Privacy of Consumer Financial Information Rule Under the Gramm-Leach-Bliley Act, 13150-13158 [2019-06039]

Federal Register / Vol. 84, No. 65 / Thursday, April 4, 2019 / Proposed Rules
FEDERAL TRADE COMMISSION

16 CFR Part 313

RIN 3084–AB42

Privacy of Consumer Financial Information Rule Under the Gramm-Leach-Bliley Act

AGENCY: Federal Trade Commission.

ACTION: Notice of proposed rulemaking; request for public comment.

SUMMARY: The Federal Trade Commission is proposing to amend its Privacy Rule for certain financial institutions subject to the Rule to revise the Rule’s scope, to modify the Rule’s definitions of “financial institution” and “federal functional regulator,” and to update the Rule’s annual customer privacy notice requirement. The proposed amendments will also remove certain examples in the Rule that apply to financial institutions that now fall outside the scope of the Commission’s Rule. This action is necessary to conform the Rule to the current requirements of the Gramm-Leach-Bliley Act (GLBA), as amended by the Dodd-Frank and FAST Acts, and will clarify which financial institutions are covered by the Commission’s Rule and their annual customer privacy notice obligations under the Rule.

DATES: Written comments must be received on or before June 3, 2019.

ADDRESSES: Interested parties may file a comment online or on paper by following the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Write “Amendment to the Privacy of Consumer Financial Information Rule, 16 CFR part 313, Rulemaking No. R411016,” on your comment and file your comment online at https://www.regulations.gov by following the instructions on the web-based form. If you prefer to file your comment on paper, mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC–5610 (Annex B), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex B), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: David Lincicum or Allison M. Lefrak, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580, (202) 326–2773 or (202) 326–2804.

SUPPLEMENTARY INFORMATION:

I. Background

A. The Statute and Regulation

The GLBA was enacted in 1999.¹ The GLBA, among other things, provides a framework for regulating the privacy practices of a broad range of financial institutions. The GLBA requires that financial institutions provide their customers with initial and annual notices regarding their privacy practices, and allow their customers to opt out of sharing their information with certain nonaffiliated third parties.

¹ Public Law 106–102, 113 Stat. 1338 (1999).

Rulemaking authority to implement the GLBA’s privacy provisions was initially spread among multiple agencies. The Federal Reserve Board (“the Fed”), the Office of Comptroller of the Currency (“OCC”), the Federal Deposit Insurance Corporation (“FDIC”), and the Office of Thrift Supervision (“OTS”) jointly adopted final rules to implement the notice requirements of the GLBA in 2000.² The Commission, the National Credit Union Administration (“NCUA”), the Securities and Exchange Commission (“SEC”), and the Commodity Futures Trading Commission (“CFTC”) were part of the same interagency process, but each issued their rules separately.³ In 2009, all those agencies jointly adopted a model form that financial institutions could use to provide the required initial and annual privacy disclosures.⁴

As originally promulgated, the FTC’s Privacy Rule covered a broad range of non-bank financial institutions such as payday lenders, mortgage brokers, check cashers, debt collectors, real estate appraisers, certain motor vehicle dealers, and remittance transfer providers.
In 2010, the Dodd-Frank Act⁵ transferred the GLBA’s privacy notice rulemaking authority from the Fed, NCUA, OCC, OTS, the FDIC, and the Commission (in part) to the Consumer Financial Protection Bureau (“CFPB”). The CFPB then restated the implementing regulations in Regulation P, 12 CFR part 1016, in late 2011 (“Regulation P”).⁶ However, under section 1029 of the Dodd-Frank Act, the Commission retained rulemaking authority for certain motor vehicle dealers.⁷ Thus, in 2012, the Commission issued a notice that it was retaining the implementing regulations governing privacy notices for motor vehicle dealers at 16 CFR part 313.⁸

² 65 FR 35162 (June 1, 2000).
³ 65 FR 33646 (May 24, 2000) (FTC final rule); 65 FR 31722 (May 18, 2000) (NCUA final rule); 65 FR 40334 (June 29, 2000) (SEC final rule); 66 FR 21236 (Apr. 27, 2001) (CFTC final rule).
⁴ 74 FR 62890 (Dec. 1, 2009); see also 16 CFR 313.2, 313.4–313.9.
⁵ Public Law 111–203, 124 Stat. 1376 (2010).
⁶ 76 FR 79025 (Dec. 21, 2011).
⁷ 12 U.S.C. 5519. The FTC retained rulemaking jurisdiction as to motor vehicle dealers that are predominantly engaged in the sale and servicing or the leasing and servicing of motor vehicles, excluding those dealers that directly extend credit to consumers and do not routinely assign the extensions of credit to an unaffiliated third party. For ease of reference, covered motor vehicle dealers are referenced herein as “motor vehicle dealers.”

Despite the transfer of general rulemaking authority for the Privacy Rule to the CFPB, the Commission and other agencies retain their existing enforcement authority under the GLBA.⁹ In addition, the SEC and CFTC retain rulemaking authority with respect to securities and futures-related companies, respectively.¹⁰ Accordingly, as part of this rulemaking process, the Commission has consulted and coordinated, or offered to consult, with those agencies that have rulemaking and/or enforcement authority under the GLBA, including the CFPB, SEC, CFTC, and the National Association of Insurance Commissioners (“NAIC”).¹¹

On December 4, 2015, Congress amended the GLBA as part of the FAST Act. This amendment, titled Eliminate Privacy Notice Confusion,¹² added GLBA subsection 503(f). This subsection provides an exception under which financial institutions that meet certain conditions are not required to provide annual privacy notices to customers.

B. The Privacy Notice Requirements

As noted, the GLBA and the Privacy Rule require that motor vehicle dealers provide consumers with notices describing their privacy policies.
Specifically, section 503 of the GLBA and the Privacy Rule require covered entities to provide an initial notice of these policies,¹³ and then “provide a clear and conspicuous notice to customers that accurately reflects [their] privacy policies and practices not less than annually during the continuation of the customer relationship.”¹⁴

Section 502 of the GLBA and the Privacy Rule require that initial and annual notices inform customers of their right to opt out of the sharing of nonpublic personal information with some types of nonaffiliated third parties.¹⁵ For example, a customer has the right to opt out of allowing a motor vehicle dealer to sell her name and address to a nonaffiliated auto insurance company.¹⁶ On the other hand, a motor vehicle dealer is not required to allow consumers to opt out of the dealer’s sharing involving third-party service providers, joint marketing arrangements, maintenance and servicing of accounts, securitization, law enforcement and compliance, reporting to consumer reporting agencies, and certain other activities that are specified in the statute and regulation.¹⁷ Accordingly, if a motor vehicle dealer limits its sharing to uses that do not trigger opt-out rights, it may provide an annual privacy notice to its customers that does not include information regarding opt-out rights.

⁸ 77 FR 22200, 22201 (April 13, 2012) (also rescinding those regulations for which rulemaking authority was transferred to the CFPB under the Dodd-Frank Act).
⁹ 15 U.S.C. 6805(a).
¹⁰ 15 U.S.C. 6804, 6809; 12 U.S.C. 1843(k)(4); 12 CFR 1016.1(b).
¹¹ See 15 U.S.C. 6804(a)(2).
¹² Public Law 114–94, sec. 75001, 129 Stat. 1312, 1787 (2015).
¹³ 15 U.S.C. 6803; 16 CFR 313.4.
¹⁴ 15 U.S.C. 6803; 16 CFR 313.5(a)(1).
¹⁵ 15 U.S.C. 6802; 16 CFR 313.6(a)(6).
¹⁶ 16 CFR 313.10(a).
Motor vehicle dealers also may include in the annual privacy notice information about certain consumer opt-out rights related to affiliate sharing under the Fair Credit Reporting Act (“FCRA”). First, section 603(d)(2)(A)(iii) of the FCRA allows the sharing of a consumer’s information among affiliates, but only if the consumer is notified of such sharing and is given an opportunity to opt out.¹⁸ Section 503(c)(4) of the GLBA and the Privacy Rule generally require motor vehicle dealers to incorporate any notifications and opt-out disclosures provided pursuant to section 603(d)(2)(A)(iii) of the FCRA into their initial and annual privacy notices.¹⁹ Second, section 624 of the FCRA and the FTC’s Affiliate Marketing Rule²⁰ provide that an affiliate of a motor vehicle dealer that receives certain information about a consumer from the dealer may not use that information for marketing purposes, unless the consumer is provided with an opportunity to opt out of that use.²¹ This requirement governs the use of information by an affiliate, not the sharing of information among affiliates, and thus is distinct from the affiliate sharing opt-out discussed above. The Affiliate Marketing Rule permits (but does not require) motor vehicle dealers to incorporate any opt-out disclosures provided under section 624 of the FCRA and the Affiliate Marketing Rule into the initial and annual privacy notices required by the GLBA.²²

Finally, section 313.6(a)(8) of the Privacy Rule requires that the initial and annual notices briefly describe how motor vehicle dealers protect the nonpublic personal information they collect and maintain.

¹⁷ 15 U.S.C. 6802(b)(2), 6802(e); 16 CFR 313.13–313.15.
¹⁸ 15 U.S.C. 1681a(d)(2)(A)(iii).
¹⁹ 15 U.S.C. 6803(c)(4); 16 CFR 313.6(a)(7).
²⁰ 16 CFR 680.1–680.28.
²¹ 15 U.S.C. 1681s–3. The FTC’s Affiliate Marketing Rule applies to motor vehicle dealers. See 77 FR 22200 (Apr. 13, 2012). The FTC also enforces the CFPB’s Regulation V’s Affiliate Marketing Rule, 12 CFR part 1022, subpart C, for other entities over which the FTC has enforcement authority under the FCRA.
²² 16 CFR 680.23(b).

II. Proposed Revision of the Privacy Rule

A. The Consumer Financial Protection Bureau Rulemaking

In December 2011, the CFPB issued a Request for Information seeking specific suggestions for streamlining regulations that were transferred to the CFPB from other Federal agencies, including the annual privacy notice requirement.²³ After receiving numerous comments, in May 2014, the CFPB issued a proposed rule to amend its Regulation P to allow financial institutions to notify consumers that a privacy notice was available online, in certain enumerated circumstances.²⁴ The CFPB finalized its rulemaking in October 2014.²⁵

B. The Commission’s 2015 Proposed Rulemaking

On June 24, 2015, the Commission published a Notice of Proposed Rulemaking (“2015 NPRM”) proposing revisions to the Privacy Rule.²⁶ First, the Commission proposed a number of changes to comport with the Dodd-Frank Act revision of GLBA, which transferred rulemaking authority for most financial institutions to the CFPB. The Commission also proposed amending the Rule to allow motor vehicle dealers to notify their customers that a privacy notice is available online, under circumstances identical to those that had been adopted by the CFPB.²⁷ The Commission received six comments from individuals and entities.²⁸

C. The Passage of the FAST Act

As described above, on December 4, 2015, President Obama signed the FAST Act. The FAST Act contains a provision that modified the annual privacy notice requirement under the GLBA. The provision states that a financial institution is not required to provide an annual privacy notice if it: (1) Only shares non-public personal information with non-affiliated third parties in a manner that does not require an opt-out right be provided to customers (e.g., if the institution discloses nonpublic personal information to a service provider or for fraud detection and prevention purposes), and (2) has not changed its policies and practices with respect to disclosing nonpublic personal information since it last provided a privacy notice to its customers.²⁹ This modification of the GLBA rendered the Commission’s proposed changes to the Privacy Rule moot because those changes, if adopted, would have been in conflict with the revised statute.³⁰

D. New Proposed Changes to the Privacy Rule

In light of this history, the Commission is issuing this notice of proposed rulemaking. The Commission now proposes to make three types of changes to the Privacy Rule: (1) Technical changes to the Rule to correspond to the reduced scope of the Rule due to Dodd-Frank Act changes, which primarily consist of removing references that do not apply to motor vehicle dealers; (2) modifications to the annual privacy notice requirements to reflect the changes made to the GLBA by the FAST Act; and (3) a modification to the scope and definition of “financial institution” to include entities engaged in activities that are incidental to financial activities, which would bring the Rule into accord with the CFPB’s Regulation P.

²³ 76 FR 75825, 75828 (Dec. 5, 2011).
²⁴ 79 FR 27214 (May 14, 2014) (CFPB Notice of Proposed Rulemaking).
²⁵ 79 FR 64057 (Oct. 28, 2014).
²⁶ 80 FR 36267 (June 24, 2015).
²⁷ See 79 FR 64057 (Oct. 28, 2014).
²⁸ The comments are posted at: https://www.ftc.gov/policy/public-comments/2015/06/initiative-614. The Commission assigned each comment a number appearing after the name of the commenter and the date of submission.
²⁹ 15 U.S.C. 6803(f).
³⁰ In 2016, the CFPB issued a proposed amendment to Regulation P that would alter the annual notice requirement to conform to the statutory changes. 81 FR 44801 (July 11, 2016). The rule became final in September 2018. 83 FR 40945 (Sept. 17, 2018).
³¹ For other types of financial institutions over which the Commission has enforcement authority under the GLBA, the Commission now enforces the CFPB’s Regulation P.
³² 15 U.S.C. 6804(1)(C).

1. Technical Changes To Correspond to Statutory Changes Resulting From the Dodd-Frank Act

The Commission adopted the scope of, and definitions in, the original Privacy Rule at a time when it had rulemaking authority for the Privacy Rule over a broader group of non-bank “financial institutions” as defined by the GLBA. While the Dodd-Frank Act did not change the Commission’s enforcement authority for the privacy notice obligations of the GLBA, it did amend the Commission’s rulemaking authority under the GLBA such that the Privacy Rule only applies to motor vehicle dealers.³¹ The amendments in the Dodd-Frank Act necessitate certain technical revisions to the Privacy Rule to ensure that the regulation is consistent with the text of the amended GLBA.³² For example, retaining examples that apply to entities other than motor vehicle dealers may lead to confusion about the existing, narrower scope of the Privacy Rule.
Accordingly, the Commission proposes to modify the Privacy Rule to provide clearer guidance to financial institutions that are covered motor vehicle dealers.³³ The proposed amendment to section 313.1(b) narrows the description of the scope of the Privacy Rule to those entities set forth in the Dodd-Frank Act³⁴ that are predominantly engaged in the sale and servicing of motor vehicles or the leasing and servicing of motor vehicles, excluding those dealers that directly extend credit to consumers and do not routinely assign the extensions of credit to an unaffiliated third party. It also removes the reference in the Rule’s scope to “other persons”: Although the Commission continues to have enforcement authority over “other persons” covered by the CFPB’s Regulation P, the Commission no longer has rulemaking authority for the Privacy Rule over “other persons.”³⁵

In addition, the Commission proposes to eliminate from section 313.1(b) the note indicating that (1) the Privacy Rule does not modify, limit, or supersede the standards under the Health Insurance Portability and Accountability Act of 1996, and (2) if a financial institution that is an institution of higher education is in compliance with the Federal Educational Rights and Privacy Act (“FERPA”) and its implementing regulations, such institution shall be deemed in compliance with the Privacy Rule. The Commission does not believe these provisions will apply to motor vehicle dealers covered by the Rule and should be removed to improve clarity. The Commission invites comments on whether these provisions are relevant to motor vehicle dealers and should be retained.

The proposed amendments to section 313.3 also remove any examples that are not likely to apply to motor vehicle dealers. To help companies understand whether and how the Rule applies to them, the Rule includes examples of financial institutions in section 313.3(k)(2).
The current examples refer to types of activities that motor vehicle dealers typically do not engage in. Therefore, leaving those examples in the Rule may lead to confusion about the Rule’s current scope.

³³ The Commission also proposes a change to 16 CFR 313.3(j) removing the Director of the Office of Thrift Supervision from the definition of “Federal Functional Regulators,” as the Office of Thrift Supervision no longer exists.
³⁴ 12 U.S.C. 5519.
³⁵ The Commission also proposes to amend 16 CFR 313.15(a)(4) to add the CFPB to the list of law enforcement agencies to which financial institutions are permitted to share information to the extent permitted by law.

The proposed amendments also remove certain examples from the definition of “consumer” in section 313.3(e)(2). These examples do not apply because motor vehicle dealers do not provide the types of services provided in the examples, such as financial, investment, or economic advisory services or serving as the trustee of a trust.

Likewise, the proposed amendments remove certain examples of establishing a customer relationship from section 313.4(c)(3)(i). The removed examples do not apply to customers of motor vehicle dealers, because such activities are not related to the sale or leasing of motor vehicles. These include creating credit card accounts, providing investment advice or tax counseling, providing mortgages, collecting debts from other financial institutions, and providing websites for consumers to review all of their on-line financial accounts with other financial institutions.

Finally, the proposed amendments remove certain examples of termination of customer relationships from section 313.5(b)(2). As with previously discussed proposed amendments, the removed examples concern customer relationships based on services that motor vehicle dealers do not provide.
These include credit card accounts, credit counseling services, tax preparation, and real estate settlement.

The removal of these inapplicable examples will increase the clarity of the rule by focusing on matters that are relevant to the regulated financial institutions. Removing these examples will not alter the substance of the underlying definitions or provisions of the rule, which will have the same reach and applicability as before the revisions. The changes are intended to improve clarity, not to alter substance. The Commission invites comments on whether any of the omitted examples should be retained.

Although the Dodd-Frank Act altered the Commission’s rulemaking authority with respect to the Privacy Rule, it did not alter the Commission’s rulemaking authority for the Safeguards Rule. For the Safeguards Rule, the Commission continues to have rulemaking authority over a broad range of non-bank financial institutions. The Safeguards Rule, however, currently incorporates by reference the definitions contained in the Privacy Rule, including all of the examples of financial institutions listed in the existing Privacy Rule.³⁶ Accordingly, while the Commission proposes to modify the Privacy Rule definitions to include examples applicable only to motor vehicle dealers, the Commission has also proposed in a separate concurrent NPRM to amend the Safeguards Rule to import definitions of relevant terms and examples from the current version of the Privacy Rule.³⁷

³⁶ 16 CFR 314.2(a).

2. Modifications to the Annual Privacy Notice To Reflect Statutory Changes Resulting From the FAST Act

The Commission also proposes changes to the Privacy Rule provisions governing how motor vehicle dealers should deliver annual privacy notices. These changes implement statutory changes resulting from the enactment of the FAST Act and replace those set forth in the 2015 NPRM.
Several commenters opined on the proposed changes to notice delivery in the 2015 NPRM. Those comments have been rendered obsolete by the statutory changes. The current proposed rule implements the changes set forth in the FAST Act.

Section 313.5(a)(1)—General Rule

The proposed section 313.5(a)(1) notes that section 313.5(e) provides an exception to the general rule requiring the delivery of annual notices.

Section 313.5(e)

This proposed new section sets forth the exception to the annual privacy notice requirement. The Commission adopts the reasoning and changes set forth by the CFPB in its amendments to Regulation P to adopt the FAST Act changes.³⁸

First, proposed section 313.5(e)(1)(i) sets forth that the financial institution must share nonpublic personal information only in accordance with the provisions of sections 313.13, 313.14, and 313.15, none of which require an opt-out opportunity be provided to customers. Second, proposed section 313.5(e)(1)(ii) states that the financial institution must also not have changed its disclosure policies and practices that were contained in its most recent privacy notice to customers.

³⁷ The NPRM relating to the Safeguards Rule is published elsewhere in this issue of the Federal Register.
³⁸ See 81 FR 44801 (July 10, 2016).

Proposed section 313.5(e)(2) sets forth the timing for delivering an annual notice if a financial institution no longer meets requirements for the exception and must resume delivery of annual notices. There are two scenarios under which a financial institution would need to resume delivering annual notices: (1) Where the change in its policies triggers the existing requirement to issue a revised privacy notice, as required by section 313.8; and (2) where the change does not trigger a need for the financial institution to issue a revised notice under section 313.8.
These two situations are addressed by proposed sections 313.5(e)(2)(i) and (ii), respectively. In the first situation, the revised notice issued by the financial institution acts as an initial privacy notice for the purposes of the timing of future annual notices. In the second situation, the financial institution must provide an annual notice to customers within 100 days of the change in policies or practices. Proposed section 313.5(e)(2)(iii) sets forth an example for both scenarios.

1. Modifications To Scope and Definitions To Bring the Rule Into Accord With Regulation P

Whether a company is a “financial institution” is determined by the types of activities in which the company engages. When first promulgating the Privacy Rule, the Commission determined that companies engaged in activities that are “incidental to financial activities” would not be considered “financial institutions.”³⁹ The Commission was the only agency to adopt this restrictive definition in its Privacy Rule, while the other agencies included incidental activities.⁴⁰ In addition, the Commission decided that activities that were determined to be financial in nature after the enactment of the GLBA would not be automatically included in its Privacy Rule; rather, the Commission would have to take additional action to include them.⁴¹ The effect of these two decisions was to limit the activities covered by the Commission’s rules to those set out in 12 CFR 225.28 as it existed in 1999, and to exclude any activities later determined by the Fed to be financial activities or incidental to those activities.⁴²

The Commission proposes modifying the definition of “financial institution” to harmonize the Privacy Rule with other agencies’ rules. The Commission proposes to amend section 313.1(b) to include companies that engage in activities that are financial in nature or incidental to such financial activities.
Likewise, it proposes to amend the definition of “financial institution” in section 313.3(k), to include any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities.43 The effect of this proposed amendment would be to cause “finders” to be included in this definition, thereby bringing the Privacy Rule into harmony with the scope of entities covered by other agencies under Regulation P. It would not bring any other activities under the coverage of the definition because the Fed has not determined any other activity other than “finding” to be financial in nature or incidental to such activity since the enactment of the GLBA. In practice, the Commission expects that this change to the Privacy Rule will have little to no effect because of the already narrow scope of the Rule: It is not clear that there are any motor vehicle dealers that would be covered by this rule whose only activity that would qualify them as a financial institution is the act of finding, as most motor vehicle dealers are more directly involved in obtaining financing for their customers. Nevertheless, the Commission believes this change is important to keep the Rule consistent with the Safeguards Rule and other agencies’ GLBA implementing rules.

39 See 16 CFR 313.3(k); see also 65 FR 33646, 33654 (May 24, 2000).
40 The Commission also added the requirement that an entity must be “significantly engaged” in the financial activity to be considered a financial institution under the Privacy Rule. 16 CFR 313.3(k). The Commission is not proposing to change this requirement.
41 65 FR 33646, 33654 n.23 (May 24, 2000).
42 Id.

The Commission has not previously requested comment on revising the definition of “financial institution” in this way for the Privacy Rule. Through this NPRM, it does so here.
Specifically, the Commission seeks information on (1) whether any entities function as “finders” for motor vehicle dealers, and if so how many; (2) whether such finders collect or maintain customer information as defined by the Rule; and (3) the costs and benefits, including the costs and benefits to finders and consumers, of this proposed amendment.

43 This proposal is also consistent with the agency’s concurrent proposal to revise the Safeguards Rule in the same manner.

III. Request for Comment

You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before June 3, 2019. Write “Amendment to the Privacy of Consumer Financial Information Rule, 16 CFR part 313, Rulemaking No. R411016” on the comment. Your comment, including your name and your state, will be placed on the public record of this proceeding, including, to the extent practicable, the https://www.regulations.gov website.

Postal mail addressed to the Commission is subject to delay due to heightened security screening. As a result, we encourage you to submit your comment online. To make sure that the Commission considers your online comment, you must file it at https://www.regulations.gov by following the instructions on the web-based form.

If you file your comment on paper, write “Amendment to the Privacy of Consumer Financial Information Rule, 16 CFR part 313, Rulemaking No. R411016,” on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC–5610 (Annex B), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex B), Washington, DC 20024. If possible, please submit your paper comment to the Commission by courier or overnight service.
Because your comment will be placed on the publicly accessible website, https://www.regulations.gov/, you are solely responsible for making sure that your comment does not include any sensitive or confidential information. In particular, your comment should not include any sensitive personal information, such as your or anyone else’s Social Security number, date of birth, driver’s license number or other state identification number or foreign country equivalent, passport number, financial account number, or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any “trade secret or any commercial or financial information which . . . is privileged or confidential,” as provided by section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2), including in particular, competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.

Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled “Confidential,” and must comply with FTC Rule 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comments to be withheld from the public record.44 Your comment will be kept confidential only if the FTC General Counsel grants your request in accordance with the law and the public interest.
Once your comment has been posted publicly at www.regulations.gov, we cannot redact or remove your comment from the FTC website, unless you submit a confidentiality request that meets the requirements for such treatment under FTC Rule 4.9(c), and the General Counsel grants that request.

Visit the Commission website at https://www.ftc.gov/ to read this document and the news release describing it. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before June 3, 2019. For information on the Commission’s privacy policy, including routine uses permitted by the Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.

IV. Communications by Outside Parties to the Commissioners or Their Advisors

Written communications and summaries or transcripts of oral communications respecting the merits of this proceeding, from any outside party to any Commissioner or Commissioner’s advisor, will be placed on the public record.45

V. Paperwork Reduction Act

Under the Paperwork Reduction Act of 1995 (PRA),46 Federal agencies are generally required to seek Office of Management and Budget (OMB) approval for information collection requirements prior to implementation. Under the PRA, the Commission may not conduct or sponsor, and, notwithstanding any other provision of law, a person is not required to respond to an information collection, unless the information collection displays a valid control number assigned by OMB.

This proposal would amend 16 CFR part 313.
The collections of information related to the Privacy Rule and the FAST Act statutory exceptions to the Rule’s annual notice requirement have been previously reviewed and approved by OMB in accordance with the PRA.47 Under the existing clearance, the FTC has attributed to itself the estimated burden regarding all motor vehicle dealers and then shares equally the remaining estimated PRA burden with the CFPB for other types of financial institutions for which both agencies have enforcement authority regarding the GLBA Privacy Rule.48

The proposed amendments do not modify or add to information collection requirements that were previously approved by OMB. First, the Commission anticipates that the proposed expansion of the definition of “financial institution” to include entities engaged in activities that are incidental to financial activities will have little to no effect. It is not clear that any finders are in the business of linking consumers with financing through motor vehicle dealers, as opposed to other types of financial institutions such as payday lenders or mortgage lenders. Second, the proposed removal of certain examples provided in the Rule that are not applicable to motor vehicle dealers will have no impact on existing information collection requirements. Therefore, the Commission does not believe that the proposed amendments would substantially or materially modify any “collections of information” as defined by the PRA.

The Commission seeks comment on whether there are any finders in existence that would be covered by the proposed Rule. If there are such businesses, the Commission will seek OMB clearance as appropriate.

44 See 16 CFR 4.9(c).
45 16 CFR 1.26(b)(5).
46 44 U.S.C. 3501 et seq.
47 The FTC has current clearance through November 30, 2020. The OMB Control Number is 3084–0121.
48 82 FR 48081.

VI. Regulatory Flexibility Act

The Regulatory Flexibility Act (RFA), as amended by the Small Business Regulatory Enforcement Fairness Act of 1996, requires an agency to either provide an Initial Regulatory Flexibility Analysis (“IRFA”) with a proposed rule, or certify that the proposed rule will not have a significant impact on a substantial number of small entities.49 The Commission does not expect that this Rule, if adopted, would have the threshold impact on small entities. First, most of the burdens flow from the mandates of the GLBA, not from the specific provisions of the proposed Rule. Second, the Commission does not expect the proposal to impose costs on small motor vehicle dealers because the amendments are primarily for clarification purposes and should not result in any increased burden on any motor vehicle dealer. Thus, a small entity that complies with current law need not take any different or additional action if the proposal is adopted. Nonetheless, the Commission has determined that it is appropriate to publish an Initial Regulatory Flexibility Analysis in order to inquire into the impact of the proposed Rule on small entities. The Commission does not believe that there are any small entities engaged in finding for motor vehicle financing that would now be covered as a result of the modified definition of “financial institution.” However, the Commission invites comment on this issue.

49 5 U.S.C. 603–605.

1. Reasons for the Proposed Rule

To address the Dodd-Frank Act and FAST Act changes the Commission proposes to change the Privacy Rule’s scope and definition of “financial institution”; change the annual notice requirement; and remove certain examples provided in the Rule that are not applicable to motor vehicle dealers. These changes will make the current, narrow scope of the Rule clearer.
Additionally, the Commission proposes modifying the definition of “financial institution” to harmonize the Privacy Rule with other agencies’ rules by including “activities incidental to financial activities” as a financial activity. This change would bring “finders” within the scope of the Rule.

2. Statement of Objectives and Legal Basis

The objectives of the proposed Rule are discussed above. The legal basis for the proposed Rule is section 501(b) of the GLBA.

3. Description of Small Entities to Which the Rule Will Apply

Determining a precise estimate of the number of small entities 50—including newly covered entities under the modified definition of financial institution—is not readily feasible. Financial institutions covered by the Rule include certain motor vehicle dealers. If the proposed Rule is finalized, finders will also be covered.

50 The U.S. Small Business Administration Table of Small Business Size Standards Matched to North American Industry Classification System Codes (NAICS) are generally expressed in either millions of dollars or number of employees. A size standard is the largest that a business can be and still qualify as a small business for Federal Government programs. For the most part, size standards are the annual receipts or the average employment of a firm. New car dealers (NAICS code 441100) are classified as small if they have fewer than 200 employees. Used car dealers (NAICS code 441120) are classified as small if their annual receipts are $25 million or less. Recreational vehicle dealers, boat dealers, motorcycle, ATV and all other motor vehicle dealers (NAICS codes 441210, 441222 and 441228) are classified as small if their annual receipts are $32.5 million or less. The 2017 Table of Small Business Size Standards is available at https://www.sba.gov/sites/default/files/files/Size_Standards_Table_2017.pdf.
The Commission requests comment and information on whether there are any finders in existence that would be covered by the proposed Rule.

4. Projected Reporting, Recordkeeping, and Other Compliance Requirements

The Commission does not believe that the proposed Rule would impose any new or substantively revised “collections of information” as defined by the PRA. Rather, the Commission believes that the proposed amendments would have the overall effect of reducing the currently cleared estimated burden for the information collections associated with the Privacy Rule annual notice. The Commission invites comment on the costs to newly covered financial institutions—if there are any—of complying with the Rule.

5. Identification of Duplicative, Overlapping, or Conflicting Federal Rules

The Commission’s proposal to modify the definition of “financial institution” harmonizes the Privacy Rule with other agencies’ rules. The effect of this proposed amendment, as discussed above, would be to cause “finders” to be covered by the Rule, thereby bringing the scope of the Privacy Rule into harmony with the scope of entities covered by other agencies under Regulation P. The Commission believes that this proposal does not create conflicting or duplicative obligations on small entities. As stated previously, the Commission does not believe there are any newly covered financial institutions resulting from the proposed definitional modification. However, the Commission is requesting comment on the extent to which other federal standards involving privacy notices may duplicate and/or satisfy or possibly conflict with the Rule’s requirements for any newly covered financial institutions.

6. Discussion of Significant Alternatives

As stated previously, the Commission does not believe there are any newly covered financial institutions resulting from the proposed definitional modification.
Moreover, the Commission believes that the other proposed amendments would have the overall effect of reducing the burden for all covered entities associated with the Privacy Rule annual notice. The proposed amendments do not reduce the flexibility already present in the existing Rule, which allows notices to be provided in a variety of ways, including electronically in some circumstances. As to the core requirements of the proposed Rule, they come from GLBA itself, as amended by the Dodd-Frank and the FAST Act. The statute prescribes the definition of financial institutions to be covered by the Rule and sets forth the specific requirements, which the Commission cannot modify to ease burdens on small entities. Therefore the Commission does not believe that any alternatives for small entities are required or appropriate. However, the Commission welcomes comment on any significant alternative consistent with the GLBA that would minimize the impact of the proposed Rule on small entities—specifically institutions that would be newly covered financial institutions—if there are any.

List of Subjects in 16 CFR Part 313

Consumer protection, Credit, Data protection, Privacy, Trade practices.

For the reasons stated above, the Federal Trade Commission proposes to amend 16 CFR part 313 as follows:

1. Revise the authority section for part 313 to read as follows:

Authority: 15 U.S.C. 6801 et seq., 12 U.S.C. 5519.

2. In § 313.1, revise paragraph (b) to read as follows:

§ 313.1 Purpose and scope.

* * * * *

(b) Scope. This part applies only to nonpublic personal information about individuals who obtain financial products or services primarily for personal, family or household purposes from the institutions listed below. This part does not apply to information about companies or about individuals who obtain financial products or services for business, commercial, or agricultural purposes.
This part applies to those “financial institutions” over which the Federal Trade Commission (“Commission”) has rulemaking authority pursuant to section 504(a)(1)(C) of the Gramm-Leach-Bliley Act. An entity is a “financial institution” if its business is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k), which incorporates by reference activities enumerated by the Federal Reserve Board in 12 CFR 225.28 and 12 CFR 225.86. The “financial institutions” subject to the Commission’s rulemaking authority are any persons described in 12 U.S.C. 5519 that are predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both. They are referred to in this part as “You.” Excluded from the coverage of this regulation are motor vehicle dealers described in 12 U.S.C. 5519(b) that directly extend to consumers retail credit or retail leases involving motor vehicles in which the contract governing such extension of retail credit or retail leases is not routinely assigned to an unaffiliated third party finance or leasing source.

3. In § 313.3, revise paragraphs (e), (i), (j), (k) and (q), to read as follows:

§ 313.3 Definitions.

* * * * *

(e)(1) Consumer means an individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative.

(2) Examples—(i) An individual who applies to you for credit for personal, family, or household purposes is a consumer of a financial service, regardless of whether the credit is extended.
(ii) An individual who provides nonpublic personal information to you in order to obtain a determination about whether he or she may qualify for a loan to be used primarily for personal, family, or household purposes is a consumer of a financial service, regardless of whether the loan is extended.

(iii) If you hold ownership or servicing rights to an individual’s loan that is used primarily for personal, family, or household purposes, the individual is your consumer, even if you hold those rights in conjunction with one or more other institutions. (The individual is also a consumer with respect to the other financial institutions involved.) An individual who has a loan in which you have ownership or servicing rights is your consumer, even if you, or another institution with those rights, hire an agent to collect on the loan.

(iv) An individual who is a consumer of another financial institution is not your consumer solely because you act as agent for, or provide processing or other services to, that financial institution.

(v) An individual is not your consumer solely because he or she is a participant or a beneficiary of an employee benefit plan that you sponsor or for which you act as a trustee or fiduciary.

* * * * *

(i)(1) Customer relationship means a continuing relationship between a consumer and you under which you provide one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.

(2) Examples—(i) Continuing relationship.
A consumer has a continuing relationship with you if the consumer:

(A) Has a credit or investment account with you;

(B) Obtains a loan from you;

(C) Purchases an insurance product from you;

(D) Enters into an agreement or understanding with you whereby you undertake to arrange credit to purchase a vehicle for the consumer;

(E) Enters into a lease of personal property on a non-operating basis with you; or

(F) Has a loan for which you own the servicing rights.

(ii) No continuing relationship. A consumer does not, however, have a continuing relationship with you if:

(A) The consumer obtains a financial product or service from you only in isolated transactions, such as cashing a check with you or making a wire transfer through you;

(B) You sell the consumer’s loan and do not retain the rights to service that loan; or

(C) The consumer obtains one-time personal appraisal services from you.

(j) Federal functional regulator means:

(1) The Board of Governors of the Federal Reserve System;

(2) The Office of the Comptroller of the Currency;

(3) The Board of Directors of the Federal Deposit Insurance Corporation;

(4) The National Credit Union Administration Board; and

(5) The Securities and Exchange Commission.

(k)(1) Financial institution means any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k). An institution that is significantly engaged in financial activities is a financial institution.

(2) Example of financial institution.
An automobile dealership that, as a usual part of its business, leases automobiles on a nonoperating basis for longer than 90 days is a financial institution with respect to its leasing business because leasing personal property on a nonoperating basis where the initial term of the lease is at least 90 days is a financial activity listed in 12 CFR 225.28(b)(3) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act.

(3) Financial institution does not include entities that engage in financial activities but that are not significantly engaged in those financial activities.

(4) Example of entities that are not significantly engaged in financial activities. A motor vehicle dealer is not a financial institution merely because it accepts payment in the form of cash, checks, or credit cards that it did not issue.

* * * * *

(q) You includes each “financial institution” over which the Commission has rulemaking authority pursuant to section 504(a)(1)(C) of the Gramm-Leach-Bliley Act (15 U.S.C. 6804(a)(1)(C)).

4. In § 313.4, revise paragraphs (c)(3)(i) and (e), to read as follows:

§ 313.4 Initial privacy notice to consumers required.

* * * * *

(c) * * *

(3)(i) Examples of establishing a customer relationship. You establish a customer relationship when the consumer:

(A) Executes the contract to obtain credit from you or purchase insurance from you; or

(B) Executes the lease for personal property with you.

* * * * *

(e) Exceptions to allow subsequent delivery of notice. (1) You may provide the initial notice required by paragraph (a)(1) of this section within a reasonable time after you establish a customer relationship if:

(i) Establishing the customer relationship is not at the customer’s election; or

(ii) Providing notice not later than when you establish a customer relationship would substantially delay the customer’s transaction and customer agrees to receive the notice at a later time.
(2) Examples of exceptions—(i) Substantial delay of customer’s transaction. Providing notice not later than when you establish a customer relationship would substantially delay the customer’s transaction when you and the individual agree over the telephone to enter into a customer relationship involving prompt delivery of the financial product or service.

(ii) No substantial delay of customer’s transaction. Providing notice not later than when you establish a customer relationship would not substantially delay the customer’s transaction when the relationship is initiated in person at your office or through other means by which the customer may view the notice, such as through a website.

* * * * *

5. In § 313.5, revise paragraphs (a)(1) and (b)(2) and add paragraph (e) to read as follows:

§ 313.5 Annual privacy notice to customers required.

(a)(1) General rule. Except as provided by paragraph (e) of this section, you must provide a clear and conspicuous notice to customers that accurately reflects your privacy policies and practices not less than annually during the continuation of the customer relationship. Annually means at least once in any period of 12 consecutive months during which that relationship exists. You may define the 12-consecutive-month period, but you must apply it to the customer on a consistent basis.

* * * * *

(b) * * *

(2) Examples.
Your customer becomes a former customer when:

(i) In the case of a closed-end loan, the customer pays the loan in full, you charge off the loan, or you sell the loan without retaining servicing rights;

(ii) In the case of vehicle loan brokering services, your customer has obtained a loan through you (and you no longer provide any statements or notices to the customer concerning that relationship), or has ceased using your services for such purposes;

(iii) In cases where there is no definitive time at which the customer relationship has terminated, you have not communicated with the customer about the relationship for a period of 12 consecutive months, other than to provide annual privacy notices or promotional material.

* * * * *

(e) Exception to annual privacy notice requirement. (1) When exception available. You are not required to deliver an annual privacy notice if you:

(i) Provide nonpublic personal information to nonaffiliated third parties only in accordance with the provisions of § 313.13, § 313.14, or § 313.15; and

(ii) Have not changed your policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under § 313.6(a)(2) through (5) and (9) in the most recent privacy notice provided pursuant to this part.

(2) Delivery of annual privacy notice after financial institution no longer meets requirements for exception. If you have been excepted from delivering an annual privacy notice pursuant to paragraph (e)(1) of this section and change your policies or practices in such a way that you no longer meet the requirements for that exception, you must comply with paragraph (e)(2)(i) or (ii) of this section, as applicable.

(i) Changes preceded by a revised privacy notice.
If you no longer meet the requirements of paragraph (e)(1) of this section because you change your policies or practices in such a way that § 313.8 requires you to provide a revised privacy notice, you must provide an annual privacy notice in accordance with the timing requirement in paragraph (a) of this section, treating the revised privacy notice as an initial privacy notice.

(ii) Changes not preceded by a revised privacy notice. If you no longer meet the requirements of paragraph (e)(1) of this section because you change your policies or practices in such a way that § 313.8 does not require you to provide a revised privacy notice, you must provide an annual privacy notice within 100 days of the change in your policies or practices that causes you to no longer meet the requirement of paragraph (e)(1).

(iii) Examples. (A) You change your policies and practices in such a way that you no longer meet the requirements of paragraph (e)(1) of this section effective April 1 of year 1. Assuming you define the 12-consecutive-month period pursuant to paragraph (a) of this section as a calendar year, if you were required to provide a revised privacy notice under § 313.8 and you provided that notice on March 1 of year 1, you must provide an annual privacy notice by December 31 of year 2. If you were not required to provide a revised privacy notice under § 313.8, you must provide an annual privacy notice by July 9 of year 1.

(B) You change your policies and practices in such a way that you no longer meet the requirements of paragraph (e)(1) of this section, and so provide an annual notice to your customers. After providing the annual notice to your customers, you once again meet the requirements of paragraph (e)(1) of this section for an exception to the annual notice requirement. You do not need to provide additional annual notice to your customers until such time as you no longer meet the requirements of paragraph (e)(1) of this section.

6. In § 313.15, revise paragraph (a)(4) to read as follows:

§ 313.15 Other exceptions to notice and opt out requirements.

(a) * * *

(4) To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies (including the Consumer Financial Protection Bureau, a federal functional regulator, the Secretary of the Treasury, with respect to 31 U.S.C. chapter 53, subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. chapter 21 (Financial Recordkeeping), a State insurance authority, with respect to any person domiciled in that insurance authority’s State that is engaged in providing insurance, and the Federal Trade Commission), self-regulatory organizations, or for an investigation on a matter related to public safety.

* * * * *

By direction of the Commission.
April J. Tabor,
Acting Secretary.
[FR Doc. 2019–06039 Filed 4–3–19; 8:45 am]
BILLING CODE 6750–01–P

FEDERAL TRADE COMMISSION

16 CFR Part 314

RIN 3084–AB35

Standards for Safeguarding Customer Information

AGENCY: Federal Trade Commission.

ACTION: Notice of proposed rulemaking; request for public comment.

SUMMARY: The Federal Trade Commission (“FTC” or “Commission”) requests public comment on its proposal to amend the Standards for Safeguarding Customer Information (“Safeguards Rule” or “Rule”). The proposal contains five main modifications to the existing Rule. First, it adds provisions designed to provide covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program. Second, it adds provisions designed to improve the accountability of financial institutions’ information security programs. Third, it exempts small businesses from certain requirements. Fourth, it expands the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities. Finally, the Commission proposes to include the definition of “financial institution” and related examples in the Rule itself rather than cross-reference them from a related FTC rule, the Privacy of Consumer Financial Information Rule.

DATES: Written comments must be received on or before June 3, 2019.

ADDRESSES: Interested parties may file a comment online or on paper by following the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Write “Safeguards Rule, 16 CFR part 314, Project No. P145407,” on your comment and file your comment online at https://www.regulations.gov by following the instructions on the web-based form. If you prefer to file your comment on paper, mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC–5610 (Annex B), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex B), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: David Lincicum or Allison M. Lefrak, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580, (202) 326–2773 or (202) 326–2804.

SUPPLEMENTARY INFORMATION:

I. Background

The Gramm Leach Bliley Act (“GLB” or “GLBA”) was enacted in 1999.1 The GLBA provides a framework for regulating the privacy and data security practices of a broad range of financial institutions.
Among other things, the GLBA requires financial institutions to provide customers with information about the institutions’ privacy practices and about their opt-out rights, and to implement security safeguards for customer information. Subtitle A of Title V of the GLBA required the Commission and other federal agencies to establish standards for financial institutions relating to administrative, technical, and physical safeguards for certain information.2 Pursuant to the Act’s directive, the Commission promulgated the Safeguards Rule in 2002. The Safeguards Rule became effective on May 23, 2003. The Safeguards Rule requires a financial institution to develop, implement, and maintain a comprehensive information security program that consists of the administrative, technical, and physical safeguards the financial institution uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.3 The information security program must be written in one or more 1 Public Law 106–102, 113 Stat. 1338 (1999). 15 U.S.C. 6801(b), 6805(b)(2). 3 16 CFR 314.2(c). 2 See E:\FR\FM\04APP1.SGM 04APP1


[Federal Register Volume 84, Number 65 (Thursday, April 4, 2019)]
[Proposed Rules]
[Pages 13150-13158]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-06039]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 313

RIN 3084-AB42


Privacy of Consumer Financial Information Rule Under the Gramm-
Leach-Bliley Act

AGENCY: Federal Trade Commission.

[[Page 13151]]


ACTION: Notice of proposed rulemaking; request for public comment.

-----------------------------------------------------------------------

SUMMARY: The Federal Trade Commission is proposing to amend its Privacy 
Rule for certain financial institutions subject to the Rule to revise 
the Rule's scope, to modify the Rule's definitions of ``financial 
institution'' and ``federal functional regulator,'' and to update the 
Rule's annual customer privacy notice requirement. The proposed 
amendments will also remove certain examples in the Rule that apply to 
financial institutions that now fall outside the scope of the 
Commission's Rule. This action is necessary to conform the Rule to the 
current requirements of the Gramm-Leach-Bliley Act (GLBA), as amended 
by the Dodd-Frank and FAST Acts, and will clarify which financial 
institutions are covered by the Commission's Rule and their annual 
customer privacy notice obligations under the Rule.

DATES: Written comments must be received on or before June 3, 2019.

ADDRESSES: Interested parties may file a comment online or on paper by 
following the Request for Comment part of the SUPPLEMENTARY INFORMATION 
section below. Write ``Amendment to the Privacy of Consumer Financial 
Information Rule, 16 CFR part 313, Rulemaking No. R411016,'' on your 
comment and file your comment online at https://www.regulations.gov by 
following the instructions on the web-based form. If you prefer to file 
your comment on paper, mail your comment to the following address: 
Federal Trade Commission, Office of the Secretary, 600 Pennsylvania 
Avenue NW, Suite CC-5610 (Annex B), Washington, DC 20580, or deliver 
your comment to the following address: Federal Trade Commission, Office 
of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, 
Suite 5610 (Annex B), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: David Lincicum or Allison M. Lefrak, 
Division of Privacy and Identity Protection, Bureau of Consumer 
Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, 
Washington, DC 20580, (202) 326-2773 or (202) 326-2804.

SUPPLEMENTARY INFORMATION:

I. Background

A. The Statute and Regulation

    The GLBA was enacted in 1999.\1\ The GLBA, among other things, 
provides a framework for regulating the privacy practices of a broad 
range of financial institutions. The GLBA requires that financial 
institutions provide their customers with initial and annual notices 
regarding their privacy practices, and allow their customers to opt out 
of sharing their information with certain nonaffiliated third parties.
---------------------------------------------------------------------------

    \1\ Public Law 106-102, 113 Stat. 1338 (1999).
---------------------------------------------------------------------------

    Rulemaking authority to implement the GLBA's privacy provisions was 
initially spread among multiple agencies. The Federal Reserve Board 
(``the Fed''), the Office of the Comptroller of the Currency (``OCC''), the 
Federal Deposit Insurance Corporation (``FDIC''), and the Office of 
Thrift Supervision (``OTS'') jointly adopted final rules to implement 
the notice requirements of the GLBA in 2000.\2\ The Commission, the 
National Credit Union Administration (``NCUA''), the Securities and 
Exchange Commission (``SEC''), and the Commodity Futures Trading 
Commission (``CFTC'') were part of the same interagency process, but 
each issued their rules separately.\3\ In 2009, all those agencies 
jointly adopted a model form that financial institutions could use to 
provide the required initial and annual privacy disclosures.\4\
---------------------------------------------------------------------------

    \2\ 65 FR 35162 (June 1, 2000).
    \3\ 65 FR 33646 (May 24, 2000) (FTC final rule); 65 FR 31722 
(May 18, 2000) (NCUA final rule); 65 FR 40334 (June 29, 2000) (SEC 
final rule); 66 FR 21236 (Apr. 27, 2001) (CFTC final rule).
    \4\ 74 FR 62890 (Dec. 1, 2009); see also 16 CFR 313.2, 313.4-
313.9.
---------------------------------------------------------------------------

    As originally promulgated, the FTC's Privacy Rule covered a broad 
range of non-bank financial institutions such as payday lenders, 
mortgage brokers, check cashers, debt collectors, real estate 
appraisers, certain motor vehicle dealers, and remittance transfer 
providers. In 2010, the Dodd-Frank Act \5\ transferred the GLBA's 
privacy notice rulemaking authority from the Fed, NCUA, OCC, OTS, the 
FDIC, and the Commission (in part) to the Consumer Financial Protection 
Bureau (``CFPB''). The CFPB then restated the implementing regulations 
in Regulation P, 12 CFR part 1016, in late 2011 (``Regulation P'').\6\ 
However, under section 1029 of the Dodd-Frank Act, the Commission 
retained rulemaking authority for certain motor vehicle dealers.\7\ 
Thus, in 2012, the Commission issued a notice that it was retaining the 
implementing regulations governing privacy notices for motor vehicle 
dealers at 16 CFR part 313.\8\
---------------------------------------------------------------------------

    \5\ Public Law 111-203, 124 Stat. 1376 (2010).
    \6\ 76 FR 79025 (Dec. 21, 2011).
    \7\ 12 U.S.C. 5519. The FTC retained rulemaking jurisdiction as 
to motor vehicle dealers that are predominantly engaged in the sale 
and servicing or the leasing and servicing of motor vehicles, 
excluding those dealers that directly extend credit to consumers and 
do not routinely assign the extensions of credit to an unaffiliated 
third party. For ease of reference, covered motor vehicle dealers 
are referenced herein as ``motor vehicle dealers.''
    \8\ 77 FR 22200, 22201 (April 13, 2012) (also rescinding those 
regulations for which rulemaking authority was transferred to the 
CFPB under the Dodd-Frank Act).
---------------------------------------------------------------------------

    Despite the transfer of general rulemaking authority for the 
Privacy Rule to the CFPB, the Commission and other agencies retain 
their existing enforcement authority under the GLBA.\9\ In addition, 
the SEC and CFTC retain rulemaking authority with respect to securities 
and futures-related companies, respectively.\10\ Accordingly, as part 
of this rulemaking process, the Commission has consulted and 
coordinated, or offered to consult, with those agencies that have 
rulemaking and/or enforcement authority under the GLBA, including the 
CFPB, SEC, CFTC, and the National Association of Insurance 
Commissioners (``NAIC'').\11\
---------------------------------------------------------------------------

    \9\ 15 U.S.C. 6805(a).
    \10\ 15 U.S.C. 6804, 6809; 12 U.S.C. 1843(k)(4); 12 CFR 
1016.1(b).
    \11\ See 15 U.S.C. 6804(a)(2).
---------------------------------------------------------------------------

    On December 4, 2015, Congress amended the GLBA as part of the FAST 
Act. This amendment, titled Eliminate Privacy Notice Confusion,\12\ 
added GLBA subsection 503(f). This subsection provides an exception 
under which financial institutions that meet certain conditions are not 
required to provide annual privacy notices to customers.
---------------------------------------------------------------------------

    \12\ Public Law 114-94, sec. 75001, 129 Stat. 1312, 1787 (2015).
---------------------------------------------------------------------------

B. The Privacy Notice Requirements

    As noted, the GLBA and the Privacy Rule require that motor vehicle 
dealers provide consumers with notices describing their privacy 
policies. Specifically, section 503 of the GLBA and the Privacy Rule 
require covered entities to provide an initial notice of these 
policies,\13\ and then ``provide a clear and conspicuous notice to 
customers that accurately reflects [their] privacy policies and 
practices not less than annually during the continuation of the 
customer relationship.'' \14\
---------------------------------------------------------------------------

    \13\ 15 U.S.C. 6803; 16 CFR 313.4.
    \14\ 15 U.S.C. 6803; 16 CFR 313.5(a)(1).
---------------------------------------------------------------------------

    Section 502 of the GLBA and the Privacy Rule require that initial 
and annual notices inform customers of their right to opt out of the 
sharing of nonpublic personal information with some types of 
nonaffiliated third parties.\15\ For example, a customer has the right 
to opt out of allowing a motor vehicle dealer to sell her name and 
address to a nonaffiliated auto insurance company.\16\ On the other 
hand, a motor vehicle dealer is not required to allow consumers to opt 
out of the dealer's

[[Page 13152]]

sharing involving third-party service providers, joint marketing 
arrangements, maintenance and servicing of accounts, securitization, 
law enforcement and compliance, reporting to consumer reporting 
agencies, and certain other activities that are specified in the 
statute and regulation.\17\ Accordingly, if a motor vehicle dealer 
limits its sharing to uses that do not trigger opt-out rights, it may 
provide an annual privacy notice to its customers that does not include 
information regarding opt-out rights.
---------------------------------------------------------------------------

    \15\ 15 U.S.C. 6802; 16 CFR 313.6(a)(6).
    \16\ 16 CFR 313.10(a).
    \17\ 15 U.S.C. 6802(b)(2), 6802(e); 16 CFR 313.13-313.15.
---------------------------------------------------------------------------

    Motor vehicle dealers also may include in the annual privacy notice 
information about certain consumer opt-out rights related to affiliate 
sharing under the Fair Credit Reporting Act (``FCRA''). First, section 
603(d)(2)(A)(iii) of the FCRA allows the sharing of a consumer's 
information among affiliates, but only if the consumer is notified of 
such sharing and is given an opportunity to opt out.\18\ Section 
503(c)(4) of the GLBA and the Privacy Rule generally require motor 
vehicle dealers to incorporate any notifications and opt-out 
disclosures provided pursuant to section 603(d)(2)(A)(iii) of the FCRA 
into their initial and annual privacy notices.\19\
---------------------------------------------------------------------------

    \18\ 15 U.S.C. 1681a(d)(2)(A)(iii).
    \19\ 15 U.S.C. 6803(c)(4); 16 CFR 313.6(a)(7).
---------------------------------------------------------------------------

    Second, section 624 of the FCRA and the FTC's Affiliate Marketing 
Rule \20\ provide that an affiliate of a motor vehicle dealer that 
receives certain information about a consumer from the dealer may not 
use that information for marketing purposes, unless the consumer is 
provided with an opportunity to opt out of that use.\21\ This 
requirement governs the use of information by an affiliate, not the 
sharing of information among affiliates, and thus is distinct from the 
affiliate sharing opt-out discussed above. The Affiliate Marketing Rule 
permits (but does not require) motor vehicle dealers to incorporate any 
opt-out disclosures provided under section 624 of the FCRA and the 
Affiliate Marketing Rule into the initial and annual privacy notices 
required by the GLBA.\22\
---------------------------------------------------------------------------

    \20\ 16 CFR 680.1-680.28.
    \21\ 15 U.S.C. 1681s-3. The FTC's Affiliate Marketing Rule 
applies to motor vehicle dealers. See 77 FR 22200 (Apr. 13, 2012). 
The FTC also enforces the CFPB's Regulation V's Affiliate Marketing 
Rule, 12 CFR part 1022, subpart C, for other entities over which the 
FTC has enforcement authority under the FCRA.
    \22\ 16 CFR 680.23(b).
---------------------------------------------------------------------------

    Finally, section 313.6(a)(8) of the Privacy Rule requires that the 
initial and annual notices briefly describe how motor vehicle dealers 
protect the nonpublic personal information they collect and maintain.

II. Proposed Revision of the Privacy Rule

A. The Consumer Financial Protection Bureau Rulemaking

    In December 2011, the CFPB issued a Request for Information seeking 
specific suggestions for streamlining regulations that were transferred 
to the CFPB from other Federal agencies, including the annual privacy 
notice requirement.\23\ After receiving numerous comments, in May 2014, 
the CFPB issued a proposed rule to amend its Regulation P to allow 
financial institutions to notify consumers that a privacy notice was 
available online, in certain enumerated circumstances.\24\ The CFPB 
finalized its rulemaking in October 2014.\25\
---------------------------------------------------------------------------

    \23\ 76 FR 75825, 75828 (Dec. 5, 2011).
    \24\ 79 FR 27214 (May 14, 2014) (CFPB Notice of Proposed 
Rulemaking).
    \25\ 79 FR 64057 (Oct. 28, 2014).
---------------------------------------------------------------------------

B. The Commission's 2015 Proposed Rulemaking

    On June 24, 2015, the Commission published a Notice of Proposed 
Rulemaking (``2015 NPRM'') proposing revisions to the Privacy Rule.\26\ 
First, the Commission proposed a number of changes to comport with the 
Dodd-Frank Act revision of GLBA, which transferred rulemaking authority 
for most financial institutions to the CFPB. The Commission also 
proposed amending the Rule to allow motor vehicle dealers to notify 
their customers that a privacy notice is available online, under 
circumstances identical to those that had been adopted by the CFPB.\27\
---------------------------------------------------------------------------

    \26\ 80 FR 36267 (June 24, 2015).
    \27\ See 79 FR 64057 (Oct. 28, 2014).
---------------------------------------------------------------------------

    The Commission received six comments from individuals and 
entities.\28\
---------------------------------------------------------------------------

    \28\ The comments are posted at: https://www.ftc.gov/policy/public-comments/2015/06/initiative-614. The Commission assigned each 
comment a number appearing after the name of the commenter and the 
date of submission.
---------------------------------------------------------------------------

C. The Passage of the FAST Act

    As described above, on December 4, 2015, President Obama signed the 
FAST Act. The FAST Act contains a provision that modified the annual 
privacy notice requirement under the GLBA. The provision states that a 
financial institution is not required to provide an annual privacy 
notice if it: (1) Only shares non-public personal information with non-
affiliated third parties in a manner that does not require an opt-out 
right be provided to customers (e.g., if the institution discloses 
nonpublic personal information to a service provider or for fraud 
detection and prevention purposes), and (2) has not changed its 
policies and practices with respect to disclosing nonpublic personal 
information since it last provided a privacy notice to its 
customers.\29\ This modification of the GLBA rendered the Commission's 
proposed changes to the Privacy Rule moot because those changes, if 
adopted, would have been in conflict with the revised statute.\30\
---------------------------------------------------------------------------

    \29\ 15 U.S.C. 6803(f).
    \30\ In 2016, the CFPB issued a proposed amendment to Regulation 
P that would alter the annual notice requirement to conform to the 
statutory changes. 81 FR 44801 (July 11, 2016). The rule became 
final in September 2018. 83 FR 40945 (Sept. 17, 2018).
---------------------------------------------------------------------------

D. New Proposed Changes to the Privacy Rule

    In light of this history, the Commission is issuing this notice of 
proposed rulemaking. The Commission now proposes to make three types of 
changes to the Privacy Rule: (1) Technical changes to the Rule to 
correspond to the reduced scope of the Rule due to Dodd-Frank Act 
changes, which primarily consist of removing references that do not 
apply to motor vehicle dealers; (2) modifications to the annual privacy 
notice requirements to reflect the changes made to the GLBA by the FAST 
Act; and (3) a modification to the scope and definition of ``financial 
institution'' to include entities engaged in activities that are 
incidental to financial activities, which would bring the Rule into 
accord with the CFPB's Regulation P.
1. Technical Changes To Correspond to Statutory Changes Resulting From 
the Dodd-Frank Act
    The Commission adopted the scope of, and definitions in, the 
original Privacy Rule at a time when it had rulemaking authority for 
the Privacy Rule over a broader group of non-bank ``financial 
institutions'' as defined by the GLBA. While the Dodd-Frank Act did not 
change the Commission's enforcement authority for the privacy notice 
obligations of the GLBA, it did amend the Commission's rulemaking 
authority under the GLBA such that the Privacy Rule only applies to 
motor vehicle dealers.\31\ The amendments in the Dodd-Frank Act 
necessitate certain technical revisions to the Privacy Rule to ensure 
that the regulation is consistent with the text of the amended 
GLBA.\32\ For example, retaining examples that apply to entities other

[[Page 13153]]

than motor vehicle dealers may lead to confusion about the existing, 
narrower scope of the Privacy Rule. Accordingly, the Commission 
proposes to modify the Privacy Rule to provide clearer guidance to 
financial institutions that are covered motor vehicle dealers.\33\
---------------------------------------------------------------------------

    \31\ For other types of financial institutions over which the 
Commission has enforcement authority under the GLBA, the Commission 
now enforces the CFPB's Regulation P.
    \32\ 15 U.S.C. 6804(1)(C).
    \33\ The Commission also proposes a change to 16 CFR 313.3(j) 
removing the Director of the Office of Thrift Supervision from the 
definition of ``Federal Functional Regulators,'' as the Office of 
Thrift Supervision no longer exists.
---------------------------------------------------------------------------

    The proposed amendment to section 313.1(b) narrows the description 
of the scope of the Privacy Rule to those entities set forth in the 
Dodd-Frank Act \34\ that are predominantly engaged in the sale and 
servicing of motor vehicles or the leasing and servicing of motor 
vehicles, excluding those dealers that directly extend credit to 
consumers and do not routinely assign the extensions of credit to an 
unaffiliated third party. It also removes the reference in the Rule's 
scope to ``other persons'': Although the Commission continues to have 
enforcement authority over ``other persons'' covered by the CFPB's 
Regulation P, the Commission no longer has rulemaking authority for the 
Privacy Rule over ``other persons.'' \35\ In addition, the Commission 
proposes to eliminate from section 313.1(b) the note indicating that 
(1) the Privacy Rule does not modify, limit, or supersede the standards 
under the Health Insurance Portability and Accountability Act of 1996, 
and (2) if a financial institution that is an institution of higher 
education is in compliance with the Federal Educational Rights and 
Privacy Act (``FERPA'') and its implementing regulations, such 
institution shall be deemed in compliance with the Privacy Rule. The 
Commission does not believe these provisions will apply to motor 
vehicle dealers covered by the Rule and believes they should be removed 
to improve clarity. The Commission invites comments on whether these provisions 
are relevant to motor vehicle dealers and should be retained.
---------------------------------------------------------------------------

    \34\ 12 U.S.C. 5519.
    \35\ The Commission also proposes to amend 16 CFR 313.15(a)(4) 
to add the CFPB to the list of law enforcement agencies with which 
financial institutions are permitted to share information to the 
extent permitted by law.
---------------------------------------------------------------------------

    The proposed amendments to section 313.3 also remove any examples 
that are not likely to apply to motor vehicle dealers. To help 
companies understand whether and how the Rule applies to them, the Rule 
includes examples of financial institutions in section 313.3(k)(2). The 
current examples refer to types of activities that motor vehicle 
dealers typically do not engage in. Therefore, leaving those examples 
in the Rule may lead to confusion about the Rule's current scope.
    The proposed amendments also remove certain examples from the 
definition of ``consumer'' in section 313.3(e)(2). These examples do 
not apply because motor vehicle dealers do not provide the types of 
services provided in the examples, such as financial, investment, or 
economic advisory services or serving as the trustee of a trust.
    Likewise, the proposed amendments remove certain examples of 
establishing a customer relationship from section 313.4(c)(3)(i). The 
removed examples do not apply to customers of motor vehicle dealers, 
because such activities are not related to the sale or leasing of motor 
vehicles. These include creating credit card accounts, providing 
investment advice or tax counseling, providing mortgages, collecting 
debts from other financial institutions, and providing websites for 
consumers to review all of their on-line financial accounts with other 
financial institutions.
    Finally, the proposed amendments remove certain examples of 
termination of customer relationships from section 313.5(b)(2). As with 
previously discussed proposed amendments, the removed examples concern 
customer relationships based on services that motor vehicle dealers do 
not provide. These include credit card accounts, credit counseling 
services, tax preparation, and real estate settlement. The removal of 
these inapplicable examples will increase the clarity of the rule by 
focusing on matters that are relevant to the regulated financial 
institutions. Removing these examples will not alter the substance of 
the underlying definitions or provisions of the rule, which will have 
the same reach and applicability as before the revisions. The changes 
are intended to improve clarity, not to alter substance. The Commission 
invites comments on whether any of the omitted examples should be 
retained.
    Although the Dodd-Frank Act altered the Commission's rulemaking 
authority with respect to the Privacy Rule, it did not alter the 
Commission's rulemaking authority for the Safeguards Rule. For the 
Safeguards Rule, the Commission continues to have rulemaking authority 
over a broad range of non-bank financial institutions. The Safeguards 
Rule, however, currently incorporates by reference the definitions 
contained in the Privacy Rule, including all of the examples of 
financial institutions listed in the existing Privacy Rule.\36\ 
Accordingly, while the Commission proposes to modify the Privacy Rule 
definitions to include examples applicable only to motor vehicle 
dealers, the Commission has also proposed in a separate concurrent NPRM 
to amend the Safeguards Rule to import definitions of relevant terms 
and examples from the current version of the Privacy Rule.\37\
---------------------------------------------------------------------------

    \36\ 16 CFR 314.2(a).
    \37\ The NPRM relating to the Safeguards Rule is published 
elsewhere in this issue of the Federal Register.
---------------------------------------------------------------------------

2. Modifications to the Annual Privacy Notice To Reflect Statutory 
Changes Resulting From the FAST Act
    The Commission also proposes changes to the Privacy Rule provisions 
governing how motor vehicle dealers should deliver annual privacy 
notices. These changes implement statutory changes resulting from the 
enactment of the FAST Act and replace those set forth in the 2015 NPRM.
    Several commenters opined on the proposed changes to notice 
delivery in the 2015 NPRM. Those comments have been rendered obsolete 
by the statutory changes. The current proposed rule implements the 
changes set forth in the FAST Act.

Section 313.5(a)(1)--General Rule

    The proposed section 313.5(a)(1) notes that section 313.5(e) 
provides an exception to the general rule requiring the delivery of 
annual notices.

Section 313.5(e)

    This proposed new section sets forth the exception to the annual 
privacy notice requirement. The Commission adopts the reasoning and 
changes set forth by the CFPB in its amendments to Regulation P to 
adopt the FAST Act changes.\38\ First, proposed section 313.5(e)(1)(i) 
sets forth that the financial institution must share nonpublic personal 
information only in accordance with the provisions of sections 313.13, 
313.14, and 313.15, none of which require an opt-out opportunity be 
provided to customers. Second, proposed section 313.5(e)(1)(ii) states 
that the financial institution must also not have changed its 
disclosure policies and practices that were contained in its most 
recent privacy notice to customers.
---------------------------------------------------------------------------

    \38\ See 81 FR 44801 (July 10, 2016).
---------------------------------------------------------------------------

    Proposed section 313.5(e)(2) sets forth the timing for delivering 
an annual notice if a financial institution no longer meets 
requirements for the exception and must resume delivery of annual 
notices. There are two scenarios under which a financial institution 
would need to resume delivering annual notices: (1) Where the change in 
its policies triggers the existing requirement

[[Page 13154]]

to issue a revised privacy notice, as required by section 313.8; and 
(2) where the change does not trigger a need for the financial 
institution to issue a revised notice under section 313.8. These two 
situations are addressed by proposed sections 313.5(e)(2)(i) and (ii), 
respectively. In the first situation, the revised notice issued by the 
financial institution acts as an initial privacy notice for the 
purposes of the timing of future annual notices. In the second 
situation, the financial institution must provide an annual notice to 
customers within 100 days of the change in policies or practices. 
Proposed section 313.5(e)(2)(iii) sets forth an example for both 
scenarios.
3. Modifications To Scope and Definitions To Bring the Rule Into Accord 
With Regulation P
    Whether a company is a ``financial institution'' is determined by 
the types of activities in which the company engages. When first 
promulgating the Privacy Rule, the Commission determined that companies 
engaged in activities that are ``incidental to financial activities'' 
would not be considered ``financial institutions.'' \39\ The Commission 
was the only agency to adopt this restrictive definition in its Privacy 
Rule, while the other agencies included incidental activities.\40\ In 
addition, the Commission decided that activities that were determined 
to be financial in nature after the enactment of the GLBA would not be 
automatically included in its Privacy Rule; rather, the Commission 
would have to take additional action to include them.\41\ The effect of 
these two decisions was to limit the activities covered by the 
Commission's rules to those set out in 12 CFR 225.28 as it existed in 
1999, and to exclude any activities later determined by the Fed to be 
financial activities or incidental to those activities.\42\
---------------------------------------------------------------------------

    \39\ See 16 CFR 313.3(k); see also 65 FR 33646, 33654 (May 24, 
2000).
    \40\ The Commission also added the requirement that an entity 
must be ``significantly engaged'' in the financial activity to be 
considered a financial institution under the Privacy Rule. 16 CFR 
313.3(k). The Commission is not proposing to change this 
requirement.
    \41\ 65 FR 33646, 33654 n.23 (May 24, 2000).
    \42\ Id.
---------------------------------------------------------------------------

    The Commission proposes modifying the definition of ``financial 
institution'' to harmonize the Privacy Rule with other agencies' rules. 
The Commission proposes to amend section 313.1(b) to include companies 
that engage in activities that are financial in nature or incidental to 
such financial activities. Likewise, it proposes to amend the 
definition of ``financial institution'' in section 313.3(k), to include 
any institution the business of which is engaging in an activity that 
is financial in nature or incidental to such financial activities.\43\ 
The effect of this proposed amendment would be to cause ``finders'' to 
be included in this definition, thereby bringing the Privacy Rule into 
harmony with the scope of entities covered by other agencies under 
Regulation P. It would not bring any other activities under the 
coverage of the definition because the Fed has not determined any 
activity other than ``finding'' to be financial in nature or incidental 
to such activity since the enactment of the GLBA. In practice, the 
Commission expects that this change to the Privacy Rule will have 
little to no effect because of the already narrow scope of the Rule: It 
is not clear that there are any motor vehicle dealers that would be 
covered by this rule whose only activity that would qualify them as a 
financial institution is the act of finding, as most motor vehicle 
dealers are more directly involved in obtaining financing for their 
customers. Nevertheless, the Commission believes this change is 
important to keep the Rule consistent with the Safeguards Rule and 
other agencies' GLBA implementing rules.
---------------------------------------------------------------------------

    \43\ This proposal is also consistent with the agency's 
concurrent proposal to revise the Safeguards Rule in the same 
manner.
---------------------------------------------------------------------------

    The Commission has not previously requested comment on revising the 
definition of ``financial institution'' in this way for the Privacy 
Rule. Through this NPRM, it does so here. Specifically, the Commission 
seeks information on (1) whether any entities function as ``finders'' 
for motor vehicle dealers, and if so how many; (2) whether such finders 
collect or maintain customer information as defined by the Rule; and 
(3) the costs and benefits, including the costs and benefits to finders 
and consumers, of this proposed amendment.

III. Request for Comment

    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before June 3, 2019. 
Write ``Amendment to the Privacy of Consumer Financial Information 
Rule, 16 CFR part 313, Rulemaking No. R411016'' on the comment. Your 
comment, including your name and your state, will be placed on the 
public record of this proceeding, including, to the extent practicable, 
the https://www.regulations.gov website.
    Postal mail addressed to the Commission is subject to delay due to 
heightened security screening. As a result, we encourage you to submit 
your comment online. To make sure that the Commission considers your 
online comment, you must file it at https://www.regulations.gov by 
following the instructions on the web-based form.
    If you file your comment on paper, write ``Amendment to the Privacy 
of Consumer Financial Information Rule, 16 CFR part 313, Rulemaking No. 
R411016,'' on your comment and on the envelope, and mail your comment 
to the following address: Federal Trade Commission, Office of the 
Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex B), 
Washington, DC 20580, or deliver your comment to the following address: 
Federal Trade Commission, Office of the Secretary, Constitution Center, 
400 7th Street SW, 5th Floor, Suite 5610 (Annex B), Washington, DC 
20024. If possible, please submit your paper comment to the Commission 
by courier or overnight service.
    Because your comment will be placed on the publicly accessible 
website, https://www.regulations.gov/, you are solely responsible for 
making sure that your comment does not include any sensitive or 
confidential information. In particular, your comment should not 
include any sensitive personal information, such as your or anyone 
else's Social Security number, date of birth, driver's license number 
or other state identification number or foreign country equivalent, 
passport number, financial account number, or credit or debit card 
number. You are also solely responsible for making sure that your 
comment does not include any sensitive health information, such as 
medical records or other individually identifiable health information. 
In addition, your comment should not include any ``trade secret or any 
commercial or financial information which . . . is privileged or 
confidential,'' as provided by section 6(f) of the FTC Act, 15 U.S.C. 
46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2), including in 
particular, competitively sensitive information such as costs, sales 
statistics, inventories, formulas, patterns, devices, manufacturing 
processes, or customer names.
    Comments containing material for which confidential treatment is 
requested must be filed in paper form, must be clearly labeled 
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular, 
the written request for confidential treatment that accompanies the 
comment must include the factual and legal basis for the request, and 
must identify the specific portions of the comments to be withheld from 
the public record.\44\ Your comment will be kept confidential only if the 
FTC General Counsel grants your request in accordance with the law and 
the public interest. Once your comment has been posted publicly at 
www.regulations.gov, we cannot redact or remove your comment from the 
FTC website, unless you submit a confidentiality request that meets the 
requirements for such treatment under FTC Rule 4.9(c), and the General 
Counsel grants that request.
---------------------------------------------------------------------------

    \44\ See 16 CFR 4.9(c).
---------------------------------------------------------------------------

    Visit the Commission website at https://www.ftc.gov/ to read this 
document and the news release describing it. The FTC Act and other laws 
that the Commission administers permit the collection of public 
comments to consider and use in this proceeding as appropriate. The 
Commission will consider all timely and responsive public comments that 
it receives on or before June 3, 2019. For information on the 
Commission's privacy policy, including routine uses permitted by the 
Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.

IV. Communications by Outside Parties to the Commissioners or Their 
Advisors

    Written communications and summaries or transcripts of oral 
communications respecting the merits of this proceeding, from any 
outside party to any Commissioner or Commissioner's advisor, will be 
placed on the public record.\45\
---------------------------------------------------------------------------

    \45\ 16 CFR 1.26(b)(5).
---------------------------------------------------------------------------

V. Paperwork Reduction Act

    Under the Paperwork Reduction Act of 1995 (PRA),\46\ Federal 
agencies are generally required to seek Office of Management and Budget 
(OMB) approval for information collection requirements prior to 
implementation. Under the PRA, the Commission may not conduct or 
sponsor, and, notwithstanding any other provision of law, a person is 
not required to respond to an information collection, unless the 
information collection displays a valid control number assigned by OMB.
---------------------------------------------------------------------------

    \46\ 44 U.S.C. 3501 et seq.
---------------------------------------------------------------------------

    This proposal would amend 16 CFR part 313. The collections of 
information related to the Privacy Rule and the FAST Act statutory 
exceptions to the Rule's annual notice requirement have been previously 
reviewed and approved by OMB in accordance with the PRA.\47\
---------------------------------------------------------------------------

    \47\ The FTC has current clearance through November 30, 2020. 
The OMB Control Number is 3084-0121.
---------------------------------------------------------------------------

    Under the existing clearance, the FTC has attributed to itself the 
estimated burden regarding all motor vehicle dealers and then shares 
equally the remaining estimated PRA burden with the CFPB for other 
types of financial institutions for which both agencies have 
enforcement authority regarding the GLBA Privacy Rule.\48\
---------------------------------------------------------------------------

    \48\ 82 FR 48081.
---------------------------------------------------------------------------

    The proposed amendments do not modify or add to information 
collection requirements that were previously approved by OMB. First, 
the Commission anticipates that the proposed expansion of the 
definition of ``financial institution'' to include entities engaged in 
activities that are incidental to financial activities will have little 
to no effect. It is not clear that any finders are in the business of 
linking consumers with financing through motor vehicle dealers, as 
opposed to other types of financial institutions such as payday lenders 
or mortgage lenders.
    Second, the proposed removal of certain examples provided in the 
Rule that are not applicable to motor vehicle dealers will have no 
impact on existing information collection requirements.
    Therefore, the Commission does not believe that the proposed 
amendments would substantially or materially modify any ``collections 
of information'' as defined by the PRA.
    The Commission seeks comment on whether there are any finders in 
existence that would be covered by the proposed Rule. If there are such 
businesses, the Commission will seek OMB clearance as appropriate.

VI. Regulatory Flexibility Act

    The Regulatory Flexibility Act (RFA), as amended by the Small 
Business Regulatory Enforcement Fairness Act of 1996, requires an 
agency to either provide an Initial Regulatory Flexibility Analysis 
(``IRFA'') with a proposed rule, or certify that the proposed rule will 
not have a significant impact on a substantial number of small 
entities.\49\ The Commission does not expect that this Rule, if 
adopted, would have the threshold impact on small entities. First, most 
of the burdens flow from the mandates of the GLBA, not from the 
specific provisions of the proposed Rule. Second, the Commission does 
not expect the proposal to impose costs on small motor vehicle dealers 
because the amendments are primarily for clarification purposes and 
should not result in any increased burden on any motor vehicle dealer. 
Thus, a small entity that complies with current law need not take any 
different or additional action if the proposal is adopted. Nonetheless, 
the Commission has determined that it is appropriate to publish an 
Initial Regulatory Flexibility Analysis in order to inquire into the 
impact of the proposed Rule on small entities. The Commission does not 
believe that there are any small entities engaged in finding for motor 
vehicle financing that would now be covered as a result of the modified 
definition of ``financial institution.'' However, the Commission 
invites comment on this issue.
---------------------------------------------------------------------------

    \49\ 5 U.S.C. 603-605.
---------------------------------------------------------------------------

1. Reasons for the Proposed Rule

    To address the Dodd-Frank Act and FAST Act changes, the Commission 
proposes to change the Privacy Rule's scope and definition of 
``financial institution''; change the annual notice requirement; and 
remove certain examples provided in the Rule that are not applicable to 
motor vehicle dealers. These changes will make the current, narrow 
scope of the Rule clearer. Additionally, the Commission proposes 
modifying the definition of ``financial institution'' to harmonize the 
Privacy Rule with other agencies' rules by including ``activities 
incidental to financial activities'' as a financial activity. This 
change would bring ``finders'' within the scope of the Rule.

2. Statement of Objectives and Legal Basis

    The objectives of the proposed Rule are discussed above. The legal 
basis for the proposed Rule is section 501(b) of the GLBA.

3. Description of Small Entities to Which the Rule Will Apply

    Determining a precise estimate of the number of small entities 
\50\--including newly covered entities under the modified definition of 
financial institution--is not readily feasible. Financial institutions 
covered by the Rule include certain motor vehicle dealers. If the 
proposed Rule is finalized, finders will also be covered. 
The Commission requests comment and information on whether there are 
any finders in existence that would be covered by the proposed Rule.
---------------------------------------------------------------------------

    \50\ The U.S. Small Business Administration Table of Small 
Business Size Standards Matched to North American Industry 
Classification System Codes (NAICS) are generally expressed in 
either millions of dollars or number of employees. A size standard 
is the largest that a business can be and still qualify as a small 
business for Federal Government programs. For the most part, size 
standards are the annual receipts or the average employment of a 
firm. New car dealers (NAICS code 441100) are classified as small if 
they have fewer than 200 employees. Used car dealers (NAICS code 
441120) are classified as small if their annual receipts are $25 
million or less. Recreational vehicle dealers, boat dealers, 
motorcycle, ATV and all other motor vehicle dealers (NAICS codes 
441210, 441222 and 441228) are classified as small if their annual 
receipts are $32.5 million or less. The 2017 Table of Small Business 
Size Standards is available at https://www.sba.gov/sites/default/files/files/Size_Standards_Table_2017.pdf.
---------------------------------------------------------------------------

4. Projected Reporting, Recordkeeping, and Other Compliance 
Requirements

    The Commission does not believe that the proposed Rule would impose 
any new or substantively revised ``collections of information'' as 
defined by the PRA. Rather, the Commission believes that the proposed 
amendments would have the overall effect of reducing the currently 
cleared estimated burden for the information collections associated 
with the Privacy Rule annual notice. The Commission invites comment on 
the costs to newly covered financial institutions--if there are any--of 
complying with the Rule.

5. Identification of Duplicative, Overlapping, or Conflicting Federal 
Rules

    The Commission's proposal to modify the definition of ``financial 
institution'' harmonizes the Privacy Rule with other agencies' rules. 
The effect of this proposed amendment, as discussed above, would be to 
cause ``finders'' to be covered by the Rule, thereby bringing the scope 
of the Privacy Rule into harmony with the scope of entities covered by 
other agencies under Regulation P. The Commission believes that this 
proposal does not create conflicting or duplicative obligations on 
small entities. As stated previously, the Commission does not believe 
there are any newly covered financial institutions resulting from the 
proposed definitional modification. However, the Commission is 
requesting comment on the extent to which other federal standards 
involving privacy notices may duplicate and/or satisfy or possibly 
conflict with the Rule's requirements for any newly covered financial 
institutions.

6. Discussion of Significant Alternatives

    As stated previously, the Commission does not believe there are any 
newly covered financial institutions resulting from the proposed 
definitional modification. Moreover, the Commission believes that the 
other proposed amendments would have the overall effect of reducing the 
burden for all covered entities associated with the Privacy Rule annual 
notice. The proposed amendments do not reduce the flexibility already 
present in the existing Rule, which allows notices to be provided in a 
variety of ways, including electronically in some circumstances. As to 
the core requirements of the proposed Rule, they come from GLBA itself, 
as amended by the Dodd-Frank Act and the FAST Act. The statute prescribes 
the definition of financial institutions to be covered by the Rule and 
sets forth the specific requirements, which the Commission cannot 
modify to ease burdens on small entities. Therefore, the Commission does 
not believe that any alternatives for small entities are required or 
appropriate. However, the Commission welcomes comment on any 
significant alternative consistent with the GLBA that would minimize 
the impact of the proposed Rule on small entities--specifically 
institutions that would be newly covered financial institutions--if 
there are any.

List of Subjects in 16 CFR Part 313

    Consumer protection, Credit, Data protection, Privacy, Trade 
practices.

    For the reasons stated above, the Federal Trade Commission proposes 
to amend 16 CFR part 313 as follows:

1. Revise the authority section for part 313 to read as follows:

    Authority:  15 U.S.C. 6801 et seq., 12 U.S.C. 5519.

2. In Sec.  313.1, revise paragraph (b) to read as follows:


Sec.  313.1   Purpose and scope.

* * * * *
    (b) Scope. This part applies only to nonpublic personal information 
about individuals who obtain financial products or services primarily 
for personal, family or household purposes from the institutions listed 
below. This part does not apply to information about companies or about 
individuals who obtain financial products or services for business, 
commercial, or agricultural purposes. This part applies to those 
``financial institutions'' over which the Federal Trade Commission 
(``Commission'') has rulemaking authority pursuant to section 
504(a)(1)(C) of the Gramm-Leach-Bliley Act. An entity is a ``financial 
institution'' if its business is engaging in an activity that is 
financial in nature or incidental to such financial activities as 
described in section 4(k) of the Bank Holding Company Act of 1956, 12 
U.S.C. 1843(k), which incorporates by reference activities enumerated 
by the Federal Reserve Board in 12 CFR 225.28 and 12 CFR 225.86. The 
``financial institutions'' subject to the Commission's rulemaking 
authority are any persons described in 12 U.S.C. 5519 that are 
predominantly engaged in the sale and servicing of motor vehicles, the 
leasing and servicing of motor vehicles, or both. They are referred to 
in this part as ``You.'' Excluded from the coverage of this regulation 
are motor vehicle dealers described in 12 U.S.C. 5519(b) that directly 
extend to consumers retail credit or retail leases involving motor 
vehicles in which the contract governing such extension of retail 
credit or retail leases is not routinely assigned to an unaffiliated 
third party finance or leasing source.
3. In Sec.  313.3, revise paragraphs (e), (i), (j), (k) and (q), to 
read as follows:


Sec.  313.3   Definitions.

* * * * *
    (e)(1) Consumer means an individual who obtains or has obtained a 
financial product or service from you that is to be used primarily for 
personal, family, or household purposes, or that individual's legal 
representative.
    (2) Examples--(i) An individual who applies to you for credit for 
personal, family, or household purposes is a consumer of a financial 
service, regardless of whether the credit is extended.
    (ii) An individual who provides nonpublic personal information to 
you in order to obtain a determination about whether he or she may 
qualify for a loan to be used primarily for personal, family, or 
household purposes is a consumer of a financial service, regardless of 
whether the loan is extended.
    (iii) If you hold ownership or servicing rights to an individual's 
loan that is used primarily for personal, family, or household 
purposes, the individual is your consumer, even if you hold those 
rights in conjunction with one or more other institutions. (The 
individual is also a consumer with respect to the other financial 
institutions involved.) An individual who has a loan in which you have 
ownership or servicing rights is your consumer, even if you, or another 
institution with those rights, hire an agent to collect on the loan.
    (iv) An individual who is a consumer of another financial 
institution is not your consumer solely because you act as agent for, 
or provide processing or other services to, that financial institution.
    (v) An individual is not your consumer solely because he or she is 
a participant or a beneficiary of an employee benefit plan that you 
sponsor or for which you act as a trustee or fiduciary.
* * * * *
    (i)(1) Customer relationship means a continuing relationship 
between a consumer and you under which you provide one or more 
financial products or services to the consumer that are to be used 
primarily for personal, family, or household purposes.
    (2) Examples--(i) Continuing relationship. A consumer has a 
continuing relationship with you if the consumer:
    (A) Has a credit or investment account with you;
    (B) Obtains a loan from you;
    (C) Purchases an insurance product from you;
    (D) Enters into an agreement or understanding with you whereby you 
undertake to arrange credit to purchase a vehicle for the consumer;
    (E) Enters into a lease of personal property on a non-operating 
basis with you; or
    (F) Has a loan for which you own the servicing rights.
    (ii) No continuing relationship. A consumer does not, however, have 
a continuing relationship with you if:
    (A) The consumer obtains a financial product or service from you 
only in isolated transactions, such as cashing a check with you or 
making a wire transfer through you;
    (B) You sell the consumer's loan and do not retain the rights to 
service that loan; or
    (C) The consumer obtains one-time personal appraisal services from 
you.
    (j) Federal functional regulator means:
    (1) The Board of Governors of the Federal Reserve System;
    (2) The Office of the Comptroller of the Currency;
    (3) The Board of Directors of the Federal Deposit Insurance 
Corporation;
    (4) The National Credit Union Administration Board; and
    (5) The Securities and Exchange Commission.
    (k)(1) Financial institution means any institution the business of 
which is engaging in an activity that is financial in nature or 
incidental to such financial activities as described in section 4(k) of 
the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k). An institution 
that is significantly engaged in financial activities is a financial 
institution.
    (2) Example of financial institution. An automobile dealership 
that, as a usual part of its business, leases automobiles on a 
nonoperating basis for longer than 90 days is a financial institution 
with respect to its leasing business because leasing personal property 
on a nonoperating basis where the initial term of the lease is at least 
90 days is a financial activity listed in 12 CFR 225.28(b)(3) and 
referenced in section 4(k)(4)(F) of the Bank Holding Company Act.
    (3) Financial institution does not include entities that engage in 
financial activities but that are not significantly engaged in those 
financial activities.
    (4) Example of entities that are not significantly engaged in 
financial activities. A motor vehicle dealer is not a financial 
institution merely because it accepts payment in the form of cash, 
checks, or credit cards that it did not issue.
* * * * *
    (q) You includes each ``financial institution'' over which the 
Commission has rulemaking authority pursuant to section 504(a)(1)(C) of 
the Gramm-Leach-Bliley Act (15 U.S.C. 6804(a)(1)(C)).
4. In Sec.  313.4, revise paragraphs (c)(3)(i) and (e), to read as 
follows:


Sec.  313.4   Initial privacy notice to consumers required.

* * * * *
    (c) * * *
    (3)(i) Examples of establishing a customer relationship. You 
establish a customer relationship when the consumer:
    (A) Executes the contract to obtain credit from you or purchase 
insurance from you; or
    (B) Executes the lease for personal property with you.
* * * * *
    (e) Exceptions to allow subsequent delivery of notice. (1) You may 
provide the initial notice required by paragraph (a)(1) of this section 
within a reasonable time after you establish a customer relationship 
if:
    (i) Establishing the customer relationship is not at the customer's 
election; or
    (ii) Providing notice not later than when you establish a customer 
relationship would substantially delay the customer's transaction and 
the customer agrees to receive the notice at a later time.
    (2) Examples of exceptions--(i) Substantial delay of customer's 
transaction. Providing notice not later than when you establish a 
customer relationship would substantially delay the customer's 
transaction when you and the individual agree over the telephone to 
enter into a customer relationship involving prompt delivery of the 
financial product or service.
    (ii) No substantial delay of customer's transaction. Providing 
notice not later than when you establish a customer relationship would 
not substantially delay the customer's transaction when the 
relationship is initiated in person at your office or through other 
means by which the customer may view the notice, such as through a 
website.
* * * * *
5. In Sec.  313.5, revise paragraphs (a)(1) and (b)(2) and add 
paragraph (e) to read as follows:


Sec.  313.5   Annual privacy notice to customers required.

    (a)(1) General rule. Except as provided by paragraph (e) of this 
section, you must provide a clear and conspicuous notice to customers 
that accurately reflects your privacy policies and practices not less 
than annually during the continuation of the customer relationship. 
Annually means at least once in any period of 12 consecutive months 
during which that relationship exists. You may define the 12-
consecutive-month period, but you must apply it to the customer on a 
consistent basis.
* * * * *
    (b) * * *
    (2) Examples. Your customer becomes a former customer when:
    (i) In the case of a closed-end loan, the customer pays the loan in 
full, you charge off the loan, or you sell the loan without retaining 
servicing rights;
    (ii) In the case of vehicle loan brokering services, your customer 
has obtained a loan through you (and you no longer provide any 
statements or notices to the customer concerning that relationship), or 
has ceased using your services for such purposes;
    (iii) In cases where there is no definitive time at which the 
customer relationship has terminated, you have not communicated with 
the customer about the relationship for a period of 12 consecutive 
months, other than to provide annual privacy notices or promotional 
material.
* * * * *
    (e) Exception to annual privacy notice requirement. (1) When 
exception available. You are not required to deliver an annual privacy 
notice if you:
    (i) Provide nonpublic personal information to nonaffiliated third 
parties only in accordance with the provisions of Sec.  313.13, Sec.  
313.14, or Sec.  313.15; and
    (ii) Have not changed your policies and practices with regard to 
disclosing nonpublic personal information from the policies and 
practices that were disclosed to the customer under Sec.  313.6(a)(2) 
through (5) and (9) in the most recent privacy notice provided pursuant 
to this part.
    (2) Delivery of annual privacy notice after financial institution 
no longer meets requirements for exception. If you have been excepted 
from delivering an annual privacy notice pursuant to paragraph (e)(1) 
of this section and change your policies or practices in such a way 
that you no longer meet the requirements for that exception, you must 
comply with paragraph (e)(2)(i) or (ii) of this section, as applicable.
    (i) Changes preceded by a revised privacy notice. If you no longer 
meet the requirements of paragraph (e)(1) of this section because you 
change your policies or practices in such a way that Sec.  313.8 
requires you to provide a revised privacy notice, you must provide an 
annual privacy notice in accordance with the timing requirement in 
paragraph (a) of this section, treating the revised privacy notice as 
an initial privacy notice.
    (ii) Changes not preceded by a revised privacy notice. If you no 
longer meet the requirements of paragraph (e)(1) of this section 
because you change your policies or practices in such a way that Sec.  
313.8 does not require you to provide a revised privacy notice, you 
must provide an annual privacy notice within 100 days of the change in 
your policies or practices that causes you to no longer meet the 
requirement of paragraph (e)(1).
    (iii) Examples. (A) You change your policies and practices in such 
a way that you no longer meet the requirements of paragraph (e)(1) of 
this section effective April 1 of year 1. Assuming you define the 12-
consecutive-month period pursuant to paragraph (a) of this section as a 
calendar year, if you were required to provide a revised privacy notice 
under Sec.  313.8 and you provided that notice on March 1 of year 1, 
you must provide an annual privacy notice by December 31 of year 2. If 
you were not required to provide a revised privacy notice under Sec.  
313.8, you must provide an annual privacy notice by July 9 of year 1.
    (B) You change your policies and practices in such a way that you 
no longer meet the requirements of paragraph (e)(1) of this section, 
and so provide an annual notice to your customers. After providing the 
annual notice to your customers, you once again meet the requirements 
of paragraph (e)(1) of this section for an exception to the annual 
notice requirement. You do not need to provide additional annual notice 
to your customers until such time as you no longer meet the 
requirements of paragraph (e)(1) of this section.
6. In Sec.  313.15, revise paragraph (a)(4) to read as follows:


Sec.  313.15   Other exceptions to notice and opt out requirements.

    (a) * * *
    (4) To the extent specifically permitted or required under other 
provisions of law and in accordance with the Right to Financial Privacy 
Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies 
(including the Consumer Financial Protection Bureau, a federal 
functional regulator, the Secretary of the Treasury, with respect to 31 
U.S.C. chapter 53, subchapter II (Records and Reports on Monetary 
Instruments and Transactions) and 12 U.S.C. chapter 21 (Financial 
Recordkeeping), a State insurance authority, with respect to any person 
domiciled in that insurance authority's State that is engaged in 
providing insurance, and the Federal Trade Commission), self-regulatory 
organizations, or for an investigation on a matter related to public 
safety.
* * * * *

    By direction of the Commission.
April J. Tabor,
Acting Secretary.
[FR Doc. 2019-06039 Filed 4-3-19; 8:45 am]