The Federal Trade Commission (FTC) amended its Privacy Rule to (i) modify the definition of “financial institution” and “federal functional regulator” and (ii) update the Rule’s annual privacy notice requirement. The FTC’s Privacy Rule requires motor vehicle dealers to provide consumers with notices describing their privacy policies. Specifically, the amendments to the Rule includes:
- Narrowed the scope of entities in the Privacy Rule to align with the Dodd-Frank Act. The Dodd-Frank Act described those entities as “those predominantly engaged in the sale and servicing of motor vehicles or the leasing and servicing of motor vehicles, excluding those dealers that directly extend credit to consumers and do not routinely assign the extensions of credit to an unaffiliated third party.” The Rule also removed reference to “other persons”.
- Modified the annual privacy notice delivery requirements by adding an exception to the general annual privacy notice requirements. The exception states that an annual notice is not required if (1) the financial institution has shared nonpublic personal information only in accordance with the provisions of §§ 313.13 (Exception to opt out requirements for service providers and joint marketing) , 313.14 (Exceptions to notice and opt out requirements for processing and servicing transactions), and 313.15 (Other exceptions to notice and opt out requirements0, none of which require an opt-out opportunity be provided to customers; and (2) the financial institution’s disclosure policies and practices remain unchanged from the most recent privacy notice. Additionally, this exception describes the timing for resuming delivery of the annual notice if a financial institution no longer met requirements for the exception. This exception was adopted from the FAST Act.
- Modified the definition of “financial institution” to align with Regulation P and the definition now includes any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities.
- Added the CFPB to the list of law enforcement agencies to which financial institutions are permitted to share information to the extent permitted by law.
The amendments are effective January 10, 2022. The Federal Register of the final rule can be found here.