[Federal Register Volume 84, Number 65 (Thursday, April 4, 2019)]
[Proposed Rules]
[Pages 13150-13158]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-06039]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 313

RIN 3084-AB42


Privacy of Consumer Financial Information Rule Under the 
Gramm-Leach-Bliley Act

AGENCY: Federal Trade Commission.

ACTION: Notice of proposed rulemaking; request for public comment.

-----------------------------------------------------------------------

SUMMARY: The Federal Trade Commission is proposing to amend its Privacy 
Rule for certain financial institutions subject to the Rule to revise 
the Rule's scope, to modify the Rule's definitions of ``financial 
institution'' and ``federal functional regulator,'' and to update the 
Rule's annual customer privacy notice requirement. The proposed 
amendments will also remove certain examples in the Rule that apply to 
financial institutions that now fall outside the scope of the 
Commission's Rule. This action is necessary to conform the Rule to the 
current requirements of the Gramm-Leach-Bliley Act (GLBA), as amended 
by the Dodd-Frank and FAST Acts, and will clarify which financial 
institutions are covered by the Commission's Rule and their annual 
customer privacy notice obligations under the Rule.

DATES: Written comments must be received on or before June 3, 2019.

ADDRESSES: Interested parties may file a comment online or on paper by 
following the Request for Comment part of the SUPPLEMENTARY INFORMATION 
section below. Write ``Amendment to the Privacy of Consumer Financial 
Information Rule, 16 CFR part 313, Rulemaking No. R411016,'' on your 
comment and file your comment online at https://www.regulations.gov by 
following the instructions on the web-based form. If you prefer to file 
your comment on paper, mail your comment to the following address: 
Federal Trade Commission, Office of the Secretary, 600 Pennsylvania 
Avenue NW, Suite CC-5610 (Annex B), Washington, DC 20580, or deliver 
your comment to the following address: Federal Trade Commission, Office 
of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, 
Suite 5610 (Annex B), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: David Lincicum or Allison M. Lefrak, 
Division of Privacy and Identity Protection, Bureau of Consumer 
Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, 
Washington, DC 20580, (202) 326-2773 or (202) 326-2804.

SUPPLEMENTARY INFORMATION:

I. Background

A. The Statute and Regulation

    The GLBA was enacted in 1999.\1\ The GLBA, among other things, 
provides a framework for regulating the privacy practices of a broad 
range of financial institutions. The GLBA requires that financial 
institutions provide their customers with initial and annual notices 
regarding their privacy practices, and allow their customers to opt out 
of sharing their information with certain nonaffiliated third parties.
---------------------------------------------------------------------------

    \1\ Public Law 106-102, 113 Stat. 1338 (1999).
---------------------------------------------------------------------------

    Rulemaking authority to implement the GLBA's privacy provisions was 
initially spread among multiple agencies. The Federal Reserve Board 
(``the Fed''), the Office of Comptroller of the Currency (``OCC''), the 
Federal Deposit Insurance Corporation (``FDIC''), and the Office of 
Thrift Supervision (``OTS'') jointly adopted final rules to implement 
the notice requirements of the GLBA in 2000.\2\ The Commission, the 
National Credit Union Administration (``NCUA''), the Securities and 
Exchange Commission (``SEC''), and the Commodity Futures Trading 
Commission (``CFTC'') were part of the same interagency process, but 
each issued their rules separately.\3\ In 2009, all those agencies 
jointly adopted a model form that financial institutions could use to 
provide the required initial and annual privacy disclosures.\4\
---------------------------------------------------------------------------

    \2\ 65 FR 35162 (June 1, 2000).
    \3\ 65 FR 33646 (May 24, 2000) (FTC final rule); 65 FR 31722 
(May 18, 2000) (NCUA final rule); 65 FR 40334 (June 29, 2000) (SEC 
final rule); 66 FR 21236 (Apr. 27, 2001) (CFTC final rule).
    \4\ 74 FR 62890 (Dec. 1, 2009); see also 16 CFR 313.2, 
313.4-313.9.
---------------------------------------------------------------------------

    As originally promulgated, the FTC's Privacy Rule covered a broad 
range of non-bank financial institutions such as payday lenders, 
mortgage brokers, check cashers, debt collectors, real estate 
appraisers, certain motor vehicle dealers, and remittance transfer 
providers. In 2010, the Dodd-Frank Act \5\ transferred the GLBA's 
privacy notice rulemaking authority from the Fed, NCUA, OCC, OTS, the 
FDIC, and the Commission (in part) to the Consumer Financial Protection 
Bureau (``CFPB''). The CFPB then restated the implementing regulations 
in Regulation P, 12 CFR part 1016, in late 2011 (``Regulation P'').\6\ 
However, under section 1029 of the Dodd-Frank Act, the Commission 
retained rulemaking authority for certain motor vehicle dealers.\7\ 
Thus, in 2012, the Commission issued a notice that it was retaining the 
implementing regulations governing privacy notices for motor vehicle 
dealers at 16 CFR part 313.\8\
---------------------------------------------------------------------------

    \5\ Public Law 111-203, 124 Stat. 1376 (2010).
    \6\ 76 FR 79025 (Dec. 21, 2011).
    \7\ 12 U.S.C. 5519. The FTC retained rulemaking jurisdiction as 
to motor vehicle dealers that are predominantly engaged in the sale 
and servicing or the leasing and servicing of motor vehicles, 
excluding those dealers that directly extend credit to consumers and 
do not routinely assign the extensions of credit to an unaffiliated 
third party. For ease of reference, covered motor vehicle dealers 
are referenced herein as ``motor vehicle dealers.''
    \8\ 77 FR 22200, 22201 (April 13, 2012) (also rescinding those 
regulations for which rulemaking authority was transferred to the 
CFPB under the Dodd-Frank Act).
---------------------------------------------------------------------------

    Despite the transfer of general rulemaking authority for the 
Privacy Rule to the CFPB, the Commission and other agencies retain 
their existing enforcement authority under the GLBA.\9\ In addition, 
the SEC and CFTC retain rulemaking authority with respect to securities 
and futures-related companies, respectively.\10\ Accordingly, as part 
of this rulemaking process, the Commission has consulted and 
coordinated, or offered to consult, with those agencies that have 
rulemaking and/or enforcement authority under the GLBA, including the 
CFPB, SEC, CFTC, and the National Association of Insurance 
Commissioners (``NAIC'').\11\
---------------------------------------------------------------------------

    \9\ 15 U.S.C. 6805(a).
    \10\ 15 U.S.C. 6804, 6809; 12 U.S.C. 1843(k)(4); 12 CFR 
1016.1(b).
    \11\ See 15 U.S.C. 6804(a)(2).
---------------------------------------------------------------------------

    On December 4, 2015, Congress amended the GLBA as part of the FAST 
Act. This amendment, titled Eliminate Privacy Notice Confusion,\12\ 
added GLBA subsection 503(f). This subsection provides an exception 
under which financial institutions that meet certain conditions are not 
required to provide annual privacy notices to customers.
---------------------------------------------------------------------------

    \12\ Public Law 114-94, sec. 75001, 129 Stat. 1312, 1787 (2015).
---------------------------------------------------------------------------

B. The Privacy Notice Requirements

    As noted, the GLBA and the Privacy Rule require that motor vehicle 
dealers provide consumers with notices describing their privacy 
policies. Specifically, section 503 of the GLBA and the Privacy Rule 
require covered entities to provide an initial notice of these 
policies,\13\ and then ``provide a clear and conspicuous notice to 
customers that accurately reflects [their] privacy policies and 
practices not less than annually during the continuation of the 
customer relationship.'' \14\
---------------------------------------------------------------------------

    \13\ 15 U.S.C. 6803; 16 CFR 313.4.
    \14\ 15 U.S.C. 6803; 16 CFR 313.5(a)(1).
---------------------------------------------------------------------------

    Section 502 of the GLBA and the Privacy Rule require that initial 
and annual notices inform customers of their right to opt out of the 
sharing of nonpublic personal information with some types of 
nonaffiliated third parties.\15\ For example, a customer has the right 
to opt out of allowing a motor vehicle dealer to sell her name and 
address to a nonaffiliated auto insurance company.\16\ On the other 
hand, a motor vehicle dealer is not required to allow consumers to opt 
out of the dealer's 
sharing involving third-party service providers, joint marketing 
arrangements, maintenance and servicing of accounts, securitization, 
law enforcement and compliance, reporting to consumer reporting 
agencies, and certain other activities that are specified in the 
statute and regulation.\17\ Accordingly, if a motor vehicle dealer 
limits its sharing to uses that do not trigger opt-out rights, it may 
provide an annual privacy notice to its customers that does not include 
information regarding opt-out rights.
---------------------------------------------------------------------------

    \15\ 15 U.S.C. 6802; 16 CFR 313.6(a)(6).
    \16\ 16 CFR 313.10(a).
    \17\ 15 U.S.C. 6802(b)(2), 6802(e); 16 CFR 313.13-313.15.
---------------------------------------------------------------------------

    Motor vehicle dealers also may include in the annual privacy notice 
information about certain consumer opt-out rights related to affiliate 
sharing under the Fair Credit Reporting Act (``FCRA''). First, section 
603(d)(2)(A)(iii) of the FCRA allows the sharing of a consumer's 
information among affiliates, but only if the consumer is notified of 
such sharing and is given an opportunity to opt out.\18\ Section 
503(c)(4) of the GLBA and the Privacy Rule generally require motor 
vehicle dealers to incorporate any notifications and opt-out 
disclosures provided pursuant to section 603(d)(2)(A)(iii) of the FCRA 
into their initial and annual privacy notices.\19\
---------------------------------------------------------------------------

    \18\ 15 U.S.C. 1681a(d)(2)(A)(iii).
    \19\ 15 U.S.C. 6803(c)(4); 16 CFR 313.6(a)(7).
---------------------------------------------------------------------------

    Second, section 624 of the FCRA and the FTC's Affiliate Marketing 
Rule \20\ provide that an affiliate of a motor vehicle dealer that 
receives certain information about a consumer from the dealer may not 
use that information for marketing purposes, unless the consumer is 
provided with an opportunity to opt out of that use.\21\ This 
requirement governs the use of information by an affiliate, not the 
sharing of information among affiliates, and thus is distinct from the 
affiliate sharing opt-out discussed above. The Affiliate Marketing Rule 
permits (but does not require) motor vehicle dealers to incorporate any 
opt-out disclosures provided under section 624 of the FCRA and the 
Affiliate Marketing Rule into the initial and annual privacy notices 
required by the GLBA.\22\
---------------------------------------------------------------------------

    \20\ 16 CFR 680.1-680.28.
    \21\ 15 U.S.C. 1681s-3. The FTC's Affiliate Marketing Rule 
applies to motor vehicle dealers. See 77 FR 22200 (Apr. 13, 2012). 
The FTC also enforces the CFPB's Regulation V's Affiliate Marketing 
Rule, 12 CFR part 1022, subpart C, for other entities over which the 
FTC has enforcement authority under the FCRA.
    \22\ 16 CFR 680.23(b).
---------------------------------------------------------------------------

    Finally, section 313.6(a)(8) of the Privacy Rule requires that the 
initial and annual notices briefly describe how motor vehicle dealers 
protect the nonpublic personal information they collect and maintain.

II. Proposed Revision of the Privacy Rule

A. The Consumer Financial Protection Bureau Rulemaking

    In December 2011, the CFPB issued a Request for Information seeking 
specific suggestions for streamlining regulations that were transferred 
to the CFPB from other Federal agencies, including the annual privacy 
notice requirement.\23\ After receiving numerous comments, in May 2014, 
the CFPB issued a proposed rule to amend its Regulation P to allow 
financial institutions to notify consumers that a privacy notice was 
available online, in certain enumerated circumstances.\24\ The CFPB 
finalized its rulemaking in October 2014.\25\
---------------------------------------------------------------------------

    \23\ 76 FR 75825, 75828 (Dec. 5, 2011).
    \24\ 79 FR 27214 (May 14, 2014) (CFPB Notice of Proposed 
Rulemaking).
    \25\ 79 FR 64057 (Oct. 28, 2014).
---------------------------------------------------------------------------

B. The Commission's 2015 Proposed Rulemaking

    On June 24, 2015, the Commission published a Notice of Proposed 
Rulemaking (``2015 NPRM'') proposing revisions to the Privacy Rule.\26\ 
First, the Commission proposed a number of changes to comport with the 
Dodd-Frank Act revision of GLBA, which transferred rulemaking authority 
for most financial institutions to the CFPB. The Commission also 
proposed amending the Rule to allow motor vehicle dealers to notify 
their customers that a privacy notice is available online, under 
circumstances identical to those that had been adopted by the CFPB.\27\
---------------------------------------------------------------------------

    \26\ 80 FR 36267 (June 24, 2015).
    \27\ See 79 FR 64057 (Oct. 28, 2014).
---------------------------------------------------------------------------

    The Commission received six comments from individuals and 
entities.\28\
---------------------------------------------------------------------------

    \28\ The comments are posted at: https://www.ftc.gov/policy/public-comments/2015/06/initiative-614. The Commission assigned each 
comment a number appearing after the name of the commenter and the 
date of submission.
---------------------------------------------------------------------------

C. The Passage of the FAST Act

    As described above, on December 4, 2015, President Obama signed the 
FAST Act. The FAST Act contains a provision that modified the annual 
privacy notice requirement under the GLBA. The provision states that a 
financial institution is not required to provide an annual privacy 
notice if it: (1) Only shares non-public personal information with 
non-affiliated third parties in a manner that does not require an opt-out 
right be provided to customers (e.g., if the institution discloses 
nonpublic personal information to a service provider or for fraud 
detection and prevention purposes), and (2) has not changed its 
policies and practices with respect to disclosing nonpublic personal 
information since it last provided a privacy notice to its 
customers.\29\ This modification of the GLBA rendered the Commission's 
proposed changes to the Privacy Rule moot because those changes, if 
adopted, would have been in conflict with the revised statute.\30\
---------------------------------------------------------------------------

    \29\ 15 U.S.C. 6803(f).
    \30\ In 2016, the CFPB issued a proposed amendment to Regulation 
P that would alter the annual notice requirement to conform to the 
statutory changes. 81 FR 44801 (July 11, 2016). The rule became 
final in September 2018. 83 FR 40945 (Sept. 17, 2018).
---------------------------------------------------------------------------

D. New Proposed Changes to the Privacy Rule

    In light of this history, the Commission is issuing this notice of 
proposed rulemaking. The Commission now proposes to make three types of 
changes to the Privacy Rule: (1) Technical changes to the Rule to 
correspond to the reduced scope of the Rule due to Dodd-Frank Act 
changes, which primarily consist of removing references that do not 
apply to motor vehicle dealers; (2) modifications to the annual privacy 
notice requirements to reflect the changes made to the GLBA by the FAST 
Act; and (3) a modification to the scope and definition of ``financial 
institution'' to include entities engaged in activities that are 
incidental to financial activities, which would bring the Rule into 
accord with the CFPB's Regulation P.
1. Technical Changes To Correspond to Statutory Changes Resulting From 
the Dodd-Frank Act
    The Commission adopted the scope of, and definitions in, the 
original Privacy Rule at a time when it had rulemaking authority for 
the Privacy Rule over a broader group of non-bank ``financial 
institutions'' as defined by the GLBA. While the Dodd-Frank Act did not 
change the Commission's enforcement authority for the privacy notice 
obligations of the GLBA, it did amend the Commission's rulemaking 
authority under the GLBA such that the Privacy Rule only applies to 
motor vehicle dealers.\31\ The amendments in the Dodd-Frank Act 
necessitate certain technical revisions to the Privacy Rule to ensure 
that the regulation is consistent with the text of the amended 
GLBA.\32\ For example, retaining examples that apply to entities other 
than motor vehicle dealers may lead to confusion about the existing, 
narrower scope of the Privacy Rule. Accordingly, the Commission 
proposes to modify the Privacy Rule to provide clearer guidance to 
financial institutions that are covered motor vehicle dealers.\33\
---------------------------------------------------------------------------

    \31\ For other types of financial institutions over which the 
Commission has enforcement authority under the GLBA, the Commission 
now enforces the CFPB's Regulation P.
    \32\ 15 U.S.C. 6804(1)(C).
    \33\ The Commission also proposes a change to 16 CFR 313.3(j) 
removing the Director of the Office of Thrift Supervision from the 
definition of ``Federal Functional Regulators,'' as the Office of 
Thrift Supervision no longer exists.
---------------------------------------------------------------------------

    The proposed amendment to section 313.1(b) narrows the description 
of the scope of the Privacy Rule to those entities set forth in the 
Dodd-Frank Act \34\ that are predominantly engaged in the sale and 
servicing of motor vehicles or the leasing and servicing of motor 
vehicles, excluding those dealers that directly extend credit to 
consumers and do not routinely assign the extensions of credit to an 
unaffiliated third party. It also removes the reference in the Rule's 
scope to ``other persons'': Although the Commission continues to have 
enforcement authority over ``other persons'' covered by the CFPB's 
Regulation P, the Commission no longer has rulemaking authority for the 
Privacy Rule over ``other persons.'' \35\ In addition, the Commission 
proposes to eliminate from section 313.1(b) the note indicating that 
(1) the Privacy Rule does not modify, limit, or supersede the standards 
under the Health Insurance Portability and Accountability Act of 1996, 
and (2) if a financial institution that is an institution of higher 
education is in compliance with the Federal Educational Rights and 
Privacy Act (``FERPA'') and its implementing regulations, such 
institution shall be deemed in compliance with the Privacy Rule. The 
Commission does not believe these provisions will apply to motor 
vehicle dealers covered by the Rule and believes they should be removed 
to improve clarity. The Commission invites comments on whether these provisions 
are relevant to motor vehicle dealers and should be retained.
---------------------------------------------------------------------------

    \34\ 12 U.S.C. 5519.
    \35\ The Commission also proposes to amend 16 CFR 313.15(a)(4) 
to add the CFPB to the list of law enforcement agencies to which 
financial institutions are permitted to share information to the 
extent permitted by law.
---------------------------------------------------------------------------

    The proposed amendments to section 313.3 also remove any examples 
that are not likely to apply to motor vehicle dealers. To help 
companies understand whether and how the Rule applies to them, the Rule 
includes examples of financial institutions in section 313.3(k)(2). The 
current examples refer to types of activities that motor vehicle 
dealers typically do not engage in. Therefore, leaving those examples 
in the Rule may lead to confusion about the Rule's current scope.
    The proposed amendments also remove certain examples from the 
definition of ``consumer'' in section 313.3(e)(2). These examples do 
not apply because motor vehicle dealers do not provide the types of 
services provided in the examples, such as financial, investment, or 
economic advisory services or serving as the trustee of a trust.
    Likewise, the proposed amendments remove certain examples of 
establishing a customer relationship from section 313.4(c)(3)(i). The 
removed examples do not apply to customers of motor vehicle dealers, 
because such activities are not related to the sale or leasing of motor 
vehicles. These include creating credit card accounts, providing 
investment advice or tax counseling, providing mortgages, collecting 
debts from other financial institutions, and providing websites for 
consumers to review all of their on-line financial accounts with other 
financial institutions.
    Finally, the proposed amendments remove certain examples of 
termination of customer relationships from section 313.5(b)(2). As with 
previously discussed proposed amendments, the removed examples concern 
customer relationships based on services that motor vehicle dealers do 
not provide. These include credit card accounts, credit counseling 
services, tax preparation, and real estate settlement. The removal of 
these inapplicable examples will increase the clarity of the rule by 
focusing on matters that are relevant to the regulated financial 
institutions. Removing these examples will not alter the substance of 
the underlying definitions or provisions of the rule, which will have 
the same reach and applicability as before the revisions. The changes 
are intended to improve clarity, not to alter substance. The Commission 
invites comments on whether any of the omitted examples should be 
retained.
    Although the Dodd-Frank Act altered the Commission's rulemaking 
authority with respect to the Privacy Rule, it did not alter the 
Commission's rulemaking authority for the Safeguards Rule. For the 
Safeguards Rule, the Commission continues to have rulemaking authority 
over a broad range of non-bank financial institutions. The Safeguards 
Rule, however, currently incorporates by reference the definitions 
contained in the Privacy Rule, including all of the examples of 
financial institutions listed in the existing Privacy Rule.\36\ 
Accordingly, while the Commission proposes to modify the Privacy Rule 
definitions to include examples applicable only to motor vehicle 
dealers, the Commission has also proposed in a separate concurrent NPRM 
to amend the Safeguards Rule to import definitions of relevant terms 
and examples from the current version of the Privacy Rule.\37\
---------------------------------------------------------------------------

    \36\ 16 CFR 314.2(a).
    \37\ The NPRM relating to the Safeguards Rule is published 
elsewhere in this issue of the Federal Register.
---------------------------------------------------------------------------

2. Modifications to the Annual Privacy Notice To Reflect Statutory 
Changes Resulting From the FAST Act
    The Commission also proposes changes to the Privacy Rule provisions 
governing how motor vehicle dealers should deliver annual privacy 
notices. These changes implement statutory changes resulting from the 
enactment of the FAST Act and replace those set forth in the 2015 NPRM.
    Several commenters opined on the proposed changes to notice 
delivery in the 2015 NPRM. Those comments have been rendered obsolete 
by the statutory changes. The current proposed rule implements the 
changes set forth in the FAST Act.

Section 313.5(a)(1)--General Rule

    The proposed section 313.5(a)(1) notes that section 313.5(e) 
provides an exception to the general rule requiring the delivery of 
annual notices.

Section 313.5(e)

    This proposed new section sets forth the exception to the annual 
privacy notice requirement. The Commission adopts the reasoning and 
changes set forth by the CFPB in its amendments to Regulation P to 
adopt the FAST Act changes.\38\ First, proposed section 313.5(e)(1)(i) 
sets forth that the financial institution must share nonpublic personal 
information only in accordance with the provisions of sections 313.13, 
313.14, and 313.15, none of which require an opt-out opportunity be 
provided to customers. Second, proposed section 313.5(e)(1)(ii) states 
that the financial institution must also not have changed its 
disclosure policies and practices that were contained in its most 
recent privacy notice to customers.
---------------------------------------------------------------------------

    \38\ See 81 FR 44801 (July 10, 2016).
---------------------------------------------------------------------------

    Proposed section 313.5(e)(2) sets forth the timing for delivering 
an annual notice if a financial institution no longer meets 
requirements for the exception and must resume delivery of annual 
notices. There are two scenarios under which a financial institution 
would need to resume delivering annual notices: (1) Where the change in 
its policies triggers the existing requirement 
to issue a revised privacy notice, as required by section 313.8; and 
(2) where the change does not trigger a need for the financial 
institution to issue a revised notice under section 313.8. These two 
situations are addressed by proposed sections 313.5(e)(2)(i) and (ii), 
respectively. In the first situation, the revised notice issued by the 
financial institution acts as an initial privacy notice for the 
purposes of the timing of future annual notices. In the second 
situation, the financial institution must provide an annual notice to 
customers within 100 days of the change in policies or practices. 
Proposed section 313.5(e)(2)(iii) sets forth an example for both 
scenarios.
3. Modifications To Scope and Definitions To Bring the Rule Into Accord 
With Regulation P
    Whether a company is a ``financial institution'' is determined by 
the types of activities in which the company engages. When first 
promulgating the Privacy Rule, the Commission determined that companies 
engaged in activities that are ``incidental to financial activities'' 
would not be considered ``financial institutions.'' \39\ The Commission 
was the only agency to adopt this restrictive definition in its Privacy 
Rule, while the other agencies included incidental activities.\40\ In 
addition, the Commission decided that activities that were determined 
to be financial in nature after the enactment of the GLBA would not be 
automatically included in its Privacy Rule; rather, the Commission 
would have to take additional action to include them.\41\ The effect of 
these two decisions was to limit the activities covered by the 
Commission's rules to those set out in 12 CFR 225.28 as it existed in 
1999, and to exclude any activities later determined by the Fed to be 
financial activities or incidental to those activities.\42\
---------------------------------------------------------------------------

    \39\ See 16 CFR 313.3(k); see also 65 FR 33646, 33654 (May 24, 
2000).
    \40\ The Commission also added the requirement that an entity 
must be ``significantly engaged'' in the financial activity to be 
considered a financial institution under the Privacy Rule. 16 CFR 
313.3(k). The Commission is not proposing to change this 
requirement.
    \41\ 65 FR 33646, 33654 n.23 (May 24, 2000).
    \42\ Id.
---------------------------------------------------------------------------

    The Commission proposes modifying the definition of ``financial 
institution'' to harmonize the Privacy Rule with other agencies' rules. 
The Commission proposes to amend section 313.1(b) to include companies 
that engage in activities that are financial in nature or incidental to 
such financial activities. Likewise, it proposes to amend the 
definition of ``financial institution'' in section 313.3(k), to include 
any institution the business of which is engaging in an activity that 
is financial in nature or incidental to such financial activities.\43\ 
The effect of this proposed amendment would be to cause ``finders'' to 
be included in this definition, thereby bringing the Privacy Rule into 
harmony with the scope of entities covered by other agencies under 
Regulation P. It would not bring any other activities under the 
coverage of the definition because the Fed has not determined any other 
activity other than ``finding'' to be financial in nature or incidental 
to such activity since the enactment of the GLBA. In practice, the 
Commission expects that this change to the Privacy Rule will have 
little to no effect because of the already narrow scope of the Rule: It 
is not clear that there are any motor vehicle dealers that would be 
covered by this rule whose only activity that would qualify them as a 
financial institution is the act of finding, as most motor vehicle 
dealers are more directly involved in obtaining financing for their 
customers. Nevertheless, the Commission believes this change is 
important to keep the Rule consistent with the Safeguards Rule and 
other agencies' GLBA implementing rules.
---------------------------------------------------------------------------

    \43\ This proposal is also consistent with the agency's 
concurrent proposal to revise the Safeguards Rule in the same 
manner.
---------------------------------------------------------------------------

    The Commission has not previously requested comment on revising the 
definition of ``financial institution'' in this way for the Privacy 
Rule. Through this NPRM, it does so here. Specifically, the Commission 
seeks information on (1) whether any entities function as ``finders'' 
for motor vehicle dealers, and if so how many; (2) whether such finders 
collect or maintain customer information as defined by the Rule; and 
(3) the costs and benefits, including the costs and benefits to finders 
and consumers, of this proposed amendment.

III. Request for Comment

    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before June 3, 2019. 
Write ``Amendment to the Privacy of Consumer Financial Information 
Rule, 16 CFR part 313, Rulemaking No. R411016'' on the comment. Your 
comment, including your name and your state, will be placed on the 
public record of this proceeding, including, to the extent practicable, 
the https://www.regulations.gov website.
    Postal mail addressed to the Commission is subject to delay due to 
heightened security screening. As a result, we encourage you to submit 
your comment online. To make sure that the Commission considers your 
online comment, you must file it at https://www.regulations.gov by 
following the instructions on the web-based form.
    If you file your comment on paper, write ``Amendment to the Privacy 
of Consumer Financial Information Rule, 16 CFR part 313, Rulemaking No. 
R411016,'' on your comment and on the envelope, and mail your comment 
to the following address: Federal Trade Commission, Office of the 
Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex B), 
Washington, DC 20580, or deliver your comment to the following address: 
Federal Trade Commission, Office of the Secretary, Constitution Center, 
400 7th Street SW, 5th Floor, Suite 5610 (Annex B), Washington, DC 
20024. If possible, please submit your paper comment to the Commission 
by courier or overnight service.
    Because your comment will be placed on the publicly accessible 
website, https://www.regulations.gov/, you are solely responsible for 
making sure that your comment does not include any sensitive or 
confidential information. In particular, your comment should not 
include any sensitive personal information, such as your or anyone 
else's Social Security number, date of birth, driver's license number 
or other state identification number or foreign country equivalent, 
passport number, financial account number, or credit or debit card 
number. You are also solely responsible for making sure that your 
comment does not include any sensitive health information, such as 
medical records or other individually identifiable health information. 
In addition, your comment should not include any ``trade secret or any 
commercial or financial information which . . . is privileged or 
confidential,'' as provided by section 6(f) of the FTC Act, 15 U.S.C. 
46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2), including in 
particular, competitively sensitive information such as costs, sales 
statistics, inventories, formulas, patterns, devices, manufacturing 
processes, or customer names.
    Comments containing material for which confidential treatment is 
requested must be filed in paper form, must be clearly labeled 
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular, 
the written request for confidential treatment that accompanies the 
comment must include the factual and legal basis for the request, and 
must identify the specific portions of the comments to be withheld from 
the

[[Page 13155]]

public record.\44\ Your comment will be kept confidential only if the 
FTC General Counsel grants your request in accordance with the law and 
the public interest. Once your comment has been posted publicly at 
www.regulations.gov, we cannot redact or remove your comment from the 
FTC website, unless you submit a confidentiality request that meets the 
requirements for such treatment under FTC Rule 4.9(c), and the General 
Counsel grants that request.
---------------------------------------------------------------------------

    \44\ See 16 CFR 4.9(c).
---------------------------------------------------------------------------

    Visit the Commission website at https://www.ftc.gov/ to read this 
document and the news release describing it. The FTC Act and other laws 
that the Commission administers permit the collection of public 
comments to consider and use in this proceeding as appropriate. The 
Commission will consider all timely and responsive public comments that 
it receives on or before June 3, 2019. For information on the 
Commission's privacy policy, including routine uses permitted by the 
Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.

IV. Communications by Outside Parties to the Commissioners or Their 
Advisors

    Written communications and summaries or transcripts of oral 
communications respecting the merits of this proceeding, from any 
outside party to any Commissioner or Commissioner's advisor, will be 
placed on the public record.\45\
---------------------------------------------------------------------------

    \45\ 16 CFR 1.26(b)(5).
---------------------------------------------------------------------------

V. Paperwork Reduction Act

    Under the Paperwork Reduction Act of 1995 (PRA),\46\ Federal 
agencies are generally required to seek Office of Management and Budget 
(OMB) approval for information collection requirements prior to 
implementation. Under the PRA, the Commission may not conduct or 
sponsor, and, notwithstanding any other provision of law, a person is 
not required to respond to an information collection, unless the 
information collection displays a valid control number assigned by OMB.
---------------------------------------------------------------------------

    \46\ 44 U.S.C. 3501 et seq.
---------------------------------------------------------------------------

    This proposal would amend 16 CFR part 313. The collections of 
information related to the Privacy Rule and the FAST Act statutory 
exceptions to the Rule's annual notice requirement have been previously 
reviewed and approved by OMB in accordance with the PRA.\47\
---------------------------------------------------------------------------

    \47\ The FTC has current clearance through November 30, 2020. 
The OMB Control Number is 3084-0121.
---------------------------------------------------------------------------

    Under the existing clearance, the FTC has attributed to itself the 
estimated burden regarding all motor vehicle dealers and then shares 
equally the remaining estimated PRA burden with the CFPB for other 
types of financial institutions for which both agencies have 
enforcement authority regarding the GLBA Privacy Rule.\48\
---------------------------------------------------------------------------

    \48\ 82 FR 48081.
---------------------------------------------------------------------------

    The proposed amendments do not modify or add to information 
collection requirements that were previously approved by OMB. First, 
the Commission anticipates that the proposed expansion of the 
definition of ``financial institution'' to include entities engaged in 
activities that are incidental to financial activities will have little 
to no effect. It is not clear that any finders are in the business of 
linking consumers with financing through motor vehicle dealers, as 
opposed to other types of financial institutions such as payday lenders 
or mortgage lenders.
    Second, the proposed removal of certain examples provided in the 
Rule that are not applicable to motor vehicle dealers will have no 
impact on existing information collection requirements.
    Therefore, the Commission does not believe that the proposed 
amendments would substantially or materially modify any ``collections 
of information'' as defined by the PRA.
    The Commission seeks comment on whether there are any finders in 
existence that would be covered by the proposed Rule. If there are such 
businesses, the Commission will seek OMB clearance as appropriate.

VI. Regulatory Flexibility Act

    The Regulatory Flexibility Act (RFA), as amended by the Small 
Business Regulatory Enforcement Fairness Act of 1996, requires an 
agency to either provide an Initial Regulatory Flexibility Analysis 
(``IRFA'') with a proposed rule, or certify that the proposed rule will 
not have a significant impact on a substantial number of small 
entities.\49\ The Commission does not expect that this Rule, if 
adopted, would have the threshold impact on small entities. First, most 
of the burdens flow from the mandates of the GLBA, not from the 
specific provisions of the proposed Rule. Second, the Commission does 
not expect the proposal to impose costs on small motor vehicle dealers 
because the amendments are primarily for clarification purposes and 
should not result in any increased burden on any motor vehicle dealer. 
Thus, a small entity that complies with current law need not take any 
different or additional action if the proposal is adopted. Nonetheless, 
the Commission has determined that it is appropriate to publish an 
Initial Regulatory Flexibility Analysis in order to inquire into the 
impact of the proposed Rule on small entities. The Commission does not 
believe that there are any small entities engaged in finding for motor 
vehicle financing that would now be covered as a result of the modified 
definition of ``financial institution.'' However, the Commission 
invites comment on this issue.
---------------------------------------------------------------------------

    \49\ 5 U.S.C. 603-605.
---------------------------------------------------------------------------

1. Reasons for the Proposed Rule

    To address the Dodd-Frank Act and FAST Act changes, the Commission 
proposes to change the Privacy Rule's scope and definition of 
``financial institution''; change the annual notice requirement; and 
remove certain examples provided in the Rule that are not applicable to 
motor vehicle dealers. These changes will make the current, narrow 
scope of the Rule clearer. Additionally, the Commission proposes 
modifying the definition of ``financial institution'' to harmonize the 
Privacy Rule with other agencies' rules by including ``activities 
incidental to financial activities'' as a financial activity. This 
change would bring ``finders'' within the scope of the Rule.

2. Statement of Objectives and Legal Basis

    The objectives of the proposed Rule are discussed above. The legal 
basis for the proposed Rule is section 501(b) of the GLBA.

3. Description of Small Entities to Which the Rule Will Apply

    Determining a precise estimate of the number of small entities 
\50\--including newly covered entities under the modified definition of 
financial institution--is not readily feasible. Financial institutions 
covered by the Rule include certain motor vehicle dealers. If the 
proposed Rule is finalized, finders will also be covered.

[[Page 13156]]

The Commission requests comment and information on whether there are 
any finders in existence that would be covered by the proposed Rule.
---------------------------------------------------------------------------

    \50\ The U.S. Small Business Administration Table of Small 
Business Size Standards Matched to North American Industry 
Classification System Codes (NAICS) are generally expressed in 
either millions of dollars or number of employees. A size standard 
is the largest that a business can be and still qualify as a small 
business for Federal Government programs. For the most part, size 
standards are the annual receipts or the average employment of a 
firm. New car dealers (NAICS code 441100) are classified as small if 
they have fewer than 200 employees. Used car dealers (NAICS code 
441120) are classified as small if their annual receipts are $25 
million or less. Recreational vehicle dealers, boat dealers, 
motorcycle, ATV and all other motor vehicle dealers (NAICS codes 
441210, 441222 and 441228) are classified as small if their annual 
receipts are $32.5 million or less. The 2017 Table of Small Business 
Size Standards is available at https://www.sba.gov/sites/default/files/files/Size_Standards_Table_2017.pdf.
---------------------------------------------------------------------------

4. Projected Reporting, Recordkeeping, and Other Compliance 
Requirements

    The Commission does not believe that the proposed Rule would impose 
any new or substantively revised ``collections of information'' as 
defined by the PRA. Rather, the Commission believes that the proposed 
amendments would have the overall effect of reducing the currently 
cleared estimated burden for the information collections associated 
with the Privacy Rule annual notice. The Commission invites comment on 
the costs to newly covered financial institutions--if there are any--of 
complying with the Rule.

5. Identification of Duplicative, Overlapping, or Conflicting Federal 
Rules

    The Commission's proposal to modify the definition of ``financial 
institution'' harmonizes the Privacy Rule with other agencies' rules. 
The effect of this proposed amendment, as discussed above, would be to 
cause ``finders'' to be covered by the Rule, thereby bringing the scope 
of the Privacy Rule into harmony with the scope of entities covered by 
other agencies under Regulation P. The Commission believes that this 
proposal does not create conflicting or duplicative obligations on 
small entities. As stated previously, the Commission does not believe 
there are any newly covered financial institutions resulting from the 
proposed definitional modification. However, the Commission is 
requesting comment on the extent to which other federal standards 
involving privacy notices may duplicate and/or satisfy or possibly 
conflict with the Rule's requirements for any newly covered financial 
institutions.

6. Discussion of Significant Alternatives

    As stated previously, the Commission does not believe there are any 
newly covered financial institutions resulting from the proposed 
definitional modification. Moreover, the Commission believes that the 
other proposed amendments would have the overall effect of reducing the 
burden for all covered entities associated with the Privacy Rule annual 
notice. The proposed amendments do not reduce the flexibility already 
present in the existing Rule, which allows notices to be provided in a 
variety of ways, including electronically in some circumstances. As to 
the core requirements of the proposed Rule, they come from GLBA itself, 
as amended by the Dodd-Frank and the FAST Act. The statute prescribes 
the definition of financial institutions to be covered by the Rule and 
sets forth the specific requirements, which the Commission cannot 
modify to ease burdens on small entities. Therefore the Commission does 
not believe that any alternatives for small entities are required or 
appropriate. However, the Commission welcomes comment on any 
significant alternative consistent with the GLBA that would minimize 
the impact of the proposed Rule on small entities--specifically 
institutions that would be newly covered financial institutions--if 
there are any.

List of Subjects in 16 CFR Part 313

    Consumer protection, Credit, Data protection, Privacy, Trade 
practices.

    For the reasons stated above, the Federal Trade Commission proposes 
to amend 16 CFR part 313 as follows:

1. Revise the authority section for part 313 to read as follows:

    Authority:  15 U.S.C. 6801 et seq., 12 U.S.C. 5519.

2. In Sec.  313.1, revise paragraph (b) to read as follows:


Sec.  313.1   Purpose and scope.

* * * * *
    (b) Scope. This part applies only to nonpublic personal information 
about individuals who obtain financial products or services primarily 
for personal, family or household purposes from the institutions listed 
below. This part does not apply to information about companies or about 
individuals who obtain financial products or services for business, 
commercial, or agricultural purposes. This part applies to those 
``financial institutions'' over which the Federal Trade Commission 
(``Commission'') has rulemaking authority pursuant to section 
504(a)(1)(C) of the Gramm-Leach-Bliley Act. An entity is a ``financial 
institution'' if its business is engaging in an activity that is 
financial in nature or incidental to such financial activities as 
described in section 4(k) of the Bank Holding Company Act of 1956, 12 
U.S.C. 1843(k), which incorporates by reference activities enumerated 
by the Federal Reserve Board in 12 CFR 225.28 and 12 CFR 225.86. The 
``financial institutions'' subject to the Commission's rulemaking 
authority are any persons described in 12 U.S.C. 5519 that are 
predominantly engaged in the sale and servicing of motor vehicles, the 
leasing and servicing of motor vehicles, or both. They are referred to 
in this part as ``You.'' Excluded from the coverage of this regulation 
are motor vehicle dealers described in 12 U.S.C. 5519(b) that directly 
extend to consumers retail credit or retail leases involving motor 
vehicles in which the contract governing such extension of retail 
credit or retail leases is not routinely assigned to an unaffiliated 
third party finance or leasing source.
3. In Sec.  313.3, revise paragraphs (e), (i), (j), (k) and (q), to 
read as follows:


Sec.  313.3   Definitions.

* * * * *
    (e)(1) Consumer means an individual who obtains or has obtained a 
financial product or service from you that is to be used primarily for 
personal, family, or household purposes, or that individual's legal 
representative.
    (2) Examples--(i) An individual who applies to you for credit for 
personal, family, or household purposes is a consumer of a financial 
service, regardless of whether the credit is extended.
    (ii) An individual who provides nonpublic personal information to 
you in order to obtain a determination about whether he or she may 
qualify for a loan to be used primarily for personal, family, or 
household purposes is a consumer of a financial service, regardless of 
whether the loan is extended.
    (iii) If you hold ownership or servicing rights to an individual's 
loan that is used primarily for personal, family, or household 
purposes, the individual is your consumer, even if you hold those 
rights in conjunction with one or more other institutions. (The 
individual is also a consumer with respect to the other financial 
institutions involved.) An individual who has a loan in which you have 
ownership or servicing rights is your consumer, even if you, or another 
institution with those rights, hire an agent to collect on the loan.
    (iv) An individual who is a consumer of another financial 
institution is not your consumer solely because you act as agent for, 
or provide processing or other services to, that financial institution.
    (v) An individual is not your consumer solely because he or she is 
a participant or a beneficiary of an employee benefit plan that you 
sponsor or for which you act as a trustee or fiduciary.
* * * * *
    (i)(1) Customer relationship means a continuing relationship 
between a consumer and you under which you provide one or more 
financial products or services to the consumer that are to be used 
primarily for personal, family, or household purposes.

[[Page 13157]]

    (2) Examples--(i) Continuing relationship. A consumer has a 
continuing relationship with you if the consumer:
    (A) Has a credit or investment account with you;
    (B) Obtains a loan from you;
    (C) Purchases an insurance product from you;
    (D) Enters into an agreement or understanding with you whereby you 
undertake to arrange credit to purchase a vehicle for the consumer;
    (E) Enters into a lease of personal property on a non-operating 
basis with you; or
    (F) Has a loan for which you own the servicing rights.
    (ii) No continuing relationship. A consumer does not, however, have 
a continuing relationship with you if:
    (A) The consumer obtains a financial product or service from you 
only in isolated transactions, such as cashing a check with you or 
making a wire transfer through you;
    (B) You sell the consumer's loan and do not retain the rights to 
service that loan; or
    (C) The consumer obtains one-time personal appraisal services from 
you.
    (j) Federal functional regulator means:
    (1) The Board of Governors of the Federal Reserve System;
    (2) The Office of the Comptroller of the Currency;
    (3) The Board of Directors of the Federal Deposit Insurance 
Corporation;
    (4) The National Credit Union Administration Board; and
    (5) The Securities and Exchange Commission.
    (k)(1) Financial institution means any institution the business of 
which is engaging in an activity that is financial in nature or 
incidental to such financial activities as described in section 4(k) of 
the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k). An institution 
that is significantly engaged in financial activities is a financial 
institution.
    (2) Example of financial institution. An automobile dealership 
that, as a usual part of its business, leases automobiles on a 
nonoperating basis for longer than 90 days is a financial institution 
with respect to its leasing business because leasing personal property 
on a nonoperating basis where the initial term of the lease is at least 
90 days is a financial activity listed in 12 CFR 225.28(b)(3) and 
referenced in section 4(k)(4)(F) of the Bank Holding Company Act.
    (3) Financial institution does not include entities that engage in 
financial activities but that are not significantly engaged in those 
financial activities.
    (4) Example of entities that are not significantly engaged in 
financial activities. A motor vehicle dealer is not a financial 
institution merely because it accepts payment in the form of cash, 
checks, or credit cards that it did not issue.
* * * * *
    (q) You includes each ``financial institution'' over which the 
Commission has rulemaking authority pursuant to section 504(a)(1)(C) of 
the Gramm-Leach-Bliley Act (15 U.S.C. 6804(a)(1)(C)).
4. In Sec.  313.4, revise paragraphs (c)(3)(i) and (e), to read as 
follows:


Sec.  313.4   Initial privacy notice to consumers required.

* * * * *
    (c) * * *
    (3)(i) Examples of establishing a customer relationship. You 
establish a customer relationship when the consumer:
    (A) Executes the contract to obtain credit from you or purchase 
insurance from you; or
    (B) Executes the lease for personal property with you.
* * * * *
    (e) Exceptions to allow subsequent delivery of notice. (1) You may 
provide the initial notice required by paragraph (a)(1) of this section 
within a reasonable time after you establish a customer relationship 
if:
    (i) Establishing the customer relationship is not at the customer's 
election; or
    (ii) Providing notice not later than when you establish a customer 
relationship would substantially delay the customer's transaction and 
the customer agrees to receive the notice at a later time.
    (2) Examples of exceptions--(i) Substantial delay of customer's 
transaction. Providing notice not later than when you establish a 
customer relationship would substantially delay the customer's 
transaction when you and the individual agree over the telephone to 
enter into a customer relationship involving prompt delivery of the 
financial product or service.
    (ii) No substantial delay of customer's transaction. Providing 
notice not later than when you establish a customer relationship would 
not substantially delay the customer's transaction when the 
relationship is initiated in person at your office or through other 
means by which the customer may view the notice, such as through a 
website.
* * * * *
5. In Sec.  313.5, revise paragraphs (a)(1) and (b)(2) and add 
paragraph (e) to read as follows:


Sec.  313.5   Annual privacy notice to customers required.

    (a)(1) General rule. Except as provided by paragraph (e) of this 
section, you must provide a clear and conspicuous notice to customers 
that accurately reflects your privacy policies and practices not less 
than annually during the continuation of the customer relationship. 
Annually means at least once in any period of 12 consecutive months 
during which that relationship exists. You may define the 12-
consecutive-month period, but you must apply it to the customer on a 
consistent basis.
* * * * *
    (b) * * *
    (2) Examples. Your customer becomes a former customer when:
    (i) In the case of a closed-end loan, the customer pays the loan in 
full, you charge off the loan, or you sell the loan without retaining 
servicing rights;
    (ii) In the case of vehicle loan brokering services, your customer 
has obtained a loan through you (and you no longer provide any 
statements or notices to the customer concerning that relationship), or 
has ceased using your services for such purposes;
    (iii) In cases where there is no definitive time at which the 
customer relationship has terminated, you have not communicated with 
the customer about the relationship for a period of 12 consecutive 
months, other than to provide annual privacy notices or promotional 
material.
* * * * *
    (e) Exception to annual privacy notice requirement. (1) When 
exception available. You are not required to deliver an annual privacy 
notice if you:
    (i) Provide nonpublic personal information to nonaffiliated third 
parties only in accordance with the provisions of Sec.  313.13, Sec.  
313.14, or Sec.  313.15; and
    (ii) Have not changed your policies and practices with regard to 
disclosing nonpublic personal information from the policies and 
practices that were disclosed to the customer under Sec.  313.6(a)(2) 
through (5) and (9) in the most recent privacy notice provided pursuant 
to this part.
    (2) Delivery of annual privacy notice after financial institution 
no longer meets requirements for exception. If you have been excepted 
from delivering an annual privacy notice pursuant to paragraph (e)(1) 
of this section and change your policies or practices in such a way 
that you no longer meet the requirements for that exception, you must 
comply with paragraph (e)(2)(i) or (ii) of this section, as applicable.

[[Page 13158]]

    (i) Changes preceded by a revised privacy notice. If you no longer 
meet the requirements of paragraph (e)(1) of this section because you 
change your policies or practices in such a way that Sec.  313.8 
requires you to provide a revised privacy notice, you must provide an 
annual privacy notice in accordance with the timing requirement in 
paragraph (a) of this section, treating the revised privacy notice as 
an initial privacy notice.
    (ii) Changes not preceded by a revised privacy notice. If you no 
longer meet the requirements of paragraph (e)(1) of this section 
because you change your policies or practices in such a way that Sec.  
313.8 does not require you to provide a revised privacy notice, you 
must provide an annual privacy notice within 100 days of the change in 
your policies or practices that causes you to no longer meet the 
requirement of paragraph (e)(1).
    (iii) Examples. (A) You change your policies and practices in such 
a way that you no longer meet the requirements of paragraph (e)(1) of 
this section effective April 1 of year 1. Assuming you define the 12-
consecutive-month period pursuant to paragraph (a) of this section as a 
calendar year, if you were required to provide a revised privacy notice 
under Sec.  313.8 and you provided that notice on March 1 of year 1, 
you must provide an annual privacy notice by December 31 of year 2. If 
you were not required to provide a revised privacy notice under Sec.  
313.8, you must provide an annual privacy notice by July 9 of year 1.
    (B) You change your policies and practices in such a way that you 
no longer meet the requirements of paragraph (e)(1) of this section, 
and so provide an annual notice to your customers. After providing the 
annual notice to your customers, you once again meet the requirements 
of paragraph (e)(1) of this section for an exception to the annual 
notice requirement. You do not need to provide additional annual notice 
to your customers until such time as you no longer meet the 
requirements of paragraph (e)(1) of this section.
6. In Sec.  313.15, revise paragraph (a)(4) to read as follows:


Sec.  313.15   Other exceptions to notice and opt out requirements.

    (a) * * *
    (4) To the extent specifically permitted or required under other 
provisions of law and in accordance with the Right to Financial Privacy 
Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies 
(including the Consumer Financial Protection Bureau, a federal 
functional regulator, the Secretary of the Treasury, with respect to 31 
U.S.C. chapter 53, subchapter II (Records and Reports on Monetary 
Instruments and Transactions) and 12 U.S.C. chapter 21 (Financial 
Recordkeeping), a State insurance authority, with respect to any person 
domiciled in that insurance authority's State that is engaged in 
providing insurance, and the Federal Trade Commission), self-regulatory 
organizations, or for an investigation on a matter related to public 
safety.
* * * * *

    By direction of the Commission.
April J. Tabor,
Acting Secretary.
[FR Doc. 2019-06039 Filed 4-3-19; 8:45 am]
BILLING CODE 6750-01-P