[Federal Register Volume 76, Number 92 (Thursday, May 12, 2011)]
[Notices]
[Pages 27645-27648]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-11686]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION


Agency Information Collection Activities; Proposed Collection; 
Comment Request; Extension

AGENCY: Federal Trade Commission (``Commission'' or ``FTC'').

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: The information collection requirements described below will 
be submitted to the Office of Management and Budget (``OMB'') for 
review, as required by the Paperwork Reduction Act (``PRA''). The FTC 
is seeking public comments on its proposal to extend through October 
31, 2014, the current PRA clearance for information collection 
requirements contained in the Commission's Gramm-Leach-Bliley Financial 
Privacy Rule (``GLB Privacy Rule'' or ``Rule''). The current clearance 
expires on October 31, 2011.

DATES: Comments must be submitted on or before July 11, 2011.

ADDRESSES: Interested parties may file a comment online or on paper, by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Write: ``FTC File No. 
P085405'' on your comment, and file your comment online at https://ftcpublic.commentworks.com/ftc/glbprivacyrulepra by following the 
instructions on the Web-based form. If you prefer to file your comment 
on paper, mail or deliver your comment to the following address: 
Federal Trade Commission, Office of the Secretary, Room H-113 (Annex 
J), 600 Pennsylvania Avenue, NW., Washington, DC 20580.

FOR FURTHER INFORMATION CONTACT: Katherine White, Attorney, Division of 
Privacy and Identity Protection, Bureau of Consumer Protection, (202) 
326-2252, Federal Trade Commission, 600 Pennsylvania Avenue, NW., 
Washington, DC 20580.

SUPPLEMENTARY INFORMATION: Under the PRA, 44 U.S.C. 3501-3521, Federal 
agencies must obtain approval from OMB for each collection of 
information they conduct or sponsor. ``Collection of information'' 
means agency requests or requirements that members of the public submit 
reports, keep records, or provide information to a third party. 44 
U.S.C. 3502(3), 5 CFR 1320.3(c). As required by section 3506(c)(2)(A) 
of the PRA, the FTC is providing this opportunity for public comment 
before requesting that OMB extend the existing clearance for the GLB 
Privacy Rule, 16 CFR Part 313 (OMB Control Number 3084-0121).
    The FTC invites comments on: (1) Whether the proposed collection of 
information is necessary for the proper performance of the functions of 
the agency, including whether the information will have practical 
utility; (2) the accuracy of the agency's estimate of the burden of the 
proposed collection of information, including the validity of the 
methodology and assumptions used; (3) ways to enhance the quality, 
utility, and clarity of the information to be collected; and (4) ways 
to minimize the burden of the collection of information on those who 
are to respond, including through the use of appropriate automated, 
electronic, mechanical, or other technological collection techniques or 
other forms of information technology, e.g., permitting electronic 
submission of responses.
    The GLB Privacy Rule is designed to ensure that customers and 
consumers, subject to certain exceptions, will have access to the 
privacy policies of the financial institutions with which they conduct 
business. As mandated by the Gramm-Leach-Bliley Act, 15 U.S.C. 6801-
6809, the Rule requires financial institutions to disclose to 
consumers: (1) Initial notice of the financial institution's privacy 
policy when establishing a customer relationship with a consumer and/or 
before sharing a consumer's non-public personal information with 
certain nonaffiliated third parties; (2) notice of the consumer's right 
to opt out of information sharing with such parties; (3) annual notice 
of the institution's privacy policy to any continuing customer; and (4) 
notice of changes in the institution's practices on information 
sharing. These requirements are subject to the PRA. The Rule does not 
require recordkeeping.
    The FTC, together with the Federal financial agencies,\1\ adopted a 
model privacy form that financial institutions may rely on as a safe 
harbor to provide disclosures under the privacy rules. The model 
privacy form was available for use beginning in January 2010 and, as of 
January 1, 2011, is the only safe harbor available for compliance with 
the privacy rules. 74 FR 62890 (Dec. 1, 2009).
---------------------------------------------------------------------------

    \1\ Board of Governors of the Federal Reserve System, Commodity 
Futures Trading Commission Federal Deposit Insurance Corporation, 
National Credit Union Administration, Office of the Comptroller of 
the Currency, Office of Thrift Supervision, and the Securities and 
Exchange Commission.
---------------------------------------------------------------------------

    In order to ease the burden on entities that wanted to adopt the 
new model privacy form, the agencies developed an ``Online Form 
Builder'' that an entity can download and use to develop and print 
customized versions of a model

[[Page 27646]]

consumer privacy notice. The Online Form Builder is available with 
several options. Easy-to-follow instructions for the form builder will 
guide an institution to select the version of the model form that fits 
its practices, such as whether the institution provides an opt-out for 
consumers. The agencies announced the availability of this tool on 
April 15, 2010: http://www.ftc.gov/opa/2010/04/glb.shtm.
    Estimated annual hours burden: As noted in previous burden 
estimates for the GLB Privacy Rule, determining the PRA burden of the 
Rule's disclosure requirements is very difficult because of the highly 
diverse group of affected entities, consisting of financial 
institutions not regulated by a Federal financial regulatory agency. 
See 15 U.S.C. 6805 (committing to the Commission's jurisdiction 
entities that are not specifically subject to another agency's 
jurisdiction).
    The burden estimates represent the FTC staff's best assessment, 
based on its knowledge and expertise relating to the financial 
institutions subject to the Commission's jurisdiction under this law. 
To derive these estimates, staff considered the wide variations in 
covered entities. In some instances, covered entities may make the 
required disclosures in the ordinary course of business, apart from the 
GLB Privacy Rule. In addition, some entities may use highly automated 
means to provide the required disclosures, while others may rely on 
methods requiring more manual effort. The burden estimates shown below 
include the time that may be necessary to train staff to comply with 
the regulations. These figures are averages based on staff's best 
estimate of the burden incurred over the broad spectrum of covered 
entities.
    Staff retains its prior estimate of the number of entities each 
year that will address the GLB Privacy Rule for the first time (5,000) 
and its estimate of established entities already familiar with the Rule 
(100,000). While the number of established entities familiar with the 
Rule would theoretically increase each year with the addition of new 
entrants, staff retains its previous estimate of established entities 
given that a number of the established entities will close in any given 
year, and also given the difficulty of establishing a more precise 
estimate.
    The combined effect of the availability of the model privacy form 
and the Online Form Builder has caused the FTC to revise its previous 
hourly burden estimates. Staff believes that the model form and form 
builder reduces the hours per new entrant respondent required for 
``Creating disclosure document or electronic disclosure (including 
initial, annual, and opt out disclosures).'' In the FTC's 2008 
clearance request, staff estimated 5 hours of clerical time and 10 
hours of professional/technical time for this category. Staff now 
believes that the adoption of the model privacy form and the 
availability of the form builder simplify and automate much of this 
work, reducing the time needed to create the disclosure documents to 1 
hour of clerical time and 2 hours of professional/technical time, a 
total savings of 12 burden hours per new entrant. If all 5,000 new 
entrants were to use the model privacy form and form builder, an 
estimated 60,000 hours would be saved.
    Similarly, the FTC is adjusting its previous estimates of the 
burden hours for established entities. The 2008 PRA clearance for the 
privacy rule estimated 15 hours of clerical time and 5 hours of 
professional/technical time associated with ``Changes to privacy 
policies and related disclosures'' for approximately 1,000 established 
entity respondents, based on staff's assumption that no more than 1% of 
the estimated 100,000 established entity respondents would make 
additional changes to privacy policies at any time other than the 
occasion of the annual notice; thus, 1,000 entities. Staff believes the 
adoption of the model privacy form and the availability of the Online 
Form Builder reduces the time associated with the modification of the 
notices to 7 hours of clerical time and 3 hours of professional/
technical time, a reduction of 10 hours per respondent. If all 1,000 
established entities were to use the model form and the Online Form 
Builder, 10,000 hours would be saved.
    The complete burden estimates for new entrants and established 
entities are detailed in the charts below.
    Start-up hours and labor costs for new entrants:

 
----------------------------------------------------------------------------------------------------------------
                                 Hourly wage and     Hours per    Approx. number   Approx. total   Approx. total
             Event              labor category *    respondent    of respondents    annual hrs.     labor costs
----------------------------------------------------------------------------------------------------------------
Reviewing internal policies     $34.35                        20           5,000         100,000      $3,435,000
 and developing GLBA-            Managerial/
 implementing instructions **.   professional.
Creating disclosure document    $15.84 Clerical.               1           5,000           5,000          79,200
 or electronic disclosure
 (including initial, annual,
 and opt out disclosures).
                                $35.98                         2  ..............          10,000         359,800
                                 Professional/
                                 technical.
Disseminating initial           $15.84 Clerical.              15           5,000          75,000       1,188,000
 disclosure (including opt out
 notices).
                                $35.98                        10  ..............          50,000       1,799,000
                                 Professional/
                                 technical.
                               ---------------------------------------------------------------------------------
    Total.....................  ................  ..............  ..............         240,000       6,861,000
----------------------------------------------------------------------------------------------------------------
* Staff calculated labor costs by applying appropriate hourly cost figures to burden hours. The hourly rates
  used were based on mean wages for managerial/professional time (e.g., compliance evaluation and/or planning),
  professional/technical time (e.g., designing and producing notices, reviewing and updating information
  systems), and clerical time (e.g., reproduction tasks, filing, and, where applicable to the given event,
  typing or mailing). See BLS National Compensation Survey: Occupational Earnings in the United States, 2009,
  Table 1, available at http://www.bls.gov/ncs/ocs/sp/nctb1344.pdf (Management occupations; office and
  administrative support occupations) and BLS Occupational Employment and Wages--May 2009, Table 3, available at
  http://www.bls.gov/news.release/pdf/ocwage.pdf (Professional, scientific, and technical services). Labor cost
  totals reflect solely that of the commercial entities affected. Staff assumes that the time required of
  consumers to respond affirmatively to respondents' opt-out programs (be it manually or electronically) would
  be minimal.
** Reviewing instructions includes all efforts performed by or for the respondent to: determine whether and to
  what extent the respondent is covered by an agency collection of information, understand the nature of the
  request, and determine the appropriate response (including the creation and dissemination of document and/or
  electronic disclosures).


[[Page 27647]]

    Burden hours and costs for established entities:
    Burden for established entities already familiar with the Rule 
predictably would be less than for start-up entities because start-up 
costs, such as crafting a privacy policy, are generally one-time costs 
and have already been incurred. Staff's best estimate of the average 
burden for these entities is as follows:

----------------------------------------------------------------------------------------------------------------
                                                                  Approx. number
             Event               Hourly wage and     Hours per    of respondents   Approx. total   Approx. total
                                labor category *    respondent          **          annual hrs.     labor costs
----------------------------------------------------------------------------------------------------------------
Reviewing GLBA-implementing     $34.35                         4          70,000         280,000      $9,618,000
 policies and practices.         Managerial/
                                 professional.
Disseminating annual            $15.84 Clerical.              15          70,000       1,050,000      16,632,000
 disclosure.
                                $35.98                         5  ..............         350,000      12,593,000
                                 Professional/
                                 technical.
Changes to privacy policies     $15.84 Clerical.               7           1,000           7,000         110,880
 and related disclosures.
                                $35.98                         3  ..............           3,000         107,940
                                 Professional/
                                 technical.
                               ---------------------------------------------------------------------------------
    Total.....................  ................  ..............  ..............       1,690,000      39,061,820
----------------------------------------------------------------------------------------------------------------
* Staff calculated labor costs by applying appropriate hourly cost figures to burden hours. The hourly rates
  used were based on mean wages for managerial/professional time (e.g., compliance evaluation and/or planning),
  professional/technical time (e.g., designing and producing notices, reviewing and updating information
  systems), and clerical time (e.g., reproduction tasks, filing, and, where applicable to the given event,
  typing or mailing). See BLS National Compensation Survey: Occupational Earnings in the United States, 2009,
  Table 1, available at http://www.bls.gov/ncs/ocs/sp/nctb1344.pdf (Management occupations; office and
  administrative support occupations) and BLS Occupational Employment and Wages--May 2009 Table 3, available at
  http://www.bls.gov/news.release/pdf/ocwage.pdf (Professional, scientific, and technical services). Labor cost
  totals reflect solely that of the commercial entities affected. Consumers have a continuing right to opt-out,
  as well as a right to revoke their opt-out at any time. When a respondent changes its information sharing
  practices, consumers are again given the opportunity to opt-out. Again, staff assumes that the time required
  of consumers to respond affirmatively to respondents' opt-out programs (be it manually or electronically)
  would be minimal.
** The estimate of respondents is based on the following assumptions: (1) 100,000 respondents, approximately 70%
  of whom maintain customer relationships exceeding one year, (2) no more than 1% (1,000) of whom make
  additional changes to privacy policies at any time other than the occasion of the annual notice; and (3) such
  changes will occur no more often than once per year.

    As calculated above, the total annual PRA burden hours and labor 
costs for all affected entities in a given year would be 1,930,000 
hours and $45,922,820, respectively.
    Estimated Capital/Other Non-Labor Costs Burden: Staff believes that 
capital or other non-labor costs associated with the document requests 
are minimal. Covered entities will already be equipped to provide 
written notices (e.g., computers with word processing programs, 
typewriters, copying machines, mailing capabilities). Most likely, only 
entities that already have on-line capabilities will offer consumers 
the choice to receive notices via electronic format. As such, these 
entities will already be equipped with the computer equipment and 
software necessary to disseminate the required disclosures via 
electronic means.
    Request For Comment: You can file a comment online or on paper. For 
the Commission to consider your comment, we must receive it on or 
before July 11, 2011. Write ``Paperwork Comment: FTC File No. P085405'' 
on your comment. Your comment--including your name and your state--will 
be placed on the public record of this proceeding, including, to the 
extent practicable, on the public Commission Web site, at http://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the 
Commission tries to remove individuals' home contact information from 
comments before placing them on the Commission Web site.
    Because your comment will be made public, you are solely 
responsible for making sure that your comment doesn't include any 
sensitive personal information, like anyone's Social Security number, 
date of birth, driver's license number or other state identification 
number or foreign country equivalent, passport number, financial 
account number, or credit or debit card number. You are also solely 
responsible for making sure that your comment doesn't include any 
sensitive health information, like medical records or other 
individually identifiable health information. In addition, don't 
include any ``[t]rade secret or any commercial or financial information 
which is obtained from any person and which is privileged or 
confidential. * * *,'' as provided in Section 6(f) of the FTC Act, 15 
U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). In 
particular, don't include competitively sensitive information such as 
costs, sales statistics, inventories, formulas, patterns, devices, 
manufacturing processes, or customer names.
    If you want the Commission to give your comment confidential 
treatment, you must file it in paper form, with a request for 
confidential treatment, and you have to follow the procedure explained 
in FTC Rule 4.9(c), 16 CFR 4.9(c).\2\ Your comment will be kept 
confidential only if the FTC General Counsel, in his or her sole 
discretion, grants your request in accordance with the law and the 
public interest.
---------------------------------------------------------------------------

    \2\ In particular, the written request for confidential 
treatment that accompanies the comment must include the factual and 
legal basis for the request, and must identify the specific portions 
of the comment to be withheld from the public record. See FTC Rule 
4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------

    Postal mail addressed to the Commission is subject to delay due to 
heightened security screening. As a result, we encourage you to submit 
your comments online, or to send them to the Commission by courier or 
overnight service. To make sure that the Commission considers your 
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/glbprivacyrulepra, by following the instructions on the Web-based 
form. If this Notice appears at http://www.regulations.gov/#!home, you 
also may file a comment through that Web site.
    If you file your comment on paper, write ``Paperwork Comment: FTC 
File No. P085405'' on your comment and on the envelope, and mail or 
deliver it to the following address: Federal Trade Commission, Office 
of the Secretary, Room H-113 (Annex J), 600 Pennsylvania Avenue, NW., 
Washington, DC 20580. If possible, submit your paper comment to the 
Commission by courier or overnight service.

[[Page 27648]]

    Visit the Commission Web site at http://www.ftc.gov to read this 
Notice and the news release describing it. The FTC Act and other laws 
that the Commission administers permit the collection of public 
comments to consider and use in this proceeding as appropriate. The 
Commission will consider all timely and responsive public comments that 
it receives on or before July 11, 2011. You can find more information, 
including routine uses permitted by the Privacy Act, in the 
Commission's privacy policy, at http://www.ftc.gov/ftc/privacy.htm.

Willard K. Tom,
General Counsel.
[FR Doc. 2011-11686 Filed 5-11-11; 8:45 am]
BILLING CODE 6750-01-P