[Federal Register Volume 82, Number 219 (Wednesday, November 15, 2017)]
[Rules and Regulations]
[Pages 52846-52848]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-24728]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 314

[RIN 3084-AB41]


Disposal of Consumer Report Information and Records

AGENCY: Federal Trade Commission.

ACTION: Confirmation of rule.

-----------------------------------------------------------------------

SUMMARY: The Federal Trade Commission has completed its regulatory 
review of its rule regarding Disposal of Consumer Report Information 
and Records as part of the Commission's systematic review of all 
current Commission rules and guides, and has determined to retain the 
Rule in its current form.

DATES: This action is effective on November 15, 2017.

ADDRESSES: Relevant portions of the proceeding, including this 
document, are available at www.ftc.gov.

FOR FURTHER INFORMATION CONTACT: Tiffany George, (202) 326-3040, 
Attorney, Division of Privacy and Identity Protection, Federal Trade 
Commission, Washington, DC 20580.

SUPPLEMENTARY INFORMATION: 

I. Introduction

    In September 2016, the Federal Trade Commission (``FTC'' or 
``Commission'') requested comments on its rule regarding Disposal of 
Consumer Report Information and Records (``Disposal Rule'' or 
``Rule''), as part of its comprehensive regulatory review program. 
Specifically, the Commission sought comments on the Rule's costs and 
benefits, and on whether it should modify the Rule to account for 
changes in technology or information destruction standards.
    After considering the comments, the Commission has determined to 
retain the Rule without amendment. Most of the commenters who addressed 
the issue supported the Rule's current provisions. A few commenters 
recommended expanding the Rule's provisions. Because the Commission has 
not seen any evidence of problematic acts or practices that any 
proposed modification would address, it has determined not to amend the 
Rule at this time.
    This document provides background, analyzes the comments, and 
further explains the Commission's decision.

II. Background

    The Fair and Accurate Credit Transactions Act (``FACTA'' or 
``Act'') was enacted in 2003. In part, the Act amended the Fair Credit 
Reporting Act (``FCRA'') by requiring that any person that maintains or 
otherwise possesses consumer information, or any compilation of 
consumer information, derived from consumer reports for a business 
purpose, properly dispose of any such information or compilation. The 
Act also required the Commission and other federal agencies to 
promulgate rules regarding the proper disposal of consumer report 
information and records.
    Pursuant to the Act's directive, the Commission promulgated the 
Disposal Rule in 2004, which became effective on June 1, 2005.\1\ The 
Disposal Rule requires that persons over which the FTC has jurisdiction 
who maintain or otherwise possess consumer information for a business 
purpose properly dispose of such information by taking reasonable 
measures to protect against unauthorized access to or use of the 
information in connection with its disposal. The Rule defines 
``consumer information'' as ``any record about an individual, whether 
in paper, electronic, or other form, that is a consumer report or is 
derived from a consumer report. Consumer information also means a 
compilation of such records. Consumer information does not include 
information that does not identify individuals, such as aggregate 
information or blind data.'' \2\
---------------------------------------------------------------------------

    \1\ See 69 FR 68690 (Nov. 24, 2004); 16 CFR 682.
    \2\ See 16 CFR 682.1(b).
---------------------------------------------------------------------------

    The Rule includes several examples of what the Commission believes 
constitute reasonable measures to protect consumer information in 
connection with its disposal, including policies and procedures that 
require (1) the burning, pulverizing, or shredding of papers or (2) the 
destruction or erasure of electronic media containing consumer 
information so that the information cannot practicably be read or 
reconstructed. These examples are intended to provide covered entities 
with guidance on how to comply with

[[Page 52847]]

the Rule, but are not intended to be safe harbors or exclusive methods 
for compliance. In promulgating the Rule, the FTC noted that there are 
few foolproof methods of record destruction and that entities covered 
by the Rule must consider their own unique circumstances when 
determining how to best comply with the Rule.
    In September 2016, the Commission published a Notice seeking 
comment on the Rule as part of the Commission's ongoing comprehensive 
regulatory review program.\3\ The Notice sought comment on the Rule's 
overall costs, benefits, necessity, and regulatory and economic impact. 
The Notice also asked for comment on whether the Commission should 
modify the Rule in light of changes in technology and industry 
standards and practices.
---------------------------------------------------------------------------

    \3\ Federal Trade Commission: Disposal of Consumer Report 
Information: Request for Comments, 81 FR 63435 (Sept. 15, 2016).
---------------------------------------------------------------------------

III. Regulatory Review Comments and Analysis

    The Commission received 11 comments in response to the Notice 
during the comment period.\4\ Comments were filed by individuals, trade 
associations, and research organizations. The Commission received 
comments from such diverse organizations as the National Automobile 
Dealers Association (``NADA''), Data & Marketing Association (``DMA''), 
National Association for Information Destruction (``NAID''), Consumer 
Data Industry Association (``CDIA''), Electronic Transactions 
Association (``ETA''), and Electronic Privacy Information Center 
(``EPIC'').
---------------------------------------------------------------------------

    \4\ The comments are posted at: https://www.ftc.gov/policy/public-comments/initiative-672. The Commission has assigned each 
comment a number appearing after the name of the commenter and the 
date of submission. This notice cites comments using the last name 
of the individual submitter or the name of the organization, 
followed by the number assigned by the Commission.
---------------------------------------------------------------------------

    All of the commenters addressing the issue supported the Rule 
overall. Indeed, none of the commenters advocated repealing the Rule or 
narrowing its scope. For example, NADA stated that ``the Disposal Rule 
is well-established and working effectively and we do not believe it 
needs to be changed or amended in any significant way.'' \5\ In 
addition, ETA noted that ``the Disposal Rule as currently written 
effectively promotes consumer information security.'' \6\
---------------------------------------------------------------------------

    \5\ See National Automobile Dealers Association (Comment 
#00013).
    \6\ See Electronic Transactions Association (Comment #00011).
---------------------------------------------------------------------------

    Commenters differed on whether the Commission should expand the 
Rule's scope. Two organizations supported expanding the Rule. For 
example, NAID recommended that the Commission ``add provisions and 
clarity to provide direction (and enforcement) related to . . . 
emerging issues'' caused by advances in technology, such as the 
applicability of the Rule to third-party hardware providers (e.g., 
digital copier manufacturers who might retain a copy of consumer 
information) or cloud providers that may maintain consumer information. 
NAID also recommended expanding the definition of consumer information 
``as broadly as possible'' because most covered entities already have 
considerably broad policies in place.\7\ EPIC supported expanding the 
definition of consumer information ``to include information that is 
linked or linkable to an individual'' because it ``represents a more 
flexible, technology neutral approach that is consistent with the 
reality of modern business practices.'' \8\
---------------------------------------------------------------------------

    \7\ See National Association for Information Destruction 
(Comment #00009).
    \8\ See Electronic Privacy Information Center (Comment #00015).
---------------------------------------------------------------------------

    Most trade associations argued against expansion of the Rule, 
asserting that laws and guidance currently in place sufficiently 
protect consumers. For instance, CDIA stated ``[t]here is no net 
benefit in requiring consumer reporting agencies to incur the 
additional costs and burdens of applying the Disposal Rule to aggregate 
information, blind data, or otherwise de-identified data when such a 
change would not address any identified consumer harm or provide 
consumers with additional protection.'' \9\ DMA commented that 
``[e]xpanding the scope of the Disposal Rule could unnecessarily risk 
stifling an innovative sector that has created enormous job 
opportunities and provides consumers with robust benefits.'' \10\
---------------------------------------------------------------------------

    \9\ See Consumer Data Industry Association (Comment #00010).
    \10\ See Data & Marketing Association (Comment #00012).
---------------------------------------------------------------------------

    The Commission agrees with the commenters who stated that the Rule 
should continue as it is and that it is not necessary to expand the 
Rule. No commenter who supported expansion of the Rule provided any 
evidence of problematic acts or practices that remain unaddressed with 
the scope of the current Rule.
    As to NAID's comment requesting clarity on emerging issues relating 
to advances in technology including the applicability of the Rule to 
third-party service providers, the Commission notes that the Rule 
already applies to ``[a]ny person who maintains or otherwise possesses 
consumer information for a business purpose'' and requires ``reasonable 
measures to protect against unauthorized access to or use of the 
information in connection with its disposal.'' \11\ Thus, the 
Commission does not believe a Rule change is needed to address this 
issue.
---------------------------------------------------------------------------

    \11\ See 16 CFR 682.3(a).
---------------------------------------------------------------------------

    As to the commenters that were concerned that the definition of 
``consumer information'' is too limiting, the Commission notes that the 
definition--which excludes ``aggregate information'' and ``blind 
data''--is not limited to information that identifies a consumer by 
name only. The Statement of Basis and Purpose to the final Rule noted 
that the terms ``aggregate information'' and ``blind data'' are 
intended to have the same meaning as in the Commission's Gramm-Leach-
Bliley Act Rule regarding the Privacy of Consumer Financial 
Information, 16 CFR part 313 (the ``GLB Privacy Rule''). The GLB 
Privacy Rule in turn defines aggregate information or blind data as 
information ``that does not contain personal identifiers such as 
account numbers, names, or addresses.'' \12\ In addition, in the 
Statement of Basis and Purpose for the Disposal Rule, the Commission 
stated that there are ``a variety of personal identifiers beyond simply 
a person's name that would bring information within the scope of the 
Rule, including, but not limited to, a social security number, driver's 
license number, phone number, physical address, and email address.'' 
\13\ The Commission did not include a rigid definition in the final 
Rule because it noted that, depending upon the circumstances, data 
elements that are not inherently identifying can, in combination, 
identify particular individuals.\14\
---------------------------------------------------------------------------

    \12\ See 69 FR at 68692; 16 CFR 313.3(o)(2)(ii).
    \13\ 69 FR at 68692.
    \14\ Id.
---------------------------------------------------------------------------

    Thus, the rulemaking record makes clear that the definition of 
``consumer information'' is not unduly limited. It may include other 
information that can be used to identify an individual. The Commission 
does not believe it is necessary to amend the Rule on this point.
    In light of the comments received, the Commission concludes that a 
continuing need exists for the Rule and that costs imposed on 
businesses are reasonable. The Commission has determined to retain the 
Rule without amendment at this time. The Commission will continue to 
monitor changes in technology and industry

[[Page 52848]]

standards and practices to determine if it should take action in the 
future.

    By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2017-24728 Filed 11-14-17; 8:45 am]
BILLING CODE 6750-01-P