Privacy of Consumer Financial Information Rule Under the Gramm-Leach-Bliley Act, 70020-70027 [2021-25735]

Agencies

• FEDERAL TRADE COMMISSION

[Federal Register Volume 86, Number 234 (Thursday, December 9, 2021)]
[Rules and Regulations]
[Pages 70020-70027]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-25735]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 313

RIN 3084-AB42


Privacy of Consumer Financial Information Rule Under the Gramm-
Leach-Bliley Act

AGENCY: Federal Trade Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Federal Trade Commission is amending its Privacy Rule to 
revise the rule's scope, to modify the rule's definitions of 
``financial institution'' and ``Federal functional regulator,'' and to 
update the rule's annual customer privacy notice requirement. The 
amendments also remove certain examples in the rule that apply to 
financial institutions that now fall outside its scope. This action is 
necessary to conform the rule to the current requirements of the Gramm-
Leach-Bliley Act (``GLBA''), as amended by the Dodd-Frank and FAST 
Acts, and the Commission's revisions to the Safeguards Rule, which are 
being announced simultaneously through a separate document published 
elsewhere in this issue of the Federal Register.

DATES: The amendments are effective January 10, 2022.

FOR FURTHER INFORMATION CONTACT: David Lincicum (202-326-2773), 
Division of Privacy and Identity Protection, Bureau of Consumer 
Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, 
Washington, DC 20580.

SUPPLEMENTARY INFORMATION:

I. Background

A. The Statute and Regulation

    The GLBA was enacted in 1999.\1\ The GLBA, among other things, 
requires that financial institutions provide their customers with 
initial and annual notices regarding their privacy practices, and allow 
their customers to opt out of sharing their information with certain 
nonaffiliated third parties.
---------------------------------------------------------------------------

    \1\ Public Law 106-102, 113 Stat. 1338 (1999).
---------------------------------------------------------------------------

    Rulemaking authority to implement the GLBA's privacy provisions was 
initially spread among multiple agencies. The Federal Reserve Board 
(``the Fed''), the Office of Comptroller of the Currency (``OCC''), the 
Federal Deposit Insurance Corporation (``FDIC''), and the Office of 
Thrift Supervision (``OTS'') jointly adopted final rules to implement 
the notice and opt-out requirements of the GLBA in 2000.\2\ The 
Commission, the National Credit Union Administration (``NCUA''), the 
Securities and Exchange Commission (``SEC''), and the Commodity Futures 
Trading Commission (``CFTC'') were part of the same interagency 
process, but each issued their rules separately.\3\ In 2009, all those 
agencies jointly adopted a model form financial institutions could use 
to provide the required initial and annual privacy disclosures.\4\
---------------------------------------------------------------------------

    \2\ Joint Final Rule, 65 FR 35162 (June 1, 2000) available at 
https://www.federalregister.gov/documents/2001/04/27/01-10398/privacy-of-consumer-financial-information.
    \3\ FTC Final Privacy Rule, 65 FR 33645 (May 24, 2000) available 
at https://www.federalregister.gov/documents/2000/05/24/00-12755/privacy-of-consumer-financial-information; NCUA Final Privacy Rule, 
65 FR 31722 (May 18, 2000) available at https://www.federalregister.gov/documents/2000/05/18/00-12014/privacy-of-consumer-financial-information-requirements-for-insurance; SEC Final 
Privacy Rule, 65 FR 40333 (June 29, 2000) available at https://www.federalregister.gov/documents/2000/06/29/00-16269/privacy-of-consumer-financial-information-regulation-s-p; CFTC Final Privacy 
Rule, 66 FR 21235 (Apr. 27, 2001) available at https://www.federalregister.gov/documents/2001/04/27/01-10398/privacy-of-consumer-financial-information.
    \4\ Joint Model Form, 74 FR 62889 (Dec. 1, 2009) available at 
https://www.federalregister.gov/documents/2009/12/01/E9-27882/final-model-privacy-form-under-the-gramm-leach-bliley-act; see also 16 CFR 
313.2, 16 CFR 313.4 through 313.9.
---------------------------------------------------------------------------

    As originally promulgated, the FTC's Privacy Rule covered a broad 
range of non-bank financial institutions such as payday lenders, 
mortgage brokers, check cashers, debt collectors, real estate 
appraisers, certain motor vehicle dealers, and remittance transfer 
providers. In 2010, the Dodd-Frank Act \5\ transferred the majority of 
GLBA's privacy rulemaking authority from the Fed, NCUA, OCC, OTS, FDIC, 
and the Commission (in part) to the Consumer Financial Protection 
Bureau (``CFPB''). The CFPB then restated the implementing regulations 
in Regulation P, 12 CFR part 1016, in late 2011 (``Regulation P'').\6\ 
However, under section 1029 of the Dodd-Frank Act, the Commission 
retained rulemaking authority for certain motor vehicle dealers.\7\ 
Thus, in 2012, the Commission announced it was retaining the 
implementing regulations governing privacy notices for motor vehicle 
dealers at 16 CFR part 313.\8\
---------------------------------------------------------------------------

    \5\ Public Law 111-203, 124 Stat. 1376 (2010).
    \6\ Interim Final Rule for Regulation P, 76 FR 79025 (Dec. 21, 
2011) available at https://www.federalregister.gov/documents/2011/12/21/2011-31729/privacy-of-consumer-financial-information-regulation-p.
    \7\ 12 U.S.C. 5519. The FTC retained rulemaking jurisdiction as 
to motor vehicle dealers that are predominantly engaged in the sale 
and servicing or the leasing and servicing of motor vehicles, 
excluding those dealers that directly extend credit to consumers and 
do not routinely assign the extensions of credit to an unaffiliated 
third party. For ease of reference, covered motor vehicle dealers 
are referenced herein as ``motor vehicle dealers.''
    \8\ Rescission of Rules, 77 FR 22200, 22201 (Apr. 13, 2012) 
available at https://www.federalregister.gov/documents/2012/04/13/2012-8748/rescission-of-rules (also rescinding those regulations for 
which rulemaking authority was transferred to the CFPB under the 
Dodd-Frank Act).
---------------------------------------------------------------------------

    Despite the transfer of general rulemaking authority for the 
Privacy Rule to the CFPB, the Commission and other agencies retain 
their existing enforcement authority under the GLBA.\9\ In addition, 
the SEC and CFTC retain rulemaking authority with respect to securities 
and futures-related companies, respectively.\10\ Accordingly, as part 
of this rulemaking process, the Commission has consulted and 
coordinated, or offered to consult, with those agencies that have 
rulemaking and/or enforcement authority under the GLBA, including the 
CFPB, SEC, CFTC, and the National Association of Insurance 
Commissioners (``NAIC'').\11\
---------------------------------------------------------------------------

    \9\ 15 U.S.C. 6805(a).
    \10\ 15 U.S.C. 6804, 6809; 12 U.S.C. 1843(k)(4); 12 CFR 
1016.1(b).
    \11\ See 15 U.S.C. 6804(a)(2).
---------------------------------------------------------------------------

    On December 4, 2015, Congress amended the GLBA as part of the FAST 
Act. This amendment, titled Eliminate Privacy Notice Confusion,\12\ 
added GLBA subsection 503(f). This subsection

[[Page 70021]]

provides an exception under which financial institutions that meet 
certain conditions are not required to provide annual privacy notices 
to customers.
---------------------------------------------------------------------------

    \12\ Section 75001, Public Law 114-94, 129 Stat. 1312, 1787 
(2015).
---------------------------------------------------------------------------

B. The Privacy Notice Requirements

    As noted, the current Privacy Rule, as modified after Congress 
enacted the Dodd-Frank Act, requires motor vehicle dealers provide 
consumers with notices describing their privacy policies. Specifically, 
it requires covered entities to provide an initial notice of these 
policies,\13\ and then ``provide a clear and conspicuous notice to 
customers that accurately reflects [their] privacy policies and 
practices not less than annually during the continuation of the 
customer relationship.'' \14\
---------------------------------------------------------------------------

    \13\ 15 U.S.C. 6803; 16 CFR 313.4.
    \14\ 15 U.S.C. 6803; 16 CFR 313.5(a)(1).
---------------------------------------------------------------------------

    The rule requires that initial and annual notices inform customers 
of their right to opt out of the sharing of nonpublic personal 
information with some types of nonaffiliated third parties.\15\ For 
example, a customer has the right to opt out of allowing a motor 
vehicle dealer to sell her name and address to a nonaffiliated auto 
insurance company.\16\ On the other hand, a motor vehicle dealer is not 
required to allow consumers to opt out of the dealer's sharing 
involving third-party service providers, joint marketing arrangements, 
maintenance and servicing of accounts, securitization, law enforcement 
and compliance, reporting to consumer reporting agencies, and certain 
other specified activities.\17\ Accordingly, if a motor vehicle dealer 
limits its sharing to uses that do not trigger opt-out rights, it may 
provide an annual privacy notice to its customers that does not include 
information regarding opt-out rights.
---------------------------------------------------------------------------

    \15\ 15 U.S.C. 6802; 16 CFR 313.6(a)(6).
    \16\ 16 CFR 313.10(a).
    \17\ 15 U.S.C. 6802(b)(2), 6802(e); 16 CFR 313.13-313.15.
---------------------------------------------------------------------------

    Motor vehicle dealers also may include in the annual privacy notice 
information about certain consumer opt-out rights related to affiliate 
sharing under the Fair Credit Reporting Act (``FCRA''). First, section 
603(d)(2)(A)(iii) of the FCRA allows the sharing of a consumer's 
information among affiliates, but only if the consumer is notified of 
such sharing and is given an opportunity to opt out.\18\ Section 
503(c)(4) of the GLBA and the Privacy Rule generally require motor 
vehicle dealers to incorporate any notifications and opt-out 
disclosures provided pursuant to section 603(d)(2)(A)(iii) of the FCRA 
into their initial and annual privacy notices.\19\
---------------------------------------------------------------------------

    \18\ 15 U.S.C. 1681a(d)(2)(A)(iii).
    \19\ 15 U.S.C. 6803(c)(4); 16 CFR 313.6(a)(7).
---------------------------------------------------------------------------

    In addition, section 624 of the FCRA and the FTC's Affiliate 
Marketing Rule \20\ provide that an affiliate of a motor vehicle dealer 
that receives certain information about a consumer from the dealer may 
not use that information for marketing purposes, unless the consumer is 
provided with an opportunity to opt out of that use.\21\ This 
requirement governs the use of information by an affiliate, not the 
sharing of information among affiliates, and thus is distinct from the 
affiliate sharing opt-out discussed above. The Affiliate Marketing Rule 
permits (but does not require) motor vehicle dealers to incorporate any 
opt-out disclosures provided under section 624 of the FCRA and the 
Affiliate Marketing Rule into the initial and annual privacy notices 
required by the GLBA.\22\
---------------------------------------------------------------------------

    \20\ 16 CFR 680.1-680.28.
    \21\ 15 U.S.C. 1681s-3. The FTC's Affiliate Marketing Rule 
applies to motor vehicle dealers. See 77 FR 22201. The FTC also 
enforces the CFPB's Regulation V's Affiliate Marketing Rule, 12 CFR 
part 1022, subpart C, for other entities over which the FTC has 
enforcement authority under the FCRA.
    \22\ 16 CFR 680.23(b).
---------------------------------------------------------------------------

    Finally, Sec.  313.6(a)(8) of the Privacy Rule requires the initial 
and annual notices briefly describe how motor vehicle dealers protect 
the nonpublic personal information they collect and maintain.\23\
---------------------------------------------------------------------------

    \23\ 16 CFR 313.6(a)(8).
---------------------------------------------------------------------------

II. Revision of the Privacy Rule

    On April 4, 2019, the Commission issued a notice of proposed 
rulemaking \24\ setting forth amendments to the Privacy Rule (the 
``Proposed Amendments'') proposing three types of changes to the 
Privacy Rule: (1) Technical changes to the rule to correspond to the 
reduced scope of the rule due to Dodd-Frank Act changes, which 
primarily consist of removing references that do not apply to motor 
vehicle dealers; (2) modifications to the annual privacy notice 
requirements to reflect the changes made to the GLBA by the FAST Act; 
and (3) a modification to the scope and definition of ``financial 
institution'' to include entities engaged in activities incidental to 
financial activities, which would bring the rule into accord with the 
CFPB's Regulation P. The Commission received four comments related to 
the proposed amendments, to which it responds below.\25\
---------------------------------------------------------------------------

    \24\ On June 24, 2015, the Commission published a notice of 
proposed rulemaking (``2015 NPRM'') proposing revisions to the 
Privacy Rule. NPRM, 80 FR 36267 (June 24, 2015) available at https://www.federalregister.gov/documents/2015/06/24/2015-14328/amendment-to-the-privacy-of-consumer-financial-information-rule-under-the-gramm-leach-bliley-act. First, the Commission proposed a number of 
changes to comport with the Dodd-Frank Act revision of GLBA, which 
transferred rulemaking authority for most financial institutions to 
the CFPB. The Commission also proposed amending the rule to allow 
motor vehicle dealers to notify their customers that a privacy 
notice is available online, under circumstances identical to those 
that had been adopted by the CFPB. Final Rule, 79 FR 64057 (Oct. 28, 
2014) available at https://www.federalregister.gov/documents/2014/10/28/2014-25299/amendment-to-the-annual-privacy-notice-requirement-under-the-gramm-leach-bliley-act-regulation-p. The passage of the 
FAST Act rendered the Commission's proposed changes to the Privacy 
Rule moot because those changes, if adopted, would have been in 
conflict with the revised statute.
    \25\ The Commission also received three comments that related to 
the Safeguards Rule (16 CFR part 314). Those comments are addressed 
in the final Safeguards Rule published elsewhere in this issue of 
the Federal Register.
---------------------------------------------------------------------------

A. Technical Changes To Correspond to Statutory Changes Resulting From 
the Dodd-Frank Act

(1) Section 313.1(b)
    The proposed amendment to Sec.  313.1(b) narrowed the description 
of the scope of the Privacy Rule to those entities set forth in the 
Dodd-Frank Act: \26\ Those predominantly engaged in the sale and 
servicing of motor vehicles or the leasing and servicing of motor 
vehicles, excluding those dealers that directly extend credit to 
consumers and do not routinely assign the extensions of credit to an 
unaffiliated third party. It also removed the reference in the rule's 
scope to ``other persons,'' because the Commission no longer has 
rulemaking authority for the Privacy Rule over ``other persons.'' 
Finally, the Proposed Amendments eliminated from Sec.  313.1(b) the 
note indicating (1) the Privacy Rule does not modify, limit, or 
supersede the standards under the Health Insurance Portability and 
Accountability Act of 1996 (``HIPAA''), and (2) if a financial 
institution that is an institution of higher education is in compliance 
with the Federal Educational Rights and Privacy Act (``FERPA'') and its 
implementing regulations, such institution shall be deemed in 
compliance with the Privacy Rule.
---------------------------------------------------------------------------

    \26\ 12 U.S.C. 5519.
---------------------------------------------------------------------------

    The Commission received two comments on these proposed changes. One 
commenter asked why the rule would not cover dealers that directly 
extend credit to consumers.\27\ In response, the Commission notes the 
Dodd-Frank Act excludes these dealers from the Commission's rulemaking 
authority under the GLBA. The Commission continues to have enforcement 
authority over these dealers under Regulation P.
---------------------------------------------------------------------------

    \27\ Yuxiang Hao (comment 4).
---------------------------------------------------------------------------

    Another commenter, the National Association of Automobile Dealers

[[Page 70022]]

(``NADA''), supported eliminating the references to HIPAA and FERPA, 
agreeing that these provisions would not apply to automobile 
dealers.\28\ Given that it received no other substantive comments, the 
Commission adopts the changes as proposed.
---------------------------------------------------------------------------

    \28\ National Automobile Dealers Association (comment 9), at 3-
4.
---------------------------------------------------------------------------

(2) Section 313.3
    To help companies understand whether and how the rule applies to 
them, the current rule includes examples of financial institutions in 
Sec.  313.3(k)(2), examples of consumers in Sec.  313.3(e)(2), examples 
of what would constitute establishing a customer relationship in Sec.  
313.3(i)(2)(i), and examples of what is not a customer relationship in 
Sec.  313.2(i)(2)(ii). The Proposed Amendments to Sec.  313.3 removed 
examples not likely to apply in the context of motor vehicle dealers.
    NADA was the only commenter who opined on this issue. It agreed the 
examples proposed for removal do not apply to motor vehicle dealers and 
supported their deletion. Accordingly, the final rule deletes these 
examples as proposed.
    NADA advocated for removal or modification of additional terms or 
examples that it asserted would not apply in the motor vehicle context. 
The Commission declines to make the changes suggested by NADA, for the 
reasons described below.
a. Loans
    NADA argued the examples in the final rule should not include the 
word ``loans'' because motor vehicle dealers ``do not generally issue 
`loans,''' but instead provide financing assistance or enter into 
retail installment sale contracts or leases. NADA suggested the term 
``loan'' be replaced with ``financing,'' or ``finance or lease 
contract.'' \29\ The Commission declines to modify existing examples in 
this manner. It believes the Privacy Rule should be substantively 
identical to Regulation P so financial institutions within the 
Commission's enforcement authority are subject to the same 
requirements, regardless of whether they are subject to Regulation P or 
the Privacy Rule. Although the Commission recognizes some examples it 
has retained may not apply well to the motor vehicle context,\30\ 
changing the language of an example, as opposed to completely removing 
it, could be read as a change to the substance of the rule. 
Accordingly, the Commission declines to change an existing term in the 
final rule.\31\
---------------------------------------------------------------------------

    \29\ NADA (comment 9), at 4.
    \30\ The Commission notes that while the term ``loan'' may not 
be applicable to all motor vehicle dealers' transactions with their 
customers, most extensions of credit or the arranging of credit will 
play the same role as loans for purposes of this amendment, and 
dealers may generally apply these examples accordingly.
    \31\ The Proposed Amendments did modify existing examples in two 
instances. In Sec. Sec.  313.3(i)(2)(i)(A) and 313.5(b)(2)(ii), 
references to mortgage loans were removed. Although the Commission 
continues to believe that mortgage loans are unlikely to be involved 
in the motor vehicle dealer context, as discussed above, the 
Commission recognizes that there is value in maintaining consistency 
with Regulation P, and that particular examples provided may not be 
applicable to every type of financial institution's activities. 
Accordingly, the final rule retains the references to mortgage loans 
in these provisions.
---------------------------------------------------------------------------

b. Examples of Continuing Relationships
    NADA suggested removing the term ``investment accounts'' from the 
example of a continuing relationship Sec.  313.3(i)(2)(i)(A), as such 
accounts are not offered by motor vehicle dealers. As discussed above, 
however, the Commission declines to modify existing examples and does 
not adopt this change in the final rule. NADA also took issue with 
Sec.  313.3(i)(2)(i)(D), which states a consumer has a continuing 
relationship with a financial institution when the consumer enters into 
an ``agreement or understanding'' with the financial institution in 
which the financial institution undertakes ``to arrange credit to 
purchase a vehicle for the consumer.'' NADA noted when motor vehicle 
dealers arrange credit for a consumer, they then assign that agreement 
to a third party and do not continue the relationship with the 
consumer.
    Although motor vehicle dealers may transfer the credit agreement to 
another financial institution, a continuing relationship is formed by 
the agreement and persists for as long as the motor vehicle dealer 
retains the agreement. The continuing relationship between the motor 
vehicle dealer and the consumer will end upon the transfer of the 
agreement, but until that transfer occurs, the consumer is the motor 
vehicle dealer's customer for purposes of the Privacy Rule. 
Accordingly, the Commission declines to remove this example from the 
final rule.
    NADA also argued the term ``understanding'' in paragraph 
(i)(2)(i)(D) is confusing because it is not clear what an 
``understanding'' would mean in this context, and motor vehicle dealers 
do not enter into informal relationships to arrange credit for 
consumers. The Commission believes, however, while informal 
understandings may be unusual for motor vehicle dealers, it is possible 
some dealers may engage in such practices and the example should 
continue to make clear that such arrangements create continuing 
relationships. In addition, as discussed above, the Commission declines 
to change the language of examples retained in the final rule.
c. Examples of No Continuing Relationships
    NADA argued the example in Sec.  313.3(i)(2)(ii)(A) does not apply 
to motor vehicle dealers. This example states no continuing 
relationship is created when a ``consumer obtains a financial product 
or service from [the financial institution] only in isolated 
transactions, such as cashing a check with [the financial institution] 
or making a wire transfer through'' the financial institution. NADA 
argued motor vehicle dealers generally do not engage in these 
activities, and while ``it is theoretically possible that a dealer 
somewhere may offer, under unique circumstances, to cash a check for a 
customer, [NADA] is not aware of that service being offered by dealers 
and the possibility is attenuated at best.'' \32\ The Commission does 
not agree that this example should be removed. Although check cashing 
and wire transfer transactions may be unlikely at motor vehicle 
dealerships, these are helpful examples of the types of isolated 
transactions that do not create an ongoing relationship and, even for 
motor vehicle dealers that do not engage in these particular 
activities, they illustrate the principle well. The final rule retains 
this example.
---------------------------------------------------------------------------

    \32\ NADA (comment 9), at 5.
---------------------------------------------------------------------------

    NADA also questioned the inclusion of Sec.  313.3(i)(2)(ii)(C), 
which states a continuing relationship is not created when a ``consumer 
obtains one-time personal appraisal services from'' the financial 
institution. NADA asked whether this would apply when a motor vehicle 
dealer appraises a consumer's used vehicle for trade-in value. The 
Commission believes that is precisely the type of appraisal suggested 
by the example. NADA also questioned how ``such appraisal activity by a 
dealer could, as an initial matter be deemed to create a Customer 
relationship.'' \33\ The Commission believes, however, negative 
examples are useful to clarify the definition and, therefore, the final 
rule retains this example.
---------------------------------------------------------------------------

    \33\ NADA (comment 9), at 5.

---------------------------------------------------------------------------

[[Page 70023]]

B. Modifications to the Annual Privacy Notice To Reflect Statutory 
Changes Resulting From the FAST Act

    The Commission also proposed changing the Privacy Rule provisions 
governing how motor vehicle dealers should deliver annual privacy 
notices.
Section 313.5(e)
    The proposed change to Sec.  313.5(a)(1) added a statement that 
Sec.  313.5(e) provides an exception to the general rule requiring the 
delivery of annual notices. Section 313.5(e) in turn sets forth the 
exception, which was taken from the FAST Act, and adopted by the CFPB 
in its amendments to Regulation P.\34\ It stated the annual notice need 
not be provided if (1) the financial institution has shared nonpublic 
personal information only in accordance with the provisions of 
Sec. Sec.  313.13, 313.14, and 313.15, none of which require an opt-out 
opportunity be provided to customers; and (2) the financial 
institution's disclosure policies and practices remain unchanged from 
the most recent privacy notice.
---------------------------------------------------------------------------

    \34\ See Final Rule, 83 FR 40945 (August 17, 2018) available at 
https://www.federalregister.gov/documents/2018/08/17/2018-17572/amendment-to-the-annual-privacy-notice-requirement-under-the-gramm-leach-bliley-act-regulation-p.
---------------------------------------------------------------------------

    Proposed Sec.  313.5(e)(2) set forth the timing for resuming 
delivery of the annual notice if a financial institution no longer met 
requirements for the exception.
    The Commission received no comments on the substance of this 
paragraph and adopts it without modification.\35\
---------------------------------------------------------------------------

    \35\ As discussed above, NADA argued that the word ``loan'' 
should be replaced with ``retail installment sale contract.'' As 
discussed above, the Commission wishes the remaining examples in the 
final rule to be identical to those found in Regulation P and 
declines to make these changes. In addition, the National 
Independent Automobile Dealers Association noted that most dealers 
will not be required to provide annual notices because of their lack 
of ongoing relationships with their consumers, but supported the 
amendments in general.
---------------------------------------------------------------------------

C. Modifications to Scope and Definitions To Bring the Rule Into Accord 
With Regulation P

    The Proposed Amendments changed the scope of the Privacy Rule and 
its definition of a ``financial institution'' in order to bring the 
Commission's rule into accord with Regulation P. As explained in the 
NPRM, when first promulgating the Privacy Rule, the Commission 
determined companies engaged in activities ``incidental to financial 
activities'' would not be considered ``financial institutions.'' \36\ 
The Commission was the only agency to adopt this restrictive definition 
in its Privacy Rule, while the other agencies included incidental 
activities. In addition, the Commission decided activities determined 
to be financial in nature after the enactment of the GLBA would not be 
automatically included in its Privacy Rule; rather, the Commission 
would have to take additional action to include them.\37\ The effect of 
these two decisions was to limit the activities covered by the 
Commission's rules to those set out in 12 CFR 225.28 as it existed in 
1999, and to exclude any activities later determined by the Fed to be 
financial activities or incidental to those activities.\38\
---------------------------------------------------------------------------

    \36\ See 16 CFR 313.3(k); see also 65 FR 33654.
    \37\ 65 FR 33654 n.23.
    \38\ Id.
---------------------------------------------------------------------------

    The Commission proposed modifying the definition of ``financial 
institution'' to harmonize the Privacy Rule with other agencies' rules. 
The Commission proposed to amend Sec.  313.1(b) to include companies 
that engage in activities financial in nature or incidental to such 
financial activities in the scope of the rule. Likewise, it proposed 
amending the definition of ``financial institution'' in Sec.  313.3(k), 
to include any institution the business of which is engaging in an 
activity that is financial in nature or incidental to such financial 
activities. The effect of this proposed amendment would be to cause 
``finders'' to be included in this definition, thereby bringing the 
Privacy Rule into harmony with the scope of entities covered by other 
agencies under Regulation P.
    The Commission received only two comments that addressed this 
proposed change in the Privacy Rule.\39\ NADA asked whether the 
proposed rule would apply to finders acting for a motor vehicle 
dealer.\40\ As discussed above, the Commission's Privacy Rule applies 
only to motor vehicle dealers and so would apply only to finders that 
are also motor vehicle dealers. If a finder is not itself a motor 
vehicle dealer then the rule does not apply, even if the finder is 
acting to connect motor vehicle dealers with potential customers. Given 
that this scenario is unlikely, modifying the definition of ``financial 
institution'' for purposes of the Privacy Rule has little practical 
effect. Nevertheless, the Commission is modifying the definition for 
purposes of consistency with Regulation P and the Safeguards Rule.
---------------------------------------------------------------------------

    \39\ Several other entities commented on the expansion of the 
definition of a ``financial institution'' in the Safeguards Rule. 
These comments are addressed in the discussion of the final 
Safeguards Rule, published elsewhere in this issue of the Federal 
Register.
    \40\ NADA (comment 9), at 7-8.
---------------------------------------------------------------------------

    An individual consumer asked how often an entity must engage in an 
incidental activity to be considered a financial institution.\41\ As 
with other financial activities under the existing rule, an entity is a 
financial institution only if it is ``significantly engaged'' in the 
incidental activities.
---------------------------------------------------------------------------

    \41\ Qiyi Hu (comment 5).
---------------------------------------------------------------------------

    The Commission adopts the proposed amendment without change.
Section 313.15(a)(4)
    Finally, the Commission proposed to amend Sec.  313.15(a)(4) to add 
the CFPB to the list of law enforcement agencies to which financial 
institutions are permitted to share information to the extent permitted 
by law. The Commission received no comments on this change and adopts 
it as proposed.
Section 313.18
    Section 313.18 set forth the effective date for the rule and 
prescribed requirements for institutions' compliance with the rule as 
to customers who were already customers at the time the rule was first 
promulgated. The relevant dates have long since passed. Section 
313.18(a)(2) also provided an exception, stating this ``part is not 
effective as to any institution that is significantly engaged in 
activities that the Federal Reserve Board determines, after November 
12, 1999 . . . are activities that a financial holding company may 
engage in, until the Commission so determines.'' As discussed above, 
the Commission has determined herein that this rule applies to 
financial institutions that engage in activities financial in nature or 
incidental to such financial activities, including entities 
significantly engaged in activities the Federal Reserve Board has 
determined, after November 12, 1999, are activities a financial holding 
company may engage in. Accordingly, the final rule removes Sec.  313.18 
in its entirety.

III. Paperwork Reduction Act

    Under the Paperwork Reduction Act of 1995 (``PRA''),\42\ Federal 
agencies are generally required to seek Office of Management and Budget 
(``OMB'') approval for information collection requirements prior to 
implementation. Under the PRA, the Commission may not conduct or 
sponsor, and, notwithstanding any other provision of law, a person is 
not required to respond to an information collection, unless the 
information collection displays a valid control number assigned by OMB.
---------------------------------------------------------------------------

    \42\ 44 U.S.C. 3501 et seq.
---------------------------------------------------------------------------

    This amendment modifies 16 CFR part 313. The collections of 
information related to the Privacy Rule and the

[[Page 70024]]

FAST Act statutory exceptions to the rule's annual notice requirement 
have been previously reviewed and approved by OMB in accordance with 
the PRA.\43\
---------------------------------------------------------------------------

    \43\ The OMB Control Number is 3084-0121.
---------------------------------------------------------------------------

    Under the existing clearance, the FTC has attributed to itself the 
estimated burden regarding all motor vehicle dealers and shares equally 
the remaining estimated PRA burden with the CFPB for other types of 
financial institutions for which both agencies have enforcement 
authority regarding the GLBA Privacy Rule.\44\
---------------------------------------------------------------------------

    \44\ PRA Notice, 82 FR 48081 (Oct. 16, 2017) available at 
https://www.federalregister.gov/documents/2017/10/16/2017-22334/agency-information-collection-activities-submission-for-omb-review-comment-request.
---------------------------------------------------------------------------

    The amendments do not modify or add to information collection 
requirements previously approved by OMB. First, the Commission 
anticipates the expansion of the definition of ``financial 
institution'' to include entities engaged in activities incidental to 
financial activities will have little to no effect. It is not clear any 
finders that are also motor vehicle dealers are not already covered by 
the rule through their activities as motor vehicle dealers.
    Second, the removal of certain examples provided in the rule that 
are not applicable to motor vehicle dealers will have no impact on 
existing information collection requirements.
    Therefore, the Commission does not believe the amendments 
substantially or materially modify any ``collections of information'' 
as defined by the PRA.
    The Commission sought comment on whether there are any finders in 
existence that would be covered by the proposed rule and are not 
covered by the current rule. The Commission received no comments that 
suggested such entities exist.

IV. Regulatory Flexibility Act

    The Regulatory Flexibility Act (``RFA''), as amended by the Small 
Business Regulatory Enforcement Fairness Act of 1996, requires an 
agency to either provide an Initial Regulatory Flexibility Analysis 
(``IRFA'') with a proposed rule, or certify that the proposed rule will 
not have a significant impact on a substantial number of small 
entities.\45\ The Commission does not believe this amendment to the 
Privacy Rule has the threshold impact on small entities. First, most of 
the changes effectuate statutory changes from the Dodd-Frank Act and 
the FAST Act. Second, the Commission does not expect the amendment to 
impose costs on small motor vehicle dealers because the amendments are 
primarily for clarification purposes and should not result in any 
increased burden on any motor vehicle dealer. Thus, a small entity that 
complies with current law need not take any different or additional 
action under the final rule.
---------------------------------------------------------------------------

    \45\ 5 U.S.C. 603-605.
---------------------------------------------------------------------------

    Accordingly, the Commission believes the rule will not have a 
significant economic impact on small entities. The final rule would add 
requirements only to motor vehicle dealers that function as finders and 
do not already engage in other financial activities that would cause 
them to be financial institutions under the rule. The Commission has 
not identified any such entities. Therefore, the Commission certifies 
the rule will not have a significant economic impact on a substantial 
number of small businesses.
    In this document, the Commission adopts the amendments proposed in 
its NPRM with only minimal modifications. In its Initial Regulatory 
Flexibility Analysis (``IRFA''), the Commission determined the proposed 
rule would not have a significant impact on small entities because 
there were no small businesses that were being subjected to new burdens 
as a result of the amendments. Although the Commission certifies under 
the RFA that the rule will not have a significant impact on a 
substantial number of small entities, and hereby provides notice of 
that certification to the Small Business Administration, the Commission 
nonetheless has determined publishing a final regulatory flexibility 
analysis (``FRFA'') is appropriate to ensure the impact of the rule is 
fully addressed. Therefore, the Commission has prepared the following 
analysis:

1. Need for and Objectives of the Final Rule

    To address the Dodd-Frank Act and FAST Act changes the amendments 
change the Privacy Rule's scope and definition of ``financial 
institution''; change the annual notice requirement; and remove certain 
examples provided in the rule that are not applicable to motor vehicle 
dealers. With this action, the Commission makes the current, narrow 
scope of the rule clearer. Additionally, the modification of the 
definition of ``financial institution'' to cover motor vehicle dealers 
engaged in ``activities incidental to financial activities'' harmonizes 
the Privacy Rule with other agencies' rules.

2. Significant Issues Raised in Public Comments in Response to the IRFA

    The Commission did not receive any comments that addressed the 
burden on small entities. In addition, the Commission did not receive 
any comments filed by the Chief Counsel for Advocacy of the Small 
Business Administration (``SBA'').

3. Estimate of Number of Small Entities To Which the Final Rule Will 
Apply

    The Commission anticipates many covered motor vehicle dealers may 
qualify as small businesses according to the applicable SBA size 
standards.\46\ As explained in the IRFA, however, determining a precise 
estimate of the number of small entities--including newly covered 
entities under the modified definition of financial institution--is not 
readily feasible. No commenters addressed this issue. Nonetheless, as 
discussed above, these amendments will not add any additional burdens 
on any covered small businesses.
---------------------------------------------------------------------------

    \46\ Table of Small Bus. Size Standards Matched to North 
American Indus. Classification System Codes, 13 CFR 121.201 
(available at: https://www.sba.gov/document/support--table-size-standards), updated Aug. 19, 2019. For example, used car dealers are 
classified as NAICS 441120 and new car dealers as NAICS 441110. 
Under those standards, the SBA would classify as small businesses 
independent used car dealers having annual receipts of less than $27 
million and new car dealers having fewer than 200 employees each.
---------------------------------------------------------------------------

4. Projected Reporting, Recordkeeping, and Other Compliance 
Requirements

    The amendments do not impose any new or substantively revised 
``collections of information,'' as defined by the PRA.

5. Description of Steps Taken To Minimize Significant Economic Impact, 
if Any, on Small Entities, Including Alternatives

    The Commission did not propose any specific small entity exemption 
or other significant alternatives because the amendment is not expected 
to increase reporting requirements and will not impose any new 
requirements or compliance costs. The Commission anticipates the 
amendments will reduce the burden for many covered entities associated 
with the Privacy Rule annual notice. The amendments retain the 
flexibility already present in the existing rule, which allows notices 
to be provided in a variety of ways, including electronically in some 
circumstances. As to the core requirements of the rule, they come from 
GLBA itself, as amended by the Dodd-Frank and the FAST Act. The statute 
prescribes the definition of financial institutions to be covered by 
the rule and sets forth the specific requirements, which the Commission 
cannot modify to ease burdens on small entities. Therefore, the 
Commission does not believe any

[[Page 70025]]

alternatives for small entities are required or appropriate.

V. Other Matters

    Pursuant to the Congressional Review Act (5 U.S.C. 801 et seq.), 
the Office of Information and Regulatory Affairs designated this rule 
as not a ``major rule,'' as defined by 5 U.S.C. 804(2).

List of Subjects in 16 CFR Part 313

    Consumer protection, Credit, Data protection, Privacy, Trade 
practices.

    For the reasons stated above, the Federal Trade Commission amends 
16 CFR part 313 as follows:

PART 313--PRIVACY OF CONSUMER FINANCIAL INFORMATION

0
1. The authority citation for part 313 is revised to read as follows:

    Authority:  15 U.S.C. 6801 et seq., 12 U.S.C. 5519.


0
2. Amend Sec.  313.1 by revising paragraph (b) to read as follows:


Sec.  313.1   Purpose and scope.

* * * * *
    (b) Scope. This part applies only to nonpublic personal information 
about individuals who obtain financial products or services primarily 
for personal, family or household purposes from the institutions listed 
below. This part does not apply to information about companies or about 
individuals who obtain financial products or services for business, 
commercial, or agricultural purposes. This part applies to those 
``financial institutions'' over which the Federal Trade Commission 
(``Commission'') has rulemaking authority pursuant to section 
504(a)(1)(C) of the Gramm-Leach-Bliley Act. An entity is a ``financial 
institution'' if its business is engaging in an activity that is 
financial in nature or incidental to such financial activities as 
described in section 4(k) of the Bank Holding Company Act of 1956, 12 
U.S.C. 1843(k), which incorporates activities enumerated by the Federal 
Reserve Board in 12 CFR 225.28 and 225.86. The ``financial 
institutions'' subject to the Commission's rulemaking authority are any 
persons described in 12 U.S.C. 5519 that are predominantly engaged in 
the sale and servicing of motor vehicles, the leasing and servicing of 
motor vehicles, or both. They are referred to in this part as ``You.'' 
Excluded from the coverage of this part are motor vehicle dealers 
described in 12 U.S.C. 5519(b) that directly extend to consumers retail 
credit or retail leases involving motor vehicles in which the contract 
governing such extension of retail credit or retail leases is not 
routinely assigned to an unaffiliated third party finance or leasing 
source.

0
3. Amend Sec.  313.3 by revising paragraphs (e), (i), (j), (k), and (q) 
to read as follows:


Sec.  313.3   Definitions.

* * * * *
    (e)(1) Consumer means an individual who obtains or has obtained a 
financial product or service from you that is to be used primarily for 
personal, family, or household purposes, or that individual's legal 
representative.
    (2) For example:
    (i) An individual who applies to you for credit for personal, 
family, or household purposes is a consumer of a financial service, 
regardless of whether the credit is extended.
    (ii) An individual who provides nonpublic personal information to 
you in order to obtain a determination about whether he or she may 
qualify for a loan to be used primarily for personal, family, or 
household purposes is a consumer of a financial service, regardless of 
whether the loan is extended.
    (iii) If you hold ownership or servicing rights to an individual's 
loan that is used primarily for personal, family, or household 
purposes, the individual is your consumer, even if you hold those 
rights in conjunction with one or more other institutions. (The 
individual is also a consumer with respect to the other financial 
institutions involved.) An individual who has a loan in which you have 
ownership or servicing rights is your consumer, even if you, or another 
institution with those rights, hire an agent to collect on the loan.
    (iv) An individual who is a consumer of another financial 
institution is not your consumer solely because you act as agent for, 
or provide processing or other services to, that financial institution.
    (v) An individual is not your consumer solely because he or she is 
a participant or a beneficiary of an employee benefit plan that you 
sponsor or for which you act as a trustee or fiduciary.
* * * * *
    (i)(1) Customer relationship means a continuing relationship 
between a consumer and you under which you provide one or more 
financial products or services to the consumer that are to be used 
primarily for personal, family, or household purposes.
    (2) For example:
    (i) Continuing relationship. A consumer has a continuing 
relationship with you if the consumer:
    (A) Has a credit or investment account with you;
    (B) Obtains a loan from you;
    (C) Purchases an insurance product from you;
    (D) Enters into an agreement or understanding with you whereby you 
undertake to arrange or broker a home mortgage loan, or credit to 
purchase a vehicle, for the consumer;
    (E) Enters into a lease of personal property on a non-operating 
basis with you; or
    (F) Has a loan for which you own the servicing rights.
    (ii) No continuing relationship. A consumer does not, however, have 
a continuing relationship with you if:
    (A) The consumer obtains a financial product or service from you 
only in isolated transactions, such as cashing a check with you or 
making a wire transfer through you;
    (B) You sell the consumer's loan and do not retain the rights to 
service that loan; or
    (C) The consumer obtains one-time personal appraisal services from 
you.
    (j) Federal functional regulator means:
    (1) The Board of Governors of the Federal Reserve System;
    (2) The Office of the Comptroller of the Currency;
    (3) The Board of Directors of the Federal Deposit Insurance 
Corporation;
    (4) The National Credit Union Administration Board; and
    (5) The Securities and Exchange Commission.
    (k)(1) Financial institution means any institution the business of 
which is engaging in an activity that is financial in nature or 
incidental to such financial activities as described in section 4(k) of 
the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k). An institution 
that is significantly engaged in financial activities, or significantly 
engaged in activities incidental to such financial activities, is a 
financial institution.
    (2) An example of a financial institution is an automobile 
dealership that, as a usual part of its business, leases automobiles on 
a nonoperating basis for longer than 90 days is a financial institution 
with respect to its leasing business because leasing personal property 
on a nonoperating basis where the initial term of the lease is at least 
90 days is a financial activity listed in 12 CFR 225.28(b)(3) and 
referenced in section 4(k)(4)(F) of the Bank Holding Company Act.
    (3) Financial institution does not include entities that engage in 
financial activities but that are not significantly engaged in those 
financial activities.
    (4) An example of entities that are not significantly engaged in 
financial

[[Page 70026]]

activities is a motor vehicle dealer is not a financial institution 
merely because it accepts payment in the form of cash, checks, or 
credit cards that it did not issue.
* * * * *
    (q) You includes each ``financial institution'' over which the 
Commission has rulemaking authority pursuant to section 504(a)(1)(C) of 
the Gramm-Leach-Bliley Act (15 U.S.C. 6804(a)(1)(C)).

0
4. Amend Sec.  313.4 by adding a heading for paragraph (c)(3) and 
revising paragraphs (c)(3)(i) and (e) to read as follows:


Sec.  313.4   Initial privacy notice to consumers required.

* * * * *
    (c) * * *
    (3) Examples--(i) Examples of establishing a customer relationship. 
You establish a customer relationship when the consumer:
    (A) Executes the contract to obtain credit from you or purchase 
insurance from you; or
    (B) Executes the lease for personal property with you.
* * * * *
    (e) Exceptions to allow subsequent delivery of notice--(1) General. 
You may provide the initial notice required by paragraph (a)(1) of this 
section within a reasonable time after you establish a customer 
relationship if:
    (i) Establishing the customer relationship is not at the customer's 
election; or
    (ii) Providing notice not later than when you establish a customer 
relationship would substantially delay the customer's transaction and 
customer agrees to receive the notice at a later time.
    (2) Examples of exceptions--(i) Substantial delay of customer's 
transaction. Providing notice not later than when you establish a 
customer relationship would substantially delay the customer's 
transaction when you and the individual agree over the telephone to 
enter into a customer relationship involving prompt delivery of the 
financial product or service.
    (ii) No substantial delay of customer's transaction. Providing 
notice not later than when you establish a customer relationship would 
not substantially delay the customer's transaction when the 
relationship is initiated in person at your office or through other 
means by which the customer may view the notice, such as through a 
website.
* * * * *

0
5. Amend Sec.  313.5 by adding a heading for paragraph (a), revising 
paragraphs (a)(1) and (b)(2), and adding paragraph (e) to read as 
follows:


Sec.  313.5   Annual privacy notice to customers required.

    (a) In general--(1) General rule. Except as provided by paragraph 
(e) of this section, you must provide a clear and conspicuous notice to 
customers that accurately reflects your privacy policies and practices 
not less than annually during the continuation of the customer 
relationship. Annually means at least once in any period of 12 
consecutive months during which that relationship exists. You may 
define the 12-consecutive-month period, but you must apply it to the 
customer on a consistent basis.
* * * * *
    (b) * * *
    (2) Examples. Your customer becomes a former customer when:
    (i) In the case of a closed-end loan, the customer pays the loan in 
full, you charge off the loan, or you sell the loan without retaining 
servicing rights.
    (ii) In the case of mortgage or vehicle loan brokering services, 
your customer has obtained a loan through you (and you no longer 
provide any statements or notices to the customer concerning that 
relationship), or has ceased using your services for such purposes.
    (iii) In cases where there is no definitive time at which the 
customer relationship has terminated, you have not communicated with 
the customer about the relationship for a period of 12 consecutive 
months, other than to provide annual privacy notices or promotional 
material.
* * * * *
    (e) Exception to annual privacy notice requirement--(1) When 
exception available. You are not required to deliver an annual privacy 
notice if you:
    (i) Provide nonpublic personal information to nonaffiliated third 
parties only in accordance with the provisions of Sec.  313.13, Sec.  
313.14, or Sec.  313.15; and
    (ii) Have not changed your policies and practices with regard to 
disclosing nonpublic personal information from the policies and 
practices that were disclosed to the customer under Sec.  313.6(a)(2) 
through (5) and (9) in the most recent privacy notice provided pursuant 
to this part.
    (2) Delivery of annual privacy notice after financial institution 
no longer meets requirements for exception. If you have been excepted 
from delivering an annual privacy notice pursuant to paragraph (e)(1) 
of this section and change your policies or practices in such a way 
that you no longer meet the requirements for that exception, you must 
comply with paragraph (e)(2)(i) or (ii) of this section, as applicable.
    (i) Changes preceded by a revised privacy notice. If you no longer 
meet the requirements of paragraph (e)(1) of this section because you 
change your policies or practices in such a way that Sec.  313.8 
requires you to provide a revised privacy notice, you must provide an 
annual privacy notice in accordance with the timing requirement in 
paragraph (a) of this section, treating the revised privacy notice as 
an initial privacy notice.
    (ii) Changes not preceded by a revised privacy notice. If you no 
longer meet the requirements of paragraph (e)(1) of this section 
because you change your policies or practices in such a way that Sec.  
313.8 does not require you to provide a revised privacy notice, you 
must provide an annual privacy notice within 100 days of the change in 
your policies or practices that causes you to no longer meet the 
requirement of paragraph (e)(1).
    (iii) Examples. (A) You change your policies and practices in such 
a way that you no longer meet the requirements of paragraph (e)(1) of 
this section effective April 1 of year 1. Assuming you define the 12-
consecutive-month period pursuant to paragraph (a) of this section as a 
calendar year, if you were required to provide a revised privacy notice 
under Sec.  313.8 and you provided that notice on March 1 of year 1, 
you must provide an annual privacy notice by December 31 of year 2. If 
you were not required to provide a revised privacy notice under Sec.  
313.8, you must provide an annual privacy notice by July 9 of year 1.
    (B) You change your policies and practices in such a way that you 
no longer meet the requirements of paragraph (e)(1) of this section, 
and so provide an annual notice to your customers. After providing the 
annual notice to your customers, you once again meet the requirements 
of paragraph (e)(1) of this section for an exception to the annual 
notice requirement. You do not need to provide additional annual notice 
to your customers until such time as you no longer meet the 
requirements of paragraph (e)(1) of this section.

0
6. Amend Sec.  313.15 by revising paragraph (a)(4) to read as follows:


Sec.  313.15   Other exceptions to notice and opt out requirements.

    (a) * * *
    (4) To the extent specifically permitted or required under other 
provisions of law and in accordance with the Right to Financial Privacy 
Act of 1978 (12 U.S.C. 3401 et seq.), to law

[[Page 70027]]

enforcement agencies (including the Consumer Financial Protection 
Bureau, a federal functional regulator, the Secretary of the Treasury, 
with respect to 31 U.S.C. Chapter 53, Subchapter II (Records and 
Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter 
21 (Financial Recordkeeping), a State insurance authority, with respect 
to any person domiciled in that insurance authority's State that is 
engaged in providing insurance, and the Federal Trade Commission), 
self-regulatory organizations, or for an investigation on a matter 
related to public safety;
* * * * *


Sec.  313.18   [Removed]

0
7. Remove Sec.  313.18.

    By direction of the Commission.
April J. Tabor,
Acting Secretary.
[FR Doc. 2021-25735 Filed 12-8-21; 8:45 am]
BILLING CODE 6750-01-P