Our core processor notified us that we needed to update our mobile banking app privacy notice to alert customers that the app may access information stored on their device, such as their location, contacts, and camera. Apparently, Google requires these additions. We added this information to the “What?” box on the first page of the Regulation P model privacy form, which our processor said was appropriate. However, Laser Pro has informed us that adding this information exceeds the character limit for the “What?” box, and we should instead add the information to the “Other important information” box on page 2 of the model form. Is it permissible to add this information to the “What?” box, and would we still be protected by Regulation P’s safe harbor?

We do not believe this information should be added to Regulation P’s model privacy form in the “What?” box or “Other important information” box. We believe that the Regulation P privacy policy may be modified only in ways specified in the rule in order for the safe harbor to remain effective. Instead, we recommend adding this information to a mobile app privacy policy that is separate from your Regulation P privacy policy to satisfy your core processor and Google’s requirements. 

The general instructions for Regulation P’s model privacy form provide that institutions “seeking to obtain the safe harbor through use of the model form may modify it only as described” in the instructions. For the “What?” box on page 1, the instructions provide that the “bulleted list identifies the types of personal information that the institution collects and shares,” which “can include” the customer’s Social Security number and five additional terms from a list of specified examples, included in the resources below.

Since none of these terms include the location information, contacts, or camera on a customer’s mobile device, we do not believe you should add them to the “What?” box, which is intended to include no more than six examples that may be applicable to your collection and sharing practices. We note that while the instructions do not contain any character limits for this section, they do provide certain font and format requirements — and again, they limit the examples given to just six.

Additionally, the instructions for the “Other important information” box on page 2 of the model form provide that the only types of information that can appear in this box are “state and/or international privacy law information” and an “acknowledgment of receipt form.” As a result, we do not believe it would be appropriate to add language to this section regarding the information your bank may seek to access on a customer’s mobile device.

Consequently, we recommend adding Google’s requested additions to a separate privacy notice to avoid potentially losing the protections of Regulation P’s safe harbor.

For resources related to our guidance, please see:

  • Regulation P, Appendix to Part 1016, A. Model Privacy Form, page 1 (“What? — The types of personal information we collect and share depend on the product or service you have with us. This information can include:
      • Social Security number and [income]
      • [account balances] and [payment history]
      • [credit history] and [credit scores]

    When you are no longer our customer, we continue to share your information as described in this notice.”)

  • Regulation P, Appendix to Part 1016, A. Model Privacy Form, page 2 (“Other important information — [insert other important information]”)
  • Regulation P, Appendix to Part 1016, B. General Instructions, 1(a) (“The model form may be used, at the option of a financial institution, including a group of financial institutions that use a common privacy notice, to meet the content requirements of the privacy notice and opt-out notice set forth in §§ 1016.6 and 1016.7 of this part.”)
  • Regulation P, Appendix to Part 1016, B. General Instructions, 1(b) (“The model form is a standardized form, including page layout, content, format, style, pagination, and shading. Institutions seeking to obtain the safe harbor through use of the model form may modify it only as described in these Instructions.”)
  • Regulation P, Appendix to Part 1016, C. Information Required in the Model Privacy Form, 2(b) (“The information in the model form may be modified only as described below: . . . General instructions for the ‘What?’ box.

(1) The bulleted list identifies the types of personal information that the institution collects and shares. All institutions must use the term ‘Social Security number’ in the first bullet.

(2) Institutions must use five (5) of the following terms to complete the bulleted list: Income; account balances; payment history; transaction history; transaction or loss history; credit history; credit scores; assets; investment experience; credit-based insurance scores; insurance claim history; medical information; overdraft history; purchase history; account transactions; risk tolerance; medical-related debts; credit card or other debt; mortgage rates and payments; retirement assets; checking account information; employment information; wire transfer instructions.”)


  • Final Model Privacy Form under the Gramm-Leach-Bliley Act, 74 Fed. Reg. 62889, footnote 117 (December 1, 2009) (“See Instruction C.2(b)(2) to the Model Privacy Form. Similar to the proposal, the final model form requires institutions to provide examples that may be applicable to the institution’s collection and sharing practices.”)
  • Regulation P, Appendix to Part 1016, B. General Instructions, 3 (“The format of the model form may be modified only as described below.

(a) Easily readable type font. Financial institutions that use the model form must use an easily readable type font. While a number of factors together produce easily readable type font, institutions are required to use a minimum of 10-point font (unless otherwise expressly permitted in these Instructions) and sufficient spacing between the lines of type.

* * * * *

(c) Page size and orientation. Each page of the model form must be printed on paper in portrait orientation, the size of which must be sufficient to meet the layout and minimum font size requirements, with sufficient white space on the top, bottom, and sides of the content.”)

  • Regulation P, Appendix to Part 1016, C. Information Required in the Model Privacy Form, 3(c) (“General instructions for the ‘Other important information’ box. This box is optional. The space provided for information in this box is not limited. Only the following types of information can appear in this box.

(1) State and/or international privacy law information; and/or

(2) Acknowledgment of receipt form.”)