AGENCY:
Federal Trade Commission (FTC or Commission).
ACTION:
Notice.
SUMMARY:
The information collection requirements described below will be submitted to the Office of Management and Budget (OMB) for review, as required by the Paperwork Reduction Act (PRA). The FTC seeks public comments on its proposal to extend through September 30, 2017, the current PRA clearance for information collection requirements contained in the Gramm-Leach-Bliley Financial Privacy Rule (GLB Privacy Rule or Rule), 16 CFR Part 313. That clearance expires on September 30, 2014.
DATES:
Comments must be received on or before August 18, 2014.
ADDRESSES:
Interested parties may file a comment online or on paper by following the instructions in the Request for Comments part of the SUPPLEMENTARY INFORMATION section below.
FOR FURTHER INFORMATION CONTACT:
Requests for copies of the collection of information and supporting documentation should be addressed to Jessica Lyon, Attorney, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Ave. NW., Drop Box 8232, Washington, DC 20580, (202) 326-2344.
SUPPLEMENTARY INFORMATION:
Background
The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act) substantially changed the federal legal framework for financial services providers. Among the changes, the Dodd-Frank Act transferred rulemaking authority for a number of consumer financial protection laws from seven Federal agencies, including the FTC, to the Bureau of Consumer Financial Protection (CFPB) as of July 21, 2011. This transfer to the CFPB included most provisions of Subtitle A of Title V of the Gramm-Leach-Bliley Act (GLB Act), with respect to financial institutions described in section 504 of the GLB Act. Pursuant to the GLB Act, only the FTC retains rulemaking authority for its GLB Privacy Rule, 16 CFR 313, for motor vehicle dealers predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both. The CFPB implemented its own regulations to enforce the Dodd-Frank provisions, including Privacy of Consumer Financial Information (Regulation P), 12 CFR 1016. Contemporaneous with that issuance, the CFPB and FTC each had submitted to OMB, and received its approval for, the agencies' respective burden estimates reflecting their overlapping enforcement jurisdiction. The FTC supplemented its estimates for the enforcement authority exclusive to it regarding the class of motor vehicle dealers noted above. Following the preliminary background information, the discussion in the Burden Statement below continues that analytical framework with appropriate updates or other revisions for instant purposes.
Public Law 111-203, 124 Stat. 1376 (2010).
See Dodd-Frank Act, at section 1029(a), (c).
See 76 FR 79025 (Dec. 21, 2011); Privacy of Consumer Financial Information (Regulation P), 12 CFR 1016, OMB Control Number 3170-0010.
Proposed Information Collection Activities
Under the Paperwork Reduction Act (PRA), 44 U.S.C. 3501-3520, federal agencies must get OMB approval for each collection of information they conduct, sponsor, or require. “Collection of information” means agency requests or requirements to submit reports, keep records, or provide information to a third party. 44 U.S.C. 3502(3); 5 CFR 1320.3(c). As required by section 3506(c)(2)(A) of the PRA, the FTC is providing this opportunity for public comment before requesting that OMB extend the existing PRA clearance for the information collection requirements associated with the Commission's GLB Financial Privacy Rule,16 CFR 313 (OMB Control Number 3084-0121).
The FTC invites comments on: (1) Whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility; (2) the accuracy of the agency's estimate of the burden of the proposed collection of information, including the validity of the methodology and assumptions used; (3) ways to enhance the quality, utility, and clarity of the information to be collected; and (4) ways to minimize the burden of the collection of information on those who are to respond. All comments must be received on or before August 18, 2014.
The GLB Privacy Rule is designed to ensure that customers and consumers, subject to certain exceptions, will have access to the privacy policies of the financial institutions with which they conduct business. As mandated by the Gramm-Leach-Bliley Act, 15 U.S.C. 6801-6809, the Rule requires financial institutions to disclose to consumers: (1) Initial notice of the financial institution's privacy policy when establishing a customer relationship with a consumer and/or before sharing a consumer's non-public personal information with certain nonaffiliated third parties; (2) notice of the consumer's right to opt out of information sharing with such parties; (3) annual notice of the institution's privacy policy to any continuing customer; and (4) notice of changes in the institution's practices on information sharing. These requirements are subject to the PRA. The Rule does not require recordkeeping. For PRA burden calculations the FTC has attributed to itself the burden for all motor vehicle dealers and then shares equally the remaining PRA burden with the CFPB for other types of financial institutions that both agencies have enforcement authority regarding the GLB Privacy Rule.
The CFPB has proposed amending Regulation P, to create an alternative delivery method for this annual disclosure, which financial institutions would be able to use under certain conditions. See 79 FR 27214 (May 13, 2014). Specifically, the CFPB proposes allowing financial institutions that do not engage in certain types of information-sharing activities to stop mailing an annual disclosure if they post the annual notices on their Web sites and meet certain other criteria. A financial institution would still be required to use the currently permitted delivery method if the institution, among other things, has changed its privacy practices or engages in information-sharing activities for which customers have a right to opt out.
GLB Privacy Rule Burden Statement
Estimated annual hours burden: 1,515,050 annual hours (FTC portion).
As noted in previous burden estimates for the GLB Privacy Rule, determining the PRA burden of the Rule's disclosure requirements is very difficult because of the highly diverse group of affected entities, consisting of financial institutions not regulated by a Federal financial regulatory agency. See 15 U.S.C. 6805 (committing to the Commission's jurisdiction entities that are not specifically subject to another agency's jurisdiction).
The burden estimates represent the FTC staff's best assessment, based on its knowledge and expertise relating to the financial institutions subject to the Commission's jurisdiction under this law. To derive these estimates, staff considered the wide variations in covered entities. In some instances, covered entities may make the required disclosures in the ordinary course of business, apart from the GLB Privacy Rule. In addition, some entities may use highly automated means to provide the required disclosures, while others may rely on methods requiring more manual effort. The burden estimates shown below include the time that may be necessary to train staff to comply with the regulations. These figures are averages based on staff's best estimate of the burden incurred over the broad spectrum of covered entities.
Staff estimates that the number of entities each year that will address the GLB Privacy Rule for the first time will be 5,000 and the number of established entities already familiar with the Rule will be 100,000. While the number of established entities familiar with the Rule would theoretically increase each year with the addition of new entrants, staff retains its estimate of established entities for each successive year given that a number of the established entities will close in any given year, and also given the difficulty of establishing a more precise estimate.
Staff believes that the usage of the model privacy form and the availability of the form builder simplify and automate much of the work associated with creating the disclosure documents for new entrants. Staff thus estimates 1 hour of clerical time and 2 hours of professional/technical time per new entrant.
For established entities, staff similarly believes that the usage of the model privacy form and the availability of the Online Form Builder reduces the time associated with the modification of the notices. Staff thus estimates 7 hours of clerical time and 3 hours of professional/technical time per respondent. Staff estimates that no more than 1% of the estimated 100,000 established-entity respondents would make additional changes to privacy policies at any time other than the occasion of the annual notice.
The complete burden estimates for new entrants and established entities are detailed in the charts below.
Start-Up Hours and Labor Costs for All New Entrants
[Table IA]
| Event | Hourly wage and labor category * | Hours per respondent | Approx. number of respondents | Approx. total annual hrs. | Approx. total labor costs |
|---|---|---|---|---|---|
| Reviewing internal policies and developing GLBA-implementing instructions. ** | $41.82 Professional/Technical | 20 | 5,000 | 100,000 | $4,182,000 |
| Creating disclosure document or electronic disclosure (including initial, annual, and opt out disclosures) | $16.78 Clerical | 1 | 5,000 | 5,000 | 83,900 |
| $41.82 Professional/Technical | 2 | 5,000 | 10,000 | 418,200 | |
| Disseminating initial disclosure (including opt out notices) | $16.78 Clerical | 15 | 5,000 | 75,000 | 1,258,500 |
| $41.82 Professional/Technical | 10 | 5,000 | 50,000 | 2,091,000 | |
| Total | 240,000 | 8,033,600 | |||
| * Staff calculated labor costs by applying appropriate hourly cost figures to burden hours. The hourly rates used were based on mean wages for Financial Examiners and for Office and Administrative Support, corresponding to professional/technical time (e.g., compliance evaluation and/or planning, designing and producing notices, reviewing and updating information systems), and clerical time (e.g., reproduction tasks, filing, and, where applicable to the given event, typing or mailing) respectively. See BLS Occupational Employment and Wages, May 2013, Table 1 at http://www.bls.gov/news.release/pdf/ocwage.pdf . Labor cost totals reflect solely that of the commercial entities affected. Staff estimates that the time required of consumers to respond affirmatively to respondents' opt-out programs (be it manually or electronically) would be minimal. | |||||
| ** Reviewing instructions includes all efforts performed by or for the respondent to: Determine whether and to what extent the respondent is covered by an agency collection of information, understand the nature of the request, and determine the appropriate response (including the creation and dissemination of documents and/or electronic disclosures). |
Burden Hours and Costs for All Established Entities (Table IB)
Burden for established entities already familiar with the Rule predictably would be less than for start up entities because start-up costs, such as crafting a privacy policy, are generally one-time costs and have already been incurred. Staff's best estimate of the average burden for these entities is as follows:
| Event | Hourly wage and labor category * | Hours per respondent | Approx. number of respondents ** | Approx. total annual hrs. | Approx. total labor costs |
|---|---|---|---|---|---|
| Reviewing GLBA-implementing policies and practices | $41.82 Professional/Technical | 4 | 70,000 | 280,000 | $11,709,600 |
| Disseminating annual disclosure | $16.78 Clerical | 15 | 70,000 | 1,050,000 | 17,619,000 |
| $41.82 Professional/Technical | 5 | 70,000 | 350,000 | 14,637,000 | |
| Changes to privacy policies and related disclosures | $16.78 Clerical | 7 | 1,000 | 7,000 | 117,460 |
| $41.82 Professional/Technical | 3 | 1,000 | 3,000 | 125,460 | |
| Total | 1,690,000 | 44,208,520 | |||
| * Staff calculated labor costs by applying appropriate hourly cost figures to burden hours. The hourly rates used were based on mean wages for Financial Examiners and for Office and Administrative Support, corresponding to professional/technical time (e.g., compliance evaluation and/or planning, designing and producing notices, reviewing and updating information systems), and clerical time (e.g., reproduction tasks, filing, and, where applicable to the given event, typing or mailing) respectively. See BLS Occupational Employment and Wages, May 2013, Table 1 at http://www.bls.gov/news.release/pdf/ocwage.pdf . Labor cost totals reflect solely that of the affected commercial entities. Consumers have a continuing right to opt out, as well as a right to revoke their opt-out at any time. When a respondent changes its information sharing practices, consumers are again given the opportunity to opt out. Again, staff assumes that the time required of consumers to respond affirmatively to respondents' opt-out programs (be it manually or electronically) would be minimal. | |||||
| ** The estimate of respondents is based on the following assumptions: (1) 100,000 established respondents, approximately 70% of whom maintain customer relationships exceeding one year, (2) no more than 1% (1,000) of whom make additional changes to privacy policies at any time other than the occasion of the annual notice; and (3) such changes will occur no more often than once per year. |
As calculated above, the total annual PRA burden hours and labor costs for all affected entities in a given year would be 1,930,000 hours and $52,242,120, respectively.
The FTC now carves out from these overall figures the burden hours and labor costs associated with motor vehicle dealers. This is because the CFPB does not enforce the GLB Privacy Rule for those types of entities. We estimate the following:
Annual Start-Up Hours and Labor Costs for New Entrants—Motor Vehicle Dealers Only
[Table IIA]
| Event | Hourly wage and labor category | Hours per respondent | Approx. number of respondents (Table IA inputs × 0.57) | Approx. total annual hrs. | Approx. total labor costs |
|---|---|---|---|---|---|
| Reviewing internal policies and developing GLBA-implementing instructions. ** | $41.82 Professional/Technical | 20 | 2,850 | 57,000 | $2,383,740 |
| Creating disclosure document or electronic disclosure (including initial, annual, and opt out disclosures) | $16.78 Clerical | 1 | 2,850 | 2,850 | 47,823 |
| $41.82 Professional/Technical | 2 | 2,850 | 5,700 | 238,374 | |
| Disseminating initial disclosure (including opt out notices) | $16.78 Clerical | 15 | 2,850 | 42,750 | 717,345 |
| $41.82 Professional/Technical | 10 | 2,850 | 28,500 | 1,191,870 | |
| Total | 136,800 | 4,579,152 | |||
| ** Multiply the number of respondents from the comparable table above on all new entrants by the following allocation (60,000/105,000) = 0.57. The number in the denominator represents the total of the FTC's existing GLB Rule estimates for new entrants (5,000) and established entities (100,000). The numerator represents an estimate of motor vehicle respondents. For this category, Commission staff relied on the following industry estimates: 17,635 new car dealers per National Automobile Dealers Association data (2013) and 35,000 independent/used car dealers per National Independent Automobile Dealers Association data (2012), respectively, multiplied by an added factor of 1.10 to cover for an unknown quantity of additional motor vehicle dealer types (motorcycles, boats, other recreational vehicles) also covered within the definition of “motor vehicle dealer” under section 1029(a) of the Dodd-Frank Act. |
Annual Burden Hours and Labor Costs for All Established Entities—Motor Vehicle Dealers Only
[Table IIB]
| Event | Hourly wage and labor category * | Hours per respondent | Approx. number of respondents ** (Table IB inputs × 0.57) | Approx. total annual hrs. | Approx. total labor costs |
|---|---|---|---|---|---|
| Reviewing GLBA-implementing policies and practices | $41.82 Professional/Technical | 4 | 39,900 | 159,600 | $6,674,472 |
| Disseminating annual disclosure | $16.78 Clerical | 15 | 39,900 | 598,500 | 10,042,830 |
| $41.82 Professional/Technical | 5 | 39,900 | 199,500 | 8,343,090 | |
| Changes to privacy policies and related disclosures | $16.78 Clerical | 7 | 570 | 3,990 | 66,952 |
| $41.82 Professional/Technical | 3 | 570 | 1,710 | 71,512 | |
| Total | 963,300 | 25,198,856 |
The FTC's portion of the annual hourly burden would be 1,100,100 hours + ((1,930,000-1,100,100)/2) = 1,515,050 annual hours. The FTC's portion of the annual cost burden would be $29,778,008 + $((52,242,120−29,778,008)/2) = $41,010,064.
Estimated Capital/Other Non-Labor Costs Burden
Staff believes that capital or other non-labor costs associated with the document requests are minimal. Covered entities will already be equipped to provide written notices (e.g., computers with word processing programs, typewriters, copying machines, mailing capabilities). Most likely, only entities that already have online capabilities will offer consumers the choice to receive notices via electronic format. As such, these entities will already be equipped with the computer equipment and software necessary to disseminate the required disclosures via electronic means.
Request for Comments
You can file a comment online or on paper. Write “Paperwork Comment: FTC File No. P085405” on your comment. Your comment—including your name and your state—will be placed on the public record of this proceeding, including, to the extent practicable, on the public Commission Web site, at http://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the Commission tries to remove individuals' home contact information from comments before placing them on the Commission Web site.
Because your comment will be made public, you are solely responsible for making sure that your comment does not include any sensitive personal information, such as a Social Security number, date of birth, driver's license number or other state identification number or foreign country equivalent, passport number, financial account number, or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, such as medical records or other individually identifiable health information. In addition, do not include any “[t]rade secret or any commercial or financial information which is . . . privileged or confidential,” as discussed in Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). In particular, do not include competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.
If you want the Commission to give your comment confidential treatment, you must file it in paper form, with a request for confidential treatment, and you must follow the procedure explained in FTC Rule 4.9(c), 16 CFR 4.9(c). Your comment will be kept confidential only if the FTC General Counsel, in his or her sole discretion, grants your request in accordance with the law and the public interest. Postal mail addressed to the Commission is subject to delay due to heightened security screening. As a result, the Commission encourages you to submit your comments online. To make sure that the Commission considers your online comment, you must file it at https://ftcpublic.commentworks.com/ftc/glbfinancialrulepra by following the instructions on the web-based form. If this Notice appears at http://www.regulations.gov,, you also may file a comment through that Web site.
If you file your comment on paper, write “Paperwork Comment: FTC File No. P085405” on your comment and on the envelope, and mail it to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC-5610, (Annex J), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610, (Annex J), Washington, DC 20024. If possible, submit your paper comment to the Commission by courier or overnight service.
Visit the Commission Web site at http://www.ftc.gov to read this Notice. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before August 18, 2014. You can find more information, including routine uses permitted by the Privacy Act, in the Commission's privacy policy, at http://www.ftc.gov/ftc/privacy.htm.
David C. Shonka,
Principal Deputy General Counsel.
[FR Doc. 2014-14326 Filed 6-18-14; 8:45 am]
BILLING CODE 6750-01-P