2019-06039. Privacy of Consumer Financial Information Rule Under the Gramm-Leach-Bliley Act  

    AGENCY:

    Federal Trade Commission.

    ACTION:

    Notice of proposed rulemaking; request for public comment.

    SUMMARY:

    The Federal Trade Commission is proposing to amend its Privacy Rule for certain financial institutions subject to the Rule to revise the Rule's scope, to modify the Rule's definitions of “financial institution” and “federal functional regulator,” and to update the Rule's annual customer privacy notice requirement. The proposed amendments will also remove certain examples in the Rule that apply to financial institutions that now fall outside the scope of the Commission's Rule. This action is necessary to conform the Rule to the current requirements of the Gramm-Leach-Bliley Act (GLBA), as amended by the Dodd-Frank and FAST Acts, and will clarify which financial institutions are covered by the Commission's Rule and their annual customer privacy notice obligations under the Rule.

    DATES:

    Written comments must be received on or before June 3, 2019.

    ADDRESSES:

    Interested parties may file a comment online or on paper by following the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Write “Amendment to the Privacy of Consumer Financial Information Rule, 16 CFR part 313, Rulemaking No. R411016,” on your comment and file your comment online at https://www.regulations.gov by following the instructions on the web-based form. If you prefer to file your comment on paper, mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex B), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex B), Washington, DC 20024.

    FOR FURTHER INFORMATION CONTACT:

    David Lincicum or Allison M. Lefrak, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580, (202) 326-2773 or (202) 326-2804.

    SUPPLEMENTARY INFORMATION:

    I. Background

    A. The Statute and Regulation

    The GLBA was enacted in 1999.[1] The GLBA, among other things, provides a framework for regulating the privacy practices of a broad range of financial institutions. The GLBA requires that financial institutions provide their customers with initial and annual notices regarding their privacy practices, and allow their customers to opt out of sharing their information with certain nonaffiliated third parties.

    Rulemaking authority to implement the GLBA's privacy provisions was initially spread among multiple agencies. The Federal Reserve Board (“the Fed”), the Office of Comptroller of the Currency (“OCC”), the Federal Deposit Insurance Corporation (“FDIC”), and the Office of Thrift Supervision (“OTS”) jointly adopted final rules to implement the notice requirements of the GLBA in 2000.[2] The Commission, the National Credit Union Administration (“NCUA”), the Securities and Exchange Commission (“SEC”), and the Commodity Futures Trading Commission (“CFTC”) were part of the same interagency process, but each issued their rules separately.[3] In 2009, all those agencies jointly adopted a model form that financial institutions could use to provide the required initial and annual privacy disclosures.[4]

    As originally promulgated, the FTC's Privacy Rule covered a broad range of non-bank financial institutions such as payday lenders, mortgage brokers, check cashers, debt collectors, real estate appraisers, certain motor vehicle dealers, and remittance transfer providers. In 2010, the Dodd-Frank Act [5] transferred the GLBA's privacy notice rulemaking authority from the Fed, NCUA, OCC, OTS, the FDIC, and the Commission (in part) to the Consumer Financial Protection Bureau (“CFPB”). The CFPB then restated the implementing regulations in Regulation P, 12 CFR part 1016, in late 2011 (“Regulation P”).[6] However, under section 1029 of the Dodd-Frank Act, the Commission retained rulemaking authority for certain motor vehicle dealers.[7] Thus, in 2012, the Commission issued a notice that it was retaining the implementing regulations governing privacy notices for motor vehicle dealers at 16 CFR part 313.[8]

    Despite the transfer of general rulemaking authority for the Privacy Rule to the CFPB, the Commission and other agencies retain their existing enforcement authority under the GLBA.[9] In addition, the SEC and CFTC retain rulemaking authority with respect to securities and futures-related companies, respectively.[10] Accordingly, as part of this rulemaking process, the Commission has consulted and coordinated, or offered to consult, with those agencies that have rulemaking and/or enforcement authority under the GLBA, including the CFPB, SEC, CFTC, and the National Association of Insurance Commissioners (“NAIC”).[11]

    On December 4, 2015, Congress amended the GLBA as part of the FAST Act. This amendment, titled Eliminate Privacy Notice Confusion,[12] added GLBA subsection 503(f). This subsection provides an exception under which financial institutions that meet certain conditions are not required to provide annual privacy notices to customers.

    B. The Privacy Notice Requirements

    As noted, the GLBA and the Privacy Rule require that motor vehicle dealers provide consumers with notices describing their privacy policies. Specifically, section 503 of the GLBA and the Privacy Rule require covered entities to provide an initial notice of these policies,[13] and then “provide a clear and conspicuous notice to customers that accurately reflects [their] privacy policies and practices not less than annually during the continuation of the customer relationship.” [14]

    Section 502 of the GLBA and the Privacy Rule require that initial and annual notices inform customers of their right to opt out of the sharing of nonpublic personal information with some types of nonaffiliated third parties.[15] For example, a customer has the right to opt out of allowing a motor vehicle dealer to sell her name and address to a nonaffiliated auto insurance company.[16] On the other hand, a motor vehicle dealer is not required to allow consumers to opt out of the dealer's sharing involving third-party service providers, joint marketing arrangements, maintenance and servicing of accounts, securitization, law enforcement and compliance, reporting to consumer reporting agencies, and certain other activities that are specified in the statute and regulation.[17] Accordingly, if a motor vehicle dealer limits its sharing to uses that do not trigger opt-out rights, it may provide an annual privacy notice to its customers that does not include information regarding opt-out rights.

    Motor vehicle dealers also may include in the annual privacy notice information about certain consumer opt-out rights related to affiliate sharing under the Fair Credit Reporting Act (“FCRA”). First, section 603(d)(2)(A)(iii) of the FCRA allows the sharing of a consumer's information among affiliates, but only if the consumer is notified of such sharing and is given an opportunity to opt out.[18] Section 503(c)(4) of the GLBA and the Privacy Rule generally require motor vehicle dealers to incorporate any notifications and opt-out disclosures provided pursuant to section 603(d)(2)(A)(iii) of the FCRA into their initial and annual privacy notices.[19]

    Second, section 624 of the FCRA and the FTC's Affiliate Marketing Rule [20] provide that an affiliate of a motor vehicle dealer that receives certain information about a consumer from the dealer may not use that information for marketing purposes, unless the consumer is provided with an opportunity to opt out of that use.[21] This requirement governs the use of information by an affiliate, not the sharing of information among affiliates, and thus is distinct from the affiliate sharing opt-out discussed above. The Affiliate Marketing Rule permits (but does not require) motor vehicle dealers to incorporate any opt-out disclosures provided under section 624 of the FCRA and the Affiliate Marketing Rule into the initial and annual privacy notices required by the GLBA.[22]

    Finally, section 313.6(a)(8) of the Privacy Rule requires that the initial and annual notices briefly describe how motor vehicle dealers protect the nonpublic personal information they collect and maintain.

    II. Proposed Revision of the Privacy Rule

    A. The Consumer Financial Protection Bureau Rulemaking

    In December 2011, the CFPB issued a Request for Information seeking specific suggestions for streamlining regulations that were transferred to the CFPB from other Federal agencies, including the annual privacy notice requirement.[23] After receiving numerous comments, in May 2014, the CFPB issued a proposed rule to amend its Regulation P to allow financial institutions to notify consumers that a privacy notice was available online, in certain enumerated circumstances.[24] The CFPB finalized its rulemaking in October 2014.[25]

    B. The Commission's 2015 Proposed Rulemaking

    On June 24, 2015, the Commission published a Notice of Proposed Rulemaking (“2015 NPRM”) proposing revisions to the Privacy Rule.[26] First, the Commission proposed a number of changes to comport with the Dodd-Frank Act revision of GLBA, which transferred rulemaking authority for most financial institutions to the CFPB. The Commission also proposed amending the Rule to allow motor vehicle dealers to notify their customers that a privacy notice is available online, under circumstances identical to those that had been adopted by the CFPB.[27]

    The Commission received six comments from individuals and entities.[28]

    C. The Passage of the FAST Act

    As described above, on December 4, 2015, President Obama signed the FAST Act. The FAST Act contains a provision that modified the annual privacy notice requirement under the GLBA. The provision states that a financial institution is not required to provide an annual privacy notice if it: (1) Only shares non-public personal information with non-affiliated third parties in a manner that does not require an opt-out right be provided to customers (e.g., if the institution discloses nonpublic personal information to a service provider or for fraud detection and prevention purposes), and (2) has not changed its policies and practices with respect to disclosing nonpublic personal information since it last provided a privacy notice to its customers.[29] This modification of the GLBA rendered the Commission's proposed changes to the Privacy Rule moot because those changes, if adopted, would have been in conflict with the revised statute.[30]

    D. New Proposed Changes to the Privacy Rule

    In light of this history, the Commission is issuing this notice of proposed rulemaking. The Commission now proposes to make three types of changes to the Privacy Rule: (1) Technical changes to the Rule to correspond to the reduced scope of the Rule due to Dodd-Frank Act changes, which primarily consist of removing references that do not apply to motor vehicle dealers; (2) modifications to the annual privacy notice requirements to reflect the changes made to the GLBA by the FAST Act; and (3) a modification to the scope and definition of “financial institution” to include entities engaged in activities that are incidental to financial activities, which would bring the Rule into accord with the CFPB's Regulation P.

    1. Technical Changes To Correspond to Statutory Changes Resulting From the Dodd-Frank Act

    The Commission adopted the scope of, and definitions in, the original Privacy Rule at a time when it had rulemaking authority for the Privacy Rule over a broader group of non-bank “financial institutions” as defined by the GLBA. While the Dodd-Frank Act did not change the Commission's enforcement authority for the privacy notice obligations of the GLBA, it did amend the Commission's rulemaking authority under the GLBA such that the Privacy Rule only applies to motor vehicle dealers.[31] The amendments in the Dodd-Frank Act necessitate certain technical revisions to the Privacy Rule to ensure that the regulation is consistent with the text of the amended GLBA.[32] For example, retaining examples that apply to entities other than motor vehicle dealers may lead to confusion about the existing, narrower scope of the Privacy Rule. Accordingly, the Commission proposes to modify the Privacy Rule to provide clearer guidance to financial institutions that are covered motor vehicle dealers.[33]

    The proposed amendment to section 313.1(b) narrows the description of the scope of the Privacy Rule to those entities set forth in the Dodd-Frank Act [34] that are predominantly engaged in the sale and servicing of motor vehicles or the leasing and servicing of motor vehicles, excluding those dealers that directly extend credit to consumers and do not routinely assign the extensions of credit to an unaffiliated third party. It also removes the reference in the Rule's scope to “other persons”: Although the Commission continues to have enforcement authority over “other persons” covered by the CFPB's Regulation P, the Commission no longer has rulemaking authority for the Privacy Rule over “other persons.” [35] In addition, the Commission proposes to eliminate from section 313.1(b) the note indicating that (1) the Privacy Rule does not modify, limit, or supersede the standards under the Health Insurance Portability and Accountability Act of 1996, and (2) if a financial institution that is an institution of higher education is in compliance with the Federal Educational Rights and Privacy Act (“FERPA”) and its implementing regulations, such institution shall be deemed in compliance with the Privacy Rule. The Commission does not believe these provisions will apply to motor vehicle dealers covered by the Rule and should be removed to improve clarity. The Commission invites comments on whether these provisions are relevant to motor vehicle dealers and should be retained.

    The proposed amendments to section 313.3 also remove any examples that are not likely to apply to motor vehicle dealers. To help companies understand whether and how the Rule applies to them, the Rule includes examples of financial institutions in section 313.3(k)(2). The current examples refer to types of activities that motor vehicle dealers typically do not engage in. Therefore, leaving those examples in the Rule may lead to confusion about the Rule's current scope.

    The proposed amendments also remove certain examples from the definition of “consumer” in section 313.3(e)(2). These examples do not apply because motor vehicle dealers do not provide the types of services provided in the examples, such as financial, investment, or economic advisory services or serving as the trustee of a trust.

    Likewise, the proposed amendments remove certain examples of establishing a customer relationship from section 313.4(c)(3)(i). The removed examples do not apply to customers of motor vehicle dealers, because such activities are not related to the sale or leasing of motor vehicles. These include creating credit card accounts, providing investment advice or tax counseling, providing mortgages, collecting debts from other financial institutions, and providing websites for consumers to review all of their on-line financial accounts with other financial institutions.

    Finally, the proposed amendments remove certain examples of termination of customer relationships from section 313.5(b)(2). As with previously discussed proposed amendments, the removed examples concern customer relationships based on services that motor vehicle dealers do not provide. These include credit card accounts, credit counseling services, tax preparation, and real estate settlement. The removal of these inapplicable examples will increase the clarity of the rule by focusing on matters that are relevant to the regulated financial institutions. Removing these examples will not alter the substance of the underlying definitions or provisions of the rule, which will have the same reach and applicability as before the revisions. The changes are intended to improve clarity, not to alter substance. The Commission invites comments on whether any of the omitted examples should be retained.

    Although the Dodd-Frank Act altered the Commission's rulemaking authority with respect to the Privacy Rule, it did not alter the Commission's rulemaking authority for the Safeguards Rule. For the Safeguards Rule, the Commission continues to have rulemaking authority over a broad range of non-bank financial institutions. The Safeguards Rule, however, currently incorporates by reference the definitions contained in the Privacy Rule, including all of the examples of financial institutions listed in the existing Privacy Rule.[36] Accordingly, while the Commission proposes to modify the Privacy Rule definitions to include examples applicable only to motor vehicle dealers, the Commission has also proposed in a separate concurrent NPRM to amend the Safeguards Rule to import definitions of relevant terms and examples from the current version of the Privacy Rule.[37]

    2. Modifications to the Annual Privacy Notice To Reflect Statutory Changes Resulting From the FAST Act

    The Commission also proposes changes to the Privacy Rule provisions governing how motor vehicle dealers should deliver annual privacy notices. These changes implement statutory changes resulting from the enactment of the FAST Act and replace those set forth in the 2015 NPRM.

    Several commenters opined on the proposed changes to notice delivery in the 2015 NPRM. Those comments have been rendered obsolete by the statutory changes. The current proposed rule implements the changes set forth in the FAST Act.

    Section 313.5(a)(1)—General Rule

    The proposed section 313.5(a)(1) notes that section 313.5(e) provides an exception to the general rule requiring the delivery of annual notices.

    Section 313.5(e)

    This proposed new section sets forth the exception to the annual privacy notice requirement. The Commission adopts the reasoning and changes set forth by the CFPB in its amendments to Regulation P to adopt the FAST Act changes.[38] First, proposed section 313.5(e)(1)(i) sets forth that the financial institution must share nonpublic personal information only in accordance with the provisions of sections 313.13, 313.14, and 313.15, none of which require an opt-out opportunity be provided to customers. Second, proposed section 313.5(e)(1)(ii) states that the financial institution must also not have changed its disclosure policies and practices that were contained in its most recent privacy notice to customers.

    Proposed section 313.5(e)(2) sets forth the timing for delivering an annual notice if a financial institution no longer meets requirements for the exception and must resume delivery of annual notices. There are two scenarios under which a financial institution would need to resume delivering annual notices: (1) Where the change in its policies triggers the existing requirement to issue a revised privacy notice, as required by section 313.8; and (2) where the change does not trigger a need for the financial institution to issue a revised notice under section 313.8. These two situations are addressed by proposed sections 313.5(e)(2)(i) and (ii), respectively. In the first situation, the revised notice issued by the financial institution acts as an initial privacy notice for the purposes of the timing of future annual notices. In the second situation, the financial institution must provide an annual notice to customers within 100 days of the change in policies or practices. Proposed section 313.5(e)(2)(iii) sets forth an example for both scenarios.

    1. Modifications To Scope and Definitions To Bring the Rule Into Accord With Regulation P

    Whether a company is a “financial institution” is determined by the types of activities in which the company engages. When first promulgating the Privacy Rule, the Commission determined that companies engaged in activities that are “incidental to financial activities” would not be considered “financial institutions.” [39] The Commission was the only agency to adopt this restrictive definition in its Privacy Rule, while the other agencies included incidental activities.[40] In addition, the Commission decided that activities that were determined to be financial in nature after the enactment of the GLBA would not be automatically included in its Privacy Rule; rather, the Commission would have to take additional action to include them.[41] The effect of these two decisions was to limit the activities covered by the Commission's rules to those set out in 12 CFR 225.28 as it existed in 1999, and to exclude any activities later determined by the Fed to be financial activities or incidental to those activities.[42]

    The Commission proposes modifying the definition of “financial institution” to harmonize the Privacy Rule with other agencies' rules. The Commission proposes to amend section 313.1(b) to include companies that engage in activities that are financial in nature or incidental to such financial activities. Likewise, it proposes to amend the definition of “financial institution” in section 313.3(k), to include any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities.[43] The effect of this proposed amendment would be to cause “finders” to be included in this definition, thereby bringing the Privacy Rule into harmony with the scope of entities covered by other agencies under Regulation P. It would not bring any other activities under the coverage of the definition because the Fed has not determined any other activity other than “finding” to be financial in nature or incidental to such activity since the enactment of the GLBA. In practice, the Commission expects that this change to the Privacy Rule will have little to no effect because of the already narrow scope of the Rule: It is not clear that there are any motor vehicle dealers that would be covered by this rule whose only activity that would qualify them as a financial institution is the act of finding, as most motor vehicle dealers are more directly involved in obtaining financing for their customers. Nevertheless, the Commission believes this change is important to keep the Rule consistent with the Safeguards Rule and other agencies' GLBA implementing rules.

    The Commission has not previously requested comment on revising the definition of “financial institution” in this way for the Privacy Rule. Through this NPRM, it does so here. Specifically, the Commission seeks information on (1) whether any entities function as “finders” for motor vehicle dealers, and if so how many; (2) whether such finders collect or maintain customer information as defined by the Rule; and (3) the costs and benefits, including the costs and benefits to finders and consumers, of this proposed amendment.

    III. Request for Comment

    You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before June 3, 2019. Write “Amendment to the Privacy of Consumer Financial Information Rule, 16 CFR part 313, Rulemaking No. R411016” on the comment. Your comment, including your name and your state, will be placed on the public record of this proceeding, including, to the extent practicable, the https://www.regulations.gov website.

    Postal mail addressed to the Commission is subject to delay due to heightened security screening. As a result, we encourage you to submit your comment online. To make sure that the Commission considers your online comment, you must file it at https://www.regulations.gov by following the instructions on the web-based form.

    If you file your comment on paper, write “Amendment to the Privacy of Consumer Financial Information Rule, 16 CFR part 313, Rulemaking No. R411016,” on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex B), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex B), Washington, DC 20024. If possible, please submit your paper comment to the Commission by courier or overnight service.

    Because your comment will be placed on the publicly accessible website, https://www.regulations.gov/, you are solely responsible for making sure that your comment does not include any sensitive or confidential information. In particular, your comment should not include any sensitive personal information, such as your or anyone else's Social Security number, date of birth, driver's license number or other state identification number or foreign country equivalent, passport number, financial account number, or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any “trade secret or any commercial or financial information which . . . is privileged or confidential,” as provided by section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2), including in particular, competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.

    Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled “Confidential,” and must comply with FTC Rule 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comments to be withheld from the public record.[44] Your comment will be kept confidential only if the FTC General Counsel grants your request in accordance with the law and the public interest. Once your comment has been posted publicly at www.regulations.gov, we cannot redact or remove your comment from the FTC website, unless you submit a confidentiality request that meets the requirements for such treatment under FTC Rule 4.9(c), and the General Counsel grants that request.

    Visit the Commission website at https://www.ftc.gov/ to read this document and the news release describing it. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before June 3, 2019. For information on the Commission's privacy policy, including routine uses permitted by the Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.

    IV. Communications by Outside Parties to the Commissioners or Their Advisors

    Written communications and summaries or transcripts of oral communications respecting the merits of this proceeding, from any outside party to any Commissioner or Commissioner's advisor, will be placed on the public record.[45]

    V. Paperwork Reduction Act

    Under the Paperwork Reduction Act of 1995 (PRA),[46] Federal agencies are generally required to seek Office of Management and Budget (OMB) approval for information collection requirements prior to implementation. Under the PRA, the Commission may not conduct or sponsor, and, notwithstanding any other provision of law, a person is not required to respond to an information collection, unless the information collection displays a valid control number assigned by OMB.

    This proposal would amend 16 CFR part 313. The collections of information related to the Privacy Rule and the FAST Act statutory exceptions to the Rule's annual notice requirement have been previously reviewed and approved by OMB in accordance with the PRA.[47]

    Under the existing clearance, the FTC has attributed to itself the estimated burden regarding all motor vehicle dealers and then shares equally the remaining estimated PRA burden with the CFPB for other types of financial institutions for which both agencies have enforcement authority regarding the GLBA Privacy Rule.[48]

    The proposed amendments do not modify or add to information collection requirements that were previously approved by OMB. First, the Commission anticipates that the proposed expansion of the definition of “financial institution” to include entities engaged in activities that are incidental to financial activities will have little to no effect. It is not clear that any finders are in the business of linking consumers with financing through motor vehicle dealers, as opposed to other types of financial institutions such as payday lenders or mortgage lenders.

    Second, the proposed removal of certain examples provided in the Rule that are not applicable to motor vehicle dealers will have no impact on existing information collection requirements.

    Therefore, the Commission does not believe that the proposed amendments would substantially or materially modify any “collections of information” as defined by the PRA.

    The Commission seeks comment on whether there are any finders in existence that would be covered by the proposed Rule. If there are such businesses, the Commission will seek OMB clearance as appropriate.

    VI. Regulatory Flexibility Act

    The Regulatory Flexibility Act (RFA), as amended by the Small Business Regulatory Enforcement Fairness Act of 1996, requires an agency to either provide an Initial Regulatory Flexibility Analysis (“IRFA”) with a proposed rule, or certify that the proposed rule will not have a significant impact on a substantial number of small entities.[49] The Commission does not expect that this Rule, if adopted, would have the threshold impact on small entities. First, most of the burdens flow from the mandates of the GLBA, not from the specific provisions of the proposed Rule. Second, the Commission does not expect the proposal to impose costs on small motor vehicle dealers because the amendments are primarily for clarification purposes and should not result in any increased burden on any motor vehicle dealer. Thus, a small entity that complies with current law need not take any different or additional action if the proposal is adopted. Nonetheless, the Commission has determined that it is appropriate to publish an Initial Regulatory Flexibility Analysis in order to inquire into the impact of the proposed Rule on small entities. The Commission does not believe that there are any small entities engaged in finding for motor vehicle financing that would now be covered as a result of the modified definition of “financial institution.” However, the Commission invites comment on this issue.

    1. Reasons for the Proposed Rule

    To address the Dodd-Frank Act and FAST Act changes the Commission proposes to change the Privacy Rule's scope and definition of “financial institution”; change the annual notice requirement; and remove certain examples provided in the Rule that are not applicable to motor vehicle dealers. These changes will make the current, narrow scope of the Rule clearer. Additionally, the Commission proposes modifying the definition of “financial institution” to harmonize the Privacy Rule with other agencies' rules by including “activities incidental to financial activities” as a financial activity. This change would bring “finders” within the scope of the Rule.

    2. Statement of Objectives and Legal Basis

    The objectives of the proposed Rule are discussed above. The legal basis for the proposed Rule is section 501(b) of the GLBA.

    3. Description of Small Entities to Which the Rule Will Apply

    Determining a precise estimate of the number of small entities [50] —including newly covered entities under the modified definition of financial institution—is not readily feasible. Financial institutions covered by the Rule include certain motor vehicle dealers. If the proposed Rule is finalized, finders will also be covered. The Commission requests comment and information on whether there are any finders in existence that would be covered by the proposed Rule.

    4. Projected Reporting, Recordkeeping, and Other Compliance Requirements

    The Commission does not believe that the proposed Rule would impose any new or substantively revised “collections of information” as defined by the PRA. Rather, the Commission believes that the proposed amendments would have the overall effect of reducing the currently cleared estimated burden for the information collections associated with the Privacy Rule annual notice. The Commission invites comment on the costs to newly covered financial institutions—if there are any—of complying with the Rule.

    5. Identification of Duplicative, Overlapping, or Conflicting Federal Rules

    The Commission's proposal to modify the definition of “financial institution” harmonizes the Privacy Rule with other agencies' rules. The effect of this proposed amendment, as discussed above, would be to cause “finders” to be covered by the Rule, thereby bringing the scope of the Privacy Rule into harmony with the scope of entities covered by other agencies under Regulation P. The Commission believes that this proposal does not create conflicting or duplicative obligations on small entities. As stated previously, the Commission does not believe there are any newly covered financial institutions resulting from the proposed definitional modification. However, the Commission is requesting comment on the extent to which other federal standards involving privacy notices may duplicate and/or satisfy or possibly conflict with the Rule's requirements for any newly covered financial institutions.

    6. Discussion of Significant Alternatives

    As stated previously, the Commission does not believe there are any newly covered financial institutions resulting from the proposed definitional modification. Moreover, the Commission believes that the other proposed amendments would have the overall effect of reducing the burden for all covered entities associated with the Privacy Rule annual notice. The proposed amendments do not reduce the flexibility already present in the existing Rule, which allows notices to be provided in a variety of ways, including electronically in some circumstances. As to the core requirements of the proposed Rule, they come from GLBA itself, as amended by the Dodd-Frank and the FAST Act. The statute prescribes the definition of financial institutions to be covered by the Rule and sets forth the specific requirements, which the Commission cannot modify to ease burdens on small entities. Therefore the Commission does not believe that any alternatives for small entities are required or appropriate. However, the Commission welcomes comment on any significant alternative consistent with the GLBA that would minimize the impact of the proposed Rule on small entities—specifically institutions that would be newly covered financial institutions—if there are any.

    List of Subjects in 16 CFR Part 313

    • Consumer protection
    • Credit
    • Data protection
    • Privacy
    • Trade practices

    For the reasons stated above, the Federal Trade Commission proposes to amend 16 CFR part 313 as follows:

    1. Revise the authority section for part 313 to read as follows:

    Authority: 15 U.S.C. 6801 et seq., 12 U.S.C. 5519.

    2. In § 313.1, revise paragraph (b) to read as follows:

    Purpose and scope.
    * * * * *

    (b) Scope. This part applies only to nonpublic personal information about individuals who obtain financial products or services primarily for personal, family or household purposes from the institutions listed below. This part does not apply to information about companies or about individuals who obtain financial products or services for business, commercial, or agricultural purposes. This part applies to those “financial institutions” over which the Federal Trade Commission (“Commission”) has rulemaking authority pursuant to section 504(a)(1)(C) of the Gramm-Leach-Bliley Act. An entity is a “financial institution” if its business is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k), which incorporates by reference activities enumerated by the Federal Reserve Board in 12 CFR 225.28 and 12 CFR 225.86. The “financial institutions” subject to the Commission's rulemaking authority are any persons described in 12 U.S.C. 5519 that are predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both. They are referred to in this part as “You.” Excluded from the coverage of this regulation are motor vehicle dealers described in 12 U.S.C. 5519(b) that directly extend to consumers retail credit or retail leases involving motor vehicles in which the contract governing such extension of retail credit or retail leases is not routinely assigned to an unaffiliated third party finance or leasing source.

    3. In § 313.3, revise paragraphs (e), (i), (j), (k) and (q), to read as follows:

    Definitions.
    * * * * *

    (e)(1) Consumer means an individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family, or household purposes, or that individual's legal representative.

    (2) Examples—(i) An individual who applies to you for credit for personal, family, or household purposes is a consumer of a financial service, regardless of whether the credit is extended.

    (ii) An individual who provides nonpublic personal information to you in order to obtain a determination about whether he or she may qualify for a loan to be used primarily for personal, family, or household purposes is a consumer of a financial service, regardless of whether the loan is extended.

    (iii) If you hold ownership or servicing rights to an individual's loan that is used primarily for personal, family, or household purposes, the individual is your consumer, even if you hold those rights in conjunction with one or more other institutions. (The individual is also a consumer with respect to the other financial institutions involved.) An individual who has a loan in which you have ownership or servicing rights is your consumer, even if you, or another institution with those rights, hire an agent to collect on the loan.

    (iv) An individual who is a consumer of another financial institution is not your consumer solely because you act as agent for, or provide processing or other services to, that financial institution.

    (v) An individual is not your consumer solely because he or she is a participant or a beneficiary of an employee benefit plan that you sponsor or for which you act as a trustee or fiduciary.

    * * * * *

    (i)(1) Customer relationship means a continuing relationship between a consumer and you under which you provide one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.

    (2) Examples—(i) Continuing relationship. A consumer has a continuing relationship with you if the consumer:

    (A) Has a credit or investment account with you;

    (B) Obtains a loan from you;

    (C) Purchases an insurance product from you;

    (D) Enters into an agreement or understanding with you whereby you undertake to arrange credit to purchase a vehicle for the consumer;

    (E) Enters into a lease of personal property on a non-operating basis with you; or

    (F) Has a loan for which you own the servicing rights.

    (ii) No continuing relationship. A consumer does not, however, have a continuing relationship with you if:

    (A) The consumer obtains a financial product or service from you only in isolated transactions, such as cashing a check with you or making a wire transfer through you;

    (B) You sell the consumer's loan and do not retain the rights to service that loan; or

    (C) The consumer obtains one-time personal appraisal services from you.

    (j) Federal functional regulator means:

    (1) The Board of Governors of the Federal Reserve System;

    (2) The Office of the Comptroller of the Currency;

    (3) The Board of Directors of the Federal Deposit Insurance Corporation;

    (4) The National Credit Union Administration Board; and

    (5) The Securities and Exchange Commission.

    (k)(1) Financial institution means any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k). An institution that is significantly engaged in financial activities is a financial institution.

    (2) Example of financial institution. An automobile dealership that, as a usual part of its business, leases automobiles on a nonoperating basis for longer than 90 days is a financial institution with respect to its leasing business because leasing personal property on a nonoperating basis where the initial term of the lease is at least 90 days is a financial activity listed in 12 CFR 225.28(b)(3) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act.

    (3) Financial institution does not include entities that engage in financial activities but that are not significantly engaged in those financial activities.

    (4) Example of entities that are not significantly engaged in financial activities. A motor vehicle dealer is not a financial institution merely because it accepts payment in the form of cash, checks, or credit cards that it did not issue.

    * * * * *

    (q) You includes each “financial institution” over which the Commission has rulemaking authority pursuant to section 504(a)(1)(C) of the Gramm-Leach-Bliley Act (15 U.S.C. 6804(a)(1)(C)).

    4. In § 313.4, revise paragraphs (c)(3)(i) and (e), to read as follows:

    Initial privacy notice to consumers required.
    * * * * *

    (c) * * *

    (3)(i) Examples of establishing a customer relationship. You establish a customer relationship when the consumer:

    (A) Executes the contract to obtain credit from you or purchase insurance from you; or

    (B) Executes the lease for personal property with you.

    * * * * *

    (e) Exceptions to allow subsequent delivery of notice. (1) You may provide the initial notice required by paragraph (a)(1) of this section within a reasonable time after you establish a customer relationship if:

    (i) Establishing the customer relationship is not at the customer's election; or

    (ii) Providing notice not later than when you establish a customer relationship would substantially delay the customer's transaction and customer agrees to receive the notice at a later time.

    (2) Examples of exceptions—(i) Substantial delay of customer's transaction. Providing notice not later than when you establish a customer relationship would substantially delay the customer's transaction when you and the individual agree over the telephone to enter into a customer relationship involving prompt delivery of the financial product or service.

    (ii) No substantial delay of customer's transaction. Providing notice not later than when you establish a customer relationship would not substantially delay the customer's transaction when the relationship is initiated in person at your office or through other means by which the customer may view the notice, such as through a website.

    * * * * *

    5. In § 313.5, revise paragraphs (a)(1) and (b)(2) and add paragraph (e) to read as follows:

    Annual privacy notice to customers required.

    (a)(1) General rule. Except as provided by paragraph (e) of this section, you must provide a clear and conspicuous notice to customers that accurately reflects your privacy policies and practices not less than annually during the continuation of the customer relationship. Annually means at least once in any period of 12 consecutive months during which that relationship exists. You may define the 12-consecutive-month period, but you must apply it to the customer on a consistent basis.

    * * * * *

    (b) * * *

    (2) Examples. Your customer becomes a former customer when:

    (i) In the case of a closed-end loan, the customer pays the loan in full, you charge off the loan, or you sell the loan without retaining servicing rights;

    (ii) In the case of vehicle loan brokering services, your customer has obtained a loan through you (and you no longer provide any statements or notices to the customer concerning that relationship), or has ceased using your services for such purposes;

    (iii) In cases where there is no definitive time at which the customer relationship has terminated, you have not communicated with the customer about the relationship for a period of 12 consecutive months, other than to provide annual privacy notices or promotional material.

    * * * * *

    (e) Exception to annual privacy notice requirement. (1) When exception available. You are not required to deliver an annual privacy notice if you:

    (i) Provide nonpublic personal information to nonaffiliated third parties only in accordance with the provisions of § 313.13, § 313.14, or § 313.15; and

    (ii) Have not changed your policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under § 313.6(a)(2) through (5) and (9) in the most recent privacy notice provided pursuant to this part.

    (2) Delivery of annual privacy notice after financial institution no longer meets requirements for exception. If you have been excepted from delivering an annual privacy notice pursuant to paragraph (e)(1) of this section and change your policies or practices in such a way that you no longer meet the requirements for that exception, you must comply with paragraph (e)(2)(i) or (ii) of this section, as applicable.

    (i) Changes preceded by a revised privacy notice. If you no longer meet the requirements of paragraph (e)(1) of this section because you change your policies or practices in such a way that § 313.8 requires you to provide a revised privacy notice, you must provide an annual privacy notice in accordance with the timing requirement in paragraph (a) of this section, treating the revised privacy notice as an initial privacy notice.

    (ii) Changes not preceded by a revised privacy notice. If you no longer meet the requirements of paragraph (e)(1) of this section because you change your policies or practices in such a way that § 313.8 does not require you to provide a revised privacy notice, you must provide an annual privacy notice within 100 days of the change in your policies or practices that causes you to no longer meet the requirement of paragraph (e)(1).

    (iii) Examples. (A) You change your policies and practices in such a way that you no longer meet the requirements of paragraph (e)(1) of this section effective April 1 of year 1. Assuming you define the 12-consecutive-month period pursuant to paragraph (a) of this section as a calendar year, if you were required to provide a revised privacy notice under § 313.8 and you provided that notice on March 1 of year 1, you must provide an annual privacy notice by December 31 of year 2. If you were not required to provide a revised privacy notice under § 313.8, you must provide an annual privacy notice by July 9 of year 1.

    (B) You change your policies and practices in such a way that you no longer meet the requirements of paragraph (e)(1) of this section, and so provide an annual notice to your customers. After providing the annual notice to your customers, you once again meet the requirements of paragraph (e)(1) of this section for an exception to the annual notice requirement. You do not need to provide additional annual notice to your customers until such time as you no longer meet the requirements of paragraph (e)(1) of this section.

    6. In § 313.15, revise paragraph (a)(4) to read as follows:

    Other exceptions to notice and opt out requirements.

    (a) * * *

    (4) To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies (including the Consumer Financial Protection Bureau, a federal functional regulator, the Secretary of the Treasury, with respect to 31 U.S.C. chapter 53, subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. chapter 21 (Financial Recordkeeping), a State insurance authority, with respect to any person domiciled in that insurance authority's State that is engaged in providing insurance, and the Federal Trade Commission), self-regulatory organizations, or for an investigation on a matter related to public safety.

    * * * * *

    By direction of the Commission.

    April J. Tabor,

    Acting Secretary.

    Footnotes

    1.  Public Law 106-102, 113 Stat. 1338 (1999).

    2.  65 FR 35162 (June 1, 2000).

    3.  65 FR 33646 (May 24, 2000) (FTC final rule); 65 FR 31722 (May 18, 2000) (NCUA final rule); 65 FR 40334 (June 29, 2000) (SEC final rule); 66 FR 21236 (Apr. 27, 2001) (CFTC final rule).

    4.  74 FR 62890 (Dec. 1, 2009); see also 16 CFR 313.2, 313.4-313.9.

    5.  Public Law 111-203, 124 Stat. 1376 (2010).

    6.  76 FR 79025 (Dec. 21, 2011).

    7.  12 U.S.C. 5519. The FTC retained rulemaking jurisdiction as to motor vehicle dealers that are predominantly engaged in the sale and servicing or the leasing and servicing of motor vehicles, excluding those dealers that directly extend credit to consumers and do not routinely assign the extensions of credit to an unaffiliated third party. For ease of reference, covered motor vehicle dealers are referenced herein as “motor vehicle dealers.”

    8.  77 FR 22200, 22201 (April 13, 2012) (also rescinding those regulations for which rulemaking authority was transferred to the CFPB under the Dodd-Frank Act).

    12.  Public Law 114-94, sec. 75001, 129 Stat. 1312, 1787 (2015).

    21.  15 U.S.C. 1681s-3. The FTC's Affiliate Marketing Rule applies to motor vehicle dealers. See 77 FR 22200 (Apr. 13, 2012). The FTC also enforces the CFPB's Regulation V's Affiliate Marketing Rule, 12 CFR part 1022, subpart C, for other entities over which the FTC has enforcement authority under the FCRA.

    23.  76 FR 75825, 75828 (Dec. 5, 2011).

    24.  79 FR 27214 (May 14, 2014) (CFPB Notice of Proposed Rulemaking).

    25.  79 FR 64057 (Oct. 28, 2014).

    26.  80 FR 36267 (June 24, 2015).

    27.  See 79 FR 64057 (Oct. 28, 2014).

    28.  The comments are posted at: https://www.ftc.gov/​policy/​public-comments/​2015/​06/​initiative-614. The Commission assigned each comment a number appearing after the name of the commenter and the date of submission.

    30.  In 2016, the CFPB issued a proposed amendment to Regulation P that would alter the annual notice requirement to conform to the statutory changes. 81 FR 44801 (July 11, 2016). The rule became final in September 2018. 83 FR 40945 (Sept. 17, 2018).

    31.  For other types of financial institutions over which the Commission has enforcement authority under the GLBA, the Commission now enforces the CFPB's Regulation P.

    33.  The Commission also proposes a change to 16 CFR 313.3(j) removing the Director of the Office of Thrift Supervision from the definition of “Federal Functional Regulators,” as the Office of Thrift Supervision no longer exists.

    35.  The Commission also proposes to amend 16 CFR 313.15(a)(4) to add the CFPB to the list of law enforcement agencies to which financial institutions are permitted to share information to the extent permitted by law.

    37.  The NPRM relating to the Safeguards Rule is published elsewhere in this issue of the Federal Register.

    38.  See 81 FR 44801 (July 10, 2016).

    39.  See 16 CFR 313.3(k); see also 65 FR 33646, 33654 (May 24, 2000).

    40.  The Commission also added the requirement that an entity must be “significantly engaged” in the financial activity to be considered a financial institution under the Privacy Rule. 16 CFR 313.3(k). The Commission is not proposing to change this requirement.

    41.  65 FR 33646, 33654 n.23 (May 24, 2000).

    43.  This proposal is also consistent with the agency's concurrent proposal to revise the Safeguards Rule in the same manner.

    47.  The FTC has current clearance through November 30, 2020. The OMB Control Number is 3084-0121.

    50.  The U.S. Small Business Administration Table of Small Business Size Standards Matched to North American Industry Classification System Codes (NAICS) are generally expressed in either millions of dollars or number of employees. A size standard is the largest that a business can be and still qualify as a small business for Federal Government programs. For the most part, size standards are the annual receipts or the average employment of a firm. New car dealers (NAICS code 441100) are classified as small if they have fewer than 200 employees. Used car dealers (NAICS code 441120) are classified as small if their annual receipts are $25 million or less. Recreational vehicle dealers, boat dealers, motorcycle, ATV and all other motor vehicle dealers (NAICS codes 441210, 441222 and 441228) are classified as small if their annual receipts are $32.5 million or less. The 2017 Table of Small Business Size Standards is available at https://www.sba.gov/​sites/​default/​files/​files/​Size_​Standards_​Table_​2017.pdf.

    [FR Doc. 2019-06039 Filed 4-3-19; 8:45 am]

    BILLING CODE 6750-01-P

Document Information

Published:
04/04/2019
Department:
Federal Trade Commission
Entry Type:
Proposed Rule
Action:
Notice of proposed rulemaking; request for public comment.
Document Number:
2019-06039
Dates:
Written comments must be received on or before June 3, 2019.
Pages:
13150-13158 (9 pages)
RINs:
3084-AB42: Privacy of Consumer Financial Information
RIN Links:
https://www.federalregister.gov/regulations/3084-AB42/privacy-of-consumer-financial-information
Topics:
Consumer protection, Credit, Privacy, Trade practices
PDF File:
2019-06039.pdf
CFR: (5)
16 CFR 313.1
16 CFR 313.3
16 CFR 313.4
16 CFR 313.5
16 CFR 313.15