Privacy of Consumer Financial Information Rule Under the Gramm-Leach-Bliley Act

Final rule.
CFR Part: “16 CFR Part 313”
RIN Number: “RIN 3084-AB42”
Citation: “86 FR 70020”
Page Number: “70020”
“Rules and Regulations”
Agency: “Federal Trade Commission.”
SUMMARY: The Federal Trade Commission is amending its Privacy Rule to revise the rule’s scope, to modify the rule’s definitions of “financial institution” and “Federal functional regulator,” and to update the rule’s annual customer privacy notice requirement. The amendments also remove certain examples in the rule that apply to financial institutions that now fall outside its scope. This action is necessary to conform the rule to the current requirements of the Gramm-Leach-Bliley Act (“GLBA”), as amended by the Dodd-Frank and FAST Acts, and the Commission’s revisions to the Safeguards Rule, which are being announced simultaneously through a separate document published elsewhere in this issue of the Federal Register.
   DATES: The amendments are effective January 10, 2022.
   FOR FURTHER INFORMATION CONTACT: David Lincicum (202-326-2773), Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580.
   SUPPLEMENTARY INFORMATION:
I. Background
A. The Statute and Regulation
The GLBA was enacted in 1999. /1/ The GLBA, among other things, requires that financial institutions provide their customers with initial and annual notices regarding their privacy practices, and allow their customers to opt out of sharing their information with certain nonaffiliated third parties.
   FOOTNOTE 1 Public Law 106-102, 113 Stat. 1338 (1999). END FOOTNOTE
Rulemaking authority to implement the GLBA’s privacy provisions was initially spread among multiple agencies. The Federal Reserve Board (“the Fed”), the Office of Comptroller of the Currency (“OCC”), the Federal Deposit Insurance Corporation (“FDIC”), and the Office of Thrift Supervision (“OTS”) jointly adopted final rules to implement the notice and opt-out requirements of the GLBA in 2000. /2/ The Commission, the National Credit Union Administration (“NCUA”), the Securities and Exchange Commission (“SEC”), and the Commodity Futures Trading Commission (“CFTC”) were part of the same interagency process, but each issued their rules separately. /3/ In 2009, all these agencies jointly adopted a model form financial institutions could use to provide the required initial and annual privacy disclosures. /4/
   FOOTNOTE 2 Joint Final Rule, 65 FR 35162 (June 1, 2000) available at https://www.federalregister.gov/documents/2001/04/27/01-10398/privacy-of-consumer-financial-information. END FOOTNOTE
   FOOTNOTE 3 FTC Final Privacy Rule, 65 FR 33645 (May 24, 2000) available at https://www.federalregister.gov/documents/2000/05/24/00-12755/privacy-of-consumer-financial-information; NCUA Final Privacy Rule, 65 FR 31722 (May 18, 2000) available at https://www.federalregister.gov/documents/2000/05/18/00-12014/privacy-of-consumer-financial-information-requirements-for-insurance; SEC Final Privacy Rule, 65 FR 40333 (June 29, 2000) available at https://www.federalregister.gov/documents/2000/06/29/00-16269/privacy-of-consumer-financial-information-regulation-s-p; CFTC Final Privacy Rule, 66 FR 21235 (Apr. 27, 2001) available at https://www.federalregister.gov/documents/2001/04/27/01-10398/privacy-of-consumer-financial-information. END FOOTNOTE
   FOOTNOTE 4 Joint Model Form, 74 FR 62889 (Dec. 1, 2009) available at https://www.federalregister.gov/documents/2009/12/01/E9-27882/final-model-privacy-form-under-the-gramm-leach-bliley-act; see also 16 CFR 313.2, 16 CFR 313.4 through 313.9. END FOOTNOTE
As originally promulgated, the FTC’s Privacy Rule covered a broad range of non-bank financial institutions such as payday lenders, mortgage brokers, check cashers, debt collectors, real estate appraisers, certain motor vehicle dealers, and remittance transfer providers. In 2010, the Dodd-Frank Act /5/ transferred the majority of GLBA’s privacy rulemaking authority from the Fed, NCUA, OCC, OTS, FDIC, and the Commission (in part) to the Consumer Financial Protection Bureau (“CFPB”). The CFPB then restated the implementing regulations in Regulation P, 12 CFR part 1016, in late 2011 (“Regulation P”). /6/ However, under section 1029 of the Dodd-Frank Act, the Commission retained rulemaking authority for certain motor vehicle dealers. /7/ Thus, in 2012, the Commission announced it was retaining the implementing regulations governing privacy notices for motor vehicle dealers at 16 CFR part 313. /8/
   FOOTNOTE 5 Public Law 111-203, 124 Stat. 1376 (2010). END FOOTNOTE
   FOOTNOTE 6 Interim Final Rule for Regulation P, 76 FR 79025 (Dec. 21, 2011) available at https://www.federalregister.gov/documents/2011/12/21/2011-31729/privacy-of-consumer-financial-information-regulation-p. END FOOTNOTE
   FOOTNOTE 7 12 U.S.C. 5519. The FTC retained rulemaking jurisdiction as to motor vehicle dealers that are predominantly engaged in the sale and servicing or the leasing and servicing of motor vehicles, excluding those dealers that directly extend credit to consumers and do not routinely assign the extensions of credit to an unaffiliated third party. For ease of reference, covered motor vehicle dealers are referenced herein as “motor vehicle dealers.” END FOOTNOTE
   FOOTNOTE 8 Rescission of Rules, 77 FR 22200, 22201 (Apr. 13, 2012) available at https://www.federalregister.gov/documents/2012/04/13/2012-8748/rescission-of-rules (also rescinding those regulations for which rulemaking authority was transferred to the CFPB under the Dodd-Frank Act). END FOOTNOTE
Despite the transfer of general rulemaking authority for the Privacy Rule to the CFPB, the Commission and other agencies retain their existing enforcement authority under the GLBA. /9/ In addition, the SEC and CFTC retain rulemaking authority with respect to securities and futures-related companies, respectively. /10/ Accordingly, as part of this rulemaking process, the Commission has consulted and coordinated, or offered to consult, with those agencies that have rulemaking and/or enforcement authority under the GLBA, including the CFPB, SEC, CFTC, and the National Association of Insurance Commissioners (“NAIC”). /11/
   FOOTNOTE 9 15 U.S.C. 6805(a). END FOOTNOTE
   FOOTNOTE 10 15 U.S.C. 6804, 6809; 12 U.S.C. 1843(k)(4); 12 CFR 1016.1(b). END FOOTNOTE
   FOOTNOTE 11 See 15 U.S.C. 6804(a)(2). END FOOTNOTE
On December 4, 2015, Congress amended the GLBA as part of the FAST Act. This amendment, titled Eliminate Privacy Notice Confusion, /12/ added GLBA subsection 503(f). This subsection provides an exception under which financial institutions that meet certain conditions are not required to provide annual privacy notices to customers.
   FOOTNOTE 12 Section 75001, Public Law 114-94, 129 Stat. 1312, 1787 (2015). END FOOTNOTE
B. The Privacy Notice Requirements
As noted, the current Privacy Rule, as modified after Congress enacted the Dodd-Frank Act, requires that motor vehicle dealers provide consumers with notices describing their privacy policies. Specifically, it requires covered entities to provide an initial notice of those policies, /13/ and then “provide a clear and conspicuous notice to customers that accurately reflects [their] privacy policies and practices not less than annually during the continuation of the customer relationship.” /14/
   FOOTNOTE 13 15 U.S.C. 6803; 16 CFR 313.4. END FOOTNOTE
   FOOTNOTE 14 15 U.S.C. 6803; 16 CFR 313.5(a)(1). END FOOTNOTE
The rule requires that initial and annual notices inform customers of their right to opt out of the sharing of nonpublic personal information with some types of nonaffiliated third parties. /15/ For example, a customer has the right to opt out of allowing a motor vehicle dealer to sell her name and address to a nonaffiliated auto insurance company. /16/ On the other hand, a motor vehicle dealer is not required to allow consumers to opt out of the dealer’s sharing involving third-party service providers, joint marketing arrangements, maintenance and servicing of accounts, securitization, law enforcement and compliance, reporting to consumer reporting agencies, and certain other specified activities. /17/ Accordingly, if a motor vehicle dealer limits its sharing to uses that do not trigger opt-out rights, it may provide an annual privacy notice to its customers that does not include information regarding opt-out rights.
   FOOTNOTE 15 15 U.S.C. 6802; 16 CFR 313.6(a)(6). END FOOTNOTE
   FOOTNOTE 16 16 CFR 313.10(a). END FOOTNOTE
   FOOTNOTE 17 15 U.S.C. 6802(b)(2), 6802(e); 16 CFR 313.13-313.15. END FOOTNOTE
Motor vehicle dealers also may include in the annual privacy notice information about certain consumer opt-out rights related to affiliate sharing under the Fair Credit Reporting Act (“FCRA”). First, section 603(d)(2)(A)(iii) of the FCRA allows the sharing of a consumer’s information among affiliates, but only if the consumer is notified of such sharing and is given an opportunity to opt out. /18/ Section 503(c)(4) of the GLBA and the Privacy Rule generally require motor vehicle dealers to incorporate any notifications and opt-out disclosures provided pursuant to section 603(d)(2)(A)(iii) of the FCRA into their initial and annual privacy notices. /19/
   FOOTNOTE 18 15 U.S.C. 1681a(d)(2)(A)(iii). END FOOTNOTE
   FOOTNOTE 19 15 U.S.C. 6803(c)(4); 16 CFR 313.6(a)(7). END FOOTNOTE
In addition, section 624 of the FCRA and the FTC’s Affiliate Marketing Rule /20/ provide that an affiliate of a motor vehicle dealer that receives certain information about a consumer from the dealer may not use that information for marketing purposes, unless the consumer is provided with an opportunity to opt out of that use. /21/ This requirement governs the use of information by an affiliate, not the sharing of information among affiliates, and thus is distinct from the affiliate sharing opt-out discussed above. The Affiliate Marketing Rule permits (but does not require) motor vehicle dealers to incorporate any opt-out disclosures provided under section 624 of the FCRA and the Affiliate Marketing Rule into the initial and annual privacy notices required by the GLBA. /22/
   FOOTNOTE 20 16 CFR 680.1-680.28. END FOOTNOTE
   FOOTNOTE 21 15 U.S.C. 1681s-3. The FTC’s Affiliate Marketing Rule applies to motor vehicle dealers. See 77 FR 22201. The FTC also enforces the CFPB’s Regulation V’s Affiliate Marketing Rule, 12 CFR part 1022, subpart C, for other entities over which the FTC has enforcement authority under the FCRA. END FOOTNOTE
   FOOTNOTE 22 16 CFR 680.23(b). END FOOTNOTE
Finally, § 313.6(a)(8) of the Privacy Rule requires that the initial and annual notices briefly describe how motor vehicle dealers protect the nonpublic personal information they collect and maintain. /23/
   FOOTNOTE 23 16 CFR 313.6(a)(8). END FOOTNOTE
II. Revision of the Privacy Rule
On April 4, 2019, the Commission issued a notice of proposed rulemaking /24/ setting forth amendments to the Privacy Rule (the “Proposed Amendments”) proposing three types of changes to the Privacy Rule: (1) Technical changes to the rule to correspond to the reduced scope of the rule as a result of Dodd-Frank Act changes, which primarily consist of removing references that do not apply to motor vehicle dealers; (2) modifications to the annual privacy notice requirements to reflect the changes made to the GLBA by the FAST Act; and (3) a modification to the scope and definition of “financial institution” to include entities engaged in activities incidental to financial activities, which would bring the rule into accord with the CFPB’s Regulation P. The Commission received four comments related to the proposed amendments, to which it responds below. /25/
   FOOTNOTE 24 On June 24, 2015, the Commission published a notice of proposed rulemaking (“2015 NPRM”) proposing revisions to the Privacy Rule. NPRM, 80 FR 36267 (June 24, 2015) available at https://www.federalregister.gov/documents/2015/06/24/2015-14328/amendment-to-the-privacy-of-consumer-financial-information-rule-under-the-gramm-leach-bliley-act. First, the Commission proposed a number of changes to comport with the Dodd-Frank Act revision of GLBA, which transferred rulemaking authority for most financial institutions to the CFPB. The Commission also proposed amending the rule to allow motor vehicle dealers to notify their customers that a privacy notice is available online, under circumstances identical to those that had been adopted by the CFPB. Final Rule, 79 FR 64057 (Oct. 28, 2014) available at https://www.federalregister.gov/documents/2014/10/28/2014-25299/amendment-to-the-annual-privacy-notice-requirement-under-the-gramm-leach-bliley-act-regulation-p. The passage of the FAST Act rendered the Commission’s proposed changes to the Privacy Rule moot because those changes, if adopted, would have been in conflict with the revised statute. END FOOTNOTE
   FOOTNOTE 25 The Commission also received three comments that related to the Safeguards Rule (16 CFR part 314). Those comments are addressed in the final Safeguards Rule published elsewhere in this issue of the Federal Register. END FOOTNOTE
A. Technical Changes To Correspond to Statutory Changes Resulting From the Dodd-Frank Act
(1) Section 313.1(b)
The proposed amendment to § 313.1(b) narrowed the description of the scope of the Privacy Rule to those entities set forth in the Dodd-Frank Act: /26/ Those predominantly engaged in the sale and servicing of motor vehicles or the leasing and servicing of motor vehicles, excluding those dealers that directly extend credit to consumers and do not routinely assign the extensions of credit to an unaffiliated third party. It also removed the reference in the rule’s scope to “other persons,” because the Commission no longer has rulemaking authority for the Privacy Rule over “other persons.” Finally, the Proposed Amendments eliminated from § 313.1(b) the note indicating (1) the Privacy Rule does not modify, limit, or supersede the standards under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and (2) if a financial institution that is an institution of higher education is in compliance with the Federal Educational Rights and Privacy Act (“FERPA”) and its implementing regulations, such institution shall be deemed in compliance with the Privacy Rule.
   FOOTNOTE 26 12 U.S.C. 5519. END FOOTNOTE
The Commission received two comments on these proposed changes. One commenter asked why the rule would not cover dealers that directly extend credit to consumers. /27/ In response, the Commission notes the Dodd-Frank Act excludes those dealers from the Commission’s rulemaking authority under the GLBA. The Commission continues to have enforcement authority over those dealers under Regulation P.
   FOOTNOTE 27 Yuxiang Hao (comment 4). END FOOTNOTE
Another commenter, the National Association of Automobile Dealers (“NADA”), supported eliminating the references to HIPAA and FERPA, agreeing that these provisions would not apply to automobile dealers. /28/ Given that it received no other substantive comments, the Commission adopts the changes as proposed.
   FOOTNOTE 28 National Automobile Dealers Association (comment 9), at 3-4. END FOOTNOTE
(2) Section 313.3
To help companies understand whether and how the rule applies to them, the current rule includes examples of financial institutions in § 313.3(k)(2), examples of consumers in § 313.3(e)(2), examples of what would constitute establishing a customer relationship in § 313.3(i)(2)(i), and examples of what is not a customer relationship in § 313.2(i)(2)(ii). The Proposed Amendments to § 313.3 removed examples not likely to apply in the context of motor vehicle dealers.
NADA was the only commenter who opined on this issue. It agreed the examples proposed for removal do not apply to motor vehicle dealers and supported their deletion. Accordingly, the final rule deletes these examples as proposed.
NADA advocated for removal or modification of additional terms or examples that it asserted would not apply in the motor vehicle context. The Commission declines to make the changes suggested by NADA, for the reasons described below.
a. Loans
NADA argued the examples in the final rule should not include the word “loans” because motor vehicle dealers “do not generally issue ‘loans,’” but instead provide financing assistance or enter into retail installment sale contracts or leases. NADA suggested the term “loan” be replaced with “financing,” or “finance or lease contract.” /29/ The Commission declines to modify existing examples in this manner. It believes the Privacy Rule should be substantively identical to Regulation P so financial institutions within the Commission’s enforcement authority are subject to the same requirements, regardless of whether they are subject to Regulation P or the Privacy Rule. Although the Commission acknowledges some examples it has retained may not apply well to the motor vehicle context, /30/ changing the language of an example, as opposed to entirely removing it, could be read as a change to the substance of the rule. Accordingly, the Commission declines to change an existing term in the final rule. /31/
   FOOTNOTE 29 NADA (comment 9), at 4. END FOOTNOTE
   FOOTNOTE 30 The Commission notes that while the term “loan” may not be applicable to all motor vehicle dealers’ transactions with their customers, most extensions of credit or the arranging of credit will play the same role as loans for purposes of this amendment, and dealers may generally apply these examples accordingly. END FOOTNOTE
   FOOTNOTE 31 The Proposed Amendments did modify existing examples in two instances. In §§ 313.3(i)(2)(i)(A) and 313.5(b)(2)(ii), references to mortgage loans were removed. Although the Commission continues to believe that mortgage loans are unlikely to be involved in the motor vehicle dealer context, as discussed above, the Commission acknowledges that there is value in maintaining consistency with Regulation P, and that particular examples provided may not be applicable to every type of financial institution’s activities. Accordingly, the final rule retains the references to mortgage loans in these provisions. END FOOTNOTE
b. Examples of Continuing Relationships
NADA suggested removing the term “investment accounts” from the example of a continuing relationship in § 313.3(i)(2)(i)(A), as such accounts are not offered by motor vehicle dealers. As discussed above, however, the Commission declines to modify existing examples and does not adopt this change in the final rule. NADA also took issue with § 313.3(i)(2)(i)(D), which states a consumer has a continuing relationship with a financial institution when the consumer enters into an “agreement or understanding” with the financial institution in which the financial institution undertakes “to arrange credit to purchase a vehicle for the consumer.” NADA noted when motor vehicle dealers arrange credit for a consumer, they then assign that agreement to a third party and do not continue the relationship with the consumer.
Although motor vehicle dealers may transfer the credit agreement to another financial institution, a continuing relationship is formed by the agreement and persists for as long as the motor vehicle dealer retains the agreement. The continuing relationship between the motor vehicle dealer and the consumer will end upon the transfer of the agreement, but until that transfer occurs, the consumer is the motor vehicle dealer’s customer for purposes of the Privacy Rule. Accordingly, the Commission declines to remove this example from the final rule.
NADA also argued the term “understanding” in paragraph (i)(2)(i)(D) is confusing because it is not clear what an “understanding” would mean in this context, and motor vehicle dealers do not enter into informal relationships to arrange credit for consumers. The Commission believes, however, while informal understandings may be rare for motor vehicle dealers, it is possible some dealers may engage in such practices and the example should continue to make clear that such arrangements create continuing relationships. In addition, as discussed above, the Commission declines to change the language of examples retained in the final rule.
c. Examples of No Continuing Relationships
NADA argued the example in § 313.3(i)(2)(ii)(A) does not apply to motor vehicle dealers. This example states no continuing relationship is created when a “consumer obtains a financial product or service from [the financial institution] only in isolated transactions, such as cashing a check with [the financial institution] or making a wire transfer through” the financial institution. NADA argued motor vehicle dealers generally do not engage in these activities, and while “it is theoretically possible that a dealer somewhere may offer, under unique circumstances, to cash a check for a customer, [NADA] is not aware of that service being offered by dealers and the possibility is attenuated at best.” /32/ The Commission does not agree that this example should be removed. Although check cashing and wire transfer transactions may be unlikely at motor vehicle dealerships, these are helpful examples of the types of isolated transactions that do not create an ongoing relationship and, even for motor vehicle dealers that do not engage in these particular activities, they illustrate the principle well. The final rule retains this example.
   FOOTNOTE 32 NADA (comment 9), at 5. END FOOTNOTE
NADA also questioned the inclusion of § 313.3(i)(2)(ii)(C), which states a continuing relationship is not created when a “consumer obtains one-time personal appraisal services from” the financial institution. NADA asked whether this would apply when a motor vehicle dealer appraises a consumer’s used vehicle for trade-in value. The Commission believes that is precisely the type of appraisal suggested by the example. NADA also questioned how “such appraisal activity by a dealer could, as an initial matter be deemed to create a Customer relationship.” /33/ The Commission believes, however, negative examples are useful to clarify the definition and, therefore, the final rule retains this example.
   FOOTNOTE 33 NADA (comment 9), at 5. END FOOTNOTE
B. Modifications to the Annual Privacy Notice To Reflect Statutory Changes Resulting From the FAST Act
The Commission also proposed changing the Privacy Rule provisions governing how motor vehicle dealers should deliver annual privacy notices.
Section 313.5(e)
The proposed change to § 313.5(a)(1) added a statement that § 313.5(e) provides an exception to the general rule requiring the delivery of annual notices. Section 313.5(e) in turn sets forth the exception, which was taken from the FAST Act, and adopted by the CFPB in its amendments to Regulation P. /34/ It stated the annual notice need not be provided if (1) the financial institution has shared nonpublic personal information only in accordance with the provisions of §§ 313.13, 313.14, and 313.15, none of which require an opt-out opportunity be provided to customers; and (2) the financial institution’s disclosure policies and practices remain unchanged from the most recent privacy notice.
   FOOTNOTE 34 See Final Rule, 83 FR 40945 (August 17, 2018) available at https://www.federalregister.gov/documents/2018/08/17/2018-17572/amendment-to-the-annual-privacy-notice-requirement-under-the-gramm-leach-bliley-act-regulation-p. END FOOTNOTE
Proposed § 313.5(e)(2) set forth the timing for resuming delivery of the annual notice if a financial institution no longer met requirements for the exception.
The Commission received no comments on the substance of this paragraph and adopts it without modification. /35/
   FOOTNOTE 35 As discussed above, NADA argued that the word “loan” should be replaced with “retail installment sale contract.” As discussed above, the Commission wants the remaining examples in the final rule to be identical to those found in Regulation P and declines to make these changes. In addition, the National Independent Automobile Dealers Association noted that most dealers will not be required to provide annual notices because of their lack of ongoing relationships with their consumers, but supported the amendments generally. END FOOTNOTE
C. Modifications to Scope and Definitions To Bring the Rule Into Accord With Regulation P
The Proposed Amendments modified the scope of the Privacy Rule and its definition of a “financial institution” in order to bring the Commission’s rule into accord with Regulation P. As explained in the NPRM, when first promulgating the Privacy Rule, the Commission determined companies engaged in activities “incidental to financial activities” would not be considered “financial institutions.” /36/ The Commission was the only agency to adopt this restrictive definition in its Privacy Rule, while the other agencies included incidental activities. In addition, the Commission decided activities determined to be financial in nature after the enactment of the GLBA would not be automatically included in its Privacy Rule; rather, the Commission would have to take additional action to include them. /37/ The effect of these two decisions was to limit the activities covered by the Commission’s rules to those set out in 12 CFR 225.28 as it existed in 1999, and to exclude any activities later determined by the Fed to be financial activities or incidental to those activities. /38/
   FOOTNOTE 36 See 16 CFR 313.3(k); see also 65 FR 33654. END FOOTNOTE
   FOOTNOTE 37 65 FR 33654 n.23. END FOOTNOTE
   FOOTNOTE 38 Id. END FOOTNOTE
The Commission proposed modifying the definition of “financial institution” to harmonize the Privacy Rule with other agencies’ rules. The Commission proposed to amend § 313.1(b) to include companies that engage in activities financial in nature or incidental to such financial activities in the scope of the rule. Likewise, it proposed amending the definition of “financial institution” in § 313.3(k), to include any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities. The effect of this proposed modification would be to cause “finders” to be included in this definition, thereby bringing the Privacy Rule into harmony with the scope of entities covered by other agencies under Regulation P.
The Commission received only two comments that addressed this proposed change in the Privacy Rule. /39/ NADA asked whether the proposed rule would apply to finders acting for a motor vehicle dealer. /40/ As discussed above, the Commission’s Privacy Rule applies only to motor vehicle dealers and so would apply only to finders that are also motor vehicle dealers. If a finder is not itself a motor vehicle dealer then the rule does not apply, even if the finder is acting to connect motor vehicle dealers with potential customers. Given that this scenario is unlikely, modifying the definition of “financial institution” for purposes of the Privacy Rule has little practical effect. Nevertheless, the Commission is modifying the definition for purposes of consistency with Regulation P and the Safeguards Rule.
   FOOTNOTE 39 Several other entities commented on the expansion of the definition of a “financial institution” in the Safeguards Rule. These comments are addressed in the discussion of the final Safeguards Rule, published elsewhere in this issue of the Federal Register. END FOOTNOTE
   FOOTNOTE 40 NADA (remark 9), at 7-8. END FOOTNOTE
An individual consumer asked how often an entity must engage in an incidental activity to be considered a financial institution. /41/ As with other financial activities under the current rule, an entity is a financial institution only if it is “significantly engaged” in the incidental activities.
   FOOTNOTE 41 Qiyi Hu (comment 5). END FOOTNOTE
The Commission adopts the proposed amendment without change.
Section 313.15(a)(4)
Finally, the Commission proposed to amend § 313.15(a)(4) to add the CFPB to the list of law enforcement agencies to which financial institutions are permitted to share information to the extent permitted by law. The Commission received no comments on this change and adopts it as proposed.
Section 313.18
Section 313.18 set forth the effective date for the rule and prescribed requirements for institutions’ compliance with the rule as to customers who were already customers at the time the rule was first promulgated. The relevant dates have long since passed. Section 313.18(a)(2) also provided an exception, stating this “part is not effective as to any institution that is significantly engaged in activities that the Federal Reserve Board determines, after November 12, 1999 . . . are activities that a financial holding company may engage in, until the Commission so determines.” As discussed above, the Commission has determined herein that this rule applies to financial institutions that engage in activities financial in nature or incidental to such financial activities, including entities significantly engaged in activities the Federal Reserve Board has determined, after November 12, 1999, are activities a financial holding company may engage in. Accordingly, the final rule removes § 313.18 in its entirety.
III. Paperwork Reduction Act
Under the Paperwork Reduction Act of 1995 (“PRA”), /42/ Federal agencies are generally required to seek Office of Management and Budget (“OMB”) approval for information collection requirements prior to implementation. Under the PRA, the Commission may not conduct or sponsor, and, notwithstanding any other provision of law, a person is not required to respond to an information collection, unless the information collection displays a valid control number assigned by OMB.
   FOOTNOTE 42 44 U.S.C. 3501 et seq. END FOOTNOTE
This amendment modifies 16 CFR part 313. The collections of information related to the Privacy Rule and the FAST Act statutory exceptions to the rule’s annual notice requirement have been previously reviewed and approved by OMB in accordance with the PRA. /43/
   FOOTNOTE 43 The OMB Control Number is 3084-0121. END FOOTNOTE
Under the existing clearance, the FTC has attributed to itself the estimated burden regarding all motor vehicle dealers and shares equally the remaining estimated PRA burden with the CFPB for other types of financial institutions for which both agencies have enforcement authority regarding the GLBA Privacy Rule. /44/
   FOOTNOTE 44 PRA Notice, 82 FR 48081 (Oct. 16, 2017) available at https://www.federalregister.gov/documents/2017/10/16/2017-22334/agency-information-collection-activities-submission-for-omb-review-comment-request. END FOOTNOTE
The amendments do not modify or add to information collection requirements previously approved by OMB. First, the Commission anticipates the expansion of the definition of “financial institution” to include entities engaged in activities incidental to financial activities will have little to no effect. It is not clear any finders that are also motor vehicle dealers are not already covered by the rule through their activities as motor vehicle dealers.
Second, the removal of certain examples provided in the rule that are not applicable to motor vehicle dealers will have no impact on existing information collection requirements.
Therefore, the Commission does not believe the amendments substantially or materially modify any “collections of information” as defined by the PRA.
The Commission sought comment on whether there are any finders in existence that would be covered by the proposed rule and are not covered by the current rule. The Commission received no comments that suggested such entities exist.
IV. Regulatory Flexibility Act
The Regulatory Flexibility Act (“RFA”), as amended by the Small Business Regulatory Enforcement Fairness Act of 1996, requires an agency to either provide an Initial Regulatory Flexibility Analysis (“IRFA”) with a proposed rule, or certify that the proposed rule will not have a significant impact on a substantial number of small entities. /45/ The Commission does not believe this amendment to the Privacy Rule has the threshold impact on small entities. First, most of the changes effectuate statutory changes from the Dodd-Frank Act and the FAST Act. Second, the Commission does not expect the amendment to impose costs on small motor vehicle dealers because the amendments are primarily for clarification purposes and should not result in any increased burden on any motor vehicle dealer. Thus, a small entity that complies with current law need not take any different or additional action under the final rule.
   FOOTNOTE 45 5 U.S.C. 603-605. END FOOTNOTE
Accordingly, the Commission believes the rule will not have a significant economic impact on small entities. The final rule would add requirements only to motor vehicle dealers that function as finders and do not already engage in other financial activities that would cause them to be financial institutions under the rule. The Commission has not identified any such entities. Therefore, the Commission certifies the rule will not have a significant economic impact on a substantial number of small businesses.
In this document, the Commission adopts the amendments proposed in its NPRM with only minimal modifications. In its Initial Regulatory Flexibility Analysis (“IRFA”), the Commission determined the proposed rule would not have a significant impact on small entities because there were no small businesses that were being subjected to new burdens as a result of the amendments. Although the Commission certifies under the RFA that the rule will not have a significant impact on a substantial number of small entities, and hereby provides notice of that certification to the Small Business Administration, the Commission nonetheless has determined publishing a final regulatory flexibility analysis (“FRFA”) is appropriate to ensure the impact of the rule is fully addressed. Therefore, the Commission has prepared the following analysis:
1. Need for and Objectives of the Final Rule
To address the Dodd-Frank Act and FAST Act changes, the amendments change the Privacy Rule’s scope and definition of “financial institution”; change the annual notice requirement; and remove certain examples provided in the rule that are not applicable to motor vehicle dealers. With this action, the Commission makes the current, narrow scope of the rule clearer. Additionally, the modification of the definition of “financial institution” to cover motor vehicle dealers engaged in “activities incidental to financial activities” harmonizes the Privacy Rule with other agencies’ rules.
2. Significant Issues Raised in Public Comments in Response to the IRFA
The Commission did not receive any comments that addressed the burden on small entities. In addition, the Commission did not receive any comments filed by the Chief Counsel for Advocacy of the Small Business Administration (“SBA”).
3. Estimate of Number of Small Entities To Which the Final Rule Will Apply
The Commission anticipates many covered motor vehicle dealers may qualify as small businesses according to the applicable SBA size standards. /46/ As explained in the IRFA, however, determining a precise estimate of the number of small entities–including newly covered entities under the modified definition of financial institution–is not readily feasible. No commenters addressed this issue. Nonetheless, as discussed above, these amendments will not add any additional burdens on any covered small businesses.
   FOOTNOTE 46 Table of Small Bus. Size Standards Matched to North American Indus. Classification System Codes, 13 CFR 121.201 (available at: https://www.sba.gov/document/support--table-size-standards), updated Aug. 19, 2019. For example, used car dealers are classified as NAICS 441120 and new car dealers as NAICS 441110. Under these standards, the SBA would classify as small businesses independent used car dealers having annual receipts of less than $27 million and new car dealers having fewer than 200 employees each. END FOOTNOTE
4. Projected Reporting, Recordkeeping, and Other Compliance Requirements
The amendments do not impose any new or substantively revised “collections of information,” as defined by the PRA.
5. Description of Steps Taken To Minimize Significant Economic Impact, if Any, on Small Entities, Including Alternatives
The Commission did not propose any specific small entity exemption or other significant alternatives because the amendment is not expected to increase reporting requirements and will not impose any new requirements or compliance costs. The Commission anticipates the amendments will reduce the burden for many covered entities associated with the Privacy Rule annual notice. The amendments retain the flexibility already present in the existing rule, which allows notices to be provided in a variety of ways, including electronically in some circumstances. As to the core requirements of the rule, they come from GLBA itself, as amended by the Dodd-Frank and the FAST Act. The statute prescribes the definition of financial institutions to be covered by the rule and sets forth the specific requirements, which the Commission cannot modify to ease burdens on small entities. Therefore, the Commission does not believe any alternatives for small entities are required or appropriate.
V. Other Matters
Pursuant to the Congressional Review Act (5 U.S.C. 801 et seq.), the Office of Information and Regulatory Affairs designated this rule as not a “major rule,” as defined by 5 U.S.C. 804(2).
   List of Subjects in 16 CFR Part 313 Consumer protection, Credit, Data protection, Privacy, Trade practices.
For the reasons stated above, the Federal Trade Commission amends 16 CFR part 313 as follows:
   PART 313–PRIVACY OF CONSUMER FINANCIAL INFORMATION
   1. The authority citation for part 313 is revised to read as follows:
Authority: 15 U.S.C. 6801 et seq., 12 U.S.C. 5519.
   2. Amend § 313.1 by revising paragraph (b) to read as follows:
§ 313.1 Purpose and scope.
*****
(b) Scope. This part applies only to nonpublic personal information about individuals who obtain financial products or services primarily for personal, family or household purposes from the institutions listed below. This part does not apply to information about companies or about individuals who obtain financial products or services for business, commercial, or agricultural purposes. This part applies to those “financial institutions” over which the Federal Trade Commission (“Commission”) has rulemaking authority pursuant to section 504(a)(1)(C) of the Gramm-Leach-Bliley Act. An entity is a “financial institution” if its business is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k), which includes activities enumerated by the Federal Reserve Board in 12 CFR 225.28 and 225.86. The “financial institutions” subject to the Commission’s rulemaking authority are any persons described in 12 U.S.C. 5519 that are predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both. They are referred to in this part as “You.” Excluded from the coverage of this part are motor vehicle dealers described in 12 U.S.C. 5519(b) that directly extend to consumers retail credit or retail leases involving motor vehicles in which the contract governing such extension of retail credit or retail leases is not routinely assigned to an unaffiliated third party finance or leasing source.
   3. Amend § 313.3 by revising paragraphs (e), (i), (j), (k), and (q) to read as follows:
§ 313.3 Definitions.
*****
(e)(1) Consumer means an individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative.
(2) For example:
(i) An individual who applies to you for credit for personal, family, or household purposes is a consumer of a financial service, regardless of whether the credit is extended.
(ii) An individual who provides nonpublic personal information to you in order to obtain a determination about whether he or she may qualify for a loan to be used primarily for personal, family, or household purposes is a consumer of a financial service, regardless of whether the loan is extended.
(iii) If you hold ownership or servicing rights to an individual’s loan that is used primarily for personal, family, or household purposes, the individual is your consumer, even if you hold those rights in conjunction with one or more other institutions. (The individual is also a consumer with respect to the other financial institutions involved.) An individual who has a loan in which you have ownership or servicing rights is your consumer, even if you, or another institution with those rights, hire an agent to collect on the loan.
(iv) An individual who is a consumer of another financial institution is not your consumer solely because you act as agent for, or provide processing or other services to, that financial institution.
(v) An individual is not your consumer solely because he or she is a participant or a beneficiary of an employee benefit plan that you sponsor or for which you act as a trustee or fiduciary.
*****
(i)(1) Customer relationship means a continuing relationship between a consumer and you under which you provide one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.
(2) For example:
(i) Continuing relationship. A consumer has a continuing relationship with you if the consumer:
(A) Has a credit or investment account with you;
(B) Obtains a loan from you;
(C) Purchases an insurance product from you;
(D) Enters into an agreement or understanding with you whereby you undertake to arrange or broker a home mortgage loan, or credit to purchase a vehicle, for the consumer;
(E) Enters into a lease of personal property on a non-operating basis with you; or
(F) Has a loan for which you own the servicing rights.
(ii) No continuing relationship. A consumer does not, however, have a continuing relationship with you if:
(A) The consumer obtains a financial product or service from you only in isolated transactions, such as cashing a check with you or making a wire transfer through you;
(B) You sell the consumer’s loan and do not retain the rights to service that loan; or
(C) The consumer obtains one-time personal appraisal services from you.
(j) Federal functional regulator means:
(1) The Board of Governors of the Federal Reserve System;
(2) The Office of the Comptroller of the Currency;
(3) The Board of Directors of the Federal Deposit Insurance Corporation;
(4) The National Credit Union Administration Board; and
(5) The Securities and Exchange Commission.
(k)(1) Financial institution means any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k). An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution.
(2) An example of a financial institution is an automobile dealership that, as a usual part of its business, leases automobiles on a nonoperating basis for longer than 90 days is a financial institution with respect to its leasing business because leasing personal property on a nonoperating basis where the initial term of the lease is at least 90 days is a financial activity listed in 12 CFR 225.28(b)(3) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act.
(3) Financial institution does not include entities that engage in financial activities but that are not significantly engaged in those financial activities.
(4) An example of entities that are not significantly engaged in financial activities is a motor vehicle dealer is not a financial institution merely because it accepts payment in the form of cash, checks, or credit cards that it did not issue.
*****
(q) You includes each “financial institution” over which the Commission has rulemaking authority pursuant to section 504(a)(1)(C) of the Gramm-Leach-Bliley Act (15 U.S.C. 6804(a)(1)(C)).
   4. Amend § 313.4 by adding a heading for paragraph (c)(3) and revising paragraphs (c)(3)(i) and (e) to read as follows:
§ 313.4 Initial privacy notice to consumers required.
*****
(c) * * *
(3) Examples–(i) Examples of establishing a customer relationship. You establish a customer relationship when the consumer:
(A) Executes the contract to obtain credit from you or purchase insurance from you; or
(B) Executes the lease for personal property with you.
*****
(e) Exceptions to allow subsequent delivery of notice–(1) General. You may provide the initial notice required by paragraph (a)(1) of this section within a reasonable time after you establish a customer relationship if:
(i) Establishing the customer relationship is not at the customer’s election; or
(ii) Providing notice not later than when you establish a customer relationship would substantially delay the customer’s transaction and the customer agrees to receive the notice at a later time.
(2) Examples of exceptions–(i) Substantial delay of customer’s transaction. Providing notice not later than when you establish a customer relationship would substantially delay the customer’s transaction when you and the individual agree over the telephone to enter into a customer relationship involving prompt delivery of the financial product or service.
(ii) No substantial delay of customer’s transaction. Providing notice not later than when you establish a customer relationship would not substantially delay the customer’s transaction when the relationship is initiated in person at your office or through other means by which the customer may view the notice, such as through a website.
*****
   5. Amend § 313.5 by adding a heading for paragraph (a), revising paragraphs (a)(1) and (b)(2), and adding paragraph (e) to read as follows:
§ 313.5 Annual privacy notice to customers required.
(a) In general–(1) General rule. Except as provided by paragraph (e) of this section, you must provide a clear and conspicuous notice to customers that accurately reflects your privacy policies and practices not less than annually during the continuation of the customer relationship. Annually means at least once in any period of 12 consecutive months during which that relationship exists. You may define the 12-consecutive-month period, but you must apply it to the customer on a consistent basis.
*****
(b) * * *
(2) Examples. Your customer becomes a former customer when:
(i) In the case of a closed-end loan, the customer pays the loan in full, you charge off the loan, or you sell the loan without retaining servicing rights.
(ii) In the case of mortgage or vehicle loan brokering services, your customer has obtained a loan through you (and you no longer provide any statements or notices to the customer concerning that relationship), or has ceased using your services for such purposes.
(iii) In cases where there is no definitive time at which the customer relationship has terminated, you have not communicated with the customer about the relationship for a period of 12 consecutive months, other than to provide annual privacy notices or promotional material.
*****
(e) Exception to annual privacy notice requirement–(1) When exception available. You are not required to deliver an annual privacy notice if you:
(i) Provide nonpublic personal information to nonaffiliated third parties only in accordance with the provisions of § 313.13, § 313.14, or § 313.15; and
(ii) Have not changed your policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under § 313.6(a)(2) through (5) and (9) in the most recent privacy notice provided pursuant to this part.
(2) Delivery of annual privacy notice after financial institution no longer meets requirements for exception. If you have been excepted from delivering an annual privacy notice pursuant to paragraph (e)(1) of this section and change your policies or practices in such a way that you no longer meet the requirements for that exception, you must comply with paragraph (e)(2)(i) or (ii) of this section, as applicable.
(i) Changes preceded by a revised privacy notice. If you no longer meet the requirements of paragraph (e)(1) of this section because you change your policies or practices in such a way that § 313.8 requires you to provide a revised privacy notice, you must provide an annual privacy notice in accordance with the timing requirement in paragraph (a) of this section, treating the revised privacy notice as an initial privacy notice.
(ii) Changes not preceded by a revised privacy notice. If you no longer meet the requirements of paragraph (e)(1) of this section because you change your policies or practices in such a way that § 313.8 does not require you to provide a revised privacy notice, you must provide an annual privacy notice within 100 days of the change in your policies or practices that causes you to no longer meet the requirement of paragraph (e)(1).
(iii) Examples. (A) You change your policies and practices in such a way that you no longer meet the requirements of paragraph (e)(1) of this section effective April 1 of year 1. Assuming you define the 12-consecutive-month period pursuant to paragraph (a) of this section as a calendar year, if you were required to provide a revised privacy notice under § 313.8 and you provided that notice on March 1 of year 1, you must provide an annual privacy notice by December 31 of year 2. If you were not required to provide a revised privacy notice under § 313.8, you must provide an annual privacy notice by July 9 of year 1.
(B) You change your policies and practices in such a way that you no longer meet the requirements of paragraph (e)(1) of this section, and so provide an annual notice to your customers. After providing the annual notice to your customers, you once again meet the requirements of paragraph (e)(1) of this section for an exception to the annual notice requirement. You do not need to provide additional annual notice to your customers until such time as you no longer meet the requirements of paragraph (e)(1) of this section.
   6. Amend § 313.15 by revising paragraph (a)(4) to read as follows:
§ 313.15 Other exceptions to notice and opt out requirements.
(a) * * *
(4) To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies (including the Consumer Financial Protection Bureau, a federal functional regulator, the Secretary of the Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping), a State insurance authority, with respect to any person domiciled in that insurance authority’s State that is engaged in providing insurance, and the Federal Trade Commission), self-regulatory organizations, or for an investigation on a matter related to public safety;
*****
§ 313.18 [Removed]
   7. Remove § 313.18.
By direction of the Commission.
April J. Tabor,
Acting Secretary.
[FR Doc. 2021-25735 Filed 12-8-21; 8:45 am]
BILLING CODE 6750-01-P
