Skip to content
LexBuild

Agency Information Collection Activities; Submission for OMB Review; Comment Request 

---
identifier: "/us/fr/2017-22334"
source: "fr"
legal_status: "authoritative_unofficial"
title: "Agency Information Collection Activities; Submission for OMB Review; Comment Request"
title_number: 0
title_name: "Federal Register"
section_number: "2017-22334"
section_name: "Agency Information Collection Activities; Submission for OMB Review; Comment Request"
positive_law: false
currency: "2017-10-16"
last_updated: "2017-10-16"
format_version: "1.1.0"
generator: "[email protected]"
agency: "Federal Trade Commission"
document_number: "2017-22334"
document_type: "notice"
publication_date: "2017-10-16"
agencies:
  - "Federal Trade Commission"
fr_citation: "82 FR 48081"
fr_volume: 82
comments_close_date: "2017-11-15"
fr_action: "Notice and request for comment."
---

#  Agency Information Collection Activities; Submission for OMB Review; Comment Request

**AGENCY:**

Federal Trade Commission.

**ACTION:**

Notice and request for comment.

**SUMMARY:**

In compliance with the Paperwork Reduction Act (PRA) of 1995, the Federal Trade Commission (“FTC” or “Commission”) is seeking public comments on its request to the Office of Management and Budget (“OMB”) for a three-year extension of the current PRA clearance for the information collection requirements contained in the Gramm-Leach-Bliley Financial Privacy Rule (GLB Privacy Rule). That clearance expires on October 31, 2017.

**DATES:**

Comments must be received by November 15, 2017.

**ADDRESSES:**

Interested parties may file a comment online or on paper by following the instructions in the Request for Comments part of the *SUPPLEMENTARY INFORMATION* section below. Write “Privacy Rule: Paperwork Comment: FTC File No. P085405” on your comment, and file your comment online at *https://ftcpublic.commentworks.com/ftc/glbfinancialrulepra2* by following the instructions on the web-based form. If you prefer to file your comment on paper, mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC-5610 (Annex J), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex J), Washington, DC 20024.

Comments on the information collection requirements subject to review under the PRA should additionally be submitted to OMB. If sent by U.S. mail, they should be addressed to Office of Information and Regulatory Affairs, Office of Management and Budget, Attention: Desk Officer for the Federal Trade Commission, New Executive Office Building, Docket Library, Room 10102, 725 17th Street NW., Washington, DC 20503. Comments sent to OMB by U.S. postal mail-are subject to delays due to heightened security precautions. Thus, comments can also be sent via email to *[email protected].*

**FOR FURTHER INFORMATION CONTACT:**

Requests for additional information or copies of the proposed information requirements should be addressed to David Lincicum, Attorney, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Ave. NW., Drop Box 8232, Washington, DC 20580, (202) 326-2773.

**SUPPLEMENTARY INFORMATION:**

*Title:* GLB Privacy Rule (officially titled Privacy of Consumer Financial Information Rule), 16 CFR part 313.

*OMB Control Number:* 3084-0121.

*Type of Review:* Extension of a currently approved collection.

*Abstract:* The Privacy Rule is designed to ensure that customers and consumers, subject to certain exceptions, will have access to the privacy policies of the financial institutions with which they conduct business. As mandated by the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. 6801-6809, the Rule requires financial institutions to disclose to consumers: (1) Initial notice of the financial institution's privacy policy when establishing a customer relationship with a consumer and/or before sharing a consumer's non-public personal information with certain nonaffiliated third parties; (2) notice of the consumer's right to opt out of information sharing with such parties; (3) annual notice of the institution's privacy policy to any continuing customer; [^1] and (4) notice of changes in the institution's practices on information sharing. These requirements are subject to the PRA. The Rule does not require recordkeeping. For PRA burden calculations the FTC has attributed to itself the burden for all motor vehicle dealers that do not routinely extend credit to consumers directly without assigning the credit to unaffiliated third parties (hereafter, motor vehicle dealers), and then shares equally the remaining PRA burden with the CFPB for other types of financial institutions over which both agencies have enforcement authority. *See* 12 U.S.C. 5519.

[^1] On December 4, 2015, Congress amended the GLBA as part of the Fixing America's Surface Transportation Act (FAST Act). This amendment, titled Eliminate Privacy Notice Confusion (FAST Act, Pub. L. 114094, section 75001) added new GLBA section 503(f). This subsection provides an exception under which financial institutions that meet certain conditions are not required to provide annual privacy notices to customers. Section 503(f) requires that to qualify for this exception, a financial institution must not share nonpublic personal information about customers except as described in certain statutory exceptions, under which sharing does not trigger a customer's statutory right to opt out of the sharing. In addition, section 503(f)(2) requires that the financial institution must not have changed its policies and practices with regard to disclosing nonpublic personal information from those that the institution disclosed in the most recent privacy notice the customer received.

On July 7, 2017, the Commission sought comment on the Rule's information collection requirements. [^2] The Commission did not receive any germane comments. As required by OMB regulations, 5 CFR 1320, the FTC is providing this second opportunity for public comment.

[^2]*See* FR 31604 (60-Day *Federal Register* Notice).

**Privacy Rule Burden Statement**

*Estimated annual hours burden:* 1,725,600 annual hours (FTC portion).

As noted in previous burden estimates for the Privacy Rule, determining the PRA burden of the Rule's disclosure requirements is very difficult because of the highly diverse group of affected entities, consisting of financial institutions not regulated by a Federal financial regulatory agency. *See* 15 U.S.C. 6805 (committing to the Commission's jurisdiction entities that are not specifically subject to another agency's jurisdiction).

The burden estimates represent the FTC staff's best assessment, based on its knowledge and expertise relating to the financial institutions subject to the Commission's jurisdiction under this law. To derive these estimates, staff considered the wide variations in covered entities. In some instances, covered entities may make the required disclosures in the ordinary course of business, apart from the Privacy Rule. In addition, some entities may use highly automated means to provide the required disclosures, while others may rely on methods requiring more manual effort. The burden estimates shown below include the time that may be necessary to train staff to comply with the regulations. These figures are averages based on staff's best estimate of the burden incurred over the broad spectrum of covered entities.

Staff estimates that the number of entities each year that will address the Privacy Rule for the first time will be 5,000 and the number of established entities already familiar with the Rule will be 100,000. While the number of established entities familiar with the Rule would theoretically increase each year with the addition of new entrants, staff retains its estimate of established entities for each successive year given that a number of the established entities will close in any given year, and also given the difficulty of establishing a more precise estimate.

Staff believes that the usage of the model privacy form and the availability of the form builder simplify and automate much of the work associated with creating the disclosure documents for new entrants. Staff thus estimates 1 hour of clerical time and 2 hours of professional/technical time per new entrant.

For established entities, staff similarly believes that the usage of the model privacy form and the availability of the Online Form Builder reduces the time associated with the modification of the notices. Staff thus estimates 7 hours of clerical time and 3 hours of professional/technical time per respondent. Staff estimates that no more than 1% of the estimated 100,000 established-entity respondents would make additional changes to privacy policies at any time other than the occasion of the annual notice. Furthermore, under Section 503(f), businesses who have not changed their privacy notice since the last notice sent and who do not share information with  non-affiliated third parties outside of certain statutory exceptions do not have to issue annual notices to their customers. Staff estimates that at least 80% of businesses covered by the rule will, accordingly, not be required to issue annual notices.

The complete burden estimates for new entrants and established entities are detailed in the charts below.

| Event | Hourly wage and labor category * | Hours per | Approximate number of | Approximate total annual hours | Approximate total labor costs |
| --- | --- | --- | --- | --- | --- |
| Reviewing internal policies and developing GLB Act-implementing instructions ** | $42.76 Professional/Technical | 20 | 5,000 | 100,000 | $4,276,000 |
| Creating disclosure document or electronic disclosure (including initial, annual, and opt-out disclosures) | $17.91 Clerical | 1 | 5,000 | 5,000 | 89,550 |
| Disseminating initial disclosure (including opt-out notices) | $17.91 Clerical | 15 | 5,000 | 75,000 | 1,343,250 |
| Total |  |  |  | 240,000 | 8,274,400 |

Burden for established entities already familiar with the Rule predictably would be less than for startup entities because start-up costs, such as crafting a privacy policy, are generally one-time costs and have already been incurred. Staff's best estimate of the average burden for these entities is as follows:

| Event | Hourly wage and labor category * | Hours per | Approximate number of | Approximate total annual hrs. | Approximate total labor costs |
| --- | --- | --- | --- | --- | --- |
| Reviewing GLB Act-implementing policies and practices | $42.76 Professional/Technical | 4 | 100,000 | 400,000 | $17,104,000 |
| Disseminating initial notices to new customers | $17.91 Clerical | 15 | 100,000 | 1,500,000 | 26,865,000 |
| Disseminating annual disclosure to pre-existing customers | $17.91 Clerical | 15 | 14,000 | 210,000 | 3,761,100 |
| Changes to privacy policies and related disclosures | $17.91 Clerical | 7 | 1,000 | 7,000 | 125,370 |
| Total |  |  |  | 2,190,000 | 50,976,950 |

As calculated above, the total annual PRA burden hours and labor costs for all affected entities in a given year would be 2,430,000 hours and $59,251,350, respectively.

The FTC now carves out from these overall figures the burden hours and labor costs associated with motor vehicle dealers. This is because the CFPB does not enforce the Privacy Rule for those types of entities. We estimate the following:

| Event | Hourly wage and labor category | Hours per | Approximate number of | Approximate total annual hrs. | Approximate total labor costs |
| --- | --- | --- | --- | --- | --- |
| Reviewing internal policies and developing GLB Act-implementing instructions ** | $42.76 Professional/Technical | 20 | 2,100 | 42,000 | $21,795,920 |
| Creating disclosure document or electronic disclosure (including initial, annual, and opt -out disclosures) | $17.91 Clerical | 1 | 2,100 | 2,100 | 37,611 |
| Disseminating initial disclosure (including opt-out notices) | $17.91 Clerical | 15 | 2,100 | 31,500 | 564,165 |
| Total |  |  |  | 100,800 | 3,475,248 |

| Event | Hourly wage and labor category * | Hours per | Approximate number of | Approximate total annual hrs. | Approximate total labor costs |
| --- | --- | --- | --- | --- | --- |
| Reviewing GLB Act-implementing policies and practices | $42.76 Professional/Technical | 4 | 42,000 | 168,600 | $7,209,336 |
| Disseminating initial notices to new customers | $17.91 Clerical | 15 | 42,000 | 630,000 | 11,283,300 |
| Disseminating annual disclosure | $17.91 Clerical | 15 | 5,880 | 88,200 | 1,579,662 |
| Changes to privacy policies and related disclosures | $17.91 Clerical | 7 | 420 | 2,940 | 52,655 |
| Total |  |  |  | 920,400 | 21,435,975 |

The FTC's portion of the annual hourly burden would be 1,021,200 + ((2,430,000−1,021,200)/2) = 1,725,600 annual hours. The FTC's portion of the annual cost burden would be $24,911,223 + $((59,251,350−24,911,223)/2) = $42,081,287.

**Estimated Capital/Other Non-Labor Costs Burden**

Staff believes that capital or other non-labor costs associated with the document requests are minimal. Covered entities will already be equipped to provide written notices ( *e.g.,* computers with word processing programs, copying machines, mailing capabilities). Most likely, only entities that already have online capabilities will offer consumers the choice to receive notices via electronic format. As such, these entities will already be equipped with the computer equipment and software necessary to disseminate the required disclosures via electronic means.

**Request for Comment**

You can file a comment online or on paper. For the FTC to consider your comment, we must receive it on or before November 15, 2017. Write “Privacy Rule: Paperwork Comment: FTC File No. P085405” on your comment. Your comment—including your name and your state—will be placed on the public record of this proceeding, including, to the extent practicable, on the public Commission Web site, at *http://www.ftc.gov/os/publiccomments.shtm.* As a matter of discretion, the Commission tries to remove individuals' home contact information from comments before placing them on the Commission Web site.

Postal mail addressed to the Commission is subject to delay due to heightened security screening. As a result, we encourage you to submit your comments online, or to send them to the Commission by courier or overnight service. To make sure that the Commission considers your online comment, you must file it at *https://ftcpublic.commentworks.com/ftc/glbfinancialrulepra2* by following the instructions on the web-based form. When this Notice appears at *http://www.regulations.gov,* you also may file a comment through that Web site.

If you file your comment on paper, write “Privacy Rule: Paperwork Comment: FTC File No. P085405” on your comment and on the envelope, and mail it to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC-5610 (Annex J), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610,  Washington, DC 20024. If possible, submit your paper comment to the Commission by courier or overnight service.

Comments on the information collection requirements subject to review under the PRA should additionally be submitted to OMB. If sent by U.S. mail, they should be addressed to Office of Information and Regulatory Affairs, Office of Management and Budget, Attention: Desk Officer for the Federal Trade Commission, New Executive Office Building, Docket Library, Room 10102, 725 17th Street NW., Washington, DC 20503. Comments sent to OMB by U.S. postal mail are subject to delays due to heightened security precautions. Thus, comments can also be sent via email to *[email protected].*

Because your comment will be placed on the publicly accessible FTC Web site at *https://www.ftc.gov/,* you are solely responsible for making sure that your comment does not include any sensitive or confidential information. In particular, your comment should not include any sensitive personal information, such as your or anyone else's Social Security number; date of birth; driver's license number or other state identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any “trade secret or any commercial or financial information which . . . is privileged or confidential”—as provided by Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)—including in particular competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.

Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled “Confidential,” and must comply with FTC Rule 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule 4.9(c). Your comment will be kept confidential only if the General Counsel grants your request in accordance with the law and the public interest. Once your comment has been posted on the public FTC Web site—as legally required by FTC Rule 4.9(b)—we cannot redact or remove your comment from the FTC Web site, unless you submit a confidentiality request that meets the requirements for such treatment under FTC Rule 4.9(c), and the General Counsel grants that request.

The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before November 15, 2017. For information on the Commission's privacy policy, including routine uses permitted by the Privacy Act, see *https://www.ftc.gov/site-information/privacy-policy.*

Christian S. White,

Acting General Counsel.