

April 30, 2001


The opinion of the court was delivered by: Ellen Segal Huvelle, United States District Judge.

Before the Court are plaintiffs' motions for summary judgment, defendants' cross-motion for summary judgment, plaintiffs' replies, defendants' memorandum in support, plaintiffs' supplemental memorandum, and defendants' response thereto. Plaintiffs bring this action pursuant to the Administrative Procedure Act ("APA"), 5 U.S.C. § 701, seeking judicial review of regulations (the "Regulations") that were promulgated by the defendant agencies to implement Title V, Subtitle A of the Gramm-Leach-Bliley Act, Pub.L. No. 106-102, 113 Stat. 1338 (1999) (codified as amended at 15 U.S.C.A. § 6801 et seq. (2000)) (the "GLB Act"), which addresses the responsibility of financial institutions to protect the privacy of the personal financial information of their customers. Plaintiffs ask this Court to invalidate these Regulations and enjoin their enforcement.
Plaintiffs contend that the Regulations are both unlawful and unconstitutional. They argue that the Regulations are invalid for five reasons: a) the definition of "nonpublic personal information" in the Regulations contravenes the statutory requirement that only financial information is subject to the GLB Act; b) the Regulations constitute an impermissible regulation of non-financial institutions by the agencies; c) the Regulations contradict a provision of the GLB Act that exempts consumer reporting agencies from the statute's prohibition of the use of account numbers for marketing purposes; d) the Regulations impose a restriction on the use of nonpublic personal information that is inconsistent with the statute; and e) the Regulations modify the operation of the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq. (the "FCRA"), in contravention of the savings clause of the GLB Act. In addition, plaintiffs allege that the Regulations are unconstitutional for three reasons: a) they are overbroad and improperly restrict plaintiffs' speech in violation of the First Amendment; b) they were enacted without the requisite adjudicative hearings, in violation of Trans Union's Fifth Amendment right to due process of law; and c) they impose restrictions on plaintiff Trans Union that are not imposed on entities that are not consumer reporting agencies, in violation of the Fifth Amendment. Upon consideration of the pleadings and the record herein, this Court concludes the Regulations are lawful and constitutional. Summary judgment is therefore granted for defendants as to all counts.


I. The Parties and The Role of Consumer Reporting Agencies

A. Trans Union and Its Products

Plaintiff Trans Union ("Trans Union") is a Delaware limited liability company with its principal place of business in Chicago, Illinois. (Trans Union Statement of Material Facts ¶ 1.) Trans Union is a "consumer reporting agency" ("CRA"), as defined in the FCRA, and it provides "consumer reports,"*fn1 as defined at 15 U.S.C. § 1681a(d). The foundation of Trans Union's business is its database, CRONUS, which contains information about consumers that is used to generate credit reports. (Trans Union Statement ¶ 16.) Although Trans Union gathers this data from over 85,000 entities, its main source of information is financial institutions,*fn2 which generally provide this information in the form of accounts receivable tapes. (Trans Union Statement ¶¶ 17-19.) These tapes contain information — the name, address, zip code, and social security number, as well as information regarding the account itself — about each consumer that is reported by the financial institution. (Trans Union Statement ¶ 20.)

Trans Union maintains this information in CRONUS, from which it generates credit reports. These reports contain two types of information: identifying information for each individual, and tradeline information describing the consumer's account and payment history. (Trans Union Statement ¶ 22.) The identifying information includes the name, address, social security number, and telephone number of the consumers, and since this data is printed at the top of the report, it is typically referred to as "credit header" information. (Trans Union Statement ¶ 23.) Although financial institutions are the primary source of the identifying information, plaintiffs allege that the resulting credit header is the product of various sources, and that it therefore does not reveal the existence of a customer relationship with any specific financial institution.
Trans Union alleges that three of its product lines will be affected by the Regulations and are therefore at issue in this litigation. First are Trans Union's credit header products. In addition to including the header information in its credit reports, Trans Union sells this data separately to a number of business and governmental entities, which then use the information for both commercial and noncommercial purposes, including target marketing and fraud prevention. (See Trans Union Statement ¶¶ 27-44.) These products include "Trace," which allows a customer of Trans Union to input an individual's social security number and receive, in return, the name and address of that person (Trans Union Statement ¶ 29); "Retrace," which enables a customer who has an individual's name and address to obtain that person's social security and phone numbers (Trans Union Statement ¶ 31); and "ID Search," which permits a customer with a person's name and phone number to obtain that individual's social security number and current and former addresses from Trans Union. (Trans Union Statement ¶ 33.) Trans Union and other CRAs also sell credit header information to individual reference services, which typically work with government agencies to identify and locate individuals for a variety of purposes, including the prosecution of financial crimes and enforcement of child support orders. (Individual Reference Services Group ("IRSG") Statement of Material Facts ¶¶ 11-14.)*fn3 Similarly, private companies hire individual reference services to help detect and prevent fraud, and health organizations use their products to identify blood and organ donors. Media and political campaign organizations may use individual reference services to verify the identities of campaign donors. (IRSG Statement ¶ 15-16.)
Second, Trans Union offers a line of target marketing products that provide both credit header and tradeline information. These target marketing lists are designed to identify consumers who may be interested in purchasing the particular goods or services that are offered by customers of Trans Union. (Trans Union Statement ¶ 45.) Typically, a target marketing list provides a customer with the names and addresses of individuals who live in a household that meets particular criteria, such as having a bank card or a home mortgage. (Trans Union Statement ¶¶ 46-47.) One of these products is "TransLink," a program that allows a retailer to identify the names and addresses of customers who have made purchases from that retailer with a credit card. A retailer who has obtained the name and credit account number of a customer sends this information to Trans Union, which in response provides a corresponding name and address using the information stored in CRONUS. (Trans Union Statement ¶¶ 47, 55-56.)
Third, Trans Union uses information that it receives from financial institutions to prepare aggregate or average data on consumers. Trans Union's SUM-it product, for example, creates aggregate financial information, such as the average mortgage and bank card balance, for consumers who live within a particular zip code, zip code-plus-two digits, or zip code-plus-four digits. (Trans Union Statement ¶ 48.) The information in the SUM-it database is then used to create models that predict consumers' financial characteristics or their propensity to purchase certain goods or services. This aggregate information is then made available to marketing firms. (Trans Union Statement ¶ 49.) Individual information reported by financial institutions about particular customers is not disclosed in this material.

B. IRSG and Credit Header Information

Plaintiff Individual Reference Services Group, Inc. is a non-stock corporation organized exclusively as a nonprofit trade association under the laws of the state of Maryland. (IRSG Statement ¶ 1.) IRSG represents leading information industry companies, including major CRAs, that provide information to help identify, verify, or locate individuals. IRSG represents CRAs, which obtain credit header information directly from financial institutions, and other entities to whom the CRAs provide credit header data.*fn4 Trans Union is a member of IRSG.

Plaintiff IRSG contests only the regulation of credit header information under the GLB Act; unlike Trans Union, it does not challenge the effects of the agencies' Final Rules on target marketing lists or aggregate data.

C. The Defendant Agencies

The defendants in this action are the Federal Trade Commission ("FTC"), Board of Governors of the Federal Reserve System ("Board"), Federal Deposit Insurance Corporation ("FDIC"), Office of the Comptroller of the Currency ("OCC"), Office of Thrift Supervision ("OTS"), the National Credit Union Administration ("NCUA"), and their respective heads. These agencies are responsible for the administration and enforcement of Title V of the GLB Act, as well as other related statutes. The FTC and NCUA are independent agencies of the United States government; the Board administers the Federal Reserve System; the FDIC is a corporation organized under federal law; and OCC and OTS are divisions of the United States Department of the Treasury. Defendants are six of the seven agencies that promulgated regulations addressing, among other issues, the use and disclosure of "nonpublic personal information" pursuant to the GLB Act. These are the Regulations challenged in this action. (Trans Union Statement ¶¶ 2-12.)*fn5

An understanding of the legal issues in this case begins with an explanation of the FCRA, which provides a comprehensive regulatory scheme governing CRAs, including Trans Union. Enacted on October 26, 1970, the statute was drafted in an effort to balance the conflicting needs of commerce and consumer protection; its stated purpose was "to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer . . . ." 15 U.S.C. § 1681(b).

Specifically, the Act requires CRAs to "follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates." 15 U.S.C. § 1681e(b). To ensure the accuracy of this data, CRAs must make available to customers "all information in the consumer's file at the time of the request," § 1681g(a)(1), and promptly investigate any consumer dispute regarding "any item of information." § 1681i(a)(1)(A). The FCRA also requires CRAs to report the results of any investigation and to correct any inaccurate information. § 1681i(a)(5). The financial institutions that report information to CRAs are subject to similar requirements under the Act. § 1681s-2.
The FCRA does not regulate the dissemination of information that is not contained in a "consumer report." In 2000, the FTC stated that the "credit header" data at issue in this litigation — the name, address, social security number, and phone number of the consumer — was not subject to the FCRA because it "does not bear on creditworthiness, credit capacity, credit standing, character, general reputation, personal characteristics, or mode of living, unless such terms are given an impermissibly broad meaning." (Trans Union Index, Ex. F, In the Matter of Trans Union Corp., Docket No. 9255, Feb. 10, 2000, at 30.); 15 U.S.C. § 1681a(d)(1). Both sides agree that credit header information is not currently subject to the FCRA. (Trans Union Memorandum at 9.)*fn6
In contrast, the Court of Appeals for this Circuit has recently upheld the FTC's determination that target marketing lists are "consumer reports" under the FCRA and are therefore subject to the provisions of that statute. In Trans Union v. FTC, 2001 WL 363964 (D.C. Cir. Apr. 13, 2001), the Court found that lists of names and addresses of individuals who fall into particular categories based on tradeline information — for example, their credit limits, open dates of loans, number of tradelines, type of tradelines (such as an auto loan or mortgage), or the mere existence of a tradeline — qualify as consumer reports. These categories, the Court found, were exactly the type of information considered by lenders in determining who was eligible for a loan or credit. Lists of names and addresses of consumers based on those categories, therefore, are covered by § 1681a(d)(1) of the FCRA. Trans Union, 2001 WL 363964, at *5.

III. The GLB Act

The Federal Financial Modernization Act, commonly known as the Gramm-Leach-Bliley Act, was passed by Congress and signed by President Clinton in November 1999. The purpose of the GLB Act was "to enhance competition in the financial services industry by providing a prudential framework for the affiliation of banks, securities firms, insurance companies, and other financial service providers . . . ." H.R. Conf. Rep. No. 106-434, at 245 (1999), reprinted in 1999 U.S.C.C.A.N. 245, 245. Congress intended that increased competition would benefit consumers by enhancing the availability of financial products and services and by allowing domestic financial services firms to better compete globally. H.R. Rep. No. 106-74, pt. 3, at 98 (1999).
At the same time, Congress realized that such a structure could exacerbate the concerns of consumers regarding the dissemination of personal financial information. For example, banks, insurance companies, and securities firms have the capacity to know more about an individual's spending habits than ever before, and could use this information for many purposes, including unwanted marketing and solicitation. See H.R. Rep. 106-74, pt. 3, at 106-07 (June 15, 1999) ("As a result of the explosion of information available via electronic services such as the Internet, as well as the expansion of financial institutions through affiliations and other means as they seek to provide more and better products to consumers, the privacy of data about personal financial information has become an increasingly significant concern of consumers.") To balance these interests, the Act provides consumers with the power to choose how their personal information will be shared by financial institutions. As the Act states, "It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information." 15 U.S.C. § 6801. During debates in Congress, legislators noted that the proposed Act would "provide some of the strongest privacy protections to ever be enacted into any federal law," 145 Cong. Rec. H11,539-40 (daily ed. Nov. 4, 1999) (statement of Rep. Vento), and would "represent the most comprehensive federal privacy protections ever enacted by Congress." 145 Cong. Rec. H11,544 (daily ed. Nov. 4, 1999) (statement of Rep. Sandlin).

A. The Legislative History

On May 6, 1999, the Senate approved S. 900, the Financial Services Modernization Act of 1999, a precursor to the GLB Act. That bill did not contain provisions protecting the disclosure of personal information. The House Commerce Committee, which was the first body to address privacy issues in the bill, proposed provisions to provide "protections for the privacy of customers of financial institutions, [including] put[ting] into place procedures to protect the confidentiality and security of nonpublic personal information collected in connection with any transaction of their customers." H.R. Rep. No. 106-74, pt. 3, at 200. The Committee defined "nonpublic personal information" as "personally identifiable information, other than publicly available directory information, pertaining to an individual's transactions with a financial institution." H.R. 10, 106th Cong., 1st Sess § 509(4). (1999).
Language containing the definition of "nonpublic personal information" was added to the House bill through an amendment introduced by Representative Michael Oxley on July 1, 1999. 145 Cong. Rec. H5308 et seq. (daily ed. July 1, 1999). Industry groups objecting to broader restrictions on the disclosure of personal information, as well as advocates for greater privacy protections, testified at hearings on the amended bill later that month. For example, Richard Barton, the Senior Vice President for Congressional Relations of the Direct Marketing Association, expressed concern that "the definition of nonpublic personal information [was] unclear because [it tended to] blur the differences between personally identifiable financial information and other types of personally identifiable information, [and] might be read to interfere seriously with the use of certain non-financial identifying information to make marketing databases more accurate." House Banking Subcommittee Hearing (July 20, 1999), at <> at 5.

In contrast, other participants testified that it was important to restrict the unauthorized disclosure of certain sensitive personal information, including names and addresses.*fn7 Representatives of federal agencies testified that consumers consider information that they provide to financial institutions in order to obtain a financial product to be "private." See, e.g., Statement of Edward Gramlich, Member, Board of Governors, The Federal Reserve System, House Banking Subcommittee Hearing (July 21, 1999), at < committees/bank/hba58308_0.htm> at 128 (private information includes "information that banking and other financial institutions derive from their relationships with customers [such as] information submitted by a customer in order to obtain a loan"). After hearing testimony from both sides, the House declined industry's request to narrow the bill's definition of "nonpublic personal information."

As enacted, the statute defines "nonpublic personal information" ("NPI") as "personally identifiable financial information [(`PIFI')] (i) provided by a customer to a financial institution; (ii) resulting from any transaction with the consumer or any service performed for the consumer; or (iii) otherwise obtained by the financial institution." 15 U.S.C. § 6809(4). The GLB Act does not, however, define the term "personally identifiable financial information."
Several members of Congress discussed the meaning of this provision. Sponsor Oxley noted that the bill called for "the responsible sharing of consumer information . . . ." 145 Cong. Rec. H5310 (daily ed., July 1, 1999). Co-sponsor Deborah Pryce said that "for the first time ever we will require that financial institutions give their customers a right to just say no to the sharing of what most Americans hold very, very dear: private information about themselves and their families," including "addresses and phone numbers," in order to protect consumers from "random telemarketing and junk mail." 145 Cong. Rec. H5312 (daily ed. July 1, 1999). Representative Bereuter, a member of the House Committee on Banking and Financial Services, noted, "These privacy provisions are a pioneering, landmark advance forward by Congress in ensuring that consumers' personal information is protected from unwanted disclosures by financial institutions." 145 Cong. Rec. H11,546 (daily ed. Nov. 4, 1999).
Other aspects of the statute that are at issue in this case were added by a joint House-Senate Conference Committee, which convened in September 1999 to reconcile the differences between the versions of the bill. First, the Joint Conference Committee included a "savings" provision to address the relationship between the GLB Act and the FCRA; this clause provided that "nothing in this chapter shall be construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act . . . ." 15 U.S.C. § 6806; H.R. Conf. Rep. No. 106-434, at 171 (1999). Second, the Joint Committee added a consumer reporting agency exception to the Act's blanket prohibition against disclosing account numbers to third parties for use in telemarketing, direct mail marketing, or other electronic mail marketing. H.R. Conf. Rep. No. 106-434, at 172. "A financial institution shall not disclose, other than to a consumer reporting agency, an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account of a customer to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer." 15 U.S.C. § 6802(d).

B. Administrative Rulemaking

1. The Rulemaking Proceedings

Under the GLB Act, the defendant agencies were to issue regulations implementing provisions of the statute.*fn8 These regulations describe, for example, the conditions under which financial institutions may disclose nonpublic personal information about consumers to nonaffiliated third parties, require such institutions to provide notice to their customers about privacy policies, and subject to certain exceptions, permit the consumer to opt out of this transmission of information. The Regulations define the limits on the disclosure of nonpublic personal information by financial institutions, as well as the conditions under which a nonaffiliated third party that receives this information may redisclose or use it. See, e.g., FTC Final Rule, 16 C.F.R. § 313.10-313.12 (2000). It is these Regulations that are at issue in this litigation.

In particular, the agencies drafted a set of proposed rules as to which they solicited public comments. The draft rules attempted to define the term "personally identifiable financial information" in 15 U.S.C. § 6809(4); the agencies proposed that personally identifiable information was financial if it was provided by a consumer, resulted from a transaction, or was otherwise obtained about a consumer by a financial institution in connection with providing a financial product or service to a consumer. See, e.g., FTC Notice of Proposed Rulemaking, "Privacy of Consumer Financial Information," 65 Fed. Reg. 11,174, 11,178 (March 1, 2000) ("FTC Proposed Rule"); Joint Notice of Proposed Rulemaking, "Privacy of Consumer Financial Information," 65 Fed. Reg. 8770, 8773 (Feb. 22, 2000) ("Banking Agencies' Proposed Rule"). To demonstrate the operation of the proposed definition, accompanying examples explained that information that a consumer provides on an application to obtain a loan, credit card, or insurance would fall within this definition. 65 Fed. Reg. at 11,178. The agencies sought comments on the proposed definition, including comments relating to the fact that the term might include information "that may not be considered intrinsically financial." 65 Fed. Reg. at 8774, 11,178.
More than 9,000 comments were submitted in response to the proposed rules. Comments concerning the definition of "personally identifiable financial information" were submitted by opposing groups. Industry groups argued that certain identifying information that was not intrinsically financial should not be considered within the definition. These entities contended that the proposed definition — when coupled with the Act's limits on reuse and redisclosure — would restrict the flow of credit header information by preventing CRAs from disseminating such information. The net effect, they argued, would be to threaten the availability of highly reliable information used for socially beneficial purposes, such as combating fraud and locating missing individuals. See, e.g., FTC Record at 300,852 (Comment of Equifax that "the Proposed Rule functionally reads the word `financial' out of the phrase `personally identifiable financial information'"); FTC Record at 300,932-33 (Comment of Experian Information Solutions to same effect); FTC Record at 301,638 (Comment of Trans Union to same effect); FTC Record at 301,964 (Comment of IRSG to same effect); FTC Record at 301,954 (Comment of Direct Marketing Association, Inc. to same effect).*fn9
In contrast, consumer groups and state lawmakers filed comments urging the agencies to prevent the disclosure of personal information. See, e.g., FDIC Record at 105,158 (Comment of Consumers Union: Consumer Federation of America agreeing with the proposed definition of "personally identifiable financial information" because "any information collected by an institution about an individual should be defined as `personally identifiable'. . . . In these instances, but for the financial nature of the relationship, the information would not be collected."); FTC Record at 300,973 (comment of Privacy Rights Clearinghouse to same effect); FDIC Record at 102,300 (Comment of Center for Democracy and Technology to same effect); OTS Record at 601,246 (Comment of Privacy Rights Clearing House to same effect); FDIC Record at 103,067, Board Record at 203,140 (Letter signed by thirty-three state Attorneys General). These commentators felt that the proposed rules did not go far enough toward protecting consumer privacy, leaving too many loopholes for personal information to be shared without an individual's consent. Id. Several Members of Congress also filed comments in support of these arguments. FTC Record at 300,541-48, OTS Record at 601,536-43 (Comment of Congressional Privacy Caucus).

2. The Final Rules

Following the Notice and Comment period, the agencies promulgated their Final Rules. They defined "nonpublic personal information," in part, as "personally identifiable financial information." 16 C.F.R. § 313.3(n)(1)(i).*fn10 In turn, the Regulations defined "personally identifiable financial information" as information "(i) [a] consumer provides to you*fn11 to obtain a financial product or service from you; (ii) [a]bout a consumer resulting from any transaction involving a financial product or service between you and a consumer; or (iii) you otherwise obtain about a consumer in connection with providing a financial product or service to that consumer." 16 C.F.R. § 313.3(o)(1). In other words, "any information should be considered financial information if it is requested by a financial institution for the purpose of providing a financial service or product." FTC Final Rule, "Privacy of Consumer Financial Information," 65 Fed. Reg. 33,646, 33,658 (May 24, 2000); see Banking Agencies' Final Rule, "Privacy of Consumer Financial Information," 65 Fed. Reg. 35,162, 35,171 (June 1, 2000).

In response to comments from industry groups objecting to the inclusion of name, address, and social security number in the definition of personally identifiable financial information, the FTC explained:

[F]inancial institutions rely on a broad range of information that they obtain about consumers, including information such as addresses and telephone numbers, when providing financial products or services. Location information is used by financial institutions to provide a wide variety of financial services, from the sending of checking account statements to the disbursing of funds to a consumer. Other information, such as the maiden name of a consumer's mother, often will be used by a financial institution to verify the consumer's identity. The Commission concluded that it would be inappropriate to carve out certain terms of information that a particular financial institution might rely on when providing a particular financial product or service.
FTC Final Rule, 65 Fed. Reg. at 33,658. The other agencies adopted nearly identical reasoning. See, e.g., Banking Agencies' Final Rule, 65 Fed. Reg. at 35,171. The Final Rules were issued in spring 2000 and became effective as of November 13, 2000, with full compliance required by July 1, 2001. This litigation rapidly ensued.


I. Standards of Review for Plaintiffs' APA Claims

Both plaintiffs have moved for summary judgment. A party is entitled to summary judgment where "there is no genuine issue as to any material fact and the moving party is entitled to judgment as a matter of law." Fed.R.Civ.P. 56(c). Summary judgment is an appropriate mechanism for resolving cases involving administrative rulemaking on the record, particularly where, as here, the case turns chiefly on issues of statutory construction. See Troy Corp. v. Browner, 120 F.3d 277, 281 (D.C. Cir. 1997).
Plaintiffs raise four primary claims under the APA. First, plaintiff IRSG, joined by Trans Union, argues that defendants' definition of "personally identifiable financial information" violates the APA for three reasons. Plaintiffs contend that this definition (1) conflicts with the plain language of the GLB Act; (2) is not a reasonable and permissible construction of the statute; and (3) is arbitrary and capricious because it does not further the express purposes of the Act.
Second, Trans Union argues that it is not a "financial institution" covered by the GLB Act, and therefore, the agencies have no authority to regulate it under the Act. With regard to this claim, Trans Union asserts only a plain language argument — that the regulation of Trans Union by the Act violates the unambiguous meaning of the statute.
Third, Trans Union argues that the Regulations violate the plain meaning of § 502(d) of the GLB Act, 15 U.S.C. § 6802(d). Trans Union argues that this section grants a special exemption to CRAs from the statute's prohibition on the use of account numbers for marketing purposes, and that the Regulations conflict with the clear language of this exemption.
Finally, Trans Union contends that defendants' Regulations restricting the use and redisclosure of nonpublic personal information that is provided to a CRA in accordance with the Fair Credit Reporting Act violate the APA. With respect to this claim, Trans Union makes four arguments: 1) the use restrictions violate the plain meaning of the GLB Act; 2) these regulations contradict the plain meaning of the statute's "savings" clause, 15 U.S.C. § 6806, which mandates that the GLB Act not be "construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act," Id.; 3) the use restrictions are ...
