2021-25735. Privacy of Consumer Financial Information Rule Under the Gramm-Leach-Bliley Act  

    AGENCY:

    Federal Trade Commission.

    ACTION:

    Final rule.

    SUMMARY:

    The Federal Trade Commission is amending its Privacy Rule to revise the rule's scope, to modify the rule's definitions of “financial institution” and “Federal functional regulator,” and to update the rule's annual customer privacy notice requirement. The amendments also remove certain examples in the rule that apply to financial institutions that now fall outside its scope. This action is necessary to conform the rule to the current requirements of the Gramm-Leach-Bliley Act (“GLBA”), as amended by the Dodd-Frank and FAST Acts, and the Commission's revisions to the Safeguards Rule, which are being announced simultaneously through a separate document published elsewhere in this issue of the Federal Register.

    DATES:

    The amendments are effective January 10, 2022.

    FOR FURTHER INFORMATION CONTACT:

    David Lincicum (202-326-2773), Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580.

    SUPPLEMENTARY INFORMATION:

    I. Background

    A. The Statute and Regulation

    The GLBA was enacted in 1999.[1] The GLBA, among other things, requires that financial institutions provide their customers with initial and annual notices regarding their privacy practices, and allow their customers to opt out of sharing their information with certain nonaffiliated third parties.

    Rulemaking authority to implement the GLBA's privacy provisions was initially spread among multiple agencies. The Federal Reserve Board (“the Fed”), the Office of Comptroller of the Currency (“OCC”), the Federal Deposit Insurance Corporation (“FDIC”), and the Office of Thrift Supervision (“OTS”) jointly adopted final rules to implement the notice and opt-out requirements of the GLBA in 2000.[2] The Commission, the National Credit Union Administration (“NCUA”), the Securities and Exchange Commission (“SEC”), and the Commodity Futures Trading Commission (“CFTC”) were part of the same interagency process, but each issued their rules separately.[3] In 2009, all those agencies jointly adopted a model form financial institutions could use to provide the required initial and annual privacy disclosures.[4]

    As originally promulgated, the FTC's Privacy Rule covered a broad range of non-bank financial institutions such as payday lenders, mortgage brokers, check cashers, debt collectors, real estate appraisers, certain motor vehicle dealers, and remittance transfer providers. In 2010, the Dodd-Frank Act [5] transferred the majority of GLBA's privacy rulemaking authority from the Fed, NCUA, OCC, OTS, FDIC, and the Commission (in part) to the Consumer Financial Protection Bureau (“CFPB”). The CFPB then restated the implementing regulations in Regulation P, 12 CFR part 1016, in late 2011 (“Regulation P”).[6] However, under section 1029 of the Dodd-Frank Act, the Commission retained rulemaking authority for certain motor vehicle dealers.[7] Thus, in 2012, the Commission announced it was retaining the implementing regulations governing privacy notices for motor vehicle dealers at 16 CFR part 313.[8]

    Despite the transfer of general rulemaking authority for the Privacy Rule to the CFPB, the Commission and other agencies retain their existing enforcement authority under the GLBA.[9] In addition, the SEC and CFTC retain rulemaking authority with respect to securities and futures-related companies, respectively.[10] Accordingly, as part of this rulemaking process, the Commission has consulted and coordinated, or offered to consult, with those agencies that have rulemaking and/or enforcement authority under the GLBA, including the CFPB, SEC, CFTC, and the National Association of Insurance Commissioners (“NAIC”).[11]

    On December 4, 2015, Congress amended the GLBA as part of the FAST Act. This amendment, titled Eliminate Privacy Notice Confusion,[12] added GLBA subsection 503(f). This subsection provides an exception under which financial institutions that meet certain conditions are not required to provide annual privacy notices to customers.

    B. The Privacy Notice Requirements

    As noted, the current Privacy Rule, as modified after Congress enacted the Dodd-Frank Act, requires motor vehicle dealers provide consumers with notices describing their privacy policies. Specifically, it requires covered entities to provide an initial notice of these policies,[13] and then “provide a clear and conspicuous notice to customers that accurately reflects [their] privacy policies and practices not less than annually during the continuation of the customer relationship.” [14]

    The rule requires that initial and annual notices inform customers of their right to opt out of the sharing of nonpublic personal information with some types of nonaffiliated third parties.[15] For example, a customer has the right to opt out of allowing a motor vehicle dealer to sell her name and address to a nonaffiliated auto insurance company.[16] On the other hand, a motor vehicle dealer is not required to allow consumers to opt out of the dealer's sharing involving third-party service providers, joint marketing arrangements, maintenance and servicing of accounts, securitization, law enforcement and compliance, reporting to consumer reporting agencies, and certain other specified activities.[17] Accordingly, if a motor vehicle dealer limits its sharing to uses that do not trigger opt-out rights, it may provide an annual privacy notice to its customers that does not include information regarding opt-out rights.

    Motor vehicle dealers also may include in the annual privacy notice information about certain consumer opt-out rights related to affiliate sharing under the Fair Credit Reporting Act (“FCRA”). First, section 603(d)(2)(A)(iii) of the FCRA allows the sharing of a consumer's information among affiliates, but only if the consumer is notified of such sharing and is given an opportunity to opt out.[18] Section 503(c)(4) of the GLBA and the Privacy Rule generally require motor vehicle dealers to incorporate any notifications and opt-out disclosures provided pursuant to section 603(d)(2)(A)(iii) of the FCRA into their initial and annual privacy notices.[19]

    In addition, section 624 of the FCRA and the FTC's Affiliate Marketing Rule [20] provide that an affiliate of a motor vehicle dealer that receives certain information about a consumer from the dealer may not use that information for marketing purposes, unless the consumer is provided with an opportunity to opt out of that use.[21] This requirement governs the use of information by an affiliate, not the sharing of information among affiliates, and thus is distinct from the affiliate sharing opt-out discussed above. The Affiliate Marketing Rule permits (but does not require) motor vehicle dealers to incorporate any opt-out disclosures provided under section 624 of the FCRA and the Affiliate Marketing Rule into the initial and annual privacy notices required by the GLBA.[22]

    Finally, § 313.6(a)(8) of the Privacy Rule requires the initial and annual notices briefly describe how motor vehicle dealers protect the nonpublic personal information they collect and maintain.[23]

    II. Revision of the Privacy Rule

    On April 4, 2019, the Commission issued a notice of proposed rulemaking [24] setting forth amendments to the Privacy Rule (the “Proposed Amendments”) proposing three types of changes to the Privacy Rule: (1) Technical changes to the rule to correspond to the reduced scope of the rule due to Dodd-Frank Act changes, which primarily consist of removing references that do not apply to motor vehicle dealers; (2) modifications to the annual privacy notice requirements to reflect the changes made to the GLBA by the FAST Act; and (3) a modification to the scope and definition of “financial institution” to include entities engaged in activities incidental to financial activities, which would bring the rule into accord with the CFPB's Regulation P. The Commission received four comments related to the proposed amendments, to which it responds below.[25]

    A. Technical Changes To Correspond to Statutory Changes Resulting From the Dodd-Frank Act

    (1) Section 313.1(b)

    The proposed amendment to § 313.1(b) narrowed the description of the scope of the Privacy Rule to those entities set forth in the Dodd-Frank Act: [26] Those predominantly engaged in the sale and servicing of motor vehicles or the leasing and servicing of motor vehicles, excluding those dealers that directly extend credit to consumers and do not routinely assign the extensions of credit to an unaffiliated third party. It also removed the reference in the rule's scope to “other persons,” because the Commission no longer has rulemaking authority for the Privacy Rule over “other persons.” Finally, the Proposed Amendments eliminated from § 313.1(b) the note indicating (1) the Privacy Rule does not modify, limit, or supersede the standards under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and (2) if a financial institution that is an institution of higher education is in compliance with the Federal Educational Rights and Privacy Act (“FERPA”) and its implementing regulations, such institution shall be deemed in compliance with the Privacy Rule.

    The Commission received two comments on these proposed changes. One commenter asked why the rule would not cover dealers that directly extend credit to consumers.[27] In response, the Commission notes the Dodd-Frank Act excludes these dealers from the Commission's rulemaking authority under the GLBA. The Commission continues to have enforcement authority over these dealers under Regulation P.

    Another commenter, the National Association of Automobile Dealers (“NADA”), supported eliminating the references to HIPAA and FERPA, agreeing that these provisions would not apply to automobile dealers.[28] Given that it received no other substantive comments, the Commission adopts the changes as proposed.

    (2) Section 313.3

    To help companies understand whether and how the rule applies to them, the current rule includes examples of financial institutions in § 313.3(k)(2), examples of consumers in § 313.3(e)(2), examples of what would constitute establishing a customer relationship in § 313.3(i)(2)(i), and examples of what is not a customer relationship in § 313.2(i)(2)(ii). The Proposed Amendments to § 313.3 removed examples not likely to apply in the context of motor vehicle dealers.

    NADA was the only commenter who opined on this issue. It agreed the examples proposed for removal do not apply to motor vehicle dealers and supported their deletion. Accordingly, the final rule deletes these examples as proposed.

    NADA advocated for removal or modification of additional terms or examples that it asserted would not apply in the motor vehicle context. The Commission declines to make the changes suggested by NADA, for the reasons described below.

    a. Loans

    NADA argued the examples in the final rule should not include the word “loans” because motor vehicle dealers “do not generally issue ‘loans,’” but instead provide financing assistance or enter into retail installment sale contracts or leases. NADA suggested the term “loan” be replaced with “financing,” or “finance or lease contract.” [29] The Commission declines to modify existing examples in this manner. It believes the Privacy Rule should be substantively identical to Regulation P so financial institutions within the Commission's enforcement authority are subject to the same requirements, regardless of whether they are subject to Regulation P or the Privacy Rule. Although the Commission recognizes some examples it has retained may not apply well to the motor vehicle context,[30] changing the language of an example, as opposed to completely removing it, could be read as a change to the substance of the rule. Accordingly, the Commission declines to change an existing term in the final rule.[31]

    b. Examples of Continuing Relationships

    NADA suggested removing the term “investment accounts” from the example of a continuing relationship § 313.3(i)(2)(i)(A), as such accounts are not offered by motor vehicle dealers. As discussed above, however, the Commission declines to modify existing examples and does not adopt this change in the final rule. NADA also took issue with § 313.3(i)(2)(i)(D), which states a consumer has a continuing relationship with a financial institution when the consumer enters into an “agreement or understanding” with the financial institution in which the financial institution undertakes “to arrange credit to purchase a vehicle for the consumer.” NADA noted when motor vehicle dealers arrange credit for a consumer, they then assign that agreement to a third party and do not continue the relationship with the consumer.

    Although motor vehicle dealers may transfer the credit agreement to another financial institution, a continuing relationship is formed by the agreement and persists for as long as the motor vehicle dealer retains the agreement. The continuing relationship between the motor vehicle dealer and the consumer will end upon the transfer of the agreement, but until that transfer occurs, the consumer is the motor vehicle dealer's customer for purposes of the Privacy Rule. Accordingly, the Commission declines to remove this example from the final rule.

    NADA also argued the term “understanding” in paragraph (i)(2)(i)(D) is confusing because it is not clear what an “understanding” would mean in this context, and motor vehicle dealers do not enter into informal relationships to arrange credit for consumers. The Commission believes, however, while informal understandings may be unusual for motor vehicle dealers, it is possible some dealers may engage in such practices and the example should continue to make clear that such arrangements create continuing relationships. In addition, as discussed above, the Commission declines to change the language of examples retained in the final rule.

    c. Examples of No Continuing Relationships

    NADA argued the example in § 313.3(i)(2)(ii)(A) does not apply to motor vehicle dealers. This example states no continuing relationship is created when a “consumer obtains a financial product or service from [the financial institution] only in isolated transactions, such as cashing a check with [the financial institution] or making a wire transfer through” the financial institution. NADA argued motor vehicle dealers generally do not engage in these activities, and while “it is theoretically possible that a dealer somewhere may offer, under unique circumstances, to cash a check for a customer, [NADA] is not aware of that service being offered by dealers and the possibility is attenuated at best.” [32] The Commission does not agree that this example should be removed. Although check cashing and wire transfer transactions may be unlikely at motor vehicle dealerships, these are helpful examples of the types of isolated transactions that do not create an ongoing relationship and, even for motor vehicle dealers that do not engage in these particular activities, they illustrate the principle well. The final rule retains this example.

    NADA also questioned the inclusion of § 313.3(i)(2)(ii)(C), which states a continuing relationship is not created when a “consumer obtains one-time personal appraisal services from” the financial institution. NADA asked whether this would apply when a motor vehicle dealer appraises a consumer's used vehicle for trade-in value. The Commission believes that is precisely the type of appraisal suggested by the example. NADA also questioned how “such appraisal activity by a dealer could, as an initial matter be deemed to create a Customer relationship.” [33] The Commission believes, however, negative examples are useful to clarify the definition and, therefore, the final rule retains this example.

    B. Modifications to the Annual Privacy Notice To Reflect Statutory Changes Resulting From the FAST Act

    The Commission also proposed changing the Privacy Rule provisions governing how motor vehicle dealers should deliver annual privacy notices.

    Section 313.5(e)

    The proposed change to § 313.5(a)(1) added a statement that § 313.5(e) provides an exception to the general rule requiring the delivery of annual notices. Section 313.5(e) in turn sets forth the exception, which was taken from the FAST Act, and adopted by the CFPB in its amendments to Regulation P.[34] It stated the annual notice need not be provided if (1) the financial institution has shared nonpublic personal information only in accordance with the provisions of §§ 313.13, 313.14, and 313.15, none of which require an opt-out opportunity be provided to customers; and (2) the financial institution's disclosure policies and practices remain unchanged from the most recent privacy notice.

    Proposed § 313.5(e)(2) set forth the timing for resuming delivery of the annual notice if a financial institution no longer met requirements for the exception.

    The Commission received no comments on the substance of this paragraph and adopts it without modification.[35]

    C. Modifications to Scope and Definitions To Bring the Rule Into Accord With Regulation P

    The Proposed Amendments changed the scope of the Privacy Rule and its definition of a “financial institution” in order to bring the Commission's rule into accord with Regulation P. As explained in the NPRM, when first promulgating the Privacy Rule, the Commission determined companies engaged in activities “incidental to financial activities” would not be considered “financial institutions.” [36] The Commission was the only agency to adopt this restrictive definition in its Privacy Rule, while the other agencies included incidental activities. In addition, the Commission decided activities determined to be financial in nature after the enactment of the GLBA would not be automatically included in its Privacy Rule; rather, the Commission would have to take additional action to include them.[37] The effect of these two decisions was to limit the activities covered by the Commission's rules to those set out in 12 CFR 225.28 as it existed in 1999, and to exclude any activities later determined by the Fed to be financial activities or incidental to those activities.[38]

    The Commission proposed modifying the definition of “financial institution” to harmonize the Privacy Rule with other agencies' rules. The Commission proposed to amend § 313.1(b) to include companies that engage in activities financial in nature or incidental to such financial activities in the scope of the rule. Likewise, it proposed amending the definition of “financial institution” in § 313.3(k), to include any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities. The effect of this proposed amendment would be to cause “finders” to be included in this definition, thereby bringing the Privacy Rule into harmony with the scope of entities covered by other agencies under Regulation P.

    The Commission received only two comments that addressed this proposed change in the Privacy Rule.[39] NADA asked whether the proposed rule would apply to finders acting for a motor vehicle dealer.[40] As discussed above, the Commission's Privacy Rule applies only to motor vehicle dealers and so would apply only to finders that are also motor vehicle dealers. If a finder is not itself a motor vehicle dealer then the rule does not apply, even if the finder is acting to connect motor vehicle dealers with potential customers. Given that this scenario is unlikely, modifying the definition of “financial institution” for purposes of the Privacy Rule has little practical effect. Nevertheless, the Commission is modifying the definition for purposes of consistency with Regulation P and the Safeguards Rule.

    An individual consumer asked how often an entity must engage in an incidental activity to be considered a financial institution.[41] As with other financial activities under the existing rule, an entity is a financial institution only if it is “significantly engaged” in the incidental activities.

    The Commission adopts the proposed amendment without change.

    Section 313.15(a)(4)

    Finally, the Commission proposed to amend § 313.15(a)(4) to add the CFPB to the list of law enforcement agencies to which financial institutions are permitted to share information to the extent permitted by law. The Commission received no comments on this change and adopts it as proposed.

    Section 313.18

    Section 313.18 set forth the effective date for the rule and prescribed requirements for institutions' compliance with the rule as to customers who were already customers at the time the rule was first promulgated. The relevant dates have long since passed. Section 313.18(a)(2) also provided an exception, stating this “part is not effective as to any institution that is significantly engaged in activities that the Federal Reserve Board determines, after November 12, 1999 . . . are activities that a financial holding company may engage in, until the Commission so determines.” As discussed above, the Commission has determined herein that this rule applies to financial institutions that engage in activities financial in nature or incidental to such financial activities, including entities significantly engaged in activities the Federal Reserve Board has determined, after November 12, 1999, are activities a financial holding company may engage in. Accordingly, the final rule removes § 313.18 in its entirety.

    III. Paperwork Reduction Act

    Under the Paperwork Reduction Act of 1995 (“PRA”),[42] Federal agencies are generally required to seek Office of Management and Budget (“OMB”) approval for information collection requirements prior to implementation. Under the PRA, the Commission may not conduct or sponsor, and, notwithstanding any other provision of law, a person is not required to respond to an information collection, unless the information collection displays a valid control number assigned by OMB.

    This amendment modifies 16 CFR part 313. The collections of information related to the Privacy Rule and the FAST Act statutory exceptions to the rule's annual notice requirement have been previously reviewed and approved by OMB in accordance with the PRA.[43]

    Under the existing clearance, the FTC has attributed to itself the estimated burden regarding all motor vehicle dealers and shares equally the remaining estimated PRA burden with the CFPB for other types of financial institutions for which both agencies have enforcement authority regarding the GLBA Privacy Rule.[44]

    The amendments do not modify or add to information collection requirements previously approved by OMB. First, the Commission anticipates the expansion of the definition of “financial institution” to include entities engaged in activities incidental to financial activities will have little to no effect. It is not clear any finders that are also motor vehicle dealers are not already covered by the rule through their activities as motor vehicle dealers.

    Second, the removal of certain examples provided in the rule that are not applicable to motor vehicle dealers will have no impact on existing information collection requirements.

    Therefore, the Commission does not believe the amendments substantially or materially modify any “collections of information” as defined by the PRA.

    The Commission sought comment on whether there are any finders in existence that would be covered by the proposed rule and are not covered by the current rule. The Commission received no comments that suggested such entities exist.

    IV. Regulatory Flexibility Act

    The Regulatory Flexibility Act (“RFA”), as amended by the Small Business Regulatory Enforcement Fairness Act of 1996, requires an agency to either provide an Initial Regulatory Flexibility Analysis (“IRFA”) with a proposed rule, or certify that the proposed rule will not have a significant impact on a substantial number of small entities.[45] The Commission does not believe this amendment to the Privacy Rule has the threshold impact on small entities. First, most of the changes effectuate statutory changes from the Dodd-Frank Act and the FAST Act. Second, the Commission does not expect the amendment to impose costs on small motor vehicle dealers because the amendments are primarily for clarification purposes and should not result in any increased burden on any motor vehicle dealer. Thus, a small entity that complies with current law need not take any different or additional action under the final rule.

    Accordingly, the Commission believes the rule will not have a significant economic impact on small entities. The final rule would add requirements only to motor vehicle dealers that function as finders and do not already engage in other financial activities that would cause them to be financial institutions under the rule. The Commission has not identified any such entities. Therefore, the Commission certifies the rule will not have a significant economic impact on a substantial number of small businesses.

    In this document, the Commission adopts the amendments proposed in its NPRM with only minimal modifications. In its Initial Regulatory Flexibility Analysis (“IRFA”), the Commission determined the proposed rule would not have a significant impact on small entities because there were no small businesses that were being subjected to new burdens as a result of the amendments. Although the Commission certifies under the RFA that the rule will not have a significant impact on a substantial number of small entities, and hereby provides notice of that certification to the Small Business Administration, the Commission nonetheless has determined publishing a final regulatory flexibility analysis (“FRFA”) is appropriate to ensure the impact of the rule is fully addressed. Therefore, the Commission has prepared the following analysis:

    1. Need for and Objectives of the Final Rule

    To address the Dodd-Frank Act and FAST Act changes the amendments change the Privacy Rule's scope and definition of “financial institution”; change the annual notice requirement; and remove certain examples provided in the rule that are not applicable to motor vehicle dealers. With this action, the Commission makes the current, narrow scope of the rule clearer. Additionally, the modification of the definition of “financial institution” to cover motor vehicle dealers engaged in “activities incidental to financial activities” harmonizes the Privacy Rule with other agencies' rules.

    2. Significant Issues Raised in Public Comments in Response to the IRFA

    The Commission did not receive any comments that addressed the burden on small entities. In addition, the Commission did not receive any comments filed by the Chief Counsel for Advocacy of the Small Business Administration (“SBA”).

    3. Estimate of Number of Small Entities To Which the Final Rule Will Apply

    The Commission anticipates many covered motor vehicle dealers may qualify as small businesses according to the applicable SBA size standards.[46] As explained in the IRFA, however, determining a precise estimate of the number of small entities—including newly covered entities under the modified definition of financial institution—is not readily feasible. No commenters addressed this issue. Nonetheless, as discussed above, these amendments will not add any additional burdens on any covered small businesses.

    4. Projected Reporting, Recordkeeping, and Other Compliance Requirements

    The amendments do not impose any new or substantively revised “collections of information,” as defined by the PRA.

    5. Description of Steps Taken To Minimize Significant Economic Impact, if Any, on Small Entities, Including Alternatives

    The Commission did not propose any specific small entity exemption or other significant alternatives because the amendment is not expected to increase reporting requirements and will not impose any new requirements or compliance costs. The Commission anticipates the amendments will reduce the burden for many covered entities associated with the Privacy Rule annual notice. The amendments retain the flexibility already present in the existing rule, which allows notices to be provided in a variety of ways, including electronically in some circumstances. As to the core requirements of the rule, they come from GLBA itself, as amended by the Dodd-Frank and the FAST Act. The statute prescribes the definition of financial institutions to be covered by the rule and sets forth the specific requirements, which the Commission cannot modify to ease burdens on small entities. Therefore, the Commission does not believe any alternatives for small entities are required or appropriate.

    V. Other Matters

    Pursuant to the Congressional Review Act (5 U.S.C. 801 et seq.), the Office of Information and Regulatory Affairs designated this rule as not a “major rule,” as defined by 5 U.S.C. 804(2).

    List of Subjects in 16 CFR Part 313

    • Consumer protection
    • Credit
    • Data protection
    • Privacy
    • Trade practices

    For the reasons stated above, the Federal Trade Commission amends 16 CFR part 313 as follows:

    PART 313—PRIVACY OF CONSUMER FINANCIAL INFORMATION

    1. The authority citation for part 313 is revised to read as follows:

    Authority: 15 U.S.C. 6801 et seq., 12 U.S.C. 5519.

    2. Amend § 313.1 by revising paragraph (b) to read as follows:

    § 313.1 Purpose and scope.
    * * * * *

    (b) Scope. This part applies only to nonpublic personal information about individuals who obtain financial products or services primarily for personal, family or household purposes from the institutions listed below. This part does not apply to information about companies or about individuals who obtain financial products or services for business, commercial, or agricultural purposes. This part applies to those “financial institutions” over which the Federal Trade Commission (“Commission”) has rulemaking authority pursuant to section 504(a)(1)(C) of the Gramm-Leach-Bliley Act. An entity is a “financial institution” if its business is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k), which incorporates activities enumerated by the Federal Reserve Board in 12 CFR 225.28 and 225.86. The “financial institutions” subject to the Commission's rulemaking authority are any persons described in 12 U.S.C. 5519 that are predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both. They are referred to in this part as “You.” Excluded from the coverage of this part are motor vehicle dealers described in 12 U.S.C. 5519(b) that directly extend to consumers retail credit or retail leases involving motor vehicles in which the contract governing such extension of retail credit or retail leases is not routinely assigned to an unaffiliated third party finance or leasing source.

    3. Amend § 313.3 by revising paragraphs (e), (i), (j), (k), and (q) to read as follows:

    Definitions.
    * * * * *

    (e)(1) Consumer means an individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family, or household purposes, or that individual's legal representative.

    (2) For example:

    (i) An individual who applies to you for credit for personal, family, or household purposes is a consumer of a financial service, regardless of whether the credit is extended.

    (ii) An individual who provides nonpublic personal information to you in order to obtain a determination about whether he or she may qualify for a loan to be used primarily for personal, family, or household purposes is a consumer of a financial service, regardless of whether the loan is extended.

    (iii) If you hold ownership or servicing rights to an individual's loan that is used primarily for personal, family, or household purposes, the individual is your consumer, even if you hold those rights in conjunction with one or more other institutions. (The individual is also a consumer with respect to the other financial institutions involved.) An individual who has a loan in which you have ownership or servicing rights is your consumer, even if you, or another institution with those rights, hire an agent to collect on the loan.

    (iv) An individual who is a consumer of another financial institution is not your consumer solely because you act as agent for, or provide processing or other services to, that financial institution.

    (v) An individual is not your consumer solely because he or she is a participant or a beneficiary of an employee benefit plan that you sponsor or for which you act as a trustee or fiduciary.

    * * * * *

    (i)(1) Customer relationship means a continuing relationship between a consumer and you under which you provide one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.

    (2) For example:

    (i) Continuing relationship. A consumer has a continuing relationship with you if the consumer:

    (A) Has a credit or investment account with you;

    (B) Obtains a loan from you;

    (C) Purchases an insurance product from you;

    (D) Enters into an agreement or understanding with you whereby you undertake to arrange or broker a home mortgage loan, or credit to purchase a vehicle, for the consumer;

    (E) Enters into a lease of personal property on a non-operating basis with you; or

    (F) Has a loan for which you own the servicing rights.

    (ii) No continuing relationship. A consumer does not, however, have a continuing relationship with you if:

    (A) The consumer obtains a financial product or service from you only in isolated transactions, such as cashing a check with you or making a wire transfer through you;

    (B) You sell the consumer's loan and do not retain the rights to service that loan; or

    (C) The consumer obtains one-time personal appraisal services from you.

    (j) Federal functional regulator means:

    (1) The Board of Governors of the Federal Reserve System;

    (2) The Office of the Comptroller of the Currency;

    (3) The Board of Directors of the Federal Deposit Insurance Corporation;

    (4) The National Credit Union Administration Board; and

    (5) The Securities and Exchange Commission.

    (k)(1) Financial institution means any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k). An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution.

    (2) An example of a financial institution is an automobile dealership that, as a usual part of its business, leases automobiles on a nonoperating basis for longer than 90 days is a financial institution with respect to its leasing business because leasing personal property on a nonoperating basis where the initial term of the lease is at least 90 days is a financial activity listed in 12 CFR 225.28(b)(3) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act.

    (3) Financial institution does not include entities that engage in financial activities but that are not significantly engaged in those financial activities.

    (4) An example of entities that are not significantly engaged in financial activities is a motor vehicle dealer is not a financial institution merely because it accepts payment in the form of cash, checks, or credit cards that it did not issue.

    * * * * *

    (q) You includes each “financial institution” over which the Commission has rulemaking authority pursuant to section 504(a)(1)(C) of the Gramm-Leach-Bliley Act (15 U.S.C. 6804(a)(1)(C)).

    4. Amend § 313.4 by adding a heading for paragraph (c)(3) and revising paragraphs (c)(3)(i) and (e) to read as follows:

    Initial privacy notice to consumers required.
    * * * * *

    (c) * * *

    (3) Examples —(i) Examples of establishing a customer relationship. You establish a customer relationship when the consumer:

    (A) Executes the contract to obtain credit from you or purchase insurance from you; or

    (B) Executes the lease for personal property with you.

    * * * * *

    (e) Exceptions to allow subsequent delivery of notice —(1) General. You may provide the initial notice required by paragraph (a)(1) of this section within a reasonable time after you establish a customer relationship if:

    (i) Establishing the customer relationship is not at the customer's election; or

    (ii) Providing notice not later than when you establish a customer relationship would substantially delay the customer's transaction and customer agrees to receive the notice at a later time.

    (2) Examples of exceptions —(i) Substantial delay of customer's transaction. Providing notice not later than when you establish a customer relationship would substantially delay the customer's transaction when you and the individual agree over the telephone to enter into a customer relationship involving prompt delivery of the financial product or service.

    (ii) No substantial delay of customer's transaction. Providing notice not later than when you establish a customer relationship would not substantially delay the customer's transaction when the relationship is initiated in person at your office or through other means by which the customer may view the notice, such as through a website.

    * * * * *

    5. Amend § 313.5 by adding a heading for paragraph (a), revising paragraphs (a)(1) and (b)(2), and adding paragraph (e) to read as follows:

    Annual privacy notice to customers required.

    (a) In general —(1) General rule. Except as provided by paragraph (e) of this section, you must provide a clear and conspicuous notice to customers that accurately reflects your privacy policies and practices not less than annually during the continuation of the customer relationship. Annually means at least once in any period of 12 consecutive months during which that relationship exists. You may define the 12-consecutive-month period, but you must apply it to the customer on a consistent basis.

    * * * * *

    (b) * * *

    (2) Examples. Your customer becomes a former customer when:

    (i) In the case of a closed-end loan, the customer pays the loan in full, you charge off the loan, or you sell the loan without retaining servicing rights.

    (ii) In the case of mortgage or vehicle loan brokering services, your customer has obtained a loan through you (and you no longer provide any statements or notices to the customer concerning that relationship), or has ceased using your services for such purposes.

    (iii) In cases where there is no definitive time at which the customer relationship has terminated, you have not communicated with the customer about the relationship for a period of 12 consecutive months, other than to provide annual privacy notices or promotional material.

    * * * * *

    (e) Exception to annual privacy notice requirement —(1) When exception available. You are not required to deliver an annual privacy notice if you:

    (i) Provide nonpublic personal information to nonaffiliated third parties only in accordance with the provisions of § 313.13, § 313.14, or § 313.15; and

    (ii) Have not changed your policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under § 313.6(a)(2) through (5) and (9) in the most recent privacy notice provided pursuant to this part.

    (2) Delivery of annual privacy notice after financial institution no longer meets requirements for exception. If you have been excepted from delivering an annual privacy notice pursuant to paragraph (e)(1) of this section and change your policies or practices in such a way that you no longer meet the requirements for that exception, you must comply with paragraph (e)(2)(i) or (ii) of this section, as applicable.

    (i) Changes preceded by a revised privacy notice. If you no longer meet the requirements of paragraph (e)(1) of this section because you change your policies or practices in such a way that § 313.8 requires you to provide a revised privacy notice, you must provide an annual privacy notice in accordance with the timing requirement in paragraph (a) of this section, treating the revised privacy notice as an initial privacy notice.

    (ii) Changes not preceded by a revised privacy notice. If you no longer meet the requirements of paragraph (e)(1) of this section because you change your policies or practices in such a way that § 313.8 does not require you to provide a revised privacy notice, you must provide an annual privacy notice within 100 days of the change in your policies or practices that causes you to no longer meet the requirement of paragraph (e)(1).

    (iii) Examples. (A) You change your policies and practices in such a way that you no longer meet the requirements of paragraph (e)(1) of this section effective April 1 of year 1. Assuming you define the 12-consecutive-month period pursuant to paragraph (a) of this section as a calendar year, if you were required to provide a revised privacy notice under § 313.8 and you provided that notice on March 1 of year 1, you must provide an annual privacy notice by December 31 of year 2. If you were not required to provide a revised privacy notice under § 313.8, you must provide an annual privacy notice by July 9 of year 1.

    (B) You change your policies and practices in such a way that you no longer meet the requirements of paragraph (e)(1) of this section, and so provide an annual notice to your customers. After providing the annual notice to your customers, you once again meet the requirements of paragraph (e)(1) of this section for an exception to the annual notice requirement. You do not need to provide additional annual notice to your customers until such time as you no longer meet the requirements of paragraph (e)(1) of this section.

    6. Amend § 313.15 by revising paragraph (a)(4) to read as follows:

    Other exceptions to notice and opt out requirements.

    (a) * * *

    (4) To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies (including the Consumer Financial Protection Bureau, a federal functional regulator, the Secretary of the Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping), a State insurance authority, with respect to any person domiciled in that insurance authority's State that is engaged in providing insurance, and the Federal Trade Commission), self-regulatory organizations, or for an investigation on a matter related to public safety;

    * * * * *
    [Removed]

    7. Remove § 313.18.

    By direction of the Commission.

    April J. Tabor,

    Acting Secretary.

    Footnotes

    1.  Public Law 106-102, 113 Stat. 1338 (1999).

    5.  Public Law 111-203, 124 Stat. 1376 (2010).

    7.  12 U.S.C. 5519. The FTC retained rulemaking jurisdiction as to motor vehicle dealers that are predominantly engaged in the sale and servicing or the leasing and servicing of motor vehicles, excluding those dealers that directly extend credit to consumers and do not routinely assign the extensions of credit to an unaffiliated third party. For ease of reference, covered motor vehicle dealers are referenced herein as “motor vehicle dealers.”

    8.  Rescission of Rules, 77 FR 22200, 22201 (Apr. 13, 2012) available at https://www.federalregister.gov/documents/2012/04/13/2012-8748/rescission-of-rules (also rescinding those regulations for which rulemaking authority was transferred to the CFPB under the Dodd-Frank Act).

    12.  Section 75001, Public Law 114-94, 129 Stat. 1312, 1787 (2015).

    21.  15 U.S.C. 1681s-3. The FTC's Affiliate Marketing Rule applies to motor vehicle dealers. See 77 FR 22201. The FTC also enforces the CFPB's Regulation V's Affiliate Marketing Rule, 12 CFR part 1022, subpart C, for other entities over which the FTC has enforcement authority under the FCRA.

    24.  On June 24, 2015, the Commission published a notice of proposed rulemaking (“2015 NPRM”) proposing revisions to the Privacy Rule. NPRM, 80 FR 36267 (June 24, 2015) available at https://www.federalregister.gov/documents/2015/06/24/2015-14328/amendment-to-the-privacy-of-consumer-financial-information-rule-under-the-gramm-leach-bliley-act. First, the Commission proposed a number of changes to comport with the Dodd-Frank Act revision of GLBA, which transferred rulemaking authority for most financial institutions to the CFPB. The Commission also proposed amending the rule to allow motor vehicle dealers to notify their customers that a privacy notice is available online, under circumstances identical to those that had been adopted by the CFPB. Final Rule, 79 FR 64057 (Oct. 28, 2014) available at https://www.federalregister.gov/documents/2014/10/28/2014-25299/amendment-to-the-annual-privacy-notice-requirement-under-the-gramm-leach-bliley-act-regulation-p. The passage of the FAST Act rendered the Commission's proposed changes to the Privacy Rule moot because those changes, if adopted, would have been in conflict with the revised statute.

    25.  The Commission also received three comments that related to the Safeguards Rule (16 CFR part 314). Those comments are addressed in the final Safeguards Rule published elsewhere in this issue of the Federal Register.

    27.  Yuxiang Hao (comment 4).

    28.  National Automobile Dealers Association (comment 9), at 3-4.

    29.  NADA (comment 9), at 4.

    30.  The Commission notes that while the term “loan” may not be applicable to all motor vehicle dealers' transactions with their customers, most extensions of credit or the arranging of credit will play the same role as loans for purposes of this amendment, and dealers may generally apply these examples accordingly.

    31.  The Proposed Amendments did modify existing examples in two instances. In §§ 313.3(i)(2)(i)(A) and 313.5(b)(2)(ii), references to mortgage loans were removed. Although the Commission continues to believe that mortgage loans are unlikely to be involved in the motor vehicle dealer context, as discussed above, the Commission recognizes that there is value in maintaining consistency with Regulation P, and that particular examples provided may not be applicable to every type of financial institution's activities. Accordingly, the final rule retains the references to mortgage loans in these provisions.

    32.  NADA (comment 9), at 5.

    33.  NADA (comment 9), at 5.

    35.  As discussed above, NADA argued that the word “loan” should be replaced with “retail installment sale contract.” As discussed above, the Commission wishes the remaining examples in the final rule to be identical to those found in Regulation P and declines to make these changes. In addition, the National Independent Automobile Dealers Association noted that most dealers will not be required to provide annual notices because of their lack of ongoing relationships with their consumers, but supported the amendments in general.

    38.   Id.

    39.  Several other entities commented on the expansion of the definition of a “financial institution” in the Safeguards Rule. These comments are addressed in the discussion of the final Safeguards Rule, published elsewhere in this issue of the Federal Register.

    40.  NADA (comment 9), at 7-8.

    41.  Qiyi Hu (comment 5).

    43.  The OMB Control Number is 3084-0121.

    46.  Table of Small Bus. Size Standards Matched to North American Indus. Classification System Codes, 13 CFR 121.201 (available at: https://www.sba.gov/document/support--table-size-standards), updated Aug. 19, 2019. For example, used car dealers are classified as NAICS 441120 and new car dealers as NAICS 441110. Under those standards, the SBA would classify as small businesses independent used car dealers having annual receipts of less than $27 million and new car dealers having fewer than 200 employees each.

    [FR Doc. 2021-25735 Filed 12-8-21; 8:45 am]

    BILLING CODE 6750-01-P

Document Information

Effective Date:
1/10/2022
Published:
12/09/2021
Department:
Federal Trade Commission
Entry Type:
Rule
Action:
Final rule.
Document Number:
2021-25735
Dates:
The amendments are effective January 10, 2022.
Pages:
70020-70027 (8 pages)
RINs:
3084-AB42: Privacy of Consumer Financial Information
RIN Links:
https://www.federalregister.gov/regulations/3084-AB42/privacy-of-consumer-financial-information
Topics:
Consumer protection, Credit, Privacy, Trade practices
CFR: (6)
16 CFR 313.1
16 CFR 313.3
16 CFR 313.4
16 CFR 313.5
16 CFR 313.15