Amendment to the Privacy of Consumer Financial Information Rule Under the Gramm-Leach-Bliley Act, 36267-36279 [2015-14328]

Federal Register / Vol. 80, No. 121 / Wednesday, June 24, 2015 / Proposed Rules

FEDERAL TRADE COMMISSION

16 CFR Part 313

RIN 3084–AB42

Amendment to the Privacy of Consumer Financial Information Rule Under the Gramm-Leach-Bliley Act

AGENCY: Federal Trade Commission (FTC or Commission).

ACTION: Notice of proposed rulemaking; Request for public comment.

SUMMARY: The FTC proposes to amend the Privacy of Consumer Financial Information Rule (Privacy Rule or Rule), which among other things requires that certain motor vehicle dealers provide an annual disclosure of their privacy policies to their customers by hand delivery, mail, electronic delivery, or, alternatively through a Web site, but only with the consent of the consumer. The amendment would allow motor vehicle dealers instead to notify their customers that a privacy policy is available on their Web site, under certain circumstances.
The amendment would also revise the scope and definitions in this rule in light of the transfer of part of the Commission’s rulemaking authority to the Consumer Financial Protection Bureau (CFPB or the Bureau) in the Dodd-Frank Wall Street Reform and Consumer Protection Act, but retains certain examples for purposes of the FTC’s Safeguards Rule.

DATES: Comments must be received on or before August 31, 2015.

ADDRESSES: Interested parties may file a comment online or on paper, by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Write “Amendment to the Privacy of Consumer Financial Information Rule, 16 CFR part 313, Project No. R411016” on your comment, and file your comment online at https://ftcpublic.commentworks.com/ftc/GLBPrivacyamendment, by following the instructions on the web-based form. If you prefer to file your comment on paper, write “Amendment to the Privacy of Consumer Financial Information Rule, 16 CFR part 313, Project No. R411016” on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC–5610 (Annex E), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex E), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: Steven Toporoff, (202) 326–3135, Attorney, Division of Privacy and Identity Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW., Washington, DC 20580.

SUPPLEMENTARY INFORMATION:

I. Summary of the Proposed Rule

The Gramm-Leach-Bliley Act (GLBA) 1 mandates that financial institutions provide their customers with initial and annual notices regarding their privacy policies.
If financial institutions share certain customer information with particular types of third parties, the institutions are also required to provide an opportunity to opt out of the sharing. The Commission issued its rule implementing these provisions in 2000.2 The Dodd-Frank Wall Street Reform and Consumer Protection Act transferred GLBA privacy notice rulemaking authority, in part, to the Bureau; however, the Commission retains rulemaking authority over any financial institution that is a motor vehicle dealer predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both, as described in Section 1029 of the Dodd-Frank Act, 12 U.S.C. 5519 (hereafter, motor vehicle dealers).

The Commission proposes to revise its Privacy Rule, 16 CFR part 313, in two ways. First, in light of the transfer of rulemaking authority for certain financial institutions to the Bureau, the Commission proposes to revise the explanation of the scope of the Rule and to tailor the examples provided in the Rule’s Definitions section describing entities over which the Commission has retained rulemaking authority. The Commission believes that revising these provisions will eliminate extraneous information, clarify the Rule’s applicability, and reduce confusion as to entities covered by the Rule. The Rule also retains several examples explaining the types of entities covered by the Safeguards Rule, 16 CFR part 314.

Second, the Commission proposes to provide an alternative means for covered motor vehicle dealers to fulfill their obligation under the Privacy Rule to provide notice of their privacy policies. Under the proposal, motor vehicle dealers that do not engage in certain types of information-sharing activities would no longer be required to mail an annual privacy notice if they clearly and conspicuously convey, as part of another mandated or legally permissible notice or disclosure, that their privacy notice is available on their publicly accessible Web site.

1 15 U.S.C. 6801 et seq.
2 65 FR 33646 (May 24, 2000).

This proposed revision is consistent with changes made in an October 28, 2014, rulemaking by the Bureau, which has rulemaking authority over depository institutions and many non-depository institutions.3 The Commission believes that the proposed changes are consistent with those issued by the Bureau, and will help avoid consumer confusion and ensure that the requirements for motor vehicle dealers covered by the Rule are consistent with the GLBA’s privacy provisions for other financial institutions. Such changes may also streamline the flow of information to consumers, while easing the burden on motor vehicle dealers of providing annual notices.

The Commission invites comment on the proposed rule revisions generally and on the specific issues outlined throughout Section IV. In addition, the Commission requests comment on whether, and the extent to which, the FTC’s Privacy Rule applicable to motor vehicle dealers should be consistent with the rule adopted by the Bureau, or if there are elements that should differ. The Commission seeks comment on the proposal through August 17, 2015.

II. Background

A. The Statute and Regulation

The GLBA was enacted in 1999.4 The GLBA, among other things, provides a framework for regulating the privacy practices of a broad range of entities. The GLBA requires that financial institutions provide their customers with initial and annual notices regarding their privacy policies, and allow their customers to opt out of sharing their information with certain nonaffiliated third parties.
Covered entities include, for example, payday lenders, mortgage brokers, check cashers, debt collectors, real estate appraisers, certain motor vehicle dealers and remittance transfer providers.

Rulemaking authority to implement the GLBA’s privacy provisions was initially spread among many agencies. The Federal Reserve Board (Board), the Office of Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the Office of Thrift Supervision (OTS) jointly adopted final rules to implement the notice requirements of the GLBA in 2000.5 The Commission, the National Credit Union Administration (NCUA), Securities and Exchange Commission (SEC), and Commodity Futures Trading Commission (CFTC) were part of the same interagency process, but issued their rules separately.6 In 2009, all these agencies issued a joint final rule with a model form that financial institutions could use, at their option, to provide the required initial and annual privacy disclosures.7

3 79 FR 64057 (Oct. 28, 2014).
4 Public Law 106–102, 113 Stat. 1338 (1999).
5 65 FR 35162 (June 1, 2000).

In 2011, the Dodd-Frank Act 8 transferred the GLBA’s privacy notice rulemaking authority from the Board, NCUA, OCC, OTS, the FDIC, and the Commission (in part) to the Bureau. The Bureau then restated the implementing regulations in Regulation P, 12 CFR part 1016, in late 2011 (Regulation P).9 However, under the Dodd-Frank Act, the Commission retained rulemaking authority for motor vehicle dealers described in section 1029 of the Dodd-Frank Act, 12 U.S.C. 5519.
Thus, in 2012, the Commission issued a notice that it was retaining the implementing regulations governing privacy notices for motor vehicles dealers, at 16 CFR part 313.10

Despite the transfer of general rulemaking authority for the Privacy Rule to the CFPB, the Commission and other agencies retained their existing enforcement authority under the GLBA.11 In addition, the SEC and CFTC retained rulemaking authority with respect to securities and futures-related companies, respectively.12 Accordingly, as part of this rulemaking process, the Commission has consulted and coordinated, or offered to consult, with those agencies who have rulemaking and/or enforcement authority under the GLBA, including the Bureau, SEC, CFTC and the National Association of Insurance Commissioners (NAIC).13

6 65 FR 33646 (May 24, 2000) (FTC final rule); 65 FR 31722 (May 18, 2000) (NCUA final rule); 65 FR 40334 (June 29, 2000) (SEC final rule); 66 FR 21252 (Apr. 27, 2001) (CFTC final rule).
7 74 FR 62890 (Dec. 1, 2009).
8 Public Law 111–203, 124 Stat. 1376 (2010).
9 76 FR 79025 (Dec. 21, 2011).
10 77 FR 22200, 22201 (April 13, 2012) (also rescinding those regulations for which rulemaking authority was transferred to the Bureau under the Dodd-Frank Act).
11 15 U.S.C. 6805(a).
12 15 U.S.C. 6804, 6809; 12 U.S.C. 1843(k)(4); 12 CFR 1016.1(b).
13 See 15 U.S.C. 6804(a)(2).

B. The Privacy Notice Requirements

As noted, the GLBA and the FTC Privacy Rule require that certain covered motor vehicle dealers provide consumers with notices describing their privacy policies. Section 503 of the GLBA and 16 CFR 313.4 require covered entities to provide an initial notice of these policies, and then “provide a clear and conspicuous notice to customers that accurately reflects [their] privacy policies and practices not less than annually during the continuation of the customer relationship.” 14

Section 502 of the GLBA and 16 CFR 313.6(a)(6) require that initial and annual notices inform customers of their right to opt out of the sharing of nonpublic personal information with some types of nonaffiliated third parties. For example, a customer has the right to opt out of allowing a motor vehicle dealer to sell her name and address to a nonaffiliated auto insurance company. On the other hand, a motor vehicle dealer is not required to allow consumers to opt out of the dealer’s sharing involving third-party service providers, joint marketing arrangements, maintenance and servicing of accounts, securitization, law enforcement and compliance, reporting to consumer reporting agencies, and certain other activities that are specified in the statute and regulation.15 If a motor vehicle dealer limits its sharing to uses that do not trigger opt-out rights, it may provide an annual privacy notice to its customers that does not include information regarding opt-out rights.

Motor vehicle dealers also may include in the annual privacy notice information about certain consumer opt-out rights related to affiliate sharing under the FCRA.
First, section 603(d)(2)(A)(iii) of the FCRA allows the sharing of a consumer’s information among affiliates, but only if the consumer is notified of such sharing and is given an opportunity to opt out.16 Section 503(c)(4) of the GLBA and the Privacy Rule generally require motor vehicle dealers to incorporate any notifications and opt-out disclosures provided pursuant to section 603(d)(2)(A)(iii) of the FCRA into their initial and annual privacy notices.17 Second, section 624 of the FCRA and 16 CFR 680 (the Affiliate Marketing Rule) provide that an affiliate of a motor vehicle dealer that receives certain information 18 about a consumer from the dealer may not use that information for marketing purposes, unless the consumer is provided with an opportunity to opt out of that use.19 This requirement governs the use of information by an affiliate, not the sharing of information among affiliates, and thus is distinct from the affiliate sharing opt-out discussed above. The Affiliate Marketing Rule permits (but does not require) motor vehicle dealers to incorporate any opt-out disclosures provided under section 624 of the FCRA and the Affiliate Marketing Rule into the initial and annual privacy notices required by the GLBA.20 Finally, § 313.6(a)(8) of the Privacy Rule requires that the notices also briefly describe how motor vehicle dealers protect the nonpublic personal information they collect and maintain.

14 16 CFR 313.5(a)(1) (emphasis added).
15 15 U.S.C. 6802(b)(2), 6802(e); 16 CFR 313.13, 313.14, 313.15.
16 15 U.S.C. 1681a(d)(2)(A)(iii).
17 15 U.S.C. 6803(c)(4); 16 CFR 313.6(a)(7).
18 The type of information to which section 624 applies is information that would be a consumer report but for the exclusions provided by section 603(d)(2)(A)(i), (ii), or (iii) of the FCRA.
19 15 U.S.C. 1681s–3. The FTC’s Affiliate Marketing Rule applies to motor vehicle dealers. See 77 FR 22200. The FTC also enforces the Bureau’s Regulation V’s Affiliate Marketing Rule, 12 CFR part 1022, subpart C, for other entities over which it has enforcement authority under the FCRA.
20 16 CFR 680.23(b).

C. The Bureau Rulemaking

In December 2011, the Bureau issued a Request for Information seeking specific suggestions for streamlining regulations that were transferred to the Bureau from other Federal agencies (Streamlining RFI), including the annual privacy notice requirement.21 The Bureau received numerous comments from industry urging the Bureau to eliminate or reduce the annual notice requirement.22 Industry argued that most customers ignore annual privacy notices; the content of the disclosures provides little benefit when customers have no right to opt out of information sharing; current distribution of the notices imposes significant costs; and other methods of delivery could effectively convey the information to customers at a lower cost. Industry commenters suggested that the Bureau eliminate or ease the annual notice requirement if businesses’ privacy policies have not changed and they do not share nonpublic personal information beyond the exceptions allowed by the GLBA.23 Consumer advocacy groups highlighted the benefit customers receive from printed annual privacy notices, which may remind customers of privacy rights that they may not have exercised previously.24

In November of 2013, the Bureau published a study assessing the effects of certain deposit regulations on financial institutions’ operations.25 This study provided operational insights from seven banks about their annual privacy notices. All seven participants provided the annual notice as a separate mailing, which resulted in higher costs for postage, materials, and labor than if the notice were mailed with other material. Some of these participants separately mailed their notices to ensure that their disclosures are “clear and conspicuous,” 26 even though 2009 guidance from the eight agencies promulgating the model privacy form explained that a separate mailing is not required.27

As a result of its Streamlining RFI, study, and its outreach to industry and consumer groups, in May 2014, the Bureau issued a proposed rule to amend its Regulation P to allow financial institutions to notify consumers that a privacy notice was available online, in certain enumerated circumstances. The comment period closed on July 14, 2014. As noted above, the Bureau finalized its rulemaking in October 2014.28

21 76 FR 75825, 75828 (Dec. 5, 2011).
22 79 FR 27214 at 27217 (May 14, 2014) (Bureau Notice of Proposed Rulemaking).
23 Id.
24 Id.
25 Consumer Financial Protection Bureau, “Understanding the Effects of Certain Deposit Regulations on Financial Institutions’ Operations: Findings on Relative Costs for Systems, Personnel, and Processes at Seven Institutions” (Nov. 2013), available at https://files.consumerfinance.gov/f/201311_cfpb_report_findings-relative-costs.pdf. Information collected for the study may be used to assist the Bureau in its investigations of “the effects of a potential or existing regulation on the business decisions of providers.” OMB Information Request—Control Number: 3170–0032.
26 15 U.S.C. 6803 (In its initial and annual privacy notices “a financial institution shall provide a clear and conspicuous disclosure . . . .”); 12 CFR 1016.3(b)(1) and 16 CFR 313.3(b)(1) (both defining “clear and conspicuous” as “reasonably understandable and designed to call attention to the nature and significance of the information in the notice.”).
27 See 74 FR 62890, 62897–62898.
28 79 FR 64057 (Oct. 28, 2014).

III. The Commission’s Proposed Rule Changes

A. Technical Changes To Correspond to Statutory Changes

The Commission adopted the scope and definitions in the existing Privacy Rule at a time when it had rulemaking authority for the Privacy Rule over a broader group of non-bank “financial institutions” as defined by the GLBA. While the Dodd-Frank Act did not change the Commission’s enforcement authority for the privacy notice obligations of the GLBA, the Dodd-Frank Act amended the Commission’s rulemaking authority under the GLBA such that its Privacy Rule only applies to motor vehicle dealers. For other types of financial institutions over which the Commission has enforcement authority under the GLBA, the Commission now enforces the Bureau’s Regulation P. The amendments in the Dodd-Frank Act necessitate certain technical revisions to the Privacy Rule to ensure that the regulation is consistent with the text of the amended GLBA.29 Specifically, the Commission proposes to modify the Scope and Definitions section of the Privacy Rule to provide clearer guidance to financial institutions that are covered motor vehicle dealers.

Although the Dodd-Frank Act altered the Commission’s rulemaking authority with respect to the Privacy Rule, it did not alter the Commission’s rulemaking authority for the GLBA’s Standards for Safeguarding Customer Information, at 16 CFR part 314 (the Safeguards Rule). For the Safeguards Rule, the Commission continues to have rulemaking authority over a broad range of non-bank financial institutions.
The Safeguards Rule, however, incorporates by reference the definitions contained in the Privacy Rule, including all of the examples of financial institutions listed in the existing Privacy Rule.30 Accordingly, the Commission proposes to change the Privacy Rule definitions to make clear that, for the purpose of the Privacy Rule, the only examples applicable in the definitions are those related to motor vehicle dealers; for the purpose of the Safeguards Rule, however, all existing examples in the Privacy Rule continue to apply.

B. Changes to the Annual Privacy Notice

The Commission also proposes changes to the Privacy Rule provisions governing how motor vehicle dealers should deliver annual privacy notices. These changes are consistent with changes adopted by the Bureau for those financial institutions subject to the Bureau’s rulemaking authority. Under certain limited circumstances, these changes to the Privacy Rule would allow motor vehicle dealers to convey clearly and conspicuously—through another mandated or legally permissible notice or disclosure—that their privacy notice is available on their Web site (hereafter, the alternative delivery method).31 If, however, a motor vehicle dealer has made changes to its privacy practices or shares its customers’ nonpublic personal information with nonaffiliated third parties, the dealer generally could not avail itself of this alternative delivery method.32

29 15 U.S.C. 6804(1)(C).
30 16 CFR 314.2(a).
31 Because this disclosure must be provided annually, the proposal satisfies the statutory requirement that motor vehicle dealers provide annual notices about their privacy practices. Beyond the requirement to provide the notice annually, the GLBA allows agencies to prescribe the method of delivery. See 15 U.S.C. 6803(a) (The GLBA allows annual notice to be delivered “in writing or in electronic form or other form permitted by the regulations . . .”).

The Commission anticipates that use of the alternative delivery method that meets the requirements discussed below could inform customers of their motor vehicle dealer’s privacy policies effectively and at a lower cost than the current widespread method of mailing annual privacy notices. The cost savings could benefit both consumers and businesses.33

The Commission has also considered the potential impact of its proposed rule change on consumer privacy. The proposal would not affect the actual collection or use of consumers’ nonpublic personal information by motor vehicle dealers, and consumers would continue to get the information and opt-out rights they are entitled to under the statute. Moreover, the proposal would enable consumers to review a motor vehicle dealer’s policy at her own convenience any time during the year. For example, a motor vehicle dealer choosing to use the alternative method would have to post the privacy notice continuously on its Web site, thus enabling consumers to access the privacy notice throughout the year rather than having to wait for an annual mailing.

IV. Section-by-Section Analysis

Section 313.1(b)—Scope

Section 313.1(b) outlines the scope of the Privacy Rule. The existing Rule describes the types of entities to which the Privacy Rule was applicable prior to the enactment of the Dodd-Frank Act.
Those entities included—but were not limited to—financial institutions such as “payday” lenders, mortgage brokers, check cashers, and tax preparation firms, but did not include entities that were subject to the rulemaking authority of another agency.34 With the exception of motor vehicle dealers, the entities formerly subject to 16 CFR part 313 are now subject to the Bureau’s Regulation P.35 The Commission seeks to revise the Privacy Rule to make clear that it applies only to motor vehicle dealers. Accordingly, the Commission proposes to revise § 313.1(b) to remove examples of entities to which the FTC’s Privacy Rule no longer applies. The Commission also proposes to remove the reference in the Privacy Rule’s scope to “other persons.” Although the Commission continues to have enforcement authority over “other persons” covered by the CFPB’s rule, the Commission no longer has rulemaking authority for the Privacy Rule over “other persons.”

32 A motor vehicle dealer may use the alternative delivery method if such sharing does not trigger GLBA opt-out rights as set forth in Parts 313.13, 313.14, and 313.15.
33 See 79 FR at 27218; 79 FR at 64061.
34 See 15 U.S.C. 6804 (2010).
35 The Commission retains enforcement authority over such entities for violations of the Bureau’s Regulation P. 15 U.S.C. 6805(a)(7).

In addition, the Commission proposes to eliminate from § 313.1(b) the note indicating that: (1) The Privacy Rule does not modify, limit, or supersede the standards under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and (2) if a financial institution that is an institution of higher education is in compliance with the Federal Educational Rights and Privacy Act (FERPA) and its implementing regulations, such institution shall be deemed in compliance with 16 CFR part 313.
The Commission believes it unlikely that this note is applicable to motor vehicle dealers but requests comment as to whether motor vehicle dealers ever engage in practices that require them to comply with HIPAA or FERPA. In addition, the Commission invites general comment on the proposed changes to the description of the scope of the Privacy Rule.

Section 313.3—Definitions

The Definitions section of the Privacy Rule includes a number of examples designed to provide guidance regarding the scope of terms used in the Privacy Rule. The Commission proposes to revise these definitions so that they provide accurate guidance regarding the Rule’s scope. Specifically, the Commission proposes to revise § 313.3 to make clear that certain examples in five definitions are not applicable to motor vehicle dealers for purposes of the Privacy Rule but continue to apply for purposes of the Safeguards Rule. Similarly, the Commission proposes to revise the definition of “you,” which currently includes entities to which the Privacy Rule no longer applies.

First, for purposes of the Privacy Rule, proposed § 313.3(e)(2) no longer includes, as examples of “consumers,” those consumers seeking financial advisory services 36 or consumers with which the financial institution has a relationship related to a trust.37 The examples are retained for purposes of the Safeguards Rule, 16 CFR part 314.

36 16 CFR 313.3(e)(2)(iii).
37 16 CFR 313.3(e)(2)(vi) and (vii).

Second, for purposes of the Privacy Rule, proposed § 313.3(i)(2) no longer includes, as examples of a “continuing relationship” with a customer, a relationship in which the financial institution holds an investment product for the consumer; 38 enters into an agreement to arrange or broker a home mortgage loan; 39 provides financial, investment, or economic advisory services to a consumer; 40 provides tax preparation or credit counseling services; 41 provides career counseling for seeking employment with a financial institution or a financial, accounting or audit department of a company; 42 purchases an account, on which the consumer has an obligation, from another financial institution; 43 or provides real estate settlement services.44 The examples are retained for purposes of the Safeguards Rule.

Third, for purposes of the Privacy Rule, proposed § 313.3(i)(2) no longer includes, as examples of “no continuing relationship” with a customer, a relationship in which the financial institution sells airline tickets 45 or sells checks for a personal checking account.46 The examples are retained for purposes of the Safeguards Rule.

Fourth, for purposes of the Privacy Rule, proposed § 313.3(k)(2) no longer includes, as examples of “financial institutions,” retailers that extend credit by issuing their own credit cards to consumers; career counselors specializing in finance, accounting or audit employment; businesses that print and sell checks; businesses that regularly wire money to and from consumers; check cashing businesses; accountants or other tax preparation services that are in the business of completing tax returns; businesses that operate travel services in connection with financial services; businesses providing real estate settlement services; mortgage brokers, or investment advisory companies and credit counseling services.47 The examples are retained for purposes of the Safeguards Rule.
Fifth, for purposes of the Privacy Rule, proposed § 313.3(k)(5) no longer includes as examples of “entities that are not significantly engaged in financial activities,” retailers that only extend credit via occasional “lay away” and deferred payment plans; merchants that allow individuals to “run a tab”; or grocery stores that allow individuals to cash checks or write checks for a higher amount than a purchase and obtain cash back.48 The examples are retained for purposes of the Safeguards Rule.

38 16 CFR 313.3(i)(2)(i)(D). The Privacy Rule requires motor vehicle dealers to provide an annual notice while there is a continuing relationship between the dealer and the customer.
39 16 CFR 313.3(i)(2)(i)(E). This subsection has been revised to remove the portion of the example relating to home mortgage loans but retains the portion relating to credit to purchase a vehicle.
40 16 CFR 313.3(i)(2)(i)(G).
41 16 CFR 313.3(i)(2)(i)(H).
42 16 CFR 313.3(i)(2)(i)(I).
43 16 CFR 313.3(i)(2)(i)(J).
44 16 CFR 313.3(i)(2)(i)(K).
45 16 CFR 313.3(i)(2)(ii)(C).
46 16 CFR 313.3(i)(2)(ii)(E).
47 16 CFR 313.3(k)(2)(E)(i), (iv)–(xii).

The Commission invites comment regarding whether any of the examples that the Commission proposes to eliminate for purposes of the Privacy Rule are applicable to motor vehicle dealers. The Commission also seeks comment regarding the examples that remain for purposes of the Privacy Rule in the definitions of proposed § 313.3 and the applicability of such examples to motor vehicle dealers.

The existing Privacy Rule generally defines “you” as a financial institution over which the Commission has enforcement jurisdiction under the GLBA.
Because this definition refers to the Commission’s enforcement authority rather than its rulemaking authority, the definition is overbroad in light of the amendments to the GLBA discussed above. Therefore, the Commission proposes to revise the definition of “you” so that for purposes of the Privacy Rule it applies to only those entities over which the Commission has rulemaking authority. For purposes of the Safeguards Rule, the definition of “you” remains unchanged. The Commission requests comment on the proposed changes to the definition of “you.”

The Commission notes that the purpose of the changes to the Privacy Rule scope and definitions serve solely to conform the Privacy Rule to the revisions in the Dodd-Frank Act as to the scope of the Commission’s rulemaking authority. These changes do not reflect any change in the Commission’s authority to enforce the Privacy Rule or Regulation P.

Section 313.9—Delivering Privacy and Opt-Out Notices

Section 313.9(a) of the Rule requires that motor vehicle dealers provide initial and annual privacy notices so that each consumer “can reasonably be expected” to receive actual notice in writing or, if the consumer agrees, electronically. Section 313.9(b) provides examples of delivery methods that would result in reasonable expectation of actual notice, including hand delivery and delivery by mail. The examples also include posting on a Web site for customers who: (1) Conduct transactions electronically, and (2) acknowledge receipt of the notice as a necessary step to obtaining a particular financial product or service.49 Section 313.9(c) further allows delivery of the annual notice through a Web site, but only if a customer uses the dealer’s Web site to access financial products and services and consents to receive notices at the Web site.50

48 16 CFR 313.3(k)(4)(iii) and (iv).
49 16 CFR 313.9(b).

Below, the Commission describes proposed changes to § 313.9(c) that would allow motor vehicle dealers to utilize an alternative delivery method for the annual notices. In some circumstances, motor vehicle dealers could substitute their annual privacy notices with a clear and conspicuous disclosure—as part of an account statement, coupon book, or other legally-required or permitted notice or disclosure—stating that their privacy notice is available on their Web site and will be mailed to the customer on request. As required by the GLBA, this substitute disclosure would have to be provided at least annually.

The Commission seeks information concerning the effect on customer privacy rights if motor vehicle dealers were to use the alternative delivery method rather than their current delivery methods. Relatedly, the Commission requests comment on how often customers currently read annual privacy notices under the Privacy Rule and how frequently the notices would be read if they were provided pursuant to the proposed alternative delivery method. The Commission further requests comment on whether the proposed alternative delivery method would be effective in reducing the burden on motor vehicle dealers of mailing hard copy privacy notices. In particular, the Commission requests information regarding how many annual privacy notices motor vehicle dealers provide.

Lastly, the Commission notes that the current Rule prescribes certain circumstances under which motor vehicle dealers can provide privacy notices electronically or via online posting.
For example, the Rule allows covered entities to provide notices electronically if the consumer agrees or to provide notice online if the consumer is required to acknowledge receipt of the notice. See 16 CFR 313.9. The Commission invites comment regarding how often privacy notices are delivered electronically or posted online under the existing Rule and whether companies that currently provide notices electronically will likely experience cost savings under the proposed new rule requirements.

50 16 CFR 313.9(c).

9(c)(2) Alternative Method for Providing Certain Annual Notices

9(c)(2)(i)

Proposed § 313.9(c)(2)(i) describes the circumstances under which a motor vehicle dealer may use the alternative delivery method summarized above.51

9(c)(2)(i)(A)

Proposed § 313.9(c)(2)(i)(A) would set forth the first condition for using the alternative delivery method: That the motor vehicle dealer must not share the customer’s information with nonaffiliated third parties in a manner that triggers the opt-out requirement under the GLBA. Thus, for example, a motor vehicle dealer may use the alternative delivery method if it shares the customer’s information with nonaffiliated third parties as permitted by §§ 313.13 (for joint marketing), 313.14 (for processing and servicing transactions), and 313.15 (with consent, or for security purposes, fraud prevention, legal purposes or fiduciary purposes). It may not use the alternative delivery method, for example, if it shares the customer’s nonpublic personal information with a nonaffiliated insurance company for marketing purposes. The Commission believes the alternative delivery method will generally reduce the burden of compliance for motor vehicle dealers, while still mandating the use of the current delivery method to ensure that customers have direct notice of their opt-out rights, where they exist.
The Commission invites comment on the number of motor vehicle dealers that would not be able to take advantage of the alternative delivery method because they share data with nonaffiliated third parties. The Commission further invites comment on whether customers with opt-out rights pursuant to the Privacy Rule should continue to receive the annual privacy notice pursuant to the current delivery method or if motor vehicle dealers should be able to utilize the proposed alternative delivery method for such customers.

51 Existing § 313.9(c) would be redesignated as § 313.9(c)(1) and its subparagraphs redesignated as § 313.9(c)(1)(i) and (ii), respectively, to accommodate the new addition. The Commission is also proposing to add a heading to new paragraph (c)(1) for technical reasons.

9(c)(2)(i)(B)

Proposed § 313.9(c)(2)(i)(B) would set forth the second condition for using the alternative delivery method for the annual privacy notice: That the motor vehicle dealer not include on its annual notice an opt-out under section 603(d)(2)(A)(iii) of the FCRA.52 As discussed above, FCRA section 603(d)(2)(A)(iii) allows sharing of certain consumer information with affiliates, but only if the motor vehicle dealer provides the consumer with notice and an opportunity to opt out of the information sharing. Although this is a requirement of the FCRA, section 503(b)(4) of the GLBA and § 313.6(a)(7) of the Privacy Rule require a motor vehicle dealer’s privacy notice to include any opt-out rights provided under section 603(d)(2)(A)(iii) of the FCRA.
Accordingly, to the extent that a motor vehicle dealer shares customer information with affiliates for marketing purposes, thus triggering the obligation to include an opt-out pursuant to FCRA section 603(d)(2)(A)(iii), the motor vehicle dealer cannot take advantage of the alternative delivery method.53 As noted above, the Commission believes that directly reminding consumers of any opt-out rights at least annually will be important for consumers. This is true regardless whether the opt-out right is provided under the GLBA or the FCRA. The Commission invites comment on the extent to which different motor vehicle dealers provide a FCRA section 603(d)(2)(A)(iii) opt-out and thus would be precluded from using the proposed alternative delivery method. The Commission further invites comment as to whether customers with opt-out rights under this section of the FCRA benefit from receiving the annual privacy notice pursuant to the current delivery method or could receive the notice via the proposed alternative delivery method.

52 15 U.S.C. 1681a(d)(2)(A)(iii).
53 See 64 FR 35162, 35176 (June 1, 2000).

9(c)(2)(i)(C)

Proposed § 313.9(c)(2)(i)(C) would contain the third condition for using the alternative delivery method, related to the requirements of section 624 of the FCRA 54 and the Affiliate Marketing Rule, 16 CFR part 680. FCRA section 624, as implemented by the Affiliate Marketing Rule, provides that a person may not use certain information about a consumer that it receives from an affiliate to market to that consumer unless the consumer receives notice and the opportunity to opt out of such marketing.55 In contrast to the FCRA section 603(d)(2)(A)(iii) notice and opt-out right concerning affiliate sharing, which is generally required to be included on the GLBA annual privacy notice, the FCRA section 624 (and Affiliate Marketing Rule) notice and opt-out right concerning marketing by affiliates is not required to be included on that notice. However, the Affiliate Marketing Rule notice and opt-out right may be included on the privacy notice.56

The Commission proposes—under § 313.9(c)(2)(i)(C)—that a motor vehicle dealer that is required to provide a notice and opt out under the Affiliate Marketing Rule may use the alternative delivery method, provided that the motor vehicle dealer has previously satisfied the Affiliate Marketing Rule requirements or does not use the annual privacy notice as the sole means of providing notice to customers of that opt-out right.57 Alternatively, the motor vehicle dealer could continue to use the current delivery method and include the Affiliate Marketing opt-out on the annual privacy notice, with no separate notice required. The Commission invites comment on the extent to which motor vehicle dealers include the Affiliate Marketing Rule opt-out on their Privacy Rule privacy notices and thus would be precluded from using the proposed alternative delivery method. The Commission further invites comment on whether imposing this condition on using the alternative delivery method is beneficial to consumers.

54 15 U.S.C. 1681s–3.
55 16 CFR 680.21(a).
56 16 CFR 680.23(b).
57 Certain requirements for the Affiliate Marketing notice and opt out differ, depending on whether it is included as part of the model privacy notice or issued separately. Where a motor vehicle dealer includes the Affiliate Marketing notice and opt-out on the model privacy notice, that opt-out must be of indefinite duration. See Appendix A to Part 313 at C.2(d)(6). In contrast, where a motor vehicle dealer provides the Affiliate Marketing notice and opt-out separately, the Affiliate Marketing Rule allows the opt-out to be offered for as little as five years, subject to renewal, and the disclosure of the duration of the opt-out must be included on the notice. See 16 CFR 680.22(b). 16 CFR 680.23(a)(1)(iv). Because inclusion of the Affiliate Marketing opt-out on the model privacy notice requires a motor vehicle dealer to honor the opt-out indefinitely, a motor vehicle dealer that also offers the opt-out right separately in order to use the alternative delivery method would be able to comply with both the Privacy Rule and the Affiliate Marketing Rule by stating in the separate Affiliate Marketing notice that the opt-out is of indefinite duration and by honoring such opt-out requests indefinitely.

9(c)(2)(i)(D)

Proposed § 313.9(c)(2)(i)(D) would present the fourth condition for using the alternative delivery method: That the substantive information a motor vehicle dealer is required to convey on its annual privacy notice has not changed since the immediately previous privacy notice (whether initial, annual, or revised) to the customer.58 The Commission believes that the current delivery method is likely less useful if the customer has already received a privacy notice, and the motor vehicle dealer’s sharing practices remain generally unchanged since that previous notice. Proposed § 313.9(c)(2)(i)(D) lists the specific disclosures of the privacy notice that must not change in order for a motor vehicle dealer to take advantage of the alternative delivery method. They are:

• The categories of nonpublic personal information that the motor vehicle dealer collects (§ 313.6(a)(1) and (a)(4));
• the categories of nonpublic personal information that the motor vehicle dealer discloses (§ 313.6(a)(2));
• the categories of affiliates and nonaffiliated third parties to whom the motor vehicle dealer discloses nonpublic personal information, other than to parties that administer or enforce transactions, service or process financial products, or maintain or service accounts, under § 313.14 and to parties for security, fraud prevention, legal purposes, or similar purposes under § 313.15 (§ 313.6(a)(3));
• if the motor vehicle dealer discloses nonpublic personal information to a nonaffiliated third party for joint marketing as set forth under § 313.13, a separate statement of the categories of information disclosed and the categories of third parties to whom the disclosures were made (§ 313.6(a)(5));
• the motor vehicle dealer’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information (§ 313.6(a)(8)); and
• the description of the purpose for sharing with service providers and other entities that conduct fraud prevention, security, or similar services (§ 313.6(a)(9)).

The Commission emphasizes that a motor vehicle dealer would be precluded from using the alternative delivery method only if it made substantive changes to the information disclosed on the previous written notice sent to the consumer. Stylistic changes in the wording of the notice that do not denote a change in practices would not prevent a motor vehicle dealer from using the alternative delivery method. Nor would the proposed section prohibit a motor vehicle dealer from using the alternative delivery method if the dealer eliminated categories of information it disclosed or categories of third parties to whom it disclosed information. Any other substantive change to its information sharing practices would preclude use of the alternative delivery method; however, the motor vehicle dealer could use the alternative delivery method to meet its next annual privacy notice requirement if it first sent a revised privacy notice pursuant to the standard delivery requirements.

The Commission invites comment about the effect on customers of conditioning availability of the alternative delivery method on there being no change from the previous year’s notice. The Commission further invites comment on how often motor vehicle dealers change their privacy notice such that they would be precluded from using the proposed alternative delivery method. Lastly, the Commission invites comment on the extent to which a motor vehicle dealer’s changing its data security policy should preclude it, like financial institutions covered by Regulation P, from using the proposed alternative delivery method.

58 Note that information disclosed pursuant to § 313.6(a)(6) and (a)(7) is not included in proposed § 313.9(c)(2)(i)(D) because if those situations apply, a motor vehicle dealer could not use the alternative delivery method under proposed § 313.9(c)(2)(i)(A) and (B), as discussed above.

9(c)(2)(i)(E)

The last condition for use of the alternative delivery method, which would be set forth in proposed § 313.9(c)(2)(i)(E), requires that the motor vehicle dealer use the model privacy form for its annual privacy notice.
Currently, the Privacy Rule does not require use of the model notice because the statute under which it was promulgated only required that regulators give financial institutions the option to use such a model notice.59 However, the Commission proposes to permit use of the alternative delivery method only if a motor vehicle dealer uses the model privacy form for its annual privacy notice. This approach would likely incentivize use of the model notice, which consumer research has shown to be effective in communicating information.60 The Commission does not believe that the one-time burden of creating a model notice will place an undue burden on motor vehicle dealers, who will likely be able to save costs by not sending annual privacy notices.

The Commission notes that the model form accommodates information that may be required by state or international law, as applicable, in a box called “Other important information.” 61 Accordingly, the Commission expects that a motor vehicle dealer that has additional privacy disclosure obligations pursuant to state or international law would still be able to use the model form in order to take advantage of the proposed alternative delivery method. The Commission invites comment on related state or international law requirements and their interaction with the model privacy notice, as well as the proposed condition on the alternative delivery method in general.

59 15 U.S.C. 6803.
60 74 FR 62890, 62891 (Dec. 1, 2009).
61 Appendix A to Part 313 at C(3)(c).

The Commission contemplates that adoption of the model privacy form may require changes to the wording and layout of the privacy notice, but not to the information conveyed. Thus, adoption of the model notice would not constitute a change to the prior year’s notice that would preclude use of the alternative delivery method under proposed § 313.9(c)(2)(i)(D).62 The Commission solicits comment on this issue.
The Commission further invites comment on the extent to which motor vehicle dealers currently use the model privacy notice, and if they do not, whether they would choose to adopt it in order to take advantage of the proposed alternative delivery method. Lastly, the Commission invites comment on the benefit to customers of receiving the model privacy notice rather than a privacy notice in a nonstandard format. Finally, the Commission generally invites comment on the conditions in proposed § 313.9(c)(2)(i)(A) through (E) and whether any of those conditions should not be required or whether other conditions should be added.

62 In a somewhat analogous situation, the agencies that promulgated the model privacy notice explained: “Adoption of the model form, with no change in policies or practices, would not constitute a revised notice [for purposes of the rule section on revised privacy notices], although institutions may elect to consider the format change as revision, at their option.” 74 FR 62890, 62907 n. 196.

9(c)(2)(ii)

Proposed § 313.9(c)(2)(ii) sets forth the mechanics of the alternative delivery method for annual notices.

9(c)(2)(ii)(A)

Proposed § 313.9(c)(2)(ii)(A) would set forth the first component of the alternative delivery method: that a motor vehicle dealer inform the customer of the availability of the annual privacy notice on its Web site. Under this proposed subsection, a motor vehicle dealer must clearly and conspicuously convey, not less than annually—on an account statement, coupon book, or notice or disclosure the institution is required or expressly permitted to use under any other provision of law—three pieces of information: (1) That its privacy notice has not changed, (2) that the notice is available on its Web site, and (3) that a hard copy of the notice will be mailed to customers if they call to request one.
Proposed § 313.9(c)(2)(ii)(A) states that this notice must be “clear and conspicuous,” which is defined as meaning “reasonably understandable” and “designed to call attention to the nature and significance of the information.” 63 The Commission believes that the existing examples in § 313.3(b)(2)(i) and (ii) for the “reasonably understandable” and “designed to call attention” requirements likely would provide sufficient guidance on ways to make the notice clear and conspicuous. For example, the Rule states that, if the notice is combined with other information, it must contain “distinctive type size, style, and graphic devices, such as shading or sidebars.” 64

Although the Commission proposes to require that motor vehicle dealers convey this “notice of availability” not less than annually, they may elect to convey it more often (e.g., quarterly or monthly). The Commission invites comment on whether the approach used for notice of availability for motor vehicle dealers should differ from that for the financial institutions covered by Regulation P. In particular, the Commission is interested in comment on: (1) Whether the proposed example notice of availability would make the alternative delivery method more feasible for motor vehicle dealers to implement, (2) whether the illustrative elements not specifically required by the Rule should be so required, and (3) whether the proposed language would be effective in informing customers of the availability of the privacy notice.

As noted, proposed § 313.9(c)(2)(ii)(A) would require the notice of availability to be conveyed on an account statement, coupon book, or notice or disclosure the motor vehicle dealer is required or expressly and specifically permitted to issue under any other provision of law. An account statement would include periodic statements or billing statements. A coupon book refers to a book of payment coupons typically included with an installment loan.
The Commission believes customers are likely to read account statements or coupon books that directly concern the status of their account. A “notice or disclosure the institution is required or expressly and specifically permitted to issue under any other provision of law” would include disclosures that are expressly and specifically permitted by law, even if not required. This language builds on the language used in the Affiliate Marketing Rule, which provides that “a notice required by this subpart may be coordinated and consolidated with any other notice or disclosure required to be issued under any other provision of law. . . .” 65 The Commission notes that a notice of availability would not satisfy the proposed rule requirement if included on advertising materials that were neither required nor specifically permitted by law.

63 16 CFR 313.3(b)(1).
64 16 CFR 313.3(b)(2)(ii)(E).

The Commission invites comment on the benefits and costs of requiring the notice of availability to be included on an account statement, coupon book, or document required or expressly and specifically permitted under any other provision of law. The Commission further requests comment as to the best documents on which to place the notice of availability, particularly in light of what consumers are likely to read.

The Commission further notes that where two or more motor vehicle dealers provide a joint privacy notice pursuant to § 313.9(f), the proposal would require each motor vehicle dealer to separately provide the notice of availability. The Commission invites comment on how often motor vehicle dealers jointly provide privacy notices and whether the proposed alternative delivery method would be feasible for such jointly issued notices.
Proposed § 313.9(c)(2)(ii)(A) also would require the institution to state on the notice of availability that its privacy policy has not changed, which, as discussed in detail below, is a condition that a dealer must satisfy in order to be able to use the alternative delivery method. This proposed requirement can help customers assess whether they are interested in reading the policy. This statement would always be accurate if the alternative delivery method is used correctly, since a motor vehicle dealer could not use the alternative delivery method if its annual privacy notice had changed. The proposal would further require that the statement include a specific web address that takes customers directly to the page where the privacy notice is available. The section also would require that the web address conveyed on the notice of availability provide the customer with direct access to the page that contains the privacy notice, so that the customer need not click on any additional links.

65 16 CFR 680.23(b).

Next, proposed § 313.9(c)(2)(ii)(A) would require that the notice of availability include a telephone number that a customer can call to request a hard copy of the annual privacy notice. This number need not be a dedicated number established for this purpose alone. This requirement is intended to assist customers who do not have internet access or would prefer to receive a hard copy of the privacy notice. The Commission encourages motor vehicle dealers that already maintain a toll-free number to use that number in the statement required by § 313.9(c)(2)(ii)(A), to simplify the process for a customer to call and request a mailed copy of the privacy notice. As an alternative, the Commission invites comment on whether the approach used for notice of availability for motor vehicle dealers should differ from that for the financial institutions covered by Regulation P.
Specifically, the Commission seeks comment on the advantages and disadvantages of requiring motor vehicle dealers to provide a dedicated telephone number for privacy notice requests so that customers can easily request a hard copy of the notice without navigating a complicated automated telephone menu. The Commission also invites comment on whether it should require a dedicated toll-free number for this purpose.

9(c)(2)(ii)(B)

Proposed § 313.9(c)(2)(ii)(B) would set forth the second component of the alternative delivery method: that the motor vehicle dealer post its current privacy notice continuously and in a clear and conspicuous manner on a page of the institution’s Web site on which the only content is the privacy notice. The Commission believes that, were the notice included on a page with other content, such as other disclosures or promotions for products, that content could detract from the prominence of the notice and make it less likely that a customer would actually read it.66 The Commission believes that this requirement is feasible for most motor vehicle dealers, and for a motor vehicle dealer that does not currently post its annual notice on its Web site, creating a specific page for this purpose is a one-time process that could be implemented without significant cost.

This section would further require that the Web page that contains the privacy notice be accessible to the customer without requiring the customer to provide any information such as a login name or password or agree to any conditions to access the page. This provision is intended to make accessing the privacy notice on an institution’s Web site as simple and straightforward as possible.

The Commission invites comment regarding the prevalence of motor vehicle dealers that currently maintain Web sites, whether they currently post the Privacy Rule notice on those Web sites, and if they do not, how costly it would be to do so. The Commission additionally seeks comment on whether motor vehicle dealers provide different privacy notices for different groups of customers, such that posting multiple privacy notices on the dealer’s Web site may create confusion as to which is the relevant privacy notice that is applicable to a particular customer. The Commission seeks comment on the relative benefit or harm to customers of accessing the privacy notice on a motor vehicle dealer’s Web site as proposed. Lastly, the Commission invites comment as to whether motor vehicle dealers should be required to provide specific reminder information to a consumer about that consumer’s previously established preferences—for example, whether the consumer has already opted out—via a login and password-protected section of the Web site.

66 Information that is not content, such as navigational menus to other pages on the Web site, could appear on the same page as the privacy notice. Moreover, other pages on the dealer’s Web site could link to the page containing the privacy notice, but the customer would still have to be provided a specific web address that takes the customer directly to the page where the privacy notice is available to satisfy the requirement to post the notice on the motor vehicle dealer’s Web site in proposed § 313.9(c)(2)(ii)(B). Finally, with regard to the proposed requirement that the notice be posted in a “clear and conspicuous” manner, the Commission notes that existing § 313.3(b)(2)(iii) gives examples of what clear and conspicuous means for a privacy notice posted on a Web site. One example is a Web page that uses text or visual cues to encourage scrolling down the page if necessary to view the entire notice, and as long as the page does not include text, graphics, hyperlinks, or sound that may distract from the notice.

9(c)(2)(ii)(C)

Proposed § 313.9(c)(2)(ii)(C) would set forth the third component of the alternative delivery method: That the motor vehicle dealer mail its current privacy notice to those customers who request it by telephone within ten calendar days of such request. The Commission proposes this requirement to assist customers without internet access and customers with internet access who would prefer to receive a hard copy of the notice. This requirement makes clear that a motor vehicle dealer may not, for example, wait to mail the privacy notice with another document, such as a quarterly statement. Motor vehicle dealers may not charge the customer for delivering the annual notice, given that delivery of the annual notice is required by statute and regulation. The Commission invites comment on the cost associated with mailing privacy notices on request, and whether mailing of the privacy notice within ten calendar days of a request is feasible for motor vehicle dealers. The Commission further requests comment on whether requiring mailing within ten calendar days is sufficient to ensure that customers receive privacy notices in a timely manner.

9(c)(2)(iii)

Proposed § 313.9(c)(2)(iii) would provide an example of a notice of availability that satisfies § 313.9(c)(2)(ii)(A). The Commission intends this example to provide clear guidance on permissible content for the notice of availability to facilitate compliance. The content of the example notice of availability in proposed § 313.9(c)(2)(iii) draws from language in the existing model privacy notice in Part 313, App.
A, which was previously subject to consumer testing.67 The proposed example would include the heading “Privacy Notice” in boldface (or otherwise emphasized) on the notice of availability. The proposed example further would state that Federal law requires the motor vehicle dealer to tell customers how it collects, shares, and protects their personal information; this language mirrors the “Why” box on the model privacy notices.68 The remaining portion of the proposed example would inform customers that the motor vehicle dealer’s privacy notice has not changed, the address of the Web site at which customers can access the privacy notice, and the telephone number to call to request a free copy of the notice.

The Commission notes that the proposed example contains certain elements that would satisfy proposed § 313.9(c)(2), but other language and formatting techniques could also satisfy that section. These elements include titling the notice of availability “Privacy Notice,” including a statement that “Federal law requires the motor vehicle dealer to tell customers how it collects, shares, and protects their personal information,” and stating that getting a copy of the notice is “free” to the consumer.

The Commission invites comment on whether the proposed example notice of availability for motor vehicle dealers should differ from that for financial institutions covered by Regulation P. In particular, the Commission is interested in comment on: (1) Whether the proposed example notice of availability would make the alternative delivery method more feasible for motor vehicle dealers to implement, (2) whether the elements not specifically required by the rule should be so required, and (3) whether the proposed language would be effective in informing customers of the availability of the privacy notice.

67 See Appendix A to 16 CFR part 313, at A.
68 Id.

V.
Regulatory Flexibility Act

The Regulatory Flexibility Act (RFA), as amended by the Small Business Regulatory Enforcement Fairness Act of 1996, requires each agency to consider the potential impact of its regulations on small entities, including small businesses, small governmental units, and small not-for-profit organizations. The RFA generally requires an agency to conduct an initial regulatory flexibility analysis (IRFA) and a final regulatory flexibility analysis (FRFA) of any rule subject to notice-and-comment rulemaking requirements, unless the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities.69

An IRFA is not required here because the proposal, if adopted, would not have a significant economic impact on a substantial number of small entities. The Commission does not expect the proposal to impose costs on small entities. All methods of compliance under current law will remain available to small entities if the proposal is adopted. Thus, a small entity that is in compliance with current law need not take any different or additional action if the proposal is adopted. In addition, as discussed above, the Commission believes that the proposed alternative method would allow many motor vehicle dealers to reduce their costs. Accordingly, the Commission certifies that this proposal, if adopted, would not have a significant economic impact on a substantial number of small entities.

VI. Paperwork Reduction Act

Under the Paperwork Reduction Act of 1995 (PRA),70 Federal agencies are generally required to seek Office of Management and Budget (OMB) approval for information collection requirements prior to implementation. Under the PRA, the Commission may not conduct or sponsor, and, notwithstanding any other provision of law, a person is not required to respond to an information collection, unless the information collection displays a valid control number assigned by OMB.

69 5 U.S.C. 603–605.
70 44 U.S.C. 3501 et seq.

This proposal would amend 16 CFR part 313. The collections of information related to the Privacy Rule have been previously reviewed and approved by OMB in accordance with the PRA and assigned OMB Control Number 3084–0121.71 As explained below, the proposed amendments do not modify or add to information collection requirements that were previously approved by OMB.

Under this proposal, a motor vehicle dealer will be permitted, but not required, to use an alternative delivery method for the annual privacy notice if:

• It does not share information with nonaffiliated third parties other than for purposes covered by the exclusions allowed under the Privacy Rule;
• It does not include on its annual privacy notice an opt-out under section 603(d)(2)(A)(iii) of the FCRA;
• The annual privacy notice is not the only method used to satisfy the requirements of section 624 of the FCRA and 16 CFR part 680, if applicable;
• Certain information it is required to convey on its annual privacy notice has not changed since it provided the immediately prior privacy notice; and
• It uses the Privacy Rule model privacy form for its annual privacy notice.

Under the proposed alternative delivery method, the motor vehicle dealer would have to:

• Convey at least annually on another notice or disclosure that its privacy notice is available on its Web site and will be mailed upon request to a specified telephone number. Among other things, the dealer would have to include a specific web address that takes the customer directly to the privacy notice;
• Post its current privacy notice continuously on a page of its Web site that contains only the privacy notice, without requiring a login or any conditions to access the page; and
• Mail its current privacy notice to customers who request it by telephone within ten calendar days of such request.

Under the existing clearance, the FTC has attributed to itself the estimated burden regarding all motor vehicle dealers and then shares equally the remaining estimated PRA burden with the Bureau for other types of financial institutions for which both agencies have enforcement authority regarding the GLBA Privacy Rule.72

71 The FTC has current clearance through October 31, 2017. See 79 FR 55489 (Sept. 16, 2014).
72 79 FR 55489.

The Commission does not believe that this proposed rule would impose any new or substantively revised collections of information as defined by the PRA. Rather, the Commission believes that the proposed amendment would have the overall effect of reducing the currently cleared estimated burden for the information collections associated with the Privacy Rule annual privacy notice.

By definition, the expected cost savings to motor vehicle dealers from the proposed revisions to § 313.9(c) is the expected number of annual privacy notices that would be provided through the proposed alternative delivery method multiplied by the expected reduction in the cost per-notice from using the alternative delivery method. The first step in estimating the expected cost savings to motor vehicle dealers from proposed § 313.9(c)(2) would be to identify the motor vehicle dealers whose current information sharing practices would allow them to use the proposed alternative method. The Commission would then need to determine their current costs for providing the annual privacy notices and the expected costs of providing these notices under proposed § 313.9(c)(2). In order to reach such an estimate for financial institutions, the Commission looked to the Bureau’s rulemaking. The Bureau performed a number of analyses and outreach activities to approximate the expected cost savings for financial institutions.
After examining 125 banks selected through random sampling, the Bureau found that the overall average rate at which banks’ information sharing practices would make them eligible for using the alternative delivery method if other conditions were met is 80%.73 The Bureau’s results indicated that a large majority of smaller banks would likely be able to use the proposed alternative delivery method but most of the largest banks would not.74 For non-depository institutions subject to the Commission’s enforcement, the Bureau similarly estimated that 80% would be able to use the alternate delivery method.75 Subject to further information through public comment, the Commission preliminarily assumes that this 80% is characteristic as well for motor vehicle dealers. The Commission requests comment and the submission of information relevant to the information sharing practices of motor vehicle dealers and the extent to which they may be able to use the proposed alternative delivery method.

73 79 FR at 27226.
74 Id. Only 18% of sampled banks with assets over $10 billion could clearly use the proposed alternative delivery method, while 81% of sampled banks with assets of $10 billion or less and 88% of sampled banks with assets of $500 million or less could clearly use the proposed alternative delivery method. The Bureau also examined the privacy policies of 54 credit unions and found 62% of those with assets over $500 million could use the alternative delivery method and 44% of those with $500 million or less in assets could (though, due to inadequate information, the Bureau could not make the assessment for 48% of those credit unions with $500 million or less in assets). Id.
75 79 FR at 27229.
The Commission does not have precise data on the number of annual privacy notices motor vehicle dealers currently provide to directly compute the total number of annual privacy notices that would no longer be sent; however, in the Commission’s proposal to extend the current PRA clearance for the Privacy Rule,76 the Commission estimated the total costs to motor vehicle dealers to disseminate annual disclosures to be about $18.4 million.77 Applying the Commission’s estimate that 80% of motor vehicle dealers would be able to utilize the alternative delivery method, the estimated reduction in ongoing burden would be approximately 638,400 hours annually for roughly 48,000 motor vehicle dealers.78 The reduction in estimated ongoing costs from the reduction in ongoing burden would be approximately $14.7 million annually.79 The Commission requests comment on this preliminary analysis as well as the submission of additional data that could inform the Commission’s consideration of the cost savings to motor vehicle dealers.

76 79 FR 55489 (Sept. 14, 2014).
77 Id. at 55490–91 Table IIB.
78 The 638,400 hours estimate is 80% of the previously published estimate of 798,000 hours, cumulatively, for established motor vehicle dealers to disseminate annual notices. See id. at 55490 (Table IIB). The estimated number of motor vehicle dealers that would use the alternative delivery method is 80% of the previously published estimate of the number of motor vehicle dealers, 60,000. See id. at Table IIA notes.
79 This is the product of the above-noted costs to motor vehicle dealers to disseminate annual disclosures, $18.4 million, multiplied by the assumed 80% reduction for the alternative delivery method. Estimates of ongoing savings are gross figures and do not take into account any ongoing costs associated with the alternative delivery method, which the Commission believes would be minimal. They would consist of additional text on a notice or disclosure the institution already provides, additional phone calls from consumers requesting that the model form be mailed, and the costs of mailing the forms prompted by these calls. The Commission currently believes that few consumers will request that the form be mailed in order to read it or to exercise any voluntary opt-out right, given the availability of the notices online. There would be minimal ongoing costs associated with the alternative delivery method from maintaining a Web page if a motor vehicle dealer already has a Web page dedicated to the annual privacy policy.

The Commission believes that the one-time cost for some motor vehicle dealers to adopt the alternative delivery method is minimal. Motor vehicle dealers that already use the model form and would adopt the alternative delivery method would incur minor one-time legal, programming and training costs. These dealers would have to communicate on a notice or disclosure they already issue under any other provision of law that the privacy notice is available. The expense of adding this notification would be minor. Staff may need some additional training in storing copies of the model form and sending it to customers on request. Motor vehicle dealers that do not use the model form would incur a one-time cost to create one. However, since the promulgation of the model privacy form in 2009, an Online Form Builder has existed that any institution can use to readily create a unique, customized privacy notice using the model form template.80 The Commission assumes that motor vehicle dealers that do not currently have Web sites would not choose to comply with these requirements in order to use the alternative delivery method.
80 This Online Form Builder is available at https://www.federalreserve.gov/newsevents/press/bcreg/20100415a.htm.

The Commission has determined that the proposed rule does not contain any new or substantively revised information collection requirements as defined by the PRA and that the burden estimate for the previously-approved information collections should be reduced as explained above. The Commission welcomes comments on these determinations or any other aspect of the proposal for purposes of the PRA. Comments should be submitted as outlined in the ADDRESSES section above. All comments will become a matter of public record.

Invitation To Comment

You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before August 31, 2015. Write ‘‘Amendment to the Privacy of Consumer Financial Information Rule, 16 CFR part 313, Project No. R411016’’ on your comment. Your comment—including your name and your state—will be placed on the public record of this proceeding, including, to the extent practicable, on the Commission Web site, at https://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the Commission tries to remove individuals’ home contact information from comments before placing them on the Commission Web site.

Because your comment will be made public, you are solely responsible for making sure that your comment doesn’t include any sensitive personal information, such as Social Security number, date of birth, driver’s license number or other state identification number or foreign country equivalent, passport number, financial account number, or credit or debit card number. You are also solely responsible for making sure that your comment doesn’t include any sensitive health information, including medical records or other individually identifiable health information. In addition, do not include any ‘‘[t]rade secret or any commercial or financial information which . . . is privileged or confidential,’’ as discussed in section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). In particular, do not include competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.

If you want the Commission to give your comment confidential treatment, you must file it in paper form, with a request for confidential treatment, and you have to follow the procedure explained in FTC Rule 4.9(c), 16 CFR 4.9(c).81 Your comment will be kept confidential only if the FTC General Counsel, in his or her sole discretion, grants your request in accordance with the law and the public interest.

81 In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule 4.9(c), 16 CFR 4.9(c).

Postal mail addressed to the Commission is subject to delay due to heightened security screening. As a result, we encourage you to submit your comments online. To make sure that the Commission considers your online comment, you must file it at https://ftcpublic.commentworks.com/ftc/GLBPrivacyamendment, by following the instructions on the web-based form. If this Notice appears at https://www.regulations.gov/#!home, you also may file a comment through that Web site.

If you file your comment on paper, write ‘‘Amendment to the Privacy of Consumer Financial Information Rule, 16 CFR part 313, Project No. R411016’’ on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC–5610 (Annex E), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex E), Washington, DC 20024. If possible, submit your paper comment to the Commission by courier or overnight service.

Visit the Commission Web site at https://www.ftc.gov to read this Notice and the news release describing it. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before August 31, 2015. For information on the Commission’s privacy policy, including routine uses permitted by the Privacy Act, see https://www.ftc.gov/ftc/privacy.htm.

List of Subjects in 16 CFR Part 313

Consumer protection, Motor vehicle dealers, Privacy, Reporting and recordkeeping requirements, Trade practices.

Authority and Issuance

For the reasons set forth in the preamble, the Commission proposes to amend 16 CFR part 313, as set forth below:

PART 313—PRIVACY OF CONSUMER FINANCIAL INFORMATION

■ 1. The authority citation for Part 313 is revised to read as follows:

Authority: 15 U.S.C. 6801 et seq., 12 U.S.C. 5519.

■ 2. In § 313.1, revise paragraph (b) to read as follows:

§ 313.1 Purpose and scope.

* * * * *

(b) Scope.
This part applies only to nonpublic personal information about individuals who obtain financial products or services primarily for personal, family or household purposes from the institutions listed below. This part does not apply to information about companies or about individuals who obtain financial products or services for business, commercial, or agricultural purposes. This part applies to those ‘‘financial institutions’’ over which the Federal Trade Commission (‘‘Commission’’) has rulemaking authority pursuant to section 504(a)(1)(C) of the Gramm-Leach-Bliley Act. An entity is a ‘‘financial institution’’ if its business is engaging in a financial activity as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k), which incorporates by reference activities enumerated by the Federal Reserve Board in 12 CFR 211.5(d) and 12 CFR 225.28. The ‘‘financial institutions’’ subject to the Commission’s rulemaking authority are any persons described in 12 U.S.C. 5519 that are predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both. They are referred to in this part as ‘‘You.’’

■ 3. In § 313.3, revise paragraphs (e), (i), (k), and (q) to read as follows:

§ 313.3 Definitions.

* * * * *

(e)(1) Consumer means an individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative.

(2) Examples for purposes of 16 CFR part 313 and 314—(i) An individual who applies to you for credit for personal, family, or household purposes is a consumer of a financial service, regardless of whether the credit is extended.
(ii) An individual who provides nonpublic personal information to you in order to obtain a determination about whether he or she may qualify for a loan to be used primarily for personal, family, or household purposes is a consumer of a financial service, regardless of whether the loan is extended.

(iii) If you hold ownership or servicing rights to an individual’s loan that is used primarily for personal, family, or household purposes, the individual is your consumer, even if you hold those rights in conjunction with one or more other institutions. (The individual is also a consumer with respect to the other financial institutions involved.) An individual who has a loan in which you have ownership or servicing rights is your consumer, even if you, or another institution with those rights, hire an agent to collect on the loan.

(iv) An individual who is a consumer of another financial institution is not your consumer solely because you act as agent for, or provide processing or other services to, that financial institution.

(v) An individual is not your consumer solely because he or she is a participant or a beneficiary of an employee benefit plan that you sponsor or for which you act as a trustee or fiduciary.

(3) Examples for purposes of 16 CFR part 314—(i) An individual who provides nonpublic personal information to you in connection with obtaining or seeking to obtain financial, investment, or economic advisory services is a consumer, regardless of whether you establish a continuing advisory relationship.

(ii) An individual is not your consumer solely because he or she has designated you as trustee for a trust.

(iii) An individual is not your consumer solely because he or she is a beneficiary of a trust for which you are a trustee.
* * * * *

(i)(1) Customer relationship means a continuing relationship between a consumer and you under which you provide one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.

(2) Examples—(i) Continuing relationship. (A) A consumer has a continuing relationship with you, for purposes of 16 CFR part 313 and part 314, if the consumer:

(1) Has a credit or investment account with you;

(2) Obtains a loan from you;

(3) Purchases an insurance product from you;

(4) Enters into an agreement or understanding with you whereby you undertake to arrange credit to purchase a vehicle, for the consumer;

(5) Enters into a lease of personal property on a non-operating basis with you; or

(6) Has a loan for which you own the servicing rights.

(B) A consumer also has a continuing relationship with you, for purposes of 16 CFR part 314, if the consumer:

(1) Holds an investment product through you, such as when you act as a custodian for securities or for assets in an Individual Retirement Arrangement;

(2) Enters into an agreement or understanding with you whereby you undertake to arrange or broker a home mortgage loan, for the consumer;

(3) Obtains financial, investment, or economic advisory services from you for a fee;

(4) Becomes your client for the purpose of obtaining tax preparation or credit counseling services from you;

(5) Obtains career counseling while seeking employment with a financial institution or the finance, accounting, or audit department of any company (or while employed by such a financial institution or department of any company);

(6) Is obligated on an account that you purchase from another financial institution, regardless of whether the account is in default when purchased, unless you do not locate the consumer or attempt to collect any amount from the consumer on the account; or

(7) Obtains real estate settlement services from you.
(ii) No continuing relationship. (A) For purposes of 16 CFR parts 313 and 314, a consumer does not, however, have a continuing relationship with you if:

(1) The consumer obtains a financial product or service from you only in isolated transactions, such as cashing a check with you or making a wire transfer through you;

(2) You sell the consumer’s loan and do not retain the rights to service that loan; or

(3) The consumer obtains one-time personal or real property appraisal services from you.

(B) For purposes of 16 CFR part 314, a consumer also does not have a continuing relationship with you if:

(1) The consumer obtains a financial product or service from you only in isolated transactions, such as using your ATM to withdraw cash from an account at another financial institution or purchasing a money order from you;

(2) You sell the consumer airline tickets, travel insurance, or traveler’s checks in isolated transactions; or

(3) The consumer purchases checks for a personal checking account from you.

* * * * *

(k)(1) Financial institution means any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). An institution that is significantly engaged in financial activities is a financial institution.

(2) Example of financial institution for purposes of 16 CFR part 313 and 314. An automobile dealership that, as a usual part of its business, leases automobiles on a nonoperating basis for longer than 90 days is a financial institution with respect to its leasing business because leasing personal property on a nonoperating basis where the initial term of the lease is at least 90 days is a financial activity listed in 12 CFR 225.28(b)(3) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act.

(3) Examples of financial institution for purposes of 16 CFR part 314.
(i) A retailer that extends credit by issuing its own credit card directly to consumers is a financial institution because extending credit is a financial activity listed in 12 CFR 225.28(b)(1) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act and issuing that extension of credit through a proprietary credit card demonstrates that a retailer is significantly engaged in extending credit.

(ii) A personal property or real estate appraiser is a financial institution because real and personal property appraisal is a financial activity listed in 12 CFR 225.28(b)(2)(i) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act.

(iii) A career counselor that specializes in providing career counseling services to individuals currently employed by or recently displaced from a financial organization, individuals who are seeking employment with a financial organization, or individuals who are currently employed by or seeking placement with the finance, accounting or audit departments of any company is a financial institution because such career counseling activities are financial activities listed in 12 CFR 225.28(b)(9)(iii) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act.

(iv) A business that prints and sells checks for consumers, either as its sole business or as one of its product lines, is a financial institution because printing and selling checks is a financial activity that is listed in 12 CFR 225.28(b)(10)(ii) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act.

(v) A business that regularly wires money to and from consumers is a financial institution because transferring money is a financial activity referenced in section 4(k)(4)(A) of the Bank Holding Company Act and regularly providing that service demonstrates that the business is significantly engaged in that activity.
(vi) A check cashing business is a financial institution because cashing a check is exchanging money, which is a financial activity listed in section 4(k)(4)(A) of the Bank Holding Company Act.

(vii) An accountant or other tax preparation service that is in the business of completing income tax returns is a financial institution because tax preparation services is a financial activity listed in 12 CFR 225.28(b)(6)(vi) and referenced in section 4(k)(4)(G) of the Bank Holding Company Act.

(viii) A business that operates a travel agency in connection with financial services is a financial institution because operating a travel agency in connection with financial services is a financial activity listed in 12 CFR 211.5(d)(15) and referenced in section 4(k)(4)(G) of the Bank Holding Company Act.

(ix) An entity that provides real estate settlement services is a financial institution because providing real estate settlement services is a financial activity listed in 12 CFR 225.28(b)(2)(viii) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act.

(x) A mortgage broker is a financial institution because brokering loans is a financial activity listed in 12 CFR 225.28(b)(1) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act.

(xi) An investment advisory company and a credit counseling service are each financial institutions because providing financial and investment advisory services are financial activities referenced in section 4(k)(4)(C) of the Bank Holding Company Act.

(4) Financial institution does not include:

(i) Any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act (7 U.S.C. 1 et seq.);

(ii) The Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.); or

(iii) Institutions chartered by Congress specifically to engage in securitizations, secondary market sales (including sales of servicing rights) or similar transactions related to a transaction of a consumer, as long as such institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party other than as permitted by §§ 313.14 and 313.15 of this Part.

(iv) Entities that engage in financial activities but that are not significantly engaged in those financial activities.

(5) Example of entities that are not significantly engaged in financial activities for purposes of 16 CFR part 313 and 314. A motor vehicle dealer is not a financial institution merely because it accepts payment in the form of cash, checks, or credit cards that it did not issue.

(6) Examples of entities that are not significantly engaged in financial activities for purposes of 16 CFR part 314.

(i) A retailer is not a financial institution if its only means of extending credit are occasional ‘‘lay away’’ and deferred payment plans or accepting payment by means of credit cards issued by others.

(ii) A retailer is not a financial institution merely because it accepts payment in the form of cash, checks, or credit cards that it did not issue.

(iii) A merchant is not a financial institution merely because it allows an individual to ‘‘run a tab.’’

(iv) A grocery store is not a financial institution merely because it allows individuals to whom it sells groceries to cash a check, or write a check for a higher amount than the grocery purchase and obtain cash in return.
* * * * *

(q) For purposes of 16 CFR part 313, You includes each ‘‘financial institution’’ over which the Commission has rulemaking authority pursuant to section 504(a)(1)(C) of the Gramm-Leach-Bliley Act. For purposes of 16 CFR part 314, You includes each ‘‘financial institution’’ (but excludes any ‘‘other person’’) over which the Commission has enforcement jurisdiction pursuant to section 505(a)(7) of the Gramm-Leach-Bliley Act.

■ 4. In § 313.9, revise paragraph (c) to read as follows:

§ 313.9 Delivering privacy and opt out notices.

* * * * *

(c) Annual notices only. (1) Reasonable expectation. You may reasonably expect that a customer will receive actual notice of your annual privacy notice if:

(i) The customer uses your Web site to access financial products and services electronically and agrees to receive notices at the Web site, and you post your current privacy notice continuously in a clear and conspicuous manner on the Web site; or

(ii) The customer has requested that you refrain from sending any information regarding the customer relationship, and your current privacy notice remains available to the customer upon request.

(2) Alternative method for providing certain annual notices. (i) Notwithstanding paragraph (a) of this section, you may use the alternative method described in paragraph (c)(2)(ii) of this section to satisfy the requirement in § 313.5(a)(1) to provide a notice if:

(A) You do not disclose the customer’s nonpublic personal information with nonaffiliated third parties other than for purposes under §§ 313.13, 313.14, and 313.15;

(B) You do not include on your annual privacy notice pursuant to § 313.6(a)(7) an opt out under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii));

(C) The requirements of section 624 of the Fair Credit Reporting Act (15 U.S.C. 1681s–3) and Part 680 of this chapter, if applicable, have been satisfied previously or the annual privacy notice is not the only notice provided to satisfy such requirements;

(D) The information you are required to convey on your annual privacy notice pursuant to § 313.6(a)(1) through (5), (8), and (9) has not changed since you provided the immediately previous privacy notice (whether initial, annual or revised) to the customer, other than to eliminate categories of information you disclose or categories of third parties to whom you disclose information; and

(E) You use the model privacy form in the appendix to this part for your annual privacy notice.

(ii) For an annual privacy notice that meets the requirements in paragraph (c)(2)(i) of this section, you satisfy the requirement in § 313.5(a)(1) to provide a notice if you:

(A) Convey in a clear and conspicuous manner not less than annually on an account statement, coupon book, or a notice or disclosure you are required or expressly and specifically permitted to issue under any other provision of law that your privacy notice is available on your Web site and will be mailed to the customer upon request by telephone. The statement must state that your privacy notice has not changed and must include a specific Web address that takes the customer directly to the page where the privacy notice is posted and a designated telephone number for the customer to request that it be mailed;

(B) Post your current privacy notice continuously in a clear and conspicuous manner on a page of your Web site that contains only the privacy notice, without requiring the customer to provide any information such as a login name or password or agree to any conditions to access the page; and

(C) Mail your current privacy notice to those customers who request it by telephone within ten days of the request.
(iii) An example of a statement that satisfies paragraph (c)(2)(ii)(A) of this section is: ‘‘Privacy Notice’’ in boldface or otherwise emphasized: Privacy Notice—Federal law requires us to tell you how we collect, share, and protect your personal information. Our privacy policy has not changed and you may review our policy and practices with respect to your personal information at [Web address] or we will mail you a free copy upon request if you call us at [telephone number].

* * * * *

By direction of the Commission.

Donald S. Clark,
Secretary.

[FR Doc. 2015–14328 Filed 6–23–15; 8:45 am]

BILLING CODE 6750–01–P


[Federal Register Volume 80, Number 121 (Wednesday, June 24, 2015)]
[Proposed Rules]
[Pages 36267-36279]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-14328]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 313

RIN 3084-AB42


Amendment to the Privacy of Consumer Financial Information Rule 
Under the Gramm-Leach-Bliley Act

AGENCY: Federal Trade Commission (FTC or Commission).

ACTION: Notice of proposed rulemaking; Request for public comment.

-----------------------------------------------------------------------

SUMMARY: The FTC proposes to amend the Privacy of Consumer Financial 
Information Rule (Privacy Rule or Rule), which among other things 
requires that certain motor vehicle dealers provide an annual 
disclosure of their privacy policies to their customers by hand 
delivery, mail, electronic delivery, or, alternatively through a Web 
site, but only with the consent of the consumer. The amendment would 
allow motor vehicle dealers instead to notify their customers that a 
privacy policy is available on their Web site, under certain 
circumstances. The amendment would also revise the scope and 
definitions in this rule in light of the transfer of part of the 
Commission's rulemaking authority to the Consumer Financial Protection 
Bureau (CFPB or the Bureau) in the Dodd-Frank Wall Street Reform and 
Consumer Protection Act, but retains certain examples for purposes of 
the FTC's Safeguards Rule.

DATES: Comments must be received on or before August 31, 2015.

ADDRESSES: Interested parties may file a comment online or on paper, by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Write ``Amendment to the 
Privacy of Consumer Financial Information Rule, 16 CFR part 313, 
Project No. R411016'' on your comment, and file your comment online at 
https://ftcpublic.commentworks.com/ftc/GLBPrivacyamendment, by 
following the instructions on the web-based form. If you prefer to file 
your comment on paper, write ``Amendment to the Privacy of Consumer 
Financial Information Rule, 16 CFR part 313, Project No. R411016'' on 
your comment and on the envelope, and mail your comment to the 
following address: Federal Trade Commission, Office of the Secretary, 
600 Pennsylvania Avenue NW., Suite CC-5610 (Annex E), Washington, DC 
20580, or deliver your comment to the following address: Federal Trade 
Commission, Office of the Secretary, Constitution Center, 400 7th 
Street SW., 5th Floor, Suite 5610 (Annex E), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: Steven Toporoff, (202) 326-3135, 
Attorney, Division of Privacy and Identity Protection, Federal Trade 
Commission, 600 Pennsylvania Avenue NW., Washington, DC 20580.

SUPPLEMENTARY INFORMATION: 

I. Summary of the Proposed Rule

    The Gramm-Leach-Bliley Act (GLBA) \1\ mandates that financial 
institutions provide their customers with initial and annual notices 
regarding their privacy policies. If financial institutions share 
certain customer information with particular types of third parties, 
the institutions are also required to provide an opportunity to opt out 
of the sharing. The Commission issued its rule implementing these 
provisions in 2000.\2\ The Dodd-Frank Wall Street Reform and Consumer 
Protection Act transferred GLBA privacy notice rulemaking authority, in 
part, to the Bureau; however, the Commission retains rulemaking 
authority over any financial institution that is a motor vehicle dealer 
predominantly engaged in the sale and servicing of motor vehicles, the 
leasing and servicing of motor vehicles, or both, as described in 
Section 1029 of the Dodd-Frank Act, 12 U.S.C. 5519 (hereafter, motor 
vehicle dealers).
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 6801 et seq.
    \2\ 65 FR 33646 (May 24, 2000).
---------------------------------------------------------------------------

    The Commission proposes to revise its Privacy Rule, 16 CFR part 
313, in two ways. First, in light of the transfer of rulemaking 
authority for certain financial institutions to the Bureau, the 
Commission proposes to revise the explanation of the scope of the Rule 
and to tailor the examples provided in the Rule's Definitions section 
describing entities over which the Commission has retained rulemaking 
authority. The Commission believes that revising these provisions will 
eliminate extraneous information, clarify the Rule's applicability, and 
reduce confusion as to entities covered by the Rule. The Rule also 
retains several examples explaining the types of entities covered by 
the Safeguards Rule, 16 CFR part 314. Second, the Commission proposes 
to provide an alternative means for covered motor vehicle dealers to 
fulfill their obligation under the Privacy Rule to provide notice of 
their privacy policies. Under the proposal, motor vehicle dealers that 
do not engage in certain types of information-sharing activities would 
no longer be required to mail an annual privacy notice if they clearly 
and conspicuously convey, as
part of another mandated or legally permissible notice or disclosure, 
that their privacy notice is available on their publicly accessible Web 
site. This proposed revision is consistent with changes made in an 
October 28, 2014, rulemaking by the Bureau, which has rulemaking 
authority over depository institutions and many non-depository 
institutions.\3\
---------------------------------------------------------------------------

    \3\ 79 FR 64057 (Oct. 28, 2014).
---------------------------------------------------------------------------

    The Commission believes that the proposed changes are consistent 
with those issued by the Bureau, and will help avoid consumer confusion 
and ensure that the requirements for motor vehicle dealers covered by 
the Rule are consistent with the GLBA's privacy provisions for other 
financial institutions. Such changes may also streamline the flow of 
information to consumers, while easing the burden on motor vehicle 
dealers of providing annual notices. The Commission invites comment on 
the proposed rule revisions generally and on the specific issues 
outlined throughout Section IV. In addition, the Commission requests 
comment on whether, and the extent to which, the FTC's Privacy Rule 
applicable to motor vehicle dealers should be consistent with the rule 
adopted by the Bureau, or if there are elements that should differ.
    The Commission seeks comment on the proposal through August 17, 
2015.

II. Background

A. The Statute and Regulation

    The GLBA was enacted in 1999.\4\ The GLBA, among other things, 
provides a framework for regulating the privacy practices of a broad 
range of entities. The GLBA requires that financial institutions 
provide their customers with initial and annual notices regarding their 
privacy policies, and allow their customers to opt out of sharing their 
information with certain nonaffiliated third parties. Covered entities 
include, for example, payday lenders, mortgage brokers, check cashers, 
debt collectors, real estate appraisers, certain motor vehicle dealers 
and remittance transfer providers.
---------------------------------------------------------------------------

    \4\ Public Law 106-102, 113 Stat. 1338 (1999).
---------------------------------------------------------------------------

    Rulemaking authority to implement the GLBA's privacy provisions was 
initially spread among many agencies. The Federal Reserve Board 
(Board), the Office of Comptroller of the Currency (OCC), the Federal 
Deposit Insurance Corporation (FDIC), and the Office of Thrift 
Supervision (OTS) jointly adopted final rules to implement the notice 
requirements of the GLBA in 2000.\5\ The Commission, the National 
Credit Union Administration (NCUA), Securities and Exchange Commission 
(SEC), and Commodity Futures Trading Commission (CFTC) were part of the 
same interagency process, but issued their rules separately.\6\ In 
2009, all these agencies issued a joint final rule with a model form 
that financial institutions could use, at their option, to provide the 
required initial and annual privacy disclosures.\7\
---------------------------------------------------------------------------

    \5\ 65 FR 35162 (June 1, 2000).
    \6\ 65 FR 33646 (May 24, 2000) (FTC final rule); 65 FR 31722 
(May 18, 2000) (NCUA final rule); 65 FR 40334 (June 29, 2000) (SEC 
final rule); 66 FR 21252 (Apr. 27, 2001) (CFTC final rule).
    \7\ 74 FR 62890 (Dec. 1, 2009).
---------------------------------------------------------------------------

    In 2011, the Dodd-Frank Act \8\ transferred the GLBA's privacy 
notice rulemaking authority from the Board, NCUA, OCC, OTS, the FDIC, 
and the Commission (in part) to the Bureau. The Bureau then restated 
the implementing regulations in Regulation P, 12 CFR part 1016, in late 
2011 (Regulation P).\9\ However, under the Dodd-Frank Act, the 
Commission retained rulemaking authority for motor vehicle dealers 
described in section 1029 of the Dodd-Frank Act, 12 U.S.C. 5519. Thus, 
in 2012, the Commission issued a notice that it was retaining the 
implementing regulations governing privacy notices for motor vehicle 
dealers, at 16 CFR part 313.\10\
---------------------------------------------------------------------------

    \8\ Public Law 111-203, 124 Stat. 1376 (2010).
    \9\ 76 FR 79025 (Dec. 21, 2011).
    \10\ 77 FR 22200, 22201 (April 13, 2012) (also rescinding those 
regulations for which rulemaking authority was transferred to the 
Bureau under the Dodd-Frank Act).
---------------------------------------------------------------------------

    Despite the transfer of general rulemaking authority for the 
Privacy Rule to the CFPB, the Commission and other agencies retained 
their existing enforcement authority under the GLBA.\11\ In addition, 
the SEC and CFTC retained rulemaking authority with respect to 
securities and futures-related companies, respectively.\12\ 
Accordingly, as part of this rulemaking process, the Commission has 
consulted and coordinated, or offered to consult, with those agencies 
who have rulemaking and/or enforcement authority under the GLBA, 
including the Bureau, SEC, CFTC and the National Association of 
Insurance Commissioners (NAIC).\13\
---------------------------------------------------------------------------

    \11\ 15 U.S.C. 6805(a).
    \12\ 15 U.S.C. 6804, 6809; 12 U.S.C. 1843(k)(4); 12 CFR 
1016.1(b).
    \13\ See 15 U.S.C. 6804(a)(2).
---------------------------------------------------------------------------

B. The Privacy Notice Requirements

    As noted, the GLBA and the FTC Privacy Rule require that certain 
covered motor vehicle dealers provide consumers with notices describing 
their privacy policies. Section 503 of the GLBA and 16 CFR 313.4 
require covered entities to provide an initial notice of these 
policies, and then ``provide a clear and conspicuous notice to 
customers that accurately reflects [their] privacy policies and 
practices not less than annually during the continuation of the 
customer relationship.'' \14\
---------------------------------------------------------------------------

    \14\ 16 CFR 313.5(a)(1) (emphasis added).
---------------------------------------------------------------------------

    Section 502 of the GLBA and 16 CFR 313.6(a)(6) require that initial 
and annual notices inform customers of their right to opt out of the 
sharing of nonpublic personal information with some types of 
nonaffiliated third parties. For example, a customer has the right to 
opt out of allowing a motor vehicle dealer to sell her name and address 
to a nonaffiliated auto insurance company. On the other hand, a motor 
vehicle dealer is not required to allow consumers to opt out of the 
dealer's sharing involving third-party service providers, joint 
marketing arrangements, maintenance and servicing of accounts, 
securitization, law enforcement and compliance, reporting to consumer 
reporting agencies, and certain other activities that are specified in 
the statute and regulation.\15\ If a motor vehicle dealer limits its 
sharing to uses that do not trigger opt-out rights, it may provide an 
annual privacy notice to its customers that does not include 
information regarding opt-out rights.
---------------------------------------------------------------------------

    \15\ 15 U.S.C. 6802(b)(2), 6802(e); 16 CFR 313.13, 313.14, 
313.15.
---------------------------------------------------------------------------

    Motor vehicle dealers also may include in the annual privacy notice 
information about certain consumer opt-out rights related to affiliate 
sharing under the FCRA. First, section 603(d)(2)(A)(iii) of the FCRA 
allows the sharing of a consumer's information among affiliates, but 
only if the consumer is notified of such sharing and is given an 
opportunity to opt out.\16\ Section 503(c)(4) of the GLBA and the 
Privacy Rule generally require motor vehicle dealers to incorporate any 
notifications and opt-out disclosures provided pursuant to section 
603(d)(2)(A)(iii) of the FCRA into their initial and annual privacy 
notices.\17\
---------------------------------------------------------------------------

    \16\ 15 U.S.C. 1681a(d)(2)(A)(iii).
    \17\ 15 U.S.C. 6803(c)(4); 16 CFR 313.6(a)(7).
---------------------------------------------------------------------------

    Second, section 624 of the FCRA and 16 CFR 680 (the Affiliate 
Marketing Rule) provide that an affiliate of a motor vehicle dealer 
that receives certain information \18\ about a consumer from the dealer 
may not use that information for marketing purposes, unless the 
consumer is provided with an opportunity to opt out of that use.\19\ 
This requirement governs the use of information by an affiliate, not 
the sharing of information among affiliates, and thus is distinct from 
the affiliate sharing opt-out discussed above. The Affiliate Marketing 
Rule permits (but does not require) motor vehicle dealers to 
incorporate any opt-out disclosures provided under section 624 of the 
FCRA and the Affiliate Marketing Rule into the initial and annual 
privacy notices required by the GLBA.\20\
---------------------------------------------------------------------------

    \18\ The type of information to which section 624 applies is 
information that would be a consumer report but for the exclusions 
provided by section 603(d)(2)(A)(i), (ii), or (iii) of the FCRA.
    \19\ 15 U.S.C. 1681s-3. The FTC's Affiliate Marketing Rule 
applies to motor vehicle dealers. See 77 FR 22200. The FTC also 
enforces the Bureau's Regulation V's Affiliate Marketing Rule, 12 
CFR part 1022, subpart C, for other entities over which it has 
enforcement authority under the FCRA.
    \20\ 16 CFR 680.23(b).
---------------------------------------------------------------------------

    Finally, Sec.  313.6(a)(8) of the Privacy Rule requires that the 
notices also briefly describe how motor vehicle dealers protect the 
nonpublic personal information they collect and maintain.

C. The Bureau Rulemaking

    In December 2011, the Bureau issued a Request for Information 
seeking specific suggestions for streamlining regulations that were 
transferred to the Bureau from other Federal agencies (Streamlining 
RFI), including the annual privacy notice requirement.\21\
---------------------------------------------------------------------------

    \21\ 76 FR 75825, 75828 (Dec. 5, 2011).
---------------------------------------------------------------------------

    The Bureau received numerous comments from industry urging the 
Bureau to eliminate or reduce the annual notice requirement.\22\ 
Industry argued that most customers ignore annual privacy notices; the 
content of the disclosures provides little benefit when customers have 
no right to opt out of information sharing; current distribution of the 
notices imposes significant costs; and other methods of delivery could 
effectively convey the information to customers at a lower cost. 
Industry commenters suggested that the Bureau eliminate or ease the 
annual notice requirement if businesses' privacy policies have not 
changed and they do not share nonpublic personal information beyond the 
exceptions allowed by the GLBA.\23\ Consumer advocacy groups 
highlighted the benefit customers receive from printed annual privacy 
notices, which may remind customers of privacy rights that they may not 
have exercised previously.\24\
---------------------------------------------------------------------------

    \22\ 79 FR 27214 at 27217 (May 14, 2014) (Bureau Notice of 
Proposed Rulemaking).
    \23\ Id.
    \24\ Id.
---------------------------------------------------------------------------

    In November of 2013, the Bureau published a study assessing the 
effects of certain deposit regulations on financial institutions' 
operations.\25\ This study provided operational insights from seven 
banks about their annual privacy notices. All seven participants 
provided the annual notice as a separate mailing, which resulted in 
higher costs for postage, materials, and labor than if the notice were 
mailed with other material. Some of these participants separately 
mailed their notices to ensure that their disclosures are ``clear and 
conspicuous,'' \26\ even though 2009 guidance from the eight agencies 
promulgating the model privacy form explained that a separate mailing 
is not required.\27\ As a result of its Streamlining RFI, study, and 
its outreach to industry and consumer groups, in May 2014, the Bureau 
issued a proposed rule to amend its Regulation P to allow financial 
institutions to notify consumers that a privacy notice was available 
online, in certain enumerated circumstances. The comment period closed 
on July 14, 2014. As noted above, the Bureau finalized its rulemaking 
in October 2014.\28\
---------------------------------------------------------------------------

    \25\ Consumer Financial Protection Bureau, ``Understanding the 
Effects of Certain Deposit Regulations on Financial Institutions' 
Operations: Findings on Relative Costs for Systems, Personnel, and 
Processes at Seven Institutions'' (Nov. 2013), available at https://files.consumerfinance.gov/f/201311_cfpb_report_findings-relative-costs.pdf. Information collected for the study may be used to assist 
the Bureau in its investigations of ``the effects of a potential or 
existing regulation on the business decisions of providers.'' OMB 
Information Request--Control Number: 3170-0032.
    \26\ 15 U.S.C. 6803 (In its initial and annual privacy notices 
``a financial institution shall provide a clear and conspicuous 
disclosure . . . .''); 12 CFR 1016.3(b)(1) and 16 CFR 313.3(b)(1) 
(both defining ``clear and conspicuous'' as ``reasonably 
understandable and designed to call attention to the nature and 
significance of the information in the notice.'').
    \27\ See 74 FR 62890, 62897-62898.
    \28\ 79 FR 64057 (Oct. 28, 2014).
---------------------------------------------------------------------------

III. The Commission's Proposed Rule Changes

A. Technical Changes To Correspond to Statutory Changes

    The Commission adopted the scope and definitions in the existing 
Privacy Rule at a time when it had rulemaking authority for the Privacy 
Rule over a broader group of non-bank ``financial institutions'' as 
defined by the GLBA. While the Dodd-Frank Act did not change the 
Commission's enforcement authority for the privacy notice obligations 
of the GLBA, the Dodd-Frank Act amended the Commission's rulemaking 
authority under the GLBA such that its Privacy Rule only applies to 
motor vehicle dealers. For other types of financial institutions over 
which the Commission has enforcement authority under the GLBA, the 
Commission now enforces the Bureau's Regulation P. The amendments in 
the Dodd-Frank Act necessitate certain technical revisions to the 
Privacy Rule to ensure that the regulation is consistent with the text 
of the amended GLBA.\29\ Specifically, the Commission proposes to 
modify the Scope and Definitions section of the Privacy Rule to provide 
clearer guidance to financial institutions that are covered motor 
vehicle dealers.
---------------------------------------------------------------------------

    \29\ 15 U.S.C. 6804(1)(C).
---------------------------------------------------------------------------

    Although the Dodd-Frank Act altered the Commission's rulemaking 
authority with respect to the Privacy Rule, it did not alter the 
Commission's rulemaking authority for the GLBA's Standards for 
Safeguarding Customer Information, at 16 CFR part 314 (the Safeguards 
Rule). For the Safeguards Rule, the Commission continues to have 
rulemaking authority over a broad range of non-bank financial 
institutions. The Safeguards Rule, however, incorporates by reference 
the definitions contained in the Privacy Rule, including all of the 
examples of financial institutions listed in the existing Privacy 
Rule.\30\ Accordingly, the Commission proposes to change the Privacy 
Rule definitions to make clear that, for the purpose of the Privacy 
Rule, the only examples applicable in the definitions are those related 
to motor vehicle dealers; for the purpose of the Safeguards Rule, 
however, all existing examples in the Privacy Rule continue to apply.
---------------------------------------------------------------------------

    \30\ 16 CFR 314.2(a).
---------------------------------------------------------------------------

B. Changes to the Annual Privacy Notice

    The Commission also proposes changes to the Privacy Rule provisions 
governing how motor vehicle dealers should deliver annual privacy 
notices. These changes are consistent with changes adopted by the 
Bureau for those financial institutions subject to the Bureau's 
rulemaking authority. Under certain limited circumstances, these 
changes to the Privacy Rule would allow motor vehicle dealers to convey 
clearly and conspicuously--through another mandated or legally 
permissible notice or disclosure--that their privacy notice is 
available on their Web site (hereafter, the alternative delivery 
method).\31\ If, however, a motor vehicle dealer has made changes to 
its privacy practices or shares its customers' nonpublic personal 
information with nonaffiliated third parties, the dealer
generally could not avail itself of this alternative delivery 
method.\32\
---------------------------------------------------------------------------

    \31\ Because this disclosure must be provided annually, the 
proposal satisfies the statutory requirement that motor vehicle 
dealers provide annual notices about their privacy practices. Beyond 
the requirement to provide the notice annually, the GLBA allows 
agencies to prescribe the method of delivery. See 15 U.S.C. 6803(a) 
(The GLBA allows annual notice to be delivered ``in writing or in 
electronic form or other form permitted by the regulations . . .'').
    \32\ A motor vehicle dealer may use the alternative delivery 
method if such sharing does not trigger GLBA opt-out rights as set 
forth in Parts 313.13, 313.14, and 313.15.
---------------------------------------------------------------------------

    The Commission anticipates that use of the alternative delivery 
method that meets the requirements discussed below could inform 
customers of their motor vehicle dealer's privacy policies effectively 
and at a lower cost than the current widespread method of mailing 
annual privacy notices. The cost savings could benefit both consumers 
and businesses.\33\
---------------------------------------------------------------------------

    \33\ See 79 FR at 27218; 79 FR at 64061.
---------------------------------------------------------------------------

    The Commission has also considered the potential impact of its 
proposed rule change on consumer privacy. The proposal would not affect 
the actual collection or use of consumers' nonpublic personal 
information by motor vehicle dealers, and consumers would continue to 
get the information and opt-out rights they are entitled to under the 
statute. Moreover, the proposal would enable consumers to review a 
motor vehicle dealer's policy at their own convenience any time during 
the year. For example, a motor vehicle dealer choosing to use the 
alternative method would have to post the privacy notice continuously 
on its Web site, thus enabling consumers to access the privacy notice 
throughout the year rather than having to wait for an annual mailing.

IV. Section-by-Section Analysis

Section 313.1(b)--Scope
    Section 313.1(b) outlines the scope of the Privacy Rule. The 
existing Rule describes the types of entities to which the Privacy Rule 
was applicable prior to the enactment of the Dodd-Frank Act. Those 
entities included--but were not limited to--financial institutions such 
as ``payday'' lenders, mortgage brokers, check cashers, and tax 
preparation firms, but did not include entities that were subject to 
the rulemaking authority of another agency.\34\ With the exception of 
motor vehicle dealers, the entities formerly subject to 16 CFR part 313 
are now subject to the Bureau's Regulation P.\35\
---------------------------------------------------------------------------

    \34\ See 15 U.S.C. 6804 (2010).
    \35\ The Commission retains enforcement authority over such 
entities for violations of the Bureau's Regulation P. 15 U.S.C. 
6805(a)(7).
---------------------------------------------------------------------------

    The Commission seeks to revise the Privacy Rule to make clear that 
it applies only to motor vehicle dealers. Accordingly, the Commission 
proposes to revise Sec.  313.1(b) to remove examples of entities to 
which the FTC's Privacy Rule no longer applies. The Commission also 
proposes to remove the reference in the Privacy Rule's scope to ``other 
persons.'' Although the Commission continues to have enforcement 
authority over ``other persons'' covered by the CFPB's rule, the 
Commission no longer has rulemaking authority for the Privacy Rule over 
``other persons.'' In addition, the Commission proposes to eliminate 
from Sec.  313.1(b) the note indicating that: (1) The Privacy Rule does 
not modify, limit, or supersede the standards under the Health 
Insurance Portability and Accountability Act of 1996 (HIPAA), and (2) 
if a financial institution that is an institution of higher education 
is in compliance with the Federal Educational Rights and Privacy Act 
(FERPA) and its implementing regulations, such institution shall be 
deemed in compliance with 16 CFR part 313. The Commission believes it 
unlikely that this note is applicable to motor vehicle dealers but 
requests comment as to whether motor vehicle dealers ever engage in 
practices that require them to comply with HIPAA or FERPA. In addition, 
the Commission invites general comment on the proposed changes to the 
description of the scope of the Privacy Rule.
Section 313.3--Definitions
    The Definitions section of the Privacy Rule includes a number of 
examples designed to provide guidance regarding the scope of terms used 
in the Privacy Rule. The Commission proposes to revise these 
definitions so that they provide accurate guidance regarding the Rule's 
scope. Specifically, the Commission proposes to revise Sec.  313.3 to 
make clear that certain examples in five definitions are not applicable 
to motor vehicle dealers for purposes of the Privacy Rule but continue 
to apply for purposes of the Safeguards Rule. Similarly, the Commission 
proposes to revise the definition of ``you,'' which currently includes 
entities to which the Privacy Rule no longer applies.
    First, for purposes of the Privacy Rule, proposed Sec.  313.3(e)(2) 
no longer includes, as examples of ``consumers,'' those consumers 
seeking financial advisory services \36\ or consumers with which the 
financial institution has a relationship related to a trust.\37\ The 
examples are retained for purposes of the Safeguards Rule, 16 CFR part 
314.
---------------------------------------------------------------------------

    \36\ 16 CFR 313.3(e)(2)(iii).
    \37\ 16 CFR 313.3(e)(2)(vi) and (vii).
---------------------------------------------------------------------------

    Second, for purposes of the Privacy Rule, proposed Sec.  
313.3(i)(2) no longer includes, as examples of a ``continuing 
relationship'' with a customer, a relationship in which the financial 
institution holds an investment product for the consumer; \38\ enters 
into an agreement to arrange or broker a home mortgage loan; \39\ 
provides financial, investment, or economic advisory services to a 
consumer; \40\ provides tax preparation or credit counseling services; 
\41\ provides career counseling for seeking employment with a financial 
institution or a financial, accounting or audit department of a 
company; \42\ purchases an account, on which the consumer has an 
obligation, from another financial institution; \43\ or provides real 
estate settlement services.\44\ The examples are retained for purposes 
of the Safeguards Rule.
---------------------------------------------------------------------------

    \38\ 16 CFR 313.3(i)(2)(i)(D). The Privacy Rule requires motor 
vehicle dealers to provide an annual notice while there is a 
continuing relationship between the dealer and the customer.
    \39\ 16 CFR 313.3(i)(2)(i)(E). This subsection has been revised 
to remove the portion of the example relating to home mortgage loans 
but retains the portion relating to credit to purchase a vehicle.
    \40\ 16 CFR 313.3(i)(2)(i)(G).
    \41\ 16 CFR 313.3(i)(2)(i)(H).
    \42\ 16 CFR 313.3(i)(2)(i)(I).
    \43\ 16 CFR 313.3(i)(2)(i)(J).
    \44\ 16 CFR 313.3(i)(2)(i)(K).
---------------------------------------------------------------------------

    Third, for purposes of the Privacy Rule, proposed Sec.  313.3(i)(2) 
no longer includes, as examples of ``no continuing relationship'' with 
a customer, a relationship in which the financial institution sells 
airline tickets \45\ or sells checks for a personal checking 
account.\46\ The examples are retained for purposes of the Safeguards 
Rule.
---------------------------------------------------------------------------

    \45\ 16 CFR 313.3(i)(2)(ii)(C).
    \46\ 16 CFR 313.3(i)(2)(ii)(E).
---------------------------------------------------------------------------

    Fourth, for purposes of the Privacy Rule, proposed Sec.  
313.3(k)(2) no longer includes, as examples of ``financial 
institutions,'' retailers that extend credit by issuing their own 
credit cards to consumers; career counselors specializing in finance, 
accounting or audit employment; businesses that print and sell checks; 
businesses that regularly wire money to and from consumers; check 
cashing businesses; accountants or other tax preparation services that 
are in the business of completing tax returns; businesses that operate 
travel services in connection with financial services; businesses 
providing real estate settlement services; mortgage brokers, or 
investment advisory companies and credit counseling services.\47\ The 
examples are retained for purposes of the Safeguards Rule.
---------------------------------------------------------------------------

    \47\ 16 CFR 313.3(k)(2)(E)(i), (iv)-(xii).
---------------------------------------------------------------------------

    Fifth, for purposes of the Privacy Rule, proposed Sec.  313.3(k)(5) 
no longer includes as examples of ``entities that are not significantly 
engaged in financial activities,'' retailers that only extend credit 
via occasional ``lay away'' and deferred payment plans; merchants
that allow individuals to ``run a tab''; or grocery stores that allow 
individuals to cash checks or write checks for a higher amount than a 
purchase and obtain cash back.\48\ The examples are retained for 
purposes of the Safeguards Rule. The Commission invites comment 
regarding whether any of the examples that the Commission proposes to 
eliminate for purposes of the Privacy Rule are applicable to motor 
vehicle dealers. The Commission also seeks comment regarding the 
examples that remain for purposes of the Privacy Rule in the 
definitions of proposed Sec.  313.3 and the applicability of such 
examples to motor vehicle dealers.
---------------------------------------------------------------------------

    \48\ 16 CFR 313.3(k)(4)(iii) and (iv).
---------------------------------------------------------------------------

    The existing Privacy Rule generally defines ``you'' as a financial 
institution over which the Commission has enforcement jurisdiction 
under the GLBA. Because this definition refers to the Commission's 
enforcement authority rather than its rulemaking authority, the 
definition is overbroad in light of the amendments to the GLBA 
discussed above. Therefore, the Commission proposes to revise the 
definition of ``you'' so that for purposes of the Privacy Rule it 
applies to only those entities over which the Commission has rulemaking 
authority. For purposes of the Safeguards Rule, the definition of 
``you'' remains unchanged.
    The Commission requests comment on the proposed changes to the 
definition of ``you.'' The Commission notes that the changes to the 
Privacy Rule scope and definitions serve solely to 
conform the Privacy Rule to the revisions in the Dodd-Frank Act as to 
the scope of the Commission's rulemaking authority. These changes do 
not reflect any change in the Commission's authority to enforce the 
Privacy Rule or Regulation P.
Section 313.9--Delivering Privacy and Opt-Out Notices
    Section 313.9(a) of the Rule requires that motor vehicle dealers 
provide initial and annual privacy notices so that each consumer ``can 
reasonably be expected'' to receive actual notice in writing or, if the 
consumer agrees, electronically. Section 313.9(b) provides examples of 
delivery methods that would result in reasonable expectation of actual 
notice, including hand delivery and delivery by mail. The examples also 
include posting on a Web site for customers who: (1) Conduct 
transactions electronically, and (2) acknowledge receipt of the notice 
as a necessary step to obtaining a particular financial product or 
service.\49\ Section 313.9(c) further allows delivery of the annual 
notice through a Web site, but only if a customer uses the dealer's Web 
site to access financial products and services and consents to receive 
notices at the Web site.\50\ Below, the Commission describes proposed 
changes to Sec.  313.9(c) that would allow motor vehicle dealers to 
utilize an alternative delivery method for the annual notices. In some 
circumstances, motor vehicle dealers could substitute their annual 
privacy notices with a clear and conspicuous disclosure--as part of an 
account statement, coupon book, or other legally-required or permitted 
notice or disclosure--stating that their privacy notice is available on 
their Web site and will be mailed to the customer on request. As 
required by the GLBA, this substitute disclosure would have to be 
provided at least annually.
---------------------------------------------------------------------------

    \49\ 16 CFR 313.9(b).
    \50\ 16 CFR 313.9(c).
---------------------------------------------------------------------------

    The Commission seeks information concerning the effect on customer 
privacy rights if motor vehicle dealers were to use the alternative 
delivery method rather than their current delivery methods. Relatedly, 
the Commission requests comment on how often customers currently read 
annual privacy notices under the Privacy Rule and how frequently the 
notices would be read if they were provided pursuant to the proposed 
alternative delivery method. The Commission further requests comment on 
whether the proposed alternative delivery method would be effective in 
reducing the burden on motor vehicle dealers of mailing hard copy 
privacy notices. In particular, the Commission requests information 
regarding how many annual privacy notices motor vehicle dealers 
provide.
    Lastly, the Commission notes that the current Rule prescribes 
certain circumstances under which motor vehicle dealers can provide 
privacy notices electronically or via online posting. For example, the 
Rule allows covered entities to provide notices electronically if the 
consumer agrees or to provide notice online if the consumer is required 
to acknowledge receipt of the notice. See 16 CFR 313.9. The Commission 
invites comment regarding how often privacy notices are delivered 
electronically or posted online under the existing Rule and whether 
companies that currently provide notices electronically will likely 
experience cost savings under the proposed new rule requirements.
9(c)(2) Alternative Method for Providing Certain Annual Notices
9(c)(2)(i)
    Proposed Sec.  313.9(c)(2)(i) describes the circumstances under 
which a motor vehicle dealer may use the alternative delivery method 
summarized above.\51\
---------------------------------------------------------------------------

    \51\ Existing Sec.  313.9(c) would be redesignated as Sec.  
313.9(c)(1) and its subparagraphs redesignated as Sec.  
313.9(c)(1)(i) and (ii), respectively, to accommodate the new 
addition. The Commission is also proposing to add a heading to new 
paragraph (c)(1) for technical reasons.
---------------------------------------------------------------------------

9(c)(2)(i)(A)
    Proposed Sec.  313.9(c)(2)(i)(A) would set forth the first 
condition for using the alternative delivery method: That the motor 
vehicle dealer must not share the customer's information with 
nonaffiliated third parties in a manner that triggers the opt-out 
requirement under the GLBA. Thus, for example, a motor vehicle dealer 
may use the alternative delivery method if it shares the customer's 
information with nonaffiliated third parties as permitted by Sec. Sec.  
313.13 (for joint marketing), 313.14 (for processing and servicing 
transactions), and 313.15 (with consent, or for security purposes, 
fraud prevention, legal purposes or fiduciary purposes). It may not use 
the alternative delivery method, for example, if it shares the 
customer's nonpublic personal information with a nonaffiliated 
insurance company for marketing purposes. The Commission believes the 
alternative delivery method will generally reduce the burden of 
compliance for motor vehicle dealers, while still mandating the use of 
the current delivery method to ensure that customers have direct notice 
of their opt-out rights, where they exist.
    The Commission invites comment on the number of motor vehicle 
dealers that would not be able to take advantage of the alternative 
delivery method because they share data with nonaffiliated third 
parties. The Commission further invites comment on whether customers 
with opt-out rights pursuant to the Privacy Rule should continue to 
receive the annual privacy notice pursuant to the current delivery 
method or if motor vehicle dealers should be able to utilize the 
proposed alternative delivery method for such customers.
9(c)(2)(i)(B)
    Proposed Sec.  313.9(c)(2)(i)(B) would set forth the second 
condition for using the alternative delivery method for the annual 
privacy notice: That the motor vehicle dealer not include on its annual 
notice an opt-out under section
603(d)(2)(A)(iii) of the FCRA.\52\ As discussed above, FCRA section 
603(d)(2)(A)(iii) allows sharing of certain consumer information with 
affiliates, but only if the motor vehicle dealer provides the consumer 
with notice and an opportunity to opt out of the information sharing. 
Although this is a requirement of the FCRA, section 503(b)(4) of the 
GLBA and Sec.  313.6(a)(7) of the Privacy Rule require a motor vehicle 
dealer's privacy notice to include any opt-out rights provided under 
section 603(d)(2)(A)(iii) of the FCRA. Accordingly, to the extent that 
a motor vehicle dealer shares customer information with affiliates for 
marketing purposes, thus triggering the obligation to include an opt-
out pursuant to FCRA section 603(d)(2)(A)(iii), the motor vehicle 
dealer cannot take advantage of the alternative delivery method.\53\ As 
noted above, the Commission believes that directly reminding consumers 
of any opt-out rights at least annually will be important for 
consumers. This is true regardless of whether the opt-out right is 
provided under the GLBA or the FCRA.
---------------------------------------------------------------------------

    \52\ 15 U.S.C. 1681a(d)(2)(A)(iii).
    \53\ See 64 FR 35162, 35176 (June 1, 2000).
---------------------------------------------------------------------------

    The Commission invites comment on the extent to which different 
motor vehicle dealers provide a FCRA section 603(d)(2)(A)(iii) opt-out 
and thus would be precluded from using the proposed alternative 
delivery method. The Commission further invites comment as to whether 
customers with opt-out rights under this section of the FCRA benefit 
from receiving the annual privacy notice pursuant to the current 
delivery method or could receive the notice via the proposed 
alternative delivery method.
9(c)(2)(i)(C)
    Proposed Sec.  313.9(c)(2)(i)(C) would contain the third condition 
for using the alternative delivery method, related to the requirements 
of section 624 of the FCRA \54\ and the Affiliate Marketing Rule, 16 
CFR part 680. FCRA section 624, as implemented by the Affiliate 
Marketing Rule, provides that a person may not use certain information 
about a consumer that it receives from an affiliate to market to that 
consumer unless the consumer receives notice and the opportunity to opt 
out of such marketing.\55\
---------------------------------------------------------------------------

    \54\ 15 U.S.C. 1681s-3.
    \55\ 16 CFR 680.21(a).
---------------------------------------------------------------------------

    In contrast to the FCRA section 603(d)(2)(A)(iii) notice and opt-
out right concerning affiliate sharing, which is generally required to 
be included on the GLBA annual privacy notice, the FCRA section 624 
(and Affiliate Marketing Rule) notice and opt-out right concerning 
marketing by affiliates is not required to be included on that notice. 
However, the Affiliate Marketing Rule notice and opt-out right may be 
included on the privacy notice.\56\
---------------------------------------------------------------------------

    \56\ 16 CFR 680.23(b).
---------------------------------------------------------------------------

    The Commission proposes--under Sec.  313.9(c)(2)(i)(C)--that a 
motor vehicle dealer that is required to provide a notice and opt out 
under the Affiliate Marketing Rule may use the alternative delivery 
method, provided that the motor vehicle dealer has previously satisfied 
the Affiliate Marketing Rule requirements or does not use the annual 
privacy notice as the sole means of providing notice to customers of 
that opt-out right.\57\ Alternatively, the motor vehicle dealer could 
continue to use the current delivery method and include the Affiliate 
Marketing opt-out on the annual privacy notice, with no separate notice 
required.
---------------------------------------------------------------------------

    \57\ Certain requirements for the Affiliate Marketing notice and 
opt out differ, depending on whether it is included as part of the 
model privacy notice or issued separately. Where a motor vehicle 
dealer includes the Affiliate Marketing notice and opt-out on the 
model privacy notice, that opt-out must be of indefinite duration. 
See Appendix A to Part 313 at C.2(d)(6). In contrast, where a motor 
vehicle dealer provides the Affiliate Marketing notice and opt-out 
separately, the Affiliate Marketing Rule allows the opt-out to be 
offered for as little as five years, subject to renewal, and the 
disclosure of the duration of the opt-out must be included on the 
notice. See 16 CFR 680.22(b); 16 CFR 680.23(a)(1)(iv). Because 
inclusion of the Affiliate Marketing opt-out on the model privacy 
notice requires a motor vehicle dealer to honor the opt-out 
indefinitely, a motor vehicle dealer that also offers the opt-out 
right separately in order to use the alternative delivery method 
would be able to comply with both the Privacy Rule and the Affiliate 
Marketing Rule by stating in the separate Affiliate Marketing notice 
that the opt-out is of indefinite duration and by honoring such opt-
out requests indefinitely.
---------------------------------------------------------------------------

    The Commission invites comment on the extent to which motor vehicle 
dealers include the Affiliate Marketing Rule opt-out on their Privacy 
Rule privacy notices and thus would be precluded from using the 
proposed alternative delivery method. The Commission further invites 
comment on whether imposing this condition on using the alternative 
delivery method is beneficial to consumers.
9(c)(2)(i)(D)
    Proposed Sec.  313.9(c)(2)(i)(D) would present the fourth condition 
for using the alternative delivery method: That the substantive 
information a motor vehicle dealer is required to convey on its annual 
privacy notice has not changed since the immediately previous privacy 
notice (whether initial, annual, or revised) to the customer.\58\ The 
Commission believes that the current delivery method is likely less 
useful if the customer has already received a privacy notice, and the 
motor vehicle dealer's sharing practices remain generally unchanged 
since that previous notice. Proposed Sec.  313.9(c)(2)(i)(D) lists the 
specific disclosures of the privacy notice that must not change in 
order for a motor vehicle dealer to take advantage of the alternative 
delivery method. They are:
---------------------------------------------------------------------------

    \58\ Note that information disclosed pursuant to Sec.  
313.6(a)(6) and (a)(7) is not included in proposed Sec.  
313.9(c)(2)(i)(D) because if those situations apply, a motor vehicle 
dealer could not use the alternative delivery method under proposed 
Sec.  313.9(c)(2)(i)(A) and (B), as discussed above.
---------------------------------------------------------------------------

     The categories of nonpublic personal information that the 
motor vehicle dealer collects (Sec.  313.6(a)(1) and (a)(4));
     the categories of nonpublic personal information that the 
motor vehicle dealer discloses (Sec.  313.6(a)(2));
     the categories of affiliates and nonaffiliated third 
parties to whom the motor vehicle dealer discloses nonpublic personal 
information, other than to parties that administer or enforce 
transactions, service or process financial products, or maintain or 
service accounts, under Sec.  313.14 and to parties for security, fraud 
prevention, legal purposes, or similar purposes under Sec.  313.15 
(Sec.  313.6(a)(3));
     if the motor vehicle dealer discloses nonpublic personal 
information to a nonaffiliated third party for joint marketing as set 
forth under Sec.  313.13, a separate statement of the categories of 
information disclosed and the categories of third parties to whom the 
disclosures were made (Sec.  313.6(a)(5));
     the motor vehicle dealer's policies and practices with 
respect to protecting the confidentiality and security of nonpublic 
personal information (Sec.  313.6(a)(8)); and
     the description of the purpose for sharing with service 
providers and other entities that conduct fraud prevention, security, 
or similar services (Sec.  313.6(a)(9)).
    The Commission emphasizes that a motor vehicle dealer would be 
precluded from using the alternative delivery method only if it made 
substantive changes to the information disclosed on the previous 
written notice sent to the consumer. Stylistic changes in the wording 
of the notice that do not denote a change in practices would not 
prevent a motor vehicle dealer from using the alternative delivery 
method. Nor would the proposed section prohibit a motor vehicle dealer 
from using the alternative delivery method if the dealer eliminated 
categories of information it disclosed or categories of
third parties to whom it disclosed information. Any other substantive 
change to its information sharing practices would preclude use of the 
alternative delivery method; however, the motor vehicle dealer could 
use the alternative delivery method to meet its next annual privacy 
notice requirement if it first sent a revised privacy notice pursuant 
to the standard delivery requirements.
    The Commission invites comment about the effect on customers of 
conditioning availability of the alternative delivery method on there 
being no change from the previous year's notice. The Commission further 
invites comment on how often motor vehicle dealers change their privacy 
notice such that they would be precluded from using the proposed 
alternative delivery method. Lastly, the Commission invites comment on 
the extent to which a motor vehicle dealer's changing its data security 
policy should preclude it, like financial institutions covered by 
Regulation P, from using the proposed alternative delivery method.
9(c)(2)(i)(E)
    The last condition for use of the alternative delivery method, 
which would be set forth in proposed Sec.  313.9(c)(2)(i)(E), requires 
that the motor vehicle dealer use the model privacy form for its annual 
privacy notice. Currently, the Privacy Rule does not require use of the 
model notice because the statute under which it was promulgated only 
required that regulators give financial institutions the option to use 
such a model notice.\59\
---------------------------------------------------------------------------

    \59\ 15 U.S.C. 6803.
---------------------------------------------------------------------------

    However, the Commission proposes to permit use of the alternative 
delivery method only if a motor vehicle dealer uses the model privacy 
form for its annual privacy notice. This approach would likely 
incentivize use of the model notice, which consumer research has shown 
to be effective in communicating information.\60\ The Commission does 
not believe that the one-time burden of creating a model notice will 
place an undue burden on motor vehicle dealers, who will likely be 
able to save costs by not sending annual privacy notices.
---------------------------------------------------------------------------

    \60\ 74 FR 62890, 62891 (Dec. 1, 2009).
---------------------------------------------------------------------------

    The Commission notes that the model form accommodates information 
that may be required by state or international law, as applicable, in a 
box called ``Other important information.'' \61\ Accordingly, the 
Commission expects that a motor vehicle dealer that has additional 
privacy disclosure obligations pursuant to state or international law 
would still be able to use the model form in order to take advantage of 
the proposed alternative delivery method. The Commission invites 
comment on related state or international law requirements and their 
interaction with the model privacy notice, as well as the proposed 
condition on the alternative delivery method in general.
---------------------------------------------------------------------------

    \61\ Appendix A to Part 313 at C(3)(c).
---------------------------------------------------------------------------

    The Commission contemplates that adoption of the model privacy form 
may require changes to the wording and layout of the privacy notice, 
but not to the information conveyed. Thus, adoption of the model notice 
would not constitute a change to the prior year's notice that would 
preclude use of the alternative delivery method under proposed Sec.  
313.9(c)(2)(i)(D).\62\ The Commission solicits comment on this issue. 
The Commission further invites comment on the extent to which motor 
vehicle dealers currently use the model privacy notice, and if they do 
not, whether they would choose to adopt it in order to take advantage 
of the proposed alternative delivery method. Lastly, the Commission 
invites comment on the benefit to customers of receiving the model 
privacy notice rather than a privacy notice in a non-standard format.
---------------------------------------------------------------------------

    \62\ In a somewhat analogous situation, the agencies that 
promulgated the model privacy notice explained: ``Adoption of the 
model form, with no change in policies or practices, would not 
constitute a revised notice [for purposes of the rule section on 
revised privacy notices], although institutions may elect to 
consider the format change as revision, at their option.'' 74 FR 
62890, 62907 n. 196.
---------------------------------------------------------------------------

    Finally, the Commission generally invites comment on the conditions 
in proposed Sec.  313.9(c)(2)(i)(A) through (E) and whether any of 
those conditions should not be required or whether other conditions 
should be added.
9(c)(2)(ii)
    Proposed Sec.  313.9(c)(2)(ii) sets forth the mechanics of the 
alternative delivery method for annual notices.
9(c)(2)(ii)(A)
    Proposed Sec.  313.9(c)(2)(ii)(A) would set forth the first 
component of the alternative delivery method: that a motor vehicle 
dealer inform the customer of the availability of the annual privacy 
notice on its Web site. Under this proposed subsection, a motor vehicle 
dealer must clearly and conspicuously convey, not less than annually--
on an account statement, coupon book, or notice or disclosure the 
institution is required or expressly permitted to use under any other 
provision of law--three pieces of information: (1) That its privacy 
notice has not changed, (2) that the notice is available on its Web 
site, and (3) that a hard copy of the notice will be mailed to 
customers if they call to request one.
    Proposed Sec.  313.9(c)(2)(ii)(A) states that this notice must be 
``clear and conspicuous,'' which is defined as meaning ``reasonably 
understandable'' and ``designed to call attention to the nature and 
significance of the information.'' \63\ The Commission believes that 
the existing examples in Sec.  313.3(b)(2)(i) and (ii) for the 
``reasonably understandable'' and ``designed to call attention'' 
requirements likely would provide sufficient guidance on ways to make 
the notice clear and conspicuous. For example, the Rule states that, if 
the notice is combined with other information, it must contain 
``distinctive type size, style, and graphic devices, such as shading or 
sidebars.'' \64\
---------------------------------------------------------------------------

    \63\ 16 CFR 313.3(b)(1).
    \64\ 16 CFR 313.3(b)(2)(ii)(E).
---------------------------------------------------------------------------

    Although the Commission proposes to require that motor vehicle 
dealers convey this ``notice of availability'' not less than annually, 
they may elect to convey it more often (e.g., quarterly or monthly). 
The Commission invites comment on whether the approach used for notice 
of availability for motor vehicle dealers should differ from that for 
the financial institutions covered by Regulation P. In particular, the 
Commission is interested in comment on: (1) Whether the proposed 
example notice of availability would make the alternative delivery 
method more feasible for motor vehicle dealers to implement, (2) 
whether the illustrative elements not specifically required by the Rule 
should be so required, and (3) whether the proposed language would be 
effective in informing customers of the availability of the privacy 
notice.
    As noted, proposed Sec.  313.9(c)(2)(ii)(A) would require the 
notice of availability to be conveyed on an account statement, coupon 
book, or notice or disclosure the motor vehicle dealer is required or 
expressly and specifically permitted to issue under any other provision 
of law. An account statement would include periodic statements or 
billing statements. A coupon book refers to a book of payment coupons 
typically included with an installment loan. The Commission believes 
customers are likely to read account statements or coupon books that 
directly concern the status of their account.
    A ``notice or disclosure the institution is required or expressly 
and specifically permitted to issue under any other provision of law'' 
would include
disclosures that are expressly and specifically permitted by law, even 
if not required. This language builds on the language used in the 
Affiliate Marketing Rule, which provides that ``a notice required by 
this subpart may be coordinated and consolidated with any other notice 
or disclosure required to be issued under any other provision of law. . 
. .'' \65\ The Commission notes that a notice of availability would not 
satisfy the proposed rule requirement if included on advertising 
materials that were neither required nor specifically permitted by law. 
The Commission invites comment on the benefits and costs of requiring 
the notice of availability to be included on an account statement, 
coupon book, or document required or expressly and specifically 
permitted under any other provision of law. The Commission further 
requests comment as to the best documents on which to place the notice 
of availability, particularly in light of what consumers are likely to 
read.
---------------------------------------------------------------------------

    \65\ 16 CFR 680.23(b).
---------------------------------------------------------------------------

    The Commission further notes that where two or more motor vehicle 
dealers provide a joint privacy notice pursuant to Sec.  313.9(f), the 
proposal would require each motor vehicle dealer to separately provide 
the notice of availability. The Commission invites comment on how often 
motor vehicle dealers jointly provide privacy notices and whether the 
proposed alternative delivery method would be feasible for such jointly 
issued notices.
    Proposed Sec.  313.9(c)(2)(ii)(A) also would require the 
institution to state on the notice of availability that its privacy 
policy has not changed, which, as discussed in detail below, is a 
condition that a dealer must satisfy in order to be able to use the 
alternative delivery method. This proposed requirement can help 
customers assess whether they are interested in reading the policy. 
This statement would always be accurate if the alternative delivery 
method is used correctly, since a motor vehicle dealer could not use 
the alternative delivery method if its annual privacy notice had 
changed.
    The proposal would further require that the statement include a 
specific web address that takes customers directly to the page where 
the privacy notice is available. The section also would require that 
the web address conveyed on the notice of availability provide the 
customer with direct access to the page that contains the privacy 
notice, so that the customer need not click on any additional links.
    Next, proposed Sec.  313.9(c)(2)(ii)(A) would require that the 
notice of availability include a telephone number that a customer can 
call to request a hard copy of the annual privacy notice. This number 
need not be a dedicated number established for this purpose alone. This 
requirement is intended to assist customers who do not have internet 
access or would prefer to receive a hard copy of the privacy notice. 
The Commission encourages motor vehicle dealers that already maintain a 
toll-free number to use that number in the statement required by Sec.  
313.9(c)(2)(ii)(A), to simplify the process for a customer to call and 
request a mailed copy of the privacy notice.
    As an alternative, the Commission invites comment on whether the 
approach used for notice of availability for motor vehicle dealers 
should differ from that for the financial institutions covered by 
Regulation P. Specifically, the Commission seeks comment on the 
advantages and disadvantages of requiring motor vehicle dealers to 
provide a dedicated telephone number for privacy notice requests so 
that customers can easily request a hard copy of the notice without 
navigating a complicated automated telephone menu. The Commission also 
invites comment on whether it should require a dedicated toll-free 
number for this purpose.
9(c)(2)(ii)(B)
    Proposed Sec.  313.9(c)(2)(ii)(B) would set forth the second 
component of the alternative delivery method: that the motor vehicle 
dealer post its current privacy notice continuously and in a clear and 
conspicuous manner on a page of the institution's Web site on which the 
only content is the privacy notice. The Commission believes that, were 
the notice included on a page with other content, such as other 
disclosures or promotions for products, that content could detract from 
the prominence of the notice and make it less likely that a customer 
would actually read it.\66\ The Commission believes that this 
requirement is feasible for most motor vehicle dealers, and for a motor 
vehicle dealer that does not currently post its annual notice on its 
Web site, creating a specific page for this purpose is a one-time 
process that could be implemented without significant cost.
---------------------------------------------------------------------------

    \66\ Information that is not content, such as navigational menus 
to other pages on the Web site, could appear on the same page as the 
privacy notice. Moreover, other pages on the dealer's Web site could 
link to the page containing the privacy notice, but the customer 
would still have to be provided a specific web address that takes 
the customer directly to the page where the privacy notice is 
available to satisfy the requirement to post the notice on the motor 
vehicle dealer's Web site in proposed Sec.  313.9(c)(2)(ii)(B). 
Finally, with regard to the proposed requirement that the notice be 
posted in a ``clear and conspicuous'' manner, the Commission notes 
that existing Sec.  313.3(b)(2)(iii) gives examples of what clear 
and conspicuous means for a privacy notice posted on a Web site. One 
example is a Web page that uses text or visual cues to encourage 
scrolling down the page if necessary to view the entire notice, as 
long as the page does not include text, graphics, hyperlinks, or 
sound that may distract from the notice.
---------------------------------------------------------------------------

    This section would further require that the Web page that contains 
the privacy notice be accessible to the customer without requiring the 
customer to provide any information such as a login name or password or 
agree to any conditions to access the page. This provision is intended 
to make accessing the privacy notice on an institution's Web site as 
simple and straightforward as possible.
    The Commission invites comment regarding the prevalence of motor 
vehicle dealers that currently maintain Web sites, whether they 
currently post the Privacy Rule notice on those Web sites, and if they 
do not, how costly it would be to do so. The Commission additionally 
seeks comment on whether motor vehicle dealers provide different 
privacy notices for different groups of customers, such that posting 
multiple privacy notices on the dealer's Web site may create confusion 
as to which is the relevant privacy notice that is applicable to a 
particular customer. The Commission seeks comment on the relative 
benefit or harm to customers of accessing the privacy notice on a motor 
vehicle dealer's Web site as proposed. Lastly, the Commission invites 
comment as to whether motor vehicle dealers should be required to 
provide specific reminder information to a consumer about that 
consumer's previously established preferences--for example, whether the 
consumer has already opted out--via a login and password-protected 
section of the Web site.
9(c)(2)(ii)(C)
    Proposed Sec.  313.9(c)(2)(ii)(C) would set forth the third 
component of the alternative delivery method: That the motor vehicle 
dealer mail its current privacy notice to those customers who request 
it by telephone within ten calendar days of such request. The 
Commission proposes this requirement to assist customers without 
internet access and customers with internet access who would prefer to 
receive a hard copy of the notice. This requirement makes clear that a 
motor vehicle dealer may not, for example, wait to mail the privacy 
notice with another document, such as a quarterly

[[Page 36275]]

statement. Motor vehicle dealers may not charge the customer for 
delivering the annual notice, given that delivery of the annual notice 
is required by statute and regulation.
    The Commission invites comment on the cost associated with mailing 
privacy notices on request, and whether mailing of the privacy notice 
within ten calendar days of a request is feasible for motor vehicle 
dealers. The Commission further requests comment on whether requiring 
mailing within ten calendar days is sufficient to ensure that customers 
receive privacy notices in a timely manner.
9(c)(2)(iii)
    Proposed Sec.  313.9(c)(2)(iii) would provide an example of a 
notice of availability that satisfies Sec.  313.9(c)(2)(ii)(A). The 
Commission intends this example to provide clear guidance on 
permissible content for the notice of availability to facilitate 
compliance. The content of the example notice of availability in 
proposed Sec.  313.9(c)(2)(iii) draws from language in the existing 
model privacy notice in Part 313, App. A, which was previously subject 
to consumer testing.\67\ The proposed example would include the heading 
``Privacy Notice'' in boldface (or otherwise emphasized) on the notice 
of availability. The proposed example further would state that Federal 
law requires the motor vehicle dealer to tell customers how it 
collects, shares, and protects their personal information; this 
language mirrors the ``Why'' box on the model privacy notices.\68\ The 
remaining portion of the proposed example would inform customers that 
the motor vehicle dealer's privacy notice has not changed, the address 
of the Web site at which customers can access the privacy notice, and 
the telephone number to call to request a free copy of the notice. The 
Commission notes that the proposed example contains certain elements 
that would satisfy proposed Sec.  313.9(c)(2), but other language and 
formatting techniques could also satisfy that section. These elements 
include titling the notice of availability ``Privacy Notice,'' 
including a statement that ``Federal law requires the motor vehicle 
dealer to tell customers how it collects, shares, and protects their 
personal information,'' and stating that getting a copy of the notice 
is ``free'' to the consumer.
---------------------------------------------------------------------------

    \67\ See Appendix A to 16 CFR part 313, at A.
    \68\ Id.
---------------------------------------------------------------------------

    The Commission invites comment on whether the proposed example 
notice of availability for motor vehicle dealers should differ from 
that for financial institutions covered by Regulation P. In particular, 
the Commission is interested in comment on: (1) Whether the proposed 
example notice of availability would make the alternative delivery 
method more feasible for motor vehicle dealers to implement, (2) 
whether the elements not specifically required by the rule should be so 
required, and (3) whether the proposed language would be effective in 
informing customers of the availability of the privacy notice.

V. Regulatory Flexibility Act

    The Regulatory Flexibility Act (RFA), as amended by the Small 
Business Regulatory Enforcement Fairness Act of 1996, requires each 
agency to consider the potential impact of its regulations on small 
entities, including small businesses, small governmental units, and 
small not-for-profit organizations. The RFA generally requires an 
agency to conduct an initial regulatory flexibility analysis (IRFA) and 
a final regulatory flexibility analysis (FRFA) of any rule subject to 
notice-and-comment rulemaking requirements, unless the agency certifies 
that the rule will not have a significant economic impact on a 
substantial number of small entities.\69\
---------------------------------------------------------------------------

    \69\ 5 U.S.C. 603-605.
---------------------------------------------------------------------------

    An IRFA is not required here because the proposal, if adopted, 
would not have a significant economic impact on a substantial number of 
small entities. The Commission does not expect the proposal to impose 
costs on small entities. All methods of compliance under current law 
will remain available to small entities if the proposal is adopted. 
Thus, a small entity that is in compliance with current law need not 
take any different or additional action if the proposal is adopted. In 
addition, as discussed above, the Commission believes that the proposed 
alternative method would allow many motor vehicle dealers to reduce 
their costs.
    Accordingly, the Commission certifies that this proposal, if 
adopted, would not have a significant economic impact on a substantial 
number of small entities.

VI. Paperwork Reduction Act

    Under the Paperwork Reduction Act of 1995 (PRA),\70\ Federal 
agencies are generally required to seek Office of Management and Budget 
(OMB) approval for information collection requirements prior to 
implementation. Under the PRA, the Commission may not conduct or 
sponsor, and, notwithstanding any other provision of law, a person is 
not required to respond to an information collection, unless the 
information collection displays a valid control number assigned by OMB.
---------------------------------------------------------------------------

    \70\ 44 U.S.C. 3501 et seq.
---------------------------------------------------------------------------

    This proposal would amend 16 CFR part 313. The collections of 
information related to the Privacy Rule have been previously reviewed 
and approved by OMB in accordance with the PRA and assigned OMB Control 
Number 3084-0121.\71\
---------------------------------------------------------------------------

    \71\ The FTC has current clearance through October 31, 2017. See 
79 FR 55489 (Sept. 16, 2014).
---------------------------------------------------------------------------

    As explained below, the proposed amendments do not modify or add to 
information collection requirements that were previously approved by 
OMB. Under this proposal, a motor vehicle dealer will be permitted, but 
not required, to use an alternative delivery method for the annual 
privacy notice if:
    - It does not share information with nonaffiliated third 
parties other than for purposes covered by the exclusions allowed under 
the Privacy Rule;
    - It does not include on its annual privacy notice an opt-out 
under section 603(d)(2)(A)(iii) of the FCRA;
    - The annual privacy notice is not the only method used to 
satisfy the requirements of section 624 of the FCRA and 16 CFR part 
680, if applicable;
    - Certain information it is required to convey on its annual 
privacy notice has not changed since it provided the immediately prior 
privacy notice; and
    - It uses the Privacy Rule model privacy form for its annual 
privacy notice.
    Under the proposed alternative delivery method, the motor vehicle 
dealer would have to:
    - Convey at least annually on another notice or disclosure 
that its privacy notice is available on its Web site and will be mailed 
upon request to a specified telephone number. Among other things, the 
dealer would have to include a specific web address that takes the 
customer directly to the privacy notice;
    - Post its current privacy notice continuously on a page of 
its Web site that contains only the privacy notice, without requiring a 
login or any conditions to access the page; and
    - Mail its current privacy notice to customers who request 
it by telephone within ten calendar days of such request.
    Under the existing clearance, the FTC has attributed to itself the 
estimated burden regarding all motor vehicle dealers and then shares 
equally the remaining estimated PRA burden with the Bureau for other 
types of financial institutions for which both agencies have 
enforcement authority regarding the GLBA Privacy Rule.\72\
---------------------------------------------------------------------------

    \72\ 79 FR 55489.

---------------------------------------------------------------------------

[[Page 36276]]

    The Commission does not believe that this proposed rule would 
impose any new or substantively revised collections of information as 
defined by the PRA. Rather, the Commission believes that the proposed 
amendment would have the overall effect of reducing the currently 
cleared estimated burden for the information collections associated 
with the Privacy Rule annual privacy notice.
    By definition, the expected cost savings to motor vehicle dealers 
from the proposed revisions to Sec.  313.9(c) is the expected number of 
annual privacy notices that would be provided through the proposed 
alternative delivery method multiplied by the expected reduction in the 
cost per notice from using the alternative delivery method. The first 
step in estimating the expected cost savings to motor vehicle dealers 
from proposed Sec.  313.9(c)(2) would be to identify the motor vehicle 
dealers whose current information sharing practices would allow them to 
use the proposed alternative method. The Commission would then need to 
determine their current costs for providing the annual privacy notices 
and the expected costs of providing these notices under proposed Sec.  
313.9(c)(2).
    In order to reach such an estimate for financial institutions, the 
Commission looked to the Bureau's rulemaking. The Bureau performed a 
number of analyses and outreach activities to approximate the expected 
cost savings for financial institutions. After examining 125 banks 
selected through random sampling, the Bureau found that the overall 
average rate at which banks' information sharing practices would make 
them eligible for using the alternative delivery method if other 
conditions were met is 80%.\73\ The Bureau's results indicated that a 
large majority of smaller banks would likely be able to use the 
proposed alternative delivery method but most of the largest banks 
would not.\74\ For non-depository institutions subject to the 
Commission's enforcement, the Bureau similarly estimated that 80% would 
be able to use the alternative delivery method.\75\ Subject to further 
information through public comment, the Commission preliminarily 
assumes that this 80% is characteristic as well for motor vehicle 
dealers. The Commission requests comment and the submission of 
information relevant to the information sharing practices of motor 
vehicle dealers and the extent to which they may be able to use the 
proposed alternative delivery method.
---------------------------------------------------------------------------

    \73\ 79 FR at 27226.
    \74\ Id. Only 18% of sampled banks with assets over $10 billion 
could clearly use the proposed alternative delivery method, while 
81% of sampled banks with assets of $10 billion or less and 88% of 
sampled banks with assets of $500 million or less could clearly use 
the proposed alternative delivery method. The Bureau also examined 
the privacy policies of 54 credit unions and found 62% of those with 
assets over $500 million could use the alternative delivery method 
and 44% of those with $500 million or less in assets could (though, 
due to inadequate information, the Bureau could not make the 
assessment for 48% of those credit unions with $500 million or less 
in assets). Id.
    \75\ 79 FR at 27229.
---------------------------------------------------------------------------

    The Commission does not have precise data on the number of annual 
privacy notices motor vehicle dealers currently provide to directly 
compute the total number of annual privacy notices that would no longer 
be sent; however, in the Commission's proposal to extend the current 
PRA clearance for the Privacy Rule,\76\ the Commission estimated the 
total costs to motor vehicle dealers to disseminate annual disclosures 
to be about $18.4 million.\77\ Applying the Commission's estimate that 
80% of motor vehicle dealers would be able to utilize the alternative 
delivery method, the estimated reduction in ongoing burden would be 
approximately 638,400 hours annually for roughly 48,000 motor vehicle 
dealers.\78\ The reduction in estimated ongoing costs from the 
reduction in ongoing burden would be approximately $14.7 million 
annually.\79\ The Commission requests comment on this preliminary 
analysis as well as the submission of additional data that could inform 
the Commission's consideration of the cost savings to motor vehicle 
dealers.
---------------------------------------------------------------------------

    \76\ 79 FR 55489 (Sept. 14, 2014).
    \77\ Id. at 55490-91 Table IIB.
    \78\ The 638,400 hours estimate is 80% of the previously 
published estimate of 798,000 hours, cumulatively, for established 
motor vehicle dealers to disseminate annual notices. See id. at 
55490 (Table IIB). The estimated number of motor vehicle dealers 
that would use the alternative delivery method is 80% of the 
previously published estimate of the number of motor vehicle 
dealers, 60,000. See id. at Table IIA notes.
    \79\ This is the product of the above-noted costs to motor 
vehicle dealers to disseminate annual disclosures, $18.4 million, 
multiplied by the assumed 80% reduction for the alternative delivery 
method. Estimates of ongoing savings are gross figures and do not 
take into account any ongoing costs associated with the alternative 
delivery method, which the Commission believes would be minimal. 
They would consist of additional text on a notice or disclosure the 
institution already provides, additional phone calls from consumers 
requesting that the model form be mailed, and the costs of mailing 
the forms prompted by these calls. The Commission currently believes 
that few consumers will request that the form be mailed in order to 
read it or to exercise any voluntary opt-out right, given the 
availability of the notices online. There would be minimal ongoing 
costs associated with the alternative delivery method from 
maintaining a Web page if a motor vehicle dealer already has a Web 
page dedicated to the annual privacy policy.
---------------------------------------------------------------------------

    The Commission believes that the one-time cost for some motor 
vehicle dealers to adopt the alternative delivery method is minimal. 
Motor vehicle dealers that already use the model form and would adopt 
the alternative delivery method would incur minor one-time legal, 
programming and training costs. These dealers would have to communicate 
on a notice or disclosure they already issue under any other provision 
of law that the privacy notice is available. The expense of adding this 
notification would be minor. Staff may need some additional training in 
storing copies of the model form and sending it to customers on 
request. Motor vehicle dealers that do not use the model form would 
incur a one-time cost to create one. However, since the promulgation of 
the model privacy form in 2009, an Online Form Builder has existed that 
any institution can use to readily create a unique, customized privacy 
notice using the model form template.\80\ The Commission assumes that 
motor vehicle dealers that do not currently have Web sites would not 
choose to comply with these requirements in order to use the 
alternative delivery method.
---------------------------------------------------------------------------

    \80\ This Online Form Builder is available at https://www.federalreserve.gov/newsevents/press/bcreg/20100415a.htm.
---------------------------------------------------------------------------

    The Commission has determined that the proposed rule does not 
contain any new or substantively revised information collection 
requirements as defined by the PRA and that the burden estimate for the 
previously-approved information collections should be reduced as 
explained above. The Commission welcomes comments on these 
determinations or any other aspect of the proposal for purposes of the 
PRA. Comments should be submitted as outlined in the ADDRESSES section 
above. All comments will become a matter of public record.

Invitation To Comment

    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before August 31, 2015. 
Write ``Amendment to the Privacy of Consumer Financial Information 
Rule, 16 CFR part 313, Project No. R411016'' on your comment. Your 
comment--including your name and your state--will be placed on the 
public record of this proceeding, including, to the extent practicable, 
on the Commission Web site, at https://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the Commission tries to 
remove individuals' home contact information from comments before 
placing them on the Commission Web site.

[[Page 36277]]

    Because your comment will be made public, you are solely 
responsible for making sure that your comment doesn't include any 
sensitive personal information, such as Social Security number, date of 
birth, driver's license number or other state identification number or 
foreign country equivalent, passport number, financial account number, 
or credit or debit card number. You are also solely responsible for 
making sure that your comment doesn't include any sensitive health 
information, including medical records or other individually 
identifiable health information. In addition, do not include any 
``[t]rade secret or any commercial or financial information which . . . 
is privileged or confidential,'' as discussed in section 6(f) of the 
FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). 
In particular, do not include competitively sensitive information such 
as costs, sales statistics, inventories, formulas, patterns, devices, 
manufacturing processes, or customer names.
    If you want the Commission to give your comment confidential 
treatment, you must file it in paper form, with a request for 
confidential treatment, and you have to follow the procedure explained 
in FTC Rule 4.9(c), 16 CFR 4.9(c).\81\ Your comment will be kept 
confidential only if the FTC General Counsel, in his or her sole 
discretion, grants your request in accordance with the law and the 
public interest.
---------------------------------------------------------------------------

    \81\ In particular, the written request for confidential 
treatment that accompanies the comment must include the factual and 
legal basis for the request, and must identify the specific portions 
of the comment to be withheld from the public record. See FTC Rule 
4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------

    Postal mail addressed to the Commission is subject to delay due to 
heightened security screening. As a result, we encourage you to submit 
your comments online. To make sure that the Commission considers your 
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/GLBPrivacyamendment, by following the instructions on the web-based 
form. If this Notice appears at https://www.regulations.gov/#!home, you 
also may file a comment through that Web site.
    If you file your comment on paper, write ``Amendment to the Privacy 
of Consumer Financial Information Rule, 16 CFR part 313, Project No. 
R411016'' on your comment and on the envelope, and mail your comment to 
the following address: Federal Trade Commission, Office of the 
Secretary, 600 Pennsylvania Avenue NW., Suite CC-5610 (Annex E), 
Washington, DC 20580, or deliver your comment to the following address: 
Federal Trade Commission, Office of the Secretary, Constitution Center, 
400 7th Street SW., 5th Floor, Suite 5610 (Annex E), Washington, DC 
20024. If possible, submit your paper comment to the Commission by 
courier or overnight service.
    Visit the Commission Web site at https://www.ftc.gov to read this 
Notice and the news release describing it. The FTC Act and other laws 
that the Commission administers permit the collection of public 
comments to consider and use in this proceeding as appropriate. The 
Commission will consider all timely and responsive public comments that 
it receives on or before August 31, 2015. For information on the 
Commission's privacy policy, including routine uses permitted by the 
Privacy Act, see https://www.ftc.gov/ftc/privacy.htm.

List of Subjects in 16 CFR Part 313

    Consumer protection, Motor vehicle dealers, Privacy, Reporting and 
recordkeeping requirements, Trade practices.

Authority and Issuance

    For the reasons set forth in the preamble, the Commission proposes 
to amend 16 CFR part 313, as set forth below:

PART 313--PRIVACY OF CONSUMER FINANCIAL INFORMATION

1. The authority citation for Part 313 is revised to read as follows:

    Authority:  15 U.S.C. 6801 et seq., 12 U.S.C. 5519.

2. In Sec.  313.1, revise paragraph (b) to read as follows:


Sec.  313.1  Purpose and scope.

* * * * *
    (b) Scope. This part applies only to nonpublic personal information 
about individuals who obtain financial products or services primarily 
for personal, family or household purposes from the institutions listed 
below. This part does not apply to information about companies or about 
individuals who obtain financial products or services for business, 
commercial, or agricultural purposes. This part applies to those 
``financial institutions'' over which the Federal Trade Commission 
(``Commission'') has rulemaking authority pursuant to section 
504(a)(1)(C) of the Gramm-Leach-Bliley Act. An entity is a ``financial 
institution'' if its business is engaging in a financial activity as 
described in section 4(k) of the Bank Holding Company Act of 1956, 12 
U.S.C. 1843(k), which incorporates by reference activities enumerated 
by the Federal Reserve Board in 12 CFR 211.5(d) and 12 CFR 225.28. The 
``financial institutions'' subject to the Commission's rulemaking 
authority are any persons described in 12 U.S.C. 5519 that are 
predominantly engaged in the sale and servicing of motor vehicles, the 
leasing and servicing of motor vehicles, or both. They are referred to 
in this part as ``You.''
3. In Sec.  313.3, revise paragraphs (e), (i), (k), and (q) to read as 
follows:


Sec.  313.3  Definitions.

* * * * *
    (e)(1) Consumer means an individual who obtains or has obtained a 
financial product or service from you that is to be used primarily for 
personal, family, or household purposes, or that individual's legal 
representative.
    (2) Examples for purposes of 16 CFR part 313 and 314--(i) An 
individual who applies to you for credit for personal, family, or 
household purposes is a consumer of a financial service, regardless of 
whether the credit is extended.
    (ii) An individual who provides nonpublic personal information to 
you in order to obtain a determination about whether he or she may 
qualify for a loan to be used primarily for personal, family, or 
household purposes is a consumer of a financial service, regardless of 
whether the loan is extended.
    (iii) If you hold ownership or servicing rights to an individual's 
loan that is used primarily for personal, family, or household 
purposes, the individual is your consumer, even if you hold those 
rights in conjunction with one or more other institutions. (The 
individual is also a consumer with respect to the other financial 
institutions involved.) An individual who has a loan in which you have 
ownership or servicing rights is your consumer, even if you, or another 
institution with those rights, hire an agent to collect on the loan.
    (iv) An individual who is a consumer of another financial 
institution is not your consumer solely because you act as agent for, 
or provide processing or other services to, that financial institution.
    (v) An individual is not your consumer solely because he or she is 
a participant or a beneficiary of an employee benefit plan that you 
sponsor or for which you act as a trustee or fiduciary.
    (3) Examples for purposes of 16 CFR part 314--(i) An individual who 
provides nonpublic personal information to you in connection with

[[Page 36278]]

obtaining or seeking to obtain financial, investment, or economic 
advisory services is a consumer, regardless of whether you establish a 
continuing advisory relationship.
    (ii) An individual is not your consumer solely because he or she 
has designated you as trustee for a trust.
    (iii) An individual is not your consumer solely because he or she 
is a beneficiary of a trust for which you are a trustee.
* * * * *
    (i)(1) Customer relationship means a continuing relationship 
between a consumer and you under which you provide one or more 
financial products or services to the consumer that are to be used 
primarily for personal, family, or household purposes.
    (2) Examples--(i) Continuing relationship. (A) A consumer has a 
continuing relationship with you, for purposes of 16 CFR part 313 and 
part 314, if the consumer:
    (1) Has a credit or investment account with you;
    (2) Obtains a loan from you;
    (3) Purchases an insurance product from you;
    (4) Enters into an agreement or understanding with you whereby you 
undertake to arrange credit to purchase a vehicle, for the consumer;
    (5) Enters into a lease of personal property on a non-operating 
basis with you; or
    (6) Has a loan for which you own the servicing rights.
    (B) A consumer also has a continuing relationship with you, for 
purposes of 16 CFR part 314, if the consumer:
    (1) Holds an investment product through you, such as when you act 
as a custodian for securities or for assets in an Individual Retirement 
Arrangement;
    (2) Enters into an agreement or understanding with you whereby you 
undertake to arrange or broker a home mortgage loan, for the consumer;
    (3) Obtains financial, investment, or economic advisory services 
from you for a fee;
    (4) Becomes your client for the purpose of obtaining tax 
preparation or credit counseling services from you;
    (5) Obtains career counseling while seeking employment with a 
financial institution or the finance, accounting, or audit department 
of any company (or while employed by such a financial institution or 
department of any company);
    (6) Is obligated on an account that you purchase from another 
financial institution, regardless of whether the account is in default 
when purchased, unless you do not locate the consumer or attempt to 
collect any amount from the consumer on the account; or
    (7) Obtains real estate settlement services from you.
    (ii) No continuing relationship. (A) For purposes of 16 CFR parts 
313 and 314, a consumer does not, however, have a continuing 
relationship with you if:
    (1) The consumer obtains a financial product or service from you 
only in isolated transactions, such as cashing a check with you or 
making a wire transfer through you;
    (2) You sell the consumer's loan and do not retain the rights to 
service that loan; or
    (3) The consumer obtains one-time personal or real property 
appraisal services from you.
    (B) For purposes of 16 CFR part 314, a consumer also does not have 
a continuing relationship with you if:
    (1) The consumer obtains a financial product or service from you 
only in isolated transactions, such as using your ATM to withdraw cash 
from an account at another financial institution or purchasing a money 
order from you;
    (2) You sell the consumer airline tickets, travel insurance, or 
traveler's checks in isolated transactions; or
    (3) The consumer purchases checks for a personal checking account 
from you.
* * * * *
    (k)(1) Financial institution means any institution the business of 
which is engaging in financial activities as described in section 4(k) 
of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). An 
institution that is significantly engaged in financial activities is a 
financial institution.
    (2) Example of financial institution for purposes of 16 CFR part 
313 and 314. An automobile dealership that, as a usual part of its 
business, leases automobiles on a nonoperating basis for longer than 90 
days is a financial institution with respect to its leasing business 
because leasing personal property on a nonoperating basis where the 
initial term of the lease is at least 90 days is a financial activity 
listed in 12 CFR 225.28(b)(3) and referenced in section 4(k)(4)(F) of 
the Bank Holding Company Act.
    (3) Examples of financial institution for purposes of 16 CFR part 
314. (i) A retailer that extends credit by issuing its own credit card 
directly to consumers is a financial institution because extending 
credit is a financial activity listed in 12 CFR 225.28(b)(1) and 
referenced in section 4(k)(4)(F) of the Bank Holding Company Act and 
issuing that extension of credit through a proprietary credit card 
demonstrates that a retailer is significantly engaged in extending 
credit.
    (ii) A personal property or real estate appraiser is a financial 
institution because real and personal property appraisal is a financial 
activity listed in 12 CFR 225.28(b)(2)(i) and referenced in section 
4(k)(4)(F) of the Bank Holding Company Act.
    (iii) A career counselor that specializes in providing career 
counseling services to individuals currently employed by or recently 
displaced from a financial organization, individuals who are seeking 
employment with a financial organization, or individuals who are 
currently employed by or seeking placement with the finance, accounting 
or audit departments of any company is a financial institution because 
such career counseling activities are financial activities listed in 12 
CFR 225.28(b)(9)(iii) and referenced in section 4(k)(4)(F) of the Bank 
Holding Company Act.
    (iv) A business that prints and sells checks for consumers, either 
as its sole business or as one of its product lines, is a financial 
institution because printing and selling checks is a financial activity 
that is listed in 12 CFR 225.28(b)(10)(ii) and referenced in section 
4(k)(4)(F) of the Bank Holding Company Act.
    (v) A business that regularly wires money to and from consumers is 
a financial institution because transferring money is a financial 
activity referenced in section 4(k)(4)(A) of the Bank Holding Company 
Act and regularly providing that service demonstrates that the business 
is significantly engaged in that activity.
    (vi) A check cashing business is a financial institution because 
cashing a check is exchanging money, which is a financial activity 
listed in section 4(k)(4)(A) of the Bank Holding Company Act.
    (vii) An accountant or other tax preparation service that is in the 
business of completing income tax returns is a financial institution 
because tax preparation services is a financial activity listed in 12 
CFR 225.28(b)(6)(vi) and referenced in section 4(k)(4)(G) of the Bank 
Holding Company Act.
    (viii) A business that operates a travel agency in connection with 
financial services is a financial institution because operating a 
travel agency in connection with financial services is a financial 
activity listed in 12 CFR 211.5(d)(15) and referenced in section 
4(k)(4)(G) of the Bank Holding Company Act.

    (ix) An entity that provides real estate settlement services is a 
financial institution because providing real estate settlement services 
is a financial activity listed in 12 CFR 225.28(b)(2)(viii) and 
referenced in section 4(k)(4)(F) of the Bank Holding Company Act.
    (x) A mortgage broker is a financial institution because brokering 
loans is a financial activity listed in 12 CFR 225.28(b)(1) and 
referenced in section 4(k)(4)(F) of the Bank Holding Company Act.
    (xi) An investment advisory company and a credit counseling service 
are each financial institutions because providing financial and 
investment advisory services are financial activities referenced in 
section 4(k)(4)(C) of the Bank Holding Company Act.
    (4) Financial institution does not include:
    (i) Any person or entity with respect to any financial activity 
that is subject to the jurisdiction of the Commodity Futures Trading 
Commission under the Commodity Exchange Act (7 U.S.C. 1 et seq.);
    (ii) The Federal Agricultural Mortgage Corporation or any entity 
chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. 
2001 et seq.); or
    (iii) Institutions chartered by Congress specifically to engage in 
securitizations, secondary market sales (including sales of servicing 
rights) or similar transactions related to a transaction of a consumer, 
as long as such institutions do not sell or transfer nonpublic personal 
information to a nonaffiliated third party other than as permitted by 
Sec. Sec.  313.14 and 313.15 of this Part.
    (iv) Entities that engage in financial activities but that are not 
significantly engaged in those financial activities.
    (5) Example of entities that are not significantly engaged in 
financial activities for purposes of 16 CFR part 313 and 314. A motor 
vehicle dealer is not a financial institution merely because it accepts 
payment in the form of cash, checks, or credit cards that it did not 
issue.
    (6) Examples of entities that are not significantly engaged in 
financial activities for purposes of 16 CFR part 314. (i) A retailer is 
not a financial institution if its only means of extending credit are 
occasional ``lay away'' and deferred payment plans or accepting payment 
by means of credit cards issued by others.
    (ii) A retailer is not a financial institution merely because it 
accepts payment in the form of cash, checks, or credit cards that it 
did not issue.
    (iii) A merchant is not a financial institution merely because it 
allows an individual to ``run a tab.''
    (iv) A grocery store is not a financial institution merely because 
it allows individuals to whom it sells groceries to cash a check, or 
write a check for a higher amount than the grocery purchase and obtain 
cash in return.
* * * * *
    (q) For purposes of 16 CFR part 313, You includes each ``financial 
institution'' over which the Commission has rulemaking authority 
pursuant to section 504(a)(1)(C) of the Gramm-Leach-Bliley Act. For 
purposes of 16 CFR part 314, You includes each ``financial 
institution'' (but excludes any ``other person'') over which the 
Commission has enforcement jurisdiction pursuant to section 505(a)(7) 
of the Gramm-Leach-Bliley Act.
4. In Sec.  313.9, revise paragraph (c) to read as follows:


Sec.  313.9  Delivering privacy and opt out notices.

* * * * *
    (c) Annual notices only. (1) Reasonable expectation. You may 
reasonably expect that a customer will receive actual notice of your 
annual privacy notice if:
    (i) The customer uses your Web site to access financial products 
and services electronically and agrees to receive notices at the Web 
site, and you post your current privacy notice continuously in a clear 
and conspicuous manner on the Web site; or
    (ii) The customer has requested that you refrain from sending any 
information regarding the customer relationship, and your current 
privacy notice remains available to the customer upon request.
    (2) Alternative method for providing certain annual notices. (i) 
Notwithstanding paragraph (a) of this section, you may use the 
alternative method described in paragraph (c)(2)(ii) of this section to 
satisfy the requirement in Sec.  313.5(a)(1) to provide a notice if:
    (A) You do not disclose the customer's nonpublic personal 
information with nonaffiliated third parties other than for purposes 
under Sec. Sec.  313.13, 313.14, and 313.15;
    (B) You do not include on your annual privacy notice pursuant to 
Sec.  313.6(a)(7) an opt out under section 603(d)(2)(A)(iii) of the 
Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii));
    (C) The requirements of section 624 of the Fair Credit Reporting 
Act (15 U.S.C. 1681s-3) and Part 680 of this chapter, if applicable, 
have been satisfied previously or the annual privacy notice is not the 
only notice provided to satisfy such requirements;
    (D) The information you are required to convey on your annual 
privacy notice pursuant to Sec.  313.6(a)(1) through (5), (8), and (9) 
has not changed since you provided the immediately previous privacy 
notice (whether initial, annual or revised) to the customer, other than 
to eliminate categories of information you disclose or categories of 
third parties to whom you disclose information; and
    (E) You use the model privacy form in the appendix to this part for 
your annual privacy notice.
    (ii) For an annual privacy notice that meets the requirements in 
paragraph (c)(2)(i) of this section, you satisfy the requirement in 
Sec.  313.5(a)(1) to provide a notice if you:
    (A) Convey in a clear and conspicuous manner not less than annually 
on an account statement, coupon book, or a notice or disclosure you are 
required or expressly and specifically permitted to issue under any 
other provision of law that your privacy notice is available on your 
Web site and will be mailed to the customer upon request by telephone. 
The statement must state that your privacy notice has not changed and 
must include a specific Web address that takes the customer directly to 
the page where the privacy notice is posted and a designated telephone 
number for the customer to request that it be mailed;
    (B) Post your current privacy notice continuously in a clear and 
conspicuous manner on a page of your Web site that contains only the 
privacy notice, without requiring the customer to provide any 
information such as a login name or password or agree to any conditions 
to access the page; and
    (C) Mail your current privacy notice to those customers who request 
it by telephone within ten days of the request.
    (iii) An example of a statement that satisfies paragraph 
(c)(2)(ii)(A) of this section is: ``Privacy Notice'' in boldface or 
otherwise emphasized: Privacy Notice--Federal law requires us to tell 
you how we collect, share, and protect your personal information. Our 
privacy policy has not changed and you may review our policy and 
practices with respect to your personal information at [Web address] or 
we will mail you a free copy upon request if you call us at [telephone 
number].
* * * * *

    By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2015-14328 Filed 6-23-15; 8:45 am]
 BILLING CODE 6750-01-P