[Story] Understand the CFPB's legal right to request information

[natalia-fitzgerald]

User story

As a filer, I want to understand the CFPB's legal right to request my information, why they are requesting it, and how the data will be used, so that I can trust that my requested compliance has legal standing.

Acceptance criteria

• Privacy Act Notice appears on the page prior to the collection of PII

Depends on

• https://github.com/cfpb/sbl-project/issues/7

Technical tasks

• [x] #41
• [x] #42
• [x] #43

Context

@natalia-fitzgerald notes from Hank Roser re: Privacy Act Notice. It should read as follows:

Privacy Act Notice

The information in this system is being collected to facilitate the supervision of companies under CFPB’s authority. The information will be used by and disclosed to employees, contractors, agents, and others authorized by the Consumer Financial Protection Bureau to:

• enforce statutory and regulatory purposes required under [rule citation to follow];
• support another federal or state agency or regulatory authority; and,
• to a member of Congress; to the Department of Justice, a court, an adjudicative body or administrative tribunal, or a party in litigation.

The collection of this information is authorized by Pub. L. No. 111-203, Title X, Section 1011, 1012, 1021, 1024, and 1025, codified at 12 U.S.C. §§ 5491, 5492, 5511, 5514, and 5515.

This Privacy Act Notice should be provided at the point in which an individual is prompted to provide PII. This can be at the beginning of a web form before the fields that are used to collect PII, or as a hyper-prompt that displays before individuals get to the field, or other technique. So long as the Notice is provided clearly before individuals are prompted to input PII, we are compliant.

[natalia-fitzgerald]

@chynnakeys @hkeeler I am working on accommodating the "Privacy Act Notice" on the Shared data filing platform landing page (unauthenticated). The block is quite long and imposing (it takes up 1/3 of the page vertically) when placed in the body of the page. I also tried placing it in the sidebar and it takes up even more vertical space there.

In the past we have sometimes linked to a separate page for this type of content. For example this is what we do with all of the email sign up forms, for example:

• https://www.consumerfinance.gov/owning-a-home/privacy-act-statement/
• https://www.consumerfinance.gov/privacy/email-privacy-act-statement/

SBL email sign up with link to "Privacy Act Statement"	Privacy Act Statement language (on separate page)

Another approach that I found is a modal/pop-up. I found this on the SBL help form and on iRegs. I would have to check with the Design System team as to whether modals are something that we can use for certain specific use cases. I know that we have avoided them in the past because of accessibility concerns.

SBL Help form with link to "Privacy Act Statement"	Privacy Act Statement language (in modal)

Are there other use cases, other than HMDA, that you can point me to where we put all of this content on the page (rather than linking to a separate page)? If not I can reach out to some others to see some sample implementations.

[hkeeler]

It does seem pretty standard to just have a link to the Privacy Act content. Here a couple more examples:

1. Submit a complaint: https://www.consumerfinance.gov/complaint/

   Interestingly, they also have a modal for what I think is their PRA (Paperwork Reduction Act) notice, which is a little different from HMDA where that is inline on the page. However, they do have what HMDA labels CFPB Notice and Consent Banner inline on the page.

   Complaint User Registration	Privacy Act modal	OMB (PRA?) modal

2. CFPB Collect: https://portal.consumerfinance.gov/CFPBCollect/s/login/

   It puts Privacy Act and PRA statements both behind a single link, but also has the CFPB Notice and Consent Banner-like info inline. Unfortunately, seems like that link 404s, so... 🤷.

   CFPB Collect	404ing Privacy/PRA link

So, going by these patterns, it seems like Privacy Act and Paperwork Reduction Act can both be put on separate pages, but maybe the notice and consent content cannot? I think that's a Cyber requirement, so we should reach out to them to find out more.

As for modal vs. separate page, I vote 🗳️ for separate page.

[natalia-fitzgerald]

Thanks @hkeeler. I actually haven't come across exactly this type of content. It is referred to as a "Privacy Act Notice" and seems like something different than the "Notice and consent" or the "Privacy Act and Paperwork Reduction Act" statements. I don't see this type of language on the HMDA filing home or once I enter the platform.

I tracked down the original email and here's what it said:

I believe the CFPB Notice and Consent Banner language is the standard login language is used on interfaces when any individual logs into a CFPB-owned system. This message typically appears at the login screen/prompt each time a user logs in. I am unsure whether the PRA Notice is required.

The Privacy Act Notice is different in that it informs individuals how PII will be used by CFPB when submitted. Placeholder language such as this would suffice for now:

“Privacy Act Notice

The information in this system is being collected to facilitate the supervision of companies under CFPB’s authority. The information will be used by and disclosed to employees, contractors, agents, and others authorized by the Consumer Financial Protection Bureau to:

• enforce statutory and regulatory purposes required under [rule citation to follow];
• support another federal or state agency or regulatory authority; and,
• to a member of Congress; to the Department of Justice, a court, an adjudicative body or administrative tribunal, or a party in litigation.

The collection of this information is authorized by Pub. L. No. 111-203, Title X, Section 1011, 1012, 1021, 1024, and 1025, codified at 12 U.S.C. §§ 5491, 5492, 5511, 5514, and 5515.”

This Privacy Act Notice should be provided at the point in which an individual is prompted to provide PII. This can be at the beginning of a web form before the fields that are used to collect PII, or as a hyper-prompt that displays before individuals get to the field, or other technique. So long as the Notice is provided clearly before individuals are prompted to input PII, we are compliant.

I’m happy to work with your team on the Privacy Act Notice language and location. Whether the Paperwork Reduction Act notice is required should be coordinated with the CDO, and the Notice and Consent Banner prior to logging into the system would be coordinated with the project’s Cyber liaison.

[natalia-fitzgerald]

@hkeeler @chynnakeys @kristenshaw4 Here's a mock-up of an approach where we include a link (and possibly a short blurb) to the "Privacy Act Notice" in the sidebar and link to a separate page.	Privacy Act Notice (link in sidebar)	Privacy Act Notice (separate page)

[hkeeler]

👋 @billhimmelsbach. Here's the issue I mentioned at sprint planning that seemed like a good candidate for your first user story. @natalia-fitzgerald is still working on the initial research and design, but I wanted to add you now so you could track and be part of that discussion.

[natalia-fitzgerald]

@billhimmelsbach This is the latest design for this page.

[chynnakeys]

@billhimmelsbach @natalia-fitzgerald

This is the Notice and Consent Banner. The CFPB warning banner must be configured to display whenever a user is attempting to access the system, and according to NIST standards, must be displayed before granting users access to the system.

This is a Consumer Financial Protection Bureau (CFPB) information system. The CFPB is an independent agency of the United States Government. CFPB information systems are provided for the processing of official information only. Unauthorized or improper use of this system may result in administrative action, as well as civil and criminal penalties. Because this is a CFPB information system, you have no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system. All data contained on CFPB information systems is owned by CFPB and your use of the CFPB information system serves as your consent to your usage being monitored, intercepted, recorded, read, copied, captured or otherwise audited in any manner, by authorized personnel, including but not limited to employees, contractors and/or agents of the United States Government.

Still waiting for PRA guidance

[chynnakeys]

@billhimmelsbach @natalia-fitzgerald Received PRA content - Per OMB regulations, it is asked that it be placed "somewhere on the first page of the electronic form". Assuming this meaning the first page of the log in page, but if there are any questions around that, I can ask more.

Paperwork Reduction Act According to the Paperwork Reduction Act of 1995, an agency may not conduct or sponsor, and a person is not required to respond to a collection of information unless it displays a valid OMB control number. The OMB control number for this collection is 3170-0013. It expires on 08/31/2026. The time required to complete this information collection is estimated to be 3,098 hours annually per respondent. The obligation to respond to this collection of information is mandatory per the Equal Credit Opportunity Act (ECOA), 15 U.S.C. 1691 et seq., implemented by Regulation B, 12 CFR Part. Comments regarding this collection of information, including the estimated response time, suggestions for improving the usefulness of the information, or suggestions for reducing the burden to respond to this collection should be submitted to Bureau at the Consumer Financial Protection Bureau (Attention: PRA Office), 1700 G Street NW, Washington, DC 20552, or by email to PRA_comments@cfpb.gov

[billhimmelsbach]

Thanks! @chynnakeys

[natalia-fitzgerald]

@chynnakeys This is a whole lot of text to accommodate on a single page - namely the unauthenticated shared landing page. For the "Privacy Act Notice" we are linking out to a separate page to view the fill notice. Is there any flexibility to take that type of approach for the PRA content and the Notice and Consent content?

[natalia-fitzgerald]

@chynnakeys @hkeeler I'm working on some placement options for the various statements. I looked through the examples that @hkeeler posted here: https://github.com/cfpb/sbl-project/issues/29#issuecomment-1688933984. I see that there is quite a bit of variation in how this information is presented.

• HMDA Collect includes a single link: "Privacy and Paperwork Reduction Act Statements"
• Submit a complaint has two links (which open as modals):
  • Link: Privacy Act Notice
  • Link: OMB # + Number

I am exploring linking to a separate page wherever possible.

• If we link to a separate page for the OMB# can we have a link that just says the OMB# (like what is done in Submit a complaint) and then links to the full notice on a separate page? Is just the OMB control number enough context for the link text?
• Is just "Privacy Act Notice" enough context for the link to the separate page with the full notice?
• Does the full Notice and Consent banner have to appear on the page or can we link out to that too?

[chynnakeys]

I''ll reach out to these teams next week for guidance @natalia-fitzgerald

[chynnakeys]

@natalia-fitzgerald for PRA: "If you include a link to a separate page that has the full PRA Statement, but display the number on the main page, like they did in your example, that would satisfy the requirement as well."

[chynnakeys]

@natalia-fitzgerald Hank Roser is okay with us linking to a separate page "so long as the link itself is transparent and visible as an option for individuals to click on prior to moving forward in the user experience."

This refers to the Privacy Act Notice

[billhimmelsbach]

Heyo @natalia-fitzgerald! I put up a PR for the work I showed yesterday, but I marked it as requiring your design review first before the code review. Once we get your dev environment sorted, maybe we can look through what we have and decide on any changes?

[natalia-fitzgerald]

@billhimmelsbach I can do a general review of the page but the consents and disclosure UI/UX exploration has been stalled while I focus on other priorities. As soon as the exploration is completed I will post mock-ups to the Epic level issue. If you look at the Epic for this you will see an earlier mock-up. I can review what you've built so far against that but it won't include the disclosures/notice content.

[hkeeler]

Heyo @natalia-fitzgerald! I put up a PR for the work I showed yesterday, but I marked it as requiring your design review first before the code review. Once we get your dev environment sorted, maybe we can look through what we have and decide on any changes?

The frontend is now deployable to the dev env, so we could push your branch up there for review if it looks like @natalia-fitzgerald's local setup woes aren't going to be resolved soon. @gduncklee and I can help if you want to go that route.

[natalia-fitzgerald]

@chynnakeys There are a number of ways we could handle the "CFPB Notice and Consent" depending on what the requirements are. I'd like to confirm

Option 1: Show full text at desktop

• There are two options here. If we go with this one I'd probably recommend we do the summary at mobile.

Show full text on the page

• Full text is shown at all times.

Standard summary component

• Desktop view shows full text on the page
• At mobile user only sees a portion of the content.
• At mobile user can reveal the full text content by clicking "Read full CFPB Notice and Content"

Option 2: Show only header with option to show and hide full text

Expandable component

• Only the heading is shown with the "Show" control
• User can show and hide the full text content by clicking "Show" and "Hide"

Option 3: Show preview text on the page with option to show and hide full text

Minimal summary component

• Initial view shows a preview of the banner language with "Show" control
• User can show and hide the full text content by clicking "Show" and "Hide"
• This interaction is the same at desktop and mobile

[natalia-fitzgerald]

@chynnakeys @angelcardoz @hkeeler @dan-padgett @billhimmelsbach Here are mock-ups that reflects the following:

Disclosure content

• CFPB Notice and Consent is on the page in full at desktop and mobile
• Privacy Act Notice includes a heading and some preview text in the sidebar and a link that takes them to a separate page to read the full text
• Paperwork Reduction Act includes a heading and some preview text in the sidebar (including the OMB Control #) and a link that takes them to a separate page to read the full text

Sidebar links - Placeholder

I removed the "Additional resources link from the sidebar. If we want to include links they shouldn't skew toward SBL unless we want to have a set of SBL labeled links and a set of HMDA labeled links. I could include the contact phone number for the technical help desk but would a user reach HMDA or SBL or are these ultimately the same team/thing/place?

These are the links that were shown in the previous mock-up (all SBL focused):

• Final rule
• Resources for small business owners
• Technical help for filers (SBL help form)

Shared landing page (unauthenticated)	Paperwork Reduction Act statement	Privacy Act Notice

Additional things to discuss:

• Header
• Footer
• Nav bar
• Sidebar links approach
• Thoughts on what to call SBL help - I have skewed toward the generic "technical support staff" or "technical help team." This is consistent with what is already live on the site for SBL (including the SBL help form). @angelcardoz @dan-padgett - Let me know if you want to discuss in more detail.

[billhimmelsbach]

Great! I think there's some minimal work that needs to be done on these pages to square them with these designs which is exciting! 🎉

[billhimmelsbach]

For the footer, header, nav bar... I don't know what we're required to put in those sections for MVP? 🤔 I would probably lean towards only including things that are directly related to our project at first for the beta, minimizing outside links unless we're told otherwise.

[dan-padgett]

I like this way of handling the various notices.

For SBL Help, could we just say "support staff" or "help team"? I'm not sure what additional clarification "technical" provides, or whether we have any distinction between technical and non-technical help. It seems likely that a user will follow the links regardless of whether they think their question is "technical"; though maybe we'll find one or two people who pay attention to the word and wonder where to go for non-technical help.

If that's an acceptable change, I'd revise "Get technical help" to "Get help", and "Our technical help team is available to help" to "Our support staff is available to help."

[natalia-fitzgerald]

@dan-padgett I think that the distinction may be between technical questions related to filing and regulatory questions? With that being said I want our language to be as concise as possible and not include anything extra that would serve to confuse in any way.

Interested in feedback/thoughts from @angelcardoz @chynnakeys @sthomas93:

Current language

Proposed language

Here's a screenshot of the help form for SBL. This could of course be changed if we decide on shifting to removing the word "technical" from the mix.

[dan-padgett]

Agreed on wanting concise terminology. A follow on related to the Help Form: if there is a distinction between filing and regulatory questions, do they go to different places? If yes, the form should include a link to that spot to help appropriately funnel questions. If no, that's a little more evidence in favor of just removing "technical".

[natalia-fitzgerald]

@dan-padgett For the header and navigation there is the question of what should be shown. The current mock-up includes the cf.gov megamenu and navigation. A user that does not access this page with a direct link will access it via this page: https://www.consumerfinance.gov/data-research/small-business-lending. There will be a link in the "Submit your data" section.

So, here we have to decide whether we use the cf.gov navigation or we shift to a "shared platform" navigation and header bar.

cf.gov navigation

Small business lending database (home)	Shared landing page (unauthenticated)

"shared platform" navigation

• Naming of these links is placeholder. But I'd like to discuss how we think about this overall experience. Should I user feel like they are moving through multiple apps or should this feel more seamless and connected? The image here doesn't really make sense because a user isn't logged in yet. I could change it to just include Platform home and Login but that doesn't seem quite right. Filing home won't be active yet because the user has to log in to go there. So I'm somewhat stuck about what this navigation should look like if it isn't the cf.gov navigation.

Small business lending database (home)	Shared landing page (unauthenticated)

Revised to show that the user isn't logged in yet (pretty sparse and not very useful).

[natalia-fitzgerald]

@angelcardoz @chynnakeys @sthomas93 Can I get your feedback on a proposed change to the help language on the shared landing (unauthenticated) page? Whatever we decide should be reflected and consistent across SBL pages (new and existing webpages) so I'd like to be sure to have your feedback and perspectives. What we're discussing is changing "Get technical help" to "Get help" and "technical support staff" to "support staff." The question is whether the word "technical" is essential. I seem to recall that we used the word "technical" to differentiate from regs related inquiries (regs has it's own help). @nongarak - Maybe you have historical context from our FIG days?

[nongarak]

I'm not sure if technical is essential at this point. I can ask Larry Lee if it matters, but I think we did that to differentiate for the purposes of the outreach work we were doing.

[natalia-fitzgerald]

I'm not sure if technical is essential at this point. I can ask Larry Lee if it matters, but I think we did that to differentiate for the purposes of the outreach work we were doing.

Ok, if I don't hear from those I tagged that we prefer or need to keep the word "technical" for a reason we will plan to remove it.

[sthomas93]

I don't think technical help is the best term either. Technically (lol) we don't provide technical support. We help with file formats but we don't give system updates other than "clear your cache" or "clear your cookies". Any official technical question we'd bring back to the team.

[chynnakeys]

Agreed @natalia-fitzgerald support staff is fine.

[dan-padgett]

For megamenu question, I've added some additional thoughts to this thread in Figma.

Per the discussion on 12/7, I'm going to work on some ideas around navigation for the pages that a user can go to after authenticating. In general, there's not really a set standard for utility navigation (view profile, log in/out, etc) apart from keeping profile-related items towards the top right of the screen (though even then you can find some exceptions).