Voglio sapere a riguardo di…

Federal Register / Vol. 86, No. 234 / Thursday, December 9, 2021 / Rules and Regulations provides an exception under which financial institutions that meet certain conditions are not required to provide annual privacy notices to customers.

khammond on DSKJM1Z7X2PROD with RULES

B. The Privacy Notice Requirements As noted, the current Privacy Rule, as modified after Congress enacted the Dodd-Frank Act, requires motor vehicle dealers provide consumers with notices describing their privacy policies.
Specifically, it requires covered entities to provide an initial notice of these policies,13 and then provide a clear and conspicuous notice to customers that accurately reflects their privacy policies and practices not less than annually during the continuation of the customer relationship. 14
The rule requires that initial and annual notices inform customers of their right to opt out of the sharing of nonpublic personal information with some types of nonaffiliated third parties.15 For example, a customer has the right to opt out of allowing a motor vehicle dealer to sell her name and address to a nonaffiliated auto insurance company.16 On the other hand, a motor vehicle dealer is not required to allow consumers to opt out of the dealers sharing involving third-party service providers, joint marketing arrangements, maintenance and servicing of accounts, securitization, law enforcement and compliance, reporting to consumer reporting agencies, and certain other specified activities.17 Accordingly, if a motor vehicle dealer limits its sharing to uses that do not trigger opt-out rights, it may provide an annual privacy notice to its customers that does not include information regarding opt-out rights.
Motor vehicle dealers also may include in the annual privacy notice information about certain consumer optout rights related to affiliate sharing under the Fair Credit Reporting Act FCRA. First, section 603d2Aiii of the FCRA allows the sharing of a consumers information among affiliates, but only if the consumer is notified of such sharing and is given an opportunity to opt out.18 Section 503c4 of the GLBA and the Privacy Rule generally require motor vehicle dealers to incorporate any notifications and opt-out disclosures provided pursuant to section 603d2Aiii of the FCRA into their initial and annual privacy notices.19
13 15

U.S.C. 6803; 16 CFR 313.4.
U.S.C. 6803; 16 CFR 313.5a1.
15 15 U.S.C. 6802; 16 CFR 313.6a6.
16 16 CFR 313.10a.
17 15 U.S.C. 6802b2, 6802e; 16 CFR 313.13
313.15.
18 15 U.S.C. 1681ad2Aiii.
19 15 U.S.C. 6803c4; 16 CFR 313.6a7.
14 15

VerDate Sep<11>2014

16:33 Dec 08, 2021

Jkt 256001

In addition, section 624 of the FCRA
and the FTCs Affiliate Marketing Rule 20 provide that an affiliate of a motor vehicle dealer that receives certain information about a consumer from the dealer may not use that information for marketing purposes, unless the consumer is provided with an opportunity to opt out of that use.21
This requirement governs the use of information by an affiliate, not the sharing of information among affiliates, and thus is distinct from the affiliate sharing opt-out discussed above. The Affiliate Marketing Rule permits but does not require motor vehicle dealers to incorporate any opt-out disclosures provided under section 624 of the FCRA
and the Affiliate Marketing Rule into the initial and annual privacy notices required by the GLBA.22
Finally, 313.6a8 of the Privacy Rule requires the initial and annual notices briefly describe how motor vehicle dealers protect the nonpublic personal information they collect and maintain.23
II. Revision of the Privacy Rule On April 4, 2019, the Commission issued a notice of proposed rulemaking 24 setting forth amendments to the Privacy Rule the Proposed Amendments proposing three types of changes to the Privacy Rule: 1
Technical changes to the rule to correspond to the reduced scope of the rule due to Dodd-Frank Act changes, which primarily consist of removing references that do not apply to motor 20 16

CFR 680.1680.28.
U.S.C. 1681s-3. The FTCs Affiliate Marketing Rule applies to motor vehicle dealers.
See 77 FR 22201. The FTC also enforces the CFPBs Regulation Vs Affiliate Marketing Rule, 12 CFR
part 1022, subpart C, for other entities over which the FTC has enforcement authority under the FCRA.
22 16 CFR 680.23b.
23 16 CFR 313.6a8.
24 On June 24, 2015, the Commission published a notice of proposed rulemaking 2015 NPRM
proposing revisions to the Privacy Rule. NPRM, 80
FR 36267 June 24, 2015 available at https
www.federalregister.gov/documents/2015/06/24/
2015-14328/amendment-to-the-privacy-ofconsumer-financial-information-rule-under-thegramm-leach-bliley-act. First, the Commission proposed a number of changes to comport with the Dodd-Frank Act revision of GLBA, which transferred rulemaking authority for most financial institutions to the CFPB. The Commission also proposed amending the rule to allow motor vehicle dealers to notify their customers that a privacy notice is available online, under circumstances identical to those that had been adopted by the CFPB. Final Rule, 79 FR 64057 Oct. 28, 2014
available at https www.federalregister.gov/
documents/2014/10/28/2014-25299/amendment-tothe-annual-privacy-notice-requirement-under-thegramm-leach-bliley-act-regulation-p. The passage of the FAST Act rendered the Commissions proposed changes to the Privacy Rule moot because those changes, if adopted, would have been in conflict with the revised statute.
21 15

PO 00000

Frm 00045

Fmt 4700

Sfmt 4700

70021

vehicle dealers; 2 modifications to the annual privacy notice requirements to reflect the changes made to the GLBA by the FAST Act; and 3 a modification to the scope and definition of financial institution to include entities engaged in activities incidental to financial activities, which would bring the rule into accord with the CFPBs Regulation P. The Commission received four comments related to the proposed amendments, to which it responds below.25
A. Technical Changes To Correspond to Statutory Changes Resulting From the Dodd-Frank Act 1 Section 313.1b The proposed amendment to 313.1b narrowed the description of the scope of the Privacy Rule to those entities set forth in the Dodd-Frank Act: 26 Those predominantly engaged in the sale and servicing of motor vehicles or the leasing and servicing of motor vehicles, excluding those dealers that directly extend credit to consumers and do not routinely assign the extensions of credit to an unaffiliated third party. It also removed the reference in the rules scope to other persons, because the Commission no longer has rulemaking authority for the Privacy Rule over other persons. Finally, the Proposed Amendments eliminated from 313.1b the note indicating 1 the Privacy Rule does not modify, limit, or supersede the standards under the Health Insurance Portability and Accountability Act of 1996 HIPAA, and 2 if a financial institution that is an institution of higher education is in compliance with the Federal Educational Rights and Privacy Act FERPA and its implementing regulations, such institution shall be deemed in compliance with the Privacy Rule.
The Commission received two comments on these proposed changes.
One commenter asked why the rule would not cover dealers that directly extend credit to consumers.27 In response, the Commission notes the Dodd-Frank Act excludes these dealers from the Commissions rulemaking authority under the GLBA. The Commission continues to have enforcement authority over these dealers under Regulation P.
Another commenter, the National Association of Automobile Dealers 25 The Commission also received three comments that related to the Safeguards Rule 16 CFR part 314. Those comments are addressed in the final Safeguards Rule published elsewhere in this issue of the Federal Register.
26 12 U.S.C. 5519.
27 Yuxiang Hao comment 4.

E:FRFM09DER1.SGM

09DER1