[Federal Register Volume 82, Number 198 (Monday, October 16, 2017)]
[Notices]
[Pages 48081-48085]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-22334]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION


Agency Information Collection Activities; Submission for OMB 
Review; Comment Request

AGENCY: Federal Trade Commission.

ACTION: Notice and request for comment.

-----------------------------------------------------------------------

SUMMARY: In compliance with the Paperwork Reduction Act (PRA) of 1995, 
the Federal Trade Commission (``FTC'' or ``Commission'') is seeking 
public comments on its request to the Office of Management and Budget 
(``OMB'') for a three-year extension of the current PRA clearance for 
the information collection requirements contained in the Gramm-Leach-
Bliley Financial Privacy Rule (GLB Privacy Rule). That clearance 
expires on October 31, 2017.

[[Page 48082]]


DATES: Comments must be received by November 15, 2017.

ADDRESSES: Interested parties may file a comment online or on paper by 
following the instructions in the Request for Comments part of the 
SUPPLEMENTARY INFORMATION section below. Write ``Privacy Rule: 
Paperwork Comment: FTC File No. P085405'' on your comment, and file 
your comment online at https://ftcpublic.commentworks.com/ftc/glbfinancialrulepra2 by following the instructions on the web-based 
form. If you prefer to file your comment on paper, mail your comment to 
the following address: Federal Trade Commission, Office of the 
Secretary, 600 Pennsylvania Avenue NW., Suite CC-5610 (Annex J), 
Washington, DC 20580, or deliver your comment to the following address: 
Federal Trade Commission, Office of the Secretary, Constitution Center, 
400 7th Street SW., 5th Floor, Suite 5610 (Annex J), Washington, DC 
20024.
    Comments on the information collection requirements subject to 
review under the PRA should additionally be submitted to OMB. If sent 
by U.S. mail, they should be addressed to Office of Information and 
Regulatory Affairs, Office of Management and Budget, Attention: Desk 
Officer for the Federal Trade Commission, New Executive Office 
Building, Docket Library, Room 10102, 725 17th Street NW., Washington, 
DC 20503. Comments sent to OMB by U.S. postal mail-are subject to 
delays due to heightened security precautions. Thus, comments can also 
be sent via email to [email protected].

FOR FURTHER INFORMATION CONTACT: Requests for additional information or 
copies of the proposed information requirements should be addressed to 
David Lincicum, Attorney, Division of Privacy and Identity Protection, 
Bureau of Consumer Protection, Federal Trade Commission, 600 
Pennsylvania Ave. NW., Drop Box 8232, Washington, DC 20580, (202) 326-
2773.

SUPPLEMENTARY INFORMATION: 
    Title: GLB Privacy Rule (officially titled Privacy of Consumer 
Financial Information Rule), 16 CFR part 313.
    OMB Control Number: 3084-0121.
    Type of Review: Extension of a currently approved collection.
    Abstract: The Privacy Rule is designed to ensure that customers and 
consumers, subject to certain exceptions, will have access to the 
privacy policies of the financial institutions with which they conduct 
business. As mandated by the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. 
6801-6809, the Rule requires financial institutions to disclose to 
consumers: (1) Initial notice of the financial institution's privacy 
policy when establishing a customer relationship with a consumer and/or 
before sharing a consumer's non-public personal information with 
certain nonaffiliated third parties; (2) notice of the consumer's right 
to opt out of information sharing with such parties; (3) annual notice 
of the institution's privacy policy to any continuing customer; \1\ and 
(4) notice of changes in the institution's practices on information 
sharing. These requirements are subject to the PRA. The Rule does not 
require recordkeeping. For PRA burden calculations the FTC has 
attributed to itself the burden for all motor vehicle dealers that do 
not routinely extend credit to consumers directly without assigning the 
credit to unaffiliated third parties (hereafter, motor vehicle 
dealers), and then shares equally the remaining PRA burden with the 
CFPB for other types of financial institutions over which both agencies 
have enforcement authority. See 12 U.S.C. 5519.
---------------------------------------------------------------------------

    \1\ On December 4, 2015, Congress amended the GLBA as part of 
the Fixing America's Surface Transportation Act (FAST Act). This 
amendment, titled Eliminate Privacy Notice Confusion (FAST Act, Pub. 
L. 114094, section 75001) added new GLBA section 503(f). This 
subsection provides an exception under which financial institutions 
that meet certain conditions are not required to provide annual 
privacy notices to customers. Section 503(f) requires that to 
qualify for this exception, a financial institution must not share 
nonpublic personal information about customers except as described 
in certain statutory exceptions, under which sharing does not 
trigger a customer's statutory right to opt out of the sharing. In 
addition, section 503(f)(2) requires that the financial institution 
must not have changed its policies and practices with regard to 
disclosing nonpublic personal information from those that the 
institution disclosed in the most recent privacy notice the customer 
received.
---------------------------------------------------------------------------

    On July 7, 2017, the Commission sought comment on the Rule's 
information collection requirements.\2\ The Commission did not receive 
any germane comments. As required by OMB regulations, 5 CFR 1320, the 
FTC is providing this second opportunity for public comment.
---------------------------------------------------------------------------

    \2\ See FR 31604 (60-Day Federal Register Notice).
---------------------------------------------------------------------------

Privacy Rule Burden Statement

    Estimated annual hours burden: 1,725,600 annual hours (FTC 
portion).
    As noted in previous burden estimates for the Privacy Rule, 
determining the PRA burden of the Rule's disclosure requirements is 
very difficult because of the highly diverse group of affected 
entities, consisting of financial institutions not regulated by a 
Federal financial regulatory agency. See 15 U.S.C. 6805 (committing to 
the Commission's jurisdiction entities that are not specifically 
subject to another agency's jurisdiction).
    The burden estimates represent the FTC staff's best assessment, 
based on its knowledge and expertise relating to the financial 
institutions subject to the Commission's jurisdiction under this law. 
To derive these estimates, staff considered the wide variations in 
covered entities. In some instances, covered entities may make the 
required disclosures in the ordinary course of business, apart from the 
Privacy Rule. In addition, some entities may use highly automated means 
to provide the required disclosures, while others may rely on methods 
requiring more manual effort. The burden estimates shown below include 
the time that may be necessary to train staff to comply with the 
regulations. These figures are averages based on staff's best estimate 
of the burden incurred over the broad spectrum of covered entities.
    Staff estimates that the number of entities each year that will 
address the Privacy Rule for the first time will be 5,000 and the 
number of established entities already familiar with the Rule will be 
100,000. While the number of established entities familiar with the 
Rule would theoretically increase each year with the addition of new 
entrants, staff retains its estimate of established entities for each 
successive year given that a number of the established entities will 
close in any given year, and also given the difficulty of establishing 
a more precise estimate.
    Staff believes that the usage of the model privacy form and the 
availability of the form builder simplify and automate much of the work 
associated with creating the disclosure documents for new entrants. 
Staff thus estimates 1 hour of clerical time and 2 hours of 
professional/technical time per new entrant.
    For established entities, staff similarly believes that the usage 
of the model privacy form and the availability of the Online Form 
Builder reduces the time associated with the modification of the 
notices. Staff thus estimates 7 hours of clerical time and 3 hours of 
professional/technical time per respondent. Staff estimates that no 
more than 1% of the estimated 100,000 established-entity respondents 
would make additional changes to privacy policies at any time other 
than the occasion of the annual notice. Furthermore, under Section 
503(f), businesses who have not changed their privacy notice since the 
last notice sent and who do not share information with

[[Page 48083]]

non-affiliated third parties outside of certain statutory exceptions do 
not have to issue annual notices to their customers. Staff estimates 
that at least 80% of businesses covered by the rule will, accordingly, 
not be required to issue annual notices.
    The complete burden estimates for new entrants and established 
entities are detailed in the charts below.

                         Start-Up Hours and Labor Costs for All New Entrants (Table IA)
----------------------------------------------------------------------------------------------------------------
                                                                    Approximate     Approximate     Approximate
             Event               Hourly wage and     Hours per       number of     total annual     total labor
                                labor category *    respondent      respondents        hours           costs
----------------------------------------------------------------------------------------------------------------
Reviewing internal policies     $42.76                        20           5,000         100,000      $4,276,000
 and developing GLB Act-         Professional/
 implementing instructions **.   Technical.
Creating disclosure document    $17.91 Clerical.               1           5,000           5,000          89,550
 or electronic disclosure       $42.76                         2           5,000          10,000         427,600
 (including initial, annual,     Professional/
 and opt-out disclosures).       Technical.
Disseminating initial           $17.91 Clerical.              15           5,000          75,000       1,343,250
 disclosure (including opt-out  $42.76                        10           5,000          50,000       2,138,000
 notices).                       Professional/
                                 Technical.
                                                 ---------------------------------------------------------------
    Total.....................  ................  ..............  ..............         240,000       8,274,400
----------------------------------------------------------------------------------------------------------------
* Staff calculated labor costs by applying appropriate hourly cost figures to burden hours. The hourly rates
  used were based on mean wages for Financial Examiners and for Office and Administrative Support, corresponding
  to professional/technical time (e.g., compliance evaluation and/or planning, designing and producing notices,
  reviewing and updating information systems), and clerical time (e.g., reproduction tasks, filing, and, where
  applicable to the given event, typing or mailing) respectively. See BLS Occupational Employment and Wages, May
  2016, Table 1 at http://www.bls.gov/news.release/pdf/ocwage.pdf. Labor cost totals reflect solely that of the
  commercial entities affected. Staff estimates that the time required of consumers to respond affirmatively to
  respondents' opt-out programs (be it manually or electronically) would be minimal.
** Reviewing instructions includes all efforts performed by or for the respondent to: Determine whether and to
  what extent the respondent is covered by an agency collection of information, understand the nature of the
  request, and determine the appropriate response (including the creation and dissemination of documents and/or
  electronic disclosures).

    Burden for established entities already familiar with the Rule 
predictably would be less than for startup entities because start-up 
costs, such as crafting a privacy policy, are generally one-time costs 
and have already been incurred. Staff's best estimate of the average 
burden for these entities is as follows:

                         Burden Hours and Costs for All Established Entities (Table IB)
----------------------------------------------------------------------------------------------------------------
                                                                    Approximate     Approximate     Approximate
             Event               Hourly wage and     Hours per       number of     total annual     total labor
                                labor category *    respondent    respondents **       hrs.            costs
----------------------------------------------------------------------------------------------------------------
Reviewing GLB Act-implementing  $42.76                         4         100,000         400,000     $17,104,000
 policies and practices.         Professional/
                                 Technical.
Disseminating initial notices   $17.91 Clerical.              15         100,000       1,500,000      26,865,000
 to new customers.
Disseminating annual            $17.91 Clerical.              15          14,000         210,000       3,761,100
 disclosure to pre-existing     $42.76                         5          14,000          70,000       2,993,200
 customers.                      Professional/
                                 Technical.
Changes to privacy policies     $17.91 Clerical.               7           1,000           7,000         125,370
 and related disclosures.       $42.76                         3           1,000           3,000         128,280
                                 Professional/
                                 Technical.
                                                 ---------------------------------------------------------------
    Total.....................  ................  ..............  ..............       2,190,000      50,976,950
----------------------------------------------------------------------------------------------------------------
* Staff calculated labor costs by applying appropriate hourly cost figures to burden hours. The hourly rates
  used were based on mean wages for Financial Examiners and for Office and Administrative Support, corresponding
  to professional/technical time (e.g., compliance evaluation and/or planning, designing and producing notices,
  reviewing and updating information systems), and clerical time (e.g., reproduction tasks, filing, and, where
  applicable to the given event, typing or mailing) respectively. See BLS Occupational Employment and Wages, May
  2016, Table 1 at http://www.bls.gov/news.release/pdf/ocwage.pdf. Labor cost totals reflect solely that of the
  affected commercial entities. Consumers have a continuing right to opt out, as well as a right to revoke their
  opt-out at any time. When a respondent changes its information sharing practices, consumers are again given
  the opportunity to opt out. Again, staff assumes that the time required of consumers to respond affirmatively
  to respondents' opt-out programs (be it manually or electronically) would be minimal.
** The estimate of respondents which are required to disseminate annual notices is based on the following
  assumptions: (1) 100,000 established respondents, approximately 70% of whom maintain customer relationships
  exceeding one year, (2) no more than 20% (14,000) of whom have made changes to their policies and share
  nonpublic information outside of the statutory exceptions, and therefore are required to provide annual
  notices under GLBA 503(f). See CFPB, Proposed Rule, 81 FR 44801, 44809 (July 11, 2016); (3) and no more than
  1% (1,000) of whom make additional changes to privacy policies at any time other than the occasion of the
  annual notice; and (4) such changes will occur no more often than once per year.

As calculated above, the total annual PRA burden hours and labor costs 
for all affected entities in a given year would be 2,430,000 hours and 
$59,251,350, respectively.
    The FTC now carves out from these overall figures the burden hours 
and labor costs associated with motor vehicle dealers. This is because 
the CFPB does not enforce the Privacy Rule for those types of entities. 
We estimate the following:

[[Page 48084]]



          Annual Start-Up Hours and Labor Costs for New Motor Vehicle Dealer Entrants Only (Table IIA)
----------------------------------------------------------------------------------------------------------------
                                                                    Approximate
                                                                     number of
                                 Hourly wage and     Hours per      respondents     Approximate     Approximate
             Event               labor category     respondent       (Table IA     total annual     total labor
                                                                  inputs x 0.57)       hrs.            costs
                                                                        **
----------------------------------------------------------------------------------------------------------------
Reviewing internal policies     $42.76                        20           2,100          42,000     $21,795,920
 and developing GLB Act-         Professional/
 implementing instructions **.   Technical.
Creating disclosure document    $17.91 Clerical.               1           2,100           2,100          37,611
 or electronic disclosure       $42.76                         2           2,100           4,200         179,592
 (including initial, annual,     Professional/
 and opt -out disclosures).      Technical.
Disseminating initial           $17.91 Clerical.              15           2,100          31,500         564,165
 disclosure (including opt-out  $42.76                        10           2,100          21,000         897,960
 notices).                       Professional/
                                 Technical.
                                                 ---------------------------------------------------------------
    Total.....................  ................  ..............  ..............         100,800       3,475,248
----------------------------------------------------------------------------------------------------------------
** Multiply the number of respondents from the comparable table above on all new entrants by the following
  allocation (43,708/105,000) = 0.42. The number in the denominator represents the total of the FTC's existing
  Privacy Rule estimates for new entrants (5,000) and established entities (100,000). The numerator represents
  an estimate of motor vehicle respondents. For this category, Commission staff relied on the following industry
  estimates: 16,708 new car dealers per National Automobile Dealers Association data (2016) and 12,000
  independent/used car dealers who do not extend credit directly to consumers without routinely assigning the
  credit to third-parties per National Independent Automobile Dealers Association data (2012), respectively, in
  addition to 15,000 dealers of other motor vehicles (motorcycles, boats, other recreational vehicles) per the
  2012 economic census, which are also covered within the definition of ``motor vehicle dealer'' under section
  1029(a) of the Dodd-Frank Act.


           Annual Burden Hours and Labor Costs for Established Motor Vehicle Dealers Only (Table IIB)
----------------------------------------------------------------------------------------------------------------
                                                                    Approximate
                                                                     number of      Approximate     Approximate
             Event               Hourly wage and     Hours per    respondents **   total annual     total labor
                                labor category *    respondent       (Table IB         hrs.            costs
                                                                  inputs x 0.57)
----------------------------------------------------------------------------------------------------------------
Reviewing GLB Act-implementing  $42.76                         4          42,000         168,600      $7,209,336
 policies and practices.         Professional/
                                 Technical.
Disseminating initial notices   $17.91 Clerical.              15          42,000         630,000      11,283,300
 to new customers.
Disseminating annual            $17.91 Clerical.              15           5,880          88,200       1,579,662
 disclosure.                    $42.76                         5           5,880          29,400       1,257,144
                                 Professional/
                                 Technical.
Changes to privacy policies     $17.91 Clerical.               7             420           2,940          52,655
 and related disclosures.       $42.76                         3             420           1,260          53,878
                                 Professional/
                                 Technical..
                                                 ---------------------------------------------------------------
    Total.....................  ................  ..............  ..............         920,400      21,435,975
----------------------------------------------------------------------------------------------------------------

The FTC's portion of the annual hourly burden would be 1,021,200 + 
((2,430,000-1,021,200)/2) = 1,725,600 annual hours. The FTC's portion 
of the annual cost burden would be $24,911,223 + $((59,251,350-
24,911,223)/2) = $42,081,287.

Estimated Capital/Other Non-Labor Costs Burden

    Staff believes that capital or other non-labor costs associated 
with the document requests are minimal. Covered entities will already 
be equipped to provide written notices (e.g., computers with word 
processing programs, copying machines, mailing capabilities). Most 
likely, only entities that already have online capabilities will offer 
consumers the choice to receive notices via electronic format. As such, 
these entities will already be equipped with the computer equipment and 
software necessary to disseminate the required disclosures via 
electronic means.

Request for Comment

    You can file a comment online or on paper. For the FTC to consider 
your comment, we must receive it on or before November 15, 2017. Write 
``Privacy Rule: Paperwork Comment: FTC File No. P085405'' on your 
comment. Your comment--including your name and your state--will be 
placed on the public record of this proceeding, including, to the 
extent practicable, on the public Commission Web site, at http://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the 
Commission tries to remove individuals' home contact information from 
comments before placing them on the Commission Web site.
    Postal mail addressed to the Commission is subject to delay due to 
heightened security screening. As a result, we encourage you to submit 
your comments online, or to send them to the Commission by courier or 
overnight service. To make sure that the Commission considers your 
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/glbfinancialrulepra2 by following the instructions on the web-based 
form. When this Notice appears at http://www.regulations.gov, you also 
may file a comment through that Web site.
    If you file your comment on paper, write ``Privacy Rule: Paperwork 
Comment: FTC File No. P085405'' on your comment and on the envelope, 
and mail it to the following address: Federal Trade Commission, Office 
of the Secretary, 600 Pennsylvania Avenue NW., Suite CC-5610 (Annex J), 
Washington, DC 20580, or deliver your comment to the following address: 
Federal Trade Commission, Office of the Secretary, Constitution Center, 
400 7th Street SW., 5th Floor, Suite 5610,

[[Page 48085]]

Washington, DC 20024. If possible, submit your paper comment to the 
Commission by courier or overnight service.
    Comments on the information collection requirements subject to 
review under the PRA should additionally be submitted to OMB. If sent 
by U.S. mail, they should be addressed to Office of Information and 
Regulatory Affairs, Office of Management and Budget, Attention: Desk 
Officer for the Federal Trade Commission, New Executive Office 
Building, Docket Library, Room 10102, 725 17th Street NW., Washington, 
DC 20503. Comments sent to OMB by U.S. postal mail are subject to 
delays due to heightened security precautions. Thus, comments can also 
be sent via email to [email protected].
    Because your comment will be placed on the publicly accessible FTC 
Web site at https://www.ftc.gov/, you are solely responsible for making 
sure that your comment does not include any sensitive or confidential 
information. In particular, your comment should not include any 
sensitive personal information, such as your or anyone else's Social 
Security number; date of birth; driver's license number or other state 
identification number, or foreign country equivalent; passport number; 
financial account number; or credit or debit card number. You are also 
solely responsible for making sure that your comment does not include 
any sensitive health information, such as medical records or other 
individually identifiable health information. In addition, your comment 
should not include any ``trade secret or any commercial or financial 
information which . . . is privileged or confidential''--as provided by 
Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 
16 CFR 4.10(a)(2)--including in particular competitively sensitive 
information such as costs, sales statistics, inventories, formulas, 
patterns, devices, manufacturing processes, or customer names.
    Comments containing material for which confidential treatment is 
requested must be filed in paper form, must be clearly labeled 
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular, 
the written request for confidential treatment that accompanies the 
comment must include the factual and legal basis for the request, and 
must identify the specific portions of the comment to be withheld from 
the public record. See FTC Rule 4.9(c). Your comment will be kept 
confidential only if the General Counsel grants your request in 
accordance with the law and the public interest. Once your comment has 
been posted on the public FTC Web site--as legally required by FTC Rule 
4.9(b)--we cannot redact or remove your comment from the FTC Web site, 
unless you submit a confidentiality request that meets the requirements 
for such treatment under FTC Rule 4.9(c), and the General Counsel 
grants that request.
    The FTC Act and other laws that the Commission administers permit 
the collection of public comments to consider and use in this 
proceeding as appropriate. The Commission will consider all timely and 
responsive public comments that it receives on or before November 15, 
2017. For information on the Commission's privacy policy, including 
routine uses permitted by the Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.

Christian S. White,
Acting General Counsel.
[FR Doc. 2017-22334 Filed 10-13-17; 8:45 am]
 BILLING CODE 6750-01-P