Amendment to the Privacy of Consumer Financial Information Rule Under the Gramm-Leach-Bliley Act, 36267-36279 [2015-14328]
Download as PDFAgencies
[Federal Register Volume 80, Number 121 (Wednesday, June 24, 2015)] [Proposed Rules] [Pages 36267-36279] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 2015-14328] ======================================================================= ----------------------------------------------------------------------- FEDERAL TRADE COMMISSION 16 CFR Part 313 RIN 3084-AB42 Amendment to the Privacy of Consumer Financial Information Rule Under the Gramm-Leach-Bliley Act AGENCY: Federal Trade Commission (FTC or Commission). ACTION: Notice of proposed rulemaking; Request for public comment. ----------------------------------------------------------------------- SUMMARY: The FTC proposes to amend the Privacy of Consumer Financial Information Rule (Privacy Rule or Rule), which among other things requires that certain motor vehicle dealers provide an annual disclosure of their privacy policies to their customers by hand delivery, mail, electronic delivery, or, alternatively through a Web site, but only with the consent of the consumer. The amendment would allow motor vehicle dealers instead to notify their customers that a privacy policy is available on their Web site, under certain circumstances. The amendment would also revise the scope and definitions in this rule in light of the transfer of part of the Commission's rulemaking authority to the Consumer Financial Protection Bureau (CFPB or the Bureau) in the Dodd-Frank Wall Street Reform and Consumer Protection Act, but retains certain examples for purposes of the FTC's Safeguards Rule. DATES: Comments must be received on or before August 31, 2015. ADDRESSES: Interested parties may file a comment online or on paper, by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Write ``Amendment to the Privacy of Consumer Financial Information Rule, 16 CFR part 313, Project No. R411016'' on your comment, and file your comment online at https://ftcpublic.commentworks.com/ftc/GLBPrivacyamendment, by following the instructions on the web-based form. If you prefer to file your comment on paper, write ``Amendment to the Privacy of Consumer Financial Information Rule, 16 CFR part 313, Project No. R411016'' on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC-5610 (Annex E), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex E), Washington, DC 20024. FOR FURTHER INFORMATION CONTACT: Steven Toporoff, (202) 326-3135, Attorney, Division of Privacy and Identity Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW., Washington, DC 20580. SUPPLEMENTARY INFORMATION: I. Summary of the Proposed Rule The Gramm-Leach-Bliley Act (GLBA) \1\ mandates that financial institutions provide their customers with initial and annual notices regarding their privacy policies. If financial institutions share certain customer information with particular types of third parties, the institutions are also required to provide an opportunity to opt out of the sharing. The Commission issued its rule implementing these provisions in 2000.\2\ The Dodd-Frank Wall Street Reform and Consumer Protection Act transferred GLBA privacy notice rulemaking authority, in part, to the Bureau; however, the Commission retains rulemaking authority over any financial institution that is a motor vehicle dealer predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both, as described in Section 1029 of the Dodd-Frank Act, 12 U.S.C. 5519 (hereafter, motor vehicle dealers). --------------------------------------------------------------------------- \1\ 15 U.S.C. 6801 et seq. \2\ 65 FR 33646 (May 24, 2000). --------------------------------------------------------------------------- The Commission proposes to revise its Privacy Rule, 16 CFR part 313, in two ways. First, in light of the transfer of rulemaking authority for certain financial institutions to the Bureau, the Commission proposes to revise the explanation of the scope of the Rule and to tailor the examples provided in the Rule's Definitions section describing entities over which the Commission has retained rulemaking authority. The Commission believes that revising these provisions will eliminate extraneous information, clarify the Rule's applicability, and reduce confusion as to entities covered by the Rule. The Rule also retains several examples explaining the types of entities covered by the Safeguards Rule, 16 CFR part 314. Second, the Commission proposes to provide an alternative means for covered motor vehicle dealers to fulfill their obligation under the Privacy Rule to provide notice of their privacy policies. Under the proposal, motor vehicle dealers that do not engage in certain types of information-sharing activities would no longer be required to mail an annual privacy notice if they clearly and conspicuously convey, as [[Page 36268]] part of another mandated or legally permissible notice or disclosure, that their privacy notice is available on their publicly accessible Web site. This proposed revision is consistent with changes made in an October 28, 2014, rulemaking by the Bureau, which has rulemaking authority over depository institutions and many non-depository institutions.\3\ --------------------------------------------------------------------------- \3\ 79 FR 64057 (Oct. 28, 2014). --------------------------------------------------------------------------- The Commission believes that the proposed changes are consistent with those issued by the Bureau, and will help avoid consumer confusion and ensure that the requirements for motor vehicle dealers covered by the Rule are consistent with the GLBA's privacy provisions for other financial institutions. Such changes may also streamline the flow of information to consumers, while easing the burden on motor vehicle dealers of providing annual notices. The Commission invites comment on the proposed rule revisions generally and on the specific issues outlined throughout Section IV. In addition, the Commission requests comment on whether, and the extent to which, the FTC's Privacy Rule applicable to motor vehicle dealers should be consistent with the rule adopted by the Bureau, or if there are elements that should differ. The Commission seeks comment on the proposal through August 17, 2015. II. Background A. The Statute and Regulation The GLBA was enacted in 1999.\4\ The GLBA, among other things, provides a framework for regulating the privacy practices of a broad range of entities. The GLBA requires that financial institutions provide their customers with initial and annual notices regarding their privacy policies, and allow their customers to opt out of sharing their information with certain nonaffiliated third parties. Covered entities include, for example, payday lenders, mortgage brokers, check cashers, debt collectors, real estate appraisers, certain motor vehicle dealers and remittance transfer providers. --------------------------------------------------------------------------- \4\ Public Law 106-102, 113 Stat. 1338 (1999). --------------------------------------------------------------------------- Rulemaking authority to implement the GLBA's privacy provisions was initially spread among many agencies. The Federal Reserve Board (Board), the Office of Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the Office of Thrift Supervision (OTS) jointly adopted final rules to implement the notice requirements of the GLBA in 2000.\5\ The Commission, the National Credit Union Administration (NCUA), Securities and Exchange Commission (SEC), and Commodity Futures Trading Commission (CFTC) were part of the same interagency process, but issued their rules separately.\6\ In 2009, all these agencies issued a joint final rule with a model form that financial institutions could use, at their option, to provide the required initial and annual privacy disclosures.\7\ --------------------------------------------------------------------------- \5\ 65 FR 35162 (June 1, 2000). \6\ 65 FR 33646 (May 24, 2000) (FTC final rule); 65 FR 31722 (May 18, 2000) (NCUA final rule); 65 FR 40334 (June 29, 2000) (SEC final rule); 66 FR 21252 (Apr. 27, 2001) (CFTC final rule). \7\ 74 FR 62890 (Dec. 1, 2009). --------------------------------------------------------------------------- In 2011, the Dodd-Frank Act \8\ transferred the GLBA's privacy notice rulemaking authority from the Board, NCUA, OCC, OTS, the FDIC, and the Commission (in part) to the Bureau. The Bureau then restated the implementing regulations in Regulation P, 12 CFR part 1016, in late 2011 (Regulation P).\9\ However, under the Dodd-Frank Act, the Commission retained rulemaking authority for motor vehicle dealers described in section 1029 of the Dodd-Frank Act, 12 U.S.C. 5519. Thus, in 2012, the Commission issued a notice that it was retaining the implementing regulations governing privacy notices for motor vehicles dealers, at 16 CFR part 313.\10\ --------------------------------------------------------------------------- \8\ Public Law 111-203, 124 Stat. 1376 (2010). \9\ 76 FR 79025 (Dec. 21, 2011). \10\ 77 FR 22200, 22201 (April 13, 2012) (also rescinding those regulations for which rulemaking authority was transferred to the Bureau under the Dodd-Frank Act). --------------------------------------------------------------------------- Despite the transfer of general rulemaking authority for the Privacy Rule to the CFPB, the Commission and other agencies retained their existing enforcement authority under the GLBA.\11\ In addition, the SEC and CFTC retained rulemaking authority with respect to securities and futures-related companies, respectively.\12\ Accordingly, as part of this rulemaking process, the Commission has consulted and coordinated, or offered to consult, with those agencies who have rulemaking and/or enforcement authority under the GLBA, including the Bureau, SEC, CFTC and the National Association of Insurance Commissioners (NAIC).\13\ --------------------------------------------------------------------------- \11\ 15 U.S.C. 6805(a). \12\ 15 U.S.C. 6804, 6809; 12 U.S.C. 1843(k)(4); 12 CFR 1016.1(b). \13\ See 15 U.S.C. 6804(a)(2). --------------------------------------------------------------------------- B. The Privacy Notice Requirements As noted, the GLBA and the FTC Privacy Rule require that certain covered motor vehicle dealers provide consumers with notices describing their privacy policies. Section 503 of the GLBA and 16 CFR 313.4 require covered entities to provide an initial notice of these policies, and then ``provide a clear and conspicuous notice to customers that accurately reflects [their] privacy policies and practices not less than annually during the continuation of the customer relationship.'' \14\ --------------------------------------------------------------------------- \14\ 16 CFR 313.5(a)(1) (emphasis added). --------------------------------------------------------------------------- Section 502 of the GLBA and 16 CFR 313.6(a)(6) require that initial and annual notices inform customers of their right to opt out of the sharing of nonpublic personal information with some types of nonaffiliated third parties. For example, a customer has the right to opt out of allowing a motor vehicle dealer to sell her name and address to a nonaffiliated auto insurance company. On the other hand, a motor vehicle dealer is not required to allow consumers to opt out of the dealer's sharing involving third-party service providers, joint marketing arrangements, maintenance and servicing of accounts, securitization, law enforcement and compliance, reporting to consumer reporting agencies, and certain other activities that are specified in the statute and regulation.\15\ If a motor vehicle dealer limits its sharing to uses that do not trigger opt-out rights, it may provide an annual privacy notice to its customers that does not include information regarding opt-out rights. --------------------------------------------------------------------------- \15\ 15 U.S.C. 6802(b)(2), 6802(e); 16 CFR 313.13, 313.14, 313.15. --------------------------------------------------------------------------- Motor vehicle dealers also may include in the annual privacy notice information about certain consumer opt-out rights related to affiliate sharing under the FCRA. First, section 603(d)(2)(A)(iii) of the FCRA allows the sharing of a consumer's information among affiliates, but only if the consumer is notified of such sharing and is given an opportunity to opt out.\16\ Section 503(c)(4) of the GLBA and the Privacy Rule generally require motor vehicle dealers to incorporate any notifications and opt-out disclosures provided pursuant to section 603(d)(2)(A)(iii) of the FCRA into their initial and annual privacy notices.\17\ --------------------------------------------------------------------------- \16\ 15 U.S.C. 1681a(d)(2)(A)(iii). \17\ 15 U.S.C. 6803(c)(4); 16 CFR 313.6(a)(7). --------------------------------------------------------------------------- Second, section 624 of the FCRA and 16 CFR 680 (the Affiliate Marketing Rule) provide that an affiliate of a motor vehicle dealer that receives certain information \18\ about a consumer from the dealer may not use that information for marketing purposes, unless the consumer is provided with an opportunity to opt out of that use.\19\ [[Page 36269]] This requirement governs the use of information by an affiliate, not the sharing of information among affiliates, and thus is distinct from the affiliate sharing opt-out discussed above. The Affiliate Marketing Rule permits (but does not require) motor vehicle dealers to incorporate any opt-out disclosures provided under section 624 of the FCRA and the Affiliate Marketing Rule into the initial and annual privacy notices required by the GLBA.\20\ --------------------------------------------------------------------------- \18\ The type of information to which section 624 applies is information that would be a consumer report but for the exclusions provided by section 603(d)(2)(A)(i), (ii), or (iii) of the FCRA. \19\ 15 U.S.C. 1681s-3. The FTC's Affiliate Marketing Rule applies to motor vehicle dealers. See 77 FR 22200. The FTC also enforces the Bureau's Regulation V's Affiliate Marketing Rule, 12 CFR part 1022, subpart C, for other entities over which it has enforcement authority under the FCRA. \20\ 16 CFR 680.23(b). --------------------------------------------------------------------------- Finally, Sec. 313.6(a)(8) of the Privacy Rule requires that the notices also briefly describe how motor vehicle dealers protect the nonpublic personal information they collect and maintain. C. The Bureau Rulemaking In December 2011, the Bureau issued a Request for Information seeking specific suggestions for streamlining regulations that were transferred to the Bureau from other Federal agencies (Streamlining RFI), including the annual privacy notice requirement.\21\ --------------------------------------------------------------------------- \21\ 76 FR 75825, 75828 (Dec. 5, 2011). --------------------------------------------------------------------------- The Bureau received numerous comments from industry urging the Bureau to eliminate or reduce the annual notice requirement.\22\ Industry argued that most customers ignore annual privacy notices; the content of the disclosures provides little benefit when customers have no right to opt out of information sharing; current distribution of the notices imposes significant costs; and other methods of delivery could effectively convey the information to customers at a lower cost. Industry commenters suggested that the Bureau eliminate or ease the annual notice requirement if businesses' privacy policies have not changed and they do not share nonpublic personal information beyond the exceptions allowed by the GLBA.\23\ Consumer advocacy groups highlighted the benefit customers receive from printed annual privacy notices, which may remind customers of privacy rights that they may not have exercised previously.\24\ --------------------------------------------------------------------------- \22\ 79 FR 27214 at 27217 (May 14, 2014) (Bureau Notice of Proposed Rulemaking). \23\ Id. \24\ Id. --------------------------------------------------------------------------- In November of 2013, the Bureau published a study assessing the effects of certain deposit regulations on financial institutions' operations.\25\ This study provided operational insights from seven banks about their annual privacy notices. All seven participants provided the annual notice as a separate mailing, which resulted in higher costs for postage, materials, and labor than if the notice were mailed with other material. Some of these participants separately mailed their notices to ensure that their disclosures are ``clear and conspicuous,'' \26\ even though 2009 guidance from the eight agencies promulgating the model privacy form explained that a separate mailing is not required.\27\ As a result of its Streamlining RFI, study, and its outreach to industry and consumer groups, in May 2014, the Bureau issued a proposed rule to amend its Regulation P to allow financial institutions to notify consumers that a privacy notice was available online, in certain enumerated circumstances. The comment period closed on July 14, 2014. As noted above, the Bureau finalized its rulemaking in October 2014.\28\ --------------------------------------------------------------------------- \25\ Consumer Financial Protection Bureau, ``Understanding the Effects of Certain Deposit Regulations on Financial Institutions' Operations: Findings on Relative Costs for Systems, Personnel, and Processes at Seven Institutions'' (Nov. 2013), available at https://files.consumerfinance.gov/f/201311_cfpb_report_findings-relative-costs.pdf. Information collected for the study may be used to assist the Bureau in its investigations of ``the effects of a potential or existing regulation on the business decisions of providers.'' OMB Information Request--Control Number: 3170-0032. \26\ 15 U.S.C. 6803 (In its initial and annual privacy notices ``a financial institution shall provide a clear and conspicuous disclosure . . . .''); 12 CFR 1016.3(b)(1) and 16 CFR 313.3(b)(1) (both defining ``clear and conspicuous'' as ``reasonably understandable and designed to call attention to the nature and significance of the information in the notice.''). \27\ See 74 FR 62890, 62897-62898. \28\ 79 FR 64057 (Oct. 28, 2014). --------------------------------------------------------------------------- III. The Commission's Proposed Rule Changes A. Technical Changes To Correspond to Statutory Changes The Commission adopted the scope and definitions in the existing Privacy Rule at a time when it had rulemaking authority for the Privacy Rule over a broader group of non-bank ``financial institutions'' as defined by the GLBA. While the Dodd-Frank Act did not change the Commission's enforcement authority for the privacy notice obligations of the GLBA, the Dodd-Frank Act amended the Commission's rulemaking authority under the GLBA such that its Privacy Rule only applies to motor vehicle dealers. For other types of financial institutions over which the Commission has enforcement authority under the GLBA, the Commission now enforces the Bureau's Regulation P. The amendments in the Dodd-Frank Act necessitate certain technical revisions to the Privacy Rule to ensure that the regulation is consistent with the text of the amended GLBA.\29\ Specifically, the Commission proposes to modify the Scope and Definitions section of the Privacy Rule to provide clearer guidance to financial institutions that are covered motor vehicle dealers. --------------------------------------------------------------------------- \29\ 15 U.S.C. 6804(1)(C). --------------------------------------------------------------------------- Although the Dodd-Frank Act altered the Commission's rulemaking authority with respect to the Privacy Rule, it did not alter the Commission's rulemaking authority for the GLBA's Standards for Safeguarding Customer Information, at 16 CFR part 314 (the Safeguards Rule). For the Safeguards Rule, the Commission continues to have rulemaking authority over a broad range of non-bank financial institutions. The Safeguards Rule, however, incorporates by reference the definitions contained in the Privacy Rule, including all of the examples of financial institutions listed in the existing Privacy Rule.\30\ Accordingly, the Commission proposes to change the Privacy Rule definitions to make clear that, for the purpose of the Privacy Rule, the only examples applicable in the definitions are those related to motor vehicle dealers; for the purpose of the Safeguards Rule, however, all existing examples in the Privacy Rule continue to apply. --------------------------------------------------------------------------- \30\ 16 CFR 314.2(a). --------------------------------------------------------------------------- B. Changes to the Annual Privacy Notice The Commission also proposes changes to the Privacy Rule provisions governing how motor vehicle dealers should deliver annual privacy notices. These changes are consistent with changes adopted by the Bureau for those financial institutions subject to the Bureau's rulemaking authority. Under certain limited circumstances, these changes to the Privacy Rule would allow motor vehicle dealers to convey clearly and conspicuously--through another mandated or legally permissible notice or disclosure--that their privacy notice is available on their Web site (hereafter, the alternative delivery method).\31\ If, however, a motor vehicle dealer has made changes to its privacy practices or shares its customers' nonpublic personal information with nonaffiliated third parties, the dealer [[Page 36270]] generally could not avail itself of this alternative delivery method.\32\ --------------------------------------------------------------------------- \31\ Because this disclosure must be provided annually, the proposal satisfies the statutory requirement that motor vehicle dealers provide annual notices about their privacy practices. Beyond the requirement to provide the notice annually, the GBLA allows agencies to prescribe the method of delivery. See 15 U.S.C. 6803(a) (The GLBA allows annual notice to be delivered ``in writing or in electronic form or other form permitted by the regulations . . .''). \32\ A motor vehicle dealer may use the alternative delivery method if such sharing does not trigger GLBA opt-out rights as set forth in Parts 313.13, 313.14, and 313.15. --------------------------------------------------------------------------- The Commission anticipates that use of the alternative delivery method that meets the requirements discussed below could inform customers of their motor vehicle dealer's privacy policies effectively and at a lower cost than the current widespread method of mailing annual privacy notices. The cost savings could benefit both consumers and businesses.\33\ --------------------------------------------------------------------------- \33\ See 79 FR at 27218; 79 FR at 64061. --------------------------------------------------------------------------- The Commission has also considered the potential impact of its proposed rule change on consumer privacy. The proposal would not affect the actual collection or use of consumers' nonpublic personal information by motor vehicle dealers, and consumers would continue to get the information and opt-out rights they are entitled to under the statute. Moreover, the proposal would enable consumers to review a motor vehicle dealer's policy at her own convenience any time during the year. For example, a motor vehicle dealer choosing to use the alternative method would have to post the privacy notice continuously on its Web site, thus enabling consumers to access the privacy notice throughout the year rather than having to wait for an annual mailing. IV. Section-by-Section Analysis Section 313.1(b)--Scope Section 313.1(b) outlines the scope of the Privacy Rule. The existing Rule describes the types of entities to which the Privacy Rule was applicable prior to the enactment of the Dodd-Frank Act. Those entities included--but were not limited to--financial institutions such as ``payday'' lenders, mortgage brokers, check cashers, and tax preparation firms, but did not include entities that were subject to the rulemaking authority of another agency.\34\ With the exception of motor vehicle dealers, the entities formerly subject to 16 CFR part 313 are now subject to the Bureau's Regulation P.\35\ --------------------------------------------------------------------------- \34\ See 15 U.S.C. 6804 (2010). \35\ The Commission retains enforcement authority over such entities for violations of the Bureau's Regulation P. 15 U.S.C. 6805(a)(7). --------------------------------------------------------------------------- The Commission seeks to revise the Privacy Rule to make clear that it applies only to motor vehicle dealers. Accordingly, the Commission proposes to revise Sec. 313.1(b) to remove examples of entities to which the FTC's Privacy Rule no longer applies. The Commission also proposes to remove the reference in the Privacy Rule's scope to ``other persons.'' Although the Commission continues to have enforcement authority over ``other persons'' covered by the CFPB's rule, the Commission no longer has rulemaking authority for the Privacy Rule over ``other persons.'' In addition, the Commission proposes to eliminate from Sec. 313.1(b) the note indicating that: (1) The Privacy Rule does not modify, limit, or supersede the standards under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and (2) if a financial institution that is an institution of higher education is in compliance with the Federal Educational Rights and Privacy Act (FERPA) and its implementing regulations, such institution shall be deemed in compliance with 16 CFR part 313. The Commission believes it unlikely that this note is applicable to motor vehicle dealers but requests comment as to whether motor vehicle dealers ever engage in practices that require them to comply with HIPAA or FERPA. In addition, the Commission invites general comment on the proposed changes to the description of the scope of the Privacy Rule. Section 313.3--Definitions The Definitions section of the Privacy Rule includes a number of examples designed to provide guidance regarding the scope of terms used in the Privacy Rule. The Commission proposes to revise these definitions so that they provide accurate guidance regarding the Rule's scope. Specifically, the Commission proposes to revise Sec. 313.3 to make clear that certain examples in five definitions are not applicable to motor vehicle dealers for purposes of the Privacy Rule but continue to apply for purposes of the Safeguards Rule. Similarly, the Commission proposes to revise the definition of ``you,'' which currently includes entities to which the Privacy Rule no longer applies. First, for purposes of the Privacy Rule, proposed Sec. 313.3(e)(2) no longer includes, as examples of ``consumers,'' those consumers seeking financial advisory services \36\ or consumers with which the financial institution has a relationship related to a trust.\37\ The examples are retained for purposes of the Safeguards Rule, 16 CFR part 314. --------------------------------------------------------------------------- \36\ 16 CFR 313.3(e)(2)(iii). \37\ 16 CFR 313.3(e)(2)(vi) and (vii). --------------------------------------------------------------------------- Second, for purposes of the Privacy Rule, proposed Sec. 313.3(i)(2) no longer includes, as examples of a ``continuing relationship'' with a customer, a relationship in which the financial institution holds an investment product for the consumer; \38\ enters into an agreement to arrange or broker a home mortgage loan; \39\ provides financial, investment, or economic advisory services to a consumer; \40\ provides tax preparation or credit counseling services; \41\ provides career counseling for seeking employment with a financial institution or a financial, accounting or audit department of a company; \42\ purchases an account, on which the consumer has an obligation, from another financial institution; \43\ or provides real estate settlement services.\44\ The examples are retained for purposes of the Safeguards Rule. --------------------------------------------------------------------------- \38\ 16 CFR 313.3(i)(2)(i)(D). The Privacy Rule requires motor vehicle dealers to provide an annual notice while there is a continuing relationship between the dealer and the customer. \39\ 16 CFR 313.3(i)(2)(i)(E). This subsection has been revised to remove the portion of the example relating to home mortgage loans but retains the portion relating to credit to purchase a vehicle. \40\ 16 CFR 313.3(i)(2)(i)(G). \41\ 16 CFR 313.3(i)(2)(i)(H). \42\ 16 CFR 313.3(i)(2)(i)(I). \43\ 16 CFR 313.3(i)(2)(i)(J). \44\ 16 CFR 313.3(i)(2)(i)(K). --------------------------------------------------------------------------- Third, for purposes of the Privacy Rule, proposed Sec. 313.3(i)(2) no longer includes, as examples of ``no continuing relationship'' with a customer, a relationship in which the financial institution sells airline tickets \45\ or sells checks for a personal checking account.\46\ The examples are retained for purposes of the Safeguards Rule. --------------------------------------------------------------------------- \45\ 16 CFR 313.3(i)(2)(ii)(C). \46\ 16 CFR 313.3(i)(2)(ii)(E). --------------------------------------------------------------------------- Fourth, for purposes of the Privacy Rule, proposed Sec. 313.3(k)(2) no longer includes, as examples of ``financial institutions,'' retailers that extend credit by issuing their own credit cards to consumers; career counselors specializing in finance, accounting or audit employment; businesses that print and sell checks; businesses that regularly wire money to and from consumers; check cashing businesses; accountants or other tax preparation services that are in the business of completing tax returns; businesses that operate travel services in connection with financial services; businesses providing real estate settlement services; mortgage brokers, or investment advisory companies and credit counseling services.\47\ The examples are retained for purposes of the Safeguards Rule. --------------------------------------------------------------------------- \47\ 16 CFR 313.3(k)(2)(E)(i), (iv)-(xii). --------------------------------------------------------------------------- Fifth, for purposes of the Privacy Rule, proposed Sec. 313.3(k)(5) no longer includes as examples of ``entities that are not significantly engaged in financial activities,'' retailers that only extend credit via occasional ``lay away'' and deferred payment plans; merchants [[Page 36271]] that allow individuals to ``run a tab''; or grocery stores that allow individuals to cash checks or write checks for a higher amount than a purchase and obtain cash back.\48\ The examples are retained for purposes of the Safeguards Rule. The Commission invites comment regarding whether any of the examples that the Commission proposes to eliminate for purposes of the Privacy Rule are applicable to motor vehicle dealers. The Commission also seeks comment regarding the examples that remain for purposes of the Privacy Rule in the definitions of proposed Sec. 313.3 and the applicability of such examples to motor vehicle dealers. --------------------------------------------------------------------------- \48\ 16 CFR 313.3(k)(4)(iii) and (iv). --------------------------------------------------------------------------- The existing Privacy Rule generally defines ``you'' as a financial institution over which the Commission has enforcement jurisdiction under the GLBA. Because this definition refers to the Commission's enforcement authority rather than its rulemaking authority, the definition is overbroad in light of the amendments to the GLBA discussed above. Therefore, the Commission proposes to revise the definition of ``you'' so that for purposes of the Privacy Rule it applies to only those entities over which the Commission has rulemaking authority. For purposes of the Safeguards Rule, the definition of ``you'' remains unchanged. The Commission requests comment on the proposed changes to the definition of ``you.'' The Commission notes that the purpose of the changes to the Privacy Rule scope and definitions serve solely to conform the Privacy Rule to the revisions in the Dodd-Frank Act as to the scope of the Commission's rulemaking authority. These changes do not reflect any change in the Commission's authority to enforce the Privacy Rule or Regulation P. Section 313.9--Delivering Privacy and Opt-Out Notices Section 313.9(a) of the Rule requires that motor vehicle dealers provide initial and annual privacy notices so that each consumer ``can reasonably be expected'' to receive actual notice in writing or, if the consumer agrees, electronically. Section 313.9(b) provides examples of delivery methods that would result in reasonable expectation of actual notice, including hand delivery and delivery by mail. The examples also include posting on a Web site for customers who: (1) Conduct transactions electronically, and (2) acknowledge receipt of the notice as a necessary step to obtaining a particular financial product or service.\49\ Section 313.9(c) further allows delivery of the annual notice through a Web site, but only if a customer uses the dealer's Web site to access financial products and services and consents to receive notices at the Web site.\50\ Below, the Commission describes proposed changes to Sec. 313.9(c) that would allow motor vehicle dealers to utilize an alternative delivery method for the annual notices. In some circumstances, motor vehicle dealers could substitute their annual privacy notices with a clear and conspicuous disclosure--as part of an account statement, coupon book, or other legally-required or permitted notice or disclosure--stating that their privacy notice is available on their Web site and will be mailed to the customer on request. As required by the GLBA, this substitute disclosure would have to be provided at least annually. --------------------------------------------------------------------------- \49\ 16 CFR 313.9(b). \50\ 16CFR 313.9(c). --------------------------------------------------------------------------- The Commission seeks information concerning the effect on customer privacy rights if motor vehicle dealers were to use the alternative delivery method rather than their current delivery methods. Relatedly, the Commission requests comment on how often customers currently read annual privacy notices under the Privacy Rule and how frequently the notices would be read if they were provided pursuant to the proposed alternative delivery method. The Commission further requests comment on whether the proposed alternative delivery method would be effective in reducing the burden on motor vehicle dealers of mailing hard copy privacy notices. In particular, the Commission requests information regarding how many annual privacy notices motor vehicle dealers provide. Lastly, the Commission notes that the current Rule prescribes certain circumstances under which motor vehicle dealers can provide privacy notices electronically or via online posting. For example, the Rule allows covered entities to provide notices electronically if the consumer agrees or to provide notice online if the consumer is required to acknowledge receipt of the notice. See 16 CFR 313.9. The Commission invites comment regarding how often privacy notices are delivered electronically or posted online under the existing Rule and whether companies that currently provide notices electronically will likely experience cost savings under the proposed new rule requirements. 9(c)(2) Alternative Method for Providing Certain Annual Notices 9(c)(2)(i) Proposed Sec. 313.9(c)(2)(i) describes the circumstances under which a motor vehicle dealer may use the alternative delivery method summarized above.\51\ --------------------------------------------------------------------------- \51\ Existing Sec. 313.9(c) would be redesignated as Sec. 313.9(c)(1) and its subparagraphs redesignated as Sec. 313.9(c)(1)(i) and (ii), respectively, to accommodate the new addition. The Commission is also proposing to add a heading to new paragraph (c)(1) for technical reasons. --------------------------------------------------------------------------- 9(c)(2)(i)(A) Proposed Sec. 313.9(c)(2)(i)(A) would set forth the first condition for using the alternative delivery method: That the motor vehicle dealer must not share the customer's information with nonaffiliated third parties in a manner that triggers the opt-out requirement under the GLBA. Thus, for example, a motor vehicle dealer may use the alternative delivery method if it shares the customer's information with nonaffiliated third parties as permitted by Sec. Sec. 313.13 (for joint marketing), 313.14 (for processing and servicing transactions), and 313.15 (with consent, or for security purposes, fraud prevention, legal purposes or fiduciary purposes). It may not use the alternative delivery method, for example, if it shares the customer's nonpublic personal information with a nonaffiliated insurance company for marketing purposes. The Commission believes the alternative delivery method will generally reduce the burden of compliance for motor vehicle dealers, while still mandating the use of the current delivery method to ensure that customers have direct notice of their opt-out rights, where they exist. The Commission invites comment on the number of motor vehicle dealers that would not be able to take advantage of the alternative delivery method because they share data with nonaffiliated third parties. The Commission further invites comment on whether customers with opt-out rights pursuant to the Privacy Rule should continue to receive the annual privacy notice pursuant to the current delivery method or if motor vehicle dealers should be able to utilize the proposed alternative delivery method for such customers. 9(c)(2)(i)(B) Proposed Sec. 313.9(c)(2)(i)(B) would set forth the second condition for using the alternative delivery method for the annual privacy notice: That the motor vehicle dealer not include on its annual notice an opt-out under section [[Page 36272]] 603(d)(2)(A)(iii) of the FCRA.\52\ As discussed above, FCRA section 603(d)(2)(A)(iii) allows sharing of certain consumer information with affiliates, but only if the motor vehicle dealer provides the consumer with notice and an opportunity to opt out of the information sharing. Although this is a requirement of the FCRA, section 503(b)(4) of the GLBA and Sec. 313.6(a)(7) of the Privacy Rule require a motor vehicle dealer's privacy notice to include any opt-out rights provided under section 603(d)(2)(A)(iii) of the FCRA. Accordingly, to the extent that a motor vehicle dealer shares customer information with affiliates for marketing purposes, thus triggering the obligation to include an opt- out pursuant to FCRA section 603(d)(2)(A)(iii), the motor vehicle dealer cannot take advantage of the alternative delivery method.\53\ As noted above, the Commission believes that directly reminding consumers of any opt-out rights at least annually will be important for consumers. This is true regardless whether the opt-out right is provided under the GLBA or the FCRA. --------------------------------------------------------------------------- \52\ 15 U.S.C. 1681a(d)(2)(A)(iii). \53\ See 64 FR 35162, 35176 (June 1, 2000). --------------------------------------------------------------------------- The Commission invites comment on the extent to which different motor vehicle dealers provide a FCRA section 603(d)(2)(A)(iii) opt-out and thus would be precluded from using the proposed alternative delivery method. The Commission further invites comment as to whether customers with opt-out rights under this section of the FCRA benefit from receiving the annual privacy notice pursuant to the current delivery method or could receive the notice via the proposed alternative delivery method. 9(c)(2)(i)(C) Proposed Sec. 313.9(c)(2)(i)(C) would contain the third condition for using the alternative delivery method, related to the requirements of section 624 of the FCRA \54\ and the Affiliate Marketing Rule, 16 CFR part 680. FCRA section 624, as implemented by the Affiliate Marketing Rule, provides that a person may not use certain information about a consumer that it receives from an affiliate to market to that consumer unless the consumer receives notice and the opportunity to opt out of such marketing.\55\ --------------------------------------------------------------------------- \54\ 15 U.S.C. 1681s-3. \55\ 16 CFR 680.21(a). --------------------------------------------------------------------------- In contrast to the FCRA section 603(d)(2)(A)(iii) notice and opt- out right concerning affiliate sharing, which is generally required to be included on the GLBA annual privacy notice, the FCRA section 624 (and Affiliate Marketing Rule) notice and opt-out right concerning marketing by affiliates is not required to be included on that notice. However, the Affiliate Marketing Rule notice and opt-out right may be included on the privacy notice.\56\ --------------------------------------------------------------------------- \56\ 16 CFR 680.23(b). --------------------------------------------------------------------------- The Commission proposes--under Sec. 313.9(c)(2)(i)(C)--that a motor vehicle dealer that is required to provide a notice and opt out under the Affiliate Marketing Rule may use the alternative delivery method, provided that the motor vehicle dealer has previously satisfied the Affiliate Marketing Rule requirements or does not use the annual privacy notice as the sole means of providing notice to customers of that opt-out right.\57\ Alternatively, the motor vehicle dealer could continue to use the current delivery method and include the Affiliate Marketing opt-out on the annual privacy notice, with no separate notice required. --------------------------------------------------------------------------- \57\ Certain requirements for the Affiliate Marketing notice and opt out differ, depending on whether it is included as part of the model privacy notice or issued separately. Where a motor vehicle dealer includes the Affiliate Marketing notice and opt-out on the model privacy notice, that opt-out must be of indefinite duration. See Appendix A to Part 313 at C.2(d)(6). In contrast, where a motor vehicle dealer provides the Affiliate Marketing notice and opt-out separately, the Affiliate Marketing Rule allows the opt-out to be offered for as little as five years, subject to renewal, and the disclosure of the duration of the opt-out must be included on the notice. See 16 CFR 680.22(b). 16 CFR 680.23(a)(1)(iv). Because inclusion of the Affiliate Marketing opt-out on the model privacy notice requires a motor vehicle dealer to honor the opt-out indefinitely, a motor vehicle dealer that also offers the opt-out right separately in order to use the alternative delivery method would be able to comply with both the Privacy Rule and the Affiliate Marketing Rule by stating in the separate Affiliate Marketing notice that the opt-out is of indefinite duration and by honoring such opt- out requests indefinitely. --------------------------------------------------------------------------- The Commission invites comment on the extent to which motor vehicle dealers include the Affiliate Marketing Rule opt-out on their Privacy Rule privacy notices and thus would be precluded from using the proposed alternative delivery method. The Commission further invites comment on whether imposing this condition on using the alternative delivery method is beneficial to consumers. 9(c)(2)(i)(D) Proposed Sec. 313.9(c)(2)(i)(D) would present the fourth condition for using the alternative delivery method: That the substantive information a motor vehicle dealer is required to convey on its annual privacy notice has not changed since the immediately previous privacy notice (whether initial, annual, or revised) to the customer.\58\ The Commission believes that the current delivery method is likely less useful if the customer has already received a privacy notice, and the motor vehicle dealer's sharing practices remain generally unchanged since that previous notice. Proposed Sec. 313.9(c)(2)(i)(D) lists the specific disclosures of the privacy notice that must not change in order for a motor vehicle dealer to take advantage of the alternative delivery method. They are: --------------------------------------------------------------------------- \58\ Note that information disclosed pursuant to Sec. 313.6(a)(6) and (a)(7) is not included in proposed Sec. 313.9(c)(2)(i)(D) because if those situations apply, a motor vehicle dealer could not use the alternative delivery method under proposed Sec. 313.9(c)(2)(i)(A) and (B), as discussed above. ---------------------------------------------------------------------------The categories of nonpublic personal information that the motor vehicle dealer collects (Sec. 313.6(a)(1) and (a)(4)); the categories of nonpublic personal information that the motor vehicle dealer discloses (Sec. 313.6(a)(2)); the categories of affiliates and nonaffiliated third parties to whom the motor vehicle dealer discloses nonpublic personal information, other than to parties that administer or enforce transactions, service or process financial products, or maintain or service accounts, under Sec. 313.14 and to parties for security, fraud prevention, legal purposes, or similar purposes under Sec. 313.15 (Sec. 313.6(a)(3)); if the motor vehicle dealer discloses nonpublic personal information to a nonaffiliated third party for joint marketing as set forth under Sec. 313.13, a separate statement of the categories of information disclosed and the categories of third parties to whom the disclosures were made (Sec. 313.6(a)(5)); the motor vehicle dealer's policies and practices with respect to protecting the confidentiality and security of nonpublic personal information (Sec. 313.6(a)(8)); and the description of the purpose for sharing with service providers and other entities that conduct fraud prevention, security, or similar services (Sec. 313.6(a)(9)). The Commission emphasizes that a motor vehicle dealer would be precluded from using the alternative delivery method only if it made substantive changes to the information disclosed on the previous written notice sent to the consumer. Stylistic changes in the wording of the notice that do not denote a change in practices would not prevent a motor vehicle dealer from using the alternative delivery method. Nor would the proposed section prohibit a motor vehicle dealer from using the alternative delivery method if the dealer eliminated categories of information it disclosed or categories of [[Page 36273]] third parties to whom it disclosed information. Any other substantive change to its information sharing practices would preclude use of the alternative delivery method; however, the motor vehicle dealer could use the alternative delivery method to meet its next annual privacy notice requirement if it first sent a revised privacy notice pursuant to the standard delivery requirements. The Commission invites comment about the effect on customers of conditioning availability of the alternative delivery method on there being no change from the previous year's notice. The Commission further invites comment on how often motor vehicle dealers change their privacy notice such that they would be precluded from using the proposed alternative delivery method. Lastly, the Commission invites comment on the extent to which a motor vehicle dealer's changing its data security policy should preclude it, like financial institutions covered by Regulation P, from using the proposed alternative delivery method. 9(c)(2)(i)(E) The last condition for use of the alternative delivery method, which would be set forth in proposed Sec. 313.9(c)(2)(i)(E), requires that the motor vehicle dealer use the model privacy form for its annual privacy notice. Currently, the Privacy Rule does not require use of the model notice because the statute under which it was promulgated only required that regulators give financial institutions the option to use such a model notice.\59\ --------------------------------------------------------------------------- \59\ 15 U.S.C. 6803. --------------------------------------------------------------------------- However, the Commission proposes to permit use of the alternative delivery method only if a motor vehicle dealer uses the model privacy form for its annual privacy notice. This approach would likely incentivize use of the model notice, which consumer research has shown to be effective in communicating information.\60\ The Commission does not believe that the one-time burden of creating a model notice will place an undue burden on motor vehicles dealers, who will likely be able to save costs by not sending annual privacy notices. --------------------------------------------------------------------------- \60\ 74 FR 62890, 62891 (Dec. 1, 2009). --------------------------------------------------------------------------- The Commission notes that the model form accommodates information that may be required by state or international law, as applicable, in a box called ``Other important information.'' \61\ Accordingly, the Commission expects that a motor vehicle dealer that has additional privacy disclosure obligations pursuant to state or international law would still be able to use the model form in order to take advantage of the proposed alternative delivery method. The Commission invites comment on related state or international law requirements and their interaction with the model privacy notice, as well as the proposed condition on the alternative delivery method in general. --------------------------------------------------------------------------- \61\ Appendix A to Part 313 at C(3)(c). --------------------------------------------------------------------------- The Commission contemplates that adoption of the model privacy form may require changes to the wording and layout of the privacy notice, but not to the information conveyed. Thus, adoption of the model notice would not constitute a change to the prior year's notice that would preclude use of the alternative delivery method under proposed Sec. 313.9(c)(2)(i)(D).\62\ The Commission solicits comment on this issue. The Commission further invites comment on the extent to which motor vehicle dealers currently use the model privacy notice, and if they do not, whether they would choose to adopt it in order to take advantage of the proposed alternative delivery method. Lastly, the Commission invites comment on the benefit to customers of receiving the model privacy notice rather than a privacy notice in a non-standard format. --------------------------------------------------------------------------- \62\ In a somewhat analogous situation, the agencies that promulgated the model privacy notice explained: ``Adoption of the model form, with no change in policies or practices, would not constitute a revised notice [for purposes of the rule section on revised privacy notices], although institutions may elect to consider the format change as revision, at their option.'' 74 FR 62890, 62907 n. 196. --------------------------------------------------------------------------- Finally, the Commission generally invites comment on the conditions in proposed Sec. 313.9(c)(2)(i)(A) through (E) and whether any of those conditions should not be required or whether other conditions should be added. 9(c)(2)(ii) Proposed Sec. 313.9(c)(2)(ii) sets forth the mechanics of the alternative delivery method for annual notices. 9(c)(2)(ii)(A) Proposed Sec. 313.9(c)(2)(ii)(A) would set forth the first component of the alternative delivery method: that a motor vehicle dealer inform the customer of the availability of the annual privacy notice on its Web site. Under this proposed subsection, a motor vehicle dealer must clearly and conspicuously convey, not less than annually-- on an account statement, coupon book, or notice or disclosure the institution is required or expressly permitted to use under any other provision of law--three pieces of information: (1) That its privacy notice has not changed, (2) that the notice is available on its Web site, and (3) that a hard copy of the notice will be mailed to customers if they call to request one. Proposed Sec. 313.9(c)(2)(ii)(A) states that this notice must be ``clear and conspicuous,'' which is defined as meaning ``reasonably understandable'' and ``designed to call attention to the nature and significance of the information.'' \63\ The Commission believes that the existing examples in Sec. 313.3(b)(2)(i) and (ii) for the ``reasonably understandable'' and ``designed to call attention'' requirements likely would provide sufficient guidance on ways to make the notice clear and conspicuous. For example, the Rule states that, if the notice is combined with other information, it must contain ``distinctive type size, style, and graphic devices, such as shading or sidebars.'' \64\ --------------------------------------------------------------------------- \63\ 16 CFR 313.3(b)(1). \64\ 16 CFR 313.3(b)(2)(ii)(E). --------------------------------------------------------------------------- Although the Commission proposes to require that motor vehicle dealers convey this ``notice of availability'' not less than annually, they may elect to convey it more often (e.g., quarterly or monthly). The Commission invites comment on whether the approach used for notice of availability for motor vehicle dealers should differ from that for the financial institutions covered by Regulation P. In particular, the Commission is interested in comment on: (1) Whether the proposed example notice of availability would make the alternative delivery method more feasible for motor vehicle dealers to implement, (2) whether the illustrative elements not specifically required by the Rule should be so required, and (3) whether the proposed language would be effective in informing customers of the availability of the privacy notice. As noted, proposed Sec. 313.9(c)(2)(ii)(A) would require the notice of availability to be conveyed on an account statement, coupon book, or notice or disclosure the motor vehicle dealer is required or expressly and specifically permitted to issue under any other provision of law. An account statement would include periodic statements or billing statements. A coupon book refers to a book of payment coupons typically included with an installment loan. The Commission believes customers are likely to read account statements or coupon books that directly concern the status of their account. A ``notice or disclosure the institution is required or expressly and specifically permitted to issue under any other provision of law'' would include [[Page 36274]] disclosures that are expressly and specifically permitted by law, even if not required. This language builds on the language used in the Affiliate Marketing Rule, which provides that ``a notice required by this subpart may be coordinated and consolidated with any other notice or disclosure required to be issued under any other provision of law. . . .'' \65\ The Commission notes that a notice of availability would not satisfy the proposed rule requirement if included on advertising materials that were neither required nor specifically permitted by law. The Commission invites comment on the benefits and costs of requiring the notice of availability to be included on an account statement, coupon book, or document required or expressly and specifically permitted under any other provision of law. The Commission further requests comment as to the best documents on which to place the notice of availability, particularly in light of what consumers are likely to read. --------------------------------------------------------------------------- \65\ 16 CFR 680.23(b). --------------------------------------------------------------------------- The Commission further notes that where two or more motor vehicle dealers provide a joint privacy notice pursuant to Sec. 313.9(f), the proposal would require each motor vehicle dealer to separately provide the notice of availability. The Commission invites comment on how often motor vehicle dealers jointly provide privacy notices and whether the proposed alternative delivery method would be feasible for such jointly issued notices. Proposed Sec. 313.9(c)(2)(ii)(A) also would require the institution to state on the notice of availability that its privacy policy has not changed, which, as discussed in detail below, is a condition that a dealer must satisfy in order to be able to use the alternative delivery method. This proposed requirement can help customers assess whether they are interested in reading the policy. This statement would always be accurate if the alternative delivery method is used correctly, since a motor vehicle dealer could not use the alternative delivery method if its annual privacy notice had changed. The proposal would further require that the statement include a specific web address that takes customers directly to the page where the privacy notice is available. The section also would require that the web address conveyed on the notice of availability provide the customer with direct access to the page that contains the privacy notice, so that the customer need not click on any additional links. Next, proposed Sec. 313.9(c)(2)(ii)(A) would require that the notice of availability include a telephone number that a customer can call to request a hard copy of the annual privacy notice. This number need not be a dedicated number established for this purpose alone. This requirement is intended to assist customers who do not have internet access or would prefer to receive a hard copy of the privacy notice. The Commission encourages motor vehicle dealers that already maintain a toll-free number to use that number in the statement required by Sec. 313.9(c)(2)(ii)(A), to simplify the process for a customer to call and request a mailed copy of the privacy notice. As an alternative, the Commission invites comment on whether the approach used for notice of availability for motor vehicle dealers should differ from that for the financial institutions covered by Regulation P. Specifically, the Commission seeks comment on the advantages and disadvantages of requiring motor vehicle dealers to provide a dedicated telephone number for privacy notice requests so that customers can easily request a hard copy of the notice without navigating a complicated automated telephone menu. The Commission also invites comment on whether it should require a dedicated toll-free number for this purpose. 9(c)(2)(ii)(B) Proposed Sec. 313.9(c)(2)(ii)(B) would set forth the second component of the alternative delivery method: that the motor vehicle dealer post its current privacy notice continuously and in a clear and conspicuous manner on a page of the institution's Web site on which the only content is the privacy notice. The Commission believes that, were the notice included on a page with other content, such as other disclosures or promotions for products, that content could detract from the prominence of the notice and make it less likely that a customer would actually read it.\66\ The Commission believes that this requirement is feasible for most motor vehicle dealers, and for a motor vehicle dealer that does not currently post its annual notice on its Web site, creating a specific page for this purpose is a one-time process that could be implemented without significant cost. --------------------------------------------------------------------------- \66\ Information that is not content, such as navigational menus to other pages on the Web site, could appear on the same page as the privacy notice. Moreover, other pages on the dealer's Web site could link to the page containing the privacy notice, but the customer would still have to be provided a specific web address that takes the customer directly to the page where the privacy notice is available to satisfy the requirement to post the notice on the motor vehicle dealer's Web site in proposed Sec. 313.9(c)(2)(ii)(B). Finally, with regard to the proposed requirement that the notice be posted in a ``clear and conspicuous'' manner, the Commission notes that existing Sec. 313.3(b)(2)(iii) gives examples of what clear and conspicuous means for a privacy notice posted on a Web site. One example is a Web page that uses text or visual cues to encourage scrolling down the page if necessary to view the entire notice, and as long as the page does not include text, graphics, hyperlinks, or sound that may distract from the notice. --------------------------------------------------------------------------- This section would further require that the Web page that contains the privacy notice be accessible to the customer without requiring the customer to provide any information such as a login name or password or agree to any conditions to access the page. This provision is intended to make accessing the privacy notice on an institution's Web site as simple and straightforward as possible. The Commission invites comment regarding the prevalence of motor vehicle dealers that currently maintain Web sites, whether they currently post the Privacy Rule notice on those Web sites, and if they do not, how costly it would be to do so. The Commission additionally seeks comment on whether motor vehicle dealers provide different privacy notices for different groups of customers, such that posting multiple privacy notices on the dealer's Web site may create confusion as to which is the relevant privacy notice that is applicable to a particular customer. The Commission seeks comment on the relative benefit or harm to customers of accessing the privacy notice on a motor vehicle dealer's Web site as proposed. Lastly, the Commission invites comment as to whether motor vehicle dealers should be required to provide specific reminder information to a consumer about that consumer's previously established preferences--for example, whether the consumer has already opted out--via a login and password-protected section of the Web site. 9(c)(2)(ii)(C) Proposed Sec. 313.9(c)(2)(ii)(C) would set forth the third component of the alternative delivery method: That the motor vehicle dealer mail its current privacy notice to those customers who request it by telephone within ten calendar days of such request. The Commission proposes this requirement to assist customers without internet access and customers with internet access who would prefer to receive a hard copy of the notice. This requirement makes clear that a motor vehicle dealer may not, for example, wait to mail the privacy notice with another document, such as a quarterly [[Page 36275]] statement. Motor vehicle dealers may not charge the customer for delivering the annual notice, given that delivery of the annual notice is required by statute and regulation. The Commission invites comment on the cost associated with mailing privacy notices on request, and whether mailing of the privacy notice within ten calendar days of a request is feasible for motor vehicle dealers. The Commission further requests comment on whether requiring mailing within ten calendar days is sufficient to ensure that customers receive privacy notices in a timely manner. 9(c)(2)(iii) Proposed Sec. 313.9(c)(2)(iii) would provide an example of a notice of availability that satisfies Sec. 313.9(c)(2)(ii)(A). The Commission intends this example to provide clear guidance on permissible content for the notice of availability to facilitate compliance. The content of the example notice of availability in proposed Sec. 313.9(c)(2)(iii) draws from language in the existing model privacy notice in Part 313, App. A, which was previously subject to consumer testing.\67\ The proposed example would include the heading ``Privacy Notice'' in boldface (or otherwise emphasized) on the notice of availability. The proposed example further would state that Federal law requires the motor vehicle dealer to tell customers how it collects, shares, and protects their personal information; this language mirrors the ``Why'' box on the model privacy notices.\68\ The remaining portion of the proposed example would inform customers that the motor vehicle dealer's privacy notice has not changed, the address of the Web site at which customers can access the privacy notice, and the telephone number to call to request a free copy of the notice. The Commission notes that the proposed example contains certain elements that would satisfy proposed Sec. 313.9(c)(2), but other language and formatting techniques could also satisfy that section. These elements include titling the notice of availability ``Privacy Notice,'' including a statement that ``Federal law requires the motor vehicle dealer to tell customers how it collects, shares, and protects their personal information,'' and stating that getting a copy of the notice is ``free'' to the consumer. --------------------------------------------------------------------------- \67\ See Appendix A to 16 CFR part 313, at A. \68\ Id. --------------------------------------------------------------------------- The Commission invites comment on whether the proposed example notice of availability for motor vehicle dealers should differ from that for financial institutions covered by Regulation P. In particular, the Commission is interested in comment on: (1) Whether the proposed example notice of availability would make the alternative delivery method more feasible for motor vehicle dealers to implement, (2) whether the elements not specifically required by the rule should be so required, and (3) whether the proposed language would be effective in informing customers of the availability of the privacy notice. V. Regulatory Flexibility Act The Regulatory Flexibility Act (RFA), as amended by the Small Business Regulatory Enforcement Fairness Act of 1996, requires each agency to consider the potential impact of its regulations on small entities, including small businesses, small governmental units, and small not-for-profit organizations. The RFA generally requires an agency to conduct an initial regulatory flexibility analysis (IRFA) and a final regulatory flexibility analysis (FRFA) of any rule subject to notice-and-comment rulemaking requirements, unless the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities.\69\ --------------------------------------------------------------------------- \69\ 5 U.S.C. 603-605. --------------------------------------------------------------------------- An IRFA is not required here because the proposal, if adopted, would not have a significant economic impact on a substantial number of small entities. The Commission does not expect the proposal to impose costs on small entities. All methods of compliance under current law will remain available to small entities if the proposal is adopted. Thus, a small entity that is in compliance with current law need not take any different or additional action if the proposal is adopted. In addition, as discussed above, the Commission believes that the proposed alternative method would allow many motor vehicle dealers to reduce their costs. Accordingly, the Commission certifies that this proposal, if adopted, would not have a significant economic impact on a substantial number of small entities. VI. Paperwork Reduction Act Under the Paperwork Reduction Act of 1995 (PRA),\70\ Federal agencies are generally required to seek Office of Management and Budget (OMB) approval for information collection requirements prior to implementation. Under the PRA, the Commission may not conduct or sponsor, and, notwithstanding any other provision of law, a person is not required to respond to an information collection, unless the information collection displays a valid control number assigned by OMB. --------------------------------------------------------------------------- \70\ 44 U.S.C. 3501 et seq. --------------------------------------------------------------------------- This proposal would amend 16 CFR part 313. The collections of information related to the Privacy Rule have been previously reviewed and approved by OMB in accordance with the PRA and assigned OMB Control Number 3084-0121.\71\ --------------------------------------------------------------------------- \71\ The FTC has current clearance through October 31, 2017. See 79 FR 55489 (Sept. 16, 2014). --------------------------------------------------------------------------- As explained below, the proposed amendments do not modify or add to information collection requirements that were previously approved by OMB. Under this proposal, a motor vehicle dealer will be permitted, but not required, to use an alternative delivery method for the annual privacy notice if: It does not share information with nonaffiliated third parties other than for purposes covered by the exclusions allowed under the Privacy Rule; It does not include on its annual privacy notice an opt- out under section 603(d)(2)(A)(iii) of the FCRA; The annual privacy notice is not the only method used to satisfy the requirements of section 624 of the FCRA and 16 CFR part 680, if applicable; Certain information it is required to convey on its annual privacy notice has not changed since it provided the immediately prior privacy notice; and It uses the Privacy Rule model privacy form for its annual privacy notice. Under the proposed alternative delivery method, the motor vehicle dealer would have to: Convey at least annually on another notice or disclosure that its privacy notice is available on its Web site and will be mailed upon request to a specified telephone number. Among other things, the dealer would have to include a specific web address that takes the customer directly to the privacy notice; Post its current privacy notice continuously on a page of its Web site that contains only the privacy notice, without requiring a login or any conditions to access the page; and Mail its current privacy notice to customers who request it by telephone within ten calendar days of such request. Under the existing clearance, the FTC has attributed to itself the estimated burden regarding all motor vehicle dealers and then shares equally the remaining estimated PRA burden with the Bureau for other types of financial institutions for which both agencies have enforcement authority regarding the GLBA Privacy Rule.\72\ --------------------------------------------------------------------------- \72\ 79 FR 55489. --------------------------------------------------------------------------- [[Page 36276]] The Commission does not believe that this proposed rule would impose any new or substantively revised collections of information as defined by the PRA. Rather, the Commission believes that the proposed amendment would have the overall effect of reducing the currently cleared estimated burden for the information collections associated with the Privacy Rule annual privacy notice. By definition, the expected cost savings to motor vehicle dealers from the proposed revisions to Sec. 313.9(c) is the expected number of annual privacy notices that would be provided through the proposed alternative delivery method multiplied by the expected reduction in the cost per-notice from using the alternative delivery method. The first step in estimating the expected cost savings to motor vehicle dealers from proposed Sec. 313.9(c)(2) would be to identify the motor vehicle dealers whose current information sharing practices would allow them to use the proposed alternative method. The Commission would then need to determine their currents costs for providing the annual privacy notices and the expected costs of providing these notices under proposed Sec. 313.9(c)(2). In order to reach such an estimate for financial institutions, the Commission looked to the Bureau's rulemaking. The Bureau performed a number of analyses and outreach activities to approximate the expected cost savings for financial institutions. After examining 125 banks selected through random sampling, the Bureau found that the overall average rate at which banks' information sharing practices would make them eligible for using the alternative delivery method if other conditions were met is 80%.\73\ The Bureau's results indicated that a large majority of smaller banks would likely be able to use the proposed alternative delivery method but most of the largest banks would not.\74\ For non-depository institutions subject to the Commission's enforcement, the Bureau similarly estimated that 80% would be able to use the alternate delivery method.\75\ Subject to further information through public comment, the Commission preliminarily assumes that this 80% is characteristic as well for motor vehicle dealers. The Commission requests comment and the submission of information relevant to the information sharing practices of motor vehicle dealers and the extent to which they may be able to use the proposed alternative delivery method. --------------------------------------------------------------------------- \73\ 79 FR at 27226. \74\ Id. Only 18% of sampled banks with assets over $10 billion could clearly use the proposed alternative delivery method, while 81% of sampled banks with assets of $10 billion or less and 88% of sampled banks with assets of $500 million or less could clearly use the proposed alternative delivery method. The Bureau also examined the privacy policies of 54 credit unions and found 62% of those with assets over $500 million could use the alternative delivery method and 44% of those with $500 million or less in assets could (though, due to inadequate information, the Bureau could not make the assessment for 48% of those credit unions with $500 million or less in assets). Id. \75\ 79 FR at 27229. --------------------------------------------------------------------------- The Commission does not have precise data on the number of annual privacy notices motor vehicle dealers currently provide to directly compute the total number of annual privacy notices that would no longer be sent; however, in the Commission's proposal to extend the current PRA clearance for the Privacy Rule,\76\ the Commission estimated the total costs to motor vehicle dealers to disseminate annual disclosures to be about $18.4 million.\77\ Applying the Commission's estimate that 80% of motor vehicle dealers would be able to utilize the alternative delivery method, the estimated reduction in ongoing burden would be approximately 638,400 hours annually for roughly 48,000 motor vehicle dealers.\78\ The reduction in estimated ongoing costs from the reduction in ongoing burden would be approximately $14.7 million annually.\79\ The Commission requests comment on this preliminary analysis as well as the submission of additional data that could inform the Commission's consideration of the cost savings to motor vehicle dealers. --------------------------------------------------------------------------- \76\ 79 FR 55489 (Sept. 14, 2014). \77\ Id. at 55490-91 Table IIB. \78\ The 638,400 hours estimate is 80% of the previously published estimate of 798,000 hours, cumulatively, for established motor vehicle dealers to disseminate annual notices. See id. at 55490 (Table IIB). The estimated number of motor vehicle dealers that would use the alternative delivery method is 80% of the previously published estimate of the number of motor vehicle dealers, 60,000. See id. at Table IIA notes. \79\ This is the product of the above-noted costs to motor vehicle dealers to disseminate annual disclosures, $18.4 million, multiplied by the assumed 80% reduction for the alternative delivery method. Estimates of ongoing savings are gross figures and do not take into account any ongoing costs associated with the alternative delivery method, which the Commission believes would be minimal. They would consist of additional text on a notice or disclosure the institution already provides, additional phone calls from consumers requesting that the model form be mailed, and the costs of mailing the forms prompted by these calls. The Commission currently believes that few consumers will request that the form be mailed in order to read it or to exercise any voluntary opt-out right, given the availability of the notices online. There would be minimal ongoing costs associated with the alternative delivery method from maintaining a Web page if a motor vehicle dealer already has a Web page dedicated to the annual privacy policy. --------------------------------------------------------------------------- The Commission believes that the one-time cost for some motor vehicle dealers to adopt the alternative delivery method is minimal. Motor vehicle dealers that already use the model form and would adopt the alternative delivery method would incur minor one-time legal, programming and training costs. These dealers would have to communicate on a notice or disclosure they already issue under any other provision of law that the privacy notice is available. The expense of adding this notification would be minor. Staff may need some additional training in storing copies of the model form and sending it to customers on request. Motor vehicle dealers that do not use the model form would incur a one-time cost to create one. However, since the promulgation of the model privacy form in 2009, an Online Form Builder has existed that any institution can use to readily create a unique, customized privacy notice using the model form template.\80\ The Commission assumes that motor vehicle dealers that do not currently have Web sites would not choose to comply with these requirements in order to use the alternative delivery method. --------------------------------------------------------------------------- \80\ This Online Form Builder is available at https://www.federalreserve.gov/newsevents/press/bcreg/20100415a.htm. --------------------------------------------------------------------------- The Commission has determined that the proposed rule does not contain any new or substantively revised information collection requirements as defined by the PRA and that the burden estimate for the previously-approved information collections should be reduced as explained above. The Commission welcomes comments on these determinations or any other aspect of the proposal for purposes of the PRA. Comments should be submitted as outlined in the ADDRESSES section above. All comments will become a matter of public record. Invitation To Comment You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before August 31, 2015. Write ``Amendment to the Privacy of Consumer Financial Information Rule, 16 CFR part 313, Project No. R411016'' on your comment. Your comment--including your name and your state--will be placed on the public record of this proceeding, including, to the extent practicable, on the Commission Web site, at https://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the Commission tries to remove individuals' home contact information from comments before placing them on the Commission Web site. [[Page 36277]] Because your comment will be made public, you are solely responsible for making sure that your comment doesn't include any sensitive personal information, such as Social Security number, date of birth, driver's license number or other state identification number or foreign country equivalent, passport number, financial account number, or credit or debit card number. You are also solely responsible for making sure that your comment doesn't include any sensitive health information, including medical records or other individually identifiable health information. In addition, do not include any ``[t]rade secret or any commercial or financial information which . . . is privileged or confidential,'' as discussed in section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). In particular, do not include competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names. If you want the Commission to give your comment confidential treatment, you must file it in paper form, with a request for confidential treatment, and you have to follow the procedure explained in FTC Rule 4.9(c), 16 CFR 4.9(c).\81\ Your comment will be kept confidential only if the FTC General Counsel, in his or her sole discretion, grants your request in accordance with the law and the public interest. --------------------------------------------------------------------------- \81\ In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule 4.9(c), 16 CFR 4.9(c). --------------------------------------------------------------------------- Postal mail addressed to the Commission is subject to delay due to heightened security screening. As a result, we encourage you to submit your comments online. To make sure that the Commission considers your online comment, you must file it at https://ftcpublic.commentworks.com/ftc/GLBPrivacyamendment, by following the instructions on the web-based form. If this Notice appears at https://www.regulations.gov/#!home, you also may file a comment through that Web site. If you file your comment on paper, write ``Amendment to the Privacy of Consumer Financial Information Rule, 16 CFR part 313, Project No. R411016'' on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC-5610 (Annex E), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex E), Washington, DC 20024. If possible, submit your paper comment to the Commission by courier or overnight service. Visit the Commission Web site at https://www.ftc.gov to read this Notice and the news release describing it. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before August 31, 2015. For information on the Commission's privacy policy, including routine uses permitted by the Privacy Act, see https://www.ftc.gov/ftc/privacy.htm. List of Subjects in 16 CFR Part 313 Consumer protection, Motor vehicle dealers, Privacy, Reporting and recordkeeping requirements, Trade practices. Authority and Issuance For the reasons set forth in the preamble, the Commission proposes to amend 16 CFR part 313, as set forth below: PART 313--PRIVACY OF CONSUMER FINANCIAL INFORMATION 0 1. The authority citation for Part 313 is revised to read as follows: Authority: 15 U.S.C. 6801 et seq., 12 U.S.C. 5519. 0 2. In Sec. 313.1, revise paragraph (b) to read as follows: Sec. 313.1 Purpose and scope. * * * * * (b) Scope. This part applies only to nonpublic personal information about individuals who obtain financial products or services primarily for personal, family or household purposes from the institutions listed below. This part does not apply to information about companies or about individuals who obtain financial products or services for business, commercial, or agricultural purposes. This part applies to those ``financial institutions'' over which the Federal Trade Commission (``Commission'') has rulemaking authority pursuant to section 504(a)(1)(C) of the Gramm-Leach-Bliley Act. An entity is a ``financial institution'' if its business is engaging in a financial activity as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k), which incorporates by reference activities enumerated by the Federal Reserve Board in 12 CFR 211.5(d) and 12 CFR 225.28. The ``financial institutions'' subject to the Commission's rulemaking authority are any persons described in 12 U.S.C. 5519 that are predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both. They are referred to in this part as ``You.'' 0 3. In Sec. 313.3, revise paragraphs (e), (i), (k), and (q) to read as follows: Sec. 313.3 Definitions. * * * * * (e)(1) Consumer means an individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family, or household purposes, or that individual's legal representative. (2) Examples for purposes of 16 CFR part 313 and 314--(i) An individual who applies to you for credit for personal, family, or household purposes is a consumer of a financial service, regardless of whether the credit is extended. (ii) An individual who provides nonpublic personal information to you in order to obtain a determination about whether he or she may qualify for a loan to be used primarily for personal, family, or household purposes is a consumer of a financial service, regardless of whether the loan is extended. (iii) If you hold ownership or servicing rights to an individual's loan that is used primarily for personal, family, or household purposes, the individual is your consumer, even if you hold those rights in conjunction with one or more other institutions. (The individual is also a consumer with respect to the other financial institutions involved.) An individual who has a loan in which you have ownership or servicing rights is your consumer, even if you, or another institution with those rights, hire an agent to collect on the loan. (iv) An individual who is a consumer of another financial institution is not your consumer solely because you act as agent for, or provide processing or other services to, that financial institution. (v) An individual is not your consumer solely because he or she is a participant or a beneficiary of an employee benefit plan that you sponsor or for which you act as a trustee or fiduciary. (3) Examples for purposes of 16 CFR part 314--(i) An individual who provides nonpublic personal information to you in connection with [[Page 36278]] obtaining or seeking to obtain financial, investment, or economic advisory services is a consumer, regardless of whether you establish a continuing advisory relationship. (ii) An individual is not your consumer solely because he or she has designated you as trustee for a trust. (iii) An individual is not your consumer solely because he or she is a beneficiary of a trust for which you are a trustee. * * * * * (i)(1) Customer relationship means a continuing relationship between a consumer and you under which you provide one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes. (2) Examples--(i) Continuing relationship. (A) A consumer has a continuing relationship with you, for purposes of 16 CFR part 313 and part 314, if the consumer: (1) Has a credit or investment account with you; (2) Obtains a loan from you; (3) Purchases an insurance product from you; (4) Enters into an agreement or understanding with you whereby you undertake to arrange credit to purchase a vehicle, for the consumer; (5) Enters into a lease of personal property on a non-operating basis with you; or (6) Has a loan for which you own the servicing rights. (B) A consumer also has a continuing relationship with you, for purposes of 16 CFR part 314, if the consumer: (1) Holds an investment product through you, such as when you act as a custodian for securities or for assets in an Individual Retirement Arrangement; (2) Enters into an agreement or understanding with you whereby you undertake to arrange or broker a home mortgage loan, for the consumer; (3) Obtains financial, investment, or economic advisory services from you for a fee; (4) Becomes your client for the purpose of obtaining tax preparation or credit counseling services from you; (5) Obtains career counseling while seeking employment with a financial institution or the finance, accounting, or audit department of any company (or while employed by such a financial institution or department of any company); (6) Is obligated on an account that you purchase from another financial institution, regardless of whether the account is in default when purchased, unless you do not locate the consumer or attempt to collect any amount from the consumer on the account; or (7) Obtains real estate settlement services from you. (ii) No continuing relationship. (A) For purposes of 16 CFR parts 313 and 314, a consumer does not, however, have a continuing relationship with you if: (1) The consumer obtains a financial product or service from you only in isolated transactions, such as cashing a check with you or making a wire transfer through you; (2) You sell the consumer's loan and do not retain the rights to service that loan; or (3) The consumer obtains one-time personal or real property appraisal services from you. (B) For purposes of 16 CFR part 314, a consumer also does not have a continuing relationship with you if: (1) The consumer obtains a financial product or service from you only in isolated transactions, such as using your ATM to withdraw cash from an account at another financial institution or purchasing a money order from you; (2) You sell the consumer airline tickets, travel insurance, or traveler's checks in isolated transactions; or (3) The consumer purchases checks for a personal checking account from you. * * * * * (k)(1) Financial institution means any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). An institution that is significantly engaged in financial activities is a financial institution. (2) Example of financial institution for purposes of 16 CFR part 313 and 314. An automobile dealership that, as a usual part of its business, leases automobiles on a nonoperating basis for longer than 90 days is a financial institution with respect to its leasing business because leasing personal property on a nonoperating basis where the initial term of the lease is at least 90 days is a financial activity listed in 12 CFR 225.28(b)(3) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act. (3) Examples of financial institution for purposes of 16 CFR part 314. (i) A retailer that extends credit by issuing its own credit card directly to consumers is a financial institution because extending credit is a financial activity listed in 12 CFR 225.28(b)(1) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act and issuing that extension of credit through a proprietary credit card demonstrates that a retailer is significantly engaged in extending credit. (ii) A personal property or real estate appraiser is a financial institution because real and personal property appraisal is a financial activity listed in 12 CFR 225.28(b)(2)(i) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act. (iii) A career counselor that specializes in providing career counseling services to individuals currently employed by or recently displaced from a financial organization, individuals who are seeking employment with a financial organization, or individuals who are currently employed by or seeking placement with the finance, accounting or audit departments of any company is a financial institution because such career counseling activities are financial activities listed in 12 CFR 225.28(b)(9)(iii) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act. (iv) A business that prints and sells checks for consumers, either as its sole business or as one of its product lines, is a financial institution because printing and selling checks is a financial activity that is listed in 12 CFR 225.28(b)(10)(ii) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act. (v) A business that regularly wires money to and from consumers is a financial institution because transferring money is a financial activity referenced in section 4(k)(4)(A) of the Bank Holding Company Act and regularly providing that service demonstrates that the business is significantly engaged in that activity. (vi) A check cashing business is a financial institution because cashing a check is exchanging money, which is a financial activity listed in section 4(k)(4)(A) of the Bank Holding Company Act. (vii) An accountant or other tax preparation service that is in the business of completing income tax returns is a financial institution because tax preparation services is a financial activity listed in 12 CFR 225.28(b)(6)(vi) and referenced in section 4(k)(4)(G) of the Bank Holding Company Act. (viii) A business that operates a travel agency in connection with financial services is a financial institution because operating a travel agency in connection with financial services is a financial activity listed in 12 CFR 211.5(d)(15) and referenced in section 4(k)(4)(G) of the Bank Holding Company Act. [[Page 36279]] (ix) An entity that provides real estate settlement services is a financial institution because providing real estate settlement services is a financial activity listed in 12 CFR 225.28(b)(2)(viii) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act. (x) A mortgage broker is a financial institution because brokering loans is a financial activity listed in 12 CFR 225.28(b)(1) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act. (xi) An investment advisory company and a credit counseling service are each financial institutions because providing financial and investment advisory services are financial activities referenced in section 4(k)(4)(C) of the Bank Holding Company Act. (4) Financial institution does not include: (i) Any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act (7 U.S.C. 1 et seq.); (ii) The Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.); or (iii) Institutions chartered by Congress specifically to engage in securitizations, secondary market sales (including sales of servicing rights) or similar transactions related to a transaction of a consumer, as long as such institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party other than as permitted by Sec. Sec. 313.14 and 313.15 of this Part. (iv) Entities that engage in financial activities but that are not significantly engaged in those financial activities. (5) Example of entities that are not significantly engaged in financial activities for purposes of 16 CFR part 313 and 314. A motor vehicle dealer is not a financial institution merely because it accepts payment in the form of cash, checks, or credit cards that it did not issue. (6) Examples of entities that are not significantly engaged in financial activities for purposes of 16 CFR part 314. (i) A retailer is not a financial institution if its only means of extending credit are occasional ``lay away'' and deferred payment plans or accepting payment by means of credit cards issued by others. (ii) A retailer is not a financial institution merely because it accepts payment in the form of cash, checks, or credit cards that it did not issue. (iii) A merchant is not a financial institution merely because it allows an individual to ``run a tab.'' (iv) A grocery store is not a financial institution merely because it allows individuals to whom it sells groceries to cash a check, or write a check for a higher amount than the grocery purchase and obtain cash in return. * * * * * (q) For purposes of 16 CFR part 313, You includes each ``financial institution'' over which the Commission has rulemaking authority pursuant to section 504(a)(1)(C) of the Gramm-Leach-Bliley Act. For purposes of 16 CFR part 314, You includes each ``financial institution'' (but excludes any ``other person'') over which the Commission has enforcement jurisdiction pursuant to section 505(a)(7) of the Gramm-Leach-Bliley Act. 0 4. In Sec. 313.9, revise paragraph (c) to read as follows: Sec. 313.9 Delivering privacy and opt out notices. * * * * * (c) Annual notices only. (1) Reasonable expectation. You may reasonably expect that a customer will receive actual notice of your annual privacy notice if: (i) The customer uses your Web site to access financial products and services electronically and agrees to receive notices at the Web site, and you post your current privacy notice continuously in a clear and conspicuous manner on the Web site; or (ii) The customer has requested that you refrain from sending any information regarding the customer relationship, and your current privacy notice remains available to the customer upon request. (2) Alternative method for providing certain annual notices. (i) Notwithstanding paragraph (a) of this section, you may use the alternative method described in paragraph (c)(2)(ii) of this section to satisfy the requirement in Sec. 313.5(a)(1) to provide a notice if: (A) You do not disclose the customer's nonpublic personal information with nonaffiliated third parties other than for purposes under Sec. Sec. 313.13, 313.14, and 313.15; (B) You do not include on your annual privacy notice pursuant to Sec. 313.6(a)(7) an opt out under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)); (C) The requirements of section 624 of the Fair Credit Reporting Act (15 U.S.C. 1681s-3) and Part 680 of this chapter, if applicable, have been satisfied previously or the annual privacy notice is not the only notice provided to satisfy such requirements; (D) The information you are required to convey on your annual privacy notice pursuant to Sec. 313.6(a)(1) through (5), (8), and (9) has not changed since you provided the immediately previous privacy notice (whether initial, annual or revised) to the customer, other than to eliminate categories of information you disclose or categories of third parties to whom you disclose information; and (E) You use the model privacy form in the appendix to this part for your annual privacy notice. (ii) For an annual privacy notice that meets the requirements in paragraph (c)(2)(i) of this section, you satisfy the requirement in Sec. 313.5(a)(1) to provide a notice if you: (A) Convey in a clear and conspicuous manner not less than annually on an account statement, coupon book, or a notice or disclosure you are required or expressly and specifically permitted to issue under any other provision of law that your privacy notice is available on your Web site and will be mailed to the customer upon request by telephone. The statement must state that your privacy notice has not changed and must include a specific Web address that takes the customer directly to the page where the privacy notice is posted and a designated telephone number for the customer to request that it be mailed; (B) Post your current privacy notice continuously in a clear and conspicuous manner on a page of your Web site that contains only the privacy notice, without requiring the customer to provide any information such as a login name or password or agree to any conditions to access the page; and (C) Mail your current privacy notice to those customers who request it by telephone within ten days of the request. (iii) An example of a statement that satisfies paragraph (c)(2)(ii)(A) of this section is: ``Privacy Notice'' in boldface or otherwise emphasized: Privacy Notice--Federal law requires us to tell you how we collect, share, and protect your personal information. Our privacy policy has not changed and you may review our policy and practices with respect to your personal information at [Web address] or we will mail you a free copy upon request if you call us at [telephone number]. * * * * * By direction of the Commission. Donald S. Clark, Secretary. [FR Doc. 2015-14328 Filed 6-23-15; 8:45 am] BILLING CODE 6750-01-P
This site is protected by reCAPTCHA and the Google
Privacy Policy and
Terms of Service apply.
