Section 214 of Fair and Accurate Credit Transactions Act (“FACTA") was enacted to amend the Fair Credit Reporting Act (the “Act”) to give consumers the right to restrict certain entities from using certain information received from their affiliates to make solicitations to that consumer unless the consumer has been provided (1) “clear and conspicuous” notice that the consumer’s information will be shared for such purposes, and (2) an opportunity to opt out of having such information shared for such purposes.
On November 7, 2007, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the Office of the Comptroller of the Currency, the Office of Thrift Supervision and the National Credit Union Administration issued a joint final rule (along with the Federal Trade Commission (FTC) and the Securities and Exchange Commission(SEC), which separately adopted and proposed, respectively, similar regulations) under the amended Act (the “Affiliate Marketing Rule” or “Final Rule,” codified at 12 C.F.R. Parts 41, 222, 334, 571 and 717) governing the use of specific consumer information obtained by covered entities from their affiliates for certain marketing purposes.
The Affiliate Marketing Rule became effective on January 1, 2008, and compliance by covered entities is required by October 1, 2008.
Summary of the Final Rule’s Requirements
In general, the Affiliate Marketing Rule prohibits a “person” from using consumer “eligibility information” received from a corporate “affiliate” for making marketing “solicitations” to the consumer, unless:
- the consumer is first given a clear, conspicuous, concise and written notice explaining that the person may use eligibility information about that consumer received from an affiliate to make solicitations for marketing purposes;
- the consumer is first given a reasonable opportunity and a reasonable and simple method to “opt out,” or prohibit the use of the eligibility information to make solicitations for marketing purposes; and
- the consumer has not opted out thereof.
The opt-out notice must be delivered “so that each consumer can be reasonably expected to receive actual notice.” Examples of delivery methods that can be reasonably expected to provide actual notice include hand-delivery, mailing a printed copy of the notice to the consumer’s last known address, e-mail to consumers who have agreed to receive electronic disclosures from the affiliate providing notice, and posting the notice on a website at which the consumer obtained a product or service electronically and requires the consumer to acknowledge receipt of the notice.
Once notice has been delivered, a consumer must be given a reasonable opportunity to opt out, and the reasonable opportunity to opt out must be accompanied by a “reasonable and simple” method for exercising the opt-out right, such as a conspicuous check box, a reply form and a self-addressed envelope with the opt-out notice, a toll-free telephone number, and an electronic opt out.
Consumer opt outs must be honored for 5 years, and a renewal notice must be sent to the consumer before the expiration of the initial 5-year opt-out period, giving the consumer an opportunity to extend the opt-out for an additional 5 years. The Final Rule includes model forms that may be used to comply with the Final Rule’s requirements.
Under the Final Rule, “affiliates” are companies that are related by common ownership or common corporate control with one another. A “solicitation” means the marketing of a product or service initiated by a person to a particular consumer that is based on eligibility information communicated to that person by its affiliate and intended to encourage the consumer to purchase or obtain such product or service. (Communications aimed at the general public such as television or billboard advertisements are not “solicitations,” but marketing emails, telemarketing calls and direct mailings aimed at particular consumers are considered “solicitations.”)
“Eligibility information,” as defined by the Rule, encompasses any information that, if communicated, would constitute a “consumer report” (as such term is defined by the Act) but for specific statutory exclusions. “Eligibility information” might include, for example, a person’s own transaction or experience information and information from consumer reports or applications, but does not, however, include aggregate or blind data that does not contain personal identifiers.
The provisions of the Affiliate Marketing Rule do not apply to certain uses of eligibility information obtained from an affiliate in certain situations, including:
o to make a marketing solicitation to a consumer with whom the person has a “pre-existing business relationship” as that term is defined in the Rule;
o to facilitate certain communications to a consumer for whose benefit the company has provided employee benefits or other services;
o to perform services on behalf of an affiliate, except that this does not permit a person to send solicitations on behalf of an affiliate if the affiliate would not be permitted to send the solicitation on its own behalf due to the consumer’s opt-out election;
o in response to a communication initiated by the consumer;
o in response to a consumer’s authorization or request to receive a solicitation; and
o if compliance with the Final Rule would prevent the person from complying with state insurance laws relating to unfair discrimination.
As the compliance deadline quickly approaches, it is important for covered entities to understand that the potential consequences of non-compliance with the Final Rule’s requirements not only could include enforcement by the applicable federal banking agency or the FTC (if the FTC has jurisdiction over such covered entity), but also could result in civil liability to affected consumers (including punitive damages for certain willful actions, as well as attorneys’ fees).