Supporting Statement for the Rule Implementing the Privacy Provisions
of the Gramm-Leach-Bliley Act
16 C.F.R. Part 313
(OMB Control No. 3084-0121)
(1) & (2) Necessity for and Use of the Information Collection
The Gramm-Leach-Bliley Act (“GLBA” or the “Act”), Pub. L. No. 106-102, 113 Stat.
1338 (November 12, 1999), permits banks to affiliate with firms engaged in insurance, securities,
and other financial activities. Title V, Subtitle A of the GLBA (“Subtitle A”) provides certain
privacy protections to consumers. The Federal Trade Commission (“Commission”) is charged
with prescribing rules as necessary to implement the provisions of Subtitle A as to those entities
over which the Commission has enforcement jurisdiction.[1] Accordingly, the Commission
promulgated the Gramm-Leach-Bliley Financial Privacy Rule (“GLB Privacy Rule” or “Rule”).
As mandated by the GLBA, the Rule implements consumer disclosure requirements.
These requirements are subject to the provisions of the Paperwork Reduction Act, 44 U.S.C.
Chapter 35 (“PRA”). The required disclosures are: (1) initial notice of the financial institution’s
privacy policy when establishing a customer relationship with a consumer and/or before sharing
a consumer’s non-public personal information with certain nonaffiliated third parties; (2) notice
of the consumer’s right to opt out of information sharing with such parties; (3) annual notice of
the institution’s privacy policy to any continuing customer; and (4) notice of changes in the
institution’s practices on information sharing. The Rule does not include recordkeeping
requirements.
The Rule’s requirements are designed to ensure that customers and consumers, subject to
certain exceptions, will have access to the privacy policies of the financial institutions with
which they conduct business. The privacy policies must state: (a) the categories of nonpublic
personal information the financial institution collects; (b) the categories of nonpublic personal
information the financial institution discloses; (c) the categories of affiliates and nonaffiliated
third parties to whom the financial institution discloses such information; and (d) the financial
institution’s policies and practices with respect to protecting the confidentiality, security, and
integrity of the information. In certain situations, consumers will also be informed of the means
by which they can opt-out of financial institution sharing of their nonpublic personal information
with nonaffiliated third parties.
(3) Information Technology
The Rule gives explicit examples of electronic options that financial institutions may use
to transmit the privacy and opt-out notices required by the Rule. See, e.g., 16 C.F.R. § 313.9(b),
(c), (e). These electronic options help minimize the burden and cost of the Rule's information
collection requirements for financial institutions subject to the Rule, and are consistent with the
objectives of the Government Paperwork Elimination Act. See Pub. L. 105-277, Title XVII, 112
Stat. 2681, 2681-749, reprinted in 44 U.S.C. § 3504 note.
[1] 15 U.S.C. §§ 6804, 6805. Several other agencies were also required to issue rules with respect to
those entities over which they have enforcement jurisdiction.
(4) Efforts to Identify Duplication
Any inconsistent state notice requirement would be preempted by federal law unless it
provided greater protection. 15 U.S.C. § 6807. Further, the Rule provides, as required under 15
U.S.C. § 6803(c)(4), that the financial institution's initial and annual notices include any
disclosures required under Section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act, 15 U.S.C.
§ 1681a(d)(2)(A)(iii), thereby incorporating, but not duplicating, a pre-existing disclosure
obligation to consumers.
(5) Efforts to Minimize Small Organization Burden
The Commission has drafted the Rule to minimize the compliance burden as much as
possible. As noted above, the notice requirements are expressly mandated by the GLBA. The
Rule implements these requirements by providing guidance on the contents of such notices while
affording small businesses (and all other regulated businesses) some flexibility in choosing the
means to disseminate such notices. For example, the required notices may, depending upon the
circumstances, be disclosed by hand-delivery, conventional or electronic mail. 16 C.F.R.
§ 313.9(b)(1).
The GLBA Rule also gives regulated parties clear guidance on the contents of the
required notices. This guidance, staff believes, will help eliminate much of the administrative
and legal costs that might be incurred by businesses seeking to determine what must be included
in a notice in order to comply with the Rule.
(6) Consequences of Conducting Collection Less Frequently
A less frequent “collection” would violate both the express statutory language and intent
of the GLBA. See Sections 502(a) - (b), 503(a) of the GLBA.
(7) Circumstances Requiring Collection Inconsistent With Guidelines
The collection of information in the Rule is consistent with all applicable guidelines
contained in 5 C.F.R. § 1320.5(d)(2).
(8) Public Comments/Consultation Outside the Agency
The Commission initially sought public comment on the various aspects of the Rule,
including its PRA implications, in its notice of proposed rulemaking. See 65 Fed. Reg. 11,174,
11,188 (March 1, 2000). It addressed the comments received when it published the final version
of the Rule. 65 Fed. Reg. 33,646, 33,677 (May 24, 2000). As noted in the latter publication, the
Commission did not receive any comments that necessitated modifying the burden estimates
presented with the proposed rule. Moreover, as required by the GLBA, staff had consulted with
the other affected federal agencies on drafting the proposed rule, seeking to achieve clarity,
consistency, and comparability among their respective rules implementing the GLBA. See
section 504(a)(2) of the GLBA.
The FTC sought public comment on PRA aspects of the Rule, as required by 5 C.F.R.
1320.8(d). See 73 Fed. Reg. 17,980 (Apr. 2, 2008). No comments were received. The FTC is
providing a second opportunity for public comment while seeking OMB approval to extend the
existing PRA clearance for the Rule.
(9) Payments or Gifts to Respondents
Not applicable.
(10) & (11) Assurances of Confidentiality/Matters of a Sensitive Nature
The requirements for which the Commission seeks renewed OMB clearance do not
involve disclosure of confidential respondent or customer information but, rather, the disclosure
of financial institutions’ practices regarding collection and sharing of consumer and customer
nonpublic personal information. This is done with a view toward safeguarding consumer
privacy and/or enhancing their understanding of what nonpublic personal information
respondents may share with other institutions.
(12) Estimated Annual Hours Burden
As noted in the original burden estimate for the GLB Privacy Rule, determining the
paperwork burden of the Rule’s disclosure requirements is very difficult because of the highly
diverse group of affected entities, consisting of financial institutions not regulated by a federal
financial regulatory agency. See 15 U.S.C. 6805 (committing to the Commission's jurisdiction
entities that are not specifically subject to another agency’s jurisdiction).
The burden estimates represent the FTC staff’s best assessment, based on its knowledge
and expertise relating to the financial institutions subject to the Commission's jurisdiction under
this law. To derive these estimates, staff considered the wide variations in covered entities. In
some instances, covered entities may make the required disclosures in the ordinary course of
business, apart from the GLB Privacy Rule. In addition, some entities may use highly automated
means to provide the required disclosures, while others may rely on methods requiring more
manual effort. The burden estimates shown below include the time that may be necessary to
train staff to comply with the regulations. These figures are averages based on staff’s best
estimate of the burden incurred over the broad spectrum of covered entities.
Staff retains its prior estimate of the number of entities each year that will address the
GLB Privacy Rule for the first time (5,000) and its estimate of established entities already
familiar with the Rule (100,000). While the number of established entities familiar with the Rule
would theoretically increase each year with the addition of new entrants, staff retains its previous
estimate of established entities given that a number of the established entities will close in any
given year, and also given the difficulty of establishing a more precise estimate. Staff’s burden
estimates for new entrants and established entities are detailed in the charts below.
Start-up hours and labor costs for new entrants:

| Event | Hourly wage and labor category* | Hours per Respondent | Approx. Number of Respondents | Approx. Total Annual Hrs. | Approx. Total Labor Costs |
|---|---|---|---|---|---|
| Reviewing internal policies and developing GLBA-implementing instructions** | $31.66 managerial/professional | 20 | 5,000 | 100,000 | $3,166,000 |
| Creating disclosure document or electronic disclosure (including initial, annual, and opt out disclosures) | $14.71 clerical | 5 | 5,000 | 25,000 | $367,750 |
| | $32.82 professional/technical | 10 | | 50,000 | $1,641,000 |
| Disseminating initial disclosure (including opt out notices) | $14.71 clerical | 15 | 5,000 | 75,000 | $1,103,250 |
| | $32.82 professional/technical | 10 | | 50,000 | $1,641,000 |
| Total | | | | 300,000 | $7,919,000 |

* Staff calculated labor costs by applying appropriate hourly cost figures to burden hours. The hourly rates used were
based on mean wages for managerial/professional time (e.g., compliance evaluation and/or planning),
professional/technical time (e.g., designing and producing notices, reviewing and updating information systems), and
clerical time (e.g., reproduction tasks, filing, and, where applicable to the given event, typing or mailing). See BLS
National Compensation Survey, June 2006, Table 1, available at http://www.bls.gov/ncs/ocs/sp/ncbl0910.pdf
(Management, professional, and related; office and administrative support) and BLS Occupational Employment and
Wages 2006, Table 2, available at http://www.bls.gov/news.release/pdf/ocwage.pdf (professional, scientific, and technical
services - business and financial operations). Labor cost totals reflect solely that of the commercial entities affected. Staff
assumes that the time required of consumers to respond affirmatively to respondents’ opt-out programs (be it manually or
electronically) would be minimal.
** Reviewing instructions includes all efforts performed by or for the respondent to: determine whether and to what
extent the respondent is covered by an agency collection of information, understand the nature of the request, and
determine the appropriate response (including the creation and dissemination of document and/or electronic disclosures).
Burden hours and costs for established entities:
Burden for established entities already familiar with the Rule predictably would be less
than for start-up entities because start-up costs, such as crafting a privacy policy, are generally
one-time costs and have already been incurred. Staff’s best estimate of the average burden for
these entities is as follows:

| Event | Hourly wage and labor category* | Hours per Respondent | Approx. Number of Respondents** | Approx. Total Annual Hours | Approx. Total Labor Costs |
|---|---|---|---|---|---|
| Reviewing GLBA-implementing policies and practices | $31.66 managerial/professional | 4 | 70,000 | 280,000 | $8,864,800 |
| Disseminating annual disclosure | $14.71 clerical | 15 | 70,000 | 1,050,000 | $15,445,500 |
| | $32.82 professional/technical | 5 | | 350,000 | $11,487,000 |
| Changes to privacy policies and related disclosures | $14.71 clerical | 15 | 1,000 | 15,000 | $220,650 |
| | $32.82 professional/technical | 5 | | 5,000 | $164,100 |
| Total | | | | 1,700,000 | $36,182,050 |

* Staff calculated labor costs by applying appropriate hourly cost figures to burden hours; labor cost totals reflect solely that of the commercial
entities affected. The hourly rates used were based on mean wages for managerial/professional time (e.g., compliance evaluation and/or
planning), professional/technical time (e.g., designing and producing notices, reviewing and updating information systems), and clerical time
(e.g., reproduction tasks, filing, and, where applicable to the given event, typing or mailing). See BLS National Compensation Survey, June
2006, Table 1, available at http://www.bls.gov/ncs/ocs/sp/ncbl0910.pdf (Management, professional, and related; office and administrative
support) and BLS Occupational Employment and Wages 2006, Table 2, available at http://www.bls.gov/news.release/pdf/ocwage.pdf
(professional, scientific, and technical services - business and financial operations). Consumers have a continuing right to opt-out, as well as a
right to revoke their opt-out at any time. When a respondent changes its information sharing practices, consumers are again given the
opportunity to opt-out. Again, staff assumes that the time required of consumers to respond affirmatively to respondents’ opt-out programs (be it
manually or electronically) would be minimal.
** The estimate of respondents is based on the following assumptions: (1) 100,000 respondents, approximately 70% of whom maintain customer
relationships exceeding one year, (2) no more than 1% (1,000) of whom make additional changes to privacy policies at any time other than the
occasion of the annual notice; and (3) such changes will occur no more often than once per year.
As calculated above, the total annual PRA burden hours and labor costs for all affected
entities in a given year would be 2,000,000 hours and $44,101,000, respectively.
(13) Estimated Capital/Other Non-Labor Costs Burden
Staff estimates that the capital or other non-labor costs associated with the document
requests are minimal. Covered entities will already be equipped to provide written notices (e.g.,
computers with word processing programs, typewriters, copying machines, mailing capabilities).
Most likely, only entities that already have on-line capabilities will offer consumers the choice to
receive notices via electronic format. As such, these entities will already be equipped with the
computer equipment and software necessary to disseminate the required disclosures via
electronic means.
(14) Estimate of Cost to Federal Government
Over the course of the 3-year clearance period sought, enforcing and administering
Subtitle A of the GLBA will require the cumulative expenditure per year of approximately five
attorney/investigator work years (approximately $72,000 per employee) for a total of $360,000
in labor costs. In addition, staff estimates that associated travel costs, clerical, and other support
services will total approximately $20,000 per year. Thus, the annualized approximate cost to the
Commission relating to enforcing and administering Subtitle A and the implementing Rule is
$380,000.
(15) Program Changes or Adjustments
Staff has adjusted its various labor cost estimates regarding respondents based on more
recent data from the Bureau of Labor Statistics. Apart from labor costs, staff’s burden estimates
remain unchanged.
(16) Statistical Use of Information
There are no plans to publish information associated with the Rule’s requirements for
statistical use.
(17) Display of Expiration Date for OMB Approval
Not applicable.
(18) Exceptions to Certification
Not applicable.
File Type | application/pdf |
File Title | H:\GLB '08 SS.FIN_mtd.wpd |
Author | ggreenfield |
File Modified | 2008-06-25 |
File Created | 2008-06-25 |