• Federal Regulators Finalize FCRA Affiliate-Marketing Rules: Mandatory Compliance Date Looms
  • February 28, 2008
  • Law Firm: Blank Rome LLP - Philadelphia Office
  • If your marketing programs today rely on information about consumers that you receive from your affiliates, new federal regulations could have a significant impact on your marketing efforts. Read on to find out why.

    I. Introduction

    Late last year, the Federal Trade Commission and the federal banking agencies (i.e., the Office of the Comptroller of the Currency, Federal Reserve Board, Federal Deposit Insurance Corporation, Office of Thrift Supervision, and National Credit Union Administration) published final regulations (collectively, the “Final Rule”) implementing the affiliate-marketing provisions of the Fair and Accurate Credit Transactions Act (“FACTA”).1 While the Securities and Exchange Commission is also required to publish implementing regulations for entities subject to its jurisdiction, as of this writing, the SEC’s regulations have not been finalized.

    FACTA’s affiliate-marketing provisions are part of comprehensive amendments made to the federal Fair Credit Reporting Act (“FCRA”) in December 2003. Specifically, Section 624 of FCRA (15 U.S.C. § 1681s-3) and the implementing regulations provide that, subject to some important exceptions, an entity may not use “eligibility information” received from its affiliate to market to a consumer unless the consumer has been given notice that such marketing may occur, is given an opportunity to prevent such marketing (i.e., “opt out”), and has not opted out.

    The purpose of this report is to help explain how the Final Rule relates to existing FCRA provisions on the sharing of certain types of information among affiliates; how lenders and other businesses can comply with the marketing notice and opt-out requirements; and to identify the very important and broadly drafted exceptions to the notice and opt-out requirements. While the Final Rule was effective on January 1, 2008, compliance becomes mandatory on October 1, 2008.

    II. Civil Liability and Preemption

    As with most other FCRA provisions, a violation of the affiliate-marketing rules can subject a company to civil liability. That includes potential liability for a “willful” violation of FCRA, which can result in penalties of up to $1,000 per violation, as well as punitive damages and attorneys’ fees.2 Each solicitation (e.g., letter, telephone call, e-mail, etc.) that violates Section 624 would likely be considered a separate violation with a separate penalty. When pursued as a class action, the potential for enormous damage awards is apparent.

    On the “bright side,” however, Congress has preempted any state laws that purport to regulate the marketing activities covered by Section 624.3

    III. Pre-FACTA Affiliate Information-Sharing Rules

    FCRA contains rules on when information is and is not considered a “consumer report,” including when information is shared among affiliated companies. These rules are very important in helping to delineate when the sharing of certain kinds of information may result in the sharing party being deemed a “consumer reporting agency,” and thereby subject to a variety of additional requirements.

    In particular, FCRA excludes from the definition of a consumer report information about a person’s transactions or experiences with a consumer (e.g., a consumer’s account balance with a bank or the amount of a consumer’s loan with a mortgage company).4 Thus, this kind of information can be freely shared under FCRA with both affiliates and nonaffiliated companies.5

    In addition, “other” information may be shared among affiliates without being considered a consumer report or the sharing party a consumer reporting agency, provided that the consumer is notified that such sharing may occur, is given the opportunity before the sharing occurs to opt out of the sharing, and has not opted out.6 “Other” information is basically information that is not transactional or experience information, and which would otherwise be considered a consumer report under FCRA (e.g., information contained in a consumer’s credit application, credit report information, etc.).

    The affiliate-marketing Final Rule focuses on both transactional information and “other” information by collectively defining the two types of information as “eligibility information.” In this regard, it is important to keep in mind that the affiliate-marketing rules are separate and additional requirements that focus on an affiliate’s use of information for marketing purposes, and do not alter FCRA’s existing framework for the sharing of the information among affiliates. Thus, for instance, if Affiliate A shares “other” information with Affiliate B without providing a proper affiliate-sharing notice or in derogation of a consumer’s opt-out election, Affiliate A runs the risk of being deemed a consumer reporting agency even though the affiliates may have complied with the affiliate-marketing notice requirements. Similarly, if Affiliate A properly shares its information with Affiliate B, Affiliate B’s use of the information for purposes other than making a marketing solicitation to an individual consumer is not covered by the affiliate-marketing rules.

    In short, it is important to keep in mind the distinction between the sharing of information among affiliates and the use of properly shared information by an affiliate for marketing purposes, and that nothing in the affiliate-marketing Final Rule limits the responsibility of a person to comply with FCRA’s affiliate-sharing provisions.7

    IV. Key Definitions8

    The Final Rule addresses the use by one affiliate of a consumer’s eligibility information that it has received from another affiliate to make a marketing solicitation to the consumer. First, an explanation of some key definitions is in order.

    • “Affiliate”–any company that is related by common ownership or common corporate control with another company.9
    • “Common ownership or common corporate control”–one company has with respect to the other company: (a) ownership, control, or the power to vote 25% or more of the outstanding shares of any class of voting security; (b) control over the election of a majority of the directors or similar individuals; or (c) the power to exercise a controlling influence over the management or policies of a company. In addition, “common ownership or common corporate control” will be found where any person has one or more of these relationships with both companies.10 The term “person” includes not just individuals, but also corporations, associations, trusts, etc.11
    • “Eligibility information”–As discussed above, this term means both transactional/experience information and “other” information that would normally be considered a “consumer report” but for the exclusions in 15 U.S.C. § 1681a(d)(2)(A). Importantly, eligibility information does not include aggregate or blind data that does not identify the consumer.12 In a similar vein, a list of names, addresses, telephone numbers, etc., may or may not be considered eligibility information, depending upon whether it is linked to other information that bears on one or more of the “seven factors” that can make information a consumer report (i.e., credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living).13
    • “Solicitation”–means the marketing of a product or service by a person to a particular consumer where the marketing is: (a) based on eligibility information communicated to that person by its affiliate, and (b) is intended to encourage a person to purchase or obtain a product or service (but marketing communications to the general public are not considered solicitations).14 Significantly, information need not be directly communicated between affiliates in order to be covered. It is enough that eligibility information is placed in a common database to which the affiliates have access.15

    V. Making a Solicitation for Marketing Purposes

    In recognition of the multitude of ways in which affiliated companies currently share information with and market products on behalf of each other, the Final Rule attempts (with mixed success) to establish some basic “rules of the road” for when there is the making of a solicitation for marketing purposes, with the corresponding requirement to provide an affiliate-marketing notice and opt-out opportunity (absent the existence of an available exception).

    A. In General

    A company makes a solicitation for marketing purposes where: (a) it receives eligibility information from an affiliate; (b) it uses that eligibility information to either (i) identify the consumer or type of consumer to receive a solicitation, (ii) establish criteria used to select a consumer to receive a solicitation, or (iii) decide which of its products or services to market to the consumer or tailor its solicitation to that consumer; and (c) as a result of the company’s use of the eligibility information, the consumer is provided a solicitation.16 All three requirements must be met in order for the affiliate-marketing rule to be triggered.

    Note the breadth of this provision. As discussed above, a company can receive eligibility information from an affiliate merely by placement of the information in a common database to which the company has access. In addition, there is no requirement that the company receiving the eligibility information from its affiliate directly make the solicitation to the consumer. Rather, simply analyzing the information to establish the criteria used to select the consumer can suffice to establish that a company has made use of an affiliate’s eligibility information for solicitation purposes.17

    B. Constructive Sharing

    The regulators have also clarified, however, that a company will not be deemed to have made a solicitation for marketing purposes when it engages in “constructive sharing” of an affiliate’s eligibility information.18 This issue received much attention from the regulators in the supplemental information accompanying the Final Rule, with consumer groups taking the position that constructive sharing represents an end-run around the affiliate-marketing rule.19

    To illustrate constructive sharing, the Final Rule uses the example of a creditor and its affiliated insurance company. The insurance company provides its marketing criteria to the creditor which has a pre-existing business relationship with the consumer. The creditor then applies those criteria to the eligibility information it has on its consumers and sends selected consumers the insurance company’s marketing material. Under the Final Rule, the insurance company would not be considered to have made a solicitation for marketing purposes because it did not use the creditor’s eligibility information in any way. Instead, it simply gave criteria to the creditor, which then evaluated the eligibility information of its own consumers against the criteria.20

    A similar result obtains where the creditor’s service provider, at the direction of the creditor, compares the insurance company’s criteria against the eligibility information of the creditor’s consumers, provided that the insurance company does not communicate directly with the service provider regarding use of the creditor’s eligibility information.21 The caveat is intended to ensure that the service provider is really acting on behalf of the creditor and not the insurance company.

    C. Service Providers

    The use of service providers receives further treatment in the Final Rule by identifying a narrow set of circumstances where, using the above example, the insurance company may communicate with the creditor’s service provider without triggering the affiliate-marketing requirements. This additional provision, which is rather cumbersome, is intended to delineate instances where the service provider should properly be seen as acting for the creditor (and thus a permissible example of constructive sharing), and those cases where the service provider should be viewed as really acting for the insurance company (i.e., making a solicitation for marketing purposes for the insurance company by using the creditor’s eligibility information).22

    Again using the example of a creditor with a pre-existing business relationship with consumers and the creditor’s affiliated insurance company that has no such relationship, the Final Rule provides that there is no solicitation for marketing purposes by the insurance company where the creditor’s service provider receives eligibility information from the creditor and uses that information to market the insurance company’s products or services to the creditor’s consumers, so long as: (a) the creditor controls access to and use of its eligibility information by the service provider under the terms of a written agreement with the service provider; (b) the creditor establishes specific terms and conditions under which the service provider can access and use the creditor’s eligibility information to market the insurance company’s products and services, and periodically audits the service provider’s compliance with those terms and conditions; (c) the creditor requires the service provider to implement reasonable policies and procedures to ensure that the service provider uses the creditor’s eligibility information in accordance with the creditor’s terms and conditions; (d) the creditor is identified in the insurance company’s marketing materials that are provided to the creditor’s consumers; and (e) the insurance company has not used the creditor’s eligibility information to identify the consumers to be solicited, establish the criteria used to select the consumers, or decide which products or services to offer (i.e., any such activity is done only by the creditor or its service provider).23

    VI. Affiliate-Marketing Notice and Opt-Out

    The foregoing discussion was intended to help identify when a company would be considered to be using its affiliate’s eligibility information to make a solicitation for marketing purposes. In such a case, and assuming that none of the exceptions discussed below are available, the Final Rule provides that the solicitation cannot occur unless the consumer receives a clear and conspicuous disclosure in writing, or (if the consumer agrees) electronically, that such marketing activities may occur; the consumer is given a reasonable opportunity to opt out and a simple means of doing so; and the consumer has not opted out.24

    Note first that there is no general, blanket obligation to provide an affiliate-marketing notice and opt-out. Instead, the obligation is only triggered when there will be a solicitation for marketing purposes and an exception does not apply. Thus, companies will need to consider their particular information-sharing and marketing practices (both current and expected in the future) to determine whether and under what circumstances the notice and opt-out must be given.

    While the regulators are encouraging those companies subject to GLBA to consolidate the affiliate-marketing notice with the GLBA privacy notice,25 companies must think very carefully about such an approach. Unlike GLBA, there is no requirement in the Final Rule or the statute that the affiliate-marketing notice and opt-out be given annually.

    Further, if the marketing opt-out will not be honored in perpetuity, any effort to combine the affiliate-marketing notice with the annual GLBA privacy notice will likely require changes to the form of a company’s existing privacy notice. In particular, privacy notices typically state that if a consumer has opted out he need not do so again. However, as discussed below, companies only need to honor an affiliate-marketing opt-out for five years, and then must give the consumer the opportunity to renew the opt-out election.

    Thus, if a company chooses to set a time limit on the affiliate-marketing opt-out and combine the notice with the privacy notice, the privacy policy would need to make clear that any statement to the effect that a consumer need not opt out again does not apply to the affiliate-marketing notice. Indeed, the regulators have acknowledged that consolidation of the GLBA privacy notice and the affiliate-marketing notice is most likely to occur where an affiliate-marketing opt-out will be honored in perpetuity.26

    When a notice is provided, a company must also track those consumers who opt out of affiliate marketing; but, again, if an exception applies or the particular marketing activity is not considered a solicitation for marketing purposes under the Final Rule, the marketing could occur notwithstanding a consumer’s opt-out. Following are some additional issues to consider in connection with the notice and opt-out requirements.

    A. Content of the Opt-Out Notice

    The opt-out notice must identify the name of the affiliate providing the notice (or each of the affiliates if it is provided on behalf of multiple affiliates). If the notice is provided on behalf of affiliates identified by a common name, the notice need not identify the full name of each affiliate, but instead can state that it is provided by the multiple companies with the common name (e.g., the “ABC companies”). The notice must also identify the affiliates or types of affiliates whose use of eligibility information is covered by the notice.

    In addition, the notice must describe the types of eligibility information that may be used to make solicitations; that the consumer may elect to limit the use of eligibility information for solicitations; that the consumer’s election will apply for a specified period of time, and, if applicable, that the consumer will be able to renew the election once that period expires; if the notice is provided to a consumer who may have previously opted out (for instance, where the company elects to provide the notice annually as part of its GLBA privacy notice) that the consumer need not opt out again until he or she receives a renewal notice; and, finally, the notice must provide a reasonable and simple method to opt out.27

    The Final Rule includes model notices that companies can use.28 In addition, an interagency proposed rule for a model safe-harbor GLBA privacy notice addresses how institutions can incorporate the affiliate-marketing notice into the GLBA privacy notice (but please note that this is only a proposed rule).29

    B. Who Must Provide the Notice?

    The notice must be provided by an affiliate that had or has a pre-existing business relationship with the consumer, or as part of a joint notice from two or more affiliated companies, so long as at least one of the affiliates had or has a pre-existing business relationship with the consumer.30 The point (or hope) is that consumers will be more likely to pay attention to notices received from companies with whom they have or had pre-existing business relationships. What constitutes a “pre-existing business relationship” is discussed below.

    C. Delivery of Opt-Out Notices

    An opt-out notice must be delivered to a consumer so that the consumer can reasonably be expected to receive actual notice. Examples include physical delivery, by mailing, by e-mail to a consumer who has agreed to receive electronic disclosures, or by posting on a Web site where the consumer obtained a product or service, so long as the consumer acknowledges receipt of the notice from the Web site.31

    D. Opportunity to Opt Out

    The consumer must be provided with both a reasonable opportunity to opt out and a simple means of doing so. While there is no mandatory waiting period once an opt-out notice is delivered to the consumer, the Final Rule provides a safe harbor if 30 days have passed with no opt-out election from the consumer.32 A consumer may also be deemed to have had a reasonable opportunity to opt out when the consumer must decide whether to opt out as a necessary part of proceeding with the transaction.33

    Examples of a simple means to opt out include designating a check-off box on an opt-out form, providing an electronic means to opt out if the consumer has agreed to electronic delivery of information, and providing a toll-free telephone number that consumers can use.34

    E. Scope and Duration of an Opt-Out

    The Final Rule provides for flexibility in determining the scope of the opt-out, with a key factor being the adequacy of disclosure in the opt-out notice. In particular, a consumer’s opt-out can apply to a single continuing relationship, multiple continuing relationships, a relationship with just one affiliate, or a relationship with several affiliates. If a consumer elects to opt out (which the consumer may do at any time), the election must be honored for at least five years from the date the consumer’s opt-out election is received and implemented, unless the consumer subsequently revokes the opt-out election in writing or electronically. Companies also have the option of honoring an opt-out election in perpetuity. Importantly, the duration of an opt-out election is not affected by the termination of a customer relationship. Even after terminating a relationship with a consumer, an opt-out election remains in force.35 Similarly, if a consumer has not opted out, subsequently terminates his relationship with the company, and then later establishes a new relationship, a new opt-out notice will need to be provided, at least with respect to eligibility information obtained from the new relationship.36

    F. Renewal Notices

    For those companies that choose not to honor an opt-out election in perpetuity, the Final Rule requires them to send to a consumer who has opted out a renewal notice before the expiration of the opt-out period (which must be at least five years) and to allow the consumer an opportunity to renew his opt-out election for at least another five years. The renewal notice cannot simply be another copy of the initial notice provided to the consumer. Instead, the renewal notice must, among other things, specifically advise the consumer that his opt-out election has expired or is about to expire and that the consumer may elect to renew his previous opt-out election.37

    Note that, by its terms, the “renewal” notice need only be given to those consumers that have exercised their opt-out rights. Further, while a consumer may opt out at any time, and while the Final Rule permits (but does not require) the affiliate-marketing notice to be combined with the initial and annual GLBA privacy notices, there is no requirement that consumers be periodically reminded of their opt-out rights.

    VII. Exceptions

    FACTA provides several important exceptions to the affiliate-marketing requirements, which are restated and amplified in the Final Rule.38 Close attention must be paid to these exceptions because they can have a significant impact on your affiliate-marketing activities. For instance, even if there is the “making of a solicitation for marketing purposes,” if an exception is available, an affiliate-marketing notice and opt-out opportunity is not required. Similarly, if a consumer has received notice and exercised his opt-out rights, a marketing solicitation that is covered by an exception may occur, notwithstanding the opt-out election.39 Discussed below are some of the more significant exceptions that companies may be able to utilize.

    A. Pre-existing Business Relationship

    The affiliate-marketing notice and opt-out does not apply where a company has a pre-existing business relationship with the consumer. There are two important points to make about this exception. First, the pre-existing business relationship must be between the consumer and the company whose products or services are being marketed to the consumer. Thus, using the example of the creditor and its affiliated insurance company, the fact that the creditor has a pre-existing business relationship with a consumer would not allow the insurance company to use eligibility information received from the creditor to make an insurance solicitation to the consumer (even where the solicitation was made by the creditor on behalf of the insurance company). In contrast, the pre-existing business relationship exception would apply where the insurance company also has a pre-existing business relationship with the consumer.

    Second, the definition of “pre-existing business relationship” is very specific. There must be either: (a) a financial contract between the person and the consumer which is in effect on the date the consumer is sent a solicitation; (b) a purchase, rental, or lease by the consumer of the person’s goods or services or a financial transaction during the 18-month period immediately preceding the date on which the consumer is sent a solicitation; or (c) an inquiry or application by the consumer regarding a product or service offered by that person in the three-month period immediately preceding the date on which the consumer is sent a solicitation.40

    B. Consumer-Initiated Communications

    Under this exception, the notice and opt-out provisions do not apply where a solicitation is in response to a communication that is initiated by the consumer, whether in writing, orally, electronically, or otherwise. The Final Rule gives the example of a consumer contacting his lender to inquire about how to save and invest in a child’s education, without identifying a particular product in which the consumer may be interested. In such a case, the lender’s eligibility information about the consumer may be used by any of the lender’s affiliates that offer products responsive to the consumer’s request.41

    C. Consumer Authorization or Request

    Similarly, the notice and opt-out provisions do not apply where the consumer specifically authorizes or requests a solicitation. Note that the authorization can be given to either the company with whom the consumer has a relationship or to the affiliate from whom the consumer would like to receive a solicitation.42 As with the consumer-initiated communication exception, the request or authorization need not be in writing, but must still be a specific request or authorization. In addition, the solicitation must be responsive to the request (i.e., the consumer’s authorization cannot be used to market products that are unrelated to the consumer’s request).

    VIII. Application of Effective Date

    As discussed above, the Final Rule has a mandatory compliance date of October 1, 2008. In a significant concession to the industry, FACTA provides that the affiliate-marketing provisions do not apply to information that a company receives prior to the date on which the company is required to comply with the affiliate-marketing regulations.43 In other words, eligibility information that a company has received from its affiliate prior to October 1, 2008, may be used for marketing solicitations without regard to the affiliate-marketing rules. Further, the Final Rule clarifies that information is considered received by a company for this purpose when it is placed in a common database to which the company has access (even though the company in fact may not have accessed the information).44

    IX. Conclusion

    As this report illustrates, the affiliate-marketing rules are very fact-specific and whether and how they apply will depend upon the particular circumstances. Careful attention must be paid to the definitions in the Final Rule (including what is and is not “eligibility information”); whether there exists the making of a solicitation for marketing purposes; the manner and timing in which the affiliate-marketing notice and opt-out is provided; the content of the affiliate-marketing notice; and the exceptions that may take certain marketing activities outside the affiliate-marketing rules.


    1. See 72 Fed. Reg. 61424 (Oct. 31, 2007); 72 Fed. Reg. 62910 (Nov. 7, 2007).
    2. 15 U.S.C. § 1681n.
    3. 15 U.S.C. § 1681s-3(c); 15 U.S.C. § 1681t(b)(1)(H), (c)(2).
    4. 15 U.S.C. § 1681a(d)(2)(A)(i), (ii).
    5. However, when shared with nonaffiliated companies, such information may be subject to the privacy provisions of the Gramm-Leach-Bliley Act ("GLBA").
    6. 15 U.S.C. § 1681a(d)(2)(A)(iii).
    7. See 16 C.F.R. § 680.21(e).
    8. The remaining discussion of the Final Rule will cite to the Federal Trade Commission’s final rule, which can be found at 16 C.F.R. Part 680 and Appendix C to Part 698. The largely identical regulations for banks can be found in the appropriate parts of Title 12 of the Code of Federal Regulations. See 72 Fed. Reg. 62910 (Nov. 7, 2007).
    9. 16 C.F.R. § 680.3(b).
    10. 16 C.F.R. § 680.3(d).
    11. 16 C.F.R. § 680.3(i).
    12. 16 C.F.R. § 680.3(h).
    13. See 15 U.S.C. § 1681a(d)(1).
    14. 16 C.F.R. § 680.3(k)(1); 16 C.F.R. § 680.3(k)(2).
    15. 16 C.F.R. § 680.21(b)(2).
    16. 16 C.F.R. § 680.21(b)(1).
    17. See 16 C.F.R. § 680.21(b)(6)(ii).
    18. 16 C.F.R. § 680.21(b)(4).
    19. See, e.g., 72 Fed. Reg. at 61436-37.
    20. 16 C.F.R. § 680.21(b)(4)(i), (6)(iii). However, the regulators were careful to note that constructive sharing must still comply with FCRA’s affiliate sharing rules. See 72 Fed. Reg. at 61436 and n.13.
    21. 16 C.F.R. § 680.21(b)(4)(ii), (b)(6)(iv).
    22. See 72 Fed. Reg. at 61436-37.
    23. 16 C.F.R. § 680.21(b)(5), (b)(6)(v).
    24. 16 C.F.R. § 680.21(a)(1).
    25. See, e.g., 72 Fed. Reg. at 61445.
    26. See 72 Fed. Reg. at 61450.
    27. 16 C.F.R. § 680.23(a)(1).
    28. See 16 C.F.R. Part 698, Appendix C.
    29. See 72 Fed. Reg. 14940 (Mar. 29, 2007).
    30. 16 C.F.R. § 680.21(a)(3).
    31. 16 C.F.R. § 680.26(a), (b).
    32. 16 C.F.R. § 680.24(b).
    33. Id.
    34. 16 C.F.R. § 680.25.
    35. 16 C.F.R. § 680.22(b), (c).
    36. 16 C.F.R. § 680.22(a)(5).
    37. 16 C.F.R. § 680.27(b).
    38. See 16 C.F.R. § 680.21(c)(1)-(6), (d).
    39. However, this would not apply to one particular exception dealing with the use of service providers, which states that service providers may be used to perform services for an affiliate, but cannot send solicitations on behalf of the affiliate where the affiliate is prohibited from doing so because of the consumer's opt-out election. See 16 C.F.R. § 680.21(c)(3).
    40. The Final Rule provides several examples of what is and is not a pre-existing business relationship. See 16 C.F.R. § 680.3(j)(2), (3). These examples must be studied carefully before relying on this exception.
    41. See 16 C.F.R. § 680.21(d)(3)(ii).
    42. 16 C.F.R. § 680.21(d)(4)(i).
    43. 15 U.S.C. § 1681s-3(a)(5).
    44. 16 C.F.R. § 680.28(c).