Privacy Rule - SS - September 2014 - FINAL

Privacy of Consumer Financial Information (Gramm-Leach-Bliley Act Privacy Rule)

OMB: 3084-0121

Supporting Statement for the Privacy of
Consumer Financial Information Rule
16 CFR § 313
(OMB Control No. 3084-0121)
(1) & (2) Necessity for and Use of the Information Collection

The Gramm-Leach-Bliley Act (“GLB Act” or the “Act”), Pub. L. No. 106-102, 113 Stat.
1338 (November 12, 1999), permits banks to affiliate with firms engaged in insurance, securities,
and other financial activities. Title V, Subtitle A of the GLB Act (“Subtitle A”) provides certain
privacy protections to consumers. The Federal Trade Commission (“FTC” or “Commission”) is
charged with prescribing rules as necessary to implement the provisions of Subtitle A as to those
entities over which the Commission has enforcement jurisdiction.1 Accordingly, the
Commission promulgated the Privacy of Consumer Financial Information Rule (also known as
the “Rule” or the “GLB Privacy Rule”).
As mandated by the GLBA, the Rule implements consumer disclosure requirements that
are subject to the provisions of the Paperwork Reduction Act, 44 U.S.C. Chapter 35 (“PRA”).2
The required disclosures are: (1) initial notice of the financial institution’s privacy policy when
establishing a customer relationship with a consumer and/or before sharing a consumer’s nonpublic personal information with certain nonaffiliated third parties; (2) notice of the consumer’s
right to opt out of information sharing with such parties; (3) annual notice of the institution’s
privacy policy to any continuing customer; and (4) notice of changes in the institution’s
practices on information sharing. The Rule does not include recordkeeping requirements.
The Rule’s requirements are designed to ensure that customers and consumers, subject to
certain exceptions, will have access to the privacy policies of the financial institutions with
which they conduct business. The privacy policies must state: (a) the categories of nonpublic
personal information the financial institution collects; (b) the categories of nonpublic personal
information the financial institution discloses; (c) the categories of affiliates and nonaffiliated
third parties to whom the financial institution discloses such information; and (d) the financial
institution’s policies and practices with respect to protecting the confidentiality, security, and
integrity of the information. In certain situations, consumers will also be informed of the means
by which they can opt out of financial institution sharing of their nonpublic personal information
with nonaffiliated third parties.

1 15 U.S.C. §§ 6804, 6805. Other agencies were also required to issue rules with respect to those entities
over which they have enforcement jurisdiction. For example, the Bureau of Consumer Financial Protection
issued Privacy Of Consumer Financial Information (Regulation P), 12 CFR § 1016, which applies to
depository institutions and many non-depository institutions. See 76 Fed. Reg. 79,028 (Dec. 21, 2011).

2 Under the PRA, federal agencies must get OMB approval for each collection of information they conduct,
sponsor, or require. “Collection of information” means agency request or requirements to submit reports,
keep records, or provide information to a third party. 44 U.S.C. § 3502(3); 5 CFR § 1320.3(c).

September 2014

The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (“Dodd-Frank Act”)3 substantially changed the federal legal framework for financial services providers.
Among the changes, the Dodd-Frank Act transferred rulemaking authority for a number of
consumer financial protection laws from seven Federal agencies, including the FTC, to the
Bureau of Consumer Financial Protection (“CFPB”) as of July 21, 2011. This transfer to the
CFPB included most provisions of Subtitle A of Title V of the GLB Act, with respect to
financial institutions described in Section 504 of the GLB Act. Pursuant to the GLB Act, only
the FTC retains rulemaking authority for its GLB Privacy Rule, 16 CFR § 313, for motor vehicle
dealers predominantly engaged in the sale and servicing of motor vehicles, the leasing and
servicing of motor vehicles, or both. The CFPB implemented its own regulations to enforce the
Dodd-Frank provisions, including Privacy of Consumer Financial Information (Regulation P), 12
CFR § 1016.
Contemporaneous with that issuance, the CFPB and FTC each have previously submitted
to OMB, and received its approval for, the agencies’ respective burden estimates reflecting their
overlapping enforcement jurisdiction. The FTC supplemented its estimates for the enforcement
authority exclusive to it regarding the class of motor vehicle dealers noted above. Following the
preliminary background information, the discussion in response to Specification #12 below
continues that analytical framework with appropriate updates.
(3) Information Technology

The Rule gives explicit examples of electronic options that financial institutions may use
to transmit the privacy and opt-out notices required by the Rule. See, e.g., 16 CFR § 313.9(b),
(c), (e). The FTC, together with the other federal financial agencies, adopted a model privacy
form that financial institutions may rely on as a safe harbor to provide disclosures under each
agency’s GLB privacy rules. The model privacy form was available for use beginning in
January 2010 and remains the only safe harbor currently available for compliance with such
privacy rules. 74 Fed. Reg. 62,890 (Dec. 1, 2009).
In order to ease the burden on entities that wanted to adopt the new model privacy form,
the agencies developed an “Online Form Builder” that an entity can download and use to
develop and print customized versions of a model consumer privacy notice. The Online Form
Builder is available with several options. Easy-to-follow instructions for the form builder will
guide an institution to select the version of the model form that fits its practices, such as whether
the institution provides an opt-out for consumers. The agencies announced the availability of
this tool, which can be found at http://www.ftc.gov/news-events/press-releases/2010/04/federal-regulators-release-model-consumer-privacy-notice-online.
These electronic options help minimize the burden and cost of the Rule’s information
collection requirements for financial institutions subject to the Rule, and are consistent with the
objectives of the Government Paperwork Elimination Act. See Pub. L. 105-277, Div. C, Title
XVII, 112 Stat. 2681, 2681-749, reprinted in 44 U.S.C. § 3504 note.

                                                            
3 Public Law 111–203, 124 Stat. 1376 (2010).


(4) Efforts to Identify Duplication

Any inconsistent state notice requirement would be preempted by federal law unless it
provided greater protection. 15 U.S.C. § 6807. Further, the Rule provides, as required under 15
U.S.C. § 6803(c)(4), that the financial institution’s initial and annual notices include any
disclosures required under Section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act, 15 U.S.C.
§ 1681a(d)(2)(A)(iii), thereby incorporating, but not duplicating, a pre-existing disclosure
obligation to consumers.
(5) Efforts to Minimize Small Organization Burden

The Commission drafted the Rule to minimize the compliance burden as much as
possible. As noted above, the notice requirements are expressly mandated by the GLBA. The
Rule implements these requirements by providing guidance on the contents of such notices while
affording small businesses (and all other regulated businesses) some flexibility in choosing the
means to disseminate such notices. For example, the required notices may, depending upon the
circumstances, be disclosed by hand-delivery, conventional, or electronic mail. 16 CFR
§ 313.9(b)(1).4
The GLBA Rule also gives regulated parties clear guidance on the contents of the
required notices. This guidance, staff believes, will help eliminate much of the administrative
and legal costs that might be incurred by businesses seeking to determine what must be included
in a notice in order to comply with the Rule. Finally, as also noted above, the agencies
developed an “Online Form Builder” to further ease the burden on regulated parties, which
affected entities can download and use to develop and print customized versions of a model
consumer privacy notice.
(6) Consequences of Conducting Collection Less Frequently

While the Rule allows some flexibility in the means of disseminating the required notices,
the frequency of “collection” is set by the statutory language of the GLBA. See Sections 502(a) (b), 503(a) of the GLBA.
(7) Circumstances Requiring Collection Inconsistent With Guidelines

The collection of information in the Rule is consistent with all applicable guidelines
contained in 5 CFR § 1320.5(d)(2).

4 In May 2014, the CFPB proposed changes to the annual notice requirement to enable financial institutions
to satisfy the notice requirement through alternative means. See 79 FR 27214 (May 13, 2014).
Commission staff are currently evaluating the proposed rulemaking and, if the CFPB issues a final rule, the
Commission will consider changes to the Privacy Rule.

(8) Public Comments/Consultation Outside the Agency

The Commission initially sought public comment on the various aspects of the Rule,
including its PRA implications, in its notice of proposed rulemaking. 65 Fed. Reg. 11,174,
11,188 (March 1, 2000). It addressed the comments received when it published the final version
of the Rule. 65 Fed. Reg. 33,646, 33,677 (May 24, 2000). As noted in the latter publication, the
Commission did not receive any comments that necessitated modifying the burden estimates
presented with the proposed rule. Moreover, as required by the GLBA, staff had consulted with
the other affected federal agencies on drafting the proposed rule, seeking to achieve clarity,
consistency, and comparability among their respective rules implementing the GLBA. See
Section 504(a)(2) of the GLBA. Subsequently, the FTC has sought public comment at three-year
intervals each time it has submitted a proposal to OMB to extend its PRA clearance for the Rule.
The FTC has again sought public comment on its request to OMB for a three-year extension of
the current PRA clearance for the information collection aspects of the Rule, as required by 5
CFR § 1320.8(d). See 79 Fed. Reg. 35,158 (June 19, 2014). No comments were received. The
FTC is providing a second opportunity for public comment while seeking OMB approval to
extend the existing PRA clearance for the Rule.
(9) Payments or Gifts to Respondents
Not applicable.

(10) & (11) Assurances of Confidentiality/Matters of a Sensitive Nature

The requirements for which the Commission seeks renewed OMB clearance do not
involve disclosure of confidential respondent or customer information but, rather, the disclosure
of financial institutions’ practices regarding collection and sharing of consumer and customer
nonpublic personal information. This is done with a view toward safeguarding consumer
privacy and/or enhancing their understanding of what nonpublic personal information
respondents may share with other institutions.
(12) Estimated Annual Hours Burden
Estimated annual hours burden: 1,515,050 annual hours (FTC portion)

As noted in previous burden estimates for the GLB Privacy Rule, determining the PRA
burden of the Rule’s disclosure requirements is very difficult because of the highly diverse group
of affected entities, consisting of financial institutions not regulated by a Federal financial
regulatory agency. See 15 U.S.C. § 6805 (committing to the Commission’s jurisdiction entities
that are not specifically subject to another agency’s jurisdiction).
The burden estimates represent the FTC staff’s best assessment, based on its knowledge
and expertise relating to the financial institutions subject to the Commission’s jurisdiction under
this law. To derive these estimates, staff considered the wide variations in covered entities. In
some instances, covered entities may make the required disclosures in the ordinary course of
business, apart from the GLB Privacy Rule. In addition, some entities may use highly automated
means to provide the required disclosures, while others may rely on methods requiring more
manual effort. The burden estimates shown below include the time that may be necessary to train
staff to comply with the regulations. These figures are averages based on staff’s best estimate of
the burden incurred over the broad spectrum of covered entities.
Staff estimates that the number of entities each year that will address the GLB Privacy
Rule for the first time will be 5,000 and the number of established entities already familiar with
the Rule will be 100,000. While the number of established entities familiar with the Rule would
theoretically increase each year with the addition of new entrants, staff retains its estimate of
established entities for each successive year given that a number of the established entities will
close in any given year, and also given the difficulty of establishing a more precise estimate.
Staff believes that the usage of the model privacy form and the availability of the form
builder simplify and automate much of the work associated with creating the disclosure
documents for new entrants. Staff thus estimates 1 hour of clerical time and 2 hours of
professional/technical time per new entrant.
For established entities, staff similarly believes that the usage of the model privacy form
and the availability of the Online Form Builder reduces the time associated with the modification
of the notices. Staff thus estimates 7 hours of clerical time and 3 hours of professional/technical
time per respondent. Staff estimates that no more than 1% of the estimated 100,000 established-entity respondents would make additional changes to privacy policies at any time other than the
occasion of the annual notice.
The complete burden estimates for new entrants and established entities are detailed in the
charts below.
Annual start-up hours and labor costs for all new entrants (Table IA):

| Event | Hourly wage and labor category* | Hours per respondent | Approx. number of respondents | Approx. total annual hrs. | Approx. total labor costs |
|---|---|---|---|---|---|
| Reviewing internal policies and developing GLBA-implementing instructions** | $41.82 Professional/Technical | 20 | 5,000 | 100,000 | $4,182,000 |
| Creating disclosure document or electronic disclosure (including initial, annual, and opt-out disclosures) | $16.78 Clerical | 1 | 5,000 | 5,000 | 83,900 |
| | $41.82 Professional/Technical | 2 | 5,000 | 10,000 | 418,200 |
| Disseminating initial disclosure (including opt-out notices) | $16.78 Clerical | 15 | 5,000 | 75,000 | 1,258,500 |
| | $41.82 Professional/Technical | 10 | 5,000 | 50,000 | 2,091,000 |
| Total | | | | 240,000 | $8,033,600 |

*Staff calculated labor costs by applying appropriate hourly cost figures to burden hours. The hourly rates used were based on
mean wages for Financial Examiners and for Office and Administrative Support, corresponding to professional/technical time (e.g.,
compliance evaluation and/or planning, designing and producing notices, reviewing and updating information systems), and clerical
time (e.g., reproduction tasks, filing, and, where applicable to the given event, typing or mailing) respectively. See BLS
Occupational Employment and Wages, May 2013, Table 1 at http://www.bls.gov/news.release/pdf/ocwage.pdf. Labor cost totals reflect
solely that of the commercial entities affected. Staff estimates that the time required of consumers to respond affirmatively to
respondents’ opt-out programs (be it manually or electronically) would be minimal.
**Reviewing instructions includes all efforts performed by or for the respondent to: determine whether and to what extent the
respondent is covered by an agency collection of information, understand the nature of the request, and determine the appropriate
response (including the creation and dissemination of documents and/or electronic disclosures).


Burden hours and costs for all established entities (Table IB):
Burden for established entities already familiar with the Rule predictably would be less
than for new entrants because start-up costs, such as crafting a privacy policy, are generally one-time costs and have already been incurred. Staff's best estimate of the average burden for these
entities is as follows:

| Event | Hourly wage and labor category* | Hours per respondent | Approx. number of respondents** | Approx. total annual hrs. | Approx. total labor costs |
|---|---|---|---|---|---|
| Reviewing GLBA-implementing policies and practices. | $41.82 Professional/Technical | 4 | 70,000 | 280,000 | $11,709,600 |
| Disseminating annual disclosure. | $16.78 Clerical | 15 | 70,000 | 1,050,000 | 17,619,000 |
| | $41.82 Professional/Technical | 5 | 70,000 | 350,000 | 14,637,000 |
| Changes to privacy policies and related disclosures. | $16.78 Clerical | 7 | 1,000 | 7,000 | 117,460 |
| | $41.82 Professional/Technical | 3 | 1,000 | 3,000 | 125,460 |
| Total | | | | 1,690,000 | $44,208,520 |

*Staff calculated labor costs by applying appropriate hourly cost figures to burden hours. The hourly rates used were based on mean
wages for Financial Examiners and for Office and Administrative Support, corresponding to professional/technical time (e.g., compliance
evaluation and/or planning, designing and producing notices, reviewing and updating information systems), and clerical time (e.g.,
reproduction tasks, filing, and, where applicable to the given event, typing or mailing) respectively. See BLS Occupational
Employment and Wages, May 2013, Table 1 at http://www.bls.gov/news.release/pdf/ocwage.pdf. Labor cost totals reflect solely that of
the affected commercial entities. Consumers have a continuing right to opt out, as well as a right to revoke their opt-out at any
time. When a respondent changes its information sharing practices, consumers are again given the opportunity to opt out. Again, staff
assumes that the time required of consumers to respond affirmatively to respondents' opt-out programs (be it manually or
electronically) would be minimal.
**The estimate of respondents is based on the following assumptions: (1) 100,000 established respondents, approximately
70% of whom maintain customer relationships exceeding one year, (2) no more than 1% (1,000) of whom make additional
changes to privacy policies at any time other than the occasion of the annual notice; and (3) such changes will occur no more
often than once per year.

As calculated above, the total annual PRA burden hours and labor costs for all affected
entities in a given year would be 1,930,000 hours and $52,242,120, respectively.
The FTC now carves out from these overall figures the burden hours and labor costs
associated with motor vehicle dealers. This is because the CFPB does not enforce the GLB
Privacy Rule for those types of entities. We estimate the following:
Annual start-up hours and labor costs for new entrants – motor vehicle dealers only
(Table IIA):

| Event | Hourly wage and labor category | Hours per respondent | Approx. number of respondents** (Table IA inputs x 0.57) | Approx. total annual hrs. | Approx. total labor costs |
|---|---|---|---|---|---|
| Reviewing internal policies and developing GLBA-implementing instructions**. | $41.82 Professional/Technical | 20 | 2,850 | 57,000 | $2,383,740 |
| Creating disclosure document or electronic disclosure (including initial, annual, and opt out disclosures). | $16.78 Clerical | 1 | 2,850 | 2,850 | 47,823 |
| | $41.82 Professional/Technical | 2 | 2,850 | 5,700 | 238,374 |
| Disseminating initial disclosure (including opt out notices). | $16.78 Clerical | 15 | 2,850 | 42,750 | 717,345 |
| | $41.82 Professional/Technical | 10 | 2,850 | 28,500 | 1,191,870 |
| Total | | | | 136,800 | $4,579,152 |

**Multiply the number of respondents from the comparable table above on all new entrants by the following allocation (60,000/105,000) =
0.57. The number in the denominator represents the total of the FTC’s existing GLB Rule estimates for new entrants (5,000) and established
entities (100,000). The numerator represents an estimate of motor vehicle respondents. For this category, Commission staff relied on the
following industry estimates: 17,635 new car dealers per National Automobile Dealers Association data (2013) and 35,000
independent/used car dealers per National Independent Automobile Dealers Association data (2012), respectively, multiplied by an added
factor of 1.10 to cover for an unknown quantity of additional motor vehicle dealer types (motorcycles, boats, other recreational vehicles) also
covered within the definition of “motor vehicle dealer” under section 1029(a) of the Dodd-Frank Act.

Annual burden hours and labor costs for all established entities – motor vehicle dealers only
(Table IIB):

| Event | Hourly wage and labor category* | Hours per respondent | Approx. number of respondents** (Table IB inputs x 0.57) | Approx. total annual hrs. | Approx. total labor costs |
|---|---|---|---|---|---|
| Reviewing GLBA-implementing policies and practices. | $41.82 Professional/Technical | 4 | 39,900 | 159,600 | $6,674,472 |
| Disseminating annual disclosure. | $16.78 Clerical | 15 | 39,900 | 598,500 | 10,042,830 |
| | $41.82 Professional/Technical | 5 | 39,900 | 199,500 | 8,343,090 |
| Changes to privacy policies and related disclosures. | $16.78 Clerical | 7 | 570 | 3,990 | 66,952 |
| | $41.82 Professional/Technical | 3 | 570 | 1,710 | 71,512 |
| Total | | | | 963,300 | $25,198,856 |

The FTC’s portion of the annual hourly burden would be 1,100,100 hours + ((1,930,000 –
1,100,100) / 2) = 1,515,050 annual hours. The FTC’s portion of the annual cost burden would be
$29,778,008 + $((52,242,120 – 29,778,008) / 2) = $41,010,064.
(13) Estimated Capital/Other Non-Labor Costs Burden

Staff believes that capital or other non-labor costs associated with the document requests
are minimal. Covered entities will already be equipped to provide written notices (e.g.,
computers with word processing programs, copying machines, mailing capabilities). Most likely,
only entities that already have online capabilities will offer consumers the choice to receive
notices via electronic format. As such, these entities will already be equipped with the computer
equipment and software necessary to disseminate the required disclosures via electronic means.
(14) Estimate of Cost to Federal Government
Over the course of the three-year clearance period sought, enforcing and administering
the GLB Privacy Rule will require the cumulative expenditure per year of approximately five
attorney/investigator work years (approximately $72,000 per employee) for a total of $360,000
in labor costs. In addition, staff estimates that associated travel costs, clerical, and other support
services will total approximately $20,000 per year. Thus, the annualized approximate cost to the
Commission is $380,000.
(15) Program Changes or Adjustments

Staff has slightly adjusted downward the FTC portion of the annual burden costs from
1,524,700 (2012) to 1,515,050 annual hours (2014).
(16) Statistical Use of Information

There are no plans to publish information associated with the Rule’s requirements for
statistical use.
(17) Display of Expiration Date for OMB Approval
Not applicable.

(18) Exceptions to Certification
Not applicable.



File Type: application/pdf
File Modified: 2014-09-16
File Created: 2014-09-16
