etc. Guidance is needed from federal regulators with respect to whether a single privacy notice or supplemental online privacy notice can be used.
  • Customers do not understand the highly defined terms used in privacy notices. Many customers believe that sharing with a joint marketer pursuant to the requirements set forth in GLB §13 is the same as sharing with a non-affiliated third party outside of the GLB exceptions. It is difficult for a bank to follow the law without appearing to mislead customers in this situation.
  • When customers receive excessive privacy notices, the notices become irrelevant and customers do not read them. The process of providing notices and the contents of the notices must be relevant to customers or we have missed the goals of GLB and the Fair Information Practices.

2. What are some examples of privacy notices that are easy to read and understand and that can serve as models for effective communication to consumers? What formats are particularly effective?

  • We support the idea of a shorter, easy-to-compare summary disclosure followed by fully descriptive text. The work product of entities such as The Center for Information Policy Leadership at Hunton & Williams seems to be on track for developing a good solution.
  • We do not believe that the "P3P" format of Internet Explorer 6 will dovetail easily or appropriately with the GLB law.
  • Although the idea of using the "food label" disclosure promoted by groups such as the Privacy Council is a step in the right direction concerning simplicity and uniformity, we believe the Hunton & Williams-type disclosure will be better because it parallels the GLB Act and better addresses financial institution concerns. However, both disclosure types must address the small bank concern of highlighting banks that do not share outside the GLB exceptions.
  • We generally encourage the work product of groups such as TRUSTe and its privacy symbols and labels initiative to date for web sites. However, we are concerned that many banks are not yet ready to provide access and modification services to customers. Since that is not required under GLB, the "access" section should be an optional piece of information in the format. We support the goal for banks to be able to provide access and modification of personal data to customers in the future.

3. What can we learn from readability and communications experts that will help financial institutions draft notices that are easy to read and easy to find?

  • We support the idea of a short-summary, uniform "disclosure box" for easy location of the information and comparison between financial institutions’ privacy policies.

4. Are any industry groups developing self-regulatory guidelines or "best practices" regarding GLB privacy notices and reasonable opt-out methods? Are there useful models or guidelines from other contexts, such as online privacy, that could provide guidance here?

  • The American Bankers Association has provided several helpful guidance documents:
    • Financial Privacy Toolbox;
    • ABA Privacy Communication Kit; and
    • Identity Theft Communication Kit.
  • We support the ideas set forth in these documents and encourage integration of these concepts in all financial institutions.
  • As stated above, we believe the privacy notices should be simplified from those based on the model language in the regulation as made available in the above-mentioned guidance documents.

5. Have individual financial institutions or industry, consumer, or privacy groups developed effective business and consumer education materials regarding GLB privacy policies? Would it be useful for the Agencies or others to develop additional consumer and business education materials regarding GLB privacy policies?

  • We encourage the work of groups such as the Center for Information Policy Leadership at Hunton & Williams in developing a comparable short-form notice linked to a full text notice.
  • We also encourage the use by financial institutions of the various additional consumer information materials available through, among others, the American Bankers Association, the Federal banking regulators, and the Federal Trade Commission in educating consumers about identity theft, credit report management, avoiding fraud and general consumer financial awareness and literacy.
  • The federal banking regulator’s recently released Frequently Asked Questions for the Privacy Regulation document is very helpful and addresses many of our other concerns.


Last Updated: Friday, January 04, 2002