Disposal of Consumer Report Information and Records; Confirmation of Rule
16 CFR Part 682
SUMMARY:
The Federal Trade Commission has completed its regulatory review of its rule regarding Disposal of Consumer Report Information and Records as part of the Commission’s systematic review of all current Commission rules and guides, and has determined to retain the Rule in its current form.
CITATION:
16 CFR Part 682
DATE: November 15, 2017
FEDERAL TRADE COMMISSION
16 CFR Part 314
[RIN 3084–AB41]
Disposal of Consumer Report Information and Records
AGENCY: Federal Trade Commission.
ACTION: Confirmation of rule.
DATES: This action is effective on November 15, 2017.
ADDRESSES: Relevant portions of the proceeding, including this document, are available at www.ftc.gov.
FOR FURTHER INFORMATION CONTACT:
Tiffany George, (202) 326–3040, Attorney, Division of Privacy and Identity Protection, Federal Trade Commission, Washington, DC 20580.
SUPPLEMENTARY INFORMATION:
I. Introduction
In September 2016, the Federal Trade Commission (‘‘FTC’’ or ‘‘Commission’’) requested comments on its rule regarding Disposal of Consumer Report Information and Records (‘‘Disposal Rule’’ or ‘‘Rule’’), as part of its comprehensive regulatory review program. Specifically, the Commission sought comments on the Rule’s costs and benefits, and on whether it should modify the Rule to account for changes in technology or information destruction standards.
After considering the comments, the Commission has determined to retain the Rule without amendment. Most of the commenters who addressed the issue supported the Rule’s current provisions. A few commenters recommended expanding the Rule’s provisions. Because the Commission has not seen any evidence of problematic acts or practices that any proposed modification would address, it has determined not to amend the Rule at this time.
This document provides background, analyzes the comments, and further explains the Commission’s decision.
II. Background
The Fair and Accurate Credit Transactions Act (‘‘FACTA’’ or ‘‘Act’’) was enacted in 2003. In part, the Act amended the Fair Credit Reporting Act (‘‘FCRA’’) by requiring that any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose, properly dispose of any such information or compilation. The Act also required the Commission and other federal agencies to promulgate rules regarding the proper disposal of consumer report information and records.
Pursuant to the Act’s directive, the Commission promulgated the Disposal Rule in 2004, which became effective on June 1, 2005.1 The Disposal Rule requires that persons over which the FTC has jurisdiction who maintain or otherwise possess consumer information for a business purpose properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. The Rule defines ‘‘consumer information’’ as ‘‘any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report. Consumer information also means a compilation of such records. Consumer information does not include information that does not identify individuals, such as aggregate information or blind data.’’ 2
The Rule includes several examples of what the Commission believes constitute reasonable measures to protect consumer information in connection with its disposal, including policies and procedures that require (1) the burning, pulverizing, or shredding of papers or (2) the destruction or erasure of electronic media containing consumer information so that the information cannot practicably be read or reconstructed. These examples are intended to provide covered entities with guidance on how to comply with the Rule, but are not intended to be safe harbors or exclusive methods for compliance. In promulgating the Rule, the FTC noted that there are few foolproof methods of record destruction and that entities covered by the Rule must consider their own unique circumstances when determining how to best comply with the Rule.
In September 2016, the Commission published a Notice seeking comment on the Rule as part of the Commission’s ongoing comprehensive regulatory review program.3 The Notice sought comment on the Rule’s overall costs, benefits, necessity, and regulatory and economic impact. The Notice also asked for comment on whether the Commission should modify the Rule in light of changes in technology and industry standards and practices.
III. Regulatory Review Comments and Analysis The Commission received 11 comments in response to the Notice during the comment period.4 Comments were filed by individuals, trade associations, and research organizations. The Commission received comments from such diverse organizations as the National Automobile Dealers Association (‘‘NADA’’), Data & Marketing Association (‘‘DMA’’), National Association for Information Destruction (‘‘NAID’’), Consumer Data Industry Association (‘‘CDIA’’), Electronic Transactions Association (‘‘ETA’’), and Electronic Privacy Information Center (‘‘EPIC’’).
All of the commenters addressing the issue supported the Rule overall. Indeed, none of the commenters advocated repealing the Rule or narrowing its scope. For example, NADA stated that ‘‘the Disposal Rule is well-established and working effectively and we do not believe it needs to be changed or amended in any significant way.’’ 5 In addition, ETA noted that ‘‘the Disposal Rule as currently written effectively promotes consumer information security.’’ 6
Commenters differed on whether the Commission should expand the Rule’s scope. Two organizations supported expanding the Rule. For example, NAID recommended that the Commission ‘‘add provisions and clarity to provide direction (and enforcement) related to . . . emerging issues’’ caused by advances in technology, such as the applicability of the Rule to third-party hardware providers (e.g., digital copier manufacturers who might retain a copy of consumer information) or cloud providers that may maintain consumer information. NAID also recommended expanding the definition of consumer information ‘‘as broadly as possible’’ because most covered entities already have considerably broad policies in place.7 EPIC supported expanding the definition of consumer information ‘‘to include information that is linked or linkable to an individual’’ because it ‘‘represents a more flexible, technology neutral approach that is consistent with the reality of modern business practices.’’ 8
Most trade associations argued against expansion of the Rule, asserting that laws and guidance currently in place sufficiently protect consumers. For instance, CDIA stated ‘‘[t]here is no net benefit in requiring consumer reporting agencies to incur the additional costs and burdens of applying the Disposal Rule to aggregate information, blind data, or otherwise de-identified data when such a change would not address any identified consumer harm or provide consumers with additional protection.’’ 9 DMA commented that ‘‘[e]xpanding the scope of the Disposal Rule could unnecessarily risk stifling an innovative sector that has created enormous job opportunities and provides consumers with robust benefits.’’ 10
The Commission agrees with the commenters who stated that the Rule should continue as it is and that it is not necessary to expand the Rule. No commenter who supported expansion of the Rule provided any evidence of problematic acts or practices that remain unaddressed with the scope of the current Rule.
As to NAID’s comment requesting clarity on emerging issues relating to advances in technology including the applicability of the Rule to third-party service providers, the Commission notes that the Rule already applies to ‘‘[a]ny person who maintains or otherwise possesses consumer information for a business purpose’’ and requires ‘‘reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.’’ 11 Thus, the Commission does not believe a Rule change is needed to address this issue.
As to the commenters that were concerned that the definition of ‘‘consumer information’’ is too limiting, the Commission notes that the definition—which excludes ‘‘aggregate information’’ and ‘‘blind data’’—is not limited to information that identifies a consumer by name only. The Statement of Basis and Purpose to the final Rule noted that the terms ‘‘aggregate information’’ and ‘‘blind data’’ are intended to have the same meaning as in the Commission’s Gramm-LeachBliley Act Rule regarding the Privacy of Consumer Financial Information, 16 CFR part 313 (the ‘‘GLB Privacy Rule’’). The GLB Privacy Rule in turn defines aggregate information or blind data as information ‘‘that does not contain personal identifiers such as account numbers, names, or addresses.’’ 12 In addition, in the Statement of Basis and Purpose for the Disposal Rule, the Commission stated that there are ‘‘a variety of personal identifiers beyond simply a person’s name that would bring information within the scope of the Rule, including, but not limited to, a social security number, driver’s license number, phone number, physical address, and email address.’’ 13 The Commission did not include a rigid definition in the final Rule because it noted that, depending upon the circumstances, data elements that are not inherently identifying can, in combination, identify particular individuals.14
Thus, the rulemaking record makes clear that the definition of ‘‘consumer information’’ is not unduly limited. It may include other information that can be used to identify an individual. The Commission does not believe it is necessary to amend the Rule on this point.
In light of the comments received, the Commission concludes that a continuing need exists for the Rule and that costs imposed on businesses are reasonable. The Commission has determined to retain the Rule without amendment at this time. The Commission will continue to monitor changes in technology and industry standards and practices to determine if it should take action in the future.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2017–24728 Filed 11–14–17; 8:45 am]
BILLING CODE 6750–01–P
____________
1 See 69 FR 68690 (Nov. 24, 2004); 16 CFR 682.
2 See 16 CFR 682.1(b).
3 Federal Trade Commission: Disposal of Consumer Report Information: Request for Comments, 81 FR 63435 (Sept. 15, 2016).
4 The comments are posted at: https://www.ftc.gov/policy/public-comments/initiative-672. The Commission has assigned each comment a number appearing after the name of the commenter and the date of submission. This notice cites comments using the last name of the individual submitter or the name of the organization, followed by the number assigned by the Commission.
5 See National Automobile Dealers Association (Comment #00013).
6 See Electronic Transactions Association (Comment #00011).
7 See National Association for Information Destruction (Comment #00009).
8 See Electronic Privacy Information Center (Comment #00015).
9 See Consumer Data Industry Association (Comment #00010).
10 See Data & Marketing Association (Comment #00012).
11 See 16 CFR 682.3(a).
12 See 69 FR at 68692; 16 CFR 313.3(o)(2)(ii).
13 69 FR at 68692.
14 Id.
For more information, see here: https://www.ftc.gov/policy/federal-register-notices/16-cfr-part-682-disposal-consumer-report-information-records
These materials were obtained directly from the Federal Government public websites and are posted here for your review and reference only. No Claim to Original U.S. Government Works. These may not be the most recent versions. The U.S. Government may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information or the information linked to. Please check the linked sources directly.
Download:
Attachment | Size |
---|---|
disposal_of_consumer_report_information_and_records_confirmation_of_rule_11-15-17.pdf | 221.33 KB |