2020 GLB Privacy Rule Supporting Statement

Privacy of Consumer Financial Information (Gramm-Leach-Bliley Act Privacy Rule)

OMB: 3084-0121

Supporting Statement
Privacy of Consumer Financial Information Rule
16 CFR 313
(OMB Control No. 3084-0121)
(1) & (2) Necessity for and Use of the Information Collection
The Gramm-Leach-Bliley Act (“GLB Act” or the “Act”), Pub. L. No. 106-102, 113 Stat.
1338 (November 12, 1999), permits banks to affiliate with firms engaged in insurance, securities,
and other financial activities. Title V, Subtitle A of the GLB Act (“Subtitle A”) provides certain
privacy protections to consumers. The Federal Trade Commission (“FTC” or “Commission”)
was charged with prescribing rules as necessary to implement the provisions of Subtitle A as to
those entities over which the Commission has enforcement jurisdiction.1 Accordingly, the
Commission promulgated the Privacy of Consumer Financial Information Rule (hereinafter,
“GLB Privacy Rule” or “Rule”).
The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (“Dodd-Frank Act”)2 transferred rulemaking authority to the Consumer Financial Protection Bureau
(“CFPB”) for most provisions of Subtitle A of Title V of the GLB Act, with respect to financial
institutions described in Section 504 of the GLB Act. Pursuant to the GLB Act, the FTC retains
rulemaking authority for its GLB Privacy Rule, 16 CFR § 313, only for motor vehicle dealers
predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of
motor vehicles, or both (hereafter, “motor vehicle dealers”). The CFPB implemented its own
regulations to enforce the Dodd-Frank provisions, including Privacy of Consumer Financial
Information (Regulation P), 12 CFR § 1016. The FTC shares enforcement authority with the
CFPB for certain non-motor vehicle dealer financial institutions subject to Regulation P.
On December 4, 2015, Congress amended the GLB Act as part of the Fixing America’s
Surface Transportation Act (“FAST Act”). This amendment, titled Eliminate Privacy Notice
Confusion (FAST Act, Public Law 114-94, section 75001) added new GLB Act section 503(f).
This subsection provides an exception under which financial institutions that meet certain
conditions are not required to provide annual privacy notices to customers. Section 503(f)
requires that to qualify for this exception, a financial institution must not share nonpublic
personal information about customers except as described in certain statutory exceptions, under
which sharing does not trigger a customer’s statutory right to opt out of the sharing. In addition,
section 503(f)(2) requires that the financial institution must not have changed its policies and
practices with regard to disclosing nonpublic personal information from those that the institution
disclosed in the most recent privacy notice the customer received.
As mandated by the GLB Act, the Rule implements consumer disclosure requirements
that are subject to the provisions of the Paperwork Reduction Act, 44 U.S.C. Chapter 35
(“PRA”).3 The required disclosures are: (1) initial notice of the financial institution’s privacy
policy when establishing a customer relationship with a consumer and/or before sharing a
consumer’s non-public personal information with certain nonaffiliated third parties; (2) notice of
the consumer’s right to opt out of information sharing with such parties; (3) annual notice of the
institution’s privacy policy to any continuing customer unless the financial institution meets an
exception for providing the annual notice; and (4) notice of changes in the institution’s practices
on information sharing. The Rule does not include recordkeeping requirements.

1 15 U.S.C. §§ 6804, 6805. Other agencies were also required to issue rules with respect to those entities over
which they have enforcement jurisdiction. For example, the Bureau of Consumer Financial Protection issued
Privacy of Consumer Financial Information (Regulation P), 12 CFR § 1016, which applies to depository institutions
and many non-depository institutions. See 76 Fed. Reg. 79,028 (Dec. 21, 2011).
2 Public Law 111–203, 124 Stat. 1376 (2010).

The Rule’s requirements are designed to ensure that customers and consumers, subject to
certain exceptions, will have access to the privacy policies of the covered financial institutions
with which they conduct business. The privacy policies must state: (a) the categories of
nonpublic personal information the financial institution collects; (b) the categories of nonpublic
personal information the financial institution discloses; (c) the categories of affiliates and
nonaffiliated third parties to whom the financial institution discloses such information; and (d)
the financial institution’s policies and practices with respect to protecting the confidentiality,
security, and integrity of the information. In certain situations, consumers will also be informed
of the means by which they can opt out of financial institution sharing of their nonpublic
personal information with nonaffiliated third parties.

(3) Information Technology
The Rule gives explicit examples of electronic options that financial institutions may use
to transmit the privacy and opt-out notices required by the Rule. See, e.g., 16 CFR § 313.9(b),
(c), (e). The FTC, together with the other federal financial agencies, adopted a model privacy
form that financial institutions may rely on as a safe harbor to provide disclosures under each
agency’s GLB privacy rules. See 74 Fed. Reg. 62,890 (Dec. 1, 2009). To assist entities in using
the model privacy form, the agencies also provide an “Online Form Builder” that an entity can
download and use to develop and print customized versions of a model consumer privacy notice.
The Online Form Builder is available with several options. Easy-to-follow instructions for the
form builder will guide an institution to select the version of the model form that fits its
practices, such as whether the institution provides an opt-out for consumers. The tool can be
found at https://www.federalreserve.gov/bankinforeg/privacy_notice_instructions.pdf.
These electronic options help minimize the burden and cost of the Rule’s information
collection requirements for financial institutions subject to the Rule, and are consistent with the
objectives of the Government Paperwork Elimination Act. See Pub. L. 105-277, Div. C, Title
XVII, 112 Stat. 2681, 2681-749, reprinted in 44 U.S.C. § 3504 note.

(4) Efforts to Identify Duplication
Any inconsistent state notice requirement would be preempted by federal law unless it
provides greater protection. 15 U.S.C. § 6807. Further, the Rule provides, as required under 15
U.S.C. § 6803(c)(4), that the financial institution’s initial and annual notices may include any
disclosures required under Section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act, 15 U.S.C.
§ 1681a(d)(2)(A)(iii), thereby incorporating, but not duplicating, a pre-existing disclosure
obligation to consumers.

3 Under the PRA, federal agencies must get OMB approval for each collection of information they conduct,
sponsor, or require. “Collection of information” means agency request or requirements to submit reports, keep
records, or provide information to a third party. 44 U.S.C. § 3502(3); 5 CFR § 1320.3(c).

(5) Efforts to Minimize Small Organization Burden
The Commission drafted the Rule to minimize compliance burden to the extent feasible.
The Rule’s notice requirements are expressly mandated by the GLB Act. The Rule implements
these requirements by providing guidance on the contents of such notices while affording small
businesses (and all other regulated businesses) some flexibility in choosing the means to
disseminate such notices. For example, the required notices may, depending upon the
circumstances, be disclosed by hand-delivery, conventional, or electronic mail. 16 CFR
§ 313.9(b)(1).
The Rule also gives regulated parties clear guidance on the contents of the required
notices. This guidance, staff believes, will help eliminate much of the administrative and legal
costs that might be incurred by businesses seeking to determine what must be included in a
notice in order to comply with the Rule. Finally, as also noted above, the agencies developed an
“Online Form Builder” to further ease the burden on regulated parties, which financial
institutions can download and use to develop and print customized versions of a model consumer
privacy notice.

(6) Consequences of Conducting Collection Less Frequently
While the Rule allows some flexibility in the means of disseminating the required
notices, the frequency of “collection” is set by the statutory language of the GLB Act. See
Sections 502(a)-(b), 503(a) of the GLB Act.

(7) Circumstances Requiring Collection Inconsistent With Guidelines
The collection of information in the Rule is consistent with all applicable guidelines
contained in 5 CFR § 1320.5(d)(2).

(8) Public Comments/Consultation Outside the Agency
The FTC sought public comment on its request to OMB for a three-year extension of the
current PRA clearance for the information collection aspects of the Rule, as required by 5 CFR
§ 1320.8(d). See 85 Fed. Reg. 23961 (Apr. 30, 2020). No comments were received. The FTC is
providing a second opportunity for public comment while seeking OMB approval to extend the
existing PRA clearance for the Rule.
In addition, the Commission is conducting a rulemaking proceeding to, among other
things, modify the Rule’s definitions of “financial institution” and “federal functional regulator,”
and to update the Rule’s annual customer privacy notice requirement. See 84 FR 13150 (Apr. 4,
2019). The proposed changes are necessary to conform the Rule to the current requirements of
the GLBA, as amended by the Dodd-Frank and FAST Acts, and will clarify which financial
institutions are covered by the Commission’s Rule and their annual customer privacy notice
obligations under the Rule. The Commission has determined that the proposed amendments do
not modify or add to information collection requirements that were previously approved by
OMB, but has nonetheless solicited public comment on the proposed changes and any potential
impact on the information collection burden associated with the Rule.

(9) Payments or Gifts to Respondents
Not applicable.

(10) & (11) Assurances of Confidentiality/Matters of a Sensitive Nature
The requirements for which the Commission seeks renewed OMB clearance do not
involve disclosure of confidential respondent or customer information but, rather, the disclosure
of financial institutions’ practices regarding collection and sharing of consumer and customer
nonpublic personal information. These disclosures are necessary to safeguard consumer privacy
and enhance consumers’ understanding of what nonpublic personal information covered entities
may share with other institutions.

(12) Estimated Annual Hours Burden
Estimated annual hours burden: 1,345,350 annual hours.
Estimated annual cost burden: $30,363,151.

For PRA purposes, the FTC and CFPB share enforcement authority for those
non-depository institutions subject to the CFPB’s Regulation P. The CFPB assumes
all burden for depository institutions with more than $10 billion in assets as well as
their affiliates, for which CFPB has primary enforcement authority with respect to
Regulation P. The FTC assumes all burden for motor vehicle dealers subject to the
Rule.
I. Financial Institutions
FTC staff estimate that approximately 29,500 non-motor vehicle dealer financial
institutions are subject to joint FTC and CFPB jurisdiction. See 83 FR 65642 (Dec. 21, 2018);
CFPB Supporting Statement, OMB Control No. 3170-0010, Regulation P, 12 CFR 1016 (Dec.
21, 2018). FTC staff further estimates that this number consists of approximately 29,000
established entities and 500 new entrants annually during the renewal period.
A. Established financial institutions:
Under the Rule, covered financial institutions must provide an initial notice of their
privacy policies and practices to new customers and annual privacy notices to customers
thereafter.4 To comply with these disclosure requirements, covered entities must also expend
time to review and update their privacy policies and procedures.
For established entities, staff believes that the model privacy form and the Online Form
Builder reduce the time associated with providing required initial and annual notices.
Furthermore, under Section 503(f), businesses who have not changed their privacy notice since
the last notice sent and who do not share information with non-affiliated third parties outside of
certain statutory exceptions are not required to issue annual notices to their customers. Staff
estimates that at least 80% of businesses covered by the Rule will, accordingly, not be required
to issue annual notices. Finally, staff estimates that no more than 1% of the estimated 29,000
established-entity respondents would make additional changes to privacy policies at any time
other than the occasion of the annual notice.

4 16 CFR 313.4 (initial notices); 16 CFR 313.5 (annual notices).

Accordingly, FTC staff estimates annual burden for established entities as follows:
Burden hours and labor costs for established financial institutions (Table IA):

| Activity | Hours per respondent | Approx. number of respondents5 | Approx. total annual hrs. | FTC portion | Hourly wage and labor category6 | Approx. total labor costs |
| --- | --- | --- | --- | --- | --- | --- |
| Reviewing GLB Act-implementing policies and practices. | 4 | 29,000 | 116,000 | 58,000 | $38.55 Professional/Technical | $2,235,900 |
| Disseminating initial notices to new customers | 15 | 29,000 | 435,000 | 217,500 | $17.19 Clerical | $3,738,825 |
| Disseminating annual disclosure to pre-existing customers. | 15 | 4,060 | 60,900 | 30,450 | $17.19 Clerical | $523,436 |
| | 5 | 4,060 | 20,300 | 10,150 | $38.55 Professional/Technical | $391,283 |
| Changes to privacy policies and related disclosures. | 7 | 290 | 2,030 | 1,015 | $17.19 Clerical | $17,448 |
| | 3 | 290 | 870 | 435 | | $7,478 |
| Totals: | | | 635,100 | 317,550 | | $6,914,370 |

5 The estimate of respondents which are required to disseminate annual notices is based on the following
assumptions: (1) 29,000 established respondents, approximately 70% of whom maintain customer relationships
exceeding one year, (2) no more than 20% (4,060) of whom have made changes to their policies and share nonpublic
information outside of the statutory exceptions, and therefore are required to provide annual notices under GLB Act
503(f); (3) and no more than 1% (290) of whom make additional changes to privacy policies at any time other than
the occasion of the annual notice; and (4) such changes will occur no more often than once per year.
6 Staff calculated labor costs by applying appropriate hourly cost figures to burden hours. The hourly rates
used were based on median wages for Financial Examiners and for Office and Administrative Support,
corresponding to professional/technical time (e.g., compliance evaluation and planning, designing and producing
notices, reviewing and updating information systems), and clerical time (e.g., reproduction tasks, filing, and, where
applicable to the given event, typing or mailing) respectively. See BLS Occupational Employment and Wages, May
2018, Table 1 at http://www.bls.gov/news.release/pdf/ocwage.pdf.

B. New entrant financial institutions:
New entrant financial institutions subject to the Rule must provide initial disclosure
notices to their consumers, including taking the time to develop implementing policies and
procedures and create disclosure documents to effectuate the Rule’s disclosure requirements.

FTC staff believes that the usage of the model privacy form and the Online Form Builder
automates much of the work associated with creating the disclosure documents for new entrants.
Staff’s estimates of annual burden for established entities are as follows:
Burden hours and labor costs for new entrant financial institutions (Table IB):

| Activity | Hours per respondent | Approx. number of respondents | Approx. total annual hrs. | FTC portion | Hourly wage and labor category7 | Approx. total labor costs |
| --- | --- | --- | --- | --- | --- | --- |
| Reviewing internal policies and developing GLB Act-implementing instructions.8 | 20 | 500 | 10,000 | 5,000 | $38.55 Professional/Technical | $192,750 |
| Creating disclosure document or electronic disclosure (including initial, annual, and opt-out disclosures). | 1 | 500 | 500 | 250 | $17.19 Clerical | $4,298 |
| | 2 | 500 | 1,000 | 500 | $38.55 Professional/Technical | $19,275 |
| Disseminating initial disclosure (including opt-out notices). | 15 | 500 | 7,500 | 3,750 | $17.19 Clerical | $64,463 |
| | 10 | 500 | 5,000 | 2,500 | $38.55 Professional/Technical | $96,375 |
| Totals | | | 240,000 | 12,000 | | $377,161 |

7 Staff calculated labor costs by applying appropriate hourly cost figures to burden hours, as described in
footnote 6 above.
8 Reviewing instructions includes all efforts performed by or for the respondent to: determine whether and
to what extent the respondent is covered by an agency collection of information, understand the nature of the
request, and determine the appropriate response (including the creation and dissemination of documents and/or
electronic disclosures).

II. Motor Vehicle Dealers
FTC has sole authority over motor vehicle dealers subject to the Rule. Staff estimates
that approximately 44,000 auto dealers are subject to the Rule’s requirements, consisting of
42,000 established dealers and 2,000 new entrants during the renewal period.
A. Established motor vehicle dealers:
Staff believes that the usage of the model privacy form and the availability of the form
builder simplify and automate much of the work associated with creating the disclosure
documents for motor vehicle dealers. FTC staff provides the following burden estimates for
established motor vehicle dealers:


Burden hours and labor costs for established motor vehicle dealers (Table IIA):

| Activity | Hours per respondent | Approx. No. of Respondents9 | Approx. total annual hrs. | Hourly wage and labor category10 | Approx. total labor costs |
| --- | --- | --- | --- | --- | --- |
| Reviewing GLB Act-implementing policies and practices. | 4 | 42,000 | 168,000 | $38.55 Professional/Technical | $6,476,000 |
| Disseminating initial notices to new customers. | 15 | 42,000 | 630,000 | $17.19 Clerical | $10,829,700 |
| Disseminating annual disclosure. | 15 | 5,880 | 88,200 | $17.19 Clerical | $1,516,158 |
| | 5 | 5,880 | 29,400 | $38.55 Professional/Technical | $1,133,370 |
| Changes to privacy policies and related disclosures. | 7 | 420 | 2,940 | $17.19 Clerical | $50,539 |
| | 3 | 420 | 1,260 | $38.55 Professional/Technical | $48,573 |
| Totals: | | | 919,800 | | $20,054,340 |

9 For this estimate, Commission staff relies on industry estimates based on census data and information from
the National Automobile Dealers Association and National Independent Automobile Dealers Association.
10 Staff calculated labor costs by applying appropriate hourly cost figures to the burden hours described
above. See BLS Occupational Employment and Wages, May 2018, Table 1 at
http://www.bls.gov/news.release/pdf/ocwage.pdf.

B. New entrant motor vehicle dealer entrants:
FTC staff provides the following burden estimates for established new entrant vehicle
dealers:


Burden hours and labor costs for new entrant motor vehicle dealers (Table IIB):

| Activity | Hours per respondent | Approx. number of respondents | Approx. total annual hrs. | Hourly wage and labor category | Approx. total labor costs |
| --- | --- | --- | --- | --- | --- |
| Reviewing internal policies and developing GLB Act-implementing instructions. | 20 | 2,000 | 40,000 | $38.55 Professional/Technical | $1,542,000 |
| Creating disclosure document or electronic disclosure (including initial, annual, and opt-out disclosures). | 1 | 2,000 | 2,000 | $17.19 Clerical | $34,380 |
| | 2 | 2,000 | 4,000 | $38.55 Professional/Technical | $154,200 |
| Disseminating initial disclosure (including opt-out notices). | 15 | 2,000 | 30,000 | $17.19 Clerical | $515,700 |
| | 10 | 2,000 | 20,000 | $38.55 Professional/Technical | $771,000 |
| Totals: | | | 96,000 | | $3,017,280 |

(13) Estimated Capital/Other Non-Labor Costs Burden

Staff believes that capital or other non-labor costs associated with the information
collection requirements are minimal. Staff anticipates that covered entities are already equipped
to provide written notices (e.g., computers with word processing programs, copying machines,
mailing capabilities). In addition, staff anticipates that entities that offer consumers the choice to
receive notices via electronic format will already have an online presence to support this option.
As such, these entities will already be equipped with the computer equipment and software
necessary to disseminate the required disclosures via electronic means.

(14) Estimate of Cost to Federal Government
Over the course of the three-year clearance period sought, enforcing and administering
the GLB Privacy Rule will require the cumulative expenditure per year of approximately five
attorney/investigator work years (approximately $72,000 per employee) for a total of $360,000
in labor costs. In addition, staff estimates that associated travel costs, clerical, and other support
services will total approximately $20,000 per year. Thus, the annualized approximate cost to the
Commission is $380,000.

(15) Program Changes or Adjustments
There are no program changes. The differences in burden estimates from the prior
clearance reflect updates in the estimated number of financial institutions and motor vehicle
dealers subject to the Rule.
As part of this renewal, the FTC has revised its Information Collection List to better reflect
the organization and information burden of the Rule. As explained in Section 12, the FTC estimates
burden under the Rule separately for (a) motor vehicle dealers that are solely subject to FTC
authority and (b) non-motor vehicle dealer financial institutions for which the FTC and CFPB share
enforcement authority. To reflect this estimation method, the FTC has revised the Information
Collection List to list separate burden estimates for these categories of entities. Accordingly, the
revised Information Collection list includes the following Information Collections:
Established Financial Institutions: (1) Review of GLBA-implementing policies and
practices; (2) Dissemination of initial notices to new customers; (3) Dissemination of annual
disclosure; and (4) Changes to privacy policies & related disclosures.
Established Motor Vehicle Dealers: (1) Review of GLBA-implementing policies and
practices; (2) Dissemination of initial notices to new customers; (3) Dissemination of annual
disclosure; and (4) Changes to privacy policies & related disclosures.
New Entrant Financial Institutions: (1) Review of internal policies in developing GLBA-implementing instructions; (2) Creation of disclosure documents; and (3) Dissemination of
initial disclosures.
New Entrant Motor Vehicle Dealers: (1) Review of internal policies in developing GLBA-implementing instructions; (2) Creation of disclosure documents; and (3) Dissemination of
initial disclosures.

(16) Statistical Use of Information
There are no plans to publish information associated with the Rule’s requirements for
statistical use.

(17) Display of Expiration Date for OMB Approval
Not applicable.

(18) Exceptions to Certification
The FTC certifies that this collection of information is consistent with the requirements
of 5 CFR 1320.9, and the related provisions of 5 CFR 1320.8(b)(3), and is not seeking an
exemption to these certification requirements.

File Type: application/pdf
File Title: Microsoft Word - Privacy Rule Supporting Statement 2020 (10.17.2020).docx
Author: kwright
File Modified: 2020-11-05
File Created: 2020-11-05
