[House Report 115-434]
[From the U.S. Government Publishing Office]


115th Congress    }                                    {       Report
                        HOUSE OF REPRESENTATIVES
 1st Session      }                                    {      115-434

======================================================================



 
            PRIVACY NOTIFICATION TECHNICAL CLARIFICATION ACT

                                _______
                                

December 4, 2017.--Committed to the Committee of the Whole House on the 
              State of the Union and ordered to be printed

                                _______
                                

Mr. Hensarling, from the Committee on Financial Services, submitted the 
                               following

                              R E P O R T

                             together with

                             MINORITY VIEWS

                        [To accompany H.R. 2396]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Financial Services, to whom was referred 
the bill (H.R. 2396) to amend the Gramm-Leach-Bliley Act to 
update the exception for certain annual notices provided by 
financial institutions, having considered the same, report 
favorably thereon with an amendment and recommend that the bill 
as amended do pass.
    The amendment is as follows:
  Strike all after the enacting clause and insert the 
following:

SECTION 1. SHORT TITLE.

  This Act may be cited as the ``Privacy Notification Technical 
Clarification Act''.

SEC. 2. EXCEPTION TO ANNUAL NOTICE REQUIREMENT.

  Section 503 of the Gramm-Leach-Bliley Act (15 U.S.C. 6803) is amended 
by adding at the end the following:
  ``(g) Additional Exception to Annual Notice Requirement.--
          ``(1) In general.--A financial institution that has not 
        changed its policies and practices with regard to disclosing 
        nonpublic personal information from the policies and practices 
        that were disclosed in the most recent disclosure sent to 
        consumers in accordance with this section shall not be required 
        to provide an annual disclosure under this section if--
                  ``(A) the financial institution makes its current 
                policy available to consumers on its website and via 
                mail upon written request sent to a designated address 
                identified for the purpose of requesting the policy or 
                upon telephone request made using a toll free consumer 
                service telephone number; and
                  ``(B) the financial institution conspicuously 
                notifies consumers of the availability of the current 
                policy, including--
                          ``(i) with respect to consumers who are 
                        entitled to a periodic billing statement, a 
                        message on or with each periodic billing 
                        statement; and
                          ``(ii) with respect to consumers who are not 
                        entitled to a periodic billing statement, 
                        through other reasonable means such as on its 
                        website or with other written communication, 
                        including electronic communication, sent to the 
                        consumer.
          ``(2) Treatment of multiple policies.--If a financial 
        institution maintains more than one set of policies described 
        under paragraph (1) that vary depending on the consumer's 
        account status or State of residence, the financial institution 
        may comply with the website posting requirement in paragraph 
        (1)(A) by posting all of such policies to the public section of 
        the financial institution's website, with instructions for 
        choosing the applicable policy.''.

                          Purpose and Summary

    Introduced by Representative David Trott on May 4, 2017, 
H.R. 2396, the ``Privacy Notification Technical Clarification 
Act,'' amends the Gramm-Leach-Bliley Act to exempt from its 
annual privacy policy notice requirement any financial 
institution which: (1) has not changed its policies and 
practices with regard to the disclosure of nonpublic personal 
information from those disclosed in the most recent disclosure 
sent to consumers; (2) makes its current policy available to 
consumers on its website and via request; (3) notifies 
customers of the availability on periodic billing statements or 
electronically; and (4) posts all notices if it maintains more 
than one policy.

                  Background and Need for Legislation

    The Gramm-Leach-Bliley Act of 1999 (GLBA) [Pub. Law No. 
106-102] requires financial institutions to issue privacy 
disclosure notices to consumers that detail the institution's 
privacy policies if it shares customers' non-public personal 
information with affiliates or third parties. GLBA also 
requires financial institutions to notify both existing and 
potential customers of their right to opt out of sharing non-
public personal information with third parties. Financial 
institutions must make such disclosures when they first 
establish a customer relationship and then annually in 
written form as long as the relationship continues, even if the 
financial institution makes no changes to the disclosure 
policies.
    On October 20, 2014, the Consumer Financial Protection 
Bureau (CFPB) finalized a rule that allows financial 
institutions to post their annual privacy notices online instead 
of physical delivery to individuals if the financial 
institution meets a series of conditions, to include not 
sharing the customer's nonpublic personal information with 
nonaffiliated third parties.
    On December 4, 2015, President Obama signed into law the 
Fixing America's Surface Transportation Act (FAST Act) [Pub. 
Law No. 114-94]. Section 75001 of the FAST Act amended the GLBA 
to add an exception to the annual notice delivery requirement 
for any financial institution that does not share information 
with non-affiliated third parties and does not change its 
privacy policy from the last time it was disclosed.
    H.R. 2396 improves on these FAST Act changes as it exempts 
from the annual privacy policy notice requirement any financial 
institution that has not changed its policies for the sharing 
of non-public information and has not changed its privacy 
policy from the most recent disclosure. A number of financial 
institutions are unable to meet the conditions included in the 
current annual notice delivery exemption, including financial 
services providers such as captive auto finance companies 
because of activities related to their interaction with auto 
dealerships.
    H.R. 2396 provides additional flexibility for financial 
institutions to use alternative delivery methods, and would 
allow them to both make privacy policies available to customers 
on the institution's website, and notify customers of the 
statement's availability via any billing statements they 
already receive (including electronic billing statements), or, 
if the customer does not receive billing statements, a 
financial institution may use other reasonable means to provide 
the policy notice on the financial institution's website or in 
other communications that the customer may receive from the 
institution.
    Requiring financial institutions to continue to physically 
mail and prepare annual privacy notices even when no policy 
changes have been made is redundant, unnecessary, and can be 
confusing. Considering that many consumers often ignore these 
mailings, producing and mailing these notices cost institutions 
millions of dollars. Eliminating the annual physical delivery 
requirement would remove an additional expense for financial 
institutions, and allow institutions to devote valuable staff and 
technological resources to other projects and reduce the 
overall cost of financial services. When a financial 
institution actually alters its privacy policy, consumers would 
receive material information and the mailing the consumer 
received would be more significant.
    Appearing before the Committee on March 18, 2015, Adam J. 
Levitin, Professor of Law, Georgetown University Law Center, 
testified:

          One thing that I think should go the way of the Dodo 
        bird are the Gramm-Leach-Bliley privacy notices. Nobody 
        reads them. If anything, the only effect they have 
        would be to lull consumers into thinking they actually 
        have some privacy rights. There is no reason anyone 
        should--even the large banks, should [be] spending 
        money on giving those notices.

    In a letter of support for H.R. 2396 dated October 10, 
2017, the American Financial Services Association wrote:

          Annual privacy notices without policy changes are 
        redundant, unnecessary, and confusing. They contain 
        several pages of small-print legalese, which have 
        little value for consumers. In fact, they are largely 
        discarded--unread--immediately upon receipt. However, 
        producing and mailing these notices costs millions of 
        dollars.

    In a letter of support for H.R. 2396 dated October 10, 
2017, the American Bankers Association wrote:

          [H.R. 2396] would simplify the notice requirements 
        for financial institutions that have not changed their 
        privacy policies. In addition to the relief provided by 
        the FAST Act for financial institutions that only share 
        information within the statutory exceptions, it would 
        create a simple disclosure mechanism using the Internet 
        for financial institutions that have not changed their 
        privacy practices.

                                Hearings

    The Committee on Financial Services held a hearing 
examining matters relating to H.R. 2396 on April 26, 2017, and 
April 28, 2017.

                        Committee Consideration

    The Committee on Financial Services met in open session on 
10/11/2017 and 10/12/2017, and ordered H.R. 2396 to be reported 
favorably to the House as amended by a recorded vote of 40 yeas 
to 20 nays (Record vote no. FC-77), a quorum being present. 
Before the motion to report was offered, the Committee adopted 
an amendment in the nature of a substitute offered by Mr. 
Trott, and an amendment to the amendment in the nature of a 
substitute, by voice vote.

                            Committee Votes

    Clause 3(b) of rule XIII of the Rules of the House of 
Representatives requires the Committee to list the record votes 
on the motion to report legislation and amendments thereto. The 
sole recorded vote was on a motion by Chairman Hensarling to 
report the bill favorably to the House as amended. The motion 
was agreed to by a recorded vote of 40 yeas to 20 nays (Record 
vote no. FC-77), a quorum being present.


                      Committee Oversight Findings

    Pursuant to clause 3(c)(1) of rule XIII of the Rules of the 
House of Representatives, the findings and recommendations of 
the Committee based on oversight activities under clause 
2(b)(1) of rule X of the Rules of the House of Representatives, 
are incorporated in the descriptive portions of this report.

                    Performance Goals and Objectives

    Pursuant to clause 3(c)(4) of rule XIII of the Rules of the 
House of Representatives, the Committee states that H.R. 2396 
will end the practice of sending annual privacy disclosures to 
consumers that are redundant, unnecessary, and confusing, by 
exempting financial institutions from the requirement to send 
such disclosures in certain circumstances.

   New Budget Authority, Entitlement Authority, and Tax Expenditures

    In compliance with clause 3(c)(2) of rule XIII of the Rules 
of the House of Representatives, the Committee adopts as its 
own the estimate of new budget authority, entitlement 
authority, or tax expenditures or revenues contained in the 
cost estimate prepared by the Director of the Congressional 
Budget Office pursuant to section 402 of the Congressional 
Budget Act of 1974.

                 Congressional Budget Office Estimates

    Pursuant to clause 3(c)(3) of rule XIII of the Rules of the 
House of Representatives, the following is the cost estimate 
provided by the Congressional Budget Office pursuant to section 
402 of the Congressional Budget Act of 1974:

                                     U.S. Congress,
                               Congressional Budget Office,
                                 Washington, DC, November 30, 2017.
Hon. Jeb Hensarling,
Chairman, Committee on Financial Services,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 2396, the Privacy 
Notification Technical Clarification Act.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Stephen 
Rabent.
            Sincerely,
                                                Keith Hall,
                                                          Director.
    Enclosure.

H.R. 2396--Privacy Notification Technical Clarification Act

    Once each year, under current law, financial institutions 
are required to disclose to all customers their policies and 
practices regarding the collection of customers' private 
personal information and the disclosure of such information to 
affiliates and third parties. The Consumer Financial Protection 
Bureau (CFPB), Securities and Exchange Commission (SEC), 
Commodity Futures Trading Commission (CFTC), and Federal Trade 
Commission (FTC) are authorized to promulgate rules to enforce 
those requirements.
    H.R. 2396 would exempt financial institutions from that 
annual disclosure requirement, if they:
     - Have not changed their policies and practices 
       related to the disclosure of private personal information 
       since their most recent disclosure;
     - Make those policies available online and upon 
       request through the mail or over the telephone; and
     - Periodically notify customers of the availability 
       of information on those policies and practices.
    Using information from the FTC, CBO estimates that 
implementing H.R. 2396 would cost less than $500,000 for the 
FTC and CFTC to update agency guidance documents related to the 
disclosure of customer information. That spending would be 
subject to the availability of appropriated funds. The SEC also 
would incur costs of less than $500,000. However, because the 
SEC is authorized to collect fees sufficient to offset its 
annual appropriation, CBO estimates that the net effect of the 
bill on discretionary spending by the SEC would be negligible, 
assuming appropriation actions that are consistent with that 
authority.
    Using information from CFPB, CBO estimates that enacting 
H.R. 2396 would increase direct spending by less than $500,000 
for the agency to update its guidance documents. Because H.R. 
2396 would affect direct spending, pay-as-you-go procedures 
apply. Enacting the bill would not affect revenues.
    CBO estimates that enacting H.R. 2396 would not increase 
net direct spending or on-budget deficits in any of the four 
consecutive 10-year periods beginning in 2028.
    H.R. 2396 contains no intergovernmental or private-sector 
mandates as defined in the Unfunded Mandates Reform Act.
    The CBO staff contact for this estimate is Stephen Rabent. 
The estimate was approved by H. Samuel Papenfuss, Deputy 
Assistant Director for Budget Analysis.

                       Federal Mandates Statement

    This information is provided in accordance with section 423 
of the Unfunded Mandates Reform Act of 1995.
    The Committee has determined that the bill does not contain 
Federal mandates on the private sector. The Committee has 
determined that the bill does not impose a Federal 
intergovernmental mandate on State, local, or tribal 
governments.

                      Advisory Committee Statement

    No advisory committees within the meaning of section 5(b) 
of the Federal Advisory Committee Act were created by this 
legislation.

                  Applicability to Legislative Branch

    The Committee finds that the legislation does not relate to 
the terms and conditions of employment or access to public 
services or accommodations within the meaning of the section 
102(b)(3) of the Congressional Accountability Act.

                         Earmark Identification

    With respect to clause 9 of rule XXI of the Rules of the 
House of Representatives, the Committee has carefully reviewed 
the provisions of the bill and states that the provisions of 
the bill do not contain any congressional earmarks, limited tax 
benefits, or limited tariff benefits within the meaning of the 
rule.

                    Duplication of Federal Programs

    In compliance with clause 3(c)(5) of rule XIII of the Rules 
of the House of Representatives, the Committee states that no 
provision of the bill establishes or reauthorizes: (1) a 
program of the Federal Government known to be duplicative of 
another Federal program; (2) a program included in any report 
from the Government Accountability Office to Congress pursuant 
to section 21 of Public Law 111-139; or (3) a program related 
to a program identified in the most recent Catalog of Federal 
Domestic Assistance, published pursuant to the Federal Program 
Information Act (Pub. L. No. 95-220, as amended by Pub. L. No. 
98-169).

                   Disclosure of Directed Rulemaking

    Pursuant to section 3(i) of H. Res. 5, (115th Congress), 
the following statement is made concerning directed 
rulemakings: The Committee estimates that the bill requires no 
directed rulemakings within the meaning of such section.

             Section-by-Section Analysis of the Legislation


Section 1. Short title

    This Section cites H.R. 2396 as the ``Privacy Notification 
Technical Clarification Act''.

Section 2. Exemption to annual notice requirement

    This section amends Section 503 of the Gramm-Leach-Bliley 
Act to create an exception to the annual privacy notice 
requirement so long as a financial institution: (1) has not 
changed its policies and practices with regard to disclosing 
nonpublic personal information from those disclosed in the most 
recent disclosure sent to consumers; (2) makes its current 
policy available to consumers on its website and via request; 
(3) notifies customers of the availability on periodic billing 
statements or electronically; and (4) posts all notices if it 
maintains more than one policy.

         Changes in Existing Law Made by the Bill, as Reported

    In compliance with clause 3(e) of rule XIII of the Rules of 
the House of Representatives, changes in existing law made by 
the bill, as reported, are shown as follows (existing law 
proposed to be omitted is enclosed in black brackets, new 
matter is printed in italic, and existing law in which no 
change is proposed is shown in roman):

                         GRAMM-LEACH-BLILEY ACT




           *       *       *       *       *       *       *
                            TITLE V--PRIVACY

Subtitle A--Disclosure of Nonpublic Personal Information

           *       *       *       *       *       *       *


SEC. 503. DISCLOSURE OF INSTITUTION PRIVACY POLICY.

  (a) Disclosure Required.--At the time of establishing a 
customer relationship with a consumer and not less than 
annually during the continuation of such relationship, a 
financial institution shall provide a clear and conspicuous 
disclosure to such consumer, in writing or in electronic form 
or other form permitted by the regulations prescribed under 
section 504, of such financial institution's policies and 
practices with respect to--
          (1) disclosing nonpublic personal information to 
        affiliates and nonaffiliated third parties, consistent 
        with section 502, including the categories of 
        information that may be disclosed;
          (2) disclosing nonpublic personal information of 
        persons who have ceased to be customers of the 
        financial institution; and
          (3) protecting the nonpublic personal information of 
        consumers.
  (b) Regulations.--Disclosures required by subsection (a) 
shall be made in accordance with the regulations prescribed 
under section 504.
  (c) Information To Be Included.--The disclosure required by 
subsection (a) shall include--
          (1) the policies and practices of the institution 
        with respect to disclosing nonpublic personal 
        information to nonaffiliated third parties, other than 
        agents of the institution, consistent with section 502 
        of this subtitle, and including--
                  (A) the categories of persons to whom the 
                information is or may be disclosed, other than 
                the persons to whom the information may be 
                provided pursuant to section 502(e); and
                  (B) the policies and practices of the 
                institution with respect to disclosing of 
                nonpublic personal information of persons who 
                have ceased to be customers of the financial 
                institution;
          (2) the categories of nonpublic personal information 
        that are collected by the financial institution;
          (3) the policies that the institution maintains to 
        protect the confidentiality and security of nonpublic 
        personal information in accordance with section 501; 
        and
          (4) the disclosures required, if any, under section 
        603(d)(2)(A)(iii) of the Fair Credit Reporting Act.
  (d) Exemption for Certified Public Accountants.--
          (1) In general.--The disclosure requirements of 
        subsection (a) do not apply to any person, to the 
        extent that the person is--
                  (A) a certified public accountant;
                  (B) certified or licensed for such purpose by 
                a State; and
                  (C) subject to any provision of law, rule, or 
                regulation issued by a legislative or 
                regulatory body of the State, including rules 
                of professional conduct or ethics, that 
                prohibits disclosure of nonpublic personal 
                information without the knowing and expressed 
                consent of the consumer.
          (2) Limitation.--Nothing in this subsection shall be 
        construed to exempt or otherwise exclude any financial 
        institution that is affiliated or becomes affiliated 
        with a certified public accountant described in 
        paragraph (1) from any provision of this section.
          (3) Definitions.--For purposes of this subsection, 
        the term ``State'' means any State or territory of the 
        United States, the District of Columbia, Puerto Rico, 
        Guam, American Samoa, the Trust Territory of the 
        Pacific Islands, the Virgin Islands, or the Northern 
        Mariana Islands.
  (e) Model Forms.--
          (1) In general.--The agencies referred to in section 
        504(a)(1) shall jointly develop a model form which may 
        be used, at the option of the financial institution, 
        for the provision of disclosures under this section.
          (2) Format.--A model form developed under paragraph 
        (1) shall--
                  (A) be comprehensible to consumers, with a 
                clear format and design;
                  (B) provide for clear and conspicuous 
                disclosures;
                  (C) enable consumers easily to identify the 
                sharing practices of a financial institution 
                and to compare privacy practices among 
                financial institutions; and
                  (D) be succinct, and use an easily readable 
                type font.
          (3) Timing.--A model form required to be developed by 
        this subsection shall be issued in proposed form for 
        public comment not later than 180 days after the date 
        of enactment of this subsection.
          (4) Safe harbor.--Any financial institution that 
        elects to provide the model form developed by the 
        agencies under this subsection shall be deemed to be in 
        compliance with the disclosures required under this 
        section.
  (f) Exception to Annual Notice Requirement.--A financial 
institution that--
          (1) provides nonpublic personal information only in 
        accordance with the provisions of subsection (b)(2) or 
        (e) of section 502 or regulations prescribed under 
        section 504(b), and
          (2) has not changed its policies and practices with 
        regard to disclosing nonpublic personal information 
        from the policies and practices that were disclosed in 
        the most recent disclosure sent to consumers in 
        accordance with this section,
shall not be required to provide an annual disclosure under 
this section until such time as the financial institution fails 
to comply with any criteria described in paragraph (1) or (2).
  (g) Additional Exception to Annual Notice Requirement.--
          (1) In general.--A financial institution that has not 
        changed its policies and practices with regard to 
        disclosing nonpublic personal information from the 
        policies and practices that were disclosed in the most 
        recent disclosure sent to consumers in accordance with 
        this section shall not be required to provide an annual 
        disclosure under this section if--
                  (A) the financial institution makes its 
                current policy available to consumers on its 
                website and via mail upon written request sent 
                to a designated address identified for the 
                purpose of requesting the policy or upon 
                telephone request made using a toll free 
                consumer service telephone number; and
                  (B) the financial institution conspicuously 
                notifies consumers of the availability of the 
                current policy, including--
                          (i) with respect to consumers who are 
                        entitled to a periodic billing 
                        statement, a message on or with each 
                        periodic billing statement; and
                          (ii) with respect to consumers who 
                        are not entitled to a periodic billing 
                        statement, through other reasonable 
                        means such as on its website or with 
                        other written communication, including 
                        electronic communication, sent to the 
                        consumer.
          (2) Treatment of multiple policies.--If a financial 
        institution maintains more than one set of policies 
        described under paragraph (1) that vary depending on 
        the consumer's account status or State of residence, 
        the financial institution may comply with the website 
        posting requirement in paragraph (1)(A) by posting all 
        of such policies to the public section of the financial 
        institution's website, with instructions for choosing 
        the applicable policy.

           *       *       *       *       *       *       *


                             MINORITY VIEWS

    H.R. 2396, the ``Privacy Notification Technical Correction 
Act,'' would ease the annual privacy notice requirements for 
financial institutions that share or sell a customer's personal 
information with an unaffiliated third party in instances where 
a customer has the right to opt-out from having their 
information shared.
    Under the Gramm-Leach-Bliley Act (GLBA), customers are 
generally entitled to an annual privacy notice from their 
financial institutions. During the 114th Congress, legislation 
was enacted to narrowly exempt financial institutions from 
having to provide an annual privacy notice if the privacy 
policy and practices had not changed from the last time the 
customer received a copy, and if the institution does not share 
or sell a customer's personal information with an unaffiliated 
third party. In those instances, the customer does not have the 
ability to opt-out from having their information shared by a 
financial company with its affiliated companies. Without 
clarifying language, H.R. 2396 would eliminate meaningful, 
clear disclosures to consumers about their privacy rights, 
including their ability to opt-out from having their 
information sold to unaffiliated third party companies.
    Furthermore, the current form of H.R. 2396 would expand 
flexibility to comply with, if not minimize, annual notice 
requirements under the GLBA to all financial institutions, 
including payday lenders, rent-to-own companies, and 
potentially bad actors. It would be prudent to narrow the scope 
of the bill to just financial institutions that obtain and 
share customer information only with close, but unaffiliated 
third parties. Specifically, captive automobile finance 
companies maintain a unique relationship with their parent 
manufacturing company and automobile dealerships that are 
technically unaffiliated third parties for purposes of the 
GLBA.
    Before advancing H.R. 2396 further in the legislative 
process, the bill should be further refined to limit its scope 
and to improve the notices that customers will receive.
    For these reasons, we oppose H.R. 2396, in its current 
form.

                                   Maxine Waters.
                                   Michael E. Capuano.
                                   Keith Ellison.
                                   Al Green (TX).
                                   Carolyn B. Maloney.
                                   Emanuel Cleaver.
                                   Ed Perlmutter.
                                   Gwen Moore.
                                   Juan Vargas.

                                  [all]