28 Tex. Admin. Code § 22.27

Current through Reg. 49, No. 49; December 6, 2024
Section 22.27 - General Instructions
(a) A covered entity, including a group of covered entities or financial institutions that use a common privacy notice, may use the model form, at its option, to meet the content requirements of the privacy notice and opt out notice set out in § 22.10 and § 22.11 of this title (relating to Information to be Included in Privacy Notices and Form of Opt Out Notice to Consumers and Opt Out Methods).
(b) The model form is a standardized form, including page layout, content, format, style, pagination, and shading. Covered entities seeking to obtain legal safe harbor through use of the model form may modify it only as described in these instructions.
(c) Disclosure of certain information, such as assets, income, and information from a consumer reporting agency, may give rise to obligations under the Fair Credit Reporting Act (15 U.S.C. §§1681 - 1681x) (FCRA), for example, a requirement to permit a consumer to opt out of disclosures to affiliates or designation as a consumer reporting agency if disclosures are made to nonaffiliated third parties.
(d) The word "customer" may be replaced by the word "member" whenever it appears in the model form, as appropriate. A covered entity may replace the term "customer" with another appropriate term as provided under 28 TAC § 22.4(c) - (e).
(e) The model form consists of two pages, which may appear on both sides of a single sheet of paper, or may appear on two separate pages. Where a covered entity provides a long list of covered entities or financial institutions at the end of the model form in accord with the instructions in subsection (g)(3)(A)(i) of this section, or provides additional information in accord with the instructions in subsection (g)(3)(C) of this section, and the list or additional information exceeds the space available on page two of the model form, the list or additional information may extend to a third page.
(1) Page one contents. The first page consists of the following components:
(A) date last revised in the upper right-hand corner;
(B) title;
(C) key frame (Why?, What?, How?);
(D) disclosure table (Reasons we can share your personal information);
(E) "To limit our sharing" box, as needed, for the covered entity's opt out information;
(F) "Questions" box, for customer service contact information; and
(G) mail-in opt out form, as needed.
(2) Page two contents. The second page consists of the following components:
(A) heading (page 2);
(B) frequently asked questions("Who we are" and "What we do";
(C) definitions; and
(D) "Other important information" box, as needed.
(f) The format of the model privacy form may be modified only as described in paragraphs (1) - (5) of this subsection.
(1) Easily readable type font. Covered entities that use the model form must use an easily readable type font. While a number of factors together produce easily readable type font, covered entities must use a minimum of 10-point font, unless otherwise expressly permitted in these instructions, and sufficient spacing between the lines of type.
(2) Logo. A covered entity may include a corporate logo on any page of the notice, so long as it does not interfere with the readability of the model form or the space constraints of each page.
(3) Page size and orientation. Each page of the model form must appear on paper in portrait orientation, the size of which must meet the layout and minimum font size requirements.
(4) Color. The model form must appear on white or light color paper, for example, cream, with black or other contrasting ink color. Spot color may be used to achieve visual interest, so long as the color contrast is distinctive and the color does not detract from the readability of the model form. Logos may also appear in color.
(5) Languages. The model form may be translated into languages other than English.
(g) The information required in the model form may be modified only as described in this subsection.
(1) Name of the covered entity or group of affiliated covered entities or institutions providing the notice. Insert the name of the covered entity providing the notice or a common identity of affiliated covered entities or institutions jointly providing the notice on the form wherever name of covered entity appears.
(2) Page one instruction.
(A) Last revised date. The covered entity must insert in the upper right-hand corner the date on which it last revised the notice. The information must appear in minimum 8-point font as "rev. (month/year)" using either the name or number of the month, for example "rev. July 2009" or "rev. 7/09."
(B) General instructions for the "What?" box.
(i) The bulleted list identifies the types of personal information the covered entity collects and shares. All covered entities must use the term "Social Security number" in the first bullet.
(ii) Covered entities must use at least five of the following terms to complete the bulleted list: income, account balances, payment history, transaction history, transaction or loss history, credit history, credit scores, assets, investment experience, credit-based insurance scores, insurance claim history, medical information, overdraft history, purchase history, account transactions, risk tolerance, medical-related debts, credit card or other debt, mortgage rates and payments, retirement assets, checking account information, employment information, and wire transfer instructions.
(C) General instructions for the disclosure table. The left column lists reasons for sharing or using personal information. Each reason correlates to a specific legal provision described in the instructions in subparagraph (D) of this paragraph. In the middle column, each covered entity must provide a "Yes" or "No" response that accurately reflects its information-sharing policies and practices with respect to the reason listed on the left. In the right column, each covered entity must provide in each box one of the following three responses, as applicable, that reflects whether a consumer can limit such sharing:
(i) "Yes" if it is required to or voluntarily provides an opt out;
(ii) "No" if it does not provide an opt out; or
(iii) "We don't share" if it answers "No" in the middle column. Only the sixth row, "For our affiliates to market to you," may be omitted at the option of the covered entity as described in the instructions in subparagraph (D)(vi) of this paragraph.
(D) Specific disclosures and corresponding legal provisions.
(i) For our everyday business purposes. This reason incorporates sharing information under § 22.18 and § 22.19 of this title (relating to Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial information for Processing and Servicing Transactions and Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information) and with service providers under § 22.17 of this title (relating to Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing), other than the purposes specified in the instructions in clause (ii) or (iii) of this subparagraph.
(ii) For our marketing purposes. This reason incorporates sharing information with service providers by a covered entity for its own marketing under § 22.17 of this title. A covered entity that shares for this reason may choose to provide an opt out.
(iii) For joint marketing with other financial companies. This reason incorporates sharing information under joint marketing agreements between two or more covered entities or financial institutions and with any service provider used in connection with such agreements under § 22.17 of this title. A covered entity that shares for this reason may choose to provide an opt out.
(iv) For our affiliates' everyday business purposes - information about transactions and experiences. This reason incorporates sharing information specified in §603(d)(2)(A)(i) and §603(d)(2)(A)(ii) of the FCRA. A covered entity that shares for this reason may choose to provide an opt out.
(v) For our affiliates' everyday business purposes - information about creditworthiness. This reason incorporates sharing information under §603(d)(2)(A)(iii) of the FCRA. A covered entity that shares for this reason must provide an opt out.
(vi) For our affiliates to market to you. This reason incorporates sharing information specified in §624 of the FCRA. This reason may be omitted from the disclosure table when the covered entity does not have affiliates, or does not disclose personal information to its affiliates; the covered entity's affiliates do not use personal information in a manner that requires an opt out; or the covered entity provides the affiliate marketing notice separately. Covered entities that include this reason must provide an opt out of indefinite duration. A covered entity that must provide an affiliate marketing opt out, but does not include that opt out in the model form under this clause, must comply with §624 of the FCRA and Insurance Code Chapter 601 and 28 TAC Subchapter A, including §§ 22.8- 22.12 of this title (relating to Initial Privacy Notice, Annual Privacy Notice, Information to be Included in Privacy Notices, Form of Opt Out Notice to Consumers and Opt Out Methods, and Revised Privacy Notices, respectively), with respect to the initial notice and opt out and any subsequent renewal notice and opt out. A covered entity not required to provide an opt out under this subparagraph may elect to include this reason in the model form.
(vii) For nonaffiliates to market to you. This reason incorporates sharing described in §22.11 and §22.12(a)(1) - (4) of this title. A covered entity that shares personal information for this reason must provide an opt out.
(E) To limit our sharing. A covered entity must include this section of the model form only if it provides an opt out. The word "choice" may be written in either the singular or plural, as appropriate. Covered entities must select one or more of the applicable opt out methods described: telephone, for example, by a toll-free number; a website; or use of a mail-in opt out form. Covered entities may include the words "toll-free" before telephone, as appropriate. A covered entity that allows consumers to opt out online must provide either a specific web address that takes consumers directly to the opt out page or a general web address that provides a clear and conspicuous direct link to the opt out page. The opt out choices made available to the consumer who contacts the covered entity through these methods must correspond accurately to the "Yes" responses in the third column of the disclosure table. In the part titled "Please note," covered entities may insert a number that is 30 or greater in the space marked "(30)." Instructions on voluntary or state privacy law opt out information are in the instructions in subparagraph (G)(v) of this paragraph.
(F) Questions box. Customer service contact information must appear, as appropriate, where "phone number" or "website" appears. Covered entities may elect to provide either a phone number, such as a toll-free number, or a web address, or both. Covered entities may include the words "toll-free" before the telephone number, as appropriate.
(G) Mail-in opt out form. Covered entities must include this mail-in form only if they state in the "To limit our sharing" box that consumers can opt out by mail. The mail-in form must provide opt out options that correspond accurately to the "Yes" responses in the third column in the disclosure table. Covered entities that require customers to provide only name and address may omit the section identified as "account #." Covered entities that require additional or different information, for example, a random opt out number or a truncated account number, to implement an opt out election should modify the "account #" reference accordingly. This includes covered entities that require customers with multiple accounts to identify each account to which the opt out should apply. A covered entity must enter its opt out mailing address in the far right of the Version 3: Model Form with Mail-In Opt Out Form. A covered entity must enter its opt out mailing address below the Version 4: Optional Mail-In Form. The reverse side of the mail-in opt out form must not include any content of the model form.
(i) Joint accountholder. Only covered entities that provide their joint accountholders the choice to opt out for only one accountholder, in accord with the instructions in paragraph (3)(A)(v) of this subsection, must include in the far left column of the mail-in form the following statement: "If you have a joint account, your choice(s) will apply to everyone on your account unless you mark below. Apply my choice(s) only to me." The word "choice" may appear in either the singular or plural, as appropriate. Covered entities that provide insurance products or services, provide this option, and elect to use the model form may substitute the word "policy" for "account" in this statement. Covered entities that do not provide this option may eliminate this left column from the mail-in form.
(ii) FCRA §603(d)(2)(A)(iii) opt out. If the covered entity shares personal information under §603(d)(2)(A)(iii) of the FCRA, it must include in the mail-in opt out form the following statement: "Do not share information about my creditworthiness with your affiliates for their everyday business purposes."
(iii) FCRA §624 opt out. If the covered entity incorporates §624 of the FCRA in accord with the instructions in subparagraph (D)(vi) of this paragraph, it must include in the mail-in opt out form the following statement: "Do not allow your affiliates to use my personal information to market to me."
(iv) Nonaffiliate opt out. If the covered entity shares personal information under §22.14(a)(1) - (4) of this title (relating to Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties), it must include in the mail-in opt out form the following statement: "Do not share my personal information with nonaffiliates to market their products and services to me."
(v) Additional opt outs. Covered entities that use the disclosure table to provide opt out options beyond those required by federal law must provide those opt outs in this section of the model form. A covered entity that chooses to offer an opt out for its own marketing in the mail-in opt out form must include one of the two following statements: "Do not share my personal information to market to me." or "Do not use my personal information to market to me." A covered entity that chooses to offer an opt out for joint marketing must include the following statement: "Do not share my personal information with other financial institutions to jointly market to me."
(H) Barcodes. A covered entity may elect to include a barcode, a tagline, or both as an internal identifier in 6-point font at the bottom of page one, as needed for information internal to the institution, so long as these do not interfere with the clarity or text of the form.
(3) Page two instructions.
(A) General instructions for the questions. Certain of the questions may be customized as follows:
(i) "Who is providing this notice?" A covered entity may omit this question where only one covered entity provides the model form and that covered entity's name clearly appears in the title on page one. Two or more covered entities or financial institutions that jointly provide the model form must use this question to identify themselves as required by § 22.13(g) of this title (relating to Delivery). Where the list of covered entities or financial institutions exceeds four lines, the covered entity must describe in the response to this question the general types of covered entities or financial institutions jointly providing the notice and must separately identify those covered entities or financial institutions, in minimum 8-point font, directly following the "Other important information" box, or, if that box is not included in the covered entity's form, directly following the "Definitions." The list may appear in a multi-column format.
(ii) "How does (name of covered entity) protect my personal information?" The covered entity may only provide additional information about its safeguarding practices following the designated response to this question. This may include information about the covered entity's use of "cookies" or other measures it uses to safeguard personal information. Covered entities are limited to a maximum of 30 additional words.
(iii) "How does (name of covered entity) collect my personal information?" Covered entities must use at least five of the following terms to complete the bulleted list for this question: open an account, deposit money, pay your bills, apply for a loan, use your credit or debit card, seek financial or tax advice, apply for insurance, pay insurance premiums, file an insurance claim, seek advice about your investments, buy securities from us, sell securities to us, direct us to buy securities, direct us to sell your securities, make deposits or withdrawals from your account, enter into an investment advisory contract, give us your income information, provide employment information, give us your employment history, tell us about your investment or retirement portfolio, tell us about your investment or retirement earnings, apply for financing, apply for a lease, provide account information, give us your contact information, pay us by check, give us your wage statements, provide your mortgage information, make a wire transfer, tell us who receives the money, tell us where to send the money, show your government-issued ID, show us your driver's license, or order a commodity futures or option trade. Covered entities that collect personal information from their affiliates, credit bureaus, or both, must include after the bulleted list the following statement: "We also collect your personal information from others, such as credit bureaus, affiliates, or other companies." Covered entities that do not collect personal information from their affiliates or credit bureaus but do collect information from other companies must include the following statement instead: "We also collect your personal information from other companies." Only covered entities that do not collect any personal information from affiliates, credit bureaus, or other companies can omit both statements.
(iv) "Why can't I limit all sharing?" Covered entities that describe state privacy law provisions in the "Other important information" box must use the bracketed sentence: "See below for more on your rights under state law." Other covered entities must omit this sentence.
(v) "What happens when I limit sharing for an account I hold jointly with someone else?" Only covered entities that provide opt out options must use this question. Other covered entities must omit this question. Covered entities must choose one of the following two statements to respond to this question: "Your choices will apply to everyone on your account," or "Your choices will apply to everyone on your account-unless you tell us otherwise." Covered entities that provide insurance products or services and elect to use the model form may substitute the word "policy" for "account" in these statements.
(B) General instructions for the definitions. The covered entity must customize the space below the responses to the three definitions in this area of the form. This specific information must be in italicized lettering to set off the information from the standardized definitions.
(i) Affiliates. As required by § 22.10(b)(3) of this title, where (affiliate information) appears, the covered entity must:
(I) if it has no affiliates, state: "(name of covered entity) has no affiliates";
(II) if it has affiliates but does not share personal information, state: "(name of covered entity) does not share with our affiliates"; or
(III) if it shares with its affiliates, state, as applicable: "Our affiliates include companies with a (common corporate identity of covered entity) name; financial companies such as (insert illustrative list of companies); nonfinancial companies, such as (insert illustrative list of companies); and others, such as insert illustrative list."
(ii) Nonaffiliates. As required by § 22.10(d) of this title, where (nonaffiliate information) appears, the covered entity must:
(I) if it does not share with nonaffiliated third parties, state: "(name of covered entity) does not share with nonaffiliates so they can market to you"; or
(II) if it shares with nonaffiliated third parties, state, as applicable: ''Nonaffiliates we share with can include (list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations)."
(iii) Joint marketing. As required by § 22.17 of this title, where (joint marketing) appears, the covered entity must:
(I) if it does not engage in joint marketing, state: "(name of covered entity) doesn't jointly market"; or
(II) if it shares personal information for joint marketing, state, as applicable: "Our joint marketing partners include (list categories of companies, such as credit card companies)."
(C) General instructions for the "Other important information" box. This box is optional. The space provided for information in this box is not limited. Only the following types of information may appear in this box:
(i) State, international privacy law information, or both; or
(ii) Acknowledgment of receipt form; or
(iii) Both (i) and (ii).

28 Tex. Admin. Code § 22.27

Adopted by Texas Register, Volume 39, Number 49, December 5, 2014, TexReg 9566, eff. 12/7/2014