MEMORANDUM OPINION
Before the Court are plaintiffs’ motions for summary judgment, defendants’ cross-motion for summary judgment, plaintiffs’ replies, defendants’ memorandum in support, plaintiffs’ supplemental memorandum, and defendants’ response thereto. Plaintiffs bring this action pursuant to the. Administrative Procedure Act (“APA”), 5 U.S.C. § 701, seeking judicial. review of regulations (the “Regulations”) that were promulgated by the defendant agencies to implement Title V, Subtitle A of the Gramm-Leach-Bliley Act, Pub.L. No. 106-102, 113 Stat. 1338 (1999) (codified as amended at 15 U.S.C.A. § 6801 'et seq. (2000)) (the “GLB Act”), which addresses the responsibility of financial institutions to protect the privacy of the personal financial information of their customers. Plaintiffs ask this Court to invalidate these Regulations and enjoin their enforcement.
Plaintiffs contend that the Regulations are both unlawful and unconstitutional. They argue that the Regulations are invalid for five reasons: a) the definition of “nonpublic personal information” in the Regulations contravenes the statutory requirement that only financial information is subject to the GLB Act; b) the Regulations constitute an impermissible regulation of non-financial institutions by the agencies; c) the Regulations contradict a provision of the GLB Act that exempts consumer reporting agencies from the statute’s prohibition of the use of account numbers for marketing purposes; d) the Regulations impose a restriction on the use of noripublic personal information that is, inconsistent with the statute; and e) the Regulations modify the operation of the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq. (the “FCRA”), in contravention of the savings clause of the GLB Act. In addition, plaintiffs allege that the Regulations are unconstitutional for three reasons: a) they are overbroad and improperly restrict plaintiffs’ speech in violation of the First Amendment; b) they were enacted without the requisite adjudicative hearings, in violation of Trans Union’s Fifth Amendment right to due process of law; and c) they impose restrictions on plaintiff Trans Union that are not imposed on entities that are not consumer reporting agencies, in violation of the Fifth Amendment. Upon consideration of the pleadings and the record herein, this Court concludes the Regulations are lawful and constitutional. Summary judgment is therefore granted for defendants as to all counts.
FACTUAL AND STATUTORY BACKGROUND
I. The Parties and The Role of Consumer Reporting Agencies
A. Trans Union and Its Products
Plaintiff Trans Union (“Trans Union”) is a Delawarе limited liability compa *14 ny with its principal place of business in Chicago, Illinois. (Trans Union Statement of Material Facts ¶ 1.) Trans Union is a “consumer reporting agency” (“CRA”), as defined in the FCRA, and it provides “consumer reports,” 1 as defined at 15 U.S.C. § 1681a(d). The foundation of Trans Union’s business is its database, CRONUS, which contains information about consumers that is used to generate credit reports. (Trans Union Statement ¶ 16.) Although Trans Union gathers this data from over 85,000 entities, its main source of information is financial institutions, 2 which generally provide this information in the form of accounts receivable tapes. (Trans Union Statement ¶¶ 17-19.) These tapes contain information — the name, address, zip code, and social security number, as well as information regarding the account itself— about each consumer that is reported by the financial institution. (Trans Union Statement ¶ 20.)
Trans Union maintains this information in CRONUS, from which it generates credit reports. These reports contain two types of information: identifying information for each individual, and tradeline information describing the consumer’s account and payment history. (Trans Union Statement ¶ 22.) The identifying information includes the name, address, social security number, and telephone number of the consumers, and since this data is printed at the top of the report, it is typically referred to as “credit header” information. (Trans Union Statement ¶ 23.) Although financial institutions are the primary source of the identifying information, plaintiffs allege that the resulting credit header is the product of various sources, and that it therefore does not reveal the existence of a customer relationship with any specific financial institution.
Trans Union alleges that three of its product lines will be affected by the Regulations and are therefore at issue in this litigation. First are Trans Union’s credit header products. In addition to including the header information in its credit reports, Trans Union sells this data separately to a number of business and governmental entities, which then use the information for both commercial and noncommercial purposes, including target marketing and fraud prevention. (See Trans Union Statement ¶¶ 27-44.) These products include “Trace,” which allows a customer of Trans Union to input an individual’s social security number and receive, in return, the name and address of that person (Trans Union Statement ¶ 29); “Retrace,” which enables a customer who has an individual’s name and address to obtain that person’s social security and phone numbers (Trans Union Statement ¶ 31); and “ID Search,” which permits a customer with a person’s name and phone number to obtain that individual’s social security number and current and former addresses from Trans Union. (Trans Union Statement ¶ 33.) Trans Union and other CRAs also sell credit header information to individual reference services, which typically work with government agencies to identify and locate individuals for a variety of purposes, including the prosecution of financial crimes and enforcement of child support orders. (Individual Reference Services Group (“IRSG”) *15 Statement of Material Facts ¶¶ 11-14.) 3 Similarly, private companies hire individual reference services to help detect and prevent fraud, and health organizations use their products to identify blood and organ donors. Media and political campaign organizations may use individual references services to verify the identities of campaign donors. (IRSG Statement ¶ 15-16.)
Second, Trans Union offers a line of target marketing products that provide both credit header and tradeline information. These target marketing lists are designed to identify consumers who may be interested in purchasing the particular goods or services that are offered by customers of Trans Union. (Trans Union Statement ¶ 45.) Typically, a targeting marketing list provides a customer with the names and addresses of individuals who live in a household that meets particular criteria, such as having a bank card or a home mortgage. (Trans Union Statement ¶¶ 46-47.) One of these products is “TransLink,” a program that allows a retailer to identify the names and addresses of customers who have made purchases from that retailer with a credit card. A retailer who has obtained the name and credit account number of a customer sends this information to Trans Union, which in response provides a corresponding name and address using the information stored in CRONUS. (Trans Union Statement ¶¶ 47, 55-56.)
Third, Trans Union uses information that it receives from financial institutions to prepare aggregate or average data on consumers. Trans Union’s SUM-it product, for example, creates aggregate financial information, such as the average mortgage and bank card balance, for consumers who live within a particular zip code, zip code-plus-two digits, or zip code-plus-four digits. (Trans Union Statement ¶ 48.) The information in the SUM-it database is then used to create models that predict consumers’ financial characteristics or their propensity to purchase certain goods or services. This aggregate information is then made available to marketing firms. (Trans Union Statement ¶ 49.) Individual information reported by financial institutions about particular customers is not disclosed in this material.
B. IRSG and Credit Header Information
Plaintiff Individual Reference Services Group, Inc. is a non-stock corporation organized exclusively as a nonprofit trade association under the laws of the state of Maryland. (IRSG Statement ¶ 1.) IRSG represents leading information industry companies, including major CRAs, that provide information to help identify, verify, or locate individuals. IRSG represents CRAs, which obtain credit header information directly from financial institutions, and other entities to whom the CRAs provide credit header data. 4 Trans Union is a member of IRSG.
*16 Plaintiff IRSG contests only the regulation of credit header information under the GLB Act; unlike Trans Union, it does not challenge the effects of the agencies’ Final Rules on target marketing lists or aggregate data.
C. The Defendant Agencies
The defendants in this action are the Federal Trade Commission (“FTC”), Board of Governors of the Federal Reserve System (“Board”), Federal Deposit Insurance Corporation (“FDIC”), Office of the Comptroller of the Currency (“OCC”), Office of Thrift Supervision (“OTS”), the National Credit Union Administration (“NCUA”), and them respective heads. These agencies are responsible for the administration and enforcement of Title V of the GLB Act, as well as other related statutes. The FTC and NCUA are independent agencies of the United States government; the Board administers the Federal Reserve System; the FDIC is a corporation organized under federal law; and OCC and OTS are divisions of the United States Department of the Treasury. Defendants are six of the seven agencies that promulgated regulations addressing, among other issues, the use and disclosure of “nonpublic personal information” pursuant to the GLB Act. These are the Regulations challenged in this action. (Trans Union Statement ¶¶ 2-12.) 5
II. The FCRA
An understanding of the legal issues in this case begins with an explanation of the FCRA, which provides a comprehensive regulatory scheme governing CRAs, in-eluding Trans Union. Enacted on October 26, 1970, the statute was drafted in an effort to balance the conflicting needs of commerce and consumer protection; its stated purpose was “to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer....” 15 U.S.C. § 1681(b).
Specifically, the Act requires CRAs to “follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates.” 15 U.S.C. § 1681e(b). To ensure the accuracy of this data, CRAs must make available to customers “all information in the consumer’s file at the time of the request,” § 1681g(a)(l), and promptly investigate any consumer dispute regarding “any item of information.” § 1681i(a)(l)(A). The FCRA also requires CRAs to report the results of any investigation and to correct any inaccurate information. § 1681i(a)(5). The financial institutions that report information to CRAs are subject to similar requirements under the Act. § 1681s-2.
The FCRA does not regulate the disclosure of all information that CRAs receive from financial institutions. Instead, the statute sets forth the permissible purposes for which a CRA may disclose information via a “consumer report.” Under the statute, a consumer report is “the communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit stand *17 ing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for [credit, insurance, employment, or other authorized purposes].” § 1681a(d)(l). Under the 1996 amendments to the Act, Congress expanded the permissible uses of consumer report information to include credit and insurance target marketing, including firm offers of credit or insurance that are not initiated by the consumer. § 1681b(c). These amendments also require CRAs to establish procedures for consumers to opt out of this target marketing and to notify consumers of their opt-out rights. §§ 1681b(e), 1681m(d).
The FCRA does not regulate the dissemination of information that is not contained in a “consumer report.” In 2000, the FTC stated that the “credit header” data at issue in this litigation — -the name, address, social security number, and phone number of the consumer — was not subject to the FCRA because it “does not bear on creditworthiness, credit capacity, credit standing, character, general reputation, personal characteristics, or mode of living, unless such terms are given an impermissibly broad meaning.” (Trans Union Index, Ex. F, In the Matter of Trans Union Corp., Docket No. 9255, Feb. 10, 2000, at 30.); 15 U.S.C. § 1681a(d)(1). Both sides agree that credit header information is not currently subject to the FCRA. (Trans Union Memorandum at 9.) 6
In contrast, the Court of Appeals for this Circuit has recently upheld the FTC’s determination that target marketing lists are “consumer reports” under the FCRA and are therefore subject to the provisions of that statute. In
Trans Union v. FTC,
III. The GLB Act
The Federal Financial Modernization Act, commonly known as the Gramm-Leach-Bliley Act, was passed by Congress and signed by President Clinton in November 1999. The purpose of the GLB Act was “to enhance competition in the financial services industry by providing a prudential framework for the affiliation of banks, securities firms, insurance companies, and other financial service providers....” H.R. Conf. Rep. No. 106-434, at 245 (1999), reprinted in 1999 U.S.C.C.A.N. 245, 245. Congress intended that in *18 creased competition would benefit consumers by enhancing the availability of financial products and services and by allowing domestic financial services firms to better compete globally. H.R.Rep. No. 106-74, pt. 3, at 98 (1999).
At the same time, Congress realized that such a structure could exacerbate the concerns of consumers regarding the dissemination of personal financial information. For example,' banks, insurance companies, and securities firms have the capacity to know more about an individual’s spending habits than ever before, and could use this information for many purposes, including unwanted marketing and solicitation. See H.R. Rep. 106-74, pt. 3, at 106-07 (June 15, 1999) (“As a result of the explosion of information available via electronic services such as the Internet, as well as the expansion of financial institutions through affiliations and other means as they seek to provide more and better products to consumers, the privacy of data about personal financial information has become an increasingly significant concern of consumers.”) To balance these interests, the Act provides consumers with the power to choose how their personal information will be shared by financial institutions. As the Act states, “It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.” 15 U.S.C. § 6801. During debates in Congress, legislators noted that the proposed Act would “provide some of the strongest privacy protections to ever be enacted into any federal law,” 145 Cong. Rec. Hll, 539-40 (daily ed. Nov. 4, 1999) (statement of Rep. Vento), and would “represent the most comprehensive federal privacy protections ever enacted by Congress.” 145 Cong. Rec. Hll,544 (daily ed. Nov. 4, 1999) (statement of Rep. Sandlin).
A. The Legislative History
On May 6, 1999, the Senate approved S. 900, the Financial Services Modernization Act of 1999, a precursor to the GLB Act. That bill did not contain provisions protecting the disclosure of personal information. The House Commerce Committee, which was the first body to address privacy issues in the bill, proposed provisions to provide “protections for the privacy of customers of financial institutions, [including] put[ting] into place procedures to protect the confidentiality and security of nonpublic personal information collected in connection with any transaction of their сustomers.” H.R.Rep. No. 106-74, pt. 3, at 200. The Committee defined “nonpublic personal information” as “personally identifiable information, other than publicly available directory information, pertaining to an individual’s transactions with a financial institution.” H.R. 10, 106th Cong., 1st Sess § 509(4). (1999).
Language containing the definition of “nonpublic personal information” was added to the House bill through an amendment introduced by Representative Michael Oxley on July 1, 1999. 145 Cong. Rec. H5308 et seq. (daily ed. July 1, 1999). Industry groups objecting to broader restrictions on the disclosure of personal information, as well as advocates for greater privacy protections, testified at hearings on the amended bill later that month. For example, Richard Barton, the Senior Vice President for Congressional Relations of the Direct Marketing Association, expressed concern that “the definition of nonpublic personal information [was] unclear because [it tended to] blur the differences between personally identifiable financial information and other types of personally identifiable informa *19 tion, [and] might be read to interfere seriously with the use of certain non-financial identifying information to make marketing databases more accurate.” House Banking Subcommittee Hearing (July 20, 1999), at <http://%mm .house.gov/banking/72099rba.htm> at 5.
In contrast, other participants testified that it was important to restrict the unauthorized disclosure of certain sensitive personal information, including names and addresses. 7 Representatives of federal agencies testified that consumers consider information that they provide to financial institutions in order to obtain a financial product to be “private.” See, e.g., Statement of Edward Gramlich, Member, Board of Governors, The Federal Reserve System, House Banking Subcommittee Hearing (July 21, 1999), at < http://commdocs. house.gov/ committees/bank/hba58S08 — 0.htm> at 128 (private information includes “information that banking and other financial institutions derive from their relationships with customers [such as] information submitted by a customer in order to obtain a loan”). After hearing testimony from both sides, the House declined industry’s request to narrow the bill’s definition of “nonpublic personal information.”
As enacted, the statute defines “nonpublic personal information” (“NPI”) as “personally identifiable financial information [ (TIFT) ](i) provided by a customer to a financial institution; (ii) resulting from any transaction with the consumer or any service performed for the consumer; or (iii) otherwise obtained by the financial institution.” 15 U.S.C. § 6809(4). The GLB Act does not, however, define the term “personally identifiable financial information.”
Several members of Congress discussed the meaning of this provision. Sponsor Oxley noted that the bill called for “the responsible sharing of consumer information .... ” 145 Cong. Rec. H5310 (daily ed., July 1, 1999). Co-sponsor Deborah Pryce said that “for the first time ever we will require that financial institutions give their customers a right to just say no to the sharing of what most Americans hold very, very dear: private information about themselves and their families,” including “addresses and phone numbers,” in order to protect consumers from “random telemarketing and junk mail.” 145 Cong. Rec. H5312 (daily ed. July 1, 1999). Representative Bereuter, a member of the House Committee on Banking and Financial Services, noted, “These privacy provisions are a pioneering, landmark advance forward by Congress in ensuring that consumers’ personal information is protected from unwanted disclosures by financial institutions.” 145 Cong. Rec. Hll,546 (daily ed. Nov. 4,1999).
*20 Other aspects of the statute that are at issue in this case were added by a joint HouseSenate ■ Conference Committee, which convened in September 1999 to reconcile the differences between the versions of the bill. First, the Joint Conference Committee included a “savings” provision to address the relationship between the GLB Act and the FCRA; this clause provided that “nothing in this chapter shall be construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act....” 15 U.S.C. § 6806; H.R. Conf. Rep. No. 106^434, at 171 (1999). Second, the Joint Committee added a consumer reporting agency exception to the Act’s blanket prohibition against disclosing account numbers to third parties for use in telemarketing, direct mail marketing, or other electronic mail marketing. H.R. Conf. Rep. No. 106-434, at 172. “A financial institution shall not disclose, other than to a consumer reporting agency, an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account of a customer to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.” 15 U.S.C. § 6802(d).
B. Administrative Rulemaking
1. The Rulemaking Proceedings
Under the GLB Act, the defendant agencies were to issue regulations implementing provisions of the statute. 8 These regulations describe, for example, the conditions under which financial institutions may disclose nonpublic personal information about consumers to nonaffiliated third parties, require such institutions to provide notice to their customers about privacy policies, and subject to certain exceptions, permit the consumer to opt out of this transmission of information. The Regulations define the limits on the disclosure of nonpublic personal information by financial institutions, as well as the conditions under which a nonaffiliated third party that receives this information may redisclose or use it. See, e.g., FTC Final Rule, 16 C.F.R. §§ 313.10-313.12 (2000). It is these Regulations that are at issue in this litigation.
In particular, the agencies drafted a set of proposed rules as to which they solicited public comments. The draft rules attempted to define the term • “personally identifiable financial information” in 15 U.S.C. § 6809(4); the agencies proposed that personally identifiable information was financial if it was provided by a consumer, resulted from a transaction, or was otherwise obtained about a consumer by a financial institution in connection with providing a financial product or service to a consumer. See, e.g., FTC Notice of Proposed Rulemaking, “Privacy of Consumer Financial Information,” 65 Fed.Reg. 11,-174, 11,178 (March 1, 2000) (“FTC Proposed Rule”); Joint Notice of Proposed Rulemaking, “Privacy of Consumer Financial Information,” 65 Fed.Reg. 8770, 8773 (Feb. 22, 2000) (“Banking Agencies’ Proposed Rule”). To demonstrate the operation of the proposed definition, accompanying- examples explained that information that a consumer provides on an application to obtain a loan, credit card, or insurance would fall within this definition. 65 Fed. *21 Reg. at 11,178. The agencies sought comments on the proposed definition, including comments relating to the fact that the term might include information “that may not be considered intrinsically financial.” 65 Fed.Reg. at 8774,11,178.
More than 9,000 comments were submitted in response to the proposed rules. Comments concerning the definition of “personally identifiable financial information” were submitted by opposing groups. Industry groups argued that certain identifying information that wаs not intrinsically financial should not be considered within the definition. These entities contended that the proposed definition — when coupled with the Act’s limits on reuse and redisclosure — would restrict the flow of credit header information by preventing CRAs from disseminating such information. The net effect, they argued, would be to threaten the availability of highly reliable information used for socially beneficial purposes, such as combating fraud and locating missing individuals. See, e.g., FTC Record at 300,852 (Comment of Equi-fax that “the Proposed Rule functionally reads the word ‘financial’ out of the phrase ‘personally identifiable financial information’ ”); FTC Record at 300,932-33 (Comment of Experian Information Solutions to same effect); FTC Record at 301,638 (Comment of Trans Union to same effect); FTC Record at 301,964 (Comment of IRSG to same effect); FTC Record at 301,954 (Comment of Direct Marketing Association, Inc. to same effect). 9
In contrast, consumer groups and state lawmakers filed comments urging the agencies to prevent the disclosure of personal information. See, e.g., FDIC Record at 105,158 (Comment of Consumers Union: Consumer Federation of America agreeing with the proposed definition of “personally identifiable financial information” because “any information collected by an institution about an individual should be defined as ‘personally identifiable’.... In these instances, but for the financial nature of the relationship, the information would not be collected.”); FTC Record at 300,973 (comment of Privacy Rights Clearinghouse to same effect); FDIC Record at 102,300 (Comment of Center for Democracy and Technology to same effect); OTS Record at 601,246 (Comment of Privacy Rights Clearing House to same effect); FDIC Record at 103,067, Board Record at 203,-140 (Letter signed by thirty-three state Attorneys General). These commentators felt that the proposed rules did not go far enough toward protecting consumer privacy, leaving too many loopholes for personal information to be shared without an individual’s consent. Id. Several Members of Congress also filed comments in support of these arguments. FTC Record at 300,-541-48, OTS Record at 601,536-43 (Comment of Congressional Privacy Caucus).
2. The Final Rules
Following the Notice and Comment period, the agencies promulgated their Final Rules. They defined “nonpublic personal information,” in part, as “personally identifiable financial information.” 16 C.F.R. § 313.3(n)(l)(i). 10 In turn, the Regulations *22 defined “personally identifiable financial information” as information “(i) [a] consumer provides to you 11 to obtain a financial product or service from you; (ii)[a]bout a consumer resulting from any transaction involving a financial product or service between you and a consumer; or (in) you otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.” 16 C.F.R. § 313.3(o)(l). In other words, “any information should be considered financial information if it is requested by a financial institution for the purpose of providing a financial service or product.” FTC Final Rule, “Privacy of Consumer Financial Information,” 65 Fed. Reg. 33,646, 33,658 (May 24, 2000); see Banking Agencies’ Final Rule, “Privacy of Consumer Financial Information,” 65 Fed.Reg. 35,162, 35,171 (June 1, 2000).
In response to comments from industry groups objecting to the inclusion of name, address, and social security number in the definition of personally identifiable financial information, the FTC explained:
[Financial institutions rely on a broad range of information that they obtain about consumers, including information such as addresses and telephone numbers, when providing financial products or services. Location information is used by financial institutions to provide a wide variety of financial services, from the sending of checking account statements to the disbursing of funds to a consumer. Other information, such as the maiden name of a consumer’s mother, often will be used by a financial institution to verify the consumer’s identity. The Commission concluded that it would be inappropriate to carve out certain terms of information that a particular financial institution might rely on when providing a particular financial product or service.
FTC Final Rule, 65 Fed.Reg. at 33,658. The other agencies adopted nearly identical reasoning. See, e.g., Banking Agencies’ Final Rule, 65 Fed.Reg. at 35,171. The Final Rules were issued in spring 2000 and became effective as of November 13, 2000, with full compliance required by July 1, 2001. This litigation rapidly ensued.
LEGAL ANALYSIS
I. Standards of Review for Plaintiffs’ APA Claims
Both plaintiffs have moved for summary judgment. A party is entitled to summary judgment where “there is no genuine issue as to any material fact and the moving party is entitled to judgment as a matter of law.” Fed.R.Civ.P. 56(c). Summary judgment is an appropriate mechanism for resolving cases involving administrative rulemaking on the record, particularly where, as here, the case turns chiefly on issues of statutory construction.
See Troy Corp. v. Browner,
Plaintiffs raise four primary claims under the APA. First, plaintiff IRSG, joined by Trans Union, argues that defendants’ definition of “personally identifiable financial information” violates the APA for three reasons. Plaintiffs contend that this definition (1) conflicts with the plain language of the GLB Act; (2) is not a reasonable and permissible construction of the statute; and (3) is arbitrary and capricious because it does not further the express purposes of the Act.
*23 Second, Trans Union argues that it is not a “financial institution” covered by the GLB Act, and therefore, the agencies have no authority to regulate it under the Act. With regard to this claim, Trans Union asserts only a plain language argument— that the regulation of Trans Union by the Act violates the unambiguous meaning of the statute.
Third, Trans Union argues that the Regulations violate the plain meaning of § 502(d) of the GLB Act, 15 U.S.G. § 6802(d). Trans Union argues that this section grants a special exemption to CRAs from the statute’s prohibition on the use of account numbers for marketing purposes, and that the Regulations conflict with the clear language of this exemption.
Finally, Trans Union contends that defendants’ Regulations restricting the use and redisclosure of nonpublic personal information that is provided to a CRA in accordance with the Fair Credit Reporting-Act violates the APA. With respect to this claim, Trans Union makes four arguments: 1) the use restrictions violate the plain meaning of the GLB Act; 2) these regulations contradict the plain meaning of the statute’s “savings” clause, 15 U.S.C. § 6806, which mandates that the GLB Act not be “construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act,” Id.; 3) the use restrictions are an impermissible construction of the GLB Act; and 4) the use restrictions are arbitrary and capricious because the agencies have failed to justify them in the record.
A. Chevron
Claims that contest an agency’s construction of a statute it administers are ordinarily subject to the standard of review articulated in
Chevron U.S.A., Inc. v. Natural Resources Defense Council, Inc.,
In an attempt to avoid the deference owed an agency under Chevron, plaintiffs present a range of creative arguments. First, plaintiffs argue that Chevron deference does not apply where, as here, Congress has directed numerous agencies to administer the statute. Second, plaintiffs contend that, regardless of Chevron, the Court is obliged to construe the GLB Act to avoid the constitutional difficulties raised by the agencies’ Regulations.
The Court rejects plaintiffs’ contention that
Chevron
should not apply. The Regulations were the result of a statutorily coordinated effort among all the defendants. Plaintiffs’ initial argument — that
*24
Chevron
is not the proper standard for regulations promulgated by multiple agencies — stretches precedent. One line of cases that plaintiffs cite actually stands for the proposition that
Chevron
deference does not apply to interpretations of statutes of general applicability, such as the Privacy Act, which are administered by a number of agencies, none of which has particular expertise in the substance of the statute — the policy basis for Chevron’s holding.
See Bowen v. American Hosp. Ass’n,
A second line of cases that plaintiffs cite is similarly inapposite. Those cases hold that
Chevron
deferencе does not apply to only one agency’s interpretation of a statute administered by multiple agencies.
Salleh v. Christopher,
Plaintiffs also attempt to evade
Chevron
by arguing that, because the agencies’ Regulations give rise to serious constitutional issues, the Court should not defer to their interpretation. While it is true that this Court reviews constitutional questions
de novo,
deference to the agencies’ actions is not denied simply because plaintiffs have raised constitutional arguments. For deference to be rejected, plaintiffs challenges must rise to the level of “serious” or “grave constitutional issues.”
Chamber of Commerce v. FEC,
B. Arbitrary and Capricious
Plaintiffs also challenge the Regulations under the “arbitrary and capricious” standard in the APA, which requires the Court to review whether the agency actions are “arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law.” 5 U.S.C. § 706(2)(A). While challenges under § 706(2)(C) — which follow the test set forth in
Chevron
— are directed primarily at the decision of the agency, § 706(2)(A) actions focus mainly on the decision-making process and rationale behind agency action.
Michigan v. EPA,
In reviewing the action of the agencies under § 706(2)(A), the Court must engage in а “thorough, probing, in-depth review,”
Citizens to Preserve Overton Park, Inc. v. Volpe,
Conclusory statements are insufficient to meet this requirement.
Dickson v. Secretary of Defense,
II. Plaintiffs’ APA Claims
Having set forth the relevant standards of review under the APA, the Court turns now to plaintiffs’ four arguments for invalidating the Regulations.
*26 A. Is Credit Header Data “Personally Identifiable Financial Information”?
1. Chevron Step One
Plaintiffs argue that the agencies’ definition of “personally identifiable financial information” conflicts with the unambiguous meaning of the statute, and that under the first step of
Chevron,
defendants’ interpretations of several provisions of the Act should therefore not be accorded any deference. “[W]hen a statute is clear and unambiguous, consideration of administrative interpretation contrary to such language is inappropriate; the agency cannot by its interpretation, override the congressional will as memorialized in the statutory language.”
Mylan Pharm., Inc. v. Henney,
In 15 U.S.C. § 6809(4)(A), Congress defined NPI as “personally identifiable financial information — (i) provided by a customer to a financial institution; (ii) resulting from any transaction with the customer or any service performed for the customer; or (iii) otherwise obtained by the financial institution.” 15 U.S.C. § 6809(4)(A). The GLB Act provides no definition of “personally identifiable financial information.” The Regulations promulgated by the agencies fill this gap. Under the Final Rules, PIFI is “any information: (i)[a] consumer provides to [a regulated financial institution] to obtain a financial product or service ... (ii)[a]bout a consumer resulting from any transaction involving a financial product or service between [a regulated financial institution] and a consumer; or (iii) [a regulated financial institution] otherwise obtain[s] about a consumer in connection with providing a financial product or service to that consumer.” 16 C.F.R § 313.3(o)(l). Plaintiffs contend that this definition effectively reads the word “financial” out of the phrase “personally identifiable financial information,” because it applies to any information provided to or otherwise obtained by the financial institution about a consumer. Under the agencies’ definition of PIFI, plaintiffs argue, credit header information is improperly subsumed within the ambit of the GLB Act.
Whether the phrase “personally identifiable financial information” is an unambiguous term — and, as a corollary, whether defendants’ interpretation violates any plain meaning of that term — presents a challenging question. However, based on the language, structure, and legislative history of the GLB Act, this Court concludes that “personally identifiable financial information” is an ambiguous term in the Act and that the agencies’ interpretation is therefore entitled to deference.
“The first traditional tool of statutory construction focuses on the language of the statute.”
Bell Atlantic,
It is also necessary to examine § 6809(4)(A) in the context of the entire statute. “In determining whether Congress has specifically addressed the question at issue, the court should not confine itself to examining a particular statutory provision in isolation. Rather, it must place the provision in context, interpreting the statute to create a symmetrical and coherent regulatory scheme.”
FDA v. Brown & Williamson,
The language of other provisions of the GLB Act, however, suggests otherwise. Congress included within the definition of “nonpublic personal information” “any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using any nonpublic personal information other than publicly available information.” 15 U.S.C. § 6809(4)(C)(i). In so doing, Congress provided for especially broad privacy protections for all information contained in these lists of consumers that is derived using nonpublic personal information. This is so even where the information is otherwise publicly available: the information is still protected, as long as it was derived using nonpublic personal information. Id. This provision suggests that in drafting the GLB Act, Congress recognized that the status of particular types of information may vary according to the context in which it is used. Information used in or derived from a financial context is nonpublic personal information under § 6809(4)(C)(i); the same information in another context, however, may not be NPI. Thus, it is the context in which information is disclosed — rather than the intrinsic nature of the information itself— that determines whether information falls within the GLB Act. 14
Plaintiffs counter by arguing that the overbreadth of defendants’ definition of “personally identifiable financial information” under § 6809(4)(A) can be shown by comparing it to the definition of “customer information of a financial institution” in 15 U.S.C. § 6827(2). The latter phrase is defined as “[a]ny information maintained by or for a financial institution which is derived from the relationship between the financial institution and a customer of the
*28
financial institution and is identified with the customer.”
Id.
Plaintiffs argue that this difference in language underscores the fact that Congress used different terms because it intended the provisions to have two different meanings.
Russello v. United States,
Finally, the Court notes that an examination of “the history, structure, аnd underlying policy purpose of the statute,”
Bell Atlantic,
[L]et me ask my colleagues if they are tired of their phone ringing in the middle of dinner only to be solicited for lawn care service. Are they tired of getting so much junk mail that they have to empty their trash twice as often as they used to? Are they tired of their teenagers being solicited for a new credit card every other week? Are they tired of wondering who in the world is giving out their addresses and phone numbers to these strangers? Well, I am, and I am mad as heck about it. So today I am taking the floor to issue a public service warning to all of our constituents: “Mr. and Mrs. America, your personal financial information may be disclosed by your bank to any Tom, Dick, and Harry without your knowledge and without your consent.”
145 Cong. Rep. H5312 (daily ed. July 1, 1999) (statement of Rep. Pryce) (emphasis added). This inclusion of credit header information within the meaning of “financial information” during debates in both Houses of Congress reinforces the finding that the statute cannot be interpreted as argued by plaintiffs would like, but more fairly should be characterized as ambiguous with respect to that term. As a result, defendants’ definition of PIFI does not contradict the plain language of the statute.
2. Chevron Step Two
Alternatively, plaintiffs argue that even if the term “personally identifiable financial information” is ambiguous, the regulation still cannot survive scrutiny under step two of
Chevron
because it “diverges from any realistic meaning of the statute.”
Natural Resources Defense Council, Inc. v. Daley,
Plaintiffs assert that defendants’ definition of PIFI is not a “reasonable and permissible construction of the statute,”
Daley,
The Court disagrees with plaintiffs’ analysis. Under the Final Rules, PIFI is, in fact, limited in several ways. The Regulations define PIFI as “any information a consumer provides to [a financial institution] to obtain a financial product or service.” 16 C.F.R. § 313.3(o)(1)(i). Excluded from the definition is information provided to a financial institution for other reasons, such as a sweepstakes entry. PIFI also includes only information about individuals who obtain financial services primarily for family, personal, or household purposes — therefore excluding all information provided by individuals for business purposes.
E.g.,
16 C.F.R. § 313.1(b). Unlike the order at issue in
GTE Serv. Corp.,
defendants’ regulations have boundaries. As described above, they are also “reasonable and consistent with the statutory purpose,”
GTE Serv. Corp.,
In this regard, the Supreme Court’s opinion in
Rust
is instructive. In
Rust,
plaintiffs challenged Department of Health and Human Services (“HHS”) regulations that were implemented pursuant to Title X of the Public Health Service Act, 84 Stat. 1506 (codified as amended at 42 U.S.C. §§ 300 to 300a-6 (1994)), which provides federal funding for family planning services. In the subsequent regulations, HHS established a procedure for allocating funds under Title X, and attached three principal conditions to the disbursements to ensure that “none of the funds appropriated under [that] subchapter [would] be used in programs where abortion is a method of family planning.” 42 U.S.C. § 300a-6. Plaintiffs challenged these regulations, and the Supreme Court aрplied Chevron’s analysis to determine their validity. After disposing of petitioners’ plain language argument, the Court found that “[t]he broad language of Title X plainly allows the [HHS] Secretary’s construction of the statute.”
Rust,
Here, as in Rust, both the language of the statute and the legislative history provide no clear answers. But the defendants have justified their constructions with reasoned analysis. The FTC, for example, explained its definition of PIFI by noting that “this approach is consistent with the broad definition of ‘financial institution’ used in the statute.... [Some] commentators consistently suggested that names, addresses, and phone numbers should not be treated as financial information. How *31 ever, financial institutions rely on a broad range of information that they obtain about consumers, including information such as addresses and telephone numbers .... The Commission concluded that it would be inappropriate to carve out certain items of information that a particular financial institution might rely on when providing a financial product or service.” FTC Final Rule, 65 Fed.Reg. at 33,658. Where, as here, Congress has acted ambiguously and defendants have justified their regulations with careful reasoning and analysis, Rust instructs that the agencies’ construction of the statute is permissible and that the Court must defer to that interpretation.
3. Arbitrary and Capricious.
Plaintiffs also argue that the Regulations are arbitrary and capricious and are therefore unlawful. In particular, plaintiffs assert that the definition of “personally identifiable financial information” is arbitrary and capricious because it does nothing to further the express purposes of the GLB Act — that is, that there is no rational connection between thе facts found by defendants and the choices they made in promulgating the Regulations.
Plaintiffs posit three central arguments in support of their position that defendants’ definition of “personally identifiable financial information” is arbitrary and capricious. First, they contend that defendants’ regulations conflict with their policy arguments about the sanctity of personal information. In particular, plaintiffs argue that consumers are equally susceptible to the risks of identity theft or physical harm, about which defendants have expressed concern, from information acquired by a bank for a sweepstakes — -which defendants admit is not covered by the Regulations— as from that provided for financial services. There is no arbitrariness, however, in the Regulations’ focus on protecting information that consumers are required to provide in order to obtain financial services, rather than information that is volunteered for other purposes, such as sweepstakes. In fact, only the former promotes the stated policy of the GLB Act. See 15 U.S.C. § 6801.
Second, plaintiffs argue that all the defendants except the FTC failed to respond to public comments on the proposed definition of “personally identifiable financial information.” In its Final Rule, the FTC noted that “[a]ny information should be considered financial information if it is requested by a financial institution for the purpose of providing a financial product or service.” FTC Final Rule, 65 Fed.Reg. at 33,658. The record reflects that all six of the defendant agencies coordinated their rulemaking efforts, as well as their Final Rules; there is no reason that each of the six defendants should be required to address directly the comments on the proposed definition of PIFI. Because the definitions promulgated by all six agencies are virtually identical, the response of the FTC is sufficient on behalf of all defendants.
Finally, plaintiffs contend that the inclusion of credit header information that has been homogenized — that is, stripped of all intrinsically financial information — within the definition of PIFI is arbitrary and capricious. As noted, however, the record reflects that the Regulations are consistent with the GLB Act’s policy of enabling consumers to retain control over the personal information that they аre required to provide to financial institutions. Thus, plaintiffs’ arbitrary and capricious challenge must fail.
B. Is Trans Union a Financial Institution Subject to Regulation Under the GLB Act?
Next, Trans Union contends it is a non-financial institution, and as such, de *32 fendants have no authority to regulate it. Specifically, plaintiff argues that CRAs are not financial institutions under the GLB Act, and that Congress intended to give the FTC enforcement, but not rulemaking, authority over these entities. In support of these arguments, plaintiffs spin complex arguments about both the legislative history of the GLB Act and the interplay between that statute and the FCRA in terms of agency authority.
In actuality, however, the grant of rule-making authority to the agencies over CRAs is unambiguously provided for under the GLB Act, when read in conjunction with other existing statutes and -regulations that are cross-referenced in the GLB Act. Section 509(3)(A) of the Act defines a financial institution as “any institution the business of which is engaging in financial activities as described in section 1843(k) of Title 12.” 15 U.S.C. § 6809(3)(A). Under 12 U.S.C. § 1843(k), financial activities include “[ejngaging in any activity that the [Federal Reserve] Board has determined, by order or regulation that is in effect on November 12,1999, to be so closely related to banking or managing banks as to be a proper incident thereto.... ” 12 U.S.C. § 1843(k)(4)(F). A regulation promulgated by the Federal Reserve Board in 1997, which was still in effect on November 12, 1999, lists a variety of activities that are “so closely related to banking ... as to be a proper incident thereto,” and included therein are “credit bureau services,” which are defined as entities engaged in “main-taming information related to the credit history of consumers and providing the information to a credit grantor who is considering a borrower’s application for credit or who has extended credit to a borrower.” 12 C.F.R. § 225.28(b)(2)(v). Trans Union acknowledges that it is one of three national credit reporting bureaus, and that a part of its business is to maintain and provide credit reports to third parties for the extension of consumer credit or insurance, employment, or business transactions. (Trans Union Statement of Facts ¶¶ 14-16.) In fact, Trans Union does not contest that it qualifies as a credit bureau. Consequently, the Court finds that Trans Union is a financial institution under Subtitle A of the GLB Act and is therefore subject to the FTC’s rules under that subtitle. 16
C. Does the Acсount Numbers Exception Affect Target Marketing Products Such as TransLink?
Trans Union also argues that the Regulations contradict § 502(d) of the Act, 15 U.S.C. § 6802(d), 17 which, according to Trans Union, grants a special exemption to CRAs from the statute’s prohibition on the use of account numbers for marketing purposes. 18 Defendants counter that the plaintiffs have misread the statute by failing to understand the relationship between §§ 502(b) and 502(d) of the Act.
Section 502(b) of-the Act, 15 U.S.C. § 6802(b), provides:
*33 (1) A financial institution may not disclose nonpublic personal information to a nonaffiliated third party unless—
(A) such financial information clearly and conspicuously discloses to the consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 6804 of this title, that such information may be disclosed to such third party;
(B) the consumer is given the opportunity, before the time that such information is initially disclosed, to direct that such information not be disclosed to such third party; and
(C) the consumer is given an explanation of how the consumer can exercise that nondisclosure option.
Section 502(c) of the Act, 15 U.S.C. § 6802(c), provides:
Except as otherwise provided in this subchapter, a nonaffiliated third party that receives from a financial institution nonpublic personal information under this section shall not, directly or through an affiliate of such receiving party, disclose such information to any other person that is a nonaffiliated third party of both the financial institution and such receiving third party, unless such disclosure would be lawful if made directly to such other persons by the financial institution.
Trans Union argues that the Regulations do not adequately reflect the language and intent of § 502(d). The FTC Regulations, like those of the other defendants, provide that there is a “general prohibition on disclosure of account numbers. [A financial institution] must not, directly or through an affiliate, disclose, other than to a consumer reporting agency, an account number or similar form of access number or access code for a consumer’s credit card account, deposit account, or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.” 16 C.F.R. § 313.12(a). Plaintiff argues that this section, when read in conjunction with, for example, 16 C.F.R. § 313(n)(3)(i), 19 bans the use of account information by Trans Union in at least one of its products (TransLink), in violation of the plain language of § 502(d) of the GLB Act.
Plaintiffs argument contravenes the text of the GLB Act. Section 502(b)(1) provides that a financial institution may not disclose any nonpublic personal information to a nonaffiliated third party unless the consumer is given the opportunity to opt out. 20 Section 502(d) is a restriction on § 502(b), not an exception to § 502(c). While most nonpublic personal information may be disclosed to third parties under the conditions imposed by § 502(b), § 502(d) states that account number information — a type of nonpublic personal information — may not be disclosed to any third party, except a CRA, for use in marketing. Section 502(d), therefore, adds a further layer of protection for this particularly sensitive information.
The CRA exception of § 502(d) precludes practices that are otherwise permissible under the Act. For example, it permits the disclosure of account number *34 information for specified purposes where the notice and opt-out provisions of § 502(b) are satisfied. Section 502(d) must also be read in conjunction with § 502(e). The latter section provides a list of exceptions to §§ 502(a) and (b) — purposes for which nonpublic personal information may be disclosed without giving the consumer notice and a chance to opt out. Among these exceptions is for the dissemination of consumer reports consistent with the terms of the FCRA. 15 U.S.C. § 6802(e)(6). The FCRA, in turn, permits the disclosure of consumer reports for marketing that results in a firm offer of credit or insurance to a consumer. 15 U.S.C. § 1681b(e). Without a consumer report exception in § 502(d), that section would conflict with the FCRA. The exception language of § 502(d) addresses this issue and eliminates any possible tension between the two statutes on this point.
The Regulations reflect this balance among the statutory provisions. 16 C.F.R. § 313.12(a) does no more than incorporate the language of § 502(d), and 16 C.F.R. § 313.3(n)(3)(i) provides an example to reflect the requirements of § 509(4)(C)(i) of the GLB Act, 15 U.S.C. § 6809(4)(C)(i). 21 These Regulations are therefore consistent with the plain language of §§ 502 and 509(4)(C) of the Act.
This construction of the statute is also supported by the legislative history of the GLB Act. At least two members of Congress stressed the importance of including a provision, such as § 502(d), that would afford extra protection to consumer account numbers with regard to target marketing. Representative Vento noted that under this clause, “[consumer account numbers cannot be shared for the purposes of third party marketing. This protection applies to all consumers and requires no action on their part.” 145 Cong. Rec. H5314 (daily ed. July 1,1999). Representative Jackson-Lee added that “[t]his account [number] information is especially sensitive and should be kept as confidential as possible.” 145 Cong. Rec. H5315 (daily ed. July 1,1999).
In sum, the language and legislative history of the GLB Act support the validity of the Regulations relating to consumer account numbers, and plaintiffs argument must be rejected.
D. Are the Use and Disclosure Provisions Lawful?
Trans Union argues that the agencies’ regulations restricting the use and redisclosure of nonpublic personal information that is provided to a CRA in accordance with the FCRA are unlawful. Joined by IRSG in its attack based on the “savings clause,” Trans Union challenges defendants’ regulations that restrict the use and redisclosure of information received by a CRA pursuant to an exception in the GLB Act. Under the regulations, such information could be used and redisclosed by the CRA only to carry out the activity covered by that exception. These regulations would impact Trans Union’s aggregate data products and target marketing lists by requiring consumer notice and opt out before the creation of the data and the disclosure of the lists.
As noted, § 502(c) of the GLB Act sets forth restrictions on nonaffiliated third parties that receive regulated data from a financial institution. That provision permits third parties to disclose NPI that they have received from a financial institu *35 tion only if its disclosure would be lawful if made directly by the financial institution. 15 U.S.C. § 6802(c). Most disclosure of NPI is lawful only if the consumer has had notice and the opportunity to opt out. However, § 502(e), 15 U.S.C. § 6802(e), provides exceptions that allow financial institutions to disclose nonpublic personal information without consumer notice or choice in certain situations. These limited exceptions allow disclosure when necessary to effectuate a transaction with the consumer, § 6802(e)(1); to protect the integrity of the financial institution, §§ 6802(e)(3)-(4); or where the disclosure is alreаdy mandated or regulated by other federal laws or to comply with judicial process or other applicable legal requirements, §§ 6802(e)(5), (6), (8). 22 In particular, 502(e)(6) permits disclosure without consumer notice or opt-out “(A) to a consumer reporting agency in accordance with the Fair Credit Reporting Act ... or (B) from a consumer report reported by a consumer reporting agency.” 15 U.S.C. § 6802(e)(6).
Pursuant to these provisions, defendants issued regulations regarding the re-disclosure and reuse of the information disseminated under the § 502(e) exceptions. Specifically, the Regulations permit the financial institution — including CRAs — only to “disclose and use the information pursuant to an exception in [§ 502(e) ] in the ordinary course of business to carry out the activity covered by the exception under which [the financial institution] received the information.” 16 C.F.R. § 313.11(a)(iii). 23
1. Chevron Step One
First, Trans Union argues that these regulations are invalid because it and other CRAs will no longer be able to disclose or even use information that they receive pursuant to the FCRA for the creation or disclosure of information products and services that are not expressly authorized by the FCRA. That, plaintiff contends, violates the plain meaning of the GLB Act. See 65 Fed.Reg. 33,646, 33,667 (2000).
In support of this argument, Trans Union asserts that the agencies’ interpretation of §§ 502(c) and (e) defies common sense principles of statutory construction. The legislative history and scheme of the GLB Act, however, suggest otherwise. According to Representative Vento, who helped to draft the privacy provisions of the GLB Act, the statute was intended to “[p]rohibit repackaging of consumer information. Consumer information remains protected. It cannot be resold or reshared by third parties or profiled or repackaged to avoid privacy protections.” 145 Cong. Rec. H5314 (daily ed. July 1, 1999). See 145 Cong. Rec. H5313 (daily ed. July 1, 1999) (statement of Rep. Gillmor that Congress was concerned that consumers had lost control over personal information in the hands of financial institutions).
The GLB Act created a means to ensure that consumers retain control over their nonpublic personal information. When consumers provide this information to a *36 financial institution, that institution may not disclose the information to third parties, unless the consumer hаs permitted this through the notice and opt-out procedure specified in the Act. 15 U.S.C. § 6802. The Act does, however, specify limited circumstances under which nonpublic personal information may be disclosed to a third party without notice and opt-out-including to a CRA in accordance with the FCRA. See § 6802(e)(6). The statute limits the redisclosure of this information by the CRAs, but is silent on the reuse of information disclosed under this exception. Nonetheless, the agencies found that “Although section 502(c) does not expressly address use, reuse limitations are, as indicated, implicit in the provisions authorizing or permitting disclosures. For example, it would be inconsistent with the purposes of the Act to permit information disclosed in accordance with section 502(e)(1) (which permits information disclosed as necessary to effect, administer, or enforce a transaction with a consumer or in connection with certain routine activities related to such a transaction) to be used for the third party recipient’s marketing purposes.” 65 Fed. Reg. 35,180.
The Court agrees. The statute’s legislative history and structure indicate that Congress intended the § 502(e) exceptions to be limited in scope and purpose. When Trans Union receives information from a financial institution under § 502(e) and the consumer has not had an opportunity to opt out, Trans Union is taking advantage of an exception to the Act’s provisions that otherwise give consumers control over their nonpublic personal information. Without the exception, Trans Union would only be able to obtain — and use — this information if the consumer had chosen not to opt out. It cannot, therefore, use the exception to swallow the statute.
Commissioner of Internal Revenue v. Clark,
Moreover, the use restrictions affirmatively imposed by the Regulations are consistent with the purpose of the GLB Act. Congress gave the Agencies broad rulemaking authority “necessary to carry out the purposes of’ the Act, 15 U.S.C. § 6804(a). Under
Board of Governors of Federal Reserve System v. Dimension Financial Corp.,
*37 2. The “Savings” Clause
Both plaintiffs argue that the agencies’ restrictions on use and disclosure' violate the plain meaning of the “savings clause” of § 506(c). That provision provides that “nothing in this chapter shall be construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act....” 15 U.S.C. § 6806. Plaintiffs rely primarily on the use of the phrase “operation of’ to argue that § 506(c) was intended to preserve the effects produced by the FCRA, rather than just the activities regulated by it. One of these effects was the ability of CRAs to disseminate credit header data to individual reference services and other entities. For although the FCRA regulated the uses for which “consumer reports” could be disseminated, identifying information in a credit header was not included within the definition of a consumer report. 15 U.S.C. § 1681a(d). 25 In short, plaintiffs argue that because the FCRA does not restrict the dissemination of credit header information, the sale of such information is encompassed within the “operation of’ the FCRA and the GLB Act cannot be construed to forbid what is permitted under the FCRA.
Plaintiffs premise them argument on an expansive reading of “operation.” Because the GLB Act does not define “operation,” plaintiffs assert that the dictionary definition of the term — including the meaning “to produce an effect” — should be the implied usage of the word. According to plaintiffs, one of these “effects produced by the FCRA ... [was that] for the past 18 years, CRAs have been able to disclose [credit header] information to non-affiliated third parties. It is this type of practice — made possible by the operation of the FCRA and upon which individual reference services have based their businesses — that the ‘savings clause’ of section 506(c) is intended to preserve.” (IRSG Mem. at 35.)
Plaintiffs’ argument is unpersuasive. Even assuming that § 506(c) of the GLB Act is meant to preserve the effects of the FCRA, these effects are limited to the statutory and regulatory effects of the previous act and not the effects on private entities whose businesses are not addressed by the FCRA. In other words, Congress’ decision not to regulate the disclosure of credit header information in the FCRA — or in any other statute prior to the enactment of the GLB Act — does not bestow upon plaintiffs the right to disclose that information in perpetuity free of governmental interference. While Congress may have been silent on an issue in the past, this does not amount to a waiver of its right to legislate on that subject in the future.
Consequently, there is no tension between the agencies’ regulations on the disclosure of credit header information pursuant to the GLB Act and the FCRA. 26 *38 Similarly, there is no tension between the two statutes with regard to information that does constitute a consumer report, because the GLB Act and the regulations specifically exempt disclosure of this information subject to the FCRA’s limitations. 15 U.S.C. § 6802(e)(6); e.g., 16 C.F.R. § 313.15(a)(5). In short, the two statutes — and the Regulations passed pursuant to them — complement each other, and the plain language of § 506(c) supports the Regulations.
3. Chevron Step Two
Plaintiffs also contend that the use and disclosure restrictions are an impermissible construction of the Act because they are inconsistent with other conclusions reached by the agencies. The use restrictions, plaintiffs argue, would prohibit Trans Union from disclosing aggregate information which does not identify any particular customer or disclose specific information regarding a customer. Yet the agencies also noted that there is no privacy interest in the disclosure of such data, which is expressly exempted from their definition of “personally identifiable financial information.” See, e.g., 16 C.F.R. § 313.3(o)(2)(ii)(B). Plaintiffs argue that this inconsistency is evidence that the defendants have impermissibly interpreted the Act.
The Court disagrees, for the Regulations promulgated pursuant to § 502(e) are consistent with these findings. As stated above, these regulations do not in any way impose a blanket prohibition on the use of customer information to create aggregate data; the rules simply prevent CRAs from doing so without first giving the consumer the chance to opt out. Moreover, whether there is a privacy interest in the release of a set of aggregate data is a different question from whether consumers have a privacy interest in the initial use of their nonpublic personal information for the creation of aggregate data^ — -the scenario which is the focus of the Regulations. The use and disclosure regulations are therefore a permissible construction of the GLB Act under step two of Chevron.
4. Arbitrary and Capricious
Plaintiffs also challenge defendants’ use restrictions under § 706(2)(A) of the APA. Plaintiffs attack the regulations which permit the financial institution — including CRAs — only to “disclose and use the information pursuant to an exception in [502(e)] in the ordinary course of business to carry out the activity covered by the exception under which [the financial institution] received the information.” 16 C.F.R. § 313.11(a)(l)(iii). Specifically, plaintiffs argue that the agencies have failed to adequately justify the Regulations, and have instead simply “parrot[ed] the language of [the] statute without providing an account of how it reached its results.”
Dickson,
The Court is unconvinced in light of the statutory bases for the reuse restrictions, 27 *39 and the support for the decision of the agencies which appears in the administrative record. Defendants specifically sought comments on whether the proposed regulations “should limit the ability of an entity that receives nonpublic personal information pursuant to an exception to use that information only for the purpose of that exception.” 65 Fed.Reg. 35,180 (banking agencies); 65 Fed.Reg. 33,666 (FTC). The agencies received a number of comments on both sides of this issue. Some commentators argued that defendants would exceed their rulemaking authority if they imposed any limits on the reuse of information; 28 others believed that the agencies had such authority and supported the restrictions. 29
In its Final Rule, the FTC stated:
It would be inappropriate to undermine the key privacy requirements of the Act that ensure a consumer can generally control the disclosure of his or her nonpublic personal information by allowing the recipient of nonpublic personal information under the section 502(e) exception to reuse the information for any purpose, including marketing.
65 Fed.Reg. 33,667. This explanation indicates a review and consideration of the comments regarding the reuse provisions, in conformity with the requirements of the APA; the record reflects that the agencies considered the significant points raised in the comments, and under the law they are not required to respond directly to every comment in the record, which would be an impossible task.
Natural Resources Defense Council, Inc. v. U.S. Environmental Protection Agency,
Finally, plaintiffs contend that the agencies’ determination that information that constitutes PIFI when received by a CRA remains subject to use restrictions, regardless of how that data is homogenized, is arbitrary and capricious. Whether this information is homogenized — transformed into identifying information that has been stripped of intrinsically financial data — it was still provided by the consumer to a financial institution to obtain financial services. Its use and disclosure, therefore, still threatens a customer’s privacy rights by subjecting consumers to the very consequences, including telemarketing and direct sales, that Congress was particularly concerned about. When it was disclosed by the consumer to the financial institution, the information became nonpublic personal information for the purposes of GLB Act; once released in this matter, the information remains protected, no matter what form it takes. The approach of the Regulations to this problem is neither arbitrary nor capricious.
III. Plaintiffs’ Constitutional Claims
Plaintiffs argue that the Regulations violate their First Amendment right of free speech, and Trans Union argues that the Final Rules violate its Fifth Amendment rights of due process and equal protection. These arguments will be addressed seria-tim.
*40 A. The First Amendment
Plaintiffs’, primary constitutional argument is that the Regulations violate their First Amendment right to free speech. Plaintiffs’ argument is premised on the notion that the use and dissemination of credit header information is speech that is protected by the Constitution, and therefore, the agencies’ overbroad definition of “personally identifiable financial information” and flat ban on the use and disclosure of FCRA data impinge on this speech in violation of the First Amendment. The Court disagrees, particularly in light of this Circuit’s recent decision in Trans Union v. FTC, which addressed very similar issues.
1. Type of Speech
As a threshold matter, the Court must determine the type of speech that is at issue. The Supreme Court has “long recognized that not all speech is of equal First Amendment importance. It is speech on matters of public concern that is at the heart of the First Amendment’s protection.”
Dun & Bradstreet, Inc. v. Greenmoss Builders, Inc.,
Defendants argue that the dissemination of credit header information should be protected to the same extent as commercial speech, whereas plaintiffs contend that such expression should be accorded full First Amendment protection. However, plaintiffs offer little to distinguish this case from the precedents of the Supreme Court and this Circuit, which recognized the limited nature of First Amendment protection for the commercial activities of information-based businesses. In
Greenmoss,
for example, the Supreme Court examined credit reports issued by a consumer reporting agency. These reports “provided subscribers with financial and related information about businesses.”
Id.
at 751,
The Court of Appeals for this Circuit reached a similar conclusion in a case involving plaintiff, holding that “Trans Un-iones] target marketing lists is solely of interest to the company and its business customers and relates to no matter of public concern. Trans Union target marketing lists thus warrant reduced constitutional protection.”
Trans Union,
In the instant action, plaintiffs’ speech is the dissemination of credit header information by financial institutions. This speech does not involve any matter of public concern, but consists of information of interest solely to the speaker and the client audience.
31
Thus, restrictions on the dissemination of this nonpublic personal information does not impinge upon any public debate. Moreover, even if the credit header information that is disseminated by plaintiffs is not commercial speech
per se,
it is entitled to the same level of protection.
See, e.g., Motor and Equipment Manufacturers Ass’n v. EPA,
2. Central Hudson Analysis
Since the dissemination of credit header information is afforded the same level of protection as commercial speech, it is analyzed under the standard applicable to- commercial speech. First, the Court must conduct a threshold inquiry as to whether the commercial speech concerns lawful activity and is not misleading.
Central Hudson Gas & Electric Corp. v. Public Service Commission of New York,
Once this initial standard is met, the Regulations must pass a three-pronged test to survive under the First Amendment: 1) the asserted governmental interest must be substantial; 2) the regulation must directly advance that interest; and 3) the regulation may be no more extensive than necessary to serve that interest.
Greater New Orleans Broadcasting v. United States,
a. Does the Government Have a Substantial State Interest in Regulating the Use and Disclosure of Credit Header Information?
The asserted governmental interest that the Regulations seek to protect is
*42
the privacy of consumers — particularly the security and confidentiality of their nonpublic personal information. 15 U.S.C. § 6801(a). According to defendants, customer privacy is violated when an individual is required to relinquish the ability to control the dissemination of personal information in order to obtain financial services. Courts have repeatedly recognized that the protection of consumer privacy — in various forms — is a substantial governmental interest.
See, e.g., Florida Bar v. Went For It,
Plaintiffs argue, however, that the privacy interest at issue in this case does not rise to the level of a substantial state interest. In particular, plaintiffs rely on the Tenth Circuit’s opinion in
U.S. West, Inc. v. FCC,
At issue in
U.S. West
were regulations implementing 47 U.S.C. § 222, which was enacted as part of the Telecommunications Act of 1996. “[T]he essence of the statutory scheme require[d] a telecommunications carrier to obtain customer approval when it wishe[d] to use, disclose, or permit access to [customer proprietary information]....”
U.S. West,
Unlike the regulations and statute at issue in
U.S. West,
Congress and the defendant agencies have “specified a particular notion of privacy and the interest served,”
id.
at 1235, by articulating that the purpose of the Act as ensuring “that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal account information.” 15 U.S.C. § 6801(a). Unlike
U.S. West,
the agencies here have satisfactorily articulated a specific concept of privacy,
32
similar to the privacy interests identified in other statutes.
See, e.g.,
Video Privacy Protection Act, 18 U.S.C. § 2710 (prohibiting video stores from disclosing information about a customer’s rentals without that individual’s consent); Driver’s Privacy Protection Act, 18 U.S.C. §§ 2721
et seq.
(restricting the dissemination of motor vehicle records). Moreover, the record indicates that the agencies have carefully weighed the benefits and harms of imposing the privacy-based regulations.
See, e.g.,
65 Fed Reg. at 33,657-59 (FTC
*43
discussion of definition of “personally identifiable financial information,” explaining the costs and benefits of that definition);
id.
at 33,668-69 (FTC explanation of the reuse and redisclosure provisions in the Regulations, weighing comments for and against these restrictions). Thus, the Circuit Court’s recent opinion in
Trans Union
effectively disposes of plaintiffs’ argument relating to the substantial interest question by holding that “we have no doubt that this interest — protecting the privacy of consumer credit information — is substantial.”
Trans Union,
b. Do the Regulations Directly and Materially Advance That Interest?
Plaintiffs argue that the Regulations do not materially advance the asserted privacy interest, because the Regulations “effectively” prohibit the use and dissemination of identifying information that may have originated with financial institutions, but which is no longer in the form of personally identifiable financial information because all identifying information has been removed. In this regard, plaintiffs assert that there is no basis for defendants to argue that any harm will result to consumers from the use and dissemination of such homogenized information.
Plaintiffs mischaracterize, however, the nature of the governmental interest that the Regulations attempt to promote. The harm that the Act and the Regulations are designed to prevent is not any specific consequence of the use and disclosure of consumers’ nonpublic personal information; rather, it is the use and disclosure of that information without the consent of the consumer. Section 15 U.S.C. § 6801(a) makes this clear: “It is the policy of this Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.”
Id.
Regulations prohibiting the use and disclosure of that information without the consent of the consumer clearly advance that interest.
United States v. Edge Broadcasting Co.,
c. Are the Regulations No More Extensive Than Necessary To Serve That Interest?
Finally, plaintiffs contend that the Final Rules are more extensive than necessary to achieve the government’s interest. To survive this prong, the regulations cannot “completely suppress information when narrower restrictions on expression would serve its interest as well.”
Central Hudson,
The Final Rules do not directly prohibit the use and disclosure of nonpublic personal information, but instead, they require financial institutions to provide customers with notice and the opportunity to opt out. Plaintiffs argue, however, that defendants’ use and disclosure restrictions on a CRA’s ability to use and disclose credit header *44 information are tantamount to an outright prohibition on such activities, because financial institutions have indicated that they will not provide the required notice and opt-out for CRAs’ use of credit headers. (See Declaration of Jennifer Barrett, Ex. 6 to IRSG Mem.) As a result, plaintiffs claim that the Regulations are far broader than necessary and that the fit between the use restriction and the interest to be served is disparate.
Plaintiffs have again mischaracterized the nature of the governmental interest at stake, and have compounded that error by overstating the effect of the Regulations on CRAs. The Regulations do not impose any restrictions on CRAs that are not also applicable to all other institutions that receive nonpublic personal information. Like every other third party, Trans Union and other CRAs can still use and disclose this information — except as provided in one of the limited exceptions— as long as the individual consumer is given notice and the opportunity to opt out. This scheme reflects the purpose of the Act — to allow consumers to retain control over their personal financial information. The Rules do not ban speech and are no more extensive than necessary to serve the substantial governmental interest of protecting consumer privacy over personal financial information. For these reasons, the Regulations satisfy Central Hudson, and thereby comport with the requirements of the First Amendment. 33
B. Due Process
Plaintiff Trans Union next contends that it was entitled to a hearing under the Due Process Clause of the Fifth Amendment because the Regulations affected it in a “distinctive way.” (Trans Union Supplemental Mem. at 12.) Plaintiffs argue that, in promulgating the Regulations, defendants singled out a small class that included Trans Union, and therefore, they effectively transformed the legislative process into an adjudicative one.
The applicable standard was set forth by this Circuit in
Alaska Airlines, Inc. v. C.A.B.,
Here, plaintiff suggests that the FTC’s disclosure that it considered a portion of the opinion in the agency’s administrative proceeding against Trans Union, In the Matter of Trans Union Corp., No. 9255, in promulgating Regulations pursuant to the GLB Act constitutes an admission that the FTC’s rulemaking included the review of adjudicative facts regarding Trans Union. There is nothing in the record, however, to suggest that the FTC improperly relied on any particular facts from the Trans Union case, and the FTC Federal Register statement’s citation to one legal conclusion from the case — that “age” is a “consumer report” under the FCRA — in no way undermines the rulemaking record of the agency. The Trans Union case asked whether certain personal information sold by Trans Union to target marketers constituted a “consumer report” under § 603(d) of the FCRA; the GLB Act regulations do not address this topic. There is no indication that the FTC considered the adjudicative facts from its administrative proceeding against Trans Union in promulgating its rules under the GLB Act; instead, the record is replete with legislative judgments on issues of law and policy. See, e.g., 65 Fed.Reg. at 33,658 (describing the reasons for the Commission’s decision to treat “any information [as] financial information if it is requested by a financial institution for the purpose of providing a financial product or service”); id. at 33,-666-67 (describing the policies behind the regulations that limit the reuse and redis-closure of financial information).
The cases that plaintiffs cite, moreover, are inapposite. All of these cases involve clearcut examples of the government singling out a discrete party or parties, and then taking action that affects only them.
See, e.g., Alaska Airlines,
*46 C. Equal Protection
Finally, plaintiff Trans Union argues that defendants’ regulations violate its Fifth Amendment right to equal protection by prohibiting the use of consumer information by CRAs but not by other entities. The appropriate standard by which to examine these rules is the rational basis test, for plaintiff is not a member of a protected class, and the rules do not impinge on a fundamental interest.
Calloway v. District of Columbia,
Defendants’ use and disclosure regulations easily satisfy the rational basis test. The regulations were enacted because the agencies believed that “[i]t would be inappropriate to undermine the key privacy requirements of the Act that ensure a consumer can generally control the disclosure of his or her nonpublic information by allowing the recipient of nonpublic personal information under the section 502(e) exception to reuse the information for any purpose, including marketing.”
Trans Union argues that these regulations unequally burden it and other CRAs; in fact, the rules do exactly the opposite by equalizing the duties of CRAs and non-CRAs that receive this information. The CRAs have received a special benefit under 502(e)(6): the ability to obtain nonpublic information without the consumer’s authorization to facilitate the compilation of consumer reports in accordance with the FCRA. Beyond this limited purpose, Equal Protection dictates that CRAs and non-CRAs should be subject to the same restrictions as to information that is equally accessible to both. The Regulations do exactly that, and therefore are not susceptible to attack for an equal protection violation.
CONCLUSION
For the above reasons, the Court finds that defendants’ regulations are neither unlawful nor unconstitutional. The Regulations do not contravene the plain meaning of the GLB Act, and they are a permissible construction of that statute. Moreover, the agencies’ action in promulgating the Final Rules was not arbitrary and capricious. The Regulations do not violate plaintiffs’ right to free speech under the First Amendment, for they serve a substantial state interest, directly and materially advance that interest, and are no more extensive than necessary to do so. Finally, the Final Rules do not violate Trans Union’s right to either due process or equal protection under the Fifth Amendment. As a result, defendants’ cross-motion for summary judgment is granted as to all counts.
ORDER
This matter is before the Court on plaintiffs’ motions for summary judgment, defendants’ cross-motion for summary *47 judgment, plaintiffs’ replies, defendants’ memorandum in support, plaintiffs’ supplemental memorandum, and defendants’ response thereto. For the reasons stated in the Court’s accompanying memorandum opinion, it is hereby
ORDERED that defendants’ motion for summary judgment [31 1] is GRANTED as to all counts of plaintiffs complaint; and it is
FURTHER ORDERED that plaintiff Individual Reference Services Group, Inc.’s motion for summary judgment [27— 1] is DENIED; and it is
FURTHER ORDERED that plaintiff Trans Union’s motion for summary judgment [25-1] is DENIED; and it is
FURTHER ORDERED that plaintiffs’ complaints are dismissed with prejudice.
This is a final appealable order.
SO ORDERED.
Notes
. The terms "consumer report” and "credit report” are used interchangeably in this opinion.
. Although the Court notes above, by way of description, that Trans Union receives information from "financial institutions,” it also finds that, for the purposes of the GLB Act and the ensuing Regulations, Trans Union is a "financial institution” as that term is defined in the Act. See infra pp. 32-33.
. The GLB Act does not restrict the dissemination of nonpublic personal information for these purposes. See 15 U.S.C. § 6802(e)(8); infra note 22.
, One member of IRSG is Lexis-Nexis ("LN”), which uses information it has obtained from CRAs to develop its information services. LN's "people locator” enables users of the system to find the addresses of individuals throughout the United States. Law enforcement officers use this program to locate criminals, fugitives, and suspects; lawyers might tap this system to determine the whereabouts of witnesses, heirs, putative members of a class, and beneficiaries. (IRSG Statement ¶ 13). Other members of IRSG who are not individual parties to this action are U.S. Search.com, Inc., Acxiom, ChoicePoint, Data-Quick, DCS Information Systems, Dolan Media Co., Equifax Credit Information Services, First Data Solutions LLC, Online Professional *16 Electronic Network, Pinkerton Services Group, United Reporting Publishing Co., and West Group. (IRSG Statement ¶ 2.)
. The seventh agency, the Securities and Exchange Commission ("SEC”), is currently a defendant in a parallel lawsuit that is pending in the Court of Appeals for this Circuit, having been appealed directly to that Court from the SEC. Resolution of that action, Individual Reference Services Group v. SEC, No. 00-1339, was stayed on January 8, 2001, pending this Court’s decision in the instant action.
. For example, in 1993, the FTC ruled that information like that contained in credit headers — including a consumer's name, address, age, social security number, and telephone number — could be included in target marketing lists used by CRAs to offer goods and services to consumers. See Order Amending Consent Order, FTC v. TRW, Inc., (N.D.Tex. Jan. 14, 1993). Under this consent order, TRW was permitted to use this information to prepare and disclose aggregated information relating to a ■ hypothetical consumer residing in a given geographical area. In the Matter of Trans Union Corp., at 46 n. 77. In short, credit header data was subject to neither the FCRA nor any other federal statute until the passage of the GLB Act.
. For example, Dr. Mary Culnan of Georgetown University testified that consumers should be able to restrict the further dissemination of personal information disclosed in a financial transaction, even that which is commonly deemed “public.” She noted that the "telephone book, one of the most widely available sources of public information, is a good example that people value the ability to make choices about disclosing even their names and addresses, and when offered choices ... consumers should be able to opt out of having their names and addresses shared for marketing purposes.” House Banking Subcommittee Hearing (July 20, 1999), at <http://www.house.gov/bank-ing/72099cul.htm> at 4-5. Others testified that the bill should protect other sorts of information — such as personal medical information — that may not have been considered traditionally "financial,” but that is "shared and used in the financial services context.” Statement of Dr. Donald Palmisano, American Medical Association, House Banking Subcommittee Hearing (July 21, 1999), at <http://commdocs.house.gov/committees/bank/ hba58308 — 0.htm> at 184.
. The Act authorizes the agencies to promulgate regulations implementing the statute by directing the six defendants and the SEC to “prescribe . .. such regulations as may be necessary to carry out the purposes of this subchapter with respect to the financial institutions subject to their jurisdiction.... Each of the agencies ... si all consult and coordinate with other such agencies [to ensure that the regulations] are consistent and comparable....” 15 U.S.C. §§ 6804(a)(l)-(2).
. Comments to the other agencies paralleled those made to the FTC. See, e.g., FDIC Record at 104,834 (Comment of Lexis Nexis Group); FDIC Record at 104,839 (Comment of the Direct Marketing Association, Inc.); OCC Record at 500,969 (Comment of Mellon Financial Corporation); OTS Record at 600,775 (Comment of Craftmatic Organization, Inc.). Many of the comments were submitted in identical form to all six defendant agencies.
. Although the Court cites only to the FTC Final Rules, each of the other agencies promulgated an analogous set of regulations. See OCC Final Rules, 12 C.F.R. § 40.1 et seq., Board Final Rules, 12 C.F.R. § 216.1 et seq., *22 FDIC Final Rules, 12 C.F.R. § 332.1 et seq., OTS Final Rules, 12 C.F.R. § 573.1 et seq., NCUA Final Rules, 12 C.F.R. § 716.1 et seq.
. The definition of "you” varied slightly from agency to agency, but all defendants included "financial institutions” within its meaning.
. As the Court in Salleh explained, where multiple agencies have been designated to promulgate regulations pursuant to an Act of Congress, "it cannot be said that Congress implicitly delegated to one agency authority to reconcile ambiguities or to fill gaps, because more than one agency will independently interpret the statute.” Id. at 692. In Salleh, two agencies had asserted administrative authority and interpreted a single statute in conflicting ways. In the case at hand, however, the six defendant agencies and the SEC have coordinated their efforts and issued similar sets of regulations, each of which is designed to support the others, rather than to undermine them. Thus, unlike in Salleh, there is no inter-agency conflict here.
. See infra pp. 39-47.
. The broad meaning of “financial institution” under the Act also bolsters defendants' contention that the agencies' expansive construction of “personally identifiable financial information” is permissible. Under the Act, an institution is considered to be "financial” because of the activities in which it engages and its relationship with the other entities with whom it deals — not because of any intrinsic nature of the business. See 15 U.S.C. § 6809(3); 12 U.S.C. § 1843(k)(4). See infra pp. 31-32.
. Plaintiffs note that Senator Feinstein's statement appears to be at odds with the fact that on March 30, 2000, after passage of the GLB Act, she introduced a bill that was specifically aimed at regulating the use and disclosure of credit header information. See Ex. 62 to IRSG Mem., S. 2328 (introduced by Sen. Feinstein Mar. 30, 2000) (bill to amend FCRA to prohibit CRAs from releasing most identifying information except in consumer reports). Plaintiffs argue that Senator Fein-stein’s decision to introduce legislation regulating credit header information conflicts with defendants’ interpretation of the GLB Act, for Senator Feinstein would not have introduced such legislation had she believed that credit header information fell within the definition ol "personally identifiable financial information.”
This argument is tempting, but two factual points and one legal issue conflict with plaintiff's contention regarding this post-enactment legislative history. First, it does not appear that the proposed bill would have regulated the disclosure of name and address information — two of the key components of credit headers. See S. 2328 § 7. Moreover, the bill was based on a different governmental interest, i.e., preventing the crime of identity fraud, see id. § 2, and regulated a narrower class of information than the GLB Act. Second, even under a broader reading, Senator Feinstein proposed this bill in the midst of the *29 administrative rulemaking period before defendants had issued their Final Rules. In fact, Senator Feinstein could have been responding to the possibility — raised during the notice and comment period — that the agencies would not include credit header information within their definition of PIFI, and that therefore other legislation was necessary to ensure the protection of this information.
Finally, even if the Court were to find this post-enactment legislative history to be relevant, legal precedent provides no clear guidance as to the weight that it should be accorded. In
FDA
v.
Brown & Williamson Tobacco Corp.,
. Section 504(a)(1), 15 U.S.C. § 6804(a)(1), grants the FTC rulemaking authority pursuant to the GLB Act.
. Section 502(d) provides:
A financial institution shall not disclose, other than to a consumer reporting agency, an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account of a consumer to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.
15 U.S.C. § 6802(d).
.Trans Union's TransLink product, which is described supra p. -, uses account numbers for marketing. TransLink enables Trans Union to provide the addresses of a consumer to retailers based on the name and account number of that individual.
. This subsection of the FTC Rules provides examples of lists that constitute nonpublic personal information subject to the restrictions of the GLB Act. Under § 313.3(n)(3)(i), "Nonpublic personal information includes any list of individuals' names and street addresses that is derived in whole or in part using personally identifiable financial information (that is not publicly available), such as account numbers.” Id.
. Section 502(b)(2) provides exceptions to the opt-out rule that are not relevant here.
. "Nonpublic personal information” is defined in 15 U.S.C. § 6809(4)(C)(i) as "shall include any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any nonpublic personal information other than publicly available information. ...”
. Specifically, 15 U.S.C. § 6802(e)(8) permits the disclosure of NPI without notice and opt-out “to comply with Federal, State, оr local laws, rules, and other applicable legal requirements; to comply with a properly authorized civil, criminal, or regulatory investigation or subpoena or summons by Federal, State, or local authorities.... ” Many of the purposes for which IRSG and Trans Union gather and disclose NPI, including the location of missing children, enforcement of child support, and prosecution of financial crimes, would fall under this exception to the GLB Act. (IRSG Statement of Facts ¶ 14.)
. For simplicity, the citation is to the FTC’s regulation; however, the other defendant agencies have issued similar rules.
. Trans Union also argues that the inclusion of a use restriction in § 502(d) — the account numbers prohibition — indicates that Congress acted intentionally when it failed to incorporate a use provision into § 502(c). The Court is not persuaded by this argument. As discussed, § 502(d) addresses a specific type of highly sensitive information — account numbers — about which legislators were particularly concerned. Section 502 does not *37 impose a blanket prohibition on the use of nonpublic personal information by CRAs. Rather, it limits the circumstances under which companies such as Trans Union may receive — and, therefore, use and redisclose— this information unless the consumer has opted out. Trans Union’s argument to the contrary is illogical.
. The recent decision of this Circuit,
Trans Union Corp. v. FTC,
. The legislative history of the GLB Act bolsters this conclusion. The FCRA savings clause was added in conference, following the testimony of FTC members who had expressed concern that the new Act could be seen as weakening the privacy provisions of the FCRA. Section 506 was added to ensure that consumer reports would be distributed only to those who had a permissible purpose, pursuant to the FCRA, for receiving them. *38 See House Banking Committee Hearing (July 21, 1999) (statement of Robert Pitofsky, Chairman, FTC). The Conference Report provides absolutely no indication that the clause was intended to shield the industry practices — including the dissemination of credit header information — that were in place prior to the GLB Act, and thereby limit the scope of the privacy protection in the new statute.
. See supra pp. 34-36.
. See, e.g., FTC Administrative Record at 301,641 (Trans Union); 301,095-96 (MasterCard International).
.See, e.g., FTC Administrative Record at 302,642 (Consumers Union: Consumer Federation of America); 300,484 (Massachusetts Office of Consumer Affairs and Business Regulation).
. Obscene speech and “fighting words,” for example, receive no First Amendment protec-lion.
Id.
at 759 n. 5,
. While it may be arguable that some of the credit header information that is disseminated is of public concern (e.g., information that is used to track down deadbeat parents and account identity thieves), credit header information is exempted from the notice and opt-out requirements of the GLB Act for these purposes, see 15 U.S.C. § 6802(e)(8), and is therefore not subject to the restrictions that plaintiffs challenge under the First Amendment.
. The regulations at issue in U.S. West, moreover, required carriers to obtain prior express approval from a customer before it could disclose that individual's proprietary information. Id. at 1230. The U.S. West court noted that an opt-out approach, such as the one employed by defendants in the instant action, was a "substantially less restrictive alternative” than the opt-in strategy at issue in U.S. West. Id. at 1238.
. Trans Union contends that its opt-out procedure is a sufficient and narrower alternative to the Regulations. Under that process, a consumer may notify Trans Union that it wishes to be excluded from the target marketing lists used to make firm offers of credit pursuant to the FCRA, 15 U.S.C. § 1681b(e). (Trans Union Statement ¶ 57.) Whenever Trans Union receives such a request, it "takes steps to ensure that the information regarding the consumer is excluded....” (Trans Union Statement ¶ 58.) The existing program, however, is limited to target marketing for credit and insurance, and does not cover the range of information implicated by the GLB Act. Moreover, to allow CRAs themselves to provide notice and opt-out to the consumers— rather than for the financial institution with whom the consumer has a relationship to do so — defeats a central purpose of the Act. It is the responsibility of the financial institutions to protect the privacy and confidentiality of their customers’ personal information, 15 U.S.C. 6801; it is therefore incumbent on those entities — and not third-party CRAs that have only received the information pursuant to an exception in the GLB Act — to act affirmatively and provide notice and opt-out rights to consumers. In any event, because the GLB Act is not subject to strict First Amendment scrutiny, defendants are not required to choose the least restrictive means of accomplishing their goal.
Trans Union,