Skip to Content

Notice

Agency Information Collection Activities; Proposed Collection; Comment Request; Extension

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble

AGENCY:

Federal Trade Commission (“Commission” or “FTC”).

ACTION:

Notice.

SUMMARY:

The information collection requirements described below will be submitted to the Office of Management and Budget (“OMB”) for review, as required by the Paperwork Reduction Act (“PRA”). The FTC is seeking public comments on its proposal to extend through October 31, 2014, the current PRA clearance for information collection requirements contained in the Commission's Gramm-Leach-Bliley Financial Privacy Rule (“GLB Privacy Rule” or “Rule”). The current clearance expires on October 31, 2011.

DATES:

Comments must be submitted on or before July 11, 2011.

ADDRESSES:

Interested parties may file a comment online or on paper, by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Write: “FTC File No. P085405” on your comment, and file your comment online at https://ftcpublic.commentworks.com/​ftc/​glbprivacyrulepra by following the instructions on the Web-based form. If you prefer to file your comment on paper, mail or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex J), 600 Pennsylvania Avenue, NW., Washington, DC 20580.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

Katherine White, Attorney, Division of Privacy and Identity Protection, Bureau of Consumer Protection, (202) 326-2252, Federal Trade Commission, 600 Pennsylvania Avenue, NW., Washington, DC 20580.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

Under the PRA, 44 U.S.C. 3501-3521, Federal agencies must obtain approval from OMB for each collection of information they conduct or sponsor. “Collection of information” means agency requests or requirements that members of the public submit reports, keep records, or provide information to a third party. 44 U.S.C. 3502(3), 5 CFR 1320.3(c). As required by section 3506(c)(2)(A) of the PRA, the FTC is providing this opportunity for public comment before requesting that OMB extend the existing clearance for the GLB Privacy Rule, 16 CFR Part 313 (OMB Control Number 3084-0121).

The FTC invites comments on: (1) Whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility; (2) the accuracy of the agency's estimate of the burden of the proposed collection of information, including the validity of the methodology and assumptions used; (3) ways to enhance the quality, utility, and clarity of the information to be collected; and (4) ways to minimize the burden of the collection of information on those who are to respond, including through the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submission of responses.

The GLB Privacy Rule is designed to ensure that customers and consumers, subject to certain exceptions, will have access to the privacy policies of the financial institutions with which they conduct business. As mandated by the Gramm-Leach-Bliley Act, 15 U.S.C. 6801-6809, the Rule requires financial institutions to disclose to consumers: (1) Initial notice of the financial institution's privacy policy when establishing a customer relationship with a consumer and/or before sharing a consumer's non-public personal information with certain nonaffiliated third parties; (2) notice of the consumer's right to opt out of information sharing with such parties; (3) annual notice of the institution's privacy policy to any continuing customer; and (4) notice of changes in the institution's practices on information sharing. These requirements are subject to the PRA. The Rule does not require recordkeeping.

The FTC, together with the Federal financial agencies,[1] adopted a model privacy form that financial institutions may rely on as a safe harbor to provide disclosures under the privacy rules. The model privacy form was available for use beginning in January 2010 and, as of January 1, 2011, is the only safe harbor available for compliance with the privacy rules. 74 FR 62890 (Dec. 1, 2009).

In order to ease the burden on entities that wanted to adopt the new model privacy form, the agencies developed an “Online Form Builder” that an entity can download and use to develop and print customized versions of a model Start Printed Page 27646consumer privacy notice. The Online Form Builder is available with several options. Easy-to-follow instructions for the form builder will guide an institution to select the version of the model form that fits its practices, such as whether the institution provides an opt-out for consumers. The agencies announced the availability of this tool on April 15, 2010: http://www.ftc.gov/​opa/​2010/​04/​glb.shtm.

Estimated annual hours burden: As noted in previous burden estimates for the GLB Privacy Rule, determining the PRA burden of the Rule's disclosure requirements is very difficult because of the highly diverse group of affected entities, consisting of financial institutions not regulated by a Federal financial regulatory agency. See 15 U.S.C. 6805 (committing to the Commission's jurisdiction entities that are not specifically subject to another agency's jurisdiction).

The burden estimates represent the FTC staff's best assessment, based on its knowledge and expertise relating to the financial institutions subject to the Commission's jurisdiction under this law. To derive these estimates, staff considered the wide variations in covered entities. In some instances, covered entities may make the required disclosures in the ordinary course of business, apart from the GLB Privacy Rule. In addition, some entities may use highly automated means to provide the required disclosures, while others may rely on methods requiring more manual effort. The burden estimates shown below include the time that may be necessary to train staff to comply with the regulations. These figures are averages based on staff's best estimate of the burden incurred over the broad spectrum of covered entities.

Staff retains its prior estimate of the number of entities each year that will address the GLB Privacy Rule for the first time (5,000) and its estimate of established entities already familiar with the Rule (100,000). While the number of established entities familiar with the Rule would theoretically increase each year with the addition of new entrants, staff retains its previous estimate of established entities given that a number of the established entities will close in any given year, and also given the difficulty of establishing a more precise estimate.

The combined effect of the availability of the model privacy form and the Online Form Builder has caused the FTC to revise its previous hourly burden estimates. Staff believes that the model form and form builder reduces the hours per new entrant respondent required for “Creating disclosure document or electronic disclosure (including initial, annual, and opt out disclosures).” In the FTC's 2008 clearance request, staff estimated 5 hours of clerical time and 10 hours of professional/technical time for this category. Staff now believes that the adoption of the model privacy form and the availability of the form builder simplify and automate much of this work, reducing the time needed to create the disclosure documents to 1 hour of clerical time and 2 hours of professional/technical time, a total savings of 12 burden hours per new entrant. If all 5,000 new entrants were to use the model privacy form and form builder, an estimated 60,000 hours would be saved.

Similarly, the FTC is adjusting its previous estimates of the burden hours for established entities. The 2008 PRA clearance for the privacy rule estimated 15 hours of clerical time and 5 hours of professional/technical time associated with “Changes to privacy policies and related disclosures” for approximately 1,000 established entity respondents, based on staff's assumption that no more than 1% of the estimated 100,000 established entity respondents would make additional changes to privacy policies at any time other than the occasion of the annual notice; thus, 1,000 entities. Staff believes the adoption of the model privacy form and the availability of the Online Form Builder reduces the time associated with the modification of the notices to 7 hours of clerical time and 3 hours of professional/technical time, a reduction of 10 hours per respondent. If all 1,000 established entities were to use the model form and the Online Form Builder, 10,000 hours would be saved.

The complete burden estimates for new entrants and established entities are detailed in the charts below.

Start-up hours and labor costs for new entrants:

EventHourly wage and labor category *Hours per respondentApprox. number of respondentsApprox. total annual hrs.Approx. total labor costs
Reviewing internal policies and developing GLBA-implementing instructions **$34.35 Managerial/professional205,000100,000$3,435,000
Creating disclosure document or electronic disclosure (including initial, annual, and opt out disclosures)$15.84 Clerical15,0005,00079,200
$35.98 Professional/technical210,000359,800
Disseminating initial disclosure (including opt out notices)$15.84 Clerical155,00075,0001,188,000
$35.98 Professional/technical1050,0001,799,000
Total240,0006,861,000
* Staff calculated labor costs by applying appropriate hourly cost figures to burden hours. The hourly rates used were based on mean wages for managerial/professional time (e.g., compliance evaluation and/or planning), professional/technical time (e.g., designing and producing notices, reviewing and updating information systems), and clerical time (e.g., reproduction tasks, filing, and, where applicable to the given event, typing or mailing). See BLS National Compensation Survey: Occupational Earnings in the United States, 2009, Table 1, available at http://www.bls.gov/​ncs/​ocs/​sp/​nctb1344.pdf (Management occupations; office and administrative support occupations) and BLS Occupational Employment and Wages—May 2009, Table 3, available at http://www.bls.gov/​news.release/​pdf/​ocwage.pdf (Professional, scientific, and technical services). Labor cost totals reflect solely that of the commercial entities affected. Staff assumes that the time required of consumers to respond affirmatively to respondents' opt-out programs (be it manually or electronically) would be minimal.
** Reviewing instructions includes all efforts performed by or for the respondent to: determine whether and to what extent the respondent is covered by an agency collection of information, understand the nature of the request, and determine the appropriate response (including the creation and dissemination of document and/or electronic disclosures).
Start Printed Page 27647

Burden hours and costs for established entities:

Burden for established entities already familiar with the Rule predictably would be less than for start-up entities because start-up costs, such as crafting a privacy policy, are generally one-time costs and have already been incurred. Staff's best estimate of the average burden for these entities is as follows:

EventHourly wage and labor category *Hours per respondentApprox. number of respondents **Approx. total annual hrs.Approx. total labor costs
Reviewing GLBA-implementing policies and practices$34.35 Managerial/professional470,000280,000$9,618,000
Disseminating annual disclosure$15.84 Clerical1570,0001,050,00016,632,000
$35.98 Professional/technical5350,00012,593,000
Changes to privacy policies and related disclosures$15.84 Clerical71,0007,000110,880
$35.98 Professional/technical33,000107,940
Total1,690,00039,061,820
* Staff calculated labor costs by applying appropriate hourly cost figures to burden hours. The hourly rates used were based on mean wages for managerial/professional time (e.g., compliance evaluation and/or planning), professional/technical time (e.g., designing and producing notices, reviewing and updating information systems), and clerical time (e.g., reproduction tasks, filing, and, where applicable to the given event, typing or mailing). See BLS National Compensation Survey: Occupational Earnings in the United States, 2009, Table 1, available at http://www.bls.gov/​ncs/​ocs/​sp/​nctb1344.pdf (Management occupations; office and administrative support occupations) and BLS Occupational Employment and Wages—May 2009 Table 3, available at http://www.bls.gov/​news.release/​pdf/​ocwage.pdf (Professional, scientific, and technical services). Labor cost totals reflect solely that of the commercial entities affected. Consumers have a continuing right to opt-out, as well as a right to revoke their opt-out at any time. When a respondent changes its information sharing practices, consumers are again given the opportunity to opt-out. Again, staff assumes that the time required of consumers to respond affirmatively to respondents' opt-out programs (be it manually or electronically) would be minimal.
** The estimate of respondents is based on the following assumptions: (1) 100,000 respondents, approximately 70% of whom maintain customer relationships exceeding one year, (2) no more than 1% (1,000) of whom make additional changes to privacy policies at any time other than the occasion of the annual notice; and (3) such changes will occur no more often than once per year.

As calculated above, the total annual PRA burden hours and labor costs for all affected entities in a given year would be 1,930,000 hours and $45,922,820, respectively.

Estimated Capital/Other Non-Labor Costs Burden: Staff believes that capital or other non-labor costs associated with the document requests are minimal. Covered entities will already be equipped to provide written notices (e.g., computers with word processing programs, typewriters, copying machines, mailing capabilities). Most likely, only entities that already have on-line capabilities will offer consumers the choice to receive notices via electronic format. As such, these entities will already be equipped with the computer equipment and software necessary to disseminate the required disclosures via electronic means.

Request For Comment: You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before July 11, 2011. Write “Paperwork Comment: FTC File No. P085405” on your comment. Your comment—including your name and your state—will be placed on the public record of this proceeding, including, to the extent practicable, on the public Commission Web site, at http://www.ftc.gov/​os/​publiccomments.shtm. As a matter of discretion, the Commission tries to remove individuals' home contact information from comments before placing them on the Commission Web site.

Because your comment will be made public, you are solely responsible for making sure that your comment doesn't include any sensitive personal information, like anyone's Social Security number, date of birth, driver's license number or other state identification number or foreign country equivalent, passport number, financial account number, or credit or debit card number. You are also solely responsible for making sure that your comment doesn't include any sensitive health information, like medical records or other individually identifiable health information. In addition, don't include any “[t]rade secret or any commercial or financial information which is obtained from any person and which is privileged or confidential. * * *,” as provided in Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). In particular, don't include competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.

If you want the Commission to give your comment confidential treatment, you must file it in paper form, with a request for confidential treatment, and you have to follow the procedure explained in FTC Rule 4.9(c), 16 CFR 4.9(c).[2] Your comment will be kept confidential only if the FTC General Counsel, in his or her sole discretion, grants your request in accordance with the law and the public interest.

Postal mail addressed to the Commission is subject to delay due to heightened security screening. As a result, we encourage you to submit your comments online, or to send them to the Commission by courier or overnight service. To make sure that the Commission considers your online comment, you must file it at https://ftcpublic.commentworks.com/​ftc/​glbprivacyrulepra, by following the instructions on the Web-based form. If this Notice appears at http://www.regulations.gov/​#!home, you also may file a comment through that Web site.

If you file your comment on paper, write “Paperwork Comment: FTC File No. P085405” on your comment and on the envelope, and mail or deliver it to the following address: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex J), 600 Pennsylvania Avenue, NW., Washington, DC 20580. If possible, submit your paper comment to the Commission by courier or overnight service.Start Printed Page 27648

Visit the Commission Web site at http://www.ftc.gov to read this Notice and the news release describing it. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before July 11, 2011. You can find more information, including routine uses permitted by the Privacy Act, in the Commission's privacy policy, at http://www.ftc.gov/​ftc/​privacy.htm.

Start Signature

Willard K. Tom,

General Counsel.

End Signature End Supplemental Information

Footnotes

1.  Board of Governors of the Federal Reserve System, Commodity Futures Trading Commission Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision, and the Securities and Exchange Commission.

Back to Citation

2.  In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule 4.9(c), 16 CFR 4.9(c).

Back to Citation

[FR Doc. 2011-11686 Filed 5-11-11; 8:45 am]

BILLING CODE 6750-01-P