Amendment to the Privacy of Consumer Financial Information Rule Under the Gramm-Leach-Bliley Act, 36267-36279 [2015-14328]
Federal Register / Vol. 80, No. 121 / Wednesday, June 24, 2015 / Proposed Rules
FEDERAL TRADE COMMISSION
16 CFR Part 313
RIN 3084–AB42
Amendment to the Privacy of
Consumer Financial Information Rule
Under the Gramm-Leach-Bliley Act
AGENCY: Federal Trade Commission
(FTC or Commission).
ACTION: Notice of proposed rulemaking;
Request for public comment.
SUMMARY: The FTC proposes to amend
the Privacy of Consumer Financial
Information Rule (Privacy Rule or Rule),
which among other things requires that
certain motor vehicle dealers provide an
annual disclosure of their privacy
policies to their customers by hand
delivery, mail, electronic delivery, or,
alternatively through a Web site, but
only with the consent of the consumer.
The amendment would allow motor
vehicle dealers instead to notify their
customers that a privacy policy is
available on their Web site, under
certain circumstances. The amendment
would also revise the scope and
definitions in this rule in light of the
transfer of part of the Commission’s
rulemaking authority to the Consumer
Financial Protection Bureau (CFPB or
the Bureau) in the Dodd-Frank Wall
Street Reform and Consumer Protection
Act, but retains certain examples for
purposes of the FTC’s Safeguards Rule.
DATES: Comments must be received on
or before August 31, 2015.
ADDRESSES: Interested parties may file a
comment online or on paper, by
following the instructions in the
Request for Comment part of the
SUPPLEMENTARY INFORMATION section
below. Write ‘‘Amendment to the
Privacy of Consumer Financial
Information Rule, 16 CFR part 313,
Project No. R411016’’ on your comment,
and file your comment online at
https://ftcpublic.commentworks.com/ftc/GLBPrivacyamendment, by following
the instructions on the web-based form.
If you prefer to file your comment on
paper, write ‘‘Amendment to the
Privacy of Consumer Financial
Information Rule, 16 CFR part 313,
Project No. R411016’’ on your comment
and on the envelope, and mail your
comment to the following address:
Federal Trade Commission, Office of the
Secretary, 600 Pennsylvania Avenue
NW., Suite CC–5610 (Annex E),
Washington, DC 20580, or deliver your
comment to the following address:
Federal Trade Commission, Office of the
Secretary, Constitution Center, 400 7th
Street SW., 5th Floor, Suite 5610
(Annex E), Washington, DC 20024.
FOR FURTHER INFORMATION CONTACT:
Steven Toporoff, (202) 326–3135,
Attorney, Division of Privacy and
Identity Protection, Federal Trade
Commission, 600 Pennsylvania Avenue
NW., Washington, DC 20580.
SUPPLEMENTARY INFORMATION:
I. Summary of the Proposed Rule
The Gramm-Leach-Bliley Act
(GLBA) 1 mandates that financial
institutions provide their customers
with initial and annual notices
regarding their privacy policies. If
financial institutions share certain
customer information with particular
types of third parties, the institutions
are also required to provide an
opportunity to opt out of the sharing.
The Commission issued its rule
implementing these provisions in 2000.2
The Dodd-Frank Wall Street Reform and
Consumer Protection Act transferred
GLBA privacy notice rulemaking
authority, in part, to the Bureau;
however, the Commission retains
rulemaking authority over any financial
institution that is a motor vehicle dealer
predominantly engaged in the sale and
servicing of motor vehicles, the leasing
and servicing of motor vehicles, or both,
as described in Section 1029 of the
Dodd-Frank Act, 12 U.S.C. 5519
(hereafter, motor vehicle dealers).
The Commission proposes to revise
its Privacy Rule, 16 CFR part 313, in two
ways. First, in light of the transfer of
rulemaking authority for certain
financial institutions to the Bureau, the
Commission proposes to revise the
explanation of the scope of the Rule and
to tailor the examples provided in the
Rule’s Definitions section describing
entities over which the Commission has
retained rulemaking authority. The
Commission believes that revising these
provisions will eliminate extraneous
information, clarify the Rule’s
applicability, and reduce confusion as
to entities covered by the Rule. The Rule
also retains several examples explaining
the types of entities covered by the
Safeguards Rule, 16 CFR part 314.
Second, the Commission proposes to
provide an alternative means for
covered motor vehicle dealers to fulfill
their obligation under the Privacy Rule
to provide notice of their privacy
policies. Under the proposal, motor
vehicle dealers that do not engage in
certain types of information-sharing
activities would no longer be required to
mail an annual privacy notice if they
clearly and conspicuously convey, as
1 15 U.S.C. 6801 et seq.
2 65 FR 33646 (May 24, 2000).
part of another mandated or legally
permissible notice or disclosure, that
their privacy notice is available on their
publicly accessible Web site. This
proposed revision is consistent with
changes made in an October 28, 2014,
rulemaking by the Bureau, which has
rulemaking authority over depository
institutions and many non-depository
institutions.3
The Commission believes that the
proposed changes are consistent with
those issued by the Bureau, and will
help avoid consumer confusion and
ensure that the requirements for motor
vehicle dealers covered by the Rule are
consistent with the GLBA’s privacy
provisions for other financial
institutions. Such changes may also
streamline the flow of information to
consumers, while easing the burden on
motor vehicle dealers of providing
annual notices. The Commission invites
comment on the proposed rule revisions
generally and on the specific issues
outlined throughout Section IV. In
addition, the Commission requests
comment on whether, and the extent to
which, the FTC’s Privacy Rule
applicable to motor vehicle dealers
should be consistent with the rule
adopted by the Bureau, or if there are
elements that should differ.
The Commission seeks comment on
the proposal through August 17, 2015.
II. Background
A. The Statute and Regulation
The GLBA was enacted in 1999.4 The
GLBA, among other things, provides a
framework for regulating the privacy
practices of a broad range of entities.
The GLBA requires that financial
institutions provide their customers
with initial and annual notices
regarding their privacy policies, and
allow their customers to opt out of
sharing their information with certain
nonaffiliated third parties. Covered
entities include, for example, payday
lenders, mortgage brokers, check
cashers, debt collectors, real estate
appraisers, certain motor vehicle dealers
and remittance transfer providers.
Rulemaking authority to implement
the GLBA’s privacy provisions was
initially spread among many agencies.
The Federal Reserve Board (Board), the
Office of Comptroller of the Currency
(OCC), the Federal Deposit Insurance
Corporation (FDIC), and the Office of
Thrift Supervision (OTS) jointly
adopted final rules to implement the
notice requirements of the GLBA in
2000.5 The Commission, the National
3 79 FR 64057 (Oct. 28, 2014).
4 Public Law 106–102, 113 Stat. 1338 (1999).
5 65 FR 35162 (June 1, 2000).
Credit Union Administration (NCUA),
Securities and Exchange Commission
(SEC), and Commodity Futures Trading
Commission (CFTC) were part of the
same interagency process, but issued
their rules separately.6 In 2009, all these
agencies issued a joint final rule with a
model form that financial institutions
could use, at their option, to provide the
required initial and annual privacy
disclosures.7
In 2011, the Dodd-Frank Act 8
transferred the GLBA’s privacy notice
rulemaking authority from the Board,
NCUA, OCC, OTS, the FDIC, and the
Commission (in part) to the Bureau. The
Bureau then restated the implementing
regulations in Regulation P, 12 CFR part
1016, in late 2011 (Regulation P).9
However, under the Dodd-Frank Act,
the Commission retained rulemaking
authority for motor vehicle dealers
described in section 1029 of the Dodd-Frank Act, 12 U.S.C. 5519. Thus, in
2012, the Commission issued a notice
that it was retaining the implementing
regulations governing privacy notices
for motor vehicle dealers, at 16 CFR
part 313.10
Despite the transfer of general
rulemaking authority for the Privacy
Rule to the CFPB, the Commission and
other agencies retained their existing
enforcement authority under the
GLBA.11 In addition, the SEC and CFTC
retained rulemaking authority with
respect to securities and futures-related
companies, respectively.12 Accordingly,
as part of this rulemaking process, the
Commission has consulted and
coordinated, or offered to consult, with
those agencies who have rulemaking
and/or enforcement authority under the
GLBA, including the Bureau, SEC, CFTC
and the National Association of
Insurance Commissioners (NAIC).13
B. The Privacy Notice Requirements
As noted, the GLBA and the FTC
Privacy Rule require that certain
covered motor vehicle dealers provide
consumers with notices describing their
privacy policies. Section 503 of the
GLBA and 16 CFR 313.4 require covered
entities to provide an initial notice of
6 65 FR 33646 (May 24, 2000) (FTC final rule); 65
FR 31722 (May 18, 2000) (NCUA final rule); 65 FR
40334 (June 29, 2000) (SEC final rule); 66 FR 21252
(Apr. 27, 2001) (CFTC final rule).
7 74 FR 62890 (Dec. 1, 2009).
8 Public Law 111–203, 124 Stat. 1376 (2010).
9 76 FR 79025 (Dec. 21, 2011).
10 77 FR 22200, 22201 (April 13, 2012) (also
rescinding those regulations for which rulemaking
authority was transferred to the Bureau under the
Dodd-Frank Act).
11 15 U.S.C. 6805(a).
12 15 U.S.C. 6804, 6809; 12 U.S.C. 1843(k)(4); 12
CFR 1016.1(b).
13 See 15 U.S.C. 6804(a)(2).
these policies, and then ‘‘provide a clear
and conspicuous notice to customers
that accurately reflects [their] privacy
policies and practices not less than
annually during the continuation of the
customer relationship.’’ 14
Section 502 of the GLBA and 16 CFR
313.6(a)(6) require that initial and
annual notices inform customers of their
right to opt out of the sharing of
nonpublic personal information with
some types of nonaffiliated third parties.
For example, a customer has the right to
opt out of allowing a motor vehicle
dealer to sell her name and address to
a nonaffiliated auto insurance company.
On the other hand, a motor vehicle
dealer is not required to allow
consumers to opt out of the dealer’s
sharing involving third-party service
providers, joint marketing arrangements,
maintenance and servicing of accounts,
securitization, law enforcement and
compliance, reporting to consumer
reporting agencies, and certain other
activities that are specified in the statute
and regulation.15 If a motor vehicle
dealer limits its sharing to uses that do
not trigger opt-out rights, it may provide
an annual privacy notice to its
customers that does not include
information regarding opt-out rights.
Motor vehicle dealers also may
include in the annual privacy notice
information about certain consumer opt-out rights related to affiliate sharing
under the FCRA. First, section
603(d)(2)(A)(iii) of the FCRA allows the
sharing of a consumer’s information
among affiliates, but only if the
consumer is notified of such sharing
and is given an opportunity to opt out.16
Section 503(c)(4) of the GLBA and the
Privacy Rule generally require motor
vehicle dealers to incorporate any
notifications and opt-out disclosures
provided pursuant to section
603(d)(2)(A)(iii) of the FCRA into their
initial and annual privacy notices.17
Second, section 624 of the FCRA and
16 CFR 680 (the Affiliate Marketing
Rule) provide that an affiliate of a motor
vehicle dealer that receives certain
information 18 about a consumer from
the dealer may not use that information
for marketing purposes, unless the
consumer is provided with an
opportunity to opt out of that use.19
14 16 CFR 313.5(a)(1) (emphasis added).
15 15 U.S.C. 6802(b)(2), 6802(e); 16 CFR 313.13,
313.14, 313.15.
16 15 U.S.C. 1681a(d)(2)(A)(iii).
17 15 U.S.C. 6803(c)(4); 16 CFR 313.6(a)(7).
18 The type of information to which section 624
applies is information that would be a consumer
report but for the exclusions provided by section
603(d)(2)(A)(i), (ii), or (iii) of the FCRA.
19 15 U.S.C. 1681s–3. The FTC’s Affiliate
Marketing Rule applies to motor vehicle dealers.
This requirement governs the use of
information by an affiliate, not the
sharing of information among affiliates,
and thus is distinct from the affiliate
sharing opt-out discussed above. The
Affiliate Marketing Rule permits (but
does not require) motor vehicle dealers
to incorporate any opt-out disclosures
provided under section 624 of the FCRA
and the Affiliate Marketing Rule into the
initial and annual privacy notices
required by the GLBA.20
Finally, § 313.6(a)(8) of the Privacy
Rule requires that the notices also
briefly describe how motor vehicle
dealers protect the nonpublic personal
information they collect and maintain.
C. The Bureau Rulemaking
In December 2011, the Bureau issued
a Request for Information seeking
specific suggestions for streamlining
regulations that were transferred to the
Bureau from other Federal agencies
(Streamlining RFI), including the annual
privacy notice requirement.21
The Bureau received numerous
comments from industry urging the
Bureau to eliminate or reduce the
annual notice requirement.22 Industry
argued that most customers ignore
annual privacy notices; the content of
the disclosures provides little benefit
when customers have no right to opt out
of information sharing; current
distribution of the notices imposes
significant costs; and other methods of
delivery could effectively convey the
information to customers at a lower
cost. Industry commenters suggested
that the Bureau eliminate or ease the
annual notice requirement if businesses’
privacy policies have not changed and
they do not share nonpublic personal
information beyond the exceptions
allowed by the GLBA.23 Consumer
advocacy groups highlighted the benefit
customers receive from printed annual
privacy notices, which may remind
customers of privacy rights that they
may not have exercised previously.24
In November of 2013, the Bureau
published a study assessing the effects
of certain deposit regulations on
financial institutions’ operations.25 This
See 77 FR 22200. The FTC also enforces the
Bureau’s Regulation V’s Affiliate Marketing Rule, 12
CFR part 1022, subpart C, for other entities over
which it has enforcement authority under the
FCRA.
20 16 CFR 680.23(b).
21 76 FR 75825, 75828 (Dec. 5, 2011).
22 79 FR 27214 at 27217 (May 14, 2014) (Bureau
Notice of Proposed Rulemaking).
23 Id.
24 Id.
25 Consumer Financial Protection Bureau,
‘‘Understanding the Effects of Certain Deposit
Regulations on Financial Institutions’ Operations:
Findings on Relative Costs for Systems, Personnel,
study provided operational insights
from seven banks about their annual
privacy notices. All seven participants
provided the annual notice as a separate
mailing, which resulted in higher costs
for postage, materials, and labor than if
the notice were mailed with other
material. Some of these participants
separately mailed their notices to ensure
that their disclosures are ‘‘clear and
conspicuous,’’ 26 even though 2009
guidance from the eight agencies
promulgating the model privacy form
explained that a separate mailing is not
required.27 As a result of its
Streamlining RFI, study, and its
outreach to industry and consumer
groups, in May 2014, the Bureau issued
a proposed rule to amend its Regulation
P to allow financial institutions to notify
consumers that a privacy notice was
available online, in certain enumerated
circumstances. The comment period
closed on July 14, 2014. As noted above,
the Bureau finalized its rulemaking in
October 2014.28
III. The Commission’s Proposed Rule
Changes
A. Technical Changes To Correspond to
Statutory Changes
The Commission adopted the scope
and definitions in the existing Privacy
Rule at a time when it had rulemaking
authority for the Privacy Rule over a
broader group of non-bank ‘‘financial
institutions’’ as defined by the GLBA.
While the Dodd-Frank Act did not
change the Commission’s enforcement
authority for the privacy notice
obligations of the GLBA, the Dodd-Frank Act amended the Commission’s
rulemaking authority under the GLBA
such that its Privacy Rule only applies
to motor vehicle dealers. For other types
of financial institutions over which the
Commission has enforcement authority
under the GLBA, the Commission now
enforces the Bureau’s Regulation P. The
amendments in the Dodd-Frank Act
necessitate certain technical revisions to
the Privacy Rule to ensure that the
and Processes at Seven Institutions’’ (Nov. 2013),
available at http://files.consumerfinance.gov/f/
201311_cfpb_report_findings-relative-costs.pdf.
Information collected for the study may be used to
assist the Bureau in its investigations of ‘‘the effects
of a potential or existing regulation on the business
decisions of providers.’’ OMB Information
Request—Control Number: 3170–0032.
26 15 U.S.C. 6803 (In its initial and annual privacy
notices ‘‘a financial institution shall provide a clear
and conspicuous disclosure . . . .’’); 12 CFR
1016.3(b)(1) and 16 CFR 313.3(b)(1) (both defining
‘‘clear and conspicuous’’ as ‘‘reasonably
understandable and designed to call attention to the
nature and significance of the information in the
notice.’’).
27 See 74 FR 62890, 62897–62898.
28 79 FR 64057 (Oct. 28, 2014).
regulation is consistent with the text of
the amended GLBA.29 Specifically, the
Commission proposes to modify the
Scope and Definitions section of the
Privacy Rule to provide clearer guidance
to financial institutions that are covered
motor vehicle dealers.
Although the Dodd-Frank Act altered
the Commission’s rulemaking authority
with respect to the Privacy Rule, it did
not alter the Commission’s rulemaking
authority for the GLBA’s Standards for
Safeguarding Customer Information, at
16 CFR part 314 (the Safeguards Rule).
For the Safeguards Rule, the
Commission continues to have
rulemaking authority over a broad range
of non-bank financial institutions. The
Safeguards Rule, however, incorporates
by reference the definitions contained in
the Privacy Rule, including all of the
examples of financial institutions listed
in the existing Privacy Rule.30
Accordingly, the Commission proposes
to change the Privacy Rule definitions to
make clear that, for the purpose of the
Privacy Rule, the only examples
applicable in the definitions are those
related to motor vehicle dealers; for the
purpose of the Safeguards Rule,
however, all existing examples in the
Privacy Rule continue to apply.
B. Changes to the Annual Privacy Notice
The Commission also proposes
changes to the Privacy Rule provisions
governing how motor vehicle dealers
should deliver annual privacy notices.
These changes are consistent with
changes adopted by the Bureau for those
financial institutions subject to the
Bureau’s rulemaking authority. Under
certain limited circumstances, these
changes to the Privacy Rule would
allow motor vehicle dealers to convey
clearly and conspicuously—through
another mandated or legally permissible
notice or disclosure—that their privacy
notice is available on their Web site
(hereafter, the alternative delivery
method).31 If, however, a motor vehicle
dealer has made changes to its privacy
practices or shares its customers’
nonpublic personal information with
nonaffiliated third parties, the dealer
29 15 U.S.C. 6804(1)(C).
30 16 CFR 314.2(a).
31 Because this disclosure must be provided
annually, the proposal satisfies the statutory
requirement that motor vehicle dealers provide
annual notices about their privacy practices.
Beyond the requirement to provide the notice
annually, the GLBA allows agencies to prescribe the
method of delivery. See 15 U.S.C. 6803(a) (The
GLBA allows annual notice to be delivered ‘‘in
writing or in electronic form or other form
permitted by the regulations . . .’’).
generally could not avail itself of this
alternative delivery method.32
The Commission anticipates that use
of the alternative delivery method that
meets the requirements discussed below
could inform customers of their motor
vehicle dealer’s privacy policies
effectively and at a lower cost than the
current widespread method of mailing
annual privacy notices. The cost savings
could benefit both consumers and
businesses.33
The Commission has also considered
the potential impact of its proposed rule
change on consumer privacy. The
proposal would not affect the actual
collection or use of consumers’
nonpublic personal information by
motor vehicle dealers, and consumers
would continue to get the information
and opt-out rights they are entitled to
under the statute. Moreover, the
proposal would enable consumers to
review a motor vehicle dealer’s policy at
their own convenience any time during
the year. For example, a motor vehicle
dealer choosing to use the alternative
method would have to post the privacy
notice continuously on its Web site,
thus enabling consumers to access the
privacy notice throughout the year
rather than having to wait for an annual
mailing.
IV. Section-by-Section Analysis
Section 313.1(b)—Scope
Section 313.1(b) outlines the scope of
the Privacy Rule. The existing Rule
describes the types of entities to which
the Privacy Rule was applicable prior to
the enactment of the Dodd-Frank Act.
Those entities included—but were not
limited to—financial institutions such
as ‘‘payday’’ lenders, mortgage brokers,
check cashers, and tax preparation
firms, but did not include entities that
were subject to the rulemaking authority
of another agency.34 With the exception
of motor vehicle dealers, the entities
formerly subject to 16 CFR part 313 are
now subject to the Bureau’s Regulation
P.35
The Commission seeks to revise the
Privacy Rule to make clear that it
applies only to motor vehicle dealers.
Accordingly, the Commission proposes
to revise § 313.1(b) to remove examples
of entities to which the FTC’s Privacy
Rule no longer applies. The Commission
also proposes to remove the reference in
32 A motor vehicle dealer may use the alternative
delivery method if such sharing does not trigger
GLBA opt-out rights as set forth in Parts 313.13,
313.14, and 313.15.
33 See 79 FR at 27218; 79 FR at 64061.
34 See 15 U.S.C. 6804 (2010).
35 The Commission retains enforcement authority
over such entities for violations of the Bureau’s
Regulation P. 15 U.S.C. 6805(a)(7).
the Privacy Rule’s scope to ‘‘other
persons.’’ Although the Commission
continues to have enforcement authority
over ‘‘other persons’’ covered by the
CFPB’s rule, the Commission no longer
has rulemaking authority for the Privacy
Rule over ‘‘other persons.’’ In addition,
the Commission proposes to eliminate
from § 313.1(b) the note indicating that:
(1) The Privacy Rule does not modify,
limit, or supersede the standards under
the Health Insurance Portability and
Accountability Act of 1996 (HIPAA),
and (2) if a financial institution that is
an institution of higher education is in
compliance with the Federal
Educational Rights and Privacy Act
(FERPA) and its implementing
regulations, such institution shall be
deemed in compliance with 16 CFR part
313. The Commission believes it
unlikely that this note is applicable to
motor vehicle dealers but requests
comment as to whether motor vehicle
dealers ever engage in practices that
require them to comply with HIPAA or
FERPA. In addition, the Commission
invites general comment on the
proposed changes to the description of
the scope of the Privacy Rule.
Section 313.3—Definitions
The Definitions section of the Privacy
Rule includes a number of examples
designed to provide guidance regarding
the scope of terms used in the Privacy
Rule. The Commission proposes to
revise these definitions so that they
provide accurate guidance regarding the
Rule’s scope. Specifically, the
Commission proposes to revise § 313.3
to make clear that certain examples in
five definitions are not applicable to
motor vehicle dealers for purposes of
the Privacy Rule but continue to apply
for purposes of the Safeguards Rule.
Similarly, the Commission proposes to
revise the definition of ‘‘you,’’ which
currently includes entities to which the
Privacy Rule no longer applies.
First, for purposes of the Privacy Rule,
proposed § 313.3(e)(2) no longer
includes, as examples of ‘‘consumers,’’
those consumers seeking financial
advisory services 36 or consumers with
which the financial institution has a
relationship related to a trust.37 The
examples are retained for purposes of
the Safeguards Rule, 16 CFR part 314.
Second, for purposes of the Privacy
Rule, proposed § 313.3(i)(2) no longer
includes, as examples of a ‘‘continuing
relationship’’ with a customer, a
relationship in which the financial
institution holds an investment product
36 16 CFR 313.3(e)(2)(iii).
37 16 CFR 313.3(e)(2)(vi) and (vii).
for the consumer; 38 enters into an
agreement to arrange or broker a home
mortgage loan; 39 provides financial,
investment, or economic advisory
services to a consumer; 40 provides tax
preparation or credit counseling
services; 41 provides career counseling
for seeking employment with a financial
institution or a financial, accounting or
audit department of a company; 42
purchases an account, on which the
consumer has an obligation, from
another financial institution; 43 or
provides real estate settlement
services.44 The examples are retained
for purposes of the Safeguards Rule.
Third, for purposes of the Privacy
Rule, proposed § 313.3(i)(2) no longer
includes, as examples of ‘‘no continuing
relationship’’ with a customer, a
relationship in which the financial
institution sells airline tickets 45 or sells
checks for a personal checking
account.46 The examples are retained
for purposes of the Safeguards Rule.
Fourth, for purposes of the Privacy
Rule, proposed § 313.3(k)(2) no longer
includes, as examples of ‘‘financial
institutions,’’ retailers that extend credit
by issuing their own credit cards to
consumers; career counselors
specializing in finance, accounting or
audit employment; businesses that print
and sell checks; businesses that
regularly wire money to and from
consumers; check cashing businesses;
accountants or other tax preparation
services that are in the business of
completing tax returns; businesses that
operate travel services in connection
with financial services; businesses
providing real estate settlement services;
mortgage brokers, or investment
advisory companies and credit
counseling services.47 The examples are
retained for purposes of the Safeguards
Rule.
Fifth, for purposes of the Privacy
Rule, proposed § 313.3(k)(5) no longer
includes as examples of ‘‘entities that
are not significantly engaged in
financial activities,’’ retailers that only
extend credit via occasional ‘‘lay away’’
and deferred payment plans; merchants
38 16 CFR 313.3(i)(2)(i)(D). The Privacy Rule
requires motor vehicle dealers to provide an annual
notice while there is a continuing relationship
between the dealer and the customer.
39 16 CFR 313.3(i)(2)(i)(E). This subsection has
been revised to remove the portion of the example
relating to home mortgage loans but retains the
portion relating to credit to purchase a vehicle.
40 16 CFR 313.3(i)(2)(i)(G).
41 16 CFR 313.3(i)(2)(i)(H).
42 16 CFR 313.3(i)(2)(i)(I).
43 16 CFR 313.3(i)(2)(i)(J).
44 16 CFR 313.3(i)(2)(i)(K).
45 16 CFR 313.3(i)(2)(ii)(C).
46 16 CFR 313.3(i)(2)(ii)(E).
47 16 CFR 313.3(k)(2)(E)(i), (iv)–(xii).
that allow individuals to ‘‘run a tab’’; or
grocery stores that allow individuals to
cash checks or write checks for a higher
amount than a purchase and obtain cash
back.48 The examples are retained for
purposes of the Safeguards Rule. The
Commission invites comment regarding
whether any of the examples that the
Commission proposes to eliminate for
purposes of the Privacy Rule are
applicable to motor vehicle dealers. The
Commission also seeks comment
regarding the examples that remain for
purposes of the Privacy Rule in the
definitions of proposed § 313.3 and the
applicability of such examples to motor
vehicle dealers.
The existing Privacy Rule generally
defines ‘‘you’’ as a financial institution
over which the Commission has
enforcement jurisdiction under the
GLBA. Because this definition refers to
the Commission’s enforcement authority
rather than its rulemaking authority, the
definition is overbroad in light of the
amendments to the GLBA discussed
above. Therefore, the Commission
proposes to revise the definition of
‘‘you’’ so that for purposes of the
Privacy Rule it applies to only those
entities over which the Commission has
rulemaking authority. For purposes of
the Safeguards Rule, the definition of
‘‘you’’ remains unchanged.
The Commission requests comment
on the proposed changes to the
definition of ‘‘you.’’ The Commission
notes that the changes to
the Privacy Rule scope and definitions
serve solely to conform the Privacy Rule
to the revisions in the Dodd-Frank Act
as to the scope of the Commission’s
rulemaking authority. These changes do
not reflect any change in the
Commission’s authority to enforce the
Privacy Rule or Regulation P.
Section 313.9—Delivering Privacy and
Opt-Out Notices
Section 313.9(a) of the Rule requires
that motor vehicle dealers provide
initial and annual privacy notices so
that each consumer ‘‘can reasonably be
expected’’ to receive actual notice in
writing or, if the consumer agrees,
electronically. Section 313.9(b) provides
examples of delivery methods that
would result in reasonable expectation
of actual notice, including hand
delivery and delivery by mail. The
examples also include posting on a Web
site for customers who: (1) Conduct
transactions electronically, and (2)
acknowledge receipt of the notice as a
necessary step to obtaining a particular
financial product or service.49 Section
48 16 CFR 313.3(k)(4)(iii) and (iv).
49 16 CFR 313.9(b).
313.9(c) further allows delivery of the
annual notice through a Web site, but
only if a customer uses the dealer’s Web
site to access financial products and
services and consents to receive notices
at the Web site.50 Below, the
Commission describes proposed
changes to § 313.9(c) that would allow
motor vehicle dealers to utilize an
alternative delivery method for the
annual notices. In some circumstances,
motor vehicle dealers could substitute
their annual privacy notices with a clear
and conspicuous disclosure—as part of
an account statement, coupon book, or
other legally-required or permitted
notice or disclosure—stating that their
privacy notice is available on their Web
site and will be mailed to the customer
on request. As required by the GLBA,
this substitute disclosure would have to
be provided at least annually.
The Commission seeks information
concerning the effect on customer
privacy rights if motor vehicle dealers
were to use the alternative delivery
method rather than their current
delivery methods. Relatedly, the
Commission requests comment on how
often customers currently read annual
privacy notices under the Privacy Rule
and how frequently the notices would
be read if they were provided pursuant
to the proposed alternative delivery
method. The Commission further
requests comment on whether the
proposed alternative delivery method
would be effective in reducing the
burden on motor vehicle dealers of
mailing hard copy privacy notices. In
particular, the Commission requests
information regarding how many annual
privacy notices motor vehicle dealers
provide.
Lastly, the Commission notes that the
current Rule prescribes certain
circumstances under which motor
vehicle dealers can provide privacy
notices electronically or via online
posting. For example, the Rule allows
covered entities to provide notices
electronically if the consumer agrees or
to provide notice online if the consumer
is required to acknowledge receipt of
the notice. See 16 CFR 313.9. The
Commission invites comment regarding
how often privacy notices are delivered
electronically or posted online under
the existing Rule and whether
companies that currently provide
notices electronically will likely
experience cost savings under the
proposed new rule requirements.
50 16 CFR 313.9(c).
9(c)(2) Alternative Method for Providing
Certain Annual Notices
9(c)(2)(i)
Proposed § 313.9(c)(2)(i) describes the
circumstances under which a motor
vehicle dealer may use the alternative
delivery method summarized above.51
9(c)(2)(i)(A)
Proposed § 313.9(c)(2)(i)(A) would set
forth the first condition for using the
alternative delivery method: That the
motor vehicle dealer must not share the
customer’s information with
nonaffiliated third parties in a manner
that triggers the opt-out requirement
under the GLBA. Thus, for example, a
motor vehicle dealer may use the
alternative delivery method if it shares
the customer’s information with
nonaffiliated third parties as permitted
by §§ 313.13 (for joint marketing),
313.14 (for processing and servicing
transactions), and 313.15 (with consent,
or for security purposes, fraud
prevention, legal purposes or fiduciary
purposes). It may not use the alternative
delivery method, for example, if it
shares the customer’s nonpublic
personal information with a
nonaffiliated insurance company for
marketing purposes. The Commission
believes the alternative delivery method
will generally reduce the burden of
compliance for motor vehicle dealers,
while still mandating the use of the
current delivery method to ensure that
customers have direct notice of their
opt-out rights, where they exist.
The Commission invites comment on
the number of motor vehicle dealers that
would not be able to take advantage of
the alternative delivery method because
they share data with nonaffiliated third
parties. The Commission further invites
comment on whether customers with
opt-out rights pursuant to the Privacy
Rule should continue to receive the
annual privacy notice pursuant to the
current delivery method or if motor
vehicle dealers should be able to utilize
the proposed alternative delivery
method for such customers.
9(c)(2)(i)(B)
Proposed § 313.9(c)(2)(i)(B) would set
forth the second condition for using the
alternative delivery method for the
annual privacy notice: That the motor
vehicle dealer not include on its annual
notice an opt-out under section
51 Existing § 313.9(c) would be redesignated as
§ 313.9(c)(1) and its subparagraphs redesignated as
§ 313.9(c)(1)(i) and (ii), respectively, to
accommodate the new addition. The Commission is
also proposing to add a heading to new paragraph
(c)(1) for technical reasons.
603(d)(2)(A)(iii) of the FCRA.52 As
discussed above, FCRA section
603(d)(2)(A)(iii) allows sharing of
certain consumer information with
affiliates, but only if the motor vehicle
dealer provides the consumer with
notice and an opportunity to opt out of
the information sharing. Although this
is a requirement of the FCRA, section
503(b)(4) of the GLBA and § 313.6(a)(7)
of the Privacy Rule require a motor
vehicle dealer’s privacy notice to
include any opt-out rights provided
under section 603(d)(2)(A)(iii) of the
FCRA. Accordingly, to the extent that a
motor vehicle dealer shares customer
information with affiliates for marketing
purposes, thus triggering the obligation
to include an opt-out pursuant to FCRA
section 603(d)(2)(A)(iii), the motor
vehicle dealer cannot take advantage of
the alternative delivery method.53 As
noted above, the Commission believes
that directly reminding consumers of
any opt-out rights at least annually will
be important for consumers. This is true
regardless of whether the opt-out right is
provided under the GLBA or the FCRA.
The Commission invites comment on
the extent to which different motor
vehicle dealers provide a FCRA section
603(d)(2)(A)(iii) opt-out and thus would
be precluded from using the proposed
alternative delivery method. The
Commission further invites comment as
to whether customers with opt-out
rights under this section of the FCRA
benefit from receiving the annual
privacy notice pursuant to the current
delivery method or could receive the
notice via the proposed alternative
delivery method.
9(c)(2)(i)(C)
Proposed § 313.9(c)(2)(i)(C) would
contain the third condition for using the
alternative delivery method, related to
the requirements of section 624 of the
FCRA 54 and the Affiliate Marketing
Rule, 16 CFR part 680. FCRA section
624, as implemented by the Affiliate
Marketing Rule, provides that a person
may not use certain information about a
consumer that it receives from an
affiliate to market to that consumer
unless the consumer receives notice and
the opportunity to opt out of such
marketing.55
In contrast to the FCRA section
603(d)(2)(A)(iii) notice and opt-out right
concerning affiliate sharing, which is
generally required to be included on the
GLBA annual privacy notice, the FCRA
section 624 (and Affiliate Marketing
52 15 U.S.C. 1681a(d)(2)(A)(iii).
53 See 64 FR 35162, 35176 (June 1, 2000).
54 15 U.S.C. 1681s–3.
55 16 CFR 680.21(a).
Rule) notice and opt-out right
concerning marketing by affiliates is not
required to be included on that notice.
However, the Affiliate Marketing Rule
notice and opt-out right may be
included on the privacy notice.56
The Commission proposes—under
§ 313.9(c)(2)(i)(C)—that a motor vehicle
dealer that is required to provide a
notice and opt out under the Affiliate
Marketing Rule may use the alternative
delivery method, provided that the
motor vehicle dealer has previously
satisfied the Affiliate Marketing Rule
requirements or does not use the annual
privacy notice as the sole means of
providing notice to customers of that
opt-out right.57 Alternatively, the motor
vehicle dealer could continue to use the
current delivery method and include the
Affiliate Marketing opt-out on the
annual privacy notice, with no separate
notice required.
The Commission invites comment on
the extent to which motor vehicle
dealers include the Affiliate Marketing
Rule opt-out on their Privacy Rule
privacy notices and thus would be
precluded from using the proposed
alternative delivery method. The
Commission further invites comment on
whether imposing this condition on
using the alternative delivery method is
beneficial to consumers.
9(c)(2)(i)(D)
Proposed § 313.9(c)(2)(i)(D) would
present the fourth condition for using
the alternative delivery method: That
the substantive information a motor
vehicle dealer is required to convey on
its annual privacy notice has not
changed since the immediately previous
privacy notice (whether initial, annual,
or revised) to the customer.58 The
56 16 CFR 680.23(b).
57 Certain requirements for the Affiliate Marketing
notice and opt out differ, depending on whether it
is included as part of the model privacy notice or
issued separately. Where a motor vehicle dealer
includes the Affiliate Marketing notice and opt-out
on the model privacy notice, that opt-out must be
of indefinite duration. See Appendix A to Part 313
at C.2(d)(6). In contrast, where a motor vehicle
dealer provides the Affiliate Marketing notice and
opt-out separately, the Affiliate Marketing Rule
allows the opt-out to be offered for as little as five
years, subject to renewal, and the disclosure of the
duration of the opt-out must be included on the
notice. See 16 CFR 680.22(b). 16 CFR
680.23(a)(1)(iv). Because inclusion of the Affiliate
Marketing opt-out on the model privacy notice
requires a motor vehicle dealer to honor the opt-out
indefinitely, a motor vehicle dealer that also offers
the opt-out right separately in order to use the
alternative delivery method would be able to
comply with both the Privacy Rule and the Affiliate
Marketing Rule by stating in the separate Affiliate
Marketing notice that the opt-out is of indefinite
duration and by honoring such opt-out requests
indefinitely.
58 Note that information disclosed pursuant to
§ 313.6(a)(6) and (a)(7) is not included in proposed
Commission believes that the current
delivery method is likely less useful if
the customer has already received a
privacy notice, and the motor vehicle
dealer’s sharing practices remain
generally unchanged since that previous
notice. Proposed § 313.9(c)(2)(i)(D) lists
the specific disclosures of the privacy
notice that must not change in order for
a motor vehicle dealer to take advantage
of the alternative delivery method. They
are:
• The categories of nonpublic
personal information that the motor
vehicle dealer collects (§ 313.6(a)(1) and
(a)(4));
• the categories of nonpublic personal
information that the motor vehicle
dealer discloses (§ 313.6(a)(2));
• the categories of affiliates and
nonaffiliated third parties to whom the
motor vehicle dealer discloses
nonpublic personal information, other
than to parties that administer or
enforce transactions, service or process
financial products, or maintain or
service accounts, under § 313.14 and to
parties for security, fraud prevention,
legal purposes, or similar purposes
under § 313.15 (§ 313.6(a)(3));
• if the motor vehicle dealer discloses
nonpublic personal information to a
nonaffiliated third party for joint
marketing as set forth under § 313.13, a
separate statement of the categories of
information disclosed and the categories
of third parties to whom the disclosures
were made (§ 313.6(a)(5));
• the motor vehicle dealer’s policies
and practices with respect to protecting
the confidentiality and security of
nonpublic personal information
(§ 313.6(a)(8)); and
• the description of the purpose for
sharing with service providers and other
entities that conduct fraud prevention,
security, or similar services
(§ 313.6(a)(9)).
The Commission emphasizes that a
motor vehicle dealer would be
precluded from using the alternative
delivery method only if it made
substantive changes to the information
disclosed on the previous written notice
sent to the consumer. Stylistic changes
in the wording of the notice that do not
denote a change in practices would not
prevent a motor vehicle dealer from
using the alternative delivery method.
Nor would the proposed section
prohibit a motor vehicle dealer from
using the alternative delivery method if
the dealer eliminated categories of
information it disclosed or categories of
§ 313.9(c)(2)(i)(D) because if those situations apply,
a motor vehicle dealer could not use the alternative
delivery method under proposed § 313.9(c)(2)(i)(A)
and (B), as discussed above.
third parties to whom it disclosed
information. Any other substantive
change to its information sharing
practices would preclude use of the
alternative delivery method; however,
the motor vehicle dealer could use the
alternative delivery method to meet its
next annual privacy notice requirement
if it first sent a revised privacy notice
pursuant to the standard delivery
requirements.
The Commission invites comment
about the effect on customers of
conditioning availability of the
alternative delivery method on there
being no change from the previous
year’s notice. The Commission further
invites comment on how often motor
vehicle dealers change their privacy
notice such that they would be
precluded from using the proposed
alternative delivery method. Lastly, the
Commission invites comment on the
extent to which a motor vehicle dealer’s
changing its data security policy should
preclude it, like financial institutions
covered by Regulation P, from using the
proposed alternative delivery method.
9(c)(2)(i)(E)
The last condition for use of the
alternative delivery method, which
would be set forth in proposed
§ 313.9(c)(2)(i)(E), requires that the
motor vehicle dealer use the model
privacy form for its annual privacy
notice. Currently, the Privacy Rule does
not require use of the model notice
because the statute under which it was
promulgated only required that
regulators give financial institutions the
option to use such a model notice.59
However, the Commission proposes to
permit use of the alternative delivery
method only if a motor vehicle dealer
uses the model privacy form for its
annual privacy notice. This approach
would likely incentivize use of the
model notice, which consumer research
has shown to be effective in
communicating information.60 The
Commission does not believe that the
one-time burden of creating a model
notice will place an undue burden on
motor vehicle dealers, who will likely
be able to save costs by not sending
annual privacy notices.
The Commission notes that the model
form accommodates information that
may be required by state or international
law, as applicable, in a box called
‘‘Other important information.’’ 61
Accordingly, the Commission expects
that a motor vehicle dealer that has
additional privacy disclosure
59 15 U.S.C. 6803.
60 74 FR 62890, 62891 (Dec. 1, 2009).
61 Appendix A to Part 313 at C(3)(c).
obligations pursuant to state or
international law would still be able to
use the model form in order to take
advantage of the proposed alternative
delivery method. The Commission
invites comment on related state or
international law requirements and their
interaction with the model privacy
notice, as well as the proposed
condition on the alternative delivery
method in general.
The Commission contemplates that
adoption of the model privacy form may
require changes to the wording and
layout of the privacy notice, but not to
the information conveyed. Thus,
adoption of the model notice would not
constitute a change to the prior year’s
notice that would preclude use of the
alternative delivery method under
proposed § 313.9(c)(2)(i)(D).62 The
Commission solicits comment on this
issue. The Commission further invites
comment on the extent to which motor
vehicle dealers currently use the model
privacy notice, and if they do not,
whether they would choose to adopt it
in order to take advantage of the
proposed alternative delivery method.
Lastly, the Commission invites
comment on the benefit to customers of
receiving the model privacy notice
rather than a privacy notice in a nonstandard format.
Finally, the Commission generally
invites comment on the conditions in
proposed § 313.9(c)(2)(i)(A) through (E)
and whether any of those conditions
should not be required or whether other
conditions should be added.
9(c)(2)(ii)
Proposed § 313.9(c)(2)(ii) sets forth
the mechanics of the alternative
delivery method for annual notices.
9(c)(2)(ii)(A)
Proposed § 313.9(c)(2)(ii)(A) would
set forth the first component of the
alternative delivery method: that a
motor vehicle dealer inform the
customer of the availability of the
annual privacy notice on its Web site.
Under this proposed subsection, a motor
vehicle dealer must clearly and
conspicuously convey, not less than
annually—on an account statement,
coupon book, or notice or disclosure the
institution is required or expressly
permitted to use under any other
provision of law—three pieces of
62 In a somewhat analogous situation, the
agencies that promulgated the model privacy notice
explained: ‘‘Adoption of the model form, with no
change in policies or practices, would not
constitute a revised notice [for purposes of the rule
section on revised privacy notices], although
institutions may elect to consider the format change
as revision, at their option.’’ 74 FR 62890, 62907 n.
196.
information: (1) That its privacy notice
has not changed, (2) that the notice is
available on its Web site, and (3) that a
hard copy of the notice will be mailed
to customers if they call to request one.
Proposed § 313.9(c)(2)(ii)(A) states
that this notice must be ‘‘clear and
conspicuous,’’ which is defined as
meaning ‘‘reasonably understandable’’
and ‘‘designed to call attention to the
nature and significance of the
information.’’ 63 The Commission
believes that the existing examples in
§ 313.3(b)(2)(i) and (ii) for the
‘‘reasonably understandable’’ and
‘‘designed to call attention’’
requirements likely would provide
sufficient guidance on ways to make the
notice clear and conspicuous. For
example, the Rule states that, if the
notice is combined with other
information, it must contain ‘‘distinctive
type size, style, and graphic devices,
such as shading or sidebars.’’ 64
Although the Commission proposes to
require that motor vehicle dealers
convey this ‘‘notice of availability’’ not
less than annually, they may elect to
convey it more often (e.g., quarterly or
monthly). The Commission invites
comment on whether the approach used
for notice of availability for motor
vehicle dealers should differ from that
for the financial institutions covered by
Regulation P. In particular, the
Commission is interested in comment
on: (1) Whether the proposed example
notice of availability would make the
alternative delivery method more
feasible for motor vehicle dealers to
implement, (2) whether the illustrative
elements not specifically required by
the Rule should be so required, and (3)
whether the proposed language would
be effective in informing customers of
the availability of the privacy notice.
As noted, proposed § 313.9(c)(2)(ii)(A)
would require the notice of availability
to be conveyed on an account statement,
coupon book, or notice or disclosure the
motor vehicle dealer is required or
expressly and specifically permitted to
issue under any other provision of law.
An account statement would include
periodic statements or billing
statements. A coupon book refers to a
book of payment coupons typically
included with an installment loan. The
Commission believes customers are
likely to read account statements or
coupon books that directly concern the
status of their account.
A ‘‘notice or disclosure the institution
is required or expressly and specifically
permitted to issue under any other
provision of law’’ would include
63 16 CFR 313.3(b)(1).
64 16 CFR 313.3(b)(2)(ii)(E).
disclosures that are expressly and
specifically permitted by law, even if
not required. This language builds on
the language used in the Affiliate
Marketing Rule, which provides that ‘‘a
notice required by this subpart may be
coordinated and consolidated with any
other notice or disclosure required to be
issued under any other provision of law.
. . .’’ 65 The Commission notes that a
notice of availability would not satisfy
the proposed rule requirement if
included on advertising materials that
were neither required nor specifically
permitted by law. The Commission
invites comment on the benefits and
costs of requiring the notice of
availability to be included on an
account statement, coupon book, or
document required or expressly and
specifically permitted under any other
provision of law. The Commission
further requests comment as to the best
documents on which to place the notice
of availability, particularly in light of
what consumers are likely to read.
The Commission further notes that
where two or more motor vehicle
dealers provide a joint privacy notice
pursuant to § 313.9(f), the proposal
would require each motor vehicle dealer
to separately provide the notice of
availability. The Commission invites
comment on how often motor vehicle
dealers jointly provide privacy notices
and whether the proposed alternative
delivery method would be feasible for
such jointly issued notices.
Proposed § 313.9(c)(2)(ii)(A) also
would require the institution to state on
the notice of availability that its privacy
policy has not changed, which, as
discussed in detail below, is a condition
that a dealer must satisfy in order to be
able to use the alternative delivery
method. This proposed requirement can
help customers assess whether they are
interested in reading the policy. This
statement would always be accurate if
the alternative delivery method is used
correctly, since a motor vehicle dealer
could not use the alternative delivery
method if its annual privacy notice had
changed.
The proposal would further require
that the statement include a specific
web address that takes customers
directly to the page where the privacy
notice is available. The section also
would require that the web address
conveyed on the notice of availability
provide the customer with direct access
to the page that contains the privacy
notice, so that the customer need not
click on any additional links.
Next, proposed § 313.9(c)(2)(ii)(A)
would require that the notice of
65 16 CFR 680.23(b).
availability include a telephone number
that a customer can call to request a
hard copy of the annual privacy notice.
This number need not be a dedicated
number established for this purpose
alone. This requirement is intended to
assist customers who do not have
internet access or would prefer to
receive a hard copy of the privacy
notice. The Commission encourages
motor vehicle dealers that already
maintain a toll-free number to use that
number in the statement required by
§ 313.9(c)(2)(ii)(A), to simplify the
process for a customer to call and
request a mailed copy of the privacy
notice.
As an alternative, the Commission
invites comment on whether the
approach used for notice of availability
for motor vehicle dealers should differ
from that for the financial institutions
covered by Regulation P. Specifically,
the Commission seeks comment on the
advantages and disadvantages of
requiring motor vehicle dealers to
provide a dedicated telephone number
for privacy notice requests so that
customers can easily request a hard
copy of the notice without navigating a
complicated automated telephone
menu. The Commission also invites
comment on whether it should require
a dedicated toll-free number for this
purpose.
9(c)(2)(ii)(B)
Proposed § 313.9(c)(2)(ii)(B) would set
forth the second component of the
alternative delivery method: that the
motor vehicle dealer post its current
privacy notice continuously and in a
clear and conspicuous manner on a page
of the institution’s Web site on which
the only content is the privacy notice.
The Commission believes that, were the
notice included on a page with other
content, such as other disclosures or
promotions for products, that content
could detract from the prominence of
the notice and make it less likely that a
customer would actually read it.66 The
66 Information that is not content, such as
navigational menus to other pages on the Web site,
could appear on the same page as the privacy
notice. Moreover, other pages on the dealer’s Web
site could link to the page containing the privacy
notice, but the customer would still have to be
provided a specific web address that takes the
customer directly to the page where the privacy
notice is available to satisfy the requirement to post
the notice on the motor vehicle dealer’s Web site
in proposed § 313.9(c)(2)(ii)(B). Finally, with regard
to the proposed requirement that the notice be
posted in a ‘‘clear and conspicuous’’ manner, the
Commission notes that existing § 313.3(b)(2)(iii)
gives examples of what clear and conspicuous
means for a privacy notice posted on a Web site.
One example is a Web page that uses text or visual
cues to encourage scrolling down the page if
necessary to view the entire notice, and as long as
Commission believes that this
requirement is feasible for most motor
vehicle dealers, and for a motor vehicle
dealer that does not currently post its
annual notice on its Web site, creating
a specific page for this purpose is a one-time process that could be implemented
without significant cost.
This section would further require
that the Web page that contains the
privacy notice be accessible to the
customer without requiring the
customer to provide any information
such as a login name or password or
agree to any conditions to access the
page. This provision is intended to
make accessing the privacy notice on an
institution’s Web site as simple and
straightforward as possible.
The Commission invites comment
regarding the prevalence of motor
vehicle dealers that currently maintain
Web sites, whether they currently post
the Privacy Rule notice on those Web
sites, and if they do not, how costly it
would be to do so. The Commission
additionally seeks comment on whether
motor vehicle dealers provide different
privacy notices for different groups of
customers, such that posting multiple
privacy notices on the dealer’s Web site
may create confusion as to which is the
relevant privacy notice that is
applicable to a particular customer. The
Commission seeks comment on the
relative benefit or harm to customers of
accessing the privacy notice on a motor
vehicle dealer’s Web site as proposed.
Lastly, the Commission invites
comment as to whether motor vehicle
dealers should be required to provide
specific reminder information to a
consumer about that consumer’s
previously established preferences—for
example, whether the consumer has
already opted out—via a login and
password-protected section of the Web
site.
9(c)(2)(ii)(C)
Proposed § 313.9(c)(2)(ii)(C) would set
forth the third component of the
alternative delivery method: That the
motor vehicle dealer mail its current
privacy notice to those customers who
request it by telephone within ten
calendar days of such request. The
Commission proposes this requirement
to assist customers without internet
access and customers with internet
access who would prefer to receive a
hard copy of the notice. This
requirement makes clear that a motor
vehicle dealer may not, for example,
wait to mail the privacy notice with
another document, such as a quarterly
the page does not include text, graphics, hyperlinks,
or sound that may distract from the notice.
statement. Motor vehicle dealers may
not charge the customer for delivering
the annual notice, given that delivery of
the annual notice is required by statute
and regulation.
The Commission invites comment on
the cost associated with mailing privacy
notices on request, and whether mailing
of the privacy notice within ten
calendar days of a request is feasible for
motor vehicle dealers. The Commission
further requests comment on whether
requiring mailing within ten calendar
days is sufficient to ensure that
customers receive privacy notices in a
timely manner.
9(c)(2)(iii)
Proposed § 313.9(c)(2)(iii) would
provide an example of a notice of
availability that satisfies
§ 313.9(c)(2)(ii)(A). The Commission
intends this example to provide clear
guidance on permissible content for the
notice of availability to facilitate
compliance. The content of the example
notice of availability in proposed
§ 313.9(c)(2)(iii) draws from language in
the existing model privacy notice in Part
313, App. A, which was previously
subject to consumer testing.67 The
proposed example would include the
heading ‘‘Privacy Notice’’ in boldface
(or otherwise emphasized) on the notice
of availability. The proposed example
further would state that Federal law
requires the motor vehicle dealer to tell
customers how it collects, shares, and
protects their personal information; this
language mirrors the ‘‘Why’’ box on the
model privacy notices.68 The remaining
portion of the proposed example would
inform customers that the motor vehicle
dealer’s privacy notice has not changed,
the address of the Web site at which
customers can access the privacy notice,
and the telephone number to call to
request a free copy of the notice. The
Commission notes that the proposed
example contains certain elements that
would satisfy proposed § 313.9(c)(2), but
other language and formatting
techniques could also satisfy that
section. These elements include titling
the notice of availability ‘‘Privacy
Notice,’’ including a statement that
‘‘Federal law requires the motor vehicle
dealer to tell customers how it collects,
shares, and protects their personal
information,’’ and stating that getting a
copy of the notice is ‘‘free’’ to the
consumer.
The Commission invites comment on
whether the proposed example notice of
availability for motor vehicle dealers
should differ from that for financial
67 See Appendix A to 16 CFR part 313, at A.
68 Id.
institutions covered by Regulation P. In
particular, the Commission is interested
in comment on: (1) Whether the
proposed example notice of availability
would make the alternative delivery
method more feasible for motor vehicle
dealers to implement, (2) whether the
elements not specifically required by
the rule should be so required, and (3)
whether the proposed language would
be effective in informing customers of
the availability of the privacy notice.
V. Regulatory Flexibility Act
The Regulatory Flexibility Act (RFA),
as amended by the Small Business
Regulatory Enforcement Fairness Act of
1996, requires each agency to consider
the potential impact of its regulations on
small entities, including small
businesses, small governmental units,
and small not-for-profit organizations.
The RFA generally requires an agency to
conduct an initial regulatory flexibility
analysis (IRFA) and a final regulatory
flexibility analysis (FRFA) of any rule
subject to notice-and-comment
rulemaking requirements, unless the
agency certifies that the rule will not
have a significant economic impact on
a substantial number of small entities.69
An IRFA is not required here because
the proposal, if adopted, would not have
a significant economic impact on a
substantial number of small entities.
The Commission does not expect the
proposal to impose costs on small
entities. All methods of compliance
under current law will remain available
to small entities if the proposal is
adopted. Thus, a small entity that is in
compliance with current law need not
take any different or additional action if
the proposal is adopted. In addition, as
discussed above, the Commission
believes that the proposed alternative
method would allow many motor
vehicle dealers to reduce their costs.
Accordingly, the Commission certifies
that this proposal, if adopted, would not
have a significant economic impact on
a substantial number of small entities.
VI. Paperwork Reduction Act
Under the Paperwork Reduction Act
of 1995 (PRA),70 Federal agencies are
generally required to seek Office of
Management and Budget (OMB)
approval for information collection
requirements prior to implementation.
Under the PRA, the Commission may
not conduct or sponsor, and,
notwithstanding any other provision of
law, a person is not required to respond
to an information collection, unless the
69 5 U.S.C. 603–605.
70 44 U.S.C. 3501 et seq.
information collection displays a valid
control number assigned by OMB.
This proposal would amend 16 CFR
part 313. The collections of information
related to the Privacy Rule have been
previously reviewed and approved by
OMB in accordance with the PRA and
assigned OMB Control Number 3084–
0121.71
As explained below, the proposed
amendments do not modify or add to
information collection requirements that
were previously approved by OMB.
Under this proposal, a motor vehicle
dealer will be permitted, but not
required, to use an alternative delivery
method for the annual privacy notice if:
• It does not share information with
nonaffiliated third parties other than for
purposes covered by the exclusions
allowed under the Privacy Rule;
• It does not include on its annual
privacy notice an opt-out under section
603(d)(2)(A)(iii) of the FCRA;
• The annual privacy notice is not the
only method used to satisfy the
requirements of section 624 of the FCRA
and 16 CFR part 680, if applicable;
• Certain information it is required to
convey on its annual privacy notice has
not changed since it provided the
immediately prior privacy notice; and
• It uses the Privacy Rule model
privacy form for its annual privacy
notice.
Under the proposed alternative
delivery method, the motor vehicle
dealer would have to:
• Convey at least annually on another
notice or disclosure that its privacy
notice is available on its Web site and
will be mailed upon request to a
specified telephone number. Among
other things, the dealer would have to
include a specific web address that
takes the customer directly to the
privacy notice;
• Post its current privacy notice
continuously on a page of its Web site
that contains only the privacy notice,
without requiring a login or any
conditions to access the page; and
• Mail its current privacy notice to
customers who request it by telephone
within ten calendar days of such
request.
Under the existing clearance, the FTC
has attributed to itself the estimated
burden regarding all motor vehicle
dealers and then shares equally the
remaining estimated PRA burden with
the Bureau for other types of financial
institutions for which both agencies
have enforcement authority regarding
the GLBA Privacy Rule.72
71 The FTC has current clearance through October
31, 2017. See 79 FR 55489 (Sept. 16, 2014).
72 79 FR 55489.
The Commission does not believe that
this proposed rule would impose any
new or substantively revised collections
of information as defined by the PRA.
Rather, the Commission believes that
the proposed amendment would have
the overall effect of reducing the
currently cleared estimated burden for
the information collections associated
with the Privacy Rule annual privacy
notice.
By definition, the expected cost
savings to motor vehicle dealers from
the proposed revisions to § 313.9(c) is
the expected number of annual privacy
notices that would be provided through
the proposed alternative delivery
method multiplied by the expected
reduction in the cost per-notice from
using the alternative delivery method.
The first step in estimating the expected
cost savings to motor vehicle dealers
from proposed § 313.9(c)(2) would be to
identify the motor vehicle dealers
whose current information sharing
practices would allow them to use the
proposed alternative method. The
Commission would then need to
determine their current costs for
providing the annual privacy notices
and the expected costs of providing
these notices under proposed
§ 313.9(c)(2).
In order to reach such an estimate for
financial institutions, the Commission
looked to the Bureau’s rulemaking. The
Bureau performed a number of analyses
and outreach activities to approximate
the expected cost savings for financial
institutions. After examining 125 banks
selected through random sampling, the
Bureau found that the overall average
rate at which banks’ information sharing
practices would make them eligible for
using the alternative delivery method if
other conditions were met is 80%.73 The
Bureau’s results indicated that a large
majority of smaller banks would likely
be able to use the proposed alternative
delivery method but most of the largest
banks would not.74 For non-depository
institutions subject to the Commission’s
enforcement, the Bureau similarly
estimated that 80% would be able to use
the alternate delivery method.75 Subject
73 79 FR at 27226.
74 Id. Only 18% of sampled banks with assets
over $10 billion could clearly use the proposed
alternative delivery method, while 81% of sampled
banks with assets of $10 billion or less and 88% of
sampled banks with assets of $500 million or less
could clearly use the proposed alternative delivery
method. The Bureau also examined the privacy
policies of 54 credit unions and found 62% of those
with assets over $500 million could use the
alternative delivery method and 44% of those with
$500 million or less in assets could (though, due to
inadequate information, the Bureau could not make
the assessment for 48% of those credit unions with
$500 million or less in assets). Id.
75 79 FR at 27229.
to further information through public
comment, the Commission preliminarily
assumes that this 80% is characteristic
as well for motor vehicle dealers. The
Commission requests comment and the
submission of information relevant to
the information sharing practices of
motor vehicle dealers and the extent to
which they may be able to use the
proposed alternative delivery method.
The Commission does not have
precise data on the number of annual
privacy notices motor vehicle dealers
currently provide to directly compute
the total number of annual privacy
notices that would no longer be sent;
however, in the Commission’s proposal
to extend the current PRA clearance for
the Privacy Rule,76 the Commission
estimated the total costs to motor
vehicle dealers to disseminate annual
disclosures to be about $18.4 million.77
Applying the Commission’s estimate
that 80% of motor vehicle dealers
would be able to utilize the alternative
delivery method, the estimated
reduction in ongoing burden would be
approximately 638,400 hours annually
for roughly 48,000 motor vehicle
dealers.78 The reduction in estimated
ongoing costs from the reduction in
ongoing burden would be
approximately $14.7 million annually.79
The Commission requests comment on
this preliminary analysis as well as the
submission of additional data that could
inform the Commission’s consideration
of the cost savings to motor vehicle
dealers.
The Commission believes that the
one-time cost for some motor vehicle
76 79 FR 55489 (Sept. 14, 2014).
77 Id. at 55490–91 Table IIB.
78 The 638,400 hours estimate is 80% of the
previously published estimate of 798,000 hours,
cumulatively, for established motor vehicle dealers
to disseminate annual notices. See id. at 55490
(Table IIB). The estimated number of motor vehicle
dealers that would use the alternative delivery
method is 80% of the previously published estimate
of the number of motor vehicle dealers, 60,000. See
id. at Table IIA notes.
79 This is the product of the above-noted costs to
motor vehicle dealers to disseminate annual
disclosures, $18.4 million, multiplied by the
assumed 80% reduction for the alternative delivery
method. Estimates of ongoing savings are gross
figures and do not take into account any ongoing
costs associated with the alternative delivery
method, which the Commission believes would be
minimal. They would consist of additional text on
a notice or disclosure the institution already
provides, additional phone calls from consumers
requesting that the model form be mailed, and the
costs of mailing the forms prompted by these calls.
The Commission currently believes that few
consumers will request that the form be mailed in
order to read it or to exercise any voluntary opt-out
right, given the availability of the notices online.
There would be minimal ongoing costs associated
with the alternative delivery method from
maintaining a Web page if a motor vehicle dealer
already has a Web page dedicated to the annual
privacy policy.
dealers to adopt the alternative delivery
method is minimal. Motor vehicle
dealers that already use the model form
and would adopt the alternative
delivery method would incur minor
one-time legal, programming and
training costs. These dealers would have
to communicate on a notice or
disclosure they already issue under any
other provision of law that the privacy
notice is available. The expense of
adding this notification would be minor.
Staff may need some additional training
in storing copies of the model form and
sending it to customers on request.
Motor vehicle dealers that do not use
the model form would incur a one-time
cost to create one. However, since the
promulgation of the model privacy form
in 2009, an Online Form Builder has
existed that any institution can use to
readily create a unique, customized
privacy notice using the model form
template.80 The Commission assumes
that motor vehicle dealers that do not
currently have Web sites would not
choose to comply with these
requirements in order to use the
alternative delivery method.
The Commission has determined that
the proposed rule does not contain any
new or substantively revised
information collection requirements as
defined by the PRA and that the burden
estimate for the previously-approved
information collections should be
reduced as explained above. The
Commission welcomes comments on
these determinations or any other aspect
of the proposal for purposes of the PRA.
Comments should be submitted as
outlined in the ADDRESSES section
above. All comments will become a
matter of public record.
Invitation To Comment
You can file a comment online or on
paper. For the Commission to consider
your comment, we must receive it on or
before August 31, 2015. Write
‘‘Amendment to the Privacy of
Consumer Financial Information Rule,
16 CFR part 313, Project No. R411016’’
on your comment. Your comment—
including your name and your state—
will be placed on the public record of
this proceeding, including, to the extent
practicable, on the Commission Web
site, at http://www.ftc.gov/os/publiccomments.shtm. As a matter of
discretion, the Commission tries to
remove individuals’ home contact
information from comments before
placing them on the Commission Web
site.
80 This Online Form Builder is available at
http://www.federalreserve.gov/newsevents/press/bcreg/20100415a.htm.
Because your comment will be made
public, you are solely responsible for
making sure that your comment doesn’t
include any sensitive personal
information, such as Social Security
number, date of birth, driver’s license
number or other state identification
number or foreign country equivalent,
passport number, financial account
number, or credit or debit card number.
You are also solely responsible for
making sure that your comment doesn’t
include any sensitive health
information, including medical records
or other individually identifiable health
information. In addition, do not include
any ‘‘[t]rade secret or any commercial or
financial information which . . . is
privileged or confidential,’’ as discussed
in section 6(f) of the FTC Act, 15 U.S.C.
46(f), and FTC Rule 4.10(a)(2), 16 CFR
4.10(a)(2). In particular, do not include
competitively sensitive information
such as costs, sales statistics,
inventories, formulas, patterns, devices,
manufacturing processes, or customer
names.
If you want the Commission to give
your comment confidential treatment,
you must file it in paper form, with a
request for confidential treatment, and
you have to follow the procedure
explained in FTC Rule 4.9(c), 16 CFR
4.9(c).81 Your comment will be kept
confidential only if the FTC General
Counsel, in his or her sole discretion,
grants your request in accordance with
the law and the public interest.
Postal mail addressed to the
Commission is subject to delay due to
heightened security screening. As a
result, we encourage you to submit your
comments online. To make sure that the
Commission considers your online
comment, you must file it at
https://ftcpublic.commentworks.com/ftc/GLBPrivacyamendment, by following
the instructions on the web-based form.
If this Notice appears at
http://www.regulations.gov/#!home, you also
may file a comment through that Web
site.
If you file your comment on paper,
write ‘‘Amendment to the Privacy of
Consumer Financial Information Rule,
16 CFR part 313, Project No. R411016’’
on your comment and on the envelope,
and mail your comment to the following
address: Federal Trade Commission,
Office of the Secretary, 600
Pennsylvania Avenue NW., Suite CC–
5610 (Annex E), Washington, DC 20580,
or deliver your comment to the
81 In particular, the written request for
confidential treatment that accompanies the
comment must include the factual and legal basis
for the request, and must identify the specific
portions of the comment to be withheld from the
public record. See FTC Rule 4.9(c), 16 CFR 4.9(c).
following address: Federal Trade
Commission, Office of the Secretary,
Constitution Center, 400 7th Street SW.,
5th Floor, Suite 5610 (Annex E),
Washington, DC 20024. If possible,
submit your paper comment to the
Commission by courier or overnight
service.
Visit the Commission Web site at
http://www.ftc.gov to read this Notice
and the news release describing it. The
FTC Act and other laws that the
Commission administers permit the
collection of public comments to
consider and use in this proceeding as
appropriate. The Commission will
consider all timely and responsive
public comments that it receives on or
before August 31, 2015. For information
on the Commission’s privacy policy,
including routine uses permitted by the
Privacy Act, see http://www.ftc.gov/ftc/privacy.htm.
List of Subjects in 16 CFR Part 313
Consumer protection, Motor vehicle
dealers, Privacy, Reporting and
recordkeeping requirements, Trade
practices.
Authority and Issuance
For the reasons set forth in the
preamble, the Commission proposes to
amend 16 CFR part 313, as set forth
below:
PART 313—PRIVACY OF CONSUMER
FINANCIAL INFORMATION
■ 1. The authority citation for Part 313
is revised to read as follows:
Authority: 15 U.S.C. 6801 et seq., 12
U.S.C. 5519.
■ 2. In § 313.1, revise paragraph (b) to
read as follows:
§ 313.1 Purpose and scope.
* * * * *
(b) Scope. This part applies only to
nonpublic personal information about
individuals who obtain financial
products or services primarily for
personal, family or household purposes
from the institutions listed below. This
part does not apply to information about
companies or about individuals who
obtain financial products or services for
business, commercial, or agricultural
purposes. This part applies to those
‘‘financial institutions’’ over which the
Federal Trade Commission
(‘‘Commission’’) has rulemaking
authority pursuant to section
504(a)(1)(C) of the Gramm-Leach-Bliley
Act. An entity is a ‘‘financial
institution’’ if its business is engaging in
a financial activity as described in
section 4(k) of the Bank Holding
Company Act of 1956, 12 U.S.C.
1843(k), which incorporates by
reference activities enumerated by the
Federal Reserve Board in 12 CFR
211.5(d) and 12 CFR 225.28. The
‘‘financial institutions’’ subject to the
Commission’s rulemaking authority are
any persons described in 12 U.S.C. 5519
that are predominantly engaged in the
sale and servicing of motor vehicles, the
leasing and servicing of motor vehicles,
or both. They are referred to in this part
as ‘‘You.’’
■ 3. In § 313.3, revise paragraphs (e), (i),
(k), and (q) to read as follows:
§ 313.3 Definitions.
* * * * *
(e)(1) Consumer means an individual
who obtains or has obtained a financial
product or service from you that is to be
used primarily for personal, family, or
household purposes, or that individual’s
legal representative.
(2) Examples for purposes of 16 CFR
part 313 and 314—(i) An individual
who applies to you for credit for
personal, family, or household purposes
is a consumer of a financial service,
regardless of whether the credit is
extended.
(ii) An individual who provides
nonpublic personal information to you
in order to obtain a determination about
whether he or she may qualify for a loan
to be used primarily for personal,
family, or household purposes is a
consumer of a financial service,
regardless of whether the loan is
extended.
(iii) If you hold ownership or
servicing rights to an individual’s loan
that is used primarily for personal,
family, or household purposes, the
individual is your consumer, even if
you hold those rights in conjunction
with one or more other institutions.
(The individual is also a consumer with
respect to the other financial
institutions involved.) An individual
who has a loan in which you have
ownership or servicing rights is your
consumer, even if you, or another
institution with those rights, hire an
agent to collect on the loan.
(iv) An individual who is a consumer
of another financial institution is not
your consumer solely because you act as
agent for, or provide processing or other
services to, that financial institution.
(v) An individual is not your
consumer solely because he or she is a
participant or a beneficiary of an
employee benefit plan that you sponsor
or for which you act as a trustee or
fiduciary.
(3) Examples for purposes of 16 CFR
part 314—(i) An individual who
provides nonpublic personal
information to you in connection with
obtaining or seeking to obtain financial,
investment, or economic advisory
services is a consumer, regardless of
whether you establish a continuing
advisory relationship.
(ii) An individual is not your
consumer solely because he or she has
designated you as trustee for a trust.
(iii) An individual is not your
consumer solely because he or she is a
beneficiary of a trust for which you are
a trustee.
* * * * *
(i)(1) Customer relationship means a
continuing relationship between a
consumer and you under which you
provide one or more financial products
or services to the consumer that are to
be used primarily for personal, family,
or household purposes.
(2) Examples—(i) Continuing
relationship. (A) A consumer has a
continuing relationship with you, for
purposes of 16 CFR part 313 and part
314, if the consumer:
(1) Has a credit or investment account
with you;
(2) Obtains a loan from you;
(3) Purchases an insurance product
from you;
(4) Enters into an agreement or
understanding with you whereby you
undertake to arrange credit to purchase
a vehicle, for the consumer;
(5) Enters into a lease of personal
property on a non-operating basis with
you; or
(6) Has a loan for which you own the
servicing rights.
(B) A consumer also has a continuing
relationship with you, for purposes of
16 CFR part 314, if the consumer:
(1) Holds an investment product
through you, such as when you act as
a custodian for securities or for assets in
an Individual Retirement Arrangement;
(2) Enters into an agreement or
understanding with you whereby you
undertake to arrange or broker a home
mortgage loan, for the consumer;
(3) Obtains financial, investment, or
economic advisory services from you for
a fee;
(4) Becomes your client for the
purpose of obtaining tax preparation or
credit counseling services from you;
(5) Obtains career counseling while
seeking employment with a financial
institution or the finance, accounting, or
audit department of any company (or
while employed by such a financial
institution or department of any
company);
(6) Is obligated on an account that you
purchase from another financial
institution, regardless of whether the
account is in default when purchased,
unless you do not locate the consumer
or attempt to collect any amount from
the consumer on the account; or
(7) Obtains real estate settlement
services from you.
(ii) No continuing relationship. (A)
For purposes of 16 CFR parts 313 and
314, a consumer does not, however,
have a continuing relationship with you
if:
(1) The consumer obtains a financial
product or service from you only in
isolated transactions, such as cashing a
check with you or making a wire
transfer through you;
(2) You sell the consumer’s loan and
do not retain the rights to service that
loan; or
(3) The consumer obtains one-time
personal or real property appraisal
services from you.
(B) For purposes of 16 CFR part 314,
a consumer also does not have a
continuing relationship with you if:
(1) The consumer obtains a financial
product or service from you only in
isolated transactions, such as using your
ATM to withdraw cash from an account
at another financial institution or
purchasing a money order from you;
(2) You sell the consumer airline
tickets, travel insurance, or traveler’s
checks in isolated transactions; or
(3) The consumer purchases checks
for a personal checking account from
you.
* * * * *
(k)(1) Financial institution means any
institution the business of which is
engaging in financial activities as
described in section 4(k) of the Bank
Holding Company Act of 1956 (12
U.S.C. 1843(k)). An institution that is
significantly engaged in financial
activities is a financial institution.
(2) Example of financial institution
for purposes of 16 CFR part 313 and
314. An automobile dealership that, as
a usual part of its business, leases
automobiles on a nonoperating basis for
longer than 90 days is a financial
institution with respect to its leasing
business because leasing personal
property on a nonoperating basis where
the initial term of the lease is at least 90
days is a financial activity listed in 12
CFR 225.28(b)(3) and referenced in
section 4(k)(4)(F) of the Bank Holding
Company Act.
(3) Examples of financial institution
for purposes of 16 CFR part 314. (i) A
retailer that extends credit by issuing its
own credit card directly to consumers is
a financial institution because extending
credit is a financial activity listed in 12
CFR 225.28(b)(1) and referenced in
section 4(k)(4)(F) of the Bank Holding
Company Act and issuing that extension
of credit through a proprietary credit
card demonstrates that a retailer is
significantly engaged in extending
credit.
(ii) A personal property or real estate
appraiser is a financial institution
because real and personal property
appraisal is a financial activity listed in
12 CFR 225.28(b)(2)(i) and referenced in
section 4(k)(4)(F) of the Bank Holding
Company Act.
(iii) A career counselor that
specializes in providing career
counseling services to individuals
currently employed by or recently
displaced from a financial organization,
individuals who are seeking
employment with a financial
organization, or individuals who are
currently employed by or seeking
placement with the finance, accounting
or audit departments of any company is
a financial institution because such
career counseling activities are financial
activities listed in 12 CFR
225.28(b)(9)(iii) and referenced in
section 4(k)(4)(F) of the Bank Holding
Company Act.
(iv) A business that prints and sells
checks for consumers, either as its sole
business or as one of its product lines,
is a financial institution because
printing and selling checks is a financial
activity that is listed in 12 CFR
225.28(b)(10)(ii) and referenced in
section 4(k)(4)(F) of the Bank Holding
Company Act.
(v) A business that regularly wires
money to and from consumers is a
financial institution because transferring
money is a financial activity referenced
in section 4(k)(4)(A) of the Bank
Holding Company Act and regularly
providing that service demonstrates that
the business is significantly engaged in
that activity.
(vi) A check cashing business is a
financial institution because cashing a
check is exchanging money, which is a
financial activity listed in section
4(k)(4)(A) of the Bank Holding Company
Act.
(vii) An accountant or other tax
preparation service that is in the
business of completing income tax
returns is a financial institution because
tax preparation services is a financial
activity listed in 12 CFR 225.28(b)(6)(vi)
and referenced in section 4(k)(4)(G) of
the Bank Holding Company Act.
(viii) A business that operates a travel
agency in connection with financial
services is a financial institution
because operating a travel agency in
connection with financial services is a
financial activity listed in 12 CFR
211.5(d)(15) and referenced in section
4(k)(4)(G) of the Bank Holding Company
Act.
(ix) An entity that provides real estate
settlement services is a financial
institution because providing real estate
settlement services is a financial activity
listed in 12 CFR 225.28(b)(2)(viii) and
referenced in section 4(k)(4)(F) of the
Bank Holding Company Act.
(x) A mortgage broker is a financial
institution because brokering loans is a
financial activity listed in 12 CFR
225.28(b)(1) and referenced in section
4(k)(4)(F) of the Bank Holding Company
Act.
(xi) An investment advisory company
and a credit counseling service are each
financial institutions because providing
financial and investment advisory
services are financial activities
referenced in section 4(k)(4)(C) of the
Bank Holding Company Act.
(4) Financial institution does not
include:
(i) Any person or entity with respect
to any financial activity that is subject
to the jurisdiction of the Commodity
Futures Trading Commission under the
Commodity Exchange Act (7 U.S.C. 1 et
seq.);
(ii) The Federal Agricultural Mortgage
Corporation or any entity chartered and
operating under the Farm Credit Act of
1971 (12 U.S.C. 2001 et seq.); or
(iii) Institutions chartered by Congress
specifically to engage in securitizations,
secondary market sales (including sales
of servicing rights) or similar
transactions related to a transaction of a
consumer, as long as such institutions
do not sell or transfer nonpublic
personal information to a nonaffiliated
third party other than as permitted by
§§ 313.14 and 313.15 of this Part.
(iv) Entities that engage in financial
activities but that are not significantly
engaged in those financial activities.
(5) Example of entities that are not
significantly engaged in financial
activities for purposes of 16 CFR part
313 and 314. A motor vehicle dealer is
not a financial institution merely
because it accepts payment in the form
of cash, checks, or credit cards that it
did not issue.
(6) Examples of entities that are not
significantly engaged in financial
activities for purposes of 16 CFR part
314. (i) A retailer is not a financial
institution if its only means of
extending credit are occasional ‘‘lay
away’’ and deferred payment plans or
accepting payment by means of credit
cards issued by others.
(ii) A retailer is not a financial
institution merely because it accepts
payment in the form of cash, checks, or
credit cards that it did not issue.
(iii) A merchant is not a financial
institution merely because it allows an
individual to ‘‘run a tab.’’
(iv) A grocery store is not a financial
institution merely because it allows
individuals to whom it sells groceries to
cash a check, or write a check for a
higher amount than the grocery
purchase and obtain cash in return.
* * * * *
(q) For purposes of 16 CFR part 313,
You includes each ‘‘financial
institution’’ over which the Commission
has rulemaking authority pursuant to
section 504(a)(1)(C) of the Gramm-Leach-Bliley Act. For purposes of 16
CFR part 314, You includes each
‘‘financial institution’’ (but excludes any
‘‘other person’’) over which the
Commission has enforcement
jurisdiction pursuant to section
505(a)(7) of the Gramm-Leach-Bliley
Act.
■ 4. In § 313.9, revise paragraph (c) to
read as follows:
§ 313.9 Delivering privacy and opt out
notices.
* * * * *
(c) Annual notices only. (1)
Reasonable expectation. You may
reasonably expect that a customer will
receive actual notice of your annual
privacy notice if:
(i) The customer uses your Web site
to access financial products and services
electronically and agrees to receive
notices at the Web site, and you post
your current privacy notice
continuously in a clear and conspicuous
manner on the Web site; or
(ii) The customer has requested that
you refrain from sending any
information regarding the customer
relationship, and your current privacy
notice remains available to the customer
upon request.
(2) Alternative method for providing
certain annual notices. (i)
Notwithstanding paragraph (a) of this
section, you may use the alternative
method described in paragraph (c)(2)(ii)
of this section to satisfy the requirement
in § 313.5(a)(1) to provide a notice if:
(A) You do not disclose the
customer’s nonpublic personal
information with nonaffiliated third
parties other than for purposes under
§§ 313.13, 313.14, and 313.15;
(B) You do not include on your
annual privacy notice pursuant to
§ 313.6(a)(7) an opt out under section
603(d)(2)(A)(iii) of the Fair Credit
Reporting Act (15 U.S.C.
1681a(d)(2)(A)(iii));
(C) The requirements of section 624 of
the Fair Credit Reporting Act (15 U.S.C.
1681s–3) and Part 680 of this chapter, if
applicable, have been satisfied
previously or the annual privacy notice
is not the only notice provided to satisfy
such requirements;
(D) The information you are required
to convey on your annual privacy notice
pursuant to § 313.6(a)(1) through (5), (8),
and (9) has not changed since you
provided the immediately previous
privacy notice (whether initial, annual
or revised) to the customer, other than
to eliminate categories of information
you disclose or categories of third
parties to whom you disclose
information; and
(E) You use the model privacy form in
the appendix to this part for your
annual privacy notice.
(ii) For an annual privacy notice that
meets the requirements in paragraph
(c)(2)(i) of this section, you satisfy the
requirement in § 313.5(a)(1) to provide a
notice if you:
(A) Convey in a clear and
conspicuous manner not less than
annually on an account statement,
coupon book, or a notice or disclosure
you are required or expressly and
specifically permitted to issue under
any other provision of law that your
privacy notice is available on your Web
site and will be mailed to the customer
upon request by telephone. The
statement must state that your privacy
notice has not changed and must
include a specific Web address that
takes the customer directly to the page
where the privacy notice is posted and
a designated telephone number for the
customer to request that it be mailed;
(B) Post your current privacy notice
continuously in a clear and conspicuous
manner on a page of your Web site that
contains only the privacy notice,
without requiring the customer to
provide any information such as a login
name or password or agree to any
conditions to access the page; and
(C) Mail your current privacy notice
to those customers who request it by
telephone within ten days of the
request.
(iii) An example of a statement that
satisfies paragraph (c)(2)(ii)(A) of this
section is: ‘‘Privacy Notice’’ in boldface
or otherwise emphasized: Privacy
Notice—Federal law requires us to tell
you how we collect, share, and protect
your personal information. Our privacy
policy has not changed and you may
review our policy and practices with
respect to your personal information at
[Web address] or we will mail you a free
copy upon request if you call us at
[telephone number].
* * * * *
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2015–14328 Filed 6–23–15; 8:45 am]
BILLING CODE 6750–01–P
Agencies
[Federal Register Volume 80, Number 121 (Wednesday, June 24, 2015)]
[Proposed Rules]
[Pages 36267-36279]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-14328]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
16 CFR Part 313
RIN 3084-AB42
Amendment to the Privacy of Consumer Financial Information Rule
Under the Gramm-Leach-Bliley Act
AGENCY: Federal Trade Commission (FTC or Commission).
ACTION: Notice of proposed rulemaking; Request for public comment.
-----------------------------------------------------------------------
SUMMARY: The FTC proposes to amend the Privacy of Consumer Financial
Information Rule (Privacy Rule or Rule), which among other things
requires that certain motor vehicle dealers provide an annual
disclosure of their privacy policies to their customers by hand
delivery, mail, electronic delivery, or, alternatively through a Web
site, but only with the consent of the consumer. The amendment would
allow motor vehicle dealers instead to notify their customers that a
privacy policy is available on their Web site, under certain
circumstances. The amendment would also revise the scope and
definitions in this rule in light of the transfer of part of the
Commission's rulemaking authority to the Consumer Financial Protection
Bureau (CFPB or the Bureau) in the Dodd-Frank Wall Street Reform and
Consumer Protection Act, but retains certain examples for purposes of
the FTC's Safeguards Rule.
DATES: Comments must be received on or before August 31, 2015.
ADDRESSES: Interested parties may file a comment online or on paper, by
following the instructions in the Request for Comment part of the
SUPPLEMENTARY INFORMATION section below. Write ``Amendment to the
Privacy of Consumer Financial Information Rule, 16 CFR part 313,
Project No. R411016'' on your comment, and file your comment online at
https://ftcpublic.commentworks.com/ftc/GLBPrivacyamendment, by
following the instructions on the web-based form. If you prefer to file
your comment on paper, write ``Amendment to the Privacy of Consumer
Financial Information Rule, 16 CFR part 313, Project No. R411016'' on
your comment and on the envelope, and mail your comment to the
following address: Federal Trade Commission, Office of the Secretary,
600 Pennsylvania Avenue NW., Suite CC-5610 (Annex E), Washington, DC
20580, or deliver your comment to the following address: Federal Trade
Commission, Office of the Secretary, Constitution Center, 400 7th
Street SW., 5th Floor, Suite 5610 (Annex E), Washington, DC 20024.
FOR FURTHER INFORMATION CONTACT: Steven Toporoff, (202) 326-3135,
Attorney, Division of Privacy and Identity Protection, Federal Trade
Commission, 600 Pennsylvania Avenue NW., Washington, DC 20580.
SUPPLEMENTARY INFORMATION:
I. Summary of the Proposed Rule
The Gramm-Leach-Bliley Act (GLBA) \1\ mandates that financial
institutions provide their customers with initial and annual notices
regarding their privacy policies. If financial institutions share
certain customer information with particular types of third parties,
the institutions are also required to provide an opportunity to opt out
of the sharing. The Commission issued its rule implementing these
provisions in 2000.\2\ The Dodd-Frank Wall Street Reform and Consumer
Protection Act transferred GLBA privacy notice rulemaking authority, in
part, to the Bureau; however, the Commission retains rulemaking
authority over any financial institution that is a motor vehicle dealer
predominantly engaged in the sale and servicing of motor vehicles, the
leasing and servicing of motor vehicles, or both, as described in
Section 1029 of the Dodd-Frank Act, 12 U.S.C. 5519 (hereafter, motor
vehicle dealers).
---------------------------------------------------------------------------
\1\ 15 U.S.C. 6801 et seq.
\2\ 65 FR 33646 (May 24, 2000).
---------------------------------------------------------------------------
The Commission proposes to revise its Privacy Rule, 16 CFR part
313, in two ways. First, in light of the transfer of rulemaking
authority for certain financial institutions to the Bureau, the
Commission proposes to revise the explanation of the scope of the Rule
and to tailor the examples provided in the Rule's Definitions section
describing entities over which the Commission has retained rulemaking
authority. The Commission believes that revising these provisions will
eliminate extraneous information, clarify the Rule's applicability, and
reduce confusion as to entities covered by the Rule. The Rule also
retains several examples explaining the types of entities covered by
the Safeguards Rule, 16 CFR part 314. Second, the Commission proposes
to provide an alternative means for covered motor vehicle dealers to
fulfill their obligation under the Privacy Rule to provide notice of
their privacy policies. Under the proposal, motor vehicle dealers that
do not engage in certain types of information-sharing activities would
no longer be required to mail an annual privacy notice if they clearly
and conspicuously convey, as
part of another mandated or legally permissible notice or disclosure,
that their privacy notice is available on their publicly accessible Web
site. This proposed revision is consistent with changes made in an
October 28, 2014, rulemaking by the Bureau, which has rulemaking
authority over depository institutions and many non-depository
institutions.\3\
---------------------------------------------------------------------------
\3\ 79 FR 64057 (Oct. 28, 2014).
---------------------------------------------------------------------------
The Commission believes that the proposed changes are consistent
with those issued by the Bureau, and will help avoid consumer confusion
and ensure that the requirements for motor vehicle dealers covered by
the Rule are consistent with the GLBA's privacy provisions for other
financial institutions. Such changes may also streamline the flow of
information to consumers, while easing the burden on motor vehicle
dealers of providing annual notices. The Commission invites comment on
the proposed rule revisions generally and on the specific issues
outlined throughout Section IV. In addition, the Commission requests
comment on whether, and the extent to which, the FTC's Privacy Rule
applicable to motor vehicle dealers should be consistent with the rule
adopted by the Bureau, or if there are elements that should differ.
The Commission seeks comment on the proposal through August 17,
2015.
II. Background
A. The Statute and Regulation
The GLBA was enacted in 1999.\4\ The GLBA, among other things,
provides a framework for regulating the privacy practices of a broad
range of entities. The GLBA requires that financial institutions
provide their customers with initial and annual notices regarding their
privacy policies, and allow their customers to opt out of sharing their
information with certain nonaffiliated third parties. Covered entities
include, for example, payday lenders, mortgage brokers, check cashers,
debt collectors, real estate appraisers, certain motor vehicle dealers
and remittance transfer providers.
---------------------------------------------------------------------------
\4\ Public Law 106-102, 113 Stat. 1338 (1999).
---------------------------------------------------------------------------
Rulemaking authority to implement the GLBA's privacy provisions was
initially spread among many agencies. The Federal Reserve Board
(Board), the Office of Comptroller of the Currency (OCC), the Federal
Deposit Insurance Corporation (FDIC), and the Office of Thrift
Supervision (OTS) jointly adopted final rules to implement the notice
requirements of the GLBA in 2000.\5\ The Commission, the National
Credit Union Administration (NCUA), Securities and Exchange Commission
(SEC), and Commodity Futures Trading Commission (CFTC) were part of the
same interagency process, but issued their rules separately.\6\ In
2009, all these agencies issued a joint final rule with a model form
that financial institutions could use, at their option, to provide the
required initial and annual privacy disclosures.\7\
---------------------------------------------------------------------------
\5\ 65 FR 35162 (June 1, 2000).
\6\ 65 FR 33646 (May 24, 2000) (FTC final rule); 65 FR 31722
(May 18, 2000) (NCUA final rule); 65 FR 40334 (June 29, 2000) (SEC
final rule); 66 FR 21252 (Apr. 27, 2001) (CFTC final rule).
\7\ 74 FR 62890 (Dec. 1, 2009).
---------------------------------------------------------------------------
In 2011, the Dodd-Frank Act \8\ transferred the GLBA's privacy
notice rulemaking authority from the Board, NCUA, OCC, OTS, the FDIC,
and the Commission (in part) to the Bureau. The Bureau then restated
the implementing regulations in Regulation P, 12 CFR part 1016, in late
2011 (Regulation P).\9\ However, under the Dodd-Frank Act, the
Commission retained rulemaking authority for motor vehicle dealers
described in section 1029 of the Dodd-Frank Act, 12 U.S.C. 5519. Thus,
in 2012, the Commission issued a notice that it was retaining the
implementing regulations governing privacy notices for motor vehicle
dealers, at 16 CFR part 313.\10\
---------------------------------------------------------------------------
\8\ Public Law 111-203, 124 Stat. 1376 (2010).
\9\ 76 FR 79025 (Dec. 21, 2011).
\10\ 77 FR 22200, 22201 (April 13, 2012) (also rescinding those
regulations for which rulemaking authority was transferred to the
Bureau under the Dodd-Frank Act).
---------------------------------------------------------------------------
Despite the transfer of general rulemaking authority for the
Privacy Rule to the CFPB, the Commission and other agencies retained
their existing enforcement authority under the GLBA.\11\ In addition,
the SEC and CFTC retained rulemaking authority with respect to
securities and futures-related companies, respectively.\12\
Accordingly, as part of this rulemaking process, the Commission has
consulted and coordinated, or offered to consult, with those agencies
who have rulemaking and/or enforcement authority under the GLBA,
including the Bureau, SEC, CFTC and the National Association of
Insurance Commissioners (NAIC).\13\
---------------------------------------------------------------------------
\11\ 15 U.S.C. 6805(a).
\12\ 15 U.S.C. 6804, 6809; 12 U.S.C. 1843(k)(4); 12 CFR
1016.1(b).
\13\ See 15 U.S.C. 6804(a)(2).
---------------------------------------------------------------------------
B. The Privacy Notice Requirements
As noted, the GLBA and the FTC Privacy Rule require that certain
covered motor vehicle dealers provide consumers with notices describing
their privacy policies. Section 503 of the GLBA and 16 CFR 313.4
require covered entities to provide an initial notice of these
policies, and then ``provide a clear and conspicuous notice to
customers that accurately reflects [their] privacy policies and
practices not less than annually during the continuation of the
customer relationship.'' \14\
---------------------------------------------------------------------------
\14\ 16 CFR 313.5(a)(1) (emphasis added).
---------------------------------------------------------------------------
Section 502 of the GLBA and 16 CFR 313.6(a)(6) require that initial
and annual notices inform customers of their right to opt out of the
sharing of nonpublic personal information with some types of
nonaffiliated third parties. For example, a customer has the right to
opt out of allowing a motor vehicle dealer to sell her name and address
to a nonaffiliated auto insurance company. On the other hand, a motor
vehicle dealer is not required to allow consumers to opt out of the
dealer's sharing involving third-party service providers, joint
marketing arrangements, maintenance and servicing of accounts,
securitization, law enforcement and compliance, reporting to consumer
reporting agencies, and certain other activities that are specified in
the statute and regulation.\15\ If a motor vehicle dealer limits its
sharing to uses that do not trigger opt-out rights, it may provide an
annual privacy notice to its customers that does not include
information regarding opt-out rights.
---------------------------------------------------------------------------
\15\ 15 U.S.C. 6802(b)(2), 6802(e); 16 CFR 313.13, 313.14,
313.15.
---------------------------------------------------------------------------
Motor vehicle dealers also may include in the annual privacy notice
information about certain consumer opt-out rights related to affiliate
sharing under the FCRA. First, section 603(d)(2)(A)(iii) of the FCRA
allows the sharing of a consumer's information among affiliates, but
only if the consumer is notified of such sharing and is given an
opportunity to opt out.\16\ Section 503(c)(4) of the GLBA and the
Privacy Rule generally require motor vehicle dealers to incorporate any
notifications and opt-out disclosures provided pursuant to section
603(d)(2)(A)(iii) of the FCRA into their initial and annual privacy
notices.\17\
---------------------------------------------------------------------------
\16\ 15 U.S.C. 1681a(d)(2)(A)(iii).
\17\ 15 U.S.C. 6803(c)(4); 16 CFR 313.6(a)(7).
---------------------------------------------------------------------------
Second, section 624 of the FCRA and 16 CFR 680 (the Affiliate
Marketing Rule) provide that an affiliate of a motor vehicle dealer
that receives certain information \18\ about a consumer from the dealer
may not use that information for marketing purposes, unless the
consumer is provided with an opportunity to opt out of that use.\19\
This requirement governs the use of information by an affiliate, not
the sharing of information among affiliates, and thus is distinct from
the affiliate sharing opt-out discussed above. The Affiliate Marketing
Rule permits (but does not require) motor vehicle dealers to
incorporate any opt-out disclosures provided under section 624 of the
FCRA and the Affiliate Marketing Rule into the initial and annual
privacy notices required by the GLBA.\20\
---------------------------------------------------------------------------
\18\ The type of information to which section 624 applies is
information that would be a consumer report but for the exclusions
provided by section 603(d)(2)(A)(i), (ii), or (iii) of the FCRA.
\19\ 15 U.S.C. 1681s-3. The FTC's Affiliate Marketing Rule
applies to motor vehicle dealers. See 77 FR 22200. The FTC also
enforces the Bureau's Regulation V's Affiliate Marketing Rule, 12
CFR part 1022, subpart C, for other entities over which it has
enforcement authority under the FCRA.
\20\ 16 CFR 680.23(b).
---------------------------------------------------------------------------
Finally, Sec. 313.6(a)(8) of the Privacy Rule requires that the
notices also briefly describe how motor vehicle dealers protect the
nonpublic personal information they collect and maintain.
C. The Bureau Rulemaking
In December 2011, the Bureau issued a Request for Information
seeking specific suggestions for streamlining regulations that were
transferred to the Bureau from other Federal agencies (Streamlining
RFI), including the annual privacy notice requirement.\21\
---------------------------------------------------------------------------
\21\ 76 FR 75825, 75828 (Dec. 5, 2011).
---------------------------------------------------------------------------
The Bureau received numerous comments from industry urging the
Bureau to eliminate or reduce the annual notice requirement.\22\
Industry argued that most customers ignore annual privacy notices; the
content of the disclosures provides little benefit when customers have
no right to opt out of information sharing; current distribution of the
notices imposes significant costs; and other methods of delivery could
effectively convey the information to customers at a lower cost.
Industry commenters suggested that the Bureau eliminate or ease the
annual notice requirement if businesses' privacy policies have not
changed and they do not share nonpublic personal information beyond the
exceptions allowed by the GLBA.\23\ Consumer advocacy groups
highlighted the benefit customers receive from printed annual privacy
notices, which may remind customers of privacy rights that they may not
have exercised previously.\24\
---------------------------------------------------------------------------
\22\ 79 FR 27214 at 27217 (May 14, 2014) (Bureau Notice of
Proposed Rulemaking).
\23\ Id.
\24\ Id.
---------------------------------------------------------------------------
In November of 2013, the Bureau published a study assessing the
effects of certain deposit regulations on financial institutions'
operations.\25\ This study provided operational insights from seven
banks about their annual privacy notices. All seven participants
provided the annual notice as a separate mailing, which resulted in
higher costs for postage, materials, and labor than if the notice were
mailed with other material. Some of these participants separately
mailed their notices to ensure that their disclosures are ``clear and
conspicuous,'' \26\ even though 2009 guidance from the eight agencies
promulgating the model privacy form explained that a separate mailing
is not required.\27\ As a result of its Streamlining RFI, study, and
its outreach to industry and consumer groups, in May 2014, the Bureau
issued a proposed rule to amend its Regulation P to allow financial
institutions to notify consumers that a privacy notice was available
online, in certain enumerated circumstances. The comment period closed
on July 14, 2014. As noted above, the Bureau finalized its rulemaking
in October 2014.\28\
---------------------------------------------------------------------------
\25\ Consumer Financial Protection Bureau, ``Understanding the
Effects of Certain Deposit Regulations on Financial Institutions'
Operations: Findings on Relative Costs for Systems, Personnel, and
Processes at Seven Institutions'' (Nov. 2013), available at http://files.consumerfinance.gov/f/201311_cfpb_report_findings-relative-costs.pdf. Information collected for the study may be used to assist
the Bureau in its investigations of ``the effects of a potential or
existing regulation on the business decisions of providers.'' OMB
Information Request--Control Number: 3170-0032.
\26\ 15 U.S.C. 6803 (In its initial and annual privacy notices
``a financial institution shall provide a clear and conspicuous
disclosure . . . .''); 12 CFR 1016.3(b)(1) and 16 CFR 313.3(b)(1)
(both defining ``clear and conspicuous'' as ``reasonably
understandable and designed to call attention to the nature and
significance of the information in the notice.'').
\27\ See 74 FR 62890, 62897-62898.
\28\ 79 FR 64057 (Oct. 28, 2014).
---------------------------------------------------------------------------
III. The Commission's Proposed Rule Changes
A. Technical Changes To Correspond to Statutory Changes
The Commission adopted the scope and definitions in the existing
Privacy Rule at a time when it had rulemaking authority for the Privacy
Rule over a broader group of non-bank ``financial institutions'' as
defined by the GLBA. While the Dodd-Frank Act did not change the
Commission's enforcement authority for the privacy notice obligations
of the GLBA, the Dodd-Frank Act amended the Commission's rulemaking
authority under the GLBA such that its Privacy Rule only applies to
motor vehicle dealers. For other types of financial institutions over
which the Commission has enforcement authority under the GLBA, the
Commission now enforces the Bureau's Regulation P. The amendments in
the Dodd-Frank Act necessitate certain technical revisions to the
Privacy Rule to ensure that the regulation is consistent with the text
of the amended GLBA.\29\ Specifically, the Commission proposes to
modify the Scope and Definitions section of the Privacy Rule to provide
clearer guidance to financial institutions that are covered motor
vehicle dealers.
---------------------------------------------------------------------------
\29\ 15 U.S.C. 6804(1)(C).
---------------------------------------------------------------------------
Although the Dodd-Frank Act altered the Commission's rulemaking
authority with respect to the Privacy Rule, it did not alter the
Commission's rulemaking authority for the GLBA's Standards for
Safeguarding Customer Information, at 16 CFR part 314 (the Safeguards
Rule). For the Safeguards Rule, the Commission continues to have
rulemaking authority over a broad range of non-bank financial
institutions. The Safeguards Rule, however, incorporates by reference
the definitions contained in the Privacy Rule, including all of the
examples of financial institutions listed in the existing Privacy
Rule.\30\ Accordingly, the Commission proposes to change the Privacy
Rule definitions to make clear that, for the purpose of the Privacy
Rule, the only examples applicable in the definitions are those related
to motor vehicle dealers; for the purpose of the Safeguards Rule,
however, all existing examples in the Privacy Rule continue to apply.
---------------------------------------------------------------------------
\30\ 16 CFR 314.2(a).
---------------------------------------------------------------------------
B. Changes to the Annual Privacy Notice
The Commission also proposes changes to the Privacy Rule provisions
governing how motor vehicle dealers should deliver annual privacy
notices. These changes are consistent with changes adopted by the
Bureau for those financial institutions subject to the Bureau's
rulemaking authority. Under certain limited circumstances, these
changes to the Privacy Rule would allow motor vehicle dealers to convey
clearly and conspicuously--through another mandated or legally
permissible notice or disclosure--that their privacy notice is
available on their Web site (hereafter, the alternative delivery
method).\31\ If, however, a motor vehicle dealer has made changes to
its privacy practices or shares its customers' nonpublic personal
information with nonaffiliated third parties, the dealer
generally could not avail itself of this alternative delivery
method.\32\
---------------------------------------------------------------------------
\31\ Because this disclosure must be provided annually, the
proposal satisfies the statutory requirement that motor vehicle
dealers provide annual notices about their privacy practices. Beyond
the requirement to provide the notice annually, the GLBA allows
agencies to prescribe the method of delivery. See 15 U.S.C. 6803(a)
(The GLBA allows annual notice to be delivered ``in writing or in
electronic form or other form permitted by the regulations . . .'').
\32\ A motor vehicle dealer may use the alternative delivery
method if such sharing does not trigger GLBA opt-out rights as set
forth in Parts 313.13, 313.14, and 313.15.
---------------------------------------------------------------------------
The Commission anticipates that use of the alternative delivery
method that meets the requirements discussed below could inform
customers of their motor vehicle dealer's privacy policies effectively
and at a lower cost than the current widespread method of mailing
annual privacy notices. The cost savings could benefit both consumers
and businesses.\33\
---------------------------------------------------------------------------
\33\ See 79 FR at 27218; 79 FR at 64061.
---------------------------------------------------------------------------
The Commission has also considered the potential impact of its
proposed rule change on consumer privacy. The proposal would not affect
the actual collection or use of consumers' nonpublic personal
information by motor vehicle dealers, and consumers would continue to
get the information and opt-out rights they are entitled to under the
statute. Moreover, the proposal would enable consumers to review a
motor vehicle dealer's policy at their own convenience any time during
the year. For example, a motor vehicle dealer choosing to use the
alternative method would have to post the privacy notice continuously
on its Web site, thus enabling consumers to access the privacy notice
throughout the year rather than having to wait for an annual mailing.
IV. Section-by-Section Analysis
Section 313.1(b)--Scope
Section 313.1(b) outlines the scope of the Privacy Rule. The
existing Rule describes the types of entities to which the Privacy Rule
was applicable prior to the enactment of the Dodd-Frank Act. Those
entities included--but were not limited to--financial institutions such
as ``payday'' lenders, mortgage brokers, check cashers, and tax
preparation firms, but did not include entities that were subject to
the rulemaking authority of another agency.\34\ With the exception of
motor vehicle dealers, the entities formerly subject to 16 CFR part 313
are now subject to the Bureau's Regulation P.\35\
---------------------------------------------------------------------------
\34\ See 15 U.S.C. 6804 (2010).
\35\ The Commission retains enforcement authority over such
entities for violations of the Bureau's Regulation P. 15 U.S.C.
6805(a)(7).
---------------------------------------------------------------------------
The Commission seeks to revise the Privacy Rule to make clear that
it applies only to motor vehicle dealers. Accordingly, the Commission
proposes to revise Sec. 313.1(b) to remove examples of entities to
which the FTC's Privacy Rule no longer applies. The Commission also
proposes to remove the reference in the Privacy Rule's scope to ``other
persons.'' Although the Commission continues to have enforcement
authority over ``other persons'' covered by the CFPB's rule, the
Commission no longer has rulemaking authority for the Privacy Rule over
``other persons.'' In addition, the Commission proposes to eliminate
from Sec. 313.1(b) the note indicating that: (1) The Privacy Rule does
not modify, limit, or supersede the standards under the Health
Insurance Portability and Accountability Act of 1996 (HIPAA), and (2)
if a financial institution that is an institution of higher education
is in compliance with the Federal Educational Rights and Privacy Act
(FERPA) and its implementing regulations, such institution shall be
deemed in compliance with 16 CFR part 313. The Commission believes it
unlikely that this note is applicable to motor vehicle dealers but
requests comment as to whether motor vehicle dealers ever engage in
practices that require them to comply with HIPAA or FERPA. In addition,
the Commission invites general comment on the proposed changes to the
description of the scope of the Privacy Rule.
Section 313.3--Definitions
The Definitions section of the Privacy Rule includes a number of
examples designed to provide guidance regarding the scope of terms used
in the Privacy Rule. The Commission proposes to revise these
definitions so that they provide accurate guidance regarding the Rule's
scope. Specifically, the Commission proposes to revise Sec. 313.3 to
make clear that certain examples in five definitions are not applicable
to motor vehicle dealers for purposes of the Privacy Rule but continue
to apply for purposes of the Safeguards Rule. Similarly, the Commission
proposes to revise the definition of ``you,'' which currently includes
entities to which the Privacy Rule no longer applies.
First, for purposes of the Privacy Rule, proposed Sec. 313.3(e)(2)
no longer includes, as examples of ``consumers,'' those consumers
seeking financial advisory services \36\ or consumers with which the
financial institution has a relationship related to a trust.\37\ The
examples are retained for purposes of the Safeguards Rule, 16 CFR part
314.
---------------------------------------------------------------------------
\36\ 16 CFR 313.3(e)(2)(iii).
\37\ 16 CFR 313.3(e)(2)(vi) and (vii).
---------------------------------------------------------------------------
Second, for purposes of the Privacy Rule, proposed Sec.
313.3(i)(2) no longer includes, as examples of a ``continuing
relationship'' with a customer, a relationship in which the financial
institution holds an investment product for the consumer; \38\ enters
into an agreement to arrange or broker a home mortgage loan; \39\
provides financial, investment, or economic advisory services to a
consumer; \40\ provides tax preparation or credit counseling services;
\41\ provides career counseling for seeking employment with a financial
institution or a financial, accounting or audit department of a
company; \42\ purchases an account, on which the consumer has an
obligation, from another financial institution; \43\ or provides real
estate settlement services.\44\ The examples are retained for purposes
of the Safeguards Rule.
---------------------------------------------------------------------------
\38\ 16 CFR 313.3(i)(2)(i)(D). The Privacy Rule requires motor
vehicle dealers to provide an annual notice while there is a
continuing relationship between the dealer and the customer.
\39\ 16 CFR 313.3(i)(2)(i)(E). This subsection has been revised
to remove the portion of the example relating to home mortgage loans
but retains the portion relating to credit to purchase a vehicle.
\40\ 16 CFR 313.3(i)(2)(i)(G).
\41\ 16 CFR 313.3(i)(2)(i)(H).
\42\ 16 CFR 313.3(i)(2)(i)(I).
\43\ 16 CFR 313.3(i)(2)(i)(J).
\44\ 16 CFR 313.3(i)(2)(i)(K).
---------------------------------------------------------------------------
Third, for purposes of the Privacy Rule, proposed Sec. 313.3(i)(2)
no longer includes, as examples of ``no continuing relationship'' with
a customer, a relationship in which the financial institution sells
airline tickets \45\ or sells checks for a personal checking
account.\46\ The examples are retained for purposes of the Safeguards
Rule.
---------------------------------------------------------------------------
\45\ 16 CFR 313.3(i)(2)(ii)(C).
\46\ 16 CFR 313.3(i)(2)(ii)(E).
---------------------------------------------------------------------------
Fourth, for purposes of the Privacy Rule, proposed Sec.
313.3(k)(2) no longer includes, as examples of ``financial
institutions,'' retailers that extend credit by issuing their own
credit cards to consumers; career counselors specializing in finance,
accounting or audit employment; businesses that print and sell checks;
businesses that regularly wire money to and from consumers; check
cashing businesses; accountants or other tax preparation services that
are in the business of completing tax returns; businesses that operate
travel services in connection with financial services; businesses
providing real estate settlement services; mortgage brokers, or
investment advisory companies and credit counseling services.\47\ The
examples are retained for purposes of the Safeguards Rule.
---------------------------------------------------------------------------
\47\ 16 CFR 313.3(k)(2)(E)(i), (iv)-(xii).
---------------------------------------------------------------------------
Fifth, for purposes of the Privacy Rule, proposed Sec. 313.3(k)(5)
no longer includes as examples of ``entities that are not significantly
engaged in financial activities,'' retailers that only extend credit
via occasional ``lay away'' and deferred payment plans; merchants
that allow individuals to ``run a tab''; or grocery stores that allow
individuals to cash checks or write checks for a higher amount than a
purchase and obtain cash back.\48\ The examples are retained for
purposes of the Safeguards Rule. The Commission invites comment
regarding whether any of the examples that the Commission proposes to
eliminate for purposes of the Privacy Rule are applicable to motor
vehicle dealers. The Commission also seeks comment regarding the
examples that remain for purposes of the Privacy Rule in the
definitions of proposed Sec. 313.3 and the applicability of such
examples to motor vehicle dealers.
---------------------------------------------------------------------------
\48\ 16 CFR 313.3(k)(4)(iii) and (iv).
---------------------------------------------------------------------------
The existing Privacy Rule generally defines ``you'' as a financial
institution over which the Commission has enforcement jurisdiction
under the GLBA. Because this definition refers to the Commission's
enforcement authority rather than its rulemaking authority, the
definition is overbroad in light of the amendments to the GLBA
discussed above. Therefore, the Commission proposes to revise the
definition of ``you'' so that for purposes of the Privacy Rule it
applies to only those entities over which the Commission has rulemaking
authority. For purposes of the Safeguards Rule, the definition of
``you'' remains unchanged.
The Commission requests comment on the proposed changes to the
definition of ``you.'' The Commission notes that the changes to the
Privacy Rule scope and definitions serve solely to
conform the Privacy Rule to the revisions in the Dodd-Frank Act as to
the scope of the Commission's rulemaking authority. These changes do
not reflect any change in the Commission's authority to enforce the
Privacy Rule or Regulation P.
Section 313.9--Delivering Privacy and Opt-Out Notices
Section 313.9(a) of the Rule requires that motor vehicle dealers
provide initial and annual privacy notices so that each consumer ``can
reasonably be expected'' to receive actual notice in writing or, if the
consumer agrees, electronically. Section 313.9(b) provides examples of
delivery methods that would result in reasonable expectation of actual
notice, including hand delivery and delivery by mail. The examples also
include posting on a Web site for customers who: (1) Conduct
transactions electronically, and (2) acknowledge receipt of the notice
as a necessary step to obtaining a particular financial product or
service.\49\ Section 313.9(c) further allows delivery of the annual
notice through a Web site, but only if a customer uses the dealer's Web
site to access financial products and services and consents to receive
notices at the Web site.\50\ Below, the Commission describes proposed
changes to Sec. 313.9(c) that would allow motor vehicle dealers to
utilize an alternative delivery method for the annual notices. In some
circumstances, motor vehicle dealers could substitute their annual
privacy notices with a clear and conspicuous disclosure--as part of an
account statement, coupon book, or other legally-required or permitted
notice or disclosure--stating that their privacy notice is available on
their Web site and will be mailed to the customer on request. As
required by the GLBA, this substitute disclosure would have to be
provided at least annually.
---------------------------------------------------------------------------
\49\ 16 CFR 313.9(b).
\50\ 16 CFR 313.9(c).
---------------------------------------------------------------------------
The Commission seeks information concerning the effect on customer
privacy rights if motor vehicle dealers were to use the alternative
delivery method rather than their current delivery methods. Relatedly,
the Commission requests comment on how often customers currently read
annual privacy notices under the Privacy Rule and how frequently the
notices would be read if they were provided pursuant to the proposed
alternative delivery method. The Commission further requests comment on
whether the proposed alternative delivery method would be effective in
reducing the burden on motor vehicle dealers of mailing hard copy
privacy notices. In particular, the Commission requests information
regarding how many annual privacy notices motor vehicle dealers
provide.
Lastly, the Commission notes that the current Rule prescribes
certain circumstances under which motor vehicle dealers can provide
privacy notices electronically or via online posting. For example, the
Rule allows covered entities to provide notices electronically if the
consumer agrees or to provide notice online if the consumer is required
to acknowledge receipt of the notice. See 16 CFR 313.9. The Commission
invites comment regarding how often privacy notices are delivered
electronically or posted online under the existing Rule and whether
companies that currently provide notices electronically will likely
experience cost savings under the proposed new rule requirements.
9(c)(2) Alternative Method for Providing Certain Annual Notices
9(c)(2)(i)
Proposed Sec. 313.9(c)(2)(i) describes the circumstances under
which a motor vehicle dealer may use the alternative delivery method
summarized above.\51\
---------------------------------------------------------------------------
\51\ Existing Sec. 313.9(c) would be redesignated as Sec.
313.9(c)(1) and its subparagraphs redesignated as Sec.
313.9(c)(1)(i) and (ii), respectively, to accommodate the new
addition. The Commission is also proposing to add a heading to new
paragraph (c)(1) for technical reasons.
---------------------------------------------------------------------------
9(c)(2)(i)(A)
Proposed Sec. 313.9(c)(2)(i)(A) would set forth the first
condition for using the alternative delivery method: That the motor
vehicle dealer must not share the customer's information with
nonaffiliated third parties in a manner that triggers the opt-out
requirement under the GLBA. Thus, for example, a motor vehicle dealer
may use the alternative delivery method if it shares the customer's
information with nonaffiliated third parties as permitted by Sec. Sec.
313.13 (for joint marketing), 313.14 (for processing and servicing
transactions), and 313.15 (with consent, or for security purposes,
fraud prevention, legal purposes or fiduciary purposes). It may not use
the alternative delivery method, for example, if it shares the
customer's nonpublic personal information with a nonaffiliated
insurance company for marketing purposes. The Commission believes the
alternative delivery method will generally reduce the burden of
compliance for motor vehicle dealers, while still mandating the use of
the current delivery method to ensure that customers have direct notice
of their opt-out rights, where they exist.
The Commission invites comment on the number of motor vehicle
dealers that would not be able to take advantage of the alternative
delivery method because they share data with nonaffiliated third
parties. The Commission further invites comment on whether customers
with opt-out rights pursuant to the Privacy Rule should continue to
receive the annual privacy notice pursuant to the current delivery
method or if motor vehicle dealers should be able to utilize the
proposed alternative delivery method for such customers.
9(c)(2)(i)(B)
Proposed Sec. 313.9(c)(2)(i)(B) would set forth the second
condition for using the alternative delivery method for the annual
privacy notice: That the motor vehicle dealer not include on its annual
notice an opt-out under section
603(d)(2)(A)(iii) of the FCRA.\52\ As discussed above, FCRA section
603(d)(2)(A)(iii) allows sharing of certain consumer information with
affiliates, but only if the motor vehicle dealer provides the consumer
with notice and an opportunity to opt out of the information sharing.
Although this is a requirement of the FCRA, section 503(b)(4) of the
GLBA and Sec. 313.6(a)(7) of the Privacy Rule require a motor vehicle
dealer's privacy notice to include any opt-out rights provided under
section 603(d)(2)(A)(iii) of the FCRA. Accordingly, to the extent that
a motor vehicle dealer shares customer information with affiliates for
marketing purposes, thus triggering the obligation to include an opt-
out pursuant to FCRA section 603(d)(2)(A)(iii), the motor vehicle
dealer cannot take advantage of the alternative delivery method.\53\ As
noted above, the Commission believes that directly reminding consumers
of any opt-out rights at least annually will be important for
consumers. This is true regardless of whether the opt-out right is
provided under the GLBA or the FCRA.
---------------------------------------------------------------------------
\52\ 15 U.S.C. 1681a(d)(2)(A)(iii).
\53\ See 64 FR 35162, 35176 (June 1, 2000).
---------------------------------------------------------------------------
The Commission invites comment on the extent to which different
motor vehicle dealers provide a FCRA section 603(d)(2)(A)(iii) opt-out
and thus would be precluded from using the proposed alternative
delivery method. The Commission further invites comment as to whether
customers with opt-out rights under this section of the FCRA benefit
from receiving the annual privacy notice pursuant to the current
delivery method or could receive the notice via the proposed
alternative delivery method.
9(c)(2)(i)(C)
Proposed Sec. 313.9(c)(2)(i)(C) would contain the third condition
for using the alternative delivery method, related to the requirements
of section 624 of the FCRA \54\ and the Affiliate Marketing Rule, 16
CFR part 680. FCRA section 624, as implemented by the Affiliate
Marketing Rule, provides that a person may not use certain information
about a consumer that it receives from an affiliate to market to that
consumer unless the consumer receives notice and the opportunity to opt
out of such marketing.\55\
---------------------------------------------------------------------------
\54\ 15 U.S.C. 1681s-3.
\55\ 16 CFR 680.21(a).
---------------------------------------------------------------------------
In contrast to the FCRA section 603(d)(2)(A)(iii) notice and opt-
out right concerning affiliate sharing, which is generally required to
be included on the GLBA annual privacy notice, the FCRA section 624
(and Affiliate Marketing Rule) notice and opt-out right concerning
marketing by affiliates is not required to be included on that notice.
However, the Affiliate Marketing Rule notice and opt-out right may be
included on the privacy notice.\56\
---------------------------------------------------------------------------
\56\ 16 CFR 680.23(b).
---------------------------------------------------------------------------
The Commission proposes--under Sec. 313.9(c)(2)(i)(C)--that a
motor vehicle dealer that is required to provide a notice and opt out
under the Affiliate Marketing Rule may use the alternative delivery
method, provided that the motor vehicle dealer has previously satisfied
the Affiliate Marketing Rule requirements or does not use the annual
privacy notice as the sole means of providing notice to customers of
that opt-out right.\57\ Alternatively, the motor vehicle dealer could
continue to use the current delivery method and include the Affiliate
Marketing opt-out on the annual privacy notice, with no separate notice
required.
---------------------------------------------------------------------------
\57\ Certain requirements for the Affiliate Marketing notice and
opt out differ, depending on whether it is included as part of the
model privacy notice or issued separately. Where a motor vehicle
dealer includes the Affiliate Marketing notice and opt-out on the
model privacy notice, that opt-out must be of indefinite duration.
See Appendix A to Part 313 at C.2(d)(6). In contrast, where a motor
vehicle dealer provides the Affiliate Marketing notice and opt-out
separately, the Affiliate Marketing Rule allows the opt-out to be
offered for as little as five years, subject to renewal, and the
disclosure of the duration of the opt-out must be included on the
notice. See 16 CFR 680.22(b); 16 CFR 680.23(a)(1)(iv). Because
inclusion of the Affiliate Marketing opt-out on the model privacy
notice requires a motor vehicle dealer to honor the opt-out
indefinitely, a motor vehicle dealer that also offers the opt-out
right separately in order to use the alternative delivery method
would be able to comply with both the Privacy Rule and the Affiliate
Marketing Rule by stating in the separate Affiliate Marketing notice
that the opt-out is of indefinite duration and by honoring such opt-
out requests indefinitely.
---------------------------------------------------------------------------
The Commission invites comment on the extent to which motor vehicle
dealers include the Affiliate Marketing Rule opt-out on their Privacy
Rule privacy notices and thus would be precluded from using the
proposed alternative delivery method. The Commission further invites
comment on whether imposing this condition on using the alternative
delivery method is beneficial to consumers.
9(c)(2)(i)(D)
Proposed Sec. 313.9(c)(2)(i)(D) would present the fourth condition
for using the alternative delivery method: That the substantive
information a motor vehicle dealer is required to convey on its annual
privacy notice has not changed since the immediately previous privacy
notice (whether initial, annual, or revised) to the customer.\58\ The
Commission believes that the current delivery method is likely less
useful if the customer has already received a privacy notice, and the
motor vehicle dealer's sharing practices remain generally unchanged
since that previous notice. Proposed Sec. 313.9(c)(2)(i)(D) lists the
specific disclosures of the privacy notice that must not change in
order for a motor vehicle dealer to take advantage of the alternative
delivery method. They are:
---------------------------------------------------------------------------
\58\ Note that information disclosed pursuant to Sec.
313.6(a)(6) and (a)(7) is not included in proposed Sec.
313.9(c)(2)(i)(D) because if those situations apply, a motor vehicle
dealer could not use the alternative delivery method under proposed
Sec. 313.9(c)(2)(i)(A) and (B), as discussed above.
---------------------------------------------------------------------------
• The categories of nonpublic personal information that the
motor vehicle dealer collects (Sec. 313.6(a)(1) and (a)(4));
• the categories of nonpublic personal information that the
motor vehicle dealer discloses (Sec. 313.6(a)(2));
• the categories of affiliates and nonaffiliated third
parties to whom the motor vehicle dealer discloses nonpublic personal
information, other than to parties that administer or enforce
transactions, service or process financial products, or maintain or
service accounts, under Sec. 313.14 and to parties for security, fraud
prevention, legal purposes, or similar purposes under Sec. 313.15
(Sec. 313.6(a)(3));
• if the motor vehicle dealer discloses nonpublic personal
information to a nonaffiliated third party for joint marketing as set
forth under Sec. 313.13, a separate statement of the categories of
information disclosed and the categories of third parties to whom the
disclosures were made (Sec. 313.6(a)(5));
• the motor vehicle dealer's policies and practices with
respect to protecting the confidentiality and security of nonpublic
personal information (Sec. 313.6(a)(8)); and
• the description of the purpose for sharing with service
providers and other entities that conduct fraud prevention, security,
or similar services (Sec. 313.6(a)(9)).
The Commission emphasizes that a motor vehicle dealer would be
precluded from using the alternative delivery method only if it made
substantive changes to the information disclosed on the previous
written notice sent to the consumer. Stylistic changes in the wording
of the notice that do not denote a change in practices would not
prevent a motor vehicle dealer from using the alternative delivery
method. Nor would the proposed section prohibit a motor vehicle dealer
from using the alternative delivery method if the dealer eliminated
categories of information it disclosed or categories of
third parties to whom it disclosed information. Any other substantive
change to its information sharing practices would preclude use of the
alternative delivery method; however, the motor vehicle dealer could
use the alternative delivery method to meet its next annual privacy
notice requirement if it first sent a revised privacy notice pursuant
to the standard delivery requirements.
The Commission invites comment about the effect on customers of
conditioning availability of the alternative delivery method on there
being no change from the previous year's notice. The Commission further
invites comment on how often motor vehicle dealers change their privacy
notice such that they would be precluded from using the proposed
alternative delivery method. Lastly, the Commission invites comment on
the extent to which a motor vehicle dealer's changing its data security
policy should preclude it, like financial institutions covered by
Regulation P, from using the proposed alternative delivery method.
9(c)(2)(i)(E)
The last condition for use of the alternative delivery method,
which would be set forth in proposed Sec. 313.9(c)(2)(i)(E), requires
that the motor vehicle dealer use the model privacy form for its annual
privacy notice. Currently, the Privacy Rule does not require use of the
model notice because the statute under which it was promulgated only
required that regulators give financial institutions the option to use
such a model notice.\59\
---------------------------------------------------------------------------
\59\ 15 U.S.C. 6803.
---------------------------------------------------------------------------
However, the Commission proposes to permit use of the alternative
delivery method only if a motor vehicle dealer uses the model privacy
form for its annual privacy notice. This approach would likely
incentivize use of the model notice, which consumer research has shown
to be effective in communicating information.\60\ The Commission does
not believe that the one-time burden of creating a model notice will
place an undue burden on motor vehicle dealers, who will likely be
able to save costs by not sending annual privacy notices.
---------------------------------------------------------------------------
\60\ 74 FR 62890, 62891 (Dec. 1, 2009).
---------------------------------------------------------------------------
The Commission notes that the model form accommodates information
that may be required by state or international law, as applicable, in a
box called ``Other important information.'' \61\ Accordingly, the
Commission expects that a motor vehicle dealer that has additional
privacy disclosure obligations pursuant to state or international law
would still be able to use the model form in order to take advantage of
the proposed alternative delivery method. The Commission invites
comment on related state or international law requirements and their
interaction with the model privacy notice, as well as the proposed
condition on the alternative delivery method in general.
---------------------------------------------------------------------------
\61\ Appendix A to Part 313 at C(3)(c).
---------------------------------------------------------------------------
The Commission contemplates that adoption of the model privacy form
may require changes to the wording and layout of the privacy notice,
but not to the information conveyed. Thus, adoption of the model notice
would not constitute a change to the prior year's notice that would
preclude use of the alternative delivery method under proposed Sec.
313.9(c)(2)(i)(D).\62\ The Commission solicits comment on this issue.
The Commission further invites comment on the extent to which motor
vehicle dealers currently use the model privacy notice, and if they do
not, whether they would choose to adopt it in order to take advantage
of the proposed alternative delivery method. Lastly, the Commission
invites comment on the benefit to customers of receiving the model
privacy notice rather than a privacy notice in a non-standard format.
---------------------------------------------------------------------------
\62\ In a somewhat analogous situation, the agencies that
promulgated the model privacy notice explained: ``Adoption of the
model form, with no change in policies or practices, would not
constitute a revised notice [for purposes of the rule section on
revised privacy notices], although institutions may elect to
consider the format change as revision, at their option.'' 74 FR
62890, 62907 n. 196.
---------------------------------------------------------------------------
Finally, the Commission generally invites comment on the conditions
in proposed Sec. 313.9(c)(2)(i)(A) through (E) and whether any of
those conditions should not be required or whether other conditions
should be added.
9(c)(2)(ii)
Proposed Sec. 313.9(c)(2)(ii) sets forth the mechanics of the
alternative delivery method for annual notices.
9(c)(2)(ii)(A)
Proposed Sec. 313.9(c)(2)(ii)(A) would set forth the first
component of the alternative delivery method: that a motor vehicle
dealer inform the customer of the availability of the annual privacy
notice on its Web site. Under this proposed subsection, a motor vehicle
dealer must clearly and conspicuously convey, not less than annually--
on an account statement, coupon book, or notice or disclosure the
institution is required or expressly permitted to use under any other
provision of law--three pieces of information: (1) That its privacy
notice has not changed, (2) that the notice is available on its Web
site, and (3) that a hard copy of the notice will be mailed to
customers if they call to request one.
Proposed Sec. 313.9(c)(2)(ii)(A) states that this notice must be
``clear and conspicuous,'' which is defined as meaning ``reasonably
understandable'' and ``designed to call attention to the nature and
significance of the information.'' \63\ The Commission believes that
the existing examples in Sec. 313.3(b)(2)(i) and (ii) for the
``reasonably understandable'' and ``designed to call attention''
requirements likely would provide sufficient guidance on ways to make
the notice clear and conspicuous. For example, the Rule states that, if
the notice is combined with other information, it must contain
``distinctive type size, style, and graphic devices, such as shading or
sidebars.'' \64\
---------------------------------------------------------------------------
\63\ 16 CFR 313.3(b)(1).
\64\ 16 CFR 313.3(b)(2)(ii)(E).
---------------------------------------------------------------------------
Although the Commission proposes to require that motor vehicle
dealers convey this ``notice of availability'' not less than annually,
they may elect to convey it more often (e.g., quarterly or monthly).
The Commission invites comment on whether the approach used for notice
of availability for motor vehicle dealers should differ from that for
the financial institutions covered by Regulation P. In particular, the
Commission is interested in comment on: (1) Whether the proposed
example notice of availability would make the alternative delivery
method more feasible for motor vehicle dealers to implement, (2)
whether the illustrative elements not specifically required by the Rule
should be so required, and (3) whether the proposed language would be
effective in informing customers of the availability of the privacy
notice.
As noted, proposed Sec. 313.9(c)(2)(ii)(A) would require the
notice of availability to be conveyed on an account statement, coupon
book, or notice or disclosure the motor vehicle dealer is required or
expressly and specifically permitted to issue under any other provision
of law. An account statement would include periodic statements or
billing statements. A coupon book refers to a book of payment coupons
typically included with an installment loan. The Commission believes
customers are likely to read account statements or coupon books that
directly concern the status of their account.
A ``notice or disclosure the institution is required or expressly
and specifically permitted to issue under any other provision of law''
would include
disclosures that are expressly and specifically permitted by law, even
if not required. This language builds on the language used in the
Affiliate Marketing Rule, which provides that ``a notice required by
this subpart may be coordinated and consolidated with any other notice
or disclosure required to be issued under any other provision of law. .
. .'' \65\ The Commission notes that a notice of availability would not
satisfy the proposed rule requirement if included on advertising
materials that were neither required nor specifically permitted by law.
The Commission invites comment on the benefits and costs of requiring
the notice of availability to be included on an account statement,
coupon book, or document required or expressly and specifically
permitted under any other provision of law. The Commission further
requests comment as to the best documents on which to place the notice
of availability, particularly in light of what consumers are likely to
read.
---------------------------------------------------------------------------
\65\ 16 CFR 680.23(b).
---------------------------------------------------------------------------
The Commission further notes that where two or more motor vehicle
dealers provide a joint privacy notice pursuant to Sec. 313.9(f), the
proposal would require each motor vehicle dealer to separately provide
the notice of availability. The Commission invites comment on how often
motor vehicle dealers jointly provide privacy notices and whether the
proposed alternative delivery method would be feasible for such jointly
issued notices.
Proposed Sec. 313.9(c)(2)(ii)(A) also would require the
institution to state on the notice of availability that its privacy
policy has not changed, which, as discussed in detail below, is a
condition that a dealer must satisfy in order to be able to use the
alternative delivery method. This proposed requirement can help
customers assess whether they are interested in reading the policy.
This statement would always be accurate if the alternative delivery
method is used correctly, since a motor vehicle dealer could not use
the alternative delivery method if its annual privacy notice had
changed.
The proposal would further require that the statement include a
specific web address that takes customers directly to the page where
the privacy notice is available. The section also would require that
the web address conveyed on the notice of availability provide the
customer with direct access to the page that contains the privacy
notice, so that the customer need not click on any additional links.
Next, proposed Sec. 313.9(c)(2)(ii)(A) would require that the
notice of availability include a telephone number that a customer can
call to request a hard copy of the annual privacy notice. This number
need not be a dedicated number established for this purpose alone. This
requirement is intended to assist customers who do not have internet
access or would prefer to receive a hard copy of the privacy notice.
The Commission encourages motor vehicle dealers that already maintain a
toll-free number to use that number in the statement required by Sec.
313.9(c)(2)(ii)(A), to simplify the process for a customer to call and
request a mailed copy of the privacy notice.
As an alternative, the Commission invites comment on whether the
approach used for notice of availability for motor vehicle dealers
should differ from that for the financial institutions covered by
Regulation P. Specifically, the Commission seeks comment on the
advantages and disadvantages of requiring motor vehicle dealers to
provide a dedicated telephone number for privacy notice requests so
that customers can easily request a hard copy of the notice without
navigating a complicated automated telephone menu. The Commission also
invites comment on whether it should require a dedicated toll-free
number for this purpose.
9(c)(2)(ii)(B)
Proposed Sec. 313.9(c)(2)(ii)(B) would set forth the second
component of the alternative delivery method: that the motor vehicle
dealer post its current privacy notice continuously and in a clear and
conspicuous manner on a page of the institution's Web site on which the
only content is the privacy notice. The Commission believes that, were
the notice included on a page with other content, such as other
disclosures or promotions for products, that content could detract from
the prominence of the notice and make it less likely that a customer
would actually read it.\66\ The Commission believes that this
requirement is feasible for most motor vehicle dealers, and for a motor
vehicle dealer that does not currently post its annual notice on its
Web site, creating a specific page for this purpose is a one-time
process that could be implemented without significant cost.
---------------------------------------------------------------------------
\66\ Information that is not content, such as navigational menus
to other pages on the Web site, could appear on the same page as the
privacy notice. Moreover, other pages on the dealer's Web site could
link to the page containing the privacy notice, but the customer
would still have to be provided a specific web address that takes
the customer directly to the page where the privacy notice is
available to satisfy the requirement to post the notice on the motor
vehicle dealer's Web site in proposed Sec. 313.9(c)(2)(ii)(B).
Finally, with regard to the proposed requirement that the notice be
posted in a ``clear and conspicuous'' manner, the Commission notes
that existing Sec. 313.3(b)(2)(iii) gives examples of what clear
and conspicuous means for a privacy notice posted on a Web site. One
example is a Web page that uses text or visual cues to encourage
scrolling down the page if necessary to view the entire notice,
as long as the page does not include text, graphics, hyperlinks, or
sound that may distract from the notice.
---------------------------------------------------------------------------
This section would further require that the Web page that contains
the privacy notice be accessible to the customer without requiring the
customer to provide any information such as a login name or password or
agree to any conditions to access the page. This provision is intended
to make accessing the privacy notice on an institution's Web site as
simple and straightforward as possible.
The Commission invites comment regarding the prevalence of motor
vehicle dealers that currently maintain Web sites, whether they
currently post the Privacy Rule notice on those Web sites, and if they
do not, how costly it would be to do so. The Commission additionally
seeks comment on whether motor vehicle dealers provide different
privacy notices for different groups of customers, such that posting
multiple privacy notices on the dealer's Web site may create confusion
as to which is the relevant privacy notice that is applicable to a
particular customer. The Commission seeks comment on the relative
benefit or harm to customers of accessing the privacy notice on a motor
vehicle dealer's Web site as proposed. Lastly, the Commission invites
comment as to whether motor vehicle dealers should be required to
provide specific reminder information to a consumer about that
consumer's previously established preferences--for example, whether the
consumer has already opted out--via a login and password-protected
section of the Web site.
9(c)(2)(ii)(C)
Proposed Sec. 313.9(c)(2)(ii)(C) would set forth the third
component of the alternative delivery method: That the motor vehicle
dealer mail its current privacy notice to those customers who request
it by telephone within ten calendar days of such request. The
Commission proposes this requirement to assist customers without
internet access and customers with internet access who would prefer to
receive a hard copy of the notice. This requirement makes clear that a
motor vehicle dealer may not, for example, wait to mail the privacy
notice with another document, such as a quarterly
statement. Motor vehicle dealers may not charge the customer for
delivering the annual notice, given that delivery of the annual notice
is required by statute and regulation.
The Commission invites comment on the cost associated with mailing
privacy notices on request, and whether mailing of the privacy notice
within ten calendar days of a request is feasible for motor vehicle
dealers. The Commission further requests comment on whether requiring
mailing within ten calendar days is sufficient to ensure that customers
receive privacy notices in a timely manner.
9(c)(2)(iii)
Proposed Sec. 313.9(c)(2)(iii) would provide an example of a
notice of availability that satisfies Sec. 313.9(c)(2)(ii)(A). The
Commission intends this example to provide clear guidance on
permissible content for the notice of availability to facilitate
compliance. The content of the example notice of availability in
proposed Sec. 313.9(c)(2)(iii) draws from language in the existing
model privacy notice in Part 313, App. A, which was previously subject
to consumer testing.\67\ The proposed example would include the heading
``Privacy Notice'' in boldface (or otherwise emphasized) on the notice
of availability. The proposed example further would state that Federal
law requires the motor vehicle dealer to tell customers how it
collects, shares, and protects their personal information; this
language mirrors the ``Why'' box on the model privacy notices.\68\ The
remaining portion of the proposed example would inform customers that
the motor vehicle dealer's privacy notice has not changed, the address
of the Web site at which customers can access the privacy notice, and
the telephone number to call to request a free copy of the notice. The
Commission notes that the proposed example contains certain elements
that would satisfy proposed Sec. 313.9(c)(2), but other language and
formatting techniques could also satisfy that section. These elements
include titling the notice of availability ``Privacy Notice,''
including a statement that ``Federal law requires the motor vehicle
dealer to tell customers how it collects, shares, and protects their
personal information,'' and stating that getting a copy of the notice
is ``free'' to the consumer.
---------------------------------------------------------------------------
\67\ See Appendix A to 16 CFR part 313, at A.
\68\ Id.
---------------------------------------------------------------------------
The Commission invites comment on whether the proposed example
notice of availability for motor vehicle dealers should differ from
that for financial institutions covered by Regulation P. In particular,
the Commission is interested in comment on: (1) Whether the proposed
example notice of availability would make the alternative delivery
method more feasible for motor vehicle dealers to implement, (2)
whether the elements not specifically required by the rule should be so
required, and (3) whether the proposed language would be effective in
informing customers of the availability of the privacy notice.
V. Regulatory Flexibility Act
The Regulatory Flexibility Act (RFA), as amended by the Small
Business Regulatory Enforcement Fairness Act of 1996, requires each
agency to consider the potential impact of its regulations on small
entities, including small businesses, small governmental units, and
small not-for-profit organizations. The RFA generally requires an
agency to conduct an initial regulatory flexibility analysis (IRFA) and
a final regulatory flexibility analysis (FRFA) of any rule subject to
notice-and-comment rulemaking requirements, unless the agency certifies
that the rule will not have a significant economic impact on a
substantial number of small entities.\69\
---------------------------------------------------------------------------
\69\ 5 U.S.C. 603-605.
---------------------------------------------------------------------------
An IRFA is not required here because the proposal, if adopted,
would not have a significant economic impact on a substantial number of
small entities. The Commission does not expect the proposal to impose
costs on small entities. All methods of compliance under current law
will remain available to small entities if the proposal is adopted.
Thus, a small entity that is in compliance with current law need not
take any different or additional action if the proposal is adopted. In
addition, as discussed above, the Commission believes that the proposed
alternative method would allow many motor vehicle dealers to reduce
their costs.
Accordingly, the Commission certifies that this proposal, if
adopted, would not have a significant economic impact on a substantial
number of small entities.
VI. Paperwork Reduction Act
Under the Paperwork Reduction Act of 1995 (PRA),\70\ Federal
agencies are generally required to seek Office of Management and Budget
(OMB) approval for information collection requirements prior to
implementation. Under the PRA, the Commission may not conduct or
sponsor, and, notwithstanding any other provision of law, a person is
not required to respond to an information collection, unless the
information collection displays a valid control number assigned by OMB.
---------------------------------------------------------------------------
\70\ 44 U.S.C. 3501 et seq.
---------------------------------------------------------------------------
This proposal would amend 16 CFR part 313. The collections of
information related to the Privacy Rule have been previously reviewed
and approved by OMB in accordance with the PRA and assigned OMB Control
Number 3084-0121.\71\
---------------------------------------------------------------------------
\71\ The FTC has current clearance through October 31, 2017. See
79 FR 55489 (Sept. 16, 2014).
---------------------------------------------------------------------------
As explained below, the proposed amendments do not modify or add to
information collection requirements that were previously approved by
OMB. Under this proposal, a motor vehicle dealer will be permitted, but
not required, to use an alternative delivery method for the annual
privacy notice if:
- It does not share information with nonaffiliated third parties other
  than for purposes covered by the exclusions allowed under the Privacy
  Rule;
- It does not include on its annual privacy notice an opt-out under
  section 603(d)(2)(A)(iii) of the FCRA;
- The annual privacy notice is not the only method used to satisfy the
  requirements of section 624 of the FCRA and 16 CFR part 680, if
  applicable;
- Certain information it is required to convey on its annual privacy
  notice has not changed since it provided the immediately prior
  privacy notice; and
- It uses the Privacy Rule model privacy form for its annual privacy
  notice.
Under the proposed alternative delivery method, the motor vehicle
dealer would have to:
- Convey at least annually on another notice or disclosure that its
  privacy notice is available on its Web site and will be mailed upon
  request to a specified telephone number. Among other things, the
  dealer would have to include a specific web address that takes the
  customer directly to the privacy notice;
- Post its current privacy notice continuously on a page of its Web
  site that contains only the privacy notice, without requiring a login
  or any conditions to access the page; and
- Mail its current privacy notice to customers who request it by
  telephone within ten calendar days of such request.
Under the existing clearance, the FTC has attributed to itself the
estimated burden regarding all motor vehicle dealers and then shares
equally the remaining estimated PRA burden with the Bureau for other
types of financial institutions for which both agencies have
enforcement authority regarding the GLBA Privacy Rule.\72\
---------------------------------------------------------------------------
\72\ 79 FR 55489.
---------------------------------------------------------------------------
The Commission does not believe that this proposed rule would
impose any new or substantively revised collections of information as
defined by the PRA. Rather, the Commission believes that the proposed
amendment would have the overall effect of reducing the currently
cleared estimated burden for the information collections associated
with the Privacy Rule annual privacy notice.
By definition, the expected cost savings to motor vehicle dealers
from the proposed revisions to Sec. 313.9(c) is the expected number of
annual privacy notices that would be provided through the proposed
alternative delivery method multiplied by the expected reduction in the
cost per-notice from using the alternative delivery method. The first
step in estimating the expected cost savings to motor vehicle dealers
from proposed Sec. 313.9(c)(2) would be to identify the motor vehicle
dealers whose current information sharing practices would allow them to
use the proposed alternative method. The Commission would then need to
determine their current costs for providing the annual privacy notices
and the expected costs of providing these notices under proposed Sec.
313.9(c)(2).
In order to reach such an estimate for financial institutions, the
Commission looked to the Bureau's rulemaking. The Bureau performed a
number of analyses and outreach activities to approximate the expected
cost savings for financial institutions. After examining 125 banks
selected through random sampling, the Bureau found that the overall
average rate at which banks' information sharing practices would make
them eligible for using the alternative delivery method if other
conditions were met is 80%.\73\ The Bureau's results indicated that a
large majority of smaller banks would likely be able to use the
proposed alternative delivery method but most of the largest banks
would not.\74\ For non-depository institutions subject to the
Commission's enforcement, the Bureau similarly estimated that 80% would
be able to use the alternate delivery method.\75\ Subject to further
information through public comment, the Commission preliminarily
assumes that this 80% is characteristic as well for motor vehicle
dealers. The Commission requests comment and the submission of
information relevant to the information sharing practices of motor
vehicle dealers and the extent to which they may be able to use the
proposed alternative delivery method.
---------------------------------------------------------------------------
\73\ 79 FR at 27226.
\74\ Id. Only 18% of sampled banks with assets over $10 billion
could clearly use the proposed alternative delivery method, while
81% of sampled banks with assets of $10 billion or less and 88% of
sampled banks with assets of $500 million or less could clearly use
the proposed alternative delivery method. The Bureau also examined
the privacy policies of 54 credit unions and found 62% of those with
assets over $500 million could use the alternative delivery method
and 44% of those with $500 million or less in assets could (though,
due to inadequate information, the Bureau could not make the
assessment for 48% of those credit unions with $500 million or less
in assets). Id.
\75\ 79 FR at 27229.
---------------------------------------------------------------------------
The Commission does not have precise data on the number of annual
privacy notices motor vehicle dealers currently provide to directly
compute the total number of annual privacy notices that would no longer
be sent; however, in the Commission's proposal to extend the current
PRA clearance for the Privacy Rule,\76\ the Commission estimated the
total costs to motor vehicle dealers to disseminate annual disclosures
to be about $18.4 million.\77\ Applying the Commission's estimate that
80% of motor vehicle dealers would be able to utilize the alternative
delivery method, the estimated reduction in ongoing burden would be
approximately 638,400 hours annually for roughly 48,000 motor vehicle
dealers.\78\ The reduction in estimated ongoing costs from the
reduction in ongoing burden would be approximately $14.7 million
annually.\79\ The Commission requests comment on this preliminary
analysis as well as the submission of additional data that could inform
the Commission's consideration of the cost savings to motor vehicle
dealers.
---------------------------------------------------------------------------
\76\ 79 FR 55489 (Sept. 14, 2014).
\77\ Id. at 55490-91 Table IIB.
\78\ The 638,400 hours estimate is 80% of the previously
published estimate of 798,000 hours, cumulatively, for established
motor vehicle dealers to disseminate annual notices. See id. at
55490 (Table IIB). The estimated number of motor vehicle dealers
that would use the alternative delivery method is 80% of the
previously published estimate of the number of motor vehicle
dealers, 60,000. See id. at Table IIA notes.
\79\ This is the product of the above-noted costs to motor
vehicle dealers to disseminate annual disclosures, $18.4 million,
multiplied by the assumed 80% reduction for the alternative delivery
method. Estimates of ongoing savings are gross figures and do not
take into account any ongoing costs associated with the alternative
delivery method, which the Commission believes would be minimal.
They would consist of additional text on a notice or disclosure the
institution already provides, additional phone calls from consumers
requesting that the model form be mailed, and the costs of mailing
the forms prompted by these calls. The Commission currently believes
that few consumers will request that the form be mailed in order to
read it or to exercise any voluntary opt-out right, given the
availability of the notices online. There would be minimal ongoing
costs associated with the alternative delivery method from
maintaining a Web page if a motor vehicle dealer already has a Web
page dedicated to the annual privacy policy.
---------------------------------------------------------------------------
The Commission believes that the one-time cost for some motor
vehicle dealers to adopt the alternative delivery method is minimal.
Motor vehicle dealers that already use the model form and would adopt
the alternative delivery method would incur minor one-time legal,
programming and training costs. These dealers would have to communicate
on a notice or disclosure they already issue under any other provision
of law that the privacy notice is available. The expense of adding this
notification would be minor. Staff may need some additional training in
storing copies of the model form and sending it to customers on
request. Motor vehicle dealers that do not use the model form would
incur a one-time cost to create one. However, since the promulgation of
the model privacy form in 2009, an Online Form Builder has existed that
any institution can use to readily create a unique, customized privacy
notice using the model form template.\80\ The Commission assumes that
motor vehicle dealers that do not currently have Web sites would not
choose to comply with these requirements in order to use the
alternative delivery method.
---------------------------------------------------------------------------
\80\ This Online Form Builder is available at http://www.federalreserve.gov/newsevents/press/bcreg/20100415a.htm.
---------------------------------------------------------------------------
The Commission has determined that the proposed rule does not
contain any new or substantively revised information collection
requirements as defined by the PRA and that the burden estimate for the
previously-approved information collections should be reduced as
explained above. The Commission welcomes comments on these
determinations or any other aspect of the proposal for purposes of the
PRA. Comments should be submitted as outlined in the ADDRESSES section
above. All comments will become a matter of public record.
Invitation To Comment
You can file a comment online or on paper. For the Commission to
consider your comment, we must receive it on or before August 31, 2015.
Write ``Amendment to the Privacy of Consumer Financial Information
Rule, 16 CFR part 313, Project No. R411016'' on your comment. Your
comment--including your name and your state--will be placed on the
public record of this proceeding, including, to the extent practicable,
on the Commission Web site, at http://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the Commission tries to
remove individuals' home contact information from comments before
placing them on the Commission Web site.
Because your comment will be made public, you are solely
responsible for making sure that your comment doesn't include any
sensitive personal information, such as Social Security number, date of
birth, driver's license number or other state identification number or
foreign country equivalent, passport number, financial account number,
or credit or debit card number. You are also solely responsible for
making sure that your comment doesn't include any sensitive health
information, including medical records or other individually
identifiable health information. In addition, do not include any
``[t]rade secret or any commercial or financial information which . . .
is privileged or confidential,'' as discussed in section 6(f) of the
FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2).
In particular, do not include competitively sensitive information such
as costs, sales statistics, inventories, formulas, patterns, devices,
manufacturing processes, or customer names.
If you want the Commission to give your comment confidential
treatment, you must file it in paper form, with a request for
confidential treatment, and you have to follow the procedure explained
in FTC Rule 4.9(c), 16 CFR 4.9(c).\81\ Your comment will be kept
confidential only if the FTC General Counsel, in his or her sole
discretion, grants your request in accordance with the law and the
public interest.
---------------------------------------------------------------------------
\81\ In particular, the written request for confidential
treatment that accompanies the comment must include the factual and
legal basis for the request, and must identify the specific portions
of the comment to be withheld from the public record. See FTC Rule
4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------
Postal mail addressed to the Commission is subject to delay due to
heightened security screening. As a result, we encourage you to submit
your comments online. To make sure that the Commission considers your
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/GLBPrivacyamendment, by following the instructions on the web-based
form. If this Notice appears at http://www.regulations.gov/#!home, you
also may file a comment through that Web site.
If you file your comment on paper, write ``Amendment to the Privacy
of Consumer Financial Information Rule, 16 CFR part 313, Project No.
R411016'' on your comment and on the envelope, and mail your comment to
the following address: Federal Trade Commission, Office of the
Secretary, 600 Pennsylvania Avenue NW., Suite CC-5610 (Annex E),
Washington, DC 20580, or deliver your comment to the following address:
Federal Trade Commission, Office of the Secretary, Constitution Center,
400 7th Street SW., 5th Floor, Suite 5610 (Annex E), Washington, DC
20024. If possible, submit your paper comment to the Commission by
courier or overnight service.
Visit the Commission Web site at http://www.ftc.gov to read this
Notice and the news release describing it. The FTC Act and other laws
that the Commission administers permit the collection of public
comments to consider and use in this proceeding as appropriate. The
Commission will consider all timely and responsive public comments that
it receives on or before August 31, 2015. For information on the
Commission's privacy policy, including routine uses permitted by the
Privacy Act, see http://www.ftc.gov/ftc/privacy.htm.
List of Subjects in 16 CFR Part 313
Consumer protection, Motor vehicle dealers, Privacy, Reporting and
recordkeeping requirements, Trade practices.
Authority and Issuance
For the reasons set forth in the preamble, the Commission proposes
to amend 16 CFR part 313, as set forth below:
PART 313--PRIVACY OF CONSUMER FINANCIAL INFORMATION
1. The authority citation for Part 313 is revised to read as follows:
Authority: 15 U.S.C. 6801 et seq., 12 U.S.C. 5519.
2. In Sec. 313.1, revise paragraph (b) to read as follows:
Sec. 313.1 Purpose and scope.
* * * * *
(b) Scope. This part applies only to nonpublic personal information
about individuals who obtain financial products or services primarily
for personal, family or household purposes from the institutions listed
below. This part does not apply to information about companies or about
individuals who obtain financial products or services for business,
commercial, or agricultural purposes. This part applies to those
``financial institutions'' over which the Federal Trade Commission
(``Commission'') has rulemaking authority pursuant to section
504(a)(1)(C) of the Gramm-Leach-Bliley Act. An entity is a ``financial
institution'' if its business is engaging in a financial activity as
described in section 4(k) of the Bank Holding Company Act of 1956, 12
U.S.C. 1843(k), which incorporates by reference activities enumerated
by the Federal Reserve Board in 12 CFR 211.5(d) and 12 CFR 225.28. The
``financial institutions'' subject to the Commission's rulemaking
authority are any persons described in 12 U.S.C. 5519 that are
predominantly engaged in the sale and servicing of motor vehicles, the
leasing and servicing of motor vehicles, or both. They are referred to
in this part as ``You.''
3. In Sec. 313.3, revise paragraphs (e), (i), (k), and (q) to read as
follows:
Sec. 313.3 Definitions.
* * * * *
(e)(1) Consumer means an individual who obtains or has obtained a
financial product or service from you that is to be used primarily for
personal, family, or household purposes, or that individual's legal
representative.
(2) Examples for purposes of 16 CFR part 313 and 314--(i) An
individual who applies to you for credit for personal, family, or
household purposes is a consumer of a financial service, regardless of
whether the credit is extended.
(ii) An individual who provides nonpublic personal information to
you in order to obtain a determination about whether he or she may
qualify for a loan to be used primarily for personal, family, or
household purposes is a consumer of a financial service, regardless of
whether the loan is extended.
(iii) If you hold ownership or servicing rights to an individual's
loan that is used primarily for personal, family, or household
purposes, the individual is your consumer, even if you hold those
rights in conjunction with one or more other institutions. (The
individual is also a consumer with respect to the other financial
institutions involved.) An individual who has a loan in which you have
ownership or servicing rights is your consumer, even if you, or another
institution with those rights, hire an agent to collect on the loan.
(iv) An individual who is a consumer of another financial
institution is not your consumer solely because you act as agent for,
or provide processing or other services to, that financial institution.
(v) An individual is not your consumer solely because he or she is
a participant or a beneficiary of an employee benefit plan that you
sponsor or for which you act as a trustee or fiduciary.
(3) Examples for purposes of 16 CFR part 314--(i) An individual who
provides nonpublic personal information to you in connection with
obtaining or seeking to obtain financial, investment, or economic
advisory services is a consumer, regardless of whether you establish a
continuing advisory relationship.
(ii) An individual is not your consumer solely because he or she
has designated you as trustee for a trust.
(iii) An individual is not your consumer solely because he or she
is a beneficiary of a trust for which you are a trustee.
* * * * *
(i)(1) Customer relationship means a continuing relationship
between a consumer and you under which you provide one or more
financial products or services to the consumer that are to be used
primarily for personal, family, or household purposes.
(2) Examples--(i) Continuing relationship. (A) A consumer has a
continuing relationship with you, for purposes of 16 CFR part 313 and
part 314, if the consumer:
(1) Has a credit or investment account with you;
(2) Obtains a loan from you;
(3) Purchases an insurance product from you;
(4) Enters into an agreement or understanding with you whereby you
undertake to arrange credit to purchase a vehicle, for the consumer;
(5) Enters into a lease of personal property on a non-operating
basis with you; or
(6) Has a loan for which you own the servicing rights.
(B) A consumer also has a continuing relationship with you, for
purposes of 16 CFR part 314, if the consumer:
(1) Holds an investment product through you, such as when you act
as a custodian for securities or for assets in an Individual Retirement
Arrangement;
(2) Enters into an agreement or understanding with you whereby you
undertake to arrange or broker a home mortgage loan, for the consumer;
(3) Obtains financial, investment, or economic advisory services
from you for a fee;
(4) Becomes your client for the purpose of obtaining tax
preparation or credit counseling services from you;
(5) Obtains career counseling while seeking employment with a
financial institution or the finance, accounting, or audit department
of any company (or while employed by such a financial institution or
department of any company);
(6) Is obligated on an account that you purchase from another
financial institution, regardless of whether the account is in default
when purchased, unless you do not locate the consumer or attempt to
collect any amount from the consumer on the account; or
(7) Obtains real estate settlement services from you.
(ii) No continuing relationship. (A) For purposes of 16 CFR parts
313 and 314, a consumer does not, however, have a continuing
relationship with you if:
(1) The consumer obtains a financial product or service from you
only in isolated transactions, such as cashing a check with you or
making a wire transfer through you;
(2) You sell the consumer's loan and do not retain the rights to
service that loan; or
(3) The consumer obtains one-time personal or real property
appraisal services from you.
(B) For purposes of 16 CFR part 314, a consumer also does not have
a continuing relationship with you if:
(1) The consumer obtains a financial product or service from you
only in isolated transactions, such as using your ATM to withdraw cash
from an account at another financial institution or purchasing a money
order from you;
(2) You sell the consumer airline tickets, travel insurance, or
traveler's checks in isolated transactions; or
(3) The consumer purchases checks for a personal checking account
from you.
* * * * *
(k)(1) Financial institution means any institution the business of
which is engaging in financial activities as described in section 4(k)
of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). An
institution that is significantly engaged in financial activities is a
financial institution.
(2) Example of financial institution for purposes of 16 CFR part
313 and 314. An automobile dealership that, as a usual part of its
business, leases automobiles on a nonoperating basis for longer than 90
days is a financial institution with respect to its leasing business
because leasing personal property on a nonoperating basis where the
initial term of the lease is at least 90 days is a financial activity
listed in 12 CFR 225.28(b)(3) and referenced in section 4(k)(4)(F) of
the Bank Holding Company Act.
(3) Examples of financial institution for purposes of 16 CFR part
314. (i) A retailer that extends credit by issuing its own credit card
directly to consumers is a financial institution because extending
credit is a financial activity listed in 12 CFR 225.28(b)(1) and
referenced in section 4(k)(4)(F) of the Bank Holding Company Act and
issuing that extension of credit through a proprietary credit card
demonstrates that a retailer is significantly engaged in extending
credit.
(ii) A personal property or real estate appraiser is a financial
institution because real and personal property appraisal is a financial
activity listed in 12 CFR 225.28(b)(2)(i) and referenced in section
4(k)(4)(F) of the Bank Holding Company Act.
(iii) A career counselor that specializes in providing career
counseling services to individuals currently employed by or recently
displaced from a financial organization, individuals who are seeking
employment with a financial organization, or individuals who are
currently employed by or seeking placement with the finance, accounting
or audit departments of any company is a financial institution because
such career counseling activities are financial activities listed in 12
CFR 225.28(b)(9)(iii) and referenced in section 4(k)(4)(F) of the Bank
Holding Company Act.
(iv) A business that prints and sells checks for consumers, either
as its sole business or as one of its product lines, is a financial
institution because printing and selling checks is a financial activity
that is listed in 12 CFR 225.28(b)(10)(ii) and referenced in section
4(k)(4)(F) of the Bank Holding Company Act.
(v) A business that regularly wires money to and from consumers is
a financial institution because transferring money is a financial
activity referenced in section 4(k)(4)(A) of the Bank Holding Company
Act and regularly providing that service demonstrates that the business
is significantly engaged in that activity.
(vi) A check cashing business is a financial institution because
cashing a check is exchanging money, which is a financial activity
listed in section 4(k)(4)(A) of the Bank Holding Company Act.
(vii) An accountant or other tax preparation service that is in the
business of completing income tax returns is a financial institution
because tax preparation services is a financial activity listed in 12
CFR 225.28(b)(6)(vi) and referenced in section 4(k)(4)(G) of the Bank
Holding Company Act.
(viii) A business that operates a travel agency in connection with
financial services is a financial institution because operating a
travel agency in connection with financial services is a financial
activity listed in 12 CFR 211.5(d)(15) and referenced in section
4(k)(4)(G) of the Bank Holding Company Act.
(ix) An entity that provides real estate settlement services is a
financial institution because providing real estate settlement services
is a financial activity listed in 12 CFR 225.28(b)(2)(viii) and
referenced in section 4(k)(4)(F) of the Bank Holding Company Act.
(x) A mortgage broker is a financial institution because brokering
loans is a financial activity listed in 12 CFR 225.28(b)(1) and
referenced in section 4(k)(4)(F) of the Bank Holding Company Act.
(xi) An investment advisory company and a credit counseling service
are each financial institutions because providing financial and
investment advisory services are financial activities referenced in
section 4(k)(4)(C) of the Bank Holding Company Act.
(4) Financial institution does not include:
(i) Any person or entity with respect to any financial activity
that is subject to the jurisdiction of the Commodity Futures Trading
Commission under the Commodity Exchange Act (7 U.S.C. 1 et seq.);
(ii) The Federal Agricultural Mortgage Corporation or any entity
chartered and operating under the Farm Credit Act of 1971 (12 U.S.C.
2001 et seq.); or
(iii) Institutions chartered by Congress specifically to engage in
securitizations, secondary market sales (including sales of servicing
rights) or similar transactions related to a transaction of a consumer,
as long as such institutions do not sell or transfer nonpublic personal
information to a nonaffiliated third party other than as permitted by
Sec. Sec. 313.14 and 313.15 of this Part.
(iv) Entities that engage in financial activities but that are not
significantly engaged in those financial activities.
(5) Example of entities that are not significantly engaged in
financial activities for purposes of 16 CFR part 313 and 314. A motor
vehicle dealer is not a financial institution merely because it accepts
payment in the form of cash, checks, or credit cards that it did not
issue.
(6) Examples of entities that are not significantly engaged in
financial activities for purposes of 16 CFR part 314. (i) A retailer is
not a financial institution if its only means of extending credit are
occasional ``lay away'' and deferred payment plans or accepting payment
by means of credit cards issued by others.
(ii) A retailer is not a financial institution merely because it
accepts payment in the form of cash, checks, or credit cards that it
did not issue.
(iii) A merchant is not a financial institution merely because it
allows an individual to ``run a tab.''
(iv) A grocery store is not a financial institution merely because
it allows individuals to whom it sells groceries to cash a check, or
write a check for a higher amount than the grocery purchase and obtain
cash in return.
* * * * *
(q) For purposes of 16 CFR part 313, You includes each ``financial
institution'' over which the Commission has rulemaking authority
pursuant to section 504(a)(1)(C) of the Gramm-Leach-Bliley Act. For
purposes of 16 CFR part 314, You includes each ``financial
institution'' (but excludes any ``other person'') over which the
Commission has enforcement jurisdiction pursuant to section 505(a)(7)
of the Gramm-Leach-Bliley Act.
4. In Sec. 313.9, revise paragraph (c) to read as follows:
Sec. 313.9 Delivering privacy and opt out notices.
* * * * *
(c) Annual notices only. (1) Reasonable expectation. You may
reasonably expect that a customer will receive actual notice of your
annual privacy notice if:
(i) The customer uses your Web site to access financial products
and services electronically and agrees to receive notices at the Web
site, and you post your current privacy notice continuously in a clear
and conspicuous manner on the Web site; or
(ii) The customer has requested that you refrain from sending any
information regarding the customer relationship, and your current
privacy notice remains available to the customer upon request.
(2) Alternative method for providing certain annual notices. (i)
Notwithstanding paragraph (a) of this section, you may use the
alternative method described in paragraph (c)(2)(ii) of this section to
satisfy the requirement in Sec. 313.5(a)(1) to provide a notice if:
(A) You do not disclose the customer's nonpublic personal
information with nonaffiliated third parties other than for purposes
under Sec. Sec. 313.13, 313.14, and 313.15;
(B) You do not include on your annual privacy notice pursuant to
Sec. 313.6(a)(7) an opt out under section 603(d)(2)(A)(iii) of the
Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii));
(C) The requirements of section 624 of the Fair Credit Reporting
Act (15 U.S.C. 1681s-3) and Part 680 of this chapter, if applicable,
have been satisfied previously or the annual privacy notice is not the
only notice provided to satisfy such requirements;
(D) The information you are required to convey on your annual
privacy notice pursuant to Sec. 313.6(a)(1) through (5), (8), and (9)
has not changed since you provided the immediately previous privacy
notice (whether initial, annual or revised) to the customer, other than
to eliminate categories of information you disclose or categories of
third parties to whom you disclose information; and
(E) You use the model privacy form in the appendix to this part for
your annual privacy notice.
(ii) For an annual privacy notice that meets the requirements in
paragraph (c)(2)(i) of this section, you satisfy the requirement in
Sec. 313.5(a)(1) to provide a notice if you:
(A) Convey in a clear and conspicuous manner not less than annually
on an account statement, coupon book, or a notice or disclosure you are
required or expressly and specifically permitted to issue under any
other provision of law that your privacy notice is available on your
Web site and will be mailed to the customer upon request by telephone.
The statement must state that your privacy notice has not changed and
must include a specific Web address that takes the customer directly to
the page where the privacy notice is posted and a designated telephone
number for the customer to request that it be mailed;
(B) Post your current privacy notice continuously in a clear and
conspicuous manner on a page of your Web site that contains only the
privacy notice, without requiring the customer to provide any
information such as a login name or password or agree to any conditions
to access the page; and
(C) Mail your current privacy notice to those customers who request
it by telephone within ten days of the request.
(iii) An example of a statement that satisfies paragraph
(c)(2)(ii)(A) of this section is: ``Privacy Notice'' in boldface or
otherwise emphasized: Privacy Notice--Federal law requires us to tell
you how we collect, share, and protect your personal information. Our
privacy policy has not changed and you may review our policy and
practices with respect to your personal information at [Web address] or
we will mail you a free copy upon request if you call us at [telephone
number].
* * * * *
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2015-14328 Filed 6-23-15; 8:45 am]