145 F. Supp. 2d 6 | D.D.C. | 2001
INDIVIDUAL REFERENCE SERVICES GROUP, INC., Plaintiff,
v.
FEDERAL TRADE COMMISSION, et al., Defendants.
Trans Union LLC, Plaintiff,
v.
Federal Trade Commission, et al., Defendants.
United States District Court, District of Columbia.
*7 *8 *9 *10 *11 *12 Richard James Oparil, Piper, Marbury, Rudnick & Wolfe, LLP, Washington DC, *13 for Individual Reference Services Group, Inc.
Barry Marshall, Heller, Piper, Marbury, Rudnick & Wolfe, LLP, Washington, DC, for Trans Union LLC.
Lisa Sheri Goldfluss, U.S. Attys. Office, Washington, DC, Lawrence DeMille-Wagman, Michael Daniel Bergman, John F. Daly, FTC, Washington, DC, for Federal Trade Commission.
Gregory F. Taylor, FDIC, Washington, DC, for Federal Deposit Ins. Corp.
Larry J. Stein, Office of the Comptroller of the Currency, Washington, DC, for Comptroller of the Currency.
Thomas Jacob Segal, Elizabeth Reitz Moore, Office of Thrift Supervision, Washington, DC, for Office of Thrift Supervision.
Ori Lev, Dept. Of Justice, Washington, DC, for National Credit Union Admin.
MEMORANDUM OPINION
HUVELLE, District Judge.
Before the Court are plaintiffs' motions for summary judgment, defendants' cross-motion for summary judgment, plaintiffs' replies, defendants' memorandum in support, plaintiffs' supplemental memorandum, and defendants' response thereto. Plaintiffs bring this action pursuant to the Administrative Procedure Act ("APA"), 5 U.S.C. § 701, seeking judicial review of regulations (the "Regulations") that were promulgated by the defendant agencies to implement Title V, Subtitle A of the Gramm-Leach-Bliley Act, Pub.L. No. 106-102, 113 Stat. 1338 (1999) (codified as amended at 15 U.S.C.A. § 6801 et seq. (2000)) (the "GLB Act"), which addresses the responsibility of financial institutions to protect the privacy of the personal financial information of their customers. Plaintiffs ask this Court to invalidate these Regulations and enjoin their enforcement.
Plaintiffs contend that the Regulations are both unlawful and unconstitutional. They argue that the Regulations are invalid for five reasons: a) the definition of "nonpublic personal information" in the Regulations contravenes the statutory requirement that only financial information is subject to the GLB Act; b) the Regulations constitute an impermissible regulation of non-financial institutions by the agencies; c) the Regulations contradict a provision of the GLB Act that exempts consumer reporting agencies from the statute's prohibition of the use of account numbers for marketing purposes; d) the Regulations impose a restriction on the use of nonpublic personal information that is inconsistent with the statute; and e) the Regulations modify the operation of the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq. (the "FCRA"), in contravention of the savings clause of the GLB Act. In addition, plaintiffs allege that the Regulations are unconstitutional for three reasons: a) they are overbroad and improperly restrict plaintiffs' speech in violation of the First Amendment; b) they were enacted without the requisite adjudicative hearings, in violation of Trans Union's Fifth Amendment right to due process of law; and c) they impose restrictions on plaintiff Trans Union that are not imposed on entities that are not consumer reporting agencies, in violation of the Fifth Amendment. Upon consideration of the pleadings and the record herein, this Court concludes the Regulations are lawful and constitutional. Summary judgment is therefore granted for defendants as to all counts.
FACTUAL AND STATUTORY BACKGROUND
I. The Parties and The Role of Consumer Reporting Agencies
A. Trans Union and Its Products
Plaintiff Trans Union ("Trans Union") is a Delaware limited liability company *14 with its principal place of business in Chicago, Illinois. (Trans Union Statement of Material Facts ¶ 1.) Trans Union is a "consumer reporting agency" ("CRA"), as defined in the FCRA, and it provides "consumer reports,"[1] as defined at 15 U.S.C. § 1681a(d). The foundation of Trans Union's business is its database, CRONUS, which contains information about consumers that is used to generate credit reports. (Trans Union Statement ¶ 16.) Although Trans Union gathers this data from over 85,000 entities, its main source of information is financial institutions,[2] which generally provide this information in the form of accounts receivable tapes. (Trans Union Statement ¶¶ 17-19.) These tapes contain information the name, address, zip code, and social security number, as well as information regarding the account itself about each consumer that is reported by the financial institution. (Trans Union Statement ¶ 20.)
Trans Union maintains this information in CRONUS, from which it generates credit reports. These reports contain two types of information: identifying information for each individual, and tradeline information describing the consumer's account and payment history. (Trans Union Statement ¶ 22.) The identifying information includes the name, address, social security number, and telephone number of the consumers, and since this data is printed at the top of the report, it is typically referred to as "credit header" information. (Trans Union Statement ¶ 23.) Although financial institutions are the primary source of the identifying information, plaintiffs allege that the resulting credit header is the product of various sources, and that it therefore does not reveal the existence of a customer relationship with any specific financial institution.
Trans Union alleges that three of its product lines will be affected by the Regulations and are therefore at issue in this litigation. First are Trans Union's credit header products. In addition to including the header information in its credit reports, Trans Union sells this data separately to a number of business and governmental entities, which then use the information for both commercial and noncommercial purposes, including target marketing and fraud prevention. (See Trans Union Statement ¶¶ 27-44.) These products include "Trace," which allows a customer of Trans Union to input an individual's social security number and receive, in return, the name and address of that person (Trans Union Statement ¶ 29); "Retrace," which enables a customer who has an individual's name and address to obtain that person's social security and phone numbers (Trans Union Statement ¶ 31); and "ID Search," which permits a customer with a person's name and phone number to obtain that individual's social security number and current and former addresses from Trans Union. (Trans Union Statement ¶ 33.) Trans Union and other CRAs also sell credit header information to individual reference services, which typically work with government agencies to identify and locate individuals for a variety of purposes, including the prosecution of financial crimes and enforcement of child support orders. (Individual Reference Services Group ("IRSG") *15 Statement of Material Facts ¶¶ 11-14.)[3] Similarly, private companies hire individual reference services to help detect and prevent fraud, and health organizations use their products to identify blood and organ donors. Media and political campaign organizations may use individual references services to verify the identities of campaign donors. (IRSG Statement ¶ 15-16.)
Second, Trans Union offers a line of target marketing products that provide both credit header and tradeline information. These target marketing lists are designed to identify consumers who may be interested in purchasing the particular goods or services that are offered by customers of Trans Union. (Trans Union Statement ¶ 45.) Typically, a targeting marketing list provides a customer with the names and addresses of individuals who live in a household that meets particular criteria, such as having a bank card or a home mortgage. (Trans Union Statement ¶¶ 46-47.) One of these products is "TransLink," a program that allows a retailer to identify the names and addresses of customers who have made purchases from that retailer with a credit card. A retailer who has obtained the name and credit account number of a customer sends this information to Trans Union, which in response provides a corresponding name and address using the information stored in CRONUS. (Trans Union Statement ¶¶ 47, 55-56.)
Third, Trans Union uses information that it receives from financial institutions to prepare aggregate or average data on consumers. Trans Union's SUM-it product, for example, creates aggregate financial information, such as the average mortgage and bank card balance, for consumers who live within a particular zip code, zip code-plus-two digits, or zip code-plus-four digits. (Trans Union Statement ¶ 48.) The information in the SUM-it database is then used to create models that predict consumers' financial characteristics or their propensity to purchase certain goods or services. This aggregate information is then made available to marketing firms. (Trans Union Statement ¶ 49.) Individual information reported by financial institutions about particular customers is not disclosed in this material.
B. IRSG and Credit Header Information
Plaintiff Individual Reference Services Group, Inc. is a non-stock corporation organized exclusively as a nonprofit trade association under the laws of the state of Maryland. (IRSG Statement ¶ 1.) IRSG represents leading information industry companies, including major CRAs, that provide information to help identify, verify, or locate individuals. IRSG represents CRAs, which obtain credit header information directly from financial institutions, and other entities to whom the CRAs provide credit header data.[4] Trans Union is a member of IRSG.
*16 Plaintiff IRSG contests only the regulation of credit header information under the GLB Act; unlike Trans Union, it does not challenge the effects of the agencies' Final Rules on target marketing lists or aggregate data.
C. The Defendant Agencies
The defendants in this action are the Federal Trade Commission ("FTC"), Board of Governors of the Federal Reserve System ("Board"), Federal Deposit Insurance Corporation ("FDIC"), Office of the Comptroller of the Currency ("OCC"), Office of Thrift Supervision ("OTS"), the National Credit Union Administration ("NCUA"), and their respective heads. These agencies are responsible for the administration and enforcement of Title V of the GLB Act, as well as other related statutes. The FTC and NCUA are independent agencies of the United States government; the Board administers the Federal Reserve System; the FDIC is a corporation organized under federal law; and OCC and OTS are divisions of the United States Department of the Treasury. Defendants are six of the seven agencies that promulgated regulations addressing, among other issues, the use and disclosure of "nonpublic personal information" pursuant to the GLB Act. These are the Regulations challenged in this action. (Trans Union Statement ¶¶ 2-12.)[5]
II. The FCRA
An understanding of the legal issues in this case begins with an explanation of the FCRA, which provides a comprehensive regulatory scheme governing CRAs, including Trans Union. Enacted on October 26, 1970, the statute was drafted in an effort to balance the conflicting needs of commerce and consumer protection; its stated purpose was "to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer...." 15 U.S.C. § 1681(b).
Specifically, the Act requires CRAs to "follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates." 15 U.S.C. § 1681e(b). To ensure the accuracy of this data, CRAs must make available to customers "all information in the consumer's file at the time of the request," § 1681g(a)(1), and promptly investigate any consumer dispute regarding "any item of information." § 1681i(a)(1)(A). The FCRA also requires CRAs to report the results of any investigation and to correct any inaccurate information. § 1681i(a)(5). The financial institutions that report information to CRAs are subject to similar requirements under the Act. § 1681s-2.
The FCRA does not regulate the disclosure of all information that CRAs receive from financial institutions. Instead, the statute sets forth the permissible purposes for which a CRA may disclose information via a "consumer report." Under the statute, a consumer report is "the communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, *17 credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for [credit, insurance, employment, or other authorized purposes]." § 1681a(d)(1). Under the 1996 amendments to the Act, Congress expanded the permissible uses of consumer report information to include credit and insurance target marketing, including firm offers of credit or insurance that are not initiated by the consumer. § 1681b(c). These amendments also require CRAs to establish procedures for consumers to opt out of this target marketing and to notify consumers of their opt-out rights. §§ 1681b(e), 1681m(d).
The FCRA does not regulate the dissemination of information that is not contained in a "consumer report." In 2000, the FTC stated that the "credit header" data at issue in this litigation the name, address, social security number, and phone number of the consumer was not subject to the FCRA because it "does not bear on creditworthiness, credit capacity, credit standing, character, general reputation, personal characteristics, or mode of living, unless such terms are given an impermissibly broad meaning." (Trans Union Index, Ex. F, In the Matter of Trans Union Corp., Docket No. 9255, Feb. 10, 2000, at 30.); 15 U.S.C. § 1681a(d)(1). Both sides agree that credit header information is not currently subject to the FCRA. (Trans Union Memorandum at 9.)[6]
In contrast, the Court of Appeals for this Circuit has recently upheld the FTC's determination that target marketing lists are "consumer reports" under the FCRA and are therefore subject to the provisions of that statute. In Trans Union v. FTC, 245 F.3d 809 (D.C.Cir.2001), the Court found that lists of names and addresses of individuals who fall into particular categories based on tradeline information for example, their credit limits, open dates of loans, number of tradelines, type of tradelines (such as an auto loan or mortgage), or the mere existence of a tradeline qualify as consumer reports. These categories, the Court found, were exactly the type of information considered by lenders in determining who was eligible for a loan or credit. Lists of names and addresses of consumers based on those categories, therefore, are covered by § 1681a(d)(1) of the FCRA. Trans Union, 245 F.3d 809, 815-16.
III. The GLB Act
The Federal Financial Modernization Act, commonly known as the Gramm-Leach-Bliley Act, was passed by Congress and signed by President Clinton in November 1999. The purpose of the GLB Act was "to enhance competition in the financial services industry by providing a prudential framework for the affiliation of banks, securities firms, insurance companies, and other financial service providers...." H.R. Conf. Rep. No. 106-434, at 245 (1999), reprinted in 1999 U.S.C.C.A.N. 245, 245. Congress intended that increased *18 competition would benefit consumers by enhancing the availability of financial products and services and by allowing domestic financial services firms to better compete globally. H.R.Rep. No. 106-74, pt. 3, at 98 (1999).
At the same time, Congress realized that such a structure could exacerbate the concerns of consumers regarding the dissemination of personal financial information. For example, banks, insurance companies, and securities firms have the capacity to know more about an individual's spending habits than ever before, and could use this information for many purposes, including unwanted marketing and solicitation. See H.R. Rep. 106-74, pt. 3, at 106-07 (June 15, 1999) ("As a result of the explosion of information available via electronic services such as the Internet, as well as the expansion of financial institutions through affiliations and other means as they seek to provide more and better products to consumers, the privacy of data about personal financial information has become an increasingly significant concern of consumers.") To balance these interests, the Act provides consumers with the power to choose how their personal information will be shared by financial institutions. As the Act states, "It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information." 15 U.S.C. § 6801. During debates in Congress, legislators noted that the proposed Act would "provide some of the strongest privacy protections to ever be enacted into any federal law," 145 Cong. Rec. H11, 539-40 (daily ed. Nov. 4, 1999) (statement of Rep. Vento), and would "represent the most comprehensive federal privacy protections ever enacted by Congress." 145 Cong. Rec. H11,544 (daily ed. Nov. 4, 1999) (statement of Rep. Sandlin).
A. The Legislative History
On May 6, 1999, the Senate approved S. 900, the Financial Services Modernization Act of 1999, a precursor to the GLB Act. That bill did not contain provisions protecting the disclosure of personal information. The House Commerce Committee, which was the first body to address privacy issues in the bill, proposed provisions to provide "protections for the privacy of customers of financial institutions, [including] put[ting] into place procedures to protect the confidentiality and security of nonpublic personal information collected in connection with any transaction of their customers." H.R.Rep. No. 106-74, pt. 3, at 200. The Committee defined "nonpublic personal information" as "personally identifiable information, other than publicly available directory information, pertaining to an individual's transactions with a financial institution." H.R. 10, 106th Cong., 1st Sess § 509(4). (1999).
Language containing the definition of "nonpublic personal information" was added to the House bill through an amendment introduced by Representative Michael Oxley on July 1, 1999. 145 Cong. Rec. H5308 et seq. (daily ed. July 1, 1999). Industry groups objecting to broader restrictions on the disclosure of personal information, as well as advocates for greater privacy protections, testified at hearings on the amended bill later that month. For example, Richard Barton, the Senior Vice President for Congressional Relations of the Direct Marketing Association, expressed concern that "the definition of nonpublic personal information [was] unclear because [it tended to] blur the differences between personally identifiable financial information and other types of personally identifiable information, *19 [and] might be read to interfere seriously with the use of certain non-financial identifying information to make marketing databases more accurate." House Banking Subcommittee Hearing (July 20, 1999), at http://www .house.gov/banking/72099rba.htm> at 5.
In contrast, other participants testified that it was important to restrict the unauthorized disclosure of certain sensitive personal information, including names and addresses.[7] Representatives of federal agencies testified that consumers consider information that they provide to financial institutions in order to obtain a financial product to be "private." See, e.g., Statement of Edward Gramlich, Member, Board of Governors, The Federal Reserve System, House Banking Subcommittee Hearing (July 21, 1999), at http://commdocs.house.gov/ committees/bank/hba58308 0.htm> at 128 (private information includes "information that banking and other financial institutions derive from their relationships with customers [such as] information submitted by a customer in order to obtain a loan"). After hearing testimony from both sides, the House declined industry's request to narrow the bill's definition of "nonpublic personal information."
As enacted, the statute defines "nonpublic personal information" ("NPI") as "personally identifiable financial information [ (`PIFI') ](i) provided by a customer to a financial institution; (ii) resulting from any transaction with the consumer or any service performed for the consumer; or (iii) otherwise obtained by the financial institution." 15 U.S.C. § 6809(4). The GLB Act does not, however, define the term "personally identifiable financial information."
Several members of Congress discussed the meaning of this provision. Sponsor Oxley noted that the bill called for "the responsible sharing of consumer information...." 145 Cong. Rec. H5310 (daily ed., July 1, 1999). Co-sponsor Deborah Pryce said that "for the first time ever we will require that financial institutions give their customers a right to just say no to the sharing of what most Americans hold very, very dear: private information about themselves and their families," including "addresses and phone numbers," in order to protect consumers from "random tele-marketing and junk mail." 145 Cong. Rec. H5312 (daily ed. July 1, 1999). Representative Bereuter, a member of the House Committee on Banking and Financial Services, noted, "These privacy provisions are a pioneering, landmark advance forward by Congress in ensuring that consumers' personal information is protected from unwanted disclosures by financial institutions." 145 Cong. Rec. H11,546 (daily ed. Nov. 4, 1999).
*20 Other aspects of the statute that are at issue in this case were added by a joint HouseSenate Conference Committee, which convened in September 1999 to reconcile the differences between the versions of the bill. First, the Joint Conference Committee included a "savings" provision to address the relationship between the GLB Act and the FCRA; this clause provided that "nothing in this chapter shall be construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act...." 15 U.S.C. § 6806; H.R. Conf. Rep. No. 106-434, at 171 (1999). Second, the Joint Committee added a consumer reporting agency exception to the Act's blanket prohibition against disclosing account numbers to third parties for use in telemarketing, direct mail marketing, or other electronic mail marketing. H.R. Conf. Rep. No. 106-434, at 172. "A financial institution shall not disclose, other than to a consumer reporting agency, an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account of a customer to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer." 15 U.S.C. § 6802(d).
B. Administrative Rulemaking
1. The Rulemaking Proceedings
Under the GLB Act, the defendant agencies were to issue regulations implementing provisions of the statute.[8] These regulations describe, for example, the conditions under which financial institutions may disclose nonpublic personal information about consumers to nonaffiliated third parties, require such institutions to provide notice to their customers about privacy policies, and subject to certain exceptions, permit the consumer to opt out of this transmission of information. The Regulations define the limits on the disclosure of nonpublic personal information by financial institutions, as well as the conditions under which a nonaffiliated third party that receives this information may redisclose or use it. See, e.g., FTC Final Rule, 16 C.F.R. §§ 313.10-313.12 (2000). It is these Regulations that are at issue in this litigation.
In particular, the agencies drafted a set of proposed rules as to which they solicited public comments. The draft rules attempted to define the term "personally identifiable financial information" in 15 U.S.C. § 6809(4); the agencies proposed that personally identifiable information was financial if it was provided by a consumer, resulted from a transaction, or was otherwise obtained about a consumer by a financial institution in connection with providing a financial product or service to a consumer. See, e.g., FTC Notice of Proposed Rulemaking, "Privacy of Consumer Financial Information," 65 Fed.Reg. 11,174, 11,178 (March 1, 2000) ("FTC Proposed Rule"); Joint Notice of Proposed Rulemaking, "Privacy of Consumer Financial Information," 65 Fed.Reg. 8770, 8773 (Feb. 22, 2000) ("Banking Agencies' Proposed Rule"). To demonstrate the operation of the proposed definition, accompanying examples explained that information that a consumer provides on an application to obtain a loan, credit card, or insurance would fall within this definition. 65 Fed. *21 Reg. at 11,178. The agencies sought comments on the proposed definition, including comments relating to the fact that the term might include information "that may not be considered intrinsically financial." 65 Fed.Reg. at 8774, 11,178.
More than 9,000 comments were submitted in response to the proposed rules. Comments concerning the definition of "personally identifiable financial information" were submitted by opposing groups. Industry groups argued that certain identifying information that was not intrinsically financial should not be considered within the definition. These entities contended that the proposed definition when coupled with the Act's limits on reuse and redisclosure would restrict the flow of credit header information by preventing CRAs from disseminating such information. The net effect, they argued, would be to threaten the availability of highly reliable information used for socially beneficial purposes, such as combating fraud and locating missing individuals. See, e.g., FTC Record at 300,852 (Comment of Equifax that "the Proposed Rule functionally reads the word `financial' out of the phrase `personally identifiable financial information'"); FTC Record at 300,932-33 (Comment of Experian Information Solutions to same effect); FTC Record at 301,638 (Comment of Trans Union to same effect); FTC Record at 301,964 (Comment of IRSG to same effect); FTC Record at 301,954 (Comment of Direct Marketing Association, Inc. to same effect).[9]
In contrast, consumer groups and state lawmakers filed comments urging the agencies to prevent the disclosure of personal information. See, e.g., FDIC Record at 105,158 (Comment of Consumers Union: Consumer Federation of America agreeing with the proposed definition of "personally identifiable financial information" because "any information collected by an institution about an individual should be defined as `personally identifiable'.... In these instances, but for the financial nature of the relationship, the information would not be collected."); FTC Record at 300,973 (comment of Privacy Rights Clearinghouse to same effect); FDIC Record at 102,300 (Comment of Center for Democracy and Technology to same effect); OTS Record at 601,246 (Comment of Privacy Rights Clearing House to same effect); FDIC Record at 103,067, Board Record at 203,140 (Letter signed by thirty-three state Attorneys General). These commentators felt that the proposed rules did not go far enough toward protecting consumer privacy, leaving too many loopholes for personal information to be shared without an individual's consent. Id. Several Members of Congress also filed comments in support of these arguments. FTC Record at 300,541-48, OTS Record at 601,536-43 (Comment of Congressional Privacy Caucus).
2. The Final Rules
Following the Notice and Comment period, the agencies promulgated their Final Rules. They defined "nonpublic personal information," in part, as "personally identifiable financial information." 16 C.F.R. § 313.3(n)(1)(i).[10] In turn, the Regulations *22 defined "personally identifiable financial information" as information "(i) [a] consumer provides to you[11] to obtain a financial product or service from you; (ii)[a]bout a consumer resulting from any transaction involving a financial product or service between you and a consumer; or (iii) you otherwise obtain about a consumer in connection with providing a financial product or service to that consumer." 16 C.F.R. § 313.3(o)(1). In other words, "any information should be considered financial information if it is requested by a financial institution for the purpose of providing a financial service or product." FTC Final Rule, "Privacy of Consumer Financial Information," 65 Fed.Reg. 33,646, 33,658 (May 24, 2000); see Banking Agencies' Final Rule, "Privacy of Consumer Financial Information," 65 Fed.Reg. 35,162, 35,171 (June 1, 2000).
In response to comments from industry groups objecting to the inclusion of name, address, and social security number in the definition of personally identifiable financial information, the FTC explained:
[F]inancial institutions rely on a broad range of information that they obtain about consumers, including information such as addresses and telephone numbers, when providing financial products or services. Location information is used by financial institutions to provide a wide variety of financial services, from the sending of checking account statements to the disbursing of funds to a consumer. Other information, such as the maiden name of a consumer's mother, often will be used by a financial institution to verify the consumer's identity. The Commission concluded that it would be inappropriate to carve out certain terms of information that a particular financial institution might rely on when providing a particular financial product or service.
FTC Final Rule, 65 Fed.Reg. at 33,658. The other agencies adopted nearly identical reasoning. See, e.g., Banking Agencies' Final Rule, 65 Fed.Reg. at 35,171. The Final Rules were issued in spring 2000 and became effective as of November 13, 2000, with full compliance required by July 1, 2001. This litigation rapidly ensued.
LEGAL ANALYSIS
I. Standards of Review for Plaintiffs' APA Claims
Both plaintiffs have moved for summary judgment. A party is entitled to summary judgment where "there is no genuine issue as to any material fact and the moving party is entitled to judgment as a matter of law." Fed.R.Civ.P. 56(c). Summary judgment is an appropriate mechanism for resolving cases involving administrative rulemaking on the record, particularly where, as here, the case turns chiefly on issues of statutory construction. See Troy Corp. v. Browner, 120 F.3d 277, 281 (D.C.Cir.1997).
Plaintiffs raise four primary claims under the APA. First, plaintiff IRSG, joined by Trans Union, argues that defendants' definition of "personally identifiable financial information" violates the APA for three reasons. Plaintiffs contend that this definition (1) conflicts with the plain language of the GLB Act; (2) is not a reasonable and permissible construction of the statute; and (3) is arbitrary and capricious because it does not further the express purposes of the Act.
*23 Second, Trans Union argues that it is not a "financial institution" covered by the GLB Act, and therefore, the agencies have no authority to regulate it under the Act. With regard to this claim, Trans Union asserts only a plain language argument that the regulation of Trans Union by the Act violates the unambiguous meaning of the statute.
Third, Trans Union argues that the Regulations violate the plain meaning of § 502(d) of the GLB Act, 15 U.S.C. § 6802(d). Trans Union argues that this section grants a special exemption to CRAs from the statute's prohibition on the use of account numbers for marketing purposes, and that the Regulations conflict with the clear language of this exemption.
Finally, Trans Union contends that defendants' Regulations restricting the use and redisclosure of nonpublic personal information that is provided to a CRA in accordance with the Fair Credit Reporting Act violates the APA. With respect to this claim, Trans Union makes four arguments: 1) the use restrictions violate the plain meaning of the GLB Act; 2) these regulations contradict the plain meaning of the statute's "savings" clause, 15 U.S.C. § 6806, which mandates that the GLB Act not be "construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act," Id.; 3) the use restrictions are an impermissible construction of the GLB Act; and 4) the use restrictions are arbitrary and capricious because the agencies have failed to justify them in the record.
A. Chevron
Claims that contest an agency's construction of a statute it administers are ordinarily subject to the standard of review articulated in Chevron U.S.A., Inc. v. Natural Resources Defense Council, Inc., 467 U.S. 837, 104 S. Ct. 2778, 81 L. Ed. 2d 694 (1984). In Chevron, the Supreme Court mandated a two-step process for reviewing an agency's construction of a statute it administers. First, a court considers whether Congress spoke directly to the question at issue: if so, "that is the end of the matter, for the court, as well as the agency, must give effect to the unambiguously expressed intent of Congress." Id. at 842-43, 104 S. Ct. 2778. If, however, the statute is unclear, "the question for the court is whether the agency's answer is based on a permissible construction of the statute." Id. at 843, 104 S. Ct. 2778. In answering that question, "considerable weight should be accorded to an executive department's construction of a statutory scheme it is entrusted to administer." Id. at 844, 104 S. Ct. 2778. The rationale for this deference is that the agency's decision as to the meaning of the statute involves "reconciling conflicting policies and a full understanding of the force of the statutory policy ... [and] depend[s] upon more than ordinary knowledge respecting the matters subjected to agency regulations." Id. In short, "a court may not substitute its own construction of a statutory provision for a reasonable interpretation made by the administrator of an agency." Id.
In an attempt to avoid the deference owed an agency under Chevron, plaintiffs present a range of creative arguments. First, plaintiffs argue that Chevron deference does not apply where, as here, Congress has directed numerous agencies to administer the statute. Second, plaintiffs contend that, regardless of Chevron, the Court is obliged to construe the GLB Act to avoid the constitutional difficulties raised by the agencies' Regulations.
The Court rejects plaintiffs' contention that Chevron should not apply. The Regulations were the result of a statutorily coordinated effort among all the defendants. Plaintiffs' initial argument that *24 Chevron is not the proper standard for regulations promulgated by multiple agencies stretches precedent. One line of cases that plaintiffs cite actually stands for the proposition that Chevron deference does not apply to interpretations of statutes of general applicability, such as the Privacy Act, which are administered by a number of agencies, none of which has particular expertise in the substance of the statute the policy basis for Chevron's holding. See Bowen v. American Hosp. Ass'n, 476 U.S. 610, 642 n. 30, 106 S. Ct. 2101, 90 L. Ed. 2d 584 (1986) (no deference to one agency's interpretation of the Rehabilitation Act); Proffitt v. FDIC, 200 F.3d 855, 860 (D.C.Cir.2000) (agency interpretation of a statute of limitations); Benavides v. U.S. Bureau of Prisons, 995 F.2d 269, 272 n. 2 (D.C.Cir.1993) (agency interpretation of the Privacy Act).
A second line of cases that plaintiffs cite is similarly inapposite. Those cases hold that Chevron deference does not apply to only one agency's interpretation of a statute administered by multiple agencies. Salleh v. Christopher, 85 F.3d 689, 691-92 (D.C.Cir.1996);[12]Wachtel v. OTS, 982 F.2d 581, 585 (D.C.Cir.1993) (no deference to OTS interpretation of statute that was also administered by the Board, the FDIC, and the Comptroller of Currency). Where, as here, the subject matter of the statute falls squarely within the agencies' areas of expertise, and the Regulations were issued as a result of a statutorily-coordinated effort among the agencies, Chevron is the governing standard. National Treasury Employees Union v. MSPB, 743 F.2d 895, 916-17 (D.C.Cir. 1984).
Plaintiffs also attempt to evade Chevron by arguing that, because the agencies' Regulations give rise to serious constitutional issues, the Court should not defer to their interpretation. While it is true that this Court reviews constitutional questions de novo, deference to the agencies' actions is not denied simply because plaintiffs have raised constitutional arguments. For deference to be rejected, plaintiff's challenges must rise to the level of "serious" or "grave constitutional issues." Chamber of Commerce v. FEC, 69 F.3d 600, 604 (D.C.Cir.1995). If not, as this Circuit explained in Republican National Committee v. FEC, 76 F.3d 400 (D.C.Cir.1996), Chevron still applies. "Because we can easily resolve the Committees' First Amendment challenges through the application of controlling precedent ... we do not face the sort of serious constitutional questions that would lead us to assume Congress did not intend to authorize [the regulation's] issuance." Id. at 409 (internal quotations omitted). As in Republican National Committee, the instant plaintiffs' constitutional arguments can be "easily resolved" through "controlling precedent" and therefore do not rise to the level of "grave constitutional issues" necessary to eliminate Chevron deference.[13]See also Rust v. Sullivan, 500 U.S. 173, 191, 111 S. Ct. 1759, 114 L. Ed. 2d 233 (1991) (holding that the regulations at issue *25 did not "raise the sort of grave and doubtful constitutional questions that would lead us to assume Congress did not intend to authorize their issuance").
B. Arbitrary and Capricious
Plaintiffs also challenge the Regulations under the "arbitrary and capricious" standard in the APA, which requires the Court to review whether the agency actions are "arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law." 5 U.S.C. § 706(2)(A). While challenges under § 706(2)(C) which follow the test set forth in Chevron are directed primarily at the decision of the agency, § 706(2)(A) actions focus mainly on the decision-making process and rationale behind agency action. Michigan v. EPA, 213 F.3d 663, 682 (D.C.Cir.2000), cert. denied sub nom., ___ U.S. ___, 121 S. Ct. 1225, 149 L. Ed. 2d 135 (2001). While the standards of review for these types of challenges overlap, they are not identical: an agency's interpretation may survive analysis under Chevron but still be struck down as arbitrary and capricious. American Petroleum Inst. v. EPA, 216 F.3d 50, 57-58 (D.C.Cir.2000); Michigan v. EPA, 213 F.3d at 682.
In reviewing the action of the agencies under § 706(2)(A), the Court must engage in a "thorough, probing, in-depth review," Citizens to Preserve Overton Park, Inc. v. Volpe, 401 U.S. 402, 415, 91 S. Ct. 814, 28 L. Ed. 2d 136 (1971), to determine whether the agencies have "examine[d] the relevant data and articulate[d] a satisfactory explanation for its action...." Motor Vehicle Manufacturer's Ass'n v. State Farm Mutual Ins. Co., 463 U.S. 29, 43, 103 S. Ct. 2856, 77 L. Ed. 2d 443 (1983). "In thoroughly reviewing the agency's actions, the Court considers whether the agency acted within the scope of its legal authority, whether the agency has explained its decision, whether the facts on which the agency purports to have relied have some basis in the record, and whether the agency considered the relevant factors." Fund for Animals v. Babbitt, 903 F. Supp. 96, 105 (D.D.C.1995) (citing Marsh v. Oregon Natural Resources Council, 490 U.S. 360, 378, 109 S. Ct. 1851, 104 L. Ed. 2d 377 (1989); Citizens to Preserve Overton Park, 401 U.S. at 415-16, 91 S. Ct. 814; Professional Drivers Council v. Bureau of Motor Carrier Safety, 706 F.2d 1216, 1220 (D.C.Cir.1983)).
Conclusory statements are insufficient to meet this requirement. Dickson v. Secretary of Defense, 68 F.3d 1396, 1405 (D.C.Cir.1995). "Normally, an agency rule would be arbitrary and capricious if the agency has relied on factors which Congress had not intended it to consider, entirely failed to consider an important aspect of the problem, offered an explanation for its decision that runs counter to the evidence before the agency, or is so implausible that it could not be ascribed to a difference in view or the product of agency expertise." Motor Vehicle Mfrs. Ass'n., 463 U.S. at 43, 103 S. Ct. 2856. The scope of review under this standard, however, is narrow, and a court is not to substitute its view for that of the agency. Id. Moreover, an agency's decision must be upheld under this standard "if the agency's path may reasonably be discerned" and will only be reversed where "there has been a clear error of judgment." Id. (citations omitted).
II. Plaintiffs' APA Claims
Having set forth the relevant standards of review under the APA, the Court turns now to plaintiffs' four arguments for invalidating the Regulations.
*26 A. Is Credit Header Data "Personally Identifiable Financial Information"?
1. Chevron Step One
Plaintiffs argue that the agencies' definition of "personally identifiable financial information" conflicts with the unambiguous meaning of the statute, and that under the first step of Chevron, defendants' interpretations of several provisions of the Act should therefore not be accorded any deference. "[W]hen a statute is clear and unambiguous, consideration of administrative interpretation contrary to such language is inappropriate; the agency cannot by its interpretation, override the congressional will as memorialized in the statutory language." Mylan Pharm., Inc. v. Henney, 94 F. Supp. 2d 36, 47 (D.D.C.2000) (internal quotations omitted). "Under the first step of Chevron, the reviewing court must first exhaust the traditional tools of statutory construction to determine whether Congress has spoken to the precise question at issue." Bell Atlantic Telephone v. FCC, 131 F.3d 1044, 1047 (D.C.Cir.1997) (internal quotations omitted).
In 15 U.S.C. § 6809(4)(A), Congress defined NPI as "personally identifiable financial information (i) provided by a customer to a financial institution; (ii) resulting from any transaction with the customer or any service performed for the customer; or (iii) otherwise obtained by the financial institution." 15 U.S.C. § 6809(4)(A). The GLB Act provides no definition of "personally identifiable financial information." The Regulations promulgated by the agencies fill this gap. Under the Final Rules, PIFI is "any information: (i)[a] consumer provides to [a regulated financial institution] to obtain a financial product or service ... (ii)[a]bout a consumer resulting from any transaction involving a financial product or service between [a regulated financial institution] and a consumer; or (iii) [a regulated financial institution] otherwise obtain[s] about a consumer in connection with providing a financial product or service to that consumer." 16 C.F.R § 313.3(o)(1). Plaintiffs contend that this definition effectively reads the word "financial" out of the phrase "personally identifiable financial information," because it applies to any information provided to or otherwise obtained by the financial institution about a consumer. Under the agencies' definition of PIFI, plaintiffs argue, credit header information is improperly subsumed within the ambit of the GLB Act.
Whether the phrase "personally identifiable financial information" is an unambiguous term and, as a corollary, whether defendants' interpretation violates any plain meaning of that term presents a challenging question. However, based on the language, structure, and legislative history of the GLB Act, this Court concludes that "personally identifiable financial information" is an ambiguous term in the Act and that the agencies' interpretation is therefore entitled to deference.
"The first traditional tool of statutory construction focuses on the language of the statute." Bell Atlantic, 131 F.3d at 1047. Plaintiffs cite the dictionary definition of "financial" as "pertaining to monetary receipts and expenditures; pertaining to or relating to money matters; pecuniary ... of or pertaining to those commonly engaged in dealing with money or credit." (IRSG Mem. at 30.) Consequently, plaintiffs argue that defendants' definition of "personally identifiable financial information" as all information that a customer provides to a financial institution (or that the financial institution otherwise obtains about the customer) conflicts with the plain meaning of "financial" thereby effectively eliminating any financial component *27 from the Act's phrase "personally identifiable financial information." The Court finds this argument to be somewhat too simplistic, since one meaning plaintiffs expressly suggest as a dictionary definition of "financial" is "of or pertaining to those commonly engaged in dealing with money or credit." Under that definition, all information provided by a customer to a bank, for example, would likely qualify as "financial," because once disclosed by the customer, it becomes information that is "of or pertaining to" the bank.
It is also necessary to examine § 6809(4)(A) in the context of the entire statute. "In determining whether Congress has specifically addressed the question at issue, the court should not confine itself to examining a particular statutory provision in isolation. Rather, it must place the provision in context, interpreting the statute to create a symmetrical and coherent regulatory scheme." FDA v. Brown & Williamson, 529 U.S. 120, 121, 120 S. Ct. 1291, 146 L. Ed. 2d 121 (2000). Plaintiffs appear to argue that Congress intended to categorize consumer information into two distinct groups identifying information and intrinsically financial information that parallel the organization of a consumer report. Plaintiffs contend that the identifying information the content of a credit header is plainly beyond the definition of "personally identifiable financial information," whereas intrinsically financial information which plaintiffs equate with the tradeline data falls within the meaning of the term.
The language of other provisions of the GLB Act, however, suggests otherwise. Congress included within the definition of "nonpublic personal information" "any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using any nonpublic personal information other than publicly available information." 15 U.S.C. § 6809(4)(C)(i). In so doing, Congress provided for especially broad privacy protections for all information contained in these lists of consumers that is derived using nonpublic personal information. This is so even where the information is otherwise publicly available: the information is still protected, as long as it was derived using nonpublic personal information. Id. This provision suggests that in drafting the GLB Act, Congress recognized that the status of particular types of information may vary according to the context in which it is used. Information used in or derived from a financial context is nonpublic personal information under § 6809(4)(C)(i); the same information in another context, however, may not be NPI. Thus, it is the context in which information is disclosed rather than the intrinsic nature of the information itself that determines whether information falls within the GLB Act.[14]
Plaintiffs counter by arguing that the overbreadth of defendants' definition of "personally identifiable financial information" under § 6809(4)(A) can be shown by comparing it to the definition of "customer information of a financial institution" in 15 U.S.C. § 6827(2). The latter phrase is defined as "[a]ny information maintained by or for a financial institution which is derived from the relationship between the financial institution and a customer of the *28 financial institution and is identified with the customer." Id. Plaintiffs argue that this difference in language underscores the fact that Congress used different terms because it intended the provisions to have two different meanings. Russello v. United States, 464 U.S. 16, 23, 104 S. Ct. 296, 78 L. Ed. 2d 17 (1983); Southwestern Bell Corp. v. FCC, 43 F.3d 1515, 1521-22 (D.C.Cir.1995). Plaintiffs' argument, however, is not persuasive. "Personally identifiable financial information" comes from Subtitle A of the GLB Act, which governs the disclosure of nonpublic personal information by financial institutions, as defined broadly. See 15 U.S.C. § 6809(3). "Customer information of a financial institution," on the other hand, is a phrase from Subtitle B of the Act, which addresses fraudulent access to financial information in financial institutions, as defined narrowly. See 15 U.S.C. § 6827(4). These two different subtitles of the Act govern different activities, and use different terms and different definitions of the same terms. "Customer information of a financial institution," for example, covers only information that is "maintained" by a financial institution; "nonpublic personal information" includes information that is "provided by" consumers. Compare 15 U.S.C. § 6827(2) with § 6809(4)(A)(i). Contrary to plaintiffs' argument, the Court is unwilling to draw an inference about the plain meaning of a phrase in one subtitle of the Act based on the definition of a phrase used in a separate subtitle that contains different words and different definitions of the same words, and addresses different issues.
Finally, the Court notes that an examination of "the history, structure, and underlying policy purpose of the statute," Bell Atlantic, 131 F.3d at 1048, supports the finding that the meaning of "personally identifiable financial information" is not clear from the GLB Act. Committee reports and legislative debates show that at least two Members of Congress explicitly stated that the type of information contained in credit headers is "personal financial information." Senator Diane Feinstein, a co-sponsor of the legislation, noted, "Financial institutions share and sell social security numbers, addresses, information about what stocks we own, what checks we write, what we charge on our credit cards, and how much we have in the bank. All of this without the knowledge or permission of their clients. I believe Americans should have the opportunity to prohibit a financial institution from sharing or selling this personal financial information." 145 Cong. Rec. S13,903 (daily ed. Nov. 4, 1999) (emphasis added).[15] Another cosponsor, *29 Representative Deborah Pryce, made similar statements during debates in the House.
[L]et me ask my colleagues if they are tired of their phone ringing in the middle of dinner only to be solicited for lawn care service. Are they tired of getting so much junk mail that they have to empty their trash twice as often as they used to? Are they tired of their teenagers being solicited for a new credit card every other week? Are they tired of wondering who in the world is giving out their addresses and phone numbers to these strangers? Well, I am, and I am mad as heck about it. So today I am taking the floor to issue a public service warning to all of our constituents: "Mr. and Mrs. America, your personal financial information may be disclosed by your bank to any Tom, Dick, and Harry without your knowledge and without your consent."
145 Cong. Rep. H5312 (daily ed. July 1, 1999) (statement of Rep. Pryce) (emphasis added). This inclusion of credit header information within the meaning of "financial information" during debates in both Houses of Congress reinforces the finding that the statute cannot be interpreted as argued by plaintiffs would like, but more fairly should be characterized as ambiguous with respect to that term. As a result, defendants' definition of PIFI does not contradict the plain language of the statute.
2. Chevron Step Two
Alternatively, plaintiffs argue that even if the term "personally identifiable financial information" is ambiguous, the regulation still cannot survive scrutiny under step two of Chevron because it "diverges from any realistic meaning of the statute." Natural Resources Defense Council, Inc. v. Daley, 209 F.3d 747, 753 (D.C.Cir.2000); GTE Serv. Corp. v. FCC, 205 F.3d 416, 421 (D.C.Cir.2000). See City of Cleveland v. U.S. Nuclear Regulatory Comm'n, 68 F.3d 1361, 1367 (D.C.Cir.1995) (providing that an agency's interpretation must be "reasonable and consistent with the statutory scheme and legislative history").
Plaintiffs assert that defendants' definition of PIFI is not a "reasonable and permissible construction of the statute," Daley, 209 F.3d at 754, because it contradicts the GLB Act's requirement that NPI be both "personally identifiable" and "financial." In support of this argument, plaintiffs cite GTE Serv. Corp, in which this Circuit struck down an FCC Collocation Order based on the statutory term "necessary." The Court found the term to *30 be ambiguous, but held that the order was an impermissibly broad construction of the statute because it required collocation of "any and all" equipment rather than just that which was "necessary." GTE Serv. Corp., 205 F.3d at 424. Like the Collocation Order, plaintiffs argue, defendants' definition of PIFI has no limits.
The Court disagrees with plaintiffs' analysis. Under the Final Rules, PIFI is, in fact, limited in several ways. The Regulations define PIFI as "any information a consumer provides to [a financial institution] to obtain a financial product or service." 16 C.F.R. § 313.3(o)(1)(i). Excluded from the definition is information provided to a financial institution for other reasons, such as a sweepstakes entry. PIFI also includes only information about individuals who obtain financial services primarily for family, personal, or household purposes therefore excluding all information provided by individuals for business purposes. E.g., 16 C.F.R. § 313.1(b). Unlike the order at issue in GTE Serv. Corp., defendants' regulations have boundaries. As described above, they are also "reasonable and consistent with the statutory purpose," GTE Serv. Corp., 205 F.3d at 420-21, because they are linked directly to the goal of giving customers of financial institutions control over their personal information. Defendants' regulations are therefore a permissible construction of the GLB Act under step two of Chevron.
In this regard, the Supreme Court's opinion in Rust is instructive. In Rust, plaintiffs challenged Department of Health and Human Services ("HHS") regulations that were implemented pursuant to Title X of the Public Health Service Act, 84 Stat. 1506 (codified as amended at 42 U.S.C. §§ 300 to 300a-6 (1994)), which provides federal funding for family planning services. In the subsequent regulations, HHS established a procedure for allocating funds under Title X, and attached three principal conditions to the disbursements to ensure that "none of the funds appropriated under [that] subchapter [would] be used in programs where abortion is a method of family planning." 42 U.S.C. § 300a-6. Plaintiffs challenged these regulations, and the Supreme Court applied Chevron's analysis to determine their validity. After disposing of petitioners' plain language argument, the Court found that "[t]he broad language of Title X plainly allows the [HHS] Secretary's construction of the statute." Rust, 500 U.S. at 184, 111 S. Ct. 1759. Moreover, the Court found the legislative history to be "ambiguous with respect to Congress' intent in enacting Title X." Id. at 185, 111 S. Ct. 1759. The Court concluded that "[w]hen we find, as we do here, that the legislative history is ambiguous and unenlightening on the matters with respect to which the regulations deal, we customarily defer to the expertise of the agency." Id. at 186, 111 S. Ct. 1759. Because the Court found that "the Secretary amply justified his ... interpretation with a reasoned analysis, ... [and] having concluded that the plain language and legislative history are ambiguous as to Congress' intent in enacting Title X, we must defer to the Secretary's permissible construction of the statute." Id. at 187, 111 S. Ct. 1759 (internal quotations and citations omitted).
Here, as in Rust, both the language of the statute and the legislative history provide no clear answers. But the defendants have justified their constructions with reasoned analysis. The FTC, for example, explained its definition of PIFI by noting that "this approach is consistent with the broad definition of `financial institution' used in the statute.... [Some] commentators consistently suggested that names, addresses, and phone numbers should not be treated as financial information. However, *31 financial institutions rely on a broad range of information that they obtain about consumers, including information such as addresses and telephone numbers.... The Commission concluded that it would be inappropriate to carve out certain items of information that a particular financial institution might rely on when providing a financial product or service." FTC Final Rule, 65 Fed.Reg. at 33,658. Where, as here, Congress has acted ambiguously and defendants have justified their regulations with careful reasoning and analysis, Rust instructs that the agencies' construction of the statute is permissible and that the Court must defer to that interpretation.
3. Arbitrary and Capricious
Plaintiffs also argue that the Regulations are arbitrary and capricious and are therefore unlawful. In particular, plaintiffs assert that the definition of "personally identifiable financial information" is arbitrary and capricious because it does nothing to further the express purposes of the GLB Act that is, that there is no rational connection between the facts found by defendants and the choices they made in promulgating the Regulations.
Plaintiffs posit three central arguments in support of their position that defendants' definition of "personally identifiable financial information" is arbitrary and capricious. First, they contend that defendants' regulations conflict with their policy arguments about the sanctity of personal information. In particular, plaintiffs argue that consumers are equally susceptible to the risks of identity theft or physical harm, about which defendants have expressed concern, from information acquired by a bank for a sweepstakes which defendants admit is not covered by the Regulations as from that provided for financial services. There is no arbitrariness, however, in the Regulations' focus on protecting information that consumers are required to provide in order to obtain financial services, rather than information that is volunteered for other purposes, such as sweepstakes. In fact, only the former promotes the stated policy of the GLB Act. See 15 U.S.C. § 6801.
Second, plaintiffs argue that all the defendants except the FTC failed to respond to public comments on the proposed definition of "personally identifiable financial information." In its Final Rule, the FTC noted that "[a]ny information should be considered financial information if it is requested by a financial institution for the purpose of providing a financial product or service." FTC Final Rule, 65 Fed.Reg. at 33,658. The record reflects that all six of the defendant agencies coordinated their rulemaking efforts, as well as their Final Rules; there is no reason that each of the six defendants should be required to address directly the comments on the proposed definition of PIFI. Because the definitions promulgated by all six agencies are virtually identical, the response of the FTC is sufficient on behalf of all defendants.
Finally, plaintiffs contend that the inclusion of credit header information that has been homogenized that is, stripped of all intrinsically financial information within the definition of PIFI is arbitrary and capricious. As noted, however, the record reflects that the Regulations are consistent with the GLB Act's policy of enabling consumers to retain control over the personal information that they are required to provide to financial institutions. Thus, plaintiffs' arbitrary and capricious challenge must fail.
B. Is Trans Union a Financial Institution Subject to Regulation Under the GLB Act?
Next, Trans Union contends it is a non-financial institution, and as such, defendants *32 have no authority to regulate it. Specifically, plaintiff argues that CRAs are not financial institutions under the GLB Act, and that Congress intended to give the FTC enforcement, but not rulemaking, authority over these entities. In support of these arguments, plaintiffs spin complex arguments about both the legislative history of the GLB Act and the interplay between that statute and the FCRA in terms of agency authority.
In actuality, however, the grant of rulemaking authority to the agencies over CRAs is unambiguously provided for under the GLB Act, when read in conjunction with other existing statutes and regulations that are cross-referenced in the GLB Act. Section 509(3)(A) of the Act defines a financial institution as "any institution the business of which is engaging in financial activities as described in section 1843(k) of Title 12." 15 U.S.C. § 6809(3)(A). Under 12 U.S.C. § 1843(k), financial activities include "[e]ngaging in any activity that the [Federal Reserve] Board has determined, by order or regulation that is in effect on November 12, 1999, to be so closely related to banking or managing banks as to be a proper incident thereto...." 12 U.S.C. § 1843(k)(4)(F). A regulation promulgated by the Federal Reserve Board in 1997, which was still in effect on November 12, 1999, lists a variety of activities that are "so closely related to banking ... as to be a proper incident thereto," and included therein are "credit bureau services," which are defined as entities engaged in "maintaining information related to the credit history of consumers and providing the information to a credit grantor who is considering a borrower's application for credit or who has extended credit to a borrower." 12 C.F.R. § 225.28(b)(2)(v). Trans Union acknowledges that it is one of three national credit reporting bureaus, and that a part of its business is to maintain and provide credit reports to third parties for the extension of consumer credit or insurance, employment, or business transactions. (Trans Union Statement of Facts ¶¶ 14-16.) In fact, Trans Union does not contest that it qualifies as a credit bureau. Consequently, the Court finds that Trans Union is a financial institution under Subtitle A of the GLB Act and is therefore subject to the FTC's rules under that subtitle.[16]
C. Does the Account Numbers Exception Affect Target Marketing Products Such as TransLink?
Trans Union also argues that the Regulations contradict § 502(d) of the Act, 15 U.S.C. § 6802(d),[17] which, according to Trans Union, grants a special exemption to CRAs from the statute's prohibition on the use of account numbers for marketing purposes.[18] Defendants counter that the plaintiffs have misread the statute by failing to understand the relationship between §§ 502(b) and 502(d) of the Act.
Section 502(b) of the Act, 15 U.S.C. § 6802(b), provides:
*33 (1) A financial institution may not disclose nonpublic personal information to a nonaffiliated third party unless
(A) such financial information clearly and conspicuously discloses to the consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 6804 of this title, that such information may be disclosed to such third party;
(B) the consumer is given the opportunity, before the time that such information is initially disclosed, to direct that such information not be disclosed to such third party; and
(C) the consumer is given an explanation of how the consumer can exercise that nondisclosure option.
Section 502(c) of the Act, 15 U.S.C. § 6802(c), provides:
Except as otherwise provided in this subchapter, a nonaffiliated third party that receives from a financial institution nonpublic personal information under this section shall not, directly or through an affiliate of such receiving party, disclose such information to any other person that is a nonaffiliated third party of both the financial institution and such receiving third party, unless such disclosure would be lawful if made directly to such other persons by the financial institution.
Trans Union argues that the Regulations do not adequately reflect the language and intent of § 502(d). The FTC Regulations, like those of the other defendants, provide that there is a "general prohibition on disclosure of account numbers. [A financial institution] must not, directly or through an affiliate, disclose, other than to a consumer reporting agency, an account number or similar form of access number or access code for a consumer's credit card account, deposit account, or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer." 16 C.F.R. § 313.12(a). Plaintiff argues that this section, when read in conjunction with, for example, 16 C.F.R. § 313(n)(3)(i),[19] bans the use of account information by Trans Union in at least one of its products (TransLink), in violation of the plain language of § 502(d) of the GLB Act.
Plaintiff's argument contravenes the text of the GLB Act. Section 502(b)(1) provides that a financial institution may not disclose any nonpublic personal information to a nonaffiliated third party unless the consumer is given the opportunity to opt out.[20] Section 502(d) is a restriction on § 502(b), not an exception to § 502(c). While most nonpublic personal information may be disclosed to third parties under the conditions imposed by § 502(b), § 502(d) states that account number information a type of nonpublic personal information may not be disclosed to any third party, except a CRA, for use in marketing. Section 502(d), therefore, adds a further layer of protection for this particularly sensitive information.
The CRA exception of § 502(d) precludes practices that are otherwise permissible under the Act. For example, it permits the disclosure of account number *34 information for specified purposes where the notice and opt-out provisions of § 502(b) are satisfied. Section 502(d) must also be read in conjunction with § 502(e). The latter section provides a list of exceptions to §§ 502(a) and (b) purposes for which nonpublic personal information may be disclosed without giving the consumer notice and a chance to opt out. Among these exceptions is for the dissemination of consumer reports consistent with the terms of the FCRA. 15 U.S.C. § 6802(e)(6). The FCRA, in turn, permits the disclosure of consumer reports for marketing that results in a firm offer of credit or insurance to a consumer. 15 U.S.C. § 1681b(c). Without a consumer report exception in § 502(d), that section would conflict with the FCRA. The exception language of § 502(d) addresses this issue and eliminates any possible tension between the two statutes on this point.
The Regulations reflect this balance among the statutory provisions. 16 C.F.R. § 313.12(a) does no more than incorporate the language of § 502(d), and 16 C.F.R. § 313.3(n)(3)(i) provides an example to reflect the requirements of § 509(4)(C)(i) of the GLB Act, 15 U.S.C. § 6809(4)(C)(i).[21] These Regulations are therefore consistent with the plain language of §§ 502 and 509(4)(C) of the Act.
This construction of the statute is also supported by the legislative history of the GLB Act. At least two members of Congress stressed the importance of including a provision, such as § 502(d), that would afford extra protection to consumer account numbers with regard to target marketing. Representative Vento noted that under this clause, "[c]onsumer account numbers cannot be shared for the purposes of third party marketing. This protection applies to all consumers and requires no action on their part." 145 Cong. Rec. H5314 (daily ed. July 1, 1999). Representative Jackson-Lee added that "[t]his account [number] information is especially sensitive and should be kept as confidential as possible." 145 Cong. Rec. H5315 (daily ed. July 1, 1999).
In sum, the language and legislative history of the GLB Act support the validity of the Regulations relating to consumer account numbers, and plaintiffs argument must be rejected.
D. Are the Use and Disclosure Provisions Lawful?
Trans Union argues that the agencies' regulations restricting the use and redisclosure of nonpublic personal information that is provided to a CRA in accordance with the FCRA are unlawful. Joined by IRSG in its attack based on the "savings clause," Trans Union challenges defendants' regulations that restrict the use and redisclosure of information received by a CRA pursuant to an exception in the GLB Act. Under the regulations, such information could be used and redisclosed by the CRA only to carry out the activity covered by that exception. These regulations would impact Trans Union's aggregate data products and target marketing lists by requiring consumer notice and opt out before the creation of the data and the disclosure of the lists.
As noted, § 502(c) of the GLB Act sets forth restrictions on nonaffiliated third parties that receive regulated data from a financial institution. That provision permits third parties to disclose NPI that they have received from a financial institution *35 only if its disclosure would be lawful if made directly by the financial institution. 15 U.S.C. § 6802(c). Most disclosure of NPI is lawful only if the consumer has had notice and the opportunity to opt out. However, § 502(e), 15 U.S.C. § 6802(e), provides exceptions that allow financial institutions to disclose nonpublic personal information without consumer notice or choice in certain situations. These limited exceptions allow disclosure when necessary to effectuate a transaction with the consumer, § 6802(e)(1); to protect the integrity of the financial institution, §§ 6802(e)(3)-(4); or where the disclosure is already mandated or regulated by other federal laws or to comply with judicial process or other applicable legal requirements, §§ 6802(e)(5), (6), (8).[22] In particular, 502(e)(6) permits disclosure without consumer notice or opt-out "(A) to a consumer reporting agency in accordance with the Fair Credit Reporting Act ... or (B) from a consumer report reported by a consumer reporting agency." 15 U.S.C. § 6802(e)(6).
Pursuant to these provisions, defendants issued regulations regarding the redisclosure and reuse of the information disseminated under the § 502(e) exceptions. Specifically, the Regulations permit the financial institution including CRAs only to "disclose and use the information pursuant to an exception in [§ 502(e) ] in the ordinary course of business to carry out the activity covered by the exception under which [the financial institution] received the information." 16 C.F.R. § 313.11(a)(iii).[23]
1. Chevron Step One
First, Trans Union argues that these regulations are invalid because it and other CRAs will no longer be able to disclose or even use information that they receive pursuant to the FCRA for the creation or disclosure of information products and services that are not expressly authorized by the FCRA. That, plaintiff contends, violates the plain meaning of the GLB Act. See 65 Fed.Reg. 33,646, 33,667 (2000).
In support of this argument, Trans Union asserts that the agencies' interpretation of §§ 502(c) and (e) defies common sense principles of statutory construction. The legislative history and scheme of the GLB Act, however, suggest otherwise. According to Representative Vento, who helped to draft the privacy provisions of the GLB Act, the statute was intended to "[p]rohibit repackaging of consumer information. Consumer information remains protected. It cannot be resold or reshared by third parties or profiled or repackaged to avoid privacy protections." 145 Cong. Rec. H5314 (daily ed. July 1, 1999). See 145 Cong. Rec. H5313 (daily ed. July 1, 1999) (statement of Rep. Gillmor that Congress was concerned that consumers had lost control over personal information in the hands of financial institutions).
The GLB Act created a means to ensure that consumers retain control over their nonpublic personal information. When consumers provide this information to a *36 financial institution, that institution may not disclose the information to third parties, unless the consumer has permitted this through the notice and opt-out procedure specified in the Act. 15 U.S.C. § 6802. The Act does, however, specify limited circumstances under which nonpublic personal information may be disclosed to a third party without notice and opt-out-including to a CRA in accordance with the FCRA. See § 6802(e)(6). The statute limits the redisclosure of this information by the CRAs, but is silent on the reuse of information disclosed under this exception. Nonetheless, the agencies found that "[a]lthough section 502(c) does not expressly address use, reuse limitations are, as indicated, implicit in the provisions authorizing or permitting disclosures. For example, it would be inconsistent with the purposes of the Act to permit information disclosed in accordance with section 502(e)(1) (which permits information disclosed as necessary to effect, administer, or enforce a transaction with a consumer or in connection with certain routine activities related to such a transaction) to be used for the third party recipient's marketing purposes." 65 Fed. Reg. 35,180.
The Court agrees. The statute's legislative history and structure indicate that Congress intended the § 502(e) exceptions to be limited in scope and purpose. When Trans Union receives information from a financial institution under § 502(e) and the consumer has not had an opportunity to opt out, Trans Union is taking advantage of an exception to the Act's provisions that otherwise give consumers control over their nonpublic personal information. Without the exception, Trans Union would only be able to obtain and use this information if the consumer had chosen not to opt out. It cannot, therefore, use the exception to swallow the statute. Commissioner of Internal Revenue v. Clark, 489 U.S. 726, 739, 109 S. Ct. 1455, 103 L. Ed. 2d 753 (1989) (citing A.H. Phillips, Inc. v. Walling, 324 U.S. 490, 493, 65 S. Ct. 807, 89 L. Ed. 1095 (1945)).
Moreover, the use restrictions affirmatively imposed by the Regulations are consistent with the purpose of the GLB Act. Congress gave the Agencies broad rulemaking authority "necessary to carry out the purposes of" the Act, 15 U.S.C. § 6804(a). Under Board of Governors of Federal Reserve System v. Dimension Financial Corp., 474 U.S. 361, 374, 106 S. Ct. 681, 88 L. Ed. 2d 691 (1986), regulatory agencies have the authority to promulgate regulations that "carry into effect the will of Congress as expressed in the statute." Id. at 374, 106 S. Ct. 681. In issuing the Final Rules, the agencies imposed use restrictions on receiving third parties only where that entity had obtained nonpublic personal information pursuant to a § 502(e) exception the only instances where the consumer has not authorized the disclosure of his personal information. For nonpublic personal information the consumer has voluntarily permitted disclosure, the agencies imposed only redisclosure restrictions and not use regulations. These rules therefore further the stated purpose of the Act to impose on every financial institution "an affirmative and continuing duty to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information." 15 U.S.C. § 6801(a).[24]
*37 2. The "Savings" Clause
Both plaintiffs argue that the agencies' restrictions on use and disclosure violate the plain meaning of the "savings clause" of § 506(c). That provision provides that "nothing in this chapter shall be construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act...." 15 U.S.C. § 6806. Plaintiffs rely primarily on the use of the phrase "operation of" to argue that § 506(c) was intended to preserve the effects produced by the FCRA, rather than just the activities regulated by it. One of these effects was the ability of CRAs to disseminate credit header data to individual reference services and other entities. For although the FCRA regulated the uses for which "consumer reports" could be disseminated, identifying information in a credit header was not included within the definition of a consumer report. 15 U.S.C. § 1681a(d).[25] In short, plaintiffs argue that because the FCRA does not restrict the dissemination of credit header information, the sale of such information is encompassed within the "operation of" the FCRA and the GLB Act cannot be construed to forbid what is permitted under the FCRA.
Plaintiffs premise their argument on an expansive reading of "operation." Because the GLB Act does not define "operation," plaintiffs assert that the dictionary definition of the term including the meaning "to produce an effect" should be the implied usage of the word. According to plaintiffs, one of these "effects produced by the FCRA ... [was that] for the past 18 years, CRAs have been able to disclose [credit header] information to non-affiliated third parties. It is this type of practice made possible by the operation of the FCRA and upon which individual reference services have based their businesses that the `savings clause' of section 506(c) is intended to preserve." (IRSG Mem. at 35.)
Plaintiffs' argument is unpersuasive. Even assuming that § 506(c) of the GLB Act is meant to preserve the effects of the FCRA, these effects are limited to the statutory and regulatory effects of the previous act and not the effects on private entities whose businesses are not addressed by the FCRA. In other words, Congress' decision not to regulate the disclosure of credit header information in the FCRA or in any other statute prior to the enactment of the GLB Act does not bestow upon plaintiffs the right to disclose that information in perpetuity free of governmental interference. While Congress may have been silent on an issue in the past, this does not amount to a waiver of its right to legislate on that subject in the future.
Consequently, there is no tension between the agencies' regulations on the disclosure of credit header information pursuant to the GLB Act and the FCRA.[26]*38 Similarly, there is no tension between the two statutes with regard to information that does constitute a consumer report, because the GLB Act and the regulations specifically exempt disclosure of this information subject to the FCRA's limitations. 15 U.S.C. § 6802(e)(6); e.g., 16 C.F.R. § 313.15(a)(5). In short, the two statutes and the Regulations passed pursuant to them complement each other, and the plain language of § 506(c) supports the Regulations.
3. Chevron Step Two
Plaintiffs also contend that the use and disclosure restrictions are an impermissible construction of the Act because they are inconsistent with other conclusions reached by the agencies. The use restrictions, plaintiffs argue, would prohibit Trans Union from disclosing aggregate information which does not identify any particular customer or disclose specific information regarding a customer. Yet the agencies also noted that there is no privacy interest in the disclosure of such data, which is expressly exempted from their definition of "personally identifiable financial information." See, e.g., 16 C.F.R. § 313.3(o)(2)(ii)(B). Plaintiffs argue that this inconsistency is evidence that the defendants have impermissibly interpreted the Act.
The Court disagrees, for the Regulations promulgated pursuant to § 502(e) are consistent with these findings. As stated above, these regulations do not in any way impose a blanket prohibition on the use of customer information to create aggregate data; the rules simply prevent CRAs from doing so without first giving the consumer the chance to opt out. Moreover, whether there is a privacy interest in the release of a set of aggregate data is a different question from whether consumers have a privacy interest in the initial use of their nonpublic personal information for the creation of aggregate data the scenario which is the focus of the Regulations. The use and disclosure regulations are therefore a permissible construction of the GLB Act under step two of Chevron.
4. Arbitrary and Capricious
Plaintiffs also challenge defendants' use restrictions under § 706(2)(A) of the APA. Plaintiffs attack the regulations which permit the financial institution including CRAs only to "disclose and use the information pursuant to an exception in [502(e)] in the ordinary course of business to carry out the activity covered by the exception under which [the financial institution] received the information." 16 C.F.R. § 313.11(a)(1)(iii). Specifically, plaintiffs argue that the agencies have failed to adequately justify the Regulations, and have instead simply "parrot[ed] the language of [the] statute without providing an account of how it reached its results." Dickson, 68 F.3d at 1405. Plaintiffs contend that defendants have failed to provide findings in the Regulations or in the administrative record to support such a broad rule, and that the agencies' reliance on the statute's overall purpose and their general rulemaking authority are insufficient to satisfy the requirements of the APA.
The Court is unconvinced in light of the statutory bases for the reuse restrictions,[27]*39 and the support for the decision of the agencies which appears in the administrative record. Defendants specifically sought comments on whether the proposed regulations "should limit the ability of an entity that receives nonpublic personal information pursuant to an exception to use that information only for the purpose of that exception." 65 Fed.Reg. 35,180 (banking agencies); 65 Fed.Reg. 33,666 (FTC). The agencies received a number of comments on both sides of this issue. Some commentators argued that defendants would exceed their rulemaking authority if they imposed any limits on the reuse of information;[28] others believed that the agencies had such authority and supported the restrictions.[29]
In its Final Rule, the FTC stated:
It would be inappropriate to undermine the key privacy requirements of the Act that ensure a consumer can generally control the disclosure of his or her nonpublic personal information by allowing the recipient of nonpublic personal information under the section 502(e) exception to reuse the information for any purpose, including marketing.
65 Fed.Reg. 33,667. This explanation indicates a review and consideration of the comments regarding the reuse provisions, in conformity with the requirements of the APA; the record reflects that the agencies considered the significant points raised in the comments, and under the law they are not required to respond directly to every comment in the record, which would be an impossible task. Natural Resources Defense Council, Inc. v. U.S. Environmental Protection Agency, 859 F.2d 156, 188-89 (D.C.Cir.1988); Mt. Diablo Hospital v. Shalala, 3 F.3d 1226, 1234 (9th Cir.1993); South Carolina ex rel. Tindal v. Block, 717 F.2d 874, 885-86 (4th Cir.1983).
Finally, plaintiffs contend that the agencies' determination that information that constitutes PIFI when received by a CRA remains subject to use restrictions, regardless of how that data is homogenized, is arbitrary and capricious. Whether this information is homogenized transformed into identifying information that has been stripped of intrinsically financial data it was still provided by the consumer to a financial institution to obtain financial services. Its use and disclosure, therefore, still threatens a customer's privacy rights by subjecting consumers to the very consequences, including telemarketing and direct sales, that Congress was particularly concerned about. When it was disclosed by the consumer to the financial institution, the information became nonpublic personal information for the purposes of GLB Act; once released in this matter, the information remains protected, no matter what form it takes. The approach of the Regulations to this problem is neither arbitrary nor capricious.
III. Plaintiffs' Constitutional Claims
Plaintiffs argue that the Regulations violate their First Amendment right of free speech, and Trans Union argues that the Final Rules violate its Fifth Amendment rights of due process and equal protection. These arguments will be addressed seriatim.
*40 A. The First Amendment
Plaintiffs' primary constitutional argument is that the Regulations violate their First Amendment right to free speech. Plaintiffs' argument is premised on the notion that the use and dissemination of credit header information is speech that is protected by the Constitution, and therefore, the agencies' overbroad definition of "personally identifiable financial information" and flat ban on the use and disclosure of FCRA data impinge on this speech in violation of the First Amendment. The Court disagrees, particularly in light of this Circuit's recent decision in Trans Union v. FTC, which addressed very similar issues.
1. Type of Speech
As a threshold matter, the Court must determine the type of speech that is at issue. The Supreme Court has "long recognized that not all speech is of equal First Amendment importance. It is speech on matters of public concern that is at the heart of the First Amendment's protection." Dun & Bradstreet, Inc. v. Greenmoss Builders, Inc., 472 U.S. 749, 758-59, 105 S. Ct. 2939, 86 L. Ed. 2d 593 (1985) (plurality opinion) (internal quotations omitted).[30] "This Court on many occasions has recognized that certain kinds of speech are less central to the interests of the First Amendment than others.... In the area of protected speech, the most prominent example of reduced protection for certain kinds of speech concerns commercial speech. Such speech ... occupies a subordinate position in the scale of First Amendment values." Id. at 759 n. 5, 105 S. Ct. 2939 (internal citations and quotations omitted). This is because the core of commercial speech "does no more than propose a commercial transaction," Bolger v. Youngs Drug Products Corp., 463 U.S. 60, 66, 103 S. Ct. 2875, 77 L. Ed. 2d 469 (1983), and this "speech on matters of purely private concern is of less First Amendment concern." Greenmoss, 472 U.S. at 759, 105 S. Ct. 2939.
Defendants argue that the dissemination of credit header information should be protected to the same extent as commercial speech, whereas plaintiffs contend that such expression should be accorded full First Amendment protection. However, plaintiffs offer little to distinguish this case from the precedents of the Supreme Court and this Circuit, which recognized the limited nature of First Amendment protection for the commercial activities of information-based businesses. In Greenmoss, for example, the Supreme Court examined credit reports issued by a consumer reporting agency. These reports "provided subscribers with financial and related information about businesses." Id. at 751, 105 S. Ct. 2939. The Court declined to hold that consumer reports constitute commercial speech for all purposes, noting that "[t]he protection to be accorded a particular credit report depends on whether the report's content, form, and context indicate that it concerns a public matter." Id. at 762 n. 8, 105 S. Ct. 2939 (internal quotations omitted). However, the credit reports at issue in Greenmoss implicated "many of the same concerns that argue in favor of reduced constitutional protection" for commercial speech. Id. In particular, the consumer reports were "speech solely in the individual interest of the speaker and its specific business audience.... There is simply no credible argument that this type of credit reporting requires special protection to ensure that debate on *41 public issues will be uninhibited, robust, and wideopen." Id. at 762, 105 S. Ct. 2939 (internal quotation omitted).
The Court of Appeals for this Circuit reached a similar conclusion in a case involving plaintiff, holding that "Trans Union['s] target marketing lists is solely of interest to the company and its business customers and relates to no matter of public concern. Trans Union target marketing lists thus warrant reduced constitutional protection." Trans Union, 245 F.3d at 818 (internal quotations omitted).
In the instant action, plaintiffs' speech is the dissemination of credit header information by financial institutions. This speech does not involve any matter of public concern, but consists of information of interest solely to the speaker and the client audience.[31] Thus, restrictions on the dissemination of this nonpublic personal information does not impinge upon any public debate. Moreover, even if the credit header information that is disseminated by plaintiffs is not commercial speech per se, it is entitled to the same level of protection. See, e.g., Motor and Equipment Manufacturers Ass'n v. EPA, 627 F.2d 1095, 1127 (D.C.Cir.1979) (regulation restricting automobile manufacturers from disseminating maintenance notices analyzed as a restriction on commercial speech); U.S. West v. FCC, 182 F.3d 1224, 1233 n. 4 (10th Cir.1999) (dissemination of information by telecommunications carriers regarding their customers is commercial speech); United Reporting Publishing Corp. v. California Highway Patrol, 146 F.3d 1133, 1137 (9th Cir.1998), rev'd on other grounds, 528 U.S. 32, 120 S. Ct. 483, 145 L. Ed. 2d 451 (1999) (names and addresses of recently arrested individuals in the possession of a company that sold that information was commercial speech).
2. Central Hudson Analysis
Since the dissemination of credit header information is afforded the same level of protection as commercial speech, it is analyzed under the standard applicable to commercial speech. First, the Court must conduct a threshold inquiry as to whether the commercial speech concerns lawful activity and is not misleading. Central Hudson Gas & Electric Corp. v. Public Service Commission of New York, 447 U.S. 557, 566, 100 S. Ct. 2343, 65 L. Ed. 2d 341 (1980). Neither party contests that the speech at issue is both lawful and truthful.
Once this initial standard is met, the Regulations must pass a three-pronged test to survive under the First Amendment: 1) the asserted governmental interest must be substantial; 2) the regulation must directly advance that interest; and 3) the regulation may be no more extensive than necessary to serve that interest. Greater New Orleans Broadcasting v. United States, 527 U.S. 173, 183, 119 S. Ct. 1923, 144 L. Ed. 2d 161 (1999) (citing Central Hudson, 447 U.S. at 566, 100 S. Ct. 2343).
a. Does the Government Have a Substantial State Interest in Regulating the Use and Disclosure of Credit Header Information?
The asserted governmental interest that the Regulations seek to protect is *42 the privacy of consumers particularly the security and confidentiality of their nonpublic personal information. 15 U.S.C. § 6801(a). According to defendants, customer privacy is violated when an individual is required to relinquish the ability to control the dissemination of personal information in order to obtain financial services. Courts have repeatedly recognized that the protection of consumer privacy in various forms is a substantial governmental interest. See, e.g., Florida Bar v. Went For It, 515 U.S. 618, 625, 115 S. Ct. 2371, 132 L. Ed. 2d 541 (1995) (protecting consumers from unwanted solicitation); Edenfield v. Fane, 507 U.S. 761, 769, 113 S. Ct. 1792, 123 L. Ed. 2d 543 (1993) (same).
Plaintiffs argue, however, that the privacy interest at issue in this case does not rise to the level of a substantial state interest. In particular, plaintiffs rely on the Tenth Circuit's opinion in U.S. West, Inc. v. FCC, 182 F.3d 1224 (10th Cir.1999). There, the court noted in dicta that "the government cannot satisfy the [substantial interest] prong of the Central Hudson test by merely asserting a broad interest in privacy. It must specify the particular notion of privacy and the interest served.... [T]he specific privacy interest must be substantial, demonstrating that the state has considered the proper balancing of the benefits and harms of privacy. In sum, privacy may only constitute a substantial state interest if the government specifically articulates and properly justifies it." Id. at 1234-35.
At issue in U.S. West were regulations implementing 47 U.S.C. § 222, which was enacted as part of the Telecommunications Act of 1996. "[T]he essence of the statutory scheme require[d] a telecommunications carrier to obtain customer approval when it wishe[d] to use, disclose, or permit access to [customer proprietary information]...." U.S. West, 182 F.3d at 1229. The court was uncomfortable because "[n]either Congress nor the FCC explicitly stated what `privacy' harm [the statute or the regulations sought] to protect against," id. at 1235, but nonetheless assumed without deciding that "the government ha[d] asserted a substantial state interest in protecting people from the disclosure of sensitive and potentially embarrassing personal information." Id. at 1236.
Unlike the regulations and statute at issue in U.S. West, Congress and the defendant agencies have "specified a particular notion of privacy and the interest served," id. at 1235, by articulating that the purpose of the Act as ensuring "that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal account information." 15 U.S.C. § 6801(a). Unlike U.S. West, the agencies here have satisfactorily articulated a specific concept of privacy,[32] similar to the privacy interests identified in other statutes. See, e.g., Video Privacy Protection Act, 18 U.S.C. § 2710 (prohibiting video stores from disclosing information about a customer's rentals without that individual's consent); Driver's Privacy Protection Act, 18 U.S.C. §§ 2721 et seq. (restricting the dissemination of motor vehicle records). Moreover, the record indicates that the agencies have carefully weighed the benefits and harms of imposing the privacy-based regulations. See, e.g., 65 Fed Reg. at 33,657-59 (FTC *43 discussion of definition of "personally identifiable financial information," explaining the costs and benefits of that definition); id. at 33,668-69 (FTC explanation of the reuse and redisclosure provisions in the Regulations, weighing comments for and against these restrictions). Thus, the Circuit Court's recent opinion in Trans Union effectively disposes of plaintiffs' argument relating to the substantial interest question by holding that "we have no doubt that this interest protecting the privacy of consumer credit information is substantial." Trans Union, 245 F.3d at 818. Similarly, in this case, defendants have justified the privacy interest at stake and have demonstrated that it rises to the level of a substantial governmental interest.
b. Do the Regulations Directly and Materially Advance That Interest?
Plaintiffs argue that the Regulations do not materially advance the asserted privacy interest, because the Regulations "effectively" prohibit the use and dissemination of identifying information that may have originated with financial institutions, but which is no longer in the form of personally identifiable financial information because all identifying information has been removed. In this regard, plaintiffs assert that there is no basis for defendants to argue that any harm will result to consumers from the use and dissemination of such homogenized information.
Plaintiffs mischaracterize, however, the nature of the governmental interest that the Regulations attempt to promote. The harm that the Act and the Regulations are designed to prevent is not any specific consequence of the use and disclosure of consumers' nonpublic personal information; rather, it is the use and disclosure of that information without the consent of the consumer. Section 15 U.S.C. § 6801(a) makes this clear: "It is the policy of this Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information." Id. Regulations prohibiting the use and disclosure of that information without the consent of the consumer clearly advance that interest. United States v. Edge Broadcasting Co., 509 U.S. 418, 428, 113 S. Ct. 2696, 125 L. Ed. 2d 345 (1993) (factual evidence unnecessary to establish that regulations directly and materially advance governmental interest where the link is obvious).
c. Are the Regulations No More Extensive Than Necessary To Serve That Interest?
Finally, plaintiffs contend that the Final Rules are more extensive than necessary to achieve the government's interest. To survive this prong, the regulations cannot "completely suppress information when narrower restrictions on expression would serve its interest as well." Central Hudson, 447 U.S. at 565, 100 S. Ct. 2343. The rules must "demonstrate narrow tailoring of the challenged regulation to the asserted interest a fit that is not necessarily perfect, but reasonable; that represents not necessarily the single best disposition, but one whose scope is in proportion to the interest served." Greater New Orleans, 527 U.S. at 188, 119 S. Ct. 1923 (internal quotation omitted).
The Final Rules do not directly prohibit the use and disclosure of nonpublic personal information, but instead, they require financial institutions to provide customers with notice and the opportunity to opt out. Plaintiffs argue, however, that defendants' use and disclosure restrictions on a CRA's ability to use and disclose credit header *44 information are tantamount to an outright prohibition on such activities, because financial institutions have indicated that they will not provide the required notice and opt-out for CRAs' use of credit headers. (See Declaration of Jennifer Barrett, Ex. 6 to IRSG Mem.) As a result, plaintiffs claim that the Regulations are far broader than necessary and that the fit between the use restriction and the interest to be served is disparate.
Plaintiffs have again mischaracterized the nature of the governmental interest at stake, and have compounded that error by overstating the effect of the Regulations on CRAs. The Regulations do not impose any restrictions on CRAs that are not also applicable to all other institutions that receive nonpublic personal information. Like every other third party, Trans Union and other CRAs can still use and disclose this information except as provided in one of the limited exceptions as long as the individual consumer is given notice and the opportunity to opt out. This scheme reflects the purpose of the Act to allow consumers to retain control over their personal financial information. The Rules do not ban speech and are no more extensive than necessary to serve the substantial governmental interest of protecting consumer privacy over personal financial information. For these reasons, the Regulations satisfy Central Hudson, and thereby comport with the requirements of the First Amendment.[33]
B. Due Process
Plaintiff Trans Union next contends that it was entitled to a hearing under the Due Process Clause of the Fifth Amendment because the Regulations affected it in a "distinctive way." (Trans Union Supplemental Mem. at 12.) Plaintiffs argue that, in promulgating the Regulations, defendants singled out a small class that included Trans Union, and therefore, they effectively transformed the legislative process into an adjudicative one.
The applicable standard was set forth by this Circuit in Alaska Airlines, Inc. v. C.A.B., 545 F.2d 194 (D.C.Cir. 1976). There, the Court noted, "Where adjudicative, rather than legislative, facts are involved, the parties must be afforded a hearing to allow them an opportunity to meet and to present evidence. The determinative inquiry is whether the agency is engaged in rule-making, a legislative function which requires no hearing, or in adjudication, a judicial function which may require a hearing to resolve disputed facts." Id. at 200. Specifically, "[a]djudicative *45 facts are the facts about the parties and their activities, businesses, and properties. Adjudicative facts usually answer the questions of who did what, where, when, how, why, with what motive or intent; adjudicative facts are roughly the kind of facts that go to a jury in a jury case. Legislative facts do not usually concern the immediate parties but are general facts which help the tribunal decide questions of law and policy discretion." Id. at 200 n. 11.
Here, plaintiff suggests that the FTC's disclosure that it considered a portion of the opinion in the agency's administrative proceeding against Trans Union, In the Matter of Trans Union Corp., No. 9255, in promulgating Regulations pursuant to the GLB Act constitutes an admission that the FTC's rulemaking included the review of adjudicative facts regarding Trans Union. There is nothing in the record, however, to suggest that the FTC improperly relied on any particular facts from the Trans Union case, and the FTC Federal Register statement's citation to one legal conclusion from the case that "age" is a "consumer report" under the FCRA in no way undermines the rulemaking record of the agency. The Trans Union case asked whether certain personal information sold by Trans Union to target marketers constituted a "consumer report" under § 603(d) of the FCRA; the GLB Act regulations do not address this topic. There is no indication that the FTC considered the adjudicative facts from its administrative proceeding against Trans Union in promulgating its rules under the GLB Act; instead, the record is replete with legislative judgments on issues of law and policy. See, e.g., 65 Fed.Reg. at 33,658 (describing the reasons for the Commission's decision to treat "any information [as] financial information if it is requested by a financial institution for the purpose of providing a financial product or service"); id. at 33,666-67 (describing the policies behind the regulations that limit the reuse and redisclosure of financial information).
The cases that plaintiffs cite, moreover, are inapposite. All of these cases involve clearcut examples of the government singling out a discrete party or parties, and then taking action that affects only them. See, e.g., Alaska Airlines, 545 F.2d 194 (finding due process violation in order of Civil Aeronautics Board precluding Alaska Airlines from operating certain flights without a hearing); Harris v. County of Riverside, 904 F.2d 497 (9th Cir.1990) (finding due process violation in rezoning that included plaintiff's property where record indicated that legislature's action had been prompted by a desire to restrict plaintiff's use of his land). The Supreme Court has noted that "we have intimated that even in a rulemaking proceeding when an agency is making a quasi-judicial determination by which a very small number of persons are exceptionally affected, in each case upon individual grounds, in some circumstances additional procedures may be required in order to afford the aggrieved individuals due process." Vermont Yankee Nuclear Power Corp. v. Natural Resources Defense Council, Inc., 435 U.S. 519, 542, 98 S. Ct. 1197, 55 L. Ed. 2d 460 (1978) (internal quotations omitted). Here, however, Trans Union's business is not affected by the privacy rules any differently than any other third party not just any other CRA that receives nonpublic personal information from a financial institution and is subject to the restrictions in the rules. There is thus no indication that plaintiff was "exceptionally affected [by the ruling] upon individual grounds," Bi-Metallic Investment Co. v. State Board of Equalization, 239 U.S. 441, 446, 36 S. Ct. 141, 60 L. Ed. 372 (1915), and there can be no finding of a due process violation.
*46 C. Equal Protection
Finally, plaintiff Trans Union argues that defendants' regulations violate its Fifth Amendment right to equal protection by prohibiting the use of consumer information by CRAs but not by other entities. The appropriate standard by which to examine these rules is the rational basis test, for plaintiff is not a member of a protected class, and the rules do not impinge on a fundamental interest. Calloway v. District of Columbia, 216 F.3d 1, 6 (D.C.Cir.2000). Under that test, "[w]e ask whether `there is a rational relationship between the disparity of treatment and some legitimate governmental purpose.'" Id. at 7. (quoting Heller v. Doe, 509 U.S. 312, 320, 113 S. Ct. 2637, 125 L. Ed. 2d 257 (1993)). "On rational-basis review, a ... statute ... comes to us bearing a strong presumption of validity, and those attacking the rationality of the legislative classification have the burden to negative every conceivable basis which might support it." FCC v. Beach Communications, Inc., 508 U.S. 307, 314-15, 113 S. Ct. 2096, 124 L. Ed. 2d 211 (1993) (internal citations and quotation marks omitted).
Defendants' use and disclosure regulations easily satisfy the rational basis test. The regulations were enacted because the agencies believed that "[i]t would be inappropriate to undermine the key privacy requirements of the Act that ensure a consumer can generally control the disclosure of his or her nonpublic information by allowing the recipient of nonpublic personal information under the section 502(e) exception to reuse the information for any purpose, including marketing." 65 Fed. Reg. at 33,667. These same privacy concerns are not implicated where the consumer's information is obtained from public sources. The reuse restrictions on CRAs that have received nonpublic personal information under an exception to the notice and opt-out provisions easily pass the rational basis test.
Trans Union argues that these regulations unequally burden it and other CRAs; in fact, the rules do exactly the opposite by equalizing the duties of CRAs and non-CRAs that receive this information. The CRAs have received a special benefit under 502(e)(6): the ability to obtain nonpublic information without the consumer's authorization to facilitate the compilation of consumer reports in accordance with the FCRA. Beyond this limited purpose, Equal Protection dictates that CRAs and non-CRAs should be subject to the same restrictions as to information that is equally accessible to both. The Regulations do exactly that, and therefore are not susceptible to attack for an equal protection violation.
CONCLUSION
For the above reasons, the Court finds that defendants' regulations are neither unlawful nor unconstitutional. The Regulations do not contravene the plain meaning of the GLB Act, and they are a permissible construction of that statute. Moreover, the agencies' action in promulgating the Final Rules was not arbitrary and capricious. The Regulations do not violate plaintiffs' right to free speech under the First Amendment, for they serve a substantial state interest, directly and materially advance that interest, and are no more extensive than necessary to do so. Finally, the Final Rules do not violate Trans Union's right to either due process or equal protection under the Fifth Amendment. As a result, defendants' cross-motion for summary judgment is granted as to all counts.
ORDER
This matter is before the Court on plaintiffs' motions for summary judgment, defendants' cross-motion for summary *47 judgment, plaintiffs' replies, defendants' memorandum in support, plaintiffs' supplemental memorandum, and defendants' response thereto. For the reasons stated in the Court's accompanying memorandum opinion, it is hereby
ORDERED that defendants' motion for summary judgment [31 1] is GRANTED as to all counts of plaintiff's complaint; and it is
FURTHER ORDERED that plaintiff Individual Reference Services Group, Inc.'s motion for summary judgment [27-1] is DENIED; and it is
FURTHER ORDERED that plaintiff Trans Union's motion for summary judgment [25-1] is DENIED; and it is
FURTHER ORDERED that plaintiffs' complaints are dismissed with prejudice.
This is a final appealable order.
SO ORDERED.
NOTES
[1] The terms "consumer report" and "credit report" are used interchangeably in this opinion.
[2] Although the Court notes above, by way of description, that Trans Union receives information from "financial institutions," it also finds that, for the purposes of the GLB Act and the ensuing Regulations, Trans Union is a "financial institution" as that term is defined in the Act. See infra pp. 32-33.
[3] The GLB Act does not restrict the dissemination of nonpublic personal information for these purposes. See 15 U.S.C. § 6802(e)(8); infra note 22.
[4] One member of IRSG is Lexis-Nexis ("LN"), which uses information it has obtained from CRAs to develop its information services. LN's "people locator" enables users of the system to find the addresses of individuals throughout the United States. Law enforcement officers use this program to locate criminals, fugitives, and suspects; lawyers might tap this system to determine the whereabouts of witnesses, heirs, putative members of a class, and beneficiaries. (IRSG Statement ¶ 13). Other members of IRSG who are not individual parties to this action are U.S. Search.com, Inc., Acxiom, ChoicePoint, Data-Quick, DCS Information Systems, Dolan Media Co., Equifax Credit Information Services, First Data Solutions LLC, Online Professional Electronic Network, Pinkerton Services Group, United Reporting Publishing Co., and West Group. (IRSG Statement ¶ 2.)
[5] The seventh agency, the Securities and Exchange Commission ("SEC"), is currently a defendant in a parallel lawsuit that is pending in the Court of Appeals for this Circuit, having been appealed directly to that Court from the SEC. Resolution of that action, Individual Reference Services Group v. SEC, No. 00-1339, was stayed on January 8, 2001, pending this Court's decision in the instant action.
[6] For example, in 1993, the FTC ruled that information like that contained in credit headers including a consumer's name, address, age, social security number, and telephone number could be included in target marketing lists used by CRAs to offer goods and services to consumers. See Order Amending Consent Order, FTC v. TRW, Inc., (N.D.Tex. Jan. 14, 1993). Under this consent order, TRW was permitted to use this information to prepare and disclose aggregated information relating to a hypothetical consumer residing in a given geographical area. In the Matter of Trans Union Corp., at 46 n. 77. In short, credit header data was subject to neither the FCRA nor any other federal statute until the passage of the GLB Act.
[7] For example, Dr. Mary Culnan of Georgetown University testified that consumers should be able to restrict the further dissemination of personal information disclosed in a financial transaction, even that which is commonly deemed "public." She noted that the "telephone book, one of the most widely available sources of public information, is a good example that people value the ability to make choices about disclosing even their names and addresses, and when offered choices ... consumers should be able to opt out of having their names and addresses shared for marketing purposes." House Banking Subcommittee Hearing (July 20, 1999), at http://www.house.gov/banking/72099cul.htm> at 4-5. Others testified that the bill should protect other sorts of information such as personal medical information that may not have been considered traditionally "financial," but that is "shared and used in the financial services context." Statement of Dr. Donald Palmisano, American Medical Association, House Banking Subcommittee Hearing (July 21, 1999), at http://commdocs.house.gov/committees/bank/hba58308 0.htm> at 184.
[8] The Act authorizes the agencies to promulgate regulations implementing the statute by directing the six defendants and the SEC to "prescribe ... such regulations as may be necessary to carry out the purposes of this subchapter with respect to the financial institutions subject to their jurisdiction.... Each of the agencies ... shall consult and coordinate with other such agencies [to ensure that the regulations] are consistent and comparable...." 15 U.S.C. §§ 6804(a)(1)-(2).
[9] Comments to the other agencies paralleled those made to the FTC. See, e.g., FDIC Record at 104,834 (Comment of Lexis Nexis Group); FDIC Record at 104,839 (Comment of the Direct Marketing Association, Inc.); OCC Record at 500,969 (Comment of Mellon Financial Corporation); OTS Record at 600,775 (Comment of Craftmatic Organization, Inc.). Many of the comments were submitted in identical form to all six defendant agencies.
[10] Although the Court cites only to the FTC Final Rules, each of the other agencies promulgated an analogous set of regulations. See OCC Final Rules, 12 C.F.R. § 40.1 et seq., Board Final Rules, 12 C.F.R. § 216.1 et seq., FDIC Final Rules, 12 C.F.R. § 332.1 et seq., OTS Final Rules, 12 C.F.R. § 573.1 et seq., NCUA Final Rules, 12 C.F.R. § 716.1 et seq.,
[11] The definition of "you" varied slightly from agency to agency, but all defendants included "financial institutions" within its meaning.
[12] As the Court in Salleh explained, where multiple agencies have been designated to promulgate regulations pursuant to an Act of Congress, "it cannot be said that Congress implicitly delegated to one agency authority to reconcile ambiguities or to fill gaps, because more than one agency will independently interpret the statute." Id. at 692. In Salleh, two agencies had asserted administrative authority and interpreted a single statute in conflicting ways. In the case at hand, however, the six defendant agencies and the SEC have coordinated their efforts and issued similar sets of regulations, each of which is designed to support the others, rather than to undermine them. Thus, unlike in Salleh, there is no inter-agency conflict here.
[13] See infra pp. 39-47.
[14] The broad meaning of "financial institution" under the Act also bolsters defendants' contention that the agencies' expansive construction of "personally identifiable financial information" is permissible. Under the Act, an institution is considered to be "financial" because of the activities in which it engages and its relationship with the other entities with whom it deals not because of any intrinsic nature of the business. See 15 U.S.C. § 6809(3); 12 U.S.C. § 1843(k)(4). See infra pp. 31-32.
[15] Plaintiffs note that Senator Feinstein's statement appears to be at odds with the fact that on March 30, 2000, after passage of the GLB Act, she introduced a bill that was specifically aimed at regulating the use and disclosure of credit header information. See Ex. 62 to IRSG Mem., S. 2328 (introduced by Sen. Feinstein Mar. 30, 2000) (bill to amend FCRA to prohibit CRAs from releasing most identifying information except in consumer reports). Plaintiffs argue that Senator Feinstein's decision to introduce legislation regulating credit header information conflicts with defendants' interpretation of the GLB Act, for Senator Feinstein would not have introduced such legislation had she believed that credit header information fell within the definition of "personally identifiable financial information."
This argument is tempting, but two factual points and one legal issue conflict with plaintiff's contention regarding this post-enactment legislative history. First, it does not appear that the proposed bill would have regulated the disclosure of name and address information two of the key components of credit headers. See S. 2328 § 7. Moreover, the bill was based on a different governmental interest, i.e., preventing the crime of identity fraud, see id. § 2, and regulated a narrower class of information than the GLB Act. Second, even under a broader reading, Senator Feinstein proposed this bill in the midst of the administrative rulemaking period before defendants had issued their Final Rules. In fact, Senator Feinstein could have been responding to the possibility raised during the notice and comment period that the agencies would not include credit header information within their definition of PIFI, and that therefore other legislation was necessary to ensure the protection of this information.
Finally, even if the Court were to find this post-enactment legislative history to be relevant, legal precedent provides no clear guidance as to the weight that it should be accorded. In FDA v. Brown & Williamson Tobacco Corp., 529 U.S. 120, 120 S. Ct. 1291, 146 L. Ed. 2d 121 (2000), the Supreme Court considered the history of subsequent legislation in construing the meaning of a previous statute. Id. at 144-48, 120 S. Ct. 1291. In United States v. Carlton, 512 U.S. 26, 114 S. Ct. 2018, 129 L. Ed. 2d 22 (1994), on the other hand, Justice Scalia characterized post-enactment legislative history as an "oxymoron." Id. at 39, 114 S. Ct. 2018 (Scalia, J., concurring). See United States v. SCS Business & Technical Institute, Inc., 173 F.3d 870, 878 (D.C.Cir. 1999) (assigning post-enactment legislative history "only marginal, if any, value"). Irrespective of which principle is followed in this case, the related post-enactment legislative history here does not conflict with a finding that the language of the GLB Act is ambiguous.
[16] Section 504(a)(1), 15 U.S.C. § 6804(a)(1), grants the FTC rulemaking authority pursuant to the GLB Act.
[17] Section 502(d) provides:
A financial institution shall not disclose, other than to a consumer reporting agency, an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account of a consumer to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.
15 U.S.C. § 6802(d).
[18] Trans Union's TransLink product, which is described supra p. ___, uses account numbers for marketing. TransLink enables Trans Union to provide the addresses of a consumer to retailers based on the name and account number of that individual.
[19] This subsection of the FTC Rules provides examples of lists that constitute nonpublic personal information subject to the restrictions of the GLB Act. Under § 313.3(n)(3)(i), "Nonpublic personal information includes any list of individuals' names and street addresses that is derived in whole or in part using personally identifiable financial information (that is not publicly available), such as account numbers." Id.
[20] Section 502(b)(2) provides exceptions to the opt-out rule that are not relevant here.
[21] "Nonpublic personal information" is defined in 15 U.S.C. § 6809(4)(C)(i) as "shall include any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any nonpublic personal information other than publicly available information...."
[22] Specifically, 15 U.S.C. § 6802(e)(8) permits the disclosure of NPI without notice and opt-out "to comply with Federal, State, or local laws, rules, and other applicable legal requirements; to comply with a properly authorized civil, criminal, or regulatory investigation or subpoena or summons by Federal, State, or local authorities...." Many of the purposes for which IRSG and Trans Union gather and disclose NPI, including the location of missing children, enforcement of child support, and prosecution of financial crimes, would fall under this exception to the GLB Act. (IRSG Statement of Facts ¶ 14.)
[23] For simplicity, the citation is to the FTC's regulation; however, the other defendant agencies have issued similar rules.
[24] Trans Union also argues that the inclusion of a use restriction in § 502(d) the account numbers prohibition indicates that Congress acted intentionally when it failed to incorporate a use provision into § 502(c). The Court is not persuaded by this argument. As discussed, § 502(d) addresses a specific type of highly sensitive information account numbers about which legislators were particularly concerned. Section 502 does not impose a blanket prohibition on the use of nonpublic personal information by CRAs. Rather, it limits the circumstances under which companies such as Trans Union may receive and, therefore, use and redisclose this information unless the consumer has opted out. Trans Union's argument to the contrary is illogical.
[25] The recent decision of this Circuit, Trans Union Corp. v. FTC, 245 F.3d 809 (D.C.Cir. 2001), reaffirmed that the FCRA, as construed by the FTC, does not apply to credit header information.
[26] The legislative history of the GLB Act bolsters this conclusion. The FCRA savings clause was added in conference, following the testimony of FTC members who had expressed concern that the new Act could be seen as weakening the privacy provisions of the FCRA. Section 506 was added to ensure that consumer reports would be distributed only to those who had a permissible purpose, pursuant to the FCRA, for receiving them. See House Banking Committee Hearing (July 21, 1999) (statement of Robert Pitofsky, Chairman, FTC). The Conference Report provides absolutely no indication that the clause was intended to shield the industry practices including the dissemination of credit header information that were in place prior to the GLB Act, and thereby limit the scope of the privacy protection in the new statute.
[27] See supra pp. 34-36.
[28] See, e.g., FTC Administrative Record at 301,641 (Trans Union); 301,095-96 (MasterCard International).
[29] See, e.g., FTC Administrative Record at 302,642 (Consumers Union: Consumer Federation of America); 300,484 (Massachusetts Office of Consumer Affairs and Business Regulation).
[30] Obscene speech and "fighting words," for example, receive no First Amendment protection. Id. at 759 n. 5, 105 S. Ct. 2939.
[31] While it may be arguable that some of the credit header information that is disseminated is of public concern (e.g., information that is used to track down deadbeat parents and account identity thieves), credit header information is exempted from the notice and opt-out requirements of the GLB Act for these purposes, see 15 U.S.C. § 6802(e)(8), and is therefore not subject to the restrictions that plaintiffs challenge under the First Amendment.
[32] The regulations at issue in U.S. West, moreover, required carriers to obtain prior express approval from a customer before it could disclose that individual's proprietary information. Id. at 1230. The U.S. West court noted that an opt-out approach, such as the one employed by defendants in the instant action, was a "substantially less restrictive alternative" than the opt-in strategy at issue in U.S. West. Id. at 1238.
[33] Trans Union contends that its opt-out procedure is a sufficient and narrower alternative to the Regulations. Under that process, a consumer may notify Trans Union that it wishes to be excluded from the target marketing lists used to make firm offers of credit pursuant to the FCRA, 15 U.S.C. § 1681b(e). (Trans Union Statement ¶ 57.) Whenever Trans Union receives such a request, it "takes steps to ensure that the information regarding the consumer is excluded...." (Trans Union Statement ¶ 58.) The existing program, however, is limited to target marketing for credit and insurance, and does not cover the range of information implicated by the GLB Act. Moreover, to allow CRAs themselves to provide notice and opt-out to the consumers rather than for the financial institution with whom the consumer has a relationship to do so defeats a central purpose of the Act. It is the responsibility of the financial institutions to protect the privacy and confidentiality of their customers' personal information, 15 U.S.C. 6801; it is therefore incumbent on those entities and not third-party CRAs that have only received the information pursuant to an exception in the GLB Act to act affirmatively and provide notice and opt-out rights to consumers. In any event, because the GLB Act is not subject to strict First Amendment scrutiny, defendants are not required to choose the least restrictive means of accomplishing their goal. Trans Union, 245 F.3d at 818.