FTC Amended Privacy of Consumer Financial Information Rule under the Gramm-Leach-Bliley Act
16 CFR Part 313
Date: December 9, 2021
Matter Number: R411016
SUMMARY:
The Federal Trade Commission is amending its Privacy Rule to revise the Rule’s scope, to modify the Rule’s definitions of “financial institution” and “federal functional regulator,” and to update the Rule’s annual customer privacy notice requirement. The amendments also remove certain examples in the Rule that apply to financial institutions that now fall outside the scope of the Commission’s Rule. This action is necessary to conform the Rule to (1) the current requirements of the Gramm-Leach-Bliley Act (“GLBA”), as amended by the Dodd-Frank and FAST Acts, and (2) the Commission’s revisions to the Safeguards Rule, which are being announced simultaneously through a separate notice.
For the reasons stated above, the Federal Trade Commission amends 16 CFR part 313 as follows:
PART 313—PRIVACY OF CONSUMER FINANCIAL INFORMATION
1. The authority citation for part 313 is revised to read as follows:
Authority: 15 U.S.C. 6801 et seq., 12 U.S.C. 5519.
2. Amend § 313.1 by revising paragraph (b) to read as follows:
§ 313.1 Purpose and scope.
* * * * *
(b) Scope. This part applies only to nonpublic personal information about individuals who obtain financial products or services primarily for personal, family or household purposes from the institutions listed below. This part does not apply to information about companies or about individuals who obtain financial products or services for business, commercial, or agricultural purposes. This part applies to those “financial institutions” over which the Federal Trade Commission (“Commission”) has rulemaking authority pursuant to section 504(a)(1)(C) of the Gramm-Leach-Bliley Act. An entity is a “financial institution” if its business is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k), which incorporates activities enumerated by the Federal Reserve Board in 12 CFR 225.28 and 225.86. The “financial institutions” subject to the Commission's rulemaking authority are any persons described in 12 U.S.C. 5519 that are predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both. They are referred to in this part as “You.” Excluded from the coverage of this part are motor vehicle dealers described in 12 U.S.C. 5519(b) that directly extend to consumers retail credit or retail leases involving motor vehicles in which the contract governing such extension of retail credit or retail leases is not routinely assigned to an unaffiliated third party finance or leasing source.
3. Amend § 313.3 by revising paragraphs (e), (i), (j), (k), and (q) to read as follows:
§ 313.3 Definitions.
* * * * *
(e)(1) Consumer means an individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family, or household purposes, or that individual's legal representative.
(2) For example:
(i) An individual who applies to you for credit for personal, family, or household purposes is a consumer of a financial service, regardless of whether the credit is extended.
(ii) An individual who provides nonpublic personal information to you in order to obtain a determination about whether he or she may qualify for a loan to be used primarily for personal, family, or household purposes is a consumer of a financial service, regardless of whether the loan is extended.
(iii) If you hold ownership or servicing rights to an individual's loan that is used primarily for personal, family, or household purposes, the individual is your consumer, even if you hold those rights in conjunction with one or more other institutions. (The individual is also a consumer with respect to the other financial institutions involved.) An individual who has a loan in which you have ownership or servicing rights is your consumer, even if you, or another institution with those rights, hire an agent to collect on the loan.
(iv) An individual who is a consumer of another financial institution is not your consumer solely because you act as agent for, or provide processing or other services to, that financial institution.
(v) An individual is not your consumer solely because he or she is a participant or a beneficiary of an employee benefit plan that you sponsor or for which you act as a trustee or fiduciary.
* * * * *
(i)(1) Customer relationship means a continuing relationship between a consumer and you under which you provide one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.
(2) For example:
(i) Continuing relationship. A consumer has a continuing relationship with you if the consumer:
(A) Has a credit or investment account with you;
(B) Obtains a loan from you;
(C) Purchases an insurance product from you;
(D) Enters into an agreement or understanding with you whereby you undertake to arrange or broker a home mortgage loan, or credit to purchase a vehicle, for the consumer;
(E) Enters into a lease of personal property on a non-operating basis with you; or
(F) Has a loan for which you own the servicing rights.
(ii) No continuing relationship. A consumer does not, however, have a continuing relationship with you if:
(A) The consumer obtains a financial product or service from you only in isolated transactions, such as cashing a check with you or making a wire transfer through you;
(B) You sell the consumer's loan and do not retain the rights to service that loan; or
(C) The consumer obtains one-time personal appraisal services from you.
(j) Federal functional regulator means:
(1) The Board of Governors of the Federal Reserve System;
(2) The Office of the Comptroller of the Currency;
(3) The Board of Directors of the Federal Deposit Insurance Corporation;
(4) The National Credit Union Administration Board; and
(5) The Securities and Exchange Commission.
(k)(1) Financial institution means any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k). An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution.
(2) An example of a financial institution is an automobile dealership that, as a usual part of its business, leases automobiles on a nonoperating basis for longer than 90 days is a financial institution with respect to its leasing business because leasing personal property on a nonoperating basis where the initial term of the lease is at least 90 days is a financial activity listed in 12 CFR 225.28(b)(3) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act.
(3) Financial institution does not include entities that engage in financial activities but that are not significantly engaged in those financial activities.
(4) An example of entities that are not significantly engaged in financial activities is a motor vehicle dealer is not a financial institution merely because it accepts payment in the form of cash, checks, or credit cards that it did not issue.
* * * * *
(q) You includes each “financial institution” over which the Commission has rulemaking authority pursuant to section 504(a)(1)(C) of the Gramm-Leach-Bliley Act (15 U.S.C. 6804(a)(1)(C)).
4. Amend § 313.4 by adding a heading for paragraph (c)(3) and revising paragraphs (c)(3)(i) and (e) to read as follows:
§ 313.4 Initial privacy notice to consumers required.
* * * * *
(c) * * *
(3) Examples—(i) Examples of establishing a customer relationship. You establish a customer relationship when the consumer:
(A) Executes the contract to obtain credit from you or purchase insurance from you; or
(B) Executes the lease for personal property with you.
* * * * *
(e) Exceptions to allow subsequent delivery of notice—(1) General. You may provide the initial notice required by paragraph (a)(1) of this section within a reasonable time after you establish a customer relationship if:
(i) Establishing the customer relationship is not at the customer's election; or
(ii) Providing notice not later than when you establish a customer relationship would substantially delay the customer's transaction and customer agrees to receive the notice at a later time.
(2) Examples of exceptions—(i) Substantial delay of customer's transaction. Providing notice not later than when you establish a customer relationship would substantially delay the customer's transaction when you and the individual agree over the telephone to enter into a customer relationship involving prompt delivery of the financial product or service.
(ii) No substantial delay of customer's transaction. Providing notice not later than when you establish a customer relationship would not substantially delay the customer's transaction when the relationship is initiated in person at your office or through other means by which the customer may view the notice, such as through a website.
* * * * *
5. Amend § 313.5 by adding a heading for paragraph (a), revising paragraphs (a)(1) and (b)(2), and adding paragraph (e) to read as follows:
§ 313.5 Annual privacy notice to customers required.
(a) In general—(1) General rule. Except as provided by paragraph (e) of this section, you must provide a clear and conspicuous notice to customers that accurately reflects your privacy policies and practices not less than annually during the continuation of the customer relationship. Annually means at least once in any period of 12 consecutive months during which that relationship exists. You may define the 12-consecutive-month period, but you must apply it to the customer on a consistent basis.
* * * * *
(b) * * *
(2) Examples. Your customer becomes a former customer when:
(i) In the case of a closed-end loan, the customer pays the loan in full, you charge off the loan, or you sell the loan without retaining servicing rights.
(ii) In the case of mortgage or vehicle loan brokering services, your customer has obtained a loan through you (and you no longer provide any statements or notices to the customer concerning that relationship), or has ceased using your services for such purposes.
(iii) In cases where there is no definitive time at which the customer relationship has terminated, you have not communicated with the customer about the relationship for a period of 12 consecutive months, other than to provide annual privacy notices or promotional material.
* * * * *
(e) Exception to annual privacy notice requirement—(1) When exception available. You are not required to deliver an annual privacy notice if you:
(i) Provide nonpublic personal information to nonaffiliated third parties only in accordance with the provisions of § 313.13, § 313.14, or § 313.15; and
(ii) Have not changed your policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under § 313.6(a)(2) through (5) and (9) in the most recent privacy notice provided pursuant to this part.
(2) Delivery of annual privacy notice after financial institution no longer meets requirements for exception. If you have been excepted from delivering an annual privacy notice pursuant to paragraph (e)(1) of this section and change your policies or practices in such a way that you no longer meet the requirements for that exception, you must comply with paragraph (e)(2)(i) or (ii) of this section, as applicable.
(i) Changes preceded by a revised privacy notice. If you no longer meet the requirements of paragraph (e)(1) of this section because you change your policies or practices in such a way that § 313.8 requires you to provide a revised privacy notice, you must provide an annual privacy notice in accordance with the timing requirement in paragraph (a) of this section, treating the revised privacy notice as an initial privacy notice.
(ii) Changes not preceded by a revised privacy notice. If you no longer meet the requirements of paragraph (e)(1) of this section because you change your policies or practices in such a way that § 313.8 does not require you to provide a revised privacy notice, you must provide an annual privacy notice within 100 days of the change in your policies or practices that causes you to no longer meet the requirement of paragraph (e)(1).
(iii) Examples.
(A) You change your policies and practices in such a way that you no longer meet the requirements of paragraph (e)(1) of this section effective April 1 of year 1. Assuming you define the 12-consecutive-month period pursuant to paragraph (a) of this section as a calendar year, if you were required to provide a revised privacy notice under § 313.8 and you provided that notice on March 1 of year 1, you must provide an annual privacy notice by December 31 of year 2. If you were not required to provide a revised privacy notice under § 313.8, you must provide an annual privacy notice by July 9 of year 1.
(B) You change your policies and practices in such a way that you no longer meet the requirements of paragraph (e)(1) of this section, and so provide an annual notice to your customers. After providing the annual notice to your customers, you once again meet the requirements of paragraph (e)(1) of this section for an exception to the annual notice requirement. You do not need to provide additional annual notice to your customers until such time as you no longer meet the requirements of paragraph (e)(1) of this section.
6. Amend § 313.15 by revising paragraph (a)(4) to read as follows:
§ 313.15 Other exceptions to notice and opt out requirements.
(a) * * *
(4) To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies (including the Consumer Financial Protection Bureau, a federal functional regulator, the Secretary of the Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping), a State insurance authority, with respect to any person domiciled in that insurance authority's State that is engaged in providing insurance, and the Federal Trade Commission), self-regulatory organizations, or for an investigation on a matter related to public safety;
* * * * *
§ 313.18 [Removed]
7. Remove § 313.18.
By direction of the Commission.
April J. Tabor,
Acting Secretary.
Footnotes
1. Public Law 106-102, 113 Stat. 1338 (1999).
2. Joint Final Rule, 65 FR 35162 (June 1, 2000) available at
3. FTC Final Privacy Rule, 65 FR 33645 (May 24, 2000) available at
NCUA Final Privacy Rule, 65 FR 31722 (May 18, 2000) available at
SEC Final Privacy Rule, 65 FR 40333 (June 29, 2000) available at
CFTC Final Privacy Rule, 66 FR 21235 (Apr. 27, 2001) available at
4. Joint Model Form, 74 FR 62889 (Dec. 1, 2009) available at
5. Public Law 111-203, 124 Stat. 1376 (2010).
6. Interim Final Rule for Regulation P, 76 FR 79025 (Dec. 21, 2011) available at
7. 12 U.S.C. 5519. The FTC retained rulemaking jurisdiction as to motor vehicle dealers that are predominantly engaged in the sale and servicing or the leasing and servicing of motor vehicles, excluding those dealers that directly extend credit to consumers and do not routinely assign the extensions of credit to an unaffiliated third party. For ease of reference, covered motor vehicle dealers are referenced herein as “motor vehicle dealers.”
8. Rescission of Rules, 77 FR 22200, 22201 (Apr. 13, 2012) available at (also rescinding those regulations for which rulemaking authority was transferred to the CFPB under the Dodd-Frank Act).
9. 15 U.S.C. 6805(a).
10. 15 U.S.C. 6804, 6809; 12 U.S.C. 1843(k)(4); 12 CFR 1016.1(b).
11. See 15 U.S.C. 6804(a)(2).
12. Section 75001, Public Law 114-94, 129 Stat. 1312, 1787 (2015).
13. 15 U.S.C. 6803; 16 CFR 313.4.
14. 15 U.S.C. 6803; 16 CFR 313.5(a)(1).
15. 15 U.S.C. 6802; 16 CFR 313.6(a)(6).
16. 16 CFR 313.10(a).
17. 15 U.S.C. 6802(b)(2), 6802(e); 16 CFR 313.13-313.15.
18. 15 U.S.C. 1681a(d)(2)(A)(iii).
19. 15 U.S.C. 6803(c)(4); 16 CFR 313.6(a)(7).
20. 16 CFR 680.1-680.28.
21. 15 U.S.C. 1681s-3. The FTC's Affiliate Marketing Rule applies to motor vehicle dealers. See 77 FR 22201. The FTC also enforces the CFPB's Regulation V's Affiliate Marketing Rule, 12 CFR part 1022, subpart C, for other entities over which the FTC has enforcement authority under the FCRA.
22. 16 CFR 680.23(b).
23. 16 CFR 313.6(a)(8).
24. On June 24, 2015, the Commission published a notice of proposed rulemaking (“2015 NPRM”) proposing revisions to the Privacy Rule. NPRM, 80 FR 36267 (June 24, 2015) available at
First, the Commission proposed a number of changes to comport with the Dodd-Frank Act revision of GLBA, which transferred rulemaking authority for most financial institutions to the CFPB. The Commission also proposed amending the rule to allow motor vehicle dealers to notify their customers that a privacy notice is available online, under circumstances identical to those that had been adopted by the CFPB. Final Rule, 79 FR 64057 (Oct. 28, 2014) available at
The passage of the FAST Act rendered the Commission's proposed changes to the Privacy Rule moot because those changes, if adopted, would have been in conflict with the revised statute.
25. The Commission also received three comments that related to the Safeguards Rule (16 CFR part 314). Those comments are addressed in the final Safeguards Rule published elsewhere in this issue of the Federal Register.
26. 12 U.S.C. 5519.
27. Yuxiang Hao (comment 4).
28. National Automobile Dealers Association (comment 9), at 3-4.
29. NADA (comment 9), at 4.
30. The Commission notes that while the term “loan” may not be applicable to all motor vehicle dealers' transactions with their customers, most extensions of credit or the arranging of credit will play the same role as loans for purposes of this amendment, and dealers may generally apply these examples accordingly.
31. The Proposed Amendments did modify existing examples in two instances. In §§ 313.3(i)(2)(i)(A) and 313.5(b)(2)(ii), references to mortgage loans were removed. Although the Commission continues to believe that mortgage loans are unlikely to be involved in the motor vehicle dealer context, as discussed above, the Commission recognizes that there is value in maintaining consistency with Regulation P, and that particular examples provided may not be applicable to every type of financial institution's activities. Accordingly, the final rule retains the references to mortgage loans in these provisions.
32. NADA (comment 9), at 5.
33. NADA (comment 9), at 5.
34. See Final Rule, 83 FR 40945 (August 17, 2018) available at
35. As discussed above, NADA argued that the word “loan” should be replaced with “retail installment sale contract.” As discussed above, the Commission wishes the remaining examples in the final rule to be identical to those found in Regulation P and declines to make these changes. In addition, the National Independent Automobile Dealers Association noted that most dealers will not be required to provide annual notices because of their lack of ongoing relationships with their consumers, but supported the amendments in general.
36. See 16 CFR 313.3(k); see also 65 FR 33654.
37. 65 FR 33654 n.23.
38. Id.
39. Several other entities commented on the expansion of the definition of a “financial institution” in the Safeguards Rule. These comments are addressed in the discussion of the final Safeguards Rule, published elsewhere in this issue of the Federal Register.
40. NADA (comment 9), at 7-8.
41. Qiyi Hu (comment 5).
42. 44 U.S.C. 3501 et seq.
43. The OMB Control Number is 3084-0121.
44. PRA Notice, 82 FR 48081 (Oct. 16, 2017) available at
45. 5 U.S.C. 603-605.
46. Table of Small Bus. Size Standards Matched to North American Indus. Classification System Codes, 13 CFR 121.201 (available at: https://www.sba.gov/document/support--table-size-standards), updated Aug. 19, 2019. For example, used car dealers are classified as NAICS 441120 and new car dealers as NAICS 441110. Under those standards, the SBA would classify as small businesses independent used car dealers having annual receipts of less than $27 million and new car dealers having fewer than 200 employees each.
[FR Doc. 2021-25735 Filed 12-8-21; 8:45 am]
BILLING CODE 6750-01-P
For more information, see https://www.ftc.gov/policy/federal-register-notices/16-cfr-part-313-privacy-consumer-financial-information-rule-under-0 and https://www.federalregister.gov/documents/2021/12/09/2021-25735/privacy-of-consumer-financial-information-rule-under-the-gramm-leach-bliley-act