In April, the Federal Trade Commission (FTC) published in the Federal Register its proposed amendments to the 2000 Privacy Rule and 2003 Safeguards Rule. The genesis of these amendments is based on the FTC’s enforcement experience, and are intended to keep pace with technological developments within the financial industry. The proposed revisions relevant to automotive lenders fall under the Gramm Leach Bliley Act (GLBA).
Changes to the Privacy Rule
Revisions to the Privacy Rule would result in two substantive changes:
- The scope and definition of “financial institution” was modified to include entities that are engaged in activities that are incidental to financial activities, to bring both rules into accordance with the CFPB’s Regulation P (Privacy of Consumer Financial Information).
- The annual privacy notice requirements were modified to implement statutory changes to the GLBA enacted by the Fixing America’s Surface Transportation Act (the FAST Act).
The FAST Act established that a financial institution is not required to provide an annual privacy notice under the Privacy Rule if it:
- only shares NPI with nonaffiliated third parties in a manner that does not require notice of an opt-out right to be provided to its customers; and,
- has not changed its privacy policies and practices with respect to the disclosure of NPI since it last provided a privacy notice to its customers.
The CFPB published a final rule to implement these statutory changes in September 2018. The FTC’s proposal would amend the annual notice requirements to bring it in line with the FAST Act and the CFPB regulations.