The eRulemaking Program

06/03/2026 | Press release | Distributed by Public on 06/03/2026 06:47

Privacy Act; Systems of Records

FEDERAL TRADE COMMISSION

Privacy Act of 1974; System of Records

AGENCY:

Federal Trade Commission (FTC).

ACTION:

Notice of modified systems of records.

SUMMARY:

The FTC is making technical revisions to one of the notices that it has published under the Privacy Act of 1974 to describe its systems of records. This action is intended to make the notice clearer, more accurate, and up-to-date.

DATES:

This notice shall become final and effective on June 3, 2026.

FOR FURTHER INFORMATION CONTACT:

G. Richard Gold, Attorney, Office of the General Counsel, FTC, 600 Pennsylvania Avenue NW, Washington, DC 20580, (202) 326-3355 or [email protected].

SUPPLEMENTARY INFORMATION:

To inform the public, the FTC publishes in the Federal Register and posts on its website a "system of records notice" (SORN) for each system of records that the FTC currently maintains within the meaning of the Privacy Act of 1974, as amended, 5 U.S.C. 552a ("Privacy Act" or "Act"). See https://www.ftc.gov/about-ftc/foia/foia-reading-rooms/privacy-act-systems. The Privacy Act protects records about individuals in systems of records collected and maintained by Federal agencies. (A system is not a "system of records" under the Act unless the agency maintains and retrieves records in the system by the relevant individual's name or other personally assigned identifier.) Each Federal agency, including the FTC, must publish a SORN that describes the records maintained in each of its Privacy Act systems, including the categories of individuals that the records in the system are about, where and how the agency maintains these records, and how individuals can find out whether an agency system contains any records about them or request access to their records, if any. The FTC, for example, maintains 39 systems of records under the Act. Some of these systems contain records about the FTC's own employees, such as personnel and payroll files. Other FTC systems contain records about members of the public, such as public comments, consumer complaints, or phone numbers submitted to the FTC's Do Not Call Registry.

Based on a periodic review of its SORNs, the FTC is publishing these additional technical revisions to the SORN for FTC-IV-1 (Consumer Information System-FTC) to ensure that this SORN remains clear, accurate, and up-to-date. This SORN covers consumer reports, complaints, and information requests received from consumers, as well as identity theft and TakeItDown complaints. (1) The Commission has updated the sections relating to the Purpose of the System, Categories of Records in the System, and Policies and Practices for Storage of Records.

The FTC is not substantively adding or amending any routine uses of its Privacy Act system records. Accordingly, the FTC is not required to provide prior public comment or notice to the Office of Management and Budget (OMB) or Congress for these technical amendments, which are final upon publication. See 5 U.S.C. 552a(e)(11) and 552a(r); OMB Circular A-108 (2016) (which reorganized the format and content for SORNs published by Federal agencies). The FTC is reprinting the entire text of this amended SORN for the public's benefit, to read as follows:

* * * * *

IV. Correspondence Systems of Records

* * * * *

SYSTEM NAME AND NUMBER:

Consumer Information System-FTC (FTC-IV-1).

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. This system is operated off-site by a contractor. For other locations where records may be maintained or accessed, see Appendix III (Locations of FTC Buildings and Regional Offices), available on the FTC's website at https://www.ftc.gov/about-ftc/foia/foia-reading-rooms/privacy-act-systems and at 87 FR 57698 (Sept. 21, 2022).

SYSTEM MANAGER(S):

Assistant Director, Division of Consumer Response and Operations, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580, email: [email protected].

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Federal Trade Commission Act, 15 U.S.C. 41 et seq.; section 5 of the Identity Theft and Assumption Deterrence Act of 1998 (ITADA), 18 U.S.C. 1028 note.

PURPOSE(S) OF THE SYSTEM:

To maintain records of complaints and inquiries from individual consumers; to track and respond to such communications (e.g., providing information to consumers over the phone or fulfilling requests by consumers to be mailed copies of FTC publications); identify consumer problems and issues that may lead to law enforcement investigations, litigation, or other proceedings; to be used in and made part of the records of such proceedings, or to be referred to other persons, entities, or authorities, where appropriate, covered by other Privacy Act system of records notices; and to provide statistical data on the number and types of complaints or other communications received by the FTC. Also, to satisfy the requirement of the ITADA that the FTC compile and refer identity theft complaints to "appropriate entities," and to provide useful information that may contribute to regulation and oversight of institutions and systems that play a role in or are affected by fraudulent business practices or identity theft.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

(1) Individual consumers who submit complaints to the FTC about identity theft, or the business practices of a company or individual, as well as consumers who request information or assistance.

(2) Individuals who submit their complaints about identity theft or the business practices of a company or individual to another organization that has agreed to provide its consumer complaint information to the FTC.

(3) Individuals acting on behalf of another consumer to submit the other consumer's complaint about identity theft, or the business practices of a company or individual, or to request information or assistance on behalf of another individual.

(4) Individuals who are the subjects of complaints about identity theft or about the business practices of a company or individual.

(5) FTC or contractor staff assigned to process or respond to such communications.

(6) Other system users outside the FTC (e.g., law enforcement agencies authorized to have access to the system under confidentiality agreements).

CATEGORIES OF RECORDS IN THE SYSTEM:

(1) Personally identifying information about the individual who submits a complaint or requests information or assistance, including, for example, the individual's name, address, telephone number, fax number, date of birth, age range, Social Security or credit card numbers, email address, and other personal information extracted or summarized from the individual's complaint.

(2) Personally identifying information about the individual who submits a complaint or requests information or assistance on behalf of someone else, including, for example, the submitting individual's name, address, age range, phone or fax number, and email address.

(3) The name, address, telephone number, or other information about an individual who is the subject of a complaint, or is allegedly associated with the subject of a complaint. (Information in the system about companies or other non-individuals is not covered by the Privacy Act.)

(4) The name and reference number of FTC or contractor staff person who entered or updated the complaint information in the database.

(5) Name, organization, and contact data for system users outside the FTC (e.g., staff of other authorized law enforcement agencies).

RECORD SOURCE CATEGORIES:

Consumers and entities who communicate with the FTC; FTC staff and contractors; other law enforcement agencies and non-FTC organizations.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

(1) Consumer complaints can be disclosed to the subject of the complaint for purposes of attempting to resolve the complaint;

(2) Identity theft complaints also can be disclosed to the three major national credit reporting agencies and other appropriate entities to fulfill the requirements of section 5 of the ITADA; and

(3) Contact data for non-FTC users of this system (e.g., staff of authorized law enforcement agencies) can be shared among such users or with others within or outside the FTC to enable them to communicate with one another.

For other ways that the Privacy Act permits the FTC to use or disclose system records outside the agency, see Appendix I (Authorized Disclosures and Routine Uses Applicable to All FTC Privacy Act Systems of Records), available on the FTC's website at https://www.ftc.gov/about-ftc/foia/foia-reading-rooms/privacy-act-systems and at 83 FR 55542-55543 (Nov. 6, 2018).

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

The FTC uses several applications or components to collect and share consumer data. The FTC maintains a Consumer Response Center (CRC), which gathers, processes, and updates consumer information submitted by consumers via telephone-based services and internet-based complaint forms. Consumers access a multi-channel bilingual (English and Spanish) contact center to file complaints, report instances of identity theft, receive and print an identity theft report, and request or receive consumer education materials. Consumers may also file complaints directly from their computers and mobile devices using the online ReportFraud portal, which asks consumers to answer a series of questions organized into a few simple steps. The portal can be accessed from the URLs Reportfraud.ftc.gov and www.ftc.gov/complaint. Consumers may file an identity theft report on identitytheft.gov and report Do Not Call violations at donotcall.gov. Consumers may report an online platform at TakeItDown.ftc.gov for failing to remove within 48 hours an intimate image that was posted without their consent. Consumers with cross-border e-commerce complaints may file an online complaint at www.econsumer.gov, which offers cross-border consumer protection information and an additional separate online cross-border complaint form. Finally, consumers may contact the CRC through postal mail. The FTC also receives data collected by other entities. External contributors include a broad array of public and private domestic and foreign organizations. Data from such communications are entered into a structured electronic database maintained by a contractor on the agency's behalf, and accessible by Web-based interface to FTC staff, contractors, and other authorized users (e.g., Federal, State, local, and international law enforcement) subject to strict access and security controls (see "Safeguards" below).

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

Records may be retrieved and indexed by any category of data that is submitted by consumers or otherwise compiled in association with such records (e.g., name, subject of the complaint).

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

Records are retained and disposed of in accordance with Schedule DAA-0122-2021-0002, which was approved by the National Archives and Records Administration. Consumer complaint entries are generally destroyed when they are 5 years old except when they are subject to litigation holds to preserve complaints.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

The system can currently be accessed by FTC staff, contractors, and other system users, such as authorized law enforcement agency personnel. This access occurs via a Web-based interface and is authorized only on a need-to-know basis to those individuals and organizations requiring access. Contractors and other non-FTC users must sign confidentiality and nondisclosure agreements and, in some cases, are required to undergo additional security clearance procedures. Letters or other system records in paper format are maintained in lockable rooms and cabinets. Access to the electronic database requires users to have the correct "user ID" and password combination, individual security token code, and internet protocol ("IP") address for the user's law enforcement agency. The system database is maintained on secure servers, protected by firewalls, access and usage logs, and other security controls. Servers are maintained in a secure physical environment, including building locks, security guards, and cameras.

RECORD ACCESS PROCEDURES:

See § 4.13 of the FTC's Rules of Practice, 16 CFR 4.13. For additional guidance, see also Appendix II (How To Make A Privacy Act Request), available on the FTC's website at https://www.ftc.gov/about-ftc/foia/foia-reading-rooms/privacy-act-systems and at 73 FR 33592, 33634 (June 12, 2008). Individuals who call the FTC's Consumer Response Center can also use their FTC reference number to identify complaints they have previously submitted in order to update them.

CONTESTING RECORD PROCEDURES:

See § 4.13 of the FTC's Rules of Practice, 16 CFR 4.13. For additional guidance, see also Appendix II (How To Make A Privacy Act Request), available on the FTC's website at https://www.ftc.gov/about-ftc/foia/foia-reading-rooms/privacy-act-systems and at 73 FR 33592, 33634 (June 12, 2008). Individuals who call the FTC's Consumer Response Center can also use their FTC reference number to identify complaints they have previously submitted in order to update them.

NOTIFICATION PROCEDURES:

See § 4.13 of the FTC's Rules of Practice, 16 CFR 4.13. For additional guidance, see also Appendix II (How To Make A Privacy Act Request), available on the FTC's website at https://www.ftc.gov/about-ftc/foia/foia-reading-rooms/privacy-act-systems and at 73 FR 33592, 33634 (June 12, 2008). Individuals who call the FTC's Consumer Response Center can also use their FTC reference number to identify complaints they have previously submitted in order to update them.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

Pursuant to 5 U.S.C. 552a(k)(2), records in this system relating to identity theft are exempt from the requirements of subsections (c)(3), (d), (e)(1), (e)(4)(G), (H), (I), and (f) of 5 U.S.C. 552a, and the corresponding provisions of 16 CFR 4.13. See FTC Rules of Practice § 4.13(m), 16 CFR 4.13(m).

HISTORY:

89 FR 79598-79610 (September 30, 2024).

73 FR 33591-33634 (June 12, 2008).

* * * * *

Joel Christie,
Acting Secretary.
[FR Doc. 2026-11114 Filed 6-2-26; 8:45 am]
BILLING CODE 6750-01-P

Footnotes

(1) Under the Take It Down Act of 2025, consumers may report an online platform for failing to remove within 48 hours an intimate image that was posted without their consent.

The eRulemaking Program published this content on June 03, 2026, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on June 03, 2026 at 12:47 UTC.