Opinion  Selected Opinions 01-080, 01-088

Applicability of FTC privacy regulations to collection agencies

June 25, 2001

Rozanne M. Andersen
Vice President and Corporate Counsel
American Collectors Association, Inc.
4040 West 70th Street
P.O. Box 39106
Minneapolis, MN 55439-0106

Dear Ms. Andersen,

This letter is in response to your correspondence dated April 30, 2001 to the Division of Banks (the "Division") relative to applicability of the Gramm-Leach-Bliley Act (the "GLBA") and the Federal Trade Commission's (the "FTC") privacy regulations to collection agency licensees.

According to your letter you are the Corporate Counsel to the American Collectors Association (the "ACA"). The ACA membership includes many collection agencies licensed within the Commonwealth of Massachusetts. The stated purpose of your letter is to provide the Division with information about the GLBA that would assist the Division in working with licensed collection agencies to comply with the privacy regulations.

Your letter generally describes the GLBA and the FTC's final rule and the applicability of the regulation to third party collection agencies. Your letter stated that although a collection agency falls under the definition of a financial institution, it was the ACA's interpretation that the FTC's privacy regulation do not apply to third party collection agencies. This determination was established from the interpretation of the definition of "customer relationship" in the FTC's final rule. The ACA contends that footnote 18 of the FTC's final rule, which states that "[a] consumer has a 'customer relationship' with a debt collector that purchases an account from the original creditor ..., but not with a debt collector that simply attempts to collect amounts owed to the creditor", would exclude third party collection agencies from the initial notice and opt-out disclosures of the regulation. The ACA, therefore, concludes that the lack of a "customer relationship" with the debtor would exclude collection agencies from the entire regulation since the customer relationship is an essential element in determining the applicability of the privacy regulations to a financial institution.

The Division has reviewed the positions raised in your letter and has studied the FTC's final rule. The Division agrees with the ACA that the FTC privacy regulations state that a traditional, third party collection agency does not establish a "customer relationship" with the debtor. The lack of this relationship, therefore, would, in effect, make the initial notice and opt-out disclosure requirements of the GLBA not applicable to these collection agencies. The Division, however, has determined that the ACA's general statement that the GLBA and the FTC's privacy regulations do not apply to collection agencies is over-broad. The lack of a "customer relationship", although exempting collection agencies from the initial notice and opt-out disclosure, does not make the entire GLBA non-applicable to a financial institution. The Division would conclude that, at a minimum, section 313.11 of the regulation would apply to collection agencies in their role in the collection of debt for financial institutions.

The FTC, in section 313.11, imposes limits on the redisclosure and reuse of nonpublic personal information that a nonaffiliated third party receives. The FTC's final rule establishes limitations on the redisclosure and reuse of nonpublic personal information that any nonaffiliated third party receives from a financial institution. As you are aware, in order to collect debts, third party collection agencies receive nonpublic personal information from financial institution creditors. Section 313.14 of the regulation creates an exception for collection agencies to receive nonpublic personal information because the disclosure of this information between a creditor and collection agency is "necessary to effect, administer, or enforce a transaction." The FTC established this broad exception for the disclosure of nonpublic personal information to nonaffiliated third parties in connection with the administration, processing, servicing and sale of a consumer's account. The FTC does not list the specific types of activities that would fall within the exception but does state that debt collection under certain circumstances "may be necessary to effect, administer, or effect a transaction." Section 313.11 of the FTC's privacy regulation, therefore, would apply to collection agencies and would limit the manner in which these licensees reuse and redisclose nonpublic personal information it receives in the course of collecting a debt.

The conclusions reached in this letter are based solely on the facts presented. Fact patterns which vary from that presented may result in a different position statement by the Division.

Sincerely,

Joseph. A. Leonard, Jr.
Deputy Commissioner of Banks
and General Counsel

June 25, 2001

Emil Hartleb
Executive Director
Commercial Collection Agency Association
P.0. Box 205
Cedar Grove, NJ 07009-0205

Dear Mr. Hartleb,

This letter is in response to your correspondence dated June 1, 2001 to the Division of Banks (the "Division") relative to applicability of the Gramm-Leach-Bliley Act (the "GLBA") and the Federal Trade Commission's (the "FTC") privacy regulations to collection agency licensees.

According to your letter, you are the Executive Director of Commercial Collection Agency Association (the "CCAA"). The CCAA's membership includes many collection agencies licensed within the Commonwealth of Massachusetts. The stated purpose of your letter is to receive a clarification of the Division's position regarding the specific compliance requirements of the privacy regulations to both commercial and consumer collection agencies.

The first request in your letter is for the Division to clarify its position with regards to the applicability of the privacy regulations to commercial collection agencies. Your letter stated it was the CCAA's interpretation that the FTC's privacy regulation does not apply to these types of collection agencies. The FTC's final rule states that the regulation applies only to information about individuals who obtain a financial product or service from a financial institution to be used for personal, family, or household purposes. The Division, therefore, would agree that commercial collection agencies would be exempt from this regulation because of the non-personal, family, or household nature of the financial product.

The second request in your letter is for the Division to clarify its position with regards to the applicability of the privacy regulations to consumer collection agencies. The FTC's final rule, as stated above, would apply only to financial institutions that provide financial services that are to be used for personal, family, or household purposes. The privacy regulations, therefore, would apply to consumer collection agencies. Your belief, as stated above, is that the FTC's privacy regulation do not apply to consumer third party collection agencies. This determination was established from the interpretation of the definition of "customer relationship" in the FTC's final rule. The CCAA contends that footnote 18 of the FTC's final rule, which states that "[a] consumer has a 'customer relationship' with a debt collector that purchases an account from the original creditor .., but not with a debt collector that simply attempts to collect amounts owed to the creditor", would exclude third party collection agencies from the initial notice and opt-out disclosures of the regulation. The CCAA, therefore, concludes that the lack of a "customer relationship" with the debtor would exclude collection agencies from the entire regulation since the customer relationship is an essential element in determining the applicability of the privacy regulations to a financial institution.

The Division has reviewed the positions raised in your letter and has studied the FTC's final rule. The Division agrees with the CCAA that the FTC privacy regulations state that a traditional, third party collection agency does not establish a "customer relationship" with the debtor. The lack of this relationship, therefore, would, in effect, make the initial notice and opt-out disclosure requirements of the GLBA not applicable to these collection agencies. The Division, however, has determined that the CCAA's general statement that the GLBA and the FTC's privacy regulations do not apply to consumer collection agencies is over-broad. The lack of a "customer relationship", although exempting consumer collection agencies from the initial notice and opt-out disclosure, does not make the entire GLBA non-applicable to a financial institution. The Division would conclude that, at a minimum, section 313.11 of the regulation would apply to consumer collection agencies in their role in the collection of debt for financial institutions.

The FTC, in section 313.11, imposes limits on the redisclosure and reuse of nonpublic personal information that a nonaffiliated third party receives. The FTC's final rule establishes limitations on the redisclosure and reuse of nonpublic personal information that any nonaffiliated third party receives from a financial institution. As you are aware, in order to collect debts, third party consumer collection agencies receive nonpublic personal information from financial institution creditors. Section 313.14 of the regulation creates an exception for consumer collection agencies to receive nonpublic personal information because the disclosure of this information between a creditor and collection agency is "necessary to effect, administer, or enforce a transaction." The FTC established this broad exception for the disclosure of nonpublic personal information to nonaffiliated third parties in connection with the administration, processing, servicing and sale of a consumer's account. The FTC does not list the specific types of activities that would fall within the exception but does state that debt collection under certain circumstances "may be necessary to effect, administer, or effect a transaction." Section 313.11 of the FTC's privacy regulation, therefore, would apply to consumer collection agencies and would limit the manner in which these licensees reuse and redisclose nonpublic personal information it receives in the course of collecting a debt.

The conclusions reached in this letter are based solely on the facts presented. Fact patterns which vary from that presented may result in a different position statement by the Division.

Sincerely,

Joseph. A. Leonard, Jr.
Deputy Commissioner of Banks
and General Counsel